Pentesting of Zeno

Ahmet Göker
8 min readSep 30, 2023

Greetings, fellow enthusiasts, and welcome to this blog post. In today’s exposition, I shall elucidate the feasibility of attaining root-level access on a vulnerable system. The primary objective of this blog is to cater to individuals seeking insights into the realm of penetration testing methodologies. It is of paramount importance to cultivate proficiency in both offensive and defensive strategies, particularly for those aspiring to embark on a career as a Security Operations Center (SOC) analyst. This multifaceted journey into the intricacies of our chosen methodology shall commence forthwith for those who are prepared to embark upon it.

Reconnaissance

Reconnaissance, in the context of cybersecurity and penetration testing, is the initial phase of gathering information and intelligence about a target system, network, or organization. This phase is crucial for understanding the potential weaknesses and vulnerabilities that could be exploited during the subsequent stages of a penetration test. Reconnaissance is also known as “footprinting” or “information gathering.”

We will start off to use active reconnaissance but what does it mean?

the pentester begins to interact more directly with the target. This involves techniques like DNS enumeration, network scanning, and fingerprinting to identify active hosts, open ports, and services. Tools like Nmap and Shodan are commonly used for active reconnaissance. The objective is to map the network and understand the services running on it.

I was starting to enumerate the ports, but it seemed that was being protected by Firewall, so I decided to use -pN flag.

This option skips the host discovery stage altogether. Normally, Nmap uses this stage to determine active machines for heavier scanning and to gauge the speed of the network.

We can see that port 22 and port 12340 are open. In order to engage this to you, I am going to enumerate further….

I will kick off to use 12340 port.

The sentence describes information gathered from a network scan on a specific host:

  1. Port 12340/tcp is open and running an HTTP service.
  2. The server is Apache httpd version 2.4.6, running on CentOS, with PHP/5.4.16.
  3. Supported HTTP methods include GET, HEAD, POST, OPTIONS, and TRACE.
    - The TRACE method is considered potentially risky.
    - The web page title is “We’ve got some trouble | 404 — Resource not found.”
  4. The server’s HTTP response header indicates it’s Apache/2.4.6 on CentOS with PHP/5.4.16.

No results were found, but a directory scan tool like Gobuster will be used to continue the search for hidden directories.

We are waiting for any interesting directories…

It might be interesting!

After enumerating the ports and finding some interesting ports like 22 and 12340, a directory scan was performed using Gobuster on a website, which revealed some potential vulnerabilities such as exploits, reverse shells, and SQL injection.

Attacking

In this phase, we are going to try to attack this machine, but how?

First of all, I successfully created an account. After that, I was trying to use the given link in sqlmap, but it seemed that no parameter was not given. I reckon that finding an exploit for this server will be a better choice.

I used burp to see the user-agent, it seems that user-agent is same. But I am not sure whether this exploit will work or not. I am going to try to use this exploit to see the result.

This code sends an HTTP POST request to a specific web server with some special information. Let me explain it simply:

1. The “headers” part tells the server what kind of web browser and language the request is coming from, among other things. It also says that the client can accept compressed data.

2. The “data” part is the actual content being sent in the request. It pretends to upload a file called “reverse-shell.php” with a piece of PHP code that can execute a shell command.

3. Finally, it uses the “requests.post” function to send this request to a web address (`target`). It turns off SSL certificate checking (not recommended for security reasons) and sends the request through a proxy server.

In plain terms, this code appears to be trying to upload a PHP file to a server with a potentially malicious shell command, and it’s doing so in a way that hides some of its tracks. The purpose and legality of this code depend on the context in which it’s used, and it could potentially be used for malicious activities. Use such code responsibly and within legal boundaries.

It seems we need to fix this code:

This should be the correct one.

Please remove the proxy! Otherwise you will not be able to get the link!

Awesome! It works!

When you use that link it is important to use cmd?={command}.

Awesome! In order to get the reverse shell, we can use reverse shell command, shall we ?

It is important to encode the shell. I think that WAF protects the server from reverse shells, but there are always alternative ways to bypass it:)

We need to switch to edward to be able to get the flag!

When we go to the /var directory we can see connection it may be interesting.

We have identified the user ‘root’ and its associated password, but unfortunately, attempts to authenticate using these credentials have been unsuccessful. I am currently attempting to execute the LinEnum.sh script for system enumeration.

Additionally, there is an option to connect to the SQL database where we have discovered certain hashes. However, upon analysis, it appears that the hashes do not contain any useful information and are resistant to cracking attempts.

Hostname: Zeno

We have identified a hostname named ‘zeno.’ Is it possible to leverage this hostname to our advantage? Alternatively, we can employ a local privilege escalation script to search for potential exploits, vulnerabilities, and other relevant information

It appears that we have write permissions, which is promising. Initially, I must conduct an examination of the ‘/etc/fstab’ file

The fstab (file system table) on your Linux system serves as a configuration file that simplifies the process of mounting and unmounting file systems. It consists of a set of instructions that dictate how various file systems should be handled when they are connected to the system. One common example is the management of USB drives.

There is a problem with it. We were not able to find zeno as username? let me check with cat /etc/passwd command. zeno was the hostname!

I suspect that the password is associated with the user ‘edward.’ I intend to proceed with an attempt to authenticate using this password.

Awesome! We have successfully gained access to the machine. :)

As first, what I will try is using sudo -l command, but what is it used for? let me explain briefly:

The “sudo -l” command in Linux is used to list the permissions and privileges that are associated with your user account when using the “sudo” command. It allows you to check what commands you are allowed to run with elevated privileges (root or superuser privileges) using “sudo”.

When you run “sudo -l”, it will typically prompt you for your password (unless you’ve recently used “sudo”), and then it will display a list of rules or permissions that define what you can do with “sudo”. These rules are usually configured in the “/etc/sudoers” file or in files within the “/etc/sudoers.d/” directory.

Awesome!

“It also possesses root privileges. Is it feasible to modify the command, substituting ‘/root/zeno-monitoring’ with a ‘bash’ command followed by a system reboot? I would like to attempt this adjustment.”

I was forcibly logged out of the system. I intend to explore alternative methods to address the issue

I employed the identical approach; nonetheless, I found it necessary to perform a system reboot and subsequently restart the service using the “/home/edward bash -p ” command.

Thank you for taking the time to explore this technical blog! I hope you found it both informative and engaging. I aimed to provide practical explanations in an accessible manner. Should you have any questions or require further clarification on any topic discussed, please don’t hesitate to reach out to me via social media.

Social Media

Twitter: https://twitter.com/lockpin010_

LinkedIn: https://www.linkedin.com/in/ahmetgoker/

Ahmet | Security Researcher | Sociologist

--

--