Thursday 8 December 2016

I am back!

Hi everyone,

I would like to say - I am back! I will work on this blog as effectively as I can :-)

I was working on my Penetration with Kali Linux course, so I was unable to publish new posts on my blog.

I will probably add new posts this week :-)

Tuesday 16 August 2016

Breach 2 challenge

Hello,
"Second in a multi-part series, Breach 2.0 is a boot2root/CTF challenge which attempts to showcase a real-world scenario, with plenty of twists and trolls along the way."

Scanning

Good, we can see that there is no NFS behind RPC. Let's check SSH.

Hmmm, blog? The scanning phase did not discover an HTTP port. Let's try the password inthesource for the SSH username peter.
Voila!

Excellent! We have opened port 80! As far as I know, Apache 2.4.10 does not have a dedicated publicly known exploit. So, let's examine the web application (blog).

OK, the source code doesn't contain credentials or anything like that - only a hint that the web application administrators do not trust users. We know two exploits for BlogPHP CMS - stored XSS and remote privilege escalation. For me the second is more interesting.
Unfortunately it does not work, so let's try the XSS exploit.

Probably we are on the right track.

Good! We have got the administrator cookies. I was trying to use the stolen credentials, but without success... Let's look at the Firefox version - 15.0. It is so old.
Let's look for some exploit. BINGO - CVE-2013-1710!

Great! We have got a limited shell! Let's upgrade our limited shell to a meterpreter session.

So, good! I have got a shell and ran netstat -antp to find what kind of services are running on our victim machine. There is 2323, so I decided to perform remote port forwarding to my port 7777 and

Hmmm, strange... But the numbers indicate Houston City in Texas (USA). Maybe it is a password for milton, peter, bill or blumbergh? Let's try. It works for milton! I ran netstat -antp again and there is an interesting port 8888, so again - let's perform remote port forwarding!

Good! Let's browse it. BINGO!

OK, let's click on the oscommerce link

Very good, dirb found the admin panel, but the credentials which we stole using SQL injection do not work there. But admin:admin works!

Nice! I have found the File Manager

So, let's try to upload a reverse shell. To do this we have to find a writable directory. BINGO! The work directory is writable - I have uploaded a reverse shell script and

Excellent! Now we have to use tcpdump to get a root shell. I found a great article about it.
I followed it step by step and I have obtained a reverse ROOT shell.

Unfortunately the /root/flag.txt file does not exist, so let's locate the flag file.

Game over!

This challenge was extremely amazing!

Thursday 11 August 2016

Loophole challenge

Hi,

"We suspect that someone inside Rattus labs is working with known terrorist group. Your mission is to infiltrate into their computer network and obtain encrypted document from one of their servers. Our inside source has told us that the document is saved under the name of Private.doc.enc and is encrypted using OpenSSL encryption utility. Obtain the document and decrypt it to complete the mission."

Scanning

We can play with the Samba server, the web application and SSH.

Web application

Hmmm, nothing special. If you click on the here link, you will get a page which contains several email addresses.
So, I have decided to run Dirb

Good, for me the ~root, garbage and info.php files may be very interesting.
Unfortunately we don't have enough privileges to view the ~root directory, but the garbage file is very attractive for us!

Something like a shadow file, isn't it?
Let's try to crack it!

Great! So, let's try to log in via SSH.

Excellent! So, we have to find the Private.doc.enc file and decrypt it!

OK, so let's decrypt it! Maybe .bash_history will contain juicy information for us, because the tskies user encrypted the Private.doc file.

Good, we know the command which encrypted the Private.doc file.
I decrypted the file and it presents the engineers' confidential doc :-)

Game over

Wednesday 10 August 2016

pWnOS v2

Hello,
The second (and latest) version of the pWnOS challenges.

Scanning
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 85:d3:2b:01:09:42:7b:20:4e:30:03:6d:d1:8f:95:ff (DSA)
|   2048 30:7a:31:9a:1b:b8:17:e7:15:df:89:92:0e:cd:58:28 (RSA)
|_  256 10:12:64:4b:7d:ff:6a:87:37:26:38:b1:44:9f:cf:5e (ECDSA)
80/tcp open  http    Apache httpd 2.2.17 ((Ubuntu))
|_http-server-header: Apache/2.2.17 (Ubuntu)
|_http-title: Welcome to this Site!
OK, as always let's start from the web application.

OK, maybe let's try to register ourselves in the web application. DirBuster also found a blog directory

Good, in the source code I have discovered that this is Simple PHP Blog 0.4.0. As far as I know, we can find an effective exploit.
I used the exploit, changed the blog credentials to ones known to me and logged in. So, I uploaded a PHP backdoor and executed it from the images directory.
When I got a limited shell I found the MySQL connect PHP file, which contains valid credentials for the database root user. I reused these credentials and got root on the system.

Game over!

Tuesday 9 August 2016

pWnOS 1

Hi,
"It's a linux virtual machine intentionally configured with exploitable services to provide you with a path to r00t. :) Currently, the virtual machine NIC is configured in bridged networking, so it will obtain a normal IP address on the network you are connected to. You can easily change this to NAT or Host Only if you desire. A quick ping sweep will show the IP address of the virtual machine."

Scanning

Good, let's start from 80 HTTP and then 10000 HTTP.
The default web page looks as below

OK, so let's click on Next button.

Hmmm, I don't know what it is, but it is some kind of help page. Let's run DirBuster.

I was trying to log in to the phpmyadmin panel using default credentials, but without success.
Let's try to do something with 10000 HTTP.

I was also trying to log in using default credentials - without success as well. We know that Webmin has several known exploits assigned to it, so let's try to use some of them.
BINGO! I have found CVE 2017.

Now we can see all lines of the /etc/passwd file. Let's try to display the /etc/shadow file.

Awesome! We can run John the Ripper now! Unfortunately it consumes a lot of time - too much for me.
I had no idea, so I decided to do some research about the OpenSSH version and I saw (unfortunately, as part of another solution) that it is vulnerable to CVE-2008-0166.

Great! So, we have to find some way to escalate our privileges. I have found an effective exploit and...

Game over!

Second attack scenario.
We can also get a limited shell via Samba. So, we have to read /etc/samba/passdb.tdb and decrypt the password for the vmware username. After that we will be able to crack the password (we will get h4ckm3). So, now we can log in to the //UBUNTUVM/home directory using Samba and get the SSH public key from the home directory.

PwnLab init challenge

Hello,

"Welcome to "PwnLab: init", my first Boot2Root virtual machine. Meant to be easy, I hope you enjoy it and maybe learn something. The purpose of this CTF is to get root and read the flag."

So, let's play with it.
Nmap scanning phase
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PwnLab Intranet Image Hosting
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          40309/udp  status
|_  100024  1          42225/tcp  status
3306/tcp  open  mysql   MySQL 5.5.47-0+deb8u1
| mysql-info:
|   Protocol: 53
|   Version: .5.47-0+deb8u1
|   Thread ID: 38
|   Capabilities flags: 63487
|   Some Capabilities: Speaks41ProtocolOld, Support41Auth, LongPassword, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsCompression, IgnoreSigpipes, InteractiveClient, ODBCClient, SupportsTransactions, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, FoundRows, ConnectWithDatabase, LongColumnFlag
|   Status: Autocommit
|_  Salt: BWnFSNkP0;xm:veu@|p=
42225/tcp open  status  1 (RPC #100024)
As always let's start from the web application.
The default web page looks like some kind of administrator panel.

We must be logged in if we want to upload a file. Let's try to do something with the page parameter.

Great! So, let's try to read something like a config.php file.

Excellent! We have retrieved the MySQL credentials! Let's verify them.

Great! We have got three credentials - probably for our web application.
These passwords look like base64 encoded strings.
Valid credentials:
kent:JWzXuBJJNy
mike:SIfdsTEn6I
kane:iSv5Ym2GRo
Before logging in as one of the three users, let's examine how the upload.php file looks.
<?php
session_start();
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
?>
<html>
    <body>
        <form action='' method='post' enctype='multipart/form-data'>
            <input type='file' name='file' id='file' />
            <input type='submit' name='submit' value='Upload'/>
        </form>
    </body>
</html>
<?php
if(isset($_POST['submit'])) {
    if ($_FILES['file']['error'] <= 0) {
        $filename  = $_FILES['file']['name'];
        $filetype  = $_FILES['file']['type'];
        $uploaddir = 'upload/';
        $file_ext  = strrchr($filename, '.');
        $imageinfo = getimagesize($_FILES['file']['tmp_name']);
        $whitelist = array(".jpg",".jpeg",".gif",".png");

        if (!(in_array($file_ext, $whitelist))) {
            die('Not allowed extension, please upload images only.');
        }

        if(strpos($filetype,'image') === false) {
            die('Error 001');
        }

        if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg' && $imageinfo['mime'] != 'image/png') {
            die('Error 002');
        }

        if(substr_count($filetype, '/')>1){
            die('Error 003');
        }

        $uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;

        if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
            echo "<img src=\"".$uploadfile."\"><br />";
        } else {
            die('Error 4');
        }
    }
}

?>
OK, we can see that we have to use the gif, jpg, jpeg or png extensions. I tried hard to upload some PHP code, but without success... Probably the upload functionality has been created correctly (securely).
Let's examine the index.php file (I don't have more ideas).
<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
    include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
    if (isset($_GET['page']))
    {
        include($_GET['page'].".php");
    }
    else
    {
        echo "Use this server to upload and share image files inside the intranet";
    }
?>
</center>
</body>
</html>
We can see that lang is handled via include, so maybe there is LFI?
BINGO! I have removed the PHPSESSID cookie and added lang=../../../../../../../etc/passwd.
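Both includes in index.php above build a filesystem path directly from user input: the lang cookie is concatenated onto "lang/" and the page parameter onto ".php", which is exactly what makes the traversal possible. The following is an added hardened rewrite of that file, written for this post and not the challenge's own code; the second language entry (es) and the resolveInclude helper are my own assumptions. The fix is to map each user-supplied key through a fixed allow-list and never build a path string from the raw value.

```php
<?php
// Hardened variant of the PwnLab index.php shown above (added example, not the
// challenge's code). Both include() targets are resolved through allow-lists,
// so no user-controlled string ever becomes part of a filesystem path.

// Pages the front controller may include, keyed by the public ?page= name.
const ALLOWED_PAGES = [
    'login'  => 'login.php',
    'upload' => 'upload.php',
];

// Language files, keyed by the short code the "lang" cookie may carry.
// The "es" entry is a hypothetical second language for illustration.
const ALLOWED_LANGS = [
    'en' => 'lang/en.lang.php',
    'es' => 'lang/es.lang.php',
];

/**
 * Map a user-supplied key to a path inside the application directory, or
 * return null when the key is not in the allow-list. A value such as
 * "../../etc/passwd" never matches a key, so it is rejected without any
 * path manipulation or string sanitising being needed.
 */
function resolveInclude(array $allowList, ?string $key): ?string
{
    if ($key === null || !array_key_exists($key, $allowList)) {
        return null;
    }
    return __DIR__ . '/' . $allowList[$key];
}

$langFile = resolveInclude(ALLOWED_LANGS, $_COOKIE['lang'] ?? null);
if ($langFile !== null && is_file($langFile)) {
    include $langFile;
}
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
    $pageFile = resolveInclude(ALLOWED_PAGES, $_GET['page'] ?? null);
    if ($pageFile !== null) {
        include $pageFile;
    } elseif (isset($_GET['page'])) {
        // Unknown page names get a generic 404; the rejected value is logged
        // server-side so traversal probes show up in the error log.
        error_log('index.php: rejected page parameter ' . var_export($_GET['page'], true));
        http_response_code(404);
        echo "Unknown page";
    } else {
        echo "Use this server to upload and share image files inside the intranet";
    }
?>
</center>
</body>
</html>
```

With the allow-list in place the upload restrictions in upload.php are no longer the only line of defence: even a valid image that carries PHP inside it cannot be executed through index.php, because the only files that can ever be included are the fixed entries in the two maps. Logging the rejected value also gives the blue team a simple signal to alert on, since a legitimate client never sends a page or lang value containing "../" or a wrapper prefix.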

Great! So, we can upload a png file with an injected PHP script and run it using the LFI and the lang cookie!

Excellent! We have got a limited shell. So, let's try the retrieved credentials to elevate our privileges.
BINGO! We can do that!

Great!

Very good. TRY HARDER!

Game over!

Friday 22 July 2016

Kioptrix 5

Hello,
Now it's the turn of the last (unfortunately) Kioptrix challenge.

Scanning

Two open ports? It suits me.
Let's begin our journey from port 80. The default web page is the default Apache "It works" page, but the source code contains good news for us.

Wow, there is pChart, that's good for us, because it contains multiple vulnerabilities.

OK, let's try to exploit the directory traversal vulnerability.

Excellent! Let's try to find the Document Root for Apache.

What do you think about it? I have changed the User-Agent using Burp Suite and I have got on port 8080

I have clicked on it

Hmmm, I don't know how to exploit it.... But after quick research we can use Remote Code Execution!
I have used the Metasploit Framework and I have got a limited shell!

So, now it's time to escalate our privileges.

Game over!