Thursday 30 June 2016

Mr Robot v1 challenge

Hello all,

First of all I would like to thank you for visiting my blog.

Based on the show Mr. Robot, this VM has three keys hidden in different locations. Our goal is to find all three. Each key is progressively harder to find.

Scanning phase
Of course with version detection and aggressive mode on all ports.

OK, we see that our target is not complex, but I can't say that it is easy :-)
Ports 443 and 80 probably both host the same web application.

Hmmm, very interesting, isn't it? I tried each of these commands, but they only gave me videos and pictures.
I tried to open the robots.txt file.

Very good! Nice shot! Let's open the key-1-of-3.txt file.

OK, we have retrieved one of the three keys.
Let's run dirb.

This is not the full list of dirb's findings. Below it were also directories such as wp-content, wp-login, etc.
So we know that the target's CMS is WordPress, but we don't know which version. I also found a readme.html file.

Excellent! Now we know which version of WordPress is installed. I looked for an exploit for it, but without success. Let's go back to our robots.txt file. Besides the key file, we can see a fsocity.dic file.
I downloaded it, and this file is something like a dictionary. The file is large, so I decided to deduplicate it with
cat fsocity.dic | sort | uniq > n_fsocity.dic
Good! We have prepared the dictionary. We know that the admin panel is located at the wp-login path.
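As an added example that is not part of the original post, here is that dictionary preparation wrapped in a small sh function. Besides the sort and uniq step it also strips Windows line endings and blank lines, which otherwise survive as separate "words" and quietly inflate a list, and it reports how much the list shrank. The file names are arguments and the sample input is constructed inline, so nothing here is taken from the VM.

```shell
#!/bin/sh
# Added example (not from the original post): normalise a raw wordlist such
# as fsocity.dic before feeding it to a tool. The post's one-liner is
#   cat fsocity.dic | sort | uniq > n_fsocity.dic
# This version also removes carriage returns and empty lines and prints
# the raw and unique line counts so the saving is visible.

# prep_wordlist RAW OUT -> writes the cleaned list to OUT, prints "raw unique"
prep_wordlist() {
    raw="$1"
    out="$2"
    # tr drops carriage returns, grep drops empty lines, and sort -u does
    # the work of sort | uniq in a single process.
    tr -d '\r' < "$raw" | grep -v '^$' | sort -u > "$out"
    printf '%s %s\n' "$(wc -l < "$raw" | tr -d ' ')" "$(wc -l < "$out" | tr -d ' ')"
}

# Constructed sample input (duplicates, CRLF endings, a blank line) so the
# script runs offline; it is not the real fsocity.dic.
make_sample() {
    printf 'elliot\r\nmr.robot\nelliot\n\nfsociety\nmr.robot\r\n' > "$1"
}

# Usage: prep_wordlist fsocity.dic n_fsocity.dic
```

Run against the constructed sample, six raw lines collapse to three unique words; on a real list the difference between `sort | uniq` and this variant shows up exactly when the file came from a Windows editor, because "elliot" and "elliot\r" are different strings to every password tool.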

OK! But we know neither the username nor the password. Brute force may take too much time. We can enumerate usernames using the forgotten-password form and/or wpscan.

Great! We know two users; let's try brute-forcing both via wpscan.
[Brute-forcing....] BINGO!

and

Amazing! So now we are able to log in as one of them. I did that and verified that elliot has higher privileges than mich05654.

Great! elliot is probably an administrator. I edited the Themes and used that to upload reverse shell code, and...

Excellent! We have got a limited shell! Let's try to find something interesting.

Wow! Very nice! Let's read key-2-of-3.txt and password.raw-md5.

50% of success :) We have to crack the MD5 hash.
[Cracking...] The MD5 above is the hash of the string 'abcdefghijklmnopqrstuvwxyz'.
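Why this step was so quick, as an added example that is not from the original post: MD5 is fast and the stored hash was unsalted, so a plain wordlist check recovers the string almost instantly. The script below hashes each candidate exactly the way the file was hashed and compares digests. The target digest is the published RFC 1321 test vector for that string (a known value, not copied from the VM), and the wordlist is constructed inline.

```shell
#!/bin/sh
# Added example (not from the original post): a wordlist check against an
# unsalted MD5 digest. TARGET_MD5 is MD5("abcdefghijklmnopqrstuvwxyz") as
# given in the RFC 1321 test suite; the wordlist is constructed for the demo.

TARGET_MD5='c3fcd3d76192e4007dfb496cca67e13b'

# md5_of STRING -> lowercase hex digest of exactly STRING (no trailing newline).
# echo would append "\n" and hash a different message, a classic mismatch.
md5_of() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# crack_md5 HASH WORDLIST -> prints the matching word and returns 0,
# or prints nothing and returns 1 when no candidate matches.
crack_md5() {
    hash="$1"
    list="$2"
    while IFS= read -r word; do
        [ -n "$word" ] || continue
        if [ "$(md5_of "$word")" = "$hash" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$list"
    return 1
}

# Constructed sample wordlist so the script runs offline.
make_wordlist() {
    printf 'password\nletmein\nabcdefghijklmnopqrstuvwxyz\nqwerty\n' > "$1"
}

# Usage: make_wordlist words.txt && crack_md5 "$TARGET_MD5" words.txt
```

Two things worth noticing as a defender: the check is one `md5sum` per candidate with no per-user salt, so one pass over a list covers every account at once, and `printf '%s'` matters because `echo` would hash the word plus a newline and never match. A salted, deliberately slow password hash (bcrypt, scrypt, Argon2) removes both advantages, which is why a file like password.raw-md5 is a finding in itself.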

Excellent! Let's check the OS version of our target.
We know that several exploits exist for our target; unfortunately none of them work :( I did some deep research and found something interesting about nmap and running commands through it.

Wonderful, isn't it?

Amazing! It is probably game over, because the firstboot_done file is empty. Let's look at /etc/shadow as well.

Summary
We now know how powerful nmap can be, also locally.

Sunday 26 June 2016

Holynix v2 challenge

Hello all,
Holynix is a Linux distribution that was deliberately built to have security holes for the purposes of penetration testing. The object of the challenge v1 is just to root the box. Register on the forums to receive an email update when a new challenge is released.

Scanning phase
I scanned all ports.
Nice, there are four open ports.

FTP
Unfortunately we can't log in to FTP as the anonymous user. We don't know a username either, but we know that an effective exploit exists for Pure-FTPd.

SSH
OpenSSH 4.7p1 does not have an associated known exploit.

Web application
Let's examine the web application.

Hmmm, probably we have to do something with DNS. I set up the IP address in the /etc/hosts file as www.zincftp.com and ran the dig command to look at the DNS zone table.

Great! We can see ns1.zincftp.com ... 192.168.1.89, the second IP address. I tried to transfer DNS data from 192.168.1.88 but without success. Hmmm, but I have got the second IP! Let's try to set our (my eth0) IP address to 192.168.1.89 and transfer the DNS zone data from 192.168.1.88.

The above is not all the records. So the syntax probably looks like username.zincftp.com. Very good findings! But in spite of that, let's run DirBuster.

Wow, this result contains at least two interesting directories: phpmyadmin and setup_guides. First let's examine setup_guides. Hmm, unfortunately it is Forbidden for us... I tried to bypass the restriction by editing the requests, without success. I tried changing my IP to 192.168.1.88 and 192.168.1.89, without success. Hmm, maybe I have overlooked something? I also found the IP address 192.168.1.34 in the result of dig! (it is not displayed in the screenshot above). Let's try changing our IP and browsing setup_guides.
Owww yeah! The todo file looks as follows
Great, isn't it? But maybe phpmyadmin has default credentials
Woow! I logged into the admin panel without any credentials!
So, we know that the FTP server has at least two users, shanover and lbaumann. Because we have access to phpmyadmin (maybe with root privileges) I tried to upload a PHP backdoor. Unfortunately we don't have enough privileges to do that :( But, wait a minute! We know exactly where the passwords for the FTP users are. Let's try using the load data local infile statement (the table name is a bare identifier, not a quoted string)
load data local infile 'path_to_passwords' into table created_table lines terminated by '\n';

Excellent! PS. We could also do that using Metasploit and the phpmyadmin directory traversal module.
Let's try to crack these passwords using John the Ripper.

Very good! Maybe these credentials will be valid for SSH?
Unfortunately they do not work. Hmm, maybe they will be valid for FTP? BINGO!
So, let's upload our PHP backdoor and chmod 0775 shell.php. Then let's try to execute the backdoor.
Hmm, I tried to execute our backdoor but without success: I got "Server not found". I had to add a line to the resolv.conf file as follows
echo nameserver 192.168.1.88 > /etc/resolv.conf
and BINGO!

Excellent! I found that our target runs Linux kernel 2.6.22-14. So, as far as I know, we have several exploits which may be useful.

Game over!


Friday 24 June 2016

Kioptrix Level 3

Hello,
I would like to introduce you to one of my favourite series, the Kioptrix challenges. Atypically, I begin from level 3 (Kioptrix 1.2).

Scanning phase
Nmap with options: -p- (all ports), -sV (service versions) and -A (aggressive).

OpenSSH 4.7p1 does not have a dedicated exploit or critical vulnerabilities.
So, let's examine the web application. We can see in the nmap result that the web application uses a vulnerable PHP version (5.2.4). Unfortunately, exploit-db only has an exploit for the Windows platform.
We can see that we are able to go to the login panel directly. But in spite of that, let's run DirBuster.
OK, we can see the gallery directory; for me it is interesting.
The login panel looks as below
We see that the CMS hosting the web application is LotusCMS. Maybe we could find some exploit for the CMS? I found several exploits and one from Metasploit. I tested each except the Metasploit one, without success. I don't want to use Metasploit, so let's continue our pentesting.
As I said previously, the gallery directory looks interesting
Displaying the source code we can find that there is an admin panel for the gallery, located at gadmin.
Very good! Gallarific also has several exploits assigned. For me the most interesting was the SQL injection exploit. Let's verify it.
Nice! There is probably indeed SQLi. Let's use sqlmap
Amazing! Let's examine the gallery database
Excellent! We have valid credentials for the gallery (admin:n0t7t1k4).
Using the sqlmap tool I also retrieved the /etc/passwd file
I also got credentials from the mysql database (root:fuckeyou). We know that phpmyadmin is tied to our target. Maybe this would give us another way for exploitation (I verified it and unfortunately this method doesn't work). For now let's go back to the gallery.
I used our credentials
Good, we have to find a place to upload a PHP backdoor. Hmmm, I have some problem with it. Maybe we should go back to the SQL injection and find something helpful.
Bingo! We know that both dreg and loneferret are system users!
I logged in as loneferret, because for dreg everything is restricted.
OK! We know that we are not able to execute su, but /usr/local/bin/ht we can.
Using ht I opened /etc/shadow
and /etc/sudoers
We are allowed to edit this file, so let's exploit it!
Game over!
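The root cause here is a sudoers rule, not a software bug, so as an added example that is not part of the original post, here is a small sh audit for exactly that pattern: a non-root user allowed to run an editor through sudo. Any editor running as root can open /etc/sudoers or /etc/shadow, so such a rule is full root in disguise and should be flagged the same way as ALL. The sudoers content is constructed for the demo; only the user and editor names (loneferret, dreg, ht) follow the post, everything else is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): audit a sudoers file for rules
# that let a non-root user run an editor or pager as root, the weakness the
# Kioptrix Level 3 walkthrough ends on. The sample file is constructed.

# Editors and pagers that can write arbitrary files or spawn a shell as root.
RISKY_BINS='ht vi vim nano emacs less more'

# audit_sudoers FILE -> prints one flagged line per risky rule
audit_sudoers() {
    # Strip comments, blank lines and Defaults; what remains are user specs.
    sed -e 's/#.*//' "$1" | grep -v '^[[:space:]]*$' | grep -v '^Defaults' |
    while IFS= read -r rule; do
        # Rules for root itself are expected; skip them.
        case $rule in root*) continue ;; esac
        # The command list is everything after the first '='; drop the
        # (runas) group and tags such as NOPASSWD:.
        cmds=$(printf '%s' "${rule#*=}" | sed -e 's/([^)]*)//' -e 's/[A-Z]*://g')
        for cmd in $(printf '%s' "$cmds" | tr ',' ' '); do
            base=${cmd##*/}
            if [ "$base" = ALL ]; then
                printf 'FULL-ROOT: %s\n' "$rule"
                break
            fi
            for risky in $RISKY_BINS; do
                if [ "$base" = "$risky" ]; then
                    printf 'EDITOR-AS-ROOT: %s\n' "$rule"
                    break 2
                fi
            done
        done
    done
}

# Constructed sample sudoers, modelled on the kind of rule the post found.
make_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample, not the VM's real file
Defaults    env_reset
root        ALL=(ALL) ALL
%admin      ALL=(ALL) ALL
loneferret  ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
dreg        ALL=(ALL) /usr/bin/apt-get
EOF
}

# Usage: audit_sudoers /etc/sudoers
```

On the constructed file the audit flags the loneferret rule as EDITOR-AS-ROOT and the %admin group as FULL-ROOT, while the dreg rule passes. Denying su with `!` does nothing when the same line hands out an editor; the fix is to remove the editor from the rule, or to grant `sudoedit` on the specific file that actually needs editing.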