Sunday 26 June 2016

Holynix v2 challenge

Hello all,
Holynix is a Linux distribution that was deliberately built to have security holes for the purposes of penetration testing. The object of the challenge v1 is just to root the box. Register on the forums to receive an email update when a new challenge is released.

Scanning phase
I scanned all ports.
Nice, there are four open ports.

FTP
Unfortunately we can't log in to FTP as the anonymous user. We don't know any usernames either, but we know that an effective exploit exists for Pure-FTPd.

SSH
OpenSSH 4.7p1 has no known associated exploit.

Web application
Let's examine the web application.

Hmmm, we probably have to do something with DNS. I mapped the IP address to www.zincftp.com in the /etc/hosts file and ran the dig command to look at the DNS zone.

Great! We can see ns1.zincftp.com ... 192.168.1.89, the second IP address. I tried a zone transfer from 192.168.1.88 but without success. Hmmm, but now I have the second IP! Let's set our (my eth0) IP address to 192.168.1.89 and try the zone transfer from 192.168.1.88 again.

The above is not all of the records. So the naming scheme probably looks like username.zincftp.com. Very good findings! But in spite of that, let's run DirBuster.
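The zone transfer above succeeded only because the name server trusted a source address, which is trivially changed. As an added example that is not part of the original write-up, here is how a defender can spot transfer requests in a BIND query log: the log lines are constructed in BIND's classic query-log format and reuse the walkthrough's addresses, and the allow-list is an assumption.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in BIND's classic query-log format. The addresses
# mirror the walkthrough (192.168.1.88 serves the zone, 192.168.1.89 is the
# listed secondary). This is not real log data.
SAMPLE_LOG = """\
client 192.168.1.34#41211: query: www.zincftp.com IN A + (192.168.1.88)
client 192.168.1.89#52001: query: zincftp.com IN AXFR + (192.168.1.88)
client 192.168.1.50#33902: query: zincftp.com IN AXFR + (192.168.1.88)
client 192.168.1.50#33910: query: zincftp.com IN IXFR + (192.168.1.88)
"""

# Assumption: only the listed secondary is allowed to pull the zone.
ALLOWED_XFR = [ip_network("192.168.1.89/32")]

LINE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<zone>\S+) IN (?P<qtype>AXFR|IXFR)"
)

def find_unexpected_transfers(log_text, allowed=ALLOWED_XFR):
    """Return (client_ip, zone, qtype) for every zone-transfer request
    whose source address is outside the allow-list."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ordinary lookups (A, MX, ...) are not of interest here
        src = ip_address(m["ip"])
        if not any(src in net for net in allowed):
            hits.append((str(src), m["zone"], m["qtype"]))
    return hits

def transfer_counts_by_client(log_text):
    """Count transfer requests per client, allow-listed or not. A trusted
    address that starts pulling the zone is still worth a look, because a
    source-IP ACL on its own is bypassed by simply taking that address;
    a TSIG-signed transfer policy does not have this weakness."""
    counts = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[m["ip"]] = counts.get(m["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    for ip, zone, qtype in find_unexpected_transfers(SAMPLE_LOG):
        print(f"unexpected {qtype} of {zone} from {ip}")
    print(transfer_counts_by_client(SAMPLE_LOG))
```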

Wow, this result contains at least two interesting directories: phpmyadmin and setup_guides. First, let's examine setup_guides. Hmm, unfortunately it is Forbidden for us... I tried to bypass the restriction by editing the requests, without success. I tried changing my IP to 192.168.1.88 and 192.168.1.89, without success. Hmm, maybe I have overlooked something? I also found the IP address 192.168.1.34 in the dig result (it is not displayed in the screenshot above). Let's change our IP and browse setup_guides.
Owww yeah! The todo file looks as follows:
Great, isn't it? But maybe phpmyadmin has default credentials?
Woow! I logged into the admin panel without any credentials!
So, we know that the FTP server has at least two users, shanover and lbaumann. Because we have access to phpmyadmin (maybe with root privileges), I tried to upload a PHP backdoor. Unfortunately we don't have enough privileges to do that :( But, wait a minute! We know exactly where the passwords for the FTP users are. Let's try using the load data local infile statement:
load data local infile 'path_to_passwords' into table created_table lines terminated by '\n';

Excellent! PS. We could also do that using Metasploit and the phpmyadmin directory traversal module.
Let's try to crack these passwords using John the Ripper.

Very good! Maybe these credentials will be valid for SSH?
Unfortunately that does not work. Hmm, maybe they will be valid for FTP? BINGO!
So, let's upload our PHP backdoor and chmod 0775 shell.php. Then let's try to execute the backdoor.
Hmm, I tried to execute our backdoor but without success: I got "Server not found". I had to add a line to the resolv.conf file as follows:
echo nameserver 192.168.1.88 > /etc/resolv.conf
and BINGO!

Excellent! I found that our target is running Linux kernel 2.6.22-14. So, as far as I know, we have several exploits which may be useful.

Game over!