Hi everyone,
I would like to say - I am back! I will work on this blog as effectively as I can :-)
I was working on my Penetration with Kali Linux course, so I was unable to publish new post on my blog.
Probably on this week I will have added new posts :-)
Thursday, 8 December 2016
Tuesday, 16 August 2016
Breach 2 challenege
Hello,
"Second in a multi-part series, Breach 2.0 is a boot2root/CTF challenge which attempts to showcase a real-world scenario, with plenty of twists and trolls along the way."
Scanning
Good, we can see that there is not NFS for RPC. Let's check SSH.
Hmmm, blog? Scanning phase did not discover HTTP port. Let's try use password inthesource for peter SSH username.
Voila!
Excellent! We have opened 80 port! As far as I know, Apache 2.4.10 does not have dedicated public known exploit. So, let's examine the web application (blog)
Ok, source code doesn't contain credentials and anything like that - only hint that web application administrators do not trust user. We know two exploits for BlogPHP CMS - XSS Stored and Remote Privilege Escalation. For me more interesting is the second.
Unfortunately it is not work, so let's try exploit XSS.
Probably we are on the right way.
Good! We have got administrator cookies. I was trying use stolen credentials, but without success... Let's look at Firefox version - 15.0. It is so old.
Let's look for some exploit. BINGO - CVE: 2013-1710!
Great! We have got limited shell! Let's upgrade our limited shell to meterpreter session.
So, good! I have got a shell and run netstat -antp to find what kind of services is running on our victim machine. There is 2323 so I decided to perform remote port forwarding to my 7777 port and
Hmmm, strange... But the numbers indicates Houston City in Texas (USA). Maybe it is a password for milton, peter, bill or blumbergh? Let's try. It works for milton! I run again netstat -antp and there is interesting port 8888, so again - let's perform remote port forwarding!
Good! Let's browse it. BINGO!
OK, let's click on oscommerce link
Very good, dirb found admin panel but there doesn't work credentials which we stole using SQL Injection. But admin:admin works!
Nice! I have found File Manager
So, let's try upload reverse shell. TO do this - we have to find writable directory. BINGO! Work directory is writable - I have uploaded reverse shell script and
Excellent! Now we have to use tcpdump to get root shell. I found great article about it.
I followed step by step and I have obtained reverse ROOT shell.
Unfortunately /root/flag.txt file does not exist so, let's locate flag file.
Game over!
This challnege was extremely amazing!
"Second in a multi-part series, Breach 2.0 is a boot2root/CTF challenge which attempts to showcase a real-world scenario, with plenty of twists and trolls along the way."
Scanning
Good, we can see that there is not NFS for RPC. Let's check SSH.
Hmmm, blog? Scanning phase did not discover HTTP port. Let's try use password inthesource for peter SSH username.
Voila!
Excellent! We have opened 80 port! As far as I know, Apache 2.4.10 does not have dedicated public known exploit. So, let's examine the web application (blog)
Ok, source code doesn't contain credentials and anything like that - only hint that web application administrators do not trust user. We know two exploits for BlogPHP CMS - XSS Stored and Remote Privilege Escalation. For me more interesting is the second.
Unfortunately it is not work, so let's try exploit XSS.
Probably we are on the right way.
Good! We have got administrator cookies. I was trying use stolen credentials, but without success... Let's look at Firefox version - 15.0. It is so old.
Let's look for some exploit. BINGO - CVE: 2013-1710!
Great! We have got limited shell! Let's upgrade our limited shell to meterpreter session.
So, good! I have got a shell and run netstat -antp to find what kind of services is running on our victim machine. There is 2323 so I decided to perform remote port forwarding to my 7777 port and
Hmmm, strange... But the numbers indicates Houston City in Texas (USA). Maybe it is a password for milton, peter, bill or blumbergh? Let's try. It works for milton! I run again netstat -antp and there is interesting port 8888, so again - let's perform remote port forwarding!
Good! Let's browse it. BINGO!
OK, let's click on oscommerce link
Very good, dirb found admin panel but there doesn't work credentials which we stole using SQL Injection. But admin:admin works!
Nice! I have found File Manager
So, let's try upload reverse shell. TO do this - we have to find writable directory. BINGO! Work directory is writable - I have uploaded reverse shell script and
Excellent! Now we have to use tcpdump to get root shell. I found great article about it.
I followed step by step and I have obtained reverse ROOT shell.
Unfortunately /root/flag.txt file does not exist so, let's locate flag file.
Game over!
This challnege was extremely amazing!
Thursday, 11 August 2016
Loophole challenge
Hi,
"We suspect that someone inside Rattus labs is working with known terrorist group. Your mission is to infiltrate into their computer network and obtain encrypted document from one of their servers. Our inside source has told us that the document is saved under the name of Private.doc.enc and is encrypted using OpenSSL encryption utility. Obtain the document and decrypt it to complete the mission."
Scanning
We can play with Samba server, web application and SSH.
Web application
Hmmm, nothing special. If you click on here link, you will get page which contains several email addresses.
So, I have decided to run Dirb
Good, for me very interesting may be ~root, garbage and info.php files.
Unfortuately we don't have enough privileges to view ~root directory, but garbage file is very attractive for us!
Something like shadow file, isn't it?
Let's try crack it!
Great! So, let's try log in via SSH.
Excellent! So, we have to find Private.doc.enc file and decrypt it!
OK, so let's decrypt it! Maybe in .bash_history will be juicy information for us? Because tskies user encrypted the Private.doc file.
Good, we know command which encrypted Private.doc file.
I decrypted the file and it presents engineers confidential doc :-)
Game over
"We suspect that someone inside Rattus labs is working with known terrorist group. Your mission is to infiltrate into their computer network and obtain encrypted document from one of their servers. Our inside source has told us that the document is saved under the name of Private.doc.enc and is encrypted using OpenSSL encryption utility. Obtain the document and decrypt it to complete the mission."
Scanning
We can play with Samba server, web application and SSH.
Web application
Hmmm, nothing special. If you click on here link, you will get page which contains several email addresses.
So, I have decided to run Dirb
Good, for me very interesting may be ~root, garbage and info.php files.
Unfortuately we don't have enough privileges to view ~root directory, but garbage file is very attractive for us!
Something like shadow file, isn't it?
Let's try crack it!
Great! So, let's try log in via SSH.
Excellent! So, we have to find Private.doc.enc file and decrypt it!
OK, so let's decrypt it! Maybe in .bash_history will be juicy information for us? Because tskies user encrypted the Private.doc file.
Good, we know command which encrypted Private.doc file.
I decrypted the file and it presents engineers confidential doc :-)
Game over
Wednesday, 10 August 2016
pWnOS v2
Hello,
The second version (and the latest) of pWnOS challenges.
Scanning
OK, maybe let's try register us to the web application. DirBuster found also blog directory
Good, in the source code I have discovered that this is Simple PHP Blog 0.4.0 As far as I know, we can find effective exploit.
I have use exploit and I have change credentials for known for me to blog and I have logged in. So, I have uploaded PHP backdoor and execute it from images directory.
When I have got limited shell I found mysql connect PHP file, which contains valid credentials for root database. I have reused these credentials and I have got a root system.
Game over!
The second version (and the latest) of pWnOS challenges.
Scanning
PORT STATE SERVICE VERSIONOK, as always let's try from web application.
22/tcp open ssh OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 85:d3:2b:01:09:42:7b:20:4e:30:03:6d:d1:8f:95:ff (DSA)
| 2048 30:7a:31:9a:1b:b8:17:e7:15:df:89:92:0e:cd:58:28 (RSA)
|_ 256 10:12:64:4b:7d:ff:6a:87:37:26:38:b1:44:9f:cf:5e (ECDSA)
80/tcp open http Apache httpd 2.2.17 ((Ubuntu))
|_http-server-header: Apache/2.2.17 (Ubuntu)
|_http-title: Welcome to this Site!
OK, maybe let's try register us to the web application. DirBuster found also blog directory
Good, in the source code I have discovered that this is Simple PHP Blog 0.4.0 As far as I know, we can find effective exploit.
I have use exploit and I have change credentials for known for me to blog and I have logged in. So, I have uploaded PHP backdoor and execute it from images directory.
When I have got limited shell I found mysql connect PHP file, which contains valid credentials for root database. I have reused these credentials and I have got a root system.
Game over!
Tuesday, 9 August 2016
pWnOS 1
Hi,
"It's a linux virtual machine intentionally configured with exploitable services to provide you with a path to r00t. :) Currently, the virtual machine NIC is configured in bridged networking, so it will obtain a normal IP address on the network you are connected to. You can easily change this to NAT or Host Only if you desire. A quick ping sweep will show the IP address of the virtual machine."
Scanning
Good, let's start from 80 HTTP and then 10000 HTTP.
Default web page looks as below
OK, so let's click on Next button.
Hmmm, I don't know what is it, but it is some kind of help page. Let's run DirBuster.
I was trying log in to the phpmyadmin panel using default credentials but without success.
Let's try do something with 10000 http.
I was trying also log in using default credentials - without success as well. We know that Webmin has assigned several known exploits, so let's try use some of it.
BINGO! I have found CVE 2017.
There is now ass lines of /etc/passwd file. Let's try display /etc/shadow file.
Awesome! We can run John the Ripper now! Unfortunately it consumes a lot of time - too lot for me.
I haven't idea, so I decided to perform some research about version of OpenSSH and I saw (unfortunately part of other solution) that it is vulnerable to CVE 2008-0166.
Great! So, we have to find some way to escalate our privileges. I have found effective exlpoit and...
Game over!
Second attack scenario.
We can also get limited shell via Samba. So, we have to read /etc/samba/passdb.tdb and decrypt password for vmware username. After that we will
be able to crack the password (we will get h4ckm3). So, now we can log in to the //UBUNTUVM/home directory using samba and get from home directory SSH public key.
"It's a linux virtual machine intentionally configured with exploitable services to provide you with a path to r00t. :) Currently, the virtual machine NIC is configured in bridged networking, so it will obtain a normal IP address on the network you are connected to. You can easily change this to NAT or Host Only if you desire. A quick ping sweep will show the IP address of the virtual machine."
Scanning
Good, let's start from 80 HTTP and then 10000 HTTP.
Default web page looks as below
OK, so let's click on Next button.
Hmmm, I don't know what is it, but it is some kind of help page. Let's run DirBuster.
I was trying log in to the phpmyadmin panel using default credentials but without success.
Let's try do something with 10000 http.
I was trying also log in using default credentials - without success as well. We know that Webmin has assigned several known exploits, so let's try use some of it.
BINGO! I have found CVE 2017.
There is now ass lines of /etc/passwd file. Let's try display /etc/shadow file.
Awesome! We can run John the Ripper now! Unfortunately it consumes a lot of time - too lot for me.
I haven't idea, so I decided to perform some research about version of OpenSSH and I saw (unfortunately part of other solution) that it is vulnerable to CVE 2008-0166.
Great! So, we have to find some way to escalate our privileges. I have found effective exlpoit and...
Game over!
Second attack scenario.
We can also get limited shell via Samba. So, we have to read /etc/samba/passdb.tdb and decrypt password for vmware username. After that we will
be able to crack the password (we will get h4ckm3). So, now we can log in to the //UBUNTUVM/home directory using samba and get from home directory SSH public key.
PwnLab init challenge
Hello,
"Wellcome to "PwnLab: init", my first Boot2Root virtual machine. Meant to be easy, I hope you enjoy it and maybe learn something. The purpose of this CTF is to get root and read de flag."
So, let's play with it
Nmap scanning phase
Default Web page looks like a some kind of administrator panel.
We must be logged in if we want to upload some file. Let's try do something with page parameter.
Great! So, le'ts try read something like a config.php file.
Excellent! We have retrieved MySQL credentials! Let's verify it.
Great! We have got three credentials - probably for our web application.
These passwords looks like base64 encoded string.
Valid credentials:
kent:JWzXuBJJNy
mike:SIfdsTEn6I
kane:iSv5Ym2GRo
Before logging as one of the three users, let's try examine how looks upload.php file.
Let's examine index.php file (I don't have more ideas).
BINGO! I have removed PHPSESSIONID parameter and add lang=../../../../../../../etc/passwd.
Great! So, we can upload png file with injected PHP script and run using LFI and lang Cookie!
Excellent! We have got limited shell. So, let's try retrieved credentials to up our privileges.
BINGO! We can do that!
Great!
Very good. TRY HARDER!
Game over!
"Wellcome to "PwnLab: init", my first Boot2Root virtual machine. Meant to be easy, I hope you enjoy it and maybe learn something. The purpose of this CTF is to get root and read de flag."
So, let's play with it
Nmap scanning phase
PORT STATE SERVICE VERSIONAs always let's start from web application.
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PwnLab Intranet Image Hosting
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 40309/udp status
|_ 100024 1 42225/tcp status
3306/tcp open mysql MySQL 5.5.47-0+deb8u1
| mysql-info:
| Protocol: 53
| Version: .5.47-0+deb8u1
| Thread ID: 38
| Capabilities flags: 63487
| Some Capabilities: Speaks41ProtocolOld, Support41Auth, LongPassword, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsCompression, IgnoreSigpipes, InteractiveClient, ODBCClient, SupportsTransactions, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, FoundRows, ConnectWithDatabase, LongColumnFlag
| Status: Autocommit
|_ Salt: BWnFSNkP0;xm:veu@|p=
42225/tcp open status 1 (RPC #100024)
Default Web page looks like a some kind of administrator panel.
We must be logged in if we want to upload some file. Let's try do something with page parameter.
Great! So, le'ts try read something like a config.php file.
Excellent! We have retrieved MySQL credentials! Let's verify it.
Great! We have got three credentials - probably for our web application.
These passwords looks like base64 encoded string.
Valid credentials:
kent:JWzXuBJJNy
mike:SIfdsTEn6I
kane:iSv5Ym2GRo
Before logging as one of the three users, let's try examine how looks upload.php file.
<?phpOK, we can see that we have to use gif,jpg, jpeg and png extensions. I was trying a lot upload some PHP code, but without success... Probably upload functionality has been created correctly (secure).
session_start();
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
?>
<html>
<body>
<form action='' method='post' enctype='multipart/form-data'>
<input type='file' name='file' id='file' />
<input type='submit' name='submit' value='Upload'/>
</form>
</body>
</html>
<?php
if(isset($_POST['submit'])) {
if ($_FILES['file']['error'] <= 0) {
$filename = $_FILES['file']['name'];
$filetype = $_FILES['file']['type'];
$uploaddir = 'upload/';
$file_ext = strrchr($filename, '.');
$imageinfo = getimagesize($_FILES['file']['tmp_name']);
$whitelist = array(".jpg",".jpeg",".gif",".png");
if (!(in_array($file_ext, $whitelist))) {
die('Not allowed extension, please upload images only.');
}
if(strpos($filetype,'image') === false) {
die('Error 001');
}
if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
die('Error 002');
}
if(substr_count($filetype, '/')>1){
die('Error 003');
}
$uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;
if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
echo "<img src=\"".$uploadfile."\"><br />";
} else {
die('Error 4');
}
}
}
?>
Let's examine index.php file (I don't have more ideas).
<?phpWe can see that lang is handled via include method, so maybe there is LFI?
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
if (isset($_GET['page']))
{
include($_GET['page'].".php");
}
else
{
echo "Use this server to upload and share image files inside the intranet";
}
?>
</center>
</body>
</html>
BINGO! I have removed PHPSESSIONID parameter and add lang=../../../../../../../etc/passwd.
Great! So, we can upload png file with injected PHP script and run using LFI and lang Cookie!
Excellent! We have got limited shell. So, let's try retrieved credentials to up our privileges.
BINGO! We can do that!
Great!
Very good. TRY HARDER!
Game over!
Friday, 22 July 2016
Kioptrix 5
Hello,
Now it's turn to the last (unfortunately) Kioptrix challenge.
Scanning
Two open ports? It suits me.
Let's begin our travel from port 80. Default web page is a default page for Apache - It works, but source code contains good news for us.
Wow, there is pChart, that's good for us, because it contains multiple vulnerabilities.
OK, let's try exploit Directory Traversal vulnerability.
Excellent! Let's try find Document Root file for apache.
What do you think about it? I have changed User Agent using Burp Suite and I have got on port 8080
I have clicked on it
Hmmm I don't know how to exploit it.... But quick research and we can use Remote Code Execution!
I have used Metasploit Framework and I have got limited shell!
So, now it's time to escalate our privileges.
Game over!
Now it's turn to the last (unfortunately) Kioptrix challenge.
Scanning
Two open ports? It suits me.
Let's begin our travel from port 80. Default web page is a default page for Apache - It works, but source code contains good news for us.
Wow, there is pChart, that's good for us, because it contains multiple vulnerabilities.
OK, let's try exploit Directory Traversal vulnerability.
Excellent! Let's try find Document Root file for apache.
What do you think about it? I have changed User Agent using Burp Suite and I have got on port 8080
I have clicked on it
Hmmm I don't know how to exploit it.... But quick research and we can use Remote Code Execution!
I have used Metasploit Framework and I have got limited shell!
So, now it's time to escalate our privileges.
Game over!
Subscribe to:
Posts
(
Atom
)