Friday, 22 July 2016

Kioptrix 5

Hello,
Now it's the turn of the last (unfortunately) Kioptrix challenge.

Scanning

Two open ports? It suits me.
Let's begin our journey from port 80. The web page is the default Apache "It works" page, but its source code contains good news for us.

Wow, there is pChart; that's good for us, because it contains multiple vulnerabilities.

OK, let's try to exploit the Directory Traversal vulnerability.
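As an added illustration (not pChart's code, nor anything from the original post), this is the containment check that a file-serving script needs in order to stop the kind of directory traversal used here; the base directory and the request strings are constructed for the example.

```python
"""Containment check of the kind that stops the directory traversal
demonstrated above. Added illustration, not pChart's own code; the base
directory and the request strings are constructed for the example."""
import posixpath
from urllib.parse import unquote

BASE_DIR = "/var/www/html/pChart/examples"  # assumed location, not from the post


def resolve_request_path(base_dir, requested):
    """Map a user-supplied path onto base_dir, or return None if it escapes.

    The value is URL-decoded once (as the web server would), NUL bytes are
    refused, '.' and '..' segments are collapsed with posixpath.normpath,
    and only then is the result compared against base_dir. Looking for
    '..' in the raw string instead is what encoded variants get past.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None  # a NUL truncates the path in C-based runtimes
    candidate = posixpath.normpath(posixpath.join(base_dir, decoded.lstrip("/")))
    if candidate != base_dir and not candidate.startswith(base_dir + "/"):
        return None
    return candidate


def classify(requested):
    """'allowed' or 'rejected', as you would write it to an access log."""
    return "allowed" if resolve_request_path(BASE_DIR, requested) else "rejected"


if __name__ == "__main__":
    # Constructed requests: a legitimate script name, then traversal in plain,
    # URL-encoded and NUL-terminated form.
    for req in ("example.bar.php",
                "../../../../etc/passwd",
                "..%2F..%2F..%2F..%2Fetc%2Fpasswd",
                "example.bar.php%00/../../../../etc/passwd"):
        print(f"{classify(req):8s} {req}")
```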

Excellent! Let's try to find Apache's DocumentRoot configuration.

What do you think about it? I changed the User-Agent using Burp Suite and got this on port 8080:

I clicked on it.

Hmmm, I don't know how to exploit it... but after some quick research we can use Remote Code Execution!
I used the Metasploit Framework and got a limited shell!

So, now it's time to escalate our privileges.

Game over!

Kioptrix 4

Hello,
We know the Kioptrix challenges (one of my favourites), don't we? We solved the first three, so now it's the turn of the fourth.

Scanning without aggressive mode :)

OK, four open ports. Let's start with the web application.

Nice, maybe it is an opportunity to conduct an SQL Injection attack? Indeed, there is an SQLi vulnerability.

We could use sqlmap, but let's continue manually. I ran dirb.

Excellent! We can see the /john directory. I browsed it and there is a john.php file, but unfortunately executing it achieved nothing.

Wow, look at this! LFI? But let's get back to SQLi.

Great! Let's go deeper.

Awesome, we have got credentials! So let's try to log in via SSH.

Very good, but we have only a limited shell. This is very helpful: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Wow!

Are you surprised? I am! But we can't connect to our attacker machine from the target using e.g. wget. Probably a firewall blocks the traffic.

Excellent! We are able to exploit a MySQL UDF - http://www.iodigitalsec.com/mysql-root-to-system-root-with-udf-for-windows-and-linux/

So, I changed the iptables rules to accept all inbound and outbound traffic. Now we could download a local root exploit, but we are clever and we don't need an exploit to get root privileges.

Game over

Wednesday, 20 July 2016

Kioptrix 1

Hello,
This Kioptrix VM image is an easy challenge. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There is more than one way to successfully complete the challenges.

I ran nmap, scanning all ports.

Wow, OpenSSH and Apache are so old. Let's try to find a suitable exploit for them. BINGO! OpenFuck should be suitable for Apache 1.3.20. Oops... It doesn't work...

Surprise... Hmm, we have to keep looking for a suitable exploit.
We can use Metasploit and the trans2open exploit for Samba on our target. When we run the exploit we get root directly.

Game Over!

Tuesday, 19 July 2016

Scream challenge

Hello,

This challenge is a vulnerable Windows XP machine. Thanks to g0tm1lk for preparing the challenge.

Scanning all TCP ports in aggressive mode.

Good, we know what kind of services our target runs. To be honest I am a little surprised; only four open ports on Windows is a good result. We can see that we are able to log in to FTP as an anonymous user. As far as I know, this FTP version has a publicly known Buffer Overflow exploit.
Despite the fact that we can log in as anonymous, let's browse the web application first.

Wow! So beautiful! I ran dirb, but it didn't find anything... So, we have to focus on FTP.

OK, we know that the pages are in the root directory, so maybe we will be able to upload our reverse shell script? Unfortunately the anonymous user does not have write privileges in any of the directories.
I also tried Metasploit exploits, but without success... Let's try playing with SSH.
BINGO! We can use the freesshd_authbypass exploit and we get SYSTEM privileges (the equivalent of root on Unix).
Game Over!

Monday, 18 July 2016

De-Ice 2.100

Hello,

Scenario
"The scenario for this LiveCD is that you have been given an assignment to test a company's 192.168.2.xxx network to identify any vulnerabilities or exploits. The systems within this network are not critical systems and recent backups have been created and tested, so any damage you might cause is of little concern. The organization has had multiple system administrators manage the network over the last couple of years, and they are unsure of the competency previous (or current) staff."

Scanning
PORT    STATE  SERVICE  VERSION
20/tcp  closed ftp-data
21/tcp  open   ftp      vsftpd 2.0.4
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
22/tcp  open   ssh      OpenSSH 4.3 (protocol 1.99)
| ssh-hostkey:
|   2048 83:4f:8b:e9:ea:84:20:0d:3d:11:2b:f0:90:ca:79:1c (RSA1)
|   2048 6f:db:a5:12:68:cd:ad:a9:9c:cd:1e:7b:97:1a:4c:9f (DSA)
|_  2048 ab:ab:a8:ad:a2:f2:fd:c2:6f:05:99:69:40:54:ec:10 (RSA)
|_sshv1: Server supports SSHv1
25/tcp  open   smtp?
|_smtp-commands: Couldn't establish connection on port 25
80/tcp  open   http     Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
|_http-server-header: Apache/2.0.55 (Unix) PHP/5.1.2
|_http-title: Site doesn't have a title (text/html).
110/tcp open   pop3     Openwall popa3d
143/tcp open   imap     UW imapd 2004.357
|_imap-capabilities: IDLE IMAP4REV1 BINARY THREAD=REFERENCES SORT completed SCAN CAPABILITY OK MULTIAPPEND THREAD=ORDEREDSUBJECT STARTTLS MAILBOX-REFERRALS AUTH=LOGINA0001 LITERAL+ SASL-IR UNSELECT NAMESPACE LOGIN-REFERRALS
|_imap-ntlm-info: ERROR: Script execution failed (use -d to debug)
443/tcp closed https
I tried to log in to the FTP service as anonymous, but without success. I did get response 230, but I can't list the directory. Probably we need a user with higher privileges.

The default web page looks as below.

Nice web page. We can see three links, but let's run DirBuster anyway.
In the meantime I clicked on the CLICK HERE link and got something interesting!

Great! There is a list of usernames, I think.
DirBuster gave us the following result.

OK, there are not many files. I created a list of usernames and tried to brute-force FTP and SSH, but without success. I have no idea how to attack this machine. So, maybe we need a little bit more enumeration.
Nmap scan report for 192.168.2.100
Host is up (0.00016s latency).
MAC Address: 08:00:27:53:0C:11 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.101
Host is up (0.00016s latency).
MAC Address: 08:00:27:53:0C:11 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.1
So, 192.168.2.100 is our target, 192.168.2.1 is our attacker machine, but what is 192.168.2.101?
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.0.55 (Unix) PHP/5.1.2
|_http-title: Site doesn't have a title (text/html).
Wow, what is that?

I ran DirBuster and the /home/root directory was found! So maybe there are other users' home directories? BINGO! We found a private and public key for SSH.

Interesting... So, I downloaded the private key and used it to log in as pirrip.

I found something interesting in the /var/mail directory.
pirrip@slax:/var/mail$ ls
havisham  magwitch  pirrip
So, let's check what kind of information these mails contain. Our user has very juicy information.
From: Estella Havisham <havisham@slax.example.net>
Message-Id: <200801132350.m0DNoXfV010468@slax.example.net>
Date: Sun, 13 Jan 2008 23:50:33 +0000
To: pirrip@slax.example.net
Subject: welcome to the team
User-Agent: nail 11.25 7/29/05
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Thanks!  Glad to be here.

From magwitch@slax.example.net  Sun Jan 13 23:53:37 2008
Return-Path: <magwitch@slax.example.net>
Received: from slax.example.net (localhost [127.0.0.1])
    by slax.example.net (8.13.7/8.13.7) with ESMTP id m0DNmvpV009983
    for <pirrip@slax.example.net>; Sun, 13 Jan 2008 23:48:57 GMT
Received: (from magwitch@localhost)
    by slax.example.net (8.13.7/8.13.7/Submit) id m0DNmvpd009982
    for pirrip; Sun, 13 Jan 2008 23:48:57 GMT
From: Abel Magwitch <magwitch@slax.example.net>
Message-Id: <200801132348.m0DNmvpd009982@slax.example.net>
Date: Sun, 13 Jan 2008 23:48:57 +0000
To: pirrip@slax.example.net
Subject: havisham
User-Agent: nail 11.25 7/29/05
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

I set her up with an accountus servers.  I set her password to "changeme" and will swing by tomorrow and make sure she changes her pw.
Let's try to log in as havisham using this password. Hmmm, it does not work... but wait a minute.
From: noreply@fermion.herot.net
Message-Id: <200801132354.m0DNshjD011722@slax.example.net>
Date: Sun, 13 Jan 2008 23:54:42 +0000
To: pirrip@slax.example.net
Subject: Fermion Account Login Reminder
User-Agent: nail 11.25 7/29/05
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Fermion Account Login Reminder

Listed below are your Fermion Account login credentials.  Please let us know if you have any questions or problems.

Regards,
Fermion Support


E-Mail: pirrip@slax.example.net
Password: 0l1v3rTw1st
Wow, now we know our password! So let's check what we can do as root.
pirrip@slax:/var/mail$ sudo -l
User pirrip may run the following commands on this host:
    (root) /usr/bin/more
    (root) /usr/bin/tail
    (root) /usr/bin/vi
    (root) /usr/bin/cat ALL
Excellent! I used the more command on /etc/shadow.

So, we are able to use John the Ripper. Unfortunately it takes a lot of time... We know that vi can run another command via !command.
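The sudo rules above are the whole privilege-escalation story of this box: a pager or editor run as root either reads any file (more on /etc/shadow) or spawns a shell (vi with !command). Added example, not part of the original post: a small audit of sudo -l output that flags such rules; the sample output is the one quoted above and the risk table is my own.

```python
"""Audit of 'sudo -l' output for rules that hand out root through a pager,
editor or file reader. Added example, not from the original post."""
import re

# Binaries that read any file as root (information disclosure, e.g.
# /etc/shadow) and binaries that can spawn a command from inside the
# program (more/less/vi accept '!command'), which is full escalation.
ARBITRARY_READ = {"cat", "tail", "head", "more", "less"}
SHELL_ESCAPE = {"vi", "vim", "more", "less", "man", "nano"}

# One rule line as 'sudo -l' prints it: "(runas) /path/to/cmd [args]".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<cmd>\S+)(?:\s+(?P<args>.*))?$")


def parse_sudo_l(text):
    """Return [(runas, command, args)] for every rule line in the output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m["runas"], m["cmd"], (m["args"] or "").strip()))
    return rules


def assess(rules):
    """Return [(command, finding)] for rules that give root to a risky binary."""
    findings = []
    for runas, cmd, _args in rules:
        if runas not in ("root", "ALL"):
            continue
        name = cmd.rsplit("/", 1)[-1]
        if name in SHELL_ESCAPE:
            findings.append((cmd, "shell escape: runs arbitrary commands as root"))
        elif name in ARBITRARY_READ:
            findings.append((cmd, "reads any file as root (e.g. /etc/shadow)"))
    return findings


# The output quoted in the post for the pirrip account.
SAMPLE = """User pirrip may run the following commands on this host:
    (root) /usr/bin/more
    (root) /usr/bin/tail
    (root) /usr/bin/vi
    (root) /usr/bin/cat ALL
"""

if __name__ == "__main__":
    for cmd, why in assess(parse_sudo_l(SAMPLE)):
        print(f"{cmd}: {why}")
```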

Game over!

Friday, 15 July 2016

De-ICE: S1.140

Hello,
De-ICE are penetration testing LiveCD images available from http://forum.heorot.net that provide scenarios where students can test their penetration testing skills and tools in a legal environment.

Scanning all ports in aggressive mode

PORT    STATE  SERVICE  VERSION
21/tcp  open   ftp      ProFTPD 1.3.4a
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
22/tcp  open   ssh      OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 38:82:58:d3:9c:0d:28:01:f0:77:11:0a:24:c7:28:84 (DSA)
|   2048 62:a6:24:6a:62:71:b6:5f:7f:67:2f:c2:fd:0a:2a:5e (RSA)
|_  256 2b:1d:91:ac:6b:2e:7a:fe:6e:aa:0d:55:cc:30:7c:de (ECDSA)
80/tcp  open   http     Apache httpd 2.2.22 ((Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1)
|_http-server-header: Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1
|_http-title: Lazy Admin Corp.
443/tcp open   ssl/http Apache httpd 2.2.22 ((Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1)
|_http-server-header: Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1
|_http-title: Lazy Admin Corp.
| ssl-cert: Subject: commonName=webhost
| Not valid before: 2016-07-13T09:13:52
|_Not valid after:  2026-07-11T09:13:52
|_ssl-date: 2016-07-13T09:17:17+00:00; -1s from scanner time.
465/tcp closed smtps
993/tcp open   ssl/imap Dovecot imapd
|_imap-capabilities: LOGIN-REFERRALS ENABLE AUTH=PLAIN Pre-login have ID IMAP4rev1 listed more capabilities post-login IDLE AUTH=LOGINA0001 OK SASL-IR LITERAL+
|_ssl-date: 2016-07-13T09:17:17+00:00; -1s from scanner time.
995/tcp open   ssl/pop3 Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN LOGIN) RESP-CODES PIPELINING CAPA TOP UIDL USER
|_ssl-date: 2016-07-13T09:17:17+00:00; -1s from scanner time.
Let's start with FTP, because it allows the anonymous user. There is an incoming directory, which is empty.
Browsing the web application we can see the default web page.

OK, we want to display the source code, because it contains hints. Let's run DirBuster.

The forum looks interesting. Let's look at it more deeply.

Excellent! Hmmm, what do you think about "Login Attacks"? Is it interesting for you? Because for me it is.

OK, we have to understand what was going on. We can see that someone was trying to enumerate usernames and/or brute-force SSH. Hey, look at this:
Mar 7 11:15:32 testbox sshd[5774]: Accepted keyboard-interactive/pam for mbrown from 10.0.0.23 port 35168 ssh2
Mar 7 11:15:32 testbox sshd[5774]: pam_unix(sshd:session): session opened for user mbrown by (uid=0)
but unfortunately SSH in this case does not allow password authentication.
I also found:
Mar 7 11:15:32 testbox sshd[5772]: Invalid user !DFiuoTkbxtdk0! from 10.0.0.23
Mar 7 11:15:32 testbox sshd[5772]: input_userauth_request: invalid user !DFiuoTkbxtdk0! [preauth]
This looks like a password. BINGO! I logged in as mbrown using this password.
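The log excerpt above shows two things a defender wants to catch automatically: a username field holding what is obviously a typed-in password, and a successful login from a source address that had just been guessing. Added example, not part of the original post: a triage of sshd log lines; the sample log is constructed after the lines quoted above.

```python
"""Triage of sshd auth.log lines: counts 'Invalid user' attempts per
source, flags username fields that look like pasted passwords, and reports
accepted logins from a source that was guessing. Added example; the sample
log is constructed after the lines quoted in the post."""
import re
from collections import defaultdict

INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
# Conventional Unix usernames: lowercase start, then lowercase/digits/_-. and
# at most 32 characters. Punctuation or mixed case in an 'Invalid user' field
# usually means a credential was typed into the login prompt and is now logged.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def triage(lines):
    """Return {'guesses': {ip: count}, 'leaked': [(ip, token)],
    'suspicious_logins': [(ip, user)]} for an iterable of log lines."""
    guesses = defaultdict(int)
    leaked = []
    logins = []
    for line in lines:
        m = INVALID_RE.search(line)
        if m:
            guesses[m["ip"]] += 1
            if not USERNAME_RE.match(m["user"]):
                leaked.append((m["ip"], m["user"]))
            continue
        m = ACCEPT_RE.search(line)
        # A success right after failures from the same source is worth a look
        # whether it is the legitimate owner or an attacker who got lucky.
        if m and guesses.get(m["ip"], 0) > 0:
            logins.append((m["ip"], m["user"]))
    return {"guesses": dict(guesses), "leaked": leaked, "suspicious_logins": logins}


# Constructed sample, modelled on the excerpt in the post.
SAMPLE_LOG = """\
Mar 7 11:15:30 testbox sshd[5770]: Invalid user admin from 10.0.0.23
Mar 7 11:15:31 testbox sshd[5771]: Invalid user oracle from 10.0.0.23
Mar 7 11:15:32 testbox sshd[5772]: Invalid user !DFiuoTkbxtdk0! from 10.0.0.23
Mar 7 11:15:32 testbox sshd[5772]: input_userauth_request: invalid user !DFiuoTkbxtdk0! [preauth]
Mar 7 11:15:32 testbox sshd[5774]: Accepted keyboard-interactive/pam for mbrown from 10.0.0.23 port 35168 ssh2
Mar 7 11:20:01 testbox sshd[5790]: Accepted publickey for backup from 10.0.0.9 port 40122 ssh2
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```

The leaked tokens are the reason auth.log must be treated as sensitive: here the log is exposed through a web forum, which turns a typo into a valid credential.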

Very good! I was looking for a way to upload some kind of backdoor, but without success.
I remember that DirBuster also found the /webmail/ directory, so let's try to log in there as mbrown.

BINGO! We are in. I opened one of the two mails and it contains the following very juicy information.

Wow! So nice! Now we are able to log in as root to the phpMyAdmin panel.

Nice! I searched a lot for where I could upload our PHP script, and I found that the /templates_c/ directory is writable.

Excellent! So, let's execute it.

Awesome, we have got a limited shell via the web browser. But we can also obtain a limited console shell using a certain script.

Great! So, maybe we can log in as some user using the known password. BINGO! We achieved it! So let's try to find something useful.

Yeah! Let's download the key to our attacker machine and try to log in to SSH via key authentication.
Unfortunately without success... Hmmm, I am a little bit confused.
So let's look at the /home directory.

I tried to decrypt the file, but we need to know the password. I found the /opt/backup.sh file - it may be interesting!

We cannot execute it, but we can see that there is a password for our encrypted file!

TBU

Tuesday, 12 July 2016

Tr0ll:2

Hello,
The next machine in the Tr0ll series of VMs. This one is a step up in difficulty from the original Tr0ll but the time required to solve is approximately the same, and make no mistake, trolls are still present! :)  Difficulty is beginner++ to intermediate.

Scanning
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
Let's begin with the FTP service.
Connected to 192.168.56.101.
220 Welcome to Tr0ll FTP... Only noobs stay for a while...
Name (192.168.56.101:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
Oh, we cannot log in as the anonymous user.
Let's browse the web application.

They bother me :-) I opened the robots.txt file and there are several paths.

Nice, isn't it? I added these paths to a wordlist and ran DirBuster. We got the following result:
Dir found: /noob/ - 200
Dir found: /keep_trying/ - 200
Dir found: /ok_this_is_it/ - 200
Dir found: /dont_bother/ - 200
OK, so only four paths are not fake. So let's examine them. Hmm, on each path I got this response:

OK, the picture must contain something hidden - I am pretty sure.
The picture from /dont_bother/ has an injected comment:
Look Deep within y0ur_self for the answer
Hmm, OK, I browsed the /y0ur_self/ directory.

I downloaded the answer.txt file and it contains a lot of base64-encoded lines.
I brute-forced the FTP credentials using the decoded answer.txt file, without success. So, I was wondering what the credentials might look like and I thought about root:root, so maybe Tr0ll:Tr0ll?

Great! Let's download the lmao.zip file and unpack it.

Oops, we need a password... Maybe answer.txt would be useful in this case?
PASSWORD FOUND!!!!: pw == ItCantReallyBeThisEasyRightLOL
Awesome! I unpacked the lmao.zip file using this password.

We have got a private key for SSH! Let's try to log in using the key.

I don't know what is going on. Let's use verbose mode.
OpenSSH_7.2p2 Debian-5, OpenSSL 1.0.2h  3 May 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.56.101 [192.168.56.101] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file noob type -1
debug1: key_load_public: No such file or directory
debug1: identity file noob-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Debian-5
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.4
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.4 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to 192.168.56.101:22 as 'noob'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:I3xuSgcBlIsoldKTkOyVYwx8B4NLGl0fDDTi0H6ExYg
debug1: Host '192.168.56.101' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:4
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: noob
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.56.101 ([192.168.56.101]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: Remote: Forced command.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
TRY HARDER LOL!
debug1: channel 0: free: client-session, nchannels 1
Connection to 192.168.56.101 closed.
Transferred: sent 2696, received 1712 bytes, in 0.0 seconds
Bytes per second: sent 54430.6, received 34564.2
debug1: Exit status 0
We have to google what that is. I found that this may be the Shellshock vulnerability.
So, let's verify our prediction:
root@kali:~# ssh -l noob -i noob  192.168.56.101 '() { :;}; echo MALICIOUS CODE'
MALICIOUS CODE
TRY HARDER LOL!
Yes, there is Shellshock, so we are able to exploit it.
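What makes the forced command exploitable is that sshd places the client's requested command in SSH_ORIGINAL_COMMAND and runs the forced command through the login shell, so a vulnerable bash imports that variable as a function and runs the trailing command. Added example, not part of the original post: a check for that pattern in environment-style input, plus the usual self-test of a local bash; the environment dictionary is constructed.

```python
"""Detection of the Shellshock trigger shape used above: a value starting
with a bash function definition '() {' followed by extra commands after the
closing brace. Added example, not from the original post."""
import re
import subprocess

# CVE-2014-6271 shape: leading '() {', a function body, '}' and then further
# commands that an unpatched bash executes while importing the function.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{.*\}\s*;\s*\S", re.DOTALL)


def is_shellshock_probe(value):
    """True if the string has the function-definition-plus-command shape."""
    return bool(SHELLSHOCK_RE.search(value))


def scan_env(env):
    """Names of environment variables whose value looks like a probe.
    The same check applies to HTTP headers that a CGI handler exports."""
    return sorted(name for name, value in env.items() if is_shellshock_probe(value))


def local_bash_vulnerable(bash="/bin/bash"):
    """Standard self-test of a local bash. True means CVE-2014-6271 is
    unpatched; a missing or failing bash counts as False."""
    try:
        out = subprocess.run(
            [bash, "-c", "echo test"],
            env={"x": "() { :;}; echo vulnerable"},
            capture_output=True, text=True, timeout=5).stdout
    except (OSError, subprocess.SubprocessError):
        return False
    return "vulnerable" in out


if __name__ == "__main__":
    # Constructed environment, as sshd would build it for a forced command
    # when the client sends the string from the post.
    env = {
        "SSH_ORIGINAL_COMMAND": "() { :;}; echo MALICIOUS CODE",
        "LANG": "en_US.UTF-8",
        "USER": "noob",
    }
    print("suspicious variables:", scan_env(env))
    print("local bash vulnerable:", local_bash_vulnerable())
```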

Great! We have got a limited shell. I went to the /home/noob/ directory and found:

So, we need to find the bof file and use a Buffer Overflow to get root, and it will be over.

I found an interesting file.

Let's try to perform a Buffer Overflow.

Now we are sure that we have to prepare a Buffer Overflow payload. To perform this kind of attack we have to know at which offset in the input the EIP register gets overwritten.

So, we know that our payload should be: [padding of length 268] + [EIP] + [trash].
I examined this application and couldn't find a JMP ESP, but we can use CALL EAX.
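Added example, not the post's own tooling, showing where the 268 comes from: a pattern in which every four-byte window is unique is used as the input, the crash leaves four pattern bytes in EIP, and their position in the pattern is the padding length. The crash value below is constructed from the pattern itself rather than taken from a debugger.

```python
"""Cyclic pattern and offset lookup, the method behind the '268' above.
Added example; the EIP value is constructed from the pattern, not captured."""
import struct

SETS = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz", "0123456789")


def cyclic_pattern(length):
    """Metasploit-style pattern 'Aa0Aa1Aa2...': triples of upper, lower,
    digit; every 4-byte window is unique for the first 20280 bytes."""
    out = []
    for a in SETS[0]:
        for b in SETS[1]:
            for c in SETS[2]:
                out.append(a + b + c)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(pattern, eip_value):
    """Offset of the 4 bytes that landed in EIP, given the register value as
    the debugger prints it (a little-endian 32-bit integer); -1 if the value
    did not come from the pattern, which means the overwrite is elsewhere."""
    needle = struct.pack("<I", eip_value).decode("ascii", "replace")
    return pattern.find(needle)


if __name__ == "__main__":
    pat = cyclic_pattern(400)
    # Constructed crash: pretend the debugger showed EIP holding pat[268:272].
    fake_eip = struct.unpack("<I", pat[268:272].encode())[0]
    print(f"EIP=0x{fake_eip:08x} -> padding length {pattern_offset(pat, fake_eip)}")
```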

Good, but unfortunately it doesn't work :( Maybe I am wrong; let's try again to find a JMP ESP.

Wow, there is a JMP ESP after all, so let's generate appropriate shellcode and execute it locally.