Thursday, 20 April 2017

Playing with Buffer Overflows

I will not profess to be being a ninja in the art of BOF.  I understand some c code and get how the stack works.  But................ Exploiting code? Well that's something I need to work on!

I decided to revisit Overthewire and try my luck with narnia.  Wish me luck!!!!

I will update as I go along.

Thursday, 2 March 2017

Installing Metasploitable 3




Metasploitable is an awesome VM to practice your skills against, so when Rapid 7 released Metasploitable 3 I was excited!!!  However installing it is a pain in the bum 😓  However I found this excellent blog entry which works a treat.  So if you are having issues follow this and happy hacking!!

Install Metasploitable 3

Thursday, 16 February 2017

MS08_067 How it works

MS08_067 is probably one of the most famous exploits out there, but trying to find information on how it actually works can be a nightmare.  I came across a brilliant piece of writing from Jason Matthyser at MWR Labs, so I thought I would share it here:



Kioptrix Level 4

Back at the next Kioptrix Level.  This one was a little bit sneakier than the last one.  I had to scratch my head a few times that's for certain!!

NMap















We can see that the usual ports are open (22,80) but we have 139 & 445 now.  The service scan has given me a little bit of info so it's time to see what else it can yield via Enum4Linux.














Looks like I have a few users to try, I'll goto the web page and see what awaits.

















Just a login page.  There is nothing hidden or showing up via Dirb and Nikto isn't giving much away either.

I try one of the usernames to see what I get.








It looks like it's talking to a database of some kind in the background, so I will try and see if I can get it to error.

Using :


username: john
password: 'OR 1=1--










I get this nice MySQL error :)

I try hitting the boxes with various SQLi variations but I don't get a hit.  So I decided to see if I could modify it on the fly via Tamper Data.










Awesome news awaits:
















I now have potential login credential.

I try the same with robert and I get:














The password gives rogue values when I try to decode it via base64. So I decide to try my luck with John's creds on the ssh service.






















And they work!! This is awesome.  But what's this banner about?






















Looks like I am in jail!!! I need to break out of my cell.  As echo is available I try

echo os.system('/bin/bash')

























I now need to enumerate this box.  I could do this manually but automation makes life easier. I look for a way to transfer files:

























I have few tools at my disposal here which is good.

I try wget via a python server to get LinuxEnum.sh on my attack box:



























Hmmmmm, this doesn't look good.  I wonder if there is a rule in place to block this traffic?  I'll try netcat










That's better!! Now to see what lurks on this box:































MySQL with root privileges!  This could be useful:





















I can see the databases time to see what lurks within:





















Nothing I don't already have.  I wonder if I can execute commands from within?  This BLOG is useful in that regard



As I am in as root every command I run is the same as root running it so I can start doing something about my current privileges.  The sudoers file seems a good start!!














































Looks like that worked!!! No exploits to compile or Metasploit modules to run, just old fashioned enumerating and reading.

I really enjoyed this VM, I think it has been one of my favourites so far.

Wednesday, 15 February 2017

Kioptrix Level 3 (Don't forget the low hanging fruit)

Back again!!

I'm continuing with the Kioptrix series as I am really enjoying it.  The trouble is......... I seem to be over thinking stuff and forgetting this isn't meant to be "difficult". Anyway enough pre-amble and more how to!!!

Scanning
















Only ssh and web are open here.

Web Checks

Browsing to the IP gave me the website below:



There wasn't a robots.txt file giving any hidden directories away, so I carried on perusing the content to see if there was anymore info:

I noticed the URL for the blog was interesting:





I wondered if I could manipulate it to give me information.  First of all I tried some local file inclusion LFI:

This took some tinkering as just adding a null byte () didn't work.  I had to insert a character after the null byte in order for it to yield a result.

















This made me think of a way to automate this task.  After looking around on the web I found this code from a BLOG.  I noticed it only scanned for conventional LFI so I amended it to my needs.  The code can be found HERE.  When I ran the code it gave me the results quickly:














That was a useful learning point for me, as my coding isn't the greatest.  So what did the LFI give me?

2 users that are of interest:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash

I couldn't pull the shadow file to grab their login creds, but I could have a go at brute forcing my way in via ssh.

Unfortunately Hydra was playing up and kept giving me errors but it wasn't an issue as I could use Patator.












I now had some creds I could use to SSH across.

I use loneferret's account first (it was first in the list)












Let's have a look at what's inside the folder I am in












Looks like the home directory to me!

Reading the CompanyPolicy.README showed the "sudo ht" command.  I ran it to see what this was, unfortunately I had an issue with my terminal type so I amended it:










Looks like I have an editor with root privs COOL!!!  I wonder if I can edit the /etc/sudoers file











That a big yes!!

So, save and exit:
















I am root!! It looks like the HT editor is susceptible to Buffer Overflow

However when I tried to run the exploit on the server I got an error with the Perl version. I will revisit this again.  Now onto the other methods of rooting this box?

SQLi

The blog indicates there is a gallery:


















Now I wonder what awaits me here?

After looking around I came to this page:

















The URL here looks interesting:






I wonder if I can inject?

















Yup!!












Looks like there are 6 columns to peruse:

















And column 2 is vulnerable to injection!
















Looks like I have a MYSQL DB running on a Ubuntu server.


















The current DB in use here is gallery.


And there are these tables sitting on the server too.

















Enumerating the table "dev_accounts" gave:

















Grabbing the details from this gave:

















MD5 hashed passwords for the 2 users we already had :)

I could have used SQLmap to make it easier but sometimes you need to check manually as automation doesn't always make things better!!

















SQLi for Admin

By enumerating the gallarific_users table we get:

















Which allows me to login to the myphpadmin page and grab the creds of loneferret and dreg.

There are other ways to root this box like using code injection to get a netcat shell, so go wild!!!