AdSense

Sunday, December 23, 2018

W1R3S: 1.0.1


W1R3S: 1.0.1

 - Layout for this exercise:
1 - INTRODUCTION

 - The goal of this exercise is to develop a hacking process for the vulnerable machine w1r3s 1.0.1

 w1r3s 1.0.1 can be downloaded from here:

 https://www.vulnhub.com/entry/w1r3s-101,220/
- Once downloaded and extracted with VirtualBox:



2 - ENUMERATION

 - Discovering the IP:





- Scanning:



2.1 - FTP enumeration

 - Let's start enumerating the FTP service in detail.

 - It seems that anonymous login to the FTP service is allowed:


- Using the browser to access FTP service:



- Reading text files inside folder /content:




- Reading 01.txt:


- Reading 02.txt:


- Indentifying the hash type of the first string, it is probably MD5:


- Decrypting the MD5 hash:


- Decoding the second string:





- Reading 03.txt:




- Reading /docs/worktodo.txt:




- Reading employee-names.txt:


- Just in case, let's store the names for later usage:




2.2 - Web enumeration

 - Browsing the web server:


- Applying dirb on the web server:





- So basically 2 main directories have been found, /administrator and /wordpress:


- Going to /administrator we are redirected to /installation, where the content project manager Cuppa CMS is running:




- EXPLOITATION

- Searching for Cuppa CMS exploits:




- The exploit 25971.txt allows a Remote/Local File Inclusion:

 https://www.exploit-db.com/exploits/25971


-  Reading 25971.txt:






- Following instructions from 25971.txt and trying the exploit directly at the browser it doesn't work:



- However, using curl we achieve /etc/passwd. URL data sent with method POST is encoded:






............................
- Same thing for /etc/shadow:




...........................

- Same results with Burp, using method POST instead of GET. 

 - It is important to notice the header Content-type: application/x-www-form-urlencoded, what indicates that the request body is URL encoded.








4 - CRACKING PASSWORDS WITH JOHN THE RIPPER

 - Storing /etc/passwd and /etc/shadow in text files p and s, and unshadowing to text file u:




 - John The Ripper is able to crack two passwords:


5 - LOW PRIVILEGE REMOTE SHELL

 - Credentials w1r3s:computer allow to connect the remote machine with SSH:

6 - PRIVILEGE ESCALATION

- Privilege Escalation is easy because user w1r3s is a sudoer with (ALL : ALL) ALL privileges:






- Getting a root shell:


7 - CAPTURING THE FLAG

- Reading flag.txt:










Posted by at
Labels:

Friday, December 21, 2018

Lord Of The Root 1.0.1


LORD OF THE ROOT 1.0.1

 - Layout for this exercise:



1 - INTRODUCTION

 - The goal of this exercise is to develop a hacking process for the vulnerable machine Lord Of The Root:

 - Lord Of The Root can be downloaded from here:

https://www.vulnhub.com/entry/lord-of-the-root-101,129/

 - Once downloaded and extracted with VirtualBox:



2 - ENUMERATION

 - Discovering the IP with netdiscover:



- Scanning with Nmap:


- Connecting with SSH there is message about Knock 1,2,3:


- Nmap helps to unknock ports 1,2,3 by using these options:
  • -r: Scan ports consecutively - don't randomize
  • -Pn: Treat all hosts as online -- skip host discovery
- A new open port 1337 is discovered, where an Apache web server is running:


- Dirbusting, the folder /images is found:


- Going to folder /images:


- Clicking the 3 images:








- Nothing of particular interested is found, even using strings or viewsourcing the page.

 - However, when using ViewSource over robots.txt an encoded string is found:


- Viewing the source of /robots.txt:




- Decoding the Base64 string:





- Decoding again we find a reference to the folder /978345210/index.php:



- Going to /978345210/index.php there is a login form:



3 - SQL INJECTION 

 - Let's use SQLMAP to perform automated Sql injections. 

 - First, discovering the existing 4 databases:







- Focusing on mysql, let's find tables, columns and credentials:




- We stop the injection once User and Password columns are detected:




- Credentials for root are found:








- Changing to database Webapp and following similar procedures than with previous database:















 - Finally we have found credentiales for these 6 users: root, frodo, smeagol, aragorn, legolas, gimli.
4 - GETTING A REMOTE SHELL

 - Let's use Hydra to attack the SSH server:






- So the only user that allows the SSH connection is smeagol, which password is MyPreciousR00t:


- Unfortunately smeagol is not a sudoer:



5 - PRIVILEGE ESCALATION

 - Let's try 2 ways of Privilege Escalation:

 5.1 - Buffer Overflow Exploitation

 - Before starting the BOF exploitation let's check that ASLR is enabled, and unfortunately it is not possible for smeagol to disable this security measure:



- The folder SECRET contains 3 folders:
- Inside those folders there are 3 files that are owned by root and have the SUID bit set, what make them interesting to be exploited:


- The 3 files are executable, 2 of them seem to be identical according to their same SHA1 hashes, while the other is different:


- Running the 3 files without arguments the result is that an <input string> is required:







-However, after around 5 minutes the content of door1, door2 and door3 is switched:
- Before another switch happens let's transfer the file that is different to /tmp, so that we can study it calmly, without switching interruptions:




- Let's try how file works, for instance entering a short string:


- However a Segmentation fault is detected when the input is a long string:


- To begin the BOF exploitation let's create a 1000 characters long pattern:
- Starting GDB and passing the pattern to file:



- There is a Segmentation fault and the EIP is overwritten with 0x41376641 whose offset from the beginning of the pattern is 171:




- Running the next script, the EIP is now overwritten with BBBB (0x42424242), meaning that we have control over the EIP:


- Checking registers:


- The ESP points to 0xbffff580:


- Now, let's add to the exploit the address pointed by ESP (reversely written in little endian form), a bunch of NOP characters \x90, and this well-known shellcode:

 http://shell-storm.org/shellcode/files/shellcode-827.php
- Running the exploit a shell is spwaned successfully:


- This exploit works in the GDB environment because the ASLR is disabled, however it won't work in the real scenario of the folder /SECRET where ASLR is actually enabled.
- One way to bypass ASLR is bruteforcing the stack by writing an automated looped script that tries the exploit 2000 times, in the hope that one of these trials hits the EIP successfully and a shell is achieved:
.................................
- Finally, after a lot of trials a root shell is achieved:


- Though the uid is not set to root but yes the euid:



- Another way of neutralizing ASLR would be to use the ulimit -s unlimited comand, as explained here:

https://lore.kernel.org/patchwork/patch/658246/

https://www.exploit-db.com/exploits/39669




- This is possible because LordOfTheRoot is a 32 bits machine:



5.2 - Exploiting the kernel

 - Checking the kernel and Ubuntu version:
- For this kernel there is a potential 'overlayfs' Local Privilege Escalation exploit:

- Downloading the 39166.c exploit:



- Setting an HTTP server on port 8000:



- Transferring the exploit from Kali to the /tmp folder of the victim:



- Compling, setting execution permissions and running the exploit, eventually we've got a remote root shell:



6 - CAPTURING THE FLAG

 - Going to the /root folder we can read the Flag.txt:






Posted by at
Labels:
Subscribe to: Posts (Atom)