
Sunday, June 10, 2012

[Learning] Kioptrix level three

Links:

watch the HD video online:   http://vimeo.com/f4l13n5now/kioptrixlevel3

Description:

"These Kioptrix VM images are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player).
The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges."
--------- Kioptrix team

Attacker:

Backtrack 5 R2
IP: 192.168.1.2/24

Victim:

Kioptrix level 3
IP: 192.168.1.18/24



vulnerability & exploit:

1, GALLARIFIC PHP Photo Gallery Script (gallery.php) SQL Injection
2, Remote File Traversal & Local File Inclusion Exploit
3, Arbitrary File Upload Exploit



Attacking tools:

1, nmap
2, SQLMAP
3, Exploit-DB
4, John The Ripper
5, Metasploit



Attacking process:

1, Reconnaissance & Enumeration:
use nmap to sweep the active hosts in the network:
nmap -n 192.168.1.0/24

use NMAP to probe the open ports and services:

nmap -sS -sV -O 192.168.1.18 -v

found the following services:
[1] HTTP service running on port 80
[2] SSH service running on port 22
 

2, exploit vulnerable services:
[1] exploit the Remote Directory Traversal vulnerability to read the user list ("/etc/passwd")
[2] exploit the GALLARIFIC PHP Photo Gallery Script (gallery.php) SQL Injection to dump usernames and hashed passwords
[3] use JTR to crack those passwords
[4] log in as administrator, upload a PHP attacking payload and reverse connect to the attacker machine (got low privilege)
or
[5] use a cracked account to log in to the server via SSH (upgrade to user privilege)
[6] browse the server system directories and collect information (found the file "CompanyPolicy.README")
[7] change the file "/etc/sudoers" to get root privilege ("allocate loneferret with ALL privileges")
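Step [7] works because a single line in /etc/sudoers hands an ordinary account full root rights. The following audit script is an added example written for this page (it is not part of the write-up or of the Kioptrix VM): it parses sudoers-style text and flags user specifications that grant ALL commands to a principal outside a small trusted set, or that carry the NOPASSWD tag. The sample sudoers content is constructed; the trusted-principal list is an assumption you would adjust per host.

```python
import re

# Constructed sample sudoers content for the demonstration (not taken from the VM).
# The last entry mirrors the kind of change step [7] describes: an ordinary user
# handed ALL privileges.
SAMPLE_SUDOERS = """\
Defaults        env_reset
User_Alias      WEBADMINS = www-data
root            ALL=(ALL) ALL
%admin          ALL=(ALL) ALL
deploy          ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app   # restricted, but no password
loneferret      ALL=(ALL) ALL
"""

# Principals expected to hold full sudo rights (assumed list); any other principal
# granted ALL is reported.
TRUSTED = ("root", "%admin", "%sudo", "%wheel")

# <user or %group> <host> = (<runas>) [TAG: ...] <command list>
USER_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG = re.compile(
    r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT)\s*:\s*"
)


def parse_commands(cmds):
    """Split a sudoers command list into (tags, command) pairs, honouring tag prefixes."""
    entries = []
    for item in cmds.split(","):
        item = item.strip()
        tags = set()
        while True:
            m = TAG.match(item)
            if not m:
                break
            tags.add(m.group(1))
            item = item[m.end():]
        entries.append((tags, item.strip()))
    return entries


def audit_sudoers(text, trusted=TRUSTED):
    """Return (line number, principal, issue) triples for risky user specifications."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and surrounding whitespace
        if not line:
            continue
        first = line.split()[0]
        if first == "Defaults" or first.endswith("_Alias"):
            continue                               # defaults and alias definitions are not grants
        m = USER_SPEC.match(line)
        if not m:
            continue
        who = m.group("who")
        for tags, command in parse_commands(m.group("cmds")):
            if command == "ALL" and who not in trusted:
                findings.append((lineno, who, "all-commands"))
            if "NOPASSWD" in tags:
                findings.append((lineno, who, "nopasswd"))
    return findings


if __name__ == "__main__":
    for lineno, who, issue in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: {who}: {issue}")
```

On a real host the same function can be run over /etc/sudoers and every file under /etc/sudoers.d, and its output compared against a known-good baseline; a new "all-commands" finding for an account such as loneferret is exactly the change step [7] produces.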

 

[Learning] Holynix level two


Links:
watch the HD video online:  http://vimeo.com/f4l13n5now/holynix2
Description:
"Similar to the de-ice pentest CDs and pWnOS, Holynix is a Linux VMware image that was deliberately built to have security holes for the purposes of penetration testing."
--------- Holynix team
Attacker:
Backtrack 5 R2
IP: 192.168.1.2/24
Victim:
Holynix level 2
IP: 192.168.1.88/24


vulnerability & exploit:
1, phpMyAdmin 2.6.4-pl1 Remote Directory Traversal Exploit
2, Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit


Attacking tools:
1, netdiscover
2, nmap
3, DirBuster
4, Exploit-DB
5, John The Ripper
6, Metasploit


Attacking process:
1, Reconnaissance & Enumeration:
use netdiscover to sweep the active hosts in the network:
netdiscover -i wlan0 -r 192.168.1.88

use NMAP to probe the open ports and services:
nmap -sS -sV -O 192.168.1.88 -v
found the following services:
[1] HTTP service running on port 80
[2] SSH service running on port 22
[3] FTP service running on port 21
[4] DNS service running on port 53

use a DNS zone transfer to harvest FTP usernames:
dig AXFR zincftp.com @192.168.1.88 

use DirBuster to enumerate web directories:
java -jar DirBuster -u http://www.zincftp.com/
found the following directories:
[1] /phpMyAdmin/
[2] /setup_guide/todo

2, exploit vulnerable services:
[1] exploit the phpMyAdmin Remote Directory Traversal vulnerability to read the FTP users' password file ("/etc/pure-ftpd/pureftpd.passwd")
[2] use JTR to crack those passwords
[3] log in to the FTP server with a cracked account, upload a PHP attacking payload and reverse connect to the attacker machine (got low privilege)
[4] browse the server system directories and collect information (found "my_key.eml" under the directory "amckinley")
[5] use the new account to log in to the server via SSH (upgrade to user privilege)
[6] exploit the "Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit" to get root privilege
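Both write-ups open with a directory traversal (the Kioptrix gallery read of /etc/passwd and the phpMyAdmin read of pureftpd.passwd): the application glues a request parameter onto a base path and serves whatever file results. The block below is an added example for this page, not code from either VM or from the tools named above; it shows the naive resolution next to a hardened one that normalises the path and checks it by components against the document root. The root directory and the request strings are assumed values constructed for the demonstration.

```python
import posixpath

# Document root used for the demonstration; an assumed value, not a path from either VM.
GALLERY_ROOT = "/var/www/html/gallery"


def vulnerable_resolve(base_dir, requested):
    """The bug class behind both traversal steps: the request is glued onto the base path."""
    return base_dir + "/" + requested


def safe_resolve(base_dir, requested):
    """Return the normalised path of `requested` inside base_dir, or None if it escapes."""
    if "\x00" in requested:                 # an embedded NUL is never a legitimate file name
        return None
    if posixpath.isabs(requested):          # absolute paths are not relative to the base
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, requested))
    # Compare path components, not string prefixes: "/srv/gallery.php" is not inside "/srv/gallery".
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request strings: one legitimate, the rest shaped like traversal attempts.
    for req in ("photos/1.jpg", "../../../../etc/passwd", "photos/../../gallery.php", "/etc/passwd"):
        print(f"{req!r}: naive={vulnerable_resolve(GALLERY_ROOT, req)!r} "
              f"safe={safe_resolve(GALLERY_ROOT, req)!r}")
```

The check uses posixpath so it behaves the same on any platform; on a live server, resolve the candidate with os.path.realpath as well before the commonpath comparison, so a symlink inside the root cannot point outside it. Where the set of servable files is small, an allowlist of names is simpler still and removes the path arithmetic entirely.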