Saturday, July 26, 2014

[Pentester Lab] PHP LFI & Post Exploitation


Links:
watch the HD video online:   http://vimeo.com/f4l13n5now/phplfi

Method
  • Scanned the network to discover the target server [netdiscover]
  • Port scanned the target to determine which services it runs [Unicornscan]
  • Interacted with the web server and found the Local File Include (LFI) injection point and a page with an upload function [Firefox]
  • Constructed and uploaded a PHP shell to the web server, which required bypassing the server-side file validation [Burp proxy]
  • Gained remote access by executing the uploaded PHP shell through the LFI vulnerability found earlier [Burp proxy]


Tools
All the tools used here can be found in Kali Linux.


Walk-through
By reading the training PDF, we know which kind of vulnerability this exercise targets: it focuses on the PHP include vulnerability.

 

Find the LFI weakness

The attacker interacts with the web server through the Firefox browser, which renders the target web application graphically. On viewing the page, the attacker learns that the site is a call for papers for a conference. On the right-hand side is a navigation menu with “home” (shows the home page), “submit” (jumps to the paper upload form) and “login” (asks the attacker to log in). The attacker notices that the URL parameter is “?page=submit” on the submit page and “?page=login” on the login page. When the attacker replaces the parameter value “submit” with “./login”, the web server returns the login page: the “page” parameter is passed to a file include, so this is the LFI injection point. To double-check, the attacker constructs the URL “http://10.10.10.130/index.php?page=/etc/passwd” and retrieves the well-known Linux passwd file. The attacker also checks whether the server is vulnerable to RFI with the URL “http://10.10.10.130/index.php?page=http://www.google.com/?”. The server responds with an error message showing that remote file inclusion is disabled in PHP (allow_url_fopen = On but allow_url_include = Off).
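The probes above (a relative path, an absolute path and a remote URL in the “page” parameter) are exactly the request patterns a defender can look for in web server logs, and the root cause (the parameter reaching include() unchecked) is fixed by resolving page names through an allowlist. The following Python is an added example, not code from the Pentester Lab exercise or the original post; the access log lines, the allowlist of page names (“home”, “submit”, “login”, taken from the navigation described above) and the file names they map to are all constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed allowlist: the only ?page= values the application should ever
# resolve. The file names are assumptions for the example.
ALLOWED_PAGES = {"home": "home.php", "submit": "submit.php", "login": "login.php"}


def resolve_page(page_param):
    """Hardened replacement for include($_GET['page']): look the name up in
    the allowlist and refuse anything else. Returns a file name or None."""
    return ALLOWED_PAGES.get(page_param)


def classify_page_param(value):
    """Classify a raw ?page= value the way a detection rule would."""
    v = unquote(value)  # decode once more to catch double-encoded probes
    if re.match(r"[a-z][a-z0-9+.-]*://", v, re.I):
        return "remote-url"      # RFI probe (scheme://host)
    if "\x00" in v:
        return "null-byte"       # classic suffix-truncation trick
    if v.startswith("/") or ".." in v.replace("\\", "/"):
        return "traversal"       # absolute path or directory traversal
    if "/" in v or "\\" in v:
        return "path"            # relative path where a bare name is expected
    if v in ALLOWED_PAGES:
        return "ok"
    return "unknown-page"


# Apache/nginx combined-log prefix: ip ident user [ts] "METHOD url proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return (client_ip, page_value, verdict) for every suspicious ?page= use."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("url")).query)
        for page in query.get("page", []):
            verdict = classify_page_param(page)
            if verdict != "ok":
                findings.append((m.group("ip"), page, verdict))
    return findings


# Constructed access log lines mirroring the probes described in the write-up.
SAMPLE_LOG = [
    '10.10.10.1 - - [26/Jul/2014:10:00:01 +0000] "GET /index.php?page=submit HTTP/1.1" 200 1234',
    '10.10.10.1 - - [26/Jul/2014:10:00:05 +0000] "GET /index.php?page=./login HTTP/1.1" 200 1100',
    '10.10.10.1 - - [26/Jul/2014:10:00:09 +0000] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 980',
    '10.10.10.1 - - [26/Jul/2014:10:00:12 +0000] "GET /index.php?page=http://www.google.com/? HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, page, verdict in scan_access_log(SAMPLE_LOG):
        print(f"{ip} page={page!r} -> {verdict}")
    print("resolve_page('submit') ->", resolve_page("submit"))
    print("resolve_page('/etc/passwd') ->", resolve_page("/etc/passwd"))
```

The allowlist lookup is the actual fix: with resolve_page() there is no string to traverse, so the RFI setting (allow_url_include) becomes defence in depth rather than the only thing standing between the parameter and arbitrary code. The classifier is intentionally noisy about relative paths such as “./login”, since a bare page name should never contain a slash.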

 

Find a way to upload a file (web shell) and the path where uploaded files are saved

On the submit page the attacker can only upload a PDF file (an extension whitelist and a file content check run on the server side). The attacker fills in everything the form requires and submits a normal PDF file, after which a “successfully uploaded” page is shown. The attacker then logs in to the web application with the details just provided in the submit form and finds that the uploaded PDF is saved under the “uploads” folder.

 

Bypass file upload validation

The attacker can only upload a PDF file because the whitelist and the file content validation run on the web server. However, many content checks only inspect the file header, that is, the first few bytes of the file. So the attacker creates a fake PDF file (evil.php) that starts with a normal PDF header followed by PHP shell code (here the attacker uses Pentest Monkey’s PHP reverse shell, which connects back from the target to the attacker). The attacker then uploads “evil.php” to the server. Because the code only executes when someone visits the page, the attacker first starts a listener to wait for the PHP shell to connect back. When the attacker browses to the uploaded file on the server, the PHP code executes and opens a connection back to the attacker. The attacker now has an interactive shell on the target.
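The bypass works because the server's check stops at the magic bytes and the stored file keeps the client-supplied .php name inside the web root. The Python below is an added example, not code from the exercise or the original post: it places the header-only check the write-up describes next to a hardened validator (extension allowlist, magic bytes, size limit, PDF trailer, rejection of embedded PHP open tags) and a random storage name. The sample inputs, including the fake “PDF” whose PHP part is a harmless placeholder, are constructed for the example; the function names are assumptions.

```python
import os
import re
import secrets

PDF_MAGIC = b"%PDF-"
# Only PHP open tags; "<?" alone would also reject XMP metadata ("<?xpacket")
# that legitimate PDFs carry.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.I)


def header_only_check(data):
    """The weak check described in the write-up: only the leading bytes are
    inspected, so anything that starts with a PDF header passes."""
    return data.startswith(PDF_MAGIC)


def hardened_upload_check(filename, data, max_size=5 * 1024 * 1024):
    """Return (accepted, reason). Every rule must pass; the order only
    determines which reason is reported first."""
    ext = os.path.splitext(filename)[1].lower()
    if ext != ".pdf":
        return False, "extension not allowed"
    if not data.startswith(PDF_MAGIC):
        return False, "missing PDF header"
    if len(data) > max_size:
        return False, "too large"
    if b"%%EOF" not in data[-1024:]:     # real PDFs end with a trailer marker
        return False, "missing PDF trailer"
    if PHP_TAG_RE.search(data):          # heuristic; see safe_storage_name
        return False, "embedded PHP open tag"
    return True, "ok"


def safe_storage_name(filename):
    """Never reuse the client's file name: random name, fixed .pdf extension.
    Combined with storing outside the web root, this is the real guarantee
    that an upload can never be executed, whatever its content."""
    return secrets.token_hex(16) + ".pdf"


# Constructed samples (not real exploit content).
REAL_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
FAKE_PDF_PHP = b"%PDF-1.4\n<?php /* constructed placeholder, not a shell */ ?>\n"

if __name__ == "__main__":
    print("header-only check on fake PDF:", header_only_check(FAKE_PDF_PHP))
    for name, blob in [("paper.pdf", REAL_PDF),
                       ("evil.php", FAKE_PDF_PHP),
                       ("evil.pdf", FAKE_PDF_PHP + b"%%EOF\n")]:
        print(name, "->", hardened_upload_check(name, blob))
    print("stored as:", safe_storage_name("evil.php"))
```

The PHP-tag scan is only a heuristic (a polyglot can hide the tag in a compressed stream); the controls that actually close the hole are the .pdf-only extension, the random server-chosen name, and a storage directory the web server never executes from, so that even a file that fools every content check is served as inert bytes.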

Sunday, June 10, 2012

[Learning] Kioptrix level three

Links:

watch the HD video online:   http://vimeo.com/f4l13n5now/kioptrixlevel3

Description:

"These Kioptrix VM Images are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player).
The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges."
--------- Kioptrix team

Attacker:

Backtrack 5 R2
IP: 192.168.1.2/24

Victim:

Holynix level 2
IP: 192.168.1.18/24



vulnerability & exploit:

1, GALLARIFIC PHP Photo Gallery Script (gallery.php) SQL Injection
2, Remote File Traversal & Local File Inclusion Exploit
3, Arbitrary File Upload Exploit



Attacking tools:

1, nmap
2, SQLMAP
3, Exploit-DB
4, John The Ripper
5, Metasploit



Attacking process:

1, Reconnaissance & Enumeration:
use nmap to sweep the active hosts in the network:
nmap -n 192.168.1.0/24

use NMAP to probe the opening ports and services:

nmap -sS -sV -O 192.168.1.18 -v

found the following services:
[1] HTTP service running on port 80
[2] SSH service running on port 22
 

2, exploit vulnerable services:
[1] exploit the Remote Directory Traversal vulnerability to get users ("/etc/passwd")
[2] exploit the GALLARIFIC PHP Photo Gallery Script (gallery.php) SQL Injection to get users and hashed passwords
[3] use JTR to crack those passwords
[4] log in as administrator, upload a PHP attacking payload and reverse connect to the attacker machine (got low privilege)
or
[5] use a cracked account to log in to the server via SSH (upgrade to user privilege)
[6] browse the server system directories and collect information (found the file "CompanyPolicy.README")
[7] change the file "/etc/sudoers" to get root privilege ("allocate loneferret with ALL privilege")

 

[Learning] Holynix level two


Links:
watch the HD video online:  http://vimeo.com/f4l13n5now/holynix2
Description:
"Similar to the de-ice pentest CDs and pWnOS, Holynix is a Linux VMware image that was deliberately built to have security holes for the purposes of penetration testing."
--------- Holynix team
Attacker:
Backtrack 5 R2
IP: 192.168.1.2/24
Victim:
Holynix level 2
IP: 192.168.1.88/24


vulnerability & exploit:
1, phpMyAdmin 2.6.4-pl1 Remote Directory Traversal Exploit
2, Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit


Attacking tools:
1, netdiscover
2, nmap
3, DirBuster
4, Exploit-DB
5, John The Ripper
6, Metasploit


Attacking process:
1, Reconnaissance & Enumeration:
use netdiscover to sweep the active hosts in the network:
netdiscover -i wlan0 -r 192.168.1.88

use NMAP to probe the opening ports and services:
nmap -sS -sV -O 192.168.1.88 -v
found the following services:
[1] HTTP service running on port 80
[2] SSH service running on port 22
[3] FTP service running on port 21
[4] DNS service running on port 53

use DNS zone transfer to harvest FTP username:
dig AXFR zincftp.com @192.168.1.88 

use DirBuster to enumerate web directories:
java -jar DirBuster-0.12.jar -u http://www.zincftp.com/
found the following directories:
[1] /phpMyAdmin/
[2] /setup_guide/todo

2, exploit vulnerable services:
[1] exploit the phpMyAdmin Remote Directory Traversal vulnerability to get the FTP users' passwords ("/etc/pure-ftpd/pureftpd.passwd")
[2] use JTR to crack those passwords
[3] log in to the FTP server with a cracked account, upload a PHP attacking payload and reverse connect to the attacker machine (got low privilege)
[4] browse the server system directories and collect information (found "my_key.eml" under the directory "amckinley")
[5] use the new account to log in to the server via SSH (upgrade to user privilege)
[6] exploit "Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit" to get root privilege

Sunday, May 27, 2012

[Learning] Kioptrix level two -- injection


Links:
watch the HD video online: http://vimeo.com/f4l13n5now/kioptrix2
Description:
"These Kioptrix VM Images are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player).
The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges."
--------- Kioptrix team
Attacker:
Backtrack 5 R2
IP: 192.168.1.15/24
Victim:
Kioptrix level 2
IP: 192.168.1.102/24
vulnerability & exploit:
1, SQL Injection & Command Injection
2, ip_append_data() ring0 Root Exploit

Attacking process:
1, discover the vulnerable services:
use NMAP to probe the opening ports and services
nmap -sS -sV -O 192.168.1.102 -v
found the following services:
[1] HTTP service running on port 80
2, exploit vulnerable services:
[1] exploit SQL & Command injection vulnerability to get remote shell
[2] exploit ip_append_data() ring0 Root Exploit to get root privilege

Reference:
[1] Kioptrix download link
[2] Tutorial on g0tmi1k's Blog

Saturday, February 4, 2012

[Learning] Kioptrix level one -- samba



Links:
watch the HD video online: http://vimeo.com/f4l13n5now/kioptrix1samba

Description:
"These Kioptrix VM Images are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player).
The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges."
--------- Kioptrix team

Attacker:
Backtrack 5 R2
IP: 10.10.10.132/24

Victim:
Kioptrix level 1
IP: 10.10.10.137/24

vulnerability & exploit:
1, Samba 2.2.8 Remote Root Exploit - sambal.c
2, Samba trans2open Overflow


Attacking process:
1, discover the vulnerable services:
use NMAP to probe the opening ports and services
nmap -sS -sV -O 10.10.10.137 -v

found the following services:
[1] samba (smbd) service running on port 139


2, exploit vulnerable services:
[1] exploit samba service to get remote root privilege (use sambal.c)
or
[2] exploit samba service using trans2open to get remote root privilege


Reference:
[1] Kioptrix download link
[2] Tutorial on g0tmi1k's Blog


Saturday, January 21, 2012

[Learning] Kioptrix level one -- mod_ssl



Links:
watch the HD video online: http://vimeo.com/f4l13n5now/kioptrixl1

Description:

"These Kioptrix VM Images are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player).
The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges."
--------- Kioptrix team

Attacker:
Backtrack 5 R2
IP: 10.10.10.132/24

Victim:
Kioptrix level 1
IP: 10.10.10.137/24


Vulnerability & Exploit:
1, Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)


Attacking process:
1, discover the vulnerable services:
use NMAP to probe the opening ports and services
nmap -sS -sV -O -v 10.10.10.137

found the following services:
[1] ssh service running on port 22
[2] https service running on port 443 (apache_1.3.20)


use Nikto to discover vulnerabilities:
./nikto -host 10.10.10.137

found the following vulnerability:
[1] mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow (CVE-2002-0002, OSVDB-756)


2, exploit vulnerable services:
[1] exploit mod_ssl based on apache_1.3.20

3, cover the trace
use 0x333shadow to delete the logs


Notes:
764.c compile error on BT5:
The problem is that the OpenSSL development package is not included in BT5, so the exploit's OpenSSL headers are missing at compile time. You have to install it manually.

Solution:
apt-get install libssl-dev


Reference:
[1] Kioptrix download link
[2] Tutorial on g0tmi1k's Blog

Sunday, January 1, 2012

[Learning] Metasploitable - Tikiwiki



Links:
watch the HD video online: http://vimeo.com/f4l13n5now/tikiwiki

Description:
"Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql."
-- metasploit team


Attacker:
Backtrack 5 R2
IP: 10.10.10.128/24

Victim:
metasploitable
IP: 10.10.10.129/24


vulnerability & exploit:
1, TikiWiki 1.9.5 Sirius (sort_mode) Information Disclosure Vulnerability
2, TikiWiki tiki-graph_formula Remote PHP Code Execution
3, Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit


Attacking process:
1, discover the vulnerable services:
use NMAP to probe the opening ports and services
nmap -sS -sV -O 10.10.10.129 -v

found the following services:
[1] HTTP service running on port 80
[2] MYSQL service running on port 3306
[3] Debian openSSH running on port 22

use DirBuster to discover hidden directories
java -jar DirBuster-0.12.jar -u http://10.10.10.129

found the following directory:
[1] tikiwiki (http://10.10.10.129/tikiwiki)

2, exploit vulnerable services:
[1] exploit the tikiwiki service to get critical database information (DB user, DB password, DB name and DB type)
[2] exploit the tikiwiki service to get www-data privilege and grab the SSH key file information
[3] exploit the Debian OpenSSH service to get into the victim server with root privilege


Reference:
[1] Metasploitable download link
[2] Tutorial on g0tmi1k's Blog
[3] Metasploitable official website