[Learning] Kioptrix level three

Links:

watch the HD video online:   http://vimeo.com/f4l13n5now/kioptrixlevel3

Description:

"This Kioptrix VM Image are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player).
The purpose of these games are to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways then one to successfully complete the challenges. "
                                                                                                                                        --------- Kioptrix team

Attacker:

Backtrack 5 R2
IP: 192.168.1.2/24

Victim:

Holynix level 2
IP: 192.168.1.18/24

vulnerability & exploit:

1, GALLARIFIC PHP Photo Gallery Script (gallery.php) SQL Injection
2, Remote File Traversal & Local File Inclusion Exploit
3, Arbitrary File Upload Exploit

Attacking tools:

1, nmap
2, SQLMAP
3, Exploit-DB
4, John The Ripper
5, Metasploit

Attacking process:

1, Reconnaissance & Enumeration:
use nmap to sweep the active hosts in the network:
nmap -n 192.168.1.0/24

use NMAP to probe the opening ports and services:

nmap -sS -sV -O 192.168.1.18 -v

found the following services:
[1] HTTP service running on port 80
[2] SSH service running on port 22
 

2, exploit vulnerable services:
[1] exploit the Remote Directory Traversal vulnerability to get users ("/etc/passwd")
[2] exploit the GALLARIFIC PHP Photo Gallery Script (gallery.php) SQL Injection to get users and hashed password
[3] use JTR to crack those passwords
[4] login as administrator and upload php attacking payload and reverse connect to attacker machine (got low privilege) 
or
[5] use cracked account to login to the server via SSH (upgrade to user privilege)
[6] broswering the server system directories and collect information (found the file "CompanyPolicy.README")
[7] change file "/etc/sudoers" to get root privilege ("allocate loneferret with ALL priviliege") 

 

 
Reference:

[1] Kioptrix download link
[2] Tutorial on g0tmi1k's Blog

[Learning] SQL injection - ruxcon training website

Links:

watch the HD video online: http://vimeo.com/f4l13n5now/sqli-ruxcon

Description:
This is Ruxcon WEB Pen Testing Training website (used to practise SQL injection) provided by Louis.

Attacker:
Backtrack 5 R2
IP: 192.168.1.60

Victim:
Photoblog (training website)
IP: 192.168.1.56

vulnerability & exploit:
MySQL based SQL injection

Attacking process:
1, discover the vulnerable services:
use NMAP to probe the opening ports and detect services
nmap -sS -sV -O 192.168.1.56 -v

found the following services:
[1] MySQL database service running on port 3306
[2] HTTP web service running on port 80

2, browes the website and detect the injection point
[1] the potential vulerable URL: http://192.168.1.56/cat.php?id=1

3, test the potential injection point if it has vulerability
[1] numberic based SQL injection test:
try apply the following two URL and check the different response.
URL one "http://192.168.1.56/cat.php?id=1 and 1=2" (response nothing)
vs.
URL two "http://192.168.1.56/cat.php?id=1 and 1=1" (response the normal page)

the test above shows that here is vunerable SQL injection point.

4, exploit the injection point and finally got admin.

Reference:
[1] https://www.owasp.org/index.php/Unrestricted_File_Upload
[2] http://dev.mysql.com/doc/refman/5.0/en/tables-table.html
[3] http://hungred.com/useful-information/secure-file-upload-check-list-php/
[4] http://soroush.secproject.com/blog/2010/03/improve-file-uploaders%e2%80%99-protections-rev-1-0/

[Update] pWnOS v1

Two more vulnerabilities:

1, There is another vulnerability can be used to get root privilege locally, here is the exploit:

Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit [3]

2, an RFI vulnerability was found at "/index1.php", the vulnerable URL is:
http://192.168.1.107/index1.php?connect=/etc/password

The bug in index1.php:

...

if($_GET['connect'] != 'true'){

    include($_GET['connect']);        //Here user's input just be used directly

}

...

[Learning] pWnOS v1

Links:

watch the HD video online: http://vimeo.com/30946182


Description:
 "pWnOS focuses more on exploitation. All of the exploits are found from milw0rm.com so you won't have to scour the Internet for some obscure exploit. There are a couple different paths to root...so if you get one you can keep working to figure out the other."
                                                                                                                                                  -- bond00

Attacker:
Backtrack 5 R2 [VM]
IP: 192.168.1.108

Victim:
pWnOS v1 [VM]
IP: 192.168.1.110


Vulnerability & Exploit:
1, Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit
2, Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit
3, Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit

Attacking process:
1, discover the vulnerable services:use NMAP to probe the opening ports and services

nmap -sS -sV -O -A 192.168.1.110 -v

found the following services:

[1] webmin httpd       open on port 10000

[2] Debian openSSH     open on port 22

2, exploit vulnerable services:
[1] exploit webmin service to get password file "/etc/shadow", then found the users:

vmware

obama

osama

yomama

[2] exploit webmin service to get openSSH key files default path: "/home/$USER/.ssh/authorized_keys" (replace $USER with vmware, obama, osama and yomama)
[3] exploit Debian OpenSSH service to get into the victime server
[4] use vmsplice Local Root Exploit to get the root priviledge

Reference:

[1] pWnOS download link (http://0dayclub.com/files/pWnOS%20v1.0.zip)
[2] g0tmi1k's Blog (http://g0tmi1k.blogspot.com/2010/04/video-pwnos.html)
[3] pWnOS forum (http://forums.heorot.net/viewforum.php?f=21)