Saturday, February 4, 2012

[Learning] Kioptrix level one -- samba



Links:
watch the HD video online: http://vimeo.com/f4l13n5now/kioptrix1samba

Description:
"This Kioptrix VM Image is an easy challenge. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player).
The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges."
-- Kioptrix team

Attacker:
Backtrack 5 R2
IP: 10.10.10.132/24

Victim:
Kioptrix level 1
IP: 10.10.10.137/24

vulnerability & exploit:
1, Samba 2.2.8 Remote Root Exploit - sambal.c
2, Samba trans2open Overflow


Attacking process:
1, discover the vulnerable services:
use Nmap to probe the open ports and services
nmap -sS -sV -O 10.10.10.137 -v

found the following services:
[1] samba (smbd) service running on port 139


2, exploit vulnerable services:
[1] exploit samba service to get remote root privilege (use sambal.c)
or
[2] exploit samba service using trans2open to get remote root privilege


Reference:
[1] Kioptrix download link
[2] Tutorial on g0tmi1k's Blog


Saturday, January 21, 2012

[Learning] Kioptrix level one -- mod_ssl



Links:
watch the HD video online: http://vimeo.com/f4l13n5now/kioptrixl1

Description:

"This Kioptrix VM Image is an easy challenge. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player).
The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges."
-- Kioptrix team

Attacker:
Backtrack 5 R2
IP: 10.10.10.132/24

Victim:
Kioptrix level 1
IP: 10.10.10.137/24


Vulnerability & Exploit:
1, Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)


Attacking process:
1, discover the vulnerable services:
use Nmap to probe the open ports and services
nmap -sS -sV -O -v 10.10.10.137

found the following services:
[1] ssh service running on port 22
[2] https service running on port 443 (apache_1.3.20)


use Nikto to discover vulnerabilities:
./nikto -host 10.10.10.137

found the following vulnerability:
[1] mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow (CVE-2002-0002, OSVDB-756)


2, exploit vulnerable services:
[1] exploit mod_ssl based on apache_1.3.20

3, cover the tracks:
use 0x333shadow to delete the logs


Notes:
764.c compile error on BT5:
The problem is that the OpenSSL development package (headers and libraries) is not included in BT5. You have to install it manually.

Solution:
apt-get install libssl-dev


Reference:
[1] Kioptrix download link
[2] Tutorial on g0tmi1k's Blog

Sunday, January 1, 2012

[Learning] Metasploitable - Tikiwiki



Links:
watch the HD video online: http://vimeo.com/f4l13n5now/tikiwiki

Description:
"Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql."
-- metasploit team


Attacker:
Backtrack 5 R2
IP: 10.10.10.128/24

Victim:
metasploitable
IP: 10.10.10.129/24


vulnerability & exploit:
1, TikiWiki 1.9.5 Sirius (sort_mode) Information Disclosure Vulnerability
2, TikiWiki tiki-graph_formula Remote PHP Code Execution
3, Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit


Attacking process:
1, discover the vulnerable services:
use Nmap to probe the open ports and services
nmap -sS -sV -O 10.10.10.129 -v

found the following services:
[1] HTTP service running on port 80
[2] MYSQL service running on port 3306
[3] Debian openSSH running on port 22

use DirBuster to discover hidden directories:
java -jar DirBuster-0.12.jar -u http://10.10.10.129

found the following directory:
[1] tikiwiki (http://10.10.10.129/tikiwiki)

2, exploit vulnerable services:
[1] exploit tikiwiki service to get critical database information (DB user, DB password, DB name and DB type)
[2] exploit tikiwiki service to get www-data privileges and collect the SSH key file information
[3] exploit Debian OpenSSH service to get into the victim server with root privileges


Reference:
[1] Metasploitable download link
[2] Tutorial on g0tmi1k's Blog
[3] Metasploitable official website

Tuesday, November 8, 2011

[Learning] SQL injection - ruxcon training website



Links:
watch the HD video online: http://vimeo.com/f4l13n5now/sqli-ruxcon

Description:

This is the Ruxcon web pen-testing training website (used to practise SQL injection), provided by Louis.

Attacker:
Backtrack 5 R2
IP: 192.168.1.60

Victim:
Photoblog (training website)
IP: 192.168.1.56

vulnerability & exploit:
MySQL based SQL injection

Attacking process:
1, discover the vulnerable services:
use Nmap to probe the open ports and detect services
nmap -sS -sV -O 192.168.1.56 -v

found the following services:
[1] MySQL database service running on port 3306
[2] HTTP web service running on port 80

2, browse the website and detect the injection point
[1] the potentially vulnerable URL: http://192.168.1.56/cat.php?id=1

3, test whether the potential injection point is vulnerable
[1] numeric-based SQL injection test:
request the following two URLs and compare the responses.
URL one "http://192.168.1.56/cat.php?id=1 and 1=2" (returns nothing)
vs.
URL two "http://192.168.1.56/cat.php?id=1 and 1=1" (returns the normal page)

the different responses show that the id parameter is a vulnerable SQL injection point.

4, exploit the injection point and finally get admin access.
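The boolean test in step 3 works because cat.php evaluates whatever follows id= as SQL. The following is an added example (not code from the training site, whose PHP is not shown here) that models that behaviour in Python with an in-memory SQLite table: a lookup that concatenates the parameter, the way the vulnerable page must, beside a lookup that type-checks and binds it. The table name, column names and rows are constructed for the example; the "and 1=1" / "and 1=2" probes are the ones used above. The differential the tester relies on appears for the concatenated query and disappears for the parameterised one, which is also the check a developer can keep in a regression test.

```python
import sqlite3

# Constructed stand-in for the Photoblog category table (hypothetical schema).
SAMPLE_ROWS = [(1, "Ruxcon"), (2, "Conferences"), (3, "Holidays")]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, raw_id):
    """Mirrors a cat.php that pastes the id parameter straight into the query.

    Whatever the client appends after the number becomes part of the WHERE clause.
    """
    sql = "SELECT id, title FROM categories WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, raw_id):
    """Hardened form: require an integer, then bind it as a parameter.

    Probe strings such as "1 and 1=1" never reach the SQL engine as code.
    """
    try:
        cat_id = int(raw_id)
    except ValueError:
        return []  # reject non-numeric input instead of guessing
    return conn.execute(
        "SELECT id, title FROM categories WHERE id=?", (cat_id,)
    ).fetchall()


def boolean_differential(lookup, conn, base="1"):
    """Return True when the 'and 1=1' and 'and 1=2' probes give different
    results, i.e. when the parameter is being evaluated as SQL (step 3 above)."""
    true_probe = lookup(conn, base + " and 1=1")
    false_probe = lookup(conn, base + " and 1=2")
    return true_probe != false_probe


if __name__ == "__main__":
    db = make_db()
    print("concatenated query differential:", boolean_differential(lookup_vulnerable, db))
    print("parameterised query differential:", boolean_differential(lookup_safe, db))
```

Run as a script it prints True for the concatenated lookup and False for the parameterised one. Note that SQLite is only a convenient stand-in for the MySQL backend; the concatenation defect and the fix are the same in PHP with mysqli or PDO, where casting to int and using a bound parameter play the same roles as int() and the "?" placeholder here.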

Reference:
[1] https://www.owasp.org/index.php/Unrestricted_File_Upload
[2] http://dev.mysql.com/doc/refman/5.0/en/tables-table.html
[3] http://hungred.com/useful-information/secure-file-upload-check-list-php/
[4] http://soroush.secproject.com/blog/2010/03/improve-file-uploaders%e2%80%99-protections-rev-1-0/

Saturday, October 29, 2011

[Learning] Metasploitable - Distcc



Links:
watch the HD video online: http://vimeo.com/f4l13n5now/distcc

Description:
"Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql."
-- metasploit team

Attacker:
Backtrack 5 R2
IP: 10.10.10.128/24

Victim:
metasploitable
IP: 10.10.10.129/24

vulnerability & exploit:
1, DistCC Daemon Command Execution
2, Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit

Attacking process:
1, discover the vulnerable services:
use Nmap to probe the open ports and services
nmap -sS -sV -p0-65535 -O 10.10.10.129 -v

found the following services:
[1] distccd service running on port 3632
[2] Debian openSSH running on port 22

2, exploit vulnerable services:
[1] exploit distccd service to get into the victim server with limited privileges
[2] collect the SSH key file information
[3] exploit Debian OpenSSH service to get into the victim server with root privileges

Reference:
[1] Metasploitable download link
[2] Tutorial on g0tmi1k's Blog
[3] Metasploitable official website

Sunday, October 23, 2011

[Update] pWnOS v1

Two more vulnerabilities:

1, There is another vulnerability that can be used to get root privilege locally; here is the exploit:

Linux Kernel 2.4/2.6 sock_sendpage() Local Root Exploit [3]

2, an RFI vulnerability was found at "/index1.php"; the vulnerable URL is:
http://192.168.1.107/index1.php?connect=/etc/password

The bug in index1.php:
...
if($_GET['connect'] != 'true'){
    include($_GET['connect']);        // the user-supplied value is passed to include() unchecked
}
...
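The only check in that fragment is the comparison against the literal 'true', so any other value is handed to include() as a path. Below is an added example (not code from pWnOS or from the post) that restates the fragment's logic in Python next to two ways of closing the hole: an allow-list that maps request names to known files, and a path-containment check for the case where pages really must be selected by filename. The pages directory, the allow-list entries and the request values are assumptions made for the example.

```python
import os

# Assumed layout for the example; pWnOS's real document root is not shown in the post.
PAGES_DIR = "/var/www/pages"

# Allow-list: the only request names that may be turned into an include path.
ALLOWED_PAGES = {
    "main": "main.php",
    "contact": "contact.php",
}


def resolve_vulnerable(connect):
    """Mirror of the index1.php logic: anything but the literal 'true' is used as given."""
    if connect != "true":
        return connect  # becomes the include() argument, local path or otherwise
    return None


def resolve_allowlist(connect):
    """Hardened form 1: look the name up in a fixed table; unknown names are rejected."""
    if connect not in ALLOWED_PAGES:
        return None
    return os.path.join(PAGES_DIR, ALLOWED_PAGES[connect])


def is_within(base_dir, candidate):
    """True when base_dir/candidate, after resolving '..' and symlinks, stays inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, candidate))
    return os.path.commonpath([base, target]) == base


def resolve_contained(connect):
    """Hardened form 2: accept a relative filename only if it resolves inside PAGES_DIR."""
    if not connect or os.path.isabs(connect) or not is_within(PAGES_DIR, connect):
        return None
    return os.path.realpath(os.path.join(PAGES_DIR, connect))


if __name__ == "__main__":
    # Constructed requests: one legitimate, one shaped like the URL in the post.
    for value in ("main", "main.php", "/etc/password", "../../../etc/password"):
        print(
            f"{value!r:28} vulnerable={resolve_vulnerable(value)!r:26} "
            f"allowlist={resolve_allowlist(value)!r:30} contained={resolve_contained(value)!r}"
        )
```

The allow-list is the stronger of the two because the client never supplies a path fragment at all; the containment check is the fallback when the set of pages is not fixed, and it must resolve symlinks (realpath) before comparing, otherwise a link inside the pages directory can still point outside it.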

Saturday, October 22, 2011

[Learning] pWnOS v1



Links:
watch the HD video online: http://vimeo.com/30946182


Description:
"pWnOS focuses more on exploitation. All of the exploits are found from milw0rm.com so you won't have to scour the Internet for some obscure exploit. There are a couple different paths to root...so if you get one you can keep working to figure out the other."
-- bond00

Attacker:
Backtrack 5 R2 [VM]
IP: 192.168.1.108

Victim:
pWnOS v1 [VM]
IP: 192.168.1.110


Vulnerability & Exploit:
1, Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit
2, Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit
3, Linux Kernel 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit

Attacking process:
1, discover the vulnerable services:
use Nmap to probe the open ports and services
nmap -sS -sV -O -A 192.168.1.110 -v

found the following services:
[1] webmin httpd       open on port 10000
[2] Debian openSSH     open on port 22

2, exploit vulnerable services:
[1] exploit webmin service to get the password file "/etc/shadow", then find the users:
vmware
obama
osama
yomama
[2] exploit webmin service to get the openSSH key files at the default path "/home/$USER/.ssh/authorized_keys" (replace $USER with vmware, obama, osama and yomama)
[3] exploit Debian OpenSSH service to get into the victim server
[4] use the vmsplice Local Root Exploit to get root privilege


Reference:
[1] pWnOS download link (http://0dayclub.com/files/pWnOS%20v1.0.zip)
[2] g0tmi1k's Blog (http://g0tmi1k.blogspot.com/2010/04/video-pwnos.html)
[3] pWnOS forum (http://forums.heorot.net/viewforum.php?f=21)