Comments on Kook Sec: Hacking Lord Of the Root

Kook, 2017-07-17 10:42 -07:00:
When I create the initial python code, I run it against all 3 files. Two of them will exit normally and one will seg fault. The seg fault is a good sign it is potentially vulnerable to a buffer overflow. The following is the code:

    import os
    # 500-byte argument; a segfault on one of the three binaries hints at an overflow
    exploit = "A" * 500
    # space added so the argument is passed to the binary rather than appended to its name
    os.system("./file " + exploit)

Anonymous, 2017-07-17 06:17 -07:00:
Hi Kook. Great writeup mate. Can you please let me know how you found out that one of the files in the SECRET directory is vulnerable to buffer overflow? Thank you.

Monsta Mostropi, 2017-01-12 22:41 -08:00:
I got the same error as Unknown (ERROR 1126 (HY000): Can't open shared library 'raptor_udf.so' (errno: 0 /usr/lib/mysql/plugin/raptor_udf.so: invalid ELF header)). Eventually found that the error will happen when the wrong directory is specified when loading the file into the database:

    insert into foo3 values(load_file('/home/smeagol/raptor_udf2c.so'));

If that happens then the exploit has to be recompiled with another name and the new table has to be recreated. So copy all the commands to run in a notepad first and review them before running them.

Kook, 2016-02-22 09:13 -08:00:
I doubt that the directory you are attempting to read from and write to is readable and writable. My tutorial shows where I read and wrote from, and it will work successfully. Google is your friend.

Anonymous, 2016-02-20 13:59 -08:00:
Hello, can someone please give me some advice? I am stuck at this part.

    MySQL> create function do_system returns integer soname 'raptor_udf.so';
    ERROR 1126 (HY000): Can't open shared library 'raptor_udf.so' (errno: 0 /usr/lib/mysql/plugin/raptor_udf.so: invalid ELF header)

Kook, 2016-01-08 12:19 -08:00:
That was intentional! It is important to do post exploitation on Smeagol before you move to attacking root.

DML, 2016-01-08 10:16 -08:00:
Also you have the MySQL root password inside login.php and smeagol can read it! :)

Kook, 2015-09-26 16:04 -07:00:
SQLmap is an automated SQL injection exploiter. I used it to dump the credentials. I suggest you look up a tutorial if you are not familiar with it. I did it by first capturing the request via a proxy, then I used the request:

    sqlmap -r request.txt --dbs
    sqlmap -r request.txt -D $database --table
    sqlmap -r request.txt -D $database -T $table --dump

Hope that helps.

Anonymous, 2015-09-26 03:40 -07:00:
Hello, I am a little confused at the SQL injection part. Can you explain the script using sqlmap? Thanks. :)

Kook, 2015-09-23 14:34 -07:00:
Really, Dirb is the best for predictable directories, but using a proxy and stepping through an application to view both requests and responses is the best practice to understand the flow of an application. My favorite proxy is Burp.

Xike, 2015-09-23 13:19 -07:00:
Thanks for the reply. I am new to pentesting, and currently doing the OSCP. What manual techniques would you recommend for finding directories?

Kook, 2015-09-23 12:57 -07:00:
Sorry I was unclear in my post. The webapp was intentionally designed to not show anything on dirb. I found the 404.html through manual testing.

Xike, 2015-09-23 12:52 -07:00:
Hello, and thanks for the VM. What wordlist did you use for your dirb scan? I do not get the 404 page that you mention in your tutorial. Here is what I get when running dirb with all included wordlists and dirbuster's wordlists:

    192.168.xxx.xxx:1337/
    192.168.xxx.xxx:1337/index
    192.168.xxx.xxx:1337/images

Kook, 2015-09-23 10:01 -07:00:
Whoa! That was a HUGE oversight. Thanks for the input! I will have the modified image up, and the updated image is found on the mediafire link. Hopefully the Vulnhub mirror will be updated soon.

Anonymous, 2015-09-23 08:43 -07:00:
Not sure if this was intentional or not, but you can bypass the privesc:

    smeagol@LordOfTheRoot:~$ sudo -l
    User smeagol may run the following commands on LordOfTheRoot:
        (ALL : ALL) ALL

    smeagol@LordOfTheRoot:~$ sudo su

    root@LordOfTheRoot:/home/smeagol# cat /root/Flag.txt
    “There is only one Lord of the Ring, only one who can bend it to his will. And he does not share power.”
    – Gandalf