OSCP Series: Kioptrix Level 2

Another day, another challenge.

In today’s post we’re going to solve Kioptrix Level 2.

Let’s get started.

After booting the machine, we see the following:

Kioptrix_Level2

This screen is very similar to level 1 click HERE if you missed that.

Let’s begin.

First, let’s enumerate using nmap, with the command nmap -sV <IP_ADDRESS>. In my case it will be nmap -sV 192.168.0.14

Below is the screenshot I have:

Kioptrix_nmap_Level2

We have a number of ports open. Let’s look at port 80 (http) and see what we can find.

Going to http://<IP_ADDRESS> (substitute IP_ADDRESS with your IP address)

We see the following screen:

Kioptrix_webpage_Level2

A login screen… let’s see if we can do an authentication bypass by doing a SQL injection.

Kioptrix_webpage_login_Level2

Entering the username of admin and password of ‘ OR ‘1’=’1′–

Success! We were able to complete an authentication bypass. Now we’re presented with a web console to ping a machine. So let’s ping.Kioptrix_webpage_console_Level2

Entering our IP address and pressing the submit button we see that the web page pings our machine.

Kioptrix_webpage_ping_Level2

Kioptrix_webpage_ping_results_Level2

Let’s see if we can complete one or more commands in succession. This vulnerability is called command injection, as the attacker can enter arbitrary commands to read and write to the server.

Kioptrix_webpage_command_injection_Level2

Kioptrix_webpage_command_injection_results_Level2

We see this application is vulnerable to command injection as we were able to ping our machine and list the contents on the server.

Let’s see if we can use the command injection vulnerability to get a remote shell.

Going to Google and typing in “remote shell commands” the following screenshot is from the first result.

Kioptrix_remote_shell_command_Level2

As you can see this web page lists different ways to gain a remote shell a server. Let’s use the first command, and see this will be successful for us.

First we need to get our IP address.

Entering the command in a terminal ifconfig we will get our IP address, which is what we need for our remote shell.

The below screenshot is mine:

Kioptrix_webpage_ipconfig_Level2

The next two steps need to be completed at the same time.

Going back to the web console, we’re going to enter the above remote shell command, changing our IP address, to the IP address from our ifconfig command. As well as change our port to the port listed in our netcat command (note the port can be anything, I just picked 4444 as it’s easier for me. It could be 1234, 2222, etc.)

Kioptrix_remote_shell_command_webpage_Level2

Now we need to start a listener, the below screenshot is used with netcat

Kioptrix_remote_shell_Level2

After pressing the submit button from the web console, we have the following screenshot – our remote shell worked! we see that we’re connected (192.168.0.14 is the Kioptrix machine and 192.168.0.12 is my machine). You’ll notice that when we list the directory it matches the above screenshot from the command injection inside the web console.

Continuing on let’s see the server version we’re running. See screenshot below.Kioptrix_webpage_uname_Level2

Opening a new terminal, let’s go to searchsploit and see how many exploits we can find for this version.Kioptrix_webpage_searchsploit_1_Level2Kioptrix_webpage_searchsploit_2_Level2Kioptrix_webpage_searchsploit_3_Level2Kioptrix_webpage_searchsploit_4_Level2Kioptrix_webpage_searchsploit_5_Level2Kioptrix_webpage_searchsploit_6_Level2

There are A LOT of exploits, as I was pretty lax on the search results. Let’s use exploit 9545.c as it lists the version number and it also use CentOS (which we saw during the enumeration phase) exploit.

Let’s copy the exploit to the current directory – see screenshot below.

Kioptrix_copy_exploit_Level2

Since we’re working with a web server, we need to move our exploit to the Apache folder and start Apache. See screenshots below.

Kioptrix_apache_exploit_in_folder_Level2Kioptrix_apache_start_Level2

Now let’s try to download our exploit. The first time doesn’t work as one we didn’t specify the file, and we get a permission denied – screenshot below.

Kioptrix_download_file_failure_Level2

Let’s try to change the directory to the /tmp folder and see if we can download our exploit.Kioptrix_download_file_success_Level2

We were successful! Our exploit was downloaded.

Let’s compile our exploit, and give it the name of exploit. See screenshot below.Kioptrix_compiling_exploit_Level2

Running the exploit and entering the whoami command we’re now root. W00t! Kioptrix_whoami_root_Level2

Let’s see if we’re truly root – let’s read the /etc/shadow by entering the following command cat /etc/shadowKioptrix_etc_shadow_Level2Kioptrix_etc_shadow_2_Level2

We’re able to view the /etc/shadow file, which means we’re truly root.

Advertisements

OSCP Series: Kioptrix Level 1

Another day, another challenge.

I am studying for the OSCP exam. I read the following boot-to-root is a good VM to root in preparation for the exam.

Anyway without further ado…

Note: I set Kioptrix and Kali to both Bridged, so both VMs are on the same network. Please make sure to do this or the walkthrough will not work.

Booting the Kioptrix machine we see the following…

Kioptrix_boot

Hmm… so we need to acquire root of this machine. And we’re presented with a login prompt.

Going to our Kali machine, we first need to find open the terminal and find the IP address of the Kioptrix machine.

To do this, type netdiscover followed by Enter.

For me, the IP address is 192.168.0.10, this will be different for you.

Now, let’s see which services are running on the Kioptrix VM.

Type nmap -sV (TCP scan) <IP_ADDRESS> in my case my IP address is 192.168.0.10.

Below is a screenshot:

kioptrix_services

We have the following services open – ssh, http, rpcbind, netbios-ssn, ssl/http, status

Let’s look at the http page and see if we can find something useful

Kioptrix_html

Nothing useful was listed here. Let’s go back to the services above and see if we can use another vector to find gems in the VM.

We see there’s a Samba server running on 139.

Maybe we can enumerate this server and get more information.

What can we use to enumerate?

There’s a useful tool called enum4linux which enumerate SMB servers for goodies.

Running the command enum4linux -a <IP_ADDRESS> we get:

Kioptrix_enum1Kioptrix_enum2Kioptrix_enum3Kioptrix_enum4Kioptrix_enum5Kioptrix_enum6Kioptrix_enum7Kioptrix_enum8

As you can see the tool returns a lot of data. The important pieces are:

  1. The server version of Samba server
  2. The different groups and users for the server

Looking at the output we see the Samba server is 2.2.1a

Let’s see if we can find an exploit for this server version.

Using searchsploit we have the following:

Kioptrix_SambaKioptrix_Samba2

OK, this looks promising.

Let’s try the first exploit. We need to copy the exploit to our current directory.

kioptrix_first_exploit

This is a perl program, so let’s see what we need to supply to get the exploit working:kioptrix_first_exploit2

We need to supply a target type, our ip, and a target ip. After supplying the correct information we have the following:

kioptrix_first_exploit3

The exploit didn’t work. Let’s try another.

Going back to the searchsploit results, the second exploit – Samba 2.2.8 – Remote Root Exploit, we see that it’s a c program.

First, let’s copy this file to our current location.

kioptrix_copy

Now we need to compile this file.

Using the gcc compiler, we can have a working exploit.

kioptrix_gcc

Let’s see what options we can use for this exploit…

kioptrix_sambaSploit

OK. We need to specify the platform (-b), it’s good to have the verbose (-v), and specify the host. Let’s see a screenshot of this.

kioptrix_remote

Score! We were able to gain a shell!!

OK, let’s see if we can find some goodies…

kioptrix_remote2

Looking at the bash history we see mail has been accessed.  Let’s try accessing the mail.kioptrix_remote4

Going to the inbox and reading the first message, we see the above message.

Score! We have successfully completed this boot to root!!

The BodgeIT Store Series #7, Change your Passwords via a GET Request – #bodgeit #infosec #pentest #appsec #webapp

Happy hacking!

Today’s blog post is #7 in the BodgeIt Store series.

To view the blog post #6 click HERE.

Today’s topic is we’re going to change our password via a GET request.

Let’s get started.

We were able to log into the application without supplying a password – click HERE to read it.

Logging into the application as user1@thebodgeitstore.com’ OR ‘1’=’1

We get the following:

burp_login_user1_successful

Clicking on the user1@thebodgeitstore.com link we see:

bodgeit_GET_1

Let’s view the page source of the webpage:

bodgeit_GET_2

We see that the update password is looking for a POST, but we need to send it as a GET. How are we going to solve this?

Let’s do a right click on one of the text boxes and select “inspect element”.

From there we see:

bodgeit_GET_3

Double clicking on the form method we’re going to change the method from POST to GET.

bodgeit_GET_4

Going back to the password page, we can select the password to anything. I am going to use “hello”, and press “Submit”

bodgeit_GET_5

bodgeit_GET_6

We we’re able to change our password, through a GET request.

Let’s see if our solution was accepted.

bodgeit_GET_7

Our solution was accepted (as the challenge is now green)!

The BodgeIT Store Series #6, Access Someone Else’s Basket – #bodgeit #infosec #pentest #appsec #webapp

Happy Hacking!

Today’s post is #6 in the BodgeIt Store series.

To view post #5 in the BodgeIt Store series click HERE.

The topic for today is to access someone else’s basket.

First, let’s go to the admin page, and notice the different basket ids:

bodgeit_new_admin

We see that for each user – there’s a corresponding basket id.

Let’s go to the Your Basket page. Going there we see the following:
bodgeit_new_your_basket

Let’s open Burp and see if our traffic will reveal anything to us.

After opening Burp, and clicking on the “Update Basket” button we see:

bodgeit_basketid_initial

Hmm.. we see there’s a cookie value of b_id. Could this possibly be basket id?

Let’s try changing the value from 8 to 0 (which is the admin basket).

bodgeit_basketid_admin_not_working

bodgeit_basketid_admin_not_working_basket

OK… we see that the basket has been updated and we received a system error. This let’s me know that admin basket didn’t work too good.

Let’s go back and try another basket id of 1 which is the user1 account.

bodgeit_basketid_initial

bodgeit_basketid_changed_value

bodgeit_basketid_final

OK, changing the basket from 8 to 1 (user1 account) we see that our basket has been updated to show the user1 basket.

Let’s go back to the scoring page and see if we have successfully solved the challenge.

bodgeit_scoring_8

We solved the challenge successfully!

The BodgeIT Store Series #5, Login as a Different User?! – #bodgeit #infosec #sqli #pentest #appsec #webapp

Happy hacking!

Today’s blog post is #5 in the BodgeIt Store series.

To view blog post #4, click HERE.

The challenges we’re going to solve are the following:

  1. Log into the application as test@bodgeitstore.com
  2. Log into the application as user1@bodgeitstore.com
  3. Log into the application as admin@bodgeitstore.com

Let’s begin.

Going to the application let’s go to the login page – screenshot:

bodgeit_login1

Reviewing the objectives we have the username (email), but we don’t have the password… Meaning we can’t log into the application… well let’s see.

We already know the application is buggy (our favorite!) so it will not be hard to deduce that the application is not sanitizing our input. Meaning we can append certain characters in the username box and bypass entering a password to log into the application.

What possibly are these characters?

We know that for a valid login there has to be an back-end database that is used to test the username and password. We have the username, but what if we trick the database with a true statement and allow us to log into the application without entering a password.

The topic that I am talking about is SQL Injection. Doing a Google search you will see there are plenty websites dedicated to this topic.

Let’s imagine that the back-end database is the following:

SELECT valid_login FROM customers WHERE username=uname AND password=passwd;

Note: valid_login will return a boolean (TRUE/FALSE)

The username is the email that we have plus the appended characters –> test@bodgeitstore.com’ OR ‘1’=’1

Password is going to be blank.

So the above line will be:

SELECT valid_login FROM customers WHERE username=’test@bodgeitstore.com’ OR ‘1’=’1 AND password=<blank>;

The password is going to be blank.

Let’s break down the above statement

We’re closing the test@bodgeitstore.com expression, and then we’re going to include a new expression using the OR statement. The next expression is 1=1 which will ALWAYS evaluate to true (1 does equal 1).

 

Try it in the application and see what happens.

First, let’s configure our browser to listen through our Burp proxy.

Going to the login page, let’s add the username of test@bodgeitstore.com’ OR ‘1’=’1′, with no password, and press the Login button.

See screenshots:

bodgeit_login1

burp_login_test

burp_login_test_successful

We’ve successfully logged in without a valid password!

Let’s see if we can do this with the second username: user1@bodgeitstore.com

bodgeit_login2

burp_login_user1

burp_login_user1_successful

We were able to log into the application as user1, without supplying a valid password!

Let’s try username: admin@thebodgeitstore.com

Going back to the login page, let’s enter the username as admin@thebodgeitstore.com without supplying a password.

bodgeit_login3

burp_login_admin

burp_login_admin_successful

We were able to log into the application as an admin without supplying a valid password.

Hmm… we see with the admin login we have a new link – Comments. We’ll come back to this in another post.

Going back to the scoreboard we see:

bodgeit_scoring_6

All of the login challenges are now complete (green)!

The BodgeIT Store Series #4, Find Diagnostic Data – #bodgeit #infosec #pentest #appsec #webapp

Happy hacking!

Today’s blog post is #4 in the BodgeIt Store series.

If you want to view post #3 click HERE.

In today’s post we’re going to find diagnostic data.

So exactly what is diagnostic data?

In this case, we’re looking for a webpage inside the store that will reveal debugging data.

What exactly is debugging data?

Debugging data is used by developers who want to make sure their application is working correctly.

The problem is that the developers do not turn off the debugging feature before moving their application to production (live).

Let’s get started.

So how are we going to find the debug data? We’re going to add the following in the URL address bar: ?debug=true

Let’s start with the home page:

debug_true_1

We added the debug command, and it the page rendered the same. No debugging code on this page.

Let’s try the about us page.

Adding the debug command, the page rendered the same. No debugging code on this page.

debug_true_2

 

Let’s try the contact us page.

Adding the debug command, the page rendered the same. No debugging code on this page.

debug_true_3

Let’s try the login page.

Adding the debug command… the page rendered:

debug_true_4_yess

If you view the top of the page, you will see the new line – DEBUG: Clear.

This is an example of debugged code!

We were able to find diagnostic code in the application.

Let’s try the Your Basket page, and see what we get:

debug_true_5_yes

We found another page that has diagnostic data! In this case the debugged line says – DEBUG basketid = 5.

Let’s try search page, and see what we get:

debug_true_6

No diagnostic data here.

Let’s see what the scoreboard says:

bodgeit_scoring_5

We have successfully completed the find diagnostic data challenge (it’s green)!

The BodgeIT Store Series #3, Get the Store to Owe You Money – #bodgeit #infosec #pentest #appsec #webapp

Happy hacking!

Today’s post is #3 in a series of solving the BodgeIt Store.

If you want to check post #2, click HERE.

In today’s challenge we will make the store owe us money.

Before continuing on, you will need an interception proxy.

Two of the most popular interception proxies are ZAP and Burp.

I am going to use the free version of Burp (Community Edition) which can be downloaded HERE.

After downloading and installing Burp we need to set our proxy to have Burp intercept the traffic.

Note: I am using Chrome, but the steps are VERY similar between browsers (IE, Chrome, and Firefox)

When opening Burp, and clicking on the Proxy –> Options tab we see that the Proxy Listener is listening on 127.0.0.1, port 8080.

burp_settings

Going to your browser, go to Options.

In Chrome, click the three dots, and select Settings

You should see the following screen:

chrome_settings

In the search settings type in “proxy” which will show the following:

chrome_proxy_settings

Clicking on the last option – Open proxy setting we see:

internet_properties_1

Clicking on the Connections tab, we see:

internet_properties_2

Clicking the LAN settings button, make the settings look like the following screenshot and press “OK”.

internet_LAN_properties

To summarize: We’re setting the proxy in Chrome (or IE, Firefox, depending on the browser) to send traffic through our Burp proxy which is listening on 127.0.0.1:8080.

Going back to Burp, make sure that the intercept is on –  see screenshot:burp_intercept

Refreshing the BodgeIt page, we see:

burp_bodgeit

Yay! our traffic is being trapped properly through Burp.

Click Forward until the Raw tab is blank, and turn the intercept off.  Click the intercept is on box once and it will turn off the interception.

OK… now let’s earn some $$$!!!

Navigating to the home page, click on any of the items on the left side. I am going to click on Doodah’s (first item), and I see the following:

Doodah_1

I am going to click on the most expensive item which in this case is Doo dah day, and I see:

Doodah_2

OK, let’s turn on the interception back on. Click the intercept is off button once to turn the interception back on.

After the interception is on, click on the basket button. I see:

burp_price

Changing the quantity to -10 (which is a negative value, and should not be permitted as you can’t purchase a NEGATIVE item) we see:

burp_updated_price

Going back to BodgeIt…

We have successfully made the store owe us money!!!

burp_updated_price_final

Going back to the scoreboard…

bodgeit_scoring_4

we see this challenge is now complete (green)!