Windows/Linux LFI/RFI + MSF + Fimap = call me tons of fun

Hey guys, as promised I wanted to do something a little different. I made a sample video of Fimap, which is a tool to find and exploit Local and Remote File Inclusion bugs. If you aren’t familiar with the tool you can check it out here.

File inclusion (FI) happens when an attacker can include files through a web script or an improperly coded page. You can learn more about LFI/RFI here. Most people confuse LFI/RFI with directory traversal; while both are bad, LFI/RFI can lead to fun times for a pentester.

When looking for FI bugs, I attempt to see if the PHP code uses commonly vulnerable functions (e.g. include_once, fopen, file_get_contents, etc.). In the example that I will be attacking, the page uses the “include” function. The behaviour of some of these functions can be controlled through the “php.ini” file. More info can be found here and here.

You will normally see code like this:

// the "page" parameter is taken straight from the request and
// concatenated into include() without any validation
$incfile = $_REQUEST["page"];
include($incfile.".php");

In this example, the potentially vulnerable parameter is “page”, because the file it names ($incfile) is “included” without any validation of where it points.
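A hardened counterpart of the snippet above, as an added example that is not part of the original post: the request value selects an entry from a fixed allowlist instead of being concatenated into include(). PAGE_DIR, PAGES and the function names are assumptions for illustration.

```php
<?php
// Added example (not the post's code): a hardened counterpart of the
// include($_REQUEST["page"] . ".php") pattern. The request value selects an
// entry from a fixed allowlist and is never used to build a path itself.
// PAGE_DIR, PAGES and the function names are assumptions for illustration.

const PAGE_DIR = __DIR__ . '/pages';

// The only values "page" may take, each mapped to a fixed file name.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Return the file to include, or null if the value must be rejected.
// Keeping the decision separate from include() makes it easy to test.
function resolvePage(?string $page): ?string
{
    if ($page === null || !array_key_exists($page, PAGES)) {
        return null;                 // unknown key: reject, never build a path
    }
    $base = realpath(PAGE_DIR);
    $real = realpath(PAGE_DIR . '/' . PAGES[$page]);
    if ($base === false || $real === false) {
        return null;                 // directory or file missing on disk
    }
    // Defence in depth: the resolved file must sit inside PAGE_DIR.
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Hardened replacement for the post's include($incfile.".php").
function includePageSafe(?string $page): void
{
    $path = resolvePage($page);
    if ($path === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    include $path;
}

// Anything that is not a plain string (e.g. page[]=x) is treated as missing.
$page = $_REQUEST['page'] ?? 'home';
includePageSafe(is_string($page) ? $page : null);
```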

Scenario: We are attacking two machines (Linux and Windows). I wanted to show the versatility of the tool and how easy it is to go from identifying the bug to Admin/Root.

Video: http://www.youtube.com/watch?v=AIigCni-bJI

Sorry for the delay, I guess things went crazy. Ahwell!!! Hope you enjoy!

Now that I have sort of worked out the video issue, I am going to do a mini-series on Exploit Dev. This series will cover setting up the lab environment, writing our exploits in Python and Ruby (MSF), and semi-advanced software protection bypass.

Webmin + John = root!

I wanted to do something different this week, however the video I recorded crashed and didn't save correctly. sniffles I will attempt to do a video this weekend since I have some extra time and get it uploaded for next week. I still wanted to do something, so I was going through some of my old notes and decided to write about an oldie but goodie.

Scenario:
I was approached by a mean kitteh. He said that if we can hack into his box, we can have all the beers we want. However, he said that if we cannot hack into his box, he will eat our faces and piss on our favorite Batman Chucks!! 🙁 Since I love beer, I figured why not.

After scanning the kitteh’s network, I came across the following port open on a host:

[screenshot: Webmin on default port]

I wanted to make sure I could reach the victim on that port by visiting the IP:PORT in our browser. Since my other scans were not completed yet, I went to the Googles!! However, if I had previously scanned the victim with hydra or nessus, etc… maybe I was lucky enough to find weak passwords. If that is the case, the game is pretty much over, depending on how webmin was installed.

[screenshot: Webmin running as root]

As you can see from the screenshot, webmin is running with root permissions, so we can execute any command that we want. However, if you aren’t that lucky, extra research can come in handy. I have identified that this version of webmin has a flaw that will allow us to retrieve files from the local system. This could come in handy! Of course, you can easily search the Internet and find many exploits or ways to hack this version of Webmin.

Now that we have done our research and found a promising exploit, let's get to work!!!

[screenshot: the Perl exploit's usage]

Ok, from the exploit we see that the default values are:

url - victim url/ip
port - in most cases the default is "10000"
filename - the name of the file you are looking to retrieve
target - whether the victim uses HTTP or HTTPS

That seems simple enough. The easiest thing to do is to attempt to retrieve the “/etc/passwd” file; as this file should be “world” accessible this is a good first test.

[screenshot: /etc/passwd retrieved]

Awesome, looks like we can read the “/etc/passwd” file. Let's see if we can read any other files, like the “/etc/shadow” file. 😉 YAY! We can read that file as well. Let's save them to a file in preparation for our next step with john.

root@L4mers3c:~# perl 2017.pl 192.168.160.156 10000 /etc/passwd 0 > passwd.txt

root@L4mers3c:~# perl 2017.pl 192.168.160.156 10000 /etc/shadow 0 > shadow.txt

You may have to clean up the output a little.

Now that we have both files saved, we can use a cool utility that comes along with John the Ripper (JTR) called “unshadow”. Unshadow will take an “/etc/passwd” file and merge it with an “/etc/shadow” file and hopefully allow us to crack the passwords. Of course this depends on how secure and complex the kitteh's passwords are.

root@L4mers3c:~# unshadow passwd.txt shadow.txt > both.txt

Now that both files are merged, we can attempt to crack them with JTR.

[screenshot: john output]

As you can see, we have cracked some of the really weak passwords. Hmmm! During scanning I noticed that SSH was running on this host. Let's see if we can log in with one of the accounts that we have found.

[screenshot: SSH login]

Game Over!! Well, not really: if we look at our user permissions, we aren't root! The kitteh said we cannot have a beer until we get root. We can go through the normal post exploitation steps and look for a local exploit.

[l4mers3c@localhost ~]$ uname -a
Linux localhost.localdomain 2.6.18-128.el5 #1 SMP Wed Jan 21 10:44:23 EST 2009 i686 i686 i386 GNU/Linux
[l4mers3c@localhost ~]$

After searching on the Interwebz, we find that our victim is potentially vulnerable to the “Linux sock_sendpage() NULL pointer dereference” exploit. Let's move it over to our victim and see what we can do.

root@L4mers3c:~# service apache2 start
[ ok ] Starting web server: apache2.
root@L4mers3c:~# searchsploit sock
Linux Kernel <= 2.6.3 (setsockopt) Local Denial of Service Exploit

Subdomain Enumeration

As with most things related to pen-testing, there are many different ways to enumerate the subdomains of your target. One promising tool I’ve been playing with recently is Recon-Ng. I won’t be at all surprised if recon-ng becomes as popular for the reconnaissance phase of a pen-test as metasploit has become for the exploit phase. Today, though, I want to talk about a fun method I used a few weeks ago to find out more about the subdomains of my target. But first, here are some completely passive methods of enumerating subdomains.


Configure Your Environment

In my last post on Reverse Shell Methods, I discussed the shell a lot. As a penetration tester, I spend the majority of my actual “work” time in a shell. I leverage Windows, OSX, and Linux about evenly throughout the day, so I’ve tried to customize my environment in all three, though I have had substantially more success tweaking OSX and Linux to my liking. Today, I want to discuss the way I’ve configured my OSX, Kali, and Metasploit prompts to give me the information I need when I need it – for example, when I am writing a penetration test report. Besides, it’s always a good idea to keep track of what I’m doing and when I’m doing it! Always CYA!
