Oldie but Goodie- from command injection to r00t

First, I have to admit that I have not published as much as I was hoping since I started this blog last year. I have recently finished grad school and now I am in the mode of finally doing, starting, creating and catching up on all of the things that I have been neglecting because of classes.

My plan is to start posting material more often. I know I owe some of my friends posts from months ago…so yeah! I hope to start “Break sh*t Saturdays” with some guys from work and other friends, so that should start to help my weekly publish rate. Anyway, I wanted to do something small just to get back into the swing of things. Enjoy!

I remember working on an assessment for a company many moons ago when I ran across an old Linux box that had “mod_perl” with script access running. I rarely see it anymore because, well, most administrators have not allowed CGI scripts or other crazy stuff to run on their network.

(ahem, notice I said most)

However, I was recently reading a few posts on Infosec Institute. Despite the whole BS that went on last year about stealing material, or whatever started the flame war on Twitter, they still publish decent material from time to time. One of these posts was about setting up and hacking a CGI server. Since I was working on a few things, I decided to set it up and just play around. You can read the entry on their blog. In the post they tell you how to set up your server and perform some basic tests. For one of the examples, the author used “Common Injection” on a ping.pl page. He only did enough to show you that it can be done, and it is up to you to figure out how to get from injection to root. So I figured I would just play around and see how far I can get.

Setup:

Attacker: Kali 32bit updated as of 9-13-14 @ 192.168.160.155
Victim: CentOS 5.3 with Apache and a few other services running. @ 192.168.160.156

First, I started off by using nmap to gain information about the victim machine. I did the typical scans for fingerprinting, scripting, etc.

    nmap -T4 -A 192.168.160.156
    Nmap scan report for 192.168.160.156
    Host is up (0.00033s latency).
    Not shown: 991 filtered ports
    PORT     STATE  SERVICE      VERSION
    21/tcp   closed ftp
    22/tcp   open   ssh          OpenSSH 4.3 (protocol 2.0)
    | ssh-hostkey: 1024 fe:91:88:40:f8:1f:9d:35:a3:5a:33:7d:bb:36:81:03 (DSA)
    |_2048 0d:ca:d5:ff:76:af:f8:ba:bf:de:4d:4d:93:e7:27:07 (RSA)
    23/tcp   closed telnet
    25/tcp   closed smtp
    80/tcp   open   http         Apache httpd 2.2.3 ((CentOS))
    | http-methods: Potentially risky methods: TRACE
    |_See http://nmap.org/nsedoc/scripts/http-methods.html
    |_http-title: Administrator Ping Script
    139/tcp  closed netbios-ssn
    445/tcp  closed microsoft-ds
    631/tcp  closed ipp
    2049/tcp closed nfs
    MAC Address: 00:0C:29:5A:71:84 (VMware)
    Device type: general purpose
    Running: Linux 2.6.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6
    OS details: Linux 2.6.9 - 2.6.27
    Network Distance: 1 hop

    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.33 ms 192.168.160.156

As we can see from the nmap output there isn’t much there; however, I did notice a website running and SSH, which could come in handy later. I visited the website and realized it was just an “Administrative CGI/PERL script interface” to allow the company’s administrator to ping hosts on their internal LAN. There are a few things that I noticed when I visited the website.

  1. There was nothing super exciting about the page, however when I viewed “page source” I noticed the form action tags, which referenced a “/cgi-bin/ping.pl” page.
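
As an added illustration (not code from the original post or the Infosec Institute article), here is a hypothetical Perl handler for a ping form like the one described above, with the injectable pattern shown as a comment beside a hardened version. The sub names, the /bin/ping path and the sample inputs are assumptions.

```perl
#!/usr/bin/perl
# Added example (hypothetical handler, not the ping.pl from the post).
use strict;
use warnings;

# Injectable pattern, shown only as a comment: the form value is interpolated
# into a string handed to /bin/sh, so shell metacharacters in it are honoured.
#     my $out = `ping -c 4 $host`;

# Allow-list check: dotted-quad IPv4 or a plain DNS hostname, nothing else.
# \A and \z anchor the whole string; unlike $, \z rejects a trailing newline.
sub valid_host {
    my ($host) = @_;
    return 0 unless defined $host && length $host && length $host <= 253;
    if ($host =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/) {
        return (grep { $_ > 255 } $1, $2, $3, $4) ? 0 : 1;
    }
    # Labels start with a letter or digit, so a leading "-" (which ping
    # would parse as an option) is rejected as well.
    return $host =~ /\A[A-Za-z0-9][A-Za-z0-9-]{0,62}
                     (?:\.[A-Za-z0-9][A-Za-z0-9-]{0,62})*\z/x ? 1 : 0;
}

# Hardened call: list-form pipe open executes ping directly, with no shell,
# so the host reaches ping as a single argv entry.
sub safe_ping {
    my ($host) = @_;
    return unless valid_host($host);
    open(my $fh, '-|', '/bin/ping', '-c', '4', $host) or return;
    local $/;                      # slurp all of ping's output
    my $out = <$fh>;
    close $fh;
    return $out;
}

# Constructed sample inputs; only the validation result is printed here.
for my $in ('192.168.160.156', 'intranet.example', '300.1.1.1',
            '192.168.160.156; id', '-f', "10.0.0.1\n") {
    (my $shown = $in) =~ s/\n/\\n/g;
    printf "%-24s %s\n", $shown, valid_host($in) ? 'accepted' : 'rejected';
}
```

Only the first two inputs are accepted; the out-of-range address, the value containing a shell metacharacter, the option-like value and the value with a trailing newline are all rejected before ping is ever invoked.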


What’s up?!?! and Arm Exploitation

So, I am either getting sick or I need more sleep. I wanted to do a video this week but I feel horrible so here is a video that I did a few years ago. It is now on Security Tube but I wanted to link and add it here.

Video: http://www.vimeo.com/11890370

Also, because I am on this never-ending search for knowledge, I ran across this Introduction to Arm Exploitation. This site is pretty cool; I have viewed their other lessons on Assembly and found them to be a great resource.

*Yawns* Why my head hurts

Over the last few weeks I have been doing the Cracking the Perimeter course (aka OSCE) from Offensive Security. The course has been an awesome learning experience and has sparked a passion for exploit development and reverse engineering. Now that my course lab time is over I am left to my own devices before I sit for the practical. I thought I would add some cheat-sheets, nothing that will give the course work away (besides what’s on the syllabus). I want people to suffer as much as I did, but also wanted to provide some helpful hints for other n00bs.

Besides the basics of assembly and according to the Course Syllabus, here are a few cheat-sheets/notes that helped me along the way.

Module 1 Cross-Site Scripting

The course work and labs during the OSCP should prepare you enough for this module.

Module 2 Directory Traversal

Again, the course work and labs during the OSCP should prepare you enough for this module.

Module 3 Backdoor PE

Know your direction flags in assembly (e.g. cld and std) and know what they do. Also, know the common FLAGS registers (e.g. EFLAGS and RFLAGS).

Module 4 Bypassing AV

Know your assembly jump commands.

Module 5 Bypassing ASLR

Read and do the tutorial from Corelan along with the Offsec labs.

Module 6 Egghunters

Read this and this and this white paper

Module 7 TFTP zeroday

Read this

Module 8 HP Openview zeroday

Read this

Module 9 GRE Sniffing

Hope that you get tftp working on BT5 correctly, then you should have no problem.

I have learned so much during this course and I will continue to add to my knowledge. Probably one of the best courses I have taken in a while, even more so than the OSCP course. For those who have taken the OSCP course and are thinking about taking the OSCE course, I would definitely walk through the Corelan exploit tutorial series along with the Offsec course work; you should have no problem.

Hope you found this helpful!

UPDATE: forgot to add this, a collection of assembly primers from the trainers at OpenSecurityTraining.info.

NOVA Hackers tonight

Doing a presentation for NOVA Hackers on fuzzing with Spike; I will add slides after the meeting. Also, I will add the spike scripts I created to GitHub once they are done.

Update: will add slides tonight. After the meeting I started talking with another NoVAH member, which sparked an idea that we are starting to work on. Hopefully other people will find it useful.