First, I have to admit that I have not published as much as I was hoping to since I started this blog last year. I have recently finished grad school and now I am in the mode of finally doing, starting, creating and catching up on all of the things that I have been neglecting because of classes.
My plan is to start posting material more often. I know I owe some of my friends posts from months ago…so yeah! I hope to start “Break sh*t Saturdays” with some guys from work and other friends, so that should help my weekly publish rate. Anyway, I wanted to do something small just to get back into the swing of things. Enjoy!
I remember working on an assessment for a company many moons ago when I ran across an old Linux box that had “mod_perl” with script access running. I rarely see it anymore because, well, most administrators no longer allow CGI scripts or other crazy stuff to run on their network.
(ahem, notice I said most)
However, I was recently reading a few posts on Infosec Institute; despite the whole BS that went on last year about stealing material, or whatever started the flame war on Twitter, they still publish decent material from time to time. One of those posts was about setting up and hacking a CGI server. Since I was working on a few things, I decided to set it up and just play around. You can read the entry on their blog. In the post they tell you how to set up your server and perform some basic tests. For one of the examples, the author used “Command Injection” on a ping.pl page. He only did enough to show you that it can be done, and it is up to you to figure out how to get from injection to root. So I figured I would just play around and see how far I can get.
Attacker: Kali 32bit updated as of 9-13-14 @ 192.168.160.155
Victim: CentOS 5.3 with Apache and a few other services running. @ 192.168.160.156
First, I started off by using nmap to gain information about the victim machine. I did the typical scans for fingerprinting, scripting, etc.
nmap -T4 -A 192.168.160.156
Nmap scan report for 192.168.160.156
Host is up (0.00033s latency).
Not shown: 991 filtered ports
PORT STATE SERVICE VERSION
21/tcp closed ftp
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 1024 fe:91:88:40:f8:1f:9d:35:a3:5a:33:7d:bb:36:81:03 (DSA)
|_2048 0d:ca:d5:ff:76:af:f8:ba:bf:de:4d:4d:93:e7:27:07 (RSA)
23/tcp closed telnet
25/tcp closed smtp
80/tcp open http Apache httpd 2.2.3 ((CentOS))
| http-methods: Potentially risky methods: TRACE
|_http-title: Administrator Ping Script
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
631/tcp closed ipp
2049/tcp closed nfs
MAC Address: 00:0C:29:5A:71:84 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.27
Network Distance: 1 hop
HOP RTT ADDRESS
1 0.33 ms 192.168.160.156
As we can see from the nmap output there isn’t much there; however, I did notice a website running and SSH, which could come in handy later. I visited the website and realized it was just an “Administrative CGI/PERL script interface” to allow the company's administrator to ping hosts on their internal LAN. There are a few things that I noticed when I visited the website.
- There was nothing super exciting about the page, however when I viewed “page source” I noticed the form action tags, which referenced a “/cgi-bin/ping.pl” page.
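To make the injection point concrete, here is a hypothetical Perl ping script in its vulnerable and hardened forms. This is an added illustration, not the ping.pl from the original post or from the Infosec Institute article; the names ping_vulnerable, valid_target and ping_hardened are my own.

```perl
#!/usr/bin/perl
# Hypothetical ping script (not the page's ping.pl) showing the injectable
# pattern next to a hardened replacement.
use strict;
use warnings;

# Vulnerable form: the untrusted "host" value is interpolated into a command
# string, and the backtick form hands that string to /bin/sh, so any shell
# metacharacters in the value are interpreted as shell syntax.
sub ping_vulnerable {
    my ($host) = @_;
    return `ping -c 1 $host`;
}

# Allow-list check: a dotted-quad IPv4 address or a plain hostname. Anything
# else (spaces, quotes, semicolons, pipes, backticks, $...) is rejected.
sub valid_target {
    my ($host) = @_;
    return 0 unless defined $host && length $host <= 253;
    return 1 if $host =~ /\A(?:\d{1,3}\.){3}\d{1,3}\z/;
    return 1 if $host =~ /\A[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*\z/;
    return 0;
}

# Hardened form: reject anything outside the allow-list, then run ping via the
# list form of open(), which execs the program directly with no shell between.
sub ping_hardened {
    my ($host) = @_;
    die "rejected target\n" unless valid_target($host);
    open(my $fh, '-|', 'ping', '-c', '1', $host)
        or die "cannot run ping: $!\n";
    my $output = do { local $/; <$fh> };
    close $fh;
    return $output;
}

# Stand-alone demonstration: in a real CGI the value would come from the form
# field (e.g. CGI->new->param('host')) and a Content-Type header would precede
# the output; here the target is taken from the command line instead.
if (!caller) {
    my $target = $ARGV[0] // '192.168.160.156';
    if (valid_target($target)) {
        print ping_hardened($target);
    } else {
        print "Rejected: target contains characters outside the allow-list\n";
    }
}
```

The list-form open() is the fix that actually matters: even if the allow-list were loosened, nothing in the value ever reaches a shell, so the field can only ever be an argument to ping.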