Remote Exploit Forums

#1
11-03-2009, 02:03 AM
Just burned his ISO
Join Date: Nov 2009
Posts: 4
target is linux. tftp help?

I'm doing a lab at home via vmware. My attacker is BackTrack (of course) and my target is linux slackware. So far I have only been able to get as far as logging onto its ftp as anonymous (nothing really useful in there) and able to connect to the target via tftp. I'm still quite new to pen-testing so I'm not sure what I could do with this tftp access. I see that I am able to run commands such as "get" and "put". I was able (I think) to copy netcat over to the target but not sure how I can connect to the target via netcat. Since I don't have access to the target yet, I can't start a listener on the box (unless one of you know a way). If I could start a listener then I assume the best bet would be to retrieve the /bin/bash with the nc -e option. The following are the ports which are open. *this is all on my personal lab, just an fyi*

21 – ftp – vsftpd 2.0.4
22 – ssh – OpenSSH 4.3
80 – http – Apache httpd 2.2.4 mod_ssl/2.2.4 OpenSSL/0.9.8b DAV/2
631 – ipp – CUPS 1.1

Thanks for any help or a push in the right direction.
#2
11-03-2009, 02:30 AM
Junior Member
Join Date: Nov 2007
Posts: 12

Personally, I would approach it one of two ways:
  1. Bruteforce the FTP server for a username / password
  2. Find an exploit for the CUPS 1.1 service (A google search for "CUPS 1.1 vulnerability" turned up quite a few results.)

Also, I generally like to stay away from "noisy" methods. Thus, I would pick the 2nd method.

Last edited by The Bandit; 11-03-2009 at 02:38 AM.
#3
11-03-2009, 02:38 AM
lupin
Moderator
Join Date: Mar 2009
Location: Australia
Posts: 945

What you have managed to do with nc is basically just get it onto the box. (You can confirm it's actually there by trying a TFTP get on the filename by the way, or you can check via the console on the slackware box, a good practice when you are just learning).

To actually USE that uploaded nc, the target system needs to be binary compatible with the system that nc was compiled for and must have compatible libraries so the nc binary will run (e.g. the CPU architecture must be the same, c libraries must be compatible, etc). That probably won't be an issue assuming the slackware target is relatively recent (it looks to be judging by the services versions you reported) and is 32 bit X86 based.

You then need to find a way to get code execution on the box to run nc. Code execution as any user will do to start with, you don't need root access right off the bat (but it's good if you can get it). This is the challenging bit.

Assuming no client side attacks (where a client process on the target system interacts with your attack to give you access), you need to exploit or bypass security on one of the network services on the target. The two attacks I'd suggest you focus on first are authentication bypasses and service exploitation. So basically, try password guessing on SSH/FTP and use Nessus/OpenVAS to scan for vulnerabilities on the other services, check vulnerability databases and check for exploits in Milw0rm/Metasploit/Securityfocus/Google/elsewhere.

If you are feeling adventurous you can also try an application assessment on the web server. Check out the OWASP Testing Guide for more information. The obvious thing to look at first based on the banner info is WEBDAV, which may give you the ability to upload and download files which you may then be able to run if any cgi scripting is enabled on the server. (The banner doesn't mention any scripting engines, but it doesn't mean that they are not there - check other HTTP header information, file extensions, the presence of default files, etc to try and determine this).

You may also want to set up an older system for a target (a few years old say) and run as many services as possible, or try something like the DeICE CDs or Damn Vulnerable Linux to get practice on a slightly easier target.

That should be enough to keep you occupied for a while hopefully...
__________________
Nancy Astor: If I were your wife I would put poison in your coffee!
Winston Churchill: Madam, if I were your husband I would drink it.

Last edited by lupin; 11-03-2009 at 02:42 AM.
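The binary compatibility check lupin describes above, as an added example (not lupin's code): read the ELF header of the uploaded nc and compare its class, byte order and machine type against a binary that already runs on the target (its /bin/sh, read from the console). The sample headers are constructed inline; a header match is necessary but not sufficient, since the C library must also be compatible.

```python
import struct

# ELF identification bytes and the e_machine values relevant here (ELF spec)
ELF_MAGIC = b"\x7fELF"
EI_CLASS = {1: "32-bit", 2: "64-bit"}
EI_DATA = {1: "little-endian", 2: "big-endian"}
E_MACHINE = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def elf_info(data):
    """Return (class, byte order, machine) for an ELF image, or None if it is not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    cls, order = EI_CLASS.get(data[4]), EI_DATA.get(data[5])
    if cls is None or order is None:
        return None
    # e_machine is the 16-bit field at offset 18, stored in the file's own byte order
    fmt = "<H" if data[5] == 1 else ">H"
    (machine,) = struct.unpack(fmt, data[18:20])
    return cls, order, E_MACHINE.get(machine, "unknown(%d)" % machine)


def compatible(uploaded, reference):
    """True when the uploaded binary's header matches one known to run on the target.

    Necessary but not sufficient: the shared C library must also be compatible,
    which a header check cannot show (check with ldd on the target itself)."""
    a, b = elf_info(uploaded), elf_info(reference)
    return a is not None and a == b


def _header(cls, order, machine):
    """Build a constructed 20-byte ELF header (e_ident + e_type + e_machine) for the demo."""
    fmt = "<HH" if order == 1 else ">HH"
    return ELF_MAGIC + bytes([cls, order, 1, 0, 0]) + b"\x00" * 7 + struct.pack(fmt, 2, machine)


# Constructed samples: a 32-bit x86 target binary, an x86-64 build and a big-endian MIPS build
X86_32 = _header(1, 1, 3)
X86_64 = _header(2, 1, 62)
MIPS_BE = _header(1, 2, 8)

if __name__ == "__main__":
    for name, hdr in (("x86_32", X86_32), ("x86_64", X86_64), ("mips_be", MIPS_BE)):
        print(name, elf_info(hdr), "runs on 32-bit x86 target:", compatible(hdr, X86_32))
```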
#4
11-03-2009, 04:17 AM
Just burned his ISO
Join Date: Nov 2009
Posts: 4

Thanks for the quick replies guys!

I should have mentioned that yes, I have run hydra for password guessing (ssh & ftp). I tried the wordlist which comes with backtrack but it didn't find anything at all.

Also before writing, I did confirm that nc was sent successfully by doing a "get" for the file via tftp from the target.

I was hoping to max out backtrack first to see what all it has included before downloading and installing possible exploits from the net but I'll go ahead and download nessus at least for starters.

Oh, I'm also going through the ISSAF manual while trying to hack into the target.
#5
11-03-2009, 04:59 AM
lupin
Moderator
Join Date: Mar 2009
Location: Australia
Posts: 945

The milw0rm archive is on BT in /pentest/exploits/ and OpenVAS is also installed (I prefer Nessus though so it's probably not a bad idea to install that). There are also other wordlists you could potentially try - the basic john list, the milw0rm list and various other common password lists as found on the Net can be useful. Password guessing however is not always that satisfying in a personal lab unless you use prebuilt images to which you don't know the passwords (e.g. DeICE)....

ISSAF is quite good, you may also want to check out the NIST security testing guide, OSSTMM and the Penetration Testing Framework, as well as OWASP for web assessments as I already mentioned.
#6
11-16-2009, 07:36 AM
Just burned his ISO
Join Date: Nov 2009
Posts: 4
update

I've spent quite a while on this hack and so far I have come up with nothing really. I know 3 names of users on the target system and made every possible combo which could be each of their usernames, tossed those potential usernames into a file and ran hydra to guess the password for their SSH access and their FTP access. It resulted in no found passwords.

As for the CUPS 1.1 vulnerabilities, I found a sigcups.c script on packetstorm which I downloaded and ran. It ran fine but said it could not exploit anything, the actual msg was "better luck next time! try different offsets maybe". I found many vulnerabilities for CUPS 1.1 but couldn't exploit any of them or even find enough material to know how to exploit these. As for the other found services, I could not find anything for OpenSSH 4.3 other than the much talked about "zero day exploit" 0pen0wn which I've heard conflicting stories on with regards to if it's just a rumor or not. Could not find any vulnerability to exploit for vsftpd 2.0.4 or openssl 0.9.8b. I had a look for some WebDAV exploits but they were all for IIS instead of Apache on Linux.

I was able to run OpenVAS and Nikto but could not get Nessus to start. Maybe Nessus needs a public internet connection to run or maybe I don't have the correct port # entered when editing the new nessus connection? (I'm on a private network with attack and victim on 2 vmware images running off of 2 iso's)

Nikto gave me:
Allowed HTTP methods: GET, HEAD, POST, OPTIONS, TRACE
OpenSSL 0.9.8b is vulnerable to remote buffer overflow exploit with may result in a remote shell. CAN-2002-0082. (can't find how to exploit this)

I can't find how to exploit any of the following which OpenVAS gave me:
1. The following directories were discovered: /cgi-bin
2. Anonymous FTP login allowed & has a world writeable folder.
3. OpenSSH 4.3 has a flaw caused by improper handling of errors within a SSH session encrypted with a block cipher in CBC mode. Successful exploits will allow attackers to obtain four bytes of plaintext from an encrypted session.
4. Command Injection vulnerability due to error in the mod_proxy_ftp module which can be exploited via vectors related to the embedding of these commands in the Authorization HTTP header. Successful exploitation could allow remote attackers to bypass intended access restrictions in the context of the affected application, and can cause the arbitrary command injection.
5. Input passed to the module mod_proxy_ftp with wildcard character is not properly sanitized before returning to the user. Remote attackers can execute arbitrary script code.
6. Apache HTTP server is prone to a security-bypass vulnerability. A local attacker may exploit this issue to execute arbitrary code within the context of the webserver process.
7. Remote SSH supported authentication : publickey,password,keyboard-interactive.

I found a couple of Google pages describing how to perform SSH authentication with publickey but did not quite understand it. I did find the following on the target ftp server while logged in as anonymous and it looks like it may be a publickey but not sure:

Qwaerasdf12iilasdfo22o12kaskfmcjalklknlk!ljaio3ioa s
asdlfkmcmiIOFlkjnlsdlkjndIUNsdhLKJDsjNKSkdnKiueQWQ F
ZASMCZLSFLKElknasdknzxcmvn123maskjfaQ!

Any hints would be awesome about now. Quite stuck here.
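The post above asks whether the text found on the FTP server is a public key. As an added example (not from the thread), this parses the OpenSSH public key line format, `<type> <base64 blob> [comment]`, where the blob is a sequence of big-endian length-prefixed fields whose first field repeats the key type, and returns None for anything that does not fit. The sample key line is constructed in the ssh-rsa layout and is not a real key pair.

```python
import base64
import binascii
import struct


def parse_openssh_pubkey(line):
    """Parse one OpenSSH public key line ("<type> <base64> [comment]").

    Returns (key_type, number_of_fields) when the blob is a well-formed sequence of
    length-prefixed fields whose first field repeats the key type, else None."""
    parts = line.split()
    if len(parts) < 2:
        return None
    key_type, encoded = parts[0], parts[1]
    try:
        blob = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return None
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            return None
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            return None
        fields.append(blob[pos:pos + length])
        pos += length
    if not fields or fields[0] != key_type.encode():
        return None
    return key_type, len(fields)


def _field(b):
    """Encode one length-prefixed field of the SSH wire format."""
    return struct.pack(">I", len(b)) + b


# Constructed sample line in the ssh-rsa layout (type, exponent, modulus); not a real key pair
_blob = _field(b"ssh-rsa") + _field(b"\x01\x00\x01") + _field(b"\x00\xc3" + b"\x5a" * 30)
SAMPLE_RSA_LINE = "ssh-rsa " + base64.b64encode(_blob).decode() + " lab@example"
# The first line of the text quoted in the post: no key type prefix, not valid base64
NOT_A_KEY = "Qwaerasdf12iilasdfo22o12kaskfmcjalklknlk!ljaio3ioa s"

if __name__ == "__main__":
    print(parse_openssh_pubkey(SAMPLE_RSA_LINE))
    print(parse_openssh_pubkey(NOT_A_KEY))
```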