Watch video on-line: http://blip.tv/g0tmi1k/holynix-level-2-5494348
Download video: http://www.mediafire.com/?70m714m55v4c6df
Holynix is a series of operating systems with purposely designed weakness(es) left inside. The aim of them is to go from "boot-to-root"; the user has to try and get a shell with the highest user privilege they can reach.
- Scanned network for the target (Netdiscover)
- Configured IP address (192.168.1.0/24)
- Port scanned the target (unicornscan)
- Banner grabbed the services running on the open ports (nmap)
- Added the target's IP to the hosts file & re-configured DNS settings
- Successfully replicated the DNS databases (Zone Transfer)
- Successfully brute forced web server directories (DirBuster)
- Detected & exploited outdated software (phpMyAdmin)
- Discovered an internal document (DirBuster)
- Cracked FTP passwords (John The Ripper)
- Uploaded a web backdoor (Metasploit)
- Escalated privileges via a vulnerable kernel version
- Located MySQL database details
What do I need?
- kolynix-v2.tar.bz2 (MD5: 2B91038DE5C5150BFC48AA39C84E7E71) – (Homepage).
- A virtual machine (Example: Virtual Box or VMware Player).
- Netdiscover – (Can be found on BackTrack 5).
- Nmap – (Can be found on BackTrack 5).
- Unicornscan – (Can be found in BackTrack 5's repository).
- DirBuster – (Can be found in BackTrack 5).
- Exploit-DB – (Can be found on BackTrack 5).
- John The Ripper – (Can be found on BackTrack 5).
- Metasploit – (Can be found on BackTrack 5).
To begin, the attacker needed to locate the target. This was accomplished by using "netdiscover", as it was able to scan for hosts on multiple IP ranges quickly. The output from the scan showed the target on a different IP range from the DHCP server's pool, meaning the target had a static IP address. The IP address, MAC address and vendor were now known to the attacker, and they updated their own IP address to fit inside the same IP range as the target.
Once the attacker was in the same subnet as the target, the attacker completed a full port scan of both TCP & UDP on the target by using "unicornscan". When the scan had finished, the results showed that the target had four TCP ports open: 21, 22, 53 & 80, as well as one UDP port, 53.
Afterwards, the attacker wanted to know what services were being used on these ports. By using "nmap" to banner grab the services, the protocols and services (and possible versions) could be identified, along with fingerprinting the operating system in use. The outcome of the scan revealed that the services being used matched up to their default protocol ports: ftp, ssh, dns and web services.
The attacker then proceeded by interacting with the target's web server, and by doing so they were able to find some useful information: the domain name, the name servers, and the fact that each user had their own sub-domain. The attacker updated their system to reflect the newly discovered information by pointing their DNS settings at the target.
The attacker then set out to produce a list of possible usernames from the sub-domains by using DNS enumeration. By using "dig" the attacker was able to gather details about the domain, zincftp.com. This revealed that there were two DNS servers: the primary server pointed to the target itself, and the secondary server had an IP address one higher than the primary's. From the earlier nmap scan, the attacker knew that this IP address wasn't currently in use. The attacker then attempted a zone transfer, as the DNS port (TCP 53) was open, which would clone the DNS database; however, it failed. By changing their IP address to match the secondary DNS server and re-trying the request, the attacker was this time presented with a list of all the known values for the DNS service.
The next stage was to extract a list of all known hosts from the sub-domains as well as a possible list of usernames. Upon further inspection of the list, the attacker filtered out all the values pointing at the primary server, which left a few interesting results such as: the nameservers (which were already known), a mail server (which was on a completely different IP range) and trusted.zincftp.com.
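As an added example (not code from the original write-up), the sorting step described above written as a small zone audit: it reads records in the format `dig ... AXFR` prints and groups the exposed hosts into those on the primary server, other hosts inside the expected network, and hosts pointing elsewhere. This is the review a zone owner would run to see what an unrestricted transfer hands out before restricting who may request one. The record set, names and addresses below are constructed placeholders, not the values from the Holynix VM.

```python
import ipaddress

# Constructed sample in the one-record-per-line format that "dig ... AXFR"
# prints. Addresses are documentation ranges, not the Holynix VM's values.
SAMPLE_AXFR = """\
zincftp.com.          3600 IN SOA ns1.zincftp.com. hostmaster.zincftp.com. 2011010101 3600 900 604800 3600
zincftp.com.          3600 IN NS  ns1.zincftp.com.
zincftp.com.          3600 IN NS  ns2.zincftp.com.
zincftp.com.          3600 IN MX  10 mail.zincftp.com.
ns1.zincftp.com.      3600 IN A   192.0.2.10
ns2.zincftp.com.      3600 IN A   192.0.2.11
mail.zincftp.com.     3600 IN A   198.51.100.25
trusted.zincftp.com.  3600 IN A   192.0.2.12
www.zincftp.com.      3600 IN A   192.0.2.10
dhammond.zincftp.com. 3600 IN A   192.0.2.10
tmartin.zincftp.com.  3600 IN A   192.0.2.10
"""


def parse_a_records(text):
    """Return {name: address} for every A record; other record types are ignored."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "A":
            records[fields[0].rstrip(".")] = fields[4]
    return records


def audit_zone(text, primary_name, expected_net):
    """Group exposed hosts by where they point relative to the primary server.

    primary_name is the nameserver whose address counts as "the primary";
    expected_net is the CIDR the zone's hosts are supposed to live in.
    """
    records = parse_a_records(text)
    if primary_name not in records:
        raise ValueError("no A record for primary server %s" % primary_name)
    primary_ip = records[primary_name]
    net = ipaddress.ip_network(expected_net)
    on_primary, other_internal, outside = [], [], []
    for name, addr in sorted(records.items()):
        if addr == primary_ip:
            on_primary.append(name)
        elif ipaddress.ip_address(addr) in net:
            other_internal.append(name)
        else:
            outside.append(name)
    return {"primary_ip": primary_ip, "on_primary": on_primary,
            "other_internal": other_internal, "outside": outside}
```

Everything in `other_internal` and `outside` is what is left after filtering out the primary server's records, which is the short list the write-up ends up with.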
The attacker then moved their focus back to the web server. "DirBuster" was able to brute force a list of directories on the web server and check their status. In the first scan, the attacker noticed two folders (/phpMyAdmin/ & /setup_guide/) which returned "HTTP response code 403 - Forbidden". The attacker then changed their IP address to match the value of "trusted.zincftp.com" and opened another instance of DirBuster to compare the output. After the second scan had completed, the two previously denied folders returned "HTTP response code 200 - OK". The attacker then chose to view what was meant to be hidden and discovered that one page was an unprotected phpMyAdmin page, and the other a directory listing which only contained one file, "todo".
By exploring the phpMyAdmin page, the attacker was able to view the contents of the database, which contained two usernames and their email addresses; the attacker added these to their list of known users. Afterwards, the attacker checked the version of phpMyAdmin, noticed it was a very old version, and checked whether any known exploits had been released for it in their local copy of public exploits from "exploit-db". After checking the versions, the attacker discovered that there was a remote directory traversal vulnerability.
The exploit allowed the attacker to view any file readable by the user phpMyAdmin was running as. By using this, the attacker was able to discover all the user accounts on the system, via a known file which commonly contains details of each user on the system (/etc/passwd). After analysing the file, the attacker saw that not every user had shell access, and filtered these users out, as they wouldn't be able to provide a remote shell. The attacker then made a note of the remaining usernames in a separate file, as they had higher priority.
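The shell-access filtering described above, as an added example (not the write-up's code) written from the administrator's side: the same passwd(5) parsing tells an admin which accounts can log in interactively, which service accounts have been left with a real shell, and whether any account other than root has UID 0. The sample passwd lines are constructed for this example, not taken from the Holynix VM.

```python
# Shells that cannot start an interactive session. An empty shell field is
# treated the same way here; login(1) would fall back to /bin/sh for it, so
# list it separately if that matters on the system being audited.
NON_LOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync", ""}

# Constructed sample in passwd(5) format; users and shells are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
mysql:x:104:108:MySQL Server:/var/lib/mysql:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
# a comment and a malformed line, both of which are skipped
broken:line:here
dhammond:x:1001:1001:D Hammond,,,:/home/dhammond:/bin/bash
tmartin:x:1002:1002:T Martin,,,:/home/tmartin:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; blank, comment and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # passwd(5) defines exactly seven colon-separated fields
        name, _pw, uid, gid, gecos, home, shell = fields
        try:
            uid, gid = int(uid), int(gid)
        except ValueError:
            continue
        entries.append({"name": name, "uid": uid, "gid": gid,
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def login_capable(entries):
    """Accounts whose shell can start an interactive session."""
    return [e["name"] for e in entries if e["shell"] not in NON_LOGIN_SHELLS]


def system_accounts_with_shell(entries, first_user_uid=1000):
    """Service accounts (UID below the first human user, excluding root) that kept a real shell."""
    return [e["name"] for e in entries
            if 0 < e["uid"] < first_user_uid and e["shell"] not in NON_LOGIN_SHELLS]


def extra_uid0(entries):
    """Any account besides root with UID 0, which is effectively a second root."""
    return [e["name"] for e in entries if e["uid"] == 0 and e["name"] != "root"]
```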
Afterwards, the attacker viewed the "todo" file on the web server, which described the company's internal procedure when a new user is added to the system. The last stage of that procedure was to add them to the FTP service, allowing them to download/upload files to the server. By using the phpMyAdmin exploit, the attacker was able to read the encrypted password file which contained the FTP user credentials.
The attacker now had a local copy of the users who were allowed to use the FTP service, along with their passwords; however, the passwords were encrypted. The attacker then located a small wordlist to attempt to brute force the passwords. After loading the passwords and wordlist into "John The Ripper", the attacker discovered two passwords (jack-in-the-box and millionaire) which were in use (because they were inside the wordlist), along with the two usernames (dhammond and tmartin).
As the attacker was now able to view each user's web folder via [username].zincftp.com, as well as being able to interact with the FTP server, the attacker created and uploaded a small test file to see if the two services overlapped with each other. (Editor's note: the VM at this stage had "run out of room"; however, after restarting the Holynix virtual machine it worked.) The result was that the message "Hello World" was displayed, meaning the FTP and web root folders were the same and the attacker was able to execute PHP code. From this, the attacker then crafted a web-based backdoor via "metasploit", set up a listener to catch the reverse connection and repeated the same upload procedure as before.