Watch video on-line: http://blip.tv/g0tmi1k/vulnimage-manual-5830689
Download video: http://www.mediafire.com/?38zd5afv4uadbxv
VulnImage is an obscure "boot-to-root" operating system (I can't even find a 'homepage' as such for it!) which has purposely crafted weakness(es) built into it. The user's end goal is to interact with it and gain the highest user privilege they can.
The 'manual' tag refers to the way the login system is bypassed and to the privilege escalation, which is done via Linux exploit development (covering everything from fuzzing through to a Metasploit module). Another method is located here.
- Scanned network for the target [NetDiscover]
- Port scanned the target [UnicornScan]
- Banner grabbed the services running on the open port(s) [NMap]
- Bypassed the login system [Firefox]
- Modified page requests to the web server [Tamper Data]
- Manipulated the blog to upload a backdoor [Pentestmonkey's PHP-Reverse-Shell]
- Brute forced directories & files on the web server [DirBuster]
- Discovered a custom application running and downloaded the source code ['buffd']
- Escalated privileges via a vulnerable kernel version [udp_sendmsg]
- Exploit development starts at 5:28
- Fuzzed the custom application until it crashed [NetCat & Python]
- Verified and located which part of the buffer overwrites the EIP register [Metasploit's pattern_create & pattern_offset & GDB]
- Created shellcode to be executed [Metasploit's msfvenom]
- Updated the buffer with the shellcode and verified everything so far [Python & GDB]
- Final update of the buffer to include the ESP address [GDB]
- Escalated privileges via the new exploit ['buffd']
- Restarted the target machine to verify the exploit
- Created a Metasploit module [Geany]
- Escalated privileges via the new exploit using Metasploit ['buffd']
- Restored the target machine back to its original state
- Instantly gained root access via the new exploit [Metasploit]
What do I need?
- VulnImage.zip (MD5: 8CB0E628AEB3C7E1F771764D07280655).
- A virtual machine (Example: VMware Player or Virtual Box).
- NetDiscover – (Can be found in BackTrack 5).
- UnicornScan – (Can be found in BackTrack 5's repository).
- NMap – (Can be found in BackTrack 5).
- Firefox – (Can be found in BackTrack 5).
- Tamper Data – (Can be found in BackTrack 5).
- PHP-Reverse-Shell – (Can be found in BackTrack 5).
- NetCat – (Can be found in BackTrack 5).
- DirBuster – (Can be found in BackTrack 5).
- udp_sendmsg – (Found on exploit-db.com & Can be found in BackTrack 5).
- Python – (Can be found in BackTrack 5).
- Metasploit – (Can be found in BackTrack 5).
- A Text Editor (e.g. Geany) – (Can be found in BackTrack 5's repository).
The first stage is to locate the target, which the attacker does by using "NetDiscover", as this quickly scans the subnets for IPs, Media Access Control (MAC) addresses and the known vendor that relates to each MAC address. The attacker knows that the target is running under VMware; as there aren't any other virtual machines in use and the target hasn't spoofed its MAC address, the VMware vendor entry identifies the target.
The attacker then port scans the target, as this discovers any services which are listening on the exposed interface. The attacker chooses "UnicornScan" as it is accurate and efficient whilst scanning at speed. The port scan shows there are 7 open TCP ports: 22 (SSH), 25 (SMTP), 80 (HTTP), 139 (NETBIOS), 445 (SAMBA), 3306 (MySQL) and 7777 (CBT). There is only 1 UDP port open, 137 (NETBIOS). The attacker then verifies the TCP results with another port scan using "nmap". At the same time, the attacker takes advantage of other features built into nmap, such as its scripting engine, which enumerates the protocols and services detected on the open ports and grabs their banners. The attacker chooses to interact with the web service running on the default TCP port 80. The justification is that a web front end is a very graphical, friendly and common way of letting the end user interact with the system, so it is likely to expose a lot of information that can be enumerated, as well as poorly written code that can be taken advantage of.
The attacker starts "DirBuster" to brute force directories and files on the web server: it requests a list of common paths used on web servers and analyses the HTTP response codes. As this takes a while, it is left running in the background.
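From the defender's side, a DirBuster run against a web server is loud: one client produces a burst of 404 responses for paths that never existed. The following is an added example (not code from the original post, and not part of VulnImage) that parses Apache combined-format access-log lines and flags any client IP that produces at least `threshold` 404s within a sliding time window. The log lines, IPs, paths and timestamps are constructed for the example; the DirBuster User-Agent string shown is an assumption about what the tool sends by default.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache "combined" format). None of these
# are real VulnImage logs; the IPs, paths, times and User-Agent are made up.
DIRBUSTER_UA = "DirBuster-1.0-RC1 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)"
SAMPLE_LOG = "\n".join([
    '192.168.0.50 - - [10/Nov/2011:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '192.168.0.50 - - [10/Nov/2011:10:00:01 +0000] "GET /favicon.ico HTTP/1.1" 404 287 "-" "Mozilla/5.0"',
    f'192.168.0.99 - - [10/Nov/2011:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 287 "-" "{DIRBUSTER_UA}"',
    f'192.168.0.99 - - [10/Nov/2011:10:00:03 +0000] "GET /backup/ HTTP/1.1" 404 287 "-" "{DIRBUSTER_UA}"',
    f'192.168.0.99 - - [10/Nov/2011:10:00:04 +0000] "GET /test/ HTTP/1.1" 404 287 "-" "{DIRBUSTER_UA}"',
    f'192.168.0.99 - - [10/Nov/2011:10:00:05 +0000] "GET /old/ HTTP/1.1" 404 287 "-" "{DIRBUSTER_UA}"',
    f'192.168.0.99 - - [10/Nov/2011:10:00:06 +0000] "GET /tmp/ HTTP/1.1" 404 287 "-" "{DIRBUSTER_UA}"',
    f'192.168.0.99 - - [10/Nov/2011:10:00:07 +0000] "GET /cgi-bin/ HTTP/1.1" 404 287 "-" "{DIRBUSTER_UA}"',
    f'192.168.0.99 - - [10/Nov/2011:10:00:08 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 4120 "-" "{DIRBUSTER_UA}"',
])

# ip ident authuser [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_dir_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: summary} for every client that produced >= threshold 404s
    inside any `window`-long interval. Unparseable lines are skipped."""
    not_found = defaultdict(list)   # ip -> [(timestamp, path), ...] for 404 responses
    agents = defaultdict(set)       # ip -> set of User-Agent strings seen
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        agents[rec["ip"]].add(rec["ua"])
        if rec["status"] == 404:
            not_found[rec["ip"]].append((rec["ts"], rec["path"]))

    alerts = {}
    for ip, events in not_found.items():
        events.sort()
        best, start = 0, 0
        # Two-pointer sliding window over the sorted 404 timestamps.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = {
                "max_404_in_window": best,
                "distinct_missing_paths": len({path for _, path in events}),
                "user_agents": sorted(agents[ip]),
            }
    return alerts


def run_example():
    """Run the detector over the constructed sample log."""
    return detect_dir_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, info in run_example().items():
        print(f"{ip}: {info['max_404_in_window']} x 404 within 60s, "
              f"{info['distinct_missing_paths']} distinct missing paths, UA={info['user_agents']}")
```

The burst of 404s is the robust signal; the User-Agent is only corroborating evidence, since a scanner's UA is trivially changed. The normal client's single missing favicon stays well under the threshold, which is the point of counting within a window rather than alerting on any 404.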
The web service responds normally when the attacker interacts with it using a web browser, for example "firefox". The attacker then explores the web application's structure by clicking through the links and soon sees that the web service is running a blog, on which two posts have been published by the user 'blogger'. The attacker keeps following links on the blog and is soon presented with a login page for user profiles. The first thing the attacker looks at is the page's source code, where they notice a hidden field called "fname" with a value of "sig.txt", which appears to be a text file used for signatures.
Next they test the login system by entering data which wouldn't be correct, as this shows whether the login system is working as well as what error message(s) an incorrect login produces. The attacker uses the likely username 'blogger' and the password 'password'. The attacker then goes back and repeats the request, however, this time with a different password, to attempt to alter the login process. Editor's note: Before recording the video, the attacker noticed that phpMyAdmin was running on the web server (found by DirBuster). This is a GUI for managing MySQL databases, which are commonly used to validate credentials.
The attacker then replaces their password with a fragment of MySQL syntax which modifies (by 'injecting' their code into) the MySQL statement that has been hardcoded on the server side. This "password" causes the original MySQL statement to return true, so it logs in as the chosen user without the correct password being present. Editor's note: An explanation of the vulnerable code is below:
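The login bypass works because the server builds its SQL statement by concatenating the submitted username and password into the query text, so the password field can close the string literal and append a condition that is always true. The following is an added example (not the blog's code and not from the original post) that reproduces that pattern against an in-memory SQLite database next to the hardened form: a parameterised lookup by username followed by a constant-time comparison of a salted PBKDF2 hash. The table name, column names and the 'blogger' credential are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3


def pbkdf2(password, salt):
    """Salted, iterated password hash (stdlib PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_db():
    """Constructed demo database with one user. The plaintext 'password' column
    exists only so the vulnerable query below can mirror the concatenation pattern;
    the hardened path uses the salt/pwhash columns instead."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT, salt BLOB, pwhash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("blogger", "s3cret-demo", salt, pbkdf2("s3cret-demo", salt)))
    return db


def login_vulnerable(db, username, password):
    """Vulnerable: user input is spliced into the SQL text, so a password such as
    ' OR '1'='1 turns the WHERE clause into one that matches every row."""
    sql = ("SELECT name FROM users WHERE name = '" + username +
           "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Hardened: the username is bound as a parameter (never part of the SQL text)
    and the password is never sent to the database at all; it is verified by
    recomputing the salted hash and comparing in constant time."""
    row = db.execute("SELECT salt, pwhash FROM users WHERE name = ?", (username,)).fetchone()
    if row is None:
        return None
    salt, stored = row
    if hmac.compare_digest(pbkdf2(password, salt), stored):
        return username
    return None


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"
    print("vulnerable, correct password :", login_vulnerable(db, "blogger", "s3cret-demo"))
    print("vulnerable, injected password:", login_vulnerable(db, "blogger", bypass))
    print("safe, correct password       :", login_safe(db, "blogger", "s3cret-demo"))
    print("safe, injected password      :", login_safe(db, "blogger", bypass))
```

The parameterised version does not merely escape quotes; the database driver sends the SQL text and the values separately, so no value can change the statement's structure. Moving the password comparison out of the query also means the stored hash never has to be matched inside SQL, which is what lets the application use a slow, salted hash.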