Tuesday, October 10, 2017

Vulnhub Walkthrough: LazySysAdmin 1

Walkthrough: LazySysAdmin 1
Author: Agoonie
Date: 2017-10-9

1. Target IP
VM is setup with host-only in VMware workstation.  I identified the IP with a simple Nmap ping sweep. 
nmap -sn -v
2. NMAP Scan/Service ID

Now, on to the full scan to identify open ports and to identify what services are running.

Next, I start to look at interesting ports, usually while the scan is still going.  I took note of ports 80, 139, 445, and 3306.  For port 80, I wanted to start to enumerate files and folder structure for the web application.  I usually use dirb/dirbuster. 


With dirb, I see folders for wordpress and phpmyadmin.  I use wpscan to see if I can get any information about the wordpress site being hosted.  Sometimes, you can get users, plugins, themes, etc.

The scan identified an admin user, wordpress version, a theme and some links to look at.  I noted everything and went on to ports 139 and 445.

Bingo.  I am able to see files in the wordpress folder using the SMB service.  If I can connect to it, maybe I can just read and write to it.  Next, put in a web shell, escalate privs and then, game over. 


No luck.  I can only read the files. I cannot write to the folder.  Well, let’s read some files.

It looks like the admin put in a password in the deets.txt file.  What else can we find?  Maybe config files in the wordpress folder. 


The wp-config.php file might be good.

Looks like we have an account for the wordpress site.  Let’s keep track of more creds and test them out.


We have AntiSpam and Hello Dolly.  A quick search for Hello Dolly and you see it is used by hackers to add backdoors to sites.  I assume that means I can just add php code to it. 


3. Exploit Execution

It has accepted and saved the php code I added to hello.php  Now, I just start a Metasploit mult handler and browse to hello.php.

4.  Escalating Privileges

We are running as www-data.  How can we escalate?  Let’s start looking around to see if we find anything.

Looks like we have more credentials to take note of.  We found the user togie, which is the admin for the wordpress site.  Maybe I can start to test the creds for his account, togie.  There is ssh running on the server.  Let’s try.

The password 12345 worked for him.  Well, he is the admin, maybe he is a sudo user?


Well, enumeration was key to root the box.  I did not screen shot the process but I tried every priv escalation root file from exploit-db.com.  Every one of them failed.  In addition, gcc and cc was not present on the box.  I created similar vm’s to compile the code and uploaded the executables.  It did not matter.  Every time I got a credential, I could get to the next step on the vm.  Great boot2root!

Sunday, July 21, 2013

YAGI USB adapter review

I am still alive.  I have been working on projects at work and home. I will be posting an update to Education 2013. But I just wanted to make a quick post about a wireless adapter, USB-Yagi Plug and Play directional WiFi Antenna 802.11n 2200mW. It is a great wifi adapter to use for a penetration test. It has a higher range of your average wireless adapter and better sensititvity too. I took it for a spin for some war-driving to test how much it would capture.  Oh, I also grabbed a Garmin 18x USB GPS to record the location info.  It was pretty cool. I think I need something better to keep it still in the car since it comes with a tripod bottom which is good for a table but not a moving vehicle. Of course, I was lucky enough to have my wife drive so I could concentrate on the laptop and wifi. Perfect wingman, wingperson.  Anyway, so what I wanted to do is use kismet and wash, while I was at it with the garmin 18x.

Ok, so I connected the Yagi and Garmin to the laptop. The Yagi(rt2800USB) is detected instantly as wlan2 on Kali. However, in order for the Garmin to be detected, I had to load the drivers for Garmin. I just used the command, modprobe garmin_gps. It seemed to work.  I used the command dmesg:

[96273.677562] usbserial: USB Serial support registered for Garmin GPS usb/tty
[96273.677605] garmin_gps 5-6.4:1.0: Garmin GPS usb/tty converter detected
[96273.678093] usb 5-6.4: Garmin GPS usb/tty converter now attached to ttyUSB0
[96273.678118] usbcore: registered new interface driver garmin_gps
[96273.678123] garmin_gps: garmin gps driver v0.31

Ok, so that is done.  Once I loaded the garmin gps module, it looked like gpsd, was able to run. Kismet uses the daemon gpsd also. Then, I went to the kismet config file located at /etc/kismet/kismet.conf. I checked the GPS settings. In addition, I wanted to check the wifi source information. I changed the ncsource to "wlan2" since that is the adapter interface once you connect the Yagi. Also, you can check your local ports to make sure port 2947 is open (netstat -antp | grep 2947). That is the port gpsd uses.

# Do we have a GPS?
# Do we use a locally serial attached GPS, or use a gpsd server, or
# use a fixed virtual gps?
# (Pick only one)
# Host:port that GPSD is running on.  This can be localhost OR remote!

# See the README for full information on the new source format
# ncsource=interface:options
# for example:
# ncsource=wlan0:type=ath9k
# ncsource=wlan0:name=intel,hop=false,channel=11

Lastly, you start kismet by running the "kismet" command. We were about to hit the road but I wanted to start wash. That is a program from the reaver suite. It will help detect wireless access points that have wps enabled. The reason I wanted to try this is that when I ran the command (wash -i mon0) with the Yagi adapter, I would get an repeated message:

[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...
[!] Found packet with bad FCS, skipping...

Other people apparently had this message so they recommend that you run (wash -i mon0 -C). However, when I would run this command, it would not give me anything after that.  I started to wonder if there was something wrong with either reaver or the Yagi adapter. Well, I figured why not try the adapter on the road.  When you use kismet, you have to change your wash command to (wash -i wlan2mon -C). Kismet puts the wifi adaptor to monitoring mode like airmon-ng does. Now, we were off. We were not three blocks from the starting point before the wash command gave results. I guess everything was working before, but I was just not in a close enough range of a vulnerable adapter. We drove around for about 2 hours. It was pretty cool to see so many access points show up on kismet and wash. It was a little depressing to see so many WEP set access points also.  2013... Anyway, surprised to see that my laptop still had battery life, I went on to install Google Earth on Kali. I went to the link (http://www.google.com/earth/download/ge/agree.html) to download the deb file. I installed the deb but it came back with errors. However, when I went to /opt/google/earth/free, it seemed like all the files made it. I ran google-earth and it loaded. Now, kismet created 5 files from the little road trip. However, to import the files to Google Earth, you have to run:

giskismet -x Kismet-20130719-19-59-50-1.netxml
giskismet -q "select * from wireless" -o trip.kml

I just opened the "trip" file inside Google Earth. All of the wireless access points were loaded and displayed. It is also color coded by encryption strength. It has information on the hosts that are connected to the access point at the time of the capture.  That was pretty cool. Now, the interesting thing is that I could match the wash results to the BSSID and SSID names. I know that wash does not have the GPS functionality yet but it would be pretty cool to add it.

That brought up two things I would love to try to do. One, try to port the GPS functionality airmon-ng has to wash.  The author(s) of reaver said that it could be done. However, I have very little experience programming g with C++.  However, you have to start somewhere even tho it would probably be added by someone else before I could even come close to pulling it off. I will still give it a shot. I started by looking at the source code for airodump-ng which is in the file "airodump-ng.c". It has to be a million lines of code in there. Then, I looked at the source code for wash in "wpsmon.c". There are also corresponding header files with constants and libraries. Maybe SecurityTube will be creating a C++ class in the future...

Secondly, I would like to setup the FreeRadius-WPE man-in-the-middle attack. There is a great video from SchmooCon 2008 by Josh Wright and Brad Antoniewicz. I wanted to test it on WPA2 Enterprise wireless environment with the help of the Yagi. I am guessing with a greater range, you are less likely to get caught on a wireless pentest or security assessment. Start the recon work with kismet/wash and then, use the aircrack-ng/freeradius-wpe suites for exploitation.

Well, that is some of the wireless stuff I have been looking at lately. The wireless Yagi adapter is great. I love the fact that is not too big, not too small and is very effective. It increases the number of airodump-ng results that you receive. Kali loads the drivers automatically and it is easy to use. If you are looking for some war-driving fun, please pick it up.    

Credit, I didn't re-invent the wheel:



SchmooCon 2008


Wednesday, March 13, 2013

Kali Released


Kali has been released today.  I have been wondering what changes they have made for the new "Backtrack 6", Kali 1.0.  Looks like they are going to Debian.  For a list of changes, go here.  I have already downloaded the ISO and I love the boot screen.  It looks like all my devices are found in this version of the Kali Live CD.  The offsec guys say that this is a very customizable distro.  I want to install it but I have not had any trouble with Ubuntu 12.04.  It has everything I would need for a vulnerability assessment or penetration test, however, I will keep it as a virtual machine instead of using it daily on my laptop. Probably ... for now.  I want to investigate the new tools that are available.  They said that it has over 300 new tools and remove the stale ones.


Since I am trying to focus more on Web Application testing instead of the network testing, I will probably focus on Burp, WafW00f, Nikto, Wikto, SQLMap, SQLNinja, etc. I have been using them a lot in the Web App Pentester Night School course by Joe McCray.  When the course is over, I am sure I am going to want to use them against a web application test environment.  There was a great listing posted on EthicalHacker last month on web application testing here.  The actual website with all of the test virtual machines and security labs are located here.  I want to get better XSS and webshells and bypassing IDS/IPS.  I have been having trouble with the latest version of URLScan too.  Such a pain in the butt.

In addition, the Offensive Security guys have announced that they will give offsec veterans a discount "once a new version of PWB [ Offensive Security Certified Professional (OSCP) ] is available, in the next 6 months" (Reference: ) I do not think the new Kali release will impact the course.  Having Kali will probably just be nice to have if you were taking the course at the time. I am undecided if I will take the updated course.  I loved the course but I want to finish so many other subjects, I am not sure I can get it all done.  I am still working on SPSE from SecurityTube. I want to get very good at coding in Python and to do it justice, I will be doing it for a while.  There is a tool I have in mind that I want to write in python and I need a better understanding of web scraping google search results among other things.  Till next time.