Rebootuser - IT Security, HackLAB challenges and general blogging blurb

Local Linux Enumeration & Privilege Escalation Cheatsheet

Posted on June 3, 2013 by owen Leave a comment

The following post lists a few Linux commands that may come in useful when trying to escalate privileges on a target system. This is generally aimed at enumeration rather than specific vulnerabilities/exploits and I realise these are just the tip of the iceberg in terms of what’s available.

This will continually be updated with new/useful commands.

Revision 1.0

Kernel, Operating System & Device Information:

Command	Result
`uname -a`	Print all available system information
`uname -r`	Kernel release
`uname -n`	System hostname
`hostname`	As above
`uname -m`	Linux kernel architecture (32 or 64 bit)
`cat /proc/version`	Kernel information
`cat /etc/*-release`	Distribution information
`cat /etc/issue`	As above
`cat /proc/cpuinfo`	CPU information
`df -a`	File system information

Users & Groups:

Command	Result
`cat /etc/passwd`	List all users on the system
`cat /etc/group`	List all groups on the system
`cat /etc/shadow`	Show user hashes – Privileged command
`grep -v -E "^#" /etc/passwd \| awk -F: '$3 == 0 { print $1}'`	List all super user accounts
`finger`	Users currently logged in
`pinky`	As above
`users`	As above
`who -a`	As above
`w`	Who is currently logged in and what they’re doing
`last`	Listing of last logged on users
`lastlog`	Information on when all users last logged in
`lastlog –u %username%`	Information on when the specified user last logged in

Continue reading →

VulnVPN (Vulnerable VPN) Solutions

Posted on March 5, 2013 by owen 3 Comments

The following post shows some possible ways to hack and gain root on VulnVPN. In these examples VulnVPN is based at 192.168.0.10 and the attacking box/client is 192.168.0.11.

Attacking the VPN Server

The first few steps involve finding the listening services. As it’s a VPN image, I’ve performed a single scan on UDP port 500 from which the result can be seen in the following screenshot.

To keep this thorough I’ve also performed a full TCP port scan although, as expected, only the open port is 81. This is used to host a help page and is out of scope for testing.

Using ike-scan it’s possible to determine that the host is running an IKE based VPN in aggressive mode, from which we can basically perform an offline attack on the hash to return the unencrypted PSK. More information on this attack can be found here.

It’s then possible to use a program such as psk-crack to perform dictionary or brute-force attacks on the hash. From the following screenshot it is evident to see that the clear text PSK value is 123456.

If you’re using the client config files supplied, you’ll need to enter the PSK into the ipsec.secrets file (as follows).

Before attempting to connect to the host you’ll need to perform a service restart i.e. /etc/init.d/ipsec restart.

It’s then possible to initiate the VPN connection using the command as shown in the following screenshot.

If the connection has been successful you’ll see ‘IPsec SA established’ message as highlighted above. If things don’t go as planned, the following may help:

022 “vpn”: We cannot identify ourselves with either end of this connection – This means that your IP address is not the same as specified in the ipsec.conf file. Either change your address, or change the value in the file (the default for the client is set as 192.168.0.11).
021 no connection named “xxxx” – The name of the connection is not as specified in ipsec.conf, i.e. vpn (the default for this challenge).
STATE_AGGR_I1: INVALID_HASH_INFORMATION - This error indicates that the hash information in ipsec.secrets is incorrect. Ensure you enter the PSK as previously obtained.

After any changes make sure you restart the ipsec services.

Continue reading →

Remotely Dump SAM/SYSTEM Files & Avoid A/V

Posted on February 19, 2013 by owen Leave a comment

This command came in very handy on a recent pentest. Essentially this allows us to dump out the SAM and SYSTEM files on a compromised host, whilst also helping avoid A/V. It should be noted that this is a post exploitation task and assumes you have SYSTEM access to the host/or are using a privileged hash to authenticate from a remote system.

If you wish to perform this attack remotely you’ll need the relevant hash and wce to perform the following command:

wce.exe -s administrator:500:LMHASH:NTHASH -c cmd.exe

Then in the spawned window you can use the following:

PsExec.exe \\%VICTIM_IP% reg save hklm\system %LOCATION% & PsExec.exe \\%VICTIM_IP% reg save hklm\sam %LOCATION%

If you have local access you can obviously drop the wce and psexec sections.

If you have any issues accessing ADMIN$ etc you can always use the reg hack as described in a previous post.

Enjoy!

VulnVPN (Vulnerable VPN) Exploiting IKE Aggressive Mode – Release 1.0

Posted on February 8, 2013 by owen 13 Comments

The idea behind VulnVPN is to exploit the VPN service to gain access to the sever and ‘internal’ services. Once you have an internal client address there are a number of ways of gaining root (some easier than others).

Client VPN Configuration

-update-21-02-13-

I have created a VulnVPN client image (x64) that has the relevant settings in place, otherwise it’s basically a standard BT5r3 image. All you’ll need to do is populate the /etc/ipsec.secrets file once you have the PSK and then restart the relevant ipsec services. The IP of the client has been set to 192.168.0.11. The username/password is the standard BT of root/toor. Alternatively you can download the client config files and use your own host, as described below.

I have created/uploaded the relevant files which can be obtained from the compressed file here. You’ll need to configure Openswan/xl2tpd on your system, if you’re using an Ubuntu based Linux variant you can follow the below steps – please note that I’ve used Backtrack 5r3 for all client testing (mentioned as I know it works well):

1. apt-get install openswan xl2tpd ppp

2. Copy the downloaded client files into the following locations:

/etc/ipsec.conf
/etc/ipsec.secrets
/etc/ppp/options.l2tpd.client
/etc/xl2tpd/xl2tpd.conf

3. VulnVPN is located at 192.168.0.10 and the client configuration files state that the client IP address is 192.168.0.11. If you want your client to have a different address ensure you change the relevant settings in /etc/ipsec.conf.

4. To establish a VPN connection run the following command: ipsec auto –up vpn (that’s two hyphens before up, they get lost in the post formatting). If you’re viewing the logs you should see something along the lines of ‘IPsec SA established’.

5. If the connection succeeds (remember you’ll need to obtain the PSK before this is possible) you can run the ‘start-vpn.sh’ script (included with client config files download) or run the following command to initialise the PPP adaptor: echo “c vpn” > /var/run/xl2tpd/l2tp-control

6. Run ip list or ifconfig and you should see that a new PPP adapter has been created and assigned an IP address (this may not be instant, give it a few seconds). If the adaptor fails to come up run the script/command again – I’ve come across this issue a few times.

Note: If you change your configuration/IP settings etc you’ll need to reload the relevant configuration files i.e. /etc/init.d/ipsec restart and/or /etc/init.d/xl2tpd restart

Troubleshooting

I realise that VPN’s can be very troublesome (setting this challenge up was bad enough), so I have allowed access to auth and ufw logs. These should help highlight issues you may be experiencing and can be found at http://192.168.0.10:81 (note port 81). Please note that hacking this page and associated scripts are not part of the challenge, rather they have been provided for assistance.

A useful config reference can also be found here:
https://wiki.archlinux.org/index.php/L2TP/IPsec_VPN_client_setup

Download Information

Architecture: x86
Format: VMware (vmx & vmdk) compatibility with version 4 onwards
RAM: 1GB
Network: NAT – Static IP 192.168.0.10 (no G/W or DNS configured)
Extracted size: 1.57GB
Compressed (download size): 368MB – 7zip format – 7zip can be obtained from here

Download VulnVPN from -HERE-

MD5 Hash of VulnVPN.7z: 9568aa4c94bf0b5809cb0a282fffa5c2

Download Client files from -HERE-

MD5 Hash of client.7z: e598887f2e4b18cd415ea747606644f6

Download x64 Client VM Image from -HERE- (it’s big!)

MD5 Hash of client.7z: e57253a449cab4563bfa74852e1d5b2c

As per usual, I shall add a related solutions post shortly. Until then, enjoy

Windows 7, Administrative Shares and Metasploit PSExec Working in Harmony

Posted on January 20, 2013 by owen 4 Comments

I was using Metasploit on an internal test (it’s been a while as I meant to write this up some time ago) and I came across the following issue when attempting to gain access to a Windows 7 system via a remote PSExec/Meterpreter session with the compromised local administrator account hash; ‘The server responded with error: STATUS_ACCESS_DENIED (Command=117)‘.

It dawned on me that the newer versions of Windows (7 and 2008) don’t allow remote access to administrative shares such as ADMIN$, C$ etc from untrusted systems. I searched a little and found the following. This should be added to the victims registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Add a new DWORD (32-bit) key named ‘ LocalAccountTokenFilterPolicy’ and set the value to 1

If you don’t have access to an interactive session on the victim system, it’s possible to open a remote registry editor console using wce (Windows Credential Editor) with the following command:

wce.exe -s %local_admin_user_hash% -c cmd.exe

Essentially this command opens a cmd.exe window that’s running under the context of the chosen hash. Further, if you enter regedt32 in the spawned command window and change the target of the registry editor to the remote host, this will also authenticate on the host as the user from which cmd.exe was initially launched.

If the registry editor for the remote system is unavailable (i.e. the Remote Registry service is not running) a similar exploit can be run using wce to open an mmc. From here the computer management snap-in can be added for the remote system, again running under the context of the compromised account. The service can then be started on the remote host and you can continue to add the registry key.

After the registry settings have been added you’ll need to change the password of the user account you’re using to authenticate. Alternatively, create another local admin user via the remote computer management mmc on the remote host. Articles I’ve seen have also stated that once the changes have been made the system should be restarted. I haven’t had this issue to date and changes seem to be applied immediately.

It’s also worth noting that if you’ve previously authenticated to the system via SMB you’ll need to flush the current sessions by issuing the command net use /delete *

PSExec should then execute as planned.

Why would you want to do all of this if you already have the local administrator hash? For a number of reasons:

AV on the system kills/deletes any malicious process/binary from spawning. Therefore wce can be used to open a remote computer management mmc in the context of the compromised account in order to disable the offending service (if the AV policies allow).

A Meterpreter extension such as incognito (usually the reason for me) may be required so you can impersonate a user that is logged onto the system. Hence the admin shares will need to be accessible for Meterpreter to successfully spawn.

You may want to access the administrative shares to upload/download files.

Access to services, such as RDP or remote management facilities, may be blocked and hence attacks need to be performed over SMB.

VulnVoIP (Vulnerable VoIP) Solutions

Posted on November 17, 2012 by owen 9 Comments

As promised here we shall discuss a couple of ways to get root on VulnVoIP with some enumeration ‘fun’ in-between!

Assuming you’ve located the IP address, you can run a port scan and will find the following services listening (shortened for easy reference):

22/tcp open
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
967/tcp open
3306/tcp open mysql
4445/tcp open
5038/tcp open asterisk

VoIP User Enumeration

In this demonstration I’m using SIPVicious to enumerate the SIP device/users and to help crack extension passwords.

The first thing to do is enumerate the end device. To do so we can use the command ./svmap.py –fingerprint 192.168.237.148

The next step is to locate valid SIP extensions. The initial command I used was ./svwar.py -D 192.168.237.148

As you can see no valid extensions are returned.

It’s possible to specify the method used in the request. In this particular instance the INVITE request brings back valid responses ./svwar.py -D -m INVITE 192.168.237.148

If all went well you should find that 6 extensions exist. The –D option used in the previous command just searches for default extensions, so it’s generally best to use a custom range. I also found that if I specified the extensions to scan, i.e. –e100-3000, only the lower extensions were found, hence it may be best to split up long scans.

Continue reading →

VulnVoIP (Vulnerable VoIP) – The Fundamentals of VoIP Hacking

Posted on October 31, 2012 by owen 14 Comments

VulnVoIP is based on a relatively old AsteriskNOW distribution and has a number of weaknesses. The aim is to locate VoIP users, crack their passwords and gain access to the Support account voicemail.

Just to keep things interesting this particular disto also suffers from a known exploit from which it is relatively easy to gain a root shell. Once you’ve found the easy way, can you get root using a different method?

I’ve created these basic VoIP hacking training exercises as I found very limited resources online. Hopefully VulnVoIP will help others learn the basic fundamentals of VoIP hacking in a safe environment.

Architecture: x86
Format: VMware (vmx & vmdk) compatibility with version 4 onwards
RAM: 512MB
Network: NAT
Extracted size: 1.68GB
Compressed (download size): 552MB – 7zip format – 7zip can be obtained from here
MD5 Hash of VulnVoIP.7z: 1411bc06403307d5ca2ecae47181972a

- Download VulnVoIP from HERE -

As per usual I’ll post a few tips and tricks in the write-up shortly.

Until then, enjoy!

Using Wireshark to the minimum of its ability!

Posted on October 30, 2012 by owen Leave a comment

I was recently tasked with performing a pentest of a very small environment that contained 10 networked devices. Needless to say that everything seemed to be pretty new and well configured. Servers were patched, services were few and far between, firewall rules were tight and passwords were not set as defaults.

I was getting a bit desperate and thought I’d fire up Wireshark to have a look at the background traffic to see what was going on. In doing so I struck lucky!

Firstly, before I get to the point of the post I’ll take a small detour; in viewing network traffic it immediately became evident that the same physical switch was being used within several VLANs. It was possible to identify the switch from the System Name and Description subtrees within some LLDP_Multicast packets. These packets contained useful information such as switch name, model number and firmware/ROM revision information. Collecting such information not only helps identify any vulnerabilities that may exist in outdated firmware, but also helps gain a better understanding of the environment – especially when network diagrams are non-existent.

Back to the story. I was currently on a network with addresses in the range of 10.x.x.x/24 and I noticed a lot gratuitous ARP replies for the IP address 192.168.0.120 (many also stating duplicate address in use). I changed my IP to one in the 192.168.0.0/24 range and picked a single MAC address that was associated with the 192.168.0.120 address. After clearing my local ARP cache I set a permanent entry for the selected MAC address using the command ‘arp –s 192.168.0.120 mac:address’.

A fast nmap scan of the host revealed that ports 22, 80 and 443 were open. I navigated to 80 (which forwarded to 443 HTTPS) and lo and behold it was a Dell iDRAC controller for one of the 10.x.x.x hosts. I knew that default credentials are set as root/calvin (from many a previous pentest) to which, unsurprisingly, I was straight in, SSH too!

It just goes to show, if all else fails just open the shark and cross your fingers!

Vulnix (release 1.0) Solutions

Posted on September 23, 2012 by owen 1 Comment

There are several ways to gain root access in Vulnix (release 1.0). Here I shall discuss a variety of methods, although this is in no way a conclusive list.

Assuming you’ve located the IP address, you can run a port scan and will find the following services listening (shortened for easy reference):

22/tcp open ssh
25/tcp open smtp
79/tcp open finger
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
512/tcp open exec
513/tcp open login
514/tcp open
993/tcp open ssl
995/tcp open ssl
2049/tcp open nfs

The following stages break down the task into enumeration, attack and privilege escalation.

User Enumeration #1 – SMTP

Firstly we’ll telnet into the SMTP server to see if VRFY is enabled, as this will allow us to enumerate users.

telnet %vulnix_ip_address% 25

vrfy vulnix

You should see the following response:

The user ‘vulnix’ seems to exist (252 response) and by entering another name, in this case ‘thisusercannotexist’ we see that we’re given a 550 response and informed that the user is unknown.

It’s been proven that VRFY methods are implemented so we could quickly enumerate users by using a script such as smtp-user-enum or by using an auxiliary module within Metasploit etc.

Continue reading →

Vulnix (Vulnerable Linux) Release 1.0

Posted on September 10, 2012 by owen 2 Comments

Here we have a vulnerable Linux host with configuration weaknesses rather than purposely vulnerable software versions (well at the time of release anyway!)

The host is based upon Ubuntu Server 12.04 and is fully patched as of early September 2012. The details are as follows:

Architecture: x86
Format: VMware (vmx & vmdk) compatibility with version 4 onwards
RAM: 512MB
Network: NAT
Extracted size: 820MB
Compressed (download size): 194MB – 7zip format – 7zip can be obtained from here
MD5 Hash of Vulnix.7z: 0bf19d11836f72d22f30bf52cd585757

- Download Vulnix from HERE -

The goal; boot up, find the IP, hack away and obtain the trophy hidden away in /root by any means you wish – excluding the actual hacking of the vmdk

Free free to contact me with any questions/comments using the comments section below.

Enjoy!