Hack the Box Challenge: Jeeves Walkthrough

Hello Friends!! Today we are going to solve another CTF challenge, “Jeeves”. This VM is also developed by Hack the Box; Jeeves is a retired lab and there are multiple ways to breach it. In this lab we escalated to root privilege in 3 different ways, and to complete the challenge we took help from our Tally (Hack the Box) walkthrough.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!!

As these labs are only available online, they have a static IP. The Jeeves lab has IP 10.10.10.63.

Now, as always, let’s begin our hacking with port enumeration.

Looking at its result we found that ports 22, 80, 135, 445 and 50000 are open; moreover, ports 135 and 445 pointed towards a Windows operating system.

First we checked the web service by exploring the target IP in a web browser; it served an “Ask Jeeves search engine” webpage. We tried searching for a website such as google.com, and a new page showing a fake error message came up in front of us.

Port 50000 in a web browser gave us an HTTP 404 error page.

Then we decided to use OWASP DirBuster for a directory brute-force attack.

From its result we found many directories, but we went with /askjeeves for the next step.

Exploring 10.10.10.63:50000/askjeeves led us to the “Jenkins Dashboard”. Ahhh!! It was a WOW moment for us, because we knew there are many methods to exploit Jenkins. So we moved into the “Manage Jenkins” options, as that is the spine of the application and abusing it is straightforward.

There were many options, but we were interested in the Script Console, because Jenkins has a very nice Groovy script console that allows someone to execute arbitrary Groovy scripts within the Jenkins master runtime.

We found a Java reverse shell on GitHub, copied the code and modified its host and port to point at our machine.

Then we started a Netcat listener and ran the above Groovy script to receive the victim’s reverse connection. From the image below, you can observe that we got a tty shell on the victim’s machine.

As we love the meterpreter shell, we loaded the Metasploit framework and executed the commands below.

Copy the highlighted powershell.exe text and paste it into the CMD shell as shown in the next image.

Paste the above code here, in the netcat shell.

You will get a meterpreter session for the victim’s machine in your Metasploit framework; then finish the task by grabbing the user.txt and root.txt files. First type the following:

getuid

Currently we don’t have NT AUTHORITY\SYSTEM permission, but we knew the technique we had used in the Tally CTF to gain it.

Therefore, taking help from our previous article “Tally”, we executed the commands below and successfully gained NT AUTHORITY\SYSTEM permission.

Let me tell you this: we have solved many Hack the Box CTF challenges, some of them built on the Windows operating system, and we always grabbed user.txt from inside a folder owned by some username and root.txt from inside the Administrator folder; both of these folders live under C:\Users.

You can observe the same thing here, and you may have guessed my intention from the words above. So let’s grab the user.txt file first from inside /kohsuke/Desktop.

COOL!!! We have captured the 1st flag.

Then we went for the root.txt file, BUT it was a little bit tricky to get, because the author has hidden root.txt using an ADS technique (Windows Alternate Data Streams). To grab that file, you can execute the commands below.

Hurray!! The /R flag of the dir command discloses the root.txt stream, and we successfully completed the 2nd task.

2nd Method

When you have a fresh meterpreter session 1, move into the /document directory and download the CEH.kdbx file. Here too we took help from our previous article, Tally.

Now run the Python script that extracts a Hashcat/john crackable hash from KeePass 1.x/2.x databases.

Next, we used John the Ripper to crack the hash stored in “passkey” with the help of the following command.

So we found the master key “moonshine1” for KeePass2, an application used for storing your passwords. You need to install it (keepass2) using the following command.

After installing it, run the command below and submit “moonshine1” in the master key field.

Inside CEH we found many credentials; we copied all the passwords from here and pasted them into a text file, which gave us a few passwords and one NTLM hash value: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

Awesome!!! We have meterpreter session 2 with proper NT AUTHORITY\SYSTEM permission; now use the steps above to get the root.txt file.

Note: we rebooted the target VM before starting the 2nd method.

Once you have a fresh meterpreter session 2 (via psexec), execute the following command to enable the remote desktop service on the victim’s machine.

Now we have the victim’s command prompt with administrator privilege, so we can change the Administrator user’s password directly using the net user command.

net user administrator 123

Now open a new terminal in your Kali Linux and type the rdesktop 10.10.10.63 command to access the victim’s remote desktop service, then submit the credentials administrator:123 to log in.

BOOOOOM!!! Look at the screen of our victim; now let’s grab the root flag and enjoy this GUI mode.

Finding user.txt is quite easy; you can try it on your own. To grab the root.txt flag, open the CMD prompt and type the following command as done above.

Enjoy Hacking!!!!

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a Social Media and Gadgets Lover. Contact here

Hack the Trollcave VM (Boot to Root)

Hello friends! Today we are going to take on another CTF challenge known as Trollcave. The credit for making this VM goes to “David Yates”, and it is another boot-to-root challenge in which our goal is to gain root access and capture the flag to complete the challenge. You can download this VM from here.

Penetrating Methodology

  • Network scanning (Nmap, netdiscover)
  • Information gathering
  • Examining the web application framework (Ruby on Rails)
  • Mutating user IDs from 1 to 17 to find King’s page (the superadmin account)
  • Abusing the Rails default path for password reset (found via Google)
  • Exploiting IDOR to reset the password of King’s account
  • Logging into the superadmin console (King’s account)
  • Exploring the file manager tab and enabling the upload option
  • Generating an SSH RSA key without a passphrase
  • Uploading the RSA key
  • Pwning a tty shell via SSH login
  • Kernel privilege escalation (searchsploit)
  • Encoding the exploit with base64
  • Transferring it to the victim’s machine and decoding it
  • Running the kernel exploit and gaining root access
  • Capturing the flag and finishing the challenge

Let’s Breach!!!

Let’s start by finding the IP of the VM (here I have it at 192.168.1.124, but you will have to find your own).

netdiscover

Now let’s move on to enumeration to identify the running services and open ports of the victim’s machine using the most popular tool, Nmap.

Awesome!! Nmap has dumped the details of the services running on open ports 22 and 80.

Knowing port 80 is open on the victim’s machine, I explored its IP in a browser. At first glance we saw three tabs: Home, Login and Register.

Then we scrolled down the page, saw the Ruby gem logo and found that this site is based on Ruby on Rails. On the right side we saw two categories, i.e. Online users and Newest users; when we clicked on “xer”, a new web page opened.

From its URL we perceived that user xer has user ID 17, and hence there must be other users with IDs between 1 and 17.

So we manually replaced id 17 with id 1 and found King’s page, which belonged to the superadmin account.

On the home page we read the post about password reset by coderguy, which pointed to the Ruby gem used for Rails password resets, and from Google we found the default path for password reset. So we explored http://192.168.1.124/password_resets/new and obtained the password reset form. First we tried to reset the superadmin password but unfortunately failed, BUT we successfully got the link for xer’s password reset.

Yeah!! It was pretty good to see a link for xer’s password reset, so we copied that link.

Then we pasted the copied link into the URL bar, swapped name=xer for name=king as given below, and entered a new password for the superadmin (king). This is known as IDOR (Insecure Direct Object Reference): the reset token was accepted for an account other than the one it was issued for.

Well!!! On executing the URL, it gave the message “password reset successfully”, and then we logged into the superadmin account.
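Why swapping name=xer for name=king works, and what a reset handler has to check to stop it, as an added example that is not part of the original post (the user table, token store and function names are constructed; a real Rails application would use the gem’s token model, not these dictionaries):

```python
import secrets
import time

# Constructed user table: name -> current password (plaintext only to keep the demo short)
USERS = {"king": "superadmin-secret", "xer": "xer-secret"}

# Issued reset tokens: token -> (owner, expiry timestamp)
RESET_TOKENS = {}


def issue_reset(name, ttl_seconds=900, now=None):
    """Create a reset token for `name` and remember which account it belongs to."""
    if name not in USERS:
        raise KeyError(name)
    token = secrets.token_urlsafe(32)
    expiry = (now if now is not None else time.time()) + ttl_seconds
    RESET_TOKENS[token] = (name, expiry)
    return token


def reset_vulnerable(token, name, new_password):
    """The IDOR pattern: the token only proves that *a* reset was requested,
    and the account to change is taken from the URL's name parameter."""
    if token not in RESET_TOKENS or name not in USERS:
        return False
    USERS[name] = new_password
    return True


def reset_fixed(token, name, new_password, now=None):
    """The token decides which account is reset: the URL's name must match the
    token's owner, the token must be unexpired, and it is consumed on use."""
    entry = RESET_TOKENS.get(token)
    if entry is None:
        return False
    owner, expiry = entry
    current = now if now is not None else time.time()
    if current > expiry:
        RESET_TOKENS.pop(token, None)
        return False
    if owner != name:
        return False
    RESET_TOKENS.pop(token, None)       # single use
    USERS[owner] = new_password         # the owner, never the attacker-supplied name
    return True
```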

Yippee!!! Finally we logged in as superadmin and accessed the admin console; we saw many tabs and clicked on File Manager.

Here we saw the enable file upload option, and we enabled it so that we could upload a backdoor whenever we needed to.

We started by uploading a PHP backdoor but the upload failed; similarly we tried many backdoors such as Ruby, C shell and more, but failed each time. After many attempts we successfully uploaded an SSH RSA key file.

To do so follow the below steps:

Here we generated an SSH RSA key pair named rails without a passphrase, copied rails.pub into authorized_keys and gave it permission 600 for proper authentication.

Then upload authorized_keys, setting the path manually to ../../../../../../home/rails/.ssh/authorized_keys (a path traversal out of the upload directory).

After uploading the SSH key, it was time to connect to the target machine with it.

Awesome!! In the image below you can observe the target machine’s tty shell.

Then we executed the lsb_release -a command to learn the distribution version and found 16.04. After that, with the help of searchsploit, we found kernel exploit 44298.c for local privilege escalation.

We then copied this exploit to the Desktop and compiled it. Since it was not possible to transfer the compiled binary directly, we needed to encode the file in base64. Use the commands below to follow the same steps.

We copied the base64-encoded value, then moved to the target’s terminal, where we created an empty file exploit.base64 with nano and pasted the copied encoded text into it.

Next we decoded it into a new file named rootshell and gave the decoded file full permissions. Finally, we ran rootshell to get root privilege.

BINGO!!!! We got the root flag!!!

Hack the Box Challenge: Fluxcapacitor Walkthrough

Hello friends!! Today we are sharing our experience, which can be helpful in solving the new Hack The Box CTF challenge Fluxcapacitor. Solving this lab is not easy; all you need is your web penetration testing skill. This lab is designed around bypassing a Web Application Firewall (WAF) to exploit an OS command injection vulnerability on the machine.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!!

These labs are only available online, so they have a static IP. Fluxcapacitor has IP 10.10.10.69.

As we know, the initial stage is enumeration, so we used an nmap version scan to gather information about the target machine and its running services.

Its scan result told us that port 80 is open for web services and is also protected by the web application firewall “superWAF”, so we explored the target IP in the web browser but found nothing interesting.

Then we looked into its source code and saw an exciting comment pointing towards the URL /sync, and without wasting time we opened /sync.

LOL!!! It gave a 403 Forbidden error message and the server banner openresty/1.13.6.1. We looked on Google for any exploit related to this but failed to find a working one.

At that point we decided to use Burp Suite to intercept our browser request. After intercepting the HTTP request, the raw request was sent to Repeater.

Huhhhh!! It responded with the same output as in the web browser. Perhaps there was a WAF filter restricting the User-Agent, such as Mozilla Firefox/5.0.

So we started scrutinising the User-Agent field by replacing the original user-agent content with an arbitrary value, “raj”. Finally!!! It returned the current timestamp, as disclosed in the comment found in the source code of the home page.

Now it was confirmed that SuperWAF filters on the user-agent field, so we searched Google for an exploit but didn’t find any particular one. Nevertheless, Google gave a little hint about OS command injection, and on that basis we tried a few parameters in the request, such as /sync?test=ls, which responded with the same timestamp every time. Hence we needed to fuzz for the proper parameter name, so we used wfuzz in our next step.

So we used the common.txt wordlist for the brute force and executed the command below.

It gave a 403 response for the payload “opt”; let’s try opt as a parameter after /sync and check the response.

Now use the ‘opt’ parameter to bypass the WAF and execute the ls command through it. HOWEVER, there is again a trick to executing ls, because the WAF will not allow you to perform OS command injection directly, so it is a little bit tougher to exploit. But THANKS to medium.com, where I got the idea of bypassing the WAF with a technique known as string literal concatenation: in the shell, adjacent string literals are concatenated without any operator, so a filter that looks for the literal command name never sees it.

Taking help from the website mentioned above, we executed three commands, whoami, id and uname, through curl as shown in the image.
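The detection side of the same trick, as an added example that is not part of the original post: a signature that matches raw command names misses concatenated literals, so a WAF or log analyser should first reduce the parameter value to the words the shell would execute (shlex in POSIX mode does exactly the concatenation and escape removal). The signature set, separator list and sample URLs are constructed.

```python
import re
import shlex
from urllib.parse import parse_qsl, urlsplit

# Command names a naive filter (like the page's "superWAF") might block; constructed list
SIGNATURES = {"whoami", "id", "uname", "ls", "cat", "nc", "bash", "sh"}

# Shell metacharacters that start a new command; each segment is matched on its own
SEPARATORS = re.compile(r"[;|&\n()`]")


def naive_blocked(value):
    """Word-boundary match on the raw value: what a simple WAF rule does."""
    return any(re.search(rf"\b{re.escape(sig)}\b", value) for sig in SIGNATURES)


def shell_words(value):
    """Reduce the value to the words the shell would run: shlex joins adjacent
    literals (wh''oami -> whoami) and drops backslash escapes (wh\\oami -> whoami).
    A segment with an unbalanced quote is kept raw so the caller can still flag it."""
    words = []
    for segment in SEPARATORS.split(value):
        if not segment.strip():
            continue
        try:
            words.extend(shlex.split(segment))
        except ValueError:          # no closing quotation
            words.append(segment.strip())
    return words


def normalized_blocked(value):
    """Match signatures against the normalised words instead of the raw text."""
    return any(w in SIGNATURES for w in shell_words(value))


def inspect_url(url):
    """Evaluate every query parameter of a request URL and report, per parameter,
    whether the naive and the normalised detector would have flagged it."""
    findings = {}
    for key, val in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        findings[key] = {
            "naive": naive_blocked(val),
            "normalized": normalized_blocked(val),
            "words": shell_words(val),
        }
    return findings
```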

Superb!! It was great to know that we had bypassed the WAF successfully, but the task was not completed yet.

Let’s seize the user.txt and root.txt files and finish this task. Hhhhhh!!!! Believe me, it is still not easy to bypass the WAF even when your goal is near. Seriously, we put in great effort and at last found user.txt when we executed the commands below.

Now the goal was the root.txt file, and taking a lesson from previous experience I chose to run the sudo -l command to check the sudo privileges of the current user.

Awesome!! It told us that we can run the script “monit”, which is inside the /home/themiddle/ directory, with root privileges without a password. Let’s open it with the cat command.

After reading the .monit file, we concluded that the script takes two parameters, i.e. the string cmd and a base64-encoded value; it checks the conditions accordingly, decodes the value and passes the result to bash -c as its parameter.

Hence it was clear that the 1st parameter must match the string “cmd” and the 2nd is base64-decoded; for that reason we first generated the base64 value for /root/root.txt, because we knew the location of the root.txt file from our previous challenges.

Now, with the help of the sudo privilege, execute the command to gain root access and complete the task by grabbing root.txt.

HURRAYYYY!!! We hit the goal and successfully found the root.txt file.

Linux Privilege Escalation using SUID Binaries

In our previous article we discussed “Privilege Escalation in Linux using etc/passwd file”, and today we will learn “Privilege Escalation in Linux using SUID Permission”. While solving CTF challenges we always check for SUID permissions on files or commands for privilege escalation. It is very important to know what SUID is, how to set it and how it helps in privilege escalation. You can read our previous articles where we applied this trick; open the links given below:

Link 1: Hack the Box Challenge: Bank Walkthrough

Link 2: Hack the Box Challenge: Haircut Walkthrough

Let’s Start with the Theoretical Concept!!

As we all know, in Linux everything is a file, including directories and devices, and each file has permissions that allow or restrict three operations, i.e. read/write/execute. So when you set permissions on any file, you should be aware of which Linux users (owner, group, others) you are going to allow or restrict for each of the three operations. Take a look at the following image.

Hence it is clear that the maximum value used to set the permissions for each class of user is 7, which is the sum of read (4), write (2) and execute (1). For example, if you set chmod 755, the permissions will look like rwxr-xr-x.

But there are also special permissions, the SUID, SGID and sticky bits, which occupy an extra leading octal digit. When the extra bit “4” is set for the user (owner) it becomes SUID (Set User ID); when bit “2” is set for the group it becomes SGID (Set Group ID); and the sticky bit “1” is set on a directory (such as /tmp) in which other users are allowed to create files, so that only a file’s owner can delete or rename it.

What is SUID Permission?

SUID: Set User ID is a type of permission that allows users to execute a file with the permissions of the file’s owner rather than their own. Files with the SUID bit set and owned by root therefore run with root privileges. Assume we are accessing the target system as a non-root user and we find SUID-enabled binaries; those files/programs/commands then run with root privileges when we execute them.

How to set SUID?

Basically, you can change the permissions of any file using either the “numerical” method or the “symbolic” method. As a result, the x in the owner’s execute position is replaced by s, as shown in the image below, which denotes special execution permission with the owner’s privilege for that file/command. Since we are enabling SUID for the owner (user), the leading digit 4 (numerical) or the symbol u+s (symbolic) is added to the read/write/execute permissions.

If you execute the ls -al command with the file name and observe a small ‘s’ in the owner’s execute position, as in the image above, it means the SUID bit is enabled for that file and, if root owns it, it can be run with root privileges.

How does SUID help in privilege escalation?

In Linux, some existing binaries and commands can be used by a non-root user to escalate privileges to root if the SUID bit is enabled. Some well-known Linux/Unix executables that allow privilege escalation when SUID is set are: bash, cat, cp, echo, find, less, more, nano, nmap, vim.
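The two ideas above in working code, as an added example that is not from the original article: decoding a numeric mode the way ls -l displays it (including the special digit, and the capital S/T shown when the special bit is set without the underlying x), and an audit that walks a tree the way find / -perm -4000 does and ranks root-owned SUID files named in the article’s list first. The risky-name list, function names and sample entries are constructed.

```python
import os
import stat

# Executables the article names as abusable when SUID and owned by root (constructed list)
RISKY_SUID = {"bash", "cat", "cp", "echo", "find", "less", "more", "nano",
              "nmap", "vim", "vim.basic"}


def mode_to_symbolic(mode):
    """0o4755 -> 'rwsr-xr-x'. Each class gets rwx; the special bit replaces the x of
    owner (SUID), group (SGID) or others (sticky). A capital letter means the special
    bit is set but execute is not (e.g. 0o4644 -> 'rwSr--r--')."""
    out = []
    specials = [(stat.S_ISUID, "s"), (stat.S_ISGID, "s"), (stat.S_ISVTX, "t")]
    for shift, (special, letter) in zip((6, 3, 0), specials):
        bits = (mode >> shift) & 0o7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        if mode & special:
            out.append(letter if bits & 1 else letter.upper())
        else:
            out.append("x" if bits & 1 else "-")
    return "".join(out)


def classify(path, mode, uid):
    """'risky' for a root-owned SUID file named in RISKY_SUID, 'suid' for any other
    SUID file (e.g. passwd, which legitimately needs it), 'none' otherwise."""
    if not mode & stat.S_ISUID:
        return "none"
    if uid == 0 and os.path.basename(path) in RISKY_SUID:
        return "risky"
    return "suid"


def audit_entries(entries):
    """entries: iterable of (path, st_mode, st_uid). Returns SUID findings as
    (path, symbolic_mode, classification) with the risky ones first."""
    findings = [(p, mode_to_symbolic(m), classify(p, m, u)) for p, m, u in entries]
    findings = [f for f in findings if f[2] != "none"]
    return sorted(findings, key=lambda f: (f[2] != "risky", f[0]))


def audit_tree(root):
    """Walk a real directory tree (regular files only, symlinks not followed):
    the defender's equivalent of find / -perm -4000 -type f."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                entries.append((path, st.st_mode, st.st_uid))
    return audit_entries(entries)


if __name__ == "__main__":
    for path, sym, kind in audit_tree("/usr/bin"):
        print(f"{kind:5} {sym} {path}")
```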

Let’s go deeper through practical work. First, create a user that is not in the sudo group. Here we have added the user “ignite”, whose UID is 1001 and GID is 1001; hence ignite is a non-root user.

Privilege Escalation using Copy Command

If the SUID bit is enabled on the cp command, which is used to copy data, it can lead to privilege escalation to root. For example, suppose you (the system admin) want to give SUID permission to the cp command. Then you may follow the steps below to identify its location and current permissions, after which you can enable the SUID bit by changing its permissions.

1st Method

On the other side, start your attacking machine, first compromise the target system and then move to the privilege escalation phase. Suppose I successfully log into the victim’s machine through SSH and get a non-root user terminal. Then, using the following command, you can enumerate all binaries having SUID permission.

In the image above you can observe that it shows many files, but we are interested in /bin/cp, because now we can copy the /etc/passwd file to read the user list. Therefore I copied the passwd file into the HTML directory.

On the other side, we generated a new password hash for the password pass123 using openssl passwd.

We copied the passwd file into the web directory, i.e. /var/www/html, so I could open it in the web browser; then we copied the entire content of the passwd file into a text file, after which we can add our own user with root’s UID, GID and home directory.

In our previous article we already discussed how to add a user to /etc/passwd using the openssl passwd utility.

Run a Python HTTP server to transfer our edited passwd file to the target machine.

As we all know, the /tmp directory allows any user to create files, so we downloaded our passwd file there. Once it was downloaded, we copied /tmp/passwd over /etc/passwd with the SUID cp, which overwrites the original passwd file.

With the help of the tail command we confirmed that our user “hack” is now part of the /etc/passwd file. Since we added our own user with root privileges, let’s get into the root directory.

And Yessssssss!! This is an incredible way to escalate to root privilege.
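The defender’s side of the method just shown, as an added example that is not from the original article: a check over /etc/passwd content that flags exactly what the copied-in file introduces, a second UID 0 account, a password hash sitting in the field that should hold x (bypassing /etc/shadow), and any line missing from a baseline snapshot. The baseline, the tampered copy, the fake hash and the function names are all constructed.

```python
# Constructed baseline snapshot of /etc/passwd taken while the system was known-good
BASELINE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
raj:x:1000:1000:raj:/home/raj:/bin/bash
ignite:x:1001:1001::/home/ignite:/bin/bash
"""

# The same file after an extra UID 0 user with an inline hash was appended (hash is fake)
TAMPERED = BASELINE + "hack:$1$saltsalt$ZZZZZZZZZZZZZZZZZZZZZZ:0:0::/root:/bin/bash\n"


def parse_passwd(text):
    """Split passwd lines into dicts; lines without exactly 7 fields or with
    non-numeric uid/gid are returned as {'line': n, 'malformed': raw}."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": lineno, "malformed": line})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        try:
            entries.append({"line": lineno, "name": name, "pw": pw,
                            "uid": int(uid), "gid": int(gid),
                            "home": home, "shell": shell})
        except ValueError:
            entries.append({"line": lineno, "malformed": line})
    return entries


def audit_passwd(text, baseline=BASELINE):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    known = set(baseline.splitlines())
    seen_names = set()
    for e in parse_passwd(text):
        if "malformed" in e:
            findings.append(f"line {e['line']}: malformed entry")
            continue
        tag = f"line {e['line']} ({e['name']})"
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"{tag}: UID 0 account other than root")
        if e["pw"] == "":
            findings.append(f"{tag}: empty password field")
        elif e["pw"] not in ("x", "*", "!"):
            findings.append(f"{tag}: password hash stored in passwd, bypassing shadow")
        if e["name"] in seen_names:
            findings.append(f"{tag}: duplicate user name")
        seen_names.add(e["name"])
    # Anything not in the snapshot is reported, whatever it looks like
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip() and line not in known:
            findings.append(f"line {lineno}: not present in baseline snapshot")
    return findings
```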

2nd Method

Similarly, we can also place our backdoor on the target system if the SUID bit is enabled for the cp command. Here we generated a netcat reverse-connect backdoor using the msfvenom command.

Then copy the highlighted code above and paste it into a text file starting with #!/bin/bash; it is then ready to transfer to the target system. I saved it as raj.sh.

Now, we are all aware of the Linux cron utility, which runs the scripts placed in the hourly, daily, weekly and monthly cron directories, so I copied raj.sh into /etc/cron.hourly. Hence it will run the raj.sh file after one hour.

Meanwhile we started a Netcat listener in a new terminal, and as the hour passed it gave us a reverse connection from the target system with root privileges.

Hence we saw how a single cp command can lead to privilege escalation if the SUID bit is ON. You can try your own way of escalating to root privilege using the cp command.

Privilege Escalation Using Find Command

Similarly, we can escalate to root privilege if the SUID bit is ON for the find command. For example, suppose you (the system admin) want to give SUID permission to the find command. Then you may follow the steps below to identify its location and current permissions, after which you can enable the SUID bit by changing its permissions.

Again compromise the target system and then move to the privilege escalation phase as done above. Then, using the following command, you can enumerate all binaries having SUID permission.

So here we came to know that the SUID bit is enabled for the find command, which means we can execute any command through find’s -exec option. To do so, we first create an empty file “raj” and then run the whoami command as shown below.

If an attacker finds the SUID bit set on /usr/bin/find, it allows them to execute any malicious command, such as a netcat /bin/bash shell, or to fetch important system information for privilege escalation.

Privilege Escalation Using Vim

Similarly, we can escalate to root privilege if the SUID bit is ON for the Vim editor. For example, suppose you (the system admin) want to give SUID permission to the Vim editor. Then you may follow the steps below to identify its location and current permissions, after which you can enable the SUID bit by changing its permissions.

You will find that vim is a symlink to vim.basic, as shown in the image below.

Again compromise the target system and then move to the privilege escalation phase as done above. Then, using the following command, you can enumerate all binaries that have SUID permission.

So here we came to know that the SUID bit is enabled for /usr/bin/vim.basic, and hence we can now use vim to edit any file that normally only root or a sudo user can edit.

As we know, ignite is a non-root user with the least permissions; since vim has SUID permission, we can edit the sudoers file through it and change the permissions for the user “ignite”. So we opened the sudoers file by typing the visudo command and gave all permissions to user “ignite”, as shown in the image.

ignite   ALL=(ALL:ALL) ALL

Now let’s access the root directory as shown in the image below.

Great!! This trick also works superbly for privilege escalation.

Privilege Escalation using Saved Script

There is a good chance of finding some kind of script or program that makes a system call; it can be any script, whether PHP, Python or a C program. Suppose you (the system admin) want to give SUID permission to a C program that provides a bash shell on execution.

So here we wrote a C program that calls system() to spawn a bash shell and saved it as “asroot.c”.

Then we created a rootshell directory inside /bin, copied asroot.c into it and ran the gcc compiler to compile it.

Now again compromise the target system and use the find command to identify binaries having SUID permission.

So here we came to know that the SUID bit is enabled for many binary files, but we are interested in /bin/rootshell/shell. So we moved into the /bin/rootshell directory and ran the program “shell”; as a result we got root access, as shown below.

Thus we saw how we can escalate to root privilege if the SUID bit is enabled on any script or program. Although it is unlikely to find such a program that directly calls a bash shell, if you find any script with SUID permission then, using the techniques above, you may be able to modify its content to get a bash shell.

Privilege Escalation Using Nano

Similarly, we can escalate to root privilege if the SUID bit is ON for the nano editor. For example, suppose you (the system admin) want to give SUID permission to the nano editor. Then you may follow the steps below to identify its location and current permissions, after which you can enable the SUID bit by changing its permissions.

Again compromise the target system and then move to the privilege escalation phase as done above. Then, using the following command, you can enumerate all binaries having SUID permission.

So here we came to know that the SUID bit is enabled for /bin/nano; now let’s open the /etc/passwd file to add our own user, as done above, using openssl passwd.

On the other side, I generated a new password hash for the password 123 using openssl passwd.

Now open the passwd file with the nano editor and add your own user as done above. Here you can observe that I created a demo user with the hashed password on the victim’s system.

Since we added our own user with root privileges, let’s get into the root directory.

2nd Method

If the SUID bit is enabled for /bin/nano then we can steal password hashes from the /etc/shadow file. So after compromising the target machine we opened the shadow file in the nano editor and copied the hashed password set for the user raj.

Now paste the copied hash into a text file saved as hash on the desktop, then use John the Ripper to crack it as shown below. It gave raj:123 as the password; now try to log into the target system through the raj account.

So today we have demonstrated how the SUID permission can lead to privilege escalation even when it is given to ordinary commands and programs such as cp, cat, nano and vim.
