Raven 2: Vulnhub Walkthrough

Hello everyone and welcome to yet another CTF challenge walkthrough. This time we’ll be putting our hands on Raven 2, the sequel to the previously solved Raven. Raven 2 is a Beginner/Intermediate boot2root machine. The goal is to snag 4 flags and get root on the target VM.

Table of contents:

  1. Port scanning and IP discovery.
  2. Hitting on port 80 and discovery of WordPress CMS.
  3. Directory enumeration to find a directory “vendor.”
  4. Discovering a file PATH to snag flag 1.
  5. Discovering a file VERSION to snag the PHPMailer version.
  6. Exploiting RCE in PHPMailer version 5.2.6
  7. Making local changes in the exploit code for successful delivery of payload.
  8. Getting a netcat shell using the uploaded payload.
  9. Snagging flag 2 in /var/www
  10. Reading database password from wp-config file.
  11. Running LinEnum.sh to enumerate processes.
  12. Exploiting UDF dynamic library vulnerability using an exploit with codename 1518.c on exploit-db
  13. Setting sticky bit on find.
  14. Getting root access.
  15. Snagging flag4 in /root
  16. Manually traversing system to find flag3.

Let’s get started then!

Discovering the active devices on the network using netdiscover and getting the IP address of our victim machine. In this case the victim’s IP address is 192.168.1.101

Using nmap on the victim machine we found three open ports: 22, 80 and 111

So we instantly moved to the port 80 and discovered a website of Raven Security.

We thought it would be wise to run directory enumeration before scanning anything else. So we ran a directory brute-force and found a “vendor” directory on the victim machine.

Accessing /vendor listed the following files and folders.

Among them a file called PATH caught our attention since it is no ordinary name. So we opened it in the browser only to find flag1!

There was yet another file worth noting called VERSION. On opening it we found the version of something. It was unclear which software had version 5.2.6 but look at the previous screen again… A file exists called: PHPMailerAutoload.php. It is fairly certain now that version 5.2.6 was of PHPMailer. So, on a bit of internet surfing we found an RCE exploit for the version!

Now we downloaded this python file but don’t run it yet! There are some changes to be made which are highlighted in the screen below.

  1. A “coding: utf-8” declaration is to be added at the top of the script.
  2. Set the target of vulnerability to 192.168.1.101/contact.php where this vulnerability exists (read PHPMailer’s function).
  3. Set the backdoor’s name. Let it be backdoor.php for now.
  4. Set the local IP in the Subprocess call.
  5. And finally, the location to upload the backdoor in.

Now run this python script and wait for the success message.

Activate a netcat listener on port 443. This is because the backdoor connects back on port 443, as written in the python code (the subprocess call).

Upon opening the location of backdoor we immediately got a shell!

Now we upgraded to a proper TTY using the python one-liner and manually traversed to /var/www, only to discover flag2!

Next we thought of checking the wordpress directory, as we did in the prequel Raven 1.

We found the root database password! It was “[email protected]”

Then we changed the active directory to /tmp and pulled in LinEnum.sh, a script that enumerates many basic and advanced Linux details.

It was hosted in a folder on our local machine and was fetched onto the victim machine using the wget command.

My local IP address was 192.168.1.109 in this case.

We found a MySQL-Exploit-Remote-Root-Code-Execution-Privesc vulnerability! (FOR MORE INFO: https://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html)

So, we searched for a UDF dynamic library exploit and it was named “1518.c” in exploit database.

https://www.exploit-db.com/exploits/1518/

The exploit works by compiling the raw C code into a shared object (.so) file, transferring it to the victim machine and loading it into MySQL as a user-defined function (UDF).

The first step was to compile it.

Hence, we transferred this “.so” file to the /tmp directory on the victim’s machine.

Now we logged in to the mysql interface.

<entered password>

After getting a MySQL shell, we started exploiting it using the vulnerability we just found.

First, we created a table called “foo”.

Into this table we loaded the contents of the 1518.so file we had just copied from the local machine into the /tmp directory.

We dumped the same file out to the /usr/lib/mysql/plugin/ directory, the directory MySQL loads UDF libraries from.

In the most important step, we created a UDF named do_system, backed by the shared object we just dumped; calling it executes a system command.

Hence, we invoked the command “chmod u+s /usr/bin/find” to set the setuid bit (referred to above as the sticky bit) on “find”.

Now we traversed back to the /tmp directory and executed commands as root using the find utility.
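Seen from the defender’s side, the UDF step above leaves one durable trace: /usr/bin/find now carries the setuid bit, which it never does on a stock install. The following is an added example (not code from the walkthrough or any tool it mentions) that diffs the setuid/setgid binaries of a host against a known-good baseline; the baseline set and the sample inventory are constructed here, and the paths in them are assumptions.

```python
"""SUID/SGID audit: flag setuid binaries that are not in a baseline allowlist.

Added example, not part of the Raven 2 walkthrough. A binary that gained the
setuid bit (as /usr/bin/find does after "chmod u+s") shows up as a diff
against a baseline recorded from a freshly built host.
"""
import os
import stat

# Constructed baseline: setuid binaries a Debian-like host normally ships.
# Record this from a trusted build, never from the host you are investigating.
BASELINE_SUID = {
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/bin/su",
    "/bin/mount",
    "/bin/umount",
}


def is_setuid(mode):
    """True if `mode` is a regular file with the setuid or setgid bit set."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def audit_inventory(inventory, baseline=BASELINE_SUID):
    """inventory: dict path -> (st_mode, st_uid). Returns (unexpected, missing).

    unexpected: setuid files absent from the baseline (the privesc trace);
    missing: baseline entries that no longer carry the bit (tampering the
    other way, or a baseline that needs updating).
    """
    current = {p for p, (mode, _uid) in inventory.items() if is_setuid(mode)}
    unexpected = sorted(current - set(baseline))
    missing = sorted(set(baseline) - current)
    return unexpected, missing


def inventory_from_disk(roots=("/bin", "/sbin", "/usr/bin", "/usr/sbin")):
    """Build the same inventory from the live filesystem with os.lstat."""
    inv = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                inv[path] = (st.st_mode, st.st_uid)
    return inv


# Constructed sample inventory: regular files with rwsr-xr-x / rwxr-xr-x modes.
SAMPLE_INVENTORY = {
    "/usr/bin/passwd": (stat.S_IFREG | stat.S_ISUID | 0o755, 0),
    "/usr/bin/sudo":   (stat.S_IFREG | stat.S_ISUID | 0o755, 0),
    "/bin/su":         (stat.S_IFREG | stat.S_ISUID | 0o755, 0),
    "/bin/mount":      (stat.S_IFREG | stat.S_ISUID | 0o755, 0),
    "/bin/umount":     (stat.S_IFREG | stat.S_ISUID | 0o755, 0),
    "/usr/bin/find":   (stat.S_IFREG | stat.S_ISUID | 0o755, 0),  # after chmod u+s
    "/usr/bin/ls":     (stat.S_IFREG | 0o755, 0),
}

if __name__ == "__main__":
    unexpected, missing = audit_inventory(SAMPLE_INVENTORY)
    print("unexpected setuid binaries:", unexpected)
    print("baseline entries without setuid:", missing)
    # On a real host: audit_inventory(inventory_from_disk())
```

Run it periodically (cron or a configuration-management check) and alert on any non-empty `unexpected` list; a file integrity monitor that tracks mode bits on the same directories catches the same change in real time.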

The only flag left to find was flag3.txt. You can do this with the find utility, but we had a bit of luck and found it manually!

It was lying in /var/www/html/wp-content/uploads/2018/11

We copied it to /var/www/html using cp.

Since it was a png file we had to view it in the browser.

Hence, this is how we rooted Raven 2 and snagged all four flags! Hope you liked it!

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker. contact here

Fowsniff: 1 Vulnhub Walkthrough

Hello friends! Today we are going to take another boot2root challenge known as Fowsniff. The credit for making this vm machine goes to “berzerk0” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM here.

Security Level: Beginner

Flags: There is one flag (flag.txt).

Table of contents:

  • Port scanning and IP discovery.
  • Hitting on port 80
  • Finding hashes on Pastebin
  • Decoding hashes
  • Brute force pop3 login
  • Connecting to pop3
  • Finding SSH username and password
  • Finding privilege escalation vectors
  • Exploiting Misconfiguration in system
  • Getting root access.
  • Reading the flags.

Walkthrough

Let’s start off with scanning the network to find our target.

We found our target: 192.168.1.29

Our next step is to scan our target with nmap.

The NMAP output shows us that there are 4 ports open: 22(SSH), 80(HTTP), 110(POP3), 143(IMAP)

We find that port 80 is running http, so we open the IP in our browser.

We don’t find anything on the webpage. A Dirb scan and nikto also didn’t reveal anything, so we googled “fowsniff corp” and found a pastebin link that contained usernames and password hashes. (You can find the link here)

We cracked the hashes using an online lookup site and found the passwords for the respective email addresses. But only 8 hashes were cracked and there are 9 usernames.

So we create two wordlists, one for usernames and one for passwords, which we will use to brute force the pop3 login.

We use the Metasploit framework to brute force the pop3 login. After running the brute force against pop3 we find the correct credentials to be “seina:scoobydoo2”.


We connect to pop3 service on the target server and login using the credentials we retrieved. After logging in we list the messages and find there are 2 messages.

We retrieve the 1st message and find that it contains the password to connect through SSH.

We retrieve the second message and find a note hinting that the username “baksteen” should be used.

We use the credentials “baksteen:S1ck3nBluff+secureshell” to login through SSH.

After gaining access we enumerate the system, since the user “baksteen” belongs to two different groups. We try to find files that belong to the “users” group and find a file called “cube.sh”.

We take a look at the content of the file and find it contains the message that is shown when we log in through SSH.

We open the file with vim and add a python reverse shell one-liner to the file.


We try to run it and find it gives the error “python: command not found”. We try to locate python and find the system has python3.

So we make a change to the reverse shell one-liner: we replace python with python3.

When we log in through SSH we get a banner similar to the one that “cube.sh” prints. So we check the “/etc/update-motd.d/” directory for executables that might run this script, and find that the file “00-header” runs it.

So now we exit SSH, set up our listener using netcat, and then connect through SSH again so that our reverse shell gets executed.

As soon as we successfully log in, we get a reverse shell as the root user on our netcat listener. We go to the root directory and find the file called “flag.txt”. We take a look at the content of the file and find the congratulatory message.
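The escalation above rests on one misconfiguration: a script that root executes at every login (via /etc/update-motd.d) was writable by an ordinary group. The following is an added example, not code from the walkthrough or the Fowsniff VM, that audits for exactly that: every script in the motd directory, and every .sh file such a script references, is checked for non-root ownership or group/world write permission. The in-memory inventory, the /opt/cube/cube.sh path and the file contents are constructed for the example; inventory_from_disk() builds the same structure from a real host.

```python
"""Audit for root-executed login scripts that a non-root user can modify.

Added example, not part of the Fowsniff walkthrough. Works on an in-memory
inventory so it runs offline; inventory_from_disk() reads a live host.
"""
import os
import re
import stat

ROOT_UID = 0
# Absolute paths ending in .sh mentioned inside a motd script (e.g. cube.sh).
SCRIPT_REF = re.compile(r"(/[\w./-]+\.sh)\b")


def weak_permissions(mode, uid):
    """Reasons a file executed by root could be edited by a non-root user."""
    reasons = []
    if uid != ROOT_UID:
        reasons.append("not owned by root")
    if mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_motd(inventory, motd_dir="/etc/update-motd.d"):
    """inventory: dict path -> (st_mode, st_uid, content).

    Returns [(path, reasons)] for the motd scripts themselves and for any
    .sh file they reference, since both run as root at login time.
    """
    to_check = []
    for path, (_mode, _uid, content) in sorted(inventory.items()):
        if os.path.dirname(path) == motd_dir:
            to_check.append(path)
            to_check.extend(SCRIPT_REF.findall(content))
    findings, seen = [], set()
    for path in to_check:
        if path in seen or path not in inventory:
            continue
        seen.add(path)
        mode, uid, _content = inventory[path]
        reasons = weak_permissions(mode, uid)
        if reasons:
            findings.append((path, reasons))
    return findings


def inventory_from_disk(motd_dir="/etc/update-motd.d"):
    """Build the inventory from a live host: motd scripts plus referenced .sh files."""
    inv = {}

    def add(path):
        try:
            st = os.lstat(path)
            with open(path, "r", errors="replace") as fh:
                content = fh.read()
        except OSError:
            return
        inv[path] = (st.st_mode, st.st_uid, content)

    if os.path.isdir(motd_dir):
        for name in os.listdir(motd_dir):
            path = os.path.join(motd_dir, name)
            add(path)
            for ref in SCRIPT_REF.findall(inv.get(path, (0, 0, ""))[2]):
                add(ref)
    return inv


# Constructed sample: 00-header (root, 0755) runs a group-writable cube.sh.
SAMPLE_INVENTORY = {
    "/etc/update-motd.d/00-header": (stat.S_IFREG | 0o755, 0,
                                     "#!/bin/sh\nsh /opt/cube/cube.sh\n"),
    "/etc/update-motd.d/10-help-text": (stat.S_IFREG | 0o755, 0,
                                        "#!/bin/sh\necho 'Docs: https://help.example.invalid'\n"),
    "/opt/cube/cube.sh": (stat.S_IFREG | 0o775, 0,          # group "users" can write
                          "#!/bin/sh\necho 'Welcome to Fowsniff Corp'\n"),
}

if __name__ == "__main__":
    for path, reasons in audit_motd(SAMPLE_INVENTORY):
        print(f"{path}: {', '.join(reasons)}")
    # On a real host: audit_motd(inventory_from_disk())
```

The fix is the mirror image of the finding: `chown root:root` and `chmod 755` on the referenced script, or better, move the banner logic into the motd script itself so nothing outside /etc is executed as root at login.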

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

Comprehensive Guide on Dirbuster Tool

In this article, we focus on directory enumeration using the Kali Linux tool DirBuster, trying to find hidden files and directories within a web server.

Table of Content

  • What is DirBuster
  • Default Mode
  • GET Request Method
  • Pure Brute Force (Numeric)
  • Single Sweep (Non-recursive)
  • Targeted Start
  • Blank Extensions
  • Search by File Type (.txt)
  • Changing DIR List
  • Following Redirects
  • Attack Through Proxy
  • Adding File Extensions
  • Evading Detective Measures (Requests Per Second)

What is DirBuster

DirBuster is an application within the Kali arsenal that is designed to brute force web and application servers. The tool can brute force directories and files. The application lets users take advantage of multi thread functionality to get things moving faster. In this article we will give you an overview of the tool and its basic functions.

Default Mode

We start DirBuster and only input http://testphp.vulnweb.com/ in the target URL field. Leave the rest of the options as they are. DirBuster will now auto switch between HEAD and GET requests to perform a list based brute force attack.

Let’s hit Start. DirBuster gets to work and starts brute forcing and we see various files and directories popping up in the result window.

GET Request Method

We will now set DirBuster to only use the GET request method. To make things go a little faster, the thread count is set to 200 and the “Go Faster” check box is checked.

In the Results – Tree View we can see findings.

Pure Brute Force (Numeric)

DirBuster allows a lot of control over the attack process; in this set we will be using only numerals to perform a pure brute force attack. This is done by selecting “Pure Brute Force” in the scanning type option and selecting “0-9” in the char set drop down menu. By default the minimum and maximum character limits are already set.

In the Results – Tree View we can see findings.

Single Sweep (Non-recursive)

We will now perform a single sweep brute force where the dictionary words are used only once. To achieve this, we will unselect the “Be Recursive” checkbox.

In the Results – List View we can see findings.

Targeted Start

Further exploring the control options provided by DirBuster, we will set it up to start looking from the “admin” directory. In the “Dir to start with” field, type “/admin” and hit start.

In the Results – Tree View we can see findings.

Blank Extensions

DirBuster can also look for directories with a blank extension, which could potentially uncover data that might otherwise be left untouched. All we do is check the “Use Blank Extension” checkbox.

We can see the processing happen and DirBuster testing to find directories with blank extensions.

Search by File Type (.txt)

We will be setting the file extension type to .txt, by doing so, DirBuster will look specifically for files with a .txt extension. Type “.txt” in the File extension field and hit start.

We can see the processing happen and DirBuster testing to find directories with a .txt extension.

Changing DIR List

We will now change the directory list in DirBuster: Options > Advanced Options > DirBuster Options > Dir list to use. Here is where we can browse and change the list to “directory-list-2.3-medium.txt”, found at /usr/share/dirbuster/wordlists/ in Kali.

We can see the word list is now set.

Following Redirects

DirBuster by default is not set to follow redirects during the attack, but we can enable this option under Options > Follow Redirects.

We can see the results in the scan information as the test progresses.

Results in the Tree View.

Attack through Proxy

DirBuster can also attack using a proxy. In this scenario we try to open a webpage at 192.168.1.108 but are denied access.

We set the IP in DirBuster as the attack target.

Before we start the attack, we set up the proxy option under Options > Advanced Options > Http Options. Here we check the “Run through a proxy” checkbox, input the IP 192.168.1.108 in the Host field and set the port to 3129.

We can see the test showing results.

Adding File Extensions

Some file extensions are not searched for by DirBuster by default, mostly image formats. We can add these to the search by navigating to Options > Advanced Options > HTML Parsing Options.

We will delete jpeg from this list and click OK.

In the File Extension field we will type in “jpeg” to explicitly tell DirBuster to look for .jpeg format files.

We can see in the testing process, DirBuster is looking for and finding jpeg files.

Evading Detective Measures

Exceeding the expected requests per second during an attack is a sure-fire way to get flagged by whatever detective measures are in place. DirBuster lets us control the requests per second to stay under this defense. Options > Advanced Options > Scan Options is where we can enable this setting.

We set Connection Time Out to 500, check “Limit number of requests per second” and set that field to 20.

Once the test is initiated, we will see results. The scan was stopped to show the initial findings.

Once the scan is complete the actual findings can be seen.
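The “detective measure” this section talks around is simple on the server side: a forced-browsing scan produces a burst of 404 responses from one client, far denser than any human visitor. The following is an added example (not code from the article or from DirBuster) that reads Apache combined-format access log lines and flags any client with more than a threshold of 404s inside a sliding window; the log lines, client addresses and thresholds are constructed for the example.

```python
"""Detect directory brute-forcing in Apache access logs by 404 burst rate.

Added example, not part of the DirBuster article. Counts 404 responses per
client IP in a sliding time window and reports clients over a threshold.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format; only the fields needed here are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), path, status; None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}


def find_scanners(lines, threshold=10, window_s=5):
    """Return {ip: time_first_flagged} for clients with more than `threshold`
    404 responses inside any `window_s`-second window. Lines must be in time
    order per client, as they are in a live access log."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent 404s
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()            # drop 404s that fell out of the window
        if len(q) > threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


def _line(ip, second, path, status):
    """Build one constructed combined-format log line (fixed date, varying second)."""
    return (f'{ip} - - [10/Nov/2018:14:05:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample log: one ordinary visitor, one client hammering 16 guesses in 2 s.
SAMPLE_LOG = [
    _line("198.51.100.7", 1, "/", 200),
    _line("198.51.100.7", 20, "/favicon.ico", 404),
    _line("198.51.100.7", 40, "/index.php", 200),
]
SAMPLE_LOG += [_line("203.0.113.5", 3 + i // 8, f"/guess{i}", 404) for i in range(16)]

if __name__ == "__main__":
    for ip, when in find_scanners(SAMPLE_LOG).items():
        print(f"{ip} exceeded the 404 threshold at {when.isoformat()}")
```

A threshold of 10 in 5 seconds is deliberately loose; tune it against a week of your own logs before wiring the output to a block list or a SIEM alert, and remember that the requests-per-second limit in this article exists precisely to slip under thresholds that are set too high.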

We hope you enjoy using this tool. It is a great tool that’s a must in a pentester’s arsenal.

Stay tuned for more articles on the latest and greatest in hacking.

Author: Shubham Sharma is a Cyber security enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

Hack the Box: Jerry Walkthrough

Hello CTF Crackers!! Today we are going to capture the flag on a Challenge named as “Jerry” which is available online for those who want to increase their skill in penetration testing and black box testing. Jerry is a retired vulnerable lab presented by ‘Hack the Box’ for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to expert level.

Level: Easy

Flags: There are two flags. (user.txt & root.txt)

IP Address: 10.10.10.95

Methodology:

  • Port scanning and IP discovery
  • Browsing the IP on port 8080
  • Enumerating served webpage
  • Getting Login Credentials
  • Attacking using Metasploit
  • Getting root Access
  • Reading the flags

Walkthrough

Since these labs are available online via VPN, they have a static IP. The IP of Jerry is 10.10.10.95

Let’s start off with scanning the network to find our target.

Here we notice a very interesting result from the nmap scan: it shows port 8080 is open for Apache Tomcat/Coyote JSP Engine 1.1

Next order of business is to browse the IP on a Web Browser.

On opening the IP in the Web Browser, we are greeted with the default Tomcat page. After some enumeration here and there, we found the “Manager App” link. On clicking this link, we are presented with a login form as shown below.

Here, after some tweaking with some passwords and other stuff, we found that clicking the “Cancel” button triggers a 401 error.

After closely reading the example on the webpage provided, we got the Logon Credentials

It’s time to attack, using the Swiss Army knife of any penetration tester: “Metasploit”.

After doing some research and some tries, it was clear that we can use the tomcat_mgr_upload exploit.

So, let’s do this:

As shown in the screenshot provided below, it is clear that the exploit runs successfully and gives a Meterpreter session with elevated privileges.

We traverse through the Directories to get flag using commands like “ls” and “cd”

After a little bit of enumeration, we get to the C:\Users directory. Here we come across the Administrator user directory, so we traverse into it, and then further into the Desktop directory.

This gives us the flags directory, which on opening gives us a text file named “2 for the price of 1”. On opening it we get both the user and root flags.
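What made Jerry fall is that the Manager App was protected by the credentials Tomcat’s own 401 error page shows as an example. The following is an added example (not code from the walkthrough, Hack the Box or Tomcat) that parses a tomcat-users.xml with the standard library and flags manager/admin accounts that use documented example credentials or an empty password. The XML document and the short credential list are constructed for the example; extend the list from your own default-credential source.

```python
"""Flag Tomcat manager accounts configured with example or empty credentials.

Added example, not part of the Jerry walkthrough. Reads tomcat-users.xml
(constructed sample below) and reports accounts that would let anyone who
reads the Tomcat docs log into the Manager App.
"""
import xml.etree.ElementTree as ET

# Constructed list of credential pairs shown as examples in Tomcat documentation
# and sample configs; extend from your own default-credential source.
EXAMPLE_CREDENTIALS = {("tomcat", "s3cret"), ("tomcat", "tomcat"), ("admin", "admin")}

# Roles that grant access to the Manager or Host Manager applications.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                 "admin-gui", "admin-script"}


def _localname(tag):
    """Strip an XML namespace prefix like '{http://tomcat.apache.org/xml}'."""
    return tag.rsplit("}", 1)[-1]


def manager_users(xml_text):
    """Yield (username, password, roles) for every user holding a manager/admin role."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _localname(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if roles & MANAGER_ROLES:
            yield el.get("username", ""), el.get("password", ""), roles


def audit_tomcat_users(xml_text):
    """Return [(username, reason)] for manager accounts with weak credentials."""
    findings = []
    for user, password, _roles in manager_users(xml_text):
        if (user, password) in EXAMPLE_CREDENTIALS:
            findings.append((user, "documented example credentials"))
        elif password == "":
            findings.append((user, "empty password"))
    return findings


# Constructed tomcat-users.xml: one doc-example account, one empty password,
# one acceptable account and one user without any manager role.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deploy" password="" roles="manager-script"/>
  <user username="ops" password="c0nstructed-Str0ng!" roles="manager-gui,manager-status"/>
  <user username="reader" password="x" roles="reader"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {reason}")
```

Beyond the credential check, the Manager App should not be reachable from outside an administrative network at all; Tomcat’s RemoteAddrValve on the manager context, or a firewall rule on port 8080, removes the foothold the Metasploit module above depends on.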

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here
