Hack the ch4inrulz: 1.0.1 (CTF Challenge)

Hello readers and welcome to another CTF challenge. This VM is made by Frank Tope as you’ll see in the very homepage on the server’s website (his resume). Nice touch, if I might add. Anyhow, you can download this VM from vulnhub here. The aim of this lab is to get root and read the congratulatory message written in the flag.

I would rate the difficulty level of this lab to be intermediate. Although, there were no buffer overflows or unnecessary exploit development, yet it did make us think a little.

Steps Involved:

  1. Port Scanning and IP clutching.
  2. Directory busting port 80.
  3. Directory busting port 8011.
  4. Discovering LFI vulnerability.
  5. Discovering an HTML backup file.
  6. Cracking password hash
  7. Logging in /development
  8. Uploading a PHP shell disguised as GIF file.
  9. Bypassing the check and triggering the file to get a netcat shell.
  10. Privilege escalation to get flag.

Alright then, let’s head into the VM all the way in.

First step is as always, running netdiscover on the VM to grab the IP address. In my case the IP was 192.168.1.103.

 

Once the IP was found, we ran nmap aggressive scan to enumerate all the open ports.

What was there to wait for after we saw port 80 open! We headed straight into the browser and a webpage got displayed which looked like a single page resume.

After not finding much, we chose to ran directory buster dirb.

 

Robots.txt seemed interesting at first but it had nothing at all. Another directory was /development. It looked like a testing site since it asked for the authentication.

We then chose to look into port 8011, after finding not much of the info. It looked like a backend to development directory.

We ran one more dirb scan on this port.

We found an interesting directory called /api. We opened it in the browser immediately.

We modified the URL parameter to /api/<api-name> but only one api seemed to be working and that was files_api.php

 

A message said “no parameter called file passed to me.” It gave us a hint that we had to pass a parameter called file.

HAHA. They got us. But still there was another thing left to try—by passing parameter through curl.

As you can see, LFI is present here!

 

Now, we tried some methods, put our hands here and there but nothing worked with this LFI.

Meanwhile, another thing that got our attention was the development server. You had a development site, you have a development server, and hence there would be more than one html files or copies of html files (backups).

One such common file is index.html.bak

It was an arrow in the dark but it hit the bullseye!

We saved it and read it using cat utility.

It had a password hash! It took us no time to copy this in a text files called hash.txt and run John the Ripper on it.

It surely were the credentials to /development authentication.

frank:frank!!!!

 

And it opened up like a beautiful treasure!

The message on this page said that the uploader tool was only half completed. So, we went to /uploader directory

The uploader had a security check for images only (jpg, png, gif) and a size limitation too.

So, here is what we did.

Traverse to the directory: /usr/share/webshells/php/php-reverse-shell.php

Open it with text editor and add GIF98 in the first line and save this file as shell.gif

Now, what this will do is that it will trick the uploader in believing the file is GIF when in reality, it is a PHP reverse shell.

So, we upload shell.gif using the uploader and the following message was received.

 

Now, the author said file was uploaded to his uploads path. Let’s get a little perspective here.

Website’s name: Frank’s website

Uploader’s name: Frank uploader.

First message on website: I love patterns

It took a while for us but we guessed it in the end, the upload’s directory would be named frank uploads.

We tried many permutations for this directory like: Frankupload, frankUploads, franksuploads etc. but the one that seemed to hit was FRANKuploads.

This step was tedious and time consuming as there was no straight connection from anywhere to this directory.

Now, all was left to trigger this file. We know for a fact that double clicking won’t do us any good so we used curl once again to get shell.

We activated netcat on a terminal side by side and typed this following curl command:

 

On other terminal, we had activated netcat:

 

As soon as curl triggered the LFI vulnerability and requested for shell.gif, we got a netcat session!

After a bit of surfing, we found a Linux Kernel exploit for version 2.6

 

On our vm shell, we downloaded this exploit, compiled it and ran it to get root!

Voila! We got root!

 

And there it was, the flag. Hope you enjoyed because we surely ddi!

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker. contact here

Hack the Wakanda: 1 (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge known as Wakanda and it is another capture the flag challenge provided for practice. So let’s try to break through it. But before please note that you can download it from here.

Security Level: Intermediate

Flags: There are three flags (flag1.txt, flag2.txt, root.txt)

Penetrating Methodologies

  • Network Scanning (Nmap, netdiscover)
  • HTTP service enumeration
  • Exploiting LFI using php filter
  • Decode the base 64 encoded text for password
  • SSH Login
  • Get 1st Flag
  • Finding files owned by devops
  • Overwrite antivirus.py via malicious python code
  • Get netcat session
  • Get 2nd flag
  • Sudo Privilege Escalation
  • Exploit Fake Pip
  • Get the Root access and Capture the 3rd flag

WalkThrough

Let’s start off with scanning the network to find our target.

We found our target –> 192.168.1.124

Our next step is to scan our target with NMAP.

The NMAP output shows us that there are 4 ports open: 80 (HTTP), 111 (RPC), 333(SSH), 48920(RPC)

Browsed the URL http://192.168.1.124 and poked around; however we were not able to get any significant clues to move forward  

We didn’t find anything on the webpage so we use dirb to enumerate the directories.

All the pages that we find in the dirb scan has size zero and we don’t find any content on any of the pages. We take a look at the source page of the index file and we find a “lang” parameter commented inside the page.

We use the “lang” parameter, just like it was shown in the page and find the text has been converted into French. Now we check if the “lang” parameter is vulnerable to LFI.

We are able to exploit the LFI vulnerability using “php://filter/convert.base64-encode” function and access the index page.

We decode the base64 encoded string and find the password “Niamey4Ever227!!!”. On the page we find that “mamadou” is the author. We use these credentials to login through ssh on the target machine.

When we login through ssh we get a python IDE prompt. We import pty module, and spawn ‘/bin/bash’ shell. We take a look at home directory for user mamaduo and find the first flag.

Enumerating through the directories, inside /tmp directory we find a file called test. We open it and find nothing interesting, but when we take a closer look at the file we find it that is owned by a devops. Now we find all the files owned by user devops and find a file called “.antivirus.py” inside /srv directory.

Now when we open the python file we find that it is opening and test file and writing “test” inside it. To exploit this, we replace the code with shellcode. First we create a msfvenom payload.

After creating the payload, we open the “. antivirus.py” file and comment out the earlier code and insert our payload without adding “python -c”.

We setup our listener using netcat, we wait for a few minutes for the script to get executed. As soon as the script is executed we get a reverse shell. When we check the UID we find that we spawned a shell for devops. Now we go to /home/devops directory and find the second flag. After getting the second flag we find that we can execute pip is super user without root.

Now there is script called Fakepip (download here), that can be used to exploit this vulnerability.

We download the fakepip script into our system to edit the payload inside.

We edit the payload inside os.system function.

We decode the base64 encoded string and change the IP address to our IP address. Then we again convert the string to base64 and replace the older string with the new one.

We start the python server on our system, so that we can upload the FakePip script into the target machine.

After we start HTTP server, we download the script on the target machine using wget. Now execute the command as per the instructions given to us on the FakePip readme file.

As soon as we run the command we get a reverse shell as root user. We now go to root directory and find the root flag.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

Hack the WinterMute: 1 (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge known as Wintermute (Part 1) and it is another boot2root challenge provided for practice. So let’s try to break through it. But before please note that you can download it from here https://www.vulnhub.com/entry/wintermute-1,239/

Security Level: Intermediate

Author Note: There are 2 important things to note down for this lab

  1. No buffer overflows or exploit development – any necessary password cracking can be done with small wordlists.
  2. Straylight – simulates a public facing server with 2 NICS. Cap this first, then pivot to the final machine. Neuromancer – is within a non-public network with 1 NIC.

Imp Note: This lab has 2 parts. The 1st part comprises of gaining the root shell of the victim machine and subsequently pivoting to another machine .To begin with , this is the 1st part of the lab ; post which we will publish the 2nd lab in upcoming days

Penetrating Methodologies

  • Network Scanning (Nmap, netdiscover)
  • HTTP service enumeration
  • Directory Traversal in browser using Email log files
  • Exploiting OS command injection in RCPT option of SMTP
  • Generate PHP Backdoor (Msfvenom)
  • Execute the backdoor embedded in RCPT option
  • Reverse connection (Metasploit)
  • Import python one-liner for proper TTY shell
  • Identify the appropriate vulnerable SUID
  • Exploiting target (exploit 4115)
  • Get root access and capture the flag

WalkThrough

Let’s start off with scanning the network to find our target.

We found our target –> 192.168.1.124

Our next step is to scan our target with NMAP.

The NMAP output shows us that there are 3 ports opened : 25 (SMTP) , 80 (HTTP) , 3000

Browsed the URL http://192.168.1.124 and poked around; however we were not able to get any significant clues to move forward  

As we are aware that port 3000 is also opened on the victim machine , hence let’s try to access the website on a Non-standard HTTP port (3000) as follows :

Browse to http://192.168.1.124:3000 and we will be greeted with the following page

As we can see a Hint at the bottom of the page , the default username and credentials are already provided to us ! Lets try to login to the page with them

Username: admin

Password : admin

 

On clicking the Flows option, we were redirected to the following page:

Here we observed few directories were listed (as shown in screenshot above), hence we thought of appending them to our URL http://192.168.1.124/ OR http://192.168.1.124:3000/

We tried accessing http://192.168.1.124:3000/turing-bolo/ however no success . Then we browsed the URL http://192.168.1.124/turing-bolo/ and got below page

 Click on Submit Query and we are redirected to the following page

http://192.168.1.124/turing-bolo/bolo.php?bolo=case

From the above screenshot we can see few log files (as highlighted).Per our experience , this could be an indication of Directory traversal where we can execute writeable files in the browser .Hence let’s try to append  ../../../log/mail to the URL in the browser as follows :

http://192.168.1.124/turing-bolo/bolo.php?bolo=../../../log/mail

Now let’s try to enumerate further and connect to the SMTP (25) port

As we can see, we got connected to the victim machine successfully. Now let’s try to send a mail via command line (CLI) of this machine and send the OS commands via “RCPT TO” option.

 

Note : We can ignore the 501 5.1.3 Bad recipient address syntax server response as seen in the above screenshot because ideally the internal email program of the server (victim machine), is expecting us to input an email ID and not the OS commands.

Now navigate back to the URL http://192.168.1.124/turing-bolo/bolo.php?bolo=../../../log/mail  

As depicted in the below screenshot of the browser , we can clearly see that mail logs files are displaying response output (www-data) of the Unix (OS) command whoami

Let’s generate a Reverse shell with the following command

Now run the web server on the Kali machine

As we got success in receiving the response of OS commands in the email log files, in a similar way there is a possibility that following this method ,we may also get the Meterpreter access of the victim machine

Hence as seen in the below screenshot , we will pass the commands in RCPT command as follows :

1.Navigate to /tmp directory and Download the shell.elf file from Kali machine

2.Modify the permissions of the shell.elf file

3.Execute our Reverse shell (shell.elf) file

Now in parallel, open the Metasploit console and perform the following

Awesome!! We got the Meterpreter session

Using sysinfo command ,we found machine architecture details which may eventually help us to find out the kernel exploit for privilege escalation

Further, navigate to shell

In order to access proper TTY shell , we had imported python one line script by typing following:

Now let’s trigger the post exploitation and try to get root access. Then by using the following command we can enumerate all binaries having SUID permission.

Per the above output , it has dumped all system binaries having SUID permissions; however /bin/screen-4.5.0 seems to be interesting .Therefore first let us begin escalating the root privileges

Upon searching exploit in kalilinux for the screen-4.5.0 exploit,

From given below image we can observe the highlighted exploit 41154.sh which is a shell script for local privilege escalation.

When we didn’t find any appropriate method to execute this shell script for post exploitation, then we approached the manual compilation method and reviewed its code using cat command.

If you will notice following code , then you will observe this script is written in C language and we have divided it into three parts for manual compilation.

  1. Copy Yellow highlighted the code and past it in a text document and save it as libhax.c
  2. Copy Orange highlighted the code and past it in a text document and save it as rootshell.c

3.Copy the remaining code in a notepad , to paste it for the later part of the section (Compilation of C Program files)

From given below image you can see I have pasted above copied inside the file rootshell.c

 

From given below image you can see I have pasted above copied inside the file libhax.c

We will save the libhax.c and rootshell.c files in the Kali Desktop shell directory for further use .Here we can see the contents of both the files in the below image

Now go back to the Meterpreter session and upload the exploit files from Kali machine Meterpreter session to the /tmp directory of the target (victim) machine.

Further, navigate to shell

In order to access proper TTY shell , we had imported python one line script by typing following:

Compilation of C Program files

Note : Refer to website https://www.exploit-db.com/exploits/41154 for the below commands

Let’s compile our C program file manually in our local system using gcc as given below.

1.Compile libhax.c file through the following command.

2.Similarly compile rootshell.c file through the following command.

Navigate to /etc directory and run the commands further

Proceed forward and access the /tmp/rootshell folder of the victim machine by typing :

Hurray !! We got into the root

Navigate to the root directory

Let’s see what file it contains

Wonderful!! We have gained access to the flag and hacked this box.

There seems to be another interesting file note.txt, lets open the same and see what it contains

As we can see there is a clue (vulnerability) for the next part (part 2) of this lab

Stay tuned!! We will be back with the next part in another article!

Author: Ankur Sachdev is Information Security consultant and researcher in the field of Network & WebApp Penetration Testing . Contact Here

Hack the Box: Holiday Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Holiday” which is available online for those who want to increase their skill in penetration testing and black box testing. Holiday is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Level: Expert

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.25 so let’s begin with nmap port enumeration.

From given below image, you can observe we found port 22 and 8000 are open on target system.

As port 8000 is running http we open the IP address in the browser, and find a webpage.

We didn’t find anything on the webpage so we use dirb to enumerate the directories.

Dirb scan gives us a link to a directory called /login, we open the link and find a login page.

We capture the login request using burpsuite. We use random credentials as placeholder.

We use sqlmap to check if it is vulnerable to sql injection. After finding that it is vulnerable to sql injection, we use sqlmap to dump the database and find a username “RickA” and password hash.

We use hashkiller.co.uk to decrypt the hash and find the password to the user.

We login using these credentials and we are redirected to a page with that looks like it contains user information.

We click on one of the UUID link and find a page that we can post notes for the users. It also shows that it will take up to 1 minute to post the note.

We try exploit the note function, and find it is vulnerable xss. As the notes are being read by administrator xss can be used to get the admin cookie. To run xss and run our payload we need to bypass the filter using java script function String.fromCharCode to run our payload. I created this script here to convert string to ascii code.

We post the note to bypass the filter we have to use this payload:

We setup our listener using nc on port 80, as we will receive the the response of the page including the administrator cookie on this port.

After waiting for 1 minute we received the admin cookie.

The cookie is url encoded we decode and use it hijack the administrator session.

We capture the webpage’s request using burpsuite. We change our cookie with that of administrator and forward it.

As soon as we forward the request, we are able to successfully hijack the administrator session.

We now go to /admin directory and find a page where there are options to export bookings and notes.

We capture the request using burpsuite, and check if it is vulnerable to any king of injection. After enumerating we find that this page is vulnerable to command injection.

We are unable to get a shell using web_delivery module of metaploit due to there being filters. Now we create a payload using msfvenom to upload into the target machine using command injection and get reverse shell.

After creating a shell, we create a python http server to upload into the target machine.

Now “.” Is not blacklisted so we convert the ipaddress into decimal number so that we can bypass the filter.

We upload the shell using wget command into the target machine and save it in /tmp directory.

As soon as we run the command we get a prompt that shell is uploaded.

We give our payload read, write and execute permission using command injection.

Now we setup our listener using metasploit.

We run the shell using command injection vulnerability on the target machine.

As soon as we run the shell we get a reverse shell.

We spawn a tty shell and take a look at the sudoers list and find that we can run /usr/bin/npm I * as root with no password.

Before trying to get root shell we first enumerate rest of the directories and find a file called “user.txt” in /home/algernon directory. We take a look at the content of the files and find the first flag.

Now we try to take root.txt we go to /app directory. We rename package.json to pack, and symlink /root/root.txt package.json

We run /usr/bin/npm i * as root user and find the final flag.

After searching through google we find a way to get reverse shell using a package called rimrafall.

We setup rimrafall by following the instructions given on the webpage.

We setup the json file and change the preinstalled script to bash one liner.

We run the command as root user to get privileged shell.

We setup the listener as soon as we run the preinstalled shell is getting executed we get a reverse shell.

We go to /root directory and find a file called root.txt. We take a look at the content of the file and find the final flag.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

Related Posts Plugin for WordPress, Blogger...