Hack the Box Challenge: Canape Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Canape” which is available online for those who want to increase their skill in penetration testing and black box testing. Canape is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Level: Intermediate

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online available therefore they have static IP and IP of Canape is 10.10.10.70 so let’s begin with nmap port enumeration.

From given below image, you can observe we found port 80 and 65535 are open on target system.

As port 80 is running http server, we open the target machine’s IP address in our browser and find that it is a fan site for the Simpsons.

We don’t find anything on the webpage, so we run dirb scan to enumerate the directories. The target machine responded with 200 OK for every request but for the /.git/Head directory the size of the response changed.

We open the /.git/ directory and find the config file.

When we open the config file, we find a domain name “git.canape.htb”.

Now we have added the domain name of the target machine in /etc/hosts file to access the webpage using IP address as well as domain name.

Now we can clone the local git repository using the following command:

Here we found out a file named “__init__.py” in Simpsons folder as shown in the image.

After download the files, we open “__init__.py” and find that this program might be vulnerable insecure deserialization as it uses a vulnerable function “cPickel.loads(data)”.

Now we create a program to exploit this vulnerability and get reverse shell. You can download the exploit from here.

We setup our listener “netcat” before running the program and run the following command:

After getting reverse shell, we start penetrating more and more. We check for the open ports in the target machine that might be listening locally and find that a service is running on port 5984 for the Apache couchDB.

Apache couchDB is an open source database software. We check the version of couchDB and also find all the databases using the following command:

Using the above command, we find the version of couchDB to be “2.0.0”. This version of couchDB is vulnerable to remote privilege escalation. You can find more about this vulnerability here.

Then we create a user with permissions to read the database with following command.

We then dump the database with the following command:

The above command will dump the password and we will find the password for SSH login. Now all we need to do is find the username.

We open /etc/passwd to find users available on the target machine. We find that there is only one proper user called homer.

We login through SSH using the credentials we found earlier “homer:0B4jyA0xtytZi7esBNGp”. After login we find a file ‘user.txt’. We open the file and find our first flag.

After getting the flag, we checked the sudoers list and find homer has permission to run “pip install *” as root user.

Now as we know we can run “pip install *” as root, we are going to abuse it by creating a reverse shell and saving it as “setup.py”.

We are going to use netcat pipe one liner to get reverse shell.

Now we can run our reverse shell using the following command:

Remember to setup the listener before running the above command.

As soon as we run our command, we get our reverse shell as root user. We now move to /root directory and to get “root.txt”. We take a look at the content of the file and find our final flag.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. ContacHere

Hack the MinU: 1 (CTF Challenge)

Hello Friends! Today we are going to solve another CTF challenge “MinU: 1” This boot2root is an Ubuntu Based virtual machine and has been tested using Virtual Box. The network interface of the virtual machine will take its IP settings from DHCP. Your goal is to capture the flag on /root.

You can download it from here: https://www.vulnhub.com/entry/minu-1,235/

Level: Easy/Intermediate

Penetrating Methodology

  • Network scanning (Nmap)
  • Web Directory Enumeration (Dirb)
  • Found RCE Vulnerability
  • Digging out JSON Web Token from inside ._pw_
  • Obtain password by using “c-jwt-cracker” for JSON Web Token
  • Generate elf payload (msfvenom)
  • Upload the backdoor inside /tmp
  • Obtain reverse session (Netcat)
  • Go for root access
  • Use envirnoment shell to spwan proper tty shell
  • Capture the Flag

WalkThrough

Since the IP of the target machine is 192.168.1.108, therefore let’s start with namp aggressive scan.

 

From the nmap scan result, we found port 80 is open for http service, let’s navigate to port 80 through browser.

Since we found nothing at the home page, therefore next we used dirb for web directory enumeration.

With the help of above command, we try to enumerate .php extension files and luckily we found a “test.php” file.

So, when we explored /test.php file in the browser, it welcomes us with the following web page, where we found a hyperlink for the next web page.

Here the web page “Read last visitor data” was vulnerable to remote code execution. As you can observe that in the URL we try to run pwd command. As result, it shown /var/www/html as the current directory.

Next, we had used wafwoof for scanning the type of web application firewall used on the target machine.

After we run wafw00f we find that the target machine has implemented modsecurity as web application firewall.

After finding out the WAF, we bypass it by executing following command in the URL.

Hence we found out the kernel details of the target machine.

Similarly, we run following command to find out available user directory inside the /home folder.

So we found bob could be the name of user directory.

Then we run following command to view the available file and folder inside /home/bob.

Here we found a file”._pw_

Then we opened the above obtained file with help of cat command and for that we run the following command.

It put up some encoded text in front of us which could be the password but I did not know much about it, what this was, therefore I take help from google and found out that this is a JSON Web Token.

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Source: https://jwt.io/introduction/

So I found a tool from the github to crack the JSON web token called c-jwt-cracker.

Copy the encoded text from the “._pw_” to decrypt it.  Now run the c-jwt-crack tool and paste the encoded string as its argument as shown in the image.

This will give the password: “mlnv1

Now let’s create a payload using msfvenom with the help of following command:

Above command will generate the elf payload, now we will transfer this malicious file “shell” to the target with the help of PHP server.

Then download the above malicious file with the help of wget, hence you can run the following command for downloading it into target machine.

Now let’s check whether the file is uploaded successfully or not!

Run following command to view the malicious file “shell” file inside the /tmp directory.

Yuppieee!!! In the given below image you can observe that we have successfully uploaded the shell file.

Now give the full permission to the uploaded file “shell” with the help of the following command:

 

Let’s verify the given permission with help of the following command:

Now let’s execute the file “shell” but do not forget to start netcat as the listener.

Hurray!!! We got the reverse shell of the target’s machine and now let’s try to grab the flag.txt file to finish this task. For grabbing the flag.txt file we need the root access and proper tty shell of the machine.

Here we try to use python-one-liner to spawn a tty shell but unfortunately python was not installed on the target machine. So instead we used environment variable to spawn the tty shell.

Now run the following commands to spawn the tty shell and then try to capture flag.txt file.

Boooom!!!! We have root access now let’s fetch the flag.txt file.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Hack the ROP Primer: 1.0.1 (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge known as ROP Primer. The credit for making this vm machine goes to “Bas” and it is another capture the flag challenge in which our goal is to capture all the flags to complete the challenge. You can download this VM here.

We have 3 levels available here and we are given the login credentials of all of 3 machines which are as follow:

Levels Username Password
Level 0 level0 warmup
Level 1 level1 shodan
Level 2 level2 tryharder

We had one binary per level, which we have to exploit each one to successfully extract flags from them.

You can download all the exploit used from here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.199.139 but you will have to find your own

LEVEL 0:

Now we use the given credentials to login through ssh as user level0. After logging in we find 2 files one executable file called level0 and another file called flag. Both files are owned by level1 user, but the binary file has suid bit set so we can execute it. When we run it we find that it takes a string as input and then outputs a message along with the string.

GDB-peda is provided by the author in the lab so we can directly analyse the binary in the target machine itself. Opening the binary in gdb we find that there is a gets function. Now gets is vulnerable to buffer overflow so we try to exploit it.

We created a 500 bytes long pattern using gdb-peda and used it as input for the binary.

As soon as we passed the string we get a segmentation fault error, we use pattern offset function of gdb-peda to find the EIP offset and find that after 44 bytes we can completely overwrite EIP register.

Now we check for security and find that there is no ASLR but NX is enabled so we cannot execute shellcode on the stack.

As NX is enabled we can still use ret2libc attack to spawn a shell. But when we try to print the memory address of system we find that there is no system so we cannot execute /bin/sh to spawn a shell.

In the description we are given a hint that we can use mprotect to solve this problem.

When we take a look at the man page for mprotect we find that it used to change protection of portions of memory by making it readable, writeable and executable. We also find it takes 3 parameters address, length of the memory that needs to be changes and protection level.

As we can make portions of memory readable, writeable and executable, we are going to use memcpy function to insert our shellcode into the block of memory.

Now need to select which section of the memory we are going to change, so we use gdb to see how the memory is mapped.

We are going to take 0x080ca000 as target memory and we are going to mark 4KB of memory starting from 0x080ca000 as readable, writeable and executable. We create an exploit to this for us.

We save the output of this program in a file called input, we are going to use this as our input for the binary file.

When run the binary in gdb with using the input from our exploit, we take a look at the mapped memory and find that the memory block we selected was marked as readable, writeable and executable.

Now we need to remove mprotect’s parameter from the stack so that we can redirect the flow of execution, mprotect function uses 3 parameters so we need to pop 3 values off the stack so we use ropgadget function in gdb and find a gadget pop3ret at 0x8048882.

Now we create the exploit to get an elevated shell. We use cat to keep the shell alive, we run the exploit and now we can access the flag. We take a look at the content of the file and find our first flag.

LEVEL 1:

After completing level0, we login as level1 using the given credentials. We find a file called flag, bleh and a binary file called level1 with suid bit set. When we run the binary it says that error binding.

We check the listening ports on the target machine and find that port 8888 is open. We check processes with uid 1002 and find it is level1.

We connect it it and find it is an application that can be used to store and read files.

We open the binary in gdb and take a look at the assembly code for further analysis.

We setup a breakpoint on the main function. At main+115 we found that port 8888 is stored on the stack. We changed the value stored in the memory address to port 8889 so that we can run the program.

We create a 128 bytes long pattern using pattern_create.rb script in our system. So that we can pass the string as the name of the file.

After changing the port number, we connected to it and stored a file with 128-byte size.

After mentioning the size of the file, it asks for the file name. We passed the 128 bytes long pattern as the file name.

When we switch to gdb we find that we get a segmentation fault.

We now use the patten_offset.rb script to find the EIP offset.

We are given a hint in the description of this challenge that we can use read, write and open function to open the flag and read it.

We are now going to need ropgadget, we need pop2ret for gadget for open function and pop3ret gadget for read function.

Now if we can get the address of the ‘flag’ string, then we can just read the flag and output it to the connected socket.

We create an exploit to get the flag. We run it and find the flag.

LEVEL 2:

After completing level1, we login as level2 using the given credentials. We find a file called flag and a binary file called level2 with suid bit set. When we run the binary, we find that it takes a string as an argument and then prints it.

We open the file in gdb for further analysis and find that at main+46 it calls strcpy function. As strcpy function is vulnerable to buffer overflow we exploit it.

On further analysis we find that it is similar to level0 binary file, we create a 500 bytes string and pass its argument and find the EIP offset to be 44 bytes.

This binary file has strcpy function instead of gets we cannot use “\x00”. So we use gadgets to do our work. We use ropshell.com to find all the gadgets used in this exploit.

We modified the exploit we created for level0 and inserted our gadgets. We use read function instead of memcpy function in this exploit. (Gadgets are explained in the exploit code).

As soon as we run our exploit we spawn a shell as root user. We open the flag file and get our final flag.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

Multiple Ways to Secure SSH Port

Secure Shell (SSH) is defined as a network protocol to operate network services securely over an unsecured network. The standard TCP port for SSH is 22. The best application of SSH is to remotely login into computer systems by users.

This article will be explaining about the network securities which help the network administrator to secure the service of SSH on any server through multiple ways.

 Methods Used:

  1. Port Forwarding
  2. Disable Password Based Login And Using PGP Key (Public Key)
  3. Disable Root Login and Limit SSH User’s Access
  4. Google Authenticator
  5. Time Scheduling
  6. Disable Empty Passwords

Before moving on, Let us first install SSH server on our client machine using following command.

Port Forwarding

Once the SSH services are configured and running, we can begin with our first security measure which is Port Forwarding. Upon initiating the scan on client’s machine IP address using nmap , it shows that SSH is running on Port 22.

Navigate to /etc/ssh and we will find a file named sshd_config in the client’s machine.

cd /etc/ssh

Open the file sshd_config using nano command.

Now change the port 22 to port 2222 as shown in the below screenshot and save the changes made in the sshd_config file . Hence , in this way we have forwarded the port from 22 to 2222.

Now to confirm port forwarding, we will again scan the Client’s IP address using nmap

The output of the nmap shows that TCP port 2222 is opened ; however shows EthernetIP-1 in the service description which doesn’t give exact description of the service running .So we will run the following nmap command with version detection option

With the next output of nmap , it is clearly visible that SSH services are running on TCP Port 2222 along with the description of OpenSSH version.

Secure With Public Key

To begin with this security measure we need to download and install PuTTY Key Generator.

Note : PuTTYgen is an key generator tool for creating SSH keys for PuTTY and stores keys in its own format ( .ppk extension)

Open it and Click on Generate.

Clicking on Generate will initiate the process of generating a Public and Private Key  , as shown in the image.

Once Public and Private Key are generated , click on Save Public Key. This will save the key as a Public Key.

Now open the Ubuntu terminal of our server and type ssh-keygen.

The above command will create a folder named .ssh and then create an empty text file with the name authorized_keys in the same folder. After that copy the “ssh_login.ppk” file which was created using PuTTy Key Generator previously and paste it into the .ssh folder as shown in the image.

In the terminal, move into .ssh folder and type the following command:

This command will generate a key.

Now copy this key and paste it in the empty file named authorized_keys using nano command and save it.

Now open the putty configuration tab, then go to Session tab and give the IP Address & Port Number of your Clients Machine were ssh server is configured.

Now go to data and give Auto-login username.

Navigate to SSH>Auth and give the path of ssh_login.ppk file (public key that was generated earlier) and then click Open.

It will simply use the public key to Login into SSH Server without asking for Password.

Open the sshd_config file in /etc/ssh using gedit command .Here we will make changes in line #PasswordAuthentication as shown in the image.

Current configuration

#PasswordAuthentication yes

Now we will edit parameter value yes to no and remove the # (hash) as shown in the below image. Once done save the changes made. These changes will disable any user to log into SSH Server using the password.

PasswordAuthentication no

As you can see these settings have disabled password based login and is indeed asking for a Public Key to log in.

Disable Root Login and Limit SSH User’s Access

To begin with this security measure you need to make some new User’s using adduser command (New User’s We have Created: h1,h2,h3,h4) then make changes in the sshd_config file in /etc/ssh using gedit command. Type the Following Lines under #Authentication:

#No root login allowed (h2 can login as sudo –s)

PermitRootLogin no

## only allow 1 users h2 (sysadmin)

AllowUsers h2

Remember to save the changes made. This will disable Root Login and will allow only h2 user to log into ssh server remotely.

As you can see only h2 user is able to successfully log into SSH Server, where h1 and h3 users permission to log into SSH Server is denied.

 Google Authenticator

To begin with the two-factor authentication over SSH Server,you need to download the google authenticator application on your phone and also install the required dependency package for Ubuntu using following command:

NOTE-The installation of google authenticator will as ask a couple of questions give Yes for every question asked.

After the installation is completed. Open terminal and type command:

We will see a barcode. Scan it using the google authenticator application on your phone.

Once the application has scanned the barcode, it will start generating One Time Password’s as shown in the image.

Now open sshd file in /etc/pam.d using gedit command and make the following changes:

  1. Add # to @include common-auth
  2. Add Line (auth required pam_google_authenticator.so) under @include common-password

As shown in the image.

Now open sshd_config file in /etc/ssh using gedit command and make the following changes.

ChallengeResponseAuthentication yes

When we log into SSH Server it will prompt for a verification code, Here we have to enter the One Time Password generated on our google authenticator application. As you can see we have successfully logged into SSH Server using One Time Password.

Time Scheduling

In this security measure we are going to set time limit on SSH service on the server.

Cron is a is a built-in service of linux to schedule task , which enables a job (command or script) on the server to run automatically over specified time and date.

Here we are going to schedule SSH services using crontab

We had open crontab in /etc using nano command. Now lets schedule ssh service in a way that it will start for every 2nd minute and will get stop after every 4th minute. The command used to schedule the SSH Service are given below:

*/2 * * * * root service ssh start

*/4 * * * * root service ssh stop

Save the changes made in the file.

Wait for service to reboot. Using nmap we have scan port 22.

After running the scan , we will observe that ssh service on port 22 is CLOSED because it is the 4th minute which has started.

Now if our command is working properly it should start itself on every 2nd minute, to confirm it we will again initiate a scan using nmap.

As we can see that the port is in OPEN state now.

Disable Empty Password

In this security measure , as a best practice ; one should always disable empty password login to the SSH Server. To enable this setting we need to open sshd_config file using gedit command and make the following changes:

PermitEmptyPasswords No

These changes will simply disable empty password login’s into SSH Server.

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. See’s things from a different angle and an out of the box thinker. Contact Here

Related Posts Plugin for WordPress, Blogger...