Hack the Box: Poison Walkthrough

Hello everyone and welcome to yet another CTF challenge from hack the box, called ‘Poison,’ which is available online for those who want to increase their skill in penetration testing and black box testing. Poison is a retired vulnerable lab presented by Hack the Box for making online penetration testing practice suitable to your experience level; they have a large collection of vulnerable labs as challenges, ranging from beginner to expert level.

Level: Easy

Task: Find user.txt and root.txt in victim’s machine

Methodology:

  1. Port scanning
  2. Using LFI to find username
  3. Gaining encrypted password file using LFI
  4. Decrypting password file
  5. Logging in to SSH using decrypted password
  6. Transferring ZIP file and extracting to find a secret file
  7. Discovery of VNC on machine
  8. VNC tunneling over SSH to get root shell
  9. Grabbing flag

Let’s get started then!

Since, these labs have a static IP, the IP address for poison is 10.10.10.84.  Let us scan the VM with the most popular port scanning tool, nmap.

 

From the result above we found two working ports on the VM, port 22 and 80 which are universal default ports for SSH and HTTP.

We immediately headed over to the webpage.

It was crystal clear only by reading that there was an LFI vulnerability involved. We tested it by inputting /etc/passwd in the scriptname section.

Which led us to the following output

From here we found that the username was “charix.” But before moving on to that part we tried all the scriptnames one by one given in the previous webpage.

It was going all monotonous until we found an interesting text file in the “listfiles.php” script.

 

 

The listfiles.php was a script that enumerated an array of the files

We found an interesting file called pwdbackup.txt. On opening it by the same process we found an encrypted password.

But it wasn’t a normal encryption, the password was encrypted 13 times. Just by looking we could tell that it was base64 encoding. So, we copied the password in a notepad file and removed the spaces between the password’s lines (present by default) and wrote the following command to decrypt it:

 

Voila! The password was found to be Charix!2#4%6&8(0

A complete logical shot in the dark was that it was the password to secure shell of the victim. So, we tried logging in to SSH.

 

 And just like that we were logged in! We found the first flag (user.txt) and another file called secret.zip

We tried unzipping it on the spot but it didn’t work. So, instead we transferred the file to our system using scp (complete article here)

 

 We got a file “secret” which could be the password of another service.

We were far from convinced that no other service was running so we scanned the victim using socat. (To read more: https://packages.debian.org/sid/sockstat)

Port number 5901 and 5908 were open which clearly are the port numbers for VNC! This could be way in.

We followed the SSH tunneling methodology (refer here)

 

IT will open up a shell. In a new terminal write:

 

 We saw authentication successful tag!

What was left now but to:

And this is how we owned the poison VM. Hope you enjoyed because we surely did!

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker. contact here

Window Privilege Escalation via Automated Script

We all know that, after compromising the victim’s machine we have a low-privileges shell that we want to escalate into a higher-privileged shell and this process is known as Privilege Escalation. Today in this article we will discuss what comes under privilege escalation and how an attacker can identify that low-privileges shell can be escalated to higher-privileged shell.

Table of Content

  • Introduction
  • Vectors of Privilege Escalation
  • Windows-Exploit-Suggester
  • Windows Gather Applied Patches
  • Sherlock
  • JAWS – Just Another Windows (Enum) Script
  • PowerUp

Introduction

Basically privilege escalation is a phase that comes after the attacker has compromised the victim’s machine where he try to gather critical information related to system such as hidden password and weak configured services or applications and etc. All these information help the attacker to make the post exploit against machine for getting higher-privileged shell.

Vectors Privilege Escalation

Following information are considered as critical Information of Windows System:

  • Version of operating system
  • Any Vulnerable package installed or running
  • Files and Folders with Full Control or Modify Access
  • Mapped Drives
  • Potentially Interesting Files
  • Unquoted Service Paths
  • Network Information (interfaces, arp, netstat)
  • Firewall Status and Rules
  • Running Processes
  • AlwaysInstallElevated Registry Key Check
  • Stored Credentials
  • DLL Hijacking
  • Scheduled Tasks

There are several script use in Penetration testing for quickly identify potential privilege escalation vectors on Windows systems and today we are going to elaborate each script which is working smoothly.

Windows-Exploit-suggester

If you have victim’s low-privilege meterpreter or command session then use can use Exploit-Suggester.

This module suggests local meterpreter exploits that can be used. The exploits are suggested based on the architecture and platform that the user has a shell opened as well as the available exploits in meterpreter. It’s important to note that not all local exploits will be fired. Exploits are chosen based on these conditions: session type, platform, architecture, and required default options.

As you can observe it has suggested some post exploits against which the target is vulnerable and that can provide higher-privilege shell.

Windows Gather Applied Patches

This module will attempt to enumerate which patches are applied to a windows system based on the result of the WMI query: SELECT HotFixID FROM Win32_QuickFixEngineering.

As you can observe it has also shown that the target is possibly vulnerable to recommended exploit that can provide higher-privilege shell.

Sherlock

It is a PowerShell script to quickly find the missing software patches for local privilege escalation vulnerabilities. It also as similar as above post exploit as gives suggestion the target is possibly vulnerable to recommended exploit that can provide higher-privilege shell.

Download it from git hub with help of following command and execute when you have victim’s meterpreter session at least once.

Since this script should be execute in power shell therefore load power shell and then import the downloading script.

The above command will show that the target is possibly vulnerable to recommended exploit that can be used to achieve higher-privilege shell.

JAWS – Just Another Windows (Enum) Script

JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so ‘should’ run on every Windows version since Windows 7.

Current Features

  • Network Information (interfaces, arp, netstat)
  • Firewall Status and Rules
  • Running Processes
  • Files and Folders with Full Control or Modify Access
  • Mapped Drives
  • Potentially Interesting Files
  • Unquoted Service Paths
  • Recent Documents
  • System Install Files
  • AlwaysInstallElevated Registry Key Check
  • Stored Credentials
  • Installed Applications
  • Potentially Vulnerable Services
  • MuiCache Files
  • Scheduled Tasks

Once you have meterpreter shell, upload the downloaded script and use command shell to run the uploaded script

It will store the critical information into a text file named as “JAWS-Enum.txt” 

As said the JAWS-Enum.txt file must have been stored the vector that can lead to privilege escalation, let’s open it and figure out the result.

In the following image you can observe it has shown all user name and IP configuration.

In this image we can clearly observe the result of NetStat.

In this image we can clearly observe the result of running process and services.

In this image we can clearly observe all install program and patches.

In this image we can clearly observe the folder with full control and Modify Access and hence many more information can be extracted by running this script.

PowerUp

PowerUp is a powershell tool to assist with local privilege escalation on Windows systems. PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.

Running Invoke-AllChecks will output any identifiable vulnerabilities along with specifications for any abuse functions. The -HTMLReport flag will also generate a COMPUTER.username.html version of the report.

Current Feature

Service Enumeration:

  • Get-ServiceUnquoted : – returns services with unquoted paths that also have a space in the name.
  • Get-ModifiableServiceFile :- returns services where the current user can write to the service binary path or its config.
  • Get-ModifiableService : – returns services the current user can modify.
  • Get-ServiceDetail :- returns detailed information about a specified service.

Service Abuse:

  • Invoke-ServiceAbuse : –   modifies a vulnerable service to create a local admin or execute a custom command.
  • Write-ServiceBinary : – writes out a patched C# service binary that adds a local admin or executes a custom command.
  • Install-ServiceBinary :- replaces a service binary with one that adds a local admin or executes a custom command.
  • Restore-ServiceBinary :- restores a replaced service binary with the original executable.

DLL Hijacking:

  • Find-ProcessDLLHijack : – finds potential DLL hijacking opportunities for currently running processes
  • Find-PathDLLHijack :- finds service %PATH% DLL hijacking opportunities
  • Write-HijackDll : – writes out a hijackable DLL

Registry Checks:

  • Get-RegistryAlwaysInstallElevated :- checks if the AlwaysInstallElevated registry key is set
  • Get-RegistryAutoLogon :- checks for Autologon credentials in the registry
  • Get-ModifiableRegistryAutoRun :- checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns.

Now use following command to download it from git hub as said above powerUp is the module of powersploit therefore we need to download package of powersploit.

Again

The above comand will show that the target is possibly vulnerable to recommended exploit that can be used to achieve higher-privilege shell.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Hack the /dev/random: K2 VM (boot2root Challenge)

Hello friends! Today we are going to take another CTF challenge known as /dev/random: k2. The credit for making this vm machine goes to “Sagi-” and it is another boot2root challenge in which our goal is to get root to complete the challenge. You can download this VM here.

We are given the credentials to login the VM machine (user:password)

Let us start form getting to know the IP of VM (Here, I have it at 192.168.199.138 but you will have to find your own

We use the given credential to login through ssh. After loggin in we check the sudoers list and find that we can run /bin/calc as user “user2”.

We use strace to debug the binary and if there are missing files or dependencies. We find there is a shared object file missing in /home/user/.config/ directory called libcalc.so.

We check /home directory and find that the user directory has all permission for the owner only. We give read and execute permission to users in the same group and others. Then we created a directory called .config so that we can create our shared object inside it.

We created a binary that copy’s /bin/bash into /tmp directory, give it suid permission and run it.

We save the file as libcalc.c, then we compile and run the /bin/calc as user2. As soon as we run the application we check the id and find that we have successfully spawned a shell as user2.

After spawning a shell as user2 we try to enumerate the machine and find that there is cronjob that runs a file called /sbin/bckup for user3.

We check the content of this file and find that it is a ruby script that creates a zip file in /tmp/ directory.

We check the zip library of that this ruby is using and find that we can write the file.

We change the content of the file and add that bash command to copy /bin/bash and save it in /tmp/ directory as bash2 and set suid bit.

We wait for some time and go to the /tmp/ directory. After changing the directory, we find bash2 has been created by user3. We run the new bash file and successfully spawn a shell as user3.

As we effective user id and not the actual used id of user3. We create a c program that spawns a shell as user3’s uid and gid.

We compile the program and run it. After running the program, we successfully spawn a shell with user3’s uid and gid.

Now we try find files with suid bit set and find a file called “whoisme” is “/usr/bin/local/” directory.

When we run the file it outputs the string “user”. When we check binary file with strings command we find that it runs setuid, system, setgid and logname command.

We run by ignoring the enviroment we use PS4 variable to copy /bin/bash in /tmp/ directory as bash4 and change the ownership to root and set suid bit and run it along the binary file.

As soon as we run the file we find our copied bash file. We run the file and spawn a shell as root user. We go to root directory and a file called flag.txt.

We take a look at the content of the file and find our congratulatory flag.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

Hack the Box: Stratosphere Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Stratosphere” which is lab presented by Hack the Box and is available online for those who want to increase their skill in penetration testing and black box testing. Stratosphereis retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Easy

Task: find user.txt and root.txt file in victim’s machine.

WalkThrough

Since these labs are online available therefore they have static IP. The IP of Stratosphereis 10.10.10.64

Let’s start off with scanning the network to find our target.

As per nmap port 80 is open for HTTP let’s explore the target IP in the browser. After exploring port 80, we was welcomed by following page where we didn’t found any informative clue. 

After then we visit Port 8080 for HTTP proxy and here also we get same web page. We try to inspect source code of port 80 and 8080 but we got nothings.

Therefore next we decided to have directory brute force attack with help of Dirbuster and used wordlist “dictionary-list-2.3-medium.txt” for the attack.

Luckily it fetched some web directories such as /Monitoring, let’s explore it in the web browser.   

So when we try to open the URL http://10.10.10.64:8080/Monitoring then it gets redirect to http://10.10.10.64:8080/Monitoring/example/Welcome.action for login. I closely look at the URL containing .action extension, so I made Google search to extract complete information related to this extension. I found action extension is utilized by apache struts2 which has a history of bugs and vulnerabilities and if you will search for its exploit, you will get lot of python scripts and exploits to compromise this service.

So we used nmap script to identify its state of vulnerability

Awesome!!! It is vulnerable to cve2017-563, let’s exploit it.

I found an exploit Struts-Apache-ExploitPack , lets download it from git hub and give full permission.

 

Now run the following command to exploit the victim machine.

So now we have database credential, let’s utilized them for getting all information from inside the database. 

Here I found Password “9tc*rhKuG5TyXvUJOrE^5CK7k” for user Richard, now let’s try to connect with SSH using these credential.

Yuppie we successfully logged in victim’s machine, so now let get the user.txt and root.txt

Here we notice that test.py was computing some hash values and at the end it will give success.py from inside the root directory and whole script is depends upon hashlib. 

Then we also check sudo rights for Richard and found he has sudo right to run all type of python script. So very first we check test.py file and start solving hashes in order to get success.py

So we got the hash value, now we need to decode it and after decoding I found “kayboo!”

On submitting the decoded text, it generated a new hash for further step and again I decode it and submit the answer and after then again a new hash and it was processing repetitively same at each time on submitting decoded text.

Since test.py was importing hashlib which was a python library so I last option was python library hijacking to escalate the root privilege.    

Therefore I create a hashlib.py script in the current directory to import system binary ‘/bin/bash’ and hence now when we will run test.py then it will import hashlib.py which will calls /bin/bash binary file.

Booom!!! Here we owned root access, now let’s get the root.txt file and finish this task.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Related Posts Plugin for WordPress, Blogger...