Zion: 1.1 Vulnhub Walkthrough

Today, I am going to share a writeup for the boot2root challenge of the Vulnhub machine “Zion: 1.1”. It was actually an intermediate box based on the Linux machine. The goal for this machine is to read the flag.txt file.

Penetration Testing Methodology

  • Network Scanning
    • Netdiscover scan
    • Nmap Scan
  • Enumeration
    • Enumerating HTTP service on Browser
    • Inspecting the Login Panel using BurpSuite
    • Decoding Base64 and Base62 messages
  • Exploitation
    • Crafting the Dictionary using Cewl
    • Bruteforcing using BurpSuite
    • Enumerating the Web Application
  • Post Exploitation
    • Connecting using SSH
    • Enumerating for Sudo Rights
  • Privilege Escalation
    • Abusing Sudo Rights on cp

Walkthrough

Network Scanning

We begin by scanning our network for the target machine using Netdiscover. The target machine is active on 192.168.1.109. Let’s scan it and see which services are running and which ports are open.

We do an aggressive scan on the target using nmap.

Enumeration

The scan gives us a lot of good and useful information, but what stands out the most is that port 22 and 80 are open, let’s explore port 80 first and see what we can find there.

Here we see that we have 2 buttons, The “Truth” and “Illusion”. We are given the choice for the Red Pill and Blue Pill similar situation as Neo faced in the Matrix Trilogy by Morpheus. Clicking on the Truth button, we get to a login page.

After looking around the login panel for some time, I decided to inspect the panel through the BurpSuite. I captured the request in the BurpSuite. Sent the request to the Repeater. Here, upon checking the response of the request, we see that there are some odd parameters containing values that seem to be encrypted.

Guessing that the encryption might be Base64, I decided to decode the banner value using the Decoder. This gave us a message that tells us to “Open our mind”. Also it tells us to avoid some characters.

This means that the message that was left to us is not exactly Base64. If we avoid the characters mentioned in the message we get the encryption that is Base62. So, let’s try to decrypt the message using a Base62 decrypter. You can find one online.

The message that was decoded was that it is giving us the hints for the credentials for the “Zion’s Systems”. It tells us to look at the choice page that we were on few moments before. Also, it gives us the username for the user “morpheus.thematrix”. It also tells us that the user likes to keep simple passwords.

Exploitation

There are multiple methods as to how we can try to get the passwords. We can try manually but when we have an arsenal of tools that can do this for us why waste the time. I decided to create a dictionary that can be used to bruteforce the login using cewl. Using cewl is quite simple, we need to provide the URL and the output file path. Cewl will run and create a dictionary for  all the words that are on the webpage.

Now for the brute force, we decide to use the BurpSuite’s Intruder Module. To use Intruder, we need capture the request at the “Login” button with some sample text inside the password box.

Now that we have the request, we can use it to brute force the login using the Intruder. I gave the sample text as “test”. We can send the request to Intruder using the shortcut “Ctrl + I”.

After sending the request to Intruder, we go to the Positions Tab. Here we select the Attack type as Sniper. After setting the Attack type we need to specify the Payload Positions. This is the particular text that is going to be brute-forced. Here we want to brute force the password parameter. So we select the “test” as a place holder. Add the “§” symbol around the text as shown in the image given below by clicking the “Add §” button.

Next, we moved onto the Payloads Tab. Here we have multiple sections to provide the type of payload we want to provide for the bruteforce. Payload here means the dictionary that we created using Cewl previously. We need to provide the Simple list in the Payload type option under the Payload Sets section. Next, we need to add the contents of the dictionary we created. For this we will use the Load button in the Payload Options section. This will open up a window where we can browse the dictionary we created. After doing the above steps we click on the Start attack button.

Clicking on the Start attack button opens up a yet other windows where we can see the Burp Suite try multiple requests from the dictionary. We see that we get a redirection from the password interpreted. This could mean that this is the password. Time to check it out.

We go back to the Login Panel, and try the following credentials to login.

This opens up the Zion’s System. Here we see some information about the user w.rabbit . It tells that the user w.rabbit has forgotten his password. So, the Administrator has disabled its logins using the password. But he did something related to the movies. Matrix, I suppose. Also, I see that there is a link for Private key in the top right sections as shown in the image given below.

The link leads us to a page called rabbit-hole/rsa_priv_key_for_w.rabbit.txt. This is a private key for the user w.rabbit. This means we can login into SSH using this user.

Post Exploitation

I copied the contents of the key and saved it into a empty file and save it as “key”. Now, since we have the port 22 open on the Target Machine, we will try to login on SSH using this key.  From some enumeration we find the warning.txt file. Here we see that we have to find the flag in the path mentioned. We are given the freedom to choose any method or technique we want. Enumerating further into the mail directory, I found the credentials for the user w.rabbit. We are already logged in as w.rabbit user but with the password we can run process as user w.rabbit. To find out what services we can run with elevated permissions. We can see that cp command can be run with elevated privileges as user dozer.

This means that we can run the cp command without any password or other verification.

Privilege Escalation

In the above step we got the that we can access /bin/cp as sudo for both w.rabbit and dozer and in the process of enumeration we got the sudo password for the w.rabbit. So, let’s try to use the /bin/cp file to escalate to the dozer using /bin/sudo. Using cp i.e copy command we will copy the flag.txt in the tmp folder to display the flag.txt using below command.

Here we got our /home/dozer/flag.txt. So that’s for now. See you next time.

Author: Sushma Ahuja is a Technical Writer, Researcher, and Penetration Tester. Can be Contacted on LinkedIn

Lateral Movement: Pass the Ticket Attack

After working on Pass the Hash attack and Over the pass attack, it’s time to focus on a similar kind of attack called Pass the Ticket attack. It is very effective and it punishes too if ignored. Let’s look into it.

Table of Content

  • Introduction
  • Configurations used in Practical
  • Working
  • Pass-the- Hash v/s Pass-the-Ticket
  • Pass-the-Ticket Attacks
    • Extracting Tickets: Mimikatz
    • Passing the Ticket: Mimikatz
    • Extracting Tickets: Rubeus
    • Passing the Ticket: Rubeus
  • Practical Approach: Golden Ticket Attack
  • Detection
  • Mitigation

Introduction

The articles series for Lateral Movement which includes techniques below are not the only way to further compromise the target Windows Server. There are other methods as well. One such way was discovered while I was trying to perform the Lateral Movement on the Windows Server from Kali Linux. The surprise was that I didn’t hear about this attack and even the Mimikatz supports it. So, I looked around to find that there is not much written about it. This attack is called Pass the Ticket attack and it can help the attacker to steal the Kerberos Credentials from the Linux system such as Kali Linux and then pass them on Windows Machine while authentication.

Configurations used in Practical

Attacker Machine

  • OS: Kali Linux 2020.2
  • IP Address: 192.168.1.112

Target Machine

  • Server
    • OS: Windows Server 2016
    • IP Address: 192.168.1.105
    • Domain: local
    • User: Administrator
  • Client
    • OS: Windows 10
    • IP Address: 192.168.1.106
    • User: Yashika

Working

In this attack, the attacker extracts the Kerberos Ticket Granting Ticket which is also known as TGT. It is located inside the LSASS process in the memory of the system. After extracting the ticket the attacker uses the ticket on another system to gain the access.

Pass-the-Hash v/s Pass-the-Ticket

The major difference between the Pass-the-Ticket and Pass-the-Hash attack is that the time for which the access can be acquired. In simple words, the Kerberos TGT tickets issues have an expiration time of 10 hours (This can be changed). In the case of the Pass-The-Hash, there is no expiration. The attack will work until the user doesn’t change their password.  

Extracting Tickets: Mimikatz

As discussed before the tickets are loaded inside the memory and to extract them we will be using the mimikatz. We run the keberos::list command in mimikatz to read the tickets that are located in the LSASS. To save them on the machine we will use the /export parameter.

As we can see that we have the tickets that were saved inside the directory where we had the mimikatz executable. In the previous image, we can see that we have 2 tickets and the names of those tickets can be confirmed. For a sense of simplicity, we renamed one of the tickets as ticket.kirbi.

       

Passing the Ticket: Mimikatz

Now Mimikatz doesn’t just give up after extracting the tickets. It can pass the tickets as well. This is the reason I prefer mimikatz. We go back to the mimikatz terminal. Here, we pass the ticket with the help of ptt module inside the Kerberos module followed by the name of the ticket that we want to pass. This is the reason we renamed the ticket. Now that we have successfully passed the ticket. Now to perform the actions as the user that we passed the ticket for we decided to get a cmd as that user. This can be accomplished using the misc::cmd command as shown in the image given below.

Extracting Tickets: Rubeus

First, we will use extract the tickets using Rubeus. This can be done with the help of the asktgt module. Although it is not so sneaky method it gets the work done. We need the domain name, User, Password Hash. When used normally will give the base64 encoded TGT ticket. But Let’s Pass the Ticket as well in the same step. For this, I will just give the /ptt parameter at the end as shown in the image given below. Rubeus will ask the user for a TGT ticket and after receiving the ticket it encodes the ticket in Base64 and saves the ticket. Since I used the /ptt parameter as well, it will pass the ticket in the current session as well. When the ticket is passed, we can perform the actions as the user we passed the ticket for. Here we take a look at the directories of the said user.

Passing the Ticket: Rubeus

If we don’t pass the ticket in the current session then we can use the ptt parameter separately and pass the ticket as the parameter as shown in the image given below. After successfully passing the ticket, we can use the ticket. For this, we decided to get a cmd session of the user we passed the ticket for. We will be using the PsExec64.exe as shown in the image given below.

Practical Approach: Golden Ticket Attack

Golden Ticket Attack is also a good example of the Pass the Ticket Attack. Let’s take a look at it. Mimikatz allows the attacker to create a forged ticket and simultaneously pass the TGT to KDC service to Get TSG and enable the attacker to connect to Domain Server. This can be done by running both commands on cmd as an administrator.

Above command will generate the ticket for impersonate user with RID 500.

As soon as I ran the above-mentioned commands the attacker gets a new cmd prompt which allows the attacker to connect with Domain Server using PsExec.exe as shown in the below image.

Detection

  • Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.
  • Event ID 4769 is generated on the Domain Controller when using a golden ticket after the KRBTGT password has been reset twice, as mentioned in the mitigation section. The status code 0x1F indicates the action has failed due to “Integrity check on decrypted field failed” and indicates misuse by a previously invalidated golden ticket.

Mitigation

  • For containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it.
  • Ensure that local administrator accounts have complex, unique passwords.
  • Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts.
  • Do not allow a user to be a local administrator for multiple systems.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn

Credential Dumping: DCSync Attack

The most of the Organisation need more than one domain controller for their Active Directory and to maintain consistency among multiple Domain controller, it is necessary to have the Active Directory objects replicated through those DCs with the help of MS-DRSR refer as Microsoft feature Directory Replication Service (DRS) Remote Protocol that is used to replicate users data from one DC to another. Taking Advantage of this feature the attack abuse the MS-DRSR using Mimikatz-DCSYNC.

Table of Content

  • What is DCSYNC Attack
  • Walkthorugh
  • Mimikatz
  • PowerShell Empire
  • Metasploit

What is DCSYNC Attack

The Mimikatz DCSYNC-function allows an attacker to replicate Domain Controller (DC) behaviour. Typically impersonates as a domain controller and request other DC’s for user credential data via GetNCChanges.

But compromised account should be a member of administrators, Domain Admin or Enterprise Admin to retrieve account password hashes from the others domain controller. As a result, the intruder will build Kerberos forged tickets using a retrieved hash to obtain any of the Active Directory ‘s resources and this is known as Golden Ticket attack.

Walkthrough on DCSYNC Attack

Mimikatz

So, here we have a normal user account, hence at present User, Yashika is not the member of any privileged account (administrators, Domain Admin or Enterprise Admin).

When the attacker attempts to execute the command MimiKatz-DCSYNC to get user credentials by requesting other domain controllers in the domain, this will cause an error as shown in the image. This is not possible.

So now we have granted Domain Admins right for user Yashika and now yashika has become the member of domain Admin Group which is also AD a privileged group.

We then confirmed this by listing the details of user Yashika ‘s group information and found that she is part of the domain admin group.

Now let ask for a credential for KRBTGT account by executing the following command using mimikatz:

As a result, it will retrieve the KRBTGT NTLM HASH, this hash further can be used to conduct the very famous GOLDEN Ticket attack, read more about it from here.

Similarly, for every user account in the domain with the same command, we can obtain credentials. Here, it not only requests the current hash but also seeks to get the previous credentials stored.

PowerShell Empire

If you want to conduct this attack remotely, PowerShell Empire is one of the best tools to conduct DCSYNC attack. Only you need to compromise the machine who is member privilege account (administrators, Domain Admin or Enterprise Admin) as shown here.

Now load the following module that will invoke the mimikatz Powershell script to execute the dcsync attack to obtain the credential by asking from an others domain controller in the domain. Here again, we will request for KRBTGT account Hashes and as result, it will retrieve the KRBTGT NTLM HASH.

Likewise, the Empire has a similar module that retrieves the hash of the entire domain controller users account.

Metasploit

If you have meterpreter session of the victim machine who account is member of domain admin, then here also you can execute Mimikatz-DCSYNC attack in order to obtain user’s password.

If your compromised account is a member of the domain admin group, then without wasting time load KIWI and run following command:

As a result, we found the hashes for krbtgt account and this will help us to conduct Golden Ticket attack for further.

DevRandom CTF:1.1 Vulnhub Walkthrough

Today we are going to solve another boot2root challenge called “DevRandom CTF:1.1”. It is available on Vulnhub for the purpose of Penetration Testing practices. This lab is not that difficult if we have the proper basic knowledge of cracking the labs. This credit of making this lab goes to Hunri Beats. Let’s start and learn how to successfully breach it.

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link .

Penetration Testing Methodology

Reconnaissance

  • netdiscover
  • nmap

Enumeration

  • Browsing HTTP Service
  • Local file inclusion

Exploiting

  • Password Bruteforce via hydra
  • Login to ssh

Privilege Escalation

  • Abusing sudo  dpkg

Walkthrough

Reconnaissance

We will start by scanning the network using Netdiscover tool and identify the host IP address.

We can identify our host IP address as 192.168.1.105. So let’s start with nmap port enumeration and execute following command in our terminal.

From its result, we found ports 22(SSH), 80(HTTP) were open. Also robots.txt is available .

Enumeration

For more detail, we will be needing to start enumeration against the host machine. Therefore, we will navigate to a web browser for exploring HTTP service.

Nothing was displayed on the page . So we started exploring things we found in nmap scan that is:

On seeing the above page i hit-and-trial lfi on it and boom it worked . From its result we found a user trevor .

Exploiting

We have got a username trevor, now our next job is to find the password for the user trevor with the help of hydra, thus we execute following command:

From its result , we found the password that is qwertyuiop[]

Since We have username and a password, so we tried to access the SSH on the target system and were successfully able to logged in.

let’s go for post exploitation and try to escalate root privileged. 

with the help of sudo list, we notice that trevor can execute dpkg program as root.

Privilege Escalation

As we know that dpkg is a package installer thus we need to create a malicious package and install the malicious package within the host machine with the help of dpkg as result it will escalate the root privilege.

Thus we run the following command found from gtfobin, that creates a malicious package to execute /bin/bash.

Once you will create the package, use python server to transfer this packet into host.

So, I downloaded the above malicious package inside /tmp using wget command.

Now, once I have this package inside the /tmp I can used dpkg with sudo right to install the downloaded package, as soon as it will get install we will the root privilege shell.

Author: Japneet Kaur Gandhi is a Technical Writer, Researcher and Penetration Tester. Contact  here