Hacker Fest: 2019 Vulnhub Walkthrough

Hacker Fest:2019 VM is made by Martin Haller. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. It is of easy level and is very handy in order to brush up your skills as a penetration tester. The ultimate goal of this challenge is to get root and to read the root flag.

Level: Easy

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

  • Network Scanning
    • Nmap port scan
  • Enumeration
    • Browsing HTTP Service
    • Scanning WordPress (wpscan)
  • Exploiting
    • WordPress Google Maps Plugin SQL Injection
    • WordPress_admin_shell_upload exploit
  • Privilege Escalation
    • Abusing Sudo Rights

Walkthrough

Network Scanning

To identify target IP address we will initiate with netdiscover and thus we found 192.168.0.20. Let’s now go for advance network scanning using the nmap Aggressive scan.

We learned from the scan that we have the port 80 open which is hosting Apache httpd service, along with the ports 21 and 22  open. This tells us that we also have the FTP service, SSH Service running on the target machine.

Enumeration

Since we got the port 80 open, we decided to open the IP address in the web browser.

This gave us a site that looks like a WordPress site, it’s time to perform a wpscan on the target machine.

If we move further down in the wpscan result we find the WordPress google map plugin. It is not updated. So, this could help us. Let’s try and exploit it.

WordPress Google maps Sqli Exploit

We searched the google maps on the Metasploit Framework.  This gave us the following exploit. This exploit works on a SQL injection vulnerability in a REST endpoint registered by the WordPress plugin wp-google-maps between 7.11.00 and 7.11.17 (included). As the table prefix can be changed by administrators, set DB_PREFIX accordingly.

So, we got the following hash through the SQL injection that was on the target machine.

Whenever we get some hashes all we remember is our best friend John The Ripper. The hashes were saved in a file named ‘hash’. We ran it through john. After working on it for some time. John cracked one of the hashes, it came out to be ‘kittykat1’.

The very first method that we have is Metasploit framework, this module takes an administrator username and password, logs into the admin panel, and uploads a payload packaged as a WordPress plugin. Because this is authenticated code execution by design, it should work on all versions of WordPress and as a result, it will give meterpreter session of the webserver.

Great!! It works wonderfully and you can see that we have owned the reverse connection of the web server via meterpreter session.

Privilege Escalation

On the other hands start your attacking machine and first compromise the target system and then move to the privilege escalation phase. After successful login in the victim’s machine now executes below command to know sudo rights for the current user.

Author: Japneet Kaur Gandhi is a Technical Writer, Researcher and Penetration Tester. Contact here

Lxd Privilege Escalation

In this post we are going to describes how an account on the system that is a member of the lxd group is able to escalate the root privilege by exploiting the features of LXD.

A member of the local “lxd” group can instantly escalate the privileges to root on the host operating system. This is irrespective of whether that user has been granted sudo rights and does not require them to enter their password. The vulnerability exists even with the LXD snap package.

LXD is a root process that carries out actions for anyone with write access to the LXD UNIX socket. It often does not attempt to match the privileges of the calling user. There are multiple methods to exploit this.

One of them is to use the LXD API to mount the host’s root filesystem into a container which is going to use in this post. This gives a low-privilege user root access to the host filesystem. 

Table of Content

  • Introduction to LXD and LXC
  • Container Technology
  • LXD Installation and Configuration
  • LXD Installation and Configuration

Introduction to LXD and LXC

Linux Container (LXC) are often considered as a lightweight virtualization technology that is something in the middle between a chroot and a completely developed virtual machine, which creates an environment as close as possible to a Linux installation but without the need for a separate kernel.

Linux daemon (LXD) is the lightervisor, or lightweight container hypervisor. LXD is building on top of a container technology called LXC which was used by Docker before. It uses the stable LXC API to do all the container management behind the scene, adding the REST API on top and providing a much simpler, more consistent user experience.

Container Technology

Container technology comes from the container, is a procedure to assemble an application so that it can be run, with its requirements, in isolation from other processes container applications with names like Docker and Apache Mesos ‘ popular choices have been introduced by major public cloud vendors including Amazon Web Services, Microsoft Azure and Google Cloud Platforms.

Requirement

Host machine: ubuntu 18:04

Attacker machine: Kali Linux or any other Machine

Let’s Begin !!

So here you can observe that we have a profile for user “raj” as a local user account on the host machine.

LXD Installation and Configuration

Now install lxd by executing the following command:

Also, you need to install some dependency for lxd:

Now to add a profile for user: raj into the lxd group, type following command:

So now you can observe user “raj” is part of lxd groups.

Now you can configure LXD and start the LXD initialization process with the lxd init command. During initialization it will ask for choosing some option, here majorly we have gone with DEFAULT options. But for the storage backend, we have choose “dir” instead of zfs.

Once you have configured the lxd then you can create a container using lxc. Here we are creating a container for “ubuntu:18.04” and named as “intimate-seasnail”. Further use lxc list command to view the available installed containers.

Connect to the container withthe help of lxc exec command, which takes the name of the container and the commands to execute:

Once your are inside the container, the shell prompt will look like as following below.

Privilege Escalation

Privilege escalation through lxd requires the access of local account, therefore, we choose SSH to connect and take the access local account on host machine.

Note: the most important condition is that the user should be a member of lxd group.

In order to take escalate the root privilege of the host machine you have to create an image for lxd thus you need to perform the following the action:

  1. Steps to be performed on the attacker machine:
  • Download build-alpine in your local machine through the git repository.
  • Execute the script “build -alpine” that will build the latest Alpine image as a compressed file, this step must be executed by the root user.
  • Transfer the tar file to the host machine
  1. Steps to be performed on the host machine:
  • Download the alpine image
  • Import image for lxd
  • Initialize the image inside a new container.
  • Mount the container inside the /root directory

So, we downloaded the build alpine using the GitHub repose.

On running the above command, a tar.gz file is created in the working directory that we have transferred to the host machine.

On another hand we will download the alpine-image inside /tmp directory on the host machine.

After the image is built it can be added as an image to LXD as follows:

use the list command to check the list of images

Once inside the container, navigate to /mnt/root to see all resources from the host machine.

After running the bash file. We see that we have a different shell, it is the shell of the container. This container has all the files of the host machine. So, we enumerated for the flag and found it.

Source: https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1829071

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

bossplayersCTF 1: Vulnhub Walkthrough

bossplayersCTF 1 VM is made by Cuong Nguyen. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. It is of intermediate level and is very handy in order to brush up your skills as a penetration tester. The ultimate goal of this challenge is to get root and to read the root flag.

Level: Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

Network Scanning

  • netdiscover
  • nmap port scan

Enumeration

  • Browsing HTTP Service
  • Performing Directory Bruteforce
  • Decoding Encoded Text

Exploiting

  • Command Injection

Privilege Escalation

  • SUID on find command

Capture the flag

Walkthrough

Network Scanning

The first step to attack is to identify the target. So, identify your target. To identify the target, we will use the following command:

Now we will run an aggressive port scan using nmap to gain the information about the open ports and the services running on the target machine.

We learned from the scan that we have the port 80 open which is hosting Rocket httpd service, and we have the port 22 open. This tells us that we also have the OpenSSH service running on the target machine.

Enumeration

Further, we need to start enumeration against the host machine, therefore we navigated to a web browser for exploring HTTP service. Here we have the description of the machine that tells us that this is an extremely easy CTF. It is for those who are getting started with the CTFs. It also tells us that there might be rabbit holes. So we will try to avoid those.

Now as the convention, we checked the source code of the webpage in the hope to get some valuable hint to move forward with our enumeration. Here, we got an encoded value. This might lead us somewhere.

But we wanted to further enumerate with a directory bruteforce. To do this we will use the dirb. With this directory bruteforce scan, we got a robots.txt file. On browsing it on our web browser we see that we have another encoded text titled as super-secret password. We decoded it to find a troll message “lol try harder bro”. This might be the rabbit hole mentioned earlier. 

We went back to the commented encoded text we found earlier in the Source code of the webpage. It seemed like Base64, so we tried to decode it using base64 command. It gave back another encoded text. This also seemed like Base64, so we decoded it again. This gave back another encoded text. This is getting really tiring. Now we decoded it again to find workinginprogress.php. Not this seems important. All those decodings were not gone for waste.

We tried to open this file on our Web Browser as shown in the image given below. It was a checklist of some kind. It showed that Linux Debian is installed, Apache2 is installed and PHP is also installed. But the stuff that’s not completed tests the ping command and fix the privilege escalation. These seem like major hints.  

Exploiting

As it said to test the ping command, it got us thinking that this might, in fact, be command injection. To further inspect this suspicion, we tried to run the id command through the URL as shown in the image given below. This made our suspicion true. This, in fact, is Command Injection.  

To exploit command injection, we will be using the netcat invoke shell one-liner. Before running that we need a netcat listener to receive the shell that is going to be invoked.

After running the listener, we went back to our browser, and here instead of the id command that we ran previously, it was time to run the shell invocation command. Here we invoked bin/bash shell to the IP Address 192.168.1.105 [Kali Linux]. With the port that we started the listener with.

Now, we went back to our terminal, where we ran the netcat listener. We see that we have successfully got a session. But the shell that came with the session is an improper one. So in order to convert it into a proper shell, we ran the python one-liner. This gave us a proper shell. As soon as we got this shell, we saw that the session that we got is of user www-data. This means that this is an unprivileged shell. We will have to work out a way to that elevated privilege shell. For this, we start to enumerate the target machine through the shell we got.

As a part of our enumeration procedure, we ran the find command with -perm parameter to search for any file having SUID permissions. The find command itself has this permission. This made our job a little easy.

Privilege Escalation

We ran the find command and tried to invoke the /bin/sh shell using it as shown in the image given below. This gave back us a root shell. We confirmed this is a root shell by running the id command.

Now we wanted to enumerate for the Root Flag. We went into the home directory of the root user. Here we found the file named root.txt. On opening it we got a base64 encoded text. It said “congratulations”. This concludes this CTF Challenge.

NOTE: Here we ran typed the command as simply we enter. The shell however just prints what we type again with it. So it gave the look as shown in the image.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

Misdirection 1: Vulnhub Walkthrough

Misdirection 1 VM is made by FalconSpy. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. It is of intermediate level and is very handy in order to brush up your skills as a penetration tester. The ultimate goal of this challenge is to get root and to read the root flag.

Level: Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

Network Scanning

  • netdiscover
  • nmap port scan

Enumeration

  • Browsing HTTP Service
  • Performing Directory Bruteforce

Exploiting

  • Command Injection

Privilege Escalation

  • Writable etc/passwd File

Walkthrough

Network Scanning

The first step to attack is to identify the target. So, identify your target. To identify the target, we will use the following command:

Now we will run an aggressive port scan using nmap to gain the information about the open ports and the services running on the target machine.

We learned from the scan that we have the port 80 open which is hosting Rocket httpd service, and we have the port 22 open. This tells us that we also have the OpenSSH service running on the target machine. We also have 3306 which hints us to a database situation. Also, we have the Apache httpd running on the port 8080.

Enumeration

Further, we need to start enumeration against the host machine, therefore we navigated to a web browser for exploring HTTP service. We have a webpage with some links here. We did some poking around but we figured out that the lab’s name is not a random name. It wants us to be misdirected. So, this is definitely a rabbit hole.

Back to our nmap port scan, we saw that the Apache httpd service is running on port 8080. So, we thought there might be something worthwhile there. But it is just the Apache It works page. Another Misdirection.

http://192.168.1.106:8080

For now, let’s try Directory Bruteforce using dirb. This surprisingly gave us pages with the name debug, shell and wordpress. All of these seems interesting.

We soon figured out that wordpress was also another misdirection. This lab is full of rabbit holes. Now we found the debug page. On further inspection, we see that there is a virtual shell running on this page. This could possibly our way in.

Exploiting

Now that we have a working virtual shell, let’s try to get a real shell using our good old friend Metasploit. We used the web_delivery exploit with the php reverse_tcp payload.

This gave us a beautiful PHP script that we could use to exploit the target machine.

Now back to our virtual shell in our browser. We pasted the PHP code that Metasploit generated. We executed this script on this shell. This should give us a meterpreter shell. We went back on out Metasploit terminal to check.

And Of course, we have the meterpreter shell. This exploit mostly works in a situation similar to this. We interacted with the meterpreter session using the sessions command. Then after getting onto the meterpreter we used the “shell” command to get a shell on the target system. This came back to be an improper shell. Now we got to use our python one-liner to invoke a proper shell on the target machine. After getting the shell we saw that the shell we got is of user “www-data”. This means the story is not yet over. We have to work our way around to get an elevated privilege shell on the target machine. To escalate privilege, first, we got to enumerate the rights of this user. We did that using the “sudo -l” command.

Here we observed that it shows that user www-data has sudo rights to login as user named brexit without any password. Now using the sudo -u command we invoked a shell of user brexit.  

Privilege Escalation

As a part of our Enumeration for Escalating Privilege on the target machine, we try to find if the /etc/passwd is writable. We can see that the file is, in fact, writable as the user brexit. This is our way to move forward.

Now we going to need the password hash for the user that we are going to create on the target machine by making an entry in the /etc/passwd file. We are going to use the openssl to generate a salted hash.

Now back to our remote shell on the target machine. Here we are going to use the hash that we generated in the previous step and make a user raj which has the elevated privilege. We used the echo command to make an entry in the /etc/passwd file. After making an entry we checked the entry using the tail command. Now, all we got to do is run su command with the user name we just created and enter the password and root shell.

Now that we got the root shell, let’s enumerate further for the root flag. We found one in the home directory of the root user.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here