Hack the Box: Teacher Walkthrough

Today we are going to solve another CTF challenge “Teacher”. It is a retired vulnerable lab presented by Hack the Box for helping pentesters to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are online available, therefore, they have a static IP. The IP of Curling is 10.10.10.153

Penetrating Methodology

Scanning

  • Network Scanning (Nmap)

Enumeration

  • Web Spidering (dirb)
  • Abusing HTTP service
  • Password Fuzzing (Wfuzz)

Exploiting

  • Evil Teacher Attack
  • Obtain Netcat session
  • Get config.php to obtain the MySQL password
  • Connect to MySQL
  • Extract tables to obtain login credentials
  • Get user.txt

Privilege Escalation

  • Symlinking root directory
  • Get root.txt

Walkthrough

Scanning

Let’s start off with our basic Nmap command to find out the open ports and services.

As you can observe that it has shown port 80 is open for http services.

We found a school website on exploring port 80, and I didn’t find a lot of information here. This website appears to be designed for online courses and the author may use some educational cms to design it.

Enumeration

Since it is a learning site that needs to be designed for online classes using a CMS platform. Therefore, I will go for the enumeration of the web directory without wasting much time.

If you notice the image below, you will find a web directory /moodle. The website is therefore proven to be designed on MOODLE CMS, let’s explore it further.

When I explored /10.10.10.153/moodle, it’s the “Giovanni Chhatta” teacher portal for online classes in Mathematics Algebra. If you’re looking for a moodle exploit, you’re going to see it vulnerable to SQL and RCE. So, to exploit it, we need to log in to this account, but we don’t have credentials.

I felt like the photo gallery looks suspicious while spidering because each row contains 4 tiles and one photo in the top left corner is missing.

Therefore, I check the source code of the page and there is some error where I saw picture 5. We need to download this picture to identify more about image error.

So, I downloaded this image 5 with the help of the wget command and identified the type of file.

Though it looks like an image, it was ASCII file that we could open in any text editor. As you can see with the help of the cat command, I opened the 5.png file where I found the “Giovanni” user password clue.

PASSWORD HINT: “I forgot the last character of my password. The only part I remembered is Th4C00lTheacha

Since the password’s last character was missing, I created a wordlist with the command below.

Now let use wfuzz for fuzzing brute force using wordlist to identify valid login combination.

WoW!! We got HTTP 200 ok response for Giovanni: Th4C00lTheacha#

Exploiting

We get inside the dashboard with the help of the above login credential. Now let’s try to exploit if you’re going to google for moodle exploit then it’s going to show you EVIL TEACHER attack which you can read from here.

We now need to edit a new activity in order to exploit it, so explore settings > edit > add an activity or resource. Now you’re going to get a prompt to select an activity you want to add, I’ve chosen a quiz here.

Then click on Ethical hacking quiz to add some question inside it.

Click on Edit option for adding a question.

Now click on Add > + a new question which will open a console to add quiz question.

Choose “calculated” the question type to add.

Now, when you ask a question, you need to mention the answer in the given text area, but this is vulnerable to EVIL TEACHER attack. Now get the reverse shell we insert a formula in the filed text given to write the answer and then click on save the changes.

Start netcat in the local machine and then inject netcat reverse shell payload in the URL as shown in the image, click on next page:

Repeat the same to inject nc payload once again and execute the URL to get a netcat session.

You can see here that we pwned the target machine’s web shell, let’s explore more to get user.txt and root.txt. So, I check the directory list inside /moodle here that I found a config.php file.

I saw mysql login credential inside the config.php file as shown below.

Connect to MySQL to extract information from the database such as credentials for system login.

Here mdl_user table looks more interesting, let’s extract its column information in the hop to get some useful information.

WOW! WOW!! It includes the username and column of the password, let’s explore it.

Here I found 4 users with the md5 hash value, let’s try cracking them.

So, we got the password “expelled” by using the online md5 decryption tool.

Now use the credentials above and switch user account to try to locate the user.txt file.

Yeah! Yeah. We got our 1st flag successfully, now let’s find out about root.txt, but as we know it needs an escalation of privilege.

Privilege Escalation

So, while traversing, I found a backup_course.tar file inside /home/giovanni/work/tmp

I found a backup _course.tar file inside /home/giovanni/work/tmp while traversing.

Therefore, since the current directory has full permission, I try to link the root directory within the /tmp folder so that we can get backup of the root directory within the /tmp folder with the help of backup.sh.

Fantastic!! I found /root directory within /tmp after 1-2 minutes, which means that without root access we can get the root.txt file as shown below.

Booom!! We found root.txt successfully!!!!!!!!!!!

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Covert Channel: The Hidden Network

Generally, the hacker uses a hidden network to escape themselves from firewall and IDS such. In this post, you will learn how to steal information from the target machine through the undetectable network. Such type of network is known as a covert channel which seems as generic traffic to any network monitor device/application and network admin. It could be considered as steganography, but it is not exactly steganography. Two endpoint users can use the covert channel for undetectable communication from network admin.

The red teamers use covert channels for data exfiltration in red teaming operations through a legitimate network and the data exfiltration is a process of secretly sharing data between two endpoints.

Table of Content

What is Covert channel

  • Type of covert channel

Covert channel attack using tunnelshell

  • What is Tunnelshell
  • Covert ICMP Channel
  • Covert HTTP Channel
  • Covert DNS Channel

What is the covert channel?

The word covert means “hidden or undetectable” and Channel is “communication mode”, hence a covert channel denotes an undetectable network of communication. This makes the transmission virtually undetectable by administrators or users through a secret channel. It’s very essential to know the difference between encrypted communication and covert communication. In covert communication, the data stream is garbled and lasting by an unauthorized party. However, encrypted communications do not hide the fact that there has been a communication by encrypted the data travelling between both endpoints.

Type of covert channel

Storage covert Channel: Communicate by modifying a “storage location”, that would allow the direct or indirect writing of a storage location by one process and the direct or indirect reading of it by another.

Timing Covert channels – Perform operations that affect the “real response time observed” by the receiver.

Note: The well – known Spectre and Meltdown use a system’s page cache as their covert channel for exfiltrating data.

The specter and Meltdown attacks work by tricking your computer into caching privileged memory and through miscalculated speculative execution, a lack of privilege checking in out-of-order execution, and the power of the page cache. Once privileged memory is accessed the processor caches the information and the processor is able to retrieve it from the cache, regardless of whether its privileged information or not.

Read the complete article from here.

Covert Channel Attack Using Tunnelshell

It is possible to use almost any protocol to make a covert channel. The huge majority of covert channel research has based on layer 3 (Network) and layer 4 (Transport) protocols such as  ICMP, IP and TCP. Layer 7 (Application) protocols such as HTTP and DNS are also frequently used. This mechanism for conveying the information without alerting network firewalls and IDSs and moreover undetectable by netstat.

What is tunnelshell?

Tunnelshell is a program written in C for Linux users that works with a client-server paradigm. The server opens a /bin/sh that clients can access through a virtual tunnel. It works over multiple protocols, including TCP, UDP, ICMP, and RawIP, will work. Moreover, packets can be fragmented to evade firewalls and IDS.

Let’s go with practical for more details.

Requirement

  • Server (Kali Linux)
  • Client (Ubuntu18.04)
  • Tool for Covert Channel (Tunnelshell) which you can download from here.

Here, I’m assuming we already have a victim’s machine session through the c2 server. Now we need to create a hidden communication channel for data exfiltration, therefore, install tunnelshell on both endpoints.

Once you download it, then extract the file and compile it as shown below:

Similarly, repeat the same at the other endpoint (victim’s machine) and after completion, execute the following command in the terminal to open communication channel for the server (Attacker).

By default, it sends fragment packet, which reassembles at the destination to evade from firewall and IDS.

Now to connect with tunnelshell we need to execute the following command on the server (Attacker’s machine) which will establish a covert channel for data exfiltration.

Syntax: ./tunnel -i <session id (0-65535)> -d <delay in sending packets> -s <packet size> -t <tunnel type> -o <protocol> -p <port> -m <ICMP query> -a <ppp interface> <Victim’s IP>

frag: It uses IPv4 fragmented packets to encapsulate data.  When some routers and firewalls (like Cisco routers and default Linux installation) receives fragmented packets without headers for the fourth layer, they permit pass it even if they have a rule that denies it. As you can observe that it is successfully connected to 10.10.10.2 and we are to access the shell of the victim’s machine.

As I had said, if you will check the network statics using netstat then you will not observe any process ID for tunnelshell. From the given below image, you can observe that with the help of ps command I had checked in process for tunnelshell and then try to check its process id through netstat.

Let’s take a look of network traffic generated between 10.10.10.1 (Attacker’s IP) and10. 10.10.2 (Victim’s IP) using Wireshark. The network flow looks generic between both endpoints, but if it monitors properly, then a network administrator could sniff the data packet. As you can observe that Wireshark has captured the covert traffic and sniff the data that was travelling between two endpoint devices.

Covert ICMP Channel

As we know Ping is the use of ICMP communication that use icmp echo request and icmp echo reply query to establish a connection between two hosts, therefore, execute the below command:

Now to connect with tunnelshell we need to execute the following command on the server (Attacker’s machine) which will establish a covert channel for data exfiltration.

As you can observe that it is successfully connected to 10.10.10.2 and the attacker is able to access the shell of the victim’s machine.

Again, if you will capture the traffic through Wireshark then you will notice the ICMP echo request and reply packet is being travelled between both endpoints. And if you will try to analysis these packets then you will be able to see what kind of payload is travelling as ICMP data.

Covert HTTP Channel

It establishes a virtual TCP connection without using three-way handshakes. It doesn’t bind any port, so you can use a port already use it by another process, therefore execute the below command:

Now to connect with tunnelshell we need to execute the following command on the server (Attacker’s machine) which will establish a covert channel for data exfiltration.

As you can observe that it is successfully connected to 10.10.10.2 and again attacker is able to access the shell of the victim’s machine.

on other side, if you consider the network traffic then you will notice a tcp communication establish without three-way-handshake between source and destination.

Covert DNS Channel 

To establish DNS covert channel, we need to run UDP tunnel mode on both endpoint machines. Therefore, execute the following command on the victim’s machine:

Similarly, execute following on your (Attacker) machine to connect with a tunnel.

As you can observe here the DNS malformed packet contains the data travelling between both endpoint machine.

Conclusion: Covert channel does not send encrypted data packet while data exfiltration, therefore, it can easily sniff, and network admin can easily conduct data loss and risk management.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

SP eric: Vulnhub Lab Walkthrough

Hello friends! Today we are going to take another CTF challenge known as “SP eric”. The credit for making this VM machine goes to “Daniel Solstad”. Our goal is to get 2 flags to complete the challenge.

They are located at:

/root/flag.txt

/home/eric/flag.txt

You can download this VM here.

Security Level: Beginner

Penetrating Methodology:

  • Network scanning (Nmap)
  • Surfing HTTP service port
  • Enumerating directories using Dirb
  • Dumping git files using gitdumper
  • Extracting git file using Extractor
  • Enumerating for Login Credentials
  • Uploading PHP reverse shell
  • Getting user flag
  • Editing the file with a php shell
  • Getting the root flag

Walkthrough

We will start the cracking of this CTF with a port scan using nmap. Through the nmap scan, we get that we have the port 80 open. Also as we can see in the given image that we have also discovered the .git directory.

By convention, if we have the port 80, we try and open the IP Address in the Web Browser. In doing so we see a message of “Blog under construction”. This seems like a Dead End. Let’s try another approach.

We ran a directory bruteforce using the dirb tool. This revealed the admin.php, index.php and a directory named “upload”. We will try to discover all these to enumerate as much as we can.

On opening the admin.php, we get a form with the Username and Password fields. Seeing a form, our basic instinct was the SQL Injections. We spent a little time on that, then we took the advice of author that there is no use of Bruteforcing. We will have to figure our some another way.  

Now, back on the nmap scan, we did in the beginning. We found a Git repository. On browsing a few sites on Google, we found this epic tool called GitTools. We cloned this tool on our Desktop as shown in the given image. After that, we traversed in the GitTools Directory to using the cd command. Here, we found 3 tools: Dumper, Extractor, Finder. We will use this tool to enumerate this git.

First, we traversed into the Dumper directory to use the gitdumper tool. This tool will dump all the files on the git. We will have to give a destination directory to use it. This tool can be used as shown in the given image.

Now that we have successfully dumped the git files using the gitdumper tool. It’s time to use the Extractor tool. For this, we will have to traverse inside the Extractor directory within the GitTools. Now to use the extractor we will have to give the path of the destination directory in with we dumped the git files using the gitdumper.

 The Extractor tool will create the directories based on the commits on the git that we dumped earlier which can be observed in the given image. Three directories were created in response to three commits on the git. We traversed in the directory named “0-3db5628b550f5c9c9f6f663cd158374035a6eaa0/” to find three file: admin.php, commit-meta.txt and index.php. We read the admin.php file using the cat command to find the username and password for the form we found earlier. We made a note of these credentials.

We went back to the admin form we discovered earlier and entered the login credentials we found in the git. This was a successful login. Upon logging in we found more forms, titled: Add new post and Add site to blogroll. Here, we found an Upload option. 

So, we entered the necessary information in the various field on the page and selected a php reverse shell in the location of uploading the file. After all the entries filled, we clicked on the add button to upload the file with this entry.

Even though the file was successfully uploaded, to get the session, we will have to execute the file on the target machine. Back to the nmap scan, we found a directory called “upload”. It’s time to get to that directory. We used the name of the php file we uploaded to execute the file on the target system as shown in the given image.

On the other side, in a new terminal, we created a netcat listener at the port that we mentioned the php reverse shell script. Upon Execution, we got the shell of the target system. To get a proper shell, we used the python one-liner. After getting the proper shell, we used the ls command to enumerate for the flag. We traversed in the eric directory. Here we found the 1st flag as shown in the given image. We also found a file named backup.sh. As we can see in the given image that the backup.sh file has all the permission required and it runs as root.

So, we have to target the backup.sh file to get the root shell on the target machine. We created a msfvenom script to exploit the target machine. We used the reverse_bash payload to create this script.

We copied the script contents and then we moved the session we had on the target machine and here we edited the backup.sh file with our script using the echo command.

On a new terminal, we started a netcat listener on the port that we mentioned while creating the script using msfvenom. When we ran the file backup.sh file, we have a root session. Being an improper shell, we improved it using the python one-liner. Here, we traversed in the root directory. We found the root flag here in this directory as shown in the given image.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

Command & Control: Ares

In this article, we will learn how to use Ares tool. This tool performs the Command and Control over the Web Interface. This tool can be found on GitHub.

Table of Content:

  • Introduction
  • Installation
  • Exploiting Target
  • Command Execution
  • Capturing Screenshot
  • File Download
  • Compressing Files
  • Persistence Agent
  • Clean Up

Introduction                                                                                                                                                 

Ares is a Python Remote Access Tool. Ares is made of two main programs: A Command & Control server, which is a Web interface to administer the agents and an agent program, which runs on the compromised host, and ensures communication with the CNC. The credit for creating this tool goes to Kevin Locati.

For this particular demonstration,

Attacker: Kali Linux

Target: Windows 10

Installation

To begin first, we need the tool on our Attacker Machine. To do this, we will clone the tool directly from the GitHub. After Cloning, we traversed into the newly created directory called Ares through the cd command as shown in the image.

Now, to make the tool work we will be needing to install some prerequisites.  Let’s start from the file that we cloned earlier name requirements.txt. This file contains the details of the python libraries that are required to be installed.

Now as we have our target a Windows Machine, we will need to compile the agent that is compatible with the Windows Machine. To do that we will be needing wine. So, using the file that we cloned earlier, let’s begin the wine installation. Now this will take a bit of time.

Exploiting Target

Now that we have successfully installed all the requirements needed to run the Ares tool. Its time to gain the Command and Control Session.  To do this we are going to need an agent. For this, we use the cd command to traverse into the agent directory. After that, we list the contents of the file to find a config file. We will be needing to edit the file so as to gain the session.

As we can see, when we open the config file using the nano command. We see that the SERVER variable has an IP Address. We are going to edit it and change it to the internal IP address of the attacker machine, which in my case is 192.168.1.4. We don’t require any further changes. So Save and Exit the nano editor.

Now that we have configured the config file, Its time to create an agent. As we have a Windows Machine as a target. We will be creating a windows agent using the command given below.

Now, we will send this agent to the target machine by any means of preference. After that, we will be needing to launch the server. This is required as the agent will communicate to this server. Let’s get back to the Ares directory. Here we have a sub-directory called server. After traversing in it we will have to initiate the database for that we will be using the initdb parameter. Initiating the database is to be done only the first time. Now we will run the server as shown in the given image.

 

Now we will open the server IP in our browser. Here we will see a form asking for the password as shown in the given image. We entered the password and clicked on Define to continue.

Now that the password is defined, we will have to enter the password to log in.

Here we have the main index of the Ares GUI. It has the following links: Change Password, Disconnect, Agent List. Now, we will go back to the step where we created an agent. Only after we execute the agent on the target machine, we will get a line Agent in Agent List.

As we can see the image given below, that we have an agent alive. We have the name of the agent, status, user that was logged in when the agent went live, we have the hostname too. We are also informed about the IP Address and Operating System of the target. Here we could run the agent on multiple devices each one of them will be visible here. We can select sessions from here and execute the same command on multiple session at the same time. We will have to click on the name to proceed.

Command Execution

As Ares runs the Power Shell commands, let’s start with the System Information command. As we can see that we have all the system config information of the target machine.

Capturing Screenshot

Now, Let’s take a screenshot of the target machine. To do this we will type in the screenshot command and the agent will capture the screenshot and provide a link as shown in the figure. On opening this link the screenshot can be viewed.

File Download

We can also download files from the remote target using this agent. To do this we require the name of the file. This can be obtained using the dir command. Now once we have the filename, we will download it to our local attacker machine as shown in the image given below.

Compressing Files

We can compress a directory on the remote target using the Ares agent. For this, we require the name of the directory. After we extract the name of the directory, we can compress the file remotely using the command given below. Here, we have ‘sample’ the name of the directory and ‘compressed.zip’ the name of the compressed file.

 

Persistence Agent

We could invoke the persistence in the agent using the command persist. This command installs the agent on the remote target.

Clean Up

This tool also performs the clean up after the work through the session Is done. This command removes the agent from the target machine. Hence it goes on undetectable.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here