Hack the Box: Dab Walkthrough

Today we are going to solve another CTF challenge, “Dab”. It is a retired vulnerable lab presented by Hack the Box to help pentesters perform online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Expert

Task: To find user.txt and root.txt file

Note: Since these labs are available online, they have a static IP. The IP of Dab is 10.10.10.86

Penetrating Methodology

  • Network scanning (Nmap)
  • Logging in FTP using Anonymous Login
  • Find Hidden file using steghide
  • Bruteforce Login Credential using Burpsuite
  • Manage Cookies using Burpsuite to get access
  • Bruteforce all ports using wfuzz
  • Retrieve version and password hashes on Memcached server
  • Crack password hash using John the Ripper
  • Bruteforce the credentials using Hydra
  • Logging into the server using SSH and getting user flag
  • Using ltrace to extract application password
  • Compile the remaining function using gcc
  • Snagging the Root Flag

Walkthrough

Let’s start off with our basic Nmap command to find out the open ports and services.

The Nmap scan shows us that there are 4 ports open: 21(FTP), 22(SSH), 80(HTTP), 8080(HTTP)

As port 21 is open, we access it using FTP and find a JPG file. We download it to our system to find more information about the image file.

We use a tool called “steghide” to check whether any file is hidden inside the image and find a hidden text file called “dab.txt”. We extract and open it, but it turns out to be a dead end.

Now as port 80 is running HTTP, we access the web service and find a login page.

Port 8080 is also running HTTP, we try to access the web service and get an error that the authentication cookie is not set.

We try to brute force the username and password, so we capture the browser’s request using Burp Suite, send it to Intruder, select the attack type “Cluster bomb”, and mark the username and password parameters as targets.

After selecting “rockyou.txt” as our wordlist we start the brute force and find the correct username and password to be “admin: Password1”.

We are still not able to access the web application on port 8080, as it still shows the same cookie error. So we brute-force the cookie parameter using burp suite.

After selecting “rockyou.txt” as the wordlist, we find the cookie parameter is called “password”. We also get another error, stating that the password authentication cookie is incorrect.

So we again capture the request, and this time we brute force the value of password parameter.

After selecting “rockyou.txt” as our wordlist, we brute force the “password” variable and find the value to be “secret”.

Using burpsuite we change the cookie and are now able to access the web page. After accessing it we find a web application that can be used to send a command to a certain port.

We use wfuzz tool to brute force all the ports that can only be accessed internally and find port 11211 is open.

Port 11211 is the default Memcached port, so we run the version command to check the version of the Memcached server.

We find that we are successfully able to get the version of the Memcached server.

Now that we have the version of the Memcached server, we try to enumerate the users stored on it, so we send the command “get users” to port 11211.

After running the command, we are successfully able to get username and password hashes available on the memcached server.

We copy the usernames and password hashes from the website into a text file so that we can use John the Ripper to crack the hashes.

After cracking the password, we use the saved file to brute-force SSH login using hydra and find the correct credentials to be “genevieve: Princess1”.

Now we use these credentials to log in through SSH. After logging in we find a file called “user.txt”; when we open it we find our first flag.

We now search for files with the SUID bit set and find an application called “myexec”.

We run the application and find that it is asking for a password.

We now use ltrace to find the password of the application.

Now we give the correct password and run it under ltrace again, and find that a function the application calls is missing.

We find the shared library that the application is using. We check “/etc/ld.so.conf.d/test.conf” to find the directory from which the loader accepts that library, and find it is the “/tmp” directory.

Now we create a C program that executes “/bin/bash”, inside the /tmp directory.

We compile it as a shared library.

Now we copy it into the /tmp/ directory and refresh the shared library cache using “ldconfig”. Then, running the application and giving it the correct password, we are able to spawn a bash shell as the root user. We move to the /root directory and find a file called “root.txt”. We take a look at the content of the file and find the final flag.
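The weak link in that escalation is a loader search path that any local user can write to. As an added defender-side check, not part of the original walkthrough, this script parses ld.so.conf-style files and flags such directories; the conf contents and the directory layout it runs against are constructed in a temporary folder.

```python
import os
import stat
import tempfile

def parse_ld_conf(text):
    """Return (dirs, includes) from an ld.so.conf-style file: blank lines and
    '#' comments are skipped; 'include' globs are returned for the caller."""
    dirs, includes = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("include "):
            includes.append(line.split(None, 1)[1])
        else:
            dirs.append(line)
    return dirs, includes

def risky_lib_dirs(dirs, require_root_owner=True):
    """Flag loader search paths that are missing, world-writable, or (optionally)
    not root-owned: any local user could drop a library there that a SUID
    binary will load, which is exactly the /tmp entry abused above."""
    findings = []
    for d in dirs:
        try:
            st = os.stat(d)
        except FileNotFoundError:
            findings.append((d, "missing: a local user could create it"))
            continue
        if st.st_mode & stat.S_IWOTH:
            findings.append((d, "world-writable"))
        elif require_root_owner and st.st_uid != 0:
            findings.append((d, "not owned by root"))
    return findings

def demo():
    """Constructed layout: a sticky, world-writable dir (like /tmp) and a
    0755 dir, both listed in a conf file; returns the verdict for each."""
    base = tempfile.mkdtemp()
    writable, safe = os.path.join(base, "tmp"), os.path.join(base, "lib")
    os.mkdir(writable)
    os.chmod(writable, 0o1777)
    os.mkdir(safe)
    os.chmod(safe, 0o755)
    conf = "# constructed test.conf\n%s\n%s\ninclude /etc/ld.so.conf.d/*.conf\n" % (writable, safe)
    dirs, includes = parse_ld_conf(conf)
    findings = dict(risky_lib_dirs(dirs, require_root_owner=False))
    return {"tmp_like": findings.get(writable), "lib_like": findings.get(safe),
            "includes": includes}
```

Run `risky_lib_dirs` over the directories from every file under /etc/ld.so.conf.d/ to audit a real host; the sticky bit on /tmp does not help here, because creating a new file there is all the attack needs.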

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiast. Contact Here

TrevorC2 – Command and Control

TrevorC2 is a command and control framework. It uses a client/server model in which the client’s traffic looks like a browser visiting a normal website, masquerading the C2 channel. It polls at varying time intervals, which makes it almost impossible to detect. The tool is written in Python but is also compatible with C#, PowerShell, or any other platform, and it is supported on Windows, macOS, and Linux. It is very easy and convenient to use.

You can download it from

Once it is downloaded, open the folder, open the trevorc2_server.py file, and change the IP to your local host IP as shown in the image below. Also provide the site that the TrevorC2 server will clone.

Then start the TrevorC2 framework.

Once TrevorC2 is up and running, change the IP to your local host IP in the trevorc2.ps1 file.

Then send this file to the victim using any desired social engineering method. Once the victim executes the file, you will have your session as shown in the image below:

To see the sessions type :

And to access this session type :
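The cloned-website trick described above still leaves a trace a defender can use: one client fetching the same resource from one host at a near-constant cadence. As an added detection example, not part of the original post or the TrevorC2 project, this script scores each client/host pair in constructed proxy log lines by the regularity of its request intervals; the thresholds are assumptions to tune against real traffic, since heavy jitter widens the spread.

```python
from statistics import median

# Constructed proxy log: "<epoch> <client> <host> <path>". 10.0.0.5 polls the
# cloned site every ~60s with jitter (C2-like); 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
1000 10.0.0.5 www.example.com /images/icons/logo.png
1058 10.0.0.5 www.example.com /images/icons/logo.png
1121 10.0.0.5 www.example.com /images/icons/logo.png
1177 10.0.0.5 www.example.com /images/icons/logo.png
1242 10.0.0.5 www.example.com /images/icons/logo.png
1299 10.0.0.5 www.example.com /images/icons/logo.png
1361 10.0.0.5 www.example.com /images/icons/logo.png
1000 10.0.0.9 news.example.org /
1004 10.0.0.9 news.example.org /story/1
1190 10.0.0.9 news.example.org /story/2
1195 10.0.0.9 news.example.org /story/3
1600 10.0.0.9 news.example.org /
2410 10.0.0.9 news.example.org /story/4
2412 10.0.0.9 news.example.org /story/5
"""

def parse_log(text):
    """Group request timestamps by (client, host)."""
    series = {}
    for line in text.splitlines():
        ts, client, host, _path = line.split()
        series.setdefault((client, host), []).append(int(ts))
    return series

def regularity(timestamps):
    """(median gap, spread): spread is the median absolute deviation of the
    gaps over the median gap. Jittered beacons stay small; browsing does not."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    mad = median(abs(g - med) for g in gaps)
    return med, (mad / med if med else float("inf"))

def find_beacons(text, min_requests=6, max_spread=0.25):
    """Return {(client, host): median gap} for pairs polling at a steady cadence."""
    hits = {}
    for key, ts in parse_log(text).items():
        if len(ts) >= min_requests:
            med, spread = regularity(ts)
            if spread <= max_spread:
                hits[key] = med
    return hits
```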

Author: Kavish Tyagi is a passionate researcher and technical writer at Hacking Articles. He is a hacking enthusiast. Contact here

Bypass Application Whitelisting using cmstp

By default, AppLocker allows the execution of binaries in certain folders, which is the main reason it can be bypassed. It has been found that such binaries can easily be used to bypass AppLocker along with UAC. One such Microsoft binary is CMSTP. CMSTP accepts INF files, so exploitation through an INF file is possible, and we will be learning how to perform such exploitation.

As we all know, CMSTP accepts SCT files and runs them without suspicion, so we will create a malicious SCT file to reach our goal. We will use Empire PowerShell for this. For a detailed guide on Empire PowerShell, click here.

Launch the Empire framework from the Kali terminal and then type the following commands to create your malware:

The above commands will create a listener for you. Then type back to return from the listener interface, and to create the SCT file, type:

Running the above exploit will create your SCT file. We will use the following script to execute our file in PowerShell. In this script, give the path of your SCT file and add the following line as shown in the image.

Download this script from here:

Now send the file to the victim’s PC and run the following command in the victim’s command prompt:

As soon as you run the command, you will have a session. Use the following command to access your session:

This way, you can use the CMSTP binary to bypass AppLocker restrictions. CMSTP needs an INF file, and by using that to your advantage you can gain access to the victim’s PC.
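The same facts cut the other way for a defender: cmstp.exe consumes an INF file, and a malicious INF makes it run a scriptlet. As an added detection example, not part of the original post, this script flags cmstp.exe started with an INF from outside the Windows directory and any child process whose parent is cmstp.exe; the events are constructed in Sysmon process-creation style and the trusted-directory prefix is an assumption to tune per estate.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 style. The first is a
# legitimate profile install; the second loads an INF from a user temp folder;
# the third is a child process whose parent is cmstp.exe.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r'cmstp.exe "C:\Windows\System32\ras\corp.inf"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe C:\Users\bob\AppData\Local\Temp\update.inf",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile",
     "ParentImage": r"C:\Windows\System32\cmstp.exe"},
]

# Windows paths (drive letter + backslashes) ending in .inf, optionally quoted.
INF_RE = re.compile(r'"?([A-Za-z]:\\[^"\s]+?\.inf)"?', re.IGNORECASE)
# Assumption: INF files under the Windows directory are trusted; tune per estate.
TRUSTED_INF_PREFIXES = ("c:\\windows\\",)

def basename(path):
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def analyze(event):
    """Return the reasons one event is suspicious; an empty list means benign."""
    reasons = []
    if basename(event["Image"]) == "cmstp.exe":
        for inf in INF_RE.findall(event["CommandLine"]):
            if not inf.lower().startswith(TRUSTED_INF_PREFIXES):
                reasons.append("cmstp.exe loading INF from untrusted path: " + inf)
    if basename(event["ParentImage"]) == "cmstp.exe":
        reasons.append("child process spawned by cmstp.exe: " + basename(event["Image"]))
    return reasons

def triage(events):
    """Index and reasons for every event that trips a rule."""
    return [(i, analyze(e)) for i, e in enumerate(events) if analyze(e)]
```

Blocking cmstp.exe outright with an AppLocker deny rule is the stronger control where Connection Manager profiles are not in use; the rules above are for environments that still need it.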

Author: Yashika Dhir is a passionate researcher and technical writer at Hacking Articles. She is a hacking enthusiast. Contact here

Hack the Box: Ypuffy Walkthrough

Today we are going to solve another CTF challenge, “Ypuffy”. It is a retired vulnerable lab presented by Hack the Box to help pentesters perform online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are available online, they have a static IP. The IP of Ypuffy is 10.10.10.107

Penetrating Methodology

  • Network scanning (Nmap)
  • Scanning port 389 using LDAP script
  • Fetching shared directory using smbclient and finding the private key
  • Connecting to VM with SSH using the private key
  • Enumerating files with SUID bit set
  • Discovering that alice1978 can run ssh-keygen as userca
  • Discovering authorized commands at ssh login
  • Fetching principal using the curl command
  • Enumerating public certificate in system
  • Signing the RSA key with the CA certificate via doas, using the previously found principal
  • Logging into ssh using new private key pair
  • Snagging the flag

Walkthrough

Let’s start off with our basic nmap command to find out the open ports and services.

The nmap scan shows us that there are 5 ports open: 22(SSH), 80(HTTP), 139(SMB), 389(LDAP), 445(SMB)

As LDAP service is running on port 389, we use nmap script called “ldap-search” to enumerate the target machine and we find the password hash for user “alice1978”.

Now that we have the username and password hash, we can log in over SMB using smbclient.

First, we check the shared directory available on the target machine and find a directory called “alice”. We then access the shared directory and find a file called “my_private_key.ppk”, we download the file to our local system.

The file we downloaded was a “Putty Private Key” file, so we use puttygen to convert the file into RSA private key. After converting it into RSA key, we change the permission of the RSA key and use it to login through SSH.

After logging in through SSH, we find a file called “user.txt”. We take a look at the contents of the file and find the first flag.

Now we check the files with the SUID bit set and find that “doas” is available on the target machine. It is a command utility similar to “sudo”. We check “/etc/doas.conf” to find what commands we can run, and find that we can run “/usr/bin/ssh-keygen” as user “userca”.

To further enumerate the target machine, we open the SSH configuration file at “/etc/ssh/sshd_config” and find that it references the commands “/usr/bin/curl http://127.0.0.1/sshauth?type=key&username=%u” and “/usr/bin/curl http://127.0.0.1/sshauth?type=principals&username=%u”.

Further enumerating the web application, we find that we can request keys from “http://127.0.0.1/sshauth?type=key&username=%u” and principals from “http://127.0.0.1/sshauth?type=principals&username=%u”. We request keys for the root user and get no response, but we successfully get the root user’s principal.

As we have the root user’s principal, we can generate SSH keys and sign them with root’s principal. Doing so will allow us to log in through SSH as root. We know we can run ssh-keygen to generate SSH keys, but first we need a certificate to sign the SSH key with. We enumerate the machine for a certificate and find one inside the /home/userca directory.

First, we generate SSH keys and move them into the /tmp directory. Then we sign the keys as userca, which lets the signing step read the certificate inside /home/userca/ca.

After signing the RSA key, we use it to log in through SSH as the root user. After logging in we find a file called “root.txt”. We take a look at the contents of the file and find the final flag.

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiast. Contact Here