Today we are going to solve another CTF challenge “lightweight”. It is a retired vulnerable lab presented by Hack the Box for helping pentesters to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are online available, therefore, they have a static IP. The IP of lightweight is 10.10.10.119

Penetration Methodologies

Scanning

• Network Scanning (Nmap)

Enumeration

• Ldap database Enumerate (Nmap NSE-script)
• HTTP surfing

Exploiting

• Connect to SSH
• Identify capability folder
• Sniffing password via tcpdump
• Obtain user.txt

Privilege Escalation

• Extracting backup.7z
• Identify another user’s credential
• Exploit openssl capability
• Obtain root.xt

Walkthrough

Scanning

Let’s start off with our basic Nmap command to find out the open ports and services.

As you can observe that it has shown port 389 is open for LDAP services and 22 & 80 are available for ssh and http respectively.

Enumeration

Therefore, with the help of nmap NSE script we go for LDAP enumeration:

Luckily! Nmap listed two ldapuser1, ldapuser2 usernames along with a hash of their password from the result of nmap scan, yet we did not crack them.

Since we know that http service was running on port 80 therefore, we navigate to a web browser and browse target IP and welcome by following page where we saw “This site is protected by against brute forcing ” that mean fail2ban could be running inside VM moreover we found three hyperlinks.

When I opened the user.php hyperlink I read the highlighted text and according to this text, a user in the machine has been automatically added for us.

Exploiting

Therefore, I try to connect with SSH by using 10.10.14.10:10.10.14.10 as login credential. At this point, I was not sure what should be done to extract hidden flag, therefore, I thought to identify the binary capability files with the help of getcap and saw the fruitful result.

As we have seen in the above image that tcpdump has the capabilities to capture all network traffic even in low-privileged access, therefore I trigger the following command to inspect LDAP connection traffic if possible.

And then navigate to the browser to activate authentication via status.php, since the loading takes time. There’s something behind the action has to happen.

As result, we observe the following traffic, as predicted, where I found the ldapuser2 password in plaintext.

Then we switch the user with the following credential and obtain our first flag user.txt

Privilege Escalation

Inside the directory /ldapuser2, I found an archive as backup.7z and for its inspection, we need to transfer this file mine in our local machine.

So, I copied it in our machine and try to extract the file, but it was password protected.

Then, by using an online link “lostmyoass.com,” I try to break the password key and then find out the cracked password: delete as in the image below.

And use the “delete” password to extract the directory. I found some php files here and we looked for a status.php file among those files.

The status.php file reveals the password of ldapuser1 as shown in the image.

Thus, we switched to ldapuser1 and navigate inside the directory of ldapuser1

This time once again I checked for file capacity where I saw OpenSSL has all privileges to read a file that owned root user and therefore we decided to grab root.txt directly through OpenSSL.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Today we will be solving a boot2root lab from Vulnhub called Bravery. This lab, like many others, is a good way to keep your penetration testing skills sharp while getting some variety.

Download it from here: //www.vulnhub.com/entry/digitalworldlocal-bravery,281/

Penetration Methodologies

Scanning

• Netdiscover
• Nmap

Enumeration

• Mount NFS share directory
• SMB shared file enumeration

Exploiting

• Abusing CMS via RFI
• Obtaining reverse shell via netcat

Privilege Escalation

• Abusing SUID binary
• Capture the Flag

Walkthrough

Scanning

Let’s start with network scanning to identify the IP of VM with the help of netdiscover.

So we have our target IP 192.168.1.105 now, let’s scan services and ports via nmap.

We got a fruitful result from nmap scan as we saw so many services were running on the various port.

Enumeration

We found network share service is available via port 2049, so we thought to check shared directory in the network. We have therefore installed NFS-client on our local machine and have a command to identify the shared directory available to mount on our local computer.

we found /var/nfsshare is a shared directory that we can mount in our local machine as given below:

Hmmm!!! After exploring all files, we concluded that “qwertyuioplkjhgfdsazxcvbnm” could be the password.

Because port 445 is also available for SMB, even we have also obtained a password recently thus we can try connecting to SMB to list shared folders. But first we need to enumerate SMB shared directory and for that, we can go with Enum4linux.

As you can observe, enum4linux showed two shared folders: anonymous and secured. And we can access them with the help of smb-client.

We have successfully accessed the shared folder “anonymous”, where I have seen some user’s folders. But while doing an internal recon, I didn’t notice any interesting clues.

So, I’m moving to another “secured” folder and here I found three files, which I downloaded on my local computer.

Then, each file opened, and some helpful URLs were found, we’re going to navigate them one by one, moreover, the last line was pitching for any CMS login.

Initially, we looked at the URL given below but that was no use to us.

We then explored another URL and found no useful stuff here, too.

At last we move to the third and final URL found from the genevieve.txt. Fortunately, I found the following web page differing from two previous results and it could have been CMS.

I found a Cuppa CMS login page by exploring other tabs. This might be a turning point as we are attempting to exploit CMS cuppa.

Exploiting

I dig out cuppa exploit from inside the searchsploit without wasting time and the CMS is vulnerable to LFI/RFI.

Thus, I found a Remote Inclusion File URL when I checked the POC. We now have to be prepared with a reverse shell for the exploitation of RFI.

Therefore, I used php-reverse-shell from inside /usr/share/webshell/php and modified the listening IP with Kali’s IP then launch Python HTTP server for file transferring and start netcat listener on listening port.

When everything is ready! Just trigger the following URL to exploit RFI.

We’ll get a netcat session for the victim’s machine as soon as we trigger the URL. Now we have a low privilege shell and we need to enhance privilege in order to achieve a higher privilege shell. Therefore, to find SUID enable binaries, I run the following command.

Hmmm! So here I notice cp (copy command) has SUID permission that means I can copy any file as root. Now let’s try to escalate the privilege by exploiting SUID enable binary by copying our edited /etc/passwd file inside the victim’s machine.

Privilege Escalation

Suppose I would like to create a new user (raj) with root privilege inside /etc/password file of victim’s machine. So first we need to copy the content of /etc/passwd file in a text file inside our local machine and then with the help of OpenSSL generates the salt password for user raj and then copy the salt value.

Now open the text file where you have pasted the content of /etc/passwd of victim’s machine and add a new row for user raj along with the salt value that we have generated. Named the file as passwd and transfer this file into victim machine, so that we can replace our /etc/passwd file with original /etc/passwd file of the VM.

For downloading /etc/passwd file into Victim’s machine, execute the following command and get the root access to grab the flag.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Today we are going to take on another boot2root challenge “uknowndevice64 v2.0” by Ajay Verma. Our goal is to get root and read flag.txt with at least two different ways.

Download it from here: //download.vulnhub.com/unknowndevice64/unknowndevice64-V2.0.ova

Difficulty: Beginner

Penetrating Methodology:

Scanning

• Netdiscover
• NMAP

Enumeration

• Web Directory search 
• Credential harvesting

Exploiting

• SSH login (1^st Method)
• ADB login (2^nd Method)

Privilege Escalation

• Exploit sudo rights

Capture the Flag

Walkthrough

Scanning:

Let’s start off by scanning the network and identifying host IPs. We can identify our host IP as 192.168.1.22 by using netdiscover. Next, we have to scan this IP using nmap.

The result shows that freeciv is running on port 5555, ssh is running on port 6465 and netbus is running on 12345.

First, we try to open the IP into browser with port 12345 we were prompted to login. So, we tried the basic credentials with different combinations and got succeeded with ‘Administrator’ as username and password as ‘password’.

After logging in, a webpage appeared as you can see here. But nothing of our use. 

Then tried to access the robots.txt file. We got lucky and found a file here named ‘./info.php’ inside it.   

When we opened this in the browser, we are prompted to download it.

When we open this downloaded file, we got an SSH private key inside it. So, we copied the text from “BEGIN RSA PRIVATE KEY” to “END RSA PRIVATE KEY” and saved it in a file named ‘sshkey’. Besides this key we can see “unkn0wnd3vic3-64” at the end of the file, let’s save this as of now.   

Here first we have changed permission for the file ‘sshkey’. Then login into ssh using this file on port 6465(as ssh is running on port 6465). And we are asked to enter a passphrase for this ssh key.so we used the text “unkn0wnd3vic3-64” that we saved from info.php and it worked. After that, we switched as root user and listed the content of root.

We spotted a directory named ‘system’ and inside system, we found a file ‘flag.txt’. This is our flag!    

Another way

We will be using previously gained information to save time. As we knew from Nmap scan that freeciv is running on port 5555 so tried to connect it with adb. After getting a shell, we switched to root and captured the flag (as we already knew the flag is inside flag.txt within system directory).

Finally!! The challenge is completed, and we have grabbed the flag.txt file using two different approaches.

Author: Nisha Yadav is trained in Certified Ethical hacking and Bug Bounty Hunter. She is currently working at Ignite Technologies as a Security Analyst. Connect with her here

Today we will be solving a boot2root lab from Vulnhub called SILKY-1. This lab, like many others, is a good way to keep your penetration testing skills sharp while getting some variety.

Download it from here: //www.vulnhub.com/series/silky-ctf,207/

Level: Easy-Intermediate

Task: Boot to Root (flag.txt)

Penetration Methodologies

Scanning

• Netdiscover
• Nmap

Enumeration

• Web Spreading
• txt
• Generating Password Dictionary (Crunch)

Exploit

• Brute force attack (Hydra)
• SSH Login

Identify SUID Enable Binaries

• Privilege Escalation
• Exploit PATH Variable

Capture the flag

Walkthrough

Scanning

We start by scanning the network for targets using Netdiscover.

So we found target IP 192.168.1.106 and proceed by running a Nmap scan for all its ports to see what we can find.

Since port 8080 is running HTTP-proxy, so our obvious choice is to browse Target’s IP in the browser but didn’t find any hint.

Enumeration

We checked the robots.txt file for the results of nmap and showed /notes.txt as our next indication.

So, we found a text message that is written in German when we explored the notes.txt file.

With the help of Google translator, I translate the German message, which was connected to password hint:

“I absolutely have to remove the password from the page, after all, the last 2 characters are missing. But still.”

Then again, I visit the home page to view its source code and found a link for script.js

So, I found the word: s1lKy when navigating to /script.js as shown below.  Hmmm!!! This word s1lKy could be the possible password as said in the above text message.

So, without wasting time I decided to generate a dictionary with the help of crunch. As per the text message last 2 characters are missing. But these 2 characters could be any combination such as alpha-alpha, alpha-ALPHA, alpha-numeric, alpha-special character or vice-versa and so on.

And after spending almost one-an-hour I successfully found the valid combination for ssh login as port 22 is opened.

Exploit

Assuming username could be silky, and password could be in pass.txt, I lunched brute force attack using hydra on port 22 for identifying the valid combination of ssh login.

Since we found silky:s1lky#5 as username and password for ssh login, now it was time to access ssh shell and escalated the root privilege to capture the flag.

Once I logged in successfully than without wasting much time, I looked for SUID enabled binaries and here /usr/bin/sky looks interesting.

Although when I run this program it shown “root” in its output as a result along with some German text. To analysis its result I try to inspect the program script with the help of strings which a command line utility to identify the file type.

Hmm!! the information I found through strings was that this program is executing to commands simultaneously. First, echo command to show the German text message and another whoami.

Privilege Escalation

To escalated root privilege, we can abuse PATH Variable as shown below and for more detail read the complete article from here.

OKAY!! We got another shell which is a root shell as shown below, let’s now grab the flag.txt file and complete the challenge.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here