Tre:1 Vulnhub Walkthrough

Today, I am going to share a writeup for the boot2root challenge of the vulnhub machine “Tre:1”. It is made by SunCSR team difficulty level of this machine is the intermediate level. And for this machine goal is to read the root shell.

Download it from here: https://www.vulnhub.com/entry/tre-1,483/

Table of Content

Recon

  • Netdiscover
  • Nmap
  • dirb

Exploitation

  • Adminer exploit
  • ssh login
  • Exploitable writable file

Privilege Escalation

  • Abusing /etc/passwd

Walkthrough

Recon

Let’s start recon for this machine using Netdiscover, It is used for identifying the IP address of the various machines in our network work It works as traceroute.

As we got our target IP address for the machine (192.168.1.104), Next, we use nmap for the port scanning and further information gathering on the target host.

Since port 80 is open, Let’s explore the domain or webpage on this target IP address using a web browser.

We will also perform fuzzing to find the endpoints using the dirbuster tool with the big.txt wordlist which can be located inside /usr/share/wordlists directory using some extensions like php,html.

We got some extensions like adminer.php, index.html, info.php. After checking all the extensions we got login page on the http://192.168.1.104/adminer.php

In the above login page, we need to escalate for the credentials. I have tried many login bypasses that didn’t work for this page. Now again we will try to brute force directories in hope of config file for this login page.

After scanning and checking all the directories we got one directory /mantisbt/config in which will check for the credentials.

we got the credentials for the login page in the a.txt which was present in the directory /mantisbt/config.

Got the credentials that we want to use for the login of adminer login page.

Using the above credentials, we got logged in.

Exploitation

We fill out all the information that we found earlier in the a.txt file and using those credentials we are successfully inside the panel.  Then we try to read the data of the table mantis_user_table and found 2 users here and with their password.

We tried to login with the first user admin panel but was not able to upload any file. Now if we focus on the second user “tre” and the real name looks like giving us a hint towards ssh login, so we used the tre as username and [email protected]! as password.

First of all, we checked for the user privileges using the command sudo -l.

As per sudo permission the user can run showdown command as privilege user. Further we download the linEnum script to check for further enumeration.

Now let’s run linEnum script binary output on the other terminal.

We did check the permissions of the /usr/bin/check-system.

As the above file is having the permissions of the read-write as a user, edited this file using nano editor. And given SUID permissions for the nano file but /usr/bin/check-system will update the changes when the systems will reboot.

In the above step, we changed the privileges for the nano file. Now will use the /sbin/shutdown.

Here -r flag is used for the restart of the host system. Again will check for the permission of the nano file system and notice the SUID permission is enabled now. J

Hence, now I can try to modify the passwd file for privilege Escalation.

Privilege Escalation

In a new terminal, we are using OpenSSL to make a new salted combined username and password in MD5 algorithm. For this, the command used is

Now using nono /etc/passwd command we are editing the passwd directory for adding a new user. The for the new user is username: Salted Value of username and password:0:0:root:/root:/bin/bash

Now we simply check if the user has been successfully added or not, so as to find them. For this, we have used su -raj command and in the password, we have given the password for this user which is pass123.

Here we got our root.txt… That explains it all. So that’s for now. See you next time.

HAPPY HACKING!! 😊

Author: Sushma Ahuja is a Technical Writer, Researcher, and Penetration Tester. Can be Contacted on LinkedIn

Comprehensive Guide to Local File Inclusion (LFI)

In this deep down online world, dynamic web-applications are the ones that can easily be breached by an attacker due to their loosely written server-side codes and misconfigured system files. Today, we will learn about File Inclusion, which is considered as one of the most critical vulnerability that somewhere allows an attacker to manipulate the target’s web server by including malicious files remotely or even access sensitive files present onto that server.

Table of Content

  • Introduction
  • PHP Functions
    • Include() function
    • Require() function
    • Require-once() function
  • Local File Inclusion
  • LFI Exploitation
    • Basic LFI Attack
    • Null byte Attack
    • Base64 Attack
    • Fuzzing Attack
    • LFI Suite
    • LFI over File UPload
  • Mitigation

Introduction

File Inclusion vulnerabilities are commonly found in poorly written PHP web-applications where the input parameters are not properly sanitized or validated. Therefore it becomes easy for an attacker to capture the passing HTTP Requests, manipulates the URL parameter that accepts a filename and include the malicious files in the web-server.

In order to understand the mechanism, let’s take a look at this scenario.

Consider a web-application that accepts a parameter that says “file=hackingarticles.php” via its URL, the server further processes it and displays its content on the application’s screen.

Now the attacker tries to manipulate the filename parameter and calls up a local file or even injects a malicious script or a payload calling it from his own website into that parameter, thus the web-server will process it and executes that particular file which might lead to the following attacks:

  • Code execution on the Web server
  • Cross-Site Scripting Attacks (XSS)
  • Denial of service (DOS)
  • Data Manipulation Attacks
  • Sensitive Information Disclosure

The impact of this vulnerability is quite high and has therefore been reported under-

  1. CWE-98: “Improper Control of Filename for Include/Require Statement in PHP Program”
  2. CWE-20: “Improper Input Validation”
  3. CWE-22: “Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)”
  4. CWE-23: “Relative Path Traversal”
  5. CWE-200: “Exposure of Sensitive Information to an Unauthorized Actor”

The File Inclusion attacks are of two types:

  1. Local File Inclusion (LFI)
  2. Remote File Inclusion (RFI)

Before we get into the depth of these file inclusion attacks, let’s have a look at some of the PHP functions.

PHP Include() Function

We can insert the content of one PHP file into another PHP file before the server executes it, with the include() function. The function can be used to create functions, headers, footers or element that will be reused on multiple pages.

This will help the developers to make it easy to change the layout of a complete website with minimal effort i.e. if there is any change required then instead of changing thousands of files just change the included PHP file.

Example 1

Assume we have a standard footer file called “footer.php“, that looks like this

To include the footer file on our page, we’ll be using the include statement.

The code within the included file (footer.php) is interpreted just as if it had been inserted into the main page.

Example 2

Assume we have a file called “vars.php“, with some variables defined:

Test.php

As soon as the fifth line executes in the test.php file, just “A” will be printed out because we haven’t called our var.php script yet. Whereas in the next line, we have used the include function to include the var.php file, as soon as the interpreter reads this line it directly calls our file from the server and executes it.

Therefore the variables “colour” and “car” are now assigned with “red” and “BMW”. As the last line runs, we’ll get the output as “A red BMW”.

PHP Require() Function

Similar to the include() function, the require statement is also used to include a file into the PHP code. However, there is a one big difference between include and require functions. When a file is included with the include statement and PHP cannot find it or load it properly, thus the include() function generates a warning but the script will continue to execute:

Example 3

Output: I have a Red BMW

Now if we try to run the same code using the require function, the echo statement will not be executed because the script execution dies as soon as the require statement return a fatal error:

No output result.

PHP Require_once() Function

We can use the Require_once() function to access the data of another page into our page but only once. It works in a similar way as the require() function do. The only difference between require and require_once is that, if it is found that the file has already been included in the page, then the calling script is going to ignore further inclusions.

Example 4

echo.php

Test.php

Output: “Hello”

Note

allow_url_include is disabled by default. If allow_url_fopen is disabled, allow_url_include is also disabled

You can enable allow_url_include from php.ini by running the following commands :

Local File Inclusion (LFI)

Local file inclusion is the vulnerability in which an attacker tries to trick the web-application by including the files that are already present locally into the server. It arises when a php file contains some php functions such as “include”, “include_once”, “require”, “require_once”.

This vulnerability occurs, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Thus, the local file inclusion has “High Severity with a CVSS Score of 8.1”

Let’s try to exploit this LFI vulnerability through all the different ways we can, I have used two different platforms bWAPP and DVWA which contains the file inclusion vulnerability.

Basic Local file inclusion

We’ll open the target IP in our browser and login inside BWAPP as a bee : bug, further we will set the “choose your bug” option to Remote & Local File Inclusion (RFI/LFI) and hit hack, even for this time we’ll keep our security level to “low”.

Now, we’ll be redirected to the web page which is basically suffering from RFI & LFI Vulnerability. There we will find a comment section to select a language from the given drop-down list, as soon as we click on go button, the selected language file gets included into the URL.

In order to perform the basic LFI attack, we’ll be manipulating the “URL language parameter” with “/etc/passwd” to access the password file present in the local system as:

192.168.0.11/bWAPP/rlfi.php?language=/etc/passwd

So we’ve successfully get into the password file and we are able to read this sensitive information directly from the webpage. Similarly we can even read the contents of the other files using “/etc/shadow” or “/etc/group”

Null byte

In many scenarios, the basic local file inclusion attack might not work, due to the high-security configurations. From the below image you can observe that, I got failed to read the password file when executing the same path in the URL.

So what should we do when we got stuck in some similar situations?

The answer is to go for the Null Byte Attack. Many developers add up a ‘.php’ extension into their codes at the end of the required variable before it gets included.

Therefore the webserver is interpreting /etc/passwd as /etc/passwd.php, thus we are not able to access the file. In order to get rid of this .php we try to terminate the variable using the null byte character (%00) that will force the php server to ignore everything after that, as soon as it is interpreted.

Great, we are back!! We can read the contents of the password file again.

You can even grab the same using burpsuite, by simply capturing the browser’s request in the proxy tab, manipulating its URL with /etc/passwd%00 and forwarding it all to the repeater. Inside repeater, we can do a deep analysis of the sent requests and responses generated through it.

Now we just need to click on the go tab. And on the right side of the window, you can see that the password file is opened as a response.

Base64 encoded

Sometimes the security configuration is much high and we’re unable to view the contents of the included PHP file. Thus we can still exploit the LFI vulnerability by just using the following PHP function.

Therefore from the below screenshot you can determine that the contents of the password file is encoded in base64. Copy the whole encoded text and try to decode it with any base64 decoder.

I’ve used the burpsuite decoder in order to decode the above-copied text.

Go to the Decoder option in burpsuite and paste the copied base64 text into the field provided, now on the right-hand side click on decode as and choose Base64 from the options presented.

And here we go, you can see that we have successfully grabbed the password file again.

Fuzzing

Many times it is not possible to check for all these scenarios manually, and even sometimes our included file might not be there in the root directory. Thus in order to deface the website through the LFI vulnerability, we need to traverse back and find the actual path to that included file. This traversing can contain a lot of permutation and combinations, therefore we’ll make a dictionary with all the possible conditions and will simply include it in our attack.

From the below screenshot, you can see that I’ve send the intercepted request to the intruder with a simple right-click in the proxy tab and further selecting the send to intruder option.

Now we need to load our dictionary file into the payload section and set the payload type to Simple list as highlighted in the below image.

So, we are almost done, we just need to set the payload position to our input value parameter and simply fire the “Start Attack” button to launch our fuzzing attack.

From the below image we can see that our attack has been started and there is a fluctuation in the length section. As soon as we find any increment in any of the supplied input condition, we’ll check its response to reading the contents of the included file.

LFI Suite

Sometimes it becomes a bit frustrating while performing the LFI attack using Burp suite, i.e. wait for the incremented length and check for every possible response it shows. In order to make this task somewhat simpler and faster, we’ll be using an amazing automated tool called LFI Suite. This helps us to scan the web site’s URL and if found vulnerable, it displays all the possible results, therefore we can use it to gain the website’s remote shell. You can download this from here.

Firstly we’ll clone the LFI suite and boot it up in our kali machine using the following code:

Choose the 2nd option as “Scanner” in order to check the possible input parameters.

Now it ask us to “enter the cookies”, I’ve installed the “HTTP Header live” plugin to capture the HTTP passing requests.

From the below image you can see that I’ve copied the captured cookies into the cookies field and disable the Tor proxy. We just need to enter the website’s URL and hit enter.

Now the attack has been started and we can see that there are 40 different parameters through we can exploit the LFI vulnerability into our web-application.

Now it’s time to connect to the victim and deface the website by capturing its remote shell.

Restart the application and this time choose option 1 as “Exploiter”. Enter the required fields with the same cookies that we’ve used in the scanner section and set the Tor proxy to “No”.

 As soon as you hit enter, you’ll find a list with multiple ways to attack the webserver.

Select the option 9 as “Auto Hack”.

A new section will pop-up asking for the web site’s URL, here enter the target website and hit enter.

Cool!! We’ve successfully captured the victim’s command shell.

LFI over File Upload

As we all are aware with the File Upload vulnerability, that it allows an attacker to upload a file with the malicious code in it, which can be executed on the server. You can learn more about this vulnerability from here.

But what, if the web-server is patched with the file upload vulnerability using high security?

Not a big issue. We just need an unpatched file inclusion vulnerability into that, therefore we can bypass its high security through the file inclusion vulnerability and even get the reverse connection of victim’s server.

Let’s check it out how.

Firstly I’ve downloaded an image raj.png and saved it on my desktop.

Now I’ll open the terminal and type following command to generate a malicious PHP code inside “raj.png” image.

Let’s verify whether our injected code is in the image or not.

At the bottom, you will find that the image is having the PHP code in it. This means that our malicious image is ready, and we are now able to upload it over the web application.

Now explore the target’s IP in browser and login into DVWA with security level high. Choose the vulnerability as a file upload in order to upload the malicious image into the web-applications server.

From the given screenshot, you can see “raj.png” image is successfully uploaded.

Copy the highlighted path where the image is uploaded.

Before executing the image, we’ll boot the Metasploit framework inside the Kali Linux and start-up multi/handler.

Now we’ll get back to DVWA and set security level low and will turn on the File Inclusion vulnerability. This time we will again manipulate the URL parameter “page=” by pasting the above-copied path of uploaded image.

As soon as the URL loads up into the browser, we will get the reverse connection of the server in our Kali machine.

Mitigations to File Inclusion Attacks

  1. In order to prevent our website from the file inclusion attacks, we need to use the strong input validations i.e. rather allow any file to be included in our web-application we should restrict our input parameter to accept a whitelist of acceptable files and reject all the other inputs that do not strictly conform to specifications.

We can examine this all with the following code snippet.

From the above image you can see that, there is an if condition, which is only allowing the whitelisted files and replaying all the other files with “ERROR: File not Found!”

  1. Exclude the directory separators “/” to prevent our web-application from the directory traversal attack which may further lead to the Local File Inclusion attacks.
  2. Develop or run the code in the most recent version of the PHP server which is available. And even configure the PHP applications so that it does not use register_globals.

Source: https://www.w3schools.com/ 

               https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion

               https://www.acunetix.com

Author: Chiragh Arora is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast. Contact here

GitRoot: 1 Vulnhub Walkthrough

Today we are going to solve another boot2root challenge called “GitRoot: 1”. It’s available at Vulnhub for penetration testing. This lab is an intermediate level and is based on Git. The credit for making this lab goes to RecursiveNULL. Let’s get started and learn how to successfully break it down.

Level: Intermediate

Since these labs are available on the Vulnhub website. Let’s download the lab file from here.

Penetration Testing Methodology

Reconnaissance

  • Netdiscover
  • Nmap

Enumeration

  • Gobuster
  • GitTools

Exploiting

  • Bruteforce SSH with Hydra

Privilege Escalation

  • Linpeas
  • Abuse Git Hooks
  • Abuse SUDO

Capture the flag

Walkthrough

Reconnaissance

As always we identify the host’s IP with the “Netdiscover” tool:

So, let’s start by listing all the TCP ports with nmap.

Enumeration

We access the website, it tells us that the site is hosted in the subdomain “wp.gitroot.vuln“.

We added the subdomain to our “/etc/hosts” file.

We access the address of the subdomain and see that WordPress is displayed.

After trying to break the WP without success, I try to list more subdomains with the option “vhost” of the Gobuster tool and the “big.txt” dictionary that comes with Kali by default.

We put this subdomain in our list of hosts

We access the new subdomain and find a code storage service, so it looks great.

We will use Gobuster again, this time to merge directories and files within this subdomain.

With GitDumper from the GitTools toolkit, we extract all the contents of “/.git/” into our Kali

He’ll list an assortment of files, but we’ll keep this one:

We have two interesting files, well, actually we only have one, the “pablo_HELP.txt” file has been deleted, but we will rescue it!

Contents of the new file:

Now, we’ll recover all the files with the GitTools Kit Extractor tool (including “pablo_HELP“)

Contents of the “pablo_HELP” file

Nothing useful, we continue to check the .php files, we found some credentials in the file “set.php“.

Exploiting

We used the credentials in both WordPress and SSH, but without success. Although we already know the names of the users, we carried out a brute force attack on the SSH service with the “rockyou” dictionary.

With the credentials obtained, we access through SSH with the user “pablo” and read the flag of user.txt.

Privilege Escalation (user “beth”)

We keep listing the contents of “Pablo” folder, we find a folder called “public“, inside it, we have a message inviting us to check out a new git repository.

We run “linpeas.sh” and it lists a git repository from user “beth”, so it looks like we found the new repository.

We went into the heads directory of the git logs and found a large list, but if we sort them by size we’ll see that there’s one that’s larger than the rest.

We read the file and show the content of the “add some stuff” commit, we’ll get “Beth” password inside the script.

Privilege Escalation (user “jen”)

We authenticate ourselves as “beth” with the previously obtained password, read the content and see that we have a message from the user “jen“. In it, he asks us to leave a .zip in the folder he indicates, this user will be responsible for decompressing it.

Well, let’s surprise him with a .zip containing a reverse shell con la ayuda de “hooks” en git.

We will create a “post-commit” file and put a reverse shell with python. We will give you all the necessary permissions, we will compress it with 7zip and copy it to the path where “jen” indicated.

In our Kali, we will maintain a connection to netcat by listening on port 9999 while waiting for the script to run.

After having a shell with the user “jen“, we will read the file “.viminfo” and we will obtain his password.

Privilege Escalation (root)

With the user’s password “jen” in our possession, we run the command “sudo -l” and see that we have permissions to the “git” binary, of which there are several methods for escalating privileges over it, we’ll use the command “$ sudo git -p help config”.

At the bottom, it will allow us to execute commands, type “!/bin/sh“, get the root prompt and read the flag.

Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks Contacted on LinkedIn.

Glasgow Smile: 1.1 Vulnhub Walkthrough

Today we are going to solve another boot2root challenge called “Glasgow Smile”. It’s available at Vulnhub for penetration testing. This lab is an intermediate level. The credit for making this lab goes to mindsflee. Let’s get started and learn how to break it down successfully.

Level: Intermediate

Since these labs are available on the Vulnhub website. Let’s download the lab file from here.

Penetration Testing Methodology

Reconnaissance

  • Netdiscover
  • Nmap

Enumeration

  • Gobuster
  • Joomscan
  • CyberChef

Exploiting

  • CeWL
  • Brute force Joomla login with Burp
  • Credential theft from the database

Privilege Escalation

  • Pspy
  • Abuse of crontab tasks
  • Capture the flag

Walkthrough

Reconnaissance

As always we identify the host’s IP with the “Netdiscover” tool:

So, let’s start by listing all the TCP ports with nmap.

Enumeration

We start by visiting the web service (port 80), we find the image of the “Joker”, we check the source code and the robot.txt file, it seems that there is nothing useful.

With the help of Gobuster and the “big” dictionary (default in kali), we found the Joomla CMS deployed on the server:

We access the site and show the Joomla site with only one post on it, where there is a dialogue of two scenes from the film of the “Joker

It’s time to use “joomscan” and list version, interesting directories, backup files or something that can help us identify some vulnerability.

To work more comfortably, I always recommend that you modify the /etc/hosts/ with the name of the machine. In many cases, this host will be shown to you in the site’s own source code. (Although this step is not necessary on this machine)

Exploiting

We run CeWL to create a custom dictionary using the words from the Joker/Arthur dialogue posted in Joomla.

We capture with Burp a request of the authentication request and take it to the “intruder” and introduce the dictionary we just created.” (You have a good tutorial about Bruteforce login with Burp here)

We start the attack, filter through “Lenght” and find a single line where its value is different. There are our credentials!

We check our credentials in the Joomla administration panel, we see that we are in as “Super Admin (Joker)“.

Our site step will be to get up a reverse shell or webshell in order to have visibility inside the server.

To do this, I didn’t get complicated, I directly modified the file “index.php” and put the code of the webshell of “pentestmonkey“.

Great! Now, we’ll put a listening netcat on port 5555 and run the command to create a reverse shell.

We run the path of the “index.php“:

If everything went well, we will have a reverse shell with the user “www-data”.

We execute the following commands to get an interactive shell. Once inside, we read the “Joomla” configuration file and get the credentials from the database. (There are always interesting things in the databases :D)

Privilege Escalation (user “rob”)

We logged on to the database, from the “batjoke” database and we will query the “taskforce” table. We make a query and see that there are several users with their passwords encoded in base64, we will only keep the user “rob“.

We decode the password from our kali and get the credentials in plain text.

We test the credentials from the SSH service and log in with the user “rob” And we can read the first flag:

Privilege Escalation (user “Abner”)

Inside the “home” of the user “rob” we find the file “Abnerineedyourhelp“. We read it and we will have the clue to get the credentials of the next user.

With the help of the “Cyberchef” website and the “rot13” module. We will be modifying the value until we get the readable text.

We repeat the previous formula, decode the password in base64 and obtain the password of the user “abner“.

We authenticate ourselves as the new user and with it, the next flag:

Privilege Escalation (user “Penguin”)

It is probably the most complicated user to get, since I focused on scaling user privileges, without finishing listing everything that was in the different folders of Joomla. For example, this hidden zip:

Download and unzip the .zip file using the user’s password “abner” (remember: I33hope99my0death000makes44more8cents00than0my0life0)

We read the file and obtain the credentials of the user “penguin“.

We authenticate with the new user “penguin” and we read the flag located in his “home“:

Privilege Escalation (root)

After getting to climb over the three users, now it’s time to get the desired “root”.

We read the file “PeopleAreStartingToNotice” (Make some coffee, you’ll need it! xD)

The Joker tells us that it is developing a program (binary find) and that it can only be executed with root permissions… Well, I’m going to save you time, since this binary is useless xD

We focus on the hidden file “.trash_old“.

I gave it a lot of thought, this “Joker” was playing with me and I didn’t know where to climb, until Pspy gave me the answer…

With this, it was already easy, we would only have to modify the file and add our line with a reverse python shell.

We put a listening netcat on our kali at port 8888:

We wait a few minutes and see how the script runs in crontab:

And if all goes well, we’ll have a shell as root in our kali:

Perfect! Now, all we have to do is read the root flag.

Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks Contacted on LinkedIn.