Five86-2: Vulnhub Walkthrough

Today we are sharing another CTF walkthrough of the Vulnhub machine named Five86-2, with the intent of gaining experience in the world of penetration testing. The credit goes to m0tl3ycr3w and syed umar for designing this machine, and the level is set to beginner to advanced.

According to the author: The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

Download it from here: https://www.vulnhub.com/entry/five86-2,418/

Penetration Testing Methodologies

Network scanning

  • Netdiscover
  • Nmap

Enumeration

  • Exploring Http services
  • WordPress scanning (Wpscan)

Exploit WordPress

Privilege Escalation

  • Abusing capability
  • Abusing Sudo

Walkthrough

Network Scanning

As you know, this is the initial phase, where we use netdiscover to scan the network and identify the host IP; here we have 192.168.0.114 as our host IP.

From the nmap scan, we found that port 21 is open for FTP and port 80 is open for HTTP, where WordPress is running on Apache.

Enumeration

Thus, we navigated to a web browser, browsed the following URL and found a WordPress application running on the web server.

Since we found WordPress on the host machine, we chose wpscan and ran the following commands to scan it.

From its scanning result, we enumerated 5 usernames: peter, admin, barney, gillian and Stephen, as shown in the image below.

We used the rockyou.txt wordlist for a password brute-force attack, so we saved the above-mentioned usernames in a text file named user.txt and then launched the attack by executing the following command.

From its scanning result, we found the passwords for barney and stephen, as given below.
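The username enumeration and password brute force described above leave a recognisable trace in the web server's access log. The following Python script is an added example and not part of the original walkthrough: it parses constructed Apache combined-format log lines (the addresses, timestamps and user agents are made up) and flags an IP that sends a burst of failed wp-login.php POSTs, a successful login that follows such a burst, and requests to the author and REST user endpoints that wpscan uses for enumeration. It relies on WordPress answering a failed login with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect.

```python
"""Detect WordPress login brute force and user enumeration in an access log."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: hypothetical addresses, not the walkthrough's target.
SAMPLE_LOG = """\
192.168.0.5 - - [10/Jan/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "WPScan v3.7.8"
192.168.0.5 - - [10/Jan/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "WPScan v3.7.8"
192.168.0.5 - - [10/Jan/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "WPScan v3.7.8"
192.168.0.5 - - [10/Jan/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "WPScan v3.7.8"
192.168.0.5 - - [10/Jan/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "WPScan v3.7.8"
192.168.0.5 - - [10/Jan/2020:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.7.8"
192.168.0.7 - - [10/Jan/2020:10:00:05 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.64.0"
192.168.0.9 - - [10/Jan/2020:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag IPs with >= threshold failed wp-login.php POSTs inside a sliding window.

    A failed WordPress login comes back as HTTP 200; a successful one is a 302.
    """
    failures = defaultdict(list)  # ip -> timestamps of recent failed logins
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not rec["path"].startswith("/wp-login.php"):
            continue
        ip = rec["ip"]
        if rec["status"] == 200:
            recent = [t for t in failures[ip] if (rec["ts"] - t).total_seconds() <= window_seconds]
            recent.append(rec["ts"])
            failures[ip] = recent
            if len(recent) >= threshold:
                alerts.setdefault(ip, {"failed": 0, "success_after_burst": False, "user_agent": rec["ua"]})
                alerts[ip]["failed"] = len(recent)
        elif rec["status"] == 302 and ip in alerts:
            # A successful login right after a burst of failures is the worst case: a guessed password.
            alerts[ip]["success_after_burst"] = True
    return alerts


# Endpoints wpscan and similar tools use to list usernames.
ENUM_PATHS = ("/?author=", "/wp-json/wp/v2/users")


def detect_user_enumeration(log_text):
    """Return the set of IPs that hit WordPress user-enumeration endpoints."""
    hits = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and any(rec["path"].startswith(p) for p in ENUM_PATHS):
            hits.add(rec["ip"])
    return hits


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
    print(detect_user_enumeration(SAMPLE_LOG))
```

On the sample, 192.168.0.5 is flagged with five failures inside the window followed by a successful login, and 192.168.0.7 is flagged for enumeration; the single successful login from 192.168.0.9 is not. Rate limiting wp-login.php and restricting the REST users endpoint to authenticated callers are the corresponding mitigations.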

To access the website properly, we added the hostname and host IP to the /etc/hosts file.

Furthermore, using Barney's login credentials we logged in to WordPress and found that a plugin, “Insert or Embed Articulate Content into WordPress”, was installed. We searched Google to find out more about it and found a method on Exploit-DB to exploit this plugin to obtain a reverse connection.

Exploiting WordPress

For exploiting the installed WordPress plug-in, follow the steps given below.

  1. Create a .zip archive with two files: index.html, index.php
  2. Log in to WordPress as barney
  3. Create a new Post -> Select Add block -> E-Learning
  4. Choose the upload option for uploading your zip file.
  5. Browse and upload raj.zip -> Insert as: Iframe -> Insert

Start a netcat listener on your local machine and, after uploading the zip file, access the webshell from the URL as shown:

Booom!! We got the reverse connection through the netcat session, but we know this is a boot-to-root challenge, so we need to escalate privileges to gain a high-privilege shell. So we started post-exploitation enumeration and found that capabilities have been granted on tcpdump, which Stephen can run.

So we ran the following command, which reveals the interfaces that are up and running.

Privilege Escalation

As we have seen in the above image, tcpdump has the capabilities to capture all network traffic even from low-privileged access, therefore I triggered the following command to inspect the “veth1665bcd” traffic, if possible, and save the output in a pcap file, “cap.pcap”.

With the help of the “-r” option, we read the pcap file and luckily found credentials.
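The escalation path above works because tcpdump carries file capabilities that let any user who can execute it sniff every interface, so an audit of file capabilities is the matching defensive check. The Python script below is an added example, not code from the walkthrough: it parses the output of `getcap -r /` (the sample lines are constructed, the tcpdump line mirroring what the walkthrough describes; the only live call is to `getcap` itself, which exists on Linux systems with libcap) and reports binaries carrying capabilities that grant sniffing or near-root power.

```python
"""Audit `getcap -r /` output for file capabilities that hand a low-privileged user
powerful abilities."""
import re
import subprocess

# Capabilities a reviewer should question on any binary that unprivileged users can run.
RISKY_CAPS = {
    "cap_net_raw": "raw sockets: can capture traffic on every interface, cleartext credentials included",
    "cap_net_admin": "network administration: interface configuration, promiscuous mode, routing",
    "cap_setuid": "can change its UID to any user, including root",
    "cap_setgid": "can change its GID to any group",
    "cap_dac_override": "bypasses file read/write/execute permission checks",
    "cap_dac_read_search": "bypasses file read permission checks (can read any file)",
    "cap_chown": "can change file ownership",
    "cap_fowner": "bypasses owner checks on file operations",
    "cap_sys_ptrace": "can attach to and inspect other users' processes",
    "cap_sys_admin": "broad administrative power, close to full root",
}

# Both getcap output styles are handled: "path = caps+flags" (older libcap)
# and "path caps=flags" (newer libcap).
GETCAP_RE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>[a-z_,]+)[+=](?P<flags>[eip]+)$")

# Constructed sample output (hypothetical paths); not captured from the challenge VM.
SAMPLE_GETCAP = """\
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.7 = cap_setuid+ep
/usr/local/bin/demo-server cap_net_bind_service=ep
"""


def parse_getcap_line(line):
    """Return (path, [capabilities], flags) for one getcap line, or None if unparsable."""
    m = GETCAP_RE.match(line.strip())
    if not m:
        return None
    return m["path"], m["caps"].split(","), m["flags"]


def audit_getcap(lines):
    """Return a finding per binary that carries at least one risky capability."""
    findings = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps, flags = parsed
        risky = [c for c in caps if c in RISKY_CAPS]
        if risky:
            findings.append({
                "path": path,
                "caps": risky,
                "flags": flags,  # 'e' = effective, 'p' = permitted, 'i' = inheritable
                "reasons": [RISKY_CAPS[c] for c in risky],
            })
    return findings


def audit_live():
    """Run getcap on the current host (Linux with libcap) and audit the result."""
    try:
        out = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        return []
    return audit_getcap(out.splitlines())


if __name__ == "__main__":
    for finding in audit_getcap(SAMPLE_GETCAP.splitlines()):
        print(finding["path"], finding["caps"], finding["flags"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

A hit like the tcpdump line means the binary should be restricted to the group that needs it (for example `chmod 750` with a dedicated group) or have the capability removed with `setcap -r`, since any user who can run it can capture credentials crossing the host, which is exactly what the walkthrough goes on to do.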

So, with the help of the above credentials, we switched to the paul account and checked his sudo permissions. We found that paul has sudo permission to run the /usr/sbin/service program as peter.

With the help of the above command, we were able to access a shell as peter.

Then we checked the sudo rights for peter and found he has ALL permission to run any program as root, but we don't know Peter's password; moreover, peter has the sudo right to run /usr/bin/passwd as root. In order to access root, we abuse that sudo permission by changing root's password and then go for the final flag.
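The chain from paul to peter to root above rests on three sudo grants: service runnable as peter, passwd runnable as root, and ALL for peter. A sudoers linter catches grants like these during a review. The Python script below is an added example, not part of the walkthrough; the sudoers text it checks is constructed to mirror the grants described above plus a few filler rules (the zeus/dpkg and www-data lines are hypothetical), and its list of risky programs is deliberately short.

```python
"""Lint sudoers rules for grants that let a user act beyond the intended scope."""
import os
import re

# user host=(runas) TAG: command, command
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

# Programs whose normal function lets the caller act as the run-as user beyond the command itself.
DANGEROUS = {
    "passwd": "changes any account's password when run as root, including root's own",
    "service": "starts arbitrary executables as the run-as user",
    "cp": "overwrites files owned by the run-as user, e.g. SSH keys or configuration",
    "dpkg": "installs packages whose maintainer scripts run as root",
    "apt": "package installation runs scripts as root",
    "apt-get": "package installation runs scripts as root",
    "sh": "a shell", "bash": "a shell",
    "vi": "editor with a shell escape", "vim": "editor with a shell escape",
    "less": "pager with a shell escape", "more": "pager with a shell escape",
}

# Constructed sudoers text modelled on the walkthrough's grants; not the machine's real file.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
paul ALL=(peter) NOPASSWD: /usr/sbin/service
peter ALL=(ALL) ALL
peter ALL=(root) NOPASSWD: /usr/bin/passwd
zeus ALL=(root) NOPASSWD: /usr/bin/dpkg
%admin ALL=(ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
"""

SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def classify_binary(name):
    """Return why a program is risky to delegate, or None if it is not on the list."""
    if name.startswith("python") or name.startswith("perl"):
        return "interpreter that can spawn a shell"
    return DANGEROUS.get(name)


def lint_sudoers(text):
    """Return a list of findings: one per (user, command) grant that needs review."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m["tags"]
        runas = m["runas"] or "root"  # sudo defaults the run-as user to root
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            issues = []
            if cmd == "ALL":
                issues.append("any command")
            else:
                binary = os.path.basename(cmd.split()[0])
                reason = classify_binary(binary)
                if reason:
                    issues.append(f"{binary}: {reason}")
                if "*" in cmd:
                    issues.append("wildcard in arguments")
            if issues and runas == "ALL":
                issues.append("as any user")
            if issues:
                findings.append({"user": m["user"], "runas": runas, "cmd": cmd,
                                 "nopasswd": nopasswd, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in lint_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']} -> {f['runas']}: {f['cmd']}"
              f"{' [NOPASSWD]' if f['nopasswd'] else ''}: {'; '.join(f['issues'])}")
```

On the sample, the www-data rule (a fixed systemctl invocation) passes while the other five grants are reported. Run it on a real host with `lint_sudoers(open('/etc/sudoers').read())` plus each file under /etc/sudoers.d; the fix for a grant like passwd-as-root is to remove it or scope it to a specific non-root account.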

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher and Enthusiast, contact here.

Multiple Ways to Mount Raw Images (Windows)

In this article, we are going to learn how we can mount a forensic image on a Windows machine. There are multiple ways to accomplish this, and tools like OSF Mount, Arsenal Image Mounter etc. will help us in this process. So, let's start.

Table of Content

  • Introduction
  • Why Mount an Image?
  • Mounting Tools
    • Mount Image Pro
    • OSF Mount
    • Arsenal Image Mounter
    • Access Data FTK Imager

Introduction

In the cyber forensic world, a forensic image is a complete sector-by-sector copy of a hard drive or external drive. Generally, a forensic image is used as evidence in a forensic investigation. These images include unallocated space, slack space and boot records. Different computer forensic tools use different formats to generate a forensic image.

Some common forensic images formats are RAW, E01, AFF, etc. We can use a variety of tools to analyze and mount that image to get better investigative results.

Why Mount an Image?

Mounting is the process that exposes a RAW logical image as a mounted directory or drive. To examine a forensic image properly, mounting is preferred. There are various tools that can be used to mount a RAW image; let's learn the mounting process using several of them. Although the basic procedure is the same, there are times when an investigator finds that he/she cannot use their preferred tool, and each investigative company uses different tools. So a good investigator should know the different tools to widen their ability and robustness.
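Whichever tool does the mounting, the work underneath is the same: confirm the image is the one that was acquired (by hash), read the partition table, and expose a partition as a read-only drive at the right byte offset. The Python script below is an added example written for this article, not code from any of the tools it describes; it builds a small constructed raw image with an MBR holding two partitions, parses the table and verifies a SHA-256 hash, so you can see what the “select partition” and “sector size” prompts in the tools are driven by.

```python
"""Parse the MBR partition table of a raw (dd-style) image and verify its hash."""
import hashlib
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"
PARTITION_TYPES = {
    0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_mbr(image):
    """Return the non-empty entries of the four-slot MBR partition table."""
    mbr = image[:SECTOR_SIZE]
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("no valid MBR signature: GPT-only, damaged, or not a disk image")
    parts = []
    for i in range(4):
        off = 0x1BE + 16 * i  # 16-byte entries start at offset 446
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype == 0 or count == 0:
            continue  # empty slot
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02x})"),
            "start_lba": lba,
            "sectors": count,
            "start_offset": lba * SECTOR_SIZE,   # the byte offset a mounting tool maps to a drive letter
            "size_bytes": count * SECTOR_SIZE,
        })
    return parts


def read_partition(image, part, length):
    """Return the first `length` bytes of a partition, i.e. what the mounted drive begins with."""
    return image[part["start_offset"]:part["start_offset"] + length]


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def verify_image_hash(image, expected_sha256):
    """Compare against the hash recorded at acquisition; a mismatch means the evidence changed."""
    return sha256_of(image) == expected_sha256.lower()


def build_sample_image():
    """Constructed 2 MiB raw image with an MBR and two partitions (not a real evidence file)."""
    img = bytearray(SECTOR_SIZE * 4096)
    mbr = bytearray(SECTOR_SIZE)
    # (status, type, start LBA, sector count); CHS fields are set to the usual 0xfe 0xff 0xff filler
    entries = [(0x80, 0x07, 2048, 1024), (0x00, 0x83, 3072, 1024)]
    for i, (status, ptype, lba, count) in enumerate(entries):
        off = 0x1BE + 16 * i
        mbr[off:off + 16] = struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype,
                                        b"\xfe\xff\xff", lba, count)
    mbr[510:512] = MBR_SIGNATURE
    img[:SECTOR_SIZE] = mbr
    # Drop an NTFS-style OEM id at the start of the first partition so the mounted view is recognisable.
    first = 2048 * SECTOR_SIZE
    img[first + 3:first + 11] = b"NTFS    "
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print("sha256:", sha256_of(image))
    for p in parse_mbr(image):
        print(p)
```

For a real image file, hash it in chunks rather than reading it all into memory, and do the hash check before and after the examination; the tools' read-only and write-cache modes exist precisely so that the second hash still matches.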

Tool #1: Mount Image Pro

Mount Image Pro is a tool which is quite useful in forensic investigations. It can mount images in all the common forensic image formats. Some of them are:

  • .RAW
  • .E01 (Encase Image)
  • .A01
  • .dd

This tool is developed by GetData, a renowned provider of end-user software for data recovery, file recovery, computer forensics and file previewing. Their products are designed for getting data back from systems and their hard drives.

We can download Mount Image Pro from here.

Once Mount Image Pro is downloaded, launch the tool using the icon created on the desktop. After launching the app, we need to press the Mount icon to get started.

We can also click on File in the menu bar and choose the “Mount Image File” option to move ahead.

After this, we need to select our disk image file on our hard drive. After selecting the image file, we click the “Open” button to open it.

Now, we need to set a number of options to get started. The first is how we want to mount the image. We want the image to be mounted and shown as a partition in Explorer, hence we choose the Disk option; if you want to investigate the image as a directory, choose File System instead. Next comes the mount location: if we chose the File System option, we need to specify the destination directory; otherwise we choose a letter that will act as the drive letter (such as Local Disk D: or E:). In the Disk options panel we checked Plug and Play so that dismounting is easier. Then we select the kind of access we want; we choose Read-Only access. We can also customize the sector size of the partition. After giving all the required details, press the OK button.

After this, mounting starts and we get live progress through the status bar, as depicted below.

After completion, we will get our mounted image and we can start our investigation.

As the screenshot shows, it mounted our forensic image as the F: drive. Now we can analyze it and get the same view of the files as the user gets on their own system.

Tool #2: OSF Mount

OSF Mount is software that allows us to mount local disk image files (sector-by-sector copies of an entire disk or disk partition) on a Windows system. We can then analyze the disk with its companion tool, OSForensics. By default, image files are mounted read-only so that our original image files do not get altered.

This software supports mounting disk image files in any mode, whether we want them in read-only mode, write mode or write-cache mode.

We can download OSF mount from here.

Let's begin by opening OSF Mount after completing its installation. The developers at PassMark gave us a neat, very minimalistic UI to work with. To begin, we hit the “Mount New” button.

After that, we follow a series of steps where we fill in the required details.

Step #1: We need to provide the source of the image file to mount for our investigation.

After filling in details, we hit the Next button.

Step #2: We need to select whether we want a specific partition or the entire image mounted for investigation.

After that step, we need to finalize things. In the last step, we select a few details regarding our image: additional features that we may or may not want to include, such as whether to mount the image as removable media, the drive type, the drive letter, drive emulation, etc.

After filling in all details and completing all steps, click on the Mount button to start mounting the image file.

Now, as shown in the image given below, we have the image successfully mounted and ready for analysis.

We can also check that the mounted image works by opening it in File Explorer, as shown in the image given below:

Tool #3: Arsenal Image Mounter

Arsenal Image Mounter handles disk images as whole drives. As far as Windows is concerned, the contents of disk images mounted by AIM are real SCSI disks, which allows its users to take advantage of disk-specific features such as integration with Disk Management, access to Volume Shadow Copies and much more.

Many of the image mounting solutions on the market present the contents of disk images as shares or partitions rather than as complete disks, which sometimes limits their usefulness to digital forensics practitioners or investigators. If AIM is running without a license, it runs in free mode and provides the core functionality. If it is licensed, it runs in professional mode with full functionality enabled.

We can download our Arsenal Image Mounter from here.

After downloading and completing its installation, we can open the software and start mounting an image file. After opening it, click on the “Mount disk image” button.

Now we have some details to fill in. We are asked about the mode in which we want our mounted image and what type of device it has to be. We can choose Read Only or Writable, among other options. We are also required to fill in the sector size and tick “Create removable disk device” for a smoother mount. After filling in all the details, click on the OK button to move on.

After this our disk is mounted successfully, and we get all the details regarding it in the mounted message.

Now we check whether our image is mounted as a removable device in our system. After checking that, we can finally start our investigation.

Tool #4: Access Data FTK Imager

AccessData's claim is that FTK lets investigators zero in on the relevant evidence quickly, conduct faster searches and dramatically increase analysis speed. FTK uses distributed processing and is designed to fully leverage multi-core and multi-threaded computers, whereas other tools leave modern hardware underused; FTK tries to use 100 per cent of its hardware resources to help the investigation process.

FTK provides faster searching in comparison to other solutions. FTK is truly database-driven: all data is stored securely and centrally, which allows our teams to use the same database and reduces the cost of creating multiple data sets.

We can download AccessData FTK Imager from here.

After finishing the installation, open the software to move ahead.

Now, click on the File option in the menu and select the “Image Mounting” option to start the image mounting process.

Now we use the Add Image File option. We browse to the image file on the system, then fill in details such as the image mount type, its drive letter and its mount method.

After filling in all mandatory details regarding the process, click on the Mount button to start the mounting process.

It takes some time to mount an image, but after the process finishes we get the details of our mounted image in the Mapped Images section. It provides basic information such as the drive, method, partition, image location, etc.

If we want to check integrity information, we can do so by browsing to the drive location and verifying the data there before starting our investigation.

These are different ways in which we can mount a forensic image in Windows to help investigators; for better analysis of the evidence, this helps them in their investigation process.

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher and Enthusiast, contact here.

Five86:1 Vulnhub Walkthrough

Today we are sharing another CTF walkthrough of the Vulnhub machine named Five86-1, with the intent of gaining experience in the world of penetration testing. The credit goes to m0tl3ycr3w for designing this machine, and the level is set to beginner to advanced.

According to the author: The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

Download it from here: https://www.vulnhub.com/entry/five86-1,417/

Penetration Testing Methodologies

Network scanning

  • Netdiscover
  • Nmap

Enumeration

  • Exploring Http services

Exploit OpenNetAdmin

  • Command Injection (Metasploit)
  • Crack the hashes (john)

Privilege Escalation

  • Abusing Sudo
  • Abusing SUID

Walkthrough

Network Scanning

As you know, this is the initial phase, where we use netdiscover to scan the network and identify the host IP; here we have 192.168.0.126 as our host IP.

In our next step, we used nmap for port enumeration; we ran the following command and found port 80 open for HTTP. Moreover, we also found robots.txt displaying a disallow entry for /ona, as shown in the image below.

Enumeration

Thus, we navigated to a web browser, browsed the following URL and found the OpenNetAdmin application running on the web server, disclosing its installed version.

We noticed that OpenNetAdmin version 18.1.1 is installed on the host machine, so we looked for an exploit and found a Ruby script for Metasploit on Exploit-DB that abuses a command injection in OpenNetAdmin. Without wasting time, we downloaded the exploit to our local machine.

Further, we copied the downloaded Ruby script into the Metasploit framework so that we could use the module to exploit the host machine's vulnerability.

Exploit

After copying the exploit into the Metasploit Framework, you will need to reload the database and load the module.

Here we got our meterpreter session after running the following commands:

So, we successfully exploited the host machine and spawned a shell as www-data. We decided to go on with post-exploitation enumeration for privilege escalation and, as a result, found a “.htaccess” file within /var/www/html/reports. By reading the .htaccess we found the path of the .htpasswd file, i.e. “/var/www/.htpasswd”, and by reading .htpasswd we found a hash for the user “douglas”. In the .htpasswd file, the author has left a hint for the password, as shown in the image.

So, we found that the password is a 10-character string made up of the characters “aefhrt”, so you'll need to prepare a dictionary of 10-character passwords. Here we used crunch to create the dictionary, executing the following command to follow the password pattern the author described.

With the help of the above command, we generated a dictionary and used John the Ripper to crack the hash. Here I saved the hash described above in a text file called “hash”, used the dict.txt wordlist and ran the following command.

As a result, we found the password: “fatherrrrr” for the given hash value.

Privilege Escalation

As we had spawned a shell on the host machine, we tried to switch to Douglas using the password cracked above. Once signed in as Douglas, we searched for his sudo rights and found that he could run the copy program as “jen”.

Since the author has given sudo rights on the copy program, which can be executed as jen, we can copy douglas's SSH public rsa_key into /home/jen/.ssh so that we can log in as jen. Thus, we executed the following commands.

Now copy id_rsa to the /tmp directory, change its permissions, then try to access an SSH shell on localhost as jen.

Hmmm! When we connected to the SSH shell as jen, we found another hint, “you have a new mail”, in the SSH banner, as shown in the given image.

So, we found a text file, “jen”, in /var/mails that contains jen's email. As per this message, jen knows the password for the Moss account, so we can use Moss's credentials to move further.

So we switched from Jen's account to Moss and looked for SUID-enabled files; luckily, here we found that the SUID bit is set on “upyourgame”, as shown in the image.

So we navigated to /home/Moss/.game/ and ran the “upyourgame” program. It launches a questionnaire that can only be answered in YES/NO format, and finally we got the root shell and found the final flag in the /root directory, as shown below.

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher and Enthusiast, contact here.

Symfonos:5 Vulnhub Walkthrough

This is another post on a Vulnhub CTF, named “symfonos”, by Zayotic. It is designed for the VMware platform, and it is a boot-to-root challenge where you have to find flags to finish the task assigned by the author.

You can download it from here: https://www.vulnhub.com/entry/symfonos-5,415/

Level: Intermediate

Penetration Testing Methodologies

Scanning

  • Netdiscover
  • Nmap

Enumeration

  • Abusing HTTP
  • Dirb

Exploiting LFI

  • Burp suite

Privilege Escalation

  • Exploiting Dpkg

Walkthrough

Scanning

Let's start with the scanning process. The target VM took the IP address 192.168.0.112 automatically from our local Wi-Fi network.

Then we used nmap for port enumeration. We found that port 22 for SSH, 80 for HTTP, and 389 and 636 for LDAP are open.

Enumeration

As port 80 is open, we tried opening the IP address in our browser, but we didn't find anything useful on the webpage.

Further, we used dirb for directory brute-forcing and found the /admin.php page with status code 200 OK by executing the following command.

When we opened the above-listed web page, i.e. /admin.php, we got a login page, but we didn't know the login credentials, so we tried to bypass the login page using SQL injection and a brute-force attack, but unfortunately nothing was achieved.

Therefore, we used Burp Suite to intercept the browser request for the current webpage and analyze it. We sent the request to the Repeater and found a suspicious hyperlink inside the response.

We felt there was a possibility of LFI because the URL fetches the portraits.php file from localhost, as shown in the given image.

To confirm the LFI vulnerability, we tried to pull the “/etc/passwd” file by fuzzing the parameter “/home.php?url=”, and it worked as expected.
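The home.php?url= parameter above is an include path taken straight from the request, which is what makes /etc/passwd readable through it. The Python function below is an added example, not code from the challenge VM, showing the checks such a parameter needs: no absolute paths or URL schemes, no null bytes, the resolved path must stay inside the include directory, and the file must be on an explicit allowlist. `run_demo()` exercises it on constructed inputs in a temporary directory; the page names in ALLOWED_PAGES are hypothetical.

```python
"""Safely resolve a page-include parameter (the kind behind home.php?url=...)."""
import os
import tempfile

# Hypothetical allowlist: the only pages the handler is ever meant to include.
ALLOWED_PAGES = {"home.php", "portraits.php"}


def resolve_include(param, base_dir, allowed_pages):
    """Return the absolute path to include, or raise ValueError with the reason it was refused."""
    if not param or "\x00" in param:
        raise ValueError("empty value or embedded null byte")
    if "://" in param or param.startswith(("/", "\\")):
        raise ValueError("absolute paths and URL schemes are not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, param))  # collapses any ../ segments
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the include directory")
    if os.path.relpath(candidate, base) not in allowed_pages:
        raise ValueError("page is not on the allowlist")
    return candidate


def run_demo():
    """Create a throwaway include directory and run the resolver over constructed inputs."""
    with tempfile.TemporaryDirectory() as base:
        for name in ALLOWED_PAGES:
            open(os.path.join(base, name), "w").close()
        open(os.path.join(base, "admin.php"), "w").close()  # present on disk, but not allowlisted
        results = {}
        for value in ["portraits.php", "admin.php", "/etc/passwd", "../../etc/passwd",
                      "http://localhost/portraits.php", "portraits.php\x00.txt"]:
            try:
                results[value] = resolve_include(value, base, ALLOWED_PAGES)
            except ValueError as err:
                results[value] = f"rejected: {err}"
        return results


if __name__ == "__main__":
    for value, outcome in run_demo().items():
        print(repr(value), "->", outcome)
```

Only the allowlisted relative name resolves; admin.php is refused even though the file exists, which is the point: an allowlist, not a blocklist of traversal strings, is what stops a parameter like this from reading arbitrary files.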

Exploit LFI

As a result, we successfully obtained the content of the “admin.php” file by exploiting the LFI through the same parameter. We knew that the http://192.168.0.112/admin.php page requires login credentials, and here we found the credentials “username: admin” and “password: qMDdyZh3cT6eeAWD”, which are actually used to connect to LDAP.

Further, we used nmap for LDAP enumeration and ran the following command; as a result, we found user information including a password.

Privilege Escalation

Thus, we used the user zeus's credentials enumerated above to access an SSH shell on the host machine and checked his sudo rights. We found that zeus has sudo permission to run dpkg as root, so we abuse zeus's sudo rights for privilege escalation by exploiting dpkg's functionality.

As we know, dpkg is a package installer, just like apt on Linux-like operating systems, so here we are going to craft a Debian package with the help of fpm, transfer it to the host machine and get a privileged shell.

Write the following code in the file shell.sh and save it.

Install fpm on your local machine and run the following command to generate a Debian package for shell.sh.

Note: You will need to install FPM on your machine.

Once the malicious deb package is generated, download it onto the host machine and install the package as root. To perform the privilege escalation, run the following command and you get a privileged shell, where you find proof.txt as shown in the given image.
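The escalation works because dpkg, run as root, executes the package's maintainer scripts (preinst, postinst, prerm, postrm) as root. Inspecting those scripts before a package is installed is the defensive counterpart. The Python script below is an added example, not part of the walkthrough: it parses the .deb container (an `ar` archive holding debian-binary, control.tar and data.tar), extracts the maintainer scripts from control.tar and flags lines that set setuid bits, touch sudoers or account files, or open network connections. The sample package it builds is constructed in memory to mimic the shape of fpm's output and is not the walkthrough's shell.sh.

```python
"""Inspect a .deb before installing it: list its maintainer scripts and flag risky actions."""
import io
import re
import tarfile

MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
SUSPICIOUS = {
    "sets a setuid/setgid bit": re.compile(r"chmod\s+\S*[+=]s\b"),
    "touches sudoers": re.compile(r"/etc/sudoers"),
    "touches account databases": re.compile(r"/etc/(passwd|shadow)|\buseradd\b|\busermod\b"),
    "opens a network connection": re.compile(r"/dev/tcp/|\bnc\b|\bncat\b|\bcurl\b|\bwget\b"),
}


def ar_members(blob):
    """Yield (name, data) for each member of a `!<arch>` archive, the .deb container format."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        # 60-byte header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2)
        name = blob[pos:pos + 16].decode().strip().rstrip("/")
        size = int(blob[pos + 48:pos + 58].decode().strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # member data is padded to an even length


def inspect_deb(blob):
    """Return the maintainer scripts found in control.tar and the suspicious lines in them."""
    scripts, findings = {}, []
    for name, data in ar_members(blob):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for member in tar.getmembers():
                base = member.name.rsplit("/", 1)[-1]
                if member.isfile() and base in MAINTAINER_SCRIPTS:
                    text = tar.extractfile(member).read().decode(errors="replace")
                    scripts[base] = text
                    for lineno, line in enumerate(text.splitlines(), 1):
                        for label, pattern in SUSPICIOUS.items():
                            if pattern.search(line):
                                findings.append((base, lineno, label))
    return {"scripts": scripts, "findings": findings}


def _ar_member(name, data):
    header = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
    return header + data + (b"\n" if len(data) % 2 else b"")


def _tar_gz(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo("./" + name)
            info.size, info.mode = len(data), 0o755
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_deb():
    """Constructed package in the shape fpm produces; the scripts are samples, not the walkthrough's."""
    control = ("Package: demo\nVersion: 1.0\nArchitecture: all\n"
               "Maintainer: demo <demo@example.invalid>\nDescription: constructed sample\n")
    postinst = "#!/bin/sh\nset -e\ncp /etc/sudoers /tmp/sudoers.bak\nchmod u+s /usr/local/bin/demo-helper\n"
    return (b"!<arch>\n"
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", _tar_gz({"control": control, "postinst": postinst}))
            + _ar_member("data.tar.gz", _tar_gz({"usr/local/bin/demo-helper": "#!/bin/sh\necho demo\n"})))


if __name__ == "__main__":
    report = inspect_deb(build_sample_deb())
    for script, lineno, label in report["findings"]:
        print(f"{script}:{lineno}: {label}")
```

`dpkg-deb -e pkg.deb outdir` extracts the same control files from a real package for a manual read. The broader fix is the one the sudoers linter would point at: a sudo grant on dpkg is a grant of root, so it should not exist for an account that is not trusted with root.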

Author: Pinky Deka is trained in Certified Ethical Hacking and is a Bug Bounty Hunter. Connect with her here.