Hack the Box: Networked Walkthrough

Today, we’re sharing another Hack Challenge Walkthrough box: Networked design by Guly and the machine is part of the retired lab, so you can connect to the machine using your HTB VPN and then start to solve the CTF.

The level of the Lab is set: Beginner to intermediate.

Task: Capture the user.txt and root.txt flags.

Penetration Methodologies

Network Scanning

  • Nmap

Enumeration

  • Dirbuster

Exploiting

  • Malicious file upload

Privilege Escalation

  • Abusing Exec function via nohup
  • Abusing Sudo Right

Network Scanning

As we know the victim’s machine IP thus, we can start with Nmap scanning to identify the open ports and services running across it.

From this scanning result, we found that port 80 is open for HTTP. besides, port 22 is also open for SSH.

Enumeration

As a result, we looked at the victim IP in the web browser and the welcomed web page is shown in the image below.

I read the text given on the web page, but I didn’t find the message was enough to guess next clue, so I decided to go with the listing of the web directory.

Thus, I choose dirbuster for the directory brute force attack and enter the target URL.

As a result I found some php files and directories like /uploads and /backup as shown in the given image.

So, first I explored the /backup directory and found a backup.tar file on the website.

Without wasting a lot of time, we downloaded the file backup.tar in our local machine and extracted the file to analyze what’s in it.

So, basically, it holds some php files like index.php, lib.php, photos.php, and upload.php. Then we explored upload.php file where this file has been linked to uploads directory to validate uploaded photo via extensions like jpg, png, gif & jpeg.

Then I explored photo.php in the web browser and note that it was the photo gallery where the uploaded photos are available.

And when I scanned the /upload.php file in the web browser, I found the upload parameter that allows any image file to be uploaded.

It could be exploited by uploading a backdoor by injecting a malicious payload into the image. So, we’ve got the image named “1.png” that I used to inject a malicious payload.

After injected the payload with the help of exfil tool, I saved the image as shell.php.png

When all things are set then I upload the file “shell.php.png” and as a result, the uploaded file is shown to refresh the gallery successfully.

So, again we browse the http://10.10.10.photos.php file and found the link for our malicious file that we have uploaded.

Now, it was time to execute the backdoor but before that, we need to start netcat listener in the background.

Then finally! We obtained the victim’s machine reverse connection via netcat session and a bash shell. I found three files inside the /guly folder as: “check attack.php” “user.txt” “crontab.guly” where I try to read the user.txt file but couldn’t read it due to the least permission. 😓

Privilege Escalation

Then I explored crontab.guly where I found a cronjob running in the background to run attack php file every three minutes after that, the attack.php file will check for the malicious content inside /var /www /html/uploads and report it by mail to guly. In addition, the “exec”  function here is used for “nohup”, which stands for No Hungup.

The nohup command runs another program defined as its argument and disregards all signals from SIGHUP (hangup). The given exec function along with nohup will delete the files from the get namechecks function under $path = /var/www/html/uploads/ and $value.

Therefore, I decided to use the exec function by passing two arguments separated by semi-colon (;) under /var/www/html / uploads, so I use the touch command to build a file that will be our first argument and then continue the second argument separated by; for netcat reverse connection wait for three to get the reverse connection via new netcat session. 😇

We got a reverse connection of the host machine after three minutes in a new terminal where we had our netcat in listening mode and catch the 1st flag by reading user.txt file.

Now it’s time to get the root flag too, but we need to raise the root privileges for these, so we search for the user’s sudo permission.

So, we found user guly can run a program changename.sh from inside /user/local/sbin as root and fill the input which will give a root shell. Just move inside the/root directory and capture the root flag.

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information SecurityContact here

Tempus Fugit: 1: Vulnhub Walkthrough

In this article, we are going to crack the Tempus Fugit: 1 Capture the Flag Challenge and present a detailed walkthrough. The machine depicted in this Walkthrough is hosted on Vulnhub. Credit for making this machine goes to 4nqr34z and DCAU. Download this lab by clicking here.

Level: Hard/Insane

Penetration Testing Methodology

  • Network Scanning
    • Netdiscover Scan
    • Nmap Scan
  • Enumeration
    • Browsing HTTP Service in Browser
    • User Enumeration using Command Injection
    • Getting netcat session using Command Injection
    • Enumerating Cgroup for Dockers
    • Enumerating FTP service for CMS Credentials
    • Installing Nmap On Target Machine
    • Nmap Scan
  • Exploitation
    • Crafting Payload using MSFvenom
    • Transferring Payload to Target Machine
    • Getting Meterpreter Session
  • Post Exploitation
    • Port Forwarding using portfwd
    • Enumeration of /etc/hosts on Target Machine
    • Installing Bind Tools
    • Enumerating using DiG
    • Adding CMS URL in attacker’s /etc/hosts
    • Accessing the CMS
    • Exploiting CMS using a Theme template
    • Getting Session for www-data
    • Getting Credentials using Responder
    • Enumerating the mails of the user
    • Getting credentials of another user
  • Privilege Escalation
    • Enumerating for Sudoers List
    • Escalating Privilege using nice
  • Reading Root Flag

Walkthrough

Network Scanning

We downloaded, imported and ran the virtual machine (.ova) on the VMWare Workstation, the machine will automatically be assigned an IP address from the network DHCP. To begin we will find the IP address of our target machine, for that use the following command as it helps to see all the IP’s in an internal network:

We found the target’s IP Address 192.168.43.100. The next step is to scan the target machine by using the Nmap tool. This is to find the open ports and services on the target machine and will help us to proceed further

Enumeration

Here, we performed an Aggressive scan to gather maximum information in a single step. The scan revealed that we only have the TCP port 80 opened. It was running the Nginx server which is hosting the HTTP service. As for the lack of better option let’s get on to enumerate the port 80.

We have a very nice site, which looked like it is made of some popular CMS but, all my hard work exploring the webpage didn’t yield any benefit. But we did find this message.

It was in the About section, it tells us the meaning of the word Tempus Fugit which really translates to “Time Flies”. The message also informs that this webpage was designed to upload some scripts onto an internal FTP server. Now all we need to find that upload option. It was on the menu of the webpage. After enumerating for a while, it was clear that this upload option was white-listed. Only .txt and .rtf extensions were allowed. After an exhaustive list of ways to upload any kind of shell but we were unsuccessful. Now it hit us that we could try command injection through this upload option. We tried the very basic injection with “;whoami”. For this we intercepted the request on the “Upload!” and added the injection text in the filename field as shown in the image given below. After this, we forwarded the request to the Target Machine Server.

It’s good news! The injection was successful. We get a reply “root”. Now the next logical step is to enumerate around the application.

For enumeration, we thought that Directory Listing is a good way. So, we replaced “;whoami” injection to “;ls”. After performing the ls command injection, we see that we have all the files in the directory listed. This was a pretty consolidated format. But we clearly saw that there was a file named main.py. This must be important.

We tried to read the main.py file using the cat command. We get an error “Only RTF and TXT files are allowed”. We deduced from this is that the filter is not allowing “.py” in the injection as well. So, to work around this filter, we thought to try the wildcard option (*).

It worked! We were able to read the main.py file. It was the internal FTP server that is working on the backend. On taking a closer look we see that we have a username and a hash which looks like MD5.

Now, we cannot proceed further without a proper shell to work. But as we figured out earlier that the dot (.) is also blacklisted. We went on to the internet to find the representation of IP Address without the dot. We came across Long IP. So, we thought of trying to gain the session using the Long IP format of our attacker IP. The conversion to Long IP was not difficult, there were many converters available online.

Now using the command injection, we found earlier, we entered a netcat invocation shell command. This command invoked a shell on port 6666 on our attacker machine.

We started a Listener before executing the command to invoke a shell. After execution, we get the shell. But to convert the improper shell into TTY shell, we used the python one-liner. Now that we have the TTY shell, we ran the whoami command which told us that we are the root user.

Now we knew that this was not that easy. So, we went straight up to the root directory. Here we see that we have a text file named message.txt. We read the contents of the message.  As expected, it tells us that we are not done yet.

Now we started to enumerate the other directories that are available for us in search of some hint to move forward. We used the ls command in the root directory which revealed a folder named .ncftp. We decided to take a look at it. Inside it, we found some files, in which trace.234 file revealed some information that was worth looking into. We saw that there was an IP Address that didn’t seem to be part of our subnet. There were attempts to connect to that particular IP Address.

At this moment it hit us that, as we are root and there are multiple IP Addresses involved. It is possible that we are in a docker environment. So, to confirm that we tried to read the proc cgroup file. As expected, we are indeed in a docker environment. As we know that we can run the netcat in this environment, and we found a new IP Address inside an NcFTP directory. We had a hunch that the IP Address we found must be running an NcFTP service. To confirm, we ran a port scan using the netcat on the IP Address we found as shown in the image given below.

Our port scan reveals that the IP Address we found is running an FTP service on port 21. We used the lftp command to login into the FTP service. We used the credentials that we found in the main.py earlier. Now, we found a hash in the main.py. We decoded it and it came out to be “mofo”. We tried that as a password. But it wasn’t a success. So, we tried the hash as a password. That worked and we were inside the FTP Server.  Now in the FTP server, we found a cmscreds.txt file. In this file, we have a set of credentials that would help us logging into a CMS but the location of CMS still remains a mystery.

We went back to the root directory where we found the .ncftp directory. Here we found a file named .python_history. Anything that is hidden, and is named history is worth looking into. So, we dig in to find a set of credentials. But wait there is more. We have an IP Address that is mentioned inside the code. We see that this seems to be out on a different subnet. But definitely requires investigation.

Now, although we have the standard netcat method to scan for active ports, we need something more powerful. Nmap. I checked if we have Nmap installed on this machine. But it wasn’t. Then it hit us, that we are root. So, if there is something that is not installed, we can install it. I tried apt install Nmap but that gave back an error. So, I investigated on the flavour of the Linux that we have here. Then while we were reviewing our steps, there we saw that when we read the file named trace.234. It tells us that our Target is running Alpine Linux 3.7. That’s quite helpful. This means that we will have to run the apk add command to get Nmap installed. Now as we are surrounded by multiple IP Address that is only accessible through the target machine. We went on the mission to find all the IP Address that is in question by scanning the whole subnet for available IP Addresses. This gave us a total of 4 IP Addresses.

We decided to start with the 172.19.0.1 and we saw that it has the port 22, 80 and 8080 open. And we have some sort of Proxy running on the system. Now whenever we come across a proxy, we know we have to use port forwarding to get through. There are multiple ways to do this. But we prefer using Metasploit. For this, we will have to gain a meterpreter session on the system.

Exploitation

To gain meterpreter, we first need to craft a payload. We used the msfvenom for this task. As the target machine was running Alpine Linux. We decided to craft the payload in .elf format. After creating the payload, we use the python one line to host the payload on the port 80 in order to transfer the payload from our attacker machine to target machine.

Now, onto the session that we have of the target machine. We used wget to download the payload file to the target machine. Now we need to give proper permissions to the payload so that it can be executed easily.

Post Exploitation

After giving proper permissions, we execute the elf file. After execution, we see that we have the meterpreter session on our attacker machine. Now, we used the portfwd command to forward the 8080 port of the internal IP to our attacker machine i.e., Kali Linux.

We tried to access the CMS but we were not successful. This means that some more enumeration is required. We went back to our shell on the target machine and started to look around. As the CMS was not accessible, we thought to take a look at the etc directory for any hosts. Here we found “sid” mapped to the IP Address of CMS. We looked inside the resolve.conf and found “mofo.pwn” written.

It was quite possible this might be the host that would lead us to the CMS. To confirm our suspicions, we decided to use the bind tools. As they were not installed, we used the apk add command to install those. After that, we ran the dig command and found the host that we were looking for. ourcms.mofo.pwn seems to be the host that would take us to the CMS that we need.

Since the Tempus Fugit original webpage is still running on the target IP Address, we need to kill that process in order to access this CMS. We ran the netstat command and found that Nginx running with the PID 9. So, we killed it.

Now to access the CMS, we need to add that host we found in our i.e., Kali’s /etc/hosts file.

Now, all that left is to access the CMS from our browser. As we forwarded the port. We will access the webpage on 8080.

Finding the admin login panel was quite easy and if we remember correctly, we have the credentials for this CMS.

After logging in the CMS, we went to the Themes Section. Themes are mostly designed in PHP format and those are easier to edit and gain a shell. We edited the Innovation Theme’s template file.

We replaced the contents of the template.php file with the PHP reverse shell payload and edited the IP Address and the port as shown in the image given below.

Now before saving and accessing the template from the URL provided. We ran a netcat listener to receive the session that would be generated by the reverse shell payload upon execution. The shell popped up. We ran the whoami command and found that we are www-data user. Now we need to escalate privilege from here.

Here we were stuck for a bit, there was almost no hint possible and we were left with enumeration. Here we contacted the author and got the hint that Wireshark would be helpful. If Wireshark is helpful it means that there must be some queries in the network. We ran the Wireshark to find some DNS queries in the network but to get some credentials we need the responder tool. We ran the responder and let it work for a while in the network. After a while, we got some credentials. It was for the user roxi.

We used the su command to login as roxi.

We started our enumeration for this user roxi. We see that this user has some mails.

Let’s dig into that. There was some elaborate story in those emails but in the end, these mails have some credentials. It was for the user dorelia.

Privilege Escalation

We again used the su command to login as the newly found user named dorelia. Let’s use the sudo -l command to enumerate if this user can run some application with root privileges.

Dorelia user can run the “nice” command as the Nancy user which we suppose have the root access. We need to find more about this “nice”. We used the help parameter to get some information about this command. At last, we checked the gtfobin for the nice command and found a way to escalate privileges using the nice command. So, we ran the nice command to invoke the sh shell with the sudo command. This gave us the root privileges.

Reading Root Flag

We traversed to the root directory to find the flag and we have a script here named proof.sh. We ran the script and it gave us the final flag.

This was a long tiring but learning experience, I would like to thank the lab authors for creating such a lab that helped me learn so much. Also, I would like to thank Erik for his help.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn

Hack the Box: Writeup Walkthrough

Today, we’re sharing another Hack Challenge Walkthrough box: Writeup and the machine is part of the retired lab, so you can connect to the machine using your HTB VPN and then start to solve the CTF.

The level of the Lab is set : Beginner to intermediate.

Task: Capture the user.txt and root.txt flags.

Pentesting Methodology

Network scanning

  • Nmap

Enumeration

  • Web Source code

Exploit

  • Unauthenticated SQL injection

Privilege Escalation

  • PATH Environment

Network Scanning

As we know the victim’s machine IP thus, we can start with Nmap scanning to identify the open ports and services running across it.

From this scanning result, we found that port 80 is open where the /writeup/ entry in the robot.txt has been shown. Besides, port 22 is also open for ssh.

Enumeration

As a result, we looked at the victim IP in the web browser and welcomed a web page shown in the image below.

Then we explore the URL below to examine /writeup as enumerated above.

It was a simple web page where we didn’t find any remarkable clue, so we were thinking about checking the source code of the page.

Well, thankfully! We found the description of the CMS used to build the website from inside the source code.

Without any delay, we have googled for CMS Made Simple-2019 Exploit and fortunately found the Exploit DB link to exploit the SQL Injection vulnerability.

Exploit

We just downloaded the python script from the ExploitDB and gave ALL permission. When things are set, we run the following command to obtain the credential from inside the database by exploiting unauthorized SQL injection.

As a result we found salt value, username, email address, password hashes and its password.

Since we have found the login credential, we can use it to access the ssh shell.

Booom!! We successfully got the host machine shell and found the user.txt file as shown in the below image. Now it was time to obtain the higher privilege shell by escalating the privilege of the user jkr.

Privilege Escalation

It was time to post enumeration to determine the concealed process running on the host machine. We try to enumerate the services running as root that can be abused, and to do this, we have to use pspy64 to identify the services running, because the manual approach failed to identify all processes running in the background.

Therefore, we downloaded the pspy64 script in the host machine inside /tmp directory and assign full permissions then ran it to identify processes running of the machine. 

So, we found that a suspicious process was underway, which was executing the following command:

We’re trying to break down in order to analyze what’s going on in the current phase.

Here we saw “sh -c /usr/bin/env” command was running to create an empty environment to set up the PATH variable in which you can observe that “/usr/local/sbin” was at the top which means it will be given the highest priority.

All the scripts in /etc/update-motd.d using run-parts, then stores all output in /run/motd.dynamic.new

Interestingly, we found that the above command was running when jkr connects to ssh to access the server, so we can assume that every time we connect to ssh as jkr, the script will run with the help of the command.

Thus we check the permissions for /usr/local/sbin and note the ownership as root:staff, then we checked for user_id and luckily find that jkr is the member of staff group.

Since /usr/local/sbin is being set as the priority path, hence we can try to write a malicious file inside the /usr/local/sbin/ with a name as run-parts.

So, in our local machine we write a script, to change the password for user root and save it as run-parts,

Then transfer this file on the host machine using HTTP python server.

Let’s download the malicious script to the host machine inside the /tmp directory and give it full permission to copy it to “/usr /local/sbin” as shown in the image below.

when everything is done then we need to logout and then again login with ssh as jkr so that our malicious script gets execute as said above.

Booom! Booom! We’ve got the root flag, as soon as you connect to ssh again, the running process will run our malicious run-parts script, which will modify the root user password, and then you can switch the user as root and catch the root.txt flag.

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

Connect The Dots:1 Vulnhub Walkthough

Today we are sharing another CTF walkthrough of the vulnhub machine named “Connect the Dots” with the intent of gaining experience in the world of penetration testing. The credit goes to “Sumit Verma” for design this machine and the level is set to intermediate.

You can download it from here: https://www.vulnhub.com/entry/connect-the-dots-1,384/

According to the author: The ultimate goal of this challenge is to get root and to read the “user and root” flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

Penetration Methodologies

Network Scanning

  • Netdiscover
  • Nmap

Enumeration

  • Abusing HTTP

Exploiting

  • Decoding JSFuck
  • Login to SSH

Privilege Escalation

  • Capability

Walkthrough

Network Scanning

As you know, this is the initial phase where we used netdiscover for network scan for identifying host IP and this we have 192.168.1.102as our host IP.

In our next step, we love to use nmap for network ports enumeration, thus we run the following command:

With the help above command, we were able to identify open ports and services running across those port. Majorly we take a look at port 80 for HTTP, 2049 for NFS and 7288 for SSH.

Enumeration

Thus, we navigate to a web browser and browse the target IP in the URL and is greeted with the webpage shown in the below in the image.

Unfortunately, I didn’t find any loophole or clue on the home page thus I surf for the given hyperlink “SIRRON” and that redirect to index.html page which similar as a home page but changes can be noted in its source code.

So by exploring the source code of index.html page, we found a username “norris” and a path for a web directory “/mysite”.

We first explore to my /mysite and found some scripts, here bootstrap.min.cs looks suspicious to us thus we download it in our local machine and explore the file.

Exploiting

So, we have found the JSfuck code after exploring the file, and we need to decode it to read this file.

Here, it’s a bit tricky to decode it, if you’re trying to decode the entire contents of the file, you won’t be able to decode the text. You have to remove “var =” and ” “ from the entire content and try to decode the remaining code.

So we visit www.jsfuck.com and paste the code needed to be decoded and as a result, the string that will reveal user Norris password will be given as shown in the image.

Thus, we used the above-enumerated credential to log in to SSH and successfully compromised the host machine and found our 1st flag user.txt as shown in the image below.

 Since we’re at the initial foothold and now it’s time to escalate the privilege to get the root.txt file.

Privilege Escalation

Thus, we explored further and looked for weak service configuration such as SUDO and SUID permission but found nothing related to it. After spending some more time, we saw capability with +ep permission is set on tar program with the help of given below command.

Now it was time to exploit the given permissions on the tar program, so we created the “raj.tar” archive for the / root / root.txt file, and then extract the generated tar file from the current directory as shown below.

As a result, we’ll have the root directory in our current directory, so we’ll be able to read the root.txt file as shown.

Conclusion: By solving this VM you will learn about JSfuck encoding and decoding and Linux capability privilege escalation read more from here.

Author: Ahmed is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here