Zion: 1.1 Vulnhub Walkthrough

Today, I am going to share a writeup for the boot2root challenge of the Vulnhub machine “Zion: 1.1”. It was actually an intermediate box based on the Linux machine. The goal for this machine is to read the flag.txt file.

Penetration Testing Methodology

  • Network Scanning
    • Netdiscover scan
    • Nmap Scan
  • Enumeration
    • Enumerating HTTP service on Browser
    • Inspecting the Login Panel using BurpSuite
    • Decoding Base64 and Base62 messages
  • Exploitation
    • Crafting the Dictionary using Cewl
    • Bruteforcing using BurpSuite
    • Enumerating the Web Application
  • Post Exploitation
    • Connecting using SSH
    • Enumerating for Sudo Rights
  • Privilege Escalation
    • Abusing Sudo Rights on cp

Walkthrough

Network Scanning

We begin by scanning our network for the target machine using Netdiscover. The target machine is active on 192.168.1.109. Let’s scan it and see which services are running and which ports are open.

We do an aggressive scan on the target using nmap.

Enumeration

The scan gives us a lot of good and useful information, but what stands out the most is that port 22 and 80 are open, let’s explore port 80 first and see what we can find there.

Here we see that we have 2 buttons, The “Truth” and “Illusion”. We are given the choice for the Red Pill and Blue Pill similar situation as Neo faced in the Matrix Trilogy by Morpheus. Clicking on the Truth button, we get to a login page.

After looking around the login panel for some time, I decided to inspect the panel through the BurpSuite. I captured the request in the BurpSuite. Sent the request to the Repeater. Here, upon checking the response of the request, we see that there are some odd parameters containing values that seem to be encrypted.

Guessing that the encryption might be Base64, I decided to decode the banner value using the Decoder. This gave us a message that tells us to “Open our mind”. Also it tells us to avoid some characters.

This means that the message that was left to us is not exactly Base64. If we avoid the characters mentioned in the message we get the encryption that is Base62. So, let’s try to decrypt the message using a Base62 decrypter. You can find one online.

The message that was decoded was that it is giving us the hints for the credentials for the “Zion’s Systems”. It tells us to look at the choice page that we were on few moments before. Also, it gives us the username for the user “morpheus.thematrix”. It also tells us that the user likes to keep simple passwords.

Exploitation

There are multiple methods as to how we can try to get the passwords. We can try manually but when we have an arsenal of tools that can do this for us why waste the time. I decided to create a dictionary that can be used to bruteforce the login using cewl. Using cewl is quite simple, we need to provide the URL and the output file path. Cewl will run and create a dictionary for  all the words that are on the webpage.

Now for the brute force, we decide to use the BurpSuite’s Intruder Module. To use Intruder, we need capture the request at the “Login” button with some sample text inside the password box.

Now that we have the request, we can use it to brute force the login using the Intruder. I gave the sample text as “test”. We can send the request to Intruder using the shortcut “Ctrl + I”.

After sending the request to Intruder, we go to the Positions Tab. Here we select the Attack type as Sniper. After setting the Attack type we need to specify the Payload Positions. This is the particular text that is going to be brute-forced. Here we want to brute force the password parameter. So we select the “test” as a place holder. Add the “§” symbol around the text as shown in the image given below by clicking the “Add §” button.

Next, we moved onto the Payloads Tab. Here we have multiple sections to provide the type of payload we want to provide for the bruteforce. Payload here means the dictionary that we created using Cewl previously. We need to provide the Simple list in the Payload type option under the Payload Sets section. Next, we need to add the contents of the dictionary we created. For this we will use the Load button in the Payload Options section. This will open up a window where we can browse the dictionary we created. After doing the above steps we click on the Start attack button.

Clicking on the Start attack button opens up a yet other windows where we can see the Burp Suite try multiple requests from the dictionary. We see that we get a redirection from the password interpreted. This could mean that this is the password. Time to check it out.

We go back to the Login Panel, and try the following credentials to login.

This opens up the Zion’s System. Here we see some information about the user w.rabbit . It tells that the user w.rabbit has forgotten his password. So, the Administrator has disabled its logins using the password. But he did something related to the movies. Matrix, I suppose. Also, I see that there is a link for Private key in the top right sections as shown in the image given below.

The link leads us to a page called rabbit-hole/rsa_priv_key_for_w.rabbit.txt. This is a private key for the user w.rabbit. This means we can login into SSH using this user.

Post Exploitation

I copied the contents of the key and saved it into a empty file and save it as “key”. Now, since we have the port 22 open on the Target Machine, we will try to login on SSH using this key.  From some enumeration we find the warning.txt file. Here we see that we have to find the flag in the path mentioned. We are given the freedom to choose any method or technique we want. Enumerating further into the mail directory, I found the credentials for the user w.rabbit. We are already logged in as w.rabbit user but with the password we can run process as user w.rabbit. To find out what services we can run with elevated permissions. We can see that cp command can be run with elevated privileges as user dozer.

This means that we can run the cp command without any password or other verification.

Privilege Escalation

In the above step we got the that we can access /bin/cp as sudo for both w.rabbit and dozer and in the process of enumeration we got the sudo password for the w.rabbit. So, let’s try to use the /bin/cp file to escalate to the dozer using /bin/sudo. Using cp i.e copy command we will copy the flag.txt in the tmp folder to display the flag.txt using below command.

Here we got our /home/dozer/flag.txt. So that’s for now. See you next time.

Author: Sushma Ahuja is a Technical Writer, Researcher, and Penetration Tester. Can be Contacted on LinkedIn

DevRandom CTF:1.1 Vulnhub Walkthrough

Today we are going to solve another boot2root challenge called “DevRandom CTF:1.1”. It is available on Vulnhub for the purpose of Penetration Testing practices. This lab is not that difficult if we have the proper basic knowledge of cracking the labs. This credit of making this lab goes to Hunri Beats. Let’s start and learn how to successfully breach it.

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link .

Penetration Testing Methodology

Reconnaissance

  • netdiscover
  • nmap

Enumeration

  • Browsing HTTP Service
  • Local file inclusion

Exploiting

  • Password Bruteforce via hydra
  • Login to ssh

Privilege Escalation

  • Abusing sudo  dpkg

Walkthrough

Reconnaissance

We will start by scanning the network using Netdiscover tool and identify the host IP address.

We can identify our host IP address as 192.168.1.105. So let’s start with nmap port enumeration and execute following command in our terminal.

From its result, we found ports 22(SSH), 80(HTTP) were open. Also robots.txt is available .

Enumeration

For more detail, we will be needing to start enumeration against the host machine. Therefore, we will navigate to a web browser for exploring HTTP service.

Nothing was displayed on the page . So we started exploring things we found in nmap scan that is:

On seeing the above page i hit-and-trial lfi on it and boom it worked . From its result we found a user trevor .

Exploiting

We have got a username trevor, now our next job is to find the password for the user trevor with the help of hydra, thus we execute following command:

From its result , we found the password that is qwertyuiop[]

Since We have username and a password, so we tried to access the SSH on the target system and were successfully able to logged in.

let’s go for post exploitation and try to escalate root privileged. 

with the help of sudo list, we notice that trevor can execute dpkg program as root.

Privilege Escalation

As we know that dpkg is a package installer thus we need to create a malicious package and install the malicious package within the host machine with the help of dpkg as result it will escalate the root privilege.

Thus we run the following command found from gtfobin, that creates a malicious package to execute /bin/bash.

Once you will create the package, use python server to transfer this packet into host.

So, I downloaded the above malicious package inside /tmp using wget command.

Now, once I have this package inside the /tmp I can used dpkg with sudo right to install the downloaded package, as soon as it will get install we will the root privilege shell.

Author: Japneet Kaur Gandhi is a Technical Writer, Researcher and Penetration Tester. Contact  here

mhz_cxf: c1f Vulnhub Walkthrough

CTF’s are a great way to sharpen your axe. As a security enthusiast, this is probably the best way to get some hands-on practice that lends perspective as to how an adversary will exploit a vulnerability and how as an infosec professional we will eliminate that risk or guard against it.

This is a very engaging CTF, it has some aspects of steganography. It gives you the chance to turn those wheels but not so much so that you get frustrated, think of it as somewhere between easy and intermediate level. You can download it from here.

Now, let’s dive in.

Penetration Testing Methodology

  • Network Discovery and Scanning
    • Using Netdiscover
    • Using Nmap
  • Enumeration
    • Directory Bruteforce using dirb
  • System Exploration
  • Data Exfiltration
    • Using SCP
  • Steganography
    • Using Steghide
  • Privilege Escalation

Network Scanning

We begin by scanning our network for the target machine using Netdiscover.

The target machine is active on 192.168.1.104. Let’s scan it and see which services are running and which ports are open.

We do an aggressive scan on the target using map.

The scan gives us a lot of good and useful information, but what stands out the most is that port 22 and 80 are open, let’s explore port 80 first and see what we can find there.

This does not help much, time to move to the next stage.

Enumeration

Let’s try to bruteforce the directory using dirb and see what we come across. We are using the -X flag to specify that we are looking for .txt formats only.

It seems we have found something! Let’s navigate to the link that’s given above in our attacking machines web browser and see what we find.

The maker of this CTF seems to be hinting that remb.txt and or remb2.txt might hold some valuable information. Let’s navigate to them.

This looks like a username and a password; I wonder where we will be able to use it?!

System Exploration

We did see that the victim machine has port 22 open, let’s try our luck with SSH, maybe these credentials will work.

We were successfully able to connect with the victim machine over SSH using “flagitifyoucan1234” as the password.

Moving around in the directories we find “user.txt” that gives us a clue about the privilege level. Looking further we find a directory named after the CTF machine that holds image files, this is the part where see the potential for steganography.

The images need to be moved from the victim machine to the attacking machine so that they can be investigated further.

Data Exfiltration

There are many ways to exfiltrate data from a system but considering that this is a Linux system, the chances of finding SCP installed on it already are very high, so let’s use that instead of un-necessarily trying to install a new application.

In our attacking machine, we make a directory to call the files to, enter that directory and then start SCP with the credentials that we found earlier. Defining that we want to import all the files in the “Paintings” directory.

On checking the contents of the “raj” folder, we see that our operation to exfiltrate data was successful, all the image files in the Paintings directory are now in the attacking machine, ready to be scrutinized.

Steganography

Steghide is the tool of choice here for obvious reasons. We need to find what information is hidden in these images.

On running Steighide, for the image names “spinning the wool.jpeg”, we are prompted for a passphrase, where we use the credentials that we had found earlier. This reveals a text file named “remb2.txt”. If you recall, we have come across this particular file name in our earlier screenshots. 

We open the file to reveal what looks to be more credentials, let’s see where they can be used.

Privilege Escalation

We go back to the terminal we have open into the victim machine and try to switch users to “mhz_c1f” and use the password that we just found, and it works, we are in!

On checking the privilege level held by this account. This account is part of the sudo group, so let’s try to get a better foothold. We are now in the root directory and on checking it’s contents we find “.root.txt” and on opening it, we get our final flag!!

This concludes our walkthrough for mhz_cxf: c1f, we hope you enjoyed it and picked up a few useful pieces of information on the way.

CTF’s are the best way to wrap your head around the concepts and though flows required to be a penetration tester, it gives you a chance to think critically and apply what you have learnt so far about hacking, in a safe environment.

As always, we at hacking articles will try to get you latest and greatest in the sphere of infosec.

Have fun and stay ethical.

About The Author

Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here

CengBox: 1 Vulnhub Walkthrough

Today, I am going to share a writeup for the boot2root challenge of the vulnhub machine “Cengbox:1”. It was an easy box based on the Linux machine which helped me learn many new things. The goal is to find the user and root flag.

Penetration Testing Methodology

  • Reconnaissance
    • Netdiscover
    • Nmap
    • Dirb
  • Exploitation
    • SQLmap
    • File Upload
  • Privilege Escalation
    • Pspy script
    • Meterpreter session
  • Capturing the flag

Walkthrough

Reconnaissance

Let’s start recon for this machine using Netdiscover, It is used for identifying the IP address of the various machines in our network work It works as traceroute.

As we got our target IP address for the machine (192.168.1.106), Next, we use nmap for the port scanning and further information gathering on the target host.

Since port 80 is open, Let’s explore the domain or webpage on this IP address using Web Browser.

We will also perform fuzzing to find the endpoints using the dirbuster tool with the big.txt wordlist which can be located inside /usr/share/wordlists directory.

We got some directories like (uploads, Masteradmin, etc). After checking all the directories, we got an Error Page with the endpoint masteradmin/.

We decided to do fuzzing for http://192.168.1.106/masteradmin using the dirbuster tool but with the extension, filter to find any php files that might be present in the masteradmin directory.

In the above image, we can see that there are login.php and upload.php endpoints as we can try to take a reverse shell using upload functionality or we can try to bypass the login page using SQL injection. So, let’s try to explore these endpoints for further enumeration.

Landing on the login page we can see that we will have to bypass the authentication panel i.e., username and password both.

Exploitation

Since we got the login page for which we need to find the username and password to login the page for further exploitation. Here, I tried brute-forcing the parameters but it didn’t work for me so I chose to try the hand at SQL Injection with the sqlmap tool. I ran it with the URL as the parameter and we also use the forms, dbs, and batch parameters.

Sqlmap works for a while and gives us the names of some of the databases. Out of the extracted databases, one that interests us is the cengbox. So, we decide to enumerate it further.

Further dumping the data of this database by using the command given below:

Here we can see that there is a table named admin inside the database we were looking in. Looking further we found the credentials for masteradmin.

So the valid credentials for this login page are

After logging in as masteradmin, we see that we have a file upload functionality.

At first, I tried to upload the php-reverse-shell.php from the available web shell directory to get a reverse shell on the target machine but it told me that the extension is not allowed. I need to upload a CENG file.

So to bypass this upload filter I tried changing the extension of the same reverse shell php file as shown in the image below.

After renaming the shell we tried to upload the file again. This time I was successful in uploading the file.  Using netcat listener we will establish the connection and got the shell.

During our enumeration we got a user named cengover we also git it in the above scanning of sqlmap we got the credentials. Here we will switch the user from www-data to cengover and for that we will use the password that we found was C3ng0v3R00t1!

After getting the shell, I looked around for the user flag.

Privilege Escalation

Now moving towards the root flag, we need to check the permissions and some hidden processes running in the machine for finding the hidden processes running in the machine we need to download the pspy script in the remote machine. We will use the wget command for it.

Now, we need to provide the proper permissions. After that, we will execute the script.

Below are some hidden processes we got one python script is having the md5check.py. Let’s check the permissions on this file.

Here, we can see that md5check.py has the read and write permissions.

Now using msfconsole will make one executable shell. And create one session to gain access through meterpreter. Meterpreter is generated only when the session is created. It helps in gaining full access to the target machine.

Edit the md5check.py file and insert the payload generated inside it and save the file.

This gave the shell access in the meterpreter session created before.

Here we got our root flag. Happy Hacking! See you next time.

Author: Sushma Ahuja is a Technical Writer, Researcher, and Penetration Tester. Can be Contacted on LinkedIn