Symfonos:2 Vulnhub Walkthrough

Today we are going to take another CTF challenge from the series of Symfonos. The credit for making this VM machine goes to “Zayotic” and it is another boot2root challenge where we have to root the server and capture the flag to complete the challenge. You can download this VM here.

Security Level: Intermediate

Penetrating Methodology:

  1. Scanning
     • NMAP
  2. Enumeration
     • Enum4Linux
  3. Exploitation
     • Smbclient
     • Hydra
     • Msfconsole
  4. Privilege Escalation
     • Exploiting Sudo rights

Walkthrough:

Scanning:

Let’s start off with the scanning process. This target VM took the IP address of 192.168.1.102 automatically from our local wifi network.

Then we used Nmap for port enumeration and found that ports 21, 22, 80, 139 and 445 are open.

Enumeration:

As port 80 is open, we tried to open the IP address in our browser but we didn’t find anything useful on the webpage. We also tried dirb and other directory brute-forcing tools but couldn’t find anything.

For further enumeration we used the Enum4Linux tool and found some useful information, including a shared directory named anonymous.

To confirm our finding we took the help of smbclient with an empty password to list the shared resources of the target machine and got the same result.

Inside the anonymous directory there is another directory named backups, and inside backups we found a log.txt file, which we downloaded with the get command.

After opening the log.txt file on our local machine we found a username, aeolus.

Exploitation:

So far we have a username, aeolus, so we tried to brute-force its password with Hydra and, after a long wait, obtained the password sergiotaemo.

Now we have a username and a password, and we already know that an SSH service is running on the target machine. We logged in over SSH using msfconsole and succeeded.

The output of the ifconfig command gave us a hint that the target machine had services listening on the localhost interface only.

So we used the netstat command to check which addresses and ports the target machine was listening on and found that a web service on port 8080 was bound to localhost only.

We therefore used port forwarding to reach port 8080 on the target.

After that we were able to access the web service on port 8080. From the webpage we found that it was running the LibreNMS web application.

We searched Metasploit for an exploit against LibreNMS and found a command injection exploit.

Using this exploit we obtained a meterpreter session as the librenms user.

Privilege Escalation:

To get a root shell we checked the sudo permissions of the librenms user and found that it could run the mysql command without a password. We leveraged this to run /bin/sh and obtained a root shell.

Once we had the root shell we went to the root directory and opened the proof.txt file to complete the challenge.

Author: Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security.

Matrix-3: Vulnhub Walkthrough

Today we are going to take another CTF challenge from the series of Matrix. The credit for making this VM machine goes to “Ajay Verma” and it is another boot2root challenge where we have to root the server and capture the flag to complete the challenge.

You can download this VM here.

Security Level: Intermediate

Penetrating Methodology:

  1. Scanning
     • Netdiscover
     • NMAP
  2. Enumeration
     • Web Directory Search
  3. Exploitation
     • Ghidra
     • SSH
  4. Privilege Escalation
     • Exploiting Sudo rights

Walkthrough:

Scanning:

Let’s start off by scanning the network and identifying the host IP address. Using Netdiscover we identified the target IP as 192.168.1.104.

Then we used Nmap for port enumeration. We found that ports 80 and 7331 are open and that SSH is running on port 6464 on the target machine.

Enumeration:

As we can see port 80 is open, we tried to open the IP address in our browser but we didn’t find anything useful on the webpage.

So we used dirb for directory enumeration.

After brute-forcing with dirb, we found a directory named /assets.

We opened the assets directory in the browser and found an image file named Matrix_can-show-you-the-door.png under the /assets/img/ path.

The image itself was of no use to us, but on looking at the file name properly we realised that the name itself gives us the path forward.

So we used Matrix in the URL, as shown in the image below, and it worked.

From the contents of the Matrix directory we understood that we had to find the right combination of alphanumeric path components to go ahead.

After trying multiple combinations we put our little brains to work and arrived at n/e/o/6/4: neo is the name of the actor in the Matrix movie, and 64 is, we guess, the favourite number of the VM's creator, since he uses it everywhere.

We downloaded the file secret.gz and found that it is actually a text file containing the username and password.

Upon cracking the hashed password with the online tool hashkiller, we found the password to be passwd.

If you remember from the Nmap scan, port 7331 was open, and it turned out to be protected with Basic Authentication.

So we opened the URL http://192.168.1.104:7331 and were prompted for authentication; we used admin:passwd as the username and password and logged in successfully.

We couldn’t find anything useful there, so we ran dirb for directory brute-forcing with the username and password we had already obtained.

After brute-forcing, we found a directory named data.

In the data directory we found a file named data, which turned out to be a DOS file.

Exploitation:

We took the help of our best friend in need, Google, to find out how to open a DOS file, and after some research we found a tool named Ghidra that can open it.

After opening the data file with Ghidra we found a username and password: guest:7R1n17yN30.

As we already knew from our Nmap scan that SSH was running on port 6464 on the target machine, we tried to log in over SSH with the username and password found above and succeeded.

But we were dropped into a restricted bash (rbash) shell, so we used the -t option of ssh together with noprofile and got a full shell as the guest user.

Checking the sudo permissions for the guest user, we learned that this user can run /bin/cp as another user, trinity.

Privilege Escalation:

To escalate to a more privileged user, we created a new SSH key pair and gave read, write and execute permissions to the id_rsa.pub file so that we would be able to copy it to the target location.

We then took advantage of the sudo permission to copy id_rsa.pub to /home/trinity/.ssh/authorized_keys. Now we can log in over SSH to the target machine as trinity using the id_rsa key.

Checking the sudo permissions for trinity, we saw that it can execute the oracle file with root permissions.

But there was no file named oracle in the /home/trinity directory, so we created an oracle file containing /bin/sh using the echo command. Finally, we executed the oracle file with sudo and got the root shell.

And once you have the root shell you can easily get the flag.

Author: Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security.

Escalate_Linux: Vulnhub Walkthrough (Part 1)

Escalate_Linux is an intentionally vulnerable Linux virtual machine. The main focus of this machine is to learn Linux post-exploitation (privilege escalation) techniques. The credit for making this VM goes to “Manish Gupta” and it is a boot2root challenge where the creator wants us to root the machine in twelve different ways. You can download the machine from this link: https://www.vulnhub.com/entry/escalate_linux-1,323/

NOTE: In this article, we have exploited the machine with six different methods.

Security Level: Beginner-Intermediate

Penetrating Methodology:

Scanning

  • Netdiscover
  • Nmap

Enumeration

  • Web Directory Search 

Exploiting

  • Metasploit shell upload
  • LinEnum.sh

Privilege Escalation

  • Method 1: Get root shell by exploiting suid rights of the shell file
  • Method 2: Get a root shell by cracking the root password
  • Method 3: Get root shell by exploiting sudo rights of user1
  • Method 4: Get root shell by exploiting crontab
  • Method 5: Exploiting Sudo rights of vi editor
  • Method 6: Exploiting writable permission of /etc/passwd file

Walkthrough:

Scanning:

Let’s start off by scanning the network with the Netdiscover tool to identify the host IP address, which we found to be 192.168.0.17.

Now let’s scan the ports and services of the target machine with Nmap.

Enumeration:

As we can see port 80 is open, so we tried to open the IP address in our browser and got nothing but the default Apache webpage.

So we used dirb with a .php filter for directory enumeration.

After brute-forcing with dirb, we found the URL http://192.168.0.17/shell.php.

We opened the URL in our browser and found that it accepts cmd as a GET parameter.

So we passed the id command in the URL and found its output reflected in the response.

Exploiting:

Since the target machine is vulnerable to command injection, we created a web delivery shell using Metasploit.

The target host was not able to run the script directly, so we used URL encoding.

After encoding the script, we were successfully able to run it on the target machine and get the meterpreter session.

We got a bash shell as user6 after using a Python one-liner.

To further enumerate the target host, we uploaded the LinEnum tool to it.

From the results of the LinEnum scan, we found that the target host has eight users, namely user1 to user8.

We also found that in the crontab a file named autoscript.sh is run every 5 minutes with root privileges.

From the same LinEnum scan we came to know that /etc/passwd is writable by ordinary users. We also found that the files shell and script can be run with root privileges because the SUID bit is set on them.

Privilege Escalation:

As mentioned above, there are multiple ways to escalate privileges on this machine. We will try as many of them as possible.

Method 1: Get root shell by exploiting SUID rights of the shell file

Using the find command we can confirm that the shell file located in the home directory of user3 can be executed with root privileges.

We tried to execute the same file and got the root shell.

Method 2: Get a root shell by cracking the root password

From the above screenshot, we know that the script file located in the user5 home directory can be executed with root privileges. Using the Path variable exploitation methodology we can access the /etc/shadow file.

To know more about path variable privilege escalation use this link: https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/

On executing ./script, we fetched the contents of the shadow file, as shown in the image below.

We copied the root user's password hash into a file and used John the Ripper to crack it. We got the root password, 12345, and then used the su command to become root.

Method 3: Get root shell by exploiting SUDO rights of user1

We already know by now that script file can be executed with root privileges.

Using the same script file we can change the password of all the users with the help of Path variable methodology.

Here we used the echo and chpasswd commands to replace the existing password with our new password, 12345, and then switched to the user1 account with su. Checking the sudoers list for user1, we came to know that this user can run all commands via sudo.

So we ran the command sudo su and got root access.

Method 4: Get root shell by exploiting crontab

In the previous screenshot we saw that a task named autoscript.sh belonging to user4 is scheduled in the crontab every 5 minutes. We changed the password of user4 the same way we did for user1 and switched to user4 with the new password 12345. There we can see the autoscript.sh file in the Desktop folder.

So we created a payload with msfvenom and wrote the code into the autoscript.sh file using echo.

After writing the code into autoscript.sh we executed the file, started a netcat listener on our Kali machine and waited for the shell.

Yes, we got the root shell, since autoscript.sh is executed as root by the crontab.

Method 5: Exploiting SUDO rights of vi editor

We changed the passwords of all the users to 12345 using the same methodology as above and switched between users to look for more exploits. We found that user8 has sudo permission for the vi editor.

We opened vi with sudo, ran the sh command from within it as shown in the screenshot below, exited the editor and, hurray, got the root shell.

Once again we obtain the root shell, as shown in the image below.

Method 6: Exploiting writable permission of /etc/passwd file

Continuing with the enumeration of users, we found that user7 is a member of the root group with gid 0.

And we already knew from the LinEnum scan that the /etc/passwd file is writable by the user. From this observation we concluded that user7 can edit the /etc/passwd file.

So we copied the contents of the /etc/passwd file to our Kali machine and created a new user named raj with root privileges, for which we generated a password hash for pass123 using openssl.

As you can observe, we have created a new entry in /etc/passwd for user raj with root privileges.

On the target machine we downloaded the edited passwd file into the /etc folder using the wget command.

Then we switched to our newly created user raj and YES, yet again we proudly got the root shell of the machine.
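Every one of the six methods above hinges on a host misconfiguration that an administrator can audit before anyone else finds it. The script below is an added defensive example, not code from the walkthrough or from Hacking Articles: it checks a live host (or an offline copy of its filesystem) for SUID files in home directories (Method 1), passwordless sudo rules for ALL or for shell-escaping binaries such as the vi of Method 5, the mysql of Symfonos:2 and the cp of Matrix-3, root cron jobs whose scripts non-root users can modify (Method 4), and a writable /etc/passwd or extra uid/gid-0 accounts (Method 6). The list of shell-escaping binaries and the choice of /etc/crontab as the cron source are assumptions, and reading sudoers requires running as root.

```shell
#!/usr/bin/env bash
# Defensive audit for the misconfigurations the six Escalate_Linux methods
# above rely on. Added example, not code from the walkthroughs; the list of
# shell-escaping binaries is an assumption. Usage: audit.sh /  (or the mount
# point of an offline disk image; sudoers is readable only as root).

# Binaries that hand a shell to whoever may run them under sudo. vi, mysql,
# strace and cp are the ones abused on this page; the rest are assumed.
SHELL_ESCAPE_BINS='vi|vim|mysql|strace|cp|sh|bash|find|less|more|python|python3'

# Print the path if it is not owned by root or is group- or world-writable.
# Symlinks are followed so the target's mode is checked, not the link's.
check_perms() {
    [ -e "$1" ] || return 0
    find -L "$1" -maxdepth 0 \( ! -user root -o -perm -020 -o -perm -002 \) -print
}

# Method 1: SUID files anywhere under the home directory tree given as $1.
audit_suid_in_home() {
    find "$1" -type f -perm -4000 -print 2>/dev/null; return 0
}

# Methods 3 and 5 (and mysql in Symfonos:2, cp in Matrix-3): NOPASSWD rules
# in a sudoers file ($1) whose command list contains ALL or a risky binary.
audit_sudoers() {
    awk -v bins="$SHELL_ESCAPE_BINS" '
        BEGIN { n = split(bins, b, "[|]"); for (i = 1; i <= n; i++) risky[b[i]] = 1 }
        /^[[:space:]]*(#|$)/ { next }
        {
            at = index($0, "NOPASSWD:"); if (at == 0) next
            m = split(substr($0, at + 9), cmds, ",")   # only the command list
            for (i = 1; i <= m; i++) {
                split(cmds[i], w, " "); cmd = w[1]; sub(/.*\//, "", cmd)
                if (cmd == "ALL" || (cmd in risky)) { print; break }
            }
        }' "$1"
}

# Method 4: absolute paths named in a system crontab ($1) that a non-root
# user could modify, i.e. code cron will run as root on their behalf.
audit_cron() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | tr -s ' \t' '\n\n' | grep '^/' | sort -u \
      | while IFS= read -r path; do check_perms "$path"; done
}

# Method 6: passwd file ($1) writable by non-root, or accounts other than
# root carrying uid 0 or gid 0 (printed as name:uid:gid).
audit_passwd() {
    check_perms "$1"
    awk -F: '($3 == 0 || $4 == 0) && $1 != "root" { print $1 ":" $3 ":" $4 }' "$1"
}

if [ "$#" -gt 0 ]; then
    root="${1%/}"
    audit_suid_in_home "$root/home"
    audit_sudoers "$root/etc/sudoers"
    audit_cron "$root/etc/crontab"
    audit_passwd "$root/etc/passwd"
fi
```

Each finding is a line an attacker would need; an empty report against a clean copy of the files is the expected baseline, so diff the output over time rather than reading it once.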

Conclusion: In this part 1 of Escalate_Linux we escalated privileges using six different methods. In part 2 we will try to exploit the machine in some different ways, so keep visiting Hacking Articles for the next part.

Author: Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security.

PumpkinRaising : Vulnhub Walkthrough

PumpkinRaising is another CTF challenge from the Mission-Pumpkin v1.0 series, created with beginners in mind; all credit for this VM goes to Jayanth. This level is all about identifying 4 pumpkin seeds (4 flags, the Seed IDs), gaining access to root and capturing the final Flag.txt file.

You can download it from here: https://www.vulnhub.com/entry/mission-pumpkin-v10-pumpkinraising,324/

Level: Beginner to Intermediate

Penetrating Methodologies

Scanning

  • Nmap

Enumeration

  • txt
  • Abusing HTTP services

Exploiting

  • Ssh Login

Privilege Escalation

  • Abusing Sudo right

Walkthrough

Scanning

Let’s start with network scanning; the IP of this VM is 192.168.0.11. We began by scanning for open ports and the services running on them with the help of Nmap.

From the scan result I found that port 22 (SSH) and port 80 (HTTP) are open; moreover, it gave a hint about a /robots.txt file that disallows 23 entries.

Enumeration

First we opened the VM’s IP in a web browser and were welcomed by the following web page. Read the following message:

“To raise Pumpkins, we need to collect seeds in the first step. Remember Jack? He is the only expert we have in raising healthy Pumpkins. It’s time to get in search of pumpkin seeds”

From this message we can assume that “Jack” could be a username.

Next I explored the /robots.txt file suggested by the Nmap scan and found a list of interesting directories, files and paths. Among all the entries a few stood out: /hidden/notes.txt, /underconstruction.html and /seeds/seed.txt.gpg. We explored each of them one by one.

The hidden notes.txt showed some data that might later be needed as login credentials.

When I checked the source code of the homepage, I found a link to pumpkin.html.

On exploring the source code of http://192.168.0.11/pumpkin.html, I found a base32 encoded string.

With the help of an online base32 decoder we decoded the string and noted the path /scripts/spy.pcap, which could be a hint for a seed ID.

To identify what is inside the spy.pcap file, I simply downloaded it to our local machine and used Wireshark to read the network packets.

Here I found the first seed, 50609, inside a TCP stream, as shown in the image below.

Coming back to the pumpkin.html page and scrolling further down the same file, I found a decimal-encoded string.

On decoding the decimal string we found one more seed: 96454.

As you know, we enumerated /robots.txt and found another important file in it, /underconstruction.html, as shown below. We explored the source code of that web page and noted a hint pointing to an image.

Now we opened the URL below and found a picture of a pumpkin, which I downloaded to my local machine.

After downloading the pumpkin image, I checked it for hidden data with the help of Stegosuite. The image was password protected, and if you remember, we had found the secret key “Mark: [email protected]” inside /hidden/notes.txt.

I used the key [email protected] to extract the hidden file “decorative.txt” from the stego image.

When I opened this file it gave me another seed, the PUMP-Ke-Mon Pumpkin seed: 86568.

Next I downloaded the .gpg file from the link /seeds/seed.txt.gpg mentioned in the robots.txt file.

When I tried to open the file I noticed that it required a passphrase to decrypt the data, which I did not know. I tried the keys enumerated above but could not decrypt it. After many attempts I successfully decrypted the file by entering SEEDWATERSUNLIGH, which was mentioned on the home page of the website in the 2nd image.

On decrypting it I obtained the text file shown below. It was Morse-encoded text; Morse code, used in telecommunication, encodes text characters as standardized sequences of two different signal durations called dots and dashes.

To decode the Morse text I used CyberChef, an online decoding tool, and found another seed, the BIGMAXPUMPKIN seed: 69507.

The author declared that in this VM we need to find 4 seed IDs and a root flag. We have now collected all 4 seed IDs, but to get the root flag we need to compromise the VM.

Having found no vulnerability to compromise it with, I tried to log in over SSH as user jack, using the combination of all 4 seeds found in this VM as the password.

  1. SEED ID: 69507  
  2. SEED ID: 50609
  3. SEED ID: 96454
  4. SEED ID: 86568

Yuppie!! We got shell access, but to obtain the root flag we need to escalate from a low-privilege shell to a high-privilege one. Therefore I checked the sudo rights for user jack and found that jack can run strace with sudo.

Hmmm! We can abuse the sudo permission set for the strace program. Hence we typed the following and obtained the root flag.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.