Hack the Box Challenge: Bitlab Walkthrough

In this article, we are going to crack the Bitlab Boot to Root challenge and present a detailed walkthrough. The machine shown in this walkthrough is hosted on the HackTheBox website. Credit for making this machine goes to Frey & thek. As the machine is live, we don’t need to download it to our systems, but we can take a look at the lab by clicking here.

Penetration Testing Methodology

  • Network Scanning
    • Nmap Scan
  • Enumeration
    • Directory Bruteforce using dirb
    • Browsing the HTTP Service in Browser
    • Decoding the JavaScript to extract credentials
  • Exploitation
    • Enumerating the Repositories
    • Finding the Database Query Script
    • Manipulating the script to get the credentials
    • Connecting to Machine using SSH
  • Post Exploitation
    • Reading the User Flag
    • Downloading the suspicious executable file
  • Privilege Escalation
    • Reverse Engineer the executable using the Debugger
    • Enumerating for the root credentials
    • Connecting to Target Machine using SSH with root credentials
  • Reading Root Flag

Walkthrough

Network Scanning

From the Official HackTheBox Website,

Static IP Address: 10.10.10.114

Since we have the IP address, the next step is to scan the target machine with the Nmap tool to find the open ports and services on it; this will help us proceed further.

Here we performed an aggressive scan coupled with a ping scan. After the scan, we saw that ports 22 and 80 are open: the SSH service (22) and an HTTP service (80) are running on the server.

This gave us a lay of the land. Now let’s get to enumeration.

Enumeration

We start the enumeration with a directory brute force, using the dirb tool for this attack.

We see that dirb found some links that could be potential entry points. We also see that there is a robots.txt file with a bunch of links in it. Since we have an HTTP service, we decided to open the IP address in the browser.

We find that the machine is running GitLab. But as shown in the image, credentials are required to get in. Going back to robots.txt, we see that it contains a /help/ link. This was unusual, so we decided to take a look.

Here we found a page named bookmarks.html. Let’s check it out.

There are a couple of links on this bookmarks.html page, but the one that drew our attention was the Git Lab login. Clicking on the link was useless. So it occurred to us that, since it is a link on an HTML page, there must be a reference URL behind it. We used the Inspect Element tool of the Firefox browser to look at that reference link. There is some JavaScript code involved, but we were pretty sure that the credentials were hiding inside it somewhere.

We copied the code and looked for something that could decode these values for us. We found an awesome JavaScript deobfuscator online, pasted the script into it, and it gave us the decoded values. Among those decoded values we have the login credentials.

Exploitation

We went back to the login page that we found earlier, entered the credentials that we just found and logged in to GitLab.

Username: clave

Password: 11des0081x

After the successful login, we enumerated the Projects and found two repositories: Profile and Deployer. We need to enumerate those repositories as well. Let’s start with the Profile repo.

Inside the Profile repo we saw a Snippets tab in the panel, so we clicked on it to enumerate the snippets.

Here we have an interesting code snippet that contains a PostgreSQL file. We examined the file and saw that it contains code that could be useful, so we took note of it.

We went back to the Profile repository. It was kind of empty, so we went on to do some research on how to exploit a GitLab repository. We tinkered with it and figured out a way: the repository contents are served by the web server, so a PHP file committed to the repo can be executed by browsing to it. To do this, first we need to create a new file in the repo as shown in the image.

We name the file “db.php”, paste the PostgreSQL code that we found earlier in the Snippets section and, because we want to fetch the credentials from the database, add lines at the end that query for them.

After making the appropriate edits, we scroll all the way down to the “Commit changes” button and click it so that the changes are saved to the file.

After we have successfully saved the PHP file with the code, we need to merge the file we just created into the current working repository. For this, we need to create a merge request, using the “Create merge request” button on the repository. This opens a page where we filled in the necessary details. After that, we scroll to the bottom of the page, where we find a “Submit merge request” button, as shown in the image.

After submitting the merge request, we need to merge the commit into the root branch. For that, we have a “Merge” button right below the request that we just submitted.

After clicking on that Merge button, we modify our URL to get to the PHP file that we just created, as shown in the image below. Here we wrote the IP address of the machine, followed by the name of the repository, i.e. profile, and lastly the name of the file that we created. We can see that we now have the password of the user clave, which was stored in the database. Cool!

Post Exploitation

Now that we had the credentials of the user clave, it was time to connect to the target machine via the SSH service. Establishing a connection was a breeze. After connecting, we do some enumeration using the id command. We listed the directories and found user.txt, which is the user flag. Congratulations! The battle is half won.

While enumerating for the user flag, we saw an executable file named RemoteConnection.exe. Let’s download the file to our system to have a better look at it. We used scp to transfer RemoteConnection.exe to our system.

Now that we have the executable, we tried to run the file on our Windows machine, but as shown in the image we got the classic Access Denied!! error.

Privilege Escalation

Now we decided to reverse engineer the exe to get some information or to bypass the Access Denied!!. Our reasoning was that since this exe makes a connection to the server, it must have a set of credentials hidden in it. We are going to use the x32dbg debugger for our reverse engineering.

After opening the debugger, as shown in the image, we locate the RemoteConnection.exe file in Windows Explorer.

We open the executable inside the debugger and take a look around the various text fields, searching for some way to get through the Access Denied!!. We click on the Run button (highlighted) to capture the response.

Here we take the running instance and scan its text fields using the button (highlighted) shown in the image below.

We see an attempt to connect to a server using the PuTTY tools, after which we get our Access Denied. This means that when it launches PuTTY, it must pass a set of credentials that are hidden from us. We need to find them.

We check different breakpoints to see if we can get a way in, but it was not looking too good.

So what we did was set up multiple breakpoints and analyze the instances. We see that we have some SSH commands, so we selected one instance to take a better look, and there we have the SSH password displayed in cleartext. This is not a secure way to handle credentials: anything a program embeds and passes on a command line can be read back with a debugger.

Now that we have the root credentials, all that’s left is to SSH our way in and grab the root flag waiting for us. We logged in using the credentials we found and quickly located the root flag!

This concludes this awesome Capture the Flag challenge. We learned lots of new things and were given a scenario that could very well occur in real life.
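Both secrets in this write-up were recoverable from artifacts handed to the client: the login hidden in a page's JavaScript and the SSH password inside RemoteConnection.exe. The check below is an added example, not code from the original write-up or from the machine. It assumes the bookmarklet used `\xHH`-escaped string literals (a common obfuscator style; the page does not show the script) and that the executable passes the password to PuTTY as a `-pw` argument; the sample script and sample binary are constructed here with placeholder values.

```python
"""Secret-exposure checks for shipped client artifacts (added example).
Models two findings from the Bitlab write-up: credentials hidden in
hex-escaped JavaScript string literals, and a password baked into an
executable that drives PuTTY. Both samples below are constructed."""
import re

# A JS string literal written entirely as \xHH escapes (assumed style of
# the bookmarklet on the page; simple obfuscators emit exactly this).
_HEX_LITERAL = re.compile(r"""(["'])((?:\\x[0-9A-Fa-f]{2})+)\1""")


def decode_js_hex_strings(js_text: str) -> list[str]:
    """Return every fully hex-escaped string literal decoded to plain text,
    in source order. Reviewing this list is enough to spot a baked-in
    username/password pair before the page ships."""
    decoded = []
    for _quote, body in _HEX_LITERAL.findall(js_text):
        decoded.append(bytes.fromhex(body.replace("\\x", "")).decode("latin-1"))
    return decoded


# PuTTY's plink/putty accept "-pw <password>" on the command line; a binary
# that builds such a command line carries the password in the clear.
_PW_ARG = re.compile(r"-pw\s+(\S+)")


def printable_runs(blob: bytes, min_len: int = 6) -> list[str]:
    """Extract printable strings the way `strings` does, in plain ASCII and
    in UTF-16LE (the encoding Windows executables commonly use)."""
    narrow = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    wide = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)
    return [r.decode("ascii") for r in narrow] + [w.decode("utf-16-le") for w in wide]


def find_cleartext_ssh_passwords(blob: bytes) -> list[tuple[str, str]]:
    """Return (string, password) for every '-pw <value>' argument recoverable
    from the binary. Anything found here is also visible in a debugger."""
    hits = []
    for text in printable_runs(blob):
        for m in _PW_ARG.finditer(text):
            hits.append((text, m.group(1)))
    return hits


# Constructed sample bookmarklet: "user_login", "demo-user", "password", "demo-pass".
SAMPLE_JS = (
    r'javascript:(function(){var _0xdemo=["\x75\x73\x65\x72\x5f\x6c\x6f\x67\x69\x6e",'
    r'"\x64\x65\x6d\x6f\x2d\x75\x73\x65\x72","\x70\x61\x73\x73\x77\x6f\x72\x64",'
    r'"\x64\x65\x6d\x6f\x2d\x70\x61\x73\x73"];'
    r'document.getElementById(_0xdemo[0]).value=_0xdemo[1];})();'
)

# Constructed sample "executable": an ASCII path string followed by a
# UTF-16LE command line of the kind a debugger would show being built.
SAMPLE_EXE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"C:\\Program Files\\PuTTY\\plink.exe\x00\x00"
    + "plink.exe demo@10.0.0.5 -pw demo-secret".encode("utf-16-le") + b"\x00\x00"
    + b"Access Denied!!\x00"
)

if __name__ == "__main__":
    print("decoded JS literals:", decode_js_hex_strings(SAMPLE_JS))
    for text, pw in find_cleartext_ssh_passwords(SAMPLE_EXE):
        print(f"cleartext password {pw!r} in: {text!r}")
```

Run over real assets, the JavaScript check belongs in a pre-commit or CI secret scan of static web content, and the binary check in the release pipeline; the fix in both cases is the same, keep credentials out of client-side artifacts and use key-based authentication or a credential store instead.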

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

Five86-2: Vulnhub Walkthrough

Today we are sharing another CTF walkthrough, of the Vulnhub machine named Five86-2, with the intent of gaining experience in the world of penetration testing. The credit goes to m0tl3ycr3w and syed umar for designing this machine, and the level is set to beginner to advanced.

According to the author: The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

Download it from here: https://www.vulnhub.com/entry/five86-2,418/

Penetration Testing Methodologies

Network scanning

  • Netdiscover
  • Nmap

Enumeration

  • Exploring Http services
  • WordPress scanning (Wpscan)

Exploit WordPress

Privilege Escalation

  • Abusing capability
  • Abusing Sudo

Walkthrough

Network Scanning

As you know, this is the initial phase, where we use netdiscover for a network scan to identify the host IP; here we have 192.168.0.114 as our host IP.

From the nmap scan, we found port 21 open for FTP and port 80 open for HTTP, where WordPress is running on Apache.

Enumeration

Thus we navigate to a web browser, browse the following URL and find that a WordPress application is running on the web server.

Since we found WordPress on the host machine, we chose wpscan and ran the following command to scan it.

From the scan result, we enumerated five usernames: peter, admin, barney, gillian and stephen, as shown in the image below.

We used the rockyou.txt wordlist for a password brute-force attack, so we saved the above-mentioned usernames in a text file named user.txt and launched the attack by executing the following command.

From its result, we found passwords for barney and stephen, as given below.

To access the website properly we added the hostname and host IP to the /etc/hosts file.

Furthermore, using barney's login credentials we logged in to WordPress and found that the plugin “Insert or Embed Articulate Content into WordPress” was installed. We searched Google to find out more about it and found a method on Exploit-DB to exploit this plugin to obtain a reverse connection.

Exploiting WordPress

For exploiting the installed WordPress plug-in, follow the steps given below.

  1. Create a .zip archive with two files: index.html and index.php
  2. Log in to WordPress as barney
  3. Create a new Post -> Select Add block -> E-Learning
  4. Choose the upload option for uploading your zip file
  5. Browse and upload raj.zip -> Insert as: Iframe -> Insert

Start a netcat listener on your local machine and, after uploading the zip file, access the web shell from the URL as shown:

Booom!! We got the reverse connection with the help of the netcat session. But we know this is a boot to root challenge, so we need to escalate privileges and try to gain a higher-privileged shell. So we start post-exploitation enumeration and find that a capability is set on tcpdump, which stephen is allowed to run.

So we run the following command, which reveals the up and running interfaces.

Privilege Escalation

As we have seen in the above image, tcpdump has the capabilities to capture all network traffic even from low-privileged access, therefore I run the following command to inspect the traffic on “veth1665bcd” if possible, saving the output in a pcap file “cap.pcap”.

With the help of the “-r” option we read the pcap file and luckily found credentials.

So with the help of the above credentials, we switch to the paul account and check his sudo permissions. We found that paul has sudo permission to run the /usr/sbin/service program as peter.

With the help of the above command, we were able to get a shell as peter.

Then we check the sudo rights for peter and find that he has ALL permission to run programs as root, but we don’t know Peter’s password; moreover, peter has the sudo right to run /usr/bin/passwd as root. In order to get root, we abuse that sudo permission by changing root’s password and then go for the final flag.
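The root cause here is a file capability, not a bug: a tcpdump binary carrying cap_net_raw/cap_net_admin lets any user allowed to run it sniff every interface, which is how the credentials in cap.pcap ended up readable. The audit below is an added example, not part of the original walkthrough; it parses `getcap -r /` output and flags capabilities that hand a low-privileged user a read-everything or become-root primitive. The sample listing is constructed and does not reproduce the real machine's output; both the older `path = caps` and the newer `path caps` output shapes are handled (assumption about libcap's exact formatting).

```python
"""Audit file capabilities for ones a low-privileged user can abuse.
Added example; the sample `getcap -r /` output below is constructed."""
import re

# Capabilities that, on a binary ordinary users may execute, give them a
# read-everything or become-root primitive. Extend from your own baseline.
RISKY_CAPS = {
    "cap_net_raw": "raw sockets: capture traffic on every interface",
    "cap_net_admin": "configure interfaces, enable promiscuous mode",
    "cap_dac_read_search": "bypass read permission checks on any file",
    "cap_dac_override": "bypass read/write/execute permission checks",
    "cap_setuid": "change to any uid, including root",
    "cap_setgid": "change to any gid",
    "cap_sys_admin": "broad administrative control (mounts, namespaces)",
    "cap_sys_ptrace": "inspect and modify other users' processes",
    "cap_sys_module": "load kernel modules",
    "cap_chown": "change file ownership",
}

# "<path> = <caps>" (older libcap) or "<path> <caps>" (newer libcap).
_LINE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>\S+)$")


def parse_getcap(output: str) -> dict[str, set[str]]:
    """Map each binary path to the capability names it carries.
    Flag suffixes such as +eip / =ep are stripped; only names matter here."""
    result: dict[str, set[str]] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        caps = set()
        # A cap list looks like "cap_net_admin,cap_net_raw+eip" or "cap_setuid=ep".
        for token in m.group("caps").split(","):
            name = re.split(r"[+=\-]", token)[0]
            if name.startswith("cap_"):
                caps.add(name)
        result[m.group("path")] = caps
    return result


def risky_binaries(output: str) -> list[tuple[str, str, str]]:
    """Return (path, capability, why) for every risky capability found,
    sorted so reports are stable across runs."""
    findings = []
    for path, caps in parse_getcap(output).items():
        for cap in sorted(caps & set(RISKY_CAPS)):
            findings.append((path, cap, RISKY_CAPS[cap]))
    return sorted(findings)


# Constructed sample listing. ping with cap_net_raw is a normal distro
# default; tcpdump with cap_net_admin,cap_net_raw is the finding that matters.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/lib/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

if __name__ == "__main__":
    for path, cap, why in risky_binaries(SAMPLE_GETCAP):
        print(f"{path}: {cap} -> {why}")
```

Compare the findings against the distribution's known defaults (ping is expected; a capability-bearing tcpdump executable by a regular user is not) and fix by removing the capability with `setcap -r` or by restricting who may execute the binary, for example with a dedicated group and mode 750.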

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher and Enthusiast, contact here.

Five86:1 Vulnhub Walkthrough

Today we are sharing another CTF walkthrough, of the Vulnhub machine named Five86-1, with the intent of gaining experience in the world of penetration testing. The credit goes to m0tl3ycr3w for designing this machine, and the level is set to beginner to advanced.

According to the author: The ultimate goal of this challenge is to get root and to read the one and only flag.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

Download it from here: https://www.vulnhub.com/entry/five86-1,417/

Penetration Testing Methodologies

Network scanning

  • Netdiscover
  • Nmap

Enumeration

  • Exploring Http services

Exploit OpenNetAdmin

  • Command Injection (Metasploit)
  • Crack the hashes (john)

Privilege Escalation

  • Abusing Sudo
  • Abusing SUID

Walkthrough

Network Scanning

As you know, this is the initial phase, where we used netdiscover for a network scan to identify the host IP; here we have 192.168.0.126 as our host IP.

In our next step, we love to use nmap for port enumeration, thus we ran the following command and found port 80 open for HTTP. Moreover, we also found a robots.txt displaying a disallow entry for /ona, as shown in the image below.

Enumeration

Thus we navigate to a web browser, browse the following URL and find that an OpenNetAdmin application is running on the web server, disclosing its installed version.

We notice that OpenNetAdmin version 18.1.1 is installed on the host machine, so we searched for an exploit and found a Ruby script for Metasploit on Exploit-DB that abuses a command injection in OpenNetAdmin. Without wasting time, we download the exploit to our local machine.

Further, we copied the downloaded Ruby script into the Metasploit framework so that we can use the module to exploit the host machine.

Exploit

After copying the exploit into the Metasploit Framework, you need to reload the database and load the module.

We got our meterpreter session after running the following commands:

So, having successfully exploited the host machine and spawned a shell as www-data, we moved on to post-exploitation enumeration for privilege escalation. As a result, we found a “.htaccess” file inside /var/www/html/reports. Reading .htaccess gave us the path of the .htpasswd file, i.e. “/var/www/.htpasswd”, and reading .htpasswd gave us the hash for user “douglas”. In the .htpasswd file, the author has left a hint for the password, as shown in the image.

From the hint, the password is a 10-character string made up only of the letters “aefhrt”, so we need to prepare a dictionary of 10-character passwords. Here we use crunch to create the dictionary, executing the following command to follow the pattern the author described.

With the help of the above command we generated a dictionary and used John the Ripper to crack the hash. I saved the hash value described above in a text file called “hash”, used the dict.txt wordlist and ran the following command.

As a result, we found the password: “fatherrrrr” for the given hash value.

Privilege Escalation

With a shell on the host machine, we try to switch to douglas using the password cracked above. Once signed in as douglas, we checked his sudo rights and found that he can run the copy program as “jen”.

Since the author has given sudo rights on the cp program to be executed as jen, we can copy douglas's public ssh key into /home/jen/.ssh so that we can log in as jen. Thus we executed the following commands.

Now copy id_rsa into the /tmp directory, change its permissions and then try to access an ssh shell on localhost as jen.

Hmmm! When we connected to the ssh shell as jen, we found another hint, “you have new mail”, in the ssh banner as shown in the image.

So we find a text file “jen” in /var/mail containing an email to jen. According to this message, jen knows the password for the moss account, so we can use moss's credentials to move further.

So we switched from jen’s account to moss and searched for SUID-enabled files; luckily we found the SUID bit set on “upyourgame”, as shown in the image.

So we navigate to /home/Moss/.game/ and run the “upyourgame” program. It launches a questionnaire that is only answerable in YES/NO format, and finally we get the root shell and find the final flag in the /root directory, as shown below.

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher and Enthusiast, contact here.

Symfonos:5 Vulnhub Walkthrough

This is another post on a Vulnhub CTF, named “symfonos:5”, by Zayotic. It is designed for the VMware platform, and it is a boot to root challenge where you have to find flags to finish the task assigned by the author.

You can download it from here: https://www.vulnhub.com/entry/symfonos-5,415/

Level: Intermediate

Penetrating Methodologies

Scanning

  • Netdiscover
  • Nmap

Enumeration

  • Abusing HTTP
  • Dirb

Exploiting LFI

  • Burp suite

Privilege Escalation

  • Exploiting Dpkg

Walkthrough

Scanning

Let’s start off with the scanning process. This target VM took the IP address 192.168.0.112 automatically from our local wifi network.

Then we used Nmap for port enumeration. We found that port 22 for SSH, 80 for HTTP, and 389 and 636 for LDAP are open.

Enumeration

As port 80 is open, we tried to open the IP address in our browser, but we didn’t find anything useful on the web page.

Further, we use dirb for directory brute-forcing and, on executing the following command, found an /admin.php page with status code 200 OK.

When we opened the above-listed web page, i.e. /admin.php, we got a login page, but we didn’t know the login credentials, so we tried to bypass the login page using SQL injection and a brute-force attack; unfortunately nothing was achieved.

Therefore we use Burp Suite and intercept the browser request of the current web page for analysis. We sent the request to the Repeater and found a suspicious hyperlink inside the Burp response.

We suspected LFI, because the URL pulls in the portraits.php file from localhost through a parameter, as shown in the image.

To confirm the LFI vulnerability we try to pull the “/etc/passwd” file by fuzzing the parameter “/home.php?url=”, and it works as expected.

Exploit LFI

As a result, we successfully got the content of the “admin.php” file by exploiting the LFI through the same parameter. We knew the http://192.168.0.112/admin.php web page requires login credentials, and here we found the credentials “username: admin” and “password: qMDdyZh3cT6eeAWD”, which are actually used to connect to LDAP.

Further, we used nmap for LDAP enumeration and ran the following command; as a result we found user information, including a password.
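The `home.php?url=` parameter behaves like an unvalidated include: whatever path the client supplies is opened relative to the web root, so `../` sequences walk out to /etc/passwd. The example below is added here and is not code from the symfonos:5 VM; the real application is PHP, so this Python model only mirrors the include logic, with a throw-away directory layout constructed in a temp dir (a web root with two pages and a sensitive file one level above it standing in for /etc/passwd). The hardened version combines a page allow list with canonical-path confinement so that an allow-list mistake is still caught.

```python
"""Local file inclusion: the vulnerable include pattern and a hardened one.
Added example; file names, contents and the web root are constructed."""
from pathlib import Path
import tempfile


class IncludeError(Exception):
    """Raised when a requested page fails validation."""


def include_vulnerable(webroot: Path, url: str) -> str:
    """Mirrors `include($_GET['url'])` with no validation: '../' walks out
    of the web root (and in PHP with allow_url_include enabled, a URL
    would even fetch remote code). Here it reads whatever path results."""
    return (webroot / url).read_text()


def include_hardened(webroot: Path, url: str,
                     allowed: frozenset[str] = frozenset({"home.php", "portraits.php"})) -> str:
    """Two independent checks:
    1. the value must be a bare page name on the allow list;
    2. the resolved path must still lie under the resolved web root,
       which catches symlinks and allow-list mistakes."""
    if url not in allowed:
        raise IncludeError(f"page not on allow list: {url!r}")
    root = webroot.resolve()
    target = (root / url).resolve()
    if root not in target.parents:
        raise IncludeError(f"path escapes web root: {url!r}")
    return target.read_text()


def build_demo() -> Path:
    """Construct <tmp>/www with two pages, plus <tmp>/passwd outside it."""
    base = Path(tempfile.mkdtemp(prefix="lfi-demo-"))
    www = base / "www"
    www.mkdir()
    (www / "portraits.php").write_text("<?php /* gallery page */ ?>")
    (www / "home.php").write_text("<?php /* landing page */ ?>")
    (base / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
    return www


def demo() -> dict[str, str]:
    """Run the same requests through both versions and collect outcomes."""
    www = build_demo()
    results = {"vuln_traversal": include_vulnerable(www, "../passwd")}
    for name in ("../passwd", "http://localhost/portraits.php", "portraits.php"):
        try:
            results["hard_" + name] = include_hardened(www, name)
        except IncludeError as e:
            results["hard_" + name] = f"blocked: {e}"
    # An over-permissive allow list alone would let traversal through;
    # the path-confinement check still rejects it.
    try:
        include_hardened(www, "../passwd", allowed=frozenset({"../passwd"}))
        results["hard_misconfigured_allowlist"] = "allowed"
    except IncludeError as e:
        results["hard_misconfigured_allowlist"] = f"blocked: {e}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The allow list is the real fix; the path check is defence in depth. Detection on the server side is straightforward too: any request whose `url=` value contains `..`, a scheme such as `http://`, or a filename outside the small set of legitimate pages is worth an alert.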

Privilege Escalation

Thus we used the user zeus's credentials, as enumerated above, to access an ssh shell on the host machine and checked his sudo rights. We found that zeus has sudo permission to run dpkg as root, so we abuse zeus's sudo rights for privilege escalation by exploiting dpkg's functionality.

dpkg is a package installer, just like apt on Linux-like operating systems, so here we are going to craft a Debian package with the help of fpm, transfer it to the host machine and get a privileged shell.

Write the following code in the shell.sh file and save it.

Install fpm on your local machine and run the following command to generate a Debian package from the shell.sh file.

Note: You will need to install FPM on your machine.

Once the malicious deb package is generated, download it onto the host machine and install the package as root. To perform the privilege escalation, run the following command; you get a privileged shell, in which you find proof.txt as shown in the image.
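Every privilege escalation in this and the two Five86 walkthroughs above came from a sudo rule on a program that can be turned into a shell or a file write as the target user: dpkg as root here, service as peter and passwd as root on Five86-2, cp as jen on Five86-1. The audit below is an added example, not part of any of the walkthroughs; it parses `sudo -l` output and flags those rules. The sample output is constructed (the user names and hostnames echo the write-ups, but the rules are not copied from the machines), and the program list holds only the four programs the walkthroughs abuse; extend it from your own environment's list of shell-escape-capable binaries.

```python
"""Audit `sudo -l` output for rules that grant a shell or a privileged file
write through a permitted program. Added example; sample output constructed."""
import re

# Programs that, when allowed under sudo, let the caller act fully as the
# target user. Reasons state the mitigation concern, not a recipe.
ESCAPE_CAPABLE = {
    "dpkg": "installs packages whose maintainer scripts run as the target user",
    "service": "starts init scripts chosen by the caller as the target user",
    "passwd": "can reset the target user's password, root included",
    "cp": "arbitrary file write as the target user (ssh keys, sudoers)",
}

_USER = re.compile(r"^User (?P<user>\S+) may run the following commands")
_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output: str) -> list[dict]:
    """Flatten `sudo -l` output into one record per (user, runas, command)."""
    rules, user = [], None
    for line in output.splitlines():
        m = _USER.match(line)
        if m:
            user = m.group("user")
            continue
        m = _RULE.match(line)
        if not m or user is None:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append({"user": user, "runas": m.group("runas").strip(),
                              "nopasswd": "NOPASSWD" in tags, "command": cmd})
    return rules


def audit(output: str) -> list[tuple[str, str, str, str]]:
    """Return (user, runas, command, why) for every rule worth reviewing."""
    findings = []
    for r in parse_sudo_l(output):
        prog = r["command"].split()[0]
        name = prog.rsplit("/", 1)[-1]
        if prog == "ALL":
            why = "unrestricted: any command as the target user"
        elif name in ESCAPE_CAPABLE:
            why = ESCAPE_CAPABLE[name]
        else:
            continue
        if r["nopasswd"]:
            why += " (NOPASSWD: no password needed)"
        findings.append((r["user"], r["runas"], r["command"], why))
    return findings


# Constructed sample; the last rule is narrow and should not be flagged.
SAMPLE_SUDO_L = """\
Matching Defaults entries for paul on five86-2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User paul may run the following commands on five86-2:
    (peter) NOPASSWD: /usr/sbin/service
User peter may run the following commands on five86-2:
    (ALL) /usr/bin/passwd
User douglas may run the following commands on five86-1:
    (jen) NOPASSWD: /bin/cp
User zeus may run the following commands on symfonos5:
    (root) NOPASSWD: /usr/bin/dpkg
User auditor may run the following commands on five86-2:
    (root) NOPASSWD: /bin/ls /var/log/apache2
"""

if __name__ == "__main__":
    for user, runas, cmd, why in audit(SAMPLE_SUDO_L):
        print(f"{user} -> ({runas}) {cmd}: {why}")
```

The remediation pattern is the same for each finding: replace the broad program with a wrapper script that takes no caller-controlled arguments, drop NOPASSWD, and log sudo use so that an unexpected `dpkg -i` or `passwd root` under sudo raises an alert.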

Author: Pinky Deka is trained in Certified Ethical hacking and Bug Bounty Hunter. Connect with her here