Hack the Box: Fighter Walkthrough

Today we are going to solve another CTF challenge “Fighter”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of Fighter is 10.10.10.72

Penetrating Methodology

  • Network scanning (Nmap)
  • Browsing IP address through HTTP
  • Adding Domain name to /etc/hosts
  • Bruteforcing subdomains
  • Adding new domain name to /etc/hosts
  • RCE using SQL injection
  • Upgrading shell to meterpreter session
  • Finding vulnerable service
  • Editing Exploit to bypass OS check
  • Finding root.exe
  • Reversing program to find the password
  • Creating a C-program to find the password
  • Getting root flag

Walkthrough

Let’s start off with our basic nmap command to find out the open ports and services.

The Nmap output shows us that there is only 1 port open: 80(HTTP)

We find that port 80 is running http, so we open the IP in our browser.

In the homepage we find a Domain name “streetfighterclub.htb”. We add the domain to our /etc/hosts file.

We don’t find anything new on the webpage, but further looking into the webpage we find that there might be subdomains available that will give us more clues. We intercept the request and send it to intruder. We select where we want to brute force the request.

We select the wordlist, we use namelist.txt located in /usr/share/dnsrecon/.

After bruteforcing we find a subdomain called “members.streetfighterclub.htb” that gave HTTP code 403.

We add the subdomain in /etc/hosts so that we can access the web site.

We open the webpage and got a 403 Forbidden error.

We now run dirb scan on the members.streetfighter.htb and find a directory called “old”.

We then find webpages inside that directory. As we know that it is IIS server we find “asp” files on the web server and find a page called “login.asp”.

We open the web page and find a login page.

We enumerate the webpage and find that the web application is vulnerable to SQL injection.  We find username, password and e-mail but were unable to login. So we tried command injection using SQL injection. We referred this link.

We setup our listener and got a reverse shell.

We are not able to find anything on the target machine. So we try to convert our shell into meterpreter but are unable to run any exe file. So there was a firewall that didn’t allow us to run any exe file. We got a reference through this link on how to bypass this. We use the nps payload to create a XML file that will contain our payload (download from here).

We move into “c:\users\sqlserv” as we have a shell as user sqlserv.

We run the command provided by npc payload to start our listener.

We start our python HTTP Server to send our file to the target machine.

We download the file using certutil.exe on the target machine.

We then run the XML file we uploaded using msbuild.exe.

As soon as we run the file we get a meterpreter session. As we can see by running sysinfo we have 32-bit meterpreter session on a 64-bit machine.

To convert it into 64-bit session, we check the processes and find the 64-bit running process. We then migrate our process to a 64-bit process and get a 64-bit session.

We still don’t find anything to escalate our privilege. As this machine on street fighter game we try to google street fighter exploit and find that street fighter 5 has privilege escalation vulnerability. We find that street fighter has a service called Capcom, so we check if street fighter 5 is installed on the target machine.

We find this metasploit exploit here, we try to run it but are unable to get shell as it gave an error stating that the system was not vulnerable. So we make changes to the code and comment out the section where it checks the OS version.

Now we are successfully able to run the exploit.

When we check the uid we find that we are successfully able to get administrative rights.

We enumerate the directories to find the flags and inside “c:\users\decoder\Desktop”, we find a file called “user.txt”. When we take look at the content of the file we find our first flag.

We move into c:\users\Administratror\Desktop and find a file called “root.exe”. We run it and find that it asks for password. There is also a dll file called “checkdll.dll”, as the password might be checked using this dll file.

We download both the files into our system using meterpreter.

We reverse engineer them using IDA and find that this program XOR’s 9 with each character of the variable aFmFeholH. Now analysing with IDA tells us that the variable contains “FmfEhO1}h”.

So we create a c program that XOR’s 9 with each character of “FmfEhO1}h”.

We compile and run the file and get the the password to be “OdioLaFeta”.

When we provide the password to the root.exe we get our final flag.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

Hack the Box: Mischief Walkthrough

Today we are going to solve another CTF challenge “Mischief”. Mischief is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to their experience; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Easy

Task: To find user.txt and root.txt file

Penetration Methodologies

Scanning Network

  • TCP and UDP ports scanning (Nmap)

Enumeration

  • SNMP Service Enumeration (Nmap Script)
  • Obtain credential for port 3366 login
  • Identify IPv6 address (ENYX)
  • Scanning Ipv6 (Nmap)

Access Victim’s Shell

  • Abusing web server through Command Execution Panel
  • Obtain reverse Shell via ncat
  • Get user.txt flag

Privilege Escalation

  • Obtain root password from bash_history
  • Find root.txt flag

Scanning Network

Note: Since these labs are online available therefore they have a static IP. The IP of this lab is 10.10.10.92

Let’s start off with our nmap Aggressive scan to find out the open ports and services.

But as you can observe that here we didn’t obtain much information, therefore further I scan for UDP port and from its result we got port 161 is open for SNMP.

Enumeration

Because we was knowing SNMP service is enable in the network, therefore I run nmap script command for snmp enumeration.

Hmmm!! So here I found something very interesting and it looks like the login credential to be use as authentication for port 3366.

Let’s navigate to port 3366 in the web browser and enter the following credential.

Here, we were welcomed by following web page where it was holding another credential. Let’s dig out another way to utilize this credential for login.

We use a python script called Enyx to find the ipv6 address of the target machine. You can get the script from this link.

So as you can observe that we have enumerated IPv6 address of victim’s machine and further scan it using nmap command given below:

Hmmm!! So along with Port 22, this time it has also shown port 80 for HTTP services.

So we navigate to web browser and explore Target IPv6 address in the URL, it put a login page for command execution panel. So we try to login this page with the credential we found earlier but that wasn’t the valid credential.

Access Victim’s Shell

 

Further I try brute force for username and successfully get login with following combination:

Since it was Command Execution Panel where we can run arbitrary system commands, hence this was RCE which could be easily exploit and we can owned reverse shell of the target machine.

But before that, you must know Ipv6 address of your local machine for addressing your IP as listening IP.

For reverse shell, I use python reverse shell code from pentestmonkey, and modify lhost IP from our IPv6 address. Since it was both nodes belong to IPv6, therefore we need a listener which can establish reverse connection such as ncat, hence we start ncat listener on port 1234.

As soon we will execute the malicious python code, we will get reverse connection via ncat.

Great!! You can observe that, we have access of remote terminal and let’s try to find out user.txt file to complete our first task. We found the user.txt file in the /home/loki but unable to read it. Although, there was another interesting file “credentials” and here we found another credential.

As port 22 was running, therefore we connect to remote machine through ssh using following credential.

And successfully found user.txt file this time as shown below.

Privilege Escalation

While exploring more, I found .bash_history file where I found one more credential for root user but loki doesn’t have permission to execute switch user command.

Therefore, we move back to www-data user shell to run switch user command and enter above password for root login, then try to find out root.txt file inside the root directory but there wasn’t any flag. Therefore with the help of find command we try to enumerate the path of root.txt.

Booom!! We got the path of the root.txt file and as you can observe that we have successfully captured the last flag and finished this challenge.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Hack the Box: Nightmare Walkthrough

Today we are going to solve another CTF challenge “Nightmare”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of Nightmare is 10.10.10.66

Penetrating Methodology

  • Network scanning (Nmap)
  • Browsing IP address through HTTP
  • Checking for SQL injection vulnerability
  • Exploiting Second Order Injection
  • Login through SSH
  • Login through SFTP
  • Exploiting SFTP to gain reverse shell
  • Discovering files with SGID bit set
  • Privileges escalation using “sls”
  • Finding exploit for kernel
  • Making changes to the exploit
  • Getting root privilege using exploit
  • Getting root flag

Walkthrough

Let’s start off with our basic nmap command to find out the open ports and services.

The Nmap output shows us that there are 4 ports open: 80(HTTP), 2222(SSH)

We find that port 80 is running http, so we open the IP in our browser.

When we visit the webpage, we find a login page. After trying few SQL injection commands we find that this page is vulnerable to “second order SQL injection”. This means to exploit this vulnerability we have to register a user with our SQL injection query and then login with same username.

First we register a user with credentials “admin’):pass” using the register link on the login page. Now when we login using this user we get an SQL error on the web page.

After finding the web application is vulnerable to Second Order SQL Injection. We now find the number of columns. We register a user with the following credentials:

We keep the password same for the user we register.

Now when we login, we get an SQL error that means the table has less than three columns. So we again register a user using the following query:

When we login, we find that we do not have an SQL error that means the table has 2 columns.

Now we are going to find the version of SQL database it is running. To find the version of the database we are going to register with the following query:

After finding the version we now know that it is a MySQL database. Now we find the name of the database. To find the name of the database we register with the following query:

Now we get the database to be called “notes” but we want the names of all the databases on the server. So we register a user using the following query:

We get another database called “sysadmin”; we find the table names inside “sysadmin”. To find the table names with we register the user with following query:

We find two tables called “users” and “configs”; we now find the column name inside “users” table. To find the column names we register a user with the following query:

Now we find two columns called “username” and “password”. To find the data inside the columns we are going to register a user with the following query:

Now we find different username passwords; we try to login through SSH using these credentials and find that we were able to login using the credentials “ftpuser:@whereyougo?” . We are unable to get a shell using SSH, instead we tried to connect using sftp and were successfully able to login.

Now as we are not able to get a shell using SSH, we tried to find sftp exploit and were able to find a exploit. You can download the exploit from here.

We made changes to the exploit so that we can get a reverse shell.

After making changes to the exploit, we setup our listener using netcat and then run the script.

On our listener we get a reverse shell.

After getting the reverse shell we spawn a TTY shell. Then inside /home/decoder/ directory we find a directory called “test” and user called “user.txt”. As they belong to “decoder” group, we find files that belong to “decoder” group.

Now running the sls command we find that it is a binary file that is running ls command. It also has SGID bit set, so we can abuse this to escalate our privilege.

We use strings command to check the binary and find that it is using system function to execute “ls” command.

Now as ls command is execute inside system function; we are going to use -b argument to execute our command.

After getting a shell we run “id” command and find that we have spawned a shell as user “decoder”. We now can open “user.txt” file and find the first flag.

Enumerating the system we now check the kernel version to check if there is any exploit available for privilege escalation.

We find that the version of kernel is vulnerable to this exploit here.

We download the code on our machine and compile it using gcc. Then we start python http server and send the compiled exploit file to the target machine. When we run the exploit we are unable to get a privileged shell as it shows an error saying that the kernel version is not recognized.

In kali machine:

On target machine:

Now we have to make a few changes for the exploit to work. So we opened the c file again and make the changes.

Now we again compile and send the file to the target machine. This time when we run the file we get an error saying permission denied on set_groups.

So we exited the shell and ran the exploit as ftpuser. As soon as we run the exploit we get a root shell.

We go to /root directory and find a file called “root.txt”. When we open the file we get the final flag.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

Hack the Box: Waldo Walkthrough

Today we are going to solve another CTF challenge “waldo”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of waldo is 10.10.10.87

Penetrating Methodology

  • Network scanning (Nmap)
  • Browsing IP address through HTTP
  • Exploiting LFI Vulnerability
  • Finding RSA private key through LFI
  • Login through SSH using RSA private key
  • Escaping restricted shell
  • Using Linux “Capabilities” to read root flag

Walkthrough

Let’s start off with our basic nmap command to find out the open ports and services.

The Nmap output shows us that there are 4 ports open: 22(SSH), 80(HTTP)

We find that port 80 is running http, so we open the IP in our browser.

We find that we were redirected to /list.html. On the webpage we find that it was an application for list manager. We capture its request using burpsuite and find that it is listing the files in the current directory.

We try to find the application is vulnerable to LFI. We remove “list” to list the files in the current directory and find a file called “fileRead.php”. Enumerating the web application, we found that “dirRead.php” can only be used to read contents of a directory and they cannot be used to take read files. So as we the name suggests “fileRead.php” we use this page to read files.

We use “fileRead.php” to read /etc/passwd. We change the variable from “path” to “file” and use the following string to bypass the filter:

When we check the /etc/passwd file we find a user with a distinctive UID and GID called “nobody”.

We check the home directory using “dirRead.php” and find a directory called “nobody”. We take a look inside “/home/nobody” and find the directory called “.ssh”. As “.ssh” might contain RSA private key for SSH login, we take a look inside it.

We take a look inside “/home/nobody/.ssh/” and find a file called “.monitor”.

We read the “.monitor” file inside “/home/nobody/.ssh” using “fileRead.php” and find RSA private key.

The response is in JSON format with special characters in between the characters of RSA private key. We use this site here, to decode the JSON response into string.

We copy the RSA private key and save it in our system to login through SSH using this key.

We change the permission for the key and login as user “nobody”, as we are unable to login as “monitor”.

Then we take a look at the home directory and find a file called “user.txt”. We take a look at the content of the file and find the first flag.

Enumerating the system we go into “.ssh” directory and check the authorized_keys file to find monitor user is allowed to login. As we were unable to login as monitor from the external system, we now try to login as user “monitor” internally using the RSA private key “.monitor”.

After logging in as user “monitor” we find that we have a restricted shell.

We are not able to change the PATH and SHELL variable, so we use “-t” argument to spawn a TTY shell while logging through SSH. After spawning a TTY shell we are able to change the SHELL and PATH environment variables.

Then enumerating the system we don’t find anything in particular. Enumerating further we find that this machine contains “capabilities”. Now Linux “capabilities” are like suid that can give certain file special privileges.  We can find them using binary called “getcap”. Now we recursively search for files using getcap and find a binary called “tac” that can read files.  Now using “tac” we open root.txt inside root directory and find the final flag.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here