POST CATEGORY : CTF Challenges

DC8: Vulnhub Walkthrough

DC8 VM is made by DCAU. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. It is of intermediate level and is very handy in order to brush up your skills as a penetration tester. The ultimate goal of this challenge is to bypass two-factor authentication, get root and to read a flag.

Level: Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

  • Network Scanning
    • netdiscover
    • nmap port scan
  • Enumeration
    • Browsing HTTP Service
    • SQL Injection for finding Credentials
    • Performing Directory Bruteforce
  • Exploiting
    • Editing HTML form
  • Privilege Escalation
    • Exim Local Escalation
  • Capture the flag

Walkthrough

Network Scanning

The first step to attack is to identify the target. So, identify your target. To identify the target, we will use the following command:

Now we will run an aggressive port scan using nmap to gain the information about the open ports and the services running on the target machine.

We learned from the scan that we have the port 80 open which is hosting Apache httpd service with Drupal 7, and we have the port 22 open. This tells us that we also have the OpenSSH service running on the target machine.

Enumeration

Further, we need to start enumeration against the host machine, therefore we navigated to a web browser for exploring HTTP service, and DC:8- Welcome page will be opened in the browser. We enumerated the links provided on left. They seemed a bit fishy.

We enumerated these links to find SQL related Errors. So we used the single quote(‘) to get an error message. We will enumerate this error further.

After some enumeration and poking around, we realised it is definitely SQL Error. We decided to run the sqlmap against the target machine. Here, we set the risk at 3 and level at 5. This is the option we got the best results in the least time.

After working for some time our sqlmap gave us some important information. It showed us that there are 2 available databases in the target machine which are:

  1. d7db
  2. information_schema

Now that we got the database named ‘d7db’, it’s time to further enumerate this database. We re-constructed our sqlmap script with parameters like [–tables] [–batch]. This helps us to enumerate the tables inside the database. 

This gave us a very large number of tables. We went through it with a keen eye. We found a table named ‘users’. This is definitely worth looking into.

Our reliable sqlmap provided us with further more details like we get the following details:

uid name init Pass
1 admin [email protected] $D2tRcYRyqVFNSCONVYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z
2 john [email protected] $S$DqupvJbxVmqj r6cYePnx2A8911Ln7lsuku/3if/oRVZJaz5mKC2vF

So, we got hashes. Whenever we get some hashes all we remember is our best friend John The Ripper. The hashes were saved in a file named ‘hash’. We ran it through john. After working on it for some time. John cracked one of the hashes, it came out to be ‘turtle’.

This seemed as some information that might be useful somewhere else further down the road. For now, let’s try Directory Bruteforce using dirb. This surprisingly gave us a page with the name ‘user’.

On opening the page in our browser, we saw that it requires some login credentials. We found some credentials in our exploitation of SQL Injection. We logged in this panel using the following credentials:

Username: john

Password: turtle

After logging in it was time to look around and try different options. While enumerating we stumbled upon Form settings. Let’s take a closer look at it.

Exploiting

Here we saw that we had an option to change the text format. We changed it to PHP code. This revealed the php code on the webpage. We edited this page with our php reverse shell so as to generate a shell over the target machine.

Now that we have edited out php code, we also started a netcat listener to receive a shell that would be generated on the execution of our php reverse shell script.

Now to submit the form with our php reverse shell script, we would have to enter some of these mandatory data. This details can be anything but they should support the format of the data supposed to be entered.

After typing in all that information, we clicked on the submit button. After a few seconds, we got the shell from the target machine. It was a shell of user ‘www-data’. This was an improper shell. So, in order to convert it into a proper shell, we ran the python one-liner mentioned below.

After getting a proper shell, it was a time to escalate privilege on this machine. So, to do that we ran the find command to find the files with the SUID permissions. We found a service named exim4. Now, in order to proceed further, we are going to need the version of the exim4 tool. It will help us in searching for some exploit on the internet. This was found to be 4.89.

Privilege Escalation

We surfed the web for an exploit regarding exim tool of version 4.89. ExploitDB came up with the rescue. It gave us this Local Privilege Escalation Exploit. We examined it carefully.

Firstly, we traversed into the /tmp directory, because we need to transfer a file and /tmp directory has the writable permission. We downloaded it into our attacker machine i.e Kali Linux and renamed it raptor_exim_wiz.sh. We edited our IP address and the port which we will be using to capture the netcat session. After that, we created a server on the Kali Linux to send the file directly to the target machine. We used the wget command for this transfer. After transferring the script on the target machine, we gave it proper permissions so that it can execute properly.

After providing with the proper permissions, it’s time to run a listener so that we can capture the shell which would be generated by this script. After that, we ran the command with the option to invoke netcat as shown in the image given below. This script invoked a netcat shell to our attacker machine on port 4444.

Capture the flag

We successfully got the shell on the target machine. On running the whoami command, we got a satisfactory response of ‘root’. We traversed into the root directory using the cd command. We found our flag at this location.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

HA: Infinity Stones Vulnhub Walkthrough

Today we are going to solve our CTF challenge called “HA: Infinity Stones” We have developed this lab for the purpose of online penetration practices. Solving this lab is not that tough if have proper basic knowledge of Penetration testing. Let’s start and learn how to breach it.

Download Here

Level: Intermediate

Task: Find 6 Flags on the victim’s machine.

Walkthrough

Firsts of all we try to identify our target and for this use the following command:

Now that we have identified our target using the above command, we can continue on to our second step that is scanning the target. We will use nmap to scan the target with the following command:

With the help of help scan, we now know that port number 22, 80, 443, 8080 are open with the service of SSH, HTTP, HTTPS, respectively. Now that port 80 is open we open the target IP address in our browser as shown in the following image :

It opened a webpage as shown in the above image. But as resulted in the nmap scanning port 8080 is also open, so now we opened our target IP with port 8080 and found a login page there as shown in the image below :

Now that we do not have login credentials, we explored using dirb in order to find directories, and in the result of dirb, we found two important directories i.e. /img and /wifi as shown in the image below :

First, of them, we opened, /img directory and there was a space.jpg we found there.

When opened this image was of the Tesseract. Nothing else in the image as you can see in the image below :

But if you remember, space stone was inside the tesseract, so we used the exif tool to see if there was metadata stored in the image. And for this use the following command :

And so, as you can see in the image below, our doubt was correct, because here we found our first flag i.e. spacestone. Now our infinity gauntlet is missing five more stones (flags). Let’s try and find them.

Our target also has port 443 open, which means there is a webpage on https, let’s try and open it. When you open the target IP on port 443, it shows something is not right with the SSL certificate which you can in the image below too :

Click on that lock icon and navigate yourself to its security as shown in the image below, as here you will find your second stone i.e. Mind stone. Four more stones to collect for there to be a perfect balance.

If you remember, with the /img directory we also found /wifi directory. So now let’s traverse through that.

Upon opening the said directory, we found two things i.e. pwd.txt and reality.cap. First, we downloaded pwd.txt to see what it had to offer. Use the following command to download it :

Once downloaded, we read the pwd.txt file using the cat command. And it said

“Your Password is thanos daughter name “gam” (note it’s all lower case) plus the following I enforced new requirement on you…12 characters

One uppercase character

Two numbers

Two lowercase

The year of the first avengers movie came out in theaters”

Now that we know password the format of the password so we will use crunch to make a wordlist for all the possible password combinations with the following command :

Now, the other file which we found was reality.cap so while examining that file, we found wifi packets in it. So, we used aircrack-ng and used our crunch created password list to find the wifi key. And voila! We found our wifi key as shown in the image below :

 

We used this wifi key as a directory and we found a realitystone.txt which further lead us to our reality stone. Three stones down, three more to go.

Now, for the next stone, we opened the target IP on the 443 port; it had a redirecting link on the top right side. Upon clicking on the link, we are redirected to a page where there is a quiz about avengers, and also some hint related to binary. As shown in the image below :

 

Upon solving the quiz, we had got the following answers with their corresponding binary value :

S.No. Questions Answers Binary Value
1. In the beginning, there are 3 infinity stones on earth. False 0
2. At the end, there are two survivors on Titan. True 1
3. Thanos already had the power stone when he first appeared. True 1
4. Tesseract contains the reality stone. False 0
5. The dwarf on Ndavellir is played by Peter Dinklage True 1
6. Red skull is the guardian of space stone. False 0
7. Thor’s new hammer is called stormbuster. False 0
8. Rocket is the only Guardian of the Galaxy to survive the snap. True 1

After solving the quiz and identifying their binary values, we had a binary string i.e. 01101001. We opened this string of binary characters through the URL and there was a hints.txt and further opened it and found text encrypted through brainfuck algorithm.

So further, we decrypted the ciphertext and got its value as admin:avengers. Here, huge possibility is that this can be log in credentials which can be used on the log in page that we found on 8080.

As deduced above, we logged in by using the above-founded credentials and were welcomed with the following page :

The webpage has used Jenkins framework and it is commonly known for its vulnerability as in Metasploit there is an affective exploit for it. Therefore, we will use the following exploit and so, open Metasploit in kali and the following set of commands :

Once the exploit is executed, you will have a meterpreter session. And when you try to have shell by using the simple “shell” command but an improper shell session will be opened. To get a proper shell use the following command :

Now that we have the proper shell, we tried to look for the files which had SUID bits set on them and for that we used the following command :

After running the above command, we had a list and we enumerated through them one by one. Although the one that stood out was /opt/script. And the one that had our next stone i.e. time stone was /opt/script only as shown in the following image :

As we found our fourth stone in the /opt/script we decided to explore /opt a bit more. And for that we used the following a set of commands :

The above commands allowed us to see the contents of /opt and there we found morag.kdbx. now this morag.kdbx is important for two reasons i.e. there was a planet named Morag in avengers series and .kdbx tells us that it might have password key database.

So we decided to open and we met with the following dialogue box :

As we didn’t know the ‘master password’, we decided to run a python script which created the key hash and then with the additional help of john the ripper we cracked the password and to do so, type :

And as you can see in the image above, the master password is princesa. When entered this password, we found one enter on the flag tab which is powerstone. And so we found our fifth and second last stone/flag as shown in the image below :

Another tab, just below flags, is cred in the morag.kdbx password key database. When opened, it contained a base64 string as shown in the image below :

So we decoded the string using the following echo command :

The string was then decoded to plain text i.e. morag:yondu, just like in the image below :

We have found five stones till now using each port except SSH. And the above-decoded string can be our log in credentials to log in through SSH. Therefore, we tried it using the following command :

And then, when further asked for password type ‘yondu’ and so you are logged in just as shown in the image below :

After logging in through SSH, we used ‘sudo -l’ command to see which user had no password and the result was : /usr/bin/ftp.  So we switched the user to ftp and further accessed root to find our final flag by using the following set of commands :

And so, we have found all the six stones aka flags and with just a snap there can be the perfect balance in the universe.

AuthorYashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contachere

Hack the Box: Luke Walkthrough

Hello! Everyone and Welcome to yet another CTF challenge from Hack the Box, called ‘Luke,’ which is available online for those who want to increase their skills in penetration testing and Black box testing. Luke is a retired vulnerable lab presented by Hack the Box for making online penetration testing practice suitable to your experience level; they have a large collection of vulnerable labs as challenges ranging from beginner to expert level.

Level: Easy

Task: Find user.txt and root.txt in the victim’s machine

Penetration Methodologies

  • Scanning
    • Nmap
  • Enumeration
    •    Logging in FTP as anonymous
    •    Browsing HTTP service
    •    Directory Scanning using Dirsearch
  • Exploitation
    •    Extracting Authentication token using curl   
    •    Extracting User information using curl
    •    Extracting Password using curl
  • Privilege Escalation
    •    Logging in Ajenti Panel
  • Capturing the flag

Walkthrough

Network Scanning

Let’s get started then!

Since these labs have a static IP, the IP address for Luke is 10.10.10.137. Let us scan the VM with the most popular port scanning tool, nmap.

From the result above we found five working ports on the VM, port 21, 22, 80, 3000, 8000.

Here, we can saw that FTP allow anonymous login. So, we check it.

Through FTP login we found a for_Chihiro.txt file, where Chihiro or Derry might be usernames.

We found that the HTTP service runs on port 80, from nmap results. So, we browse the IP address of Target in the browser. We found a simple HTML page.

We also started a Directory Bruteforce in order to enumerate the machine further. This gave us some directories and files namely config.php, management etc.

We enumerated all of them. Among which config.php gave us some database credentials as shown in the image below.

We tried credentials on 10.10.10.137/management. But it gave back an unauthorized error. We will come back to it again.

Back to our nmap scan, we found that a Nodejs service running on port 3000. On browsing the IP Address with 3000 port, we got a message that says that auth token is not supplied.

We further did a Directory Bruteforce on port 3000. We found pages named /login and /users.

After a bit of research, we can use the curl command to authenticate JWT token. For more, you can read this article from here.

The tricky part here is the username is admin and not root which we guessed.

So, the curl command with the admin as username and password we got earlier.

This gave us the auth token.

We enumerated usernames using the curl command with the help of the Authentication token we found earlier. This gave the users information as shown in the image given below.

We enumerated all users using the curl command. This gave use password for those users as shown in the image given below.

We logged in the management page successfully using the credentials of user Derry.

User Name: Derry

Password: rZ86wwLvx7jUxtch

After logging in we found files named config.json, config.php and login.php. We enumerated all these files among which config.json seemed interesting.

The config.json file had some information related to ‘ajenti’ service running on port 8000 and a password.

We browsed the IP Address with the port 8000, It gave us another login form. We used the following credentials into the form. This successfully gave us the ajenti panel as shown in the image given below:

Username: root

Password: KpMasng655EtTy9Z

After Enumerating a bit, we saw the option to open terminal. On opening the terminal, we checked the user and group details using id command. It is a root shell. Here we enumerated the shell for the user and the root flags.

Author: Prabhjot Dunglay is a Cyber Security Enthusiast with 2 years of experience in Penetration Testing at Hacking Articles. Contact here.

Silky-CTF: 0x02 Vulhub Walkthrough

Today we will be solving a boot2root lab from Vulnhub called SILKY-CTF: 0x02. This lab is a good way to keep your penetration testing skills on point while getting some variety.

Download it from HERE

Level: Easy-Intermediate

Task: Boot to Root (flag.txt)

Penetration Methodologies

Scanning

  • Netdiscover
  • Nmap

Enumeration

  • Directory Scanning using DIRB
  • Giving Credentials For Admin Login

Exploitation

  • Exploiting Command Injection Vulnerability
  • Fuzzing to exploit LFI Vulnerability
  • Reading /etc/passwd file
  • Getting a reverse connection using Python Reverse Shell
  • Spawning a TTY Shell

Privilege Escalation

  • Getting SUID File
  • Exploiting Buffer Overflow Vulnerability using Bad Chars and Python Script
  • Decoding Hashes using John

Capturing the flag

Walkthrough

Network Scanning

Let’s start by scanning the network for targets using Netdiscover.

We found target IP Address 192.168.1.23. Let’s begin with basic port scanning with NMAP

Enumeration

NMAP scanning result wasn’t much use to us. So, we thought of executing Directory Brute force in order to enumerate the machine further. This gave us a directory “admin.php”. This seems quite interesting.

After browsing the directory on the browser, it turned out to be Admin Login Panel. This might be useful to follow up.

We Clicked on Login and Got a Login form to give Admin’s Username & Password. We tried different methods to access the Admin Panel but were shutdown.

We thought of logging in with random credentials.

Noticing the error was in the German Language. That’s Different!!

Exploitation

After spending a few time looking for a way. It clearly strikes to check LFI in the URL as shown in the image. We have successfully executed the ls command which means it is vulnerable to command injection.

To confirm the LFI, we did some Fuzzing and found the /etc/passwd file.

Moving on, we looked for a Flag.txt in the Silky home directory.

It’s time to execute a Python Reverse Shell to get a reverse connection. But before executing the shell establish a Netcat listener on your machine. Given below is the Python reverse shell we have used in the URL to obtain a reverse connection on our Netcat listener.

Oh Yeah!! We got the reverse shell on our Netcat listener, but it is not a proper shell. We will spawn this tty shell using python.

While enumerating the directories of the machine, we found a SUID file cat_shadow. This might come in handy. Let’s see.

On checking what this file actually does by executing it. We noticed it’s trying to read the shadow file but on the other hand we got permission denied.

We clearly knew we need to send that HEX value since it seemed it is vulnerable to Buffer Overflow Vulnerability.

After some trials, we wrote a simple python script to write 64 bad characters of “A” and then adds the value of “0x496c5962” in little-endian format and provide the result as input to the “cat_shadow” file and was able to read the “/etc/shadow” file.

Now we have simply copied the hashes in a file on our Kali Linux and Fired UP!! John to decode the hashes. After some time, we got the password for root. I guess there is only one thing left to do is to read our Final Flag.

We logged in to Root User using the found credentials and easily got our way to the Final Flag.

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 3 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here