EVM: 1 Vulnhub Walkthrough

In this article, we will solve the EVM lab. This lab is designed by Ic0de and, as the author intended it for beginners, it is an easy lab. You can download the lab from here.

Penetration Methodologies:

  • Network Scanning
    • Netdiscover
    • Nmap Scan
  • Enumeration
    • Browsing HTTP Service
    • Directory Bruteforce using dirb
    • Enumeration Using WPScan
    • Password Bruteforce using WPScan
    • Getting Login Credentials
  • Exploitation
    • Exploiting using Metasploit
    • Getting a reverse connection
    • Spawning a TTY Shell
    • Enumeration for Root Credentials
  • Privilege Escalation
    • Getting Login Credentials
    • Logging in as root
    • Reading the Final Flag

Walkthrough

Network Scanning

First, we will find the IP address of our target machine. For that, use the following command, as it shows all the IPs in an internal network:

As you can see from the above image, our target IP is 192.168.1.103. Now that we know the target IP, we can move on to scanning it, so that step by step we can attack further and gain control of the machine; scanning will help us find an opening. We will scan with the help of nmap, and for that use the following command:

With the help of nmap, we observed that ports 22, 53, 80, 110, 139, 143 and 445 are open, running the services SSH, DNS, HTTP, POP3, NETBIOS, IMAP and NETBIOS respectively.

Enumeration

As port 80 is open, let us try and open the IP in the browser as shown in the image below:

The Apache webpage opens, which is normal except for the fact that there was a comment saying “you can find me at /wordpress/ im vulnerable 😊”.

According to this comment, there is a vulnerable directory called ‘WordPress’. To confirm it, we used the dirb command:

And to no surprise, there is a directory called ‘WordPress’. Since this is WordPress, as the name suggests, we can use wpscan to find out more about it. For this, type:

With this command, we are telling wpscan to enumerate (-e) all themes (at) and all plugins (ap) installed on the WordPress site, and finally all the users (u) of the WordPress site.

As you can see in the image below, there is a vulnerable plugin c0rrupt3d_brain which we can attack via bruteforce to get a password to log in.

So, for our bruteforce, we will use the rockyou wordlist. To put it in action, type:

When the bruteforce is successful, it will give you the password, i.e. 24992499, which is also shown in the image below:

Exploitation

Now that we know the username and password, we can use an inbuilt WordPress exploit from Metasploit. First, start Metasploit by typing ‘msfconsole’ and then type the following command:

Once the exploit is running and the attack is successful, you have your meterpreter session. In the meterpreter session, go to home by typing cd /home and list what home has to offer with the ls command. There was only one folder there, named root3r. Navigate to that folder and list its files with the same command you used before. Here, you will find the .root_password_ssh.txt file; upon reading this text file with cat, you will find the password of the root user, just as shown in the image below:

Privilege Escalation

Now, we know that the password of the root user is willy26. We can now switch our user to root and for this type:

Now you are logged in as root along with its privileges too. As you can see in the image below:

Once you are logged in as the root user, navigate around and go to the root folder by typing cd /root. When you use the ls command there, you find a proof.txt document. Upon reading it with the cat command, it will show you that you have successfully pwned the machine. YAY!!!!!!

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

Mumbai:1 Vulnhub Walkthrough

Mumbai:1 VM is made by Dylan Barker. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. It is of intermediate level and is very handy in order to brush up your skills as a penetration tester. The ultimate goal of this challenge is to get root and to read the root flag.

Level: Intermediate

Since these labs are available on the Vulnhub website, we will be downloading the lab file from this link.

Penetration Testing Methodology

  • Network Scanning
    • Netdiscover
    • Nmap Port Scan
  • Enumeration
    • Anonymous FTP Login
    • Browsing HTTP Service
    • Scanning directories using Dirb Tool
    • Using Curl to send Get & Post Request
    • Executing Python Script keywords.py
  • Exploiting
    • Executing test.php using Curl
    • Fuzzing and Checking for RCE using Curl
    • Uploading PHP Reverse Shell
    • Getting User access on Netcat Listener
  • Privilege Escalation
    • Using Docker to get Root Access
    • Reading Final Flag

Walkthrough

Network Scanning

Let’s start by scanning the network for targets using Netdiscover.

We found the target IP Address 192.168.1.221. Let’s begin with basic port scanning with NMAP.

Anonymous login is allowed on the FTP port 21 of the target machine, so let’s begin enumerating the FTP service and look for shared files. On enumeration, we found a file named Note. We downloaded it to our system and read its contents. It surely is a clear hint for our next step.

Enumeration

For more details, since port 80 is open, we will navigate to a web browser to explore the HTTP service. It clearly is not enough of a clue to proceed.

Recalling the Nmap result, we thought of browsing the target’s IP address along with port 8000, since the scan shows an Nginx server running on port 8000 of the target machine.

Till now we didn’t find any hint to establish our foothold, therefore we chose DIRB for a directory brute force attack and found URLs for the drupal and wordpress directories. On browsing, these were just empty directories.

It struck us to look for specific file extensions over the target server in those directories. We discovered the files test.php and keywords.py. The first thing to do is to read the contents of the PHP file, because it seems quite suspicious to us.

On sending a request to the target server to access test.php, we discovered it is asking us to make a POST request with a proper query along with the URL.

Now let’s download the keywords.py file to our system and execute the script, which gave us the information to proceed. We ran the script against a few directories, but wordpress gave us the actual understanding of the script. This script just stores words into a list and then counts how many times each word has occurred.

Exploiting

We thought of sending a POST request to test.php as shown below. The result shows that the test.php script is acting as a wrapper which passes data to the keywords.py script and returns the output back to the request. There are ways we can try to escape this into RCE. Now, this is a challenge. After intense fuzzing we finally escaped it into an RCE; now one final thing is left, to get a shell.

After a little bit of playing around with our RCE, we did some enumeration and created a PHP reverse shell, which we uploaded from our machine to the target server to get root. To get that, we executed the PHP reverse shell, and along with it we also started a Netcat listener to establish the reverse connection.

Therefore we got a half shell; we tried spawning a TTY shell with our usual trick, but nothing changed.

Privilege Escalation

To proceed with our privilege escalation, we tried a few things, but they didn’t work out. In the end, to get our final flag, we used docker. There is an issue with docker: all docker commands require sudo, as docker needs root to run. The Docker daemon works in such a way that access to it is allowed to the root user or to any other user in the docker group. This means that access to the docker group is the same as giving perpetual root access without any password. We ran the command shown below. This command obtains the alpine image from the Docker Hub Registry and runs it. The -v parameter specifies that we want to create a volume in the Docker instance. The -it parameters put Docker into shell mode rather than starting a daemon process. The instance is set up to mount the root filesystem of the target machine to the instance volume, so when the instance starts it immediately loads a chroot into that volume. This gives us root on the machine. After running the command, we traverse into the /mnt directory and then the /ignite directory to find Proof.txt.

The final thing to do is to read the FLAG!!

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 3 years in the field of security as a Penetration Tester and Security Analyst. Contact Here

Gears of War: EP#1 Vulnhub Walkthrough

Gears of War: EP#1 VM is made by eDu809. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. It is of intermediate level and is very handy in order to brush up your skills as a penetration tester. The ultimate goal of this challenge is to get root and to read the root flag.

Level: Intermediate

Since these labs are available on the Vulnhub website, we will be downloading the lab file from this link.

Penetration Testing Methodology

Network Scanning

  • Netdiscover
  • Nmap Port Scan

Enumeration

  • Browsing HTTP Service
  • SMB Login

Exploiting

  • Using Crunch to generate a wordlist
  • Using Fcrack to bruteforce ZIP file password
  • Using Hydra to bruteforce SSH Login

Privilege Escalation

  • Reading /etc/passwd File
  • Getting SUID bit files
  • Using Openssl for generating a password hash
  • Adding User to /tmp file
  • Reading Final Flag

Walkthrough

Network Scanning

Let’s start by scanning the network for targets using Netdiscover.

We found the target IP Address 192.168.1.184. Let’s begin with basic port scanning with NMAP.

Enumeration

For more details, we will need to start enumeration against the host machine. Since port 80 is open, we will navigate to a web browser to explore the HTTP service.

The HTTP service was not much of a help. On the other hand, we can clearly note from the nmap scan that the SMB service is running, and since we don’t have any credentials for SSH, we went directly on with SMB. We logged in using the command mentioned. There is a list of shared directories. We tried accessing the LOCUS_LAN$ directory and enumerated it. We found a notes.txt file and an msg_horda.zip file. Let’s transfer these files to our machine to read their contents.

We tried opening the msg_horda.zip file, but it seems to be password protected.

We thought of reading the contents of the SOS.txt file, and it was a success. It surely gave us a hint about the characters of the password for the ZIP file.

Exploiting

It’s time to FIRE UP!! Crunch generates a wordlist as per the combination of password characters we fetched from the SOS.txt file.

Once the wordlist is all set up, we used the FCRACK tool to crack the password of the ZIP file as shown below.

The password for the ZIP file is r44M. We also found a key.txt file inside the ZIP file.

After reading the key.txt file, we got another credential which could be useful for SSH login, but we still need a username. Bring up HYDRA.

We brute forced the username for SSH login using hydra with the password 3_d4y.

After successfully logging into SSH, we tried enumerating the /etc directory but couldn’t, because the user Marcus doesn’t have the privileges to access the /etc directory.

Privilege Escalation

Since our target machine is in a bash shell, we will be using a command to force SSH to allocate a TTY. This will help us run commands as an administrator. Finally, we are able to access the /etc directory.

Reading the passwd file was not much help, but it gave us an idea of what we can do next.

On checking the SUID bit for all the readable files under the /bin directory, we came to know that the current user can use the cp command. This is going to be interesting.

Without any further waiting, we need a password hash for the user that we are going to create on the target machine by making an entry in the /etc/passwd file. We are going to use openssl to generate a salted hash.

Now back to our user marcus on the target machine. Here we are going to use the hash that we generated in the previous step and make a user raj which has elevated privileges. We have to use the nano command to make an entry in the /tmp directory. After making the entry, we checked it using the tail command.

cd /tmp

Now all we have to do is log in using the username and password we just created to get our root shell. On enumeration, we found flag.txt.
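The escalation above depends on two conditions a defender can check for: an /etc/passwd entry carrying its own password hash and a UID of 0 under a name other than root, and a SUID-bit copy of cp that lets an unprivileged user overwrite the file. The following audit script is an added example written for this walkthrough; it is not the lab author's code. The passwd lines are constructed sample data, and the hash in the raj entry is a placeholder, not a real openssl output.

```python
"""Audit /etc/passwd-style data and file modes for the rogue-root-account pattern."""
import os
import stat
from typing import List, NamedTuple, Tuple


class PasswdEntry(NamedTuple):
    name: str
    passwd: str   # "x" means the hash lives in /etc/shadow; "*" or "!" means locked
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


# Constructed sample: three normal entries plus a planted UID-0 account whose
# hash sits directly in the password field (placeholder hash, not a real one).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
marcus:x:1000:1000:marcus:/home/marcus:/bin/bash
raj:$1$saltsalt$PLACEHOLDERHASHxxxxxxxxxx:0:0:raj:/root:/bin/bash
"""


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) lines; reject malformed lines instead of guessing."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for entries that should not exist on a healthy host."""
    findings = []
    for e in parse_passwd(text):
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "uid 0 account other than root"))
        if e.passwd == "":
            findings.append((e.name, "empty password field (no password required)"))
        elif e.passwd not in ("x", "*", "!"):
            findings.append((e.name, "password hash stored in /etc/passwd instead of /etc/shadow"))
    return findings


def is_setuid(mode: int) -> bool:
    """True when an st_mode value carries the SUID bit (e.g. 0o104755 for a SUID regular file)."""
    return bool(mode & stat.S_ISUID)


def find_setuid(paths: List[str]) -> List[str]:
    """Stat each path and return those with the SUID bit; missing paths are skipped."""
    found = []
    for p in paths:
        try:
            if is_setuid(os.stat(p).st_mode):
                found.append(p)
        except FileNotFoundError:
            continue
    return found


if __name__ == "__main__":
    for account, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {finding}")
    # A SUID cp (as the walkthrough relies on) is a finding in its own right.
    print("SUID copies of cp:", find_setuid(["/bin/cp", "/usr/bin/cp"]))
```

On a live host, pass the contents of /etc/passwd to audit_passwd and a list of binaries under /bin and /usr/bin to find_setuid; cp should never appear in the result, and /etc/passwd itself should be root-owned with mode 0644 so that no SUID copy tool can replace it.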

Time to Read our Final Flag!!

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 3 years in the field of security as a Penetration Tester and Security Analyst. Contact Here

HA: Chakravyuh Vulnhub Walkthrough

Today we are going to solve our Boot to Root challenge called “HA Chakravyuh”. We have developed this lab for the purpose of online penetration practices. It is based on the Mahabharat Saga’s renowned Battle Formation by the same name. Let’s Solve it!!

Download Here

Level: Intermediate

Task: To Enumerate the Target Machine and Get the Root Access.

Penetration Methodologies

  • Network Scanning
    • Netdiscover
    • Nmap Scan
  • Enumeration
    • Browsing HTTP Service
    • Anonymous FTP Login
    • Password Bruteforce using John The Ripper
    • Getting Login Credentials
    • Searching Exploit using Searchsploit
  • Exploitation
    • Exploiting LFI Vulnerability
    • Getting a reverse connection
    • Spawning a TTY Shell
  • Privilege Escalation
    • Docker

Walkthrough

Network Scanning

After downloading, run the machine in VMWare Workstation. To work on the machine, we will be needing its IP address. For this, we will be using the netdiscover command. After matching the MAC and IP address, we found the virtual machine IP address to be 192.168.1.105.

Now that we have the target machine IP address, our next logical step would be to do a port scan on the target to get information about the various services that are running on it. After the aggressive scan of all the ports, we see that we have the SSH service (22), HTTP service (80) and FTP service (65530) running on the target machine. We did a scan of all the ports because sometimes administrators set up a service on a different port altogether so that it is not visible in a normal scan.

Enumeration

Moving on, we observed that we have the HTTP service running. It is probable that a web page is hosted. So, we decided to take a look through our Web Browser. It contained a webpage with a painting depicting Arjuna battling to break the Chakravyuh. We did a thorough browsing of the webpage. We went through its source code and images, but there was no way in or any hint.

We then diverted our attention to the service that was shifted to port 65530. During our Nmap aggressive scan, Nmap was able to tell us that anonymous login is enabled on this server. We decided to take a look at the shared files. After logging in to the FTP service, we looked around and found a directory named pub. Inside it was a compressed 7z file named arjun. To take a closer look, we downloaded the file with the help of the get command.

After successfully downloading it, we tried to open the compressed file using the Archive Manager as shown in the image below. It gave us a prompt for a password. We didn’t have any passwords at this point, so now we have to try and enumerate the password for this file.

We didn’t have any choice other than to brute force the password. In order to brute force with John The Ripper, we required a python script that could give us the hashes from the compressed file. These scripts usually have a name like “xyz2john”, where xyz is the file extension that we need hashes from. We googled 7z2john, found the script and saved it on our system as 7z2ctf.py. It is pretty easy to find this script, but still, if you don’t get it, you can download it by clicking here. Now that we have the python script, we extracted the hashes from the file and ran John The Ripper to crack the password hash. Upon cracking, we see that the password is “family”.

We opened the compressed file to find a text file named secret inside it. On opening secret.txt, we find an encoded text inside it. At first look, it seemed like Base64 encoded text.

We decoded the text found in secret.txt using the echo and base64 commands. The encoding was indeed base64. Upon decoding, we see that the text hints that we have Gila CMS to deal with in this scenario. We also got what seems to be a login id and password.

Since we got the hint that we have Gila CMS, we tried to visit the link to access the page hosted with the help of Gila CMS. We have a webpage as shown in the image below.

We also tried the admin keyword to access the login panel. This turned out to be the actual login panel, so we entered the credentials we found earlier.

They worked like a charm. We got inside the Gila CMS admin panel. We took a look around to see if we had any hints or any way to exploit it.

After looking for a while, we couldn’t find any way in through the CMS. So, we went back to basics and searched for Gila CMS in searchsploit. We saw that there is a Local File Inclusion vulnerability that could be useful, and we downloaded the exploit to our attacker machine.

Exploitation

In the exploit, we see that we have the link, but as mentioned by the author of the exploit, the PoC works on a XAMPP server, whereas we have a Linux machine as the target. So, we changed the link to point at /etc/passwd. Also, it has the website set at the gilacms section, and we found ours at /gila/, so we changed that bit too.
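The request just described leaves an obvious trace in the web server's access log: a file parameter that walks up with ../ until it reaches /etc/passwd. The detector below is an added example for this walkthrough, not code from the lab or the exploit author; it parses combined-format log lines, URL-decodes them repeatedly so double encoding does not hide the traversal, and flags the path patterns a CMS should never be asked for. The log lines are constructed samples, and the /gila/index.php?page= parameter in them is a made-up name standing in for whatever parameter a real LFI lives on.

```python
"""Flag path-traversal / local-file-inclusion attempts in combined-format access logs."""
import re
from typing import Dict, List
from urllib.parse import unquote

# Apache/Nginx combined format: ip ident user [time] "METHOD url PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# ".." immediately followed by a path separator, after decoding and slash normalisation.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

# Files and pseudo-files a web application has no business opening on a user's behalf.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/proc/self/")

# Constructed sample log: one benign page view, one plain traversal to /etc/passwd,
# one double-URL-encoded traversal to /etc/shadow, and a static asset from another client.
SAMPLE_LOG = [
    '192.168.1.10 - - [10/Nov/2019:12:00:01 +0000] "GET /gila/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.168.1.10 - - [10/Nov/2019:12:00:05 +0000] "GET /gila/index.php?page=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/7.64"',
    '192.168.1.10 - - [10/Nov/2019:12:00:09 +0000] "GET /gila/index.php?page=..%252F..%252Fetc%252Fshadow HTTP/1.1" 403 512 "-" "curl/7.64"',
    '192.168.1.11 - - [10/Nov/2019:12:01:00 +0000] "GET /gila/themes/default/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until the string stops changing, so %252e%252e%2f is seen as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_url(url: str) -> List[str]:
    """Return the reasons a request URL looks like an LFI/traversal attempt (empty if clean)."""
    decoded = fully_decode(url).replace("\\", "/")
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("directory traversal sequence")
    lowered = decoded.lower()
    for marker in SENSITIVE_PATHS:
        if marker in lowered:
            reasons.append(f"reference to {marker}")
    return reasons


def scan_log(lines: List[str]) -> List[Dict]:
    """Parse each log line and collect the suspicious requests with client, status and reasons."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line: skip rather than crash the whole scan
        reasons = classify_url(match.group("url"))
        if reasons:
            hits.append({
                "ip": match.group("ip"),
                "url": match.group("url"),
                "status": int(match.group("status")),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        # A 200 on such a request means the file was most likely served, not just asked for.
        print(f"{hit['ip']} status={hit['status']} {hit['url']} -> {', '.join(hit['reasons'])}")
```

Run it over a real access log with scan_log(open(path).read().splitlines()); a hit with status 200 deserves the most attention, since a 403 or 404 suggests the server or a WAF already refused the request.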

We see that we have the list of all the files hosted via Gila CMS, including the index.php file. It seemed like our way in, so we opened the file. It contained the PHP code for displaying the index page. We used the PHP reverse shell by pentestmonkey, which can be found here. We changed the IP address in the shell to the IP address of our attacker machine and started a netcat listener on our attacker machine on the port mentioned in the reverse shell. After making the necessary changes, we saved index.php and opened the file in the web browser.

As we opened the file, the PHP reverse shell got executed and we got a shell on the target machine. It was an improper shell, so we used the python one-liner to convert it into a proper one. After getting a shell to our satisfaction, we ran the id command to see our user and its groups on the target machine. We got to know that we are in the docker group. This could help us in privilege escalation.

Privilege Escalation

We have access to a user which is part of the docker group. From working with docker, we know there is an issue with it: all docker commands require sudo, as docker needs root to run. The Docker daemon works in such a way that access to it is allowed to the root user or to any other user in the docker group. This means that access to the docker group is the same as giving perpetual root access without any password. We ran the command shown below. This command obtains the alpine image from the Docker Hub Registry and runs it. The -v parameter specifies that we want to create a volume in the Docker instance. The -it parameters put Docker into shell mode rather than starting a daemon process. The instance is set up to mount the root filesystem of the target machine to the instance volume, so when the instance starts it immediately loads a chroot into that volume. This gives us root on the machine. After running the command, we traversed into the /mnt directory and found flag.txt. This concludes this lab.
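Both the Mumbai:1 and the HA: Chakravyuh privilege escalations come down to the same misconfiguration described above: a low-privileged account sitting in the docker group, which means it can ask the root-running daemon to mount the host filesystem. The script below is an added example for this page, not code from either lab; it parses /etc/group, lists every member of groups treated as root-equivalent (docker by default, the set is a parameter), and describes who can write to the daemon's socket from its mode and group id. The group file and the account names www-data and ignite in it are constructed samples.

```python
"""Audit /etc/group and the Docker socket for users who are effectively root."""
import os
import stat
from typing import Dict, List, Optional, Tuple

# Membership here equals root: the daemon runs as root and will bind-mount "/" on request.
ROOT_EQUIVALENT_GROUPS = frozenset({"docker"})

# Constructed sample /etc/group: the web server account and a second user are in docker.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:
www-data:x:33:
docker:x:999:www-data,ignite
"""


def parse_group(text: str) -> Dict[str, Tuple[int, List[str]]]:
    """Parse group(5) lines into {name: (gid, [explicit members])}."""
    groups = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        name, _password, gid, members = fields
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def root_equivalent_users(group_text: str,
                          privileged=ROOT_EQUIVALENT_GROUPS) -> List[Tuple[str, str]]:
    """Return sorted (user, group) pairs for every member of a root-equivalent group."""
    findings = []
    for name, (_gid, members) in parse_group(group_text).items():
        if name in privileged:
            findings.extend((user, name) for user in members)
    return sorted(findings)


def socket_exposure(mode: int, gid: int,
                    groups: Dict[str, Tuple[int, List[str]]]) -> List[str]:
    """Describe who can write to the Docker socket, given its st_mode, st_gid and parsed groups."""
    exposure = []
    if mode & stat.S_IWOTH:
        exposure.append("world-writable: every local user controls the daemon")
    if mode & stat.S_IWGRP:
        owner_group = next((n for n, (g, _) in groups.items() if g == gid), str(gid))
        members = groups.get(owner_group, (gid, []))[1]
        exposure.append(f"writable by group {owner_group}: {', '.join(members) or 'no members'}")
    return exposure


def live_socket_check(path: str = "/var/run/docker.sock",
                      group_file: str = "/etc/group") -> Optional[List[str]]:
    """Stat the real socket on this host; None when Docker is not installed here."""
    try:
        st = os.stat(path)
        with open(group_file) as fh:
            groups = parse_group(fh.read())
    except FileNotFoundError:
        return None
    return socket_exposure(st.st_mode, st.st_gid, groups)


if __name__ == "__main__":
    for user, group in root_equivalent_users(SAMPLE_GROUP):
        print(f"{user} is in {group}: root-equivalent without a password")
    # Typical packaged install: srw-rw---- root docker, i.e. mode 0o140660 and the docker gid.
    print(socket_exposure(0o140660, 999, parse_group(SAMPLE_GROUP)))
    print("this host:", live_socket_check())
```

The fix is to take service accounts such as the web server user out of the docker group entirely and to let human operators reach the daemon through sudo (which is logged) or through rootless Docker, rather than through a group that grants silent root.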

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here