Hack the Box: Heist Walkthrough

Hello everyone, and welcome to yet another CTF challenge from Hack the Box, called ‘Heist’, which is available online for those who want to increase their skills in penetration testing and black-box testing. Heist is a retired vulnerable lab presented by Hack the Box to make online penetration testing practice suitable to your experience level; they have a large collection of vulnerable labs as challenges ranging from beginner to expert level.

Level: Easy

Task: Find user.txt and root.txt in the victim’s machine

Penetration Methodologies

Scanning

  • Nmap

Enumeration

  • Browsing HTTP service
  • Extracting and decrypting User Information from config.txt

Exploitation

  • Brute-forcing more users using the Impacket toolkit

Privilege Escalation

  • Using WinRm to get Root Access
  • Uploading Procdump64.exe to dump process
  • Capturing the flag

Walkthrough

Network Scanning

Let’s get started then!

Since these labs have a static IP, the IP address for Heist is 10.10.10.149. Let us scan the VM with the most popular port scanning tool, nmap.

The scan shows port 80 open, hosting the Microsoft IIS httpd 10.0 service, and ports 135, 445, 5985 and 49669 open, which tells us that Microsoft Windows RPC and the Microsoft HTTPAPI service are running on the target machine.

Enumeration

Since port 80 is open, we open the HTTP service in a web browser for more details and find a login portal.

There’s also an option to log in as a guest, so let’s try that.

From the picture above, we can see that after logging in as a guest there is a user called hazard who has posted an issue with his Cisco router and attached its configuration. Let’s open the file in the browser and see what information we get.

Reading the configuration file, we can see that it contains two Cisco type 7 passwords and one Cisco type 5 password.

We can decrypt type 7 passwords using an online tool at the following link:

So here are the credentials we have collected till now:

We also cracked the Cisco type 5 hash using the hashcat command below.

This successfully cracked the hash $1$pdQG$o8nrSzsGXeaduXrjlvKc91 to stealth1agent.
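The reason the type 7 strings fall to an online tool is that type 7 is a fixed-key XOR, not encryption. The following audit script is an added example, not part of the original write-up: it scans a constructed IOS-style config fragment, reverses any type 7 value, and flags type 5 (MD5-crypt) secrets as offline-crackable so they can be migrated to type 8/9. The sample config and its type 7 values are constructed for this example; only the type 5 hash is taken from the page.

```python
import re

# Cisco's fixed type 7 XOR key. It has been public for decades, which is why
# type 7 is obfuscation rather than encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed IOS config fragment for this audit (not the lab's real config.txt).
SAMPLE_CONFIG = """\
hostname rout3r
!
username rout3r password 7 0822455D0A16
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
!
line vty 0 4
 password 7 10460C101603
 login
"""

def decode_type7(blob: str) -> str:
    """Reverse a type 7 string: a 2-digit decimal seed followed by hex bytes,
    each XORed with the key byte at (seed + position) mod len(key)."""
    if len(blob) < 4 or len(blob) % 2 != 0 or not blob[:2].isdigit():
        raise ValueError(f"not a type 7 string: {blob!r}")
    seed = int(blob[:2])
    data = bytes.fromhex(blob[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data)).decode("ascii")

SECRET_RE = re.compile(r"\b(?:password|secret)\s+(\d)\s+(\S+)")

def audit_config(text: str) -> list:
    """Find every stored secret in the config and classify how weak its storage is."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET_RE.search(line)
        if not m:
            continue
        kind, value = m.group(1), m.group(2)
        if kind == "7":
            findings.append({"line": lineno, "type": 7, "plaintext": decode_type7(value),
                             "fix": "reversible; replace with a type 8/9 secret"})
        elif kind == "5":
            findings.append({"line": lineno, "type": 5, "plaintext": None,
                             "fix": "MD5-crypt; offline-crackable, migrate to type 8/9"})
        else:
            findings.append({"line": lineno, "type": int(kind), "plaintext": None,
                             "fix": "ok" if kind in ("8", "9") else "review"})
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```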

We tried all combinations of these credentials on the login portal, but failed to log in.

Coming back to the nmap scan, we can see that port 5985 is open, which is used by Microsoft Windows Remote Management (WinRM), a service/protocol used to manage remote systems.

So we tried to brute-force more users with the Impacket toolkit. You can read more about the tool here, and download it from https://github.com/SecureAuthCorp/impacket

To try these users with the passwords we got earlier, we use a very useful WinRM shell tool for pentesting.

We tried all these users with the passwords, and the pair below worked.

Also, make sure to create the ps1_scripts and exe_files directories in your home directory, otherwise the tool won’t work (mkdir ps1_scripts & mkdir exe_files).

Here we managed to get user.txt as our first flag.

Privilege Escalation

Now that we have user.txt, we have to find root.txt. After searching for a while, we found that a Firefox instance was running.

We uploaded procdump64.exe to dump one of the processes. You can download procdump64.exe from here.

After uploading procdump64.exe, we saw that there were 4 Firefox processes running, so we took the one with the highest CPU usage.

This created a dump file, and to analyse it and search for sensitive information we used the WinRM shell itself.

As the dump file contains a lot of information, we use Select-String to filter it; Select-String in PowerShell is similar to grep in Linux.

Here we got the administrator credentials, so we log in as administrator in the WinRM shell and capture the root flag.

Author: Prabhjot Dunglay is a Cyber Security Enthusiast with 2 years of experience in Penetration Testing at Hacking Articles. Contact here.

Sunset: dusk: Vulnhub Walkthrough

Sunset: dusk is another CTF challenge from Vulnhub; the difficulty level is set for beginners, and credit goes to whitecr0wz. You have to hunt two flags, and this is a boot-to-root challenge. Download it from here.

Penetration Testing Methodologies

Network scanning

  • Nmap
  • netdiscover

Enumeration

  • Weak credentials
  • PHP file injection

Exploiting RCE

Privilege Escalation

  • Sudo rights
  • Docker

Walkthrough

Network Scanning

First of all, we try to identify our target. We did this using the netdiscover command.

Now that we have identified our target using the above command, we can continue to our next step i.e. scanning the host IP to identify open ports and running services. We will use Nmap to scan the target with the following command:

As a result, we found multiple open ports with services running on them, so we need to enumerate further.

Enumeration

We started the enumeration with FTP and HTTP and tried to find some suspicious information, but unfortunately failed to get any remarkable clue, so we tried a MySQL brute-force attack with the help of hydra using the rockyou.txt file.

We found the MySQL login credentials: the username is root and the password is password, which is a weak credential.

We also navigated to port 8080, where the page displays a listing of the current directory; here the author has left a hint that /var/tmp is a writable directory. This makes it easy for us to compromise the machine using these loopholes.

Since we have the MySQL credentials and know the working directory is /var/tmp, we can use an SQL query to write malicious PHP code into a file named “raj.php”. This gives us RCE and, as a result, a shell on the host machine.

Navigating to port 8080 again, we saw the entry for the raj.php file.

It was time to execute raj.php and verify the RCE parameter by visiting the following URL:

Thus we find that we are able to run system commands through this page.

Exploiting

It was time to exploit the RCE, so we used a netcat reverse shell to spawn a shell on the host machine.

Bravo!! We hit the goal, spawned a shell on the host machine, and found the 1st flag, user.txt, in /home/dusk.

Privilege Escalation

Moving on to privilege escalation, we checked the sudo rights for www-data and noticed that user www-data holds sudo rights for the “make” and “sl” programs; here we escalate to a shell as user dusk by exploiting the make program.

After executing the above command, we were able to access the host shell as user dusk, who is also a member of the docker group.

As we know that user dusk is a member of the ‘docker’ group, running the following command will give you a root shell, and as a result you will be able to capture the final flag.
The command you execute to perform the privilege escalation fetches a Docker image from the Docker Hub registry and runs it. The -v parameter passed to Docker mounts a host directory as a volume inside the container. The -i and -t parameters put Docker into ‘shell mode’ rather than starting a daemon process.

Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer; she is a completely enthusiastic pentester and Security Analyst at Ignite Technologies. Contact here.

Me and My Girlfriend:1 Vulnhub Walkthrough

Me and My Girlfriend is another CTF challenge from Vulnhub; the difficulty level is set for beginners. You have to hunt two flags, and this is a boot-to-root challenge.

According to the author: This VM tells us that there are a couple of lovers, namely Alice and Bob, where the couple was originally very romantic, but since Alice worked at a private company, “Ceban Corp”, something has changed in Alice’s attitude towards Bob, like something is “hidden”, and Bob asks for your help to get what Alice is hiding and get full access to the company.

Download it from here.

Penetration Testing Methodologies

Network Scanning

  • Netdiscover
  • Nmap

Enumeration

  • Burp Suite

Spawning shell

  • SSH

Privilege Escalations

  • Sudo right

Walkthrough

Network Scanning

First of all, we try to identify our target. We did this using the netdiscover command.

Now that we have identified our target using the above command, we can continue to our next step i.e. scanning the target’s IP to identify open ports and running services. We will use Nmap to scan the target with the following command:

We found ports 22 and 80 open, for SSH and HTTP respectively; let’s go for enumeration.

Enumeration

When you open the machine’s IP in the web browser, you will see the message “this site can only be accessed local”, a hint from the author that the web page is only accessible locally.

Then I checked the page source and noticed the comment “to use x-forwarded-for header” to access the page; here we can say that there is a possibility of host header injection 😊.

Without wasting time, I edited the request header rule in Burp Suite to add x-forwarded-for: localhost and tried to intercept the web page request with it.

Once you have intercepted the request, you need to keep forwarding it until you receive the response in the web browser.

Finally, you will be able to access the web page of the Ceban Corp company mentioned by the author. On this page I saw 4 captions containing hyperlinks. Here I tried to find SQL injection and LFI possibilities but failed to bypass it.

Since I failed to enumerate any vulnerability, I registered a new account with the name raj.

Then I logged in as raj to investigate further.

Once logged in, I saw three more captions: “Dashboard, Profile, logout”. The Profile caption carries a user_id parameter, and for raj it shows user_id=12 in the URL.

In the URL, I changed user_id=12 to user_id=1 and luckily saw another user’s profile; subsequently I found alice’s profile at user_id=5. Moreover, the password field was auto-filled, so I was able to read the password with the browser’s inspect element.

Thus, I have the following creds:

Spawning shell

Since we have enumerated credentials for the user alice, I used them to access the host machine’s shell through SSH.

After spawning a pty shell on the host machine, I listed the directories and found a hidden folder named “.my_secret”, which contains two files: flag1.txt and my_notes.txt.

Thus we have found the 1st flag; now let’s move on to privilege escalation and capture the 2nd flag.

Privilege Escalation

Without wasting time, I looked for sudo rights and fortunately found that alice can run the php program with sudo. Then I started a netcat listener in a new terminal and ran the php reverse shell command in the host terminal.

Boom!! We got the root shell through the netcat session, and inside the root directory we found the final flag.

Author: Pinky Deka is trained in Certified Ethical Hacking and is a Bug Bounty Hunter. Connect with her here.

Sunset-Sunrise: Vulnhub Walkthrough

In this article, we are going to crack the Sunset: sunrise Boot to Root Challenge and present a detailed walkthrough. The machine depicted in this Walkthrough is hosted on Vulnhub. Credit for making this machine goes to whitecr0wz. Download this lab by clicking here.

Penetration Testing Methodology

  • Network Scanning
    • Netdiscover Scan
    • Nmap Scan
  • Enumeration
    • Browsing HTTP Service
    • Directory Bruteforce using dirb
    • Enumeration using Searchsploit
  • Exploitation
    • Exploiting the Directory Traversal
    • Reading of User Flag
    • Connection via SSH
    • Enumeration of MySQL Service
  • Post Exploitation
    • Enumeration for Sudo Permissions
    • Generation of payload using MSFPC
    • Transferring payload to Target Machine
    • Reading Root Flag

Walkthrough

Network Scanning

After running the downloaded virtual machine in VMware, it is automatically assigned an IP address by the network DHCP. To find the IP address of our target machine, use the following command, which lists all the IPs in the internal network:

We found the target’s IP address, 192.168.1.197. The next step is to scan the target machine using the Nmap tool to find its open ports and services, which will help us to proceed further.

Here we performed an aggressive port scan because we wanted to grab all the information. The scan showed port 22 running OpenSSH, port 80 running Apache httpd, MySQL running on port 3306, and some kind of proxy running on port 8080. This was the lay of the land. Now let’s get to the enumeration.

Enumeration

We started from port 80 and tried to browse the webpage in our browser. Much to our dismay, it didn’t contain anything interesting. Port 8080, on the other hand, piqued our interest, so we decided to take a look at it.

We noticed that we have a directory listing with a sweet little footnote claiming that Weborf is running on this machine. We also got the version information from it. This server is a good example of why version information disclosure is a vulnerability.

Now, without moving around much, we decided to search for Weborf using searchsploit. If we don’t get a hit, we will try something else. But we got a successful hit: this version of Weborf is vulnerable to a directory traversal exploit. This could be our way in. We downloaded the exploit contents onto our attacker machine to read it. The exploit gives us the path that is vulnerable. Let’s try that on our target machine.

We went to our web browser and injected into the URL the line displayed by the exploit. This machine is indeed vulnerable to directory traversal. Figures! We can read the /etc/passwd file.
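On the defending side, the same request that read /etc/passwd above leaves a recognisable trace in the web server’s access log. The detector below is an added example, not part of the original walkthrough: it parses constructed common-log-format lines, percent-decodes each request path repeatedly (so double-encoded dots are caught), and flags any path whose “..” segments would climb above the document root, while leaving a harmless in-root “../” alone. The log lines are constructed for this example and are not from the lab.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in common log format (not captured from the lab).
SAMPLE_LOG = """\
192.168.1.50 - - [10/Jan/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
192.168.1.50 - - [10/Jan/2020:10:01:09 +0000] "GET /..%2f..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1411
192.168.1.50 - - [10/Jan/2020:10:01:15 +0000] "GET /images/../css/site.css HTTP/1.1" 200 90
192.168.1.50 - - [10/Jan/2020:10:01:20 +0000] "GET /%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

def decode_path(raw: str, max_rounds: int = 3) -> str:
    """Drop the query string and percent-decode repeatedly, so that a
    double-encoded %252e%252e ends up as '..' just like a single %2e%2e."""
    path = raw.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def escapes_webroot(raw: str) -> bool:
    """Walk the decoded segments keeping a depth counter; a '..' that would
    take the depth below zero climbs above the document root and is flagged.
    '/images/../css/site.css' never leaves the root and is not flagged."""
    depth = 0
    for seg in decode_path(raw).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def find_traversal(log_text: str) -> list:
    """Return one record per flagged request. A 2xx status on a flagged path
    means the server most likely served the file, as Weborf did above."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, ts, method, path, status, _size = m.groups()
        if escapes_webroot(path):
            hits.append({"src": src, "time": ts, "method": method, "path": path,
                         "decoded": decode_path(path), "status": int(status)})
    return hits

if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(hit)
```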

Now that we have a method to look around for files inside the target machine, we decided to take a look at the user sunrise’s home directory, where we came across a user.txt file.

We opened the user.txt file to find this text as shown below. This seems like a simple user flag. That’s charming.

Although it seemed like a dead end, we decided to enumerate the target machine further using directory traversal. We made our way to the weborf user’s home directory.

Instead of heading inside directly, we decided on an automated approach. It’s time for a directory brute-force, and we will use the dirb tool for this purpose. As you can see, within minutes we get the hidden file named .mysql_history.

As this file might contain some useful information, we decided to take a look. We see that it has a query containing the login credentials of the user weborf. Yes!! Let’s try to get in.

Exploitation

We have successfully gained the credentials of the user weborf. Since the earlier nmap scan showed the SSH port open, let’s try to SSH our way in. After getting into the target machine, we started enumerating based on what we knew from our initial scan: there is a MySQL service running on the system. We logged in to MySQL using the weborf credentials and ran the “show databases;” command to get the names of the databases.

We decided to enumerate the database named mysql. We selected it and started to look at the tables created inside this database. Among them was a table called user. That looks important.

Upon a closer look at the user table, we noticed an entry containing the credentials of another user named sunrise: the password is “thefutureissobrightigottawearshades”. Well, a person keeping this kind of password doesn’t have a bright future.

We tried logging in as the user sunrise with the password we found earlier. After logging in, we tried to find improper sudo permissions. Upon close inspection, we see that the user sunrise can run wine with root privileges. This got us thinking, because we hadn’t faced this kind of scenario before. Kudos to the lab author for thinking out of the box here.

Post Exploitation

We could go on and on about the libraries, but as this is a CTF challenge, we will explain as briefly as possible.

Wine (recursive backronym for Wine Is Not an Emulator) is a free and open-source compatibility layer that aims to allow computer programs (application software and computer games) developed for Microsoft Windows to run on Unix-like operating systems.

Now, as we can run wine as root, we will create a payload that can be executed using wine. We will be using msfpc for the payload creation. After creating the payload, we run the Python one-liner to serve the payload for transfer to the target machine.

Since we have hosted the payload on the attacker machine, we use the wget tool to download it to the target machine. After the successful transfer of the payload to the target machine, we execute it using wine along with sudo.

When we used the msfpc tool to generate the payload, a Metasploit Framework Ruby file was also generated with the configuration required to run the listener for the payload. We ran that Ruby file, and when we executed the payload using wine on the target machine, a meterpreter session popped up. As the file was executed with wine, which had root privileges, the shell we got was root as well. We traversed into the root directory, and when we listed all the files inside it, we found a file named root.txt.

Let’s read the root flag and conclude this CTF Challenge.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. He can be contacted on Twitter and LinkedIn.