Casino Royale: 1 Vulnhub Walkthrough

Today we are going to solve another CTF challenge, “Casino Royale: 1”. It is a vulnerable lab created by the author creosote to help pentesters practice penetration testing according to their experience level. The challenge is to get root on the target virtual machine and read flag.sh.

Difficulty: Intermediate

Penetrating Methodologies

  • IP discovery and Port Scanning.
  • Browsing the IP on port 8080.
  • Discovering accessible directories on the victim’s machine.
  • Searching exploits via searchsploit.
  • Using SQLMAP to find database and login credentials.
  • Browsing directories on the browser.
  • Adding Domain name to /etc/hosts file.
  • Searching exploits via searchsploit.
  • Using Cross-Site Request Forgery Exploit code.
  • Using telnet to connect to port 25.
  • Tailing the access.log file.
  • Browsing directories on a browser.
  • Exploiting XML External Entity vulnerability.
  • Using curl to send the file.
  • Creating a PHP shell using msfvenom.
  • Using hydra to brute force FTP login Password.
  • Logging into FTP.
  • Using Multi/handler of Metasploit Framework.
  • Enumerating through directories.
  • Getting Login Credentials.
  • Looking for SUID file and directories.
  • Creating a bash shell using msfvenom.
  • Using Netcat listener to get a reverse shell.
  • Getting Root Access.
  • Reading the Flag.

Walkthrough

Let’s start off with discovering the IP address of our Target Machine.

Then we’ll continue with our nmap command to find out the open ports and services.

Since port 80 is open, we opened the target's IP address in the browser.

We didn't find anything on the webpage, so we used the dirb tool to enumerate directories on the target's IP address.

Here we found a useful entry, index.php. Moving on.

We opened index.php on the target's IP address in the browser. This page looked interesting and gave us our next clue.

The page mentioned the PokerMax software, which made us look it up in searchsploit, and our intuition was right. We copied the exploit file 6766.txt to our machine and read its contents. It revealed a link, which we opened in the browser.

The link took us to the PokerMax Poker League admin login. Since we don't have any credentials, it was time to bring up SQLMAP.

Let’s first find the database.

The database we found is pokerleague.

Let’s look for the admin login credentials in the pokerleague database.

We have got the required credentials.

Username: admin

Password: raise12million

We successfully logged into the admin area and looked for other clues.

After checking all the tabs on the page, we found some useful information in the Edit info of the player Valenka.

We got a useful directory in the player profile; let's find out where it leads. It also asked us to add the domain name casino-royale.local to our hosts file.

Updating the hosts file.

After opening the directory under the domain name in the browser, we found something interesting about port 25, which was open. This information might come in handy.

Looking around, we found the Snowfox CMS. Let's check whether it is in searchsploit.

We were right. There is an HTML file available for this exploit, so we copied it to our machine.

On reading the file, we found a script for a cross-site request forgery (add admin) attack, so we copied this code.

We created a new file, raj.html, pasted the code into it and made some minor changes, as you can see in the image.

After that, we copied raj.html to the /var/www/html folder on our machine and restarted the apache2 service.

Let's connect to port 25 using telnet. We will send a mail to the recipient valenka containing the link to the raj.html file. All the steps are shown in the image.

We then tailed the apache2 access log.

Let's log in with the credentials we set in raj.html, using the sign-in section of the page casino-royale.local/vip-client-portfolios/?uri=signin

Email address: [email protected]

Password: password

After logging in successfully, we found another clue under Edit for [email protected] in Manage players.

Another directory clue; let's open it in the browser and see what it holds.

We landed on this page.

Since that page didn't seem useful from the outside, we checked its page source. This gave us a hint to use XML External Entity injection for our next step.

So we looked for XML External Entity injection code online, created a new file xml.txt and pasted the code into it with some minor changes.

//depthsecurity.com/blog/exploitation-xml-external-entity-xxe-injection

Let's send our XML External Entity injection payload in the file xml.txt using curl.

Exploiting the XML External Entity vulnerability gave us the /etc/passwd file, which contained a username for the FTP login, i.e. ftpUserULTRA.
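As an added example, not part of this walkthrough or the linked blog post, here is the server-side gate that would have stopped the XXE step above: the raw XML is rejected before any parser sees it if it declares a DOCTYPE or an entity. The payload shape and the benign document are constructed samples, and the `<name>` field is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample: the classic XXE probe shape, an external entity that
# points at a local file and is then referenced in the body.
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<data><name>&xxe;</name></data>"""

# Constructed sample: a benign document of the same shape.
BENIGN_XML = b"""<?xml version="1.0"?>
<data><name>valenka</name></data>"""

# Any DOCTYPE (internal subset or external DTD) or entity declaration is
# rejected outright. The XML spec requires these keywords in upper case, but
# the match is case-insensitive so odd casing cannot slip past a lax parser.
_DTD_MARKERS = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def has_dtd(raw: bytes) -> bool:
    """True if the document declares a DTD or an entity anywhere in its bytes."""
    return _DTD_MARKERS.search(raw) is not None


def parse_untrusted_xml(raw: bytes) -> ET.Element:
    """Parse XML from an untrusted client, refusing anything that could carry XXE.

    The DTD check runs on the raw bytes before the XML parser sees the input.
    Python's docs list xml.etree as safe against external entity expansion,
    but the gate above is the control this handler relies on.
    """
    if has_dtd(raw):
        raise ValueError("rejected: DTD/entity declarations are not allowed")
    return ET.fromstring(raw)


def extract_name(raw: bytes) -> Optional[str]:
    """Return the <name> text from a validated document, or None if rejected."""
    try:
        root = parse_untrusted_xml(raw)
    except (ValueError, ET.ParseError):
        return None
    node = root.find("name")
    return node.text if node is not None and node.text else ""


if __name__ == "__main__":
    print(extract_name(BENIGN_XML))   # valenka
    print(extract_name(XXE_PAYLOAD))  # None
```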

We created a PHP shell payload using msfvenom.

We used hydra to find the password of the user ftpUserULTRA for the FTP login and cracked it: bankbank.

Let's log into FTP. After some trial and error, we found that we are only able to upload .php5 files or files with no extension. Time to upload our shell and give it execute permissions.

After uploading our shell, we set up a listener using the Metasploit framework.

We got the reverse shell, but it is not a proper shell, so we spawned a TTY shell using python.

After enumerating the directories, we found a useful file, config.php. Let's check its contents.

When we read the contents of config.php, it gave us two useful credentials.

DBusername: valenka

DBpassword: 11archives11!

So we used these credentials to log in as Valenka.

After that, we looked for files with the SUID bit set.

Here we found an interesting SUID file and directory.

/opt/casino-royale/mi6_detect_test

On running the SUID file, we saw that it most likely executes a run.sh file, but no such file or directory exists, and we don't have the permissions to create run.sh there. So we decided to move to the /tmp directory.

We need to create a bash payload using msfvenom:

After that, we copied the code into run.sh and started a python HTTP server.

We downloaded the file into the /tmp directory and ran the SUID file again.

This time, running the SUID file gave us a reverse shell on our netcat listener. Finally, we got root access and read the flag!

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. He has 2 years of experience in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here

DC-1: Vulnhub Walkthrough

Hello friends! Today we are going to take on another boot2root challenge known as “DC-1: 1”. The credit for making this VM goes to “DCAU”. Our goal is to get root access to complete the challenge. You can download this VM here.

Security Level: Beginner

Penetrating Methodology:

  • IP Discovery using netdiscover
  • Network scanning (Nmap)
  • Surfing HTTP service port (80)
  • Finding Drupal CMS
  • Exploiting Drupalgeddon2 to get a reverse shell
  • Finding files with SUID bit set
  • Finding the “find” command with SUID bit set
  • Getting root shell with “find” command
  • Getting final flag

Walkthrough

Let’s start off with scanning the network to find our target.

We found our target –> 192.168.1.104

Our next step is to scan our target with nmap.

The NMAP output shows us that there are 3 ports open: 22 (SSH), 80 (HTTP), 111 (RPC).

We find that port 80 is running HTTP, so we open the IP in our browser.

When we access the web service, we find that the server is running Drupal CMS. As the target system is running Drupal CMS, we can check whether it is vulnerable to the Drupalgeddon2 exploit. We run the exploit against the target machine using Metasploit and successfully get a reverse shell.

After getting a reverse shell, we spawn a TTY shell using python. Then we look for files with the SUID bit set on the server and find that the “find” command has it.

As the “find” command has the SUID bit set, we can execute commands as the “root” user. We create a file called “raj” and use the “find” command on it to check whether it executes commands as root. The reason for creating a file is that “find” needs something to operate on, and running it on a single file runs the command only once.

After executing the command “whoami”, we find that we can run commands as the root user. We now execute “/bin/bash” using the “find” command and successfully spawn a shell as root. We go to the /root directory and find a file called “thefinalflag.txt”. We take a look at its contents and find a congratulatory message for completing the VM.

Author: Sayantan Bera is a technical writer at Hacking Articles and a cybersecurity enthusiast. Contact Here
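As an added example, not from either writeup, here is the defender-side check that covers the SUID step in both the Casino Royale walkthrough (the custom /opt helper) and this DC-1 one (the set-id “find”): walk a tree, list every regular file with SUID or SGID set, and flag those whose basename is not on an allowlist. The allowlist is an assumption to be tuned per distribution, and the sample tree is constructed in a temporary directory.

```python
import os
import stat
import tempfile

# Assumption: basenames that legitimately carry SUID/SGID on a typical
# Debian-style host. Baseline it per host; anything outside it is a finding.
SUID_ALLOWLIST = {
    "sudo", "su", "passwd", "chsh", "chfn", "gpasswd", "newgrp",
    "mount", "umount", "ping", "fusermount",
}


def list_setid_files(root):
    """Return (path, mode, owner uid) for every regular file under `root`
    with the SUID or SGID bit set. Symlinks are not followed."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished mid-walk; skip, don't abort
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, st.st_mode, st.st_uid))
    return hits


def audit_setid(root, allowlist=SUID_ALLOWLIST):
    """Return set-id files whose basename is not allowlisted, sorted by path.
    A set-id copy of find, or a custom helper under /opt, lands here."""
    return sorted(path for path, _mode, _uid in list_setid_files(root)
                  if os.path.basename(path) not in allowlist)


def demo_tree():
    """Constructed sample tree: one expected SUID binary, two that should be
    flagged, and an ordinary 0755 file that must not be reported."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    os.makedirs(os.path.join(root, "usr", "bin"))
    os.makedirs(os.path.join(root, "opt", "casino-royale"))
    for rel, mode in [("usr/bin/passwd", 0o4755), ("usr/bin/find", 0o4755),
                      ("opt/casino-royale/mi6_detect_test", 0o4755), ("usr/bin/ls", 0o755)]:
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\n")  # placeholder body; only the mode matters here
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for path in audit_setid(demo_tree()):
        print("unexpected set-id file:", path)
```

On a real host, run it as root against "/" with `nosuid` mounts excluded, and diff the result against the last known-good baseline rather than reading it cold.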

Replay: 1: Vulnhub Lab Walkthrough

Hello friends! Today we are going to take on another boot2root challenge known as “Replay: 1”. The credit for making this VM goes to “c0rruptedb1t”. Our goal is to get root access to complete the challenge. You can download this VM here.

Security Level: Intermediate

Flags: There is one flag (flag.txt).

Penetrating Methodology:

  • IP Discovery using netdiscover
  • Network scanning (Nmap)
  • Surfing HTTP service port (80)
  • Enumerating password from Source code.
  • Enumerating robots.txt and finding the zip file
  • Unzipping zip file
  • Enumerating password from the binary file
  • Enumerating the hardcoded command
  • Editing the hardcoded command
  • Getting a reverse shell
  • Enumerating password for the user
  • Elevate Privileges to get root
  • Getting Flag

Walkthrough

Let’s start off with scanning the network to find our target.

We found our target –> 192.168.1.37

Our next step is to scan our target with nmap.

The NMAP output shows us that there are 3 ports open: 22 (SSH), 80 (HTTP), 1337 (unknown).

We find that port 80 is running HTTP, so we open the IP in our browser.

We take a look at the source code of the web page and, at the top, we find a string inside a comment. We can't do anything with it yet, so we save it for later.

The nmap scan shows us that there is one entry inside robots.txt. We open robots.txt and find an entry called “/bob_db.zip”.

We open the link and download the zip file from the web server. After downloading it, we extract it and find a 64-bit ELF file and a text file. We take a look at the contents of the text file and don't find anything of use.

When we run the application “client.bin”, it asks for an IP address and a password.

As we have no clue about the password, we check the strings inside the application and find a hint: the second half of the password. Earlier, in the web page, we found a strange string that might be the first half.

Password: qGQjwO4h6gh0TAIRNXuQcDu9Lqsyul

We join the two strings and use the result as the password for the application. After entering the password, we successfully log in and find that we can run commands. But when we type a command, we get an error stating that we are sending unauthorized packets, and the connection gets closed.

Now, when we take a closer look at the application, we find that the command “;whoami” is hardcoded in it.

We try to edit the application and change the “;whoami” command to something else, and find that the size of the string inside the application must remain the same and the command must always start with a semicolon. So we change “;whoami” to “;uname -a”, keeping the number of characters the same by overwriting existing characters in the application.

Now, when we run the application and give the password, we can successfully execute our command.

Now we replace the entire string with our netcat reverse shell one-liner and use padding characters to keep the size of the application the same.

Now we run the application and give the correct password.

We set up our listener and successfully get a reverse shell. After getting it, we spawn a TTY shell using python.

Enumerating the directories inside “~/Documents/.ftp”, we find a file called “users.passwd”. We open it and find the password for the user “bob”. Now we check the sudoers list and find that we can run all commands as the root user.

As we have the password for the user bob, we spawn a shell as the root user. We go to the “/” directory and find a file called “flag.txt”. We take a look at its contents and find the congratulatory flag.

Author: Sayantan Bera is a technical writer at Hacking Articles and a cybersecurity enthusiast. Contact Here

Hack the Box Access: Walkthrough

Today we are going to solve another CTF challenge, “Access”. It is a retired vulnerable lab presented by Hack The Box to help pentesters practice online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Easy

Task: To find user.txt and root.txt file

Note: Since these labs are available online, they have a static IP. The IP of Access is 10.10.10.98.

Penetrating Methodologies:

  • Network scanning (nmap).
  • Logging into FTP using anonymous login.
  • Using strings to read contents of the .mdb file.
  • Unzipping Zip file using 7z.
  • Using readpst to read the contents of the .pst file.
  • Finding Login Credentials
  • Logging into Telnet.
  • Finding the first flag user.txt
  • Using web delivery module to create PowerShell code.
  • Getting Meterpreter.
  • Using exploit suggester of Metasploit.
  • Getting Root Access.
  • Changing the Administrator password using net user.
  • Reading Our Final flag root.txt

Walkthrough

Let’s start off with scanning the network to find our target.

The first thing that got our attention is that anonymous access to the FTP server is allowed. Let's log in and see what we find.

After successfully logging into the FTP server, we enumerated the directories and downloaded two files, Access Control.zip and backup.mdb. They might come in handy later on.

When we tried to unzip the zip file, we found out that it was password protected. So we looked into the backup.mdb file and found the password for the zip file.

Once we had obtained the password for Access Control.zip, it was time to unzip it. After unzipping, we saw it contained a .pst file, which is a Microsoft Exchange format for mailboxes. Using readpst, we converted the file into .mbox format.

Let's read the contents of Access Control.mbox.

After reading the contents, we found user credentials that will surely help us move ahead.

Let's log in via telnet using our new credentials. After enumerating the directories, we found our first flag.

Let's generate a payload via the web delivery module of Metasploit.

Now we will execute the PowerShell code generated by the web delivery module.

We successfully got a meterpreter session. Moving forward.

After that, we used the exploit suggester, which gave us all the possible exploits for the victim's operating system.

Using the Metasploit exploit ms16_014_wmirecv_notif.

Oh yeah! We got root access.

Now we changed the Administrator password so that we can use it to log in via telnet.

Here we successfully logged in via telnet and found our final flag.

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. He has 2 years of experience in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here