TBBT: FunWithFlags: Vulnhub Walkthrough

Introduction

Today, we are going to complete a Capture The Flag challenge hosted on Vulnhub. This lab is based on a popular CBS series: The Big Bang Theory and as I am a huge fan of this show, it’s gonna fun to solve it. This lab is developed by emargkos and you can download it from here. This lab is a combination of capture the flag challenge and boot2root which means we have to find flags and root the lab; seven flags are hidden in the lab.

Penetration Testing Methodology

  • Flag #1: Sheldon
    • Nmap Scan
  • Flag #2: Amy
    • Browsing HTTP Service
    • Directory Bruteforce
    • Enumeration using WPScan
    • Exploiting Vulnerable Plugin
    • Getting Meterpreter
    • Downloading Binary File
    • Reading Flag using Strings
  • Flag #3: Penny
    • Enumerating Directories
    • Decoding Base64
    • Reading Flag
  • Flag #4: Leonard
    • Enumerating Directories
    • Enumerating Crontab
    • Crafting Payload using Msfvenom
    • Uploading Payload
    • Getting Root Shell
    • Reading Flag
  • Flag #5: Bernadette
    • Enumerating Directories
    • Grabbing Database Credentials
    • Enumerating Database
    • Reading Flag
  • Flag #6: Raj
    • Enumerating Directories
    • Grabbing Database Credentials
    • Enumerating Tables
    • Reading Flag
  • Flag #7: Howard
    • Enumerating FTP Service
    • Downloading Locked Archive File
    • Brute-forcing Password using fcrackzip
    • Brute-forcing Password using stegcracker
    • Reading Flag

Walkthrough

Flag #1: Sheldon

As DHCP is disabled in this machine, we have ourselves a static IP Address. It is 192.168.1.105. Let’s start pawning the lab, firstly by scanning it and for the scan, we will use nmap with the following command:

Nmap showed us that various ports are open with multiple services running on them. These ports are 21(FTP), 22(SSH), 80(HTTP), 1337. If we look closer at the port 1337, we found our first flag i.e. Sheldon.

Flag #2: Amy

Moving on, we opened the target IP address in the browser and here we found an image as shown below:

Apart from Sheldon’s creepy smile and Penny’s sarcastic bung, all that there was on this page was this image. So, to proceed forward with the directory bruteforce. We used the dirb tool for the same.

Without taking much time, our reliable dirb gave was a directory /music/wordpress/. It is a pretty odd directory to find. But if the machine is based on Big Bang theory then who are we to judge. We decided to browse the URL.

As we got wordpress directory, and the web-page that opened up seems to be made in WordPress. It was only natural to enumerate WordPress. For this task, we decided to use WPScan.

 In no time, we have got ourselves a vulnerable plugin on our hands. It is the world-famous reflex-gallery.

Our experience with this plugin tells us that we have a perfect exploit for this plugin in our Metasploit Framework. Let’s get ourselves a sweet meterpreter.

We got our metepreter in the blink of an eye. Now that we have a shell. We need to enumerate the machine for another flag. We traversed in the home directory of the current user. Here we listed the contents to find ourselves a directory named amy/. First Sheldon then Amy. This is turning out to be a nice path for flags. We enter the amy/ directory and we find 2 files here. We read the text file named notes using the cat command. It tells us that another file named secretdiary is Amy’s diary. But no need to be happy. The notes say that once she is famous she will write secrets in it. Like that’s gonna happen any time sooner. We are told that Amy used a very strong password that cannot be brute-forced. It is 18 digit, alphanumeric, uppercase/lowercase with symbols. How kind of Amy to tell us what the password is made up of. Also, we are told that the program is compiled. That means that it is a binary. We need to figure out another approach towards it. But it is not gonna do any good sitting there. So, we downloaded the secretdiary to our attacker machine.

Now that we have the secretdiary on our hands, we need to figure out a way to get the password to unlock it. As it is a binary file, there must be a location where the password is stored. Since it a text inside a binary file, we need the strings command to read from it.

We can see that we have the password, “[email protected]”. Sorry to say Amy but is not a strong password. I recommend that you change it. But strings command has done more than it was asked. It gave us the amy flag. So, we don’t need to log in.

Flag #3: Penny

We went back to the meterpreter and went back to the home directory. We saw that there were a lot of directories. But we decided we need the Penny flag. So, we traversed into the penny directory. We listed the contents of this directory to find a hidden file called .FLAG.penny.txt. Come on! we wanted it to be tougher. We read the file to find a base64 encoded text.

We copied the encoded text and went back to our attacker machine. Here, we decoded the text using the echo command. It gave us the penny flag. 3 Flags down!!

Flag #4: Leonard

Time to go back to the home directory. Here we traversed into the Leonard directory. Let’s see if Leonard is good at hiding his flag. We listed the contents of this directory to find a script. Interesting! We read the script. There was no script. Typical Leonard. It says that they have a thermostat connected to the IoT device. This means that the script can manipulate the temperature. As we all know that Sheldon needs to keep his thermostat at 71 degrees. This is uncomfortable for Leonard. So, this script will change the temperature to Leonard’s preference every minute. I smell corn!

Time to check the crontab. As suspected, we have this script inside the crontab file. It is scheduled to run every minute.

 If we are not wrong, this might give us root. Let’s wait and watch. Time to craft a raw bash payload using the msfvenom.

We copied the payload on our clipboard and used the echo command to paste the payload inside an empty file having the same name as Leonard’s script.

All that’s left to do is upload this script from our machine to the target machine. As we have a meterpreter this can be done using the upload command.

Before uploading, we started a listener at the port that we mentioned at the time of crafting the payload. Now after we upload the payload, we got to wait a minute for the cronjob to execute the script. In no time we have a session. We used the id command to gain information about the user. We have the root shell. Now for the flag. It was in the current directory. We read the flag using the cat command. We have the message that we can sit on Sheldon’s spot. Dreams do come true!!

Flag #5: Bernadette

But, although we have the root shell, it doesn’t mean that the challenge is over. We need to find other flags as well. We went back to our meterpreter shell and started enumerating. This led us to the /var/www/html/ directory. Here, we found a directory named private. How can we not open it? SO! we saw that we have a bunch of HTML and php files. Among them was the db_config.php file. If our experience servers us right, the config file mostly stores the database password. We decided to take a look. Bazinga!! We have the Database credentials.

User: bigpharmacorp

Pass: weareevil

Word of Wisdom: If you are a Big Pharma Company don’t keep your password weareevil. This would have been our First Guess.

We went back to our root shell that we obtained just a while ago. Here, we ran the python one-liner to convert the shell into a TTY shell. As soon as we got the proper shell. We attacked the Database using the credentials that we dug up. We used the queries to inquire about the databases and tables. Here we found different users, their password and in Bernadette’s description, we have our 5th Flag!!

Flag #6: Raj

Since we got this flag inside the database. It scratched a part of our brain that we might have another database user. Then it hit us that we have wordpress installed. WordPress creates its users. We went on the hunt for that user. We traversed into the directory containing the wordpress. Here we found the wp-config.php. How convenient! We read the file using cat command. We found ourselves some credentials.

User: footprintsonthemoon

Pass: footprintsonthemoon1337

Now, who will keep such a password? It must be our Indian brother Raj!! Let’s get that flag.

 We logged out from the previous database and logged in using the new credentials. We enumerated almost all the tables. But we won’t take you on that painstaking journey. We found something in the wp_post table.

If you read the data form the wp_post table, you will find the Raz flag tucked in between. 

Flag #7: Howard

We enumerated further, but we didn’t get anything new. So we went back to our initial nmap scan. We remembered that we have a port 21 open as well. So let’s login to the FTP. We logged in as Anonymous User. Here we listed the files to find a directory named pub. Now, everyone is in the pub including Amy, Bernadette, Howard, Leonard, Penny, Raj, and Sheldon. They must be here to witness as we capture the last flag. Until now we don’t have any flag from Howard. Let’s check his directory. In this, we have a note file and a compressed archive. We figured that we that the zip file was the to be focused so, we downloaded it using the get command.

The archive was password-protected, so we decided to use fcrackzip on it. We brute-forced using the rockyou.txt. It gave us the password. It was the “astronaut”. Damn! Could have guessed that one. We unzipped the archive to find ourselves an image. Hmm.

It didn’t take much time before we figured out that the flag must be hidden inside the image. We used the stegcracker to bruteforce it using rockyou. It cracked us the password “iloveyoumom”. How very Howardy!! Well, all that left is read the flag from the file that stagcracker created. This gave us the Howard flag!!

This concludes this lab. But can we leave without saying “It all started with the big bang!”.

We at Hacking Articles want to request everyone to stay at home and self-quarantine yourself for the prevention against the spread of the Covid-19. Take Care and be Healthy and Keep Hacking!!

AuthorYashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here

Hack the Box: Postman Walkthrough

Today, we’re sharing another Hack Challenge Walkthrough box: POSTMAN design by The Cyber Geek and the machine is part of the retired lab, so you can connect to the machine using your HTB VPN and then start to solve the CTF.

The level of the Lab is set: Beginner to intermediate.

Task: Capture the user.txt and root.txt flags.

Penetration Methodologies

  • Network Scanning
    • Nmap
  • Enumeration
    • Redis
  • Initial Foothold
    • Access SSH
  • Privilege Escalation
    • Webmin

Network Scanning

As we know the machine IP of the victim, Nmap scans will begin with the identification of open ports and services across them.

We find port 80 open for HTTP from this scanning study, and port 22 open for SSH, too. In addition, I have noticed port 1000 for webmin and the port 6379 for Redis is open.

Enumeration

The Redis security model is: “it’s totally insecure to let untrusted clients access the system, the ability to control the server configuration using the CONFIG command makes the client able to change the working directory of the program and the name of the dump file. This allows clients to write RDB Redis files at random paths, that is a security issue that may easily lead to the ability to run untrusted code as the same user as Redis is running”.

You can read more about it from here

Since we saw port 6379 is available for Redis, we try to communicate with this with the help of the Redis client.

We noticed, that Redis is insecure and not AUTH required, so we discovered “.ssh directory” for the Redis as mentioned above, due to unsafe configuration we can transfer any file inside the server.

Further, I generate an ssh key pair using the ssh-keygen command given below:

I have a key and my goal is to place it in the server memory and then move it to a file in such a way that the authorized keys file that results remains valid.

Initial Foothold

As we have uploaded our ssh key into server thus it’s time to connect with a remote machine with the help following command

Here, we notice two things: first there is a user whose name is  “Matt” and a file with name “id_rsa.bak”, let’s find out the path for this file.

So, with the help of find command, we enumerate the path for id_rsa.bak file which lie inside /opt directory.

So id_rsa.bak file is actually the id_rsa private key, I copied it into a text file and saved it as a hash.

Then we have used ssh2john to convert this SSH key into a crackable file with the help of John the ripper and further used the rockyou.txt wordlist for this.

Hmmm!! so we have obtained ssh key “computer2008” for the user Matt.

As we knew that webmin was running over port 10000 thus we navigate to a web browser and explore the URL where we submit above-enumerated creds.

Boom! We logged in successfully and notice the installed version for webmin i.e. 1.910; now we can search for its exploit if available.

With the help of searchsploit, we found a Metasploit module for exploiting remote command execution. This module exploits an arbitrary command execution vulnerability in Webmin 1.910 and lower versions. Any user authorized to the “Package Updates” module can execute arbitrary commands with root privileges.

Privilege Escalation

Without wasting time, we loaded the Metasploit module and set the value required to initialize the exploit.

We got the meterpreter session with root privilege, let’s enumerate flags.

Let’s capture both flags user.txt and root.txt from inside the /home/Matt/ and /root respectively.

Conclusion: In this machine, we have learned about two major vulnerability and their exploitation, the first was insure Redis and the other was webmin.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn

MuzzyBox: 1: Vulnhub Walkthrough

Introduction

Today we are going to crack this machine called MuzzyBox. It was created by Muzzy. Duh! This is a Capture the Flag type of challenge. The approach towards solving this machine is a bit different from the standard procedure. It consists of 3 Challenges. Each having a flag of its own. Let’s get cracking!!

Penetration Testing Methodology

  • Network Scanning
    • Netdiscover
    • Nmap
  • Initial Enumeration
    • Browsing HTTP Service at port 80
  • Challenge #1
    • Browsing the HTTP Service at port 3000
    • Downloading the idcard.png template
    • Editing the idcard.png
    • Reading Flag #1
  • Challenge #2
    • Browsing the HTTP Service at port 8989
    • Getting a Python Shell
    • Reading Flag #2
  • Challenge #3
    • Detecting of the Server Side Template Injection
    • Getting shell using tplmap
    • Enumerating the shell
    • Getting SSH session
    • Enumerating ls command
    • Reading Flag #3

Walkthrough

Network Scanning

To Attack any machine, we need to detect the IP Address of the Machine. This can be done using netdiscover command. To detect the IP Address, we can co-relate it with the MAC Address of the Machine that can be obtained from the Virtual Machine Configurations Setting. The IP Address of the machine was detected to be: 192.168.1.6

Now that we have the IP Address, we need to enumerate open ports on the machine. For this, we will be running a nmap scan. To get the most information and fast, we ran the Aggressive Scan.

The Nmap Aggressive scan quickly gave us some great information. It positively informed that the following ports and services are running 22 (SSH), 80(HTTP), 3000(HTTP), 15000(HTTP). So nice of the author of the machine to give us so many HTTP services to explore. Let’s move on to Enumeration Stage.

Initial Enumeration

Let’s start with the traditional HTTP port. Port 80. We ran the browser and opened the IP Address of the Machine. It gave us an Index Page. It consists of a text file named index.txt. That was odd but okay. We moved on further by clicking on that file.

Here we get this nicely crafted introduction of the Lab Environment. This machine has been divided into 3 Challenges. Each containing a flag.

Challenge #1

Let’s Start with Challenge #1. The information about this challenge state that Washington University created an online library. But currently, only Principle is Authorized. The library is hosted on the HTTP service running on port 3000. Also, there is an idcard named image hosted on port 9633. Let’s start with an enumerating port of 3000.

Okay, that’s quite a dull library. But in the end, it is a library. If you go through the introduction text written. You might get to know that the developers of the library have implemented a security measure to prevent unauthorized access. They have used an alternative of SQL DB to secure the database. How nice of them to provide us this sweet information. The process to enter the library is to upload the idcard on this page and then the access is allowed.

The template is provided to us on the port 9633. Let’s take a look at it. Now we know that the principal has access to the library. But what we don’t know is the name of the principal. We will have to figure out a way to get through this.

For starters, we downloaded the idcard.png file to our attacker machine using wget command.

Initially, the introduction on the page at 3000 port told us that the authentication is checked using an alternative of SQLDB. Now if we think about it, if they are not using an SQLDB then the next best alternative is NoSQL. We tried to google some of the NoSQL based payloads that can help us in this situation. We found quite a few. We decided to use this one.

Now we took the idcard.png image that we downloaded and tried to edit it to make it look like the image shown in the screenshot given below. It is quite easy you can use any online tool for the same. We made the following changes.

Now that we have the idcard ready. Let’s upload it. The upload was a success and we have successfully cracked the Challenge #1. This flag is in the form of a PIN. Let’s take note of this, we may need it down the road.

Challenge #2

We move onto the next challenge. After we broke the authentication in the previous challenge, the University developed a new website. How Unnecessary! It is under maintenance. We are asked to list the current directory and read the flag file. It shouldn’t be difficult. The new website is hosted on port 8989. Upon browsing the webpage, we see that it is an error page. While we were casually looking at the errors, we saw that there was a console icon. We hovered over it and got the message that it will “Open an interactive python shell in this frame”. How convenient!

We clicked on the console icon, we are greeted with a pop that tells us to enter a PIN. If we remember correctly from the previous challenge we received the flag in the form of a PIN. Let’s try it to get in.

PIN: 123-456-789

Since it was in “Python Interactive Shell”, we need some python shellcode to pop up a shell over here. We went to the pentestmonkey reverse shell cheat sheet and got the Python Reverse shell. We modified it a little bit to execute it line by line as shown in the given image. We chose the port 5555 for getting the reverse shell and opened the netcat listener for the same. As soon as we execute the last command, we see that we have a shell.

The objective of this challenge was to list the current directory, so we ran the ls command. We found a directory named flag. Inside this directory, we found a script called ctf2.py. We read the contents of this script to get ourselves the second flag.

Again we seem to have a hint in this flag. It tells us to read a file at the home directory of the user webssti.

Challenge #3

Two challenges down. One to go! We went back to the index for the description of the third challenge. It says that when we compromised the machine in the last challenge the root user started to audit the machine. Well, he/she really should do a better job. It wasn’t that difficult to exploit them. We are told that the root user is using sudo and bash with the ls command. This seems interesting. At last, we are told to read the final flag using an “Out-of-Band technique”. This challenge is hosted on the port 15000. We modified the URL to print the Raj name. #PersonalTouch. So what kind of vulnerability is this? Its Elementary, My Dear Watson. It is a Server-Side Template Injection.

For exploiting this vulnerability, we have just the tool. It is called tplmap. It is available on GitHub. To use it we cloned it to our attacker machine. After that, we traversed into this directory to find the python file named tplmap.py. We ran it with the proper parameters for the injection point as well as the -os-shell parameter to pop out a shell.

We got ourselves a shell in no time. We ran the id command to enumerate the user. Back to the previous challenge. We saw that the flag from the previous challenge asks us to read a file in the home directory of this user. We are indeed logged in as the webssti user. We checked the directory using the pwd command as well as listed the current directory contents using the ls command. There was a directory named ssti. We listed its contents to find the no_flag.txt file that we were looking for. We read the file using the cat command. This tells us the ssh username as well as password. Brilliant!!

Time to get that SSH shell. We entered the previously found credentials and got logged in. As the final flag was inside the root folder, we tried to read that flag. But we were unsuccessful.

Time to work our mind to escalate privilege on this shell. We ran the sudo -l command to enumerate but we were unsuccessful. We remembered from the introduction that the root user was using sudo as well as bash with the ls command. So it came us that Path Variable method might work here. We used the echo command to print the path for the ls command. After this, we enumerated which ls command we are running. We found that directory /usr/local/sbin was writable by our user. This means that we can create a file there and name it ls. Then we will be able to execute that file. Let’s do this using the nano command as shown in the image given below.

We used curl command to send a POST request onto our attacker machine with the contents fo the Final Flag. Clever Isn’t it?

Now before we save that file and exit the nano editor, we started the netcat listener on the port 1234. In no time we have the Final Flag.

This was a good set of challenges. I enjoyed it a lot while solving it. The first and second challenge was nice and surely something that you can come across in real life. Also this format of small challenges instead a standard CTF was a fresh approach. I appreciate the author and I look forward to more in this series.

We at Hacking Articles want to request everyone to stay at home and self-quarantine yourself for the prevention against the spread of the Covid-19. I am writing this article while working from home. Take Care and be Healthy!

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn

Sahu: Vulnhub Walkthrough

Today we are going to complete a boot2root challenge of the lab Sahu. The lab is developed by Vivek Gautam and can be downloaded from here. Lab us fairly for the beginners and helps to get familiar with the concept of CTF challenges. It also helps to develop your enumeration skills as it solely focuses on enumeration.

Penetration Testing Methodology

  • Network Scanning
    • Netdiscover scan
    • Nmap scan
  • Enumeration
    • Browsing HTTP service at port 80
    • Directory Bruteforce using dirb
    • Enumerating Source Code
    • Directory Generation using Crunch
    • Bruteforce Zip Password using fcrackzip
  • Exploitation
    • Connecting to Target using SMB
    • Enumerating SMB
  • Post Exploitation
    • Running LinEnum script
  • Privilege Escalation
    • Writable /etc/password file
    • Generating Password Hash using Openssl
    • Appending hash to /etc/passwd
    • Getting Root Privileges
  • Reading Root Flag

The first stage in starting the challenge is knowing your target and for that following command will be used :

After that we will start active reconnaissance by scanning our target IP using nmap with the following command :

With nmap, as it can be seen in the image above, open ports are shown. These ports are 21, 22, 80, 139, 445 with the services of FTP, SSH, HTTP, NetBIOS-ssn samba. Because of banner grabbing, it was observed that anonymous login was enabled in FTP. Therefore, try to log in from FTP with the following commands :

Here, enter the password anonymous. Once you are logged in from FTP use the ls command to check the contents it has. The single zip file was found here, namely ftp.zip.

When opened, it asked for a password but as the password is not known we moved further. Open the IP address in the browser and the can he webpage as shown in the following :

Now we enumerated the directories with directory buster using the command :

As a result, we found a directory /H/A/R/, if you remembered that the image on the web-page was of Haryana so we can correctly assume that the full directory will be /H/A/R/Y/A/N/A/ and when opened in the browser you can see the following :

In the source code, there will be a phrase saying “try to extract with hurry”. Now, this is something useful.

We had found an image on a web page and we have the hint in the source code. So we will use steghide to extract any metadata and to do so, use the following command :

And when asked to enter the word hurry and as you can see in the image below we found a file and then read it said, “I have found the password for a zip file but I have forgot the last part of it, can you find out. 5AHU**”

Now, according to the hint, it means that the first four characters of the password are 5AHU and password is of six characters in length and we must find last two characters in order to get the password. We can easily do this using crunch and construct a dictionary to fuzz up the password. The last to characters could be of any combination i.e. it can be alpha-numeric or special character and so on, therefore, use the following set of command to make a dictionary using a crunch of every possible combination:

Once our wordlist for dictionary attack is created we can commence our attack using fcrackzip and for that use the following command :

The password has been cracked using the above method and retrieved an ftp.txt file in which a username and password is found. As from the nmap port scan it was clear that the SMB port(139) was open. We ran the Enum4Linux to enumerate the SMB service

Thus, it is clear that a connection through sambashare can be made using smbclient and so to do the same, following command will be used :

and when asked provide the password which was retrieved from ftp.txt.

Now, connecting through smbclient gave us an opportunity to traverse around which lead us to find ssh.txt. upon reading ssh.txt file revealed a username and password. As the username and password are found in ssh.txt it can safely be assumed that these are the credentials for SSH login. Let’s try to login through SSH, using the following command :

Further, provide the password when asked and log in through SSH will be successful. After logging in the machine, we decided to use the wget command to transfer the LinEnum script to the Target Machine. Followed by the transfer, we gave the proper permissions to the script and then run it.

As a result, we found that /etc/passwd file is writable which allows us to make a new user and alter its permissions as per our desires.

To make a new user, use the following command :

Now we have the hash, all we need is to append this user hash in the target machine.

On the target machine, we use the echo command to add this user into the /etc/passwd file. We can verify that the user has successfully been added by taking a look at the /etc/passwd using the tail command. Now that we have added user, let’s login to that user using the su command. As the user we created had root privileges so we own the root on this machine.

AuthorYashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here