Dc:7 Vulnhub Walkthrough

DC:7 writeup, our other CTF challenges for CTF players and it can be download from vulnhub from here. The credit goes to “DCAU” for designing this VM machine for beginners. This is a Linux based CTF challenge where you can use your basic pentest skill to compromise this VM to escalate the root privilege shell.

Penetration Testing Methodologies

Network Scan

  • Nmap

Footprinting

Exploiting

  • SSH login
  • Abusing Drupal Drush
  • Compromising webshell via PHP Backdoor

Privilege Escalation

  • Abusing writable Script
  • Capture the Flag

Walkthrough

Network Scanning

Let’s start with a network scan using an aggressive Nmap scan as we always do, and this time also we will go with the same approach to identify open port for running services.

Hmmm! So nmap showed very exciting & cool outcome, specifically on port 80 that is accessible to HTTP service and is also used to operate drupal CMS, additionally, 15 submissions for robot.txt is like a cheery on a cake.

Enumeration

Further, we need to start enumeration against the host machine, therefore without wasting time, we navigate to a web browser for exploring HTTP service, and DC:7- Welcome page will be opened in the browser that gave us a hint to search “outside the box” and this hint might be connected with internet.

At the end of this web page, we observed another hint “@DC7User” which could be any possible username.

By considering the above-listed hint, we start footprinting on the @DC7-user and find the DC7-user twitter account. This account contains a link to GitHub: https:/github.com/Dc7User, maybe the author was pointing to this link.

And the github URL content a staffdb which is PHP repositories.

So when we have opened the staffdb, here config.php looks more interesting and a note i.e. as depicted below:

“This is some “code” (yes, it’s not the greatest code, but that wasn’t the point) for the DC-7 challenge.

This isn’t a flag, btw, but if you have made it here, well done anyway. :-)”

We found credential from inside config.php as shown below:

Exploiting

With the help of above-enumerated credential, we try to connect with ssh and after obtaining tty shell we go for post enumeration and start directory traversing.

At first, we’re looking for a directory list where we’ve found a “mbox” named file that contains an inbox message. The message contains /opt/script/backup.sh as the subject of the message, let’s explore more.

Inside backup.sh we notice it is using drush which stands for Drupal shell and it is a command-line utility that is used to communicate with drupal CMS.

So, I looked at the drush command on google and found a command that was used to change an account’s password.

Therefore, we try to change the admin password using the below command:

Now, we’ve changed the password for the admin account to login to Drupal and explore the following URL:

After accessing the admin console, it was time to exploit web application by injecting malicious content inside it. Directly writing malicious scripts as web content will not give us the reverse shell of the application but after spending some time, we concluded that it requires PHP module. We, therefore, move to install new module through Manage>Extend>List>Install new module.

You can download the PHP package for Drupal from the URL below and upload the tar file to install the new module.

So, when the installation is completed, we need to enable to added module.

Again, move to Manage > Extend >filters and enable the checkbox for PHP filters.

Now use Pentest monkey PHP script i.e “reverse_shell_backdoor.php” to be injected as basic content. Do not forget to add listening IP and Port for obtaining reverse connection. Further, change text format into PHP and enable the checkbox for publish. Keep the netcat listener ON to receive incoming shell.

Now use the Pentest monkey PHP script, i.e. “reverse shell backdoor.php” to be injected as a basic content. Don’t forget to add a “listening IP & port” to get a reversed connection. Continue to change the “text format to PHP” and enable the publishing checkbox. Keep the netcat listener ON in order to receive the incoming shell.

When everything is set correctly, click the preview button and you’ll get the reverse connection over the netcat.

Great!! we have our netcat session as www-data and if you will check permission on /opt/scripts/backup.sh, you will notice, that www-data has all permission to access or modify this file. We can therefore abuse the rights of the user file for escalating privileges by modifying the contents of the source.

Privilege Escalation

As said above we’ll try to abuse writable permission assign on the script. Thus, we use msfvenom to generate a malicious piece of code for obtaining the bash shell.

Now copy the generated code and start another netcat listener on a new terminal.

Paste the code copied above in the previous netcat session under the www-data shell and wait for some time and get back to another netcat listener.

After some time, you will have access to the root shell, you will now get the final flag in the root directory as shown below.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Sunset: Nightfall Vulnhub Walkthrough

We have another CTF challenges for CTF players that named as “Sunset: nightfall” and it can be download from vulnhub from here. The credit goes to “whitecr0wz” for designing this VM machine for beginners. This is a Linux based CTF challenge where you can use your basic pentest skill for Compromising this VM to escalate the root privilege shell.

Level: Easy

Task: Boot to Root

Penetrating Methodologies

Network Scanning

  • Netdiscover
  • Nmap

Enumeration

  • Enum4linux

Exploiting

  • FTP Brute force
  • Injecting blank SSH key
  • SSH login

Privilege Escalation

  • SUID Binaries
  • Sudo Rights

Walkthrough

Network Scanning

Let’s begin with the network scan using netdiscover to identify the host machine IP.

And this gave 192.168.0.24 as Host IP, now we will move toward ports and service scan further.

For deep network scan we always prefer to use nmap aggressive scan and this time also we will go with the same approach, thus will run the below command to enumerate running services and open port.

From its scan result, we found that it has multiple open ports for various services but here port 21 i.e. look interesting as it is using pyftplib for ftp.

Enumeration

For more detail we need to start enumeration against the host machine, therefore, we navigate to a web browser for exploring HTTP service but we found nothing at this place.

While enumerating SMB service we found two use name “nightfall” & “matt” with the help of Enum4linux.

Exploiting

Since we have enumerated two usernames let’s go for brute force attack with the help of hydra and try to find its password for login into FTP

Great! “Cheese” 😊is the password of user “matt” let’s use this credential for ftp login.

We logged into FTP successfully, therefore we decide to upload a malicious file inside /var/www/html but unfortunately, we were unable to access that directory.

This is due to pyftplib which is using python library for FTP and might be File sharing is allowed on any particular directory hence we are unable to access /var/www/html directory.

But still we have another approach i.e. uploading SSH key which means we will try to inject our created SSH key inside the host machine and access the tty shell of the host machine via ssh and this can be achieved when we will create an .ssh named folder and upload our ssh key inside it.

Thus, in our local machine, we created a ssh key with a blank passphrase using ssh-keygen and it will create two files. Then we copied id_rsa.pub file into another file and named “authorized_keys” and now we need to transfer this file inside the host machine.

As we already have FTP access of the host machine, therefore, it becomes easy to for us to upload authorized_keys inside the .ssh directory which we have created earlier.

So, when we try to connect with ssh as matt user, we got login successfully as shown in the below image. At this phase, we have compromised the host machine but to get access of the root shell we need to bypass user privileges, therefore without wasting time we try to identify SUID enabled binaries with the help of find command.

So, we found /script/find has SUID permissions and it works similarly as Linux-Find utility thus we try to execute /bin/sh command and obtained access of the nightfall shell.

So, we got access of nightfall shell where we found our 1st flag from inside user.txt file.

But this was limited shell thus to access proper shell as nightfall, we try to apply the previous approach of placing blank passphrase ssh key. Therefore inside /home/nightfall we created a .ssh named folder and upload the authorized_key which we had created previously.

Privilege Escalation

Now repeat the same and try to connect with ssh as nightfall and you will get ssh shell, like us as shown in below image. Further, we check sudo right for nightfall and observed he has sudo right for cat program which means we can read higher privilege files such as the shadow.

we have executed the following command for reading shadow file and obtain some hash values.

So, we saved the hash of user: root in a text file and then use john the ripper for cracking hash.

Booomm!! We got user: root password: miguel2

Using above credential i.e. root:miguel2 we got the root shell access and inside /root directory we found our final flag.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Serial: 1 Vulnhub Walkthrough

Today we are going to take a new challenge, Serial: 1 The credit for making this VM machine goes to “sk4” and it is a boot2root challenge where we have to root the server to complete the challenge. You can download this VM here

Security Level: Beginner/ Intermediate

Penetrating Methodology

Scanning

  • NMAP
  • Dirb

Enumeration

  • Browsing the website
  • Burpsuite 

Exploitation

  • Analyze and change PHP code to get

Privilege Escalation

  • Sudo permission for vim command

Walkthrough

Scanning

First thing first, scan the vulnerable machine using Nmap.

Here we got only two ports, 80 and 22.

We browsed the website on port 80 and got the message hinting that we might get something in cookies.

When we intercepted the request, there was a very lengthy value for a cookie. The value for cookie user was a base64 encoded value.

After decoding the value gave us a username, we tried to change it to something else but not possible.

For a moment, we kept it aside and tried to get all the available directories using dirb.

Here we found one interesting directory named backup.

We visited the backup directory on the webserver and found a zip file over there.

We downloaded the zip file and extracted the contents and found three files.

Let’s check the contents of the files starting from

 1) index.php

2) class.php

3) class.php

After carefully analysing the code of file index.php and user.class.php, we came to know that we can try to get base64 encoded value of cookie user by just adjusting a function call from index.php to user.class.php. So, we added one single line in the end to display the base64 value encoded in a similar format as the user cookie value but this time with another user i.e. admin.

 

Now let’s try to run the PHP code and check the output of the same.

We got a base64 encoded value which we will try to use as the value of user cookie.

Well, the base64 cookie value worked but nothing much helpful, so we started to look for something else. We checked the log.class.php, we found that the Log class is having an include function to include a log file but the parameter type_log is not assigned any value. We assigned the variable with the path of passwd file as the value.

Also alongside that, we made a small change in the user class, we replaced the function call of the Welcome class to the function call of the constructor of the Log class.

Now when we tried to run the user.class.php file again, we found that the passwd file was displayed and we got the base64 encoded value which we can use as the cookie.

When we tried the base64 encoded cookie value in the webpage, we got the passwd file from the target machine, confirming we have a file inclusion vulnerability.

Now that we have verified the presence of file inclusion vulnerability, we created a remote code execution file and started the python server.

Now we edit the log class to change the file path variable to the URL of our shell.

After putting the code in place, its time to get the cookie value to execute.

When we used the cookie value and provided the cmd parameter with ifconfig command.

While checking the contents, we found a file named credentials.txt.bak.

We tried to check the contents and found something like a set of credentials, let’s try to use these credentials

We used the credentials for ssh and got access. While enumerating we found the first flag.

Now we have to escalate the privilege, we tried to get sudo permissions for the current user. We found we have sudo permissions for vim editor.

We used privilege escalation through vim editor and got the root shell.

Author: Deepanshu is a Certified Ethical Hacker, Security Researcher, Pentester and Trainer at Ignite Technologies. Contact here

Symfonos:4 Vulnhub Walkthrough

Hello, guys today we are going to take a new challenge Symfonos:4, which is a fourth lab of the series Symfonos. The credit for making this VM machine goes to “Zayotic” and it’s another boot2root challenge where we have to root the server and capture the flag to complete the challenge. You can download this VM here.

Level: Intermediate

Penetrating Methodology:

Network Scanning

  • Netdiscover
  • Nmap

Enumeration

  • Browsing HTTP Service
  • Directory Bruteforcing using dirb

Exploitation

  • SQL injection to bypass Login Form
  • Using LFI to read the Logs
  • Using SSH log poisoning using PHP malicious script
  • Using Metasploit to create PHP reverse shell
  • Port Forwarding
  • Encoding and Decoding Cookies

Privilege Escalation

  • Inject netcat reverse shell into Json Pickle string
  • Replacing cookie with Base64 Encoded Reverse Shell
  • Getting Root Access

Walkthrough

Network Scanning

We will be running this lab in a Virtual Machine Player or Virtual Box.  But first, let’s discover the IP Address of the lab. i.e 192.168.0.23

Once the IP Address is acquired. Now we will run an aggressive scan using nmap for proceed further.

Enumeration

For more details, we will need to start enumeration against the host machine. Therefore, we will navigate to a web browser for exploring HTTP service since port 80 is open.

Let’s further enumerate the target machine through a directory Bruteforce. For this, we are going to use the dirb tool. This gave us a page named “atlantis.php” and “sea.php”. After browsing both directories we noticed “sea.php” was redirecting to “atlantis.php”.

Exploitation

So, browsing Atlantis.php directory came out to be a Login Form. To further enumerate the form, we tried combinations of SQL Injection. After a few tries, we were able to bypass the Login form using ‘or ‘1’=’1’ as a username. And for the password, we gave any random value.

We got a prompt to select a god after successfully bypassing the Login form. We selected any random god i.e Hades and were redirected to a URL which left us inquisitive.

After seeing all the possibilities, it quickly strikes let’s try Local File Inclusion. After trying to find /etc/passwd file but didn’t succeed, after we thought of reading the log file using LFI. And we successfully did read the logs.

For Reference: https://www.hackingarticles.in/rce-with-lfi-and-ssh-log-poisoning/

So we try to inject malicious PHP command via SSH for poisoning auth logs as shown in the image below so that hopefully we can use a ‘C’ parameter to run arbitrary systems commands on the Target Machine.

Indeed we have to way to execute commands on the target machine. To confirm it we simply checked the id of the Target machine.

Time to Fire Up Metasploit, by using Web-Delivery module we have created a malicious link for PHP reverse shell.

We need to run the above PHP reverse shell in the ‘C’ parameter in the URL as shown in the image.

On successfully executing the Shell, We saw a new session is opened. To get the complete meterpreter we need to interact with the opened session. And to confirm we checked the system information.

 

We thought of checking the ongoing processes. After looking out, we saw an interesting process which was running on 127.0.0.1:8080 but we didn’t see it in our Nmap result because it was an internal process.

Let’s forward the port 8080 to our port 8888.

Once done with port forwarding. We browsed the forwarded port 8888 with Localhost on the browser but where getting redirected to a page /whoami.

I guess we need to manually go back to the main page. Then we got a thought that we might have a cookie for the username.

Without wasting time lets intercept the request of this page using Burp Suite. So the cookie is base64 encoded. We need to decode it.

NOTE: Since port 8080 was busy with another process. So we change the listening of Burpsuite to any random port. Don’t forget to configure it before intercepting the request.

We decoded the cookie using Burp Suite inbuilt decoder. After searching about the decoded string, we came to know it is a jsonpickle string.

Making some modification in the jsonpickle string, we added a netcat reverse shell and encoded the whole string into base64.

We need to replace the old cookie with the new base64 encoded string and forward the request in Burp Suite. Also, don’t forget to spawn a netcat listener on port 5555 before forwarding the request on your Kali Terminal.

Privilege Escalation:

We successfully got the netcat session with root access. To confirm we have checked the Id of the user.  The only thing left to do is we went inside the ROOT directory and Read our FLAG.

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 3 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here