Silky-CTF: 0x01: Vulnhub Walkthrough

Today we will be solving a boot2root lab from Vulnhub called SILKY-1. This lab, like many others, is a good way to keep your penetration testing skills sharp while getting some variety.

Download it from here: https://www.vulnhub.com/series/silky-ctf,207/

Level: Easy-Intermediate

Task: Boot to Root (flag.txt)

Penetration Methodologies

Scanning

  • Netdiscover
  • Nmap

Enumeration

  • Web Spreading
  • txt
  • Generating Password Dictionary (Crunch)

Exploit

  • Brute force attack (Hydra)
  • SSH Login

Identify SUID Enable Binaries

  • Privilege Escalation
  • Exploit PATH Variable

Capture the flag

Walkthrough

Scanning

We start by scanning the network for targets using Netdiscover.

So we found target IP 192.168.1.106 and proceed by running a Nmap scan for all its ports to see what we can find.

Since port 8080 is running HTTP-proxy, so our obvious choice is to browse Target’s IP in the browser but didn’t find any hint.

Enumeration

We checked the robots.txt file for the results of nmap and showed /notes.txt as our next indication.

So, we found a text message that is written in German when we explored the notes.txt file.

With the help of Google translator, I translate the German message, which was connected to password hint:

I absolutely have to remove the password from the page, after all, the last 2 characters are missing. But still.

Then again, I visit the home page to view its source code and found a link for script.js

So, I found the word: s1lKy when navigating to /script.js as shown below.  Hmmm!!! This word s1lKy could be the possible password as said in the above text message.

So, without wasting time I decided to generate a dictionary with the help of crunch. As per the text message last 2 characters are missing. But these 2 characters could be any combination such as alpha-alpha, alpha-ALPHA, alpha-numeric, alpha-special character or vice-versa and so on.

And after spending almost one-an-hour I successfully found the valid combination for ssh login as port 22 is opened.

Exploit

Assuming username could be silky, and password could be in pass.txt, I lunched brute force attack using hydra on port 22 for identifying the valid combination of ssh login.

Since we found silky:s1lky#5 as username and password for ssh login, now it was time to access ssh shell and escalated the root privilege to capture the flag.

Once I logged in successfully than without wasting much time, I looked for SUID enabled binaries and here /usr/bin/sky looks interesting.

Although when I run this program it shown “root” in its output as a result along with some German text. To analysis its result I try to inspect the program script with the help of strings which a command line utility to identify the file type.

Hmm!! the information I found through strings was that this program is executing to commands simultaneously. First, echo command to show the German text message and another whoami.

Privilege Escalation

To escalated root privilege, we can abuse PATH Variable as shown below and for more detail read the complete article from here.

OKAY!! We got another shell which is a root shell as shown below, let’s now grab the flag.txt file and complete the challenge.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Sputnik 1: Vulnhub Walkthrough

Today we will be solving a boot2root lab from Vulnhub called Sputnick:1. This lab, like many others, is a good way to keep your penetration testing skills sharp while getting some variety.

Level: Easy

Task: To find flag.txt

Table of Content

Scanning 

  • Open ports and Running services (Nmap)

Enumeration 

  • Web Directory search 
  • Credential harvesting

Exploitation 

  • Splunk reverse and bind shell
  • Python reverse shell
  • Accessing shell

Privilege Escalation

  • Capture flag.txt

Scanning

We start by scanning the network for targets using Netdiscover

So we found target IP 192.168.1.103 and proceed by running a Nmap scan for all its ports to see what we can find.

Enumeration

The scan shows us we have port 8089, 8191, 55555 and 61337 open. Port 55555 has an associated IP address and a directory link for git repository; we investigate it to see what we can find. We copy and paste it into our browser.

We access the “Logs” directory and click on the “HEAD” file within.

There is a link for a Git page, we go to the link and find Flappy. Git clone is used to clone and download the file to our system for further investigation.

Once the file in downloaded we explore its contents but nothing stands out, so we access their logs.

We see that the command gave us the logs for our file and the search starts. We focus on the commit’s and start searching through them.

Finally, we come across the highlighted commit and strike gold!

We use the “ls-tree” to get an indented listing of the file.

The screenshot shows a file named “secret”; we used the git show command on its string to see what is reveals

Now, what could this be? We recalled seeing a Splunk service running on port 61337, we accessed it on our browser to find a login screen for Splunk.

Exploitation (Splunk)

The information we got earlier from the previous screenshot is in fact login credentials. The username is “sputnik” and the password is “ameer_says_thank_you_and_god_job”, we enter these and are able to get into the Splunk account.

We looked around for a while and then decided to upload a shell to the account. On searching, we found a way to weaponize Splunk with reverse and bind shell from https://github.com/TBGSecurity/splunk_shells

The .gz file from the link was saved on our system, we navigate to the “App: Search & Reporting” option and click on “Search & Reporting”

Click on the “Install app from file” option.

Using the browse option, we find our shell, select it and upload it.

Click on the “Restart Now” to restart the application.

We scroll down to find our shell file as shown below. Before we can run, it we need to click on the “Permissions” option to change its permissions.

Configuration files need to be added in order to run the shell successfully, here we set permission to everyone and at the bottom, we click on the “All apps” radio button and save this change.

Now to execute the shell. We navigate to the search option in Splunk and type in our command defining that we want a reverse shell of standard type to talk to out attach machines IP on the listening port.

Access Victim’s Shell

Netcat is running on our machine listening on port 1234 and see shell talking back.

The “id” command was used to no avail so we decided to step it up a notch.

We used Msfvenom to create a python payload.

The payload is uploaded through our existing Netcat session, all that needed to be done was the payload to be pasted into the terminal and executed.

A new Netcat session is started on the port (4444) that we defined in our payload and we see the execution occur flawlessly.

Privilege Escalation

We run the “id” command to see that our user is “splunk”.

Time privilege escalation. On the splunk prompt, we first run the “sudo -l” command and enter the password that we used earlier to log into Splunk “ameer_says_thank_you_and_good_job” where we found splunk user can ed as root.

So close to root! Now, all we have to do is run the “sudo ed” command and then the “!/bin/sh” command. Type in “id” and there you go! We have root!

Time to look for our flag.

We look in the root directory to find “flag.txt” and use “cat” to open it. Hooray for us!

As always, we at Hacking Articles hope you enjoy this lab and share it with your collogues. This lab has a great feature that gives you an insight into exploiting Splunk. Overall the lab is easy and the level of frustration it might induce is minimal.

Have fun and stay ethical.

About The Author

Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here

Development: Vulnhub Walkthrough

Today we are going to take on another challenge known as “DEVELOPMENT”. This is designed for OSCP practice, and the original version of the machine was used for a CTF. It is now revived and made

slightly more nefarious than the original. The author of this VM machine is “Donavan”. Our goal is to get the flag to complete the challenge.

Download it from here: https://download.vulnhub.com/digitalworld/devt-improved.7z

Security Level: Intermediate

Penetrating Methodology:

Scanning

  • Netdiscover
  • NMAP

Enumeration

  • Run http service
  • Web spidering

Exploiting

  • Remote File Inclusion
  • Ssh login

Privilege Escalation

  • Exploit sudo rights
  • adding new user

Capture the Flag

Walkthrough

Scanning:

Let’s start off by scanning the network and identifying host IPs. As illustrated below, we can identify our host IP as 192.168.1.104.

Time to scan the Target’s IP with Nmap.

We can clearly see from screenshot a few open ports e.g. 22(ssh),139(NetBIOS-ssn), 445(NetBIOS-ssn), 8080(http-proxy).

Enumeration

Since port 8080 is running HTTP-proxy, so our obvious choice is to browse Target’s IP in the browser. Here we got a clue about some html_pages. It could either be any Directory or a webpage.

So, let’s dig into the source code if we can find something useful. Here they are talking about some Development secret page and Patrick is being mentioned, he could be a user:

Now moving ahead lets surf through the webpage mentioned earlier which is html_pages. Here again, we can see a few html files in which “development.html” could be of our interest.

When you visit development.html, you can find a mention of “hackersecretpage” nothing else seems useful.

Again we went through the source code of the same and found “./developmentsecretpage” .This seems our secret page.

If you visit the page, it is confirming to be the Development secret page and a PHP file link named ‘Patrick’.

If we visit the file link it opens a page with another file included in it named ‘Sitemap’.

And when we visit /sitemap.php, we clicked on the embedded link stating “Click here to logout” which turned out to be Login page.

Exploitation

We just tried random login credentials “admin” for both username and password and 1234 that’s a success.  

Here we are getting a short of error message on the top of the page. So we Googled about it. 

We found an exploit for the same listed on Exploit-db with the name of “/[path]/slog_users.txt” which is vulnerable to RFI. Refer CVE code: 2008-5762/63.

 

When we appended the slog_users.txt file with our webpage we found four users and their password hashes.

After decrypting the hashes, we got passwords in clear text for an intern, Patrick and qiu respectively but not for Admin.

Privilege Escalation

As we knew port 22 is open for ssh so here I try to login into ssh using intern and we got access of ssh as shown below. After that, we found a list of commands that are allowed to run here. Then we checklist of files using ‘ls’ as it was one of the allowed commands. We found two text files here ‘local.txt’ and ‘work.txt’ but when we try to open them, we failed.

Hmm! we got access of restricted shell where we can run only a few commands allowed by admin. So, to import proper tty shell, we can import ‘/bin/bash’ by using the following command:

Next, we try again accessing the same ‘local.txt’ file and it just shows a congratulatory message, so we moved on to work.txt, here as well it is showing we have to move further with user Patrick and we already knew Patrick’s password.

NOTE: At first attempt, you will get an error SSH connection refuse, therefore restart the Vulnerable machine to get connect with SSH.

After logging in as patrick, we check the sudo rights for him where I found Patrick has ALL Users permissions including root user to run vim and nano as shown below.

In another terminal in my local machine, I have generated a new encrypted password: pass123 whose salt is ignite using OpenSSL and copy the salt password.

Next, by providing sudo access to any editor(either vim or nano ) we can read as well as edit any system file which is restricted to access by any lower privilege user such as /etc/passwd file.  

Since Patrick has sudo rights which means he can modify the root files too, therefore I decided to insert a new user with root privilege in the /etc/passwd file.

As you can see in the screenshot below, we have added a user ‘RAJ’ and with an encrypted password and we have given all root privileges to it as well.

Capturing the flag

What we are waiting for, lets login using raj. Hereafter listing the content we found the proof.txt file from the inside root directory. we opened it using cat and captured the flag.

Author: Nisha Yadav is trained in Certified Ethical hacking and Bug Bounty Hunter. She is currently working at Ignite Technologies as a Security Analyst. Connect with her here

DC-4 Vulnhub Walkthrough

Today we are going to take another boot2root challenge known as “DC-4”. The credit for making this VM machine goes to “DCAU” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download it from here

Security Level: Beginner

Penetrating Methodology

Scanning

  • Discovering Targets IP
  • Network scanning (Nmap)

Exploiting

  • Surfing HTTP service port
  • HTTP Login credential Bruteforce (Burpsuite)
  • Command Injection
  • SSH Login Credentials Bruteforce (Hydra)

Lateral Movement

  • Logging into SSH and Enumerating Directories
  • Obtain credentials in /var/mail directory

Privilege Escalation

  • Check Sudo rights
  • Adding new user /etc/passwd with sudo
  • Access root directory
  • Capture the flag

Walkthrough

Scanning

Let’s start off with scanning the network to find our target.

We found our Targets IP Address 192.168.1.101. Our next step is to scan our targets IP Address with nmap.

Exploiting

From nmap result we found HTTP service is running on port 80. So, we browsed the Targets IP Address in the browser and found an Admin Information Security Login page. We clearly need to find credentials for it.  Let’s work on that.

We found that the HTTP service runs on port 80, from nmap results. So, we browse the IP address of Targets in the browser and found the Admin Information Security Login page. Now credentials need to be found for login, Let’s work on this.

We Fired UP!! burpsuite using rockyou.txt to get valid login.

Username- admin

After bruteforcing, we have found the password for Admin i.e

Password- happy

We have successfully logged in as Admin. Under system tools, the hyperlink command looks suspicious here. So, let’s check it out.

Command option looks useful as It displayed some options to Run Command. Here we used list file option which displayed files of the database. We also got a hint from the ls command which executes ls-l, we might make some changes in it.

So, we captured the Webpage request using Burpsuite and Send the request to the repeater. Here we can make the desired changes to the request and check out its response.

Let’s check out subdirectories in the /home directory. We have found 3 users i.e Charles, Jim and Sam.

Exploring the home directory for user Jim, after that, we checked out the backups folder.

We have found a old-passwords.bak file is a backup password file.

Exploring the contents of the file, we found a list of passwords. They might come in handy later.

We thought of checking /etc/passwd is readable or not and found some useful usernames.

We have created a dictionary for users and passwords with the previously discovered credentials. Let’s bruteforce for ssh login using hydra.

So, the credentials found:

Login- jim

Password- jibril04

Lateral Moment

Logging into ssh using the credentials.

While enumeration, we found two files and read their contents. But they didn’t give direct clue to move ahead.

when I open mbox, I saw a test mail in this, send by root to jim.

After some time thinking, it suddenly strikes us to check the /var/mail folder. Maybe it might contain something, and our instinct was right. We have found some credentials.

Privilege Escalation

Let’s login into charles with password ^xHhA&hvim0y.

After enumeration, we check sudo right for Charles and found that he run the editor teehee as root with no password. After that, we have added raaj in the etc/passwd using echo and teehee as shown.

Logging into raaj as root user and inside the root directory, we have found our FINAL FLAG.

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 3 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here