Categories

Archives

CTF Challenges

HA: Forensics: Vulnhub Walkthrough

Introduction

Today we are going to crack this vulnerable machine called HA: Forensics. This is a Capture the Flag type of challenge. It contains FOUR flags that are accessible as the solving of the lab progresses based on hints. It is a Forensics focused machine.

Download Lab from here.

 Penetration Testing Methodology

  • Network Scanning
    • Netdiscover
    • Nmap
  • Flag #1
    • Browsing the HTTP service
    • Directory Bruteforce using dirb
    • Enumerating an Image file
    • Extracting Metadata of Image file
    • Reading Flag #1
  • Flag #2
    • Directory Bruteforce using dirb
    • Decrypting PGP Encryption
    • Creating a Dictionary using crunch
    • Performing a Dictionary on ZIP file
    • Reading Flag #2
  • Flag #3
    • Enumerating DMP file using pypykatz
    • Extracting an NT hash
    • Cracking Hash using John the Ripper
    • SSH login using Metasploit
    • Convert SSH to Meterpreter
    • Enumerating Network Interfaces
    • AutoRoute an internal docker instance
    • Perform a ping sweep scan internally
    • Connect to the FTP service as Anonymous
    • Downloading the Image file
    • Transferring the Image file to the local machine
    • Analyze the image file using Autopsy
    • Reading Flag #3
  • Flag#4
    • Decoding the Base64 Encryption
    • Enumerating for Sudo permission
    • Exploiting the Sudo permissions on ALL
    • Reading Flag #4

Walkthrough

Network Scanning

To attack any machine, we need to find the IP Address of the machine. This can be done using the netdiscover command. To find the IP Address, we will need to co-relate the MAC Address of the machine that can be obtained from the Virtual Machine Configuration Setting. The IP Address of the Machine was found to be 192.168.0.174.

netdiscover

Following the netdiscover scan, we need a nmap scan to get the information about the services running on the virtual machine. An aggressive nmap scan reveals that 2 services: SSH (22) and HTTP (80) are running on the application.

nmap -A 192.168.0.174

Enumeration

Since we have the HTTP Service running on the virtual machine, let’s takes a look at the webpage hosted:

http://192.168.0.174

The webpage says a button that says “Click here to get flag!”. Make sure to click that.

FLAG #1

We see the webpage is a simple page with some forensics images. Nothing special. Next on the Enumeration tasks was Directory Bruteforce. We used our reliable dirb tool for the directory bruteforce.

dirb http://192.168.0.174/

This gave us an image directory. We looked into it through the Web Browser and found two images called DNA and fingerprint. We checked DNA it was just a rabbit hole. Then we downloaded the fingerprint.jpg file to the local system to further analyze it.

This machine is based on Forensics and we have an image at our hands, Exiftool seems the right tool to use. Upon a simple look at the metadata of the image using Exiftool, we see that we have our First Flag!

exiftool fingerprint.jpg

Flag #2

Now, Enumeration doesn’t always end with the one version of Directory Bruteforce. When in doubt, always use the Extension filter on the dirb. We got a hit on the txt filter and we have some tips.

dirb http://192.168.0.174 -X .txt

Looking at the tips.txt we see that it is a kind of robots.txt file just named tips. As we are on the hunt for flags, we choose to browse the flag.zip file first.

It gave us an option to save the file. Let’s do it.

Now that we have the zip file on our local system, its time to extract the contents of this file. We use the unzip command to extract the files inside the flag.zip file. It requires a password. We don’t have one!!

We go back to the Web browser and the tips file. Here is a folder named igolder. It resembles a website that encrypts and decrypts public and private key messages. We browse the folder and see that there is another text file called clue.txt. Upon reading the file we see that it is a combination of a private key and a message.

http://192.168.0.174/igolder/clue.txt

To decrypt the message, we went on the igolder website and pasted the PGP Private Key and the Encrypted message from the clue.txt file. After clicking the Decrypt Message button, we have the secret message. It says to us that the password is 6 characters, with the first 3 being letters “for” and the last 3 being numeric characters.

Whenever we are in a situation where we have some partial hint of the password, we use crunch to create a dictionary fitting to that pattern. We used crunch and created a dictionary for cracking the password named dict.txt. Using fcrackzip we cracked the password to be for007.

We unzip the file and we have a pdf file labelled flag. We also get a DMP file but more on that later.

crunch 6 6 -t for%%% -o dict.txt
fcrackzip -u -D -p dict.txt flag.zip
unzip flag.zip

Let’s open the PDF file and take a look at our Second Flag

Flag #3

Now, we have 2 flags, 2 more to go. We received a DMP file from the previous section. In forensics, a dump file can be inspected using pypykatz. So, we will use it to check for some hints inside.

pypykatz -lsa -k /root/Downloads minidump lsass.DMP

Looking at the DMP file a bit thoroughly and we find an NT hash file for a user called jasoos. It means a detective in Hindi. That might be a clue.

We copy the has and paste it inside a file named hash. Now we have a hash file and to crack that hash we need John the Ripper. After churning through, John the Ripper gave us the password. It was “Password@1”. That’s not super secure, is it?

john --format=NT hash

Now, here we can directly connect via SSH but logging in using Metasploit is better as it has a ton of post-exploitation tools that can be used afterwards. Hence using the ssh_login module we get an SSH session on the machine as user jasoos. Using the shell_to_meterpreter script we got ourselves a meterpreter session on the target machine.

use auxiliary/scanner/ssh/ssh_login
set rhosts 192.168.0.174
set username jasoos
set password Password@1
exploit
session -u 1

Using the ifconfig command, we see that there is a docker interface running on the application with an IP Address 172.17.0.1

It is an internal IP address; means we cannot access it from outside normally.

sessions 2
ifconfig

No need for Panic. Metasploit has our back here. It has an autoroute exploit that can route the network in such a way that internal IP is accessible from outside. The autoroute will create a new host to connect with whose traffic will be redirected to the internal service. But, Autoroute doesn’t tell us the IP Address of the new host. So, we need to perform a ping sweep to find that particular IP Address which can be used to further exploit the target. Ping sweep gives us the IP address. It is 172.17.0.2. Now that we know the target IP Address, let’s see exactly what kind of service is this docker instance running at this moment. A Port scan reveals that it is an FTP service. But this service is unknown to us. We don’t have any credentials for us. But there is a feature in FTP service where an anonymous user can log in and access the files through the FTP. To confirm if this FTP has that kind of configuration, we use the ftp anonymous scanner in Metasploit.

use post/multi/manage/autoroute
set session 2
exploit
use post/multi/gather/ping_sweep
set session 2
set rhosts 172.17.0.0/24
exploit
use auxiliary/scanner/portscan/tcp
set rhosts 172.17.0.2
set port 1-100
exploit
use auxiliary/scanner/ftp/anonymous

It says that ftp allows anonymous service. So, let’s enumerate the FTP service by connecting to it as anonymous. We have a directory called pub. Inside that directory, we have a file with a 001 extension. It seems to be an image file that is usually used in forensic investigation. It is labeled sabot which is known as saboot. It means Evidence in Hindi.

shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
ftp 172.17.0.2
anonymous
ls
cd pub
ls
get saboot.001

Now using the Python One liner HTTP service we transfer the file from the target machine to our local machine.

exit
ls
python -m SimpleHTTPServer

As the Python One liner runs and provides the service at port 8000, we browse that port and get our saboot file.

http://192.168.0.174:8000

We decided to use the Autopsy Forensic Investigation tool to inspect the image captured. It can be started using the following command. It tells us that the Autopsy is accessible on localhost port 9999. Let’s open it.

Here, we have a Web Interface for the Autopsy. We click on the New Case button

We name the Case, Provide the description, and give the Investigator name for the documentation purposes. And again, click on the New Case button.

Now it creates a case. After creating a case, it requires a host for that particular case. It asks for the name of the host. After providing the name click on the Add Host button to continue.

After the creation of the host, it asks us to add an image file. This is the step where we add the image file, we acquired from the target machine.

It asks for the location of the image file. Since we downloaded it from our Web Browser, it must be in the Downloads folder. We provide the path as shown in the image below. Also, choose the Partition in the Type option. As it is a partition, otherwise it would be quite bigger. Disks are bigger than partitions. After completing, click on the Next button to continue.

Here it asks for further options. Let them be the default and click on the Add button.

Now that our image has been mounted. It is time for Analyse-it. This can be done as shown in the image below.

We see that we have a bunch of files. Among those files, we have 2 text files. A flag file and a creds file. Let’s take a look at our Third Flag.

Flag #4

Now, we have a creds.txt file. We take a look at it to find that there is some encrypted text inside it.

It seems like it is a Base64 encoding. We use the echo command with a base 64 decoder as shown in the image below. This might be the password for another user.

We enumerate the home directory and found that there is another user by the name of forensics. The password must be for this user. We use the su command to login as forensic and the password we found. Now we use the sudo -l command to find what kind of binaries we can use to elevate privileges. We find that ALL is permitted. So, we just use the sudo bash command and get the root. Then look for the final flag in the root directory and we have our fourth and final flag.

cd /home
ls
su forensics
jeenaliisagoodgirl
sudo -l
sudo bash
cd /root
cat root.txt

This concludes this vulnerable machine.

Author: Pavandeep Singh is a Technical Writer, Researcher, and Penetration Tester. Can be Contacted on Twitter and LinkedIn

4 thoughts on “HA: Forensics: Vulnhub Walkthrough

  1. Hi,
    Thanks for all you do with the LAB and walkthrough you gave us on your Blog.

    Plz, I needthe link for downloading the LAB for HA Forensic

Comments are closed.