Hack the Box: Wall Walkthrough

Today we are going to crack a machine called Wall. It was created by aksar. This is a Capture the Flag type of challenge. This machine is hosted on HackTheBox. Let’s get cracking!!

Penetration Testing Methodology

  • Network Scanning
    • Nmap
  • Enumeration
    • Browsing HTTP Service at port 80
    • Directory Bruteforce using DirBuster
    • Bypass Authentication using Verb Tampering
    • Bruteforcing using hydra
  • Exploitation
    • Detect Remote Command Execution
    • Invoke Reverse Shell using RCE
  • Privilege Escalation
    • Downloading Screen 4.5.0 Exploit
    • Crafting the Payload
    • Compiling the Payload
    • Transferring the Payload
    • Getting Root Shell
  • Reading Root Flag

Walkthrough

Network Scanning

To Attack any machine, we need the IP Address. Machines hosted on HackTheBox have a static IP Address.

IP Address: 10.10.10.157

Now that we have the IP Address, We need to enumerate open ports on the machine. For this, we will be running a nmap scan. To get the most information and fast, we ran the Aggressive Scan.

The Nmap Aggressive scan quickly gave us some great information. It positively informed that the following ports and services are running 22 (SSH), 80(HTTP). Let’s move on to Enumeration Stage.

Enumeration

Let’s start with the Port 80. We ran the browser and opened the IP Address of the Machine. It gave us a default Debian Apache is Working Page.

Its time to do some directory bruteforce on our target. Generally, we use the dirb tool but let’s show some love to DirBuster sometimes as well. Usage is pretty straight-forward. Enter the Target URL, locate the dictionary you want to use for the bruteforce. Here, in this case, we will be using the medium.txt. It can be found in Kali Linux by default. After everything is set, just click Start and kickback.

After working for a while, it gave us one directory called monitoring, Felt to take a look at it.

So, we entered the URL in the Browser and we have ourselves a Login Panel. This is no fun. It does say that “Protected area by the admin”. So we get that username is admin. Easy Part is done. Now, all we got to do is get through this panel.

After trying a bunch of bruteforce techniques, we were not able to get through his login panel. That’s when it hit us, we should try HTTP Verb Tampering. So, we fired up our BurpSuite and captured the request of the /monitoring/ page.

As we observed that there is a GET request being sent to the server. We decided to tamper with it and we changed it to POST. After making this change, we forwarded the request to the server.

Verb Tampering worked and we were redirected to the /centreon/ page. Here we have another Login Form. How lucky! Now we need to bypass this as well.

We tried to bruteforce it using Burpsuite but we were unsuccessful. Then we took a closer look at the source code of the page and found a centreon token that was preventing us from brute-forcing. Then we ran a directory bruteforce on this page. It gave us /api/ page. So we decided to bruteforce the API for the credentials. We looked for the API documentation for Centreon (https://documentation.centreon.com/docs/centreon/en/latest/api/api_rest/index.html) to find the query that can be brute-forced, In the API documentation, we are told to send a POST request to the API. When we did so, we got the message “Bad Credentials”. So we gained enough information for crafting a bruteforce query. We crafted this query to bruteforce with the Hydra Tool.

Here, we started by giving the username “admin”. We got this from the initial login panel. Then we provided the wordlist for bruteforce. Next, we gave the target IP address. Then we provided the type of authentication panel, which is “http-post-form”. Followed by the URL and usernames and password parameters and the response text that could be used to differentiate the valid and invalid credentials. This gave us the credentials:

Username: admin

Password: password1

Now, this panel which we got was not something that we are used to working every day. But being in the penetration testing business we are sure to check out the CVEs for any panel, software or CMS. We did our research and found CVE-2019-17501 https://www.cvedetails.com/cve/CVE-2019-17501/. There was a GitHub link mentioned in the description of this CVE. We browsed it to find ourselves a PoC. On a closer look, the PoC contained a path.

We entered that URL in our Browser. Here we found an Add a Command Form. This contained the Command Input Field. We entered “cat /etc/passwd” here to check if RCE is working. After entering the command we hit that Blue Play button (Highlighted in the Image). This resulted in the opening of a new window with the result of the command we entered. RCE is indeed working. Now let’s get a shell form here.

We decided to use a socat reverse shell. We edited our attacker IP Address into the one-liner and then entered it into the field. Then we clicked the Blue Play button that we used previously for the command to get executed. Before this, we start a netcat listener on the port that we mentioned in this one-liner.

As soon as the command gets executed, we have a shell in the lister we started. Now as a part of our Post Exploitation tasks, we decided to use the find command to look for the SUID files. We found the screen-4.5.0. file as shown in the image given below.

Now we used the searchsploit command to look for the exploit for the screen-4.5.0. We see that we have the exploit by the name 41154.sh. We download this exploit to our attacker machine via searchsploit.

Now, we read the script. It divides itself into 3 files.

File #1: libhax.c

File #2: rootshell.c

File #3: 41154.sh

Each of them consisting the following code. You can download these files from our GitHub.

Now we need to compile the c files to get the object code. We will be using the gcc to compile this file.

After compiling the code we ran a python one-liner to transfer the payload files.

We went back to the session that we have of the target system and downloaded the payload files onto the machine using wget command.

Now, if we read the initial sh files, we know that we need to perform some configurations before actually running the payload.

After these configurations, we ran payload. This gave us a root shell. This can be confirmed using the whoami command. We traverse into the /root directory. Here we found the root flag.

This concludes this machine. This was a pretty lab. We got to use the Screen 4.5.0 privilege escalation technique after quite some time.

We at Hacking Articles want to request everyone to stay at home and self-quarantine yourself for the prevention against the spread of the Covid-19. I am writing this article while Working from home. Take care and be Healthy!

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn

TBBT: FunWithFlags: Vulnhub Walkthrough

Introduction

Today, we are going to complete a Capture The Flag challenge hosted on Vulnhub. This lab is based on a popular CBS series: The Big Bang Theory and as I am a huge fan of this show, it’s gonna fun to solve it. This lab is developed by emargkos and you can download it from here. This lab is a combination of capture the flag challenge and boot2root which means we have to find flags and root the lab; seven flags are hidden in the lab.

Penetration Testing Methodology

  • Flag #1: Sheldon
    • Nmap Scan
  • Flag #2: Amy
    • Browsing HTTP Service
    • Directory Bruteforce
    • Enumeration using WPScan
    • Exploiting Vulnerable Plugin
    • Getting Meterpreter
    • Downloading Binary File
    • Reading Flag using Strings
  • Flag #3: Penny
    • Enumerating Directories
    • Decoding Base64
    • Reading Flag
  • Flag #4: Leonard
    • Enumerating Directories
    • Enumerating Crontab
    • Crafting Payload using Msfvenom
    • Uploading Payload
    • Getting Root Shell
    • Reading Flag
  • Flag #5: Bernadette
    • Enumerating Directories
    • Grabbing Database Credentials
    • Enumerating Database
    • Reading Flag
  • Flag #6: Raj
    • Enumerating Directories
    • Grabbing Database Credentials
    • Enumerating Tables
    • Reading Flag
  • Flag #7: Howard
    • Enumerating FTP Service
    • Downloading Locked Archive File
    • Brute-forcing Password using fcrackzip
    • Brute-forcing Password using stegcracker
    • Reading Flag

Walkthrough

Flag #1: Sheldon

As DHCP is disabled in this machine, we have ourselves a static IP Address. It is 192.168.1.105. Let’s start pawning the lab, firstly by scanning it and for the scan, we will use nmap with the following command:

Nmap showed us that various ports are open with multiple services running on them. These ports are 21(FTP), 22(SSH), 80(HTTP), 1337. If we look closer at the port 1337, we found our first flag i.e. Sheldon.

Flag #2: Amy

Moving on, we opened the target IP address in the browser and here we found an image as shown below:

Apart from Sheldon’s creepy smile and Penny’s sarcastic bung, all that there was on this page was this image. So, to proceed forward with the directory bruteforce. We used the dirb tool for the same.

Without taking much time, our reliable dirb gave was a directory /music/wordpress/. It is a pretty odd directory to find. But if the machine is based on Big Bang theory then who are we to judge. We decided to browse the URL.

As we got wordpress directory, and the web-page that opened up seems to be made in WordPress. It was only natural to enumerate WordPress. For this task, we decided to use WPScan.

 In no time, we have got ourselves a vulnerable plugin on our hands. It is the world-famous reflex-gallery.

Our experience with this plugin tells us that we have a perfect exploit for this plugin in our Metasploit Framework. Let’s get ourselves a sweet meterpreter.

We got our metepreter in the blink of an eye. Now that we have a shell. We need to enumerate the machine for another flag. We traversed in the home directory of the current user. Here we listed the contents to find ourselves a directory named amy/. First Sheldon then Amy. This is turning out to be a nice path for flags. We enter the amy/ directory and we find 2 files here. We read the text file named notes using the cat command. It tells us that another file named secretdiary is Amy’s diary. But no need to be happy. The notes say that once she is famous she will write secrets in it. Like that’s gonna happen any time sooner. We are told that Amy used a very strong password that cannot be brute-forced. It is 18 digit, alphanumeric, uppercase/lowercase with symbols. How kind of Amy to tell us what the password is made up of. Also, we are told that the program is compiled. That means that it is a binary. We need to figure out another approach towards it. But it is not gonna do any good sitting there. So, we downloaded the secretdiary to our attacker machine.

Now that we have the secretdiary on our hands, we need to figure out a way to get the password to unlock it. As it is a binary file, there must be a location where the password is stored. Since it a text inside a binary file, we need the strings command to read from it.

We can see that we have the password, “[email protected]”. Sorry to say Amy but is not a strong password. I recommend that you change it. But strings command has done more than it was asked. It gave us the amy flag. So, we don’t need to log in.

Flag #3: Penny

We went back to the meterpreter and went back to the home directory. We saw that there were a lot of directories. But we decided we need the Penny flag. So, we traversed into the penny directory. We listed the contents of this directory to find a hidden file called .FLAG.penny.txt. Come on! we wanted it to be tougher. We read the file to find a base64 encoded text.

We copied the encoded text and went back to our attacker machine. Here, we decoded the text using the echo command. It gave us the penny flag. 3 Flags down!!

Flag #4: Leonard

Time to go back to the home directory. Here we traversed into the Leonard directory. Let’s see if Leonard is good at hiding his flag. We listed the contents of this directory to find a script. Interesting! We read the script. There was no script. Typical Leonard. It says that they have a thermostat connected to the IoT device. This means that the script can manipulate the temperature. As we all know that Sheldon needs to keep his thermostat at 71 degrees. This is uncomfortable for Leonard. So, this script will change the temperature to Leonard’s preference every minute. I smell corn!

Time to check the crontab. As suspected, we have this script inside the crontab file. It is scheduled to run every minute.

 If we are not wrong, this might give us root. Let’s wait and watch. Time to craft a raw bash payload using the msfvenom.

We copied the payload on our clipboard and used the echo command to paste the payload inside an empty file having the same name as Leonard’s script.

All that’s left to do is upload this script from our machine to the target machine. As we have a meterpreter this can be done using the upload command.

Before uploading, we started a listener at the port that we mentioned at the time of crafting the payload. Now after we upload the payload, we got to wait a minute for the cronjob to execute the script. In no time we have a session. We used the id command to gain information about the user. We have the root shell. Now for the flag. It was in the current directory. We read the flag using the cat command. We have the message that we can sit on Sheldon’s spot. Dreams do come true!!

Flag #5: Bernadette

But, although we have the root shell, it doesn’t mean that the challenge is over. We need to find other flags as well. We went back to our meterpreter shell and started enumerating. This led us to the /var/www/html/ directory. Here, we found a directory named private. How can we not open it? SO! we saw that we have a bunch of HTML and php files. Among them was the db_config.php file. If our experience servers us right, the config file mostly stores the database password. We decided to take a look. Bazinga!! We have the Database credentials.

User: bigpharmacorp

Pass: weareevil

Word of Wisdom: If you are a Big Pharma Company don’t keep your password weareevil. This would have been our First Guess.

We went back to our root shell that we obtained just a while ago. Here, we ran the python one-liner to convert the shell into a TTY shell. As soon as we got the proper shell. We attacked the Database using the credentials that we dug up. We used the queries to inquire about the databases and tables. Here we found different users, their password and in Bernadette’s description, we have our 5th Flag!!

Flag #6: Raj

Since we got this flag inside the database. It scratched a part of our brain that we might have another database user. Then it hit us that we have wordpress installed. WordPress creates its users. We went on the hunt for that user. We traversed into the directory containing the wordpress. Here we found the wp-config.php. How convenient! We read the file using cat command. We found ourselves some credentials.

User: footprintsonthemoon

Pass: footprintsonthemoon1337

Now, who will keep such a password? It must be our Indian brother Raj!! Let’s get that flag.

 We logged out from the previous database and logged in using the new credentials. We enumerated almost all the tables. But we won’t take you on that painstaking journey. We found something in the wp_post table.

If you read the data form the wp_post table, you will find the Raz flag tucked in between. 

Flag #7: Howard

We enumerated further, but we didn’t get anything new. So we went back to our initial nmap scan. We remembered that we have a port 21 open as well. So let’s login to the FTP. We logged in as Anonymous User. Here we listed the files to find a directory named pub. Now, everyone is in the pub including Amy, Bernadette, Howard, Leonard, Penny, Raj, and Sheldon. They must be here to witness as we capture the last flag. Until now we don’t have any flag from Howard. Let’s check his directory. In this, we have a note file and a compressed archive. We figured that we that the zip file was the to be focused so, we downloaded it using the get command.

The archive was password-protected, so we decided to use fcrackzip on it. We brute-forced using the rockyou.txt. It gave us the password. It was the “astronaut”. Damn! Could have guessed that one. We unzipped the archive to find ourselves an image. Hmm.

It didn’t take much time before we figured out that the flag must be hidden inside the image. We used the stegcracker to bruteforce it using rockyou. It cracked us the password “iloveyoumom”. How very Howardy!! Well, all that left is read the flag from the file that stagcracker created. This gave us the Howard flag!!

This concludes this lab. But can we leave without saying “It all started with the big bang!”.

We at Hacking Articles want to request everyone to stay at home and self-quarantine yourself for the prevention against the spread of the Covid-19. Take Care and be Healthy and Keep Hacking!!

AuthorYashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here

Comprehensive Guide to tcpdump (Part 3)

This is the third article in the Comprehensive Guide to tcpdump Series. Please find the first and second articles of the series below.

In this part, we will cover some of the advance features which we were unable to cover in the previous parts of the series. So we can get more benefits from this tool.

Table of Content

  • Version Information
  • Quick mode
  • Verbose mode
  • HTTP Requests
  • User Agent
  • Port Range
  • Destination
  • Source
  • Network
  • TCP Packets
  • Tcpdump to Wireshark

Version Information

Let’s begin with one of the simplest commands so that we can understand and relate all the practicals during the article. We can use this parameter to print the tcpdump, libpcap and OpenSSL version string.

Quick Mode

Arguably if the network is very quite, performing any operation during that time will take more time than usual. The person who developed tcpdump thought of this conundrum and gave us the way to speed up the process by using the “-q” parameter. It will print less information about protocols and data packets to save time.

Verbose Mode

The verbose mode is famous to provide extra information regarding operations. in TCPDump, verbose mode provides such the information too. For instance, time to live, identification, total length. It can also enable additional packet integrity checks such as verifying the IP and ICMP header checksum values.

TCPDump provides us with plenty of parameters that are moved around this mode like -v, -vv, -vvv, where each parameter has its unique efficiency.

  • -v parameter is the traditional verbose mode.
  • -vv parameter is more than the traditional verbose mode, additional fields are printed from NFS (Network File System) reply packets and SMB packets are fully decoded.
  • -vvv parameter has something more to provide like tenet options etc.

HTTP Requests

As we all know, HTTP Requests is an information message from the client to a server over the hypertext transfer protocol (HTTP). It has various methods to deliver this information. These methods are case-sensitive and always mentioned in the UPPERCASE. Through tcpdump, we can capture these request to analyze the traffic sent over the said protocol traffic.

The method which we can capture through tcpdump are the following :

  • GET- This method is used to retrieve the information from the given server using a given URL. Requests using GET should only retrieve data and have no other effect on it. We can also capture this request with the help of tcpdump.

  • POST- This request is used to send data to the server. Like customer information, file upload, etc. using HTML forms. Traffic over this protocol can analyzed using the following command :

  • Request-URL- It is a uniform resource identifier, which identifies the resource on which we need to apply requests. The most common form of this is used to identify a resource on a server. If a client wants to retrieve the data directly from the server, where it originated, then it would create a connection to port 80 of the host and send the request. These requests can be captured using the following commands:

User Agent

With TCPDump, you can also see which traffic is generated from which application. We can also find the user agents in our data traffic by using the following command :

Port Range

Some ordinary port filters help us to analyze the traffic on a particular port. But in tcpdump, we give our scan a range of ports through which it can monitor the destination of TCP/UDP or other port-based network protocols.

Destination

To check the flow of data in network traffic towards a particular destination, use the following command for this :

Source

To check the data traffic coming from a particular source, we can follow the command given below :

Network

To find the packets going to or from in a particular network, we can use the following function to analyze this traffic:

TCP Packets

TCP packet is the format consists of the fields such as source port and destination port field. Through these fields, we can identify the endpoints of the connections and can also capture these TCP packets in its various flag format. i.e. SYN, RST and ACK.

  • SYN- SYN flag is known as Synchronizes sequence numbers to initiate a TCP connection. We can capture this particular packet from traffic with the help of tcpdump.

  • RST- RST flag is known as reset flag. This flag is sent from the receiver to the sender if a packet is sent to a particular host that was expecting it. RST flag is used to re-establish a TCP end-to-end connection. We can capture this flag from our data traffic with the help of tcpdump.

  • ACK- ACK flag is known as the Acknowledgement flag. This flag is used to acknowledge that our data packet has been successfully received. We can capture these flags with tcpdump to study our data traffic.

Tcpdump to Wireshark

The only difference between the Wireshark and TCPDump is that Wireshark is GUI while tcpdump is a command-line tool. But with the help of a few sources, we use a command on tcpdump and view our data traffic results in Wireshark which, we find is the best way to analyze our traffic. This can be done using the following command :

After running this command it will immediately open the Wireshark and will ask a few questions about our scan. Press OK to move further.

After this, it will ask you which network interface we want to capture the data packets. In our case it will be eth0, so we are selecting that network interface.

After completing all the formalities our live data capture screen will appear with our captured data packets.

By following these steps we can run a command for tcpdump and capture its results in Wireshark.

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher, Contact Linkedin and twitter.

Hack the Box: Postman Walkthrough

Today, we’re sharing another Hack Challenge Walkthrough box: POSTMAN design by The Cyber Geek and the machine is part of the retired lab, so you can connect to the machine using your HTB VPN and then start to solve the CTF.

The level of the Lab is set: Beginner to intermediate.

Task: Capture the user.txt and root.txt flags.

Penetration Methodologies

  • Network Scanning
    • Nmap
  • Enumeration
    • Redis
  • Initial Foothold
    • Access SSH
  • Privilege Escalation
    • Webmin

Network Scanning

As we know the machine IP of the victim, Nmap scans will begin with the identification of open ports and services across them.

We find port 80 open for HTTP from this scanning study, and port 22 open for SSH, too. In addition, I have noticed port 1000 for webmin and the port 6379 for Redis is open.

Enumeration

The Redis security model is: “it’s totally insecure to let untrusted clients access the system, the ability to control the server configuration using the CONFIG command makes the client able to change the working directory of the program and the name of the dump file. This allows clients to write RDB Redis files at random paths, that is a security issue that may easily lead to the ability to run untrusted code as the same user as Redis is running”.

You can read more about it from here

Since we saw port 6379 is available for Redis, we try to communicate with this with the help of the Redis client.

We noticed, that Redis is insecure and not AUTH required, so we discovered “.ssh directory” for the Redis as mentioned above, due to unsafe configuration we can transfer any file inside the server.

Further, I generate an ssh key pair using the ssh-keygen command given below:

I have a key and my goal is to place it in the server memory and then move it to a file in such a way that the authorized keys file that results remains valid.

Initial Foothold

As we have uploaded our ssh key into server thus it’s time to connect with a remote machine with the help following command

Here, we notice two things: first there is a user whose name is  “Matt” and a file with name “id_rsa.bak”, let’s find out the path for this file.

So, with the help of find command, we enumerate the path for id_rsa.bak file which lie inside /opt directory.

So id_rsa.bak file is actually the id_rsa private key, I copied it into a text file and saved it as a hash.

Then we have used ssh2john to convert this SSH key into a crackable file with the help of John the ripper and further used the rockyou.txt wordlist for this.

Hmmm!! so we have obtained ssh key “computer2008” for the user Matt.

As we knew that webmin was running over port 10000 thus we navigate to a web browser and explore the URL where we submit above-enumerated creds.

Boom! We logged in successfully and notice the installed version for webmin i.e. 1.910; now we can search for its exploit if available.

With the help of searchsploit, we found a Metasploit module for exploiting remote command execution. This module exploits an arbitrary command execution vulnerability in Webmin 1.910 and lower versions. Any user authorized to the “Package Updates” module can execute arbitrary commands with root privileges.

Privilege Escalation

Without wasting time, we loaded the Metasploit module and set the value required to initialize the exploit.

We got the meterpreter session with root privilege, let’s enumerate flags.

Let’s capture both flags user.txt and root.txt from inside the /home/Matt/ and /root respectively.

Conclusion: In this machine, we have learned about two major vulnerability and their exploitation, the first was insure Redis and the other was webmin.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn