Introduction

Today we are going to crack this vulnerable machine called CengBox: 2. It is created by Arslan Bilecen.  This is a Capture the Flag type of challenge. It contains two flags that are accessible after gaining a limited session and a root level privilege on the machine. It is an Intermediate level machine.

Download Lab from here.

Penetration Testing Methodology

• Network Scanning
  • Netdiscover
  • Nmap
• Enumeration
  • Enumerating the FTP login
  • Browsing the HTTP service on port 80
  • Directory Bruteforce using gobuster
  • Enumerating Credentials for Gila CMS
  • Enumerating Gila CMS
• Exploitation
  • Exploiting Command Injection
• Post-Exploitation
  • Enumerating for Sudo Permissions
  • Crafting a PHP payload using Msfvenom
  • Enumerating the SSH keys
  • Cracking the SSH password using John The Ripper
  • Logging the SSH session as Mitnick user
  • Downloading and Enumerating using pspy64s script
  • Exploring permissions on Motd files
  • Adding nano command to the Motd header file
• Privilege Escalation
  • Relogging as Mitnick user
  • Creating a new user using openssl
  • Editing the /etc/password and adding a new user
  • Getting root access from new user
• Getting the Root Flag

Walkthrough

Network Scanning

To attack any machine, we need to find the IP Address of the machine. This can be done using the netdiscover command. To find the IP Address, we will need to co-relate the MAC Address of the machine that can be obtained from the Virtual Machine Configuration Setting. The IP Address of the machine was found to be 192.168.1.104.

Following the netdiscover scan, we need a nmap scan to get the information about the services running on the virtual machine. An aggressive nmap scan reveals that 3 services: FTP (21), SSH (22) and HTTP (80) are running on the application.

Enumeration

It was quite clear from the nmap scan that the FTP service has Anonymous Login Enabled by default and there is a file located in it as well named note.txt. As this is one of the ports that is basically open for access, let’s take a look into it. After logging in as Anonymous, we download the note.txt to our local machine to take a look at it. Here we see it is a note which consists of 2 names. Note them they can be useful down the road. Also, we see that the application is moved to a domain ceng-company.vm. That means we need to configure our /etc/hosts file. We also take note that if we find any CMS on the application then the default credentials can work as the note suggests so.

To access the application, we make the appropriate changes in the /etc/hosts file.

Now that we have made changes in the /etc/hosts file and there was an http service running on the application, we can check the application on our Web browser.

We have the Site Maintenance banner. This means that we need to enumerate further for the proper application. It is possible that the CMS is hidden in one of the directories.

After using dirb for Directory Bruteforcing, we were unable to find any relevant webpages. Then it hit us that what if Aaron from the note meant subdomain. That means we need to perform a directory bruteforce on the subdomain. To do this gobuster is the best tool. It has a vhost option with the subdomains dictionary.

After going on for some time, gobuster gave us the admin subdomain on the ceng-company.vm. But as it can be observed that it is forbidden i.e. 403. We need to bypass this restriction as well.

Let’s make an entry in the /etc/hosts/ file for the admin subdomain.

Let’s try to access the URL again on the Web Browser. It can be observed that the link is still forbidden. We need to enumerate further for a possible entry point.

This is where we decided it is time to do another directory bruteforce. This time, we thought to use the OWASP DirBuster. It gave us some directories. One of them was “gila”. It looks interesting.

We decided to browse the gila directory and we have ourselves a CMS page at last. Wow! That took some time. This made us realise that finding an entry point on the application is as important as exploiting it. Also trusting a single tool is not ideal. We should expand our arsenal of tools and dictionary.

We checked the Gila CMS Documentations for the location of the admin login panel. It was “mysite.com/admin” and after a thorough the read of the documentation on Gila CMS which can be found here. There was nothing about the default password. Also, the login panel asks for an email means we will have to find some email address as well. There were two users that we learnt from the note that we found on the FTP server. It was Kevin and Aaron. Also, Kevin is the one whose account was setup by Aaron. We need to obtain the email address of Kevin. Since ceng-company.vm was the primary domain. We decided to smack both of them together and get the email id as “[email protected]”. It was total guesswork at this moment.  We tried multiple passwords like “password”, “1234”, “gila”. Nothing worked. Then, just as we were about to attempt bruteforce. It came to us to try “admin” as password and Voila! It worked.

As we read the documentation earlier, we knew that the Gila provides a File Manager in its Dashboard. It can help in uploading a payload to generate the session on the virtual machine. But instead of uploading, we decided to edit the already consisting files on the virtual machine as they will have the proper permissions. We used the pentest monkey’s PHP Reverse shell and made the specific changes in it to point our local attacking machine i.e., Kali Linux.

Now, after editing the config file, we started a netcat listener on the port that we specified in the payload. In this case, it was port 1234. After starting the listener, we execute the payload by browsing the payload in the web browser. When we come back to the terminal, we find that a new session is generated but the said session is a limited shell. To upgrade this limited shell into a TTY shell, use the python one-liner.

Post Exploitation

After getting the shell as a part of post-exploitation, we ran the sudo -l command to find the list of binaries that can be run using sudo. We found that there is a script named runphp.sh that can be run using swartz user. We ran the script and got ourselves a php shell.

So, we need a php shell script to get the session. For this, we went back to our local machine and ran the Metasploit Framework. We decided to use the web_delivery exploit. We gave the proper values to the lhost and lport options and got ourselves a php script that can give us a meterpreter session on the target machine. We copied the script.

We pasted the script in the php shell that we got ourselves earlier as shown in the image given below.

After running the script, we went back to the terminal with Metasploit. We have ourselves a meterpreter session. We enumerate the home directory to find a user named Mitnick. It might be important. We traverse into the Mitnick user directory to find a user.txt file and .ssh directory. We tried to read the user.txt but we were unable to. Then we decided that logging as the Mitnick user is the only way to read that user.txt flag. And from the looks of it, it seems that we will have to SSH into Mitnick user. We get into the ssh directory and we have the public keys which can be used to SSH into Mitnick user.

We read the public key and to see that it is indeed the keys for Mitnick user. We copy the SSH key and paste it into a file named “key” on our local system.

We have a script that can convert the “key” into a crackable hash. It is called ssh2john. It is already in the Kali Linux in the /usr/share/ directory. Using the script we converted the “key” into “hash” file. Now that we have a hash, we used John the Ripper to crack it and discovered that the password is legend.

Time to SSH into Mitnick user. We had the username from the previous steps and the password we just cracked. After logging into the Mitnick user, we traversed into the /tmp directory and download the pspy64s script using wget command. We provide it proper permissions and execute it. It will help us enumerate pesky files or permission of different files across the system.

Here, we see that /etc/update-motd.d is running. MOTD is usually the Message of the Day messages. It seems interesting enough to take a look at.

We traverse into the directory to find in this directory all the files are writable. We tied to use edit one using the nano command.

After taking a good look at the files, it was clear that these files are called as root without sanitising the environment. While this is acceptable when called for instance by sshd or by Getty through login where the environment should be controlled, it becomes an issue if, for instance, the attacker modify the PAM to add a temporary user. We added the permissions to nano command in this file.

Privilege Escalation

Now that we have the nano command added in the motd, we need to logout from the ssh session and reconnect so that the motd gets executed. After logging again, we see that nano now have upgraded permissions. Let’s use this nano command to edit the /etc/passwd file and add our user with root privileges.

We opened up a new terminal on our local machine and created a set of credentials for the new user.

Back to the SSH session on the target machine, we add the line with the username raj and with root-level privileges.

Let’s save and exit the nano editor. To check if the entries are saved, we use the tail command. Let just login to raj user using su command and we are root. We can find the root flag in the /root directory.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn

Hi friends, Today I am going to share a writeup for gaining root access for the vulnhub machine “star-wars-ctf-1”. It contains one flag that is accessible after gaining root level privilege on the machine. It is developed by Sir Logic team difficulty level of this machine is for beginners. Our goal is to gain root shell access.

Download it from here: https://www.vulnhub.com/entry/star-wars-ctf-1,528/

Table of Content:

Reconnaissance

• netdiscover
• Nmap
• Dirb
• Steganography Online decrypt tool

Exploitation

• hydra
• SSH Login

Privilege Escalation

• Post Enumeration
• Abusing writeable script
• Root access

WalkThrough

Reconnaissance

let’s start Reconnaissance for the vulnerable machine by using netDiscover. It is used for identifying the IP address of the various devices in our network.

As we got our target IP address for the machine (192.168.0.188), And now we are performing the nmap for the port scanning and further information gathering on the target host. Here “-A” means Aggressive scanning.

so, we come to know that only two ports are open here.

Since port 80 is open, Let’s explore the domain or webpage on this target IP address using any browser.

Now we have to find the password. To find the password we are checking the source code of the webpage.

The author has given a hint “password is here”. The text format is in the base64 encode and we tried to decode the text but we unable to decode the text, I think Author want to bluff us in decode the text, further from the main page we downloaded source image to find hidden text that is known as “Steganography”.

To use steganography Click the url https://stylesuxx.github.io/steganography/ and upload the image then click the decoded image for extracting password.

After clicking on decode image, we got the password “babyYoda123”, but we don’t know the username, therefore we made directory brute attack using dirb tool for enumerating web directories.

here, it shows some directory, but I was interested in robots.txt file.

 

I navigate to the url http://192.168.0.188/robots.txt and found a webpage named as “/r2d2” but still, we have to enumerate username.

As we can see didn’t find any username, further, we made use of dirb tool and this time we were looking for php, .js and .txt extension file types.

From its result user.js looks interesting to me, let’s explore this.

we open the user.js in the browser and found two entries which could the usernames: skywalker and another one is han.

As we have both usernames and password now, we can perform the Brute-force attacks on ssh with help of the hydra tool. We created a users.txt file and we have a password (babyYoda123), now we have to crack the valid username with password.

As you can observe it has found the 1 valid username: han for the password: babyYoda123 SSH login.

After login into ssh, we move for post enumeration and found a hidden file named as .secrets that contain a text file “note.txt”. This file looks like a hint for us, where the author wants us to use Cewl for making a wordlist.

further, we check passwd file for enumerating user account and we saw han, starwalker & Darth as usernames.

Above we have found the robots.txt which has given a hint for /r2d2. So, we explored it in the web browser and obtain web page as shown in the image.

As you remember the author has given hint i.e. cewl. By using cewl command, we created a dict.txt file and used the dict.txt file as password list for making brute attack over ssh for user:skywalker.

As we can see hydra given a valid password for the skywalker.

Now have to switch the user han to skywalker and enumerate further.

After switching into user, we move for post enumeration and found a hidden file named as .secrets that contain a text file “note.txt”. This file looks like a hint for us, where the author mentioned: “Darth must take up the job of being a good father”. From this we got a clue, that may be Darth is the user.

After switching into the home directory, we move for post enumeration and found a Darth folder in that contains a hidden file named as .secrets that contain a python file “evil.py”. As you can see in the above image, there is a read and write executable python file, also this file is executing after one minute.

Privilege Escalation

Since, the evil.py script was writable, therefore, we edit the evil.py to the get reverse shell as Darther over netcat.

In a new terminal, we run netcat listener to obtain the reverse connection after one minute.

And after one minute we obtained session as Darth user, further we used python one-liner to obtain the proper TTY shell and then check the sudo privilege for user Darth.

We found, the user Darth own sudo right for NMAP, thus without wasting much time, we write root.nse script inside /tmp to run /bin/bash for root privilege Escalation when executing through nmap.

Booom!!! We have completed the task and obtain the final flag of the machine

Author: Madhava Rao Yejarla is an Ethical Hacker, Security Analyst, Penetration Tester from India. Contact on LinkedIn or Twitter

Today we will solve a new boot2root challenge named “ONSYSTEM: SHELLDREDD # 1 HANNAH“. For penetration testing, it is available on VulnHub and we can download it from here. The credit goes to d4t4s3c for creating this lab. Let’s start, and learn how to break it down successfully.

Level: Easy

Penetration Testing Methodology

• Network Scanning
  • netdiscover
  • nmap
• Enumeration
  • ftp login
• Exploiting
  • SSH
• Post Exploitation
  • Enumeration for Sudo Permission
  • Enumeration for SUID
• Privilege Escalation
  • SUID permission on cpulimit

Now Let’s start this walkthrough

Network Scanning

Using netdiscover we start by scanning our network for the target computer to find the IP Address of the Target Machine. We need to match the MAC Address of the Target Machine with the IP Addresses that were shown by the netdiscover command. On 192.168.0.121 the target machine was active.

Let’s do a port or a services scan. We will be using the nmap tool to see which ports are available. As we have seen in the FTP (21) and SSH (61000) services are available in the screenshot below.

Enumeration

It was quite clear from the nmap scan that the FTP service has Anonymous Login Enabled by default. So, let’s login as Anonymous to further enumerate the service.

We listed the contents of the directory using the ls command but it was worthless. After this, it came to us that the directories might be hidden. So, now it’s time to use the la option in ls command to list all the files inside the current working directory. Then we found out a hidden directory called (.hannah) in this directory we can find out an SSH key.

We use the get command to transfer this key in our local system aka Kali Linux.

Exploiting

Now as we downloaded the SSH key from the FTP server, it might have improper permissions. The SSH key requires a specific set of permissions. The key must have the read and write permission on the User or Owner. That means we need to add 600 permission. After setting appropriate permission, it’s time to login using the SSH key.  If we remember correctly from the nmap scan, the SSH service is running on the port 61000.

We get access to the Hannah user.

Post Exploitation

Now that we have a session on the target machine, its time to enumerate. We list all the files in the directory and find a file named user.txt. This might be the user flag.

Now that the user flag is found, its time to elevate privileges and look for the binaries that can be run as sudo.

Much to our demise, there isn’t any binary or script that can be run as sudo.

Next on our docket is SUID permissions. We can enumerate all binaries having SUID permissions with the help of the find command as shown in the image below.

We find that there is a binary called cpulimit that have the SUID permissions. Time to exploit it.

Privilege Escalation

We can use this cpulimit to run commands which we don’t have permissions to run like mkdir, cp, etc. but to use we need to move in /tmp directory as it is the only directory which has write permissions. Next, we change the permission for the bash file and copy its contents to the directory we created i.e., ignite. Then we apply the execution permissions to the bash inside the ignite directory.

Then BOOM!! we got the root we can check its id and in the root directory we found out its root.txt. After executing this file, Hurray!! we got our root flag.

Author: Shubham Sharma is a Pentester and Cybersecurity Researcher, Contact LinkedIn, and Twitter.