Today we are going to solve another CTF challenge called “Sunset: dawn”. It is available on Vulnhub for the purpose of Penetration Testing practices. This is a box from the Sunset series. The credit for making this lab goes to “whitecr0wz”. Let’s start and learn how to successfully breach it.

Level: Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

Network Scanning

• netdiscover
• Nmap

Enumeration

• Browsing HTTP Service
• Performing Directory Bruteforce
• Enumerating log files
• Enumerating SMB using Enum4linux

Exploiting

• Connecting via SMB
• Sending files with netcat invocation

Privilege Escalation

• SUID bit on zsh

Capture the flag

Walkthrough

Network Scanning

We will be running this lab in a Virtual Machine Player or Virtual Box.  After running the lab, we used the netdiscover command to check the IP Address of the lab.

This was found out to be 192.168.1.165.

Now we will run an aggressive port scan using nmap to gain the information about the open ports and the services running on the target machine.

We learned from the scan that we have the port 80 open which is hosting Apache httpd service, and we have the port 139,445,3306 open. This tells us that we have the NetBIOS and MySQL service running on the target machine respectively.

Enumeration

Since we got the port 80 open, we decided to browser the IP Address in the browser. We were given an unavailable error as shown in the given image.

We also started a Directory Bruteforce in order to enumerate the machine further. This gave us a directory called “logs” as shown in the given image.

Upon finding the logs directory, we opened the URL in our browser. This gave us a bunch of different log files like auth.log, daemon.log, error.log and management.log. We tried to access the all those log files but we got forbidden message in all except management.log.

So, we downloaded the management.log and used cat command to open the management.log on our attacker machine (Kali Linux). Here we see that we have a directory named “ITDEPT”. It contains two files namely product-control and web-control. As these files were mentioned with cron, we can safely say that these files are getting executed by some background task.

Back to the nmap port scan, we found that there is a NetBIOS SMB. Its time to enumerate this machine’s SMB Service. There are multiple ways to do this about which you can learn here. now we decided to use the Enum4Linux script. This shows that we have the ITDEPT directory we found earlier. This means this directory is accessible through SMB.

Also, as we explored the result of Enum4Linux, we saw that we have two users namely, “dawn” and” ganimedes”.

Exploitation

Since we found the ITDEPT directory in our enumeration. We tried to access it using the SMB as shown in the image. We gave a blank password to login. Upon logging in we ran the ls command. We found nothing in it. We ran the ls command again with the -al parameters to see if we missed any hidden files but we couldn’t find any.

But this doesn’t mean that we cannot create any file in it. We went back to our terminal and created the files by the name of “product-control” and “web-control”. We created the files by this name because earlier while enumerating the management.log file we saw that files with this name were executed after every minute. again and again, using cron. We also entered the netcat shell invocation script in those files using the echo command as well.

Now back to the SMB shell, we transferred the files that we just created to the target system using the put command. Both the files were successfully transferred. After the transfer, we ran the ls command to check whether the files were indeed on the system or not. As seen in the image given below, we have put our files on the target system. 

Now, we went back to our browser, to see the log directory. From there we downloaded the management.log file again. We did this as if those files we just created were executed or not. As shown in the image, the files were successfully executed.

Now we ran the netcat to get this session on the target machine. We get our shell through netcat. This was an improper shell. So, we used the python one-liner to convert this into a proper shell. On conversion, we saw that the shell we got was of user dawn.

Privilege Escalation

Now that we had a shell, it was a regular practice to check for any file having SUID permissions with the help of Find command. By using the following command, we enumerated all binaries having SUID permissions:

The Find command gave us that the zsh command can help us escalate privilege on this machine. We ran the zsh command and checked our status using the whoami command. We got root. Now it was time to enumerate for the flag. We traversed into the root directory and found the flag.txt file. This concludes this CTF.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

Prime writeup- our other CTF challenges for CTF players and it can be download from vulnhub from here. The credit goes to “Suraj Pandey” for designing this VM machine for beginners. This is a Linux based CTF challenge where you can use your basic pentest skill to compromise this VM to escalate the root privilege shell.

The difficulty level of the lab is set easy to intermediate at the phase of initial foothold and once the machine is get compromised the privilege escalation phase is very easy. To capture the flag, you need to find user.txt and root.txt file.

Penetration Testing Methodologies

Network Scan

• Netdiscover
• Nmap

Enumeration

• Abusing web application
• Dirb
• fuzzing

Exploiting

• LFI
• Abusing WordPress
• Injecting PHP reverse shell payload
• Obtain Meterpreter Session
• Capture the Flagtxt

Privilege Escalation

• Kernel Exploit (Metasploit)
• Capture the Flag.txt

Walkthrough

Network Scanning

This CTF is started to run on a virtual box, so use a virtual box to run this machine. We’ve got a few hints at the initial phase when the host machine starts up.

We notice the following:

• The VM is designed on “ubuntu 16.04”
• Found a username: “victor”
• Hint for Password.txt file “find password.txt file in my directory”

Time to identify the IP of the host machine with the help of netdiscover. Here we have 192.168.1.101 as an IP host on my network, let’s go further to scan the victim’s network to identify the open port and services running across it.

Using an aggressive nmap scan, we only found two open ports, i.e. 22 for ssh and 80 for http.

Enumeration

Further, we need to start enumeration against the host machine, therefore without wasting time, we navigate to a web browser for exploring HTTP service but we didn’t found anything here.

Then we go to the web directory listing and use the starting directory brute force with the help of dirb. Hmmmm!! Shows two interesting directories, /dev & /WordPress, which means that the host uses the WordPress application.

Lol! By exploring /dev directory we got a message and that it wasn’t useful

We further explored /WordPress and found the WordPress welcome page. When you browse this page, you will also find the username “Victor” which means that the victor could be the admin.

Then we dig further but didn’t find anything, so we’re using dirb again to list .txt extension files, and fortunately, we’ve found a secret.txt file out of the result.

Let’s go for secret.txt file and figure out what is this file has.

Hmmmm! The secret.xt file provided an indication for the GitHub link and the location.txt file.

The Github page contains a few commands for Fuzzing, we try to use each command, but it didn’t work as if it was aspected. Then we notice “file” as a fuzzy payload that might be another hint, so we used it to fuzz.

So we try to navigate the following URL as per hint, and this approach works as shown in the image below.

At the end of the web page, the author left us with a comment as a hint.

“Do something better

You are digging the wrong file”

If you remember, we got a hint for the “location.txt” file from inside the secret.txt file. So we’re trying to call the location.txt file with the given URL.

Great!! We have been able to access the file location.txt, which means that it is vulnerable to local file inclusion (LFI). Let’s try and take advantage of it.

Also, location.txt file gave a hint us to use “secrettire360 as parameter on other php page”.

Exploiting

As per the above observation, we try to exploit LFI by executing the following command to extract / etc / password file.

Boom!! Boom!! And we’ve got the/etc/passwd file of the host machine. if you will notice below image here user: Saket is giving an indication to look inside his directory i.e. /home/saket for password.txt file.

To get the password file we try to explore the following URL:

And we found the password: follow_the_ippsec

It was time to utilized above-enumerated credential for login into WordPress, we, therefore, try to access the WordPress admin console using the combination of the victor: follow_the_ippsec.

After login into WordPress, we try to inject malicious php script via theme templates or by installing new plugin, but all of them fail because they have no writable permission.

Providentially, we’ve seen a secret.php file that also has writeable permission, which means we can write our malicious php code here.

We, therefore, write use msfvenom following command for generating malicious php code in raw format.

Then copy the highlighted code for injected inside secret.php page

So here, we’ve injected our malicious code and updated the file, and at the same time, we’ve started a multi-handler to get a backup of the host machine.

When everything is set up, we try to trigger our malicious php script by running the following URL:

After executing the above url we got meterpreter session1 which is limited shell access of host machine and here we found the kernel version, now let’s go for post enumeration to find out user.txt file.

From inside /home/saket we found our 1^st flag user.txt file. Further, let’s got for privilege escalation to access root shell.

Privilege Escalation

As we already know the kernel version of the host therefore without wasting time we look for a kernel exploit in the google and found the Metasploit module for exploiting the kernel.

Thus we use the following module:

Great!! we got another meterpreter session i.e session 2, and after that, we get into the root directory and capture the final flag i.e. root.txt

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Today we are going to solve another CTF challenge called “AI: Web: 2”. It is available on Vulnhub for the purpose of Penetration Testing practices. This lab is not that difficult if we have the proper basic knowledge of cracking the labs. This is the second box from the series AI: Web. The credit for making this lab goes to Mohammad Ariful. Let’s start and learn how to successfully breach it.

Level: Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

Network Scanning

•  Netdiscover
•  Nmap

Enumeration

• Browsing HTTP Service
• Performing Directory Bruteforce
• Enumerating robot.txt

Exploiting

• Exploiting Directory Traversal
• Crack password hashes using John The Ripper
• Exploiting Command Injection to get a shell

Privilege Escalation

• Enumerating exploit 46978
• Enumerating for flag

Capture the flag

Walkthrough

Network Scanning

We will be running this lab in a Virtual Machine Player or Virtual Box.  After running the lab, we used the netdiscover command to check the IP Address of the lab.

This was found out to be 192.168.0.3.

Now we will run an aggressive port scan using nmap to gain the information about the open ports and the services running on the target machine.

We learned from the scan that we have the port 80 open which is hosting Apache httpd service. And we have the port 22 open which gives us the option to remotely connect to the target machine.

Enumeration

Since we got the port 80 open, we decided to browser the IP Address in the browser.

We also started a Directory Bruteforce in order to enumerate the machine further. This gave us a directory called webadmin as shown in the given image.

Upon finding the webadmin directory, we opened the URL in our browser. This gave us a Login Prompt. We don’t have any login credentials to proceed further here.

Back to the part, where we initially browsed the webpage, we found a signup option. We clicked that option. This gave us a form with the username option as shown in the image. So, we created a user account with the name “raj”.

On clicking the “OK” button, we get a panel as shown in the image given below. It shows us a welcome message “Welcome to XuezhuLi File Sharing”. This must be a service that is configured on the webserver. This service seems interesting.

We googled the name of the service in the hope to find any exploit. And we got the exploit db link.

On close inspection, we found that it contains a captured request marked as viewing.php. This shows the path that can be used to view the /etc/passwd on the target system.

Exploiting

So, we captured the request on our target machine using Burp Suite from the userpage.php.

Now we will right-click here on the captured requested and select “Send to Repeater” option in the BurpSuite. Here we will change the GET request with the path that we found in the exploit earlier and send the request to get the response. Here we can see that we have the /etc/passwd. Among all the other users, we found a user named aiweb2.

Even though we have a user, we don’t have any passwords. We tried to crack the has by usual methods and dictionaries. It turned out to be useless. Then we turned to the Lab Description on the Vulnhub. Here we found a hint given by the lab author “You may need to crack a password. Use wordlist SecLists/rockyou-45.txt”. So, we downloaded that wordlist and still tried to crack the hash.

You can download this wordlist by clicking here.

This also was of no use. We went on thorough research to find a move ahead and after hours and hours of googling and running through guides and manuals. We found that there are some credentials stored inside the /etc/apache2/.htpasswd.

We modified our request from earlier to go to this path as shown in the image.

This proved to be a successful step. We found a user named aiweb2admin. Now that we have the username and the password hash. We tried to crack the hash using John The Ripper. We downloaded the wordlist mentioned before by the author and named it dict.txt. On running John, The Ripper, we found the password to be “c.ronaldo”

We went back to the user login panel on /webadmin/ and entered the following credentials

Username: aiweb2admin

Password: c.ronaldo

This was a success. We found some text written here, It says” I disallowed some contents from robots.” This was a simple hint for robots.txt.

As we understood the lab author is trying to hide contents from robot. That means we need to enumerate the robots.txt. On the inspection of robots.txt, we found two directories.

/H05Tpin9555/

/S0mextras/

We opened the /H05Tpin9555/, this gave us a form to enter the IP Address, and upon entering the IP Address, the Victim Machine will ping that particular IP Address. We tired and pinged 127.0.0.1. And the result of the command is shown in the image given below. This is a simple case of Command Injection Vulnerability.

We will get back to in a minute but we thought of enumerating further another directory hidden in the robots. txt, “/S0meextras/”. We tried multiple ways to enumerate but all we have is this message” For juicy information in this dir”. This means that there is something in this directory. But to access this directory, first, we will be needing access on this machine.

We got back to our command injection. Hereafter trying multiple ways and different filters, we found that double pipe ‘||’ bypasses the command injection. We tried the id command with the double pipe as shown in the image.

Now that we have found our way in, we will use the PHP shell of pentest monkey to get a session over the target system. First, we will change the IP Address to our attacker machine (Kali).

After making the appropriate changes, we will run a python one-liner to create a server on the port 8000. Now we will transfer the php shell to the target system with the wget command with the double pipe. After clicking the submit button, the shell will get uploaded as shown in the image.

Now that the shell is successfully uploaded, we need to execute it by browsing it in our web browser, but before doing that we will create a netcat listener using the command given below. Remember to enter the port number that was in the shell.php file.

As soon as we execute the shell file, we have a shell over the target system. We have found our way in. Now its time to enumerate that S0mextras directory. As the directory was visible on the outside as a webpage. It must be in the var/www/html/ directory. So, we traversed to that directory. Here we found a directory named webadmin. We entered into that directory to find out targeted directory. In that directory, we ran the ls -al command. We did this to find any hidden directories. Here we found a text file named “.sshUserCred55512.txt”. Upon opening it we found the credentials of a user on the remote system as shown in the given image.

So, we decided to login using those credentials. Upon logging in we ran the id command to reveal the user permissions. This gave us very peculiar information that the user is a member of lxd group.

LXD is a next-gen system container manager. It offers the user a similar environment as virtual machines. But using Linux containers. For more information read this wiki.

Privilege Escalation

We used the searchsploit to find any exploit related to lxd. And to our better knowledge, we got exactly what we wanted a privilege escalation to exploit.

So, we downloaded the exploit using the (-m) parameter of the searchsploit command. After successfully downloading we opened the file to read using the cat command. Here we found the instruction of how to use the exploit.

So, we will follow these steps:

Step 1: Download build-alpine on Attacker Machine

So, we downloaded the build alpine using the link provided in the exploit.

Step 2: Build alpine as root user on Attacker Machine

After that, we ran the alpine-build using the following command

On running the bash build command a tar.gz file is created in our working directory.

Step 3: Run this script and you will get root on the Victim Machine

Now we will transfer the file to the victim machine, we used the combination of python one-liner and wget for this process. Now there seems to be some error in execution. What happens is that when we tried to execute this directly, we are not able to execute it properly. But when we try this method, we are successful. We created a bash file named raj.sh and copied the 46978.sh code in this file. After that, we provided it with giving the file proper permission to execute. Now we run the file with providing the tar.gz file in the parameter.

Step 4: Once inside the container, navigate to /mnt/root to see all resources from the host machine.

After running the bash file. We see that we have a different shell, it is the shell of the container. This container has all the files of the host machine. So, we enumerated for the flag and found it. This concludes this lab.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

DC:7 writeup, our other CTF challenges for CTF players and it can be download from vulnhub from here. The credit goes to “DCAU” for designing this VM machine for beginners. This is a Linux based CTF challenge where you can use your basic pentest skill to compromise this VM to escalate the root privilege shell.

Penetration Testing Methodologies

Network Scan

• Nmap

Footprinting

Exploiting

• SSH login
• Abusing Drupal Drush
• Compromising webshell via PHP Backdoor

Privilege Escalation

• Abusing writable Script
• Capture the Flag

Walkthrough

Network Scanning

Let’s start with a network scan using an aggressive Nmap scan as we always do, and this time also we will go with the same approach to identify open port for running services.

Hmmm! So nmap showed very exciting & cool outcome, specifically on port 80 that is accessible to HTTP service and is also used to operate drupal CMS, additionally, 15 submissions for robot.txt is like a cheery on a cake.

Enumeration

Further, we need to start enumeration against the host machine, therefore without wasting time, we navigate to a web browser for exploring HTTP service, and DC:7- Welcome page will be opened in the browser that gave us a hint to search “outside the box” and this hint might be connected with internet.

At the end of this web page, we observed another hint “@DC7User” which could be any possible username.

By considering the above-listed hint, we start footprinting on the @DC7-user and find the DC7-user twitter account. This account contains a link to GitHub: https:/github.com/Dc7User, maybe the author was pointing to this link.

And the github URL content a staffdb which is PHP repositories.

So when we have opened the staffdb, here config.php looks more interesting and a note i.e. as depicted below:

“This is some “code” (yes, it’s not the greatest code, but that wasn’t the point) for the DC-7 challenge.

This isn’t a flag, btw, but if you have made it here, well done anyway. :-)”

We found credential from inside config.php as shown below:

Exploiting

With the help of above-enumerated credential, we try to connect with ssh and after obtaining tty shell we go for post enumeration and start directory traversing.

At first, we’re looking for a directory list where we’ve found a “mbox” named file that contains an inbox message. The message contains /opt/script/backup.sh as the subject of the message, let’s explore more.

Inside backup.sh we notice it is using drush which stands for Drupal shell and it is a command-line utility that is used to communicate with drupal CMS.

So, I looked at the drush command on google and found a command that was used to change an account’s password.

Therefore, we try to change the admin password using the below command:

Now, we’ve changed the password for the admin account to login to Drupal and explore the following URL:

After accessing the admin console, it was time to exploit web application by injecting malicious content inside it. Directly writing malicious scripts as web content will not give us the reverse shell of the application but after spending some time, we concluded that it requires PHP module. We, therefore, move to install new module through Manage>Extend>List>Install new module.

You can download the PHP package for Drupal from the URL below and upload the tar file to install the new module.

So, when the installation is completed, we need to enable to added module.

Again, move to Manage > Extend >filters and enable the checkbox for PHP filters.

Now use Pentest monkey PHP script i.e “reverse_shell_backdoor.php” to be injected as basic content. Do not forget to add listening IP and Port for obtaining reverse connection. Further, change text format into PHP and enable the checkbox for publish. Keep the netcat listener ON to receive incoming shell.

Now use the Pentest monkey PHP script, i.e. “reverse shell backdoor.php” to be injected as a basic content. Don’t forget to add a “listening IP & port” to get a reversed connection. Continue to change the “text format to PHP” and enable the publishing checkbox. Keep the netcat listener ON in order to receive the incoming shell.

When everything is set correctly, click the preview button and you’ll get the reverse connection over the netcat.

Great!! we have our netcat session as www-data and if you will check permission on /opt/scripts/backup.sh, you will notice, that www-data has all permission to access or modify this file. We can therefore abuse the rights of the user file for escalating privileges by modifying the contents of the source.

Privilege Escalation

As said above we’ll try to abuse writable permission assign on the script. Thus, we use msfvenom to generate a malicious piece of code for obtaining the bash shell.

Now copy the generated code and start another netcat listener on a new terminal.

Paste the code copied above in the previous netcat session under the www-data shell and wait for some time and get back to another netcat listener.

After some time, you will have access to the root shell, you will now get the final flag in the root directory as shown below.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here