DC6-Lab Walkthrough

DC-6 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. This isn’t an overly difficult challenge so should be great for beginners. The ultimate goal of this challenge is to get root and to read the one and only flag. Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

Download it from here – //www.five86.com/dc-6.html

Table of Content

  1. Scanning
  • Netdiscover
  • NMAP
  1. Enumeration
  • WPSCAN
  1. Exploiting
  • Searchsploit
  1. Privilege Escalation
  • sudo rights
  1. Capture the Flag

Walkthrough

Here the author has left a clue which will be helpful in this CTF.

OK, this isn’t really a clue as such, but more of some “we don’t want to spend five years waiting for a certain process to finish” kind of advice for those who just want to get on with the job.

cat /usr/share/wordlists/rockyou.txt | grep k01 > passwords.txt

That should save you a few years. 😉

Scanning

Now, start the CTF challenge by scanning the network and identifying host IPs. As illustrated below, we can identify our host IP 192.168.1.103.

Then, it’s time to run nmap following command to identify open ports and running services.

As ever, this time also we got port 22 and 80 is open for SSH and HTTP services, moreover all HTTP services are made to redirected on domain i.e. //wordy

Therefore, we thought of adding the Domain Name into our Host file, so that we will be able to access http services.

Enumeration

Since port 80 is open, we explored the Domain Name on the browser. We discovered the webpage got a WordPress CMS installed on it.

Since I didn’t find any remarkable clue on the website, therefore, the next idea that came to us was to run a wpscan on the webpage and see what the scan enumerates for us.

Hmmm!! Not bad, here I got usernames as shown in the below image.

Moreover, in a text file named users, I saved all the usernames that I had found from WPScan. If you remember the CLUE I discussed at the beginning of the post, generating a password dictionary would be helpful.

We have successfully found the password for the mark; Let’s make good use of them.

mark:helpdesk01

Exploiting

After login into WordPress, I notice a plugin “Active-monitor” is installed in the dashboard.

So, quickly I checked for its exploit inside searchsploit and surprisingly I found this plugin is vulnerable to reflected XSS and CSRF attack, moreover this vulnerability cloud lead to remote code execution. You will get its exploit from searchsploit which is an html form to exploit CSRF attack.

From searchsploit I found 45274.html file to exploit CRSF attack, but before executing it we need to make to some Cosmo changes as shown below and launch netcat listener.

Now, execute the shell.html file to get the reverse connection.

OKAY!! We got a reverse connection at netcat, where I need to run python command to spawn a proper shell. While traversing I found a bash “backup.sh” and tar “backups.tar.gz” and moreover I found a text file “things-to-do” from inside /home/mark/stuff which stored credential for another user “graham” as shown below.

graham : GSo7isUM1D4

Privilege Escalation

As we knew port 22 is open for ssh and here I try to connect with ssh using graham : GSo7isUM1D4 and luckily I got ssh access as shown below. Since this is boot to root challenge where I need to escalate privilege for root access.

Therefore, I check for sudo rights, where I found Graham can execute backup.sh as jens without a password.

After reading this bash script, I decided to edit this file by adding /bin/bash as shown below.

Then with the sudo right I executed the following command successfully login as jeans.

Now when we have access to jens shell and further I check sudo rights for jeans. As per suoders file permission, jens can run nmap as root. To escalate root privilege, I generate a nmap script to access /bin/sh shell called root.nse and then use nmap command to run the script with sudo.

WELL DONE! We have found the final flag and complete the challenges.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

PowerCat -A PowerShell Netcat

The word PowerCat named from Powershell Netcat which is a new version of netcat in the form of the powershell script. In this article, we will learn about powercat which a PowerShell tool for is exploiting windows machines.

Table of Content

  • Requirement & Installations
  • Testing PowerShell Communication
  • Bind Shell
  • Execute Shell
  • Tunnelling or port forwarding

Introduction & Requirements

PC-1       192.168.1.16

PC-2       192.168.1.19

Powercat PowerShell Script

Powercat brings the usefulness and intensity of Netcat to every ongoing form of Microsoft Windows. It achieves this objective by utilizing local PowerShell form 2 segments. This permits simple organization, use, and minimal possibility of being gotten by customary antivirus arrangements. Furthermore, the most recent adaptations of Powercat incorporate propelled usefulness that goes well past those found in customary types of Netcat.

By default, we cannot run PowerShell scripts in windows. To run PowerShell scripts, we have to first change the execution policy of PowerShell. First, we run PowerShell as an administrator then we run the following command to change the execution policy: –

Now we download powercat in the system. We can either download the powercat script and import it manually or use Invoke-Expression to download the powercat script and import it automatically. In our case, we are using Invoke-Expression to download the powercat script.

Testing PowerShell Communication

Now we are going to test the working of powercat, first we setup our listener in PC-1.

-l is for listen mode

-p is for the port number

-v is for verbose mode

Now in PC-2, we use powercat to connect to PC-1 on port 9000 and send a message through powercat.

Now we switch to PC-1, and we find that we have received the message from PC-2.

Transfer File

We can also transfer the file using powercat, in PC-1 we setup the listener to accept the file from a remote machine inside the particular path and such as save the files as “file.txt” and therefore run the following command to initiate file transferring via port 9000.

-of is for the output file

Now we can use powercat to transfer the file from PC-2 to PC-1. Here we select a file called “1.txt” in PC-2 that will be transferred to PC-1.

-i is for the input file

Now in PC-1, we find that we have received the file from PC-2 inside C drive.

Bind Shell

In PC-1 we start our listener and execute cmd, creating a bind shell so that we can access the terminal of the remote machine, therefore execute below command.

We can connect to PC-1 from PC-2 using powercat and get a shell of PC-1.

Execute Powershell

We can use powercat to execute PowerShell instead of cmd to create a bind or reverse shell. In this case, we are going to create a PowerShell bind shell using powercat in PC-1.

Now we connect PC-2 to PC-1 using powercat and obtain a Powershell of pc-1.

Tunnelling or Port Forwarding

For this practical, we need 3 machines

PC-1 192.168.1.16
PC-2 192.168.1.19
PC-3 10.0.0.10

We can also use powercat for tunnelling. In our case we have the following systems:

We get a session of PC-2 from PC-1 using PSSession.

After giving the username and password for the target machine, we get access to PC-2 where we found another network interface of Class A IP network.

On the target machine, we download powercat using Invoke-Expression.

Now we check for common running services on the gateway and find that port 22 is open.

Now we use powercat for port forwarding so that we can use PC-1 to connect with PC-3.

We now connect to PC-3 using putty.

As seen from the image below we are able to connect to the Ubuntu Machine (PC-3) from the Attacker’s machine(PC-1)

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher  Contact Here

Configure Web Application Penetration Testing Lab

As you know that we have already shown you how to configure web server. Now it’s time to move on to the next step which is the configuration of Web Application in Ubuntu 18. So today we will be learning how can we configure the 5 famous web applications (DVWA, bwapp, XVWA, SQLI, Mutillidae) in our web server for Web Penetration Testing. So, let’s do that.

Table of Content

  • Requirement
  • Web application
  • DVWA
  • bWAPP
  • XVWA
  • Sqli
  • Mutillidae

Requirement-ubuntu 18.0

Web Application

A web application is a remote server software application. In general, web browsers are used through a network, such as an internet, to access Web applications. Like a software program running on a desktop or desktop application, the Web-app permits interaction with the user and can be designed for a wide range of applications.

DVWA

Let’s start You should download and configure this web application only within the html directory for all web applications in the browser through localhost. Go to your Ubuntu terminal and move inside html directory by running the following command and then download dvwa lab from the given link.

After the installation we will go inside the dvwa and there we will find a config folder, now we will move inside the config folder and there we will run the ls command to view all available folder, now, here you will see a config.inc.php.dist file. Now as you can see, we have moved config.inc.php.dist file to config.inc.php

Now open the config file by the following command; where you will find that db user is root and db password is password.

Here you need to make the changes and give access to the Ubuntu user as in our case we have written raj as db user and as our ubuntu password is 123 so we have written 123 as db password.

Now we will try to open dvwa lab in the browser by the following URL and click on Create/Reset Database

Good! We have successfully configured the dvwa lab in ubuntu 18 as we can see that we are welcomed by the login page.

For login, we will use the dvwa username which is admin and password which is dvwa password by default.

bWAPP

A buggy web application that is purposely unsafe. Enthusiasts of security, system engineers, developers can find out about Web vulnerabilities and prevent them.

bWAPP prepares you for successful tests and penetration testing. Now we will configure bWAPP lab in Ubuntu 18. First, we will download bWAPP and then we will move inside the Downloads folder and then unzip the bWAPP file by the following command-

Now we will move bWAPP into var/www/html by the following command-

Now we will edit the config file; so, move inside the config file by the following command and where you can see that db username is root and db password is bug b default.

Now we will make some changes and will set our ubuntu user raj in place of root and set password 123 in place of bug. Save it and then exit the config file.

Now go to your browser and open bWAPP installation file by the following command and click on here as shown in the image below

Now you will get a login page of bWAPP where we will use the default username which is bee and default password which is bug and you are logged in in bWAPP.

Now you can start working on bWAPP.

When you will login as bee:bug; you will get the portal to test your penetration testing skill.

XVWA

XVWA is poorly coded written in PHP/MYSQL web application that helps security lovers learn security from applications. This application is not advisable online because it is Vulnerable to extremes as the name also suggests. This application should be hosted in a controlled and safe environment where you can improve your skills with the tool of your choice. So, let’s start-

First, we will download XVWA from GitHub; so, go to ubuntu terminal and open the following link to download XVWA lab inside html directory by the following link-

Once it is downloaded, we will open the config file of xvwa by the following command

Now we can see that the username of xvwa is root and password is left blank.

Now we will remove the root user from here and we will be using the ubuntu username and password here which is raj:123

Afterwards, we will save the file and exit.

Now browse web application through URL-localhost/xvwa and we can see that we are successfully logged in-

SQLI Labs

A laboratory that offers a complete test environment for those interested in acquiring or improving SQL injection skills. Let’s start. First, we will download SQLI lab inside html directory by the following link-

 Once the download is done, we will move sqli labs into the /var/www/html directory and rename it to sqli. Then go inside the sqli directory where we will find /sqli-connections directory. Here we will run ls command to check the files and we can see that here is file by the name of db-creds.inc

we need to make some changes in the config file by the following command-

As we can see that username is given root and password is left blank which we need to modify.

Now here we will set the username and password as raj:123 Now save the file and exit.

Now browse this web application from through this URL: localhost/sqli and click on Setup/reset Databases for labs.

Now the sqli lab is ready to use.

Now a page will open up in your browser which is an indication that we can access different kinds of Sqli challenges

Click on lesson 1 and start the Sqli challenge.

Mutillidae

OWASP Mutillidae is a free open source purposely vulnerable web application providing an enthusiastic goal for web security. It’s a laboratory which provides a complete test environment for those who are interested in SQL injection acquisition or improvement. This is an easy-to-use Web hacking environment designed for laboratories, security lovers, classrooms, CTFs, and vulnerability assessment targets, and has dozens of vulnerabilities and tips to help the user.

So, let’s start by downloading by the clicking on the following link given below-

After the downloading, go inside the Mutillidae directory and where you will find a directory /includes, go inside this directory.

Inside this directory, we will find database-config.inc file which we need to open by nano command as shown in the image below.

Now here you will find that username is root and password is Mutillidae, by default and which we need to change.

Now we will use our ubuntu username and password which is raj:123. Save the changes and then exit

Now we will open this our local browser by the following URL: localhost/mutillidae where we will find an option of reset database. Just click on it to reset the database.

Now you will be redirected to a page which will ask you to click ok to proceed. Here you need to click on ok and you are done with the configuration of the Mutillidae lab.

So, In this way, we can setup our vulnerable web application lab for penetration testing.

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information SecurityContact here

DC-3 Walkthrough

Hello friends! Today we are going to take another boot2root challenge known as “DC-3”. The credit for making this VM machine goes to “DCAU” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download it from here.

Security Level: Beginner

Penetrating Methodology:

  • Discovering Targets IP
  • Network scanning (Nmap)
  • Surfing HTTP service port
  • Searching exploits via searchsploit
  • Using SQLMAP to dump databases information
  • Using John the Ripper to Crack the Password
  • Login into JOOMLA
  • Inject malicious PHP Reverse Shell Code
  • Using Netcat for obtaining reverse connection
  • Exploit the kernel
  • Getting root access
  • Reading Final flag

Walkthrough

Let’s start off with scanning the network to find our target.

We found our Targets IP Address 192.168.1.104; Our next step is to scan our targets IP Address with nmap.

From nmap result we found only HTTP service is running on port 80 and we got to know that JOOMLA CMS is installed on this website.

So, we navigate to port 80 by exploring target IP in the web browser and read the text message of the admin, moreover the website was running on Joomla CMS as found above.

So to identify installed Joomla version, we checked its Readme file. We can clearly come to know about the version of Joomla 3.7, I think this is might come in handy.

 

We looked for Joomla 3.7 in searchsploit and found JOOMLA SQL INJECTION exploit. We copied the exploits 42033.txt file on our machine and read it contents. It revealed a Command for Sqlmap along with a vulnerable URL.

Then we executed given below sqlmap command and with the help of it we look for the Database names that revealed database 5 entries as shown in the image given below where I notice joomladb.

Let’s again use Sqlmap to look for the tables and column.

After getting the table names, we have dumped the contents of table #_users using sqlmap, which revealed credentials which that come in handy to log into JOOMLA. But the password is encoded, we need to crack it. Time to fire up John up.

We have saved the hash in our system and use john the ripper to crack the hash. Now we have both the credentials to log into Joomla.

Let’s login into Joomla as admin.

After spending some time exploring, we got an idea to add a malicious PHP code (available inside kali: /usr/share/webshells/php) in index.php of beez3 template for getting reverse shell as shown below.

On the other side, we set up a netcat listener. Upon Execution, we got the shell of the target system. To get a proper shell, we have used the python one-liner to spawn the TTY shell.

From the LSB description, we clearly knew for this version of Ubuntu has a direct exploit which can be used to get the root access and found our final flag.

Without wasting time, we found a privilege escalation exploit for ubuntu 16.04. We have downloaded it and extracted it.

After running the exploit, we have easily got the root access and thus got our Final flag.

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 3 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here