CengBox: 2: Vulnhub Walkthrough

Introduction

Today we are going to crack this vulnerable machine called CengBox: 2. It is created by Arslan Bilecen.  This is a Capture the Flag type of challenge. It contains two flags that are accessible after gaining a limited session and a root level privilege on the machine. It is an Intermediate level machine.

Download Lab from here.

Penetration Testing Methodology

  • Network Scanning
    • Netdiscover
    • Nmap
  • Enumeration
    • Enumerating the FTP login
    • Browsing the HTTP service on port 80
    • Directory Bruteforce using gobuster
    • Enumerating Credentials for Gila CMS
    • Enumerating Gila CMS
  • Exploitation
    • Exploiting Command Injection
  • Post-Exploitation
    • Enumerating for Sudo Permissions
    • Crafting a PHP payload using Msfvenom
    • Enumerating the SSH keys
    • Cracking the SSH password using John The Ripper
    • Logging the SSH session as Mitnick user
    • Downloading and Enumerating using pspy64s script
    • Exploring permissions on Motd files
    • Adding nano command to the Motd header file
  • Privilege Escalation
    • Relogging as Mitnick user
    • Creating a new user using openssl
    • Editing the /etc/password and adding a new user
    • Getting root access from new user
  • Getting the Root Flag

Walkthrough

Network Scanning

To attack any machine, we need to find the IP Address of the machine. This can be done using the netdiscover command. To find the IP Address, we will need to co-relate the MAC Address of the machine that can be obtained from the Virtual Machine Configuration Setting. The IP Address of the machine was found to be 192.168.1.104.

Following the netdiscover scan, we need a nmap scan to get the information about the services running on the virtual machine. An aggressive nmap scan reveals that 3 services: FTP (21), SSH (22) and HTTP (80) are running on the application.

Enumeration

It was quite clear from the nmap scan that the FTP service has Anonymous Login Enabled by default and there is a file located in it as well named note.txt. As this is one of the ports that is basically open for access, let’s take a look into it. After logging in as Anonymous, we download the note.txt to our local machine to take a look at it. Here we see it is a note which consists of 2 names. Note them they can be useful down the road. Also, we see that the application is moved to a domain ceng-company.vm. That means we need to configure our /etc/hosts file. We also take note that if we find any CMS on the application then the default credentials can work as the note suggests so.

To access the application, we make the appropriate changes in the /etc/hosts file.

Now that we have made changes in the /etc/hosts file and there was an http service running on the application, we can check the application on our Web browser.

We have the Site Maintenance banner. This means that we need to enumerate further for the proper application. It is possible that the CMS is hidden in one of the directories.

After using dirb for Directory Bruteforcing, we were unable to find any relevant webpages. Then it hit us that what if Aaron from the note meant subdomain. That means we need to perform a directory bruteforce on the subdomain. To do this gobuster is the best tool. It has a vhost option with the subdomains dictionary.

After going on for some time, gobuster gave us the admin subdomain on the ceng-company.vm. But as it can be observed that it is forbidden i.e. 403. We need to bypass this restriction as well.

Let’s make an entry in the /etc/hosts/ file for the admin subdomain.

Let’s try to access the URL again on the Web Browser. It can be observed that the link is still forbidden. We need to enumerate further for a possible entry point.

This is where we decided it is time to do another directory bruteforce. This time, we thought to use the OWASP DirBuster. It gave us some directories. One of them was “gila”. It looks interesting.

We decided to browse the gila directory and we have ourselves a CMS page at last. Wow! That took some time. This made us realise that finding an entry point on the application is as important as exploiting it. Also trusting a single tool is not ideal. We should expand our arsenal of tools and dictionary.

We checked the Gila CMS Documentations for the location of the admin login panel. It was “mysite.com/admin” and after a thorough the read of the documentation on Gila CMS which can be found here. There was nothing about the default password. Also, the login panel asks for an email means we will have to find some email address as well. There were two users that we learnt from the note that we found on the FTP server. It was Kevin and Aaron. Also, Kevin is the one whose account was setup by Aaron. We need to obtain the email address of Kevin. Since ceng-company.vm was the primary domain. We decided to smack both of them together and get the email id as “[email protected]”. It was total guesswork at this moment.  We tried multiple passwords like “password”, “1234”, “gila”. Nothing worked. Then, just as we were about to attempt bruteforce. It came to us to try “admin” as password and Voila! It worked.

As we read the documentation earlier, we knew that the Gila provides a File Manager in its Dashboard. It can help in uploading a payload to generate the session on the virtual machine. But instead of uploading, we decided to edit the already consisting files on the virtual machine as they will have the proper permissions. We used the pentest monkey’s PHP Reverse shell and made the specific changes in it to point our local attacking machine i.e., Kali Linux.

Now, after editing the config file, we started a netcat listener on the port that we specified in the payload. In this case, it was port 1234. After starting the listener, we execute the payload by browsing the payload in the web browser. When we come back to the terminal, we find that a new session is generated but the said session is a limited shell. To upgrade this limited shell into a TTY shell, use the python one-liner.

Post Exploitation

After getting the shell as a part of post-exploitation, we ran the sudo -l command to find the list of binaries that can be run using sudo. We found that there is a script named runphp.sh that can be run using swartz user. We ran the script and got ourselves a php shell.

So, we need a php shell script to get the session. For this, we went back to our local machine and ran the Metasploit Framework. We decided to use the web_delivery exploit. We gave the proper values to the lhost and lport options and got ourselves a php script that can give us a meterpreter session on the target machine. We copied the script.

We pasted the script in the php shell that we got ourselves earlier as shown in the image given below.

After running the script, we went back to the terminal with Metasploit. We have ourselves a meterpreter session. We enumerate the home directory to find a user named Mitnick. It might be important. We traverse into the Mitnick user directory to find a user.txt file and .ssh directory. We tried to read the user.txt but we were unable to. Then we decided that logging as the Mitnick user is the only way to read that user.txt flag. And from the looks of it, it seems that we will have to SSH into Mitnick user. We get into the ssh directory and we have the public keys which can be used to SSH into Mitnick user.

We read the public key and to see that it is indeed the keys for Mitnick user. We copy the SSH key and paste it into a file named “key” on our local system.

We have a script that can convert the “key” into a crackable hash. It is called ssh2john. It is already in the Kali Linux in the /usr/share/ directory. Using the script we converted the “key” into “hash” file. Now that we have a hash, we used John the Ripper to crack it and discovered that the password is legend.

Time to SSH into Mitnick user. We had the username from the previous steps and the password we just cracked. After logging into the Mitnick user, we traversed into the /tmp directory and download the pspy64s script using wget command. We provide it proper permissions and execute it. It will help us enumerate pesky files or permission of different files across the system.

Here, we see that /etc/update-motd.d is running. MOTD is usually the Message of the Day messages. It seems interesting enough to take a look at.

We traverse into the directory to find in this directory all the files are writable. We tied to use edit one using the nano command.

After taking a good look at the files, it was clear that these files are called as root without sanitising the environment. While this is acceptable when called for instance by sshd or by Getty through login where the environment should be controlled, it becomes an issue if, for instance, the attacker modify the PAM to add a temporary user. We added the permissions to nano command in this file.

Privilege Escalation

Now that we have the nano command added in the motd, we need to logout from the ssh session and reconnect so that the motd gets executed. After logging again, we see that nano now have upgraded permissions. Let’s use this nano command to edit the /etc/passwd file and add our user with root privileges.

We opened up a new terminal on our local machine and created a set of credentials for the new user.

Back to the SSH session on the target machine, we add the line with the username raj and with root-level privileges.

Let’s save and exit the nano editor. To check if the entries are saved, we use the tail command. Let just login to raj user using su command and we are root. We can find the root flag in the /root directory.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn

Star Wars: 1 Vulnhub Walkthrough

Today we are going to root a vulnhub machine “star-wars-ctf-1”. It contains one flag that is accessible after gaining root privilege on the machine. It is developed by Sir Logic team difficulty level of this machine is for beginners. Our goal is to gain root shell access.

Download it from here: https://www.vulnhub.com/entry/star-wars-ctf-1,528/

Table of Content:

Reconnaissance

  • netdiscover
  • Nmap
  • Dirb
  • Steganography Online decrypt tool

Exploitation

  • hydra
  • SSH Login

Privilege Escalation

  • Post Enumeration
  • Abusing writeable script
  • Root access

WalkThrough

Reconnaissance

Let’s start reconnaissance for the vulnerable machine by using netdiscover. Through this command, we can identify the IP address of the various devices in our network and eventually finding the IP address of our target machine.

As we got our target IP address for the machine (192.168.0.188), And now that we know our target IP, let’s scan it with the help of Nmap and move forward with the process of information gathering on the target host. In the following command, “-A” means Aggressive scanning.

So, we come to know that only two ports are open here i.e. 22 and 80. And since the port 80 is open, Let’s explore the domain or webpage on this target IP address using any browser.

The webpage hinted us to find the password hence the search for it is commenced. For the password to be known, we are checking the source code of the webpage.

In the source code, the author has given a hint regarding password i.e. “password is here” and below that there is a string of text which indicates that there is a password hidden here somewhere. When nothing worked, we downloaded the image from the main page in the hope that there must be some data hidden behind it by the method os steganography. To use steganography Click the URL https://stylesuxx.github.io/steganography/ and upload the image then click the decoded image for extracting passwords.

We got the password “babyYoda123”, but we don’t know the username, therefore we will brute attack the directory using dirb tool for enumerating web directories.

As a result of dirb we found few directories, but we more interested in robots.txt file.

 

We navigated to the URL http://192.168.0.188/robots.txt and found a webpage named “/r2d2” but we still have to find a username.

As we can see didn’t find any username, further, we again used dirb tool, and this time we were looking for PHP, .js, and/or .txt extension file types.

And from the result of the above command, we found  user.js, let’s explore this. When we opened the user.js in the browser, two entries which could the usernames: skywalker and han were found.

Now that we have both usernames and passwords, we can perform the various password attacks such as the brute force on SSH. For brute force, we will try the tool hydra. We created a users.txt file and we have a password (babyYoda123), now we have to crack the valid username with password.

As you can observe in the image above, only one valid username: han for the password: babyYoda123.

After logging into SSH, we move for post enumeration and found a hidden file named as .secrets that contain a text file “note.txt”. This file looks like a hint for us, where the author wants us to use Cewl for making a wordlist.

Further, we check passwd file for enumerating user account and we saw han, starwalker & Darth as usernames.

As you can see, we have found the robots.txt which has given a hint for /r2d2. So, we explored it in the web browser and obtain a web page as shown in the image below:

If you remember the author has given hint i.e. cewl. Hence with the help of cewl command, we created a dict.txt file and used the dict.txt file as a password list for our brute attack over SSH for user skywalker.

As you can observe from the image above, the previous commands have helped us in finding a valid password for the skywalker. Now we will switch the user han to skywalker.

After switching the user, we found a hidden directory named .secret. Upon exploring, we found that this directory contains a text file called “note.txt”. This file can be a hint for us, so we decided to check it. In the file, the author mentioned: “Darth must take up the job of being a good father”. From this, we can be sure that Darth is the user.

After switching to the home directory, we found a folder named Darth that contains a hidden directory named as .secrets that contain a python file “evil.py”. As you can see in the above image, there is a read and write executable python file, also this file is executing after one minute.

Privilege Escalation

Since the evil.py script was writable, therefore, we edit the evil.py to the get reverse shell as Darther over netcat.

In a new terminal, we run Netcat listener to obtain the reverse connection after one minute.

And after one minute we obtained a session as Darth user, further we used python one-liner to obtain the proper TTY shell and then check the sudo privilege for user Darth.

We found that the user Darth own sudo right for NMAP, thus without wasting much time, we write root.nse script inside /tmp to run /bin/bash for root privilege Escalation when executing through nmap.

Booom!!! We have completed the task and obtain the final flag of the machine

Author: Madhava Rao Yejarla is an Ethical Hacker, Security Analyst, Penetration Tester from India. Contact on LinkedIn or Twitter

ShellDredd #1 Hannah Vulnhub Walkthrough

Today we will solve a new boot2root challenge named “ONSYSTEM: SHELLDREDD # 1 HANNAH“. This lab is made for penetration testing practices and it is available on VulnHub and we can download it from here. The credit goes to d4t4s3c for creating this lab. Let’s start, and learn how to break it down successfully.

Level: Easy

Penetration Testing Methodology

  • Network Scanning
    • netdiscover
    • nmap
  • Enumeration
    • FTP login
  • Exploiting
    • SSH
  • Post Exploitation
    • Enumeration for Sudo Permission
    • Enumeration for SUID
  • Privilege Escalation
    • SUID permission on cpulimit

Now Let’s start this walkthrough

Network Scanning

Using netdiscover we will scan the network for the target machine to find the IP Address. We need to match the MAC Address of the Target Machine with the IP Addresses that was shown by the netdiscover command. On 192.168.0.121 the target machine was active.

Let’s do a port or a services scan. We will be using the nmap tool to see which ports are available. As shown in the image below, the result of nmap shows that port FTP (21) and SSH (61000) services are available.

Enumeration

It was quite clear from the Nmap scan that the FTP service has Anonymous Login Enabled by default. So, let’s login as Anonymous to further enumerate the service.

After logging in, we listed the contents of the directory using the ls command but it was worthless. After this, it came to us that the directories might be hidden. So, now it’s time to use the la option in ls command to list all the files inside the current working directory. Then we found out a hidden directory called (.hannah) in this directory we can find out an SSH key.

We use the get command to transfer this key in our local system aka Kali Linux.

Exploiting

Now as we have downloaded the SSH key from the FTP server, the major concern is that it might have improper permissions. The SSH key requires a specific set of permissions. The key must have the read and write permissions on the User or Owner. That means we need to add 600 permission. After setting appropriate permission, it’s time to login using the SSH key.  If we remember correctly from the Nmap scan, the SSH service is running on the port 61000.

We get access to the Hannah user.

Post Exploitation

Now that we have a session on the target machine, its time to enumerate. We list all the files in the directory and find a file named user.txt. This might be the user flag.

Now that the user flag is found, its time to elevate privileges and look for the binaries that can be run as sudo.

Much to our demise, there isn’t any binary or script that can be run as sudo.

Next on our docket is SUID permissions. We can enumerate all binaries having SUID permissions with the help of the find command as shown in the image below.

We find that there is a binary called cpulimit that have the SUID permissions. Time to exploit it.

Privilege Escalation

We can use this cpulimit to run commands which we don’t have permissions to run like mkdir, cp, etc. but to use we need to move in /tmp directory as it is the only directory which has write permissions. Next, we change the permission for the bash file and copy its contents to the directory we created i.e., ignite. Then we apply the execution permissions to the bash inside the ignite directory.

Then BOOM!! we got the root we can check its id and in the root directory we found out its root.txt. After executing this file, Hurray!! we got our root flag.

Author: Shubham Sharma is a Pentester and Cybersecurity Researcher, Contact LinkedIn, and Twitter.