Symfonos:5 Vulnhub Walkthrough

This is another post on vulnhub CTF “named as “symfonos” by Zayotic. It is designed for VMware platform, and it is a boot to root challenge where you have to find flags to finish the task assigned by the author.

You can download it from here: https://www.vulnhub.com/entry/symfonos-5,415/

Level: Intermediate

Penetrating Methodologies

Scanning

  • Netdiscover
  • Nmap

Enumeration

  • Abusing HTTP
  • Dirb

Exploiting LFI

  • Burp suite

Privilege Escalation

  • Exploiting Dpkg

Walkthrough

Scanning

Let’s start off with the scanning process. This target VM took the IP address of 192.168.0.112 automatically from our local wifi network.

Then we used Nmap for port enumeration. We found that port 22 for SSH, 80 for HTTP,389 and 636 for ldap are open.

Enumeration

As port 80 is open, we tried to open the IP address in our browser, but we didn’t find anything useful on the webpage.

Further, we use dirb for directory brute-forcing and found /admin.php page with status code 200 OK on executing following command.

When we searched the above-listed web page, i.e./admin.php; we got a login page, but we don’t know the login credential, so we try to bypass the login page by using the SQL injection and brute force attack, but unfortunately nothing was achieved.

Therefore, further, we use burpsuite and intercept the browser request of the current webpage for analyzing its request. We sent the request to the repeater and gently found a suspicious hyperlink inside its burp response.

We feel there are possibilities of LFI just because the URL is connecting with localhost for portraits.php file as shown in the given image.

To ensure the possibility of LFI vulnerability we try to pull “/etc/passwd” file by fuzzing the parameter “/home.php?url=” and it works successfully as expected to be.

Exploit LFI

As a result we successfully got the content of “admin.php” file by exploiting LFI by fuzzing the same parameter. As we knew the http://192.168.0.112/admin.php webpage requires login credential and here we found credential “username: admin” and “password: qMDdyZh3cT6eeAWD” which is actually used to connect with LDAP.

Further, we used nmap for LDAP enumeration and run following command, and as a result we found user information including password.

Privilege Escalation

Thus, we used the user zeus credential as enumerated above to access the ssh shell of the host machine and check sudo rights for him. We found zeus has sudo permission to run dpkg as root thus we abuse zeus sudo rights for privilege escalation by exploiting dpkg functionality.

As we Dpkg is package installer just like apt in Linux like operating system and so here we are going to craft a Debian package with the help fpm transfer on the host machine to get the privilege shell.

write following code in the shell.sh file and save it.

Install fpm in your local machine and run following command to generate a Debian package for shell.sh file.

Note: You will need to install FPM on your machine.

Once the malicious deb package gets generated download it on the host machine and install the package as root. To perform privilege escalation run the following command and you get privilege where you found the proof.txt as shown in the given image.

Author: Pinky Deka is trained in Certified Ethical hacking and Bug Bounty Hunter. Connect with her here

CyNix:1 Vulnhub Walkthrough

Today we are sharing another CTF Walkthrough named Cynix Post by Vulnerhub and credit goes to “Sumit Verma” and the level difficulty is set Intermediate-Hard. You have to hunt two flags, and this is a boot to root challenge. Download it from here.

Table of Content

Network scanning

  • Netdiscover
  • Nmap

Enumeration

  • Abusing HTTP
  • Dirbuster

Exploiting LFI

  • Burp Suite

Privilege Escalation

  • Lxd

Walkthrough

Network Scanning

As you know, this is the initial phase where we choose netdiscover for network scan for identifying host IP and this we have 192.168.1.105 as our host IP.

In our next step, we love to use nmap for network ports enumeration, thus we run following command and found port 80 is open for HTTP and 6688 is open for SSH and also the host operating system is Linux based OS.

Enumeration

After network scanning, the enumeration is next phase, because it helps a pentester for to dig out suspicious information or loopholes in the installed application, therefore we navigate to a web browser and explored the host IP as shown but unfortunately, we found nothing except apache default page.

We continue this with the directory brute force attack and the dirbuster used for directory listing. As you can see, we’ve found a directory named /lavalamp to learn more about dirbuster, read the article from here.

We’re browsing the /lavalamp in the web browser and we’re welcomed by the web page shown in the image. Then we dig more and more, including its source code, but found no hint for the next step.

As a result, we fill out the contact form as shown in the image below and intercept the http request of the browser in the browser.

The intercepted request shows that here the HTTP Post method is used to submit the request at /canyobypassme.php page.

Thus, we navigate to /lavalamp/canyoubypassme.php as found above, an image on the web page shown below.

As the web page displays the image only and it was troubling us, thus, we check its source code and notice a hidden form with opacity 0:0 inside the web page.

With the help inspect element we changed the opacity 0:0 to 0:1 and got the form visible on the web page.

Now it was time to intercept the form’s http request by entering a value as a specific number. So, we’ve got the intercepted request in the burpsuite where we’ve seen the parameter “file=1” and maybe there’s a possibility for LFI, so we’ve sent the request to the repeater.

For validating LFI we looked for /etc/passwd file by injecting “../../../etc/passwd” in the parameter “file=1” as checked its response.

Luckily, we found the application is vulnerable to LFI and from its result, we notice record entry for username “ford” and “lxd”

Exploiting LFI

Since ssh is installed on the host machine, so we also check for ssh rsa key by injecting “../../../home/ford/.ssh/id_rsa” in parameter ‘’file=8” as result we found id_rsa key for ssh.

We copied the id_rsa key in a text document and named it “key” and also grant permission 600, and finally get logged in and spawn the ssh shell of the machine.

we found our fist flag user.txt file inside ford’s /home directory and for privilege escalation, we check user_id where we saw ford is member of lxd group thus we can be escalated go with lxd privilege escalation which we had explained in our previous article.

Privilege Escalation

In order to take escalate the root privilege of the host machine you have to create an image for lxd thus you need to perform the following the action:

  1. Steps to be performed on the attacker machine:
  • Download build-alpine in your local machine through the git repository.
  • Execute the script “build -alpine” that will build the latest Alpine image as a compressed file, this step must be executed by the root user.
  • Transfer the tar file to the host machine
  1. Steps to be performed on the host machine:
  • Download the alpine image
  • Import image for lxd
  • Initialize the image inside a new container.
  • Mount the container inside the /root directory

So, we downloaded the build alpine using the GitHub repose.

On running the above command, a tar.gz file is created in the working directory that we have transferred to the host machine.

On another hand, we will download the alpine-image inside /tmp directory on the host machine.

After the image is built it can be added as an image to LXD as follows:

Use the list command to check the list of images

Once inside the container, navigate to /mnt/root to see all resources from the host machine.

After running the bash file. We see that we have a different shell, it is the shell of the container. This container has all the files of the host machine. So, we enumerated for the root flag and found it.

Author: Pinky Deka is trained in Certified Ethical hacking and Bug Bounty Hunter. Connect with her here

SSH Penetration Testing (Port 22)

Probing through every open port is practically the first step hackers take in order to prepare their attack. And in order to work, one is required to keep their port open but at the same time, they are threatened by the fear of hackers. Therefore, one must learn to secure their ports even if they are open. In this post, we will discuss penetration testing of SSH which is also known as Secure Shell.

Table of content

  • Introduction to SSH
  • SSH Installation
  • SSH Port Scanning
  • Methods to Connect SSH
    • Terminal Command (Linux)
    • Putty (Windows)
  • Port Redirection
  • Port Redirection Testing
  • Establish SSH connection using RSA key
  • Exploit SSH with Metasploit
    • SSH Key Persistence- Post Exploitation
    • Stealing the SSH key
    • SSH login using pubkey
  • SSH Password cracking

Introduction to SSH

The SSH protocol also stated to as Secure Shell is a technique for secure and reliable remote login from one computer to another. It offers several options for strong authentication, as it protects the connections and communications\ security and integrity with strong encryption. It is a secure alternative to the non-protected login protocols (such as telnet, rlogin) and insecure file transfer methods (such as FTP).

SSH Installation

It very easy to install and configure ssh service, we can directly install ssh service by using the openssh-server package from ubuntu repo. To install any service you must have root privilege account and then follow the given below command.

when you will execute above command it will extract the package the install the default configure on the host machine. you can check open port with the help of netstat command on the host machine.

SSH Port Scanning

If you don’t have direct access to the host machine, use nmap to remotely identify the port state that is considered to be the initial step of the penetration test. Here we’re going to use Kali Linux to perform a penetration testing.

So, to identify an open port on a remote network, we will use a version scan of the nmap that will not only identify an open port but will also perform a banner grabbing that shows the installed version of the service.

Methods to Connect SSH

Terminal Command (Linux)

Now execute the following command to access the ssh shell of the remote machine as an authorized user. Username: ignite

Password: 123

Putty (Windows)

Step1: Install putty.exe and run it, then enter the HOST IP address <192.168.1.103> and port <22>, also choose to connect type as SSH.

Step2: To establish a connection between the client and the server, a putty session will be generated that requires a login credential.

Username: ignite

Password: 123

Port Redirection

By default, ssh listen on port 22 which means if the attacker identifies port 22 is open then he can try attacks on port 22 in order to connect with the host machine. Therefore, a system admin chooses Port redirection or Port mapping by changing its default port to others in order to receive the connection request from the authorized network.

Follow the below steps for port redirection:

Step1: Edit the sshd_config from inside the /etc/sshd using the editor

Step2: Change port 22 into 2222 and save the file.

Step3: Then restart ssh

Port Redirection Testing

Thus, when we have run the scan on port 22, it has shown port state CLOSE for ssh whereas port 2222 OPEN for ssh which can be seen the given image.

Establish SSH connection using RSA key

Strong passwords don’t seem to be decent to secure the server because a brute force attack can crack them. That’s why you need an additional security method to secure the SSH server.

SSH key pairs is another necessary feature to authenticate clients to the server. It consists of a long string of characters: a public and a private key. You can place the public key on the server and private key on the client machine and unlock the server by connecting the private key of the client machine. Once the keys match up, the system permits you to automatically establish an SSH session without the need to type in a password.

Ssh-keygen is a tool for creating new authentication key pairs for SSH. Such key pairs are used for automating logins, single sign-on, and for authenticating hosts.

Thus, we will follow the steps for generating a key pair for authenticated connection.

Step1: Run the given command to generate an ssh key pair (id_rsa and id_rsa.pub) on the host machine Ubuntu.

Step2: Same should be done on the client machine which is authorized to establish the connection with the host machine (ubuntu).

Step3: Once the ssh key pair (id_rsa and id_rsa.pub) get generated then rename the id_rsa.pub into authorized_keys as show in the given image.

Step4: Share the authorized_keys with the host machine by copying it into the .ssh directory.

Step5: Edit the sshd_config from inside the /etc/sshd using the editor

Step6: Enable the “passwordauthentication no” comment

As a result of only the authorized machine which rsa key can establish a connection with the host machine without using password.

Now if you need to connect to the ssh server using your password username, the server will drop your connection request because it will authenticate the request that has authorized key.

Step7: Copy the id_rsa key from Kali Linux to the windows machine, to established connection using authorized keys on the windows machine,

Step8: Install puttygen.exe

Step 9: Run puttygen.exe and load the id_rsa and “save as key” named as Key

Step10: Use putty.exe to connect with the host machine by entering hostname 192.168.1.103 and port 22.

Step11: Navigate to SSH >auth and browse the key private key that you have saved as mention in step 9.

This will establish an ssh connection between windows client and server without using a password.

Exploit SSH with Metasploit

SSH Key Persistence- Post Exploitation

Consider a situation, that by compromising the host machine you have obtained a meterpreter session and want to leave a permanent backdoor that will provide a reverse connection for next time.

This can be achieved with the help of the Metasploit module named “SSH Key Persistence-a post exploit” when port 22 is running on the host machine.

This module will add an SSH key to a specified user (or all), to allow remote login on the victim via SSH at any time.

As can be seen in the image given, it added authorized keys to /home / ignite/.ssh and stored a private key within /root/.msf4/loot

As we ensure this by connecting the host machine via port 22 using a private key generated above. Here I have renamed the private as “key” and gave permission 600.

Bravo!! It works without any congestion and in this way, we can use ssh key as persistence backdoor.

Stealing the SSH key

Consider a situation, that by compromising the host machine you have obtained a meterpreter session and port 22 is open for ssh and you want to steal SSH public key and authorized key. This can be done with the help Metasploit module named “Multi Gather OpenSSH PKI Credentials Collection -a post exploit” as discussed below.

This module will collect the contents of all users .ssh directories on the targeted machine. Additionally, known_hosts and authorized_keys and any other files are also downloaded. This module is largely based on firefox_creds.rb.

From given below image you can see we have got all authorized keys store in /home/ignite/.ssh directory in our local machine at /root/.msf4/loot and now use those keys for login into an SSH server.

This can be done manually by downloading keys directly from inside /home/ignite/.ssh as shown in the below image.

As we ensure this by connecting the host machine via port 22 using private key downloaded above. Let’s change the permission for the rsa key and to do this follow the step given below.

It works without any congestion and in this way, we can use ssh key as persistence backdoor.

SSH login using pubkey

Considering you have id_rsa key of the host machine and want to obtain meterpreter session via Metasploit and this can be achieved with the help of the following module.

This module will test ssh logins on a range of machines using a defined private key file and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. Key files may be a single private key or several private keys in a single directory.

This will give a command session which can be further updated into the meterpreter session by executing the following command.

SSH Password cracking

We can test a brute force attack on ssh for guessing the password or to test threshold policy while performing penetration testing on SSH. It requires a dictionary for username list and password list, here we have username dictionary “user.txt” and password list named “pass.txt” to perform the brute force attack with the help of hydra

As a result you can observe that the host machine has no defence against brute force attack, and we were able to obtain ssh credential.

To protect your service against brute force attack you can use fail2ban which is an IPS. Read more from here to setup fail2ban IPS in the network.

If you will observe the given below image, then it can see here that this time the connection request drops by host machine when we try to launch a brute force attack.

Conclusion: In this post, we try to discuss the possible way to secure SSH and perform penetration testing against such a scenario.

Author: Nisha Sharma is trained in Certified Ethical hacking and Bug Bounty Hunter. Connect with her here

DC: 9: Vulnhub Walkthrough

In this article, we are going to crack the DC: 9 Boot to Root Challenge and present a detailed walkthrough. The machine depicted in this Walkthrough is hosted on Vulnhub. Credit for making this machine goes to DCAU. Download this lab by clicking here.

Penetration Testing Methodology

  • Network Scanning
    • Netdiscover Scan
    • Nmap Scan
  • Enumeration
    • Browsing HTTP Service
  • Exploitation
    • Connection via SSH
  • Post Exploitation
    • Enumeration for Sudo Permissions
  • Reading Root Flag

Walkthrough

Network Scanning

We downloaded, imported and ran the virtual machine (.ova file) on the VMWare Workstation, the machine will automatically be assigned an IP address from the network DHCP. To begin we will find the IP address of our target machine, for that use the following command as it helps to see all the IP’s in an internal network:

We found the target’s IP Address 192.168.1.8. The next step is to scan the target machine by using the Nmap tool. This is to find the open ports and services on the target machine and will help us to proceed further.

Here, we performed an Aggressive Port Scan because we wanted to grab all the information. After the scan, we saw that port 22 was detected but filtered, this says that we do have the SSH service but something is blocking it from the inside. We have the port 80 with the Apache httpd service. This was the lay of the land. Now let’s get to enumeration.

Enumeration

We started from port 80 and tried to browse the webpage on our browser. With the history of the series of DC Machines, the Drupal CMS is used. But this was not Drupal. I must say there was some work done here to make the webpage look like one provided by the Drupal. Smart Move. We have the Home page depicted in the image given below. We also have the “Display All Records” tab, which consists record of some users. We have the Manage tab, but it requires some credentials to manage users.

During our Enumeration, we didn’t find anything much to move ahead. We had a Form in the Search Tab. Forms are susceptible to Injection Attacks. To test for the SQL Injection on this search attack, we will search for some text inside the search form and capture the request by clicking on Search Button. We will capture the request using the BurpSuite Tool.

We copied the captured request and pasted in inside a text file and named it raj.txt. We did so to use the captured request with the sqlmap. Now we will start the sqlmap to check if the search form is vulnerable to SQL Injection or not. If it is vulnerable, this will enumerate some databases form this machine.

After working for some time, sqlmap told us that the search form is vulnerable. We see that the back-end DBMS configured is MySQL 5.0.12. We also see that some databases that are extracted by sqlmap. We have the “information_schema”, “Staff” and “user” named databases.  Now let’s enumerate these databases, as sqlmap doesn’t allow multiple databases at the same time. We will enumerate the Staff Database first.

The Staff Database contains 2 tables. First Table consists of email ids, phone numbers, First Name, Last Name and Positions of users and the Second Table consist of a username and a password hash. The username is “admin”. So, it hints at us that this might be an important account.

Before moving on with the hash cracking, let’s enumerate another database as well. The database named is users. We will again use the sqlmap in a similar way that we did earlier but change the database name against the -D parameter as depicted below.

After working on the enumeration, the sqlmap extracts a table named UserDetails from the user database. We have ids, First Names, Last Names, usernames, and passwords. This is important data that could be used further down the road. But let’s get back to our hash.

We went on our favorite hash cracker website, “Hashkiller”. We entered the hash and it told us that the hash is MD5 in nature. The cracked password is “transorbital1”.

Now that we have the admin credentials, let’s look back at the Web Application that we were presented by the Machine. We had a Manage Tab which contains a login authentication page. We enter the credentials that we just cracked. We see that we have some additional features unlocked now like manage and Add Record. But what struck our eye was the footer. It now says that “File does not exist”. This means there must be a file that was being included to the footer which is now missing or misplaced. We know that where we have the include function, we have a probability of finding an LFI Vulnerability.

We try to test it using the most common LFI testing URL parameter. We insert the testing parameter in the URL followed by the welcome.php file. We do add “?file=” so that it can be pointed to a Local File on the Server. We try to look for the /etc/passwd file. We see that it is accessible. This proves that we do have the LFI Vulnerability.

We started to enumerate different files on the Target Machine. This is when we stumbled upon the knockd.conf. This means that the is Port Knocking Involved. We see that we have the openSSH configured here with a sequence. We note this sequence and knock the SSH Port In this sequence to get it up and running.

Exploitation

We use the knock command for the Port Knocking. This can be done by a bunch of different methods. After Knocking the ports in the sequence, we ran the NMAP scan again to ensure that our knocking worked and SSH Port should be open now. We have the SSH port open. This is our way in.

Now that we have the SSH service, we need login credentials to get inside. We tried the same credentials that we used on WebApp but it was a no go. We went back to the user database that we enumerated earlier and made 2 dictionaries for the bruteforce of the SSH Service. We used the usernames and passwords columns form that table for this procedure.

After creating the user.txt and pass.txt dictionaries, we used the hydra tool for the bruteforce against the SSH service on the Target Machine. After some tries, we see that the user janitor is the user with the SSH Access. We now have the proper credentials to login via SSH.

We logged in using the following credentials.

Username: janitor

Password: Ilovepeepee

After logging in we being our Enumeration of the Machine for steps through which we can elevate our access on the machine. In the process of Enumeration, we ran the Directory Listing command, and we see that we have a hidden directory labeled “secrets-for-putin”.

We traversed inside the newly found hidden directory using the cd command. We again list all the contents inside this directory to find a text file named “passwords-found-on-post-it-notes.txt”. More Passwords, Cool! We read this text file using the cat command.

We went back to our native terminal and edited the pass.txt file and appended it with this newly found passwords. Now with recent developments, we ran the hydra bruteforce again. This time we see that we have some additional valid login credentials.

Post Exploitation

Let’s login using the first credential we found. It was the user fredf. We used the su command on the previous SSH session we had using the following credentials.

Username: fredf

Password: B4-Tru3-001

After logging in as the user fredf, we check if what kind of sudo rights does this fredf user have? We see that it can run a program called test as a root user without entering any password. We ran the test program but nothing happened.

To inspect what went wrong, we went to the location where we see that the test is saved. We found the test.py. On taking a closer look we see that it is a simple data append program. It will take 2 files as parameters and then append the contents of the first file inside the second file.

Privilege Escalation

Now to escalate privileges, we thought that we will create a new user with root access and make the entry of the user inside the /etc/passwd file using the test file. Let’s create a user and its password hash. We accomplish this task using openssl. Here we created a user named pavan with the password 123456. We get our hash, let’s move on to the target machine.

We add username, colons (:), and “:0:0::” to make the entry that could act as a root user. After that, we used the echo command to create a file named in the  /tmp directory named raj. Then we used the test program that we found earlier with the raj file and appended that user hash that we just created inside the /etc/passwd file. After this we login in as the user pavan that we created. We enter the password and we have the root access on the machine.

Accessing the Root Flag

We moved to the home of the root user and found the final root flag. This was a nice machine. We enjoyed every bit of it. We are sad to see this nice series come to end. But we thank the author for putting so much effort into our learning. 

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn