Sunset: Nightfall Vulnhub Walkthrough

We have another CTF challenge for CTF players, named “Sunset: Nightfall”, which can be downloaded from Vulnhub here. The credit goes to “whitecr0wz” for designing this VM for beginners. This is a Linux-based CTF challenge where you can use your basic pentesting skills to compromise the VM and escalate to a root shell.

Level: Easy

Task: Boot to Root

Penetrating Methodologies

Network Scanning

  • Netdiscover
  • Nmap

Enumeration

  • Enum4linux

Exploiting

  • FTP Brute force
  • Injecting blank SSH key
  • SSH login

Privilege Escalation

  • SUID Binaries
  • Sudo Rights

Walkthrough

Network Scanning

Let’s begin with a network scan using netdiscover to identify the host machine’s IP.

This gave 192.168.0.24 as the host IP; now we move on to port and service scanning.

For a deep network scan we always prefer the nmap aggressive scan, and this time we take the same approach, running the command below to enumerate running services and open ports.

From the scan result, we found multiple open ports for various services, but port 21 looks interesting because it is running pyftpdlib for FTP.

Enumeration

For more detail we need to start enumeration against the host machine, so we navigated to a web browser to explore the HTTP service, but found nothing there.

While enumerating the SMB service with Enum4linux, we found two usernames: “nightfall” and “matt”.

Exploiting

Since we have enumerated two usernames, let’s launch a brute-force attack with hydra and try to find a password for FTP login.

Great! “Cheese” 😊 is the password of user “matt”; let’s use this credential for FTP login.

We logged into FTP successfully, so we decided to upload a malicious file inside /var/www/html, but unfortunately we were unable to access that directory.

This is due to pyftpdlib, the Python FTP library in use: file sharing may be allowed only on one particular directory, hence we are unable to access the /var/www/html directory.

But we still have another approach, i.e. uploading an SSH key: we will try to inject our own SSH public key into the host machine and access a TTY shell via SSH. This can be achieved by creating a folder named .ssh and uploading our key inside it.

Thus, on our local machine, we created an SSH key with a blank passphrase using ssh-keygen, which creates two files. Then we copied the id_rsa.pub file into another file named “authorized_keys”; now we need to transfer this file to the host machine.

As we already have FTP access to the host machine, it is easy for us to upload authorized_keys into the .ssh directory we created earlier.

So, when we try to connect over SSH as user matt, we log in successfully, as shown in the image below. At this point we have compromised the host machine, but to get a root shell we need to bypass user privileges; therefore, without wasting time, we try to identify SUID-enabled binaries with the help of the find command.

So, we found that /script/find has SUID permission and works like the Linux find utility; thus we executed a /bin/sh command through it and obtained a shell as nightfall.
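As an added defender-side check (not part of the original walkthrough): the same `find / -perm -4000` enumeration used above becomes a detection when its output is compared against a baseline of expected SUID binaries, so an out-of-place entry such as /script/find stands out. The find output and the baseline below are constructed for illustration.

```python
# Added example (not from the walkthrough): audit `find / -perm -4000` output
# against a baseline so an out-of-place SUID binary such as /script/find is
# reported. The find output and the baseline are constructed for illustration.
import posixpath

# Common SUID binaries on a Debian-like host; extend from a known-good image.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
}
# Directories where a SUID binary normally lives.
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")
# Utilities that, with SUID root, let a caller spawn a shell or read any file.
SHELL_CAPABLE = {"find", "vim", "vi", "bash", "sh", "python3", "perl", "awk", "cp", "cat"}

# Constructed output of: find / -perm -4000 -type f 2>/dev/null
SAMPLE_FIND_OUTPUT = """\
/usr/bin/passwd
/usr/bin/sudo
/bin/su
/bin/mount
/script/find
/usr/bin/chsh
"""


def audit_suid(find_output):
    """Return (path, reason) pairs for SUID binaries that need review."""
    findings = []
    for line in find_output.splitlines():
        path = line.strip()
        if not path:
            continue
        path = posixpath.normpath(path)
        if path in EXPECTED_SUID:
            continue
        if not path.startswith(SYSTEM_DIRS):
            findings.append((path, "SUID binary outside standard system directories"))
        elif posixpath.basename(path) in SHELL_CAPABLE:
            findings.append((path, "SUID on a utility that can spawn a shell or read files"))
        else:
            findings.append((path, "SUID binary not in baseline"))
    return findings


if __name__ == "__main__":
    for path, reason in audit_suid(SAMPLE_FIND_OUTPUT):
        print(f"{path}: {reason}")
```

Run it on real output by piping `find / -perm -4000 -type f 2>/dev/null` into `audit_suid`; anything reported should be explained or have its SUID bit removed.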

So, we got access to the nightfall shell, where we found our 1st flag inside the user.txt file.

But this was a limited shell, so to get a proper shell as nightfall we applied the previous approach of placing a blank-passphrase SSH key: inside /home/nightfall we created a .ssh folder and uploaded the authorized_keys file we had created previously.

Privilege Escalation

Now repeat the same steps and connect over SSH as nightfall; you will get an SSH shell like ours, as shown in the image below. Further, we checked the sudo rights for nightfall and observed that he has sudo rights for the cat program, which means we can read higher-privilege files such as the shadow file.

We executed the following command to read the shadow file and obtained some hash values.

So, we saved the hash of user root in a text file and then used John the Ripper to crack the hash.

Boom!! We got user: root, password: miguel2

Using the above credential, i.e. root:miguel2, we got root shell access, and inside the /root directory we found our final flag.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast. Contact here

Serial: 1 Vulnhub Walkthrough

Today we are going to take on a new challenge, Serial: 1. The credit for making this VM goes to “sk4”, and it is a boot2root challenge where we have to root the server to complete it. You can download this VM here.

Security Level: Beginner/ Intermediate

Penetrating Methodology

Scanning

  • NMAP
  • Dirb

Enumeration

  • Browsing the website
  • Burp Suite

Exploitation

  • Analyze and change PHP code to get

Privilege Escalation

  • Sudo permission for vim command

Walkthrough

Scanning

First things first: scan the vulnerable machine using Nmap.

Here we got only two ports: 80 and 22.

We browsed the website on port 80 and got a message hinting that we might find something in the cookies.

When we intercepted the request, there was a very lengthy value for a cookie. The value of the cookie “user” was base64 encoded.

Decoding the value gave us a username; we tried to change it to something else, but that was not possible.

For a moment we set it aside and tried to list all the available directories using dirb.

Here we found one interesting directory named backup.

We visited the backup directory on the webserver and found a zip file over there.

We downloaded the zip file and extracted the contents and found three files.

Let’s check the contents of the files, starting from:

  1) index.php
  2) class.php
  3) class.php

After carefully analysing the code of index.php and user.class.php, we came to know that we can generate the base64-encoded value of the user cookie by just adjusting a function call from index.php to user.class.php. So, we added one line at the end to display the base64 value, encoded in the same format as the user cookie value, but this time for another user, i.e. admin.

Now let’s run the PHP code and check its output.

We got a base64-encoded value, which we will try to use as the value of the user cookie.

Well, the base64 cookie value worked but was not much help, so we started looking for something else. Checking log.class.php, we found that the Log class has an include to load a log file, but the parameter type_log is not assigned any value. We assigned the variable the path of the passwd file as its value.

Alongside that, we made a small change in the user class: we replaced the function call to the Welcome class with a call to the constructor of the Log class.

Now when we ran the user.class.php file again, we found the passwd file displayed and got the base64-encoded value we can use as the cookie.

When we tried the base64-encoded cookie value on the webpage, we got the passwd file from the target machine, confirming a file inclusion vulnerability.

Now that we have verified the file inclusion vulnerability, we created a remote code execution file and started a Python web server.

Now we edit the Log class to change the file path variable to the URL of our shell.

After putting the code in place, it’s time to get the cookie value to execute.

We then used the cookie value and provided the cmd parameter with the ifconfig command.

While checking the contents, we found a file named credentials.txt.bak.

We checked its contents and found what looked like a set of credentials; let’s try to use them.

We used the credentials for SSH and got access. While enumerating, we found the first flag.

Now we have to escalate privileges, so we checked the sudo permissions of the current user. We found that we have sudo permission for the vim editor.

We used privilege escalation through the vim editor and got the root shell.
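Both this escalation (sudo for vim) and the one in Sunset: Nightfall (sudo for cat) come down to a sudoers rule that hands a non-root user a binary able to read any file or spawn a shell. The following added audit, which is not part of either walkthrough, parses a sudoers file and flags such rules; the sudoers fragment and usernames are constructed for illustration.

```python
# Added example (not from the walkthroughs): flag sudoers rules granting
# non-root users binaries that read arbitrary files (cat: root can read
# /etc/shadow) or can spawn a shell (vim: root shell from the editor).
# The sudoers text and usernames below are constructed for illustration.
import re

# Basenames only; keep both lists short enough to review by eye.
FILE_READERS = {"cat", "less", "more", "head", "tail", "tac"}
SHELL_CAPABLE = {"vim", "vi", "nano", "find", "awk", "python3", "perl", "bash", "sh"}

# user  host=(runas[:group])  [TAG:] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")
# Tags such as NOPASSWD: or SETENV: that may precede a command.
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")

SAMPLE_SUDOERS = """\
# constructed sudoers fragment
Defaults env_reset
root    ALL=(ALL:ALL) ALL
nightfall ALL=(root) NOPASSWD: /usr/bin/cat
webdev  ALL=(ALL) /usr/bin/vim
ops     ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
"""


def audit_sudoers(text):
    """Return (user, command, reason) for risky rules granted to non-root users."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("user") == "root":
            continue
        for cmd in m.group("cmds").split(","):
            cmd = TAG_RE.sub("", cmd.strip())
            if cmd == "ALL":
                findings.append((m.group("user"), cmd, "unrestricted sudo (ALL)"))
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in FILE_READERS:
                findings.append((m.group("user"), cmd, "can read any file, including /etc/shadow"))
            elif binary in SHELL_CAPABLE:
                findings.append((m.group("user"), cmd, "editor/interpreter can spawn a root shell"))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: {cmd}: {reason}")
```

Rules in /etc/sudoers.d/* should be fed through the same function; the fix for a flagged rule is a narrower command (a wrapper script or a specific file path) rather than the general-purpose binary.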

Author: Deepanshu is a Certified Ethical Hacker, Security Researcher, Pentester and Trainer at Ignite Technologies. Contact here

Symfonos:4 Vulnhub Walkthrough

Hello guys, today we are going to take on a new challenge, Symfonos:4, the fourth lab of the Symfonos series. The credit for making this VM goes to “Zayotic”, and it’s another boot2root challenge where we have to root the server and capture the flag to complete it. You can download this VM here.

Level: Intermediate

Penetrating Methodology:

Network Scanning

  • Netdiscover
  • Nmap

Enumeration

  • Browsing HTTP Service
  • Directory Bruteforcing using dirb

Exploitation

  • SQL injection to bypass Login Form
  • Using LFI to read the Logs
  • SSH log poisoning using a malicious PHP script
  • Using Metasploit to create PHP reverse shell
  • Port Forwarding
  • Encoding and Decoding Cookies

Privilege Escalation

  • Inject netcat reverse shell into jsonpickle string
  • Replacing cookie with Base64 Encoded Reverse Shell
  • Getting Root Access

Walkthrough

Network Scanning

We will be running this lab in VMware Player or VirtualBox. But first, let’s discover the IP address of the lab, i.e. 192.168.0.23.

Once the IP address is acquired, we run an aggressive scan using nmap to proceed further.

Enumeration

For more details, we need to start enumeration against the host machine. Therefore, we navigate to a web browser to explore the HTTP service, since port 80 is open.

Let’s further enumerate the target machine through a directory brute force using the dirb tool. This gave us pages named “atlantis.php” and “sea.php”. After browsing both, we noticed that “sea.php” redirects to “atlantis.php”.

Exploitation

So, browsing atlantis.php turned out to be a login form. To further enumerate the form, we tried SQL injection combinations. After a few tries, we were able to bypass the login form using 'or '1'='1' as the username and any random value as the password.

After bypassing the login form, we got a prompt to select a god. We selected a random god, i.e. Hades, and were redirected to a URL that left us curious.

After considering the possibilities, it quickly struck us to try Local File Inclusion. Trying to read the /etc/passwd file didn’t succeed, so we then thought of reading the log file using LFI, and we successfully read the logs.

For Reference: https://www.hackingarticles.in/rce-with-lfi-and-ssh-log-poisoning/

So we try to inject a malicious PHP command via SSH to poison the auth logs, as shown in the image below, so that hopefully we can use a ‘C’ parameter to run arbitrary system commands on the target machine.

Indeed, we now have a way to execute commands on the target machine. To confirm it, we simply checked the id on the target machine.
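From the defender’s side, the chain above leaves two traces: an sshd log entry whose attempted username is PHP code, and a web request whose parameter points at that log file. The following detection logic is an added example, not part of the original walkthrough; the log lines, hostnames and the page/parameter names in the access log are constructed.

```python
# Added example (not from the walkthrough): detect the two halves of SSH log
# poisoning via LFI in constructed sample logs: (1) sshd entries whose attempted
# username contains PHP, (2) web requests that reference a log file or traverse
# directories. Hostnames, IPs and the page/parameter names are constructed.
import re

# sshd logs the attempted username verbatim in these two message forms.
SSH_USER_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for invalid user) "
    r"(?P<user>.*?) from (?P<ip>\S+)")
# PHP open tags and a few execution functions inside the username field.
PHP_MARKERS = re.compile(
    r"<\?(?:php|=)?|\b(?:system|exec|passthru|shell_exec|eval)\s*\(", re.I)
# Combined-format access log: client, ident, user, [time], "request".
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)"')
LFI_MARKERS = re.compile(r"\.\./|%2e%2e%2f|/var/log/|/etc/passwd|/proc/self/", re.I)

SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 symfonos sshd[1201]: Accepted publickey for matt from 192.0.2.5 port 50222 ssh2
Jan 10 12:00:07 symfonos sshd[1210]: Invalid user <?php phpinfo(); ?> from 192.0.2.10 port 41000
Jan 10 12:00:07 symfonos sshd[1210]: Failed password for invalid user <?php phpinfo(); ?> from 192.0.2.10 port 41000 ssh2
Jan 10 12:00:20 symfonos sshd[1222]: Invalid user backup from 192.0.2.11 port 41002
"""

SAMPLE_ACCESS_LOG = """\
192.0.2.5 - - [10/Jan/2020:12:01:00 +0000] "GET /sea.php HTTP/1.1" 302 0
192.0.2.10 - - [10/Jan/2020:12:01:30 +0000] "GET /page.php?file=../../../../var/log/auth.log HTTP/1.1" 200 8123
"""


def find_log_poisoning(auth_log):
    """(source_ip, username) for sshd attempts whose username looks like PHP."""
    hits = []
    for line in auth_log.splitlines():
        m = SSH_USER_RE.search(line)
        if m and PHP_MARKERS.search(m.group("user")):
            hits.append((m.group("ip"), m.group("user")))
    return hits


def find_lfi_requests(access_log):
    """(client_ip, request) for requests that reference log files or traverse."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and LFI_MARKERS.search(m.group("req")):
            hits.append((m.group("ip"), m.group("req")))
    return hits


if __name__ == "__main__":
    print(find_log_poisoning(SAMPLE_AUTH_LOG))
    print(find_lfi_requests(SAMPLE_ACCESS_LOG))
```

Either hit alone is worth an alert; the same client IP appearing in both within minutes is the full chain. The root-cause fix is a PHP include that only accepts an allowlisted page name, with open_basedir keeping /var/log out of reach.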

Time to fire up Metasploit: using the web_delivery module, we created a malicious link for a PHP reverse shell.

We need to run the above PHP reverse shell in the ‘C’ parameter of the URL, as shown in the image.

On successful execution of the shell, we saw a new session open. To get the complete meterpreter we need to interact with the opened session, and to confirm, we checked the system information.

We thought of checking the running processes. Looking through them, we saw an interesting process listening on 127.0.0.1:8080, which didn’t show up in our Nmap result because it was bound to localhost.

Let’s forward port 8080 to our port 8888.

Once done with port forwarding, we browsed the forwarded port 8888 on localhost, but we were redirected to a page /whoami.

We had to go back to the main page manually. Then it occurred to us that we might have a cookie for the username.

Without wasting time, let’s intercept the request of this page using Burp Suite. The cookie is base64 encoded; we need to decode it.

NOTE: Since port 8080 was busy with another process, we changed Burp Suite’s listening port to a random port. Don’t forget to configure it before intercepting the request.

We decoded the cookie using Burp Suite’s built-in decoder. After searching about the decoded string, we came to know it is a jsonpickle string.

Making some modifications to the jsonpickle string, we added a netcat reverse shell and encoded the whole string in base64.

We need to replace the old cookie with the new base64-encoded string and forward the request in Burp Suite. Also, don’t forget to spawn a netcat listener on port 5555 in your Kali terminal before forwarding the request.
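The cookie here (a jsonpickle document) and the one in Serial: 1 (a PHP serialize() object) fail the same way: the server deserializes whatever the client sends. The following added example, not from either walkthrough, classifies a base64 cookie by the serialized-object payload it carries and shows the HMAC check a server should apply so a tampered cookie is rejected before anything is decoded; the secret key is a constructed placeholder.

```python
# Added example (not from the walkthroughs): classify a base64 cookie by the
# serialized-object payload it carries (PHP serialize() objects as in Serial: 1,
# jsonpickle documents as in Symfonos:4) and show the HMAC check a server should
# apply before trusting any cookie. The key is a constructed placeholder.
import base64
import binascii
import hashlib
import hmac
import json
import re

# PHP object serialization header, e.g. O:4:"User":2:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z_][\w\\]*":\d+:\{')
# jsonpickle keys that make the decoder reconstruct arbitrary classes/callables.
JSONPICKLE_RE = re.compile(r'"py/(?:object|reduce|function|type|newobj)"')


def b64decode_lenient(value):
    """Decode base64, tolerating stripped padding; return None if not base64."""
    value = value.strip()
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_cookie(value):
    """Return 'php-object', 'jsonpickle', 'plain' or 'not-base64'."""
    raw = b64decode_lenient(value)
    if raw is None:
        return "not-base64"
    text = raw.decode("utf-8", "replace")
    if PHP_OBJECT_RE.search(text):
        return "php-object"
    if JSONPICKLE_RE.search(text):
        return "jsonpickle"
    return "plain"


SECRET = b"constructed-demo-key"  # in practice, loaded from server config


def sign_cookie(payload):
    """Plain JSON body plus an HMAC-SHA256 tag: any tampering changes the tag."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":")).encode()).decode()
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_cookie(cookie):
    """Return the payload dict, or None when the tag does not verify."""
    body, _, tag = cookie.rpartition(".")
    expect = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not body or not hmac.compare_digest(expect, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(body))
```

A cookie that classifies as php-object or jsonpickle is a finding on its own: session state should be plain data (or a server-side session id) whose integrity is checked as in `verify_cookie`, never an object graph the server rebuilds.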

Privilege Escalation:

We successfully got a netcat session with root access. To confirm, we checked the id of the user. The only thing left was to go inside the /root directory and read our flag.

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 3 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here

Westwild: 2 Vulnhub Walkthrough

Today we are going to solve another boot2root challenge called “Westwild: 2”. It is available on Vulnhub for the purpose of penetration testing practice. This lab is not that difficult if we have the proper basic knowledge of cracking labs. The credit for making this lab goes to Hashim Alsharef. Let’s start and learn how to successfully breach it.

Level: Intermediate

Since these labs are available on the Vulnhub website, we will download the lab file from this link.

Penetration Testing Methodology

Network Scanning

  • Netdiscover
  • Nmap

Enumeration

  • Browsing HTTP Service
  • Directory Bruteforce using dirb
  • Using wget to download user and password list

Exploiting

  • Bruteforcing Login credentials using BurpSuite
  • Searching and Getting Exploit using Searchsploit
  • Using Metasploit cmsms_showtime2_rce exploit

Privilege Escalation

  • SUID Binaries
  • PATH Variable
  • sh
  • Editing /etc/passwd
  • Capture the flag

Walkthrough

Network Scanning

We will start by scanning the network with the Netdiscover tool to identify the host IP address.

We can identify our host IP address as 192.168.1.105.

Now let’s scan the services and ports of the target machine with nmap. Nmap has a special flag to activate aggressive detection, namely -A. Aggressive mode enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute).

From its result, we found that ports 22 (SSH) and 80 (HTTP) were open.

Enumeration

For more detail, we need to start enumeration against the host machine. Therefore, we navigate to a web browser to explore the HTTP service.

We got the CMS Made Simple welcome page, as shown in the image below.

Now we further use dirb for directory enumeration. DIRB is a web content scanner: it looks for existing (and/or hidden) web objects by launching a dictionary-based attack against a web server and analysing the responses. This gave us multiple files hosted via the CMS, but aspadmin piqued our interest.

As aspadmin was an interesting result of the dirb scan, we decided to open the URL in our browser.

Further, we downloaded the user and password lists using wget. wget is a command-line utility that downloads single or multiple files from the internet or a server over protocols such as HTTP, HTTPS and FTP. It supports many operations useful when downloading files, such as downloading multiple files, downloading in the background, resuming downloads, renaming downloaded files and mirroring.

Exploiting

Bruteforcing Login Credentials

First, we intercept the request of the CMS login page, where we have entered a random username and password. On clicking login, Burp Suite captures the request.

Now we send the captured request to Intruder via the Action tab. In the Intruder tab we open Positions, where the username and password get highlighted as shown in the image. To set the payload positions, we first press the Clear button at the right of the window, then select the fields we want to attack, i.e. the username and password, and click Add. After that we choose the attack type Cluster Bomb.

In the image below, we have selected username and password, which means we need two dictionary files: one for usernames and one for passwords.

And Boom!! We got the username and password: the username is west and the password is Madison.

To confirm the username and password, we enter the matched pair in the CMS. This generates a welcome message, which shows our success with the simple list payload attack. After a bit of enumeration, we found a plugin installed named “Showtime2”, as shown in the image.

Now, to exploit the CMS, we use searchsploit. We searched for the plugin in searchsploit, as shown in the image. Searchsploit gave us a Remote Code Execution exploit, which moreover is part of the Metasploit Framework.

First, we select the exploit with the use command. After that, we set the remote host IP address, followed by the username and password we extracted earlier. Then we run the exploit command, which gives us a meterpreter shell on the target system. Now that we have the meterpreter, we ran the shell command to get a bash shell. But this gave us an improper shell, so we convert it into a proper shell using the Python one-liner.

And Boom!! We got the shell. Then, without wasting any time, we searched for any file with the SUID (4000) permission using the find command.

By using the following command, you can enumerate all binaries having SUID permissions:

The find command gave us an interesting file named “network_info”. We will try to enumerate this further.

Privilege Escalation

Now, we need to compromise the target system further to escalate privileges. PATH is an environment variable in Linux and Unix-like operating systems that lists the bin and sbin directories in which executable programs are stored. When a user runs a command in the terminal, the shell searches the directories in PATH for a matching executable.

To proceed further we use wget to download LinEnum.sh, a scripted local Linux enumeration and privilege escalation checks shell script that enumerates the system configuration and gives a high-level summary of the checks/tasks performed.

After running the LinEnum script, we found an important piece of information: the /etc/passwd file is readable and writable by the user “wside”.

Now let’s edit the /etc/passwd file. Sometimes it is not possible to execute the passwd command to set a user’s password; in that case, we can use the OpenSSL command, which generates a salted password hash.

openssl passwd computes the hash of the given password using a salt string and the MD5-based BSD password algorithm 1.


After generating the salted hash, we edited /etc/passwd using the echo command to add our password hash.
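For the defender, the escalation above rests on two conditions that are easy to check: a writable /etc/passwd, and a password hash sitting in the password field of a UID-0 entry instead of an “x” pointing to /etc/shadow. The following integrity check is an added example, not from the walkthrough; the sample passwd content and modes are constructed, and the hash shown is a deliberately fake placeholder.

```python
# Added example (not from the walkthrough): integrity checks for /etc/passwd
# that catch the two conditions the escalation above relied on: a file mode
# that lets a non-root user write it, and a password hash written straight
# into the password field of a new UID-0 entry. Sample content and modes are
# constructed; the hash below is a deliberately fake placeholder.
import os
import stat

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
wside:x:1000:1000:wside:/home/wside:/bin/bash
newuser:$1$c0nstr$NOTAREALHASHPLACEHOLDER:0:0::/root:/bin/bash
"""

# Values that legitimately appear in field 2 when hashes live in /etc/shadow.
SHADOWED = {"x", "*", "!", "!!"}


def check_passwd_content(text):
    """Return (line_no, message) findings for a passwd file's contents."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((n, "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append((n, f"{name}: empty password field (no password required)"))
        elif pw not in SHADOWED:
            findings.append((n, f"{name}: password hash stored in /etc/passwd"))
        if uid == "0" and name != "root":
            findings.append((n, f"{name}: non-root account with UID 0"))
    return findings


def check_passwd_mode(mode):
    """Return the write permissions on /etc/passwd that should not be there (expected 0644)."""
    problems = []
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def check_passwd_file(path="/etc/passwd"):
    """Run both checks against a real file on the host."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        content = fh.read()
    return check_passwd_mode(mode), check_passwd_content(content)


if __name__ == "__main__":
    print(check_passwd_mode(0o666), check_passwd_content(SAMPLE_PASSWD))
```

A finding from `check_passwd_content` on a live host should be treated as a confirmed compromise, not a misconfiguration, and `check_passwd_mode` reporting anything means the ownership and 0644 mode of /etc/passwd need to be restored before anything else.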

Author: Japneet Kaur Gandhi is a Technical Writer, Researcher and Penetration Tester. Contact here