unknowndevice64: 1: Vulnhub Lab Walkthrough

Hello friends! Today we are going to take on another boot2root challenge known as “unknowndevice64: 1”. The credit for making this VM goes to “Ajay Verma”, and as with every boot2root challenge our goal is to get root access to complete it. You can download this VM here.

Security Level: Beginner

Penetrating Methodology:

  • IP Discovery using netdiscover
  • Network scanning (Nmap)
  • Surfing HTTP service port
  • Finding image File
  • Extracting the hidden file from the image
  • Logging in through SSH
  • Escaping restricted shell
  • Finding binary in sudoers list
  • Getting the root shell and finding the flag

Walkthrough

Let’s start off with scanning the network to find our target.

We found our target –> 192.168.1.104

Our next step is to scan our target with nmap.

The Nmap output shows us that there are 2 ports open: 1337 (SSH) and 31337 (HTTP).

Port 31337 is running HTTP, so we open the IP in our browser. Here we find the string “h1dd3n”, which might be a hint or a password for something.

We take a look at the source code of the web page and, inside a comment, we find the filename “key_is_h1dd3n.jpg”.

We open the image in our browser and download it in our system.

After downloading the image, we use steghide to extract any hidden file from it. When we try to extract files using steghide, it prompts for a password. We use the password “h1dd3n” we found earlier on the webpage and successfully extract a text file. Looking at the content of the text file, we find a Brainfuck-encoded string.

We decode the Brainfuck-encoded string using this site and find a username and password.
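Instead of pasting the string into a website, a short Brainfuck interpreter is enough to decode it locally. This is an added example, not code from the walkthrough; the sample program inside it is constructed for the example and is not the string from the VM.

```python
# Added example (not from the original walkthrough): a minimal Brainfuck
# interpreter so the string recovered from the steghide-extracted file can
# be decoded offline. SAMPLE below is constructed, not the VM's string.

def run_brainfuck(program: str, data: bytes = b"") -> str:
    """Execute a Brainfuck program and return what it writes to stdout."""
    # Pre-compute matching bracket positions so loop jumps are O(1).
    jumps, stack = {}, []
    for pos, ch in enumerate(program):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {pos}")
            start = stack.pop()
            jumps[start], jumps[pos] = pos, start
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")

    tape = bytearray(30000)        # classic 30,000 eight-bit cells
    ptr = pc = in_pos = 0
    out = bytearray()
    while pc < len(program):
        op = program[pc]
        if op == ">":
            ptr += 1
        elif op == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("tape pointer moved left of cell 0")
        elif op == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF   # eight-bit wraparound
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif op == ".":
            out.append(tape[ptr])
        elif op == ",":                          # EOF reads as 0
            tape[ptr] = data[in_pos] if in_pos < len(data) else 0
            in_pos += 1
        elif op == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif op == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        pc += 1                                  # other characters are comments
    return out.decode("latin-1")


# Constructed sample: prints "Hi" (72 = 8*9 for 'H', 105 = 7*15 for 'i').
SAMPLE = "++++++++[>+++++++++<-]>.>+++++++[>+++++++++++++++<-]>."

if __name__ == "__main__":
    print(run_brainfuck(SAMPLE))
```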

As port 1337 is running SSH, we use the credentials we found above to log in. After logging in through SSH we find that we have a restricted shell, and the PATH and SHELL environment variables are read-only.

After pressing the “tab” key twice, we see the commands we can run from the restricted shell. Among those commands we find the Vi editor, which we use to escape the restricted shell.

After escaping the restricted shell, we export “/bin/bash” as our SHELL environment variable and “/usr/bin” as our PATH environment variable so that we can run Linux commands properly. Now we check the sudoers list and find we can run “/usr/bin/sysud64” as root without a password.

On checking the help for “sysud64”, we find that it is actually executing strace.

As we can run sysud64 as root and sysud64 actually runs the strace command, we can spawn a shell as the root user using “sysud64”. After spawning a shell as the root user, we switch to the root directory and
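The root path here is a sudo rule for a wrapper that really runs strace. As an added example (not from the walkthrough), the script below audits sudoers text for rules like that; the user name lowpriv, the sample sudoers lines and the wrapper-to-binary mapping are constructed assumptions.

```python
# Added example (not part of the original walkthrough): audit sudoers rules
# for the misconfiguration this box relies on, a password-less rule for a
# wrapper around a binary that spawns a shell (sysud64 -> strace).
# "lowpriv" and the sudoers text below are constructed for this example.
import re

SHELL_ESCAPE_BINARIES = {"strace", "vi", "vim"}   # binaries named on this page
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"   # user  host=
    r"(?:\((?P<runas>[^)]*)\)\s*)?"                # (runas_user[:group])
    r"(?P<tags>(?:[A-Z]+:\s*)*)"                   # NOPASSWD: and friends
    r"(?P<cmds>.+)$"                               # comma-separated commands
)
SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

def parse_sudoers(text):
    """Yield (user, runas_user, tags, [commands]) per user specification."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.split()[0] in SKIP:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip()
        tags = {t.strip(":") for t in m.group("tags").split()}
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        yield m.group("user"), runas, tags, cmds

def find_risky_rules(text, wrapper_targets=None):
    """Return (user, command, reason) for rules that can yield a root shell.
    wrapper_targets maps a wrapper path to the binary it really executes."""
    wrapper_targets = wrapper_targets or {}
    findings = []
    for user, runas, tags, cmds in parse_sudoers(text):
        if runas not in ("ALL", "root"):
            continue                              # not root-equivalent
        for cmd in cmds:
            path = cmd.split()[0]                 # ignore arguments
            binary = wrapper_targets.get(path, path).rsplit("/", 1)[-1]
            if path == "ALL":
                findings.append((user, cmd, "unrestricted ALL as root"))
            elif binary in SHELL_ESCAPE_BINARIES:
                how = "NOPASSWD, " if "NOPASSWD" in tags else ""
                findings.append((user, cmd, f"{how}{binary} can spawn a root shell"))
    return findings

SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
lowpriv ALL=(ALL) NOPASSWD: /usr/bin/sysud64
backup  ALL=(root) /usr/bin/rsync
"""

if __name__ == "__main__":
    for f in find_risky_rules(SAMPLE_SUDOERS, {"/usr/bin/sysud64": "/usr/bin/strace"}):
        print(f)
```

Without the wrapper mapping the sysud64 rule looks harmless, which is exactly why a sudoers audit has to resolve what each allowed command really runs.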

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiast. Contact Here

Bypass User Access Control using Empire

This is the fifth article in our Empire series; for the basic guide to Empire click here. In this article, we will learn to bypass UAC and gain administrator privileges using the various bypassuac post-exploitation modules.

Table of content :

  • Introduction
  • Bypassuac_env
  • Bypassuac_eventvwr
  • Bypassuac_fodhelper
  • Bypassuac_wscript
  • Bypassuac

Introduction

UAC stands for User Account Control, which determines how many rights a user has to make changes to the system. The rights given to a user depend on the integrity level, which can be:

  • High: Administrator rights
  • Medium: Standard user rights
  • Low: Extremely restricted

UAC works by adjusting the permission level of our user account, and on the basis of this permission it decides whether to run a program or not. When changes are made to this permission level it notifies us, but these modules help us to bypass UAC. In Empire, the highest integrity level, which we try to gain, is indicated by the number 1.

Bypassuac_env

Let’s start with the first module, i.e. bypassuac_env. As you can see in the image, we already have an Empire session with an integrity of 0, which means we do not have admin rights. So type the following set of commands to get administrator privileges:

Executing the above module will give you a new session. Upon accessing that session you can see the integrity has changed to 1, which means we now have administrator rights, just as shown in the image below:

bypassuac_eventvwr

Now, let’s try another module, privesc/bypassuac_eventvwr. The function of this module is the same as before, i.e. to get administrator rights so we can attack more effectively. This module changes a registry key and inserts a custom command which is then executed when Windows Event Viewer is launched. This custom command will turn the UAC flag off. And, as you can see, we have a session with an integrity of 0, which indicates we have no admin rights yet. So, run the following commands:

As you can see, we have a new session with an integrity of 1, which confirms that we now have admin rights.

Bypassuac_fodhelper

The next module we will use for the same purpose is privesc/bypassuac_fodhelper. This module gains administrator rights by hijacking a special key in the registry and inserting a custom command that is invoked when the Windows fodhelper.exe application is executed. It covers its tracks by removing the key after the payload is invoked. Now, just like before, use the following set of commands:

Once the module is executed, you will have a session with an integrity of 1; hence we have succeeded in attaining admin rights.

bypassuac_wscript

The next bypassuac module we will use is privesc/bypassuac_wscript. When using wscript for the UAC bypass, there is no need to send a DLL to the target. As wscript.exe does not have an embedded manifest, it is easy to abuse. Similarly, to gain administrator privileges use the following commands:

As you can see in the image, the new session we have gained has admin rights.

bypassuac

The last module we will use for the same purpose is privesc/bypassuac; this is a trivial process. Execute the following commands:

As you can see in the image above, the new session gained has an integrity of 1; hence administrator rights are gained.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here

nps_payload: An Application Whitelisting Bypass Tool

In this article, we will create payloads using a tool named nps_payload and get meterpreter sessions using those payloads. This tool is written by Larry Spohn and Ben Mauch. Find this tool on GitHub.

Attacker: Kali Linux

Target: Windows 10

Table of Content:

  • Downloading and Installing
  • Getting session using MSBuild
  • Getting session using MSBuild HTA

Downloading and Installing

First, we will get the tool onto our attacker machine, which is Kali Linux in our case. The tool is available on GitHub, so we will use the git clone command to download it.

Now we move inside the folder created by git clone. We can confirm the download with the ls command, then cd into the nps_payload folder. nps_payload needs some requirements in order to run, and those are listed in the requirements text file. We could install each of them individually, but that would be time-consuming; instead we use the pip install command with the requirements file, which picks up every requirement from the file and installs it.

Getting session using MSBuild

Now that we have downloaded the tool and installed the requirements, it’s time to launch it, create some payloads and get some sessions. To launch the tool, we can either use the command

or we could just

After launching the tool, we are given options to choose the technique we want to use: is it going to be the default msbuild payload or the one in HTA format? We are going to use both, but first we will choose the default msbuild payload. Next, we have to choose the type of payload: whether it is going to be reverse_tcp, reverse_http, reverse_https or a custom one. We can choose any one, but here we are choosing reverse_tcp.

Following this, we are asked to enter the Local IP Address. This is the IP address of the machine where we want the session to come back to, that is, the attacker machine, in our case Kali Linux. After that, we are asked to enter the listener port, which is 443 by default; we leave it unchanged. That’s it: we are told that the payload has been created as the file msbuild_nps.xml, and that we should start a listener.

We will start the listener before anything else. To do this we have to be inside the nps_payload folder. The author has provided a script that creates a listener for us, so we run it as shown below.

Let’s check the file that we created earlier using the ls command. Now to send the file to the target we will host the directory using the HTTP server as shown below:

Now onto the target machine. We browse to the IP address of the attacker machine and see the file msbuild_nps.xml. To use msbuild to execute this XML file, we have to move the payload file into this path:

C:\Windows\Microsoft.NET\Framework\v4.0.30319

Once we have the nps_payload.xml file inside the depicted path, we need a command prompt (cmd) at that particular path. With a cmd at this path we execute the nps_payload command as shown below.

Now back to our attacker machine, where we created a listener earlier. We see that we have a meterpreter session. This concludes the attack.

NOTE: If a session is not opened, please be patient. It sometimes takes a bit of time to generate a stable session.

Getting session using MSBuild HTA

Let’s get another session using the HTA file. To do this we will generate an HTA file. First, we will launch the tool using the command below.

After launching the tool, we choose the HTA payload. Next, we have to choose the type of payload: whether it is going to be reverse_tcp, reverse_http, reverse_https or a custom one. We can choose any one, but here we are choosing reverse_tcp.

Following this, we are asked to enter the Local IP Address. This is the IP address of the machine where we want the session to come back to, that is, the attacker machine, in our case Kali Linux. After that, we are asked to enter the listener port, which is 443 by default; we leave it unchanged. That’s it: we are told that the payload has been created as the file msbuild_nps.hta, and that we should start a listener.

We will start the listener as we did earlier.

Let’s check the file that we created earlier using the ls command. Now to send the file to the target we will host the directory using the HTTP server as shown below:

Now onto the target machine. We browse to the IP address of the attacker machine and see the file msbuild_nps.hta. Right-click on it and choose Save Link As; this downloads the payload.

Once we have the nps_payload.hta file, we need a command prompt (cmd) at the path where we saved the payload file, in our case the Downloads folder of the current user. With a cmd at this path we execute the nps_payload command as shown below.

Now back to our attacker machine, where we created a listener earlier. We see that we have a meterpreter session. This concludes the attack.

NOTE: If a session is not opened, please be patient. It sometimes takes a bit of time to generate a stable session.
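For the defender, both the Empire UAC bypasses described earlier (eventvwr, fodhelper) and the MSBuild/mshta payload launches in this article leave artefacts in endpoint telemetry. The script below is an added example, not code from either article or from nps_payload, that flags them in Sysmon-style events; the registry key paths are the ones publicly documented for those two bypasses, and the log lines are constructed.

```python
# Added example (not from either article): detection logic over constructed
# Sysmon-style events for registry hijacks used by the eventvwr/fodhelper UAC
# bypasses (Event ID 13, value set) and for MSBuild/mshta launching a payload
# file (Event ID 1, process create). Paths below are from public write-ups of
# the two bypasses, not from this page; every log line is made up.
import re

# Keys under HKCU\Software\Classes that eventvwr.exe and fodhelper.exe consult
# before auto-elevating; a standard user writing here is a strong signal.
UAC_HIJACK_KEYS = (
    r"\software\classes\mscfile\shell\open\command",
    r"\software\classes\ms-settings\shell\open\command",
)
# LOLBin launches carrying the payload formats nps_payload produces.
LOLBIN_RULES = {
    "msbuild.exe": re.compile(r"\.(xml|csproj|proj)\b", re.I),
    "mshta.exe": re.compile(r"\.hta\b|https?://", re.I),
}

def parse_event(line):
    """Turn 'Key=Value; Key=Value' (our constructed format) into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("; ") if "=" in kv)

def classify(event):
    """Return a finding string for a suspicious event, else None."""
    eid = event.get("EventID")
    if eid == "13":                                  # registry value set
        target = event.get("TargetObject", "").lower()
        # Real Sysmon writes the user hive as HKU\<SID>\...; accept both spellings.
        if target.startswith(("hkcu", "hku")) and any(k in target for k in UAC_HIJACK_KEYS):
            return f"UAC bypass registry hijack: {event.get('TargetObject')} <- {event.get('Details')}"
    elif eid == "1":                                 # process creation
        image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
        rule = LOLBIN_RULES.get(image)
        if rule and rule.search(event.get("CommandLine", "")):
            return f"LOLBin payload launch: {event.get('CommandLine')}"
    return None

def scan(lines):
    """Run classify over raw log lines and keep only the findings."""
    return [f for f in (classify(parse_event(line)) for line in lines) if f]

SAMPLE_LOG = [   # constructed events, not captured from a real host
    r"EventID=13; Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; TargetObject=HKCU\Software\Classes\ms-settings\Shell\Open\command\(Default); Details=C:\Users\u\stager.exe",
    r"EventID=13; Image=C:\Windows\explorer.exe; TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive; Details=C:\Users\u\OneDrive.exe",
    r"EventID=1; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; CommandLine=msbuild.exe msbuild_nps.xml",
    r"EventID=1; Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; CommandLine=msbuild.exe MyApp.sln /t:Build",
    r"EventID=1; Image=C:\Windows\System32\mshta.exe; CommandLine=mshta.exe C:\Users\u\Downloads\msbuild_nps.hta",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Developers legitimately run msbuild on solution files, so the process rule keys on the payload file types rather than on msbuild.exe alone; the registry rule needs no such allow-listing because normal software never writes those keys in the user hive.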

Author: Shubham Sharma is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

Casino Royale: 1 Vulnhub Walkthrough

Today we are going to solve another CTF challenge, “Casino Royale: 1”. It is a vulnerable lab presented by the author creosote to help pentesters practise penetration testing according to their experience level. The challenge is to get root on the target virtual machine and read the flag.sh within that directory.

Difficulty: Intermediate

Penetrating Methodologies

  • IP discovery and Port Scanning.
  • Browsing the IP on port 8080.
  • Discovering accessible directories on the victim’s machine.
  • Searching exploits via searchsploit.
  • Using SQLMAP to find database and login credentials.
  • Browsing directories on the browser.
  • Adding Domain name to /etc/hosts file.
  • Searching exploits via searchsploit.
  • Using Cross-Site Request Forgery Exploit code.
  • Using telnet to connect to port 25.
  • Tail off the access.log file.
  • Browsing directories on a browser.
  • Exploiting XML External Entity vulnerability.
  • Using curl to send the file.
  • Creating a PHP shell using msfvenom.
  • Using hydra to brute force FTP login Password.
  • Logging into FTP.
  • Using Multi/handler of Metasploit Framework.
  • Enumerating through directories.
  • Getting Login Credentials.
  • Looking for SUID file and directories.
  • Creating a bash shell using msfvenom.
  • Using Netcat listener to get a reverse shell.
  • Getting Root Access.
  • Reading the Flag.

Walkthrough

Let’s start off with discovering the IP address of our Target Machine.

Then we’ll continue with our nmap command to find out the open ports and services.

Since port 80 is open, we explored the target's IP address in the browser.

We didn’t find anything on the webpage, so we used the dirb tool to enumerate directories on the target's IP address.

Here, we found a useful directory, index.php. Moving on.

We opened index.php on the target's IP address in the browser. This page seems pretty interesting and gave us our next clue.

The page revealed the term pokermax software. This made us curious to look for it in searchsploit, and our intuition was right. We copied the exploit's 6766.txt file to our machine and read its contents. It revealed a link, which we tried opening in the browser.

The link directed us to Pokermax Poker League: Admin Login. Since we don’t have any credentials, it's time to bring up SQLMAP.

Let’s first find the database.

The database we found is pokerleague.

Let’s look for the credentials of Admin Login in the database pokerleague.

We have got the required credentials.

Username: admin

Password: raise12million

We have successfully logged into the Admin area. Looking for other clues.

After checking all the tabs on the page, we found some useful information in the Edit info of player Valenka.

We have got a useful directory in the player profile; let’s find out where it leads. It also asks us to add the domain name casino-royale.local to our hosts file.

Updating the hosts file.

After opening the directory along with the domain name in the browser, we found something interesting about port 25, which was open. This information might come in handy.

Looking around we found the CMS Snowfox. Let’s find out if it is in searchsploit.

We were right about it. There is an HTML file available for this exploit, so we copied the file to our machine.

On reading the contents of the file, we found a script for CROSS SITE REQUEST FORGERY (add admin). So we copied this code.

We created a new file, raj.html, and pasted the code into it, also making some minor changes as you can see in the image.

After that, we copied the file raj.html to the /var/www/html folder of our machine and restarted the apache2 service.

Let’s connect to port 25 using telnet. We will send a mail to the recipient valenka containing the link to the raj.html file. All the steps are shown in the image.

We then tail the apache2 access log.

Let’s log in with the credentials we set in the raj.html file, in the Sign-in section of the page casino-royale.local/vip-client-portfolios/?uri=signin

Email address: [email protected]

Password: password

After successfully logging in, we found another clue in the Edit page of [email protected] under manage players.

Another directory clue; let’s open it in the browser and see what it holds.

We landed on this page.

That page doesn’t seem useful from the outside, so we checked its page source. This gave us a hint to use an XML External Entity injection for our next step.

We looked for XML External Entity injection code online, then created a new file, xml.txt, and pasted the code with some minor changes.

//depthsecurity.com/blog/exploitation-xml-external-entity-xxe-injection

Let’s send our XML External Entity Injection in file xml.txt using curl.

After exploiting the XML External Entity vulnerability, it gave us the /etc/passwd file. This contained a username for FTP login, i.e. ftpUserULTRA.

We created a PHP shell payload using msfvenom.

We used hydra to find the password of the user ftpUserULTRA for FTP login. We cracked the password for the FTP login, i.e. bankbank.

Let’s just log in to FTP. After quite a bit of messing around, we found we are only able to upload .php5 files or files with no extension. Time to upload our shell and give it execute permissions.

After uploading our shell, we set up a listener using the Metasploit framework.

We got the reverse shell, but it is not a proper shell. We will spawn a tty shell using python.

After enumerating through the directories, we found a useful file, config.php. Let’s check its contents.

When we read the contents of config.php, it gave us two useful credentials.

DBusername: valenka

DBpassword: 11archives11!

So, we used these credentials to log in as valenka.

After that, we tried to find files with SUID bit permissions.

Here we found an interesting SUID file and directory.

/opt/casino-royale/mi6_detect_test

On running the SUID file, we see that it most likely calls a run.sh file, but there is no such file or directory, and we have no permission to create run.sh there. So we decided to move to the /tmp directory.

We need to create a bash payload using msfvenom:

After that, we copied the code into run.sh and started a Python HTTP server.

We downloaded the file into the /tmp directory and ran the SUID file again.

This time, on running the SUID file, it gave a reverse shell on our netcat listener. Finally, we have got root access and read the FLAG!!

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles, with 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here