Hack the 64base VM (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge known as 64base. The credit for making this vm machine goes to “3mrgnc3” and it is another capture the flag where author has hidden flag for the attacker as a challenge. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.118 but you will have to find your own)

netdiscover

Use nmap for port enumeration

nmap -p- sV 192.168.1.118

We found that port 80 is open, so let’s open this ip in our browser.

When we take a closer look at the source code, we found a long encoded string comment.

It is hexadecimal encoded, after decoding it we found another base64 encoded string. Decoding the latter string we found our 1^st flag.

Now inside the flag is another base64 string, we decode it and find a username and password.

Now we take a look around the site in the first post we find hint, using cewl we make a dictionary of this page and find that Imperial-Class exist.

Opening the link, it will ask for password and username. We use the username and password that we found earlier to login. When we open this link we find a hint, so we take a look at the source code.

Inside the source code we find another hint for a link.

When we open this link we find a login page. When we look at the source code of the login page we find that when data is submitted a file called login.php is handling the login form. So we take a look at that page.

Here we found a few strings that are encoded in hexadecimal, when we decode them individually we find they are part of a bigger string so we join the strings together and decode it.

The string is in hexadecimal format, when we decode it we find a base64 encoded string. When we decode the base64 string we find our 2^nd flag. Inside the flag is another base64 encoded string, when we decode it we find that it is a link to a youtube video.

From this video we are hinted that we should use burp suite. So we start the burp suite to capture the request of the login page.

After capturing the request we sent it to repeater, here in the response we get the 3^rd flag.  Inside the flag we see a base64 encoded string.

After decoding the flag we get a link.

Here we don’t find anything, then we remember the hint what we found on the first page.

So we replace exec with system and try to run our command.

Here we find our 4^th flag and we find that inside the flag contains base64 encoded string. After decoding it we find a username and password now we are going to use it to login into ssh After failing a few times I encoded the password again in base64 format.

Now we are going to login through ssh, we know from our netcat that port 62964 is running openssh.

Now that we are inside the shell, we list the files in the current directory.

We open the file and get a random message, after trying a few commands it is possible that the functions of the commands have been changed. So we check the path of commands

echo $PATH/*

We find that path of the commands have been changed. We see that there is a command called droids, we run it to see what it does.

After running the command we get a matrix screen, when we close it we get this message given in the above image. Earlier we weren’t able to change directory, now after running the command we were able to change directories.

After going through the files we find a hint inside /var/www/html/admin. We find a folder called S3cR37/ we move into this folder and find our 5^th flag.

Inside the flag5 we find a base64 string when we decode it, it gave us a hint.

Now cat command doesn’t work so we use strings command to find the strings inside the file.

We find a hexadecimal encoded string, we copy it into a file on our local system and decode it and find it is an rsa key.

We remove its permission using command:

chmod 600 rsa_key

Then we connect to root using this key

ssh 192.168.1.118 –I rsa_key  

When we try to login it ask for a passphrase, after a lot of searching we send the flag5 file to our system for more information.

scp -P 62964 64base@172.16.0.19:/var/www/html/admin/S3cR37/flag5* \  > /root/Desktop/flag5.jpeg

Now we open the file on the local system, inside the file we find another hint to use the force.

After trying some passphrases, we found the passphrase is usetheforce

Now when we can login through ssh.

We find the final flag; inside the flag we find a hexadecimal string. When we decode the string we find a base64 string, again when we decode the string we find a hexadecimal string, when we decode the hexadecimal string we again find a base64 string. When we decode it we finally get a message that looks like a command.

When we run this command on the VM, we get a congratulation message that we completed the CTF.

Wordpress Penetration Testing Lab in Ubuntu

Today we are demonstrating how to install and configure wordpress for penetration testing inside the web server. To configure wordpress, you must install any web host software such as xampp/wamp or read our previous article “Configure Web Server for Penetration Testing (Beginner Guide)” which will help in set up of your own localhost web server. Here we are using our own web server which had configure in ubuntu 14.04.

WordPress is a free and open-source content management system (CMS) based on PHP and MYSQL. It is installed on a web server that is either part of an Internet hosting service or a network host in its own right. WordPress is reportedly the most popular website management or blogging system in use on the Web, supporting more than 60 million websites.

For more detail visit https://en.wikipedia.org/wiki/WordPress

Let’s start!!

If you have read our previous article, then you might be remembering that we had specified blank space as password for root user. Now start with login into phpmyadmin as root user.

phpmyadmin is separated into two parts left and right panels. The left panel contains name of existing databases and right panel contains functional setting for performing maintenance operations on tables, backing up information, editing things and creating or deleting the database.

In order to store wordpress data we need to create a new database. Now click on databases tab given at the top of right panel.

Now enter the name for database system such as wordpress and then click on create. After that you will observe a new database “wordpress” will get add into left panel.

Open the terminal and type following command to download wordpress inside /var/www/html

wget https://wordpress.org/latest.zip /

Now unzip the folder of latest.zip

unzip latest.zip

ls

From given image you can see we have folder of wordpress inside /html directory.

Now for wordpress installations open it on browser through URL: http:// localhost/wordpress as shown in given image.  At the end of window click on let’s go to proceed for installation.

At another window enter your database connection information such as:

Database Name: wordpress

Username: root

Password: (null)

Database host: localhost

Now click on submit tab.

In next window you will get some code of line to configure wp-config.php file as shown in given image. Now copy the highlighted text into a text document. After you done come back and click on run the install.

As you can see we have pasted above copy text inside a text file and then save it as wp-config.php on desktop.

Since we have saved wp-config.php on desktop therefore we are going to shift it inside /var/www/html/wordpress using following command.

mv /home/raj/Desktop/wp-config.php .

After then go back to previous open tab and click on Run the install.

“Welcome” the new window will come up, now fills the information below and you’ll be on the way for wordpress installation.

Site title: Pentest Lab

Username: admin

Password: password

Email: (your email ID)

At last click on “install wordpress” tab given at the end of window.

Once wordpress will successfully install, click on log in as shown in given image.

Now enter your wordpress credential for login.

Great!!  Finally our web site “pentest lab” is online on localhost server and is ready posting articles and blogs.

 Now we need to add some Plug-in wordpress so that we can make wordpress penetration testing by exploiting these plug-in based vulnerabilities. WordPress' plug-in architecture allows users to extend the features and functionality of a website or blog.

Now type following command to give all permission to the file and folder own by www-data of /var/www/html.

sudo chown –R www-data /var/www/html

For penetration testing practice we are going to download some vulnerable plug-in so that we have our own vulnerable wordpress site.

We had downloaded a vulnerable plug-in “reflex gallery 3.1.3 arbitrary file upload” found from inside the exploit-db.com, you can download many other vulnerable plug-in from exploit database.

Now login into wordpress as admin to access administration control panel and then select plugins option from dashboard and go for new plugin so that you can add your install plug-in in your wordpress.\

Now browse you downloaded zip file and then click on upload plugin for installation.

It will install plug-in into wordpress, now to activate it click on given tab Activate Plugin as shown in given image.

Similarly you can install as much as can be possible vulnerable plug-in into wordpress. You can see we had installed many plug-in inside our wordpress so that we can make more practice on wordpress penetration testing which you will learn in our next upcoming article.

Wait for our next article where you will how exploit wordpress plug-in base vulnerability.

Configure Web Application Penetration Testing Lab

As you know that we have already shown you how to configure web server. Now it’s time to move on to the next step which is the configuration of Web Application in Ubuntu 18. So today we will be learning how can we configure the 5 famous web applications (DVWA, bwapp, XVWA, SQLI, Mutillidae) in our web server for Web Penetration Testing. So, let’s do that.

Table of content

·         Requirement

·         Web application

·         DVWA

·         bWAPP

·         Xvwa

·         Sqli

·         Mutillidae

Requirement-ubuntu 18.0

Web Application

A web application is a remote server software application. In general, web browsers are used through a network, such as internet, to access Web applications. Like a software program running on a desktop or desktop application, the Web-app permits interaction with the user and can be designed for a wide range of applications.

DVWA

Let’s start You should download and configure this web application only within the html directory for all web applications in the browser through localhost. Go to your ubuntu terminal and move inside html directory by running the following command and then download dvwa lab from the given link.

cd /var/www/html

git clone https://github.com/ethicalhack3r/DVWA

After the installation we will go inside the dvwa and there we will find a config folder, now we will move inside the config folder and there we will run the ls command to view all available folder, now here you will see a config.inc.php.dist file. Now as you can see, we have moved config.inc.php.dist file to config.inc.php

cd /dvwa/config

mv config.inc.php.dist config.inc.php

Now open the config file by the following command; where you will find that db user is root and db password is password.

Here you need to make the changes and give access to the ubuntu user as in our case we have written raj as db user and as our ubuntu password is 123 so we have written 123 as db password.

Now we will try to open dvwa lab in the browser by the following URL and click on Create/Reset Database

http://localhost/dvwa/setup.php

Good! We have successfully configured the dvwa lab in ubuntu 18 as we can see that we are welcomed by the login page.

For login we will use the dvwa username which is admin and password which is dvwa password by default.

bWAPP

A buggy web application that is purposely unsafe. Enthusiasts of security, system engineers, developers can find out about Web vulnerabilities and prevent them.

bWAPP prepares you for successful tests and penetration testing. Now we will configure bWAPP lab in Ubuntu 18. First, we will download bWAPP and then we will move inside the Downloads folder and then unzip bWAPP file by the following command-

unzip bWAPP_latest.zip

Now we will move bWAPP into var/www/html by the following command-

mv bWAPP /var/www/html

Now we will edit the config file; so, move inside the config file by the following command and where you can see that db username is root and db password is bug b default.

cd admin

ls

nano setting.php

Now we will make some changes and will set our ubuntu user raj in place of root and set password 123 in place of bug. Save it and then exit the config file.

Now go to your browser and open bWAPP installation file by the following command and click on here as shown in the image below

http://localhost/bWAPP/install.php

Now you will get a login page of bWAPP where we will use the default username which is bee and default password which is bug and you are logged in in bWAPP.

Now you can start working on bWAPP.

When you will login as bee:bug; you will get the portal to test your penetration testing skill.

XVWA

XVWA is poorly coded written in PHP/MYSQL web application that helps security lovers learn security from applications. This application is not advisable online because it is Vulnerable to extremes as the name also suggests. This application should be hosted in a controlled and safe environment where you can improve your skills with the tool of your choice. So, let’s start-

First, we will download XVWA from GitHub; so, go to ubuntu terminal and open the following link to download XVWA lab inside html directory by the following link-

 git clone https://github.com/s4n7h0/xvwa.git

Once it is downloaded, we will open the config file of xvwa by the following command

cd xvwa

nano config.php

Now we ca see that the username of xvwa is root and password is left blank.

Now we will remove the root user from here and we will be using the ubuntu username and password here which is raj:123

Afterwards we will save the file and exit.

Now browse web application through URL-localhost/xvwa and we can see that we are successfully logged in-

SQLI Labs

A laboratory that offers a complete test environment for those interested in acquiring or improving SQL injection skills. Let’s start. First, we will download SQLI lab inside html directory by the following link-

git clone https://github.com/Rinkish/Sqli_Edited_Version

 Once the download is done, we will move sqli labs into var/www/html directory and rename it to sqli. Then go inside the sqli directory where we will find /sqli-connections directory. Here we will run ls command to check the files and we can see that here is file by the name of db-creds.inc

we need to make some changes in the config file by the following command-

cd Sqli_Edited_Version/

ls

mv sqlilabs/ ../sqli

cd sqli

cd sql-connections/

ls

nano db-creds.inc

As we can see that username is given root and password is left blank which we need to modify.

Now here we will set the username and password as raj:123 Now save the file and exit.

Now browse this web application from through this URL: localhost/sqli and click on Setup/reset Databases for labs.

Now the sqli lab is ready to use.

Now a page will open up in your browser which is an indication that we can access different kinds of Sqli challenges

Click on lesson 1 and start the Sqli challenge.

Mutillidae

OWASP Mutillidae is a free open source purposely vulnerable web application providing an enthusiastic goal for web security. It’s a laboratory which provides a complete test environment for those who are interested in SQL injection acquisition or improvement. This is an easy-to-use Web hacking environment designed for laboratories, security lovers, classrooms, CTFs, and vulnerability assessment targets, and has dozens of vulnerabilities and tips to help the user.

So, let’s start by downloading by the clicking on the following link given below-

git clone https://github.com/webpwnized/mutillidae

After the download go inside the mutillidae directory and where you will find a directory /includes, go inside this directory.

Inside this directory we will find database-config.inc file which we need to open by nano command as shown in the image below.

cd mutillidae

cd includes

ls

nano database-config.inc

Now here you will find that username is root and password is mutillidae by default and which we need to change.

Now we will use our ubuntu username and password which is raj:123. Save the changes and then exit

Now we will open this our local browser by the following URL: localhost/mutillidae where we will find an option of reset database. Just click on it to reset the database.

Now you will be redirected to a page which will ask you to click ok to proceed. Here you need to click on ok and you are done with the configuration of mutillidae lab.

So, In this way we can setup our vulnerable web application lab for penetration testing.