Zeus:1 Vulnhub Walkthrough


Today we are going to take on another CTF challenge, Zeus:1. The credit for making this VM goes to “Vesile Revnic”. It is a boot2root challenge where we have to root the server and capture the flags to complete it. You can download this VM here

Security Level: Intermediate
Penetrating Methodology:
1. Scanning
   · NMAP
2. Enumeration
   · Dirb
3. Exploitation
   · Hydra
   · SSH
   · Jailkit
4. Privilege Escalation
   · Exploiting SUID rights

Walkthrough:

Scanning:
Let’s start off with the scanning process. This target VM has a static IP address, 192.168.131.170, so we created a VM network on the same subnet and put our Kali machine in it.
Then, as usual, we used nmap for port and service enumeration.
Ports 21, 22 and 80 are open on the target machine.
nmap -A 192.168.131.170



Enumeration:

Port 80 is open, so we opened the IP address in our browser, but the webpage showed nothing useful.



We used dirb to brute-force directories on the web server and found one named /telecom/.




We opened that URL in the browser, but it showed nothing either.



Looking at the page source, we found a name, gogu, which we could try as a username.


Exploitation:
With a probable username in hand, we brute-forced the SSH service with Hydra and got the password universal for the user gogu.





We logged in to the target over SSH with those credentials and got our first flag, user.txt.

We found that user gogu could run only a limited set of commands, because the machine's creator had put this user in a jailkit jail.
Note: Jailkit restricts a particular user's shell to a limited jail environment.
id
cat user.txt
ls -la



We looked for hidden files and found one named sysdate with the SUID bit set.
The sysdate command prints the current date and time, so we tried the PATH variable method to leverage its SUID bit, but we still could not get out of the restricted shell, probably because of the jailkit implementation.

ls -lRah
echo "/bin/sh" > date
chmod 777 date
export PATH=/home/gogu:$PATH
/home/gogu/…/sysdate




We searched Google for a way around jailkit and found a C script. We saved it as bypass.c on our Kali machine and tried to compile it. The compiler asked for some libraries, so we installed the dependencies and were then able to compile it.

apt install gcc-multilib -y
gcc bypass.c -o bypass -m32



Privilege Escalation:
After compiling it, we transferred the bypass binary to the target machine and executed it with root privileges using the same PATH variable method.
After execution we were out of the restricted shell, had a root shell and eventually the root flag.
ssh gogu@192.168.131.170 "cat > bypass" < bypass
ls
chmod 777 bypass
echo "/home/gogu/bypass" > date
chmod 777 date
export PATH=/home/gogu/…/sysdate:$PATH
/home/gogu/…/sysdate
id
cd /root
cat flag.txt
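The sysdate binary was hijackable because it looked its helper command up through the caller's PATH. The script below is an added example (not from the walkthrough, and not the machine's own sysdate source) that a system owner can run to find SUID-root binaries with the same weakness; the watch-list of command names and the function names are my own choices.

```shell
#!/bin/sh
# Added audit helper (not from the walkthrough). A SUID-root program that calls
# system("date") or execvp("date", ...) resolves "date" through the caller's
# PATH, which is exactly what made sysdate hijackable above. This scans SUID-root
# files for bare command names that would be looked up that way. The fix on the
# program side is an absolute path plus a reset PATH/IFS, or dropping SUID.

# Hypothetical watch-list; extend with whatever your SUID programs shell out to.
KNOWN_CMDS="date sh bash ls cat id whoami ps cp mv rm"

# Print each watch-listed name that occurs as a whole printable string in a file.
bare_commands_in() {
    # Split the file into printable runs, as strings(1) would, and keep exact matches.
    tr -c '[:print:]' '\n' < "$1" | sort -u | while IFS= read -r s; do
        for c in $KNOWN_CMDS; do
            if [ "$s" = "$c" ]; then echo "$s"; fi
        done
    done
}

# Walk SUID-root files below a directory (default /) and report the risky ones.
audit_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 -user root 2>/dev/null |
    while IFS= read -r f; do
        hits=$(bare_commands_in "$f" | tr '\n' ' ')
        if [ -n "$hits" ]; then
            printf '%s: resolves via PATH -> %s\n' "$f" "$hits"
        fi
    done
}

# Constructed stand-in for a binary: strings as they would sit in an ELF file.
# Prints the path of the temporary file it creates.
make_sample_binary() {
    f=$(mktemp)
    printf 'ELF\000date\000/bin/ls\000usage: %%s\000' > "$f"
    echo "$f"
}
```

Run audit_suid / on the target after hardening: a binary that calls /bin/date by absolute path no longer shows up, while one still calling plain date does.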

Comprehensive Guide to Steghide Tool

In this article, we'll learn about Steghide. There are many steganography tools available, but what sets Steghide apart is that it uses a variety of algorithms to encrypt the data. Moreover, Steghide supports hiding data behind any image (jpg/jpeg/png/gif/bmp), audio (mp3/wav), Excel, etc.
Table of Contents
· Introduction to Steganography
· Introduction to Steghide
· Features
· Installation of Steghide
· Getting Started with Steghide
· Functionality of Steghide
  o Embedding of Data Via Steghide
  o Extraction of Data Via Steghide
  o Password Protect Files
  o Retrieve Information of Embedded File
  o Verbose Mode
  o Compression Mode
  o Anti-compression Mode
  o Embedding File Without Name
  o Encrypting Algorithms
  o Overwriting the Existing File

Introduction to Steganography
In digital steganography, electronic communications may include steganographic coding inside a transport layer such as a document file, image file, program or protocol. Media files are ideal for steganographic transmission because of their large size. For instance, a sender might start with an innocuous image and make small alterations to it in order to hide data, so that the alteration goes unnoticed by anyone not specifically looking for it.
The advantage of steganography over cryptography alone is that the intended secret message does not draw attention to itself as an object of scrutiny. Plainly visible encrypted messages, however unbreakable, arouse interest and may in themselves be incriminating in countries where encryption is illegal. Thus, whereas cryptography is the practice of protecting the contents of a message alone, steganography is concerned with concealing the fact that a secret message is being sent at all, as well as concealing its contents.
Introduction to Steghide
Steghide is a steganography tool which lets you hide confidential files inside an image or audio file, protected by a passphrase. It supports the BMP and JPEG image formats and the AU and WAV audio formats. By default, it uses the Rijndael algorithm to encrypt the file, with a key size of 128 bits. The tool has its advantages and disadvantages. One upside is that it is significantly better at hiding data and can easily hide any file type. It does so by using an advanced algorithm to hide the data inside the image (or audio) file without changing the look (or sound) of the file. This also means that without steghide (or at least the same mathematical approach as steghide) it is hard to extract the hidden files from the image.

Features
·        Compression of embedded data
·        BMP, GIF and JPG supported
·        Encryption of embedded data
·        Decryption via password
·        Uses various algorithms for encryption

Installation of Steghide
Let's start with the installation of Steghide. On Windows, we can download Steghide from http://steghide.sourceforge.net/download.php. After downloading, simply unzip the files and use it from cmd. On Linux, open a terminal and type the following command to install Steghide:
apt-get install steghide

Getting Started with Steghide
To get started with Steghide, the most basic option is the help command, which lists all the options Steghide provides:
steghide --help




Embedding Data in The Image
We hide data in an image with Steghide so that only a person who knows the passphrase can read it. So we made a text file named user.txt containing our confidential data, and image.jpeg is the file in which we embed it. To achieve this, we execute the following command:
steghide embed -ef user.txt -cf image.jpeg
Here, -ef and -cf stand for embed file and cover file respectively.





Extraction of Data Via Steghide
Steghide adds an extra layer of security by letting us set a passphrase on the hidden data. To extract it, use the following command:
steghide extract -sf image.jpeg
Then enter the passphrase to extract the file.
Here,
-sf is the stego (secret) file, i.e. the image that carries the hidden data.




Password Protect Files

Now, we can also specify the passphrase in the command itself with -p, so that we do not need to enter it separately when prompted:
steghide embed -ef user.txt -cf image.jpeg -p password





Retrieve Information of Embedded File
If we have an image suspected of containing hidden data, and want to know which algorithm was used to encrypt it, we use the following command:
steghide info image.jpeg





Verbose Mode

To see every detail of what Steghide does while embedding or extracting a file, use verbose mode, which prints detailed progress information:
steghide embed -v -ef user.txt -cf image.jpeg




Compression Mode

If we want to compress the text file before hiding it, we use the following command. The compression level ranges from 1 to 9: level 1 is the fastest, while level 9 gives the best compression.

steghide embed -ef user.txt -cf image.jpeg -z 2





Anti Compression Mode
If we do not want to compress the file before hiding it, we use the -Z option:
steghide embed -ef user.txt -cf image.jpeg -Z






Embedding File Without Name
We can also hide a file without embedding its file name, using the -N option:
steghide embed -ef user.txt -cf image.jpeg -N




Encrypting Algorithms
We can choose the encryption algorithm applied to the data we hide with the -e option (the default is Rijndael-128; steghide encinfo lists the available algorithms and modes):
steghide embed -ef user.txt -cf image.jpeg -e rijndael-128




Overwriting the Existing File
When extracting, suppose a file with the same name already exists in the directory. Then we can use the -f option to overwrite the existing file, if that is desired:
steghide extract -sf image.jpeg -f
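Pulling the options above together, the following is an added example (not part of the guide) that checks a cover file's magic bytes against the formats Steghide actually accepts before building the embed command; cover_type, embed_safe and make_sample_covers are my own names, and embed_safe assumes steghide is installed.

```shell
#!/bin/sh
# Added helper (not part of the guide). Steghide only takes JPEG, BMP, WAV and AU
# covers and rejects anything else only after prompting, so this checks the
# cover's magic bytes first, then runs the embed with the flags covered above
# (-p passphrase, -z compression level, -e cipher). Function names are my own.

# Classify a cover file by its first bytes: prints jpeg, bmp, wav, au or unsupported.
cover_type() {
    magic=$(head -c 12 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        ffd8ff*)                   echo jpeg ;;          # JPEG SOI marker
        424d*)                     echo bmp ;;           # "BM"
        52494646????????57415645*) echo wav ;;           # "RIFF....WAVE"
        2e736e64*)                 echo au ;;            # ".snd"
        *)                         echo unsupported ;;
    esac
}

# embed_safe SECRET COVER PASSPHRASE [LEVEL]: exit 2 on an unsupported cover,
# otherwise embed with compression LEVEL (default 9) and Rijndael-128 (the
# default cipher; "steghide encinfo" lists the others). Needs steghide installed.
embed_safe() {
    ef=$1; cf=$2; pw=$3; level=${4:-9}
    if [ "$(cover_type "$cf")" = unsupported ]; then
        echo "embed_safe: $cf is not a JPEG/BMP/WAV/AU cover" >&2
        return 2
    fi
    steghide embed -ef "$ef" -cf "$cf" -p "$pw" -z "$level" -e rijndael-128
}

# Constructed sample covers (header bytes only) in directory $1, for trying cover_type.
make_sample_covers() {
    printf '\377\330\377\340\000\020JFIF' > "$1/c.jpg"
    printf 'BM' > "$1/c.bmp"
    printf 'RIFF\000\000\000\000WAVE' > "$1/c.wav"
    printf '.snd' > "$1/c.au"
    printf 'GIF89a' > "$1/c.gif"
}
```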




Conclusion
So, this was a short guide to Steghide. As you can see, it is an easy and user-friendly tool for steganography. It has therefore become one of the finest steganography tools for embedding and extracting information in a multitude of media files. Steghide has many uses, and its other notable characteristics, such as file encryption, make it one of the best steganography tools available.

MinU: v2 Vulnhub Walkthrough


Today we are going to take on another CTF challenge, MinU:v2. The credit for making this VM goes to “8bitsec”. It is a boot2root challenge where we have to root the server and capture the flag to complete it. You can download this VM here.
Security Level: Beginner
Penetrating Methodology:
1. Scanning
   · Netdiscover
   · NMAP
2. Enumeration
   · Web Directory search
3. Exploitation
   · Command Injection
   · SSH
4. Privilege Escalation
   · Exploiting SUID rights

Walkthrough:

Scanning:
Let’s start off by scanning the network to identify the target's IP address. Using Netdiscover, we found it to be 192.168.1.101.
netdiscover



Then, as usual, we used our favourite tool, Nmap, for port enumeration. We found that ports 22 and 3306 are open, and that an HTTP service was running on port 3306.
nmap -A 192.168.1.101




Enumeration:
We found nothing useful on the index page, so we used dirb for directory brute-forcing and found one page with an .html extension.




We accessed that URL and found it to be an upload page that accepts only .svg files as input.




So we searched Google for a script in SVG format that we could use for command injection.





After some research we found one such script, which reads the contents of /etc/passwd. We copied it and saved it as an .svg file.





Exploitation:
We uploaded the script file, and it was accepted. After uploading, we checked the page source and found the contents of the /etc/passwd file in it.
From it we learned that the target has several users, such as employee, chrony and nobody.




We thought of reading other files with the same script.
Since the target uses the /bin/ash shell, we edited the script to read the shell history file, .ash_history.



After editing, we uploaded the file again and got some useful information from the history file: a username and a password.

So we tried to SSH to the target with the username employee and the password superultrapass3 found above, and logged in successfully.
After logging in, we looked for SUID binaries for privilege escalation and found one, micro, which turned out to be a text editor.

find / -perm -u=s -type f 2>/dev/null
/usr/bin/micro



Privilege Escalation:
We piped the contents of /etc/passwd into the micro editor, where we can edit it or add new users with root privileges.
cat /etc/passwd | /usr/bin/micro



We generated the password hash for the new user with the openssl tool.
openssl passwd -1 -salt user3 pass123


Then we added the new user test, with the hashed password and root privileges, to /etc/passwd and saved the file.



Once we had a user with root privileges, we switched to that user, got a root shell and eventually the flag.

su test
id
cd /root
cat flag.txt
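The final step leaves two artefacts in /etc/passwd that a defender can check for. The script below is an added detection example, not part of the walkthrough; audit_passwd and sample_passwd are my own names, and the sample entries are constructed with a placeholder hash.

```shell
#!/bin/sh
# Added detection helper (not from the walkthrough). The escalation above leaves
# two marks in /etc/passwd: a second account with UID 0, and an account whose
# password hash sits directly in field 2 instead of the "x" that defers to
# /etc/shadow. Either one on a production box is a strong sign of tampering.

# audit_passwd [FILE]: one line per finding (reads stdin when FILE is omitted).
audit_passwd() {
    awk -F: '
        NF < 7 { next }                         # skip malformed lines
        $3 == "0" && $1 != "root" { printf "extra UID 0 account: %s (shell %s)\n", $1, $7 }
        $2 !~ /^(x|\*|!+)?$/      { printf "inline password hash: %s\n", $1 }
    ' "${1:--}"
}

# Constructed sample in the shape the walkthrough produced; the hash is a placeholder.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/ash
employee:x:1000:1000:employee:/home/employee:/bin/ash
test:$1$user3$CONSTRUCTED.PLACEHOLDER.HASH:0:0::/root:/bin/ash
EOF
}
```

On a live host run audit_passwd /etc/passwd from a cron job or your configuration-monitoring tool and alert on any output.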