Introduction
Today we are going to crack this vulnerable
machine called HA: Forensics. This is a Capture the Flag type of challenge. It
contains FOUR flags that are accessible as the solving of the lab progresses
based on hints. It is a Forensics focused machine.
Download Lab from here.
Penetration
Testing Methodology
·
Network Scanning
o
Netdiscover
o
Nmap
·
Flag #1
o
Browsing the HTTP service
o
Directory Bruteforce using dirb
o
Enumerating an Image file
o
Extracting Metadata of Image
file
o
Reading Flag #1
·
Flag #2
o
Directory Bruteforce using dirb
o
Decrypting PGP Encryption
o
Creating a Dictionary using
crunch
o
Performing a Dictionary on ZIP
file
o
Reading Flag #2
·
Flag #3
o
Enumerating DMP file using
pypykatz
o
Extracting an NT hash
o
Cracking Hash using John the
Ripper
o
SSH login using Metasploit
o
Convert SSH to Meterpreter
o
Enumerating Network Interfaces
o
AutoRoute an internal docker
instance
o
Perform a ping sweep scan
internally
o
Connect to the FTP service as
Anonymous
o
Downloading the Image file
o
Transferring the Image file to the
local machine
o
Analyze the image file using
Autopsy
o
Reading Flag #3
·
Flag#4
o
Decoding the Base64 Encryption
o
Enumerating for Sudo permission
o
Exploiting the Sudo permissions
on ALL
o
Reading Flag #4
Walkthrough
Network Scanning
To attack any machine, we need to find the
IP Address of the machine. This can be done using the netdiscover command. To
find the IP Address, we will need to co-relate the MAC Address of the machine
that can be obtained from the Virtual Machine Configuration Setting. The IP
Address of the Machine was found to be 192.168.0.174.
netdiscover
Following the netdiscover scan, we need a
nmap scan to get the information about the services running on the virtual
machine. An aggressive nmap scan reveals that 2 services: SSH (22) and HTTP
(80) are running on the application.
nmap
-A 192.168.0.174
Enumeration
Since we have the HTTP Service running on
the virtual machine, let’s takes a look at the webpage hosted:
http://192.168.0.174
The webpage says a button that says “Click
here to get flag!”. Make sure to click that.
FLAG #1
We see the webpage is a simple page with
some forensics images. Nothing special. Next on the Enumeration tasks was
Directory Bruteforce. We used our reliable dirb tool for the directory
bruteforce.
dirb http://192.168.0.174/
This gave us an image directory. We looked
into it through the Web Browser and found two images called DNA and
fingerprint. We checked DNA it was just a rabbit hole. Then we downloaded the
fingerprint.jpg file to the local system to further analyze it.
This machine is based on Forensics and we
have an image at our hands, Exiftool seems the right tool to use. Upon a simple
look at the metadata of the image using Exiftool, we see that we have our First
Flag!
exiftool fingerprint.jpg
Flag #2
Now, Enumeration doesn’t always end with
the one version of Directory Bruteforce. When in doubt, always use the
Extension filter on the dirb. We got a hit on the txt filter and we have some
tips.
dirb http://192.168.0.174 -X .txt
Looking at the tips.txt we see that it is a
kind of robots.txt file just named tips. As we are on the hunt for flags, we
choose to browse the flag.zip file first.
It gave us an option to save the file.
Let’s do it.
Now that we have the zip file on our local
system, its time to extract the contents of this file. We use the unzip command
to extract the files inside the flag.zip file. It requires a password. We don’t
have one!!
We go back to the Web browser and the tips
file. Here is a folder named igolder. It resembles a website that encrypts and
decrypts public and private key messages. We browse the folder and see that
there is another text file called clue.txt. Upon reading the file we see that
it is a combination of a private key and a message.
http://192.168.0.174/igolder/clue.txt
To decrypt the message, we went on the
igolder website and pasted the PGP Private Key and the Encrypted message from
the clue.txt file. After clicking the Decrypt Message button, we have the
secret message. It says to us that the password is 6 characters, with the first
3 being letters “for” and the last 3 being numeric characters.
Whenever we are in a situation where we have some partial hint of the password, we use crunch to create a dictionary fitting to that pattern. We used crunch and created a dictionary for cracking the password named dict.txt. Using fcrackzip we cracked the password to be for007.
We unzip the file and we have a pdf file
labeled flag. We also get a DMP file but more on that later.
crunch 6 6 -t for%%% -o dict.txt
fcrackzip -u -D -p dict.txt flag.zip
unzip flag.zip
Let’s open the PDF file and take a look at
our Second Flag
Flag #3
Now, we have 2 flags, 2 more to go. We
received a DMP file from the previous section. In forensics, a dump file can be
inspected using pypykatz. So, we will use it to check for some hints inside.
pypykatz -lsa -k /root/Downloads
minidump lsass.DMP
Looking at the DMP file a bit thoroughly
and we find an NT hash file for a user called jasoos. It means a detective in
Hindi. That might be a clue.
We copy the has and paste it inside a file
named hash. Now we have a hash file and to crack that hash we need John the
Ripper. After churning through, John the Ripper gave us the password. It was
“Password@1”. That’s not super secure, is it?
john –format=NT hash
Now, here we can directly connect via SSH
but logging in using Metasploit is better as it has a ton of post-exploitation tools
that can be used afterward. Hence using the ssh_login module we get an SSH
session on the machine as user jasoos. Using the shell_to_meterpreter script we
got ourselves a meterpreter session on the target machine.
use auxiliary/scanner/ssh/ssh_login
set rhosts 192.168.0.174
set username jasoos
set password Password@1
exploit
session -u 1
Using the ifconfig command, we see that
there is a docker interface running on the application with an IP Address 172.17.0.1
It is an internal IP address; means we
cannot access it from outside normally.
sessions 2
ifconfig
No need for Panic. Metasploit has our back
here. It has an autoroute exploit that can route the network in such a way that
internal IP is accessible from outside. The autoroute will create a new host to
connect with whose traffic will be redirected to the internal service. But,
Autoroute doesn’t tell us the IP Address of the new host. So, we need to
perform a ping sweep to find that particular IP Address which can be used to
further exploit the target. Ping sweep gives us the IP address. It is 172.17.0.2.
Now that we know the target IP Address, let’s see exactly what kind of service
is this docker instance running at this moment. A Port scan reveals that it is
an FTP service. But this service is unknown to us. We don’t have any
credentials for us. But there is a feature in FTP service where an anonymous
user can log in and access the files through the FTP. To confirm if this FTP has
that kind of configuration, we use the ftp anonymous scanner in Metasploit.
use post/multi/manage/autoroute
set session 2
exploit
use post/multi/gather/ping_sweep
set session 2
set rhosts 172.17.0.0/24
exploit
use auxiliary/scanner/portscan/tcp
set rhosts 172.17.0.2
set port 1-100
exploit
use auxiliary/scanner/ftp/anonymous
It says that ftp allows anonymous service.
So, let's enumerate the FTP service by connecting to it as anonymous. We have a
directory called pub. Inside that directory, we have a file with a 001
extension. It seems to be an image file that is usually used in forensic
investigation. It is labeled sabot which is known as saboot. It means Evidence
in Hindi.
shell
python3 -c ‘import
pty;pty.spawn(“/bin/bash”)’
ftp 172.17.0.2
anonymous
ls
cd pub
ls
get saboot.001
Now using the Python One liner HTTP service
we transfer the file from the target machine to our local machine.
exit
ls
python -m SimpleHTTPServer
As the Python One liner runs and provides
the service at port 8000, we browse that port and get our saboot file.
http://192.168.0.174:8000
We decided to use the Autopsy Forensic
Investigation tool to inspect the image captured. It can be started using the
following command. It tells us that the Autopsy is accessible on localhost port
9999. Let’s open it.
Here, we have a Web Interface for the
Autopsy. We click on the New Case button
We name the Case, Provide the description,
and give the Investigator name for the documentation purposes. And again, click
on the New Case button.
Now it creates a case. After creating a
case, it requires a host for that particular case. It asks for the name of the
host. After providing the name click on the Add Host button to continue.
After the creation of the host, it asks us to add an image file. This is the step where we add the image file, we acquired from the target machine.
It asks for the location of the image file.
Since we downloaded it from our Web Browser, it must be in the Downloads
folder. We provide the path as shown in the image below. Also, choose the Partition
in the Type option. As it is a partition, otherwise it would be quite bigger.
Disks are bigger than partitions. After completing, click on the Next button to
continue.
Here it asks for further options. Let them
be the default and click on the Add button.
Now that our image has been mounted. It is time for Analyse-it. This can be done as shown in the image below.
We see that we have a bunch of files. Among those files, we have 2 text files. A flag file and a creds file. Let’s take a look at our Third Flag.
Flag #4
Now, we have a creds.txt file. We take a look at it to find that there is some encrypted text inside it.
It seems like it is a Base64 encoding. We
use the echo command with a base 64 decoder as shown in the image below. This
might be the password for another user.
We enumerate the home directory and found
that there is another user by the name of forensics. The password must be for
this user. We use the su command to login as forensic and the password we
found. Now we use the sudo -l command to find what kind of binaries we can use
to elevate privileges. We find that ALL is permitted. So, we just use the sudo
bash command and get the root. Then look for the final flag in the root
directory and we have our fourth and final flag.
cd /home
ls
su forensics
jeenaliisagoodgirl
sudo -l
sudo bash
cd /root
cat root.txt
This concludes this vulnerable machine.
